Wordfence Intelligence Weekly WordPress Vulnerability Report (November 6, 2023 to November 12, 2023)
🎉Wordfence just launched its bug bounty program. Over the next 6 months, all awarded bounties receive a 10% bonus. View the announcement to learn more now!
Please note there was a minor error in the heading of the email, and this report only runs from November 6th to November 12th.
Last week, there were 135 vulnerabilities disclosed in 119 WordPress Plugins and no WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 40 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.
Enterprises, Hosting Providers, and even Indivudals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 12,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
Total Unpatched & Patched Vulnerabilities Last Week
Patch Status | Number of Vulnerabilities |
Unpatched | 99 |
Patched | 36 |
Total Vulnerabilities by CVSS Severity Last Week
Severity Rating | Number of Vulnerabilities |
Low Severity | 1 |
Medium Severity | 124 |
High Severity | 9 |
Critical Severity | 1 |
Total Vulnerabilities by CWE Type Last Week
Vulnerability Type by CWE | Number of Vulnerabilities |
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 70 |
Cross-Site Request Forgery (CSRF) | 29 |
Missing Authorization | 21 |
Information Exposure | 5 |
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 4 |
Improper Authorization | 2 |
Deserialization of Untrusted Data | 1 |
URL Redirection to Untrusted Site (‘Open Redirect’) | 1 |
Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’) | 1 |
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 1 |
Researchers That Contributed to WordPress Security Last Week
Researcher Name | Number of Vulnerabilities |
István Márton (Wordfence Vulnerability Researcher) |
20 |
LEE SE HYOUNG (hackintoanetwork) | 11 |
Abdi Pranata | 10 |
Emili Castells | 9 |
Le Ngoc Anh | 8 |
Rafie Muhammad | 7 |
Mika | 7 |
thiennv | 7 |
Nguyen Xuan Chien | 4 |
yuyudhn | 4 |
Skalucy | 3 |
minhtuanact | 3 |
Elliot | 3 |
Krzysztof Zając | 3 |
Dmitrii Ignatyev | 3 |
Ala Arfaoui | 2 |
Enrico Marcolini | 2 |
Claudio Marchesini (Dottormarc) | 2 |
Joshua Chan | 2 |
Huynh Tien Si | 1 |
Robert DeVore | 1 |
Jeongwoo-Lee | 1 |
BuShiYue | 1 |
Nithissh S | 1 |
lttn | 1 |
Robin Wood | 1 |
Fariq Fadillah Gusti Insani | 1 |
Abu Hurayra (HurayraIIT) | 1 |
Vaishnav Rajeevan | 1 |
Luqman Hakim Y | 1 |
DoYeon Park (p6rkdoye0n) | 1 |
Brandon Roldan | 1 |
qilin_99 | 1 |
Erwan LR | 1 |
SeungYongLee | 1 |
Taihei Shimamine | 1 |
Nguyen Anh Tien | 1 |
Nicolas Decayeux | 1 |
Rafshanzani Suhada | 1 |
Alex Thomas (Wordfence Vulnerability Researcher) |
1 |
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
Software Name | Software Slug |
ANAC XML Bandi di Gara | avcp |
ANAC XML Viewer | anac-xml-viewer |
ARI Stream Quiz – WordPress Quizzes Builder | ari-stream-quiz |
Actueel Financieel Nieuws – Denk Internet Solutions | denk-internet-solutions |
Add Local Avatar | add-local-avatar |
Additional Order Filters for WooCommerce | additional-order-filters-for-woocommerce |
Advanced iFrame | advanced-iframe |
Amazonify | amazonify |
Animator – Scroll Triggered Animations | scroll-triggered-animations |
Arigato Autoresponder and Newsletter | bft-autoresponder |
Auto Affiliate Links | wp-auto-affiliate-links |
Auto Tag Creator | auto-tag-creator |
BZScore – Live Score | bzscore-live-score |
BadgeOS | badgeos |
Best Restaurant Menu by PriceListo | best-restaurant-menu-by-pricelisto |
Bitly’s WordPress Plugin | wp-bitly |
Brizy – Page Builder | brizy |
CBX Map for Google Map & OpenStreetMap | cbxgooglemap |
Category Post List Widget | category-post-list-widget |
Checkout Field Manager (Checkout Manager) for WooCommerce | woocommerce-checkout-manager |
Cloud Templates & Patterns collection | templates-patterns-collection |
CoCart – Decoupling WooCommerce Made Easy | cart-rest-api-for-woocommerce |
Code Snippets | code-snippets |
CodeBard’s Patron Button and Widgets for Patreon | patron-button-and-widgets-by-codebard |
Contact Form – Custom Builder, Payment Form, and More | powr-pack |
Countdown and CountUp, WooCommerce Sales Timer | countdown-wpdevart-extended |
Custom post types, Custom Fields & more | custom-post-types |
Direct Checkout – Quick View – Buy Now For WooCommerce | quick-view-and-buy-now-for-woocommerce |
Donations Made Easy – Smart Donations | smart-donations |
Dragfy Addons for Elementor | dragfy-addons-for-elementor |
Droit Dark Mode | droit-dark-mode |
Easy Social Icons | easy-social-icons |
EasyRotator for WordPress – Slider Plugin | easyrotator-for-wordpress |
EazyDocs – Most Powerful Knowledge base, wiki, Documentation Builder Plugin (easy docs, knowledgebase) | eazydocs |
Ecwid Ecommerce Shopping Cart | ecwid-shopping-cart |
Edit WooCommerce Templates | woo-edit-templates |
Elementor Website Builder – More than Just a Page Builder | elementor |
Email Marketing for WooCommerce by Omnisend | omnisend-connect |
Essential Grid Portfolio – Photo Gallery | essential-grid |
Extra Product Options for WooCommerce | extra-product-options-for-woocommerce |
Featured Image Caption | featured-image-caption |
Flo Forms – Easy Drag & Drop Form Builder | flo-forms |
Forms for Mailchimp by Optin Cat – Grow Your MailChimp List | mailchimp-wp |
Foyer – Digital Signage for WordPress | foyer |
Front End PM | front-end-pm |
Garden Gnome Package | garden-gnome-package |
Image Hover Effects – WordPress Plugin | image-hover-effects |
ImageMapper | imagemapper |
Integrate Google Drive – Browse, Upload, Download, Embed, Play, Share, Gallery, and Manage Your Google Drive Files Into Your WordPress Site | integrate-google-drive |
Japanized For WooCommerce | woocommerce-for-japan |
Job Manager & Career – Manage job board listings, and recruitments | job-manager-career |
Korea SNS | korea-sns |
Lava Directory Manager | lava-directory-manager |
LearnPress – WordPress LMS Plugin | learnpress |
Live Gold Price & Silver Price Charts Widgets | gold-price-chart-widget |
Martins Free & Easy SEO BackLink Link Building Network – Improve Rankings & Traffic | martins-link-network |
Membership Plugin – Restrict Content | restrict-content |
Mmm Simple File List | mmm-file-list |
NitroPack – Cache & Speed Optimization for Core Web Vitals, Defer CSS & JavaScript, Lazy load Images | nitropack |
OneClick Chat to Order | oneclick-whatsapp-order |
Patreon WordPress | patreon-connect |
Photo Feed | photo-feed |
Pinyin Slugs | so-pinyin-slugs |
Plainview Protect Passwords | plainview-protect-passwords |
Plugin Name: Device Theme Switcher | device-theme-switcher |
Podlove Web Player | podlove-web-player |
Post Pay Counter | post-pay-counter |
Preloader Matrix | matrix-pre-loader |
Product Catalog Simple | post-type-x |
Product Enquiry for WooCommerce | gm-woocommerce-quote-popup |
Product Visibility by Country for WooCommerce | product-visibility-by-country-for-woocommerce |
Products, Order & Customers Export for WooCommerce | export-woocommerce |
ProfileGrid – User Profiles, Memberships, Groups and Communities | profilegrid-user-profiles-groups-and-communities |
Q2W3 Post Order | q2w3-post-order |
QR Code Tag | qr-code-tag |
Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress | quiz-master-next |
Recently viewed and most viewed products | recently-viewed-and-most-viewed-products |
Redirect 404 Error Page to Homepage or Custom Page with Logs | redirect-404-error-page-to-homepage-or-custom-page |
Rename Media Files | rename-media-files |
Responsive Column Widgets | responsive-column-widgets |
Responsive Pricing Table | dk-pricr-responsive-pricing-table |
Restrict Categories | restrict-categories |
SEO by 10Web | seo-by-10web |
Seers | GDPR & CCPA Cookie Consent & Compliance | seers-cookie-consent-banner-privacy-policy |
SendPress Newsletters | sendpress |
Simple Like Page Plugin | simple-facebook-plugin |
Social Feed | All social media in one place | add-facebook |
Social Sharing Plugin – Social Warfare | social-warfare |
Solid Central – Site Management, Backups, Security, and Reporting | ithemes-sync |
Sponsors | wp-sponsors |
Star CloudPRNT for WooCommerce | star-cloudprnt-for-woocommerce |
TWB Woocommerce Reviews | twb-woocommerce-reviews |
Team Members Showcase | dazzlersoft-teams |
Telephone Number Linker | telephone-number-linker |
Ultimate Addons for Contact Form 7 | ultimate-addons-for-contact-form-7 |
Under Construction / Maintenance Mode from Acurax | coming-soon-maintenance-mode-from-acurax |
UpdraftPlus: WordPress Backup & Migration Plugin | updraftplus |
User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor | profile-builder |
UserHeat Plugin | userheat |
Visitor Traffic Real Time Statistics | visitors-traffic-real-time-statistics |
Visual Website Collaboration, Feedback & Project Management – Atarim | atarim-visual-collaboration |
WD WidgetTwitter | widget-twitter |
WP Crowdfunding | wp-crowdfunding |
WP Discord Invite | wp-discord-invite |
WP Edit Username | wp-edit-username |
WP Full Stripe Free | wp-full-stripe-free |
WP Links Page | wp-links-page |
WP MapIt | wp-mapit |
WPDBSpringClean | wpdbspringclean |
Web Push Notifications – Webpushr | webpushr-web-push-notifications |
Who Hit The Page – Hit Counter | who-hit-the-page-hit-counter |
Woo Custom and Sequential Order Number | woo-custom-and-sequential-order-number |
WooCommerce Product Enquiry | woo-product-enquiry |
WooCommerce Product Table Lite | wc-product-table-lite |
WordPress Backup & Migration | wp-migration-duplicator |
Youtube SpeedLoad | youtube-speedload |
Ziteboard Online Whiteboard | ziteboard-online-whiteboard |
masterslider | masterslider |
코드엠샵 마이사이트 – MSHOP MY SITE | mshop-mysite |
Vulnerability Details
Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.
Master Slider Pro <= 3.6.5 – Unauthenticated PHP Object Injection
CVE ID: CVE-2023-47507
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/66749606-e76f-41fb-bcf1-c06681de2ee3
WD WidgetTwitter <= 1.0.9 – Authenticated (Contributor+) SQL Injection via Shortcode
CVE ID: CVE-2023-5709
CVSS Score: 8.8 (High)
Researcher/s: István Márton
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/86cdbfec-b1af-48ec-ae70-f97768694e44
Rename Media Files <= 1.0.1 – Authenticated (Contributor+) Remote Code Execution
CVE ID: CVE-2023-32095
CVSS Score: 8.8 (High)
Researcher/s: Taihei Shimamine
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c22c2c17-c9c5-46eb-877a-a49ccf1a74ef
Mmm Simple File List <= 2.3 – Authenticated (Subscriber+) Directory Traversal
CVE ID: CVE-2023-4297
CVSS Score: 8.8 (High)
Researcher/s: Dmitrii Ignatyev
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f33a13dc-ebff-4033-9b8d-10076b1c2d0d
Brizy <= 2.4.29 – Cross-Site Scripting
CVE ID: CVE Unknown
CVSS Score: 7.2 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/546cd218-3f6d-4e8f-83d5-e9aceb6f33ed
Who Hit The Page – Hit Counter <= 1.4.14.3 – Authenticated (Administrator+) SQL Injection
CVE ID: CVE-2023-47558
CVSS Score: 7.2 (High)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/54c94de4-59b4-4f0b-85db-2074a41d04f8
Redirect 404 Error Page to Homepage or Custom Page with Logs <= 1.8.7 – Authenticated (Administrator+) SQL Injection
CVE ID: CVE-2023-47530
CVSS Score: 7.2 (High)
Researcher/s: Fariq Fadillah Gusti Insani
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/59ec4bbd-5192-45f8-8cfc-d43858b46901
Webpushr <= 4.34.0 – Missing Authorization to Unauthenticated Stored Cross-Site Scripting
CVE ID: CVE-2023-5620
CVSS Score: 7.2 (High)
Researcher/s: Krzysztof Zając
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7e092d67-ab81-4366-824c-cfb240ba3042
Master Slider Pro <= 3.6.5 – Authenticated (Editor+) SQL Injection
CVE ID: CVE-2023-47506
CVSS Score: 7.2 (High)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a69a5249-f9ab-4489-a032-33dd482fdc96
Profile Builder <= 3.10.3 – Cross-Site Request Forgery via pms-cross-promotion.php
CVE ID: CVE-2023-47669
CVSS Score: 7.1 (High)
Researcher/s: Brandon Roldan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b0b2bdb3-713c-47c6-8907-ac0f86038dc2
EazyDocs <= 2.3.3 – Missing Authorization via doc_one_page and edit_doc_one_page
CVE ID: CVE-2023-47648
CVSS Score: 6.5 (Medium)
Researcher/s: Skalucy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0ec64507-b77e-4685-978f-7408fe8db5ee
Japanized For WooCommerce <= 2.6.4 – Missing Authorization
CVE ID: CVE-2023-47698
CVSS Score: 6.5 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0fc675e8-8ba1-40b0-829e-7a48d5eb586d
Podlove Web Player <= 5.7.1 – Missing Authorization
CVE ID: CVE-2023-47691
CVSS Score: 6.5 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7fd8a952-d723-45a2-9027-12e3d99f715b
Elementor Website Builder <= 3.16.4 – Missing Authorization to Arbitrary Attachment Read
CVE ID: CVE-2023-47504
CVSS Score: 6.5 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c873c76a-144e-4945-8fa2-c9ffe0e3c061
WooCommerce Checkout Manager <= 7.3.0 – Missing Authorization
CVE ID: CVE-2023-47681
CVSS Score: 6.5 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fffd7d50-6563-4652-8fae-3fe698125c59
Telephone Number Linker <= 1.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-5743
CVSS Score: 6.4 (Medium)
Researcher/s: István Márton
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/06424d9f-0064-4101-b819-688489a18eee
Featured Image Caption <= 0.8.10 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-5669
CVSS Score: 6.4 (Medium)
Researcher/s: István Márton
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0c43a88c-6374-414f-97ae-26ba15d75cdc
ANAC XML Bandi di Gara <= 7.5 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
CVE ID: CVE-2023-47242
CVSS Score: 6.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/101945f6-d709-4c99-8c80-def9dd2fa636
EasyRotator for WordPress <= 1.0.14 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-5742
CVSS Score: 6.4 (Medium)
Researcher/s: István Márton
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3041e28e-d965-4672-ab10-8b1f3d874f19
Bitly’s WordPress Plugin <= 2.7.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-5577
CVSS Score: 6.4 (Medium)
Researcher/s: István Márton
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/31522e54-f260-46d0-8d57-2d46af7d3450
BZScore – Live Score <= 1.03 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
CVE ID: CVE-2023-47654
CVSS Score: 6.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/438a94c4-a7f2-4c08-960b-e18c19196169
Sponsors <= 3.5.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-5662
CVSS Score: 6.4 (Medium)
Researcher/s: István Márton
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4af04219-26c5-401d-94ef-11d2321f98bf
WP MapIt <= 2.7.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-5658
CVSS Score: 6.4 (Medium)
Researcher/s: István Márton
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7ef6f598-e1a7-4036-9485-1aad0416349a
Social Feed <= 1.5.4.6 – Authenticated (Author+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-5661
CVSS Score: 6.4 (Medium)
Researcher/s: István Márton
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8b145772-624e-4af0-9156-03c483bf8381
Garden Gnome Package <= 2.2.8 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-5664
CVSS Score: 6.4 (Medium)
Researcher/s: István Márton
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8c7385c7-47de-4511-b474-7415c3977aa8
Social Sharing Plugin – Social Warfare <= 4.4.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-4842
CVSS Score: 6.4 (Medium)
Researcher/s: István Márton
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8f5b9aff-0833-4887-ae59-df5bc88c7f91
Donations Made Easy – Smart Donations <= 4.0.12 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-47550
CVSS Score: 6.4 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/92aae1f6-e624-4619-8195-ee3c443a31fc
WordPress Backup & Migration <= 1.4.4 – Authenticated (Subscriber+) Stored Cross-Site Scripting
CVE ID: CVE-2023-5738
CVSS Score: 6.4 (Medium)
Researcher/s: Krzysztof Zając
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/93de1604-2494-4c51-a93d-b01bf7ed4c07
ImageMapper <= 1.2.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-5507
CVSS Score: 6.4 (Medium)
Researcher/s: István Márton
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a6e687e9-6ffe-4457-8d57-3c03f657eb74
CBX Map for Google Map & OpenStreetMap <= 1.1.11 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
CVE ID: CVE-2023-47240
CVSS Score: 6.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/aa5505b7-2d9e-4a03-9655-75d004f53259
Elementor Website Builder <= 3.16.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via get_inline_svg()
CVE ID: CVE-2023-47505
CVSS Score: 6.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b44ef21f-464e-487a-ba5a-fe889e4c488c
QR Code Tag <= 1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-5567
CVSS Score: 6.4 (Medium)
Researcher/s: István Márton
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/be004002-a3ac-46e9-b0c1-258f05f97b2a
Mmm Simple File List <= 2.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-4514
CVSS Score: 6.4 (Medium)
Researcher/s: Erwan LR
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c064227f-6332-40c8-9e96-337c608da832
POWR <= 2.1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-5741
CVSS Score: 6.4 (Medium)
Researcher/s: István Márton
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c2967eae-82bb-4556-a21a-c5bb6b905c62
SendPress Newsletters <= 1.22.3.31 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-5660
CVSS Score: 6.4 (Medium)
Researcher/s: István Márton
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cbce42a0-29a7-40df-973c-1fe7338f6c94
Lava Directory Manager <= 1.1.34 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
CVE ID: CVE-2023-47659
CVSS Score: 6.4 (Medium)
Researcher/s: Emili Castells
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e3d21ebb-52de-4b25-b9e9-5d6f3284cf94
Advanced iFrame <= 2023.8 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-4775
CVSS Score: 6.4 (Medium)
Researcher/s: István Márton
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e9944443-2e71-45c4-8a19-d76863cf66df
Ziteboard Online Whiteboard <= 2.9.9 – Authenticated (Contributor+) Stored Cross-Site Scripting via ziteboard Shortcode
CVE ID: CVE-2023-5076
CVSS Score: 6.4 (Medium)
Researcher/s: István Márton, Alex Thomas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f5608f50-e17a-471f-b644-dceb64d82f0c
Simple Like Page Plugin <= 1.5.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-4888
CVSS Score: 6.4 (Medium)
Researcher/s: István Márton
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f81df26f-4390-4626-8539-367a52f8a027
NitroPack <= 1.9.2 – Missing Authorization via multiple AJAX functions
CVE ID: CVE Unknown
CVSS Score: 6.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fb6f4b0b-25b8-4dcd-b002-293ce8ab307e
Category Post List Widget <= 2.0 – Unauthenticated Stored Cross-Site Scripting via custom_css
CVE ID: CVE-2023-47516
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG (hackintoanetwork)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0182ca6c-23f8-4212-bfd8-cb898e98b37b
Essential Grid <= 3.1.0 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-47684
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/02eadae8-7aa6-42f5-b807-9ed82332fa72
Category Post List Widget <= 2.0 – Cross-Site Request Forgery via get_cplw_settings
CVE ID: CVE-2023-47516
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG (hackintoanetwork)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/04ffc248-2b5c-4c64-8bfd-361a8ff6a8af
SendPress Newsletters <= 1.23.11.6 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-47517
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2cd6e69b-f927-4cea-a838-5c73f52233a2
Edit WooCommerce Templates <= 1.1.1 – Unauthenticated Cross-Site Scripting
CVE ID: CVE-2023-47509
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG (hackintoanetwork)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/34f7ab72-a4e3-4264-b6d3-530dd255dc87
Under Construction / Maintenance Mode from Acurax <= 2.6 – Unauthenticated Cross-Site Scripting
CVE ID: CVE-2023-39926
CVSS Score: 6.1 (Medium)
Researcher/s: Robert DeVore
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/359b8977-6d0d-4856-8d72-17091a420f67
EazyDocs <= 2.3.3 – Unauthenticated Stored Cross-Site Scripting via edit_doc_one_page
CVE ID: CVE-2023-47549
CVSS Score: 6.1 (Medium)
Researcher/s: minhtuanact
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/38145ad1-f441-40a4-9e92-6837cfeba656
Restrict Categories <= 2.6.4 – Reflected Cross-Site Scripting via rc-search
CVE ID: CVE-2023-47518
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/45671cab-f719-4ee6-af81-7c19b37b8d91
Post Pay Counter <= 2.789 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-47673
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG (hackintoanetwork)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4a9fce6d-d5c2-4ab7-87ea-8dd6e4d92e07
Atarim <= 3.12 – Unauthenticated Cross-Site Scripting
CVE ID: CVE-2023-47544
CVSS Score: 6.1 (Medium)
Researcher/s: lttn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4f5919eb-ac74-4926-9ede-e651bb4463b2
Product Enquiry for WooCommerce <= 3.0 – Unauthenticated Stored Cross-Site Scripting via name
CVE ID: CVE-2023-47512
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG (hackintoanetwork)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6840add4-62db-4b99-b48b-0b51aa2451b8
Martins Free & Easy SEO BackLink Link Building Network <= 1.2.29 – Reflected Cross-Site Scripting via _wpnonce
CVE ID: CVE-2023-5641
CVSS Score: 6.1 (Medium)
Researcher/s: Enrico Marcolini, Claudio Marchesini (Dottormarc)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/773b5a79-017a-4e16-b563-3aa2939fa179
WP Crowdfunding <= 2.1.6 – Reflected Cross-Site Scripting via postid
CVE ID: CVE-2023-47532
CVSS Score: 6.1 (Medium)
Researcher/s: Abu Hurayra (HurayraIIT)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7f13a432-e37d-4183-85ff-e2a04b40cda8
LearnPress <= 4.2.5.3 – Reflected Cross-Site Scripting via add_internal_scripts_to_head
CVE ID: CVE Unknown
CVSS Score: 6.1 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/81fd3ac1-91af-4cfa-ac4e-712beb4236c0
Photo Feed <= 2.2.1 – Reflected Cross-Site Scripting via pf-gid
CVE ID: CVE-2023-47522
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8a36b98b-7197-434e-88ac-6fcfa34d6abb
Auto Affiliate Links <= 6.4.2.4 – Cross-Site Request Forgery to Stored Cross-Site Scripting
CVE ID: CVE-2023-47652
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG (hackintoanetwork)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8c84ffd3-e000-4d67-9789-e439e7c128e8
CodeBard’s Patron Button and Widgets for Patreon <= 2.1.9 – Reflected Cross-Site Scripting via cb_p6_tab
CVE ID: CVE-2023-47524
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/96649aa6-f3ba-4e9e-9fa5-a5fbd52c3836
Master Slider Pro <= 3.6.5 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-47508
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9f77755a-9b28-4e31-8a01-42e96b5698bf
Star CloudPRNT for WooCommerce <= 2.0.3 – Unauthenticated Cross-Site Scripting
CVE ID: CVE-2023-47514
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9f850644-4923-46c1-90f6-d29088c9cb1a
WPDBSpringClean <= 1.6 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-47510
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG (hackintoanetwork)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a6627f96-63d6-4f22-9eb7-fb42e748ae38
Q2W3 Post Order <= 1.2.8 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-47521
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/affc9dff-75a1-4cb3-8465-55254db6441b
Seo By 10Web <= 1.2.9 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-34375
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b4533554-52e4-44b4-9230-b6e3feb2e4a1
Plainview Protect Passwords <= 1.4 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-47665
CVSS Score: 6.1 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b63d8238-267f-4a40-9af0-37ae8b9ba26b
Additional Order Filters for WooCommerce <= 1.10 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-47690
CVSS Score: 6.1 (Medium)
Researcher/s: qilin_99
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/baa8b5ce-7ef8-4ca8-9957-2c3469f55dda
ImageMapper <= 1.2.6 – Cross-Site Request Forgery to Stored Cross-Site Scripting via imgmap_save_area_title
CVE ID: CVE-2023-5532
CVSS Score: 6.1 (Medium)
Researcher/s: István Márton
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bbb67f02-87e8-4ca3-8a9d-6663a700ab5b
Responsive Column Widgets <= 1.2.7 – Reflected Cross-Site Scripting via tab
CVE ID: CVE-2023-47520
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d749c24c-0ed9-423b-872a-4771e9d8a2eb
Products, Order & Customers Export for WooCommerce <= 2.0.7 – Reflected Cross-Site Scripting via date parameters
CVE ID: CVE-2023-47547
CVSS Score: 6.1 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/eac8685b-8ed9-432d-8912-b66bd62c950f
Extra Product Options for WooCommerce <= 3.0.3 – Authenticated (Shop manager+) Stored Cross-Site Scripting via plugin settings
CVE ID: CVE-2023-47658
CVSS Score: 5.5 (Medium)
Researcher/s: Emili Castells
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/393a856e-dc13-4fb6-8ff3-5880631953c4
Actueel Financieel Nieuws – Denk Internet Solutions <= 5.1.0 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
CVE ID: CVE-2023-6107
CVSS Score: 5.5 (Medium)
Researcher/s: Nithissh S
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4e0ad29a-b7a0-407e-8fb0-0917b8671afb
Direct Checkout – Quick View – Buy Now For WooCommerce <= 1.5.8 – Authenticated (Shop manager+) Stored Cross-Site Scripting via Custom CSS Code
CVE ID: CVE-2023-47657
CVSS Score: 5.5 (Medium)
Researcher/s: Emili Castells
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/514aa001-24c8-4624-8e25-f17b8454354c
Recently viewed and most viewed products <= 1.1.1 – Authenticated (Shop Manager+) Stored Cross-Site Scripting
CVE ID: CVE-2023-47646
CVSS Score: 5.5 (Medium)
Researcher/s: Emili Castells
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/61ec0e78-b367-438f-929d-94e055c83477
Responsive Pricing Table < 5.1.8 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
CVE ID: CVE-2023-4810
CVSS Score: 5.5 (Medium)
Researcher/s: Vaishnav Rajeevan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7fb7dd8f-6258-46e1-9cc5-87ec73d5736c
Forms for Mailchimp by Optin Cat <= 2.5.4 – Authenticated (Editor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-47545
CVSS Score: 5.5 (Medium)
Researcher/s: DoYeon Park (p6rkdoye0n)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a7d5edee-04fb-41e0-be5e-ca3681956d2d
Countdown and CountUp, WooCommerce Sales Timer <= 1.8.2 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
CVE ID: CVE-2023-47533
CVSS Score: 5.5 (Medium)
Researcher/s: SeungYongLee
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c1ec113c-d11f-4b0b-8d4a-46d37687b3b2
Live Gold Price & Silver Price Charts Widgets <= 2.4 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
CVE ID: CVE-2023-47662
CVSS Score: 5.5 (Medium)
Researcher/s: Emili Castells
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c53ebf2f-44ab-4d0f-ac3d-c08806c07343
ANAC XML Bandi di Gara <= 7.5 – Authenticated (Editor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-47656
CVSS Score: 5.5 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cb610baa-093d-4a41-8e28-c65fdb0e32aa
Add Local Avatar <= 12.1 – Cross-Site Request Forgery via manage_avatar_cache
CVE ID: CVE-2023-47650
CVSS Score: 5.4 (Medium)
Researcher/s: LEE SE HYOUNG (hackintoanetwork)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/241da621-b892-4263-8409-a40ac5a1ade3
Code Snippets <= 3.5.0 – Cross-Site Request Forgery via load
CVE ID: CVE-2023-47666
CVSS Score: 5.4 (Medium)
Researcher/s: Huynh Tien Si
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/28aae3d4-c4c4-4cda-9f4b-7f2ea58629aa
ImageMapper <= 1.2.6 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Page/Post Deletion via imgmap_delete_area_ajax
CVE ID: CVE-2023-5506
CVSS Score: 5.4 (Medium)
Researcher/s: István Márton
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/31dff395-c3ce-4ebe-8d38-5243fc4510d6
Solid Central <= 3.0.0 – Stored Cross-Site Scripting via packages
CVE ID: CVE Unknown
CVSS Score: 5.4 (Medium)
Researcher/s: Robin Wood
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/55234307-9d51-4fe8-bc22-78d32a5fed11
Quiz And Survey Master <= 8.1.18 – Multiple Cross-Site Request Forgery
CVE ID: CVE Unknown
CVSS Score: 5.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/91c5a83a-679c-405b-973d-a2255d2bced2
WP Discord Invite < 2.5.1 – Cross-Site Request Forgery to Settings Update
CVE ID: CVE-2023-5006
CVSS Score: 5.4 (Medium)
Researcher/s: Enrico Marcolini, Claudio Marchesini (Dottormarc)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d92bfa61-7ae2-427a-8f3a-82709471735b
UpdraftPlus <= 1.23.10 – Cross-Site Request Forgery to Google Drive Storage Update
CVE ID: CVE-2023-5982
CVSS Score: 5.4 (Medium)
Researcher/s: Nicolas Decayeux
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e1be11c5-0a44-4816-b6bf-d330cb51dbf3
Ecwid Ecommerce Shopping Cart <= 6.12.3 – Missing Authorization on multiple functions
CVE ID: CVE Unknown
CVSS Score: 5.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f3d5bc99-2b55-4e19-8304-e56f3d4a2f1a
Ultimate Addons for Contact Form 7 <= 3.2.6 – Missing Authorization
CVE ID: CVE-2023-47693
CVSS Score: 5.3 (Medium)
Researcher/s: minhtuanact
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/73720e67-79e5-4b4c-8720-e28ad718b2b3
Front End PM < 11.4.3 – Sensitive Information Exposure via Directory Listing
CVE ID: CVE-2023-4930
CVSS Score: 5.3 (Medium)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8250c277-200a-4808-98ae-ede169aad3fd
CoCart – Headless ecommerce <= 3.9.0 – Missing Authorization
CVE ID: CVE-2023-47241
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/98e8e09c-f2fe-40ab-b1ce-62a1627b6b65
Restrict Content <= 3.2.7 – Information Exposure via legacy log file
CVE ID: CVE-2023-47668
CVSS Score: 5.3 (Medium)
Researcher/s: Joshua Chan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ad2d5070-ddc6-4478-abe5-776e197a4507
Cloud Templates & Patterns collection <= 1.2.2 – Sensitive Information Exposure via Log File
CVE ID: CVE-2023-47529
CVSS Score: 5.3 (Medium)
Researcher/s: Joshua Chan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c59baad8-b888-4475-8371-645811a6b569
Email Marketing for WooCommerce by Omnisend <= 1.13.8 – Sensitive Information Exposure
CVE ID: CVE-2023-47244
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cc2cd74d-b828-4524-b33d-c806bfd970b9
Seers <= 8.0.6 – Missing Authorization via multiple AJAX actions
CVE ID: CVE-2023-47515
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d300288e-f100-4c02-ba65-d728e3b1522e
Animator <= 3.0.9 – Missing Authorization to Plugin Settings Update
CVE ID: CVE-2023-47689
CVSS Score: 5.3 (Medium)
Researcher/s: Elliot
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f8457aeb-867b-4185-8271-a5452b7c5365
WooCommerce Product Enquiry <= 2.3.4 – Unauthenticated Self-Based Cross-Site Scripting
CVE ID: CVE-2023-32796
CVSS Score: 4.7 (Medium)
Researcher/s: Emili Castells
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/97c68df7-69fd-4817-9473-3d3e1fd6d348
Integrate Google Drive <= 1.3.1 – Open Redirect via state
CVE ID: CVE-2023-47548
CVSS Score: 4.7 (Medium)
Researcher/s: minhtuanact
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bccceb2d-2087-4ee6-8118-eb3fb53654dc
Amazonify <= 0.8.1 – Authenticated (Admin+) Stored Cross-Site Scripting
CVE ID: CVE-2023-5819
CVSS Score: 4.4 (Medium)
Researcher/s: Ala Arfaoui
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/41adfb58-d79f-40a3-8a7e-f3f08f64659f
WP Edit Username <= 1.0.5 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-47528
CVSS Score: 4.4 (Medium)
Researcher/s: Jeongwoo-Lee
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/47461b7b-e986-4048-88aa-175242305795
Pinyin Slugs <= 2.3.0 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-47511
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/65e76681-80e0-40aa-a68b-87cb0c42b4f8
OneClick Chat to Order <= 1.0.4.2 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-47546
CVSS Score: 4.4 (Medium)
Researcher/s: Luqman Hakim Y
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/94f338c2-95c9-4ce8-8579-0b2b66547aa0
ANAC XML Viewer <= 1.7 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-47245
CVSS Score: 4.4 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9af963ed-8bc5-4b5e-bacd-30a2ef429ce8
Team Members Showcase <= 1.3.4 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-32957
CVSS Score: 4.4 (Medium)
Researcher/s: Emili Castells
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ad88c661-601c-411f-9495-2c3b8a568c6b
Product Visibility by Country for WooCommerce <= 1.4.9 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-47660
CVSS Score: 4.4 (Medium)
Researcher/s: Emili Castells
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e56b11a1-dd40-461b-9624-b60367c0c727
Custom post types <= 4.0.12 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/eb94520e-a99d-4e34-b174-e01898de0978
TWB Woocommerce Reviews <= 1.7.5 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-47653
CVSS Score: 4.4 (Medium)
Researcher/s: Emili Castells
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f85df8f1-9283-48d0-8f19-88a4a839d501
Flo Forms <= 1.0.41 – Missing Authorization via flo_send_test_email
CVE ID: CVE-2023-47692
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/04401d7e-996d-4b46-b391-bfb0b065900b
Arigato Autoresponder and Newsletter <= 2.7.2.2 – Cross-Site Request Forgery
CVE ID: CVE-2023-47686
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1bf798b5-2a5c-42d9-a4b3-d3ed056e1fdb
Best Restaurant Menu by PriceListo <= 1.3.1 – Cross-Site Request Forgery via menu_page
CVE ID: CVE-2023-47649
CVSS Score: 4.3 (Medium)
Researcher/s: Skalucy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1c24f881-52bc-4210-9037-bcdd1e4aa895
Amazonify <= 0.8.1 – Cross-Site Request Forgery to Amazon Tracking ID Update
CVE ID: CVE-2023-5818
CVSS Score: 4.3 (Medium)
Researcher/s: Ala Arfaoui
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/33f3c466-bdeb-402f-bf34-bc703f35e1e2
ANAC XML Bandi di Gara <= 7.5 – Cross-Site Request Forgery via settings.php
CVE ID: CVE-2023-47655
CVSS Score: 4.3 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/36cf102b-bff1-4516-9a76-030ddc98c207
WooCommerce Product Table Lite <= 2.6.2 – Cross-Site Request Forgery
CVE ID: CVE-2023-47519
CVSS Score: 4.3 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4528f805-bbf3-4a0f-a06f-879c6e607bfa
Patreon WordPress <= 1.8.6 – Cross-Site Request Forgery
CVE ID: CVE-2023-41129
CVSS Score: 4.3 (Medium)
Researcher/s: BuShiYue
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/481121b2-4ea9-489e-b582-ec8bbf87c902
Product Catalog Simple <= 1.7.5 – Cross-Site Request Forgery via ic_system_status
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4a134509-8dc0-41ac-9b5c-5b173a1e3c68
BadgeOS <= 3.7.1.6 – Missing Authorization
CVE ID: CVE-2023-47647
CVSS Score: 4.3 (Medium)
Researcher/s: Elliot
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/515e62ba-c3b8-42d0-95e3-be347b8851a5
Korea SNS <= 1.6.3 – Cross-Site Request Forgery via kon_tergos_options
CVE ID: CVE-2023-47670
CVSS Score: 4.3 (Medium)
Researcher/s: LEE SE HYOUNG (hackintoanetwork)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/51d07d2a-74e6-499e-8d66-90893faedeaf
Woo Custom and Sequential Order Number <= 2.6.0 – Cross-Site Request Forgery
CVE ID: CVE-2023-47687
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/67279c70-c416-4d18-9951-470773b9221a
WP Links Page <= 4.9.4 – Cross-Site Request Forgery via wplf_ajax_update_screenshots
CVE ID: CVE-2023-47651
CVSS Score: 4.3 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6fa70ddc-9a5c-4001-967a-5aad789c862c
Dragfy Addons for Elementor <= 1.0.2 – Missing Authorization via save_settings
CVE ID: CVE-2023-47661
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7caaaaef-075b-44f6-8809-a02d5f034f26
WordPress Backup & Migration <= 1.4.3 – Missing Authorization to Settings Update
CVE ID: CVE-2023-5737
CVSS Score: 4.3 (Medium)
Researcher/s: Krzysztof Zając
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7de132d5-51c9-464c-b687-8e367dd8d846
Donations Made Easy – Smart Donations <= 4.0.12 – Cross-Site Request Forgery
CVE ID: CVE-2023-47551
CVSS Score: 4.3 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7f5d3973-5bbb-4c85-9790-e12f3fc14f30
Foyer <= 1.7.5 – Content Injection via Improper Access Control
CVE ID: CVE-2023-47663
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/97344674-15df-45e6-9906-f21a9920a6e1
Preloader Matrix <= 2.0.1 – Cross-Site Request Forgery
CVE ID: CVE-2023-47685
CVSS Score: 4.3 (Medium)
Researcher/s: Skalucy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/97548879-f015-4adc-8a84-535d210ae0de
Youtube SpeedLoad <= 0.6.3 – Cross-Site Request Forgery
CVE ID: CVE-2023-47688
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9d11c022-9938-4a9e-be16-db986fdfa1c8
Plugin Name: Device Theme Switcher <= 3.0.2 – Cross-Site Request Forgery
CVE ID: CVE-2023-47556
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9d64d711-f2d9-4447-9ac1-80c5ea51c23e
ImageMapper <= 1.2.6 – Cross-Site Request Forgery to Plugin Settings Change via ajax
CVE ID: CVE-2023-5975
CVSS Score: 4.3 (Medium)
Researcher/s: István Márton
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a128018b-f19b-4b18-a53c-cf1310d3d0e7
WP Full Stripe Free <= 1.6.1 – Cross-Site Request Forgery
CVE ID: CVE-2023-47667
CVSS Score: 4.3 (Medium)
Researcher/s: LEE SE HYOUNG (hackintoanetwork)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a4f7211b-0ff0-406e-9a0a-2dd7b1314d6d
MSHOP MY SITE <= 1.1.6 – Missing Authorization via update_settings
CVE ID: CVE-2023-47243
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bc2cbf43-3e8a-4364-9355-6d6587204c1c
Plainview Protect Passwords <= 1.4 – Cross-Site Request Forgery
CVE ID: CVE-2023-47664
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bc59b997-a8e2-4c75-aa5f-36cc5a66326e
UserHeat Plugin <= 1.1.6 – Cross-Site Request Forgery
CVE ID: CVE-2023-47553
CVSS Score: 4.3 (Medium)
Researcher/s: LEE SE HYOUNG (hackintoanetwork)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c03b5670-9f7e-4001-ba90-197559b794a1
Easy Social Icons <= 3.2.4 – Missing Authorization via cnss_save_ajax_order
CVE ID: CVE-2023-33998
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Anh Tien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c3bdc0c4-34fb-43cc-ba2b-340347bca146
Auto Tag Creator <= 1.0.2 – Missing Authorization via tag_save_settings_callback
CVE ID: CVE-2023-47523
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d4b6d2c6-d157-4c4c-b6e1-557b8353c742
Droit Dark Mode <= 1.1.2 – Cross-Site Request Forgery
CVE ID: CVE-2023-47531
CVSS Score: 4.3 (Medium)
Researcher/s: Elliot
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e3afaa85-9eb5-4cc4-883a-11d42504a8e1
Visitors Traffic Real Time Statistics <= 7.2 – Missing Authorization via multiple AJAX actions
CVE ID: CVE-2023-47557
CVSS Score: 4.3 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f4aac424-abf3-4d6c-a0a4-a95e2cf89864
ProfileGrid <= 5.6.6 – Cross-Site Request Forgery
CVE ID: CVE-2023-47644
CVSS Score: 4.3 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f58efd6c-58f2-464b-8aaf-f4f5c4c52f09
ARI Stream Quiz <= 1.3.0 – Authenticated(Contributor+) Content Injection
CVE ID: CVE-2023-47513
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fa6fc22e-0d30-4c4b-8c8d-13f04ed1aa7c
Image Hover Effects <= 5.5 – Cross-Site Request Forgery
CVE ID: CVE-2023-47552
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fb947f1f-8cce-448d-9c86-1d3c01a4637d
Job Manager & Career <= 1.4.3 – Sensitive Information Exposure
CVE ID: CVE-2023-5906
CVSS Score: 3.7 (Low)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c66bc0b1-c157-4c05-ae9d-0927863c6b95
As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.
This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
Comments