Wordfence Intelligence Weekly WordPress Vulnerability Report (October 30, 2023 to November 5, 2023)

🎉Wordfence just launched its bug bounty program. Over the next 6 months, all awarded bounties receive a 10% bonus. View the announcement to learn more now!

Last week, there were 79 vulnerabilities disclosed in 64 WordPress Plugins and no WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 22 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Enterprises, Hosting Providers, and even Indivudals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 12,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.


New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.


Total Unpatched & Patched Vulnerabilities Last Week

Patch Status Number of Vulnerabilities
Unpatched 15
Patched 64

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating Number of Vulnerabilities
Low Severity 0
Medium Severity 54
High Severity 23
Critical Severity 2

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) 23
Missing Authorization 19
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) 16
Cross-Site Request Forgery (CSRF) 13
Unrestricted Upload of File with Dangerous Type 2
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) 2
Protection Mechanism Failure 2
Improper Control of Generation of Code (‘Code Injection’) 1
Authorization Bypass Through User-Controlled Key 1

Researchers That Contributed to WordPress Security Last Week

Researcher Name Number of Vulnerabilities
Lana Codes
(Wordfence Vulnerability Researcher)
22
Alex Thomas
(Wordfence Vulnerability Researcher)
14
Abdi Pranata 7
Marco Wotschka
(Wordfence Vulnerability Researcher)
4
yuyudhn 4
Duc Manh 4
Naveen Muthusamy 2
Mika 2
Ala Arfaoui 2
Vladislav Pokrovsky 1
DoYeon Park (p6rkdoye0n) 1
Emili Castells 1
Rachit Arora 1
Revan Arifio 1
dc11 1
NGÔ THIÊN AN (ancorn_) 1
Rafie Muhammad 1
Brandon James Roldan 1
lttn 1
thiennv 1
Cat 1
Huynh Tien Si 1

 

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.


WordPress Plugins with Reported Vulnerabilities Last Week

Software Name Software Slug
AI ChatBot chatbot
Admin Bar & Dashboard Access Control admin-bar-dashboard-control
Ads by datafeedr.com ads-by-datafeedrcom
Advance Menu Manager advance-menu-manager
Animated Rotating Words (Interchanging Random Words in a Sentence) css3-rotating-words
Apollo13 Framework Extensions apollo13-framework-extensions
Auto Publish for Google My Business wp-google-my-business-auto-publish
Basic Interactive World Map basic-interactive-world-map
Comments Ratings comments-ratings
Comments – wpDiscuz wpdiscuz
Decorator – WooCommerce Email Customizer decorator-woocommerce-email-customizer
Defender Security – Malware Scanner, Login Security & Firewall defender-security
Digirisk digirisk
Drag and Drop Multiple File Upload – Contact Form 7 drag-and-drop-multiple-file-upload-contact-form-7
Easy PayPal Shopping Cart easy-paypal-shopping-cart
Email Templates Customizer and Designer for WordPress and WooCommerce email-templates
Finale Lite – Sales Countdown Timer & Discount for WooCommerce finale-woocommerce-sales-countdown-timer-discount
Gift Up Gift Cards for WordPress and WooCommerce gift-up
GiveWP – Donation Plugin and Fundraising Platform give
HTML filter and csv-file search hk-filter-and-search
Icons Font Loader icons-font-loader
IdeaPush ideapush
Image horizontal reel scroll slideshow image-horizontal-reel-scroll-slideshow
Image vertical reel scroll slideshow image-vertical-reel-scroll-slideshow
Information Reel information-reel
Interact: Embed A Quiz On Your Site interact-quiz-embed
Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free funnelforms-free
Jquery accordion slideshow jquery-accordion-slideshow
Jquery news ticker jquery-news-ticker
Kadence WooCommerce Email Designer kadence-woocommerce-email-designer
Layer Slider slider-slideshow
Left right image slideshow gallery left-right-image-slideshow-gallery
Linker linker
Live updates from Excel ipushpull
Message ticker message-ticker
Popup with fancybox popup-with-fancybox
Post Sliders & Post Grids post-slider-carousel
Product Catalog Mode For Woocommerce woocommerce-catalog-enquiry
SEO Slider seo-slider
Short URL shorten-url
ShortCodes UI shortcodes-ui
Social Feed | All social media in one place add-facebook
Solid Security – Password, Two Factor Authentication, and Brute Force Protection better-wp-security
Superb slideshow gallery superb-slideshow-gallery
The Plus Addons for Elementor Page Builder theplus_elementor_addon
Top 10 – WordPress Popular posts by WebberZone top-10
Top 25 Social Icons top-25-social-icons
Up down image slideshow gallery up-down-image-slideshow-gallery
UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WordPress userswp
Vertical marquee plugin vertical-marquee-plugin
WP Affiliate Disclosure wp-affiliate-disclosure
WP Customer Reviews wp-customer-reviews
WP Meta and Date Remover wp-meta-and-date-remover
WP Travel – Best Travel Booking WordPress Plugin, Tour Management Engine wp-travel
WP fade in text news wp-fade-in-text-news
WooODT Lite – WooCommerce Order Delivery or Pickup with Date Time Location byconsole-woo-order-delivery-time
Wp anything slider wp-anything-slider
Wp photo text slider 50 wp-photo-text-slider-50
Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress youzify
iPages Flipbook For WordPress ipages-flipbook
idbbee idbbee
iframe forms iframe-forms
video carousel slider with lightbox wp-responsive-video-gallery-with-lightbox
wp image slideshow wp-image-slideshow

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

The Plus Addons for Elementor Pro <= 5.2.8 – Unauthenticated Local File Inclusion

Affected Software: The Plus Addons for Elementor Page Builder
CVE ID: CVE-2023-47178
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4d739821-569d-42d7-a4c5-70e32d5d41a1

Ads by datafeedr.com <= 1.1.3 – Unauthenticated (Limited) Remote Code Execution

Affected Software: Ads by datafeedr.com
CVE ID: CVE-2023-5843
CVSS Score: 9 (Critical)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5412fd87-49bc-445c-8d16-443e38933d1e

Image vertical reel scroll slideshow <= 9.0 – Authenticated (Subscriber+) SQL Injection via Shortcode

Affected Software: Image vertical reel scroll slideshow
CVE ID: CVE-2023-5428
CVSS Score: 8.8 (High)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/01d31d8a-4459-488a-9cbe-92761faa58b4

Jquery accordion slideshow <= 8.1 – Authenticated (Subscriber+) SQL Injection via Shortcode

Affected Software: Jquery accordion slideshow
CVE ID: CVE-2023-5464
CVSS Score: 8.8 (High)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0531ca34-5d7b-4071-a1aa-934f14b87728

Image horizontal reel scroll slideshow <= 13.2 – Authenticated (Subscriber+) SQL Injection via Shortcode

Affected Software: Image horizontal reel scroll slideshow
CVE ID: CVE-2023-5412
CVSS Score: 8.8 (High)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/08fb698f-c87c-4200-85fe-3fe72745633e

Up down image slideshow gallery <= 12.0 – Authenticated (Subscriber+) SQL Injection via Shortcode

Affected Software: Up down image slideshow gallery
CVE ID: CVE-2023-5435
CVSS Score: 8.8 (High)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0b72cf6f-4924-4fa5-8e1a-4054dfe73be0

Superb slideshow gallery <= 13.1 – Authenticated (Subscriber+) SQL Injection via Shortcode

Affected Software: Superb slideshow gallery
CVE ID: CVE-2023-5434
CVSS Score: 8.8 (High)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3a12945d-a67c-4a19-a4e7-f65f5f2a21bb

Jquery news ticker <= 3.0 – Authenticated (Subscriber+) SQL Injection via Shortcode

Affected Software: Jquery news ticker
CVE ID: CVE-2023-5430
CVSS Score: 8.8 (High)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3b7f8739-7f40-40a7-952e-002ea3b82ac7

Wp photo text slider 50 <= 8.0 – Authenticated (Subscriber+) SQL Injection via Shortcode

Affected Software: Wp photo text slider 50
CVE ID: CVE-2023-5439
CVSS Score: 8.8 (High)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/515502b5-c344-4855-aff1-57833233c5d2

Wp anything slider <= 9.1 – Authenticated (Subscriber+) SQL Injection via Shortcode

Affected Software: Wp anything slider
CVE ID: CVE-2023-5466
CVSS Score: 8.8 (High)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/535e754e-f851-4809-a148-d9ba808b9d8a

Information Reel <= 10.0 – Authenticated (Subscriber+) SQL Injection via Shortcode

Affected Software: Information Reel
CVE ID: CVE-2023-5429
CVSS Score: 8.8 (High)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/64db63e5-ff76-494a-be4f-d820f0cc9ab0

Left right image slideshow gallery <= 12.0 – Authenticated (Subscriber+) SQL Injection via Shortcode

Affected Software: Left right image slideshow gallery
CVE ID: CVE-2023-5431
CVSS Score: 8.8 (High)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/69902627-ce79-4a43-8949-43db6a9cc0dd

wp image slideshow <= 12.0 – Authenticated (Subscriber+) SQL Injection via Shortcode

Affected Software: wp image slideshow
CVE ID: CVE-2023-5438
CVSS Score: 8.8 (High)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7e24383b-5b0f-4114-908b-4c2778632f73

WooODT Lite <= 2.4.6 – Missing Authorization to Arbitrary Options Update

Affected Software: WooODT Lite – WooCommerce Order Delivery or Pickup with Date Time Location
CVE ID: CVE-2023-47179
CVSS Score: 8.8 (High)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9939f297-e3ca-4d7d-9acd-c416ee2014c9

WP fade in text news <= 12.0 – Authenticated (Subscriber+) SQL Injection via Shortcode

Affected Software: WP fade in text news
CVE ID: CVE-2023-5437
CVSS Score: 8.8 (High)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b4accf10-710e-4cba-8d61-04e422324f9d

Popup with fancybox <= 3.5 – Authenticated (Subscriber+) SQL Injection via Shortcode

Affected Software: Popup with fancybox
CVE ID: CVE-2023-5465
CVSS Score: 8.8 (High)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c943cf0b-0e99-4d47-808d-2b803369d53a

Vertical marquee plugin <= 7.1 – Authenticated (Subscriber+) SQL Injection via Shortcode

Affected Software: Vertical marquee plugin
CVE ID: CVE-2023-5436
CVSS Score: 8.8 (High)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cd90d9c0-0cab-4fd3-b016-106032f300f7

Message ticker <= 9.2 – Authenticated (Subscriber+) SQL Injection via Shortcode

Affected Software: Message ticker
CVE ID: CVE-2023-5433
CVSS Score: 8.8 (High)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d0b1fa88-2fc6-41af-bd39-12af92dc6533

HTML filter and csv-file search <= 2.7 – Authenticated (Contributor+) Local File Inclusion via Shortcode

Affected Software: HTML filter and csv-file search
CVE ID: CVE-2023-5099
CVSS Score: 8.8 (High)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ee2b4055-8cbd-49b7-bb0b-eddef85060fc

Drag and Drop Multiple File Upload – Contact Form 7 <= 1.3.7.3 – Unauthenticated Arbitrary File Upload

Affected Software: Drag and Drop Multiple File Upload – Contact Form 7
CVE ID: CVE-2023-5822
CVSS Score: 8.1 (High)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1b3be300-5b7f-4844-8637-1bb8c939ed4c

Finale Lite <= 2.16.0 – Missing Authorization to Content Deletion

Affected Software: Finale Lite – Sales Countdown Timer & Discount for WooCommerce
CVE ID: CVE-2023-47180
CVSS Score: 7.5 (High)
Researcher/s: Unknown
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/725bce1b-ec76-411d-928c-2aea47867292

WP Travel <= 7.5.0 – Missing Authorization via Multiple AJAX Actions

Affected Software: WP Travel – Best Travel Booking WordPress Plugin, Tour Management Engine
CVE ID: CVE-2023-47224
CVSS Score: 7.5 (High)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d23d2cdf-206e-4714-9753-198519ba737b

wpDiscuz <= 7.6.11 – Unauthenticated Stored Cross-Site Scripting via Comment Uploaded Image Filename

Affected Software: Comments – wpDiscuz
CVE ID: CVE-2023-47185
CVSS Score: 7.2 (High)
Researcher/s: Vladislav Pokrovsky
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/026ff6f4-077e-4fee-8fbe-8176f8ca5af3

Icons Font Loader <= 1.1.2 – Authenticated (Administrator+) Arbitrary File Upload

Affected Software: Icons Font Loader
CVE ID: CVE-2023-5860
CVSS Score: 7.2 (High)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/12a9fbe8-445a-478a-b6ce-cd669ccb6a2d

iPages Flipbook < 1.5.0 – Authenticated (Administrator+) SQL Injection

Affected Software: iPages Flipbook For WordPress
CVE ID: CVE Unknown
CVSS Score: 7.2 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/279a02e1-7b61-4edd-ab67-6a7fed4e17c1

Funnelforms Free <= 3.4 – Missing Authorization to Arbitrary Post Deletion


Funnelforms Free <= 3.4 – Cross-Site Request Forgery to Arbitrary Post Deletion


Youzify <= 1.2.2 – Insecure Direct Object Reference


Short URL <= 1.6.8 – Missing Authorization via multiple AJAX functions

Affected Software: Short URL
CVE ID: CVE-2023-47225
CVSS Score: 6.5 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a83061c0-d8d3-4dbe-bf2a-65350d17094b

HTML filter and csv-file search <= 2.7 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: HTML filter and csv-file search
CVE ID: CVE-2023-5096
CVSS Score: 6.4 (Medium)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/157eddd4-67f0-4a07-b3ab-11dbfb9f12aa

SEO Slider <= 1.1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: SEO Slider
CVE ID: CVE-2023-5707
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/32bc88a7-93ed-4d67-9383-b6d935a0df4d

WP Meta and Date Remover < 2.2.0 – Authenticated (Subscriber+) Stored Cross-Site Scripting via settings

Affected Software: WP Meta and Date Remover
CVE ID: CVE-2023-4823
CVSS Score: 6.4 (Medium)
Researcher/s: dc11
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3da0a44f-d4b4-4330-a2e3-d25a2a7df926

Linker <= 1.2.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Linker
CVE ID: CVE-2023-47177
CVSS Score: 6.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3fd620a3-5d9e-4bc3-b026-871610df7c2d

Apollo13 Framework Extensions <= 1.9.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Apollo13 Framework Extensions
CVE ID: CVE-2023-47190
CVSS Score: 6.4 (Medium)
Researcher/s: NGÔ THIÊN AN (ancorn_)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4c5b2ce5-d3bf-4412-b329-470a1115260b

Gift Up Gift Cards for WordPress and WooCommerce <= 2.20.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Gift Up Gift Cards for WordPress and WooCommerce
CVE ID: CVE-2023-5703
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4e498706-3dbe-4c48-9c0d-0d90677aba0d

Interact: Embed A Quiz On Your Site <= 3.0.7 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Interact: Embed A Quiz On Your Site
CVE ID: CVE-2023-5659
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/69ba1a39-ddb0-4661-8104-d8bb71710e0c

iframe forms <= 1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via iframe Shortcode

Affected Software: iframe forms
CVE ID: CVE-2023-5073
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes, Alex Thomas
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/818de7f7-913a-4ade-927e-bba281b4709a

Live updates from Excel <= 2.3.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Live updates from Excel
CVE ID: CVE-2023-5116
CVSS Score: 6.4 (Medium)
Researcher/s: Alex Thomas
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ab856722-e954-49de-a93f-46664da6e3e8

Download Top 25 Social Icons <= 3.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Top 25 Social Icons
CVE ID: CVE-2023-47229
CVSS Score: 6.4 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b9e3e417-d8a8-4e32-99aa-650e0a25a415

Easy PayPal Shopping Cart <= 1.1.10 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Easy PayPal Shopping Cart
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cf6e3552-9616-4da1-8d8e-a6144ba1d0a3

ShortCodes UI <= 1.9.8 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: ShortCodes UI
CVE ID: CVE-2023-47231
CVSS Score: 6.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f6c14c65-a47c-4dc1-9d5a-f804061152e4

Digirisk 6.0.0.0 – Reflected Cross-Site Scripting

Affected Software: Digirisk
CVE ID: CVE-2023-5946
CVSS Score: 6.1 (Medium)
Researcher/s: Ala Arfaoui
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d41355ed-77d0-48b3-bbb3-4cc3b4df4b2a

GiveWP <= 2.33.3 – Cross-Site Request Forgery to Stripe Integration Deletion

Affected Software: GiveWP – Donation Plugin and Fundraising Platform
CVE ID: CVE-2023-4248
CVSS Score: 5.4 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2bff8dea-6971-47d4-bd2c-0821687033e5

Auto Publish for Google My Business <= 3.7 – Cross-Site Request Forgery

Affected Software: Auto Publish for Google My Business
CVE ID: CVE Unknown
CVSS Score: 5.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3d4b9f07-a4a0-4cbd-a147-281570bc7f4a

idbbee <= 1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: idbbee
CVE ID: CVE-2023-5114
CVSS Score: 5.4 (Medium)
Researcher/s: Lana Codes, Alex Thomas
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ac763936-7147-4100-8a46-4c6d2f2224b4

GiveWP <= 2.33.3 – Cross-Site Request Forgery to plugin deactivation

Affected Software: GiveWP – Donation Plugin and Fundraising Platform
CVE ID: CVE-2023-4247
CVSS Score: 5.4 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e32d9104-5a39-4455-b76a-e24ae787bdfd

GiveWP <= 2.33.1 – Missing Authorization via handleBeforeGateway

Affected Software: GiveWP – Donation Plugin and Fundraising Platform
CVE ID: CVE-2023-47183
CVSS Score: 5.3 (Medium)
Researcher/s: Revan Arifio
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3b6b1b7e-2ba4-4b72-9e3d-b54c00437cac

Defender Security <= 4.2.0 – Masked Login Area Security Feature Bypass

Affected Software: Defender Security – Malware Scanner, Login Security & Firewall
CVE ID: CVE-2023-5977
CVSS Score: 5.3 (Medium)
Researcher/s: Naveen Muthusamy
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/66122be6-7c28-44cc-a8dd-7b2ec64346f7

Solid Security Basic <= 9.0.0 – Unauthenticated Login Page Disclosure


Post Sliders & Post Grids <= 1.0.20 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Post Sliders & Post Grids
CVE ID: CVE-2023-47226
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2ddc39a8-57b7-46be-878a-2e1cf3271bd2

Basic Interactive World Map <= 2.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Basic Interactive World Map
CVE ID: CVE-2023-47223
CVSS Score: 4.4 (Medium)
Researcher/s: DoYeon Park (p6rkdoye0n)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/321b2b0d-8169-4e80-b86f-2ae29d9b8b7d

IdeaPush <= 8.46 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: IdeaPush
CVE ID: CVE-2023-47181
CVSS Score: 4.4 (Medium)
Researcher/s: Emili Castells
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3673a86c-1e11-45ad-8944-84a38aad53dd

Admin Bar & Dashboard Control <= 1.2.8 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Admin Bar & Dashboard Access Control
CVE ID: CVE-2023-47184
CVSS Score: 4.4 (Medium)
Researcher/s: Rachit Arora
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/37aa3d05-79b6-49ea-b698-afa78615e438

Social Feed | All social media in one place <= 1.5.4.6 – Authenticated (Administrator+) Stored Cross-Site Scripting]

Affected Software: Social Feed | All social media in one place
CVE ID: CVE-2023-47227
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4a77675b-5a31-4bc1-b4bd-36dd9a612b7c

Comments Ratings <= 1.1.7 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Comments Ratings
CVE ID: CVE-2023-23702
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5786b859-3ee9-45ab-8926-f4a09e323e3b

Layer Slider <= 1.1.9.7 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Layer Slider
CVE ID: CVE-2023-47228
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6df68d66-7294-4dff-8ba8-394932a64281

ChatBot 4.8.6 – 4.9.6 – Authenticated (Administrator+) Stored Cross-Site Scripting in FAQ Builder

Affected Software: AI ChatBot
CVE ID: CVE-2023-5606
CVSS Score: 4.4 (Medium)
Researcher/s: Huynh Tien Si
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fc305c48-8337-42b7-ad61-61aea8018def

Advance Menu Manager <= 3.0.6 – Missing Authorization

Affected Software: Advance Menu Manager
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/04ad816b-0ac0-44b5-928a-5bb3e36523b2

WP Affiliate Disclosure <= 1.2.6 – Cross-Site Request Forgery via check_capability

Affected Software: WP Affiliate Disclosure
CVE ID: CVE-2023-47232
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/11cc8c6e-b60e-46b3-966e-07b1fb2bf8e9

Funnelforms Free <= 3.4 – Missing Authorization to Category Update


Animated Rotating Words <= 5.4 – Cross-Site Request Forgery via save_admin_options

Affected Software: Animated Rotating Words (Interchanging Random Words in a Sentence)
CVE ID: CVE-2023-47187
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/15b7008f-07fc-4f8a-b214-8ac0c4cf6d99

WP Customer Reviews <= 3.6.6 – Authenticated (Subscriber+) Sensitive Information Exposure

Affected Software: WP Customer Reviews
CVE ID: CVE-2023-4686
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/24b9984c-ec33-4492-815b-67a21ac4da0e

UsersWP <= 1.2.3.22 – Cross-Site Request Forgery


Animated Rotating Words <= 5.4 – Missing Authorization via save_admin_options

Affected Software: Animated Rotating Words (Interchanging Random Words in a Sentence)
CVE ID: CVE-2023-47187
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/41d9786e-4ce3-42d6-a0d6-8eb863103d5c

Funnelforms Free <= 3.4 – Missing Authorization to Test Email Sending


Funnelforms Free <= 3.4 – Missing Authorization to New Category Creation


Kadence WooCommerce Email Designer <= 1.5.11 – Cross-Site Request Forgery

Affected Software: Kadence WooCommerce Email Designer
CVE ID: CVE-2023-47186
CVSS Score: 4.3 (Medium)
Researcher/s: Brandon James Roldan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7b8483b8-07b4-436f-992f-35e16fef867b

Top 10 <= 3.3.2 – Cross-Site Request Forgery via edit_count_ajax

Affected Software: Top 10 – WordPress Popular posts by WebberZone
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7e7d3bf0-1860-45b0-b928-2291b0f98902

Funnelforms Free <= 3.4 – Missing Authorization to Post Modification


Funnelforms Free <= 3.4 – Missing Authorization to Category Deletion


Funnelforms Free <= 3.4 – Missing Authorization to Enable/Disable Dark Mode


Advance Menu Manager <= 3.0.6 – Cross-Site Request Forgery

Affected Software: Advance Menu Manager
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cf34af9d-4de7-498d-8065-c3cc6818b7c4

Funnelforms Free <= 3.4 – Cross-Site Request Forgery to Arbitrary Post Duplication


Decorator – WooCommerce Email Customizer <= 1.2.7 – Cross-Site Request Forgery

Affected Software: Decorator – WooCommerce Email Customizer
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: thiennv
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/db664d0a-a58d-4d8b-ae0a-074f32d8710c

video carousel slider with lightbox 1.0 – Cross-Site Request Forgery

Affected Software: video carousel slider with lightbox
CVE ID: CVE-2023-5945
CVSS Score: 4.3 (Medium)
Researcher/s: Ala Arfaoui
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/dc052b00-65a7-4668-8bdd-b06d69d12a4a

GiveWP <= 2.33.3 – Cross-Site Request Forgery to plugin installation

Affected Software: GiveWP – Donation Plugin and Fundraising Platform
CVE ID: CVE-2023-4246
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/dc5c511f-dc79-468b-a107-cdf50999faf8

Funnelforms Free <= 3.4 – Missing Authorization to Arbitrary Post Duplication


Product Catalog Enquiry <= 5.0.2

Affected Software: Product Catalog Mode For Woocommerce
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e881ba2f-0e88-4c7b-aa0d-84e816019db9

Email Templates <= 1.4.2 – Cross-Site Request Forgery via send_test_email

Affected Software: Email Templates Customizer and Designer for WordPress and WooCommerce
CVE ID: CVE-2022-47181
CVSS Score: 4.3 (Medium)
Researcher/s: Cat
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f3e1851a-9545-4687-b58b-5cdad3291525

As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

Did you enjoy this post? Share it!

Comments

No Comments