Last week, there were 61 vulnerabilities disclosed in 54 WordPress Plugins and 1 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 28 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface and vulnerability API are completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
Booking Package <= 1.5.98 – Authorization Bypass to Arbitrary Password Reset
Atarim – Client Interface <= 3.9.1 – Missing Authorization via AJAX actions
HT Mega – Absolute Addons for Elementor <= 2.2.0 – Missing Authorization to Privilege Escalation
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.
Total Unpatched & Patched Vulnerabilities Last Week
Patch Status
Number of Vulnerabilities
Unpatched
29
Patched
32
Total Vulnerabilities by CVSS Severity Last Week
Severity Rating
Number of Vulnerabilities
Low Severity
0
Medium Severity
49
High Severity
8
Critical Severity
4
Total Vulnerabilities by CWE Type Last Week
Vulnerability Type by CWE
Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
24
Cross-Site Request Forgery (CSRF)
14
Missing Authorization
14
Authorization Bypass Through User-Controlled Key
4
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
2
Information Exposure
1
Uncontrolled Resource Consumption (‘Resource Exhaustion’)
1
Unrestricted Upload of File with Dangerous Type
1
Researchers That Contributed to WordPress Security Last Week
Researcher Name
Number of Vulnerabilities
Alex Thomas
(Wordfence Vulnerability Researcher)
9
Lana Codes
(Wordfence Vulnerability Researcher)
3
yuyudhn
3
Elliot
1
easyBug
1
Friday
1
thiennv
1
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
Software Name
Software Slug
ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup
armember-membership
All-in-one Floating Contact Form, Call, Chat, and 50+ Social Icon Tabs – My Sticky Elements
mystickyelements
Animated Number Counters
animated-number-counters
Auto Location for WP Job Manager via Google
auto-location-for-wp-job-manager
BadgeOS
badgeos
Baidu Tongji generator
baidu-tongji-generator
Booking Package
booking-package
Bulk edit image alt tag, caption & description – WordPress Media Library Helper by Codexin
media-library-helper
Classified Listing – Classified ads & Business Directory Plugin
classified-listing
Coming Soon Page – Responsive Coming Soon & Maintenance Mode
responsive-coming-soon-page
Cryptocurrency Widgets – Price Ticker & Coins List
cryptocurrency-price-ticker-widget
FluentSMTP – WP Mail SMTP, Amazon SES, SendGrid, MailGun and Any SMTP Connector Plugin
fluent-smtp
Getnet Argentina para Woocommerce
integrar-getnet-con-woo
Gift Cards (Gift Vouchers and Packages) (WooCommerce Supported)
gift-voucher
HT Mega – Absolute Addons For Elementor
ht-mega-for-elementor
Header Footer Code Manager
header-footer-code-manager
Image Regenerate & Select Crop
image-regenerate-select-crop
Image Social Feed Plugin
add-instagram
Kingkong Board
kingkong-board
LMS by Masteriyo – WordPress Learning Management System, eLearning Platform, Online Education System & Online Course Builder
learning-management-system
LearnPress – WordPress LMS Plugin
learnpress
Livestream Notice
livestream-notice
Menubar
menubar
Mobile Call Now & Map Buttons
mobile-call-now-map-buttons
Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress
ninja-forms
Product Category Tree
product-category-tree
Querlo Chatbot
querlo-chatbots
RSVPMaker
rsvpmaker
Reservation.Studio widget
reservation-studio-widget
SMTP Mail
smtp-mail
Secondary Title
secondary-title
ShopLentor – WooCommerce Builder for Elementor & Gutenberg +10 Modules – All in One Solution (formerly WooLentor)
woolentor-addons
Simple Giveaways – Grow your business, email lists and traffic with contests
giveasap
Simple Light Weight Social Share (Tweet, Like, Share and Linkedin)
only-tweet-like-share-and-google-1
Simple Site Verify
simple-site-verify
Social Share Boost
social-share-boost
SrbTransLatin – Serbian Latinisation
srbtranslatin
Sublanguage
sublanguage
User Registration – Custom Registration Form, Login Form And User Profile For WordPress
user-registration
Video Gallery – YouTube Playlist, Channel Gallery by YotuWP
yotuwp-easy-youtube-embed
Visibility Logic for Elementor
visibility-logic-elementor
Visual Website Collaboration, Feedback & Project Management – Atarim
atarim-visual-collaboration
WP Content Copy Protection & No Right Click
wp-content-copy-protector
WP Dummy Content Generator
wp-dummy-content-generator
WP Full Stripe Free
wp-full-stripe-free
WP Mail Log
wp-mail-log
WP RSS Images
wp-rss-images
WP Reroute Email
wp-reroute-email
WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc
wp-sms
WP-Cirrus
wp-cirrus
WP-Optimize – Cache, Clean, Compress.
wp-optimize
WordPress Mobile Pack – Mobile Plugin for Progressive Web Apps & Hybrid Mobile Apps
wordpress-mobile-pack
oAuth Twitter Feed for Developers
oauth-twitter-feed-for-developers
wpForo Forum
wpforo
WordPress Themes with Reported Vulnerabilities Last Week
Software Name
Software Slug
WPLMS Learning Management System for WordPress, WordPress LMS
wplms
Vulnerability Details
Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities.
User Registration <= 3.0.2 – Authenticated (Subscriber+) Arbitrary File Upload
CVE ID: CVE-2023-3342
CVSS Score: 9.9 (Critical)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a979e885-f7dd-4616-a881-64f3d97c309d
HT Mega – Absolute Addons for Elementor <= 2.2.0 – Missing Authorization to Privilege Escalation
CVE ID: CVE Unknown
CVSS Score: 9.8 (Critical)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/46f3cc62-c2d8-45af-bb92-c2040789cbc0
Booking Package <= 1.5.98 – Authorization Bypass to Arbitrary Password Reset
CVE ID: CVE-2023-37389
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/65166432-a877-4070-94c1-cdaf7e5d7586
Atarim – Client Interface <= 3.9.1 – Missing Authorization via AJAX actions
CVE ID: CVE Unknown
CVSS Score: 9.1 (Critical)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/15f3a6e1-6126-4825-b2b1-e40dc5694f43
Getnet Argentina para Woocommerce 0.0.1 – 0.0.4 – Authorization Bypass via webhook
CVE ID: CVE-2023-3525
CVSS Score: 7.5 (High)
Researcher/s: Kijam López
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/245e9117-ca63-458e-a094-60a759f5ec19
LearnPress <= 4.2.3 – Missing Authorization to Information Exposure
CVE ID: CVE-2023-36515
CVSS Score: 7.3 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ea136a60-aa42-4577-88b6-a49c79098954
WP Reroute Email <= 1.4.9 – Unauthenticated Stored Cross-Site Scripting via Email Subject
CVE ID: CVE-2023-3168
CVSS Score: 7.2 (High)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4a0e962b-b6a0-4179-91d0-5ede508a9895
RSVPMarker <= 10.5.4 – Authenticated (Administrator+) SQL Injection via ‘resend’
CVE ID: CVE-2023-29095
CVSS Score: 7.2 (High)
Researcher/s: Rafi Priatna Kasbiantoro
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6709f9b0-0915-4361-9fb0-1f2696e26c2f
WP Mail Log <= 1.1.1 – Unauthenticated Stored Cross-Site Scripting via Email
CVE ID: CVE-2023-3088
CVSS Score: 7.2 (High)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/86ee1acb-6f0c-40e6-80a0-fc93b61c1602
SMTP Mail <= 1.2.16 – Unauthenticated Stored Cross-Site Scripting via Email Subject
CVE ID: CVE-2023-3092
CVSS Score: 7.2 (High)
Researcher/s: Alex Thomas
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8ae734d1-0cd4-4ff5-8448-828b0fb64f70
Coming Soon <= 1.5.8 – Authenticated (Administrator+) SQL Injection
CVE ID: CVE-2022-46849
CVSS Score: 7.2 (High)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9a371489-031e-483e-9fde-3901b55710c6
FluentSMTP <= 2.2.4 – Unauthenticated Stored Cross-Site Scripting via Email Subject
CVE ID: CVE-2023-3087
CVSS Score: 7.2 (High)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fa47a794-e5ce-491d-a10b-c7c5718aa853
ARMember <= 4.0.5 – Cross-Site Request Forgery
CVE ID: CVE-2023-3011
CVSS Score: 6.5 (Medium)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/42f5f29b-2d83-4b15-82aa-0598f8a2317b
Masteriyo – LMS for WordPress <= 1.6.7 – Sensitive Information Exposure
CVE ID: CVE-2023-3345
CVSS Score: 6.5 (Medium)
Researcher/s: Yassir Sbai Fahim
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5e8933b8-1e09-4cd7-8206-711cc0716dba
Simple Giveaways <= 2.46.0 – Missing Authorization
CVE ID: CVE-2023-23893
CVSS Score: 6.5 (Medium)
Researcher/s: Nguyen Anh Tien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/721f8943-5d59-41ee-935e-999dff2e590d
BadgeOS <= 3.7.1.6 – Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Post Deletion
CVE ID: CVE-2023-2173
CVSS Score: 6.5 (Medium)
Researcher/s: Alex Thomas
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ebb9e37c-9e8b-429b-b4ef-cd875351852c
Querlo Chatbot <= 1.2.4 – Authenticated (Subscriber+) Stored Cross-Site Scripting
CVE ID: CVE-2023-3418
CVSS Score: 6.4 (Medium)
Researcher/s: Rafael B.
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/157ea849-7947-4d0d-9ecf-7705f9039c8d
Secondary Title <= 2.0.9.1 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-28773
CVSS Score: 6.4 (Medium)
Researcher/s: TaeEun Lee
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f5ab7d3e-b0c8-4e30-942b-23d91daff2ac
WPLMS < 4.900 – Cross-Site Request Forgery
CVE ID: CVE-2023-36690
CVSS Score: 6.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9071acdf-8d40-4e8b-8d1f-be2cabf3d66e
Kingkong Board <= 2.1.0.2 – Missing Authorization
CVE ID: CVE-2023-36694
CVSS Score: 6.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d7b33199-d254-4d0c-88d0-ad2f7515d747
wpForo Forum <= 2.1.8 – Reflected Cross-Site Scripting via ‘wpforo_debug’
CVE ID: CVE-2023-2309
CVSS Score: 6.1 (Medium)
Researcher/s: Alex Sanford
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/35b6a26a-d7c1-4538-87f3-fcb1095797a3
WP-Optimize <= 3.2.12 & SrbTransLatin <= 2.4 – Stored/Reflected Cross-Site Scripting via Third Party Library
CVE ID: CVE-2023-1119
CVSS Score: 6.1 (Medium)
Researcher/s: Paolo Elia
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fdb822e8-583e-4437-a735-b116aa8886e2
Animated Number Counters <= 1.6 – Authenticated (Editor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-24393
CVSS Score: 5.5 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e87ea6b5-4288-4ebb-8a29-e0a179e6b584
WordPress Mobile Pack <= 3.4.1 – Cross-Site Request Forgery
CVE ID: CVE-2023-37391
CVSS Score: 5.4 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1f545c20-5be1-42bc-9268-640590ee4bf2
LearnPress <= 4.2.3 – Missing Authorization
CVE ID: CVE Unknown
CVSS Score: 5.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/389277fd-e47e-42df-9305-61ceedbcfb29
Sublanguage <= 2.9 – Missing Authorization
CVE ID: CVE-2023-36695
CVSS Score: 5.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/50726c57-8d42-4143-9e75-d30513d8d0e2
Header Footer Code Manager <= 1.1.34 – Cross-Site Request Forgery via process_bulk_action
CVE ID: CVE Unknown
CVSS Score: 5.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/60493635-b1b0-4e76-8f73-16c223d7b4d7
BadgeOS <= 3.7.1.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-2171
CVSS Score: 5.4 (Medium)
Researcher/s: Alex Thomas
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/74a280e1-e4b6-4bd9-882b-d9f185332d61
Menubar <= 5.8.2 – Cross-Site Request Forgery in wpm-admin.php
CVE ID: CVE-2023-36687
CVSS Score: 5.4 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/be10894d-2a86-4f07-8119-e6eac8c9c950
Image Regenerate & Select Crop <= 7.1.0 – Missing Authorization
CVE ID: CVE-2023-36680
CVSS Score: 5.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cb7335c0-b6ed-43bb-91b7-870093d14cb8
LearnPress <= 4.2.3 – Missing Authorization
CVE ID: CVE-2023-36516
CVSS Score: 5.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e91e864a-20f6-48a2-ab9f-d20836207383
Product Category Tree <= 2.5 – Missing Authorization
CVE ID: CVE-2023-29173
CVSS Score: 5.3 (Medium)
Researcher/s: Friday
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/88840d66-1644-4af0-b811-41f0e9fe2c0c
Ninja Forms <= 3.6.25 – Denial of Service via Large Form Submissions
CVE ID: CVE-2023-35909
CVSS Score: 5.3 (Medium)
Researcher/s: PetiteMais
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/952a3e52-4e23-4bc4-92d3-e15ae2f3d28b
Cryptocurrency Widgets – Price Ticker & Coins List <= 2.6.2 – Missing Authorization
CVE ID: CVE-2023-36681
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/dec2855c-71a8-46b2-819a-d85cd11a1a24
WP Dummy Content Generator <= 2.3.0 – Missing Authorization
CVE ID: CVE-2023-37394
CVSS Score: 5.3 (Medium)
Researcher/s: thiennv
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f4dad030-41e4-4d67-8650-8d268c44d352
Auto Location for WP Job Manager via Google <= 1.0 – Authenticated (Administrator+) Stored Cross Site Scripting
CVE ID: CVE-2023-3344
CVSS Score: 4.4 (Medium)
Researcher/s: Bob Matyas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/19a70aa0-7075-4922-8feb-25b7fbe9da42
WP Full Stripe Free <= 1.6.1 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-28934
CVSS Score: 4.4 (Medium)
Researcher/s: easyBug
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2afbc0a4-32ad-4fc4-9b10-5c06784f72f3
Social Share Boost <= 4.4 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-25044
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/41d09e93-8503-41e8-85d3-8550dc8f85bd
WP-Cirrus <= 0.6.11 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-36692
CVSS Score: 4.4 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4cab3c9c-39c6-4279-9573-858b0592c3fa
All-in-one Floating Contact Form <= 2.1.1 – Authenticated(Administrator+) Stored Cross-Site Scripting via plugin settings
CVE ID: CVE-2023-3248
CVSS Score: 4.4 (Medium)
Researcher/s: Dipak Panchal
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/52538617-a1d1-40ed-8321-e39d06869398
Livestream Notice <= 1.2.0 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-27621
CVSS Score: 4.4 (Medium)
Researcher/s: Pavitra Tiwari
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/69d957d3-a0d5-44ec-a9b0-8c9b41175379
Reservation.Studio widget <= 1.0.9 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-24397
CVSS Score: 4.4 (Medium)
Researcher/s: Nithissh S
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7caa4c73-cf57-4f99-8bc6-6fd02308a58f
Video Gallery <= 1.3.12 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-25477
CVSS Score: 4.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/93b5bc57-3bfa-4477-a9d4-f0563008cf94
WP Content Copy Protection & No Right Click <= 3.5.5 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-36678
CVSS Score: 4.4 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9589d44b-55c3-45b4-84bb-c86143de3f95
Simple Light Weight Social Share (Tweet, Like, Share and Linkedin) <= 2.0 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-37388
CVSS Score: 4.4 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/98780ecc-fb45-4392-955d-ddecf9f7fca1
Mobile Call Now & Map Buttons <= 1.5.0 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-24401
CVSS Score: 4.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a10ee756-1b71-4232-817c-1ba6ead7f0f0
Simple Site Verify <= 1.0.7 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-36688
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b1ea7e04-d3b3-43fa-be9a-a2d5ac3e34c3
Image Social Feed Plugin <= 1.7.6 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-24412
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bcaa19b0-2d55-4a0c-98e7-9a38488dd922
oAuth Twitter Feed for Developers <= 2.3.0 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-25042
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fa3819b1-8e7c-4e97-bac5-96d73d935845
Gift Cards (Gift Vouchers and Packages) <= 4.3.5 – Cross-Site Request Forgery in new_voucher_template.php
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0007d830-2e68-4c2f-8fac-f4363bc2d73d
WP Dummy Content Generator <= 2.3.0 – Cross-Site Request Forgery
CVE ID: CVE-2023-37392
CVSS Score: 4.3 (Medium)
Researcher/s: Elliot
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0576737d-8330-4a80-af70-4f0eab6657ed
Classified Listing <= 2.4.5 – Cross-Site Request Forgery via rtcl_ajax_thumbnail_delete
CVE ID: CVE-2023-37387
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2352dce7-5302-4892-9ae2-bf814f029af4
WooLentor <= 2.6.2 – Cross-Site Request Forgery via process_data
CVE ID: CVE-2022-47172
CVSS Score: 4.3 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5c068079-0857-4116-8edb-1bc2fea3c6b7
BadgeOS <= 3.7.1.6 – Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Post Title Overwrite
CVE ID: CVE-2023-2172
CVSS Score: 4.3 (Medium)
Researcher/s: Alex Thomas
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5dae8e82-e252-48d9-ae1f-62acfcd17e2b
BadgeOS <= 3.7.1.6 – Missing Authorization in delete_badgeos_log_entries
CVE ID: CVE-2023-2174
CVSS Score: 4.3 (Medium)
Researcher/s: Alex Thomas
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/64e0adbc-c524-4f9d-9741-ce69edf888f7
Visibility Logic for Elementor <= 2.3.4 – Missing Authorization via admin_post ‘toggle_option’
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/72c04de6-78d2-4a45-834a-01ed879b528f
WP SMS <= 6.1.5 – Cross-Site Request Forgery
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/747afa58-182a-4fb3-bfe3-f15db0b1d85a
Baidu Tongji generator <= 1.0.2 – Cross-Site Request Forgery
CVE ID: CVE-2023-31230
CVSS Score: 4.3 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8438ea46-9ac1-4ef5-a436-e438c35a4321
WP RSS Images <= 1.1 – Cross-Site Request Forgery
CVE ID: CVE-2023-36693
CVSS Score: 4.3 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/adb70798-2ef9-4384-bcca-8862afa044ed
Visibility Logic for Elementor <= 2.3.4 – Cross-Site Request Forgery via toggle_option
CVE ID: CVE-2022-47169
CVSS Score: 4.3 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bb8aca3a-e4f7-41d6-9ea9-d189817c2c04
Media Library Helper by Codexin <= 1.2.0 – Cross-Site Request Forgery via rate_the_plugin_action
CVE ID: CVE-2023-37386
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/dc2356b2-e153-4e80-bfac-c25c15cdc259
As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.
This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
The post Wordfence Intelligence Weekly WordPress Vulnerability Report (July 3, 2023 to July 9, 2023) appeared first on Wordfence.