Wordfence Intelligence Weekly WordPress Vulnerability Report (December 4, 2023 to December 10, 2023)
đ Wordfence just launched its bug bounty program. Through December 20th 2023, all researchers will earn 6.25x our normal bounty rates when Wordfence handles responsible disclosure for our Holiday Bug Extravaganza! Register as a researcher and submit your vulnerabilities today!đ
Last week, there were 109 vulnerabilities disclosed in 98 WordPress Plugins and 10 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 33 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.
Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 12,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
- Elementor <= 3.18.1 – Authenticated(Contributor+) Arbitrary File Upload to Remote Code Execution via Template Import
- WordPress Core 6.4-6.4.1 – Remote Code Execution POP Chain via Object Injection
(Note that the existence of the POP chain is not classified as a vulnerability on its own so it does not have a Wordfence Intelligence Entry. The rule is intended to block exploitation by any existing Object Injection vulnerability.) - Two additional firewall rules for vulnerabilities that have not yet been patched or publicly disclosed.
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.
Total Unpatched & Patched Vulnerabilities Last Week
Patch Status | Number of Vulnerabilities |
Unpatched | 63 |
Patched | 46 |
Total Vulnerabilities by CVSS Severity Last Week
Severity Rating | Number of Vulnerabilities |
Low Severity | 0 |
Medium Severity | 88 |
High Severity | 9 |
Critical Severity | 12 |
Total Vulnerabilities by CWE Type Last Week
Vulnerability Type by CWE | Number of Vulnerabilities |
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 28 |
Missing Authorization | 28 |
Cross-Site Request Forgery (CSRF) | 21 |
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 6 |
Unrestricted Upload of File with Dangerous Type | 5 |
Deserialization of Untrusted Data | 5 |
Information Exposure | 3 |
Improper Authorization | 2 |
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) | 2 |
Use of Less Trusted Source | 1 |
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 1 |
Uncontrolled Resource Consumption (‘Resource Exhaustion’) | 1 |
Protection Mechanism Failure | 1 |
Authorization Bypass Through User-Controlled Key | 1 |
Server-Side Request Forgery (SSRF) | 1 |
Improper Control of Generation of Code (‘Code Injection’) | 1 |
Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’) | 1 |
Improper Neutralization of Alternate XSS Syntax | 1 |
Researchers That Contributed to WordPress Security Last Week
Researcher Name | Number of Vulnerabilities |
Nguyen Xuan Chien | 13 |
Rafie Muhammad | 12 |
Abdi Pranata | 12 |
Dmitrii Ignatyev | 7 |
Vladislav Pokrovsky (ÎX.MI) | 7 |
Mika | 6 |
NgĂŽ ThiĂȘn An (ancorn_) | 5 |
emad | 4 |
IstvĂĄn MĂĄrton (Wordfence Vulnerability Researcher) |
4 |
Skalucy | 4 |
Brandon James Roldan (tomorrowisnew) | 3 |
thiennv | 3 |
lttn | 3 |
LVT-tholv2k | 2 |
Marco Wotschka (Wordfence Vulnerability Researcher) |
2 |
Abu Hurayra (HurayraIIT) | 2 |
Kyle Sanchez | 2 |
qilin_99 | 2 |
Rafshanzani Suhada | 1 |
Universe | 1 |
German Ritter | 1 |
DoYeon Park (p6rkdoye0n) | 1 |
Naveen Muthusamy | 1 |
Hong Quan | 1 |
0x9567b | 1 |
Luqman Hakim Y | 1 |
Yuchen Ji | 1 |
Labda | 1 |
Enrico Marcolini | 1 |
Claudio Marchesini (Dottormarc) | 1 |
Rachit Arora | 1 |
Muhammad Daffa | 1 |
Huynh Tien Si | 1 |
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
Software Name | Software Slug |
Advanced Database Cleaner | advanced-database-cleaner |
Advanced Page Visit Counter â Most Wanted Analytics Plugin for WordPress | advanced-page-visit-counter |
Alma â Pay in installments or later for WooCommerce | alma-gateway-for-woocommerce |
Alt Manager | alt-manager |
Annual Archive | anual-archive |
AppMySite â Create an app with the Best Mobile App Builder | appmysite |
ArtPlacer Widget | artplacer-widget |
Astra Pro Addon | astra-addon |
Author Avatars List/Block | author-avatars |
Awesome Support â WordPress HelpDesk & Support Plugin | awesome-support |
BCorp Shortcodes | bcorp-shortcodes |
Backup Migration | backup-backup |
Bacola Core | bacola-core |
Biteship: Plugin Ongkos Kirim Kurir Instant, Reguler, Kargo | biteship |
Block for Font Awesome | block-for-font-awesome |
Bold Page Builder | bold-page-builder |
Bulk Edit Post Titles | bulk-edit-post-titles |
Burst Statistics Pro | burst-pro |
Burst Statistics â Privacy-Friendly Analytics for WordPress | burst-statistics |
CSV Importer | csv-importer |
CSprite | csprite |
Caddy â Smart Side Cart for WooCommerce | caddy |
Calculated Fields Form | calculated-fields-form |
Clotya Core | clotya-core |
Code Embed | simple-embed-code |
Cookie Bar | cookie-bar |
Cosmetsy Core | cosmetsy-core |
Custom Login | custom-login |
Custom Post Type Page Template | custom-post-type-page-template |
Dashboard Widgets Suite | dashboard-widgets-suite |
Digital Publications by Supsystic | digital-publications-by-supsystic |
Duplicator Pro | duplicator-pro |
Duplicator â WordPress Migration & Backup Plugin | duplicator |
Elementor Timeline Widget | 3r-elementor-timeline-widget |
Elementor Website Builder â More than Just a Page Builder | elementor |
Email Subscription Popup | email-subscribe |
EmbedPress â Embed PDF, YouTube, Google Docs, Vimeo, Wistia Videos, Audios, Maps & Any Documents in Gutenberg & Elementor | embedpress |
Event Manager, Event Calendar, Event Tickets for WooCommerce â Eventin | wp-event-solution |
FOX â Currency Switcher Professional for WooCommerce | woocommerce-currency-switcher |
First Order Discount Woocommerce | first-order-discount-woocommerce |
Fix My Feed RSS Repair | fix-my-feed-rss-repair |
Flexible Woocommerce Checkout Field Editor | flexible-woocommerce-checkout-field-editor |
Furnob Core | furnob-core |
Genesis Simple Love | genesis-simple-love |
Gift Up Gift Cards for WordPress and WooCommerce | gift-up |
Guest Author | guest-author |
Ibtana â WordPress Website Builder | ibtana-visual-editor |
Import and export users and customers | import-users-from-csv-with-meta |
Integrate Google Drive â Browse, Upload, Download, Embed, Play, Share, Gallery, and Manage Your Google Drive Files Into Your WordPress Site | integrate-google-drive |
LiveChat â WP live chat plugin for WordPress | wp-live-chat-software-for-wordpress |
Login With Ajax | login-with-ajax |
MW WP Form | mw-wp-form |
Manage Notification E-mails | manage-notification-emails |
Medibazar Core | medibazar-core |
Menu Bar Cart Icon For WooCommerce By Binary Carpenter | bc-menu-cart-woo |
Multi Currency For WooCommerce | wc-multi-currency |
Optin Forms â Simple List Building Plugin for WordPress | optin-forms |
Parto Core | partdo-core |
PayTR Taksit Tablosu â WooCommerce | paytr-taksit-tablosu-woocommerce |
Piotnet Forms | piotnetforms |
Post Duplicator | post-duplicator |
Product Catalog Feed by PixelYourSite | product-catalog-feed |
Product Enquiry for WooCommerce | gm-woocommerce-quote-popup |
Redirects | redirects |
RegistrationMagic â Custom Registration Forms, User Registration, Payment, and User Login | custom-registration-form-builder-with-submission-manager |
Responsive Slick Slider WordPress | responsive-slick-slider |
Rocket Maintenance Mode & Coming Soon Page | rocket-maintenance-mode |
Sayfa Sayac | sayfa-sayac |
SharkDropship & Affiliate for AliExpress, eBay, Amazon, Etsy | woo-aliexpress-dropshipping |
Shortcoder â Create Shortcodes for Anything | shortcoder |
Shortcodes and extra features for Phlox theme | auxin-elements |
Smart External Link Click Monitor [Link Log] | link-log |
Smart Forms â when you need more than just a contact form | smart-forms |
Social Media Feather | social media sharing | social-media-feather |
Spectra â WordPress Gutenberg Blocks | ultimate-addons-for-gutenberg |
SpeedyCache â Cache, Optimization, Performance | speedycache |
Square Thumbnails | square-thumbnails |
Structured Content (JSON-LD) #wpsc | structured-content |
SureTriggers â Connect All Your Plugins, Apps, Tools & Automate Everything! | suretriggers |
Symbiostock â Sell Photos Online For Free! | symbiostock |
System Dashboard | system-dashboard |
Translate WordPress â Google Language Translator | google-language-translator |
Tutor LMS â eLearning and online course solution | tutor |
Ultimate Addons for Contact Form 7 | ultimate-addons-for-contact-form-7 |
Ultimate Dashboard â Custom WordPress Dashboard | ultimate-dashboard |
Video PopUp | video-popup |
WP Booking System â Booking Calendar | wp-booking-system |
WP Photo Album Plus | wp-photo-album-plus |
WP Project Manager â Task, team, and project management plugin featuring kanban board and gantt charts | wedevs-project-manager |
WPBakery Page Builder Addons by Livemesh | addons-for-visual-composer |
WPPerformanceTester | wpperformancetester |
WPsoonOnlinePage | wp-soononline-page |
WappPress â Create Mobile App for any WordPress site with our Mobile App Builder in just 1 minute | wapppress-builds-android-app-for-website |
Webflow Pages | webflow-pages |
Welcart e-Commerce | usc-e-shop |
WooDiscuz â WooCommerce Comments | woodiscuz-woocommerce-comments |
WooPayments â Fully Integrated Solution Built and Supported by Woo | woocommerce-payments |
WordPress Simple HTML Sitemap | wp-simple-html-sitemap |
WordPress Themes with Reported Vulnerabilities Last Week
Software Name | Software Slug |
Adifier – Classified Ads WordPress Theme | adifier-system |
Bacola – Grocery Store and Food eCommerce Theme | bacola |
Clotya – Fashion Store eCommerce Theme | clotya |
Cosmetsy – Beauty Cosmetics Shop Theme | cosmetsy |
Couponis Demo | couponis-demo |
Furnob – Furniture Store WooCommerce Theme | furnob |
Machic – Electronics Store WooCommerce Theme | machic-core |
Medibazar – Medical WooCommerce Theme | medibazar |
Partdo – Auto Parts and Tools Shop WooCommerce Theme | partdo |
Soledad | soledad |
Vulnerability Details
Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you shouldâve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.
WappPress <= 5.0.3 – Unauthenticated Arbitrary File Upload
CVE ID: CVE-2023-49815
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/07eab536-6f20-45ec-9f9e-70ab35555db2
Burst Statistics â Privacy-Friendly Analytics for WordPress 1.4.0 to 1.4.6.1 – Unauthenticated SQL Injection
CVE ID: CVE-2023-5761
CVSS Score: 9.8 (Critical)
Researcher/s: German Ritter
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/30f8419c-c7b9-4c68-a845-26c0308d76f3
Couponis Demo < 2.2 – Unauthenticated SQL Injection
CVE ID: CVE-2023-49750
CVSS Score: 9.8 (Critical)
Researcher/s: Vladislav Pokrovsky (ÎX.MI)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4fd67a02-b0fb-4c4f-9564-c3ee0180e79c
Genesis Simple Love <= 2.0 – Unauthenticated PHP Object Injection
CVE ID: CVE-2023-49772
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/55abf798-f336-4262-9f52-4526a4bae15a
Soledad <= 8.4.1 – Unauthenticated PHP Object Injection
CVE ID: CVE-2023-49826
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6e954190-7c58-4044-a85e-a188fe5b6d89
Adifier System < 3.1.4 – Unauthenticated SQL Injection
CVE ID: CVE-2023-49752
CVSS Score: 9.8 (Critical)
Researcher/s: Vladislav Pokrovsky (ÎX.MI)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8e64d865-5acc-419b-8c61-e8fd8207fa94
BCorp Shortcodes <= 0.23 – Unauthenticated PHP Object Injection
CVE ID: CVE-2023-49773
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/94696151-9f99-4847-bd67-8fb77f8b6a0e
Sayfa Sayaç <= 2.6 – Unauthenticated PHP Object Injection
CVE ID: CVE-2023-49778
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b1a29180-901d-447e-8f82-63161b9e11e0
MW WP Form <= 5.0.1 – Unauthenticated Arbitrary File Upload
CVE ID: CVE-2023-6316
CVSS Score: 9.8 (Critical)
Researcher/s: IstvĂĄn MĂĄrton
(Wordfence Vulnerability Researcher)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b2c03142-be30-4173-a140-14d73a16dd2b
Duplicator <= 1.5.7 AND Duplicator Pro < 4.5.14.2 – Unauthenticated Sensitive Information Exposure
CVE ID: CVE-2023-6114
CVSS Score: 9.8 (Critical)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b3f7a88c-a09b-46ac-b345-139c2d20a3d2
Adifier System < 3.1.4 – Unauthenticated Local File Inclusion
CVE ID: CVE-2023-49753
CVSS Score: 9.8 (Critical)
Researcher/s: Vladislav Pokrovsky (ÎX.MI)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e8574ff9-847c-4337-8c0e-2a717b51f66c
Backup Migration <= 1.3.5 – Unauthenticated Sensitive Information Exposure
CVE ID: CVE-2023-6271
CVSS Score: 9.8 (Critical)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f661f19d-fdd4-4cd3-8fb3-8b6073d94596
Structured Content <= 1.5.3 – Authenticated (Contributor+) PHP Object Injection
CVE ID: CVE-2023-49819
CVSS Score: 8.8 (High)
Researcher/s: LVT-tholv2k
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0b25252b-fad3-4212-be72-94e94779ef67
Smart Forms <= 2.6.84 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update
CVE ID: CVE-2023-49856
CVSS Score: 8.8 (High)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3ac48cd9-1de5-4840-b3f3-dc24ca52442e
Elementor <= 3.18.1 – Authenticated(Contributor+) Arbitrary File Upload to Remote Code Execution via Template Import
CVE ID: CVE-2023-48777
CVSS Score: 8.8 (High)
Researcher/s: Hong Quan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5b6d0a38-ac28-41c9-9da1-b30b3657b463
Soledad <= 8.4.1 – Authenticated (Contributor+) SQL Injection
CVE ID: CVE-2023-49825
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7a9846c4-4678-4c25-84fd-b05d21ea34fb
Astra Pro <= 4.3.1 – Authenticated(Contributor+) Remote Code Execution via Metabox
CVE ID: CVE-2023-49830
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b9769bc3-236f-4c9d-a4ce-544e49eee2ec
ArtPlacer Widget <= 2.20.6 – Authenticated (Editor+) SQL Injection
CVE ID: CVE-2023-6373
CVSS Score: 8.8 (High)
Researcher/s: Enrico Marcolini, Claudio Marchesini (Dottormarc)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bff3a160-5238-4478-ab11-3300cac51cf2
Piotnet Forms <= 1.0.26 – Unauthenticated Arbitrary File Upload
CVE ID: CVE-2023-6220
CVSS Score: 8.1 (High)
Researcher/s: IstvĂĄn MĂĄrton
(Wordfence Vulnerability Researcher)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/af2b7eac-a3f5-408f-b139-643e70b3f27a
Advanced Database Cleaner <= 3.1.2 – Authenticated (Administrator+) SQL Injection
CVE ID: CVE-2023-49764
CVSS Score: 7.2 (High)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/62c46925-8e97-4989-8c2c-56223d6911a2
Symbiostock Lite <= 6.0.0 – Authenticated (Shop Manager+) Arbitrary File Upload
CVE ID: CVE-2023-49814
CVSS Score: 7.2 (High)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/666b8b39-fab0-4e99-b365-a4ac9f964494
Import and export users and customers <= 1.24.2 – Authenticated(Administrator+) Directory Traversal via Recurring Import Functionality
CVE ID: CVE-2023-6583
CVSS Score: 6.6 (Medium)
Researcher/s: Labda
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ac709779-36f1-4f66-8db3-95a514a5ea59
Code Embed <= 2.3.6 – Authenticated(Contributor+) Denial of Service
CVE ID: CVE-2023-49837
CVSS Score: 6.5 (Medium)
Researcher/s: Universe
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2ef2ded1-dd56-4c33-98dc-d4c69e66568f
Alma â Pay in installments or later for WooCommerce <= 5.1.3 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-50369
CVSS Score: 6.4 (Medium)
Researcher/s: NgĂŽ ThiĂȘn An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/044d7480-ccd7-4ce8-bb5d-367ba5d0217c
Ibtana â WordPress Website Builder <= 1.2.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-6684
CVSS Score: 6.4 (Medium)
Researcher/s: IstvĂĄn MĂĄrton
(Wordfence Vulnerability Researcher)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0b09d496-0e03-48a4-acf7-57febe18ed0a
Spectra <= 2.7.9 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-49833
CVSS Score: 6.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0df493cb-2b5e-4a16-b6d8-4cd9a473540d
WooCommerce Payments <= 6.4.2 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-49828
CVSS Score: 6.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/13617b70-9b57-4873-9942-12bffed411e2
Annual Archive <= 1.6.0 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-49847
CVSS Score: 6.4 (Medium)
Researcher/s: NgĂŽ ThiĂȘn An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/20199c88-1800-4d18-a0ee-0219be77b429
Advanced Page Visit Counter <= 8.0.6 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-50371
CVSS Score: 6.4 (Medium)
Researcher/s: Abu Hurayra (HurayraIIT)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3b497a36-4929-413f-abfc-1d81bfaa7889
Livemesh Addons for WPBakery Page Builder <= 3.5 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-50370
CVSS Score: 6.4 (Medium)
Researcher/s: Abu Hurayra (HurayraIIT)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/60af0a7c-014b-4f71-9918-7ddc1186bee4
Video PopUp <= 1.1.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-4962
CVSS Score: 6.4 (Medium)
Researcher/s: IstvĂĄn MĂĄrton
(Wordfence Vulnerability Researcher)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/670ea03e-2f76-48a4-9f40-bc4cfd987a89
Guest Author <= 2.3 – Authenticated (Author+) Stored Cross-Site Scripting
CVE ID: CVE-2023-49747
CVSS Score: 6.4 (Medium)
Researcher/s: emad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/78fd9dcf-228e-46ec-b34f-2cb0c87cc895
Bold Page Builder <= 4.6.1 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-49823
CVSS Score: 6.4 (Medium)
Researcher/s: NgĂŽ ThiĂȘn An (ancorn_)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8c99f70b-77a6-4bd7-99b1-ad4ec76d50c6
Shortcodes and extra features for Phlox theme <= 2.15.2 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-50368
CVSS Score: 6.4 (Medium)
Researcher/s: NgĂŽ ThiĂȘn An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/95d61096-8e44-4b70-a409-c02cb3d1e32c
WP Project Manager <= 2.6.7 – Authenticated (Subscriber+) Stored Cross-Site Scripting
CVE ID: CVE-2023-49860
CVSS Score: 6.4 (Medium)
Researcher/s: lttn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bd625d24-c1e9-465d-896a-bff75d8c534f
Author Avatars List/Block <= 2.1.16 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-49846
CVSS Score: 6.4 (Medium)
Researcher/s: NgĂŽ ThiĂȘn An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c7c8380b-02ae-49d2-8c64-debe7f73ee35
Structured Content <= 1.5.3 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-49820
CVSS Score: 6.4 (Medium)
Researcher/s: LVT-tholv2k
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e44ad307-2663-4613-ae53-9ef6208f08f9
Ultimate Addons for Contact Form 7 <= 3.2.0 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-49766
CVSS Score: 6.1 (Medium)
Researcher/s: Vladislav Pokrovsky (ÎX.MI)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/364946a5-ce1e-4872-895d-e7cf795a04f7
Multiple Plugins by KlbTheme <= (Various Versions) – Reflected Cross-Site Scripting
CVE ID: CVE-2023-49839
CVSS Score: 6.1 (Medium)
Researcher/s: Vladislav Pokrovsky (ÎX.MI)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4fb06315-30ad-4d98-af75-b04933583be7
WP Photo Album Plus <= 8.5.02.005 – Cross-Site Scripting
CVE ID: CVE-2023-49813
CVSS Score: 6.1 (Medium)
Researcher/s: Kyle Sanchez
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5486d50c-8544-4368-b58b-66024a8ae86d
Email Subscription Popup <= 1.2.18 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-6527
CVSS Score: 6.1 (Medium)
Researcher/s: 0x9567b
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5f84814e-f7b7-4228-b331-63027a0770af
Machic Core <= 1.2.6 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-49186
CVSS Score: 6.1 (Medium)
Researcher/s: Vladislav Pokrovsky (ÎX.MI)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b4fc9628-b254-405b-a7cc-bb955618bc35
Smart External Link Click Monitor [Link Log] <= 5.0.2 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-49771
CVSS Score: 6.1 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d062bc7b-0cb0-46bd-b203-90cc9a44a403
Soledad <= 8.4.1 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-49827
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f83b36fe-4e46-4ab7-a113-6dcfa7cce625
Biteship <= 2.2.22 – Authenticated (Shop manager+) Stored Cross-Site Scripting
CVE ID: CVE-2023-49767
CVSS Score: 5.5 (Medium)
Researcher/s: Luqman Hakim Y
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a78c46ac-22dd-48f2-a10b-016205f7e7fa
Cookie Bar <= 2.0 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings
CVE ID: CVE-2023-49836
CVSS Score: 5.5 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/dd58bc54-f16e-48ee-97f4-95b839d75350
WOOCS â WooCommerce Currency Switcher <= 1.4.1.4 – Cross-Site Request Forgery via delete_profiles_data
CVE ID: CVE-2023-49834
CVSS Score: 5.4 (Medium)
Researcher/s: Brandon James Roldan (tomorrowisnew)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/139d4ec2-1147-4332-a56d-633890f32560
Digital Publications by Supsystic <= 1.7.6 – Cross-Site Request Forgery via AJAX action
CVE ID: CVE-2023-5756
CVSS Score: 5.4 (Medium)
Researcher/s: Marco Wotschka
(Wordfence Vulnerability Researcher)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2304e4dc-0dc6-4ded-b8e6-8d76d70f63d7
SpeedyCache <= 1.1.2 – Authenticated (Subscriber+) Server-Side Request Forgery
CVE ID: CVE-2023-49746
CVSS Score: 5.4 (Medium)
Researcher/s: Yuchen Ji
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ab922406-4af8-4ef2-bcc8-c326212546b1
Awesome Support <= 6.1.6 – Missing Authorization
CVE ID: CVE-2023-49757
CVSS Score: 5.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fd9f1385-6457-4bc9-9c75-0fcd399a5956
WP Photo Album Plus <= 8.5.02.005 – IP Spoofing
CVE ID: CVE-2023-49774
CVSS Score: 5.3 (Medium)
Researcher/s: Brandon James Roldan (tomorrowisnew)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/017fe804-a1a5-4f8d-a531-e928d668dbc4
Manage Notification E-mails <= 1.8.5 – Missing Authorization
CVE ID: CVE-2023-6496
CVSS Score: 5.3 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/048bc117-88df-44b3-a30c-692bad23050f
RegistrationMagic <= 5.2.3.0 – Missing Authorization
CVE ID: CVE-2023-49831
CVSS Score: 5.3 (Medium)
Researcher/s: lttn
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0d041b14-0d05-4bfe-bd5c-7e06d7b108b8
Square Thumbnails <= 1.1.0 – Missing Authorization
CVE ID: CVE-2023-49851
CVSS Score: 5.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/31cc30c7-262d-4582-8976-fc8095bdca5f
Awesome Support <= 6.1.6 – Missing Authorization
CVE ID: CVE-2023-49857
CVSS Score: 5.3 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3a1cbd74-e598-4edf-90c2-f97d5070f0cc
Gift Up 2.21.3 – Cross-Site Request Forgery via consume_post
CVE ID: CVE-2023-49744
CVSS Score: 5.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3e8d9909-7b98-4d98-8293-0c30eebc6c7b
Ultimate Dashboard <= 3.7.10 – Login Page Disclosure on Multi-site
CVE ID: CVE-2023-49822
CVSS Score: 5.3 (Medium)
Researcher/s: Naveen Muthusamy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/56f3cb34-0452-4e3d-9442-0decc77f5e63
PayTR Taksit Tablosu <= 1.3.1 – Improper Authorization
CVE ID: CVE-2023-49853
CVSS Score: 5.3 (Medium)
Researcher/s: qilin_99
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5898944f-565c-4950-83e8-ad0de0f948d1
Flexible Woocommerce Checkout Field Editor <= 2.0.1 – Missing Authorization
CVE ID: CVE-2023-49817
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5947f7cb-de84-4a62-bef7-cbeb1f20bb72
WP Photo Album Plus <= 8.5.02.005 – Insecure Direct Object Reference
CVE ID: CVE-2023-49812
CVSS Score: 5.3 (Medium)
Researcher/s: Kyle Sanchez
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/72f3925d-6b3a-43bf-bfd1-fef7e71d5e43
AppMySite <= 3.10.0 – Unauthenticated Information Disclsoure
CVE ID: CVE-2023-49762
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8b9f171f-56d8-4ab9-bf61-0daa7c0d928f
Redirects <= 1.2.1 – Missing Authorization
CVE ID: CVE-2023-49845
CVSS Score: 5.3 (Medium)
Researcher/s: Skalucy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/903161b0-b64c-4986-8c94-b90221bc911b
Webflow Pages <= 1.0.8 – Missing Authorization
CVE ID: CVE-2023-49818
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a01141ed-9b9c-426f-96b3-c6ceade4d35c
Shortcoder <= 6.3.1 – Missing Authorization
CVE ID: CVE-2023-49849
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a54ad0b4-b6e7-4eac-843e-261ec6c83d84
EmbedPress <= 3.9.4 – Missing Authorization
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a7cf1c70-9778-4b50-b494-d0b1d0277b35
Alt Manager <= 1.5.9 – Missing Authorization
CVE ID: CVE-2023-50373
CVSS Score: 5.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/aaa041a3-d8e5-4637-b8da-5f07c498685a
Custom Login <= 4.1.0 – Missing Authorization
CVE ID: CVE-2023-49858
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b23afc11-c31d-4569-8f4b-8141eef7b3d9
Google Language Translator <= 6.0.20 – Missing Authorization to Notice Dismissal
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ec894433-53c8-4d04-bb8a-92c66cbd2ce7
WP Simple HTML Sitemap <= 2.4 – Missing Authorization
CVE ID: CVE-2023-49850
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/eff4cb35-492b-448a-8d16-b9210917c567
Login With Ajax <= 4.1 – Missing Authorization
CVE ID: CVE-2023-49859
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f11926c8-2b31-4ad5-9fd0-225071a91b2a
WP Project Manager <= 2.6.7 – Missing Authorization
CVE ID: CVE-2023-40003
CVSS Score: 5.3 (Medium)
Researcher/s: lttn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f83a6631-ff6c-422e-8b6c-49576fadb89f
Sharkdropship dropshipping for Aliexpress, eBay, Amazon, etsy <= 2.1.1 – Missing Authorization
CVE ID: CVE-2023-49848
CVSS Score: 5.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fbc7e515-c712-4a39-a0f7-c3f646083060
Rocket Maintenance Mode & Coming Soon Page <= 4.3 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-49842
CVSS Score: 4.4 (Medium)
Researcher/s: emad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/055cc26b-1e24-4e39-89c8-bdc4a69ce938
Optin Forms <= 1.3.3 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-49841
CVSS Score: 4.4 (Medium)
Researcher/s: DoYeon Park (p6rkdoye0n)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/35e0a997-190e-457a-b80c-7b4ecec97095
Smart External Link Click Monitor [Link Log] <= 5.0.2 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-49770
CVSS Score: 4.4 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7c1811f7-0fb4-4f50-93ac-6abd9e6a1d66
Calculated Fields Form <= 1.2.40 – Authenticated (Admin+) Stored Cross-Site Scripting
CVE ID: CVE-2023-6446
CVSS Score: 4.4 (Medium)
Researcher/s: emad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c879123c-531e-43d8-a7d3-16a3c86b68a3
Dashboard Widgets Suite <= 3.4.1 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-49743
CVSS Score: 4.4 (Medium)
Researcher/s: Rachit Arora
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cba77ced-412e-4461-8d2a-980371c78a17
Tutor LMS <= 2.2.4 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-49829
CVSS Score: 4.4 (Medium)
Researcher/s: emad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e2b2a90f-7a0a-4150-8a24-14b2ed11663e
Fix My Feed RSS Repair <= 1.4 – Cross-Site Request Forgery
CVE ID: CVE-2023-49816
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/038742d8-3da9-4e2a-bbd4-9ed6b31e8767
Product Catalog Feed by PixelYourSite <= 2.1.1 – Cross-Site Request Forgery
CVE ID: CVE-2023-49824
CVSS Score: 4.3 (Medium)
Researcher/s: thiennv
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/09547dae-85dc-481d-9eb1-423d8faadc80
LiveChat <= 4.5.15 – Cross-Site Request Forgery
CVE ID: CVE-2023-49821
CVSS Score: 4.3 (Medium)
Researcher/s: Brandon James Roldan (tomorrowisnew)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0b80e90d-72bd-4253-b84b-d2706e1abd4c
System Dashboard <= 2.8.8 – Missing Authorization to Information Disclosure (sd_php_info)
CVE ID: CVE-2023-5711
CVSS Score: 4.3 (Medium)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/17bc3a9f-2bf9-44e3-81ef-bfa932085da9
CSV Importer <= 0.3.8 – Cross-Site Request Forgery
CVE ID: CVE-2023-49775
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/252153ec-3811-484a-984f-eeb6ed9229a5
Integrate Google Drive <= 1.3.4 – Cross-Site Request Forgery
CVE ID: CVE-2023-49769
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/39c53cd7-3ea3-4971-be51-9544ca9d488f
WPPerformanceTester <= 2.0.0 – Cross-Site Request Forgery
CVE ID: CVE-2023-49844
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3fb35366-b09c-4667-8fb9-6f80ba6d09f0
Social Media Feather <= 2.1.3 – Missing Authorization
CVE ID: CVE-2023-49861
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4154aa02-7fa1-4858-bea7-092ec4a508ac
SureTriggers <= 1.0.23 – Cross-Site Request Forgery
CVE ID: CVE-2023-49749
CVSS Score: 4.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/461211c9-951e-4ccd-abf5-84941290a6a5
System Dashboard <= 2.8.7 – Missing Authorization to Information Disclosure (sd_db_specs)
CVE ID: CVE-2023-5714
CVSS Score: 4.3 (Medium)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/53b3ac83-847d-4bd0-a79b-531af266e1b4
Block for Font Awesome <= 1.4.0 – Cross-Site Request Forgery
CVE ID: CVE-2023-49751
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5d255ca7-37a5-4c1b-84be-356ae3900f7e
Multi Currency For WooCommerce <= 1.5.5 – Cross-Site Request Forgery
CVE ID: CVE-2023-49840
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6a19d494-08d1-479a-8ba4-edeb2873866a
System Dashboard <= 2.8.7 – Missing Authorization to Information Disclosure (sd_global_value)
CVE ID: CVE-2023-5712
CVSS Score: 4.3 (Medium)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/70f14d9d-6ed6-4bcb-944d-f9c5aa6a17a6
WP Booking System <= 2.0.19.2 – Missing Authorization
CVE ID: CVE-2023-49758
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/805c46ec-0b8a-4a40-bfc9-5d2d8d43a17b
Elementor Timeline Widget <= 2.0 – Missing Authorization to Notice Dismissal
CVE ID: CVE-2023-49755
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/819b3e0c-1cd0-45f9-8621-41817ad1de5e
Custom Post Type Page Template <= 1.1 – Cross-Site Request Forgery
CVE ID: CVE-2023-50372
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8ff05617-61b1-4d1f-9230-c771f23d3283
WPsoonOnlinePage <= 1.9 – Cross-Site Request Forgery
CVE ID: CVE-2023-49760
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a554b365-b54b-4696-87f6-df5099e15708
Caddy <= 1.9.7 – Cross-Site Request Forgery
CVE ID: CVE-2023-49854
CVSS Score: 4.3 (Medium)
Researcher/s: qilin_99
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b331c32e-7341-458b-80be-574cfa915159
First Order Discount Woocommerce <= 1.21 – Cross-Site Request Forgery
CVE ID: CVE-2023-49843
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b9d161a3-eb9f-447f-b2d2-b8b193678d20
Bulk Edit Post Titles <= 5.0.0 – Missing Authorization
CVE ID: CVE-2023-49754
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bbdeaa77-72c9-4afc-8913-7a1e44cdeb82
Responsive Slick Slider WordPress <= 1.4 – Authenticated (Contributor+) Content Injection
CVE ID: CVE-2023-49852
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c59f1784-da65-4e6d-b284-d65ee2196be9
WooDiscuz â WooCommerce Comments <= 2.3.0 – Cross-Site Request Forgery
CVE ID: CVE-2023-49759
CVSS Score: 4.3 (Medium)
Researcher/s: Skalucy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e0bfa461-5cea-40e8-af9f-800cdbb6efb5
Post Duplicator <= 2.31 – Missing Authorization via mtphr_duplicate_post
CVE ID: CVE-2023-49835
CVSS Score: 4.3 (Medium)
Researcher/s: Huynh Tien Si
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e5665931-8da9-44db-a5b1-46acebf14f3b
Multiple Themes by KlbTheme <= (Various Versions) – Cross-Site Request Forgery
CVE ID: CVE-2023-49838
CVSS Score: 4.3 (Medium)
Researcher/s: Vladislav Pokrovsky (ÎX.MI)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e6d5036a-c756-47a6-b071-c393f8a6ce5e
System Dashboard <= 2.8.7 – Missing Authorization to Information Disclosure (sd_option_value)
CVE ID: CVE-2023-5713
CVSS Score: 4.3 (Medium)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e9d1a33b-2518-48f7-90b6-a94a34473d1e
System Dashboard <= 2.8.7 – Missing Authorization to Information Disclosure (sd_constants)
CVE ID: CVE-2023-5710
CVSS Score: 4.3 (Medium)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f170379e-e833-42e0-96fd-1e1722a8331c
Eventin <= 3.3.44 – Missing Authorization
CVE ID: CVE-2023-49756
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f256036d-11e8-4311-baa0-d15193c72da0
Product Enquiry for WooCommerce <= 3.0 – Cross-Site Request Forgery
CVE ID: CVE-2023-49761
CVSS Score: 4.3 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f37cc9d0-345e-4ab7-ae99-d9d7fee6c1e5
CSprite <= 1.1 – Cross-Site Request Forgery
CVE ID: CVE-2023-49763
CVSS Score: 4.3 (Medium)
Researcher/s: Skalucy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f5da3a4f-7084-4ba9-89c9-5a480efc7eca
BC Menu Bar Cart Icon For WooCommerce By Binary Carpenter <= 1.49.3 – Cross-Site Request Forgery
CVE ID: CVE-2023-49855
CVSS Score: 4.3 (Medium)
Researcher/s: Skalucy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fc626bdb-e962-407c-95c3-3f9e28dc5876
Welcart e-Commerce <= 2.9.6 – Authenticated (Administrator+) Directory Traversal
CVE ID: CVE-2023-6120
CVSS Score: 4.1 (Medium)
Researcher/s: Marco Wotschka
(Wordfence Vulnerability Researcher)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2677cea6-d60d-4e10-afd7-e088a5592b19
As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.
This database is continuously updated, maintained, and populated by Wordfenceâs highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
Comments