Last week, 69 vulnerabilities disclosed in 60 WordPress plugins and 4 WordPress themes were added to the Wordfence Intelligence Vulnerability Database, with 32 vulnerability researchers contributing to WordPress security. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, including the WordPress community, so that individuals and organizations alike can use that data to make the internet more secure. That is why the Wordfence Intelligence user interface and vulnerability API are completely free to access and use, both personally and commercially, and why we are running this weekly vulnerability report.

Click here to sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress security reports in your inbox the moment they are published.

New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

ZM Ajax Login & Register <= 2.0.2 – Authentication Bypass (CVE-2023-2027)

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30-day delay.

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status: Number of Vulnerabilities
Unpatched: 30
Patched: 39

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating: Number of Vulnerabilities
Low Severity: 0
Medium Severity: 60
High Severity: 6
Critical Severity: 3

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE: Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’): 31
Cross-Site Request Forgery (CSRF): 16
Missing Authorization: 10
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’): 5
Authorization Bypass Through User-Controlled Key: 2
Improper Privilege Management: 1
Information Exposure: 1
Authentication Bypass Using an Alternate Path or Channel: 1
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’): 1
Improper Neutralization of Formula Elements in a CSV File: 1

Researchers That Contributed to WordPress Security Last Week

Researcher Name: Number of Vulnerabilities
Mika: 4
Lana Codes: 4
yuyudhn: 3
Erwan LR: 3
Dave Jong: 3
Shreya Pohekar: 3
Rio Darmawan: 2
Maurice Fielenbach: 2
Alex Thomas: 2
Prasanna V Balaji: 2
Muhammad Daffa: 2
Pavak Tiwari: 2
Cat: 2
Ivy: 2
Abdi Pranata: 2
Rafie Muhammad: 2
Mahesh Nagabhairava: 1
TEAM WEBoB of BoB 11th: 1
Skalucy: 1
Marc-Alexandre Montpas: 1
Fariq Fadillah Gusti Insani: 1
qilin_99: 1
dc11: 1
Pavitra Tiwari: 1
Johan Kragt: 1
Sajjad Shariati: 1
Justiice: 1
Yuki Haruma: 1
LOURCODE: 1
Ramuel Gall: 1
Padavishree: 1
Ameen Alkurdy: 1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added to the Wordfence Intelligence leaderboard, along with a mention in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name (Software Slug)
AFFILIATE Solution (affiliate-solution)
AI ChatBot (chatbot)
AdFoxly – Ad Manager, AdSense Ads & Ads.txt (adfoxly)
Affiliate Links Lite (affiliate-links)
Article Directory Redux (article-directory-redux)
Best WordPress Gallery Plugin – FooGallery (foogallery)
Better Search – Relevant search results for WordPress (better-search)
Blocksy Companion (blocksy-companion)
Booqable Rental Plugin (booqable-rental-reservations)
Cloud Manager (cloud-manager)
CoSchedule (coschedule-by-todaymade)
Contact Form to DB by BestWebSoft – Messages Database Plugin For WordPress (contact-form-to-db)
Coupon Affiliates – WooCommerce Affiliate Plugin (woo-coupon-usage)
Custom Order Numbers for WooCommerce (custom-order-numbers-for-woocommerce)
Cyr to Lat enhanced (cyr3lat)
Database Collation Fix (database-collation-fix)
Download Manager Pro (download-manager)
Easy Appointments (easy-appointments)
ElasticPress (elasticpress)
Electric Studio Client Login (electric-studio-client-login)
Enable Accessibility (enable-accessibility)
External Videos (external-videos)
Fantastic Content Protector Free (fantastic-content-protector-free)
Featured Post Creative (featured-post-creative)
Forminator – Contact Form, Payment Form & Custom Form Builder (forminator)
Kaya QR Code Generator (kaya-qr-code-generator)
Landing Page Builder – Free Landing Page Templates (ultimate-landing-page)
Limit Login Attempts (limit-login-attempts)
Motor Racing League (motor-racing-league)
Neshan Maps (neshan-maps)
Newsletters (newsletters-lite)
Optima Express + MarketBoost IDX Plugin (optima-express)
Paytm – Donation Plugin (paytm-donation)
Pickup | Delivery | Dine-in date time (restaurant-pickup-delivery-dine-in)
PowerPress Podcasting plugin by Blubrry (powerpress)
Pretty Links – Affiliate Links, Link Branding, Link Tracking & Marketing Plugin (pretty-link)
Product Catalog Feed by PixelYourSite (product-catalog-feed)
Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress (quiz-master-next)
Restricted Site Access (restricted-site-access)
ReviewX – Multi-criteria Rating & Reviews for WooCommerce (reviewx)
Ruby Help Desk (ruby-help-desk)
ShiftController Employee Shift Scheduling (shiftcontroller)
Shortcodes by Angie Makes (wc-shortcodes)
Simple PopUp (simple-popup)
Stamped.io Product Reviews & UGC for WooCommerce (stampedio-product-reviews)
Stock Exporter for WooCommerce (stock-exporter-for-woocommerce)
SupportCandy – Helpdesk & Support Ticket System (supportcandy)
Ultimate Noindex Nofollow Tool II (ultimate-noindex-nofollow-tool-ii)
User registration & user profile – UserPlus (userplus)
Vimeotheque / Vimeo (codeflavors-vimeo-video-post-lite)
WP EasyPay – Square for WordPress (wp-easy-pay)
WP Inventory Manager (wp-inventory-manager)
WP Reroute Email (wp-reroute-email)
WP Roles at Registration (wp-roles-at-registration)
Watu Quiz (watu)
WooCommerce Wishlist by MC + (Free Elementor & Email Marketing Automation) (smart-wishlist-for-more-convert)
ZM Ajax Login & Register (zm-ajax-login-register)
a3 Portfolio (a3-portfolio)
hiWeb Migration Simple (hiweb-migration-simple)
tencentcloud-cos (tencentcloud-cos)

WordPress Themes with Reported Vulnerabilities Last Week

Software Name (Software Slug)
Betheme (betheme)
Blogger Buzz (blogger-buzz)
Educenter (educenter)
Square (square)

Vulnerability Details

SupportCandy <= 3.1.4 – Unauthenticated SQL Injection via parse_user_filters

Affected Software: SupportCandy – Helpdesk & Support Ticket System
CVE ID: CVE-2023-1730
CVSS Score: 9.8 (Critical)
Researcher/s: dc11
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5ca1c55a-cd4e-429a-ab74-dd1bad1a65f5

ZM Ajax Login & Register <= 2.0.2 – Authentication Bypass

Affected Software: ZM Ajax Login & Register
CVE ID: CVE-2023-2027
CVSS Score: 9.8 (Critical)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b10d01ec-54ef-456b-9410-ed013343a962

Quiz and Survey Master <= 8.1.4 – Unauthenticated SQL Injection

Affected Software: Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress
CVE ID: CVE-2023-28787
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b29dcd7a-a0bc-4983-85ba-6ebf2c405ceb

Cyr to Lat <= 3.5 – Authenticated SQL Injection

Affected Software: Cyr to Lat enhanced
CVE ID: CVE-2022-4290
CVSS Score: 8.8 (High)
Researcher/s: Ramuel Gall
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c9c29130-1b42-4edd-ad62-6f635e03ae31

webpack JS package <= 5.75.0 – Sandbox Bypass

Affected Software/s: Restricted Site Access, ElasticPress
CVE ID: CVE-2023-28154
CVSS Score: 8.3 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1cda31a4-4c79-4567-a527-6510c31d2843

WP Reroute Email <= 1.4.6 – Authenticated (Administrator+) SQL Injection

Affected Software: WP Reroute Email
CVE ID: CVE-2023-27605
CVSS Score: 7.2 (High)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/395a8ca6-78b8-43f2-8e8c-896702b5da0d

Paytm Payment Donation <= 2.1 – Reflected Cross-Site Scripting

Affected Software: Paytm – Donation Plugin
CVE ID: CVE-2023-28535
CVSS Score: 7.2 (High)
Researcher/s: qilin_99
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/534e6f80-b162-4a4b-a979-72ed63a8b0dc

Landing Page Builder – Free Landing Page Templates <= 3.1.9.8 – Local File Inclusion

Affected Software: Landing Page Builder – Free Landing Page Templates
CVE ID: CVE-2023-24379
CVSS Score: 7.2 (High)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c40bf215-81c1-423a-9d41-9a231dfc8053

Neshan Maps <= 1.1.4 – Authenticated (Administrator+) SQL Injection

Affected Software: Neshan Maps
CVE ID: CVE-2022-47426
CVSS Score: 7.2 (High)
Researcher/s: Unknown
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ee7eb754-27f0-47b0-a82f-4781cfbb0fa6

Stamped.io Product Reviews & UGC for WooCommerce <= 2.3.2 – Missing Authorization

Affected Software: Stamped.io Product Reviews & UGC for WooCommerce
CVE ID: CVE-2023-30479
CVSS Score: 6.5 (Medium)
Researcher/s: Fariq Fadillah Gusti Insani
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/490061dc-11f7-48f2-bc9a-974bedf16621

ReviewX <= 1.6.6 – Unauthenticated CSV Injection

Affected Software: ReviewX – Multi-criteria Rating & Reviews for WooCommerce
CVE ID: CVE-2022-46809
CVSS Score: 6.5 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cc465757-4295-4a75-90f6-92c4be4e8944

Limit Login Attempts <= 1.7.1 – Authenticated (Subscriber+) Stored Cross-Site Scripting

Affected Software: Limit Login Attempts
CVE ID: CVE-2023-1861
CVSS Score: 6.4 (Medium)
Researcher/s: Marc-Alexandre Montpas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3334fc78-48c5-4cfa-ac83-5690fdbf590a

Affiliate Links Lite <= 2.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Affiliate Links Lite
CVE ID: CVE-2023-22696
CVSS Score: 6.4 (Medium)
Researcher/s: Justiice
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9511d8f1-ab96-4695-aa8c-16a3482a6de4

a3 Portfolio <= 3.1.0 – Authenticated (Author+) Stored Cross-Site Scripting

Affected Software: a3 Portfolio
CVE ID: CVE-2023-29097
CVSS Score: 6.4 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9a190909-4b0f-4a44-8371-d79f64d323c2

Kaya QR Code Generator <= 1.5.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via url parameter

Affected Software: Kaya QR Code Generator
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ad8b5fd2-ba92-4afa-9b4a-a95936b9a18d

Product Catalog Feed by PixelYourSite <= 2.1.0 – Reflected Cross-Site Scripting via ‘page’

Affected Software: Product Catalog Feed by PixelYourSite
CVE ID: CVE-2023-1805
CVSS Score: 6.1 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/18d33d68-9719-4e74-a594-bc4add38ceee

Contact Form to DB <= 1.7.0 – Multiple Cross-Site Scripting

Affected Software: Contact Form to DB by BestWebSoft – Messages Database Plugin For WordPress
CVE ID: CVE Unknown
CVSS Score: 6.1 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/19b21013-136a-41b0-a667-39f23ccedf2e

Watu Quiz <= 3.3.9.2 – Reflected Cross-Site Scripting via ‘question’

Affected Software: Watu Quiz
CVE ID: CVE-2023-30483
CVSS Score: 6.1 (Medium)
Researcher/s: Skalucy
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1d24dbdf-8fb0-41c3-8c35-e0d65c6b96f5

WP Inventory Manager <= 2.1.0.11 – Reflected Cross-Site Scripting via ‘message’

Affected Software: WP Inventory Manager
CVE ID: CVE-2023-1806
CVSS Score: 6.1 (Medium)
Researcher/s: Maurice Fielenbach
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/363ece80-1fa6-4019-84c9-e0a65f02625d

AdFoxly – Ad Manager, AdSense Ads & Ads.txt <= 1.8.4 – Unauthenticated Cross-Site Scripting

Affected Software: AdFoxly – Ad Manager, AdSense Ads & Ads.txt
CVE ID: CVE-2023-30754
CVSS Score: 6.1 (Medium)
Researcher/s: Prasanna V Balaji
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4d13ae87-f632-4eb0-bc71-5132ba6a9b13

Cloud Manager <= 1.0 – Reflected Cross-Site Scripting

Affected Software: Cloud Manager
CVE ID: CVE-2023-0421
CVSS Score: 6.1 (Medium)
Researcher/s: Shreya Pohekar
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5d896366-a85d-49c9-9509-3f7454712474

Coupon Affiliates <= 5.4.5 – Reflected Cross-Site Scripting via ‘page’

Affected Software: Coupon Affiliates – WooCommerce Affiliate Plugin
CVE ID: CVE-2023-30475
CVSS Score: 6.1 (Medium)
Researcher/s: Ivy
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6c6fc6be-7e9a-40cb-b9cd-bb71d4f487f7

Vimeotheque <= 2.2.1 – Reflected Cross-Site Scripting via ‘view’ and ‘page’

Affected Software: Vimeotheque / Vimeo
CVE ID: CVE-2023-30498
CVSS Score: 6.1 (Medium)
Researcher/s: Ivy
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/72256ac2-72a7-4c3c-a892-1f1795671c5d

FooGallery <= 2.2.35 – Reflected Cross-Site Scripting

Affected Software: Best WordPress Gallery Plugin – FooGallery
CVE ID: CVE-2023-29439
CVSS Score: 6.1 (Medium)
Researcher/s: LOURCODE
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a7181056-d2ee-4c0f-b9a8-fdb7ad042a6b

UserPlus <= 2.0 – Cross-Site Request Forgery to Stored Cross-Site Scripting

Affected Software: User registration & user profile – UserPlus
CVE ID: CVE-2023-0824
CVSS Score: 6.1 (Medium)
Researcher/s: Shreya Pohekar
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/acd0349b-7864-4e4e-84ba-6f0ec5b585f3

ShiftController Employee Shift Scheduling <= 4.9.25 – Reflected Cross-Site Scripting via Query String

Affected Software: ShiftController Employee Shift Scheduling
CVE ID: CVE-2023-1978
CVSS Score: 6.1 (Medium)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b5c61212-e68e-4198-b078-18121576b767

hiWeb Migration Simple <= 2.0.0.1 – Reflected Cross-Site Scripting

Affected Software: hiWeb Migration Simple
CVE ID: CVE-2023-0769
CVSS Score: 6.1 (Medium)
Researcher/s: Shreya Pohekar
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b9aacc69-aa46-4cdb-a301-c0bf2836d441

Betheme <= 26.7.5 – Reflected Cross-Site Scripting

Affected Software: Betheme
CVE ID: CVE-2023-29101
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c14b948f-129d-4223-b3ee-0bef1f9fc703

Product Catalog Feed by PixelYourSite <= 2.1.0 – Reflected Cross-Site Scripting via ‘edit’

Affected Software: Product Catalog Feed by PixelYourSite
CVE ID: CVE-2023-1804
CVSS Score: 6.1 (Medium)
Researcher/s: Maurice Fielenbach
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d82d1dd2-b5b5-490a-92e5-1a4d4ab0085d

Booqable Rental Plugin <= 2.4.12 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Booqable Rental Plugin
CVE ID: CVE-2023-30746
CVSS Score: 5.5 (Medium)
Researcher/s: TEAM WEBoB of BoB 11th
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/16f183a6-b8db-461e-b17d-2faa528ff0ff

Newsletters <= 4.8.8 – Cross-Site Request Forgery

Affected Software: Newsletters
CVE ID: CVE-2023-30478
CVSS Score: 5.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0cd6474f-72e1-4ec2-a056-3c05a0dfa173

PowerPress <= 10.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: PowerPress Podcasting plugin by Blubrry
CVE ID: CVE-2023-1917
CVSS Score: 5.4 (Medium)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/44583cb7-bc32-4e62-8431-f5f1f6baeff2

Custom Order Numbers for WooCommerce <= 1.4.0 – Cross-Site Request Forgery

Affected Software: Custom Order Numbers for WooCommerce
CVE ID: CVE-2022-45367
CVSS Score: 5.4 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7d19800a-bff3-414f-a809-0159f49d263a

Featured Post Creative <= 1.2.7 – Missing Authorization via wpfp_update_featured_post

Affected Software: Featured Post Creative
CVE ID: CVE-2023-30488
CVSS Score: 5.3 (Medium)
Researcher/s: Cat
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/61585a02-fe7b-4a54-959f-346e4e0d6658

Blogger Buzz <= 1.2.1 – Missing Authorization via activate_plugin

Affected Software: Blogger Buzz
CVE ID: CVE-2023-30476
CVSS Score: 5.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/823dce74-2688-4573-b0c8-353f1789ea48

Download Manager Pro <= 6.2.9 – Unauthenticated Information Disclosure

Affected Software: Download Manager Pro
CVE ID: CVE-2023-1809
CVSS Score: 5.3 (Medium)
Researcher/s: Johan Kragt
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/88d80702-a987-4b12-a003-2fa564fda409

Fantastic Content Protector Free <= 2.6 – Missing Authorization via update_setting_fantastic_content_protector

Affected Software: Fantastic Content Protector Free
CVE ID: CVE-2023-25048
CVSS Score: 5.3 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b93f8036-4a89-45e6-b86f-9d57e1662a35

Shortcodes by Angie Makes <= 3.46 – Missing Authorization

Affected Software: Shortcodes by Angie Makes
CVE ID: CVE-2023-23725
CVSS Score: 5.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e20feb23-f78e-42e7-8922-e7cf37dbdcb1

Optima Express + MarketBoost IDX Plugin <= 7.3.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Optima Express + MarketBoost IDX Plugin
CVE ID: CVE-2023-30749
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/059e262b-ee63-4f8b-82ab-c12bcf70f879

External Videos <= 1.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: External Videos
CVE ID: CVE-2023-30752
CVSS Score: 4.4 (Medium)
Researcher/s: Mahesh Nagabhairava
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/168e8512-d551-47f9-bc2b-c458180a6d13

Simple Popup Images <= 1.8.6 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Simple PopUp
CVE ID: CVE-2023-24406
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/18c0ecc5-b3e2-4ac0-b901-dae397e2d57c

WP Roles at Registration <= 0.23 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: WP Roles at Registration
CVE ID: CVE-2023-27609
CVSS Score: 4.4 (Medium)
Researcher/s: Pavak Tiwari
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5a4eeb77-7a8b-489f-8ded-bbe09e881758

Article Directory Redux <= 1.0.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Article Directory Redux
CVE ID: CVE-2023-30751
CVSS Score: 4.4 (Medium)
Researcher/s: Pavitra Tiwari
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/63c681e5-3110-4790-a075-4996fa1f2129

Motor Racing League <= 1.9.9 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Motor Racing League
CVE ID: CVE-2023-27614
CVSS Score: 4.4 (Medium)
Researcher/s: Pavak Tiwari
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8876ecc4-1a50-43ac-9c8d-354f6de4abdd

Pickup | Delivery | Dine-in date time <= 1.0.9 – Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: Pickup | Delivery | Dine-in date time
CVE ID: CVE-2023-0894
CVSS Score: 4.4 (Medium)
Researcher/s: Sajjad Shariati
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/936803ab-93d5-4808-8758-6b8f7c01b3c2

Easy Appointments <= 3.11.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Easy Appointments
CVE ID: CVE-2023-30748
CVSS Score: 4.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bfe8d13b-f387-4c82-ba9f-efadda18c882

AI ChatBot <= 4.4.9 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: AI ChatBot
CVE ID: CVE-2023-1649
CVSS Score: 4.4 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cdb3fbaa-4d33-4754-848b-77e902ea4a85

Electric Studio Client Login <= 0.8.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Electric Studio Client Login
CVE ID: CVE-2023-27425
CVSS Score: 4.4 (Medium)
Researcher/s: Padavishree
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e797c0ca-f348-4d9c-815e-0c1756686690

AFFILIATE Solution <= 1.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: AFFILIATE Solution
CVE ID: CVE-2023-30477
CVSS Score: 4.4 (Medium)
Researcher/s: Prasanna V Balaji
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ef778a1d-d4ce-47fd-932b-9e86b38e2681

tencentcloud-cos <= 1.0.7 – Cross-Site Request Forgery

Affected Software: tencentcloud-cos
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0be21ac7-4f61-44fc-9ffc-ab65faa549f6

Forminator <= 1.22.1 – Missing Authorization on ‘load_hcaptcha_preview’ AJAX function

Affected Software: Forminator – Contact Form, Payment Form & Custom Form Builder
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2ef15cb1-b320-42d9-a2fd-afff2ec8a93b

Database Collation Fix <= 1.2.7 – Cross-Site Request Forgery via admin_page

Affected Software: Database Collation Fix
CVE ID: CVE-2023-23997
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/31612b4b-a75f-4fa4-831b-43f62a8d5fad

Featured Post Creative <= 1.2.7 – Cross-Site Request Forgery via wpfp_update_featured_post

Affected Software: Featured Post Creative
CVE ID: CVE-2023-30488
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/33a47156-ee93-4b59-9f73-56be5c9e3b00

Educenter <= 1.5.1 – Missing Authorization via activate_plugin

Affected Software: Educenter
CVE ID: CVE-2023-30480
CVSS Score: 4.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/344ad959-038a-46d1-b515-ae3473af8209

Shortlinks by Pretty Links <= 3.4.0 – Cross-Site Request Forgery via route

Affected Software: Pretty Links – Affiliate Links, Link Branding, Link Tracking & Marketing Plugin
CVE ID: CVE-2022-47149
CVSS Score: 4.3 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5304da48-5d42-47ce-b1b1-dc04b8fa9dff

Stock Exporter for WooCommerce <= 1.1.0 – Cross-Site Request Forgery

Affected Software: Stock Exporter for WooCommerce
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6c4a9092-fd49-42fe-a84d-a9f7fe708122

Forminator <= 1.22.1 – Missing Authorization on ‘load_recaptcha_preview’ AJAX function

Affected Software: Forminator – Contact Form, Payment Form & Custom Form Builder
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/718e54f5-f040-42d6-958d-255d905615d5

Ultimate Noindex Nofollow Tool II <= 1.3.3 – Cross-Site Request Forgery

Affected Software: Ultimate Noindex Nofollow Tool II
CVE ID: CVE-2023-30474
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7761fe7c-e7f5-4bab-8820-42e6fcabcb2f

Stamped.io Product Reviews & UGC for WooCommerce <= 2.3.2 – Cross-Site Request Forgery

Affected Software: Stamped.io Product Reviews & UGC for WooCommerce
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7a8c4232-2e1e-4c99-83d5-d70f7ca1c879

MC Woocommerce Wishlist <= 1.5.4 – Cross-Site Request Forgery

Affected Software: WooCommerce Wishlist by MC + (Free Elementor & Email Marketing Automation)
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7c7f6ef2-6c50-4739-8844-0db7d9ffe7f7

WP Reroute Email <= 1.4.6 – Cross-Site Request Forgery

Affected Software: WP Reroute Email
CVE ID: CVE-2023-27606
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9c3a047f-be12-4308-a4a5-fbbbc37f674d

Enable Accessibility <= 1.4 – Cross-Site Request Forgery

Affected Software: Enable Accessibility
CVE ID: CVE-2023-30484
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b0b8c4c3-eba2-4c20-b790-48eceeba898e

CoSchedule <= 3.3.8 – Cross-Site Request Forgery

Affected Software: CoSchedule
CVE ID: CVE-2022-47165
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ca55a7a0-da31-4d3f-845b-80f89ffbadf5

Forminator <= 1.22.1 – Missing Authorization on ‘hubspot_support_request’ AJAX function

Affected Software: Forminator – Contact Form, Payment Form & Custom Form Builder
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d0cb4434-94c5-42a9-bd86-869058dcbf67

Blocksy Companion <= 1.8.81 – Authenticated (Subscriber+) Sensitive Information Exposure via blocksy_posts shortcode

Affected Software: Blocksy Companion
CVE ID: CVE-2023-1911
CVSS Score: 4.3 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d31aad1c-89d4-4f71-bfed-a795f7a4f209

Square <= 2.0.0 – Missing Authorization via activate_plugin

Affected Software: Square
CVE ID: CVE-2023-30486
CVSS Score: 4.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d3ca4c3c-2b20-42d4-8dcf-77f4d52c25a3

Better Search <= 3.1.0 – Cross-Site Request Forgery

Affected Software: Better Search – Relevant search results for WordPress
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d7a02502-bc3c-4fd1-b6db-7b3c476c141f

WP EasyPay <= 4.0.4 – Cross-Site Request Forgery

Affected Software: WP EasyPay – Square for WordPress
CVE ID: CVE-2022-47177
CVSS Score: 4.3 (Medium)
Researcher/s: Cat
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e2c1606e-b6b6-4f7d-8473-1015677ded7c

Ruby Help Desk <= 1.3.3 – Missing Authorization to Arbitrary Ticket Modification

Affected Software: Ruby Help Desk
CVE ID: CVE-2023-1125
CVSS Score: 4.3 (Medium)
Researcher/s: Ameen Alkurdy
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fd741e2d-5478-4b9a-83ab-7ccafdc5d12f
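The report opens by asking readers to check whether their site is affected. The script below is an added example, not Wordfence code, that shows how to do that check offline: it parses entries written in the layout of the Vulnerability Details section above and compares a plugin inventory keyed by slug (the form `wp plugin list --fields=name,version` reports) against each entry's inclusive `<= version` bound. It also handles the two caveats a practitioner needs: an Unpatched entry cannot be resolved by updating, and an entry whose bound names a bundled component (the webpack entry listed under Restricted Site Access and ElasticPress) cannot be judged from the plugin version at all and is flagged for manual review. The sample entries and the name-to-slug map are copied from this report; the inventory is constructed; the name-matching heuristic in `bound_applies_to` is my assumption, not a Wordfence rule.

```python
"""Added example, not Wordfence code: check a plugin inventory against entries written in
the layout of the Vulnerability Details section above."""
import re
from collections import namedtuple
# Constructed sample: three entries in the layout used above; other lines (Researcher/s,
# the Vulnerability Details URL) are parsed but not used.
SAMPLE_REPORT = """\
SupportCandy <= 3.1.4 – Unauthenticated SQL Injection via parse_user_filters

Affected Software: SupportCandy – Helpdesk & Support Ticket System
CVE ID: CVE-2023-1730
CVSS Score: 9.8 (Critical)
Patch Status: Patched

ZM Ajax Login & Register <= 2.0.2 – Authentication Bypass

Affected Software: ZM Ajax Login & Register
CVE ID: CVE-2023-2027
CVSS Score: 9.8 (Critical)
Researcher/s: Lana Codes
Patch Status: Unpatched

webpack JS package <= 5.75.0 – Sandbox Bypass

Affected Software/s: Restricted Site Access, ElasticPress
CVE ID: CVE-2023-28154
CVSS Score: 8.3 (High)
Patch Status: Patched
"""
# Display name -> slug, from the plugins table above (only the rows needed here).
NAME_TO_SLUG = {
    "SupportCandy – Helpdesk & Support Ticket System": "supportcandy",
    "ZM Ajax Login & Register": "zm-ajax-login-register",
    "Restricted Site Access": "restricted-site-access",
    "ElasticPress": "elasticpress",
}
# Constructed inventory keyed by slug (what `wp plugin list --fields=name,version` reports).
INSTALLED = {
    "supportcandy": "3.1.4",            # at the bound: affected, fix available
    "zm-ajax-login-register": "2.0.2",  # affected, no fix available
    "elasticpress": "4.5.0",            # bound is for bundled webpack: review manually
}
TITLE_RE = re.compile(r"^(?P<name>.+?)\s*<=\s*(?P<ver>\d[\w.\-]*)\s*[–—-]\s*(?P<desc>.+)$")
# component: software named in the title (carries the inclusive "<= version" bound);
# affected: display names under "Affected Software", which may differ from the component.
Entry = namedtuple("Entry", "component max_version affected cve cvss patched")
Finding = namedtuple("Finding", "slug installed cve cvss patched action")

def _build(d):
    affected = d.get("Affected Software/s") or [d["Affected Software"]]
    return Entry(d["component"], d["max_version"], tuple(affected), d["CVE ID"],
                 float(d["CVSS Score"].split()[0]), d["Patch Status"].casefold() == "patched")

def parse_report(text):
    entries, cur = [], {}
    for line in (raw.strip() for raw in text.splitlines()):
        if tm := TITLE_RE.match(line):
            if cur:
                entries.append(_build(cur))
            cur = {"component": tm.group("name").strip(), "max_version": tm.group("ver")}
        elif ": " in line:
            key, val = line.split(": ", 1)
            # Only the plural "Affected Software/s:" is a ", "-separated list; a single
            # display name may itself contain commas, so it is never split.
            cur[key] = val.split(", ") if key == "Affected Software/s" else val
    if cur:
        entries.append(_build(cur))
    return entries

def version_le(installed, bound):
    # installed <= bound on the leading dotted-numeric part only ('2.1.0.11' -> (2, 1, 0, 11);
    # assumption: release versions). Missing trailing components count as 0, and an
    # unparsable version becomes () so that it compares as affected, the safe side.
    def parts(v):
        m = re.match(r"\d+(?:\.\d+)*", v.strip())
        return tuple(int(p) for p in m.group(0).split(".")) if m else ()
    a, b = parts(installed), parts(bound)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) <= b + (0,) * (n - len(b))

def bound_applies_to(component, affected_name):
    # Heuristic (my assumption, not a Wordfence rule): the bound is the plugin's own version
    # when the title's first word occurs in the display name ('SupportCandy' in 'SupportCandy –
    # Helpdesk ...'); otherwise it bounds a bundled component ('webpack' under 'ElasticPress').
    tokens = lambda s: re.findall(r"[a-z0-9]+", s.casefold())
    comp = tokens(component)
    return bool(comp) and comp[0] in tokens(affected_name)

def check_site(installed, entries, name_to_slug):
    findings = []
    for e in entries:
        for name in e.affected:
            slug = name_to_slug.get(name)
            if slug not in installed:
                continue
            ver = installed[slug]
            if not bound_applies_to(e.component, name):
                action = f"manual review: bound is {e.component} <= {e.max_version}, not the plugin version"
            elif not version_le(ver, e.max_version):
                continue  # already past the affected range
            else:  # the report gives no fixed version, so "update" means update to the latest
                action = "update" if e.patched else "no fix available: deactivate or remove"
            findings.append(Finding(slug, ver, e.cve, e.cvss, e.patched, action))
    return sorted(findings, key=lambda f: f.cvss, reverse=True)  # stable: ties keep report order

if __name__ == "__main__":
    print(*check_site(INSTALLED, parse_report(SAMPLE_REPORT), NAME_TO_SLUG), sep="\n")
```

On the constructed inventory this yields three findings, ordered by CVSS: SupportCandy 3.1.4 (update), ZM Ajax Login & Register 2.0.2 (no fix available), and ElasticPress (manual review, because the 5.75.0 bound is webpack's version, not the plugin's). A plugin installed above its bound, say SupportCandy 3.1.5, produces no finding. Unpatched entries are the ones to act on first: the Wordfence firewall rule noted above covers the ZM Ajax Login & Register bypass for Premium, Care, and Response customers, but for a site without that rule the only remedy is to deactivate or remove the plugin.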

As a reminder, Wordfence has curated an industry-leading vulnerability database, known as Wordfence Intelligence, that covers all known WordPress core, theme, and plugin vulnerabilities.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, through vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring various sources to capture all publicly available WordPress vulnerability information, adding additional context where we can.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (Apr 10, 2023 to Apr 16, 2023) appeared first on Wordfence.