Wordfence Intelligence Weekly WordPress Vulnerability Report (November 27, 2023 to December 3, 2023)
🎁 Wordfence just launched its bug bounty program. Through December 20th 2023, all researchers will earn 6.25x our normal bounty rates when Wordfence handles responsible disclosure for our Holiday Bug Extravaganza! Register as a researcher and submit your vulnerabilities today!🎁
Last week, there were 124 vulnerabilities disclosed in 123 WordPress Plugins and 2 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 39 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.
Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 12,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following in real-time to our Premium, Care, and Response customers last week:
- wp-autoload.php backdoor – while we typically write firewall rules for vulnerabilities, we wrote a firewall rule to block successful exploitation of this piece of malware we wrote about here.
- Backup Migration <= 1.3.6 – Unauthenticated Arbitrary File Download to Sensitive Information Exposure
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.
Total Unpatched & Patched Vulnerabilities Last Week
Patch Status | Number of Vulnerabilities |
Unpatched | 66 |
Patched | 58 |
Total Vulnerabilities by CVSS Severity Last Week
Severity Rating | Number of Vulnerabilities |
Low Severity | 0 |
Medium Severity | 113 |
High Severity | 10 |
Critical Severity | 1 |
Total Vulnerabilities by CWE Type Last Week
Vulnerability Type by CWE | Number of Vulnerabilities |
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 53 |
Missing Authorization | 24 |
Cross-Site Request Forgery (CSRF) | 21 |
Information Exposure | 7 |
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 4 |
Unrestricted Upload of File with Dangerous Type | 3 |
Server-Side Request Forgery (SSRF) | 2 |
Incorrect Authorization | 1 |
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) | 1 |
Authorization Bypass Through User-Controlled Key | 1 |
Guessable CAPTCHA | 1 |
Use of Less Trusted Source | 1 |
Protection Mechanism Failure | 1 |
Improper Access Control | 1 |
Improper Authorization | 1 |
Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’) | 1 |
Reliance on Untrusted Inputs in a Security Decision | 1 |
Researchers That Contributed to WordPress Security Last Week
Researcher Name | Number of Vulnerabilities |
Rafie Muhammad | 9 |
Abdi Pranata | 8 |
emad | 7 |
Mika | 7 |
DoYeon Park (p6rkdoye0n) | 6 |
Ngô Thiên An (ancorn_) | 6 |
Joshua Chan | 5 |
Le Ngoc Anh | 4 |
LEE SE HYOUNG | 4 |
qilin_99 | 4 |
LVT-tholv2k | 4 |
Rafshanzani Suhada | 3 |
Vladislav Pokrovsky (ΞX.MI) | 3 |
Abu Hurayra (HurayraIIT) | 3 |
Skalucy | 3 |
resecured.io | 2 |
Revan Arifio | 2 |
Francesco Carlucci | 2 |
yuyudhn | 2 |
István Márton (Wordfence Vulnerability Researcher) |
2 |
thiennv | 2 |
Elliot | 2 |
SeungYongLee | 2 |
Phd | 2 |
Abdullah Hussam | 1 |
Sebastian Neef | 1 |
Yudistira Arya | 1 |
Nguyen Xuan Chien | 1 |
Brandon James Roldan (tomorrowisnew) | 1 |
Alex Thomas (Wordfence Vulnerability Researcher) |
1 |
Shahzaib Ali Khan | 1 |
Dmitrii Ignatyev | 1 |
Bob Matyas | 1 |
Krzysztof Zając | 1 |
Truoc Phan | 1 |
Dave Jong | 1 |
Nguyen Anh Tien | 1 |
Yuchen Ji | 1 |
Arvandy | 1 |
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
Software Name | Software Slug |
12 Step Meeting List | 12-step-meeting-list |
360 Javascript Viewer | 360deg-javascript-viewer |
AMP for WP – Accelerated Mobile Pages | accelerated-mobile-pages |
Abandoned Cart Lite for WooCommerce | woocommerce-abandoned-cart |
AdFoxly – Ad Manager, AdSense Ads & Ads.txt | adfoxly |
Add to Cart Text Changer and Customize Button, Add Custom Icon | woo-add-to-cart-text-change |
Ads by datafeedr.com | ads-by-datafeedrcom |
Affiliate Booster – Pros & Cons, Notice, and CTA Blocks for Affiliates | affiliatebooster-blocks |
Antispam Bee | antispam-bee |
Aparat | aparat |
Aruba HiSpeed Cache | aruba-hispeed-cache |
Author Box, Guest Author and Co-Authors for Your Posts – Molongui | molongui-authorship |
Automatic Youtube Video Posts Plugin | automatic-youtube-video-posts |
BSK Forms Blacklist | bsk-gravityforms-blacklist |
Backup Migration | backup-backup |
Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss | bp-better-messages |
BigCommerce For WordPress | bigcommerce |
BookingPress – Appointment Booking Calendar Plugin and Online Scheduling Plugin | bookingpress-appointment-booking |
BrainCert – HTML5 Virtual Classroom | html5-virtual-classroom |
Bravo Translate | bravo-translate |
Button Generator – easily Button Builder | button-generation |
CF7 Google Sheets Connector | cf7-google-sheets-connector |
Campaign Monitor for WordPress | forms-for-campaign-monitor |
Chartify – WordPress Chart Plugin | chart-builder |
Chat Bubble – Floating Chat with Contact Chat Icons, Messages, Telegram, Email, SMS, Call me back | chat-bubble |
Client Dash | client-dash |
Coming soon and Maintenance mode | coming-soon-page |
CommentLuv | commentluv |
Contact Form 7 | contact-form-7 |
Contact Form – Custom Builder, Payment Form, and More | powr-pack |
Credit Tracker | credit-tracker |
Crypto Converter ⚡ Widget | crypto-converter-widget |
Currency Converter Calculator | currency-converter-calculator |
Database for CF7 | database-for-cf7 |
Debug Log Manager | debug-log-manager |
Delete Post Revisions In WordPress | delete-post-revisions-on-single-click |
Doofinder WP & WooCommerce Search | doofinder-for-woocommerce |
Ecwid Ecommerce Shopping Cart | ecwid-shopping-cart |
Email Address Encoder | email-address-encoder |
Enhanced Text Widget | enhanced-text-widget |
Event post | event-post |
Evergreen Content Poster – Auto Post and Schedule Your Best Content to Social Media | evergreen-content-poster |
Export WP Page to Static HTML/CSS | export-wp-page-to-static-html |
File Gallery | file-gallery |
Form builder to get in touch with visitors, grow your email list and collect payments — Happyforms | happyforms |
Forms by CaptainForm – Form Builder for WordPress | captainform |
Formzu WP | formzu-wp |
GDPR Cookie Consent by Supsystic | gdpr-compliance-by-supsystic |
Gift Up Gift Cards for WordPress and WooCommerce | gift-up |
GoDaddy Email Marketing | godaddy-email-marketing-sign-up-forms |
Guest Author | guest-author |
HDW Player Plugin (Video Player & Video Gallery) | hdw-player-video-player-video-gallery |
HUSKY – Products Filter for WooCommerce Professional | woocommerce-products-filter |
Hubbub Lite (formerly Grow Social) | social-pug |
IdeaPush | ideapush |
Importify – Dropshipping WooCommerce Plugin for Aliexpress, Amazon, Etsy, Alibaba, Walmart & More | importify |
Innovs HR – Complete Human Resource Management System for Your Business | innovs-hr-manager |
JetBlocks for Elementor | jet-blocks |
JetBlog for Elementor | jet-blog |
JetCompareWishlist for Elementor | jet-compare-wishlist |
JetElements | jet-elements |
JetEngine | jet-engine |
JetFormBuilder — Dynamic Blocks Form Builder | jetformbuilder |
JetMenu for Elementor | jet-menu |
JetPopup | jet-popup |
JetProductGallery | jet-woo-product-gallery |
JetReviews for Elementor | jet-reviews |
JetSearch | jet-search |
JetSmartFilters for Elementor | jet-smart-filters |
JetTabs for Elementor | jet-tabs |
JetThemeCore for Elementor | jet-theme-core |
JetTricks for Elementor | jet-tricks |
JetWooBuilder for Elementor | jet-woo-builder |
KP Fastest Tawk.to Chat | kp-fastest-tawk-to-chat |
LadiApp: Landing Page, PopupX, Marketing Automation, Affiliate Marketing… | ladipage |
List all posts by Authors, nested Categories and Titles | list-all-posts-by-authors-nested-categories-and-titles |
MSync | msync |
Media File Renamer: Rename Files (Manual, Auto & AI) | media-file-renamer |
MkRapel Regiones y Ciudades de Chile para WC | wc-ciudades-y-regiones-de-chile |
Mollie Payments for WooCommerce | mollie-payments-for-woocommerce |
Multiple Post Passwords | multiple-post-passwords |
MyTube PlayList | mytube |
Nested Pages | wp-nested-pages |
NextScripts: Social Networks Auto-Poster | social-networks-auto-poster-facebook-twitter-g |
Ocean Extra | ocean-extra |
Page Builder: Pagelayer – Drag and Drop website builder | pagelayer |
Parallax Slider Block | parallax-slider-block |
Participants Database | participants-database |
Perfect Images (Manage Image Sizes, Thumbnails, Replace, Retina) | wp-retina-2x |
PowerPack Pro for Elementor | powerpack-elements |
Prevent Landscape Rotation | prevent-landscape-rotation |
Product Size Chart For WooCommerce | product-size-chart-for-woo |
Qode Essential Addons | qode-essential-addons |
Quotes for WooCommerce | quotes-for-woocommerce |
Razorpay for WooCommerce | woo-razorpay |
RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login | custom-registration-form-builder-with-submission-manager |
Related Post | related-post |
Responsive Lightbox & Gallery | responsive-lightbox |
SchedulePress – Best Editorial Calendar, Missed Schedule & Auto Social Share | wp-scheduled-posts |
Seraphinite Accelerator | seraphinite-accelerator |
Sign In Scheduling Online Appointment Booking System | 10to8-online-booking |
Simple Long Form | simple-long-form |
Site Offline Or Coming Soon Or Maintenance Mode | site-offline |
SiteOrigin Widgets Bundle | so-widgets-bundle |
Social Share Buttons & Analytics Plugin – GetSocial.io | wp-share-buttons-analytics-by-getsocial |
SoundCloud Shortcode | soundcloud-shortcode |
SpeedyCache – Cache, Optimization, Performance | speedycache |
Spiffy Calendar | spiffy-calendar |
Swift Performance Lite | swift-performance-lite |
Track Geolocation Of Users Using Contact Form 7 | track-geolocation-of-users-using-contact-form-7 |
UPS, Mondial Relay & Chronopost for WooCommerce – WCMultiShipping | wc-multishipping |
WP Catalogue | wp-catalogue |
WP CleanFix | wp-cleanfix |
WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce | wp-event-manager |
WP Forms Puzzle Captcha | wp-forms-puzzle-captcha |
WP Pocket URLs | wp-pocket-urls |
WP Shortcodes Plugin — Shortcodes Ultimate | shortcodes-ultimate |
WordPress Brute Force Protection – Stop Brute Force Attacks | guardgiant |
YASR – Yet Another Star Rating Plugin for WordPress | yet-another-stars-rating |
affiliate-toolkit – WordPress Affiliate Plugin | affiliate-toolkit-starter |
canvasio3D Light | canvasio3d-light |
teachPress | teachpress |
which template file | which-template-file |
WordPress Themes with Reported Vulnerabilities Last Week
Software Name | Software Slug |
adifier | adifier |
restricted-site-access | restricted-site-access |
Vulnerability Details
Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.
HUSKY – Products Filter for WooCommerce (formerly WOOF) <= 1.3.4.2 – Unauthenticated SQL Injection via search terms
CVE ID: CVE-2023-40010
CVSS Score: 9.8 (Critical)
Researcher/s: Nguyen Anh Tien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b905b8ec-d13d-4455-9c5f-61aaa09d75ba
JetEngine <= 3.2.4 – Authenticated (Contributor+) Privilege Escalation
CVE ID: CVE-2023-48757
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ad66015d-7831-4590-9583-3abf7ca43c3b
CommentLuv <= 3.0.4 – Server Side Request Forgery via do_click
CVE ID: CVE-2023-49159
CVSS Score: 8.2 (High)
Researcher/s: Yuchen Ji
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/eeef2a59-47a1-4d8d-b815-8c74cc608e6c
Backup Migration <= 1.3.6 – Unauthenticated Arbitrary File Download to Sensitive Information Exposure
CVE ID: CVE-2023-6266
CVSS Score: 7.5 (High)
Researcher/s: Rafshanzani Suhada
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/08801f53-3c57-41a3-a637-4b52637cc612
CF7 Google Sheets Connector <= 5.0.5 – Unauthenticated Sensitive Information Exposure via Debug Log
CVE ID: CVE-2023-44989
CVSS Score: 7.5 (High)
Researcher/s: Joshua Chan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fad510b7-85f4-4cae-aaf0-eb68a32cf1b4
Multiple Plugins by Crocoblock <= (Various Versions) – Missing Authorization to Unauthenticated Unauthorized Action
CVE ID: CVE-2023-48760
CVSS Score: 7.3 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7addc83b-cde5-4f91-b286-70db6f384a9f
MSync <= 1.0.0 – Authenticated (Administrator+) SQL Injection
CVE ID: CVE-2023-49166
CVSS Score: 7.2 (High)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1f37ed0e-3e03-4f00-9967-16047beab1cf
Mollie Payments for WooCommerce <= 7.3.11 – Authenticated (Shop Manager+) Arbitrary File Upload
CVE ID: CVE-2023-6090
CVSS Score: 7.2 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5d350095-125a-4445-89c1-bce437e4098c
BookingPress <= 1.0.76 – Authenticated (Administrator+) Arbitrary File Upload
CVE ID: CVE-2023-6219
CVSS Score: 7.2 (High)
Researcher/s: István Márton
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/710b8e4e-01de-4e99-8cf2-31abc2419b29
JetEngine <= 3.2.4 – Missing Authorization
CVE ID: CVE-2023-48758
CVSS Score: 7.1 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3f2c97f4-0a6e-4693-a6c8-bd81ca76988c
WP Cleanfix <= 5.5.0 – Missing Authorization via register
CVE ID: CVE-2023-48775
CVSS Score: 7.1 (High)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/57896fa8-9360-41e8-a60e-8b95d01c25ac
WordPress Brute Force Protection – Stop Brute Force Attacks <= 2.2.5 – Authenticated (Administrator+) SQL Injection via orderby
CVE ID: CVE-2023-48764
CVSS Score: 6.6 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0d3f7676-5ab0-4fe0-a0be-786f4cf84056
Contact Form 7 <= 5.8.3 – Authenticated (Editor+) Arbitrary File Upload
CVE ID: CVE-2023-6449
CVSS Score: 6.6 (Medium)
Researcher/s: István Márton
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5d7fb020-6acb-445e-a46b-bdb5aaf8f2b6
Bravo Translate <= 1.2 – Authenticated (Administrator+) SQL Injection
CVE ID: CVE-2023-49161
CVSS Score: 6.6 (Medium)
Researcher/s: Arvandy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f256518c-9a3e-4e6e-8d49-d309e397c14d
Chat Bubble <= 2.3 – Cross-Site Request Forgery via cbb_submit_settings_data
CVE ID: CVE-2023-48769
CVSS Score: 6.5 (Medium)
Researcher/s: Vladislav Pokrovsky (ΞX.MI)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/206261fa-58b6-4407-b8e1-2315836b6c88
Prevent Landscape Rotation <= 2.0 – Cross-Site Request Forgery via adminpage.php
CVE ID: CVE-2023-48772
CVSS Score: 6.5 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4235f279-0975-4814-b156-b45b011e3ce6
Database for CF7 <= 1.2.4 – Missing Authorization via wpcf7db_delete AJAX action
CVE ID: CVE-2023-49167
CVSS Score: 6.5 (Medium)
Researcher/s: Vladislav Pokrovsky (ΞX.MI)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4fcaab95-7940-45f9-a3c2-c3b0dc540b61
MkRapel Regiones y Ciudades de Chile para WC <= 4.3.0 – Cross-Site Request Forgery via multiple functions
CVE ID: CVE-2023-48781
CVSS Score: 6.5 (Medium)
Researcher/s: qilin_99
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/70bac5e0-8182-426c-94da-e6832af8c487
Product Size Chart For WooCommerce <= 1.1.5 – Cross-Site Request Forgery via get_save_option
CVE ID: CVE-2023-48778
CVSS Score: 6.5 (Medium)
Researcher/s: qilin_99
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7e15f804-f5a9-4e29-8aeb-4ba2b116dc46
Guest Author <= 2.3 – Authenticated Stored Cross-Site Scripting
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0b7d7b64-8194-4b81-83f5-1f3b23109455
Powr Pack <= 2.1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
CVE ID: CVE-2023-45609
CVSS Score: 6.4 (Medium)
Researcher/s: resecured.io
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0e67ce3b-144f-4ce1-b658-47d865312c6a
Responsive Lightbox <= 2.4.5 – Authenticated (Author+) Stored Cross-Site Scripting via name
CVE ID: CVE-2023-49174
CVSS Score: 6.4 (Medium)
Researcher/s: emad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4b60c1e2-5a4b-4a7a-8224-f1afd3888e08
12 Step Meeting List <= 3.14.24 – Authenticated (Contributor+) Server-Side Request Forgery
CVE ID: CVE-2023-46641
CVSS Score: 6.4 (Medium)
Researcher/s: Shahzaib Ali Khan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4d6e9cb0-6b90-4a5b-8626-0b3f378fbc92
WP Shortcodes Plugin — Shortcodes Ultimate <= 5.13.3 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-6225
CVSS Score: 6.4 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/558e36f6-4678-46a2-8154-42770fbb5574
WP Catalogue <= 1.7.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
CVE ID: CVE-2023-48780
CVSS Score: 6.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5684d4b7-8a3e-47ee-9d7b-195cb5db9a66
Ads by datafeedr.com <= 1.2.0 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-49169
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/61c71bbf-ddae-4f35-ac8d-9753fb3fb67f
Event post <= 5.8.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
CVE ID: CVE-2023-49179
CVSS Score: 6.4 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6a92b96b-ecbc-4414-8e42-04b5c3a02131
Formzu WP <= 1.6.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via id
CVE ID: CVE-2023-49160
CVSS Score: 6.4 (Medium)
Researcher/s: resecured.io
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7ee73abf-0ab8-48ab-bd94-18ed66f877fd
Accelerated Mobile Pages <= 1.0.88.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
CVE ID: CVE-2023-48321
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/983e8ec0-fec4-4420-8ef6-6bf43881f5f1
Currency Converter Calculator <= 1.3.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
CVE ID: CVE-2023-49149
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9a423266-89e1-422d-b1e3-6368051eb2fe
10to8 Online Appointment Booking System <= 1.0.9 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
CVE ID: CVE-2023-49173
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9fbb5ed0-ed76-44fe-88c4-eb05ad87e510
BP Better Messages <= 2.4.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
CVE ID: CVE-2023-49168
CVSS Score: 6.4 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a4ccc7f8-c8e0-457a-b437-2a23530a9df4
Email Address Encoder 1.0.22 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-48765
CVSS Score: 6.4 (Medium)
Researcher/s: LVT-tholv2k
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ab5b7dc4-113d-4f58-956e-2a9284e1e25e
Parallax Slider Block <= 1.2.4 – Authenticated (Author+) Stored Cross-Site Scripting
CVE ID: CVE-2023-49184
CVSS Score: 6.4 (Medium)
Researcher/s: emad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ae3974e6-cba1-4976-a6af-9e60557cfde8
Credit Tracker <= 1.1.17 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-49152
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b611f3ba-ac36-49fc-a75f-10003c5ca955
Crypto Converter Widget <= 1.8.1 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-49150
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d621869c-31f7-4243-9815-f6d1bbe469e2
Aparat <= 1.7.1 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-48770
CVSS Score: 6.4 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e6d14dd6-ff1c-475b-8cff-efc7736124b4
Related Post <= 2.0.53 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f08ca5e3-8b48-4333-9c42-cc103d40394c
Spiffy Calendar <= 4.9.5 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f433edb4-a8df-4548-a401-0089b605bbe5
Multiple Plugins by Crocoblock <= (Various Versions) – Missing Authorization
CVE ID: CVE-2023-48761
CVSS Score: 6.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/893500ba-cc16-4429-bbe1-725aa65589c9
File Gallery <= 1.8.5.4 – Reflected Cross-Site Scripting via post_id
CVE ID: CVE-2023-48771
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0b51caf3-eff4-491f-b354-7d8939548a64
affiliate-toolkit – WordPress Affiliate Plugin <= 3.4.3 – Reflected Cross-Site Scripting via keyword
CVE ID: CVE-2023-46086
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0f45738b-fff6-438e-8870-508c622c1752
NextScripts <= 4.4.2 – Reflected Cross-Site Scripting via code
CVE ID: CVE-2023-49183
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/15f00b65-8304-4132-a2cf-8145444ecfb1
Adifier (Premium Theme) < 3.1.4 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-49187
CVSS Score: 6.1 (Medium)
Researcher/s: Vladislav Pokrovsky (ΞX.MI)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2250d512-dfe0-47d3-a61f-4e501d105f30
JetBlocks For Elementor <= 1.3.8 – Reflected Cross Site Scripting
CVE ID: CVE-2023-48756
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2614ca26-6efc-49f5-8cee-5b078721acc1
WP Forms Puzzle Captcha <= 4.1 – Cross-Site Request Forgery to Cross-Site Scripting
CVE ID: CVE-2023-48278
CVSS Score: 6.1 (Medium)
Researcher/s: qilin_99
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2f34854a-5ca1-48a3-81d5-80f80f3a85fc
PowerPack Pro for Elementor <= 2.9.23 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-49739
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2feabc97-0463-4e50-91a8-234445ca2504
MyTube PlayList <= 2.0.3 – Reflected Cross-Site Scripting via addplaylistid
CVE ID: CVE-2023-48767
CVSS Score: 6.1 (Medium)
Researcher/s: Abu Hurayra (HurayraIIT)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/523cfed4-0422-40f3-8d81-d7862bcb1792
Seraphinite Accelerator <= 2.20.28 – Reflected Cross-Site Scripting via rt
CVE ID: CVE-2023-49740
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/53356d15-8db0-4015-addf-9bf66446e81f
List all posts by Authors, nested Categories and Title <= 2.7.10 – Cross-Site Scripting
CVE ID: CVE-2023-49182
CVSS Score: 6.1 (Medium)
Researcher/s: Skalucy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6b84df5b-ff93-43b3-b9e4-cf963cf2af10
BrainCert – HTML5 Virtual Classroom <= 1.30 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-49172
CVSS Score: 6.1 (Medium)
Researcher/s: Abu Hurayra (HurayraIIT)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/76b3b5b7-fefe-44fb-a30e-c55226d4aaea
HDW Player Plugin (Video Player & Video Gallery) <= 5.0 – Cross-Site Scripting
CVE ID: CVE-2023-49178
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/778aa2be-ffcb-4d28-9efe-c29c8d5391bd
Forms by CaptainForm <= 2.5.3 – Reflected Cross-Site Scripting via REQUEST_URI
CVE ID: CVE-2023-49170
CVSS Score: 6.1 (Medium)
Researcher/s: Abu Hurayra (HurayraIIT)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7f690ea9-b773-49d4-9fa4-2a8bb7593d62
WP Pocket URLs <= 1.0.2 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-49176
CVSS Score: 6.1 (Medium)
Researcher/s: SeungYongLee
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8a22873f-6f09-4183-92c5-a84e0d378920
Campaign Monitor for WordPress <= 2.8.12 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-38474
CVSS Score: 6.1 (Medium)
Researcher/s: Phd
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a4d7cab5-1641-4ed3-92c7-ad7594dcb74b
which template file <= 4.9.0 – Unauthenticated Cross-Site Scripting
CVE ID: CVE-2023-49177
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/be3208c8-aceb-4ac9-91e1-d5de5a85f74d
Doofinder for WooCommerce <= 2.1.4 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-49185
CVSS Score: 6.1 (Medium)
Researcher/s: Phd
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e46a2031-e304-43fb-85bf-ec9abf0b2f90
Innovs HR <= 1.0.3.4 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-49171
CVSS Score: 6.1 (Medium)
Researcher/s: SeungYongLee
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f43b5c02-fb10-48f1-9457-f67c5008fe5b
Happyforms <= 1.25.9 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-48752
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ff986a66-93f7-4926-8818-7af745c0166c
SiteOrigin Widgets Bundle < 1.51.0 – Authenticated (Admin+) Local File Inclusion
CVE ID: CVE-2023-6295
CVSS Score: 5.9 (Medium)
Researcher/s: Sebastian Neef
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1dbdc673-b0ee-4d1d-8cd9-603056f41cda
Automatic Youtube Video Posts Plugin <= 5.2.2 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings
CVE ID: CVE-2023-49180
CVSS Score: 5.5 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6a595b3c-2b21-43fe-8d4e-6721f4541c9b
Client Dash <= 2.2.1 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings
CVE ID: CVE-2023-49165
CVSS Score: 5.5 (Medium)
Researcher/s: emad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7f8839cf-9e48-4981-8a0d-bb0c06cdf441
WP Event Manager <= 3.1.39 – Authenticated (Editor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-49181
CVSS Score: 5.5 (Medium)
Researcher/s: emad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f25b2a4b-d863-4f24-ae67-4c8e41602c6f
Download canvasio3D Light <= 2.4.6 – Missing Authorization
CVE ID: CVE-2023-48776
CVSS Score: 5.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/11795557-74c0-469a-9751-adc759f9214b
Export WP Page to Static HTML/CSS <= 2.1.9 – Missing Authorization via Multiple AJAX Actions
CVE ID: CVE-2023-6369
CVSS Score: 5.4 (Medium)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/47cb48aa-b556-4f25-ac68-ff0a812972c1
Abandoned Cart Lite for WooCommerce <= 5.16.1 – Missing Authorization via multiple AJAX functions
CVE ID: CVE-2023-41671
CVSS Score: 5.4 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/51cfe955-f854-4f88-a009-93f92ae13d86
Chronopost & Mondial relay pour WooCommerce – WCMultiShipping <= 2.3.7 – Incorrect Authorization
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/16a3469d-6264-4ed7-b6ae-fdd7a80c8ca5
Abandoned Cart Lite for WooCommerce <= 5.16.1 – Cross-Site Request Forgery
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1ce1316b-674a-4436-968f-9ffca4e8f726
Social Pug <= 1.20.3 – Missing Authorization via multiple admin_init actions
CVE ID: CVE-2023-49193
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/22b17fcb-0c97-462d-b67c-6da2919478d5
Enhanced Text Widget <= 1.6.2 – Missing Authorization via etw_hide_admin_notification_callback
CVE ID: CVE-2023-49192
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/25122475-fc2c-4a8c-90d3-f4a85fb3a8cc
360 Javascript Viewer <= 1.7.11 – Missing Authorization
CVE ID: CVE-2023-48779
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/25a8169d-1057-4cf2-9048-fb85f62d6ead
Yet Another Stars Rating <= 3.4.3 – Missing Authorization via init
CVE ID: CVE-2023-39305
CVSS Score: 5.3 (Medium)
Researcher/s: Revan Arifio
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/395b016f-018c-458d-a585-34f3de3eae5c
PageLayer <= 1.7.7 – Cross-Site Request Forgery via pagelayer_load_plugin
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3a0c8ecc-f0a1-41fa-a5f7-2d65d610efc0
Participants Database <= 2.5.5 – Missing Authorization
CVE ID: CVE-2023-48751
CVSS Score: 5.3 (Medium)
Researcher/s: Yudistira Arya
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3cd2b2ba-c4ec-4799-91b4-b38c462baee4
WP Retina 2x <= 6.4.5 – Sensitive Information Exposure
CVE ID: CVE-2023-44982
CVSS Score: 5.3 (Medium)
Researcher/s: Joshua Chan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/52c2aae5-17c2-45eb-b55f-bb27555fb1f7
WP Forms Puzzle Captcha <= 4.1 – Captcha Bypass
CVE ID: CVE-2023-48276
CVSS Score: 5.3 (Medium)
Researcher/s: qilin_99
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/58502e48-c1cf-4b94-954c-71046256c917
Media File Renamer <= 5.6.9 – Sensitive Information Exposure via Log File
CVE ID: CVE-2023-44991
CVSS Score: 5.3 (Medium)
Researcher/s: Joshua Chan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/71e55161-f5ad-44e5-8a61-ce48c05e6dba
Aruba HiSpeed Cache <= 2.0.6 – Sensitive Information Exposure via Log File
CVE ID: CVE-2023-44983
CVSS Score: 5.3 (Medium)
Researcher/s: Joshua Chan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7391dd8c-0170-48c6-8451-9e7a00e268d0
Button Generator – easily Button Builder <= 2.3.8 – Missing Authorization
CVE ID: CVE-2023-49154
CVSS Score: 5.3 (Medium)
Researcher/s: Elliot
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/73dd286e-5338-42d2-9928-1e14150ccf56
Restricted Site Access <= 7.4.1 – IP Spoofing to Protection Mechanism Bypass
CVE ID: CVE-2023-48753
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/804169d3-a53a-42ba-821d-e9647ac075c4
Importify <= 1.0.4 – Unauthenticated Sensitive Information Exposure
CVE ID: CVE-2023-49194
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/830ff660-0265-46e5-8d16-ecd03cdf9f52
Swift Performance Lite <= 2.3.6.14 – Missing Authorization to Unauthenticated Settings Export
CVE ID: CVE-2023-6289
CVSS Score: 5.3 (Medium)
Researcher/s: Krzysztof Zając
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8321f68f-da2d-4382-979d-54008de2cae7
Gift Up 2.21.3 – Cross-Site Request Forgery via consume_post
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/95abec2d-a03a-4b07-8890-18568650c41f
teachPress <= 9.0.4 – Cross-Site Request Forgery
CVE ID: CVE-2023-48755
CVSS Score: 5.3 (Medium)
Researcher/s: LVT-tholv2k
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9956e04c-ff59-40c0-a8ab-3e2ed2c52d7f
Coming soon and Maintenance mode <= 3.7.3 – IP Address Spoofing via get_real_ip
CVE ID: CVE-2023-49741
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9fd9c076-d36c-4cda-b636-aa65195956d2
JetElements For Elementor <= 2.6.13 – Missing Authorization to Unauthenticated Arbitrary Attachment Download
CVE ID: CVE-2023-48759
CVSS Score: 5.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d199e597-64ed-4dcc-a153-b5c8e4e9e93d
BigCommerce <= 5.0.6 – Unauthenticated Sensitive Information Exposure
CVE ID: CVE-2023-49162
CVSS Score: 5.3 (Medium)
Researcher/s: Joshua Chan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e3a7e0b6-dc6d-4e3a-bb05-12d6ace330df
JetFormBuilder <= 3.1.4 – Unauthenticated Content Injection
CVE ID: CVE-2023-48763
CVSS Score: 5.3 (Medium)
Researcher/s: Revan Arifio
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f0343861-a376-43ea-826e-277c2a5ea635
Antispam Bee <= 2.11.3 – IP Address Spoofing via get_client_ip
CVE ID: CVE-2023-41134
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fb102891-b4a8-4089-b70c-43866ad85b7b
KP Fastest Tawk.to Chat <= 1.1.1 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-49175
CVSS Score: 4.4 (Medium)
Researcher/s: emad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/02ddfc75-8a9e-4a8e-8339-52348a963c69
GDPR Cookie Consent by Supsystic <= 2.1.2 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-49191
CVSS Score: 4.4 (Medium)
Researcher/s: DoYeon Park (p6rkdoye0n)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/158a63c1-1b2e-4fbf-ac86-43471ba8ebc2
Molongui <= 4.6.19 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-39921
CVSS Score: 4.4 (Medium)
Researcher/s: Abdullah Hussam
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/16130c5d-9865-4953-b078-0b448722e36d
Chart Builder <= 1.9.6 – Authenticated (Admin+) Stored Cross-Site Scripting
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/18cbf346-91a3-4856-930e-7753eb1470d9
SoundCloud Shortcode <= 3.1.0 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-34018
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5084afcc-b6fc-4d89-9ad7-c4ea3e4dae82
Social Share Buttons & Analytics Plugin – GetSocial.io <= 4.3.12 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-49189
CVSS Score: 4.4 (Medium)
Researcher/s: DoYeon Park (p6rkdoye0n)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/513124f6-ea14-46ca-94c5-f9fa15b19d8c
Simple Long Form <= 2.2.2 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-41136
CVSS Score: 4.4 (Medium)
Researcher/s: DoYeon Park (p6rkdoye0n)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/68c22e71-c704-44c1-86e6-856f6244393d
Track Geolocation Of Users Using Contact Form 7 <= 1.4 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-49188
CVSS Score: 4.4 (Medium)
Researcher/s: DoYeon Park (p6rkdoye0n)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/724d8f79-f683-4b06-841d-a9104c87f3c6
BSK Forms Blacklist <= 3.6.3 – Authenticated (Admin+) Stored Cross-Site Scripting
CVE ID: CVE-2023-5980
CVSS Score: 4.4 (Medium)
Researcher/s: Bob Matyas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8283a502-6fb8-43ff-8f46-8afbfdbb22f7
Multiple Post Passwords <= 1.1.1 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-49157
CVSS Score: 4.4 (Medium)
Researcher/s: DoYeon Park (p6rkdoye0n)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8f220293-9789-4824-b736-ead014c45366
Site Offline <= 1.5.6 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-49190
CVSS Score: 4.4 (Medium)
Researcher/s: emad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/96f30a22-f218-48e7-9796-b9f1d5becc2c
Evergreen Content Poster <= 1.3.6.1 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-41127
CVSS Score: 4.4 (Medium)
Researcher/s: DoYeon Park (p6rkdoye0n)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d7b67c83-7fb7-4bac-a8eb-7fc318f2ff50
Nested Pages <= 3.2.6 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-49195
CVSS Score: 4.4 (Medium)
Researcher/s: emad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ec9029a3-be05-469a-a8e2-20987a4a4ad9
Multiple Plugins by Crocoblock <= (Various Versions) – Cross-Site Request Forgery
CVE ID: CVE-2023-48762
CVSS Score: 4.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1c85e5e0-d8ee-46d3-99b1-df6c6744f020
teachPress <= 9.0.5 – Cross-Site Request Forgery via delete_database()
CVE ID: CVE-2023-49163
CVSS Score: 4.3 (Medium)
Researcher/s: LVT-tholv2k
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3544357f-97c9-49cb-a48d-74b60480111d
Qode Essential Addons <= 1.5.2 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation/Activation
CVE ID: CVE-2023-47840
CVSS Score: 4.3 (Medium)
Researcher/s: Brandon James Roldan (tomorrowisnew)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/443c59b9-275d-4d17-a870-9ae013c1a5c1
WP Shortcodes Plugin — Shortcodes Ultimate <= 5.13.3 – Insecure Direct Object Reference to Information Disclosure
CVE ID: CVE-2023-6226
CVSS Score: 4.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4d936a48-b300-4a41-8d28-ba34cb3c5cb7
IdeaPush <= 8.53 – Missing Authorization
CVE ID: CVE-2023-48774
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5811fc63-da34-43cb-ae33-a34a8795bb72
Quotes for WooCommerce <= 2.0.1 – Missing Authorization
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5f7a5d4b-8ba2-45d8-92d4-3c66a81fb4f8
Quotes for WooCommerce <= 2.0.1 – Cross-Site Request Forgery
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6954364e-567c-407c-afc6-983b7257cc88
RegistrationMagic <= 5.2.2.6 – Cross-Site Request Forgery
CVE ID: CVE-2023-47645
CVSS Score: 4.3 (Medium)
Researcher/s: thiennv
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7dcde10d-4eb7-42fe-926e-05e56affc521
Debug Log Manager <= 2.2.0 – Cross-Site Request Forgery
CVE ID: CVE-2023-5772
CVSS Score: 4.3 (Medium)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7e539549-1125-4b0e-aa3c-c8844041c23a
LadiApp <= 4.3 – Missing Authorization
CVE ID: CVE-2023-49158
CVSS Score: 4.3 (Medium)
Researcher/s: Truoc Phan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8f88ff96-5bd7-448d-a030-e75fd268bff6
Ocean Extra <= 2.2.2 – Cross-Site Request Forgery to Arbitrary Plugin Activation
CVE ID: CVE-2023-49164
CVSS Score: 4.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ac111175-2059-41dc-afa2-a659da3adaca
SpeedyCache <= 1.1.2 – Missing Authorization via speedycache_create_test_cache
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ac7c0dde-5299-4938-beed-eb2fe227a812
Button Generator – easily Button Builder <= 2.3.8 – Cross-Site Request Forgery
CVE ID: CVE-2023-49155
CVSS Score: 4.3 (Medium)
Researcher/s: Elliot
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b73467de-fb0c-45e3-b3ae-5158b261907b
Add to Cart Text Changer and Customize Button, Add Custom Icon <= 2.0 – Cross-Site Request Forgery via wactc_text_form
CVE ID: CVE-2023-49153
CVSS Score: 4.3 (Medium)
Researcher/s: Skalucy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c4470c03-64fc-46d9-b224-de5a3149c3d5
GoDaddy Email Marketing <= 1.4.3 – Missing Authorization
CVE ID: CVE-2023-49156
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c8d9d19e-a080-40e9-8a71-01888393f618
SchedulePress <= 5.0.4 – Insufficient Authorization to Authenticated (Contributor+) Arbitrary Post Modifications
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cd2c9b28-d5b5-4930-a441-f889ee2778cd
Ecwid Ecommerce Shopping Cart <= 6.12.4 – Cross-Site Request Forgery
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/db5d6cc9-24d7-42bf-905e-4c3764c659ed
AdFoxly – Ad Manager, AdSense Ads & Ads.txt <= 1.8.5 – Cross-Site Request Forgery
CVE ID: CVE-2023-46617
CVSS Score: 4.3 (Medium)
Researcher/s: LVT-tholv2k
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e46513d2-65d0-4215-99a7-051603ec4569
Affiliate Booster – Pros & Cons, Notice, and CTA Blocks for Affiliates <= 3.0.4 – Cross-Site Request Forgery via process_bulk_action
CVE ID: CVE-2023-49148
CVSS Score: 4.3 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e4b9eeb9-7ce4-446d-8ac0-af9cea0c893a
Razorpay for WooCommerce <= 4.5.6 – Cross-Site Request Forgery
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e6a2b2f6-c648-4755-be24-92c7f287813e
Delete Post Revisions In WordPress <= 4.6 – Cross-Site Request Forgery
CVE ID: CVE-2023-48754
CVSS Score: 4.3 (Medium)
Researcher/s: Skalucy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f1946a48-c1d6-4ca9-909f-0d4b78c25c36
Razorpay for WooCommerce <= 4.5.6 – Missing Authorization
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f59cf3d6-06a0-42ec-a604-5f59c6b2be40
As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.
This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
Comments