Wordfence Intelligence Weekly WordPress Vulnerability Report (November 13, 2023 to November 19, 2023)
🎉Wordfence just launched its bug bounty program. For the first 6 months, all awarded bounties receive a 10% bonus. View the announcement to learn more now!
Last week, there were 126 vulnerabilities disclosed in 102 WordPress Plugins and 2 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 37 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.
Enterprises, Hosting Providers, and even Indivudals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 12,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.
Total Unpatched & Patched Vulnerabilities Last Week
Patch Status | Number of Vulnerabilities |
Unpatched | 40 |
Patched | 86 |
Total Vulnerabilities by CVSS Severity Last Week
Severity Rating | Number of Vulnerabilities |
Low Severity | 2 |
Medium Severity | 105 |
High Severity | 14 |
Critical Severity | 5 |
Total Vulnerabilities by CWE Type Last Week
Vulnerability Type by CWE | Number of Vulnerabilities |
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 43 |
Missing Authorization | 36 |
Cross-Site Request Forgery (CSRF) | 26 |
Unrestricted Upload of File with Dangerous Type | 4 |
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) | 3 |
Information Exposure | 2 |
Deserialization of Untrusted Data | 2 |
Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’) | 1 |
Improper Privilege Management | 1 |
Unverified Password Change | 1 |
Protection Mechanism Failure | 1 |
URL Redirection to Untrusted Site (‘Open Redirect’) | 1 |
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 1 |
Use of Less Trusted Source | 1 |
Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’) | 1 |
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 1 |
Improper Authorization | 1 |
Researchers That Contributed to WordPress Security Last Week
Researcher Name | Number of Vulnerabilities |
Abdi Pranata | 23 |
Rafie Muhammad | 18 |
Ngô Thiên An (ancorn_) | 10 |
Le Ngoc Anh | 5 |
István Márton (Wordfence Vulnerability Researcher) |
4 |
Mika | 4 |
Marco Wotschka (Wordfence Vulnerability Researcher) |
4 |
Paolo Tresso (Wordfence Vulnerability Researcher) |
4 |
emad | 3 |
Huynh Tien Si | 3 |
Ala Arfaoui | 2 |
Vincenzo Turturro | 2 |
Gianluca Parisi | 2 |
Vincenzo Cantatore | 2 |
Revan Arifio | 1 |
Enrico Marcolini | 1 |
Claudio Marchesini (Dottormarc) | 1 |
wpdabh | 1 |
RIN MIYACHI | 1 |
Nicolas Surribas | 1 |
Naveen Muthusamy | 1 |
Vladislav Pokrovsky (ΞX.MI) | 1 |
niclo | 1 |
LEE SE HYOUNG | 1 |
Muhammad Daffa | 1 |
Brandon James Roldan (tomorrowisnew) | 1 |
BuShiYue | 1 |
Alex Sanford | 1 |
thiennv | 1 |
Nguyen Xuan Chien | 1 |
Furkan ÖZER | 1 |
DoYeon Park (p6rkdoye0n) | 1 |
Dmitrii Ignatyev | 1 |
Bartłomiej Marek | 1 |
Tomasz Swiadek | 1 |
resecured.io | 1 |
Ivy (TOOR, Lisa) | 1 |
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
Software Name | Software Slug |
10WebAnalytics | wd-google-analytics |
AMP+ Plus | amp-plus |
ARI Stream Quiz – WordPress Quizzes Builder | ari-stream-quiz |
AWeber – Free Sign Up Form and Landing Page Builder Plugin for Lead Generation and Email Newsletter Growth | aweber-web-form-widget |
Accordion | accordions-wp |
Acme Fix Images | acme-fix-images |
Add Widgets to Page | add-widgets-to-page |
Ajax Domain Checker | ajax-domain-checker |
Anywhere Flash Embed | anywhere-flash-embed |
AppPresser – Mobile App Framework | apppresser |
Audio Merchant | audio-merchant |
BMI Calculator Plugin | bmi-calculator-shortcode |
BP Profile Shortcodes Extra | bp-profile-shortcodes-extra |
BSK Contact Form 7 Blacklist | bsk-contact-form-7-blacklist |
Bamboo Columns | bamboo-columns |
Better RSS Widget | better-rss-widget |
BetterDocs – Best Documentation & Knowledge Base Plugin | betterdocs |
Big File Uploads – Increase Maximum File Upload Size | tuxedo-big-file-uploads |
Bus Ticket Booking with Seat Reservation – WpBusTicketly | WordPress plugin | bus-ticket-booking-with-seat-reservation |
Client Invoicing by Sprout Invoices – Easy Estimates and Invoices for WordPress | sprout-invoices |
CodeBard’s Patron Button and Widgets for Patreon | patron-button-and-widgets-by-codebard |
Comments – wpDiscuz | wpdiscuz |
Community by PeepSo – Social Network, Membership, Registration, User Profiles | peepso-core |
Conditional Fields for Contact Form 7 | cf7-conditional-fields |
Customer Reviews for WooCommerce | customer-reviews-woocommerce |
Daily Prayer Time | daily-prayer-time-for-mosques |
Delete Duplicate Posts | delete-duplicate-posts |
Ditty – Responsive News Tickers, Sliders, and Lists | ditty-news-ticker |
DrawIt (draw.io) | drawit |
EWWW Image Optimizer | ewww-image-optimizer |
Easy Call Now by ThikShare | easy-call-now |
EasyAzon – Amazon Associates Affiliate Plugin | easyazon |
Elementor Addon Elements | addon-elements-for-elementor-page-builder |
Email Encoder – Protect Email Addresses and Phone Numbers | email-encoder-bundle |
Email Verification / SMS Verification / OTP Verification / OTP Authentication / WooCommerce Notification | miniorange-otp-verification |
Embed Privacy | embed-privacy |
EmbedPress – Embed PDF, YouTube, Google Docs, Vimeo, Wistia Videos, Audios, Maps & Any Documents in Gutenberg & Elementor | embedpress |
Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates | essential-blocks |
Essential Grid Portfolio – Photo Gallery | essential-grid |
Events Addon for Elementor | events-addon-for-elementor |
Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button – Chaty | chaty |
Footer Putter | footer-putter |
FormCraft – Contact Form Builder for WordPress | formcraft-form-builder |
Forminator – Contact Form, Payment Form & Custom Form Builder | forminator |
Frontend File Manager Plugin | nmedia-user-file-uploader |
Hreflang Manager | hreflang-manager-lite |
Image Compressor & Optimizer – iLoveIMG | iloveimg |
Integration for Constant Contact and Contact Form 7, WPForms, Elementor, Ninja Forms | cf7-constant-contact |
Interactive World Map | interactive-world-map |
Jetpack – WP Security, Backup, Speed, & Growth | jetpack |
LWS Hide Login | lws-hide-login |
LayerSlider | layerslider |
Leadster | leadster-marketing-conversacional |
Legal Pages – Privacy Policy, Terms & Conditions, GDPR, CCPA, and Cookie Notice Generator | legal-pages |
Live Preview for Contact Form 7 | cf7-live-preview |
LuckyWP Scripts Control | luckywp-scripts-control |
MP3 Audio Player for Music, Radio & Podcast by Sonaar | mp3-music-player-by-sonaar |
Namaste! LMS | namaste-lms |
Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions | paid-memberships-pro |
Permalinks Customizer | permalinks-customizer |
Phlox Shop | auxin-shop |
Popup Box – Best WordPress Popup Plugin | ays-popup-box |
Post Status Notifier Lite | post-status-notifier-lite |
Premium Portfolio Features for Phlox theme | auxin-portfolio |
Premmerce Redirect Manager | premmerce-redirect-manager |
Professional Social Sharing Buttons, Icons & Related Posts – Shareaholic | shareaholic |
Pz-LinkCard | pz-linkcard |
Quick Call Button | quick-call-button |
Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress | quiz-master-next |
Restaurant & Cafe Addon for Elementor | restaurant-cafe-addon-for-elementor |
SearchIQ – The Search Solution | searchiq |
Shortcodes and extra features for Phlox theme | auxin-elements |
Simple 301 Redirects by BetterLinks | simple-301-redirects |
Simply Excerpts | simply-excerpts |
Slider Revolution | revslider |
Slider – Ultimate Responsive Image Slider | ultimate-responsive-image-slider |
Star CloudPRNT for WooCommerce | star-cloudprnt-for-woocommerce |
Theater for WordPress | theatre |
URL Shortify – Simple, Powerful and Easy URL Shortener Plugin For WordPress | url-shortify |
Ultimate Dashboard – Custom WordPress Dashboard | ultimate-dashboard |
WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses | wp-courses |
WP Custom Admin Interface | wp-custom-admin-interface |
WP EXtra | wp-extra |
WP Fastest Cache | wp-fastest-cache |
WP Like Button | wp-like-button |
WP Maintenance | wp-maintenance |
WP Meta and Date Remover | wp-meta-and-date-remover |
WP Not Login Hide (WPNLH) | wp-not-login-hide-wpnlh |
WPCafe – Restaurant Menu, Online Ordering for WooCommerce, Pickup / Delivery and Table Reservation | wp-cafe |
Website Optimization – Plerdy | plerdy-heatmap |
Welcart e-Commerce | usc-e-shop |
Welcome Email Editor | welcome-email-editor |
WooCommerce | woocommerce |
WooCommerce Blocks | woo-gutenberg-products-block |
WooCommerce Bookings | woocommerce-bookings |
WooCommerce Product Carousel Slider | product-carousel-slider-for-woocommerce |
Woocommerce Shipping Canada Post | woocommerce-shipping-canada-post |
WordPress File Upload | wp-file-upload |
YOP Poll | yop-poll |
avalex – Automatisch sichere Rechtstexte | avalex |
eCommerce Product Catalog Plugin for WordPress | ecommerce-product-catalog |
wpMandrill | wpmandrill |
WordPress Themes with Reported Vulnerabilities Last Week
Software Name | Software Slug |
Betheme | betheme |
Thrive Themes Builder | thrive-theme |
Vulnerability Details
Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.
Shortcodes and extra features for Phlox theme <= 2.14.0 – Unauthenticated Local File Inclusion
CVE ID: CVE-2023-37888
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/09437329-f01a-4998-90ec-e4b2e271e896
WP Fastest Cache <= 1.2.2 – Unauthenticated SQL Injection
CVE ID: CVE-2023-6063
CVSS Score: 9.8 (Critical)
Researcher/s: Alex Sanford
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/876efd71-8867-44b8-8017-86fad2a1b89f
Phlox Shop <= 2.0.0 – Unauthenticated Local File Inclusion
CVE ID: CVE-2023-39163
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e11e4bab-f8a9-4ecb-b36e-09a55e47f1ae
Phlox Portfolio <= 2.3.1 – Unauthenticated Local File Inclusion
CVE ID: CVE-2023-38399
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f6f3f82e-6b1b-4138-b8f3-82e8dcd24479
Frontend File Manager Plugin <= 22.5 – Authenticated (Editor+) Directory Traversal
CVE ID: CVE-2023-5105
CVSS Score: 9.1 (Critical)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b59b5c41-6173-485e-869d-4165dc18e2bd
Audio Merchant <= 5.0.4 – Cross-Site Request Forgery to Arbitrary File Upload
CVE ID: CVE-2023-6196
CVSS Score: 8.8 (High)
Researcher/s: Ala Arfaoui
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/06513dfe-f263-48b7-ba01-2c205247095b
Thrive Theme Builder <= 3.20.1 – Cross-Site Request Forgery
CVE ID: CVE-2023-47781
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/353c3cd9-5ada-466b-b8e5-d40e0ec4e867
Thrive Theme Builder <= 3.20.1 – Privilege Escalation
CVE ID: CVE-2023-47782
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3b345dfe-3945-405a-9825-c88816b2adee
WP Courses LMS <= 3.2.3 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update
CVE ID: CVE Unknown
CVSS Score: 8.8 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8a6f7952-cb64-4cff-aae7-0f03692cd95f
Welcart e-Commerce <= 2.9.4 – Cross-Site Request Forgery
CVE ID: CVE Unknown
CVSS Score: 8.8 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f59004bb-b026-4137-a332-f46a09237e7b
Welcart e-Commerce <= 2.9.4 – Authenticated (Subscriber+) Arbitrary File Upload
CVE ID: CVE Unknown
CVSS Score: 8.8 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f690e67c-119f-4ea6-9505-101e7f7a3dea
Essential Grid <= 3.0.18 – Missing Authorization
CVE ID: CVE-2023-47771
CVSS Score: 8.3 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/326618eb-186b-44a2-a779-00d5366bfff2
Thrive Theme Builder <= 3.20.1 – Missing Authorization
CVE ID: CVE-2023-47783
CVSS Score: 8.3 (High)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4fd6fa4f-8f4d-4d2f-ac67-98124cfa9592
AppPresser <= 4.2.5 – Insecure Password Reset Mechanism
CVE ID: CVE-2023-4214
CVSS Score: 8.1 (High)
Researcher/s: István Márton
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4c44c36a-c4c7-49c2-b750-1589e7840dde
Paid Memberships Pro <= 2.12.3 – Authenticated (Subscriber+) Arbitrary File Upload
CVE ID: CVE-2023-6187
CVSS Score: 7.5 (High)
Researcher/s: István Márton
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5979f2eb-2ca8-4b06-814c-c4236bb81af0
Image Compressor & Optimizer – iLoveIMG <= 1.0.5 – Authenticated (Administrator+) PHP Object Injection
CVE ID: CVE Unknown
CVSS Score: 7.2 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/501e9cd1-1187-4d01-a3cc-5edba64c391f
Welcart e-Commerce <= 2.9.5 – Authenticated (Administrator+) PHP Object Injection
CVE ID: CVE Unknown
CVSS Score: 7.2 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/91f86c22-94db-4c43-985a-2f3dd96ece21
Slider Revolution <= 6.6.15 – Authenticated (Author+) Arbitrary File Upload
CVE ID: CVE-2023-47784
CVSS Score: 7.2 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e2d29afd-06e8-461a-918f-38228441a51a
Bus Ticket Booking with Seat Reservation <= 5.2.5 – Unauthenticated Cross-Site Scripting
CVE ID: CVE-2023-30496
CVSS Score: 7.2 (High)
Researcher/s: Ivy (TOOR, Lisa)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e9960282-4730-4ee8-b338-adcc57f01cc6
Forminator <= 1.27.0 – Authenticated (Administrator+) Arbitrary File Upload
CVE ID: CVE-2023-6133
CVSS Score: 6.6 (Medium)
Researcher/s: István Márton
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/13cfa202-ab90-46c0-ab53-00995bfdcaa3
Email Encoder Bundle <= 2.1.8 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
CVE ID: CVE-2023-47821
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/09f328f6-8a66-46bf-80d9-3ffeaecfec32
Better RSS Widget <= 2.8.1 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-47813
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/12660e7a-51fc-42c5-8a09-49df1db51efb
eCommerce Product Catalog for WordPress <= 3.3.26 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/39695b53-9af7-42f0-8bde-3969398a7186
LayerSlider <= 7.7.9 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-47786
CVSS Score: 6.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/441bc9fe-3dd6-40a6-b7f3-36511115c083
WooCommerce <= 8.1.1 & WooCommerce Blocks <= 11.1.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Featured Image alt Attribute
CVE ID: CVE-2023-47777
CVSS Score: 6.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/525dec5b-b457-483c-ab2d-09dd320edcaa
Quiz And Survey Master <= 8.1.13 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-47834
CVSS Score: 6.4 (Medium)
Researcher/s: emad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5c482b6e-ce1e-46e2-8847-10c485594448
Ajax Domain Checker <= 1.3.0 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-47810
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/699459a1-d407-4561-9d08-dd5d918ea601
Add Widgets to Page <= 1.3.2 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-47808
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6af20a2c-065c-48d5-a95c-2883ceeb50c6
Slider Revolution <= 6.6.14 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-47772
CVSS Score: 6.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/772e843b-00ea-45f5-b730-c9a793d4c2db
Jetpack <= 12.8-a.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via block attribute
CVE ID: CVE-2023-45050
CVSS Score: 6.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/824360ab-c797-465a-8480-baeae941af29
BMI Calculator Plugin <= 1.0.3 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-47814
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8bf0e224-d8c7-4bf9-b9a3-97545da9d90c
Bamboo Columns <= 1.6.1 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-47812
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8e7b40e4-c80a-4317-acff-77696fd8098f
Anywhere Flash Embed <= 1.0.5 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-47811
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a95d7ff6-55ce-4d63-8433-60cece306628
DrawIt (draw.io) <= 1.1.3 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-47831
CVSS Score: 6.4 (Medium)
Researcher/s: resecured.io
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ddde9db5-3ed7-42f7-97c1-4ff9b9d1f627
WooCommerce Product Carousel Slider <= 3.3.5 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
CVE ID: CVE-2023-47755
CVSS Score: 6.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e6f6dab2-da03-43b6-b9c1-ebc6a7e1d1c9
BP Profile Shortcodes Extra <= 2.5.2 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-47815
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ea9eaca6-3441-4976-8556-0ce288d1a0c6
ARI Stream Quiz <= 1.2.32 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-47835
CVSS Score: 6.4 (Medium)
Researcher/s: emad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/edb4f4b7-a59c-454b-82b5-d8e91c1c82a3
Daily Prayer Time <= 2023.10.13 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
CVE ID: CVE-2023-47817
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f0ccd265-2e64-4b23-a032-aaeb9941df34
Shareaholic <= 9.7.8 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-4889
CVSS Score: 6.4 (Medium)
Researcher/s: István Márton
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ff6932c6-f3ec-46a8-a03b-95512eee5bf1
AWeber <= 7.3.9 – Missing Authorization via AJAX actions
CVE ID: CVE-2023-47757
CVSS Score: 6.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/397f20d8-2400-4403-8543-f57141378012
Betheme <= 27.1.1 – Missing Authorization
CVE ID: CVE-2023-47770
CVSS Score: 6.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/72bdc81e-1a9d-4dd8-93a5-fb1026d6a2d9
Interactive World Map <= 3.2.0 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-47767
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/09b0bfd3-93a7-4f13-828d-772f54085a60
BSK Contact Form 7 Blacklist <= 1.0.1 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-5141
CVSS Score: 6.1 (Medium)
Researcher/s: Enrico Marcolini, Claudio Marchesini (Dottormarc)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0e27b0a8-e052-49ed-8744-a2376aa386f5
Star CloudPRNT for WooCommerce <= 2.0.3 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-4603
CVSS Score: 6.1 (Medium)
Researcher/s: Vincenzo Turturro, Gianluca Parisi, Vincenzo Cantatore
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/110c6d41-e814-41c9-a3e7-d94ec3d953e6
AMP+ Plus <= 3.0 – Reflected Cross Site Scripting
CVE ID: CVE-2023-5210
CVSS Score: 6.1 (Medium)
Researcher/s: Nicolas Surribas
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/417ff4fd-e514-4366-b9a6-c04d7434eac1
EmbedPress <= 3.9.1 – Reflected Cross-Site Scripting
CVE ID: CVE Unknown
CVSS Score: 6.1 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/41edf49a-18a2-4cf0-b498-738e77287b90
Footer Putter <= 6.1.3 – Reflected Cross-Site Scripting
CVE ID: CVE Unknown
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/688353c9-e4e5-4717-9651-15d05248554f
Post Status Notifier Lite <= 1.11.0 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-47766
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6af1224e-0ed3-4770-96c0-c15cc895d36d
Permalinks Customizer <= 2.8.2 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-47773
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/702dca65-fa8c-48c7-89e4-cba4b151e2c4
Namaste! LMS <= 2.6.1.1 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-4602
CVSS Score: 6.1 (Medium)
Researcher/s: Vincenzo Turturro, Gianluca Parisi, Vincenzo Cantatore
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d014f512-9030-49ce-945d-4900594fb373
Accordion <= 2.6 – Authenticated (Editor+) Stored Cross-Site Scripting via accordion settings
CVE ID: CVE-2023-47809
CVSS Score: 5.5 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ff656409-2344-4190-a731-5a282e21375c
Embed Privacy <= 1.8.0 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-48300
CVSS Score: 5.4 (Medium)
Researcher/s: wpdabh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/26d9dfc7-151c-4b32-9ae4-3085d08f137c
Elementor Addon Elements <= 1.12.7 – Cross-Site Request Forgery
CVE ID: CVE-2023-4689
CVSS Score: 5.4 (Medium)
Researcher/s: Marco Wotschka, Paolo Tresso
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/472cdbc4-3bfa-4254-b35a-be7ae10782e6
MP3 Audio Player for Music, Radio & Podcast by Sonaar <= 4.10 – Missing Authorization to Template Import
CVE ID: CVE-2023-47822
CVSS Score: 5.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6bcb9d95-acb4-4405-b785-1e5eace10dc9
Legal Pages <= 1.3.8 – Cross-Site Request Forgery via moveToTrash and fetch_and_insert_template_data
CVE ID: CVE-2023-47824
CVSS Score: 5.4 (Medium)
Researcher/s: Brandon James Roldan (tomorrowisnew)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6fb9c8c3-e491-4bca-adeb-b87d9f8f3b32
Pz-LinkCard <= 2.4.8 – Cross-Site Request Forgery via page_cacheman
CVE ID: CVE-2023-47790
CVSS Score: 5.4 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b6de97ac-127d-47ec-8b74-03e7fa4932f6
eCommerce Product Catalog for WordPress <= 3.3.25 – Cross-Site Request Forgery
CVE ID: CVE Unknown
CVSS Score: 5.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ba70f811-543f-4da4-ba45-715dbd6be6be
Audio Merchant <= 5.0.4 – Cross-Site Request Forgery to Settings Modifcation and Stored Cross-Site Scripting
CVE ID: CVE-2023-6197
CVSS Score: 5.4 (Medium)
Researcher/s: Ala Arfaoui
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d7911337-57fa-4268-8366-d37ff13fae86
Delete Duplicate Posts <= 4.8.9 – Missing Authorization via AJAX Actions
CVE ID: CVE-2023-47754
CVSS Score: 5.4 (Medium)
Researcher/s: Huynh Tien Si
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f603a25f-7d56-4cf4-89aa-de87ee49522a
Elementor Addon Elements <= 1.12.7 – Cross-Site Request Forgery
CVE ID: CVE-2023-4690
CVSS Score: 5.4 (Medium)
Researcher/s: Marco Wotschka, Paolo Tresso
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fd53b4e1-c6b7-4111-911a-04b14c7a9c4e
Restaurant & Cafe Addon for Elementor <= 1.5.2 – Missing Authorization
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/07712191-03b6-4de4-b0a4-e6f03ce9dc81
Ditty <= 3.1.24 – Missing Authorization via save_ditty_permissions_check
CVE ID: CVE-2023-47764
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/08630dfd-df43-4a5a-8fc7-ba8ff753db3d
FormCraft <= 1.2.7 – Missing Authorization via formcraft_nag_update
CVE ID: CVE-2023-47823
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/25d5735a-8eed-4b4a-9bbe-9e42fb18ddf2
SearchIQ <= 4.4 – Missing Authorization via getSIQPluginSettings
CVE ID: CVE-2023-47832
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3001829b-f63b-4b99-91a0-53d615ac96c1
YOP Poll <= 6.5.26 – Race Condition to Vote Manipulation
CVE ID: CVE-2023-6109
CVSS Score: 5.3 (Medium)
Researcher/s: RIN MIYACHI
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/360b1927-a863-46be-ad11-3f6251c75a3c
WPCafe <= 2.2.19 – Missing Authorization via dismiss_ajax_call
CVE ID: CVE-2023-47805
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4261bc62-a091-408b-8643-e6fa61d62103
LWS Hide Login <= 2.1.8 – Protection Mechanism Bypass
CVE ID: CVE-2023-47818
CVSS Score: 5.3 (Medium)
Researcher/s: Naveen Muthusamy
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/532cffdb-16e8-4ced-9477-483c96db343c
avalex – Automatisch sichere Rechtstexte <= 3.0.8 – Missing Authorization
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7319293e-f921-46d1-aea6-2578d1a251a7
WP Maintenance <= 6.1.3 – IP Restriction Bypass
CVE ID: CVE-2023-47769
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/87a1cc00-330c-40c3-a174-8ea50075c4bd
Elementor Addon Elements <= 1.12.7 – Missing Authorization to Sensitive Information Exposure
CVE ID: CVE-2023-4723
CVSS Score: 5.3 (Medium)
Researcher/s: Marco Wotschka, Paolo Tresso
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/89489218-263f-4157-a5cd-a12bc6a0dfe6
Welcome Email Editor <= 5.0.5 – Missing Authorization via ajax_handler
CVE ID: CVE-2023-47756
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/943cd10b-1b58-4803-ba6f-291f73353422
Events Addon for Elementor <= 2.1.2 – Missing Authorization
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b7f52e71-da35-4b46-b658-d293f81b5dc9
Acme Fix Images <= 1.0.0 – Missing Authorization via acme_fix_images_ajax_callback
CVE ID: CVE-2023-47793
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b9047775-2d72-4eb5-9339-419f95aa19b2
EWWW Image Optimizer <= 7.2.0 – Unauthenticated Sensitive Information Exposure via Debug Log
CVE ID: CVE-2023-40600
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d20ff1a8-8794-41e1-9e66-1cda90f9ff77
WP Meta and Date Remover <= 2.3.0 – Cross-Site Request Forgery via updateSettings
CVE ID: CVE-2023-47836
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/faa9ad87-44b2-47b3-a05c-52e59af7255a
Jetpack < 12.7 – Authenticated(Contributor+) Clickjacking via Iframe Injection
CVE ID: CVE-2023-47774
CVSS Score: 5 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/92a3e622-b3b2-450e-82a7-0a942711e8c0
Integration for Contact Form 7 and Constant Contact <= 1.1.4 – Open Redirect
CVE ID: CVE-2023-47779
CVSS Score: 4.7 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5c8404d2-7b37-40df-b756-328f827f273d
Chaty <= 3.1.2 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings
CVE ID: CVE-2023-47759
CVSS Score: 4.4 (Medium)
Researcher/s: emad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/361deac0-f675-432c-b7d2-b99f168d476d
Popup Box <= 3.8.6 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5a40bac7-d3b8-486d-938a-30591ff3016c
Simply Excerpts <= 1.4 – Authenticated (Admin+) Stored Cross-Site Scripting
CVE ID: CVE-2023-5137
CVSS Score: 4.4 (Medium)
Researcher/s: niclo
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5e6a7f09-2166-426e-a548-daafb23363a6
Quick Call Button <= 1.2.9 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings
CVE ID: CVE-2023-47829
CVSS Score: 4.4 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6b5e9c7f-e0c9-4c27-8b39-87e15fd29604
Ultimate Dashboard <= 3.7.7 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
CVE ID: CVE-2023-4726
CVSS Score: 4.4 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/79cce1fc-a27f-4842-b1a2-2c53857add4c
WP Not Login Hide <= 1.0 – Authenticated (Admin+) Stored Cross-Site Scripting
CVE ID: CVE-2023-5940
CVSS Score: 4.4 (Medium)
Researcher/s: Furkan ÖZER
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9fc46de4-af1c-4e38-9caa-55b7b18a69ae
Theater for WordPress <= 0.18.3 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings
CVE ID: CVE-2023-47833
CVSS Score: 4.4 (Medium)
Researcher/s: DoYeon Park (p6rkdoye0n)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b0fdad22-5aee-468f-885c-f65c068cf413
Premmerce Redirect Manager <= 1.0.11 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b3d4f658-e9ce-490b-bcaa-1061a463dbb2
Elementor Addon Elements <= 1.12.7 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-5381
CVSS Score: 4.4 (Medium)
Researcher/s: Paolo Tresso
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bd2bc2e7-960e-40db-9dcc-a6a60117bd83
Website Optimization – Plerdy <= 1.3.2 – Authenticated (Admin+) Stored Cross-Site Scripting
CVE ID: CVE-2023-5715
CVSS Score: 4.4 (Medium)
Researcher/s: Huynh Tien Si
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/db18ac07-2e7a-466d-b00c-a598401f8633
URL Shortify <= 1.7.9 – Authenticated (Admin+) Stored Cross-Site Scripting
CVE ID: CVE-2023-5605
CVSS Score: 4.4 (Medium)
Researcher/s: Bartłomiej Marek, Tomasz Swiadek
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ddc4b758-5a1e-4d0a-949e-869fcd9df0bc
wpDiscuz <= 7.6.12 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f68bc7e9-3bfe-4b2f-82a1-92bbde1a133a
Community by PeepSo <= 6.1.6.0 – Cross-Site Request Forgery via delete
CVE ID: CVE-2023-39925
CVSS Score: 4.3 (Medium)
Researcher/s: Revan Arifio
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0aea5564-b1b9-4d57-9f7e-81dd791c8d48
WP Courses LMS <= 3.2.3 – Missing Authorization
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1127fe1e-4359-4dff-93a7-392a8bfded51
Sprout Invoices <= 20.5.3 – Sensitive Information Exposure
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2330b18e-0907-47e1-b91f-1fe466bcf76b
BetterDocs <= 2.5.2 – Missing Authorization via AJAX actions
CVE ID: CVE-2023-47762
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2a7d6059-4cef-4bd1-a14d-ad544bfaeea3
Conditional Fields for Contact Form 7 <= 2.4.1 – Missing Authorization
CVE ID: CVE-2023-47838
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3cfd8b2d-cf2a-439d-9f9a-dbe499b1cd48
WP Courses LMS <= 3.2.3 – Cross-Site Request Forgery
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/487e23c9-9100-4240-8992-c4c85930c4a6
LuckyWP Scripts Control <= 1.2.1 – Missing Authorization
CVE ID: CVE-2023-47778
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/51c42ca2-cdba-49f5-bea2-83c9b8cf0db7
Events Addon for Elementor <= 2.1.2 – Cross-Site Request Forgery
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5256ef2b-e1fc-4746-b35e-07a265f47f95
wpDiscuz <= 7.6.11 – Cross-Site Request Forgery
CVE ID: CVE-2023-47775
CVSS Score: 4.3 (Medium)
Researcher/s: Vladislav Pokrovsky (ΞX.MI)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/53af9dfd-eb2d-4f6f-b02f-daf790b95f1f
Ultimate Responsive Image Slider <= 3.5.11 – Missing Authorization via AJAX action
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5c92beb0-1fcf-4352-bd34-00e31b265c04
10WebAnalytics <= 1.2.12 – Missing Authorization via gawd_wd_bp_install_notice_status
CVE ID: CVE-2023-47807
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5dd2a4cb-dd74-4b00-82f5-3bf1452e71a3
miniorange otp verification <= 4.2.1 – Missing Authorization via dismiss_notice
CVE ID: CVE-2023-47776
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/62ea1427-0990-4645-aa1a-42da6fd3944f
WP EXtra <= 6.4 – Cross-Site Request Forgery ToolImport
CVE ID: CVE-2023-47825
CVSS Score: 4.3 (Medium)
Researcher/s: Huynh Tien Si
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7e3f3104-e213-4b0f-9821-b3f1a5c06191
Leadster <= 1.1.2 – Cross-Site Request Forgery via leadster_script_code_action
CVE ID: CVE-2023-47791
CVSS Score: 4.3 (Medium)
Researcher/s: BuShiYue
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/86837f87-ea91-404a-92ac-38d1abf14cde
Live Preview for Contact Form 7 <= 1.2.0 – Missing Authorization via update_option
CVE ID: CVE-2023-47830
CVSS Score: 4.3 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/89dbf14f-1cc8-4a66-b3d3-3568cba9a0aa
WP Custom Admin Interface <= 7.31 – Missing Authorization via wpcai_pro_notice_disable
CVE ID: CVE-2023-47763
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8b040f47-b126-4640-9fc5-bda8650f6c69
EasyAzon – Amazon Associates Affiliate <= 5.1.0 – Missing Authorization on AJAX actions
CVE ID: CVE-2023-47780
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/91ba93de-4c5f-4611-8296-adfc85c8dd2b
LayerSlider <= 7.7.9 – Cross-Site Request Forgery
CVE ID: CVE-2023-47785
CVSS Score: 4.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9225ebc6-bff9-4176-a86e-022ff8ec3b05
Big File Uploads <= 2.1.1 – Cross-Site Request Forgery via actions
CVE ID: CVE-2023-47792
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/93b527a8-30c0-4e47-bb2b-522380b21699
Easy Call Now by ThikShare <= 1.1.0 – Cross-Site Request Forgery via settings_page
CVE ID: CVE-2023-47819
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9bd8c4e5-ef53-47e8-8658-291509e9b987
Restaurant & Cafe Addon for Elementor <= 1.5.2 – Cross-Site Request Forgery
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9d986739-d6a5-491d-948f-4c58af75369a
Conditional Fields for Contact Form 7 <= 2.4.0 – Missing Authorization
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a175d2b2-0a35-4c5a-b05b-4d334e444e85
CodeBard’s Patron Button and Widgets for Patreon <= 2.1.9 – Cross-Site Request Forgery
CVE ID: CVE-2023-47765
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a4ea53bd-2ce7-4dce-8c57-51ba81838f1a
WooCommerce Bookings <= 2.0.3 – Cross-Site Request Forgery
CVE ID: CVE-2023-47787
CVSS Score: 4.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a54841af-65ce-4434-a67e-79ea673ec8f9
Customer Reviews for WooCommerce <= 5.38.1 – Cross-Site Request Forgery via manual review reminders
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b243722e-6510-48bd-be26-95ccbe79fa57
WordPress File Upload 4.24.0 – Cross-Site Request Forgery
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b6048088-c11c-4741-8dde-da707f8f84f2
ARI Stream Quiz <= 1.2.32 – Cross-Site Request Forgery
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b6c5f933-b71b-4475-abdf-4cffff2a1a6c
wpMandrill <= 1.33 – Missing Authorization via getAjaxStats
CVE ID: CVE-2023-47828
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b89cf8ef-9fa0-4ede-8ec9-c166d0db74fe
Essential Blocks for Gutenberg <= 4.2.0 – Missing Authorization via AJAX actions
CVE ID: CVE-2023-47760
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c2136e1c-5f69-434d-bdc7-72a144da744b
Hreflang Manager <= 1.06 – Cross-Site Request Forgery
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c357e34f-2d0f-4af4-bb67-cbbc6cd4e141
Customer Reviews for WooCommerce <= 5.38.1 – Missing Authorization via manual review reminders
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c6e2710f-f51a-487d-a4bb-a19f614ff254
Legal Pages <= 1.3.8 – Missing Authorization
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/db0508dd-143f-4674-8193-d46967d2799f
Simple 301 Redirects by BetterLinks <= 2.0.7 – Missing Authorization via clicked
CVE ID: CVE-2023-47761
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ddacd612-0cd5-4b07-9184-bec6f1adbb4c
Jetpack <= 12.6.2 – Improper Authorization via WPCom External Media REST endpoints
CVE ID: CVE-2023-47788
CVSS Score: 4.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e62fa16f-a4a1-44a7-9a66-abafd8dddf67
WooCommerce Canada Post Shipping <= 2.8.3 – Cross-Site Request Forgery
CVE ID: CVE-2023-47789
CVSS Score: 4.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ff850f88-6e89-48dd-ad70-dda4018c22fc
Restaurant & Cafe Addon for Elementor <= 1.5.3 – Missing Authorization via multiple AJAX functions
CVE ID: CVE-2023-47826
CVSS Score: 3.1 (Low)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ad003d57-a573-473e-80a9-5bf60d42a707
WP Like Button <= 1.7.0 – Missing Authorization via crublabFBLBAjax
CVE ID: CVE-2023-47820
CVSS Score: 3.1 (Low)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/da550fd7-3c1a-4b07-afc0-2366e0f5cccd
As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.
This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
Comments