(647) 243-4688

Last week, there were 109 vulnerabilities disclosed in 95 WordPress Plugins and 1 WordPress theme that have been added to the Wordfence Intelligence Vulnerability Database, and there were 39 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API and webhook integration are completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Individuals and Enterprises can use the vulnerability Database API to receive a complete dump of our database of over 12,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status
Number of Vulnerabilities

Unpatched
68

Patched
41

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating
Number of Vulnerabilities

Low Severity
1

Medium Severity
91

High Severity
15

Critical Severity
2

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE
Number of Vulnerabilities

Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
47

Cross-Site Request Forgery (CSRF)
25

Missing Authorization
17

Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
4

Unrestricted Upload of File with Dangerous Type
3

Improper Authorization
3

Information Exposure
3

Deserialization of Untrusted Data
2

Authorization Bypass Through User-Controlled Key
1

Server-Side Request Forgery (SSRF)
1

Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
1

Improper Privilege Management
1

Authentication Bypass by Primary Weakness
1

Researchers That Contributed to WordPress Security Last Week

Researcher Name
Number of Vulnerabilities

LEE SE HYOUNG
14

Lana Codes
(Wordfence Vulnerability Researcher)
12

Rafie Muhammad
8

Abdi Pranata
7

Mika
5

Nguyen Xuan Chien
4

thiennv
4

Francesco Carlucci
4

Le Ngoc Anh
4

Rio Darmawan
3

Marco Wotschka
(Wordfence Vulnerability Researcher)
3

Revan Arifio
3

Jonas Höbenreich
2

Emili Castells
2

Skalucy
2

Shuning Xu
1

qilin_99
1

niclo
1

Ala Arfaoui
1

Taihei Shimamine
1

Milad Hacking
1

Alexander Concha
1

NGÔ THIÊN AN
1

Phd
1

Alex Thomas
(Wordfence Vulnerability Researcher)
1

minhtuanact
1

Nguyen Anh Tien
1

DoYeon Park
1

Dimas Maulana
1

emad
1

juweihuitao
1

Dmitrii Ignatyev
1

Krzysztof Zając
1

Elliot
1

Theodoros Malachias
1

trein
1

TP Cyber Security
1

Rafshanzani Suhada
1

Joshua Chan
1

 

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name
Software Slug

404 Solution
404-solution

Add Custom Body Class
add-custom-body-class

Add Shortcodes Actions And Filters
add-actions-and-filters

Advanced Local Pickup for WooCommerce
advanced-local-pickup-for-woocommerce

Ajax Archive Calendar
ajax-archive-calendar

ApplyOnline – Application Form Builder and Manager
apply-online

Appointment Calendar
appointment-calendar

Archivist – Custom Archive Templates
archivist-custom-archive-templates

Ashe Extra
ashe-extra

Auto Login New User After Registration
auto-login-new-user-after-registration

BetterLinks – Shorten, Track and Manage any URL
betterlinks

Booster for WooCommerce
woocommerce-jetpack

Broken Link Checker | Finder
broken-link-finder

CPO Shortcodes
cpo-shortcodes

Category SEO Meta Tags
category-seo-meta-tags

Comments – wpDiscuz
wpdiscuz

Contact Form Builder, Contact Widget
contact-forms-builder

Contact Form builder with drag & drop for WordPress – Kali Forms
kali-forms

Custom post types, Custom Fields & more
custom-post-types

DX Delete Attached Media
dx-delete-attached-media

Delete Usermetas
delete-usermetas

Duplicate Theme
duplicate-theme

E2Pdf – Export To Pdf Tool for WordPress
e2pdf

EG-Attachments
eg-attachments

Envo Extra
envo-extra

Eonet Manual User Approve
eonet-manual-user-approve

EventON
eventon-lite

Freesoul Deactivate Plugins – Plugin manager and cleanup
freesoul-deactivate-plugins

FreshMail For WordPress
freshmail-integration

GeoDirectory – WordPress Business Directory Plugin, or Classified Directory
geodirectory

Grid Plus – Unlimited grid layout
grid-plus

Headline Analyzer
headline-analyzer

Icons Font Loader
icons-font-loader

Internal Link Building
internal-link-building-plugin

Just Custom Fields
just-custom-fields

Lava Directory Manager
lava-directory-manager

MW WP Form
mw-wp-form

Maileon for WordPress
xqueue-maileon

Mediabay – Media Library Folders
mediabay-lite

Minimum Purchase for WooCommerce
minimum-purchase-for-woocommerce

Modern Footnotes
modern-footnotes

Motors – Car Dealer, Classifieds & Listing
motors-car-dealership-classified-listings

Novo-Map : your WP posts on custom google maps
novo-map

Open Graph Metabox
open-graph-metabox

Popup by Supsystic
popup-by-supsystic

Post Meta Data Manager
post-meta-data-manager

Product Category Tree
product-category-tree

Protección de Datos RGPD
click-datos-lopd

Recip.ly Plugin
reciply

Rocket Font
rocket-font

SALESmanago
salesmanago

Simple Calendar – Google Calendar Plugin
google-calendar-events

Simple Table Manager
simple-table-manager

Skype Legacy Buttons
skype-online-status

Smart App Banner
smart-app-banner

Smart Online Order for Clover
clover-online-orders

Smooth Scroll Links [SSL]
smooth-scrolling-links-ssl

Social Media Share Buttons & Social Sharing Icons
ultimate-social-media-icons

Social proof testimonials and reviews by Repuso
social-testimonials-and-reviews-widget

Soisy Pagamento Rateale
soisy-pagamento-rateale

Super Testimonials
super-testimonial

TCD Google Maps
tcd-google-maps

Tab Ultimate
tabs-pro

Taggbox – UGC Galleries, Social Media Widgets, User Reviews & Analytics
taggbox-widget

Team Showcase
team-showcase

Templately – Templates Cloud for Elementor & Gutenberg : 4000+ Free & Premium Designs!
templately

The Awesome Feed – Custom Feed
wp-facebook-feed

Theme Blvd Shortcodes
theme-blvd-shortcodes

Theme Switcha – Easily Switch Themes for Development and Testing
theme-switcha

Thumbnail Slider With Lightbox
wp-responsive-slider-with-lightbox

Track Google Analytics 4, Facebook Pixel & Conversions API via Google Tag Manager for WooCommerce
enhanced-e-commerce-for-woocommerce-store

Triberr
triberr-wordpress-plugin

Ultimate Addons for WPBakery
Ultimate_VC_Addons

User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds
userfeedback-lite

Userback
userback

WC Captcha
wc-captcha

WC Serial Numbers – Ultimate License Manager Plugin for Selling, Licensing & Securely Delivering Digital Products with WooCommerce
wc-serial-numbers

WDSocialWidgets
spider-facebook

WOLF – WordPress Posts Bulk Editor and Manager Professional
bulk-editor

WP EXtra
wp-extra

WP Full Stripe Free
wp-full-stripe-free

WP Hotel Booking
wp-hotel-booking

WP Post Columns
wp-post-columns

WP Radio – Worldwide Online Radio Stations Directory for WordPress
wp-radio

Web Push Notifications – Webpushr
webpushr-web-push-notifications

Webmaster Tools
webmaster-tools

WhatsApp Share Button
whatsapp

Who Hit The Page – Hit Counter
who-hit-the-page-hit-counter

Widgets for Google Reviews
wp-reviews-plugin-for-google

WooCommerce Ninja Forms Product Add-ons
woocommerce-ninjaforms-product-addons

WooCommerce PDF Invoice Builder, Create invoices, packing slips and more
woo-pdf-invoice-builder

WooCommerce Stripe Payment Gateway
woocommerce-gateway-stripe

Wp Ultimate Review
wp-ultimate-review

iPanorama 360 – WordPress Virtual Tour Builder
ipanorama-360-virtual-tour-builder-lite

mpOperationLogs
mpoperationlogs

WordPress Themes with Reported Vulnerabilities Last Week

Software Name
Software Slug

themify-ultra
themify-ultra

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

Recip.ly <= 1.1.7 – Unauthenticated Arbitrary File Upload in uploadImage.php

Affected Software: Recip.ly Plugin
CVE ID: CVE-2011-10004
CVSS Score: 9.8 (Critical)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/068da172-629d-422a-bcd5-1b73af2a5933

WooCommerce Ninja Forms Product Add-ons <= 1.7.0 – Unauthenticated Arbitrary File Upload

Affected Software: WooCommerce Ninja Forms Product Add-ons
CVE ID: CVE-2023-5601
CVSS Score: 9.8 (Critical)
Researcher/s: Alexander Concha
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/601d70ff-2e0e-403b-9c58-130d378a8240

Themify Ultra <= 7.3.3 – Authenticated (Subscriber+) PHP Object Injection

Affected Software: themify-ultra
CVE ID: CVE-2023-46147
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/17c6a91c-e2a6-4f17-b145-145e9e7a0079

iPanorama 360 – WordPress Virtual Tour Builder <= 1.8.0 – Authenticated (Contributor+) SQL Injection via Shortcode

Affected Software: iPanorama 360 – WordPress Virtual Tour Builder
CVE ID: CVE-2023-5336
CVSS Score: 8.8 (High)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3566b602-c991-488f-9de2-57236c4735b5

Icons Font Loader <= 1.1.2 – Authenticated (Subscriber+) SQL Injection

Affected Software: Icons Font Loader
CVE ID: CVE-2023-46084
CVSS Score: 8.8 (High)
Researcher/s: minhtuanact
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8564fc82-ff23-44b6-91b0-d63e6afb1a73

Themify Ultra <= 7.3.3 – Privilege Escalation

Affected Software: themify-ultra
CVE ID: CVE-2023-46145
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cc994b2a-b3da-4edc-ada3-1150065efd30

Webpushr <= 4.34.0 – Cross-Site Request Forgery to Local File Inclusion via menu

Affected Software: Web Push Notifications – Webpushr
CVE ID: CVE-2023-35041
CVSS Score: 8.8 (High)
Researcher/s: Theodoros Malachias
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e140973b-d37c-45bf-aed2-9223bd812957

Themify Ultra <= 7.3.3 – Authenticated (Subscriber+) Arbitrary File Upload

Affected Software: themify-ultra
CVE ID: CVE-2023-46149
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ed5251e7-64d2-4210-9864-144952a49327

Soisy Pagamento Rateale <= 6.0.1 – Missing Authorization to Sensitive Information Exposure

Affected Software: Soisy Pagamento Rateale
CVE ID: CVE-2023-5132
CVSS Score: 7.5 (High)
Researcher/s: Francesco Carlucci
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d3c997cd-37b4-4b9c-b99e-397be484aa36

Advanced Local Pickup for WooCommerce <= 1.5.5 – Authenticated (Administrator+) SQL Injection

Affected Software: Advanced Local Pickup for WooCommerce
CVE ID: CVE-2023-2841
CVSS Score: 7.2 (High)
Researcher/s: Marco Wotschka
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/125e7ea3-574a-4760-b10b-7a98d94c87a5

GeoDirectory <= 2.3.28 – Authenticated (Administrator+) SQL Injection via orderby

Affected Software: GeoDirectory – WordPress Business Directory Plugin, or Classified Directory
CVE ID: CVE Unknown
CVSS Score: 7.2 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3bcd61d4-4775-4297-b7f5-664991fcd6d2

Lava Directory Manager <= 1.1.34 – Unauthenticated Stored Cross-Site Scripting via New Listing

Affected Software: Lava Directory Manager
CVE ID: CVE-2023-46081
CVSS Score: 7.2 (High)
Researcher/s: Emili Castells
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3bf669ed-ea31-4144-96b3-b1f29057b86d

Motors – Car Dealer & Classified Ads <= 1.4.6 – Server Side Request Forgery

Affected Software: Motors – Car Dealer, Classifieds & Listing
CVE ID: CVE-2023-46207
CVSS Score: 7.2 (High)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/437423f0-978f-4c7c-9ec3-40668c630c93

User Feedback <= 1.0.9 – Unauthenticated Cross-Site Scripting

Affected Software: User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds
CVE ID: CVE-2023-46153
CVSS Score: 7.2 (High)
Researcher/s: Dimas Maulana
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/abc056b0-55a2-439c-b7f6-4a2fc48c9823

MpOperationLogs <= 1.0.1 – Unauthenticated Stored Cross-Site Scripting

Affected Software: mpOperationLogs
CVE ID: CVE-2023-5538
CVSS Score: 7.2 (High)
Researcher/s: juweihuitao
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bc5f1b00-acee-4dc8-acd7-2d3f3493f253

E2Pdf <= 1.20.18 – Authenticated (Administrator+) PHP Object Injection

Affected Software: E2Pdf – Export To Pdf Tool for WordPress
CVE ID: CVE-2023-46154
CVSS Score: 7.2 (High)
Researcher/s: trein
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ea7f654b-88d1-4ed8-bab0-701e2e66e060

Ultimate Addons for WPBakery Page Builder <= 3.19.14 – Authenticated(Contributor+) Local File Inclusion

Affected Software: Ultimate Addons for WPBakery
CVE ID: CVE-2023-46205
CVSS Score: 7.1 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5222ce69-ac9f-4bb0-9832-8cdff1f8b078

BetterLinks <= 1.6.0 – Improper Authorization to Data Import and Export

Affected Software: BetterLinks – Shorten, Track and Manage any URL
CVE ID: CVE-2023-45104
CVSS Score: 6.5 (Medium)
Researcher/s: Nguyen Anh Tien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/92b8829e-a8eb-4fdb-a772-9efbb5aaeb6c

Headline Analyzer <= 1.3.1 – Missing Authorization via REST APIs

Affected Software: Headline Analyzer
CVE ID: CVE-2023-46195
CVSS Score: 6.5 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a057ad05-0ed7-48c4-9dc1-0e7b1d3cb270

Templately <= 2.2.5 – Improper Authorization to Arbitrary Post Deletion

Social Media Share Buttons & Social Sharing Icons <= 2.8.5 – Information Exposure

Affected Software: Social Media Share Buttons & Social Sharing Icons
CVE ID: CVE-2023-5070
CVSS Score: 6.5 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e9e43c5b-a094-44ab-a8a3-52d437f0e00d

Tab Ultimate <= 1.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Tab Ultimate
CVE ID: CVE-2023-5667
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/08220b23-d6fa-4005-bbbb-019412d328a5

Theme Switcha <= 3.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Theme Switcha – Easily Switch Themes for Development and Testing
CVE ID: CVE-2023-5614
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2b0937fe-3ea6-427a-aef7-539c08687abb

Minimum Purchase for WooCommerce <= 2.0.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Minimum Purchase for WooCommerce
CVE ID: CVE-2023-30492
CVSS Score: 6.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4633c5b1-a6e3-4ee8-94ca-8afa8ff16a35

TCD Google Maps <= 1.8 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: TCD Google Maps
CVE ID: CVE-2023-5128
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/50f6d0aa-059d-48d9-873b-6404f288f002

Super Testimonials <= 2.9 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Super Testimonials
CVE ID: CVE-2023-5613
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/52659f1c-642e-4c88-b3d0-d5c5a206b11c

Ajax Archive Calendar <= 2.6.7 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Ajax Archive Calendar
CVE ID: CVE-2023-46069
CVSS Score: 6.4 (Medium)
Researcher/s: NGÔ THIÊN AN
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/664d22f2-b7a3-42df-9530-4040160ead2c

WhatsApp Share Button <= 1.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: WhatsApp Share Button
CVE ID: CVE-2023-5668
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/77911b0f-c028-49ae-b85e-15909d806e30

Theme Blvd Shortcodes <= 1.6.8 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Theme Blvd Shortcodes
CVE ID: CVE-2023-5338
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/88809668-ea6b-41df-b2a7-ffe03a931c86

Ultimate Addons for WPBakery Page Builder <= 3.19.14 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Ultimate Addons for WPBakery
CVE ID: CVE-2023-46211
CVSS Score: 6.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/90a8230f-7008-48af-a1a9-fbaf38dcb21c

Skype Legacy Buttons <= 3.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Skype Legacy Buttons
CVE ID: CVE-2023-5615
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/914bcc8f-fecd-450e-b2a7-0989b7a0dd4c

Add Custom Body Class <= 1.4.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Add Custom Body Class
CVE ID: CVE-2023-5205
CVSS Score: 6.4 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9841b57b-b869-4282-8781-60538f6f269f

Mediabay <= 1.6 – Authenticated (Editor+) Stored Cross-Site Scripting Vulnerability

Affected Software: Mediabay – Media Library Folders
CVE ID: CVE-2023-46066
CVSS Score: 6.4 (Medium)
Researcher/s: emad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b1954340-397c-4cc0-ba9d-d698d94ea608

Modern Footnotes <= 1.4.16 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Modern Footnotes
CVE ID: CVE-2023-5618
CVSS Score: 6.4 (Medium)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c20c674f-54b5-470f-b470-07a63501eb4d

Team Showcase <= 2.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Team Showcase
CVE ID: CVE-2023-5639
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d3b26060-294e-4d4c-9295-0b08f533d5c4

WP Post Columns <= 2.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: WP Post Columns
CVE ID: CVE-2023-5708
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d96e5986-8c89-4e7e-aa63-f41aa13eeff4

Booster for WooCommerce <= 7.1.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Booster for WooCommerce
CVE ID: CVE-2023-5638
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f0257620-3a0e-4011-9378-7aa423e7c0b2

CPO Shortcodes <= 1.5.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: CPO Shortcodes
CVE ID: CVE-2023-5704
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f8ba38c3-51d2-43a7-89ff-c72a8edc946b

The Awesome Feed – Custom Feed <= 2.2.5 – Reflected Cross-Site Scripting

Affected Software: The Awesome Feed – Custom Feed
CVE ID: CVE-2023-46077
CVSS Score: 6.1 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/01878991-37c7-4c7b-b68c-d59ca66521e7

EventON <= 2.2.2 – Reflected Cross-Site Scripting

Affected Software: EventON
CVE ID: CVE-2023-4635
CVSS Score: 6.1 (Medium)
Researcher/s: Shuning Xu
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/115ad0b2-febe-485a-8fb5-9bd6edc37ef7

Motors – Car Dealer & Classified Ads <= 1.4.6 – Reflected Cross-Site Scripting

Affected Software: Motors – Car Dealer, Classifieds & Listing
CVE ID: CVE-2023-46208
CVSS Score: 6.1 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1f06b855-c1e1-4378-a340-9dda2919fb83

Contact Form Builder, Contact Widget <= 2.1.6 – Reflected Cross-Site Scripting

Affected Software: Contact Form Builder, Contact Widget
CVE ID: CVE-2023-46075
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/43ea0665-2c6e-4c78-8bc5-056f47f190ab

Add Shortcodes Actions And Filters <= 2.0.9 – Reflected Cross-Site Scripting

Affected Software: Add Shortcodes Actions And Filters
CVE ID: CVE-2023-46072
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/44cb21f9-467a-4119-99fb-5cd21166a334

Smart Online Order for Clover <= 1.5.4 – Reflected Cross-Site Scripting

Affected Software: Smart Online Order for Clover
CVE ID: CVE-2023-46312
CVSS Score: 6.1 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5f1e0dfa-f99a-43d1-bdc9-6fc7a4ea381d

Conversios.io <= 6.5.3 – Reflected Cross-Site Scripting

Affected Software: Track Google Analytics 4, Facebook Pixel & Conversions API via Google Tag Manager for WooCommerce
CVE ID: CVE-2023-46094
CVSS Score: 6.1 (Medium)
Researcher/s: Phd
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6ad84e6e-5498-4bf1-b662-15b7628ceba2

Grid Plus <= 1.3.2 – Reflected Cross-Site Scripting via grid_id

Affected Software: Grid Plus – Unlimited grid layout
CVE ID: CVE-2023-46209
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6b213baa-8508-4eb2-ac09-d320e2b4276c

Spider Facebook <= 1.0.15 – Reflected Cross-Site Scripting

Affected Software: WDSocialWidgets
CVE ID: CVE-2023-46090
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a74d6b36-e0f1-4cfb-b1e9-0573081ed975

EG-Attachments <= 2.1.3 – Reflected Cross-Site Scripting via ‘paged’

Affected Software: EG-Attachments
CVE ID: CVE-2023-46070
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b63ccc9a-222d-4119-909b-d04bab78d663

Archivist – Custom Archive Templates <= 1.7.5 – Reflected Cross-Site Scripting

Affected Software: Archivist – Custom Archive Templates
CVE ID: CVE-2023-46194
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e3f59671-0db2-4acf-8e97-a0ead518bebd

FreshMail For WordPress <= 2.3.2 – Reflected Cross-Site Scripting

Affected Software: FreshMail For WordPress
CVE ID: CVE-2023-46074
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e87fe70d-5ac3-40ee-a8d0-601d7b417562

Protección de Datos RGPD <= 3.1.0 – Reflected Cross-Site Scripting

Affected Software: Protección de Datos RGPD
CVE ID: CVE-2023-46071
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/eaebcae4-cdf5-4eb7-9246-07185fe62d07

WooCommerce PDF Invoice Builder <= 1.2.101 – Reflected Cross-Site Scripting

Affected Software: WooCommerce PDF Invoice Builder, Create invoices, packing slips and more
CVE ID: CVE-2023-46076
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fb0d093b-c339-4b19-a6cd-d2589b8e57ff

Appointment Calendar <= 2.9.6 – Cross-Site Request Forgery

Affected Software: Appointment Calendar
CVE ID: CVE-2023-46198
CVSS Score: 5.4 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/06a92619-5281-414e-8846-be0db38df89d

Themify Ultra <= 7.3.3 – Missing Authorization

Affected Software: themify-ultra
CVE ID: CVE-2023-46148
CVSS Score: 5.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5cf17465-59a9-475d-bd1a-9e3623190926

Stripe Gateway <= 7.6.0 – Cross-Site Request Forgery

Affected Software: WooCommerce Stripe Payment Gateway
CVE ID: CVE-2023-44999
CVSS Score: 5.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8e4ad8fa-b04c-4821-aadb-3120f824557f

Themify Ultra <= 7.3.3 – Missing Authorization

Affected Software: themify-ultra
CVE ID: CVE-2023-46146
CVSS Score: 5.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a32f50f7-d271-45f6-9a73-838a8dcb901f

Taggbox <= 2.9 – Missing Authorization

Affected Software: Taggbox – UGC Galleries, Social Media Widgets, User Reviews & Analytics
CVE ID: CVE-2023-33215
CVSS Score: 5.4 (Medium)
Researcher/s: Jonas Höbenreich
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d970a9f6-69f6-42d2-b863-82b8110e52c3

WP Hotel Booking <= 2.0.7 – Missing Authorization to (Subscriber+) Arbitrary Post Deletion

Affected Software: WP Hotel Booking
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0439d2ee-7742-4aa7-ba4e-db55c6b2718e

Post Meta Data Manager <= 1.2.0 – Missing Authorization to Post, Term, and User Meta Deletion

Affected Software: Post Meta Data Manager
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1958c166-282d-4469-b79d-4e959e0492c1

wpDiscuz <= 7.6.11 – Insufficient Authorization to Comment Submission on Deleted Posts

Affected Software: Comments – wpDiscuz
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4a1fe36b-75d2-48c3-bfac-af965eb9363f

MW WP Form <= 4.4.5 – Missing Authorization

Affected Software: MW WP Form
CVE ID: CVE-2023-46206
CVSS Score: 5.3 (Medium)
Researcher/s: Revan Arifio
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/616de170-6645-4a06-a393-51bec1d8bd8c

Contact Form builder with drag & drop – Kali Forms <= 2.3.27 – Missing Authorization via Contact Form

Affected Software: Contact Form builder with drag & drop for WordPress – Kali Forms
CVE ID: CVE-2023-46083
CVSS Score: 5.3 (Medium)
Researcher/s: Revan Arifio
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bfb473a6-08ba-4b23-877d-4aa661c0053f

SALESmanago <= 3.2.4 – Log Injection via Weak Authentication Token

Affected Software: SALESmanago
CVE ID: CVE-2023-4939
CVSS Score: 5.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/de7db1d6-b352-44c7-a6cc-b21cb65a0482

Broken Link Checker | Finder <= 2.4.2 – Missing Authorization via moblc_auth_save_settings

Affected Software: Broken Link Checker | Finder
CVE ID: CVE-2023-46082
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e4383f41-bd08-4fab-9491-4cf9f7326300

Draft Vulnerability for 404 Solution 2.33.0 – Sensitive Information Exposure

Affected Software: 404 Solution
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Joshua Chan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fadc1374-fe4d-414a-af84-1a4de5b89807

Smart App Banner <= 1.1.3 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Smart App Banner
CVE ID: CVE-2023-46200
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0c7497fc-e42c-49a6-99ee-6ec774cc4617

Auto Login New User After Registration <= 1.9.6 – Authenticated (Administrator+) Stored Cross-Site Scripting via alnuar_auto_login_new_user_after_registration_redirect

Affected Software: Auto Login New User After Registration
CVE ID: CVE-2023-46201
CVSS Score: 4.4 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0fb82b48-3cf8-47a5-b68d-e37a1823a125

Eonet Manual User Approve <= 2.1.3 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Eonet Manual User Approve
CVE ID: CVE-2023-32738
CVSS Score: 4.4 (Medium)
Researcher/s: Emili Castells
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2b696e0b-d4e1-4a81-9204-929100ade073

WC Captcha <= 1.4 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: WC Captcha
CVE ID: CVE-2023-46210
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/400dde23-eafb-4ace-8b4a-ac88d0b200ac

Simple Table Manager <= 1.5.6 – Authenticated(Administrator+) Stored Cross-Site Scripting

Affected Software: Simple Table Manager
CVE ID: CVE-2023-4858
CVSS Score: 4.4 (Medium)
Researcher/s: niclo
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/53760acf-e8b2-4e35-8c01-768472fc0996

Thumbnail Slider With Lightbox <= 1.0 – Authenticated (Administrator+) Stored Cross-Site Scripting via Image Title

Affected Software: Thumbnail Slider With Lightbox
CVE ID: CVE-2023-5621
CVSS Score: 4.4 (Medium)
Researcher/s: Ala Arfaoui
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/547c425d-8b0f-4e65-8b8a-c3a3059301fe

Custom post types <= 4.0.12 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Custom post types, Custom Fields & more
CVE ID: CVE-2023-32116
CVSS Score: 4.4 (Medium)
Researcher/s: Taihei Shimamine
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/58ee5f31-7d10-4772-929c-98249a351342

Triberr <= 4.1.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Triberr
CVE ID: CVE-2023-46199
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5e8a8e0e-6dc0-4d9f-aee3-1fd940c49d3d

Category SEO Meta Tags <= 2.5 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Category SEO Meta Tags
CVE ID: CVE-2023-46091
CVSS Score: 4.4 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6985a8bb-0ad5-4b02-9a95-9dbc6018dec0

Maileon <= 2.16.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Maileon for WordPress
CVE ID: CVE-2023-46068
CVSS Score: 4.4 (Medium)
Researcher/s: DoYeon Park
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a67972d7-abfd-4ce3-9e47-30736ab32af5

WP Full Stripe Free <= 1.6.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: WP Full Stripe Free
CVE ID: CVE-2023-46088
CVSS Score: 4.4 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b7c630c0-b37f-48d5-a87c-8e7c60103a30

Internal Link Building <= 1.2.3 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Internal Link Building
CVE ID: CVE-2023-46192
CVSS Score: 4.4 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/dd300737-dda4-4ed3-b21f-0407a5e32a05

Webmaster Tools <= 2.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Webmaster Tools
CVE ID: CVE-2023-46093
CVSS Score: 4.4 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e80bb7de-ce18-40d5-bf4c-9616739b2f9d

Who Hit The Page – Hit Counter <= 1.4.14.3 – Cross-Site Request Forgery

Affected Software: Who Hit The Page – Hit Counter
CVE ID: CVE-2023-46087
CVSS Score: 4.3 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/07663fae-53e9-45d2-834c-6e1392484e0a

Ashe Extra <= 1.2.6 – Missing Authorization via multiple AJAX actions

Affected Software: Ashe Extra
CVE ID: CVE-2023-46079
CVSS Score: 4.3 (Medium)
Researcher/s: Jonas Höbenreich
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/09551d22-c8c2-435c-9d00-bb4833497c16

Google Calendar Events <= 3.2.5 – Cross-Site Request Forgery via bulk_actions

Affected Software: Simple Calendar – Google Calendar Plugin
CVE ID: CVE-2023-46189
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1218ed3b-badc-464e-adbc-76fb4f6af008

Product Category Tree <= 2.5 – Cross-Site Request Forgery

Affected Software: Product Category Tree
CVE ID: CVE-2023-46151
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/147e47f8-c40b-4ae7-8627-b32b36e4d14f

Wp Ultimate Review <= 2.2.4 – Cross-Site Request Forgery via wur_settings_view

Affected Software: Wp Ultimate Review
CVE ID: CVE-2023-46085
CVSS Score: 4.3 (Medium)
Researcher/s: qilin_99
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1559fb43-cc5e-4dd2-80d8-06a137c7276d

Userback <= 1.0.13 – Cross-Site Request Forgery

Affected Software: Userback
CVE ID: CVE-2023-46089
CVSS Score: 4.3 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2178b39c-5341-4f53-82be-668b400d7f25

Delete Usermetas <= 1.1.2 – Cross-Site Request Forgery

Affected Software: Delete Usermetas
CVE ID: CVE-2023-5537
CVSS Score: 4.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/23b46e5b-ce1e-4215-921c-edea7fd6c56a

Simple Calendar <= 3.2.4 – Cross-Site Request Forgery via duplicate_feed

Affected Software: Simple Calendar – Google Calendar Plugin
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/38adede2-73ca-470c-8ace-4f5bbec51d28

Webmaster Tools <= 2.0 – Cross-Site Request Forgery vin lionscripts_plg_f

Affected Software: Webmaster Tools
CVE ID: CVE-2023-46092
CVSS Score: 4.3 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4112ca9a-39fa-4fe8-a060-9f8f492eb846

Smooth Scroll Links <= 1.1.0 – Cross-Site Request Forgery

Affected Software: Smooth Scroll Links [SSL]
CVE ID: CVE-2023-46095
CVSS Score: 4.3 (Medium)
Researcher/s: Skalucy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/49018b4b-2833-4ced-b36a-ebe69c5cb096

Open Graph Metabox <= 1.4.4 – Cross-Site Request Forgery

Affected Software: Open Graph Metabox
CVE ID: CVE-2023-46191
CVSS Score: 4.3 (Medium)
Researcher/s: Milad Hacking
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5a2b7aac-b11d-4c52-b3d8-7b3f4b3eecd5

Rocket Font <= 1.2.3 – Cross-Site Request Forgery via update_option_check_match_default

Affected Software: Rocket Font
CVE ID: CVE-2023-46067
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/635f448b-5c51-4152-b6f5-076a686709bf

Widgets for Google Reviews <= 10.9 – Cross-Site Request Forgery to Plugin Settings Reset

Affected Software: Widgets for Google Reviews
CVE ID: CVE-2023-3254
CVSS Score: 4.3 (Medium)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/70968476-b064-477f-999f-4aa2c51d89cc

Internal Link Building <= 1.2.3 – Cross-Site Request Forgery

Affected Software: Internal Link Building
CVE ID: CVE-2023-46193
CVSS Score: 4.3 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/78ce6a2a-aa28-4ae9-a2e7-ca3861a9677f

Just Custom Fields <= 3.3.2 – Cross-Site Request Forgery on AJAX Actions

Affected Software: Just Custom Fields
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/79899dc1-4953-4f95-95f5-853d24e7b9ab

Serial Numbers for WooCommerce – License Manager <= 1.6.3 – Cross-Site Request Forgery

WP Radio – Worldwide Online Radio Stations Directory for WordPress <= 3.1.9 – Cross-Site Request Forgery

Affected Software: WP Radio – Worldwide Online Radio Stations Directory for WordPress
CVE ID: CVE-2023-46150
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/874e9e14-1330-40f0-8199-8abcaae58e98

WOLF <= 1.0.7.1 – Cross-Site Request Forgery

Affected Software: WOLF – WordPress Posts Bulk Editor and Manager Professional
CVE ID: CVE-2023-46152
CVSS Score: 4.3 (Medium)
Researcher/s: thiennv
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8b771d76-b79a-4ff2-9433-8d35734a4396

Auto Login New User After Registration <= 1.9.6 – Cross-Site Request Forgery to Settings Modification

Affected Software: Auto Login New User After Registration
CVE ID: CVE-2023-46202
CVSS Score: 4.3 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9311c7b6-2c32-4f30-8286-6d59c267c09d

DX Delete Attached Media <= 2.0.5.1 – Cross-Site Request Forgery via add_to_base

Affected Software: DX Delete Attached Media
CVE ID: CVE-2023-46073
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/961d6d1d-46e8-489f-ac5f-51b55c5a0460

ApplyOnline – Application Form Builder and Manager <= 2.5.2 – Missing Authorization

Affected Software: ApplyOnline – Application Form Builder and Manager
CVE ID: CVE-2023-46080
CVSS Score: 4.3 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a3473b5e-2f50-4845-9cfa-d19129f2a430

Social Media Share Buttons & Social Sharing Icons <= 2.8.5 – Cross-Site Request Forgery

Affected Software: Social Media Share Buttons & Social Sharing Icons
CVE ID: CVE-2023-5602
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d44a45fb-3bff-4a1f-8319-a58a47a9d76b

Duplicate Theme <= 0.1.6 – Cross-Site Request Forgery via themeDuplicationAction

Affected Software: Duplicate Theme
CVE ID: CVE-2023-46204
CVSS Score: 4.3 (Medium)
Researcher/s: Elliot
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d93e0175-db55-42ab-8475-cd0f47e5dcbb

Social proof testimonials and reviews by Repuso <= 4.97 – Missing Authorization

Affected Software: Social proof testimonials and reviews by Repuso
CVE ID: CVE-2023-46196
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ec311df2-33af-4b91-80a1-252d934c7f61

WP EXtra <= 6.2 – Missing Authorization to Export Settings

Affected Software: WP EXtra
CVE ID: CVE-2023-46212
CVSS Score: 4.3 (Medium)
Researcher/s: TP Cyber Security
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ed5c433b-eaab-4716-8749-2a5598a1dbb9

Freesoul Deactivate Plugins <= 2.1.3 – Cross-Site Request Forgery via eos_dp_pro_delete_transient

Affected Software: Freesoul Deactivate Plugins – Plugin manager and cleanup
CVE ID: CVE-2023-46188
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f2949ff1-5c69-4189-99a9-e50c65c78461

Popup by Supsystic <= 1.10.19 – Missing Authorization to Sensitive Information Exposure

Affected Software: Popup by Supsystic
CVE ID: CVE-2023-46197
CVSS Score: 4.3 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f458663f-6b1a-4acd-b2db-c66d7a915ab7

Just Custom Fields <= 3.3.2 – Missing Authorization on AJAX Actions

Affected Software: Just Custom Fields
CVE ID: CVE-2023-46203
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f6d44749-8b1a-4d22-9917-fee134737063

Novo-Map : your WP posts on custom google maps <= 1.1.2 – Cross-Site Request Forgery

Affected Software: Novo-Map : your WP posts on custom google maps
CVE ID: CVE-2023-46190
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f6f91816-a263-4938-bac1-eeb3bb2fc120

Envo Extra <= 1.8.3 – Cross-Site Request Forgery

Affected Software: Envo Extra
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f709fca2-b7b6-4567-8055-1156f510d1ca

wpDiscuz <= 7.6.3 – Authenticated(Author+) Insecure Direct Object Reference

Affected Software: Comments – wpDiscuz
CVE ID: CVE-2023-46311
CVSS Score: 2.7 (Low)
Researcher/s: Revan Arifio
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/359c573f-7031-4f56-b66f-c37339667aca

As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (October 16, 2023 to October 22, 2023) appeared first on Wordfence.