Wordfence Intelligence Weekly WordPress Vulnerability Report (October 30, 2023 to November 5, 2023)
🎉Wordfence just launched its bug bounty program. Over the next 6 months, all awarded bounties receive a 10% bonus. View the announcement to learn more now!
Last week, there were 79 vulnerabilities disclosed in 64 WordPress Plugins and no WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 22 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.
Enterprises, Hosting Providers, and even Indivudals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 12,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
- 10Web Booster <= 2.24.14 – Unauthenticated Arbitrary Option Deletion
- WooODT Lite <= 2.4.6 – Missing Authorization to Arbitrary Options Update
- MStore API <= 4.10.7 – Unauthorized Account Access and Privilege Escalation
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.
Total Unpatched & Patched Vulnerabilities Last Week
Patch Status | Number of Vulnerabilities |
Unpatched | 15 |
Patched | 64 |
Total Vulnerabilities by CVSS Severity Last Week
Severity Rating | Number of Vulnerabilities |
Low Severity | 0 |
Medium Severity | 54 |
High Severity | 23 |
Critical Severity | 2 |
Total Vulnerabilities by CWE Type Last Week
Vulnerability Type by CWE | Number of Vulnerabilities |
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 23 |
Missing Authorization | 19 |
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 16 |
Cross-Site Request Forgery (CSRF) | 13 |
Unrestricted Upload of File with Dangerous Type | 2 |
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) | 2 |
Protection Mechanism Failure | 2 |
Improper Control of Generation of Code (‘Code Injection’) | 1 |
Authorization Bypass Through User-Controlled Key | 1 |
Researchers That Contributed to WordPress Security Last Week
Researcher Name | Number of Vulnerabilities |
Lana Codes (Wordfence Vulnerability Researcher) |
22 |
Alex Thomas (Wordfence Vulnerability Researcher) |
14 |
Abdi Pranata | 7 |
Marco Wotschka (Wordfence Vulnerability Researcher) |
4 |
yuyudhn | 4 |
Duc Manh | 4 |
Naveen Muthusamy | 2 |
Mika | 2 |
Ala Arfaoui | 2 |
Vladislav Pokrovsky | 1 |
DoYeon Park (p6rkdoye0n) | 1 |
Emili Castells | 1 |
Rachit Arora | 1 |
Revan Arifio | 1 |
dc11 | 1 |
NGÔ THIÊN AN (ancorn_) | 1 |
Rafie Muhammad | 1 |
Brandon James Roldan | 1 |
lttn | 1 |
thiennv | 1 |
Cat | 1 |
Huynh Tien Si | 1 |
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
Software Name | Software Slug |
AI ChatBot | chatbot |
Admin Bar & Dashboard Access Control | admin-bar-dashboard-control |
Ads by datafeedr.com | ads-by-datafeedrcom |
Advance Menu Manager | advance-menu-manager |
Animated Rotating Words (Interchanging Random Words in a Sentence) | css3-rotating-words |
Apollo13 Framework Extensions | apollo13-framework-extensions |
Auto Publish for Google My Business | wp-google-my-business-auto-publish |
Basic Interactive World Map | basic-interactive-world-map |
Comments Ratings | comments-ratings |
Comments – wpDiscuz | wpdiscuz |
Decorator – WooCommerce Email Customizer | decorator-woocommerce-email-customizer |
Defender Security – Malware Scanner, Login Security & Firewall | defender-security |
Digirisk | digirisk |
Drag and Drop Multiple File Upload – Contact Form 7 | drag-and-drop-multiple-file-upload-contact-form-7 |
Easy PayPal Shopping Cart | easy-paypal-shopping-cart |
Email Templates Customizer and Designer for WordPress and WooCommerce | email-templates |
Finale Lite – Sales Countdown Timer & Discount for WooCommerce | finale-woocommerce-sales-countdown-timer-discount |
Gift Up Gift Cards for WordPress and WooCommerce | gift-up |
GiveWP – Donation Plugin and Fundraising Platform | give |
HTML filter and csv-file search | hk-filter-and-search |
Icons Font Loader | icons-font-loader |
IdeaPush | ideapush |
Image horizontal reel scroll slideshow | image-horizontal-reel-scroll-slideshow |
Image vertical reel scroll slideshow | image-vertical-reel-scroll-slideshow |
Information Reel | information-reel |
Interact: Embed A Quiz On Your Site | interact-quiz-embed |
Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free | funnelforms-free |
Jquery accordion slideshow | jquery-accordion-slideshow |
Jquery news ticker | jquery-news-ticker |
Kadence WooCommerce Email Designer | kadence-woocommerce-email-designer |
Layer Slider | slider-slideshow |
Left right image slideshow gallery | left-right-image-slideshow-gallery |
Linker | linker |
Live updates from Excel | ipushpull |
Message ticker | message-ticker |
Popup with fancybox | popup-with-fancybox |
Post Sliders & Post Grids | post-slider-carousel |
Product Catalog Mode For Woocommerce | woocommerce-catalog-enquiry |
SEO Slider | seo-slider |
Short URL | shorten-url |
ShortCodes UI | shortcodes-ui |
Social Feed | All social media in one place | add-facebook |
Solid Security – Password, Two Factor Authentication, and Brute Force Protection | better-wp-security |
Superb slideshow gallery | superb-slideshow-gallery |
The Plus Addons for Elementor Page Builder | theplus_elementor_addon |
Top 10 – WordPress Popular posts by WebberZone | top-10 |
Top 25 Social Icons | top-25-social-icons |
Up down image slideshow gallery | up-down-image-slideshow-gallery |
UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WordPress | userswp |
Vertical marquee plugin | vertical-marquee-plugin |
WP Affiliate Disclosure | wp-affiliate-disclosure |
WP Customer Reviews | wp-customer-reviews |
WP Meta and Date Remover | wp-meta-and-date-remover |
WP Travel – Best Travel Booking WordPress Plugin, Tour Management Engine | wp-travel |
WP fade in text news | wp-fade-in-text-news |
WooODT Lite – WooCommerce Order Delivery or Pickup with Date Time Location | byconsole-woo-order-delivery-time |
Wp anything slider | wp-anything-slider |
Wp photo text slider 50 | wp-photo-text-slider-50 |
Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress | youzify |
iPages Flipbook For WordPress | ipages-flipbook |
idbbee | idbbee |
iframe forms | iframe-forms |
video carousel slider with lightbox | wp-responsive-video-gallery-with-lightbox |
wp image slideshow | wp-image-slideshow |
Vulnerability Details
Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.
The Plus Addons for Elementor Pro <= 5.2.8 – Unauthenticated Local File Inclusion
CVE ID: CVE-2023-47178
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4d739821-569d-42d7-a4c5-70e32d5d41a1
Ads by datafeedr.com <= 1.1.3 – Unauthenticated (Limited) Remote Code Execution
CVE ID: CVE-2023-5843
CVSS Score: 9 (Critical)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5412fd87-49bc-445c-8d16-443e38933d1e
Image vertical reel scroll slideshow <= 9.0 – Authenticated (Subscriber+) SQL Injection via Shortcode
CVE ID: CVE-2023-5428
CVSS Score: 8.8 (High)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/01d31d8a-4459-488a-9cbe-92761faa58b4
Jquery accordion slideshow <= 8.1 – Authenticated (Subscriber+) SQL Injection via Shortcode
CVE ID: CVE-2023-5464
CVSS Score: 8.8 (High)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0531ca34-5d7b-4071-a1aa-934f14b87728
Image horizontal reel scroll slideshow <= 13.2 – Authenticated (Subscriber+) SQL Injection via Shortcode
CVE ID: CVE-2023-5412
CVSS Score: 8.8 (High)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/08fb698f-c87c-4200-85fe-3fe72745633e
Up down image slideshow gallery <= 12.0 – Authenticated (Subscriber+) SQL Injection via Shortcode
CVE ID: CVE-2023-5435
CVSS Score: 8.8 (High)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0b72cf6f-4924-4fa5-8e1a-4054dfe73be0
Superb slideshow gallery <= 13.1 – Authenticated (Subscriber+) SQL Injection via Shortcode
CVE ID: CVE-2023-5434
CVSS Score: 8.8 (High)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3a12945d-a67c-4a19-a4e7-f65f5f2a21bb
Jquery news ticker <= 3.0 – Authenticated (Subscriber+) SQL Injection via Shortcode
CVE ID: CVE-2023-5430
CVSS Score: 8.8 (High)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3b7f8739-7f40-40a7-952e-002ea3b82ac7
Wp photo text slider 50 <= 8.0 – Authenticated (Subscriber+) SQL Injection via Shortcode
CVE ID: CVE-2023-5439
CVSS Score: 8.8 (High)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/515502b5-c344-4855-aff1-57833233c5d2
Wp anything slider <= 9.1 – Authenticated (Subscriber+) SQL Injection via Shortcode
CVE ID: CVE-2023-5466
CVSS Score: 8.8 (High)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/535e754e-f851-4809-a148-d9ba808b9d8a
Information Reel <= 10.0 – Authenticated (Subscriber+) SQL Injection via Shortcode
CVE ID: CVE-2023-5429
CVSS Score: 8.8 (High)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/64db63e5-ff76-494a-be4f-d820f0cc9ab0
Left right image slideshow gallery <= 12.0 – Authenticated (Subscriber+) SQL Injection via Shortcode
CVE ID: CVE-2023-5431
CVSS Score: 8.8 (High)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/69902627-ce79-4a43-8949-43db6a9cc0dd
wp image slideshow <= 12.0 – Authenticated (Subscriber+) SQL Injection via Shortcode
CVE ID: CVE-2023-5438
CVSS Score: 8.8 (High)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7e24383b-5b0f-4114-908b-4c2778632f73
WooODT Lite <= 2.4.6 – Missing Authorization to Arbitrary Options Update
CVE ID: CVE-2023-47179
CVSS Score: 8.8 (High)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9939f297-e3ca-4d7d-9acd-c416ee2014c9
WP fade in text news <= 12.0 – Authenticated (Subscriber+) SQL Injection via Shortcode
CVE ID: CVE-2023-5437
CVSS Score: 8.8 (High)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b4accf10-710e-4cba-8d61-04e422324f9d
Popup with fancybox <= 3.5 – Authenticated (Subscriber+) SQL Injection via Shortcode
CVE ID: CVE-2023-5465
CVSS Score: 8.8 (High)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c943cf0b-0e99-4d47-808d-2b803369d53a
Vertical marquee plugin <= 7.1 – Authenticated (Subscriber+) SQL Injection via Shortcode
CVE ID: CVE-2023-5436
CVSS Score: 8.8 (High)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cd90d9c0-0cab-4fd3-b016-106032f300f7
Message ticker <= 9.2 – Authenticated (Subscriber+) SQL Injection via Shortcode
CVE ID: CVE-2023-5433
CVSS Score: 8.8 (High)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d0b1fa88-2fc6-41af-bd39-12af92dc6533
HTML filter and csv-file search <= 2.7 – Authenticated (Contributor+) Local File Inclusion via Shortcode
CVE ID: CVE-2023-5099
CVSS Score: 8.8 (High)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ee2b4055-8cbd-49b7-bb0b-eddef85060fc
Drag and Drop Multiple File Upload – Contact Form 7 <= 1.3.7.3 – Unauthenticated Arbitrary File Upload
CVE ID: CVE-2023-5822
CVSS Score: 8.1 (High)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1b3be300-5b7f-4844-8637-1bb8c939ed4c
Finale Lite <= 2.16.0 – Missing Authorization to Content Deletion
CVE ID: CVE-2023-47180
CVSS Score: 7.5 (High)
Researcher/s: Unknown
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/725bce1b-ec76-411d-928c-2aea47867292
WP Travel <= 7.5.0 – Missing Authorization via Multiple AJAX Actions
CVE ID: CVE-2023-47224
CVSS Score: 7.5 (High)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d23d2cdf-206e-4714-9753-198519ba737b
wpDiscuz <= 7.6.11 – Unauthenticated Stored Cross-Site Scripting via Comment Uploaded Image Filename
CVE ID: CVE-2023-47185
CVSS Score: 7.2 (High)
Researcher/s: Vladislav Pokrovsky
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/026ff6f4-077e-4fee-8fbe-8176f8ca5af3
Icons Font Loader <= 1.1.2 – Authenticated (Administrator+) Arbitrary File Upload
CVE ID: CVE-2023-5860
CVSS Score: 7.2 (High)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/12a9fbe8-445a-478a-b6ce-cd669ccb6a2d
iPages Flipbook < 1.5.0 – Authenticated (Administrator+) SQL Injection
CVE ID: CVE Unknown
CVSS Score: 7.2 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/279a02e1-7b61-4edd-ab67-6a7fed4e17c1
Funnelforms Free <= 3.4 – Missing Authorization to Arbitrary Post Deletion
CVE ID: CVE-2023-5386
CVSS Score: 6.5 (Medium)
Researcher/s: Alex Thomas, Duc Manh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/400fe58b-8203-4fd5-a3d3-d30eb1b8cd85
Funnelforms Free <= 3.4 – Cross-Site Request Forgery to Arbitrary Post Deletion
CVE ID: CVE-2023-5382
CVSS Score: 6.5 (Medium)
Researcher/s: Duc Manh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/72e4428b-d2cd-471f-9821-947f4601fd64
Youzify <= 1.2.2 – Insecure Direct Object Reference
CVE ID: CVE-2023-47191
CVSS Score: 6.5 (Medium)
Researcher/s: lttn
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/94c98edf-6f4a-4c23-afa7-d5caaa22397f
Short URL <= 1.6.8 – Missing Authorization via multiple AJAX functions
CVE ID: CVE-2023-47225
CVSS Score: 6.5 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a83061c0-d8d3-4dbe-bf2a-65350d17094b
HTML filter and csv-file search <= 2.7 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-5096
CVSS Score: 6.4 (Medium)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/157eddd4-67f0-4a07-b3ab-11dbfb9f12aa
SEO Slider <= 1.1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-5707
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/32bc88a7-93ed-4d67-9383-b6d935a0df4d
WP Meta and Date Remover < 2.2.0 – Authenticated (Subscriber+) Stored Cross-Site Scripting via settings
CVE ID: CVE-2023-4823
CVSS Score: 6.4 (Medium)
Researcher/s: dc11
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3da0a44f-d4b4-4330-a2e3-d25a2a7df926
Linker <= 1.2.1 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-47177
CVSS Score: 6.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3fd620a3-5d9e-4bc3-b026-871610df7c2d
Apollo13 Framework Extensions <= 1.9.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-47190
CVSS Score: 6.4 (Medium)
Researcher/s: NGÔ THIÊN AN (ancorn_)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4c5b2ce5-d3bf-4412-b329-470a1115260b
Gift Up Gift Cards for WordPress and WooCommerce <= 2.20.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-5703
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4e498706-3dbe-4c48-9c0d-0d90677aba0d
Interact: Embed A Quiz On Your Site <= 3.0.7 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-5659
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/69ba1a39-ddb0-4661-8104-d8bb71710e0c
iframe forms <= 1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via iframe Shortcode
CVE ID: CVE-2023-5073
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes, Alex Thomas
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/818de7f7-913a-4ade-927e-bba281b4709a
Live updates from Excel <= 2.3.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-5116
CVSS Score: 6.4 (Medium)
Researcher/s: Alex Thomas
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ab856722-e954-49de-a93f-46664da6e3e8
Download Top 25 Social Icons <= 3.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-47229
CVSS Score: 6.4 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b9e3e417-d8a8-4e32-99aa-650e0a25a415
Easy PayPal Shopping Cart <= 1.1.10 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cf6e3552-9616-4da1-8d8e-a6144ba1d0a3
ShortCodes UI <= 1.9.8 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-47231
CVSS Score: 6.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f6c14c65-a47c-4dc1-9d5a-f804061152e4
Digirisk 6.0.0.0 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-5946
CVSS Score: 6.1 (Medium)
Researcher/s: Ala Arfaoui
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d41355ed-77d0-48b3-bbb3-4cc3b4df4b2a
GiveWP <= 2.33.3 – Cross-Site Request Forgery to Stripe Integration Deletion
CVE ID: CVE-2023-4248
CVSS Score: 5.4 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2bff8dea-6971-47d4-bd2c-0821687033e5
Auto Publish for Google My Business <= 3.7 – Cross-Site Request Forgery
CVE ID: CVE Unknown
CVSS Score: 5.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3d4b9f07-a4a0-4cbd-a147-281570bc7f4a
idbbee <= 1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-5114
CVSS Score: 5.4 (Medium)
Researcher/s: Lana Codes, Alex Thomas
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ac763936-7147-4100-8a46-4c6d2f2224b4
GiveWP <= 2.33.3 – Cross-Site Request Forgery to plugin deactivation
CVE ID: CVE-2023-4247
CVSS Score: 5.4 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e32d9104-5a39-4455-b76a-e24ae787bdfd
GiveWP <= 2.33.1 – Missing Authorization via handleBeforeGateway
CVE ID: CVE-2023-47183
CVSS Score: 5.3 (Medium)
Researcher/s: Revan Arifio
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3b6b1b7e-2ba4-4b72-9e3d-b54c00437cac
Defender Security <= 4.2.0 – Masked Login Area Security Feature Bypass
CVE ID: CVE-2023-5977
CVSS Score: 5.3 (Medium)
Researcher/s: Naveen Muthusamy
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/66122be6-7c28-44cc-a8dd-7b2ec64346f7
Solid Security Basic <= 9.0.0 – Unauthenticated Login Page Disclosure
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Naveen Muthusamy
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/88163d55-ab97-4697-a25b-d54615e2a843
Post Sliders & Post Grids <= 1.0.20 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-47226
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2ddc39a8-57b7-46be-878a-2e1cf3271bd2
Basic Interactive World Map <= 2.0 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-47223
CVSS Score: 4.4 (Medium)
Researcher/s: DoYeon Park (p6rkdoye0n)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/321b2b0d-8169-4e80-b86f-2ae29d9b8b7d
IdeaPush <= 8.46 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-47181
CVSS Score: 4.4 (Medium)
Researcher/s: Emili Castells
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3673a86c-1e11-45ad-8944-84a38aad53dd
Admin Bar & Dashboard Control <= 1.2.8 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-47184
CVSS Score: 4.4 (Medium)
Researcher/s: Rachit Arora
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/37aa3d05-79b6-49ea-b698-afa78615e438
Social Feed | All social media in one place <= 1.5.4.6 – Authenticated (Administrator+) Stored Cross-Site Scripting]
CVE ID: CVE-2023-47227
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4a77675b-5a31-4bc1-b4bd-36dd9a612b7c
Comments Ratings <= 1.1.7 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-23702
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5786b859-3ee9-45ab-8926-f4a09e323e3b
Layer Slider <= 1.1.9.7 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-47228
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6df68d66-7294-4dff-8ba8-394932a64281
ChatBot 4.8.6 – 4.9.6 – Authenticated (Administrator+) Stored Cross-Site Scripting in FAQ Builder
CVE ID: CVE-2023-5606
CVSS Score: 4.4 (Medium)
Researcher/s: Huynh Tien Si
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fc305c48-8337-42b7-ad61-61aea8018def
Advance Menu Manager <= 3.0.6 – Missing Authorization
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/04ad816b-0ac0-44b5-928a-5bb3e36523b2
WP Affiliate Disclosure <= 1.2.6 – Cross-Site Request Forgery via check_capability
CVE ID: CVE-2023-47232
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/11cc8c6e-b60e-46b3-966e-07b1fb2bf8e9
Funnelforms Free <= 3.4 – Missing Authorization to Category Update
CVE ID: CVE-2023-5417
CVSS Score: 4.3 (Medium)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/148794ea-3bc9-4084-bdb9-6ee63a781a39
Animated Rotating Words <= 5.4 – Cross-Site Request Forgery via save_admin_options
CVE ID: CVE-2023-47187
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/15b7008f-07fc-4f8a-b214-8ac0c4cf6d99
WP Customer Reviews <= 3.6.6 – Authenticated (Subscriber+) Sensitive Information Exposure
CVE ID: CVE-2023-4686
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/24b9984c-ec33-4492-815b-67a21ac4da0e
UsersWP <= 1.2.3.22 – Cross-Site Request Forgery
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/413d3ec0-8d04-4bef-9394-f666cfed733e
Animated Rotating Words <= 5.4 – Missing Authorization via save_admin_options
CVE ID: CVE-2023-47187
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/41d9786e-4ce3-42d6-a0d6-8eb863103d5c
Funnelforms Free <= 3.4 – Missing Authorization to Test Email Sending
CVE ID: CVE-2023-5419
CVSS Score: 4.3 (Medium)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/64248d15-e6a7-442f-b269-e9f629d297d3
Funnelforms Free <= 3.4 – Missing Authorization to New Category Creation
CVE ID: CVE-2023-5415
CVSS Score: 4.3 (Medium)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6ec3051e-a5e4-48ee-8f8e-eb5dbc482f33
Kadence WooCommerce Email Designer <= 1.5.11 – Cross-Site Request Forgery
CVE ID: CVE-2023-47186
CVSS Score: 4.3 (Medium)
Researcher/s: Brandon James Roldan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7b8483b8-07b4-436f-992f-35e16fef867b
Top 10 <= 3.3.2 – Cross-Site Request Forgery via edit_count_ajax
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7e7d3bf0-1860-45b0-b928-2291b0f98902
Funnelforms Free <= 3.4 – Missing Authorization to Post Modification
CVE ID: CVE-2023-5411
CVSS Score: 4.3 (Medium)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/816f5fc1-e4e6-4c0d-b222-fe733f026e33
Funnelforms Free <= 3.4 – Missing Authorization to Category Deletion
CVE ID: CVE-2023-5416
CVSS Score: 4.3 (Medium)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/992fc98f-4b23-4596-81fb-5543d82fd615
Funnelforms Free <= 3.4 – Missing Authorization to Enable/Disable Dark Mode
CVE ID: CVE-2023-5387
CVSS Score: 4.3 (Medium)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ccb34b44-9fa4-4ebe-b217-b2a42920247f
Advance Menu Manager <= 3.0.6 – Cross-Site Request Forgery
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cf34af9d-4de7-498d-8065-c3cc6818b7c4
Funnelforms Free <= 3.4 – Cross-Site Request Forgery to Arbitrary Post Duplication
CVE ID: CVE-2023-5383
CVSS Score: 4.3 (Medium)
Researcher/s: Duc Manh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d35ec0f0-fa7a-4531-b5f7-5adcf2af051c
Decorator – WooCommerce Email Customizer <= 1.2.7 – Cross-Site Request Forgery
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: thiennv
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/db664d0a-a58d-4d8b-ae0a-074f32d8710c
video carousel slider with lightbox 1.0 – Cross-Site Request Forgery
CVE ID: CVE-2023-5945
CVSS Score: 4.3 (Medium)
Researcher/s: Ala Arfaoui
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/dc052b00-65a7-4668-8bdd-b06d69d12a4a
GiveWP <= 2.33.3 – Cross-Site Request Forgery to plugin installation
CVE ID: CVE-2023-4246
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/dc5c511f-dc79-468b-a107-cdf50999faf8
Funnelforms Free <= 3.4 – Missing Authorization to Arbitrary Post Duplication
CVE ID: CVE-2023-5385
CVSS Score: 4.3 (Medium)
Researcher/s: Alex Thomas, Duc Manh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e2719afc-e52c-4fcc-b030-2f6aaddb5ab9
Product Catalog Enquiry <= 5.0.2
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e881ba2f-0e88-4c7b-aa0d-84e816019db9
Email Templates <= 1.4.2 – Cross-Site Request Forgery via send_test_email
CVE ID: CVE-2022-47181
CVSS Score: 4.3 (Medium)
Researcher/s: Cat
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f3e1851a-9545-4687-b58b-5cdad3291525
As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.
This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
Comments