(647) 243-4688

Last week, there were 80 vulnerabilities disclosed in 69 WordPress Plugins and 1 WordPress theme that have been added to the Wordfence Intelligence Vulnerability Database, and there were 31 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface and vulnerability API are completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

WooCommerce Payments <= 5.6.1 -Authentication Bypass and Privilege Escalation 

The Wordfence Firewall has blocked 57,136 exploit attempts targeting this vulnerability since its release to premium, care, and response customers on March 23, 2023.

WAF-RULE-569 – Data redacted while we work with the developer to ensure the vulnerability protected by this WAF rule gets patched.
SEO Plugin by Squirrly SEO <= 12.1.20 – Missing Authorization

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status
Number of Vulnerabilities

Unpatched
27

Patched
53

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating
Number of Vulnerabilities

Low Severity
0

Medium Severity
70

High Severity
9

Critical Severity
1

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE
Number of Vulnerabilities

Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
39

Cross-Site Request Forgery (CSRF)
18

Missing Authorization
10

Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
4

Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
3

Improper Neutralization of Formula Elements in a CSV File
2

Authentication Bypass Using an Alternate Path or Channel
1

Deserialization of Untrusted Data
1

Information Exposure
1

Unrestricted Upload of File with Dangerous Type
1

Researchers That Contributed to WordPress Security Last Week

Researcher Name
Number of Vulnerabilities

Lana Codes
10

Mika
7

yuyudhn
6

Joshua Martinelle
5

Erwan LR
4

Yuki Haruma
3

Cat
3

Varun
2

Rafshanzani Suhada
2

Rio Darmawan
2

thiennv
2

Shreya Pohekar
2

minhtuanact
2

Vaibhav Rajput
1

Abdi Pranata
1

Nguyen Anh Tien
1

Michael Mazzolini
1

Fariq Fadillah Gusti Insani
1

Rafie Muhammad
1

Flaviu Popescu
1

rSolutions Security Team
1

ipatelsumit
1

Nithissh S
1

Bartłomiej Marek
1

NeginNrb
1

Pavitra Tiwari
1

Muhammad Daffa
1

Cyxow
1

Dave Jong
1

R3zk0n
1

Karol Mazurek
1

 

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name
Software Slug

Advance WordPress Search Plugin
th-advance-product-search

All-In-One Security (AIOS) – Security and Firewall
all-in-one-wp-security-and-firewall

BigContact Contact Page
bigcontact

Branded Social Images – Open Graph Images with logo and extra text layer
branded-social-images

CBX Currency Converter
cbcurrencyconverter

Contact Form Email
contact-form-to-email

Contact Form Plugin – Fastest Contact Form Builder Plugin for WordPress by Fluent Forms
fluentform

ConvertBox Auto Embed WordPress plugin
convertbox-auto-embed

Custom Field Template
custom-field-template

Cyberus Key
cyberus-key

Disqus Conditional Load
disqus-conditional-load

Easy Table of Contents
easy-table-of-contents

Enhanced Plugin Admin
enhanced-plugin-admin

Event Manager and Tickets Selling Plugin for WooCommerce
mage-eventpress

Events Made Easy
events-made-easy

Export Users Data Distinct
export-users-data-distinct

Floating Cart and Menu Cart for WooCommerce
th-all-in-one-woo-cart

Gallery by BestWebSoft – Customizable Image and Photo Galleries for WordPress
gallery-plugin

GamiPress – Youtube integration
gamipress-youtube-integration

GiveWP – Donation Plugin and Fundraising Platform
give

Google XML Sitemap for Mobile
google-mobile-sitemap

Hummingbird – Optimize Speed, Enable Cache, Minify CSS & Defer Critical JS
hummingbird-performance

I Recommend This
i-recommend-this

If Menu – Visibility control for Menus
if-menu

InPost Gallery
inpost-gallery

JS Job Manager
js-jobs

JetEngine
jet-engine

Kanban Boards for WordPress
kanban

Klaviyo
klaviyo

Lazy Social Comments
lazy-facebook-comments

MDTF – Meta Data and Taxonomies Filter
wp-meta-data-filter-and-taxonomy-filter

Open Graphite
open-graphite

Owl Carousel
owl-carousel

Pagination by BestWebSoft – Customizable WordPress Content Splitter and Navigation Plugin
pagination

Photo Gallery by 10Web – Mobile-Friendly Image Gallery
photo-gallery

Pricing Tables For WPBakery Page Builder (formerly Visual Composer)
pricing-tables-for-wpbakery-page-builder

Product Feed PRO for WooCommerce
woo-product-feed-pro

Safe SVG
safe-svg

Scheduled Announcements Widget
scheduled-announcements-widget

Simple Custom Author Profiles
simple-custom-author-profiles

Simple Giveaways – Grow your business, email lists and traffic with contests
giveasap

Simple Mobile URL Redirect
simple-mobile-url-redirect

Slider, Gallery, and Carousel by MetaSlider – Responsive WordPress Slideshows
ml-slider

Stock Sync for WooCommerce
stock-sync-for-woocommerce

Store Locator WordPress
agile-store-locator

Stylish Cost Calculator
stylish-cost-calculator-premium

Team Member – Team with Slider
team-showcase-supreme

Thank You Page Customizer for WooCommerce – Increase Your Sales
woo-thank-you-page-customizer

Time Sheets
time-sheets

TreePress – Easy Family Trees & Ancestor Profiles
treepress

User Registration – Custom Registration Form, Login Form And User Profile For WordPress
user-registration

Userlike – WordPress Live Chat plugin
userlike

Variation Swatches for WooCommerce
th-variation-swatches

Vertical scroll recent post
vertical-scroll-recent-post

VigilanTor
vigilantor

W4 Post List
w4-post-list

WP Content Filter – Censor All Offensive Content From Your Site
wp-content-filter

WP Popup Banners
wp-popup-banners

WP VR – 360 Panorama and Virtual Tour Builder For WordPress
wpvr

Waiting: One-click countdowns
waiting

Wbcom Designs – BuddyPress Activity Social Share
bp-activity-social-share

Weather Station
live-weather-station

WooCommerce JazzCash Gateway Plugin
jazzcash-woocommerce-gateway

WooCommerce Payments – Fully Integrated Solution Built and Supported by Woo
woocommerce-payments

WordPress Amazon S3 Plugin
wp-s3

WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg
groundhogg

WordPress Pinterest Plugin – Make a Popup, User Profile, Masonry and Gallery Layout
gs-pinterest-portfolio

amr users
amr-users

eRoom – Zoom Meetings & Webinars
eroom-zoom-meetings-webinar

WordPress Themes with Reported Vulnerabilities Last Week

Software Name
Software Slug

Resoto
resoto

Vulnerability Details

WooCommerce Payments 4.8.0 – 5.6.1 Authentication Bypass and Privilege Escalation

Affected Software: WooCommerce Payments – Fully Integrated Solution Built and Supported by Woo
CVE ID: CVE Unknown
CVSS Score: 9.8 (Critical)
Researcher/s: Michael Mazzolini
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/41cf57ff-421d-4db2-894f-17f2c4d4b9ed

Waiting: One-click countdowns <= 0.6.2 – Authenticated (Subscriber+) SQL Injection via ‘pbc_down[meta][id]’

Affected Software: Waiting: One-click countdowns
CVE ID: CVE-2023-28659
CVSS Score: 8.8 (High)
Researcher/s: Joshua Martinelle
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/17d12a35-35a1-4f7b-aa03-33ddafe17f5b

WP Popup Banners <= 1.2.5 – Authenticated (Subscriber+) SQL Injection via ‘value’

Affected Software: WP Popup Banners
CVE ID: CVE-2023-28661
CVSS Score: 8.8 (High)
Researcher/s: Joshua Martinelle
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/aa64d6b4-5673-4d88-b5c7-d3441eaa0706

Events Made Easy <= 2.3.14 – Authenticated (Subscriber+) SQL Injection via ‘search_name’

Affected Software: Events Made Easy
CVE ID: CVE-2023-28660
CVSS Score: 8.8 (High)
Researcher/s: Joshua Martinelle
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d2550461-2546-4dc4-85ff-decf2fca3f10

Crocoblock JetEngine <= 3.1.3 – Authenticated(Author+) Arbitrary File Upload to Remote Code Execution

Affected Software: JetEngine
CVE ID: CVE-2023-1406
CVSS Score: 8.8 (High)
Researcher/s: R3zk0n
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d7e7247f-869a-4cf0-ae03-0b36ecbc1b7e

Pricing Tables For WPBakery Page Builder (formerly Visual Composer) <= 2.0 – Authenticated (Subscriber+) Local File Inclusion via Shortcode

Affected Software: Pricing Tables For WPBakery Page Builder (formerly Visual Composer)
CVE ID: CVE-2023-1274
CVSS Score: 8.1 (High)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3475c8fe-17fa-4d8e-bffd-a33e59f6e03b

User Registration <= 2.3.2.1 – PHP Object Injection

Stylish Cost Calculator < 7.9.0 – Unauthenticated Stored Cross-Site Scripting

Affected Software: Stylish Cost Calculator
CVE ID: CVE-2023-0983
CVSS Score: 7.2 (High)
Researcher/s: Flaviu Popescu
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5b7cc660-b430-4b0f-b2d1-68ba458de8a9

Groundhogg <= 2.7.9.3 – Authenticated (Administrator)+ SQL Injection

SVG Sanitizer library <= 0.15.4 – Cross-Site Scripting Bypass

Affected Software: Safe SVG
CVE ID: CVE-2023-28426
CVSS Score: 7.2 (High)
Researcher/s: Cyxow
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ca73de6d-2d47-4d7c-a917-0f99fed8c27d

JS Job Manager <= 2.0.0 – Missing Authorization

Affected Software: JS Job Manager
CVE ID: CVE-2023-28689
CVSS Score: 6.5 (Medium)
Researcher/s: Fariq Fadillah Gusti Insani
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/55604ee9-7343-472c-9a29-035d18b266ab

TH Advance WordPress Search <= 1.1.4 – Missing Authorization via settings_init

Affected Software: Advance WordPress Search Plugin
CVE ID: CVE-2023-25969
CVSS Score: 6.5 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/826a3fa2-ee41-4960-becb-0df8813a964a

FluentForms <= 4.3.24 – Authenticated(Contributor+) Stored Cross-Site Scripting

Vertical scroll recent post <= 14.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcodes

Affected Software: Vertical scroll recent post
CVE ID: CVE-2023-23862
CVSS Score: 6.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1a0e93cb-4311-4b38-8eb4-17152e1f3475

WordPress Pinterest Plugin <= 1.6.1 – Stored (Contributor+) Cross-Site Scripting via Shortcode

Affected Software: WordPress Pinterest Plugin – Make a Popup, User Profile, Masonry and Gallery Layout
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/20daf751-176d-48f2-ac68-480fda89cee1

Team Member <= 4.4 – Authenticated (Editor+) Stored Cross-Site Scripting via new_style_name

Affected Software: Team Member – Team with Slider
CVE ID: CVE-2023-23647
CVSS Score: 6.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/353d22c5-dee1-485f-ae66-e9c7afe3ad8e

W4 Post List <= 2.4.5 – Authenticated (Contributor+) Stored Cross-Site Scripting via Block Options

Affected Software: W4 Post List
CVE ID: CVE-2023-0374
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/64ed8547-0dc1-4f0a-8b0b-27ce20b8bbd6

Scheduled Announcements Widget <= 0.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Scheduled Announcements Widget
CVE ID: CVE-2023-0363
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/755ae574-9df3-44d1-a14b-16887f234510

GamiPress – Youtube integration <= 1.0.7 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: GamiPress – Youtube integration
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bb74a917-2dfb-4229-a72a-9c3d1f9a6324

Pricing Tables For WPBakery Page Builder (formerly Visual Composer) <= 2.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Pricing Tables For WPBakery Page Builder (formerly Visual Composer)
CVE ID: CVE-2023-0367
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c04a0f82-97f6-44ff-999d-08a8c106f889

ConvertBox Auto Embed WordPress plugin <= 1.0.19 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: ConvertBox Auto Embed WordPress plugin
CVE ID: CVE-2023-23664
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c8a4e9b8-9794-48b7-8c53-cfad37ed530c

Slider, Gallery, and Carousel by MetaSlider <= 3.29.0 – Reflected Cross-Site Scripting

Affected Software: Slider, Gallery, and Carousel by MetaSlider – Responsive WordPress Slideshows
CVE ID: CVE-2023-1473
CVSS Score: 6.1 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/290233f0-a5dd-4c69-8039-7392268daf40

InPost Gallery <= 2.1.4.1 – Reflected Cross-Site Scripting via ‘imgurl’

Affected Software: InPost Gallery
CVE ID: CVE-2023-28666
CVSS Score: 6.1 (Medium)
Researcher/s: Joshua Martinelle
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/69fd66db-5693-4976-96c0-60dbfeccd14f

MDTF – Meta Data and Taxonomies Filter <= 1.3.0.1 – Relected Cross-Site Scripting via ‘tax_name’

Affected Software: MDTF – Meta Data and Taxonomies Filter
CVE ID: CVE-2023-28664
CVSS Score: 6.1 (Medium)
Researcher/s: Joshua Martinelle
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6edb6604-9da8-421e-933b-bac02b179bd0

WP VR <= 8.2.8 – Reflected Cross-Site Scripting

Affected Software: WP VR – 360 Panorama and Virtual Tour Builder For WordPress
CVE ID: CVE-2023-1413
CVSS Score: 6.1 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6fbde737-0730-49a4-a84e-a9c5e0e32af5

W4 Post List <= 2.4.5 – Reflected Cross-Site Scripting

Affected Software: W4 Post List
CVE ID: CVE-2023-1373
CVSS Score: 6.1 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9d6a7230-07c7-43f3-a844-77d2bb19545d

WordPress Amazon S3 Plugin <= 1.5 – Reflected Cross-Site Scripting

Affected Software: WordPress Amazon S3 Plugin
CVE ID: CVE-2023-0423
CVSS Score: 6.1 (Medium)
Researcher/s: Shreya Pohekar
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ab779713-7004-47f6-af16-2db2c7c1013b

WooCommerce JazzCash Gateway Plugin <= 2.0 – Unauthenticated Cross-Site Scripting

Affected Software: WooCommerce JazzCash Gateway Plugin
CVE ID: CVE-2022-46822
CVSS Score: 6.1 (Medium)
Researcher/s: minhtuanact
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e6809f7f-4495-4185-b439-820010afc305

Open Graphite <= 1.6.0 – Reflected Cross-Site Scripting via topic parameter

Affected Software: Open Graphite
CVE ID: CVE-2022-47439
CVSS Score: 6.1 (Medium)
Researcher/s: minhtuanact
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fd368b2c-ef40-453b-aeef-ad88d847c29b

Export Users Data Distinct <= 1.3 – Authenticated (Subscriber+) CSV Injection

Affected Software: Export Users Data Distinct
CVE ID: CVE-2022-46804
CVSS Score: 5.8 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/03a1724c-8fea-4e9f-a4a1-9de236e1f15a

amr users <= 4.59.4 – Authenticated (Subscriber+) CSV Injection

Affected Software: amr users
CVE ID: CVE-2022-45348
CVSS Score: 5.8 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/879e7695-3a61-4e65-b102-fcdc63fac688

Simple Giveaways <= 2.45.0 – Authenticated (Editor+) Stored Cross-Site Scripting via Form, Prize, and Sharing Method Fields

Affected Software: Simple Giveaways – Grow your business, email lists and traffic with contests
CVE ID: CVE-2023-1122
CVSS Score: 5.5 (Medium)
Researcher/s: Varun
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/240691c4-35c5-40e1-b1ab-a500ffcdac73

Wbcom Designs – BuddyPress Activity Social Share <= 3.5.0 – Cross-Site Request Forgery

Affected Software: Wbcom Designs – BuddyPress Activity Social Share
CVE ID: CVE-2023-28694
CVSS Score: 5.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1c8152c5-7d72-48a1-9140-8b0341c86023

TH Variation Swatches <= 1.2.7 – Cross-Site Request Forgery via delete_settings

Affected Software: Variation Swatches for WooCommerce
CVE ID: CVE-2023-28688
CVSS Score: 5.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6e98fb74-46f2-4a6a-8012-e2824bd77070

CBX Currency Converter <= 3.0.3 – Cross-Site Request Forgery leading to Plugin Settings Leakage/Changes

Affected Software: CBX Currency Converter
CVE ID: CVE-2023-28747
CVSS Score: 5.4 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/711d2c4d-700d-4d6e-911f-99abf86eff32

Enhanced Plugin Admin <= 1.16 – Cross-Site Request Forgery via epa_options_page

Affected Software: Enhanced Plugin Admin
CVE ID: CVE-2023-28618
CVSS Score: 5.4 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9b5bc030-7739-4eb4-b85d-99e5d0f2643a

Easy Table of Contents <= 2.0.45.2 – Missing Authorization via eztoc_reset_options_to_default

Affected Software: Easy Table of Contents
CVE ID: CVE-2023-25469
CVSS Score: 5.4 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ff937860-c4e0-4172-9f0f-d66578fa7203

TH Side Cart and Menu Cart for Woocommerce <= 1.1.1 – Missing Authorization

Affected Software: Floating Cart and Menu Cart for WooCommerce
CVE ID: CVE-2023-25969
CVSS Score: 5.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1c0d18d3-8758-41ae-b104-dac69eee4ac9

Branded Social Images <= 1.1.0 – Missing Authorization leading to Unauthenticated Plugin Settings Updates

Affected Software: Branded Social Images – Open Graph Images with logo and extra text layer
CVE ID: CVE-2023-28536
CVSS Score: 5.3 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2cbc0b70-c8a4-4924-a67f-cea81ab19cdc

Owl Carousel <= 0.5.3 – Missing Authorization via save_paramter.php

Affected Software: Owl Carousel
CVE ID: CVE-2022-44578
CVSS Score: 5.3 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/37aaf109-e04f-40d7-8303-a581b0b09d24

If Menu <= 0.16.3 – Missing Authorization to Admin Settings Modification

Affected Software: If Menu – Visibility control for Menus
CVE ID: CVE-2022-41698
CVSS Score: 5.3 (Medium)
Researcher/s: Nguyen Anh Tien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3b5fc0ac-7a33-48da-8b0f-566b9eb0f17f

eRoom – Zoom Meetings & Webinar <= 1.4.6 – Missing Authorization via add_feedback

Affected Software: eRoom – Zoom Meetings & Webinars
CVE ID: CVE-2022-43472
CVSS Score: 5.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5e0767a8-9e82-4ce4-9df9-19b458dc5ce0

GiveWP <= 2.25.2 – Cross-Site Request Forgery via give_ajax_delete_payment_note

Affected Software: GiveWP – Donation Plugin and Fundraising Platform
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a2dc1a04-5503-412b-92e7-ed86910abd92

GiveWP <= 2.25.2 – Cross-Site Request Forgery via give_ajax_store_payment_note

Affected Software: GiveWP – Donation Plugin and Fundraising Platform
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d09a0b62-6556-4be5-a6f2-0cb0edcced3b

Hummingbird <= 3.4.1 – Unauthenticated Path Traversal

Affected Software: Hummingbird – Optimize Speed, Enable Cache, Minify CSS & Defer Critical JS
CVE ID: CVE-2023-1478
CVSS Score: 5.3 (Medium)
Researcher/s: Karol Mazurek
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d9b8e6dc-a9ac-4afb-ad47-4f51032bb1f4

Resoto <= 1.0.8 – Missing Authorization leading to Authenticated (Subscriber+) Arbitrary Plugin Activation

Affected Software: Resoto
CVE ID: CVE-2023-28619
CVSS Score: 5 (Medium)
Researcher/s: Dave Jong
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cb5c5e82-d6e5-4237-958f-12fc4698e77e

Photo Gallery by 10Web <= 1.8.14 – Authenticated (Administrator+) Directory Traversal

Affected Software: Photo Gallery by 10Web – Mobile-Friendly Image Gallery
CVE ID: CVE Unknown
CVSS Score: 4.9 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a0f55f3e-9a9a-42a7-91b5-0d515519d545

Kanban Boards for WordPress <= 2.5.20 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Kanban Boards for WordPress
CVE ID: CVE-2023-23884
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/071b5c32-b6ac-402a-af74-6ecd05279d93

Userlike <= 2.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Userlike – WordPress Live Chat plugin
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/14c94d47-c911-4874-a897-58f4c0800329

Store Locator WordPress <= 1.4.9 – Authenticated (Editor+) Stored Cross-Site Scripting via ‘category_name’, ‘description’, ‘description_2’ parameters

Affected Software: Store Locator WordPress
CVE ID: CVE-2023-27618
CVSS Score: 4.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1dad9de0-5e43-4dfd-a56c-5e9efff35c0a

Klaviyo <= 3.0.9 – Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: Klaviyo
CVE ID: CVE-2023-0874
CVSS Score: 4.4 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/294de862-716c-4e17-a1cf-cade53207013

VigilanTor <= 1.3.10 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: VigilanTor
CVE ID: CVE-2023-28695
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2ea71d63-27ce-4f24-b3ef-de38e6f25e0d

Gallery by BestWebSoft – Customizable Image and Photo Galleries for WordPress <= 4.6.9 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Gallery by BestWebSoft – Customizable Image and Photo Galleries for WordPress
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3adf6b20-110f-4057-9fab-5248e9c18555

Lazy Social Comments <= 2.0.4 – Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Options

Affected Software: Lazy Social Comments
CVE ID: CVE-2023-23733
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/43f2c020-a531-4e25-948e-372bc7af3bab

Disqus Conditional Load <= 11.0.6 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings.

Affected Software: Disqus Conditional Load
CVE ID: CVE-2023-23732
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/762190dc-cd19-4bc1-8204-9219881d95e9

Simple Giveaways <= 2.45.0 – Authenticated (Admin+) Stored Cross-Site Scripting via Settings

Affected Software: Simple Giveaways – Grow your business, email lists and traffic with contests
CVE ID: CVE-2023-1120
CVSS Score: 4.4 (Medium)
Researcher/s: ipatelsumit
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/86991143-d4e7-4114-b219-0deedd084858

Simple Giveaways <= 2.45.0 – Authenticated(Admin+) Stored Cross-Site Scripting via form fields

Affected Software: Simple Giveaways – Grow your business, email lists and traffic with contests
CVE ID: CVE-2023-1121
CVSS Score: 4.4 (Medium)
Researcher/s: Varun
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/91552a9b-d46b-4a75-b096-8f28bdd9fb56

WP Content Filter – Censor All Offensive Content From Your Site <= 3.0.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: WP Content Filter – Censor All Offensive Content From Your Site
CVE ID: CVE-2023-23883
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/95ffefff-80e1-4f5a-8939-47a00f75493d

Simple Custom Author Profiles <= 1.0.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Simple Custom Author Profiles
CVE ID: CVE-2023-24372
CVSS Score: 4.4 (Medium)
Researcher/s: Nithissh S
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/986d16d5-f1f4-4ed9-9978-0f12ee22a543

All-In-One Security (AIOS) <= 5.1.4 – Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: All-In-One Security (AIOS) – Security and Firewall
CVE ID: CVE-2023-0157
CVSS Score: 4.4 (Medium)
Researcher/s: Bartłomiej Marek
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a3ae55ad-b192-4dde-8a7c-3a4fd71d3475

Pagination by BestWebSoft < 1.2.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Pagination by BestWebSoft – Customizable WordPress Content Splitter and Navigation Plugin
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a4572874-afd4-4e46-8a28-76a0a6cc8acb

Cyberus Key <= 1.0 – Authenticated (Administrator+) Stored Cross-Site Scripting via ‘uid’ in ‘cyberkey_settings’ Plugin Setting

Affected Software: Cyberus Key
CVE ID: CVE-2023-28620
CVSS Score: 4.4 (Medium)
Researcher/s: Pavitra Tiwari
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bf5e5eaf-b42d-49b9-8f55-6025e64748c9

Event Manager for WooCommerce <= 3.8.6 – Authenticated (Administrator+) Stored Cross-Site Scripting via ‘mep_get_option’ function

Affected Software: Event Manager and Tickets Selling Plugin for WooCommerce
CVE ID: CVE-2023-28422
CVSS Score: 4.4 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c2f4c1de-7eeb-45c4-bbff-ec85f2cda5aa

Time Sheets <= 1.29.2 – Authenticated(Admin+) Stored Cross-Site Scripting

Affected Software: Time Sheets
CVE ID: CVE-2023-0893
CVSS Score: 4.4 (Medium)
Researcher/s: Shreya Pohekar
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e7e25e64-4504-4aad-aeb6-d58b5c36a4bd

Cyberus Key <= 1.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Cyberus Key
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f3944b2d-c431-4a53-b4e2-740480e746d6

TreePress – Easy Family Trees & Ancestor Profiles <= 2.0.22 – Authenticated (Administrator+) Stored Cross-Site Scripting via ‘post_title’ parameter

Affected Software: TreePress – Easy Family Trees & Ancestor Profiles
CVE ID: CVE-2023-23863
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fbef8738-d639-48a5-98b7-abf9a7e9fec1

TH Side Cart and Menu Cart for Woocommerce <= 1.1.1 – Cross-Site Request Forgery

Affected Software: Floating Cart and Menu Cart for WooCommerce
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/18f04566-3a63-41f3-aa9b-766304d56499

W4 Post List <= 2.4.5 – Information Disclosure via post_excerpt

Affected Software: W4 Post List
CVE ID: CVE-2023-1371
CVSS Score: 4.3 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5ac7408d-8ec7-415b-bf52-024182888cb4

GiveWP <= 2.25.2 – Cross-Site Request Forgery

Affected Software: GiveWP – Donation Plugin and Fundraising Platform
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5ea02dd5-d837-471c-aa6a-264ffcedd55d

I Recommend This <= 3.8.3 – Cross-Site Request Forgery

Affected Software: I Recommend This
CVE ID: CVE-2023-28696
CVSS Score: 4.3 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a0ee9b26-4e7f-475f-b42b-5af40b78cbca

BigContact <= 1.5.8 – Cross-Site Request Forgery leading to Plugin Settings Updates

Affected Software: BigContact Contact Page
CVE ID: CVE-2023-22694
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b0403adb-08c4-4697-a7d9-50e39d46cd43

Download Weather Station <= 3.8.11 – Cross-Site Request Forgery

Affected Software: Weather Station
CVE ID: CVE-2023-25478
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b1e1db3f-1ebc-4f16-b2d8-8bce9c51b3db

Google XML Sitemap for Mobile <= 1.6.1 – Cross-Site Request Forgery via mobile_sitemap_generate

Affected Software: Google XML Sitemap for Mobile
CVE ID: CVE-2023-23869
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b2b0c5f9-b734-41e6-8ecb-4cf3d891ddb7

Custom Field Template <= 2.5.8 – Cross-Site Request Forgery via Plugin Options Update

Affected Software: Custom Field Template
CVE ID: CVE-2023-22695
CVSS Score: 4.3 (Medium)
Researcher/s: NeginNrb
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b55853e1-2f20-417f-b07e-eda758eaed32

Stock Sync for WooCommerce <= 2.3.2 – Missing Authorization

Affected Software: Stock Sync for WooCommerce
CVE ID: CVE-2022-46807
CVSS Score: 4.3 (Medium)
Researcher/s: Cat
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b8faa34a-17fd-4a2e-b8bf-ed40fc7a88d9

Simple Mobile URL Redirect <= 1.7.2 – Cross-Site Request Forgery leading to Mobile Redirect Updates

Affected Software: Simple Mobile URL Redirect
CVE ID: CVE-2023-23897
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/be8dcff9-1626-4919-b297-c423891f3d02

Product Feed PRO for WooCommerce <= 12.4.0 – Cross-Site Request Forgery via update_project

Affected Software: Product Feed PRO for WooCommerce
CVE ID: CVE-2022-46793
CVSS Score: 4.3 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c5b0939a-1699-483c-9a4f-7978155e6ad1

Contact Form Email <= 1.3.31 – Cross-Site Request Forgery to Feedback Submission

Affected Software: Contact Form Email
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ce6ea115-941e-482f-a2a4-95293ff10a69

Stock Sync for WooCommerce <= 2.3.2 – Cross-Site Request Forgery

Affected Software: Stock Sync for WooCommerce
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Cat
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cf13732b-7c24-443a-bae9-d8cf70b5cb33

Thank You Page Customizer for WooCommerce – Increase Your Sales <= 1.0.13 – Cross-Site Request Forgery via send_email

Affected Software: Thank You Page Customizer for WooCommerce – Increase Your Sales
CVE ID: CVE-2022-46812
CVSS Score: 4.3 (Medium)
Researcher/s: Cat
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ecd504ad-8812-46ec-be18-e98d05982312

As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (Mar 20, 2023 to Mar 26, 2023) appeared first on Wordfence.