Last week, 82 vulnerabilities disclosed in 59 WordPress plugins and 11 WordPress themes, along with 6 in WordPress Core, were added to the Wordfence Intelligence Vulnerability Database, and 26 vulnerability researchers contributed to WordPress security. Review the vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, including the WordPress community, so that individuals and organizations alike can use that data to make the internet more secure. That is why the Wordfence Intelligence user interface and vulnerability API are completely free to access and use, both personally and commercially, and why we publish this weekly vulnerability report.
Click here to sign up for our mailing list to receive weekly vulnerability reports like this one, as well as important WordPress security reports, in your inbox the moment they are published.
New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real time to our Premium, Care, and Response customers last week:
MStore API <= 3.9.2 – Multiple Authentication Bypass
WCFM Membership – WooCommerce Memberships for Multivendor Marketplace <= 2.10.7 – Unauthenticated Insecure Direct Object Reference to Arbitrary User Password Change
TheGem < 5.8.1.1 – Missing Authorization
BP Social Connect <= 1.5 – Authentication Bypass
WAF-RULE-595 – Data redacted while we work with the developer to ensure this vulnerability gets patched.
WAF-RULE-596 – Data redacted while we work with the developer to ensure this vulnerability gets patched.
Woodmart Core <= 1.0.36 – Authentication Bypass to Privilege Escalation
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30-day delay.
Total Unpatched & Patched Vulnerabilities Last Week
| Patch Status | Number of Vulnerabilities |
|---|---|
| Unpatched | 15 |
| Patched | 67 |
Total Vulnerabilities by CVSS Severity Last Week
| Severity Rating | Number of Vulnerabilities |
|---|---|
| Low Severity | 3 |
| Medium Severity | 68 |
| High Severity | 8 |
| Critical Severity | 3 |
Total Vulnerabilities by CWE Type Last Week
| Vulnerability Type by CWE | Number of Vulnerabilities |
|---|---|
| Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 35 |
| Cross-Site Request Forgery (CSRF) | 17 |
| Missing Authorization | 15 |
| Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 3 |
| Authentication Bypass Using an Alternate Path or Channel | 3 |
| Authorization Bypass Through User-Controlled Key | 2 |
| Acceptance of Extraneous Untrusted Data With Trusted Data | 2 |
| Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | 1 |
| Server-Side Request Forgery (SSRF) | 1 |
| Improper Authentication | 1 |
| Deserialization of Untrusted Data | 1 |
| Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 1 |
Researchers That Contributed to WordPress Security Last Week
| Researcher Name | Number of Vulnerabilities |
|---|---|
| Lana Codes (Wordfence Vulnerability Researcher) | 12 |
| Marco Wotschka (Wordfence Vulnerability Researcher) | 10 |
| Erwan LR | 6 |
| Mika | 4 |
| yuyudhn | 2 |
| LOURCODE | 1 |
| konagash | 1 |
| thiennv | 1 |
| Ramuel Gall (Wordfence Vulnerability Researcher) | 1 |
| Matt Rusnak (Wordfence Vulnerability Researcher) | 1 |
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added to the Wordfence Intelligence leaderboard, along with a mention in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
|---|---|
| AI Engine: ChatGPT Chatbot, Content Generator, GPT 3 & 4, Ultra-Customizable | ai-engine |
| AutomateWoo | automatewoo |
| BP Social Connect | bp-social-connect |
| Baidu Tongji generator | baidu-tongji-generator |
| Contact Form by Supsystic | contact-form-by-supsystic |
| ConvertKit – Email Marketing, Newsletter, Subscribers and Landing Pages | convertkit |
| Cookie Monster | cookiemonster |
| Custom 404 Pro | custom-404-pro |
| Customize WordPress Emails and Alerts – Better Notifications for WP | bnfw |
| Drop Shadow Boxes | drop-shadow-boxes |
| Easing Slider | easing-slider |
| Easy Forms for Mailchimp | yikes-inc-easy-mailchimp-extender |
| Essential Addons for Elementor Pro | essential-addons-elementor |
| File Away | file-away |
| Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button – Chaty | chaty |
| Jazz Popups | jazz-popups |
| MStore API | mstore-api |
| Multiple Page Generator Plugin – MPG | multiple-pages-generator-by-porthas |
| OTP Login Woocommerce & Gravity Forms | mobile-login-woocommerce |
| Performance Lab | performance-lab |
| Photo Gallery by Ays – Responsive Image Gallery | gallery-photo-gallery |
| PixelYourSite Pro – Your smart PIXEL (TAG) Manager | pixelyoursite-pro |
| PixelYourSite – Your smart PIXEL (TAG) Manager | pixelyoursite |
| Predictive Search | predictive-search |
| Predictive Search for WooCommerce | woocommerce-predictive-search |
| Quiz Maker | quiz-maker |
| RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login | custom-registration-form-builder-with-submission-manager |
| Ricerca – advanced search | ricerca-smart-search |
| SEO Change Monitor – Track Website Changes | seo-change-monitor |
| Scripts n Styles | scripts-n-styles |
| Simple Page Ordering | simple-page-ordering |
| Smart App Banner | smart-app-banner |
| Stop Referrer Spam | stop-referrer-spam |
| Stop Spammers Security \| Block Spam Users, Comments, Forms | stop-spammer-registrations-plugin |
| Survey Maker – Best WordPress Survey Plugin | survey-maker |
| Ultimate Dashboard – Custom WordPress Dashboard | ultimate-dashboard |
| UpdraftPlus WordPress Backup Plugin | updraftplus |
| Video Gallery | video-slider-with-thumbnails |
| WP Activity Log | wp-security-audit-log |
| WP Activity Log Premium | wp-security-audit-log-premium |
| WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc | wp-sms |
| WP htaccess Control | wp-htaccess-control |
| Waiting: One-click countdowns | waiting |
| WeSecur Security – Antivirus, Malware Scanner and Protection for your WordPress | wesecur-security |
| WishSuite – Wishlist for WooCommerce | wishsuite |
| WooCommerce Bookings | woocommerce-bookings |
| WooCommerce Brands | woocommerce-brands |
| WooCommerce Composite Products | woocommerce-composite-products |
| WooCommerce Pre-Orders | woocommerce-pre-orders |
| WooCommerce Product Add-ons | woocommerce-product-addons |
| WooCommerce Ship to Multiple Addresses | woocommerce-shipping-multiple-addresses |
| WooDiscuz – WooCommerce Comments | woodiscuz-woocommerce-comments |
| WordPress | wordpress |
| WordPress CRM, Email & Marketing Automation for WordPress \| Award Winner — Groundhogg | groundhogg |
| Zotpress | zotpress |
| nuajik | nuajik-cdn |
| reCAPTCHA and Cloudflare Turnstile For All Pages, to Block Spam and Hackers Attack, Block Visitors from China | recaptcha-for-all |
| video carousel slider with lightbox | wp-responsive-video-gallery-with-lightbox |
| woocommerce-product-recommendations | woocommerce-product-recommendations |
WordPress Themes with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
|---|---|
| Appzend | appzend |
| BuzzStore | buzzstore |
| Craft Blog | craft-blog |
| Fitness Park | fitness-park |
| Kathmag | kathmag |
| Kingcabs | kingcabs |
| Medical Heed | medical-heed |
| MetroStore | metrostore |
| Online eStore | online-estore |
| SparkleStore | sparklestore |
| SpiderMag | spidermag |
Vulnerability Details
BP Social Connect <= 1.5 – Authentication Bypass
CVE ID: CVE-2023-2704
CVSS Score: 9.8 (Critical)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/44c96df2-530a-4ebe-b722-c606a7b135f9
RegistrationMagic <= 5.2.1.0 – Authentication Bypass
CVE ID: CVE-2023-2499
CVSS Score: 9.8 (Critical)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/87ec5542-b6e7-4b18-a3ec-c258e749d32e
MStore API <= 3.9.0 – Authentication Bypass
CVE ID: CVE-2023-2733
CVSS Score: 9.8 (Critical)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c726d8f0-7f2a-414b-9d73-a053921074d9
SEO Change Monitor <= 1.2 – Authenticated (Subscriber+) SQL Injection
CVE ID: CVE-2023-33209
CVSS Score: 8.8 (High)
Researcher/s: Nithissh S
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c4f19302-70a5-4132-b841-fba1dd86a0d3
OTP Login Woocommerce & Gravity Forms <= 2.2 – Authentication Bypass to Privilege Escalation
CVE ID: CVE-2023-2706
CVSS Score: 8.1 (High)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b1b7b653-496f-467a-9513-4be1891f38ae
Groundhogg <= 2.7.9.8 – Cross-Site Request Forgery to Privilege Escalation
CVE ID: CVE-2023-2736
CVSS Score: 7.5 (High)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9bf472f1-5980-48ee-aa10-aad19b6f2456
Waiting: One-click countdowns <= 0.6.2 – Missing Authorization Checks leading to Authenticated (Subscriber+) Stored Cross-Site Scripting
CVE ID: CVE-2023-2757
CVSS Score: 7.4 (High)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/38cc5a39-6ec3-4ce9-b9ad-d4ca5dafe9a7
Essential Addons for Elementor Pro <= 5.4.8 – Unauthenticated Server-Side Request Forgery
CVE ID: CVE-2023-32245
CVSS Score: 7.3 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b1a193b7-21e5-4f57-aaa6-e55c79f8e957
Multiple Page Generator Plugin <= 3.3.17 – Authenticated (Administrator+) SQL Injection
CVE ID: CVE-2023-2607
CVSS Score: 7.2 (High)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1575f0ad-0a77-4047-844c-48db4c8b4e91
WooCommerce Pre-Orders <= 1.9.0 – Unauthenticated Cross-Site Scripting
CVE ID: CVE-2023-32802
CVSS Score: 7.2 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b93f66ac-5c9b-483a-a7ad-0a404d3935e0
WooCommerce Product Add-ons <= 6.1.3 – Authenticated (Shop Manager+) PHP Object Injection
CVE ID: CVE-2023-32795
CVSS Score: 7.2 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d77666b5-956d-420b-93ed-a15cdbfcced7
Predictive Search <= 1.2.2 – Missing Authorization
CVE ID: CVE Unknown
CVSS Score: 6.5 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/340e98bf-6484-4634-b2f8-e02f14de67de
WordPress Core < 6.2.2 – Shortcode Execution in User Generated Content
CVE ID: CVE Unknown
CVSS Score: 6.5 (Medium)
Researcher/s: Liam Gladdy
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4e3a6fe2-6292-44ff-8925-a4aeb77c2a7f
WordPress Core < 6.2.1 – Shortcode Execution in User Generated Content
CVE ID: CVE Unknown
CVSS Score: 6.5 (Medium)
Researcher/s: Liam Gladdy
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6300c8c2-f539-46b2-9ee0-80bebbe4cad3
Predictive Search <= 1.2.2 – Missing Authorization
CVE ID: CVE Unknown
CVSS Score: 6.5 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ca481a37-8c45-499c-bf68-3af6795af827
Predictive Search <= 1.2.2 – Missing Authorization
CVE ID: CVE Unknown
CVSS Score: 6.5 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d396e90b-c113-4534-8ce3-27bea3bd7296
File Away <= 3.9.9.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-0431
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5f78dd75-d853-4b16-843e-e0c9c55a103c
Drop Shadow Boxes <= 1.7.10 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6f2b4ac7-f888-408b-a77a-bd73ac8e967d
WordPress Core < 6.2.1 – Insufficient Sanitization of Block Attributes
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/834c92ba-8b48-4ae3-9073-085e8f559762
WooCommerce Brands <= 1.6.45 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-32746
CVSS Score: 6.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/accdcff0-f361-4632-b0b7-e55975adeebb
WordPress Core < 6.2.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Embed Discovery
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Jakub Zoczek
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bba3eeeb-5e7e-4ec3-9db0-02c44585647a
WooCommerce Pre-Orders <= 2.0.0 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-32793
CVSS Score: 6.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c3915c2f-400d-433d-bbc8-4d88258123dc
WP SMS <= 6.1.4 – Reflected Cross-Site Scripting via ‘delete_mobile’
CVE ID: CVE-2023-32742
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/04970416-06db-4339-ac22-34fde5a48f2a
Survey Maker <= 3.4.6 – Reflected Cross-Site Scripting via ‘page’ parameter
CVE ID: CVE-2023-2572
CVSS Score: 6.1 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/15b57809-6062-48ca-8572-26032928cd16
WooCommerce Composite Products <= 8.7.5 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-32801
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1d45bd32-d693-40e6-9b30-9e0b91eb4660
Chaty <= 3.0.9 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-25019
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/36741b46-57ac-402e-bfb1-8424c7e70598
Easy Forms for Mailchimp <= 6.8.8 – Unauthenticated Cross-Site Scripting
CVE ID: CVE-2023-23900
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4afb25d5-dce1-4a7a-8afe-0fc2a384b945
UpdraftPlus <= 1.23.3 – Cross-Site Request Forgery to Cross-Site Scripting via action_authenticate_storage
CVE ID: CVE-2023-32960
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/597f06ac-f9c7-4dcb-bb72-15ed7e9d8ac6
Custom 404 Pro <= 3.8.1 – Reflected Cross-Site Scripting via ‘page’
CVE ID: CVE-2023-32740
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7d90dad3-d7ef-4060-8328-fd551cee92e2
Stop Spammers Security <= 2022.6 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-2489
CVSS Score: 6.1 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/889cb1d5-7f5c-4904-9b5f-cc8a505eb65c
Video Gallery <= 1.0.10 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-2708
CVSS Score: 6.1 (Medium)
Researcher/s: Marco Wotschka, yuyudhn
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8cfbad9f-61ba-4216-9078-c1e7e809899a
Jazz Popups <= 1.8.7 – Reflected Cross-Site Scripting via ‘wpjazzpopup_switchonoff’
CVE ID: CVE-2023-32965
CVSS Score: 6.1 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ba8c5db5-48d4-4ce1-84b9-5743c7444a3a
Photo Gallery by Ays <= 5.1.6 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-2568
CVSS Score: 6.1 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ca62b54e-dde6-440f-bed9-db320179269e
ConvertKit <= 2.2.0 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-2337
CVSS Score: 6.1 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cf3a16b6-7256-4fad-b3f2-d1d9d833f45e
video carousel slider with lightbox <= 1.0.22 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-2710
CVSS Score: 6.1 (Medium)
Researcher/s: Marco Wotschka, yuyudhn
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e88bb3a8-de24-46fb-a3e4-9ca3fdd4cca7
Quiz Maker <= 6.4.2.6 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-2571
CVSS Score: 6.1 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f70d0bea-3ac2-4235-92a2-09458b85bddd
Essential Addons for Elementor Pro <= 5.4.8 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-32241
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f8f86293-a32f-49a6-8c8c-d37354ab040a
AutomateWoo <= 5.7.1 – Authenticated (Shop Manager+) SQL Injection
CVE ID: CVE-2023-32743
CVSS Score: 5.5 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9202cb4d-7fd4-444d-ab44-8f6d9e68d869
Contact Form by Supsystic <= 1.7.24 – Cross-Site Request Forgery via AJAX action
CVE ID: CVE-2023-2528
CVSS Score: 5.4 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1c387b07-baf6-4c62-943e-4bd121160ceb
Groundhogg <= 2.7.9.8 – Missing Authorization to Non-Arbitrary File Upload
CVE ID: CVE-2023-2716
CVSS Score: 5.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3c5bde0e-3138-4995-92ae-6deaf6b7be5b
Zotpress <= 7.3.3 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-32961
CVSS Score: 5.4 (Medium)
Researcher/s: LOURCODE
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/617dcc0e-e212-4da0-8918-e55e6b3895fa
Simple Page Ordering <= 2.5.0 – Missing Authorization to Information Disclosure
CVE ID: CVE-2023-32798
CVSS Score: 5.4 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/77d8d29b-b730-46be-a354-7abfa83ac664
Stop Referrer Spam <= 1.3.0 – Cross-Site Request Forgery via processParameters
CVE ID: CVE-2023-33207
CVSS Score: 5.4 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a5deac61-031f-452a-a478-d5d0c7953817
Groundhogg <= 2.7.9.8 – Cross-Site Request Forgery to Disable All Plugins
CVE ID: CVE-2023-2717
CVSS Score: 5.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/af73240c-b711-4e91-9998-5f7e6a9a4fb9
WordPress Core < 6.2.1 – Directory Traversal
CVE ID: CVE-2023-2745
CVSS Score: 5.4 (Medium)
Researcher/s: Ramuel Gall, Matt Rusnak
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/edcf46b6-368e-49c0-b2c3-99bf6e2d358f
Smart App Banner <= 1.1.2 – Cross-Site Request Forgery via wsl_smart_app_banner_options
CVE ID: CVE Unknown
CVSS Score: 5.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f71453d9-8bbf-4546-b69f-e86cc41da9bd
Multiple sparklewpthemes Themes (Various versions) – Cross-Site Request Forgery to Arbitrary Plugin Activation
CVE ID: CVE-2023-32959
CVSS Score: 5.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/62e30cef-ce5d-4450-989e-f08f09b7638f
WooCommerce Predictive Search <= 5.8.0 – Missing Authorization via multiple AJAX actions
CVE ID: CVE-2023-32963
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7ea2726a-a601-45ac-9f20-c34b82edf441
Easing Slider <= 3.0.8 – Missing Authorization to Unauthenticated Settings Reset
CVE ID: CVE-2023-30490
CVSS Score: 5.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9e04a2f8-5071-4c85-b4f8-cb914ee509b5
Multiple sparklewpthemes Themes (Various versions) – Missing Authorization to Arbitrary Plugin Activation
CVE ID: CVE-2023-32959
CVSS Score: 5.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c37bfdeb-2d0c-4ace-94cc-b85c16985994
WooCommerce Predictive Search <= 5.8.0 – Cross-Site Request Forgery via multiple AJAX actions
CVE ID: CVE-2023-32963
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/dc428f4b-fe82-419a-aee3-38f0bb582506
Groundhogg <= 2.7.9.8 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-2735
CVSS Score: 4.9 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4938206e-2ea4-47ed-a307-87cf67dd74a4
WooDiscuz – WooCommerce Comments <= 2.2.9 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-33216
CVSS Score: 4.4 (Medium)
Researcher/s: Emili Castells
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/01bd8a24-5580-4b16-94b3-c231d5fe7a01
Chaty <= 3.0.9 – Authenticated (Admin+) Stored Cross-Site Scripting
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3baa0543-cdfb-4699-97ca-eaa83c2494a1
Cookie Monster <= 1.51 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-33208
CVSS Score: 4.4 (Medium)
Researcher/s: Prasanna V Balaji
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4f040075-83a0-4c9a-8d93-99aa36606b31
PixelYourSite <= 9.3.6 and PixelYourSite Pro <= 9.6.1 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-2584
CVSS Score: 4.4 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5ebf1e83-50b8-4f56-ba76-10100375edda
WP htaccess Control <= 3.5.1 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-25462
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6741b770-79d3-4797-8f8f-4ca83fde4705
AI Engine: ChatGPT Chatbot, Content Generator, GPT 3 & 4, Ultra-Customizable <= 1.6.82 – Authenticated (Admin+) Stored Cross-Site Scripting
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: WPScanTeam
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6d8f59b0-da92-43aa-990d-5271aa40d6b4
WishSuite <= 1.3.4 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-32962
CVSS Score: 4.4 (Medium)
Researcher/s: Emili Castells
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b515782a-d7ec-41a6-92f8-91823f2c0dcf
Stop Spammers Security <= 2022.6 – Authenticated (Admin+) Stored Cross-Site Scripting
CVE ID: CVE-2023-2489
CVSS Score: 4.4 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c83df43e-286d-4695-9c37-bee2870fd3b5
WeSecur Security <= 1.2.1 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-24390
CVSS Score: 4.4 (Medium)
Researcher/s: Prasanna V Balaji
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d732ea2d-c763-4735-b541-6c5fd5167cb4
Ultimate Dashboard <= 3.7.5 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e5103e60-771f-46cf-b432-21d131e30bcc
nuajik CDN <= 0.1.0 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-33210
CVSS Score: 4.4 (Medium)
Researcher/s: Pavitra Tiwari
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fcf09793-1277-41a0-9ce4-b85b13721729
WordPress Core < 6.2.1 – Cross-Site Request Forgery
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: John Blackbourn
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0da1cc3b-5d6b-4ca0-9d8a-31c63ab5b9c9
WooCommerce Ship to Multiple Addresses <= 3.8.3 – Insecure Direct Object Reference
CVE ID: CVE-2023-32799
CVSS Score: 4.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/163328e9-2918-4bc0-8bbc-90d7e992754d
Groundhogg <= 2.7.9.8 – Missing Authorization to Admin Account and Ticket Creation
CVE ID: CVE-2023-2715
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/24747507-8f24-499e-a257-d379dc171e18
Groundhogg <= 2.7.9.8 – Missing Authorization to Update License
CVE ID: CVE-2023-2714
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/29700844-b41d-4f10-90a7-06c8574d8d2a
WooCommerce Bookings <= 1.15.78 – Insecure Direct Object Reference
CVE ID: CVE-2023-32747
CVSS Score: 4.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2b365fb8-7a93-4306-b2b1-ce47dc19457a
Ricerca smart and advanced search <= 1.0.15 – Cross-Site Request Forgery
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2fefcc8c-3864-4764-86e7-678d8604fd67
WP Activity Log Premium <= 4.5.0 – Cross-Site Request Forgery via ajax_switch_db
CVE ID: CVE-2023-2285
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4c659f6d-e02b-42ab-ba02-eb9b00602ad4
AutomateWoo <= 5.7.1 – Cross-Site Request Forgery
CVE ID: CVE-2023-32745
CVSS Score: 4.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/540de1b8-eb1f-4f9d-b45c-d3d5f11b642d
reCAPTCHA for all <= 1.22 – Missing Authorization via recaptcha_for_all_image_select
CVE ID: CVE-2023-32599
CVSS Score: 4.3 (Medium)
Researcher/s: Jonas Höbenreich
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/66585943-cb70-4296-af66-5b786d1bafb9
WP Activity Log Premium <= 4.5.0 – Missing Authorization via ajax_switch_db
CVE ID: CVE-2023-2284
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6e29fd6b-462a-42be-9a2a-b6717b20a937
Performance Lab <= 2.2.0 – Cross-Site Request Forgery via dismiss-wp-pointer
CVE ID: CVE-2022-47174
CVSS Score: 4.3 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6f1e3586-99f7-4cac-bbb2-1a6406c4f8a4
Better Notifications for WP <= 1.9.2 – Cross-Site Request Forgery via handle_actions
CVE ID: CVE-2023-32964
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7ddabda2-1e27-4b87-b643-b0166112a890
WooCommerce Product Recommendations < 2.3.0 – Cross-Site Request Forgery
CVE ID: CVE-2023-32744
CVSS Score: 4.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/826fe5a8-3290-4f70-b9bb-8bd4aec3634c
WooCommerce Product Add-ons <= 6.1.3 – Cross-Site Request Forgery
CVE ID: CVE-2023-32794
CVSS Score: 4.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b5bd3852-c1a5-4d7d-b4fb-59911fba4873
WP Activity Log <= 4.5.0 – Cross-Site Request Forgery via ajax_run_cleanup
CVE ID: CVE-2023-2286
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e2008e0b-32c6-46fb-93b9-2b0004f478e8
WP Activity Log <= 4.5.0 – Missing Capabilities Check to User Enumeration
CVE ID: CVE-2023-2261
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f51f0919-498e-4f86-a933-1b7f2c4a10a4
Scripts n Styles <= 3.5.2 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-31236
CVSS Score: 3.3 (Low)
Researcher/s: konagash
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a86d8f97-54dc-4c6b-92c0-05a8625cc073
Baidu Tongji generator <= 1.0.2 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-31233
CVSS Score: 3.3 (Low)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e2b9b6f4-6ee7-498d-9693-a5ae5f7f4719
Multiple Page Generator Plugin <= 3.3.17 – Cross-Site Request Forgery to SQL Injection
CVE ID: CVE-2023-2608
CVSS Score: 3.1 (Low)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d900584c-0f58-4abc-92ff-841f898d02fc
As a reminder, Wordfence has curated an industry-leading vulnerability database, known as Wordfence Intelligence, that covers all known WordPress core, theme, and plugin vulnerabilities.
This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, through submissions made directly to us by vulnerability researchers using our CVE Request form, and by monitoring a variety of sources to capture all publicly available WordPress vulnerability information, adding additional context where we can.
The post Wordfence Intelligence Weekly WordPress Vulnerability Report (May 15, 2023 to May 21, 2023) appeared first on Wordfence.