Wordfence Intelligence Weekly WordPress Vulnerability Report (January 22, 2024 to January 28, 2024)
🎉 Did you know we’re running a Bug Bounty Extravaganza again?
Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through February 29th, 2024 when you opt to have Wordfence handle responsible disclosure!
Last week, there were 52 vulnerabilities disclosed in 42 WordPress Plugins and no WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 26 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.
Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 12,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
Total Unpatched & Patched Vulnerabilities Last Week
Patch Status | Number of Vulnerabilities |
Unpatched | 15 |
Patched | 37 |
Total Vulnerabilities by CVSS Severity Last Week
Severity Rating | Number of Vulnerabilities |
Low Severity | 0 |
Medium Severity | 46 |
High Severity | 5 |
Critical Severity | 1 |
Total Vulnerabilities by CWE Type Last Week
Vulnerability Type by CWE | Number of Vulnerabilities |
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 25 |
Cross-Site Request Forgery (CSRF) | 8 |
Missing Authorization | 5 |
Improper Access Control | 5 |
Deserialization of Untrusted Data | 2 |
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | 2 |
Use of Insufficiently Random Values | 1 |
Improper Control of Generation of Code (‘Code Injection’) | 1 |
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 1 |
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 1 |
Inappropriate Source Code Style or Formatting | 1 |
Researchers That Contributed to WordPress Security Last Week
Researcher Name | Number of Vulnerabilities |
Bob Matyas | 8 |
Webbernaut | 6 |
Francesco Carlucci | 6 |
Krzysztof ZajÄ…c | 5 |
Daniel Ruf | 4 |
Sh | 2 |
Majed Refaea | 2 |
Yuki Haruma | 1 |
Tobias Weißhaar (kun_19) | 1 |
Le Ngoc Anh | 1 |
Byeongjun Jo | 1 |
Pedro Cuco (Illex) | 1 |
Bence Szalai | 1 |
arpeetrathi | 1 |
stealthcopter | 1 |
Sam Pizzey (mopman) | 1 |
Colin Xu | 1 |
Ahmed Algohary | 1 |
Akbar Kustirama | 1 |
kodaichodai | 1 |
Dipak Panchal (th3.d1p4k) | 1 |
Nex Team | 1 |
drop | 1 |
Ma Long | 1 |
SudoBash | 1 |
Richard Telleng (stueotue) | 1 |
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
Software Name | Software Slug |
(Simply) Guest Author Name | guest-author-name |
10Web AI Assistant – AI content writing assistant | ai-assistant-by-10web |
AMP for WP – Accelerated Mobile Pages | accelerated-mobile-pages |
Add SVG Support for Media Uploader | inventivo | add-svg-support-for-media-uploader-inventivo |
Advanced Database Cleaner | advanced-database-cleaner |
Advanced Schedule Posts | advanced-schedule-posts |
Allow SVG | allow-svg |
Backuply – Backup, Restore, Migrate and Clone | backuply |
Better Follow Button for Jetpack | better-follow-button-for-jetpack |
Better Search Replace | better-search-replace |
Category Discount Woocommerce | woo-product-category-discount |
Content Views – Post Grid, Slider, Accordion (Gutenberg Blocks and Shortcode) | content-views-query-and-display-post-page |
Elementor Addons by Livemesh | addons-for-elementor |
Exclusive Addons for Elementor | exclusive-addons-for-elementor |
File Manager | wp-file-manager |
File Manager Pro | wp-file-manager-pro |
Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder | form-maker |
Formidable Forms – Contact Form, Survey, Quiz, Payment, Calculator Form & Custom Form Builder | formidable |
InstaWP Connect – 1-click WP Staging & Migration | instawp-connect |
Mang Board WP | mangboard |
Marketing Twitter Bot | wordpress-twitterbot |
Meks Smart Social Widget | meks-smart-social-widget |
PDF Generator For Fluent Forms – The Contact Form Plugin | fluentforms-pdf |
PDF Poster – PDF Embedder Plugin for WordPress | pdf-poster |
Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions | paid-memberships-pro |
SVG Uploads Support | svg-uploads-support |
Sticky Buttons – floating buttons builder | sticky-buttons |
Ultimate Noindex Nofollow Tool | ultimate-noindex-nofollow-tool |
Views for WPForms – Display & Edit WPForms Entries on your site frontend | views-for-wpforms-lite |
WP Customer Area | customer-area |
WP Dashboard Notes | wp-dashboard-notes |
WP Go Maps (formerly WP Google Maps) | wp-google-maps |
WP RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging | wp-rss-aggregator |
WP-Reply Notify | wp-reply-notify |
WPFront Notification Bar | wpfront-notification-bar |
WebSub (FKA. PubSubHubbub) | pubsubhubbub |
WolfNet IDX for WordPress | wolfnet-idx-for-wordpress |
WordPress Button Plugin MaxButtons | maxbuttons |
WordPress Simple Shopping Cart | wordpress-simple-paypal-shopping-cart |
aBitGone CommentSafe | abitgone-commentsafe |
coreActivity: Activity Logging plugin for WordPress | coreactivity |
illi Link Party! | link-party |
Vulnerability Details
Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.
Better Search Replace <= 1.4.4 – Unauthenticated PHP Object Injection
CVE ID: CVE-2023-6933
CVSS Score: 9.8 (Critical)
Researcher/s: Sam Pizzey (mopman)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/895f2db1-a2ed-4a17-a4f6-cd13ee8f84af
File Manager Pro <= 8.3.4 – Authenticated (Subscriber+) Arbitrary File Upload
CVE ID: CVE-2023-6846
CVSS Score: 8.8 (High)
Researcher/s: Tobias Weißhaar (kun_19)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1e8e0257-a745-495f-a103-c032b95209fc
InstaWP Connect <= 0.1.0.9 – Authenticated (Subscriber+) SQL Injection
CVE ID: CVE-2024-23507
CVSS Score: 8.8 (High)
Researcher/s: Majed Refaea
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/578cf704-e84d-469f-bf26-e60268506a78
File Manager <= 7.2.1 – Sensitive Information Exposure via Backup Filenames
CVE ID: CVE-2024-0761
CVSS Score: 8.1 (High)
Researcher/s: Yuki Haruma
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1928f8e4-8bbe-4a3f-8284-aa12ca2f5176
illi Link Party! <= 1.0 – Unauthenticated Stored Cross-Site Scripting
CVE ID: CVE-2023-7228
CVSS Score: 7.2 (High)
Researcher/s: Bob Matyas
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9df6d75b-a141-41a8-b965-6be7acee582d
coreActivity <= 1.8 – Unauthenticated Stored Cross-Site Scripting
CVE ID: CVE-2024-0852
CVSS Score: 7.2 (High)
Researcher/s: Ahmed Algohary
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a2432a0a-d262-4460-bd2d-2cb200d51f6f
Advanced Database Cleaner <= 3.1.3 – Authenticated(Administrator+) PHP Object Injection via process_bulk_action
CVE ID: CVE-2024-0668
CVSS Score: 6.6 (Medium)
Researcher/s: Richard Telleng (stueotue)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e0b8c24b-3e51-4637-9d8e-da065077d082
10Web AI Assistant – AI content writing assistant <= 1.0.18 – Missing Authorization to Arbitrary Plugin Installation
CVE ID: CVE-2023-6985
CVSS Score: 6.5 (Medium)
Researcher/s: Krzysztof ZajÄ…c
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/229245a5-468d-47b9-8f26-d23d593e91da
Backuply – Backup, Restore, Migrate and Clone <= 1.2.3 – Authenticated (Administrator+) Directory Traversal
CVE ID: CVE-2024-0697
CVSS Score: 6.5 (Medium)
Researcher/s: Bence Szalai
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/70effa22-fbf6-44cb-9d1b-8625969c10ac
Elementor Addons by Livemesh <= 8.3.1 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2024-0448
CVSS Score: 6.4 (Medium)
Researcher/s: Webbernaut
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/058d1aa0-2ef6-49a4-b978-43a91c8e55f3
(Simply) Guest Author Name <= 4.34 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2024-0254
CVSS Score: 6.4 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0e9e2864-6624-497f-8bec-df8360ed3f4a
Add SVG Support for Media Uploader | inventivo <= 1.0.5 – Authenticated (Author+) Stored Cross-Site Scripting via SVG
CVE ID: CVE-2023-7088
CVSS Score: 6.4 (Medium)
Researcher/s: Bob Matyas
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6ca2d1d4-fcf8-4943-b9c5-9560968ae2d8
Exclusive Addons for Elementor <= 2.6.8 – Authenticated (Contributor+) Stored Cross-Site Scripting via Link Anything
CVE ID: CVE-2024-0824
CVSS Score: 6.4 (Medium)
Researcher/s: Webbernaut
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/925b0a86-ed23-471c-84e2-ae78a01b1876
SVG Uploads Support <= 2.1.1 – Authenticated (Author+) Stored Cross-Site Scripting via SVG
CVE ID: CVE-2023-7086
CVSS Score: 6.4 (Medium)
Researcher/s: Bob Matyas
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ad95f0b2-4d96-4f62-b495-050a89539177
WordPress Button Plugin MaxButtons <= 9.7.6 – Authenticated(Contributor+) Stored Cross-Site Scripting via shortcode
CVE ID: CVE-2023-7029
CVSS Score: 6.4 (Medium)
Researcher/s: Webbernaut
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bca0e8a0-d837-42d8-a9d3-35e0c820eb43
Allow SVG <= 1.1 – Authenticated (Author+) Stored Cross-Site Scripting via SVG
CVE ID: CVE-2023-6541
CVSS Score: 6.4 (Medium)
Researcher/s: Bob Matyas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ee725cff-959d-4078-9c2e-2d52bb904ca0
aBitGone CommentSafe <= 1.0.0 – Cross-Site Request Forgery to Settings Update and Cross-Site Request Forgery
CVE ID: CVE-2023-7174
CVSS Score: 6.1 (Medium)
Researcher/s: Daniel Ruf
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2375027c-9619-40fc-811d-7f4ba02bee53
PDF Poster – PDF Embedder Plugin for WordPress <= 2.1.17 – Reflected Cross-Site Scripting
CVE ID: CVE-2024-23508
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/341516d3-b785-4daf-98de-76f4f94b8c96
Ultimate Noindex Nofollow Tool <= 1.1.2 – Cross-Site Request Forgery to Settings Update
CVE ID: CVE-2023-7196
CVSS Score: 6.1 (Medium)
Researcher/s: Daniel Ruf
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3d7ca3ff-eae4-425f-8340-9d9b4952ce4a
Advanced Schedule Posts <= 2.1.8 – Reflected Cross-Site Scripting
CVE ID: CVE-2024-0249
CVSS Score: 6.1 (Medium)
Researcher/s: Krzysztof ZajÄ…c
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/47122866-8e40-42bc-84ed-60fc81247320
WP Customer Area <= 8.2.2 – Reflected Cross-Site Scripting
CVE ID: CVE-2024-0665
CVSS Score: 6.1 (Medium)
Researcher/s: Krzysztof ZajÄ…c
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/567d62ec-e868-45e2-b07a-8cc661d7c5e1
Accelerated Mobile Pages <= 1.0.92.1 – Reflected Cross-Site Scripting
CVE ID: CVE-2024-0587
CVSS Score: 6.1 (Medium)
Researcher/s: stealthcopter
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/85ca96a6-7992-424b-8b88-9a0751925223
WP Go Maps (formerly WP Google Maps) <= 9.0.28 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-6697
CVSS Score: 6.1 (Medium)
Researcher/s: Nex Team
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b3c3115b-8921-429d-b517-b946edab1cd5
Formidable Forms <= 6.7.2 – Cross-Site Request Forgery to Stored Cross-Site Scripting
CVE ID: CVE-2024-0660
CVSS Score: 6.1 (Medium)
Researcher/s: Webbernaut
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b983d22b-6cd2-4450-99e2-88bb149091fe
Marketing Twitter Bot <= 1.11 – Cross-Site Request Forgery to Settings Update and Cross-Site Scripting
CVE ID: CVE-2023-7197
CVSS Score: 6.1 (Medium)
Researcher/s: Daniel Ruf
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e2795202-64e6-488b-a0e1-da2923f6f791
Exclusive Addons for Elementor <= 2.6.8 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2024-0823
CVSS Score: 5.4 (Medium)
Researcher/s: Webbernaut
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2c5cdc3f-eaa6-4d0b-9e75-5483c723e15a
Form-Maker (twb_form-maker) <= 1.15.21 – Cross-Site Request Forgery to Limited Code Execution via Execute
CVE ID: CVE-2024-0667
CVSS Score: 5.4 (Medium)
Researcher/s: SudoBash
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d55c832b-f558-4e8a-8301-33dd38d39ef1
illi Link Party! <= 1.0 – Missing Authorization to Unauthenticated Arbitrary Link Deletion
CVE ID: CVE-2023-7231
CVSS Score: 5.3 (Medium)
Researcher/s: Bob Matyas
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3d68293a-b98b-41e0-9f79-ccd2c0108e82
Category Discount Woocommerce <= 4.12 – Missing Authorization via wpcd_save_discount()
CVE ID: CVE-2024-0617
CVSS Score: 5.3 (Medium)
Researcher/s: Krzysztof ZajÄ…c
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/996b44bb-d1e0-4f82-b8ee-a98b0ae994f9
Paid Memberships Pro <= 2.12.7 – Cross-Site Request Forgery to Level Orders Update
CVE ID: CVE-2024-0624
CVSS Score: 5.3 (Medium)
Researcher/s: kodaichodai
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ae68d083-b6e2-409b-8c91-d4eb7e62dba9
Category Discount Woocommerce <= 4.11 – Cross-Site Request Forgery via wpcd_save_discount()
CVE ID: CVE-2024-0617
CVSS Score: 5.3 (Medium)
Researcher/s: Krzysztof ZajÄ…c
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f04dee5b-d16f-4ef0-88a4-1567e2287bd5
PDF Generator For Fluent Forms <= 1.1.7 – Cross-Site Scripting
CVE ID: CVE-2023-6953
CVSS Score: 4.9 (Medium)
Researcher/s: drop
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b6675c48-43d4-4394-a4a3-f753bdaa5c4e
WPFront Notification Bar <= 3.3.2 – Authenticated (Admin+) Stored Cross-Site Scripting via wpfront-notification-bar-options[custom_class]
CVE ID: CVE-2024-0625
CVSS Score: 4.4 (Medium)
Researcher/s: Sh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/19a5a9f3-637c-42af-9775-5651a14cf516
Mang Board WP <= 1.7.7 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2024-22306
CVSS Score: 4.4 (Medium)
Researcher/s: Byeongjun Jo
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4d8cfcdc-6258-4629-a3b4-d65e44ac82f1
Meks Smart Social Widget <= 1.6.3 – Authenticated (Admin+) Stored Cross-Site Scripting
CVE ID: CVE-2024-0664
CVSS Score: 4.4 (Medium)
Researcher/s: arpeetrathi
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/722aae99-fcfb-4234-9245-5db57aaa03c5
WP RSS Aggregator <= 4.23.4 – Authenticated (Admin+) Stored Cross-Site Scripting via RSS Feed Source
CVE ID: CVE-2024-0630
CVSS Score: 4.4 (Medium)
Researcher/s: Colin Xu
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/93cb3b29-b1a0-4d40-a057-1b41f3b181f2
Content Views <= 3.6.2 – Authenticated(Administrator+) Stored Cross-Site Scripting via settings
CVE ID: CVE-2024-0612
CVSS Score: 4.4 (Medium)
Researcher/s: Akbar Kustirama
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/aa4377a8-bcf4-45ba-824b-3505bd8e8c61
WordPress Simple Shopping Cart <= 4.7.1 – Authenticated(Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-6497
CVSS Score: 4.4 (Medium)
Researcher/s: Webbernaut
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ac6201a1-7ca9-461b-b9ad-16407120dfae
Sticky Buttons <= 3.2.2 – Authenticated (Admin+) Stored Cross-Site Scripting
CVE ID: CVE-2024-0703
CVSS Score: 4.4 (Medium)
Researcher/s: Dipak Panchal (th3.d1p4k)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b3c070be-e955-4076-9878-0b1044766397
WolfNet IDX for WordPress <= 1.19.1 – Authenticated (Admin+) Stored Cross-Site Scripting
CVE ID: CVE-2023-6783
CVSS Score: 4.4 (Medium)
Researcher/s: Ma Long
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c226ca9a-8a2e-4e56-a039-96c31526a379
illi Link Party! <= 1.0 – Authenticated (Admin+) Stored Cross-Site Scripting
CVE ID: CVE-2023-7230
CVSS Score: 4.4 (Medium)
Researcher/s: Bob Matyas
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cbf193ef-e172-4fe3-9bff-b5cbac9adb54
WebSub (FKA. PubSubHubbub) <= 3.1.4 – Authenticated (Admin+) Stored Cross-Site Scripting
CVE ID: CVE-2024-0688
CVSS Score: 4.4 (Medium)
Researcher/s: Sh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f07b166b-3436-4797-a2df-096ff7c27a09
Better Follow Button for Jetpack <= 8.0 – Authenticated (Admin+) Stored Cross-Site Scripting
CVE ID: CVE-2023-7168
CVSS Score: 4.4 (Medium)
Researcher/s: Bob Matyas
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fec06875-f6b4-4e57-917f-e80ece3744e1
Views for WPForms <= 3.2.2 – Missing Authorization via get_form_fields
CVE ID: CVE-2024-0372
CVSS Score: 4.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2ab58add-ab81-4c84-b773-7daf382492b0
Views for WPForms <= 3.2.2 – Cross-Site Request Forgery via create_view
CVE ID: CVE-2024-0374
CVSS Score: 4.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/34c0c676-37f9-49f2-ad50-2d70831fda53
Views for WPForms <= 3.2.2 – Missing Authorization via save_view
CVE ID: CVE-2024-0370
CVSS Score: 4.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3c4c8113-4c46-4179-9c7f-9d5d4337254d
WP Dashboard Notes <= 1.0.10 – Missing Authorization to Arbitrary Private Notes Update
CVE ID: CVE-2023-7239
CVSS Score: 4.3 (Medium)
Researcher/s: Pedro Cuco (Illex)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/64a36778-c17c-44ee-8b09-c221d27184f8
WP-Reply Notify <= 1.1 – Cross-Site Request Forgery to Settings Update
CVE ID: CVE-2023-7195
CVSS Score: 4.3 (Medium)
Researcher/s: Daniel Ruf
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/837e596e-a4a7-4fcf-a761-aed35a789770
InstaWP Connect <= 0.1.0.9 – Missing Authorization to Sensitive Information Dislcosure
CVE ID: CVE-2024-23506
CVSS Score: 4.3 (Medium)
Researcher/s: Majed Refaea
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9a184384-9162-4509-957b-d97dd4089856
Views for WPForms <= 3.2.2 – Missing Authorization via create_view
CVE ID: CVE-2024-0371
CVSS Score: 4.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a9565693-fd0b-4412-944c-81b3cd79492e
illi Link Party! <= 1.0 – Cross-Site Request Forgery to Settings Update
CVE ID: CVE-2023-7229
CVSS Score: 4.3 (Medium)
Researcher/s: Bob Matyas
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/acd6b604-45dd-4688-a9b9-fabb12c418e2
Views for WPForms <= 3.2.2 – Cross-Site Request Forgery via save_view
CVE ID: CVE-2024-0373
CVSS Score: 4.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e2273c53-bc8a-45c7-914d-a3b934c2cb18
As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.
This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
Comments