Wordfence Intelligence Weekly WordPress Vulnerability Report (November 27, 2023 to December 3, 2023)

🎁 Wordfence just launched its bug bounty program. Through December 20th 2023, all researchers will earn 6.25x our normal bounty rates when Wordfence handles responsible disclosure for our Holiday Bug Extravaganza! Register as a researcher and submit your vulnerabilities today!🎁


Last week, there were 124 vulnerabilities disclosed in 123 WordPress Plugins and 2 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 39 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 12,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.


New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following in real-time to our Premium, Care, and Response customers last week:

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.


Total Unpatched & Patched Vulnerabilities Last Week

Patch Status Number of Vulnerabilities
Unpatched 66
Patched 58

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating Number of Vulnerabilities
Low Severity 0
Medium Severity 113
High Severity 10
Critical Severity 1

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) 53
Missing Authorization 24
Cross-Site Request Forgery (CSRF) 21
Information Exposure 7
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) 4
Unrestricted Upload of File with Dangerous Type 3
Server-Side Request Forgery (SSRF) 2
Incorrect Authorization 1
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) 1
Authorization Bypass Through User-Controlled Key 1
Guessable CAPTCHA 1
Use of Less Trusted Source 1
Protection Mechanism Failure 1
Improper Access Control 1
Improper Authorization 1
Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’) 1
Reliance on Untrusted Inputs in a Security Decision 1

Researchers That Contributed to WordPress Security Last Week

Researcher Name Number of Vulnerabilities
Rafie Muhammad 9
Abdi Pranata 8
emad 7
Mika 7
DoYeon Park (p6rkdoye0n) 6
Ngô Thiên An (ancorn_) 6
Joshua Chan 5
Le Ngoc Anh 4
LEE SE HYOUNG 4
qilin_99 4
LVT-tholv2k 4
Rafshanzani Suhada 3
Vladislav Pokrovsky (ΞX.MI) 3
Abu Hurayra (HurayraIIT) 3
Skalucy 3
resecured.io 2
Revan Arifio 2
Francesco Carlucci 2
yuyudhn 2
István Márton
(Wordfence Vulnerability Researcher)
2
thiennv 2
Elliot 2
SeungYongLee 2
Phd 2
Abdullah Hussam 1
Sebastian Neef 1
Yudistira Arya 1
Nguyen Xuan Chien 1
Brandon James Roldan (tomorrowisnew) 1
Alex Thomas
(Wordfence Vulnerability Researcher)
1
Shahzaib Ali Khan 1
Dmitrii Ignatyev 1
Bob Matyas 1
Krzysztof Zając 1
Truoc Phan 1
Dave Jong 1
Nguyen Anh Tien 1
Yuchen Ji 1
Arvandy 1

 

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.


WordPress Plugins with Reported Vulnerabilities Last Week

Software Name Software Slug
12 Step Meeting List 12-step-meeting-list
360 Javascript Viewer 360deg-javascript-viewer
AMP for WP – Accelerated Mobile Pages accelerated-mobile-pages
Abandoned Cart Lite for WooCommerce woocommerce-abandoned-cart
AdFoxly – Ad Manager, AdSense Ads & Ads.txt adfoxly
Add to Cart Text Changer and Customize Button, Add Custom Icon woo-add-to-cart-text-change
Ads by datafeedr.com ads-by-datafeedrcom
Affiliate Booster – Pros & Cons, Notice, and CTA Blocks for Affiliates affiliatebooster-blocks
Antispam Bee antispam-bee
Aparat aparat
Aruba HiSpeed Cache aruba-hispeed-cache
Author Box, Guest Author and Co-Authors for Your Posts – Molongui molongui-authorship
Automatic Youtube Video Posts Plugin automatic-youtube-video-posts
BSK Forms Blacklist bsk-gravityforms-blacklist
Backup Migration backup-backup
Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss bp-better-messages
BigCommerce For WordPress bigcommerce
BookingPress – Appointment Booking Calendar Plugin and Online Scheduling Plugin bookingpress-appointment-booking
BrainCert – HTML5 Virtual Classroom html5-virtual-classroom
Bravo Translate bravo-translate
Button Generator – easily Button Builder button-generation
CF7 Google Sheets Connector cf7-google-sheets-connector
Campaign Monitor for WordPress forms-for-campaign-monitor
Chartify – WordPress Chart Plugin chart-builder
Chat Bubble – Floating Chat with Contact Chat Icons, Messages, Telegram, Email, SMS, Call me back chat-bubble
Client Dash client-dash
Coming soon and Maintenance mode coming-soon-page
CommentLuv commentluv
Contact Form 7 contact-form-7
Contact Form – Custom Builder, Payment Form, and More powr-pack
Credit Tracker credit-tracker
Crypto Converter ⚡ Widget crypto-converter-widget
Currency Converter Calculator currency-converter-calculator
Database for CF7 database-for-cf7
Debug Log Manager debug-log-manager
Delete Post Revisions In WordPress delete-post-revisions-on-single-click
Doofinder WP & WooCommerce Search doofinder-for-woocommerce
Ecwid Ecommerce Shopping Cart ecwid-shopping-cart
Email Address Encoder email-address-encoder
Enhanced Text Widget enhanced-text-widget
Event post event-post
Evergreen Content Poster – Auto Post and Schedule Your Best Content to Social Media evergreen-content-poster
Export WP Page to Static HTML/CSS export-wp-page-to-static-html
File Gallery file-gallery
Form builder to get in touch with visitors, grow your email list and collect payments — Happyforms happyforms
Forms by CaptainForm – Form Builder for WordPress captainform
Formzu WP formzu-wp
GDPR Cookie Consent by Supsystic gdpr-compliance-by-supsystic
Gift Up Gift Cards for WordPress and WooCommerce gift-up
GoDaddy Email Marketing godaddy-email-marketing-sign-up-forms
Guest Author guest-author
HDW Player Plugin (Video Player & Video Gallery) hdw-player-video-player-video-gallery
HUSKY – Products Filter for WooCommerce Professional woocommerce-products-filter
Hubbub Lite (formerly Grow Social) social-pug
IdeaPush ideapush
Importify – Dropshipping WooCommerce Plugin for Aliexpress, Amazon, Etsy, Alibaba, Walmart & More importify
Innovs HR – Complete Human Resource Management System for Your Business innovs-hr-manager
JetBlocks for Elementor jet-blocks
JetBlog for Elementor jet-blog
JetCompareWishlist for Elementor jet-compare-wishlist
JetElements jet-elements
JetEngine jet-engine
JetFormBuilder — Dynamic Blocks Form Builder jetformbuilder
JetMenu for Elementor jet-menu
JetPopup jet-popup
JetProductGallery jet-woo-product-gallery
JetReviews for Elementor jet-reviews
JetSearch jet-search
JetSmartFilters for Elementor jet-smart-filters
JetTabs for Elementor jet-tabs
JetThemeCore for Elementor jet-theme-core
JetTricks for Elementor jet-tricks
JetWooBuilder for Elementor jet-woo-builder
KP Fastest Tawk.to Chat kp-fastest-tawk-to-chat
LadiApp: Landing Page, PopupX, Marketing Automation, Affiliate Marketing… ladipage
List all posts by Authors, nested Categories and Titles list-all-posts-by-authors-nested-categories-and-titles
MSync msync
Media File Renamer: Rename Files (Manual, Auto & AI) media-file-renamer
MkRapel Regiones y Ciudades de Chile para WC wc-ciudades-y-regiones-de-chile
Mollie Payments for WooCommerce mollie-payments-for-woocommerce
Multiple Post Passwords multiple-post-passwords
MyTube PlayList mytube
Nested Pages wp-nested-pages
NextScripts: Social Networks Auto-Poster social-networks-auto-poster-facebook-twitter-g
Ocean Extra ocean-extra
Page Builder: Pagelayer – Drag and Drop website builder pagelayer
Parallax Slider Block parallax-slider-block
Participants Database participants-database
Perfect Images (Manage Image Sizes, Thumbnails, Replace, Retina) wp-retina-2x
PowerPack Pro for Elementor powerpack-elements
Prevent Landscape Rotation prevent-landscape-rotation
Product Size Chart For WooCommerce product-size-chart-for-woo
Qode Essential Addons qode-essential-addons
Quotes for WooCommerce quotes-for-woocommerce
Razorpay for WooCommerce woo-razorpay
RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login custom-registration-form-builder-with-submission-manager
Related Post related-post
Responsive Lightbox & Gallery responsive-lightbox
SchedulePress – Best Editorial Calendar, Missed Schedule & Auto Social Share wp-scheduled-posts
Seraphinite Accelerator seraphinite-accelerator
Sign In Scheduling Online Appointment Booking System 10to8-online-booking
Simple Long Form simple-long-form
Site Offline Or Coming Soon Or Maintenance Mode site-offline
SiteOrigin Widgets Bundle so-widgets-bundle
Social Share Buttons & Analytics Plugin – GetSocial.io wp-share-buttons-analytics-by-getsocial
SoundCloud Shortcode soundcloud-shortcode
SpeedyCache – Cache, Optimization, Performance speedycache
Spiffy Calendar spiffy-calendar
Swift Performance Lite swift-performance-lite
Track Geolocation Of Users Using Contact Form 7 track-geolocation-of-users-using-contact-form-7
UPS, Mondial Relay & Chronopost for WooCommerce – WCMultiShipping wc-multishipping
WP Catalogue wp-catalogue
WP CleanFix wp-cleanfix
WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce wp-event-manager
WP Forms Puzzle Captcha wp-forms-puzzle-captcha
WP Pocket URLs wp-pocket-urls
WP Shortcodes Plugin — Shortcodes Ultimate shortcodes-ultimate
WordPress Brute Force Protection – Stop Brute Force Attacks guardgiant
YASR – Yet Another Star Rating Plugin for WordPress yet-another-stars-rating
affiliate-toolkit – WordPress Affiliate Plugin affiliate-toolkit-starter
canvasio3D Light canvasio3d-light
teachPress teachpress
which template file which-template-file

WordPress Themes with Reported Vulnerabilities Last Week

Software Name Software Slug
adifier adifier
restricted-site-access restricted-site-access

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

HUSKY – Products Filter for WooCommerce (formerly WOOF) <= 1.3.4.2 – Unauthenticated SQL Injection via search terms

Affected Software: HUSKY – Products Filter for WooCommerce Professional
CVE ID: CVE-2023-40010
CVSS Score: 9.8 (Critical)
Researcher/s: Nguyen Anh Tien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b905b8ec-d13d-4455-9c5f-61aaa09d75ba

JetEngine <= 3.2.4 – Authenticated (Contributor+) Privilege Escalation

Affected Software: JetEngine
CVE ID: CVE-2023-48757
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ad66015d-7831-4590-9583-3abf7ca43c3b

CommentLuv <= 3.0.4 – Server Side Request Forgery via do_click

Affected Software: CommentLuv
CVE ID: CVE-2023-49159
CVSS Score: 8.2 (High)
Researcher/s: Yuchen Ji
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/eeef2a59-47a1-4d8d-b815-8c74cc608e6c

Backup Migration <= 1.3.6 – Unauthenticated Arbitrary File Download to Sensitive Information Exposure

Affected Software: Backup Migration
CVE ID: CVE-2023-6266
CVSS Score: 7.5 (High)
Researcher/s: Rafshanzani Suhada
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/08801f53-3c57-41a3-a637-4b52637cc612

CF7 Google Sheets Connector <= 5.0.5 – Unauthenticated Sensitive Information Exposure via Debug Log

Affected Software: CF7 Google Sheets Connector
CVE ID: CVE-2023-44989
CVSS Score: 7.5 (High)
Researcher/s: Joshua Chan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fad510b7-85f4-4cae-aaf0-eb68a32cf1b4

Multiple Plugins by Crocoblock <= (Various Versions) – Missing Authorization to Unauthenticated Unauthorized Action


MSync <= 1.0.0 – Authenticated (Administrator+) SQL Injection

Affected Software: MSync
CVE ID: CVE-2023-49166
CVSS Score: 7.2 (High)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1f37ed0e-3e03-4f00-9967-16047beab1cf

Mollie Payments for WooCommerce <= 7.3.11 – Authenticated (Shop Manager+) Arbitrary File Upload

Affected Software: Mollie Payments for WooCommerce
CVE ID: CVE-2023-6090
CVSS Score: 7.2 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5d350095-125a-4445-89c1-bce437e4098c

BookingPress <= 1.0.76 – Authenticated (Administrator+) Arbitrary File Upload

Affected Software: BookingPress – Appointment Booking Calendar Plugin and Online Scheduling Plugin
CVE ID: CVE-2023-6219
CVSS Score: 7.2 (High)
Researcher/s: István Márton
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/710b8e4e-01de-4e99-8cf2-31abc2419b29

JetEngine <= 3.2.4 – Missing Authorization

Affected Software: JetEngine
CVE ID: CVE-2023-48758
CVSS Score: 7.1 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3f2c97f4-0a6e-4693-a6c8-bd81ca76988c

WP Cleanfix <= 5.5.0 – Missing Authorization via register

Affected Software: WP CleanFix
CVE ID: CVE-2023-48775
CVSS Score: 7.1 (High)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/57896fa8-9360-41e8-a60e-8b95d01c25ac

WordPress Brute Force Protection – Stop Brute Force Attacks <= 2.2.5 – Authenticated (Administrator+) SQL Injection via orderby

Affected Software: WordPress Brute Force Protection – Stop Brute Force Attacks
CVE ID: CVE-2023-48764
CVSS Score: 6.6 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0d3f7676-5ab0-4fe0-a0be-786f4cf84056

Contact Form 7 <= 5.8.3 – Authenticated (Editor+) Arbitrary File Upload

Affected Software: Contact Form 7
CVE ID: CVE-2023-6449
CVSS Score: 6.6 (Medium)
Researcher/s: István Márton
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5d7fb020-6acb-445e-a46b-bdb5aaf8f2b6

Bravo Translate <= 1.2 – Authenticated (Administrator+) SQL Injection

Affected Software: Bravo Translate
CVE ID: CVE-2023-49161
CVSS Score: 6.6 (Medium)
Researcher/s: Arvandy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f256518c-9a3e-4e6e-8d49-d309e397c14d

Chat Bubble <= 2.3 – Cross-Site Request Forgery via cbb_submit_settings_data


Prevent Landscape Rotation <= 2.0 – Cross-Site Request Forgery via adminpage.php

Affected Software: Prevent Landscape Rotation
CVE ID: CVE-2023-48772
CVSS Score: 6.5 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4235f279-0975-4814-b156-b45b011e3ce6

Database for CF7 <= 1.2.4 – Missing Authorization via wpcf7db_delete AJAX action

Affected Software: Database for CF7
CVE ID: CVE-2023-49167
CVSS Score: 6.5 (Medium)
Researcher/s: Vladislav Pokrovsky (ΞX.MI)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4fcaab95-7940-45f9-a3c2-c3b0dc540b61

MkRapel Regiones y Ciudades de Chile para WC <= 4.3.0 – Cross-Site Request Forgery via multiple functions

Affected Software: MkRapel Regiones y Ciudades de Chile para WC
CVE ID: CVE-2023-48781
CVSS Score: 6.5 (Medium)
Researcher/s: qilin_99
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/70bac5e0-8182-426c-94da-e6832af8c487

Product Size Chart For WooCommerce <= 1.1.5 – Cross-Site Request Forgery via get_save_option

Affected Software: Product Size Chart For WooCommerce
CVE ID: CVE-2023-48778
CVSS Score: 6.5 (Medium)
Researcher/s: qilin_99
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7e15f804-f5a9-4e29-8aeb-4ba2b116dc46

Guest Author <= 2.3 – Authenticated Stored Cross-Site Scripting

Affected Software: Guest Author
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0b7d7b64-8194-4b81-83f5-1f3b23109455

Powr Pack <= 2.1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Affected Software: Contact Form – Custom Builder, Payment Form, and More
CVE ID: CVE-2023-45609
CVSS Score: 6.4 (Medium)
Researcher/s: resecured.io
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0e67ce3b-144f-4ce1-b658-47d865312c6a

Responsive Lightbox <= 2.4.5 – Authenticated (Author+) Stored Cross-Site Scripting via name

Affected Software: Responsive Lightbox & Gallery
CVE ID: CVE-2023-49174
CVSS Score: 6.4 (Medium)
Researcher/s: emad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4b60c1e2-5a4b-4a7a-8224-f1afd3888e08

12 Step Meeting List <= 3.14.24 – Authenticated (Contributor+) Server-Side Request Forgery

Affected Software: 12 Step Meeting List
CVE ID: CVE-2023-46641
CVSS Score: 6.4 (Medium)
Researcher/s: Shahzaib Ali Khan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4d6e9cb0-6b90-4a5b-8626-0b3f378fbc92

WP Shortcodes Plugin — Shortcodes Ultimate <= 5.13.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: WP Shortcodes Plugin — Shortcodes Ultimate
CVE ID: CVE-2023-6225
CVSS Score: 6.4 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/558e36f6-4678-46a2-8154-42770fbb5574

WP Catalogue <= 1.7.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Affected Software: WP Catalogue
CVE ID: CVE-2023-48780
CVSS Score: 6.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5684d4b7-8a3e-47ee-9d7b-195cb5db9a66

Ads by datafeedr.com <= 1.2.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Ads by datafeedr.com
CVE ID: CVE-2023-49169
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/61c71bbf-ddae-4f35-ac8d-9753fb3fb67f

Event post <= 5.8.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Affected Software: Event post
CVE ID: CVE-2023-49179
CVSS Score: 6.4 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6a92b96b-ecbc-4414-8e42-04b5c3a02131

Formzu WP <= 1.6.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via id

Affected Software: Formzu WP
CVE ID: CVE-2023-49160
CVSS Score: 6.4 (Medium)
Researcher/s: resecured.io
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7ee73abf-0ab8-48ab-bd94-18ed66f877fd

Accelerated Mobile Pages <= 1.0.88.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Affected Software: AMP for WP – Accelerated Mobile Pages
CVE ID: CVE-2023-48321
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/983e8ec0-fec4-4420-8ef6-6bf43881f5f1

Currency Converter Calculator <= 1.3.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Affected Software: Currency Converter Calculator
CVE ID: CVE-2023-49149
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9a423266-89e1-422d-b1e3-6368051eb2fe

10to8 Online Appointment Booking System <= 1.0.9 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Affected Software: Sign In Scheduling Online Appointment Booking System
CVE ID: CVE-2023-49173
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9fbb5ed0-ed76-44fe-88c4-eb05ad87e510

BP Better Messages <= 2.4.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode


Email Address Encoder 1.0.22 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Email Address Encoder
CVE ID: CVE-2023-48765
CVSS Score: 6.4 (Medium)
Researcher/s: LVT-tholv2k
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ab5b7dc4-113d-4f58-956e-2a9284e1e25e

Parallax Slider Block <= 1.2.4 – Authenticated (Author+) Stored Cross-Site Scripting

Affected Software: Parallax Slider Block
CVE ID: CVE-2023-49184
CVSS Score: 6.4 (Medium)
Researcher/s: emad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ae3974e6-cba1-4976-a6af-9e60557cfde8

Credit Tracker <= 1.1.17 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Credit Tracker
CVE ID: CVE-2023-49152
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b611f3ba-ac36-49fc-a75f-10003c5ca955

Crypto Converter Widget <= 1.8.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Crypto Converter ⚡ Widget
CVE ID: CVE-2023-49150
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d621869c-31f7-4243-9815-f6d1bbe469e2

Aparat <= 1.7.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Aparat
CVE ID: CVE-2023-48770
CVSS Score: 6.4 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e6d14dd6-ff1c-475b-8cff-efc7736124b4

Related Post <= 2.0.53 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Related Post
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f08ca5e3-8b48-4333-9c42-cc103d40394c

Spiffy Calendar <= 4.9.5 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Spiffy Calendar
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f433edb4-a8df-4548-a401-0089b605bbe5

Multiple Plugins by Crocoblock <= (Various Versions) – Missing Authorization


File Gallery <= 1.8.5.4 – Reflected Cross-Site Scripting via post_id

Affected Software: File Gallery
CVE ID: CVE-2023-48771
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0b51caf3-eff4-491f-b354-7d8939548a64

affiliate-toolkit – WordPress Affiliate Plugin <= 3.4.3 – Reflected Cross-Site Scripting via keyword

Affected Software: affiliate-toolkit – WordPress Affiliate Plugin
CVE ID: CVE-2023-46086
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0f45738b-fff6-438e-8870-508c622c1752

NextScripts <= 4.4.2 – Reflected Cross-Site Scripting via code

Affected Software: NextScripts: Social Networks Auto-Poster
CVE ID: CVE-2023-49183
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/15f00b65-8304-4132-a2cf-8145444ecfb1

Adifier (Premium Theme) < 3.1.4 – Reflected Cross-Site Scripting

Affected Software: adifier
CVE ID: CVE-2023-49187
CVSS Score: 6.1 (Medium)
Researcher/s: Vladislav Pokrovsky (ΞX.MI)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2250d512-dfe0-47d3-a61f-4e501d105f30

JetBlocks For Elementor <= 1.3.8 – Reflected Cross Site Scripting

Affected Software: JetBlocks for Elementor
CVE ID: CVE-2023-48756
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2614ca26-6efc-49f5-8cee-5b078721acc1

WP Forms Puzzle Captcha <= 4.1 – Cross-Site Request Forgery to Cross-Site Scripting

Affected Software: WP Forms Puzzle Captcha
CVE ID: CVE-2023-48278
CVSS Score: 6.1 (Medium)
Researcher/s: qilin_99
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2f34854a-5ca1-48a3-81d5-80f80f3a85fc

PowerPack Pro for Elementor <= 2.9.23 – Reflected Cross-Site Scripting

Affected Software: PowerPack Pro for Elementor
CVE ID: CVE-2023-49739
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2feabc97-0463-4e50-91a8-234445ca2504

MyTube PlayList <= 2.0.3 – Reflected Cross-Site Scripting via addplaylistid

Affected Software: MyTube PlayList
CVE ID: CVE-2023-48767
CVSS Score: 6.1 (Medium)
Researcher/s: Abu Hurayra (HurayraIIT)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/523cfed4-0422-40f3-8d81-d7862bcb1792

Seraphinite Accelerator <= 2.20.28 – Reflected Cross-Site Scripting via rt

Affected Software: Seraphinite Accelerator
CVE ID: CVE-2023-49740
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/53356d15-8db0-4015-addf-9bf66446e81f

List all posts by Authors, nested Categories and Title <= 2.7.10 – Cross-Site Scripting

Affected Software: List all posts by Authors, nested Categories and Titles
CVE ID: CVE-2023-49182
CVSS Score: 6.1 (Medium)
Researcher/s: Skalucy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6b84df5b-ff93-43b3-b9e4-cf963cf2af10

BrainCert – HTML5 Virtual Classroom <= 1.30 – Reflected Cross-Site Scripting

Affected Software: BrainCert – HTML5 Virtual Classroom
CVE ID: CVE-2023-49172
CVSS Score: 6.1 (Medium)
Researcher/s: Abu Hurayra (HurayraIIT)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/76b3b5b7-fefe-44fb-a30e-c55226d4aaea

HDW Player Plugin (Video Player & Video Gallery) <= 5.0 – Cross-Site Scripting

Affected Software: HDW Player Plugin (Video Player & Video Gallery)
CVE ID: CVE-2023-49178
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/778aa2be-ffcb-4d28-9efe-c29c8d5391bd

Forms by CaptainForm <= 2.5.3 – Reflected Cross-Site Scripting via REQUEST_URI

Affected Software: Forms by CaptainForm – Form Builder for WordPress
CVE ID: CVE-2023-49170
CVSS Score: 6.1 (Medium)
Researcher/s: Abu Hurayra (HurayraIIT)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7f690ea9-b773-49d4-9fa4-2a8bb7593d62

WP Pocket URLs <= 1.0.2 – Reflected Cross-Site Scripting

Affected Software: WP Pocket URLs
CVE ID: CVE-2023-49176
CVSS Score: 6.1 (Medium)
Researcher/s: SeungYongLee
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8a22873f-6f09-4183-92c5-a84e0d378920

Campaign Monitor for WordPress <= 2.8.12 – Reflected Cross-Site Scripting

Affected Software: Campaign Monitor for WordPress
CVE ID: CVE-2023-38474
CVSS Score: 6.1 (Medium)
Researcher/s: Phd
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a4d7cab5-1641-4ed3-92c7-ad7594dcb74b

which template file <= 4.9.0 – Unauthenticated Cross-Site Scripting

Affected Software: which template file
CVE ID: CVE-2023-49177
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/be3208c8-aceb-4ac9-91e1-d5de5a85f74d

Doofinder for WooCommerce <= 2.1.4 – Reflected Cross-Site Scripting

Affected Software: Doofinder WP & WooCommerce Search
CVE ID: CVE-2023-49185
CVSS Score: 6.1 (Medium)
Researcher/s: Phd
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e46a2031-e304-43fb-85bf-ec9abf0b2f90

Innovs HR <= 1.0.3.4 – Reflected Cross-Site Scripting

Affected Software: Innovs HR – Complete Human Resource Management System for Your Business
CVE ID: CVE-2023-49171
CVSS Score: 6.1 (Medium)
Researcher/s: SeungYongLee
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f43b5c02-fb10-48f1-9457-f67c5008fe5b

Happyforms <= 1.25.9 – Reflected Cross-Site Scripting


SiteOrigin Widgets Bundle < 1.51.0 – Authenticated (Admin+) Local File Inclusion

Affected Software: SiteOrigin Widgets Bundle
CVE ID: CVE-2023-6295
CVSS Score: 5.9 (Medium)
Researcher/s: Sebastian Neef
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1dbdc673-b0ee-4d1d-8cd9-603056f41cda

Automatic Youtube Video Posts Plugin <= 5.2.2 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings

Affected Software: Automatic Youtube Video Posts Plugin
CVE ID: CVE-2023-49180
CVSS Score: 5.5 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6a595b3c-2b21-43fe-8d4e-6721f4541c9b

Client Dash <= 2.2.1 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings

Affected Software: Client Dash
CVE ID: CVE-2023-49165
CVSS Score: 5.5 (Medium)
Researcher/s: emad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7f8839cf-9e48-4981-8a0d-bb0c06cdf441

WP Event Manager <= 3.1.39 – Authenticated (Editor+) Stored Cross-Site Scripting

Affected Software: WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce
CVE ID: CVE-2023-49181
CVSS Score: 5.5 (Medium)
Researcher/s: emad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f25b2a4b-d863-4f24-ae67-4c8e41602c6f

Download canvasio3D Light <= 2.4.6 – Missing Authorization

Affected Software: canvasio3D Light
CVE ID: CVE-2023-48776
CVSS Score: 5.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/11795557-74c0-469a-9751-adc759f9214b

Export WP Page to Static HTML/CSS <= 2.1.9 – Missing Authorization via Multiple AJAX Actions

Affected Software: Export WP Page to Static HTML/CSS
CVE ID: CVE-2023-6369
CVSS Score: 5.4 (Medium)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/47cb48aa-b556-4f25-ac68-ff0a812972c1

Abandoned Cart Lite for WooCommerce <= 5.16.1 – Missing Authorization via multiple AJAX functions

Affected Software: Abandoned Cart Lite for WooCommerce
CVE ID: CVE-2023-41671
CVSS Score: 5.4 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/51cfe955-f854-4f88-a009-93f92ae13d86

Chronopost & Mondial relay pour WooCommerce – WCMultiShipping <= 2.3.7 – Incorrect Authorization

Affected Software: UPS, Mondial Relay & Chronopost for WooCommerce – WCMultiShipping
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/16a3469d-6264-4ed7-b6ae-fdd7a80c8ca5

Abandoned Cart Lite for WooCommerce <= 5.16.1 – Cross-Site Request Forgery

Affected Software: Abandoned Cart Lite for WooCommerce
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1ce1316b-674a-4436-968f-9ffca4e8f726

Social Pug <= 1.20.3 – Missing Authorization via multiple admin_init actions

Affected Software: Hubbub Lite (formerly Grow Social)
CVE ID: CVE-2023-49193
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/22b17fcb-0c97-462d-b67c-6da2919478d5

Enhanced Text Widget <= 1.6.2 – Missing Authorization via etw_hide_admin_notification_callback

Affected Software: Enhanced Text Widget
CVE ID: CVE-2023-49192
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/25122475-fc2c-4a8c-90d3-f4a85fb3a8cc

360 Javascript Viewer <= 1.7.11 – Missing Authorization

Affected Software: 360 Javascript Viewer
CVE ID: CVE-2023-48779
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/25a8169d-1057-4cf2-9048-fb85f62d6ead

Yet Another Stars Rating <= 3.4.3 – Missing Authorization via init

Affected Software: YASR – Yet Another Star Rating Plugin for WordPress
CVE ID: CVE-2023-39305
CVSS Score: 5.3 (Medium)
Researcher/s: Revan Arifio
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/395b016f-018c-458d-a585-34f3de3eae5c

PageLayer <= 1.7.7 – Cross-Site Request Forgery via pagelayer_load_plugin

Affected Software: Page Builder: Pagelayer – Drag and Drop website builder
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3a0c8ecc-f0a1-41fa-a5f7-2d65d610efc0

Participants Database <= 2.5.5 – Missing Authorization

Affected Software: Participants Database
CVE ID: CVE-2023-48751
CVSS Score: 5.3 (Medium)
Researcher/s: Yudistira Arya
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3cd2b2ba-c4ec-4799-91b4-b38c462baee4

WP Retina 2x <= 6.4.5 – Sensitive Information Exposure

Affected Software: Perfect Images (Manage Image Sizes, Thumbnails, Replace, Retina)
CVE ID: CVE-2023-44982
CVSS Score: 5.3 (Medium)
Researcher/s: Joshua Chan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/52c2aae5-17c2-45eb-b55f-bb27555fb1f7

WP Forms Puzzle Captcha <= 4.1 – Captcha Bypass

Affected Software: WP Forms Puzzle Captcha
CVE ID: CVE-2023-48276
CVSS Score: 5.3 (Medium)
Researcher/s: qilin_99
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/58502e48-c1cf-4b94-954c-71046256c917

Media File Renamer <= 5.6.9 – Sensitive Information Exposure via Log File

Affected Software: Media File Renamer: Rename Files (Manual, Auto & AI)
CVE ID: CVE-2023-44991
CVSS Score: 5.3 (Medium)
Researcher/s: Joshua Chan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/71e55161-f5ad-44e5-8a61-ce48c05e6dba

Aruba HiSpeed Cache <= 2.0.6 – Sensitive Information Exposure via Log File

Affected Software: Aruba HiSpeed Cache
CVE ID: CVE-2023-44983
CVSS Score: 5.3 (Medium)
Researcher/s: Joshua Chan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7391dd8c-0170-48c6-8451-9e7a00e268d0

Button Generator – easily Button Builder <= 2.3.8 – Missing Authorization

Affected Software: Button Generator – easily Button Builder
CVE ID: CVE-2023-49154
CVSS Score: 5.3 (Medium)
Researcher/s: Elliot
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/73dd286e-5338-42d2-9928-1e14150ccf56

Restricted Site Access <= 7.4.1 – IP Spoofing to Protection Mechanism Bypass

Affected Software: restricted-site-access
CVE ID: CVE-2023-48753
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/804169d3-a53a-42ba-821d-e9647ac075c4

Importify <= 1.0.4 – Unauthenticated Sensitive Information Exposure

Affected Software: Importify – Dropshipping WooCommerce Plugin for Aliexpress, Amazon, Etsy, Alibaba, Walmart & More
CVE ID: CVE-2023-49194
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/830ff660-0265-46e5-8d16-ecd03cdf9f52

Swift Performance Lite <= 2.3.6.14 – Missing Authorization to Unauthenticated Settings Export

Affected Software: Swift Performance Lite
CVE ID: CVE-2023-6289
CVSS Score: 5.3 (Medium)
Researcher/s: Krzysztof Zając
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8321f68f-da2d-4382-979d-54008de2cae7

Gift Up 2.21.3 – Cross-Site Request Forgery via consume_post

Affected Software: Gift Up Gift Cards for WordPress and WooCommerce
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/95abec2d-a03a-4b07-8890-18568650c41f

teachPress <= 9.0.4 – Cross-Site Request Forgery

Affected Software: teachPress
CVE ID: CVE-2023-48755
CVSS Score: 5.3 (Medium)
Researcher/s: LVT-tholv2k
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9956e04c-ff59-40c0-a8ab-3e2ed2c52d7f

Coming soon and Maintenance mode <= 3.7.3 – IP Address Spoofing via get_real_ip

Affected Software: Coming soon and Maintenance mode
CVE ID: CVE-2023-49741
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9fd9c076-d36c-4cda-b636-aa65195956d2

JetElements For Elementor <= 2.6.13 – Missing Authorization to Unauthenticated Arbitrary Attachment Download

Affected Software: JetElements
CVE ID: CVE-2023-48759
CVSS Score: 5.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d199e597-64ed-4dcc-a153-b5c8e4e9e93d

BigCommerce <= 5.0.6 – Unauthenticated Sensitive Information Exposure

Affected Software: BigCommerce For WordPress
CVE ID: CVE-2023-49162
CVSS Score: 5.3 (Medium)
Researcher/s: Joshua Chan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e3a7e0b6-dc6d-4e3a-bb05-12d6ace330df

JetFormBuilder <= 3.1.4 – Unauthenticated Content Injection

Affected Software: JetFormBuilder — Dynamic Blocks Form Builder
CVE ID: CVE-2023-48763
CVSS Score: 5.3 (Medium)
Researcher/s: Revan Arifio
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f0343861-a376-43ea-826e-277c2a5ea635

Antispam Bee <= 2.11.3 – IP Address Spoofing via get_client_ip

Affected Software: Antispam Bee
CVE ID: CVE-2023-41134
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fb102891-b4a8-4089-b70c-43866ad85b7b

KP Fastest Tawk.to Chat <= 1.1.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: KP Fastest Tawk.to Chat
CVE ID: CVE-2023-49175
CVSS Score: 4.4 (Medium)
Researcher/s: emad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/02ddfc75-8a9e-4a8e-8339-52348a963c69

GDPR Cookie Consent by Supsystic <= 2.1.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: GDPR Cookie Consent by Supsystic
CVE ID: CVE-2023-49191
CVSS Score: 4.4 (Medium)
Researcher/s: DoYeon Park (p6rkdoye0n)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/158a63c1-1b2e-4fbf-ac86-43471ba8ebc2

Molongui <= 4.6.19 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Author Box, Guest Author and Co-Authors for Your Posts – Molongui
CVE ID: CVE-2023-39921
CVSS Score: 4.4 (Medium)
Researcher/s: Abdullah Hussam
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/16130c5d-9865-4953-b078-0b448722e36d

Chart Builder <= 1.9.6 – Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: Chartify – WordPress Chart Plugin
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/18cbf346-91a3-4856-930e-7753eb1470d9

SoundCloud Shortcode <= 3.1.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: SoundCloud Shortcode
CVE ID: CVE-2023-34018
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5084afcc-b6fc-4d89-9ad7-c4ea3e4dae82

Social Share Buttons & Analytics Plugin – GetSocial.io <= 4.3.12 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Social Share Buttons & Analytics Plugin – GetSocial.io
CVE ID: CVE-2023-49189
CVSS Score: 4.4 (Medium)
Researcher/s: DoYeon Park (p6rkdoye0n)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/513124f6-ea14-46ca-94c5-f9fa15b19d8c

Simple Long Form <= 2.2.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Simple Long Form
CVE ID: CVE-2023-41136
CVSS Score: 4.4 (Medium)
Researcher/s: DoYeon Park (p6rkdoye0n)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/68c22e71-c704-44c1-86e6-856f6244393d

Track Geolocation Of Users Using Contact Form 7 <= 1.4 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Track Geolocation Of Users Using Contact Form 7
CVE ID: CVE-2023-49188
CVSS Score: 4.4 (Medium)
Researcher/s: DoYeon Park (p6rkdoye0n)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/724d8f79-f683-4b06-841d-a9104c87f3c6

BSK Forms Blacklist <= 3.6.3 – Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: BSK Forms Blacklist
CVE ID: CVE-2023-5980
CVSS Score: 4.4 (Medium)
Researcher/s: Bob Matyas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8283a502-6fb8-43ff-8f46-8afbfdbb22f7

Multiple Post Passwords <= 1.1.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Multiple Post Passwords
CVE ID: CVE-2023-49157
CVSS Score: 4.4 (Medium)
Researcher/s: DoYeon Park (p6rkdoye0n)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8f220293-9789-4824-b736-ead014c45366

Site Offline <= 1.5.6 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Site Offline Or Coming Soon Or Maintenance Mode
CVE ID: CVE-2023-49190
CVSS Score: 4.4 (Medium)
Researcher/s: emad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/96f30a22-f218-48e7-9796-b9f1d5becc2c

Evergreen Content Poster <= 1.3.6.1 – Authenticated (Administrator+) Stored Cross-Site Scripting


Nested Pages <= 3.2.6 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Nested Pages
CVE ID: CVE-2023-49195
CVSS Score: 4.4 (Medium)
Researcher/s: emad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ec9029a3-be05-469a-a8e2-20987a4a4ad9

Multiple Plugins by Crocoblock <= (Various Versions) – Cross-Site Request Forgery


teachPress <= 9.0.5 – Cross-Site Request Forgery via delete_database()

Affected Software: teachPress
CVE ID: CVE-2023-49163
CVSS Score: 4.3 (Medium)
Researcher/s: LVT-tholv2k
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3544357f-97c9-49cb-a48d-74b60480111d

Qode Essential Addons <= 1.5.2 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation/Activation

Affected Software: Qode Essential Addons
CVE ID: CVE-2023-47840
CVSS Score: 4.3 (Medium)
Researcher/s: Brandon James Roldan (tomorrowisnew)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/443c59b9-275d-4d17-a870-9ae013c1a5c1

WP Shortcodes Plugin — Shortcodes Ultimate <= 5.13.3 – Insecure Direct Object Reference to Information Disclosure

Affected Software: WP Shortcodes Plugin — Shortcodes Ultimate
CVE ID: CVE-2023-6226
CVSS Score: 4.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4d936a48-b300-4a41-8d28-ba34cb3c5cb7

IdeaPush <= 8.53 – Missing Authorization

Affected Software: IdeaPush
CVE ID: CVE-2023-48774
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5811fc63-da34-43cb-ae33-a34a8795bb72

Quotes for WooCommerce <= 2.0.1 – Missing Authorization

Affected Software: Quotes for WooCommerce
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5f7a5d4b-8ba2-45d8-92d4-3c66a81fb4f8

Quotes for WooCommerce <= 2.0.1 – Cross-Site Request Forgery

Affected Software: Quotes for WooCommerce
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6954364e-567c-407c-afc6-983b7257cc88

RegistrationMagic <= 5.2.2.6 – Cross-Site Request Forgery

Affected Software: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login
CVE ID: CVE-2023-47645
CVSS Score: 4.3 (Medium)
Researcher/s: thiennv
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7dcde10d-4eb7-42fe-926e-05e56affc521

Debug Log Manager <= 2.2.0 – Cross-Site Request Forgery

Affected Software: Debug Log Manager
CVE ID: CVE-2023-5772
CVSS Score: 4.3 (Medium)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7e539549-1125-4b0e-aa3c-c8844041c23a

LadiApp <= 4.3 – Missing Authorization

Affected Software: LadiApp: Landing Page, PopupX, Marketing Automation, Affiliate Marketing…
CVE ID: CVE-2023-49158
CVSS Score: 4.3 (Medium)
Researcher/s: Truoc Phan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8f88ff96-5bd7-448d-a030-e75fd268bff6

Ocean Extra <= 2.2.2 – Cross-Site Request Forgery to Arbitrary Plugin Activation

Affected Software: Ocean Extra
CVE ID: CVE-2023-49164
CVSS Score: 4.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ac111175-2059-41dc-afa2-a659da3adaca

SpeedyCache <= 1.1.2 – Missing Authorization via speedycache_create_test_cache

Affected Software: SpeedyCache – Cache, Optimization, Performance
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ac7c0dde-5299-4938-beed-eb2fe227a812

Button Generator – easily Button Builder <= 2.3.8 – Cross-Site Request Forgery

Affected Software: Button Generator – easily Button Builder
CVE ID: CVE-2023-49155
CVSS Score: 4.3 (Medium)
Researcher/s: Elliot
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b73467de-fb0c-45e3-b3ae-5158b261907b

Add to Cart Text Changer and Customize Button, Add Custom Icon <= 2.0 – Cross-Site Request Forgery via wactc_text_form

Affected Software: Add to Cart Text Changer and Customize Button, Add Custom Icon
CVE ID: CVE-2023-49153
CVSS Score: 4.3 (Medium)
Researcher/s: Skalucy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c4470c03-64fc-46d9-b224-de5a3149c3d5

GoDaddy Email Marketing <= 1.4.3 – Missing Authorization

Affected Software: GoDaddy Email Marketing
CVE ID: CVE-2023-49156
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c8d9d19e-a080-40e9-8a71-01888393f618

SchedulePress <= 5.0.4 – Insufficient Authorization to Authenticated (Contributor+) Arbitrary Post Modifications

Affected Software: SchedulePress – Best Editorial Calendar, Missed Schedule & Auto Social Share
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cd2c9b28-d5b5-4930-a441-f889ee2778cd

Ecwid Ecommerce Shopping Cart <= 6.12.4 – Cross-Site Request Forgery

Affected Software: Ecwid Ecommerce Shopping Cart
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/db5d6cc9-24d7-42bf-905e-4c3764c659ed

AdFoxly – Ad Manager, AdSense Ads & Ads.txt <= 1.8.5 – Cross-Site Request Forgery

Affected Software: AdFoxly – Ad Manager, AdSense Ads & Ads.txt
CVE ID: CVE-2023-46617
CVSS Score: 4.3 (Medium)
Researcher/s: LVT-tholv2k
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e46513d2-65d0-4215-99a7-051603ec4569

Affiliate Booster – Pros & Cons, Notice, and CTA Blocks for Affiliates <= 3.0.4 – Cross-Site Request Forgery via process_bulk_action

Affected Software: Affiliate Booster – Pros & Cons, Notice, and CTA Blocks for Affiliates
CVE ID: CVE-2023-49148
CVSS Score: 4.3 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e4b9eeb9-7ce4-446d-8ac0-af9cea0c893a

Razorpay for WooCommerce <= 4.5.6 – Cross-Site Request Forgery

Affected Software: Razorpay for WooCommerce
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e6a2b2f6-c648-4755-be24-92c7f287813e

Delete Post Revisions In WordPress <= 4.6 – Cross-Site Request Forgery

Affected Software: Delete Post Revisions In WordPress
CVE ID: CVE-2023-48754
CVSS Score: 4.3 (Medium)
Researcher/s: Skalucy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f1946a48-c1d6-4ca9-909f-0d4b78c25c36

Razorpay for WooCommerce <= 4.5.6 – Missing Authorization

Affected Software: Razorpay for WooCommerce
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f59cf3d6-06a0-42ec-a604-5f59c6b2be40

As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

Did you enjoy this post? Share it!

Comments

No Comments