Wordfence Intelligence Weekly WordPress Vulnerability Report (September 25, 2023 to October 1, 2023)
Last week, there were 90 vulnerabilities disclosed in 68 WordPress Plugins and no WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 31 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API and webhook integration are completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.
Individuals and Enterprises can use the vulnerability Database API to receive a complete dump of our database of over 11,800 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
- Simple Membership <= 4.3.4 – Account Takeover via Password Reset
- Allow PHP in Posts and Pages <= 3.0.4 – Authenticated (Subscriber+) Remote Code Execution via Shortcode
- WAF-RULE-635 – data redacted while we work with the developer on a patch.
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.
Total Unpatched & Patched Vulnerabilities Last Week
Patch Status | Number of Vulnerabilities |
Unpatched | 38 |
Patched | 52 |
Total Vulnerabilities by CVSS Severity Last Week
Severity Rating | Number of Vulnerabilities |
Low Severity | 3 |
Medium Severity | 76 |
High Severity | 9 |
Critical Severity | 2 |
Total Vulnerabilities by CWE Type Last Week
Vulnerability Type by CWE | Number of Vulnerabilities |
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 35 |
Cross-Site Request Forgery (CSRF) | 30 |
Missing Authorization | 6 |
Missing Authentication for Critical Function | 3 |
Information Exposure | 3 |
Improper Input Validation | 3 |
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 3 |
Authorization Bypass Through User-Controlled Key | 2 |
Improper Control of Generation of Code (‘Code Injection’) | 1 |
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 1 |
Guessable CAPTCHA | 1 |
Files or Directories Accessible to External Parties | 1 |
Unrestricted Upload of File with Dangerous Type | 1 |
Researchers That Contributed to WordPress Security Last Week
Researcher Name | Number of Vulnerabilities |
Marco Wotschka (Wordfence Vulnerability Researcher) |
13 |
Lana Codes (Wordfence Vulnerability Researcher) |
11 |
Nguyen Xuan Chien | 8 |
Rio Darmawan | 7 |
Dmitrii Ignatyev | 4 |
Skalucy | 4 |
Pedro José Navas Pérez | 3 |
NGÔ THIÊN AN | 3 |
Abdi Pranata | 3 |
yuyudhn | 3 |
SeungYongLee | 2 |
DoYeon Park | 2 |
Ben Bidner | 2 |
Vladislav Pokrovsky | 2 |
Rafie Muhammad | 2 |
qilin_99 | 2 |
Bartłomiej Marek | 2 |
Tomasz Swiadek | 2 |
Erwan LR | 2 |
Alex Thomas (Wordfence Vulnerability Researcher) |
1 |
Mika | 1 |
Muhammad Daffa | 1 |
Jonatas Souza Villa Flor | 1 |
thiennv | 1 |
Rafshanzani Suhada | 1 |
Linwz | 1 |
Pablo Sanchez | 1 |
Akihiro Hashimoto | 1 |
Dao Xuan Hieu | 1 |
Karolis Narvilas | 1 |
emad | 1 |
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
Software Name | Software Slug |
Active Directory Integration / LDAP Integration | ldap-login-for-intranet-sites |
ActivityPub | activitypub |
Add Shortcodes Actions And Filters | add-actions-and-filters |
Advanced Custom Fields: Extended | acf-extended |
BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net | woo-bulk-editor |
Backend Localization | kau-boys-backend-localization |
Best WordPress Gallery Plugin – FooGallery | foogallery |
Block Plugin Update | block-specific-plugin-updates |
Blocks | blocks |
Booking Calendar | booking |
BuddyMeet | buddymeet |
Comments by Startbit | facebook-comment-by-vivacity |
Contact Form | contact-form-ready |
Contractor Contact Form Website to Workflow Tool | contractor-contact-form-website-to-workflow-tool |
Cooked – Recipe Plugin | cooked |
CopyRightPro | copyrightpro |
Events Rich Snippets for Google | rich-snippets-vevents |
Font Awesome Integration | font-awesome-integration |
Font Awesome More Icons | font-awesome-more-icons |
Instant CSS | instant-css |
Keap Landing Pages | infusionsoft-landing-pages |
Kv TinyMCE Editor Add Fonts | kv-tinymce-editor-fonts |
Magic Action Box | magic-action-box |
Mang Board WP | mangboard |
Mediavine Control Panel | mediavine-control-panel |
Modal Window – create popup modal window | modal-window |
Modern Events Calendar Lite | modern-events-calendar-lite |
Onclick show popup | onclick-show-popup |
OpenHook | thesis-openhook |
Options for Twenty Seventeen | options-for-twenty-seventeen |
Popup contact form | popup-contact-form |
Pretty Google Calendar | pretty-google-calendar |
Remove slug from custom post type | remove-slug-from-custom-post-type |
Schema App Structured Data | schema-app-structured-data-for-schemaorg |
School Management System – WPSchoolPress | wpschoolpress |
Shockingly Simple Favicon | shockingly-simple-favicon |
Simple File List | simple-file-list |
Simple Membership | simple-membership |
Simple Posts Ticker – Easy, Lightweight & Flexible | simple-posts-ticker |
Slideshow, Image Slider by 2J | 2j-slideshow |
Staff / Employee Business Directory for Active Directory | ldap-ad-staff-employee-directory-search |
TM WooCommerce Compare & Wishlist | tm-woocommerce-compare-wishlist |
Table of Contents Plus | table-of-contents-plus |
The Awesome Feed – Custom Feed | wp-facebook-feed |
Tiger Forms – Drag and Drop Form Builder | tiger-form |
Timthumb Vulnerability Scanner | timthumb-vulnerability-scanner |
Tiny Carousel Horizontal Slider | tiny-carousel-horizontal-slider |
Track The Click | track-the-click |
Unyson | unyson |
User Activity Log Pro | user-activity-log-pro |
User Avatar – Reloaded | user-avatar-reloaded |
Vrm 360 3D Model Viewer | vrm360 |
WP Adminify – WordPress Dashboard Customization | Custom Login | Admin Columns | Dashboard Widget | Media Library Folders | adminify |
WP Captcha | wp-captcha |
WP Custom Admin Interface | wp-custom-admin-interface |
WP GPX Maps | wp-gpx-maps |
WP Hide Pages | wp-hide-pages |
WP Job Openings – Job Listing, Career Page and Recruitment Plugin | wp-job-openings |
WP Jump Menu | wp-jump-menu |
WP Site Protector | wp-site-protector |
WWM Social Share On Image Hover | wwm-social-share-on-image-hover |
Welcart e-Commerce | usc-e-shop |
Woocommerce ESTO | woo-esto |
WordPress Gallery Plugin – NextGEN Gallery | nextgen-gallery |
WordPress Online Booking and Scheduling Plugin – Bookly | bookly-responsive-appointment-booking-tool |
bbp style pack | bbp-style-pack |
flowpaper | flowpaper-lite-pdf-flipbook |
iframe | iframe |
Vulnerability Details
Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.
OpenHook <= 4.3.0 – Authenticated (Subscriber+) Remote Code Execution via Shortcode
CVE ID: CVE-2023-5201
CVSS Score: 9.9 (Critical)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/37b9ed0e-5af2-47c1-b2da-8d103e4c31bf
Simple File List <= 6.1.8 – Unauthenticated Arbitrary File Deletion
CVE ID: CVE-2023-44227
CVSS Score: 9.1 (Critical)
Researcher/s: Rafshanzani Suhada
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7eada9b7-8d53-4e95-858e-aa706f74b2a1
Events Rich Snippets for Google <= 1.8 – Cross-Site Request Forgery to Arbitrary Options Update
CVE ID: CVE-2023-44478
CVSS Score: 8.8 (High)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5beb0f93-baa7-4400-ab40-d63f3430169e
Welcart e-Commerce <= 2.8.21 – Authenticated(Editor+) Arbitrary File Upload
CVE ID: CVE-2023-40219
CVSS Score: 8.8 (High)
Researcher/s: Akihiro Hashimoto
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c5eb9b1f-39d5-4c5d-8fb3-71d4bbe5f43a
Track The Click <= 0.3.11 – Authenticated (Author+) SQL Injection via ‘stats’ REST Endpoint
CVE ID: CVE-2023-5041
CVSS Score: 8.8 (High)
Researcher/s: Karolis Narvilas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/dcddb0f3-41d5-4635-88ac-556ee3eec49a
Simple Membership <= 4.3.4 – Account Takeover via Password Reset
CVE ID: CVE-2023-41956
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e53bb240-8784-4d34-8d3f-4a7af917f3f4
Active Directory Integration / LDAP Integration <= 4.1.9 – Sensitive Information Exposure
CVE ID: CVE-2023-4506
CVSS Score: 7.5 (High)
Researcher/s: Pedro José Navas Pérez
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1c667631-7934-467e-baa2-7c3b0160c3a5
Simple Membership <= 4.3.4 – Privilege escalation via Registration
CVE ID: CVE-2023-41957
CVSS Score: 7.3 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7cff7dc5-23e1-424c-923b-68eef49dec6f
FooGallery <= 2.2.44 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-44244
CVSS Score: 7.2 (High)
Researcher/s: Vladislav Pokrovsky
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5fd495e8-d7e8-4949-b7aa-43ef40063ca1
User Activity Log Pro <= 2.3.3 – Unauthenticated Stored Cross-Site Scripting via User-Agent header
CVE ID: CVE-2023-5167
CVSS Score: 7.2 (High)
Researcher/s: Bartłomiej Marek, Tomasz Swiadek
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bcf205a3-be7b-49e7-ba02-3f69632ed65f
WPSchoolPress <= 2.2.4 – Authenticated(Teacher+) SQL Injection via ClassID
CVE ID: CVE-2023-4776
CVSS Score: 7.2 (High)
Researcher/s: Dao Xuan Hieu
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d070e12e-ec53-4574-ac37-dc8805d9a553
Bookly <= 22.3.1 – Authenticated(Administrator+) SQL Injection
CVE ID: CVE-2023-4691
CVSS Score: 6.6 (Medium)
Researcher/s: Pablo Sanchez
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ade6f9f2-2a35-4bb0-ab13-33b84394d965
NextGEN Gallery <= 3.37 – Authenticated (Admininistrator+) Arbitrary File Read and Deletion in gallery_edit
CVE ID: CVE-2023-3155
CVSS Score: 6.5 (Medium)
Researcher/s: Linwz
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a15e917f-f46a-4006-a4cb-3d55331ccb5b
ActivityPub <= 0.17.0 – Authenticated (Subscriber+) Insecure Direct Object Reference to Sensitive Post Content Exposure
CVE ID: CVE-2023-3707
CVSS Score: 6.5 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a1c6ad5a-bc76-4012-acc6-35f742e0869e
Booking Calendar <= 9.7.3.3 – Authenticated(Contributor+) Stored Cross-Site Scripting via shortcode
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/08814d06-0039-49cc-bcbb-96cb01129e3c
Font Awesome More Icons <= 3.5 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-5232
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/15947764-a070-4715-bd44-cb79b62ed59d
bbp style pack <= 5.6.7 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-44984
CVSS Score: 6.4 (Medium)
Researcher/s: NGÔ THIÊN AN
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/169cb1b8-8a37-4a8b-b824-c31ef132b88a
flowpaper <= 2.0.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-5200
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/31d6288d-87f0-4822-b3f4-541f70cf99fd
iframe <= 4.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘iframe’ Shortcode
CVE ID: CVE-2023-4919
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes, Alex Thomas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3706deed-55f2-4dfb-bfed-7a14872cd15a
ActivityPub <= 0.17.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Post Content
CVE ID: CVE-2023-3746
CVSS Score: 6.4 (Medium)
Researcher/s: Ben Bidner
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/406951d8-4c61-45b3-a8a2-788921662b6c
Modal Window <= 5.3.5 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-5161
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/48e2129f-6a2c-45e4-a0cf-7d8d5f563a7f
Slideshow, Image Slider by 2J <= 1.3.54 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-44242
CVSS Score: 6.4 (Medium)
Researcher/s: NGÔ THIÊN AN
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5bbccacf-0c34-4656-834b-b3b4c0a84abe
Comments by Startbit <= 1.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-5295
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/602b3b9c-76a7-4b0b-8aad-e554c2fd6910
The Awesome Feed – Custom Feed <= 2.2.5 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-44264
CVSS Score: 6.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6892fefa-3866-4dbf-8604-dd4bc1e7d481
BuddyMeet <= 2.2.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-44985
CVSS Score: 6.4 (Medium)
Researcher/s: NGÔ THIÊN AN
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/75dafb36-7596-492f-a377-32315b1abe33
Cooked <= 1.7.13 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-44477
CVSS Score: 6.4 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/76ba273d-0919-45b3-8044-b8f0ff3972ab
ActivityPub <= 0.17.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via User Metadata
CVE ID: CVE-2023-5057
CVSS Score: 6.4 (Medium)
Researcher/s: Ben Bidner
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/76e35dc6-a4d2-4dca-a186-395f0dd954aa
TM WooCommerce Compare & Wishlist <= 1.1.7 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-5230
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/771ecb8c-feb1-40ea-b47b-a2ae033b3c87
Pretty Google Calendar <= 1.5.1 – Authenticated(Contributor+) Stored Cross-Site Scripting via pretty_google_calendar shortcode
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8ed90a91-e007-42a5-bbef-f186bd3875ea
Font Awesome Integration <= 5.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-5233
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a2791f48-895f-4099-87ec-41aaac2494a2
User Avatar – Reloaded <= 1.2.1 – Authenticated(Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-4798
CVSS Score: 6.4 (Medium)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c3ecf638-dfc4-4e9d-bca8-cd008227e934
Magic Action Box <= 2.17.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-5231
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ce9b908b-1388-41fb-915c-e4e29eaf57ed
Advanced Custom Fields: Extended <= 0.8.9.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-5292
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/dcbe0c72-d518-45d3-a220-896a51071b26
Options for Twenty Seventeen <= 2.5.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-5162
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/df35d8c6-55ec-4cf5-8055-93ec5193c0a4
Simple Posts Ticker <= 1.1.5 – Authenticated(Contributor+) Stored Cross-Site Scripting via shortcode
CVE ID: CVE-2023-4646
CVSS Score: 6.4 (Medium)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ec1ffc70-fc0c-4c25-926c-e78e0f206d2b
Tiger Forms <= 2.0.0 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-44474
CVSS Score: 6.1 (Medium)
Researcher/s: SeungYongLee
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/286e52b4-2694-4f3b-9d1d-fd1ebf1d1e50
Contractor Contact Form Website to Workflow Tool <= 4.0.0 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-44245
CVSS Score: 6.1 (Medium)
Researcher/s: SeungYongLee
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/da4684b8-20f6-4dc1-8f29-d79f64ccb9d8
BEAR <= 1.1.3.3 – Cross-Site Request Forgery to Product Deletion
CVE ID: CVE-2023-4923
CVSS Score: 5.4 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7a4db03d-ec40-4145-aa95-fee78bda5205
BEAR <= 1.1.3.3 – Missing Authorization to Product Deletion
CVE ID: CVE-2023-4924
CVSS Score: 5.4 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7dfd0246-4265-4dde-8a1e-18b7042eae74
BEAR <= 1.1.3.3 – Cross-Site Request Forgery to Product Deletion
CVE ID: CVE-2023-4926
CVSS Score: 5.4 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ab633506-63a1-4be1-b402-c7f0bcc4ea7a
Block Plugin Update <= 3.3 – Cross-Site Request Forgery via bspu_plugin_select.php
CVE ID: CVE-2023-44261
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3a998de7-fa46-495c-a4ca-15df4e59457f
Schema App Structured Data <= 1.22.3 – Missing Authorization via page_init
CVE ID: CVE-2023-44258
CVSS Score: 5.3 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3de82328-e44f-4488-a2ae-1dd2c3b8a502
CopyRightPro <= 2.1 – Cross-Site Request Forgery
CVE ID: CVE-2023-44476
CVSS Score: 5.3 (Medium)
Researcher/s: Skalucy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/83b48cfc-04e7-4929-8da2-cf6beee6d88e
User Activity Log Pro <= 2.3.3 – Tracking Bypass via IP Spoofing
CVE ID: CVE-2023-5133
CVSS Score: 5.3 (Medium)
Researcher/s: Bartłomiej Marek, Tomasz Swiadek
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9666913e-55a3-441c-85ef-8a12756e37ba
WP Captcha <= 2.0.0 – CAPTCHA Bypass
CVE ID: CVE-2023-44235
CVSS Score: 5.3 (Medium)
Researcher/s: qilin_99
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9bc2a04c-7b7c-483f-b81b-97a7caac179c
WP Jump Menu <= 3.6.4 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-44479
CVSS Score: 4.4 (Medium)
Researcher/s: DoYeon Park
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2d34c665-e99c-408e-b7ab-d08a1a51c6c4
Popup contact form <= 7.1 – Authenticated (Admin+) Stored Cross-Site Scripting
CVE ID: CVE-2023-44265
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/47eb6ca7-049c-41b8-9210-391d4d1b8b2f
Blocks <= 1.6.41 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-44262
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/66925385-d89e-45c0-a87b-4ad4f7b89d60
Simple Posts Ticker <= 1.1.5 – Authenticated(Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-4725
CVSS Score: 4.4 (Medium)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9ac2c929-2188-4818-880d-8793984e8df1
WP Adminify <= 3.1.6 – Authenticated (Admin+) Stored Cross-Site Scripting
CVE ID: CVE-2023-44266
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a600f164-7255-4590-8239-2d3e0b445e79
Popup contact form <= 7.1 – Authenticated (Admin+) Stored Cross-Site Scripting
CVE ID: CVE-2023-44230
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ad896d7d-2c75-466c-9a79-b6a9cfb0bc15
WWM Social Share On Image Hover <= 2.2 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-44239
CVSS Score: 4.4 (Medium)
Researcher/s: DoYeon Park
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c9ab868b-51ab-4dad-b662-8302cda9c0e7
Tiny Carousel Horizontal Slider <= 8.1 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-44229
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d2a3ad97-b4ea-4ad9-ac83-071e56cb8df7
Onclick Show Popup <= 8.1 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-44228
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ee013d3f-18bc-418e-ab5b-87724710f340
Modern Events Calendar lite < 7.1.0 – Authenticated (Admin+) Stored Cross-Site Scripting
CVE ID: CVE-2023-4021
CVSS Score: 4.4 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f213fb42-5bab-4017-80ea-ce6543031af2
Keap Landing Pages <= 1.4.2 – Cross-Site Request Forgery
CVE ID: CVE-2023-44241
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/113f0cb7-a5eb-42d5-ad42-871c0381b617
BEAR <= 1.1.3.3 – Cross-Site Request Forgery to Product Manipulation
CVE ID: CVE-2023-4942
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/26d8b75b-befa-4c6a-b072-0da44e437174
BEAR <= 1.1.3.3 – Missing Authorization to Product Manipulation
CVE ID: CVE-2023-4943
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2d10475f-83dd-4e59-83e4-aeaa72a22b96
Instant CSS <= 1.2.1 – Cross-Site Request Forgery
CVE ID: CVE-2023-44243
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/30ce93b4-9e2a-4a8c-8590-ffd61d618d31
BEAR <= 1.1.3.3 – Cross-Site Request Forgery to Product Manipulation
CVE ID: CVE-2023-4940
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/31c5e524-ef4d-48c7-baa0-595f8060a167
Unyson <= 2.7.28 – Missing Authorization
CVE ID: CVE-2023-44472
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/35421b32-701a-4fc9-bcec-80684d874bab
BEAR <= 1.1.3.3 – Cross-Site Request Forgery to Product Manipulation
CVE ID: CVE-2023-4937
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/40bf51bf-efb2-4504-815b-4681d1078f77
WP Custom Admin Interface <= 7.32 – Missing Authorization to Transients Deletion
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/418b9138-9ae0-41f1-a75b-69cbcaffbb88
WP Hide Pages <= 1.0 – Cross-Site Request Forgery
CVE ID: CVE-2023-44232
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/46e7ca97-6dd9-4e27-8e69-2e73f9490ea7
Add Shortcodes Actions And Filters <= 2.0.9 – Cross-Site Request Forgery
CVE ID: CVE-2023-44475
CVSS Score: 4.3 (Medium)
Researcher/s: Skalucy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4942de17-d141-4a6c-885e-75f540fe21b6
Woocommerce ESTO <= 2.23.1 – Cross-Site Request Forgery via saveSetting
CVE ID: CVE-2023-44260
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/49f7e35d-e453-4e60-8f73-12891def267a
BEAR <= 1.1.3.3 – Cross-Site Request Forgery to Stored Cross-Site Scripting
CVE ID: CVE-2023-4920
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/58d25eeb-b12c-4850-8308-eaa30982b5a8
Contact Form <= 2.0.10 – Cross-Site Request Forgery
CVE ID: CVE-2023-44231
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5bdba43c-0156-4a6b-b7b9-3f74b506e8f8
Table of Contents Plus <= 2302 – Cross-Site Request Forgery
CVE ID: CVE-2023-44473
CVSS Score: 4.3 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/624a3174-03fa-4a8e-9c02-5e24add92392
WP GPX Map <= 1.7.05 – Missing Authorization
CVE ID: CVE-2023-44234
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/625c1df5-6655-4319-8833-5519b464e53e
BEAR <= 1.1.3.3 – Cross-Site Request Forgery to Profile Creation
CVE ID: CVE-2023-4935
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/639f3941-7783-4500-aca4-5e8155db6460
Vrm 360 3D Model Viewer <= 1.2.1 – Authenticated(Subscriber+) Sensitive Information Exposure
CVE ID: CVE-2023-5177
CVSS Score: 4.3 (Medium)
Researcher/s: Jonatas Souza Villa Flor
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6c71183f-45e7-44de-a957-614ce417db90
Remove slug from custom post type <= 1.0.3 – Cross-Site Request Forgery
CVE ID: CVE-2023-44238
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/77cb14b1-d9e5-4296-ad8c-6642327ef310
WP Captcha <= 2.0.0 – Cross-Site Request Forgery
CVE ID: CVE-2023-44236
CVSS Score: 4.3 (Medium)
Researcher/s: qilin_99
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/810adc9a-d4e1-46a8-89e4-22615cbbb9c6
WP Custom Admin Interface <= 7.32 – Cross-Site Request Forgery to Transients Deletion
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a5bc6097-d6ed-4598-b3c8-9159d5ce04ee
Mediavine Control Panel <= 2.10.2 – Cross-Site Request Forgery via render_settings_page
CVE ID: CVE-2023-44259
CVSS Score: 4.3 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ac20b454-a5e5-4ff6-a5bf-9c3c339321d8
Backend Localization <= 2.1.10 – Cross-Site Request Forgery
CVE ID: CVE-2023-44471
CVSS Score: 4.3 (Medium)
Researcher/s: Skalucy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ad0bd82d-db0e-440e-9cea-d3843525b0f0
BEAR <= 1.1.3.3 – Missing Authorization to Product Manipulation
CVE ID: CVE-2023-4941
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bc20f303-cac3-4517-9c45-153c410a13af
BEAR <= 1.1.3.3 – Cross-Site Request Forgery to Profile Deletion
CVE ID: CVE-2023-4935
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c045b31f-b4d6-470e-8f93-36eb70bb75f8
BEAR <= 1.1.3.3 – Missing Authorization to Product Manipulation
CVE ID: CVE-2023-4938
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c42f56a2-b9f9-40ef-86ad-fea6cf2e29f8
Kv TinyMCE Editor Add Fonts <= 1.1 – Cross-Site Request Forgery
CVE ID: CVE-2023-44470
CVSS Score: 4.3 (Medium)
Researcher/s: Skalucy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cde526f2-7eff-49cf-8a9f-e0c0cdd12522
ActivityPub <= 0.17.0 – Authenticated (Subscriber+) Insecure Direct Object Reference to Sensitive Post Title Exposure
CVE ID: CVE-2023-3706
CVSS Score: 4.3 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d1b92249-bc18-4939-aefa-286667f6c003
FooGallery <= 2.2.44 – Cross-Site Request Forgery
CVE ID: CVE-2023-44233
CVSS Score: 4.3 (Medium)
Researcher/s: Vladislav Pokrovsky
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d58ca75a-f425-477d-8e48-a5d600543578
Mang Board WP <= 1.7.6 – Cross-Site Request Forgery
CVE ID: CVE-2023-44257
CVSS Score: 4.3 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e4a32fdc-1c72-45fc-bb57-44f6888e0885
Timthumb Vulnerability Scanner <= 1.54 – Cross-Site Request Forgery
CVE ID: CVE-2023-44240
CVSS Score: 4.3 (Medium)
Researcher/s: emad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f0e8d029-af6b-43cb-aa90-f92777c5ac99
WP Site Protector <= 2.0 – Cross-Site Request Forgery
CVE ID: CVE-2023-44237
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f92f614b-162a-4ca5-bf7d-9d7088f59af9
Shockingly Simple Favicon <= 1.8.2 – Cross-Site Request Forgery
CVE ID: CVE-2023-44246
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fd7a1440-18f5-4bcb-a4cf-c4713375d0a1
WP Job Openings <= 3.4.2 – Information Exposure
CVE ID: CVE-2023-4933
CVSS Score: 3.7 (Low)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/334be95c-438a-4e03-9ee4-9a6d2c2fa5f7
Active Directory Integration / LDAP Integration <= 4.1.10 – LDAP Passback
CVE ID: CVE-2023-4506
CVSS Score: 2.2 (Low)
Researcher/s: Pedro José Navas Pérez
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0585969d-dd08-4058-9d72-138a55a2cdf1
Staff / Employee Business Directory for Active Directory <= 1.2.3 – Authenticated (Admin+) LDAP Passback
CVE ID: CVE-2023-4505
CVSS Score: 2.2 (Low)
Researcher/s: Pedro José Navas Pérez
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1ea40b96-4693-4f98-8e6e-2ed8186cedd8
As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.
This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
Comments