(647) 243-4688

Last week, there were 109 vulnerabilities disclosed in 102 WordPress Plugins and no WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 37 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 12,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

WP EXtra <= 6.2 – Missing Authorization to .htaccess File Modification

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status
Number of Vulnerabilities

Unpatched
59

Patched
50

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating
Number of Vulnerabilities

Low Severity
0

Medium Severity
92

High Severity
14

Critical Severity
3

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE
Number of Vulnerabilities

Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
42

Missing Authorization
24

Cross-Site Request Forgery (CSRF)
22

Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
7

Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’)
3

URL Redirection to Untrusted Site (‘Open Redirect’)
3

Deserialization of Untrusted Data
2

Improper Authentication
1

Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
1

Guessable CAPTCHA
1

Improper Access Control
1

Protection Mechanism Failure
1

Authorization Bypass Through User-Controlled Key
1

Researchers That Contributed to WordPress Security Last Week

Researcher Name
Number of Vulnerabilities

Lana Codes
(Wordfence Vulnerability Researcher)
25

Nguyen Xuan Chien
10

Mika
8

Abdi Pranata
7

Skalucy
3

Dmitrii Ignatyev
3

qilin_99
3

Abu Hurayra
2

Muhammad Daffa
2

thiennv
2

Jonas Höbenreich
2

LEE SE HYOUNG
2

Ala Arfaoui
2

Francesco Carlucci
2

Revan Arifio
1

Le Ngoc Anh
1

Rio Darmawan
1

Enrico Marcolini
1

Claudio Marchesini
1

Florian Hauser
1

emad
1

Vaishnav Rajeevan
1

Tien from VNPT-VCI
1

Nithissh S
1

Abhijith A
1

Nicolas Surribas
1

konagash
1

Elliot
1

GiongfNef
1

TP Cyber Security
1

Erwan LR
1

Krzysztof Zając
1

Emili Castells
1

SeungYongLee
1

NGÔ THIÊN AN
1

Hamoud Al Helmani
1

Jerome Bruandet
1

 

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name
Software Slug

10Web Booster – Website speed optimization, Cache & Page Speed optimizer
tenweb-speed-optimizer

404 Solution
404-solution

Accordion
accordions-wp

Admin and Site Enhancements (ASE)
admin-site-enhancements

Advanced Menu Widget
advanced-menu-widget

All-In-One Security (AIOS) – Security and Firewall
all-in-one-wp-security-and-firewall

Alter
alter

Animated Counters
animated-counters

Article analytics
article-analytics

Auto Excerpt everywhere
auto-excerpt-everywhere

Auto Limit Posts Reloaded
auto-limit-posts-reloaded

Autolinks Manager
daext-autolinks-manager

BSK PDF Manager
bsk-pdf-manager

Bellows Accordion Menu
bellows-accordion-menu

Bonus for Woo
bonus-for-woo

Booking calendar, Appointment Booking System
booking-calendar

Buzzsprout Podcasting
buzzsprout-podcasting

CallRail Phone Call Tracking
callrail-phone-call-tracking

Category SEO Meta Tags
category-seo-meta-tags

CloudNet360
cloudnet-sync

Convertful – Your Ultimate On-Site Conversion Tool
convertful

Cookie Bar
cookie-bar

Current Menu Item for Custom Post Types
current-menu-item-for-custom-post-types

Custom Header Images
custom-header-images

Custom Login Page | Temporary Users | Rebrand Login | Login Captcha
feather-login-page

Custom My Account for Woocommerce
custom-my-account-for-woocommerce

DeepL API translation plugin
wpdeepl

Deeper Comments
deeper-comments

Delete Me
delete-me

DoLogin Security
dologin

EasyRecipe
easyrecipe

Export WP Page to Static HTML/CSS
export-wp-page-to-static-html

FLOWFACT WP Connector
flowfact-wp-connector

FareHarbor for WordPress
fareharbor

Fathom Analytics for WP
fathom-analytics

FeedFocal
feedfocal

GD Security Headers
gd-security-headers

Generate Dummy Posts
generate-dummy-posts

Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers
rafflepress

Google Maps made Simple
wp-gmappity-easy-google-maps

Grid Plus – Unlimited grid layout
grid-plus

Group Chat & Video Chat by AtomChat
atomchat

ICS Calendar
ics-calendar

ImageLinks Interactive Image Builder for WordPress
imagelinks-interactive-image-builder-lite

Interactive Image Map Plugin – Draw Attention
draw-attention

KD Coming Soon
kd-coming-soon

LiteSpeed Cache
litespeed-cache

Live Chat with Facebook Messenger
wp-facebook-messenger

Magic Embeds
wp-embed-facebook

Mail logging – WP Mail Catcher
wp-mail-catcher

Mediabay – Media Library Folders
mediabay-lite

Medialist
media-list

MomentoPress for Momento360
cmyee-momentopress

My Shortcodes
my-shortcodes

Neon text
neon-text

News & Blog Designer Pack – WordPress Blog Plugin — (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post Ticker, Blog Post Masonry)
blog-designer-pack

Ni WooCommerce Sales Report
ni-woocommerce-sales-report

Original texts Yandex WebMaster
original-texts-yandex-webmaster

PHP to Page
php-to-page

Parcel Pro
woo-parcel-pro

Post Meta Data Manager
post-meta-data-manager

Pre-Orders for WooCommerce
pre-orders-for-woocommerce

Product Recommendation Quiz for eCommerce
product-recommendation-quiz-for-ecommerce

PubyDoc – Data Tables and Charts
pubydoc-data-tables-and-charts

Quill Forms | The Best Typeform Alternative | Create Conversational Multi Step Form, Survey, Quiz, Cost Estimation or Donation Form on WordPress
quillforms

Related Products for WooCommerce
woo-related-products-refresh-on-reload

Remove Add to Cart WooCommerce
remove-add-to-cart-woocommerce

Reusable Text Blocks
reusable-text-blocks

SAHU TikTok Pixel for E-Commerce
sahu-tiktok-pixel

Seraphinite Accelerator
seraphinite-accelerator

Shortcode Menu
shortcode-menu

Simple Shortcodes
smpl-shortcodes

Simple User Listing
simple-user-listing

Slick Popup: Contact Form 7 Popup Plugin
slick-popup

Store Exporter for WooCommerce – Export Products, Export Orders, Export Subscriptions, and More
woocommerce-exporter

TK Google Fonts GDPR Compliant
tk-google-fonts

Thumbnail Slider With Lightbox
wp-responsive-slider-with-lightbox

Thumbnail carousel slider
wp-responsive-thumbnail-slider

User Avatar
user-avatar

VK Blocks
vk-blocks

VK Filter Search
vk-filter-search

Very Simple Google Maps
very-simple-google-maps

WCP OpenWeather
wcp-openweather

WDContactFormBuilder
contact-form-builder

WDSocialWidgets
spider-facebook

WP EXtra
wp-extra

WP Font Awesome
wp-font-awesome

WP Glossary
wp-glossary

WP Helper Premium
wp-helper-lite

WP Post Popup
wp-post-modal

WP Simple Galleries
wp-simple-galleries

WP Word Count
wp-word-count

WP iCal Availability
wp-ical-availability

WPPizza – A Restaurant Plugin
wppizza

Weather Atlas Widget
weather-atlas

WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg
groundhogg

WordPress CTA – WordPress Call To Action, Sticky CTA, Floating Buttons, Floating Tab Plugin
easy-sticky-sidebar

WordPress Knowledge base & Documentation Plugin – WP Knowledgebase
wp-knowledgebase

WordPress Simple HTML Sitemap
wp-simple-html-sitemap

YITH WooCommerce Product Add-Ons
yith-woocommerce-product-add-ons

YOP Poll
yop-poll

kk Star Ratings
kk-star-ratings

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

PHP to Page <= 0.3 – Authenticated (Subscriber+) Local File Inclusion to Remote Code Execution via Shortcode

Affected Software: PHP to Page
CVE ID: CVE-2023-5199
CVSS Score: 9.9 (Critical)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/83e5a0dc-fc51-4565-945f-190cf9175874

Article Analytics <= 1.0 – Unauthenticated SQL Injection

Affected Software: Article analytics
CVE ID: CVE-2023-5640
CVSS Score: 9.8 (Critical)
Researcher/s: Nicolas Surribas
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6abbdecd-782a-44a2-981a-ae6caa50dd6a

Thumbnail Slider With Lightbox <= 1.0 – Cross-Site Request Forgery to Arbitrary File Upload

Affected Software: Thumbnail Slider With Lightbox
CVE ID: CVE-2023-5820
CVSS Score: 9.6 (Critical)
Researcher/s: Ala Arfaoui
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e51e1cd2-6de9-4820-8bba-1c6b5053e2c1

WP Simple Galleries <= 1.34 – Authenticated (Contributor+) PHP Object Injection

Affected Software: WP Simple Galleries
CVE ID: CVE-2023-5583
CVSS Score: 8.8 (High)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0dc8f7cf-d8be-4229-b823-3bd9bc9f6eda

Google Maps made Simple <= 0.6 – Authenticated (Subscriber+) SQL Injection via Shortcode

Affected Software: Google Maps made Simple
CVE ID: CVE-2023-5315
CVSS Score: 8.8 (High)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/262db9aa-0db5-48cd-a85b-3e6302e88a42

WP EXtra <= 6.2 – Missing Authorization to .htaccess File Modification

Affected Software: WP EXtra
CVE ID: CVE-2023-5311
CVSS Score: 8.8 (High)
Researcher/s: GiongfNef
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/87e3dd5e-0d77-4d78-8171-0beaf9482699

Post Meta Data Manager <=1.2.0 – Missing Authorization to Authenticated (Subscriber+) Privilege Escalation

Affected Software: Post Meta Data Manager
CVE ID: CVE-2023-5425
CVSS Score: 8.8 (High)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d7f4e710-99a2-49df-a513-725e1daaa18a

Deeper Comments <= 2.1.1 – Missing Authorization to Authenticated(Subscriber+) Arbitrary Options Update

Affected Software: Deeper Comments
CVE ID: CVE Unknown
CVSS Score: 8.8 (High)
Researcher/s: Jerome Bruandet
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f1cbe675-4c0f-430a-b2db-85ba8605d172

KD Coming Soon <= 1.7 – Unauthenticated PHP Object Injection via cetitle

Affected Software: KD Coming Soon
CVE ID: CVE-2023-46615
CVSS Score: 8.1 (High)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0f831d48-733a-4e79-8559-92b03b8d0356

News & Blog Designer Pack – WordPress Blog Plugin <= 3.4.1 – Unauthenticated Remote Code Execution via Local File Inclusion

Admin and Site Enhancements (ASE) <= 5.7.1 – Password Protection Mode Security Feature Bypass

Affected Software: Admin and Site Enhancements (ASE)
CVE ID: CVE-2023-46630
CVSS Score: 7.5 (High)
Researcher/s: Abu Hurayra
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0abad47f-a806-4cdd-a11f-015b997b5e86

Post Meta Data Manager <=1.2.0 – Missing Authorization to User, Term, and Post Meta Deletion

Affected Software: Post Meta Data Manager
CVE ID: CVE-2023-5426
CVSS Score: 7.5 (High)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d6a7f882-4582-4b08-9597-329d140ad782

404 Solution <= 2.33.2 – Authenticated (Administrator+) SQL Injection via orderby

Affected Software: 404 Solution
CVE ID: CVE Unknown
CVSS Score: 7.2 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/14958861-305e-4a9b-b428-de204cd6781e

ImageLinks <= 1.5.4 – Authenticated (Admin+) SQL Injection

Affected Software: ImageLinks Interactive Image Builder for WordPress
CVE ID: CVE Unknown
CVSS Score: 7.2 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9f678700-f266-4740-a98d-19f8e9734563

GD Security Headers <= 1.7 – Authenticated (Admin+) SQL Injection

Affected Software: GD Security Headers
CVE ID: CVE Unknown
CVSS Score: 7.2 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b556bb3b-0fea-48a9-a893-3ad015559f3d

Booking Calendar WpDevArt <= 3.2.11 – Authenticated (Admin+) SQL Injection

Affected Software: Booking calendar, Appointment Booking System
CVE ID: CVE Unknown
CVSS Score: 7.2 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/caa39613-aaf3-4e47-8866-8fda1f7fc15b

Mail logging – WP Mail Catcher <= 2.1.3 – Authenticated (Admin+) SQL Injection

Affected Software: Mail logging – WP Mail Catcher
CVE ID: CVE Unknown
CVSS Score: 7.2 (High)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f3ebbf7f-61f2-403f-8131-8cedeb13c2d4

ICS Calendar <= 10.12.0.1 – Authenticated(Contributor+) Directory Traversal via _url_get_contents

Affected Software: ICS Calendar
CVE ID: CVE-2023-46784
CVSS Score: 6.5 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0f18a1c5-a0b7-49f9-acc1-5604304fd72f

WordPress CTA <= 1.5.6 – Missing Authorization via Multiple AJAX Actions

Affected Software: WordPress CTA – WordPress Call To Action, Sticky CTA, Floating Buttons, Floating Tab Plugin
CVE ID: CVE-2023-46644
CVSS Score: 6.5 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a65a1f25-04e5-4ca3-9b2d-1b78254a8871

DoLogin Security <= 3.7.1 – Missing Authorization via REST Endpoints

Affected Software: DoLogin Security
CVE ID: CVE-2023-46608
CVSS Score: 6.5 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/af93f4f5-4c6d-4178-b7f7-c66c341bde87

10Web Booster <= 2.24.14 – Unauthenticated Arbitrary Option Deletion

Affected Software: 10Web Booster – Website speed optimization, Cache & Page Speed optimizer
CVE ID: CVE Unknown
CVSS Score: 6.5 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e4d9c659-ec6a-43ca-b484-02afd06f3c13

Product Recommendation Quiz for eCommerce <= 2.1.0 – Missing Authorization in prq_set_token

Affected Software: Product Recommendation Quiz for eCommerce
CVE ID: CVE-2023-46631
CVSS Score: 6.5 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f10ae2b6-1580-418c-9cf7-e75ed71bb309

VK Filter Search <= 2.3.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: VK Filter Search
CVE ID: CVE-2023-5705
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/012946d4-82ce-48b9-9b9a-1fc49846dca6

VK Blocks <= 1.63.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Block

Affected Software: VK Blocks
CVE ID: CVE-2023-5706
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/05dd7c96-7880-44a8-a06f-037bc627fd8d

LiteSpeed Cache <= 5.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: LiteSpeed Cache
CVE ID: CVE-2023-4372
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/27026f0f-c85e-4409-9973-4b9cb8a90da5

Animated Counters <= 1.7 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Animated Counters
CVE ID: CVE-2023-5774
CVSS Score: 6.4 (Medium)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/33c2756d-c300-479f-b3aa-8f22c3a70278

CallRail Phone Call Tracking <= 0.5.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: CallRail Phone Call Tracking
CVE ID: CVE-2023-5051
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/35def866-7460-4cad-8d86-7b9e4905cbe4

FareHarbor for WordPress <= 3.6.7 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: FareHarbor for WordPress
CVE ID: CVE-2023-5252
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/42ad6fef-4280-45db-a3e2-6d7522751fa7

Shortcode Menu <= 3.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Shortcode Menu
CVE ID: CVE-2023-5565
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/438b9c13-4059-4671-ab4a-07a8cf6f6122

Medialist <= 1.3.9 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Affected Software: Medialist
CVE ID: CVE-2023-46640
CVSS Score: 6.4 (Medium)
Researcher/s: Tien from VNPT-VCI
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/45c7f8fb-3fd0-425f-89a1-8971f67d5755

Bellows Accordion Menu <= 1.4.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Bellows Accordion Menu
CVE ID: CVE-2023-5164
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/50283a4f-ea59-488a-bab0-dd6bc5718556

WP Font Awesome <= 1.7.9 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: WP Font Awesome
CVE ID: CVE-2023-5127
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/59ee0b56-c11f-4951-aac0-8344200e4484

Advanced Menu Widget <= 0.4.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Advanced Menu Widget
CVE ID: CVE-2023-5085
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5da2dac6-940c-419e-853f-6cfd5d53d427

BSK PDF Manager <= 3.4.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: BSK PDF Manager
CVE ID: CVE-2023-5110
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/60de55c6-e4fa-453e-84bd-309f2887e3cb

WDContactFormBuilder <= 1.0.72 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: WDContactFormBuilder
CVE ID: CVE-2023-5048
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7152253a-7bb8-4b5c-bffd-86e46df54b7e

Magic Embeds <= 3.0.10 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Magic Embeds
CVE ID: CVE-2023-4799
CVSS Score: 6.4 (Medium)
Researcher/s: Dmitrii Ignatyev
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/88ade7a7-da31-4752-b100-40dae81735b0

Simple Shortcodes <= 1.0.20 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Simple Shortcodes
CVE ID: CVE-2023-5566
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a153d6b2-e3fd-42db-90ba-d899a07d60c1

Grid Plus <= 1.3.2 – Authenticated (Subscriber+) Local File Inclusion via Shortcode

Affected Software: Grid Plus – Unlimited grid layout
CVE ID: CVE-2023-5250
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a6407792-2c76-4149-a9f9-d53002135bec

Giveaways and Contests by RafflePress <= 1.12.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Accordion <= 2.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Accordion
CVE ID: CVE-2023-5666
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a8ada876-4a8b-494f-9132-d88a71b42c44

Related Products for WooCommerce <= 3.3.15 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Related Products for WooCommerce
CVE ID: CVE-2023-5234
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a98498b8-9397-42e9-9c99-a576975c9ac9

Live Chat with Facebook Messenger <= 1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Live Chat with Facebook Messenger
CVE ID: CVE-2023-5740
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/aa32a790-242f-4142-9f4d-e1b2a07045bb

Buzzsprout Podcasting <= 1.8.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Buzzsprout Podcasting
CVE ID: CVE-2023-5335
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/be7f8b73-801d-46e8-81c1-8bb0bb576700

Weather Atlas Widget <= 1.2.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Weather Atlas Widget
CVE ID: CVE-2023-5163
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c2324caa-f804-4f76-9d08-8951fbee4669

MomentoPress for Momento360 <= 1.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: MomentoPress for Momento360
CVE ID: CVE-2023-46782
CVSS Score: 6.4 (Medium)
Researcher/s: NGÔ THIÊN AN
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e0fdee40-9d60-4657-9e2b-42d548dea1c0

Pre-Orders for WooCommerce <= 1.2.13 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Pre-Orders for WooCommerce
CVE ID: CVE-2023-46783
CVSS Score: 6.4 (Medium)
Researcher/s: Abu Hurayra
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/eb2776d8-1e2f-46fb-9d3b-693c8fa115b3

Neon text <= 1.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Neon text
CVE ID: CVE-2023-5817
CVSS Score: 6.4 (Medium)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f9998485-e272-48fc-b2f1-9e30158d0d16

Very Simple Google Maps <= 2.9 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Very Simple Google Maps
CVE ID: CVE-2023-5744
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fca7837c-ad24-44ce-b073-7df3f8bc4300

Draw Attention <= 2.0.15 – Improper Access Control via register_cpt

Affected Software: Interactive Image Map Plugin – Draw Attention
CVE ID: CVE-2023-46616
CVSS Score: 6.3 (Medium)
Researcher/s: thiennv
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5d635669-ee85-4fb5-8238-3edb3bbb8fb4

WP Simple HTML Sitemap <= 2.1 – Reflected Cross-Site Scripting via id

Affected Software: WordPress Simple HTML Sitemap
CVE ID: CVE-2023-46627
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/26e52072-9465-4b56-9794-f17861b7c70c

Bonus for Woo <= 5.8.2 – Reflected Cross-Site Scripting

Affected Software: Bonus for Woo
CVE ID: CVE-2023-5140
CVSS Score: 6.1 (Medium)
Researcher/s: Enrico Marcolini, Claudio Marchesini
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2b959b65-16ad-45f9-9ad9-dfc97bda571e

Download CloudNet360 <= 3.2.0 – Reflected Cross-Site Scripting

Affected Software: CloudNet360
CVE ID: CVE-2023-46643
CVSS Score: 6.1 (Medium)
Researcher/s: Nithissh S
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/54b88702-ec41-414b-87f1-1859b130a713

User Avatar <= 1.4.11 – Unauthenticated Cross-Site Scripting

Affected Software: User Avatar
CVE ID: CVE-2023-46621
CVSS Score: 6.1 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6903e37e-5251-47bb-8023-755821af4689

WooCommerce – Store Exporter <= 2.7.2 – Reflected Cross-Site Scripting via ‘filter’

Affected Software: Store Exporter for WooCommerce – Export Products, Export Orders, Export Subscriptions, and More
CVE ID: CVE Unknown
CVSS Score: 6.1 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/947286b0-347f-47ab-885a-7805b50f0be8

Seraphinite Accelerator <= 2.20.28 – Reflected Cross-Site Scripting via ‘rt’

Affected Software: Seraphinite Accelerator
CVE ID: CVE-2023-5609
CVSS Score: 6.1 (Medium)
Researcher/s: Krzysztof Zając
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9dc90b13-2f36-45bc-991c-f1927ae9253d

FLOWFACT WP Connector <= 2.1.7 – Reflected Cross-Site Scripting

Affected Software: FLOWFACT WP Connector
CVE ID: CVE-2023-46626
CVSS Score: 6.1 (Medium)
Researcher/s: Jonas Höbenreich
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b4b61b5b-e5e8-41d4-bf37-d9427a204ea6

Simple User Listing <= 1.9.2 – Reflected Cross-Site Scripting via as

Affected Software: Simple User Listing
CVE ID: CVE-2023-32298
CVSS Score: 6.1 (Medium)
Researcher/s: Emili Castells
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c7035903-d598-4db3-ba77-6e836229c5de

WPPizza <= 3.18.2 – Reflected Cross-Site Scripting

Affected Software: WPPizza – A Restaurant Plugin
CVE ID: CVE-2023-46622
CVSS Score: 6.1 (Medium)
Researcher/s: SeungYongLee
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ccfdb5f5-8417-44a3-a27c-157a9619c68b

Reusable Text Blocks <= 1.5.3 – Authenticated (Author+) Stored Cross-Site Scripting via Shortcode

Affected Software: Reusable Text Blocks
CVE ID: CVE-2023-5745
CVSS Score: 5.5 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0d627ee7-1175-4621-a477-1e9ec2d05eee

My Shortcodes <= 2.3 – Missing Authorization via Multiple AJAX Actions

Affected Software: My Shortcodes
CVE ID: CVE-2023-46632
CVSS Score: 5.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7a931496-f130-4910-9116-6c2c4df760f5

Quill Forms <= 3.3.0 – Cross-Site Request Forgery

Seraphinite Accelerator <= 2.20.28 – Arbitrary Redirect via ‘redir’

Affected Software: Seraphinite Accelerator
CVE ID: CVE-2023-5610
CVSS Score: 5.4 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9d6dd532-008b-4ce9-beca-baf5b3678a0b

Spider Facebook <= 1.0.15 – Cross-Site Request Forgery

Affected Software: WDSocialWidgets
CVE ID: CVE-2023-46619
CVSS Score: 5.4 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a94accad-27c7-462b-b26f-0dde2036a7ba

Quill Forms <= 3.3.0 – Missing Authorization

Grid Plus <= 1.3.2 – Missing Authorization to Authenticated (Subscriber+) Grid Layout Add/Update/Delete

Affected Software: Grid Plus – Unlimited grid layout
CVE ID: CVE-2023-5251
CVSS Score: 5.4 (Medium)
Researcher/s: Unknown
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d2d34c84-473c-49f8-b55c-c869b5479974

Alter <= 1.0 – Cross-Site Request Forgery

Affected Software: Alter
CVE ID: CVE-2023-46780
CVSS Score: 5.4 (Medium)
Researcher/s: Skalucy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e58a45c4-06cb-4b2b-97f2-a614fc230942

kk Star Ratings <= 5.4.5 – Missing Authorization

Affected Software: kk Star Ratings
CVE ID: CVE-2023-46639
CVSS Score: 5.3 (Medium)
Researcher/s: Revan Arifio
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1af442f7-b57c-47bd-9733-5e6bb5c89443

AtomChat <= 1.1.4 – Missing Authorization via credits REST API Endpoint

Affected Software: Group Chat & Video Chat by AtomChat
CVE ID: CVE-2023-46606
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/21f917a4-efee-421b-98b1-a9b18c7527d2

YOP Poll <= 6.5.28 – Reusable Captcha via validateImage

Affected Software: YOP Poll
CVE ID: CVE-2023-46611
CVSS Score: 5.3 (Medium)
Researcher/s: qilin_99
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/33f8f75d-c57e-456c-a48a-82fa668adb1c

FeedFocal <= 1.2.1 – Missing Authorization via feedfocal_api_setup REST function

Affected Software: FeedFocal
CVE ID: CVE-2023-46609
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/489fe6ac-5437-44a2-93dc-00e75eefbc45

Convertful – Your Ultimate On-Site Conversion Tool <= 2.5 – Missing Authorization via add_woo_coupon

Affected Software: Convertful – Your Ultimate On-Site Conversion Tool
CVE ID: CVE-2023-46605
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4e8c311e-7cf2-4aaf-8059-30f872475ee5

All In One WP Security <= 5.2.4 – Protection Bypass of Renamed Login Page via URL Encoding

Affected Software: All-In-One Security (AIOS) – Security and Firewall
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/63fc381e-ce72-4c90-bb35-daba520be40d

Generate Dummy Posts <= 1.0.0 – Missing Authorization

Affected Software: Generate Dummy Posts
CVE ID: CVE-2023-46637
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6d797f36-f485-4049-83f0-01d0cb409a92

YITH WooCommerce Product Add-Ons <= 4.2.0 – Missing Authorization

Affected Software: YITH WooCommerce Product Add-Ons
CVE ID: CVE-2023-46635
CVSS Score: 5.3 (Medium)
Researcher/s: Elliot
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7e95773c-b968-47b3-8ae7-9a8d3389666c

Glossary <= 3.1.2 – Missing Authorization

Affected Software: WP Glossary
CVE ID: CVE-2023-46633
CVSS Score: 5.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fca34e4e-3324-4942-854b-a4511f88af8b

Delete Me <= 3.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Delete Me
CVE ID: CVE-2023-5126
CVSS Score: 4.9 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7a5123a7-8eb4-481e-88fe-6310be37a077

Parcel Pro <= 1.6.8 – Open Redirect via ‘redirect’

Affected Software: Parcel Pro
CVE ID: CVE-2023-46624
CVSS Score: 4.7 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/95d4fbf6-e21a-48db-bfb3-32fc9116afa0

SAHU TikTok Pixel for E-Commerce <= 1.2.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: SAHU TikTok Pixel for E-Commerce
CVE ID: CVE-2023-46642
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/28cddb4c-32a1-4ea9-936d-5ec7ffd84753

PubyDoc <= 2.0.6 – Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: PubyDoc – Data Tables and Charts
CVE ID: CVE-2023-4970
CVSS Score: 4.4 (Medium)
Researcher/s: Vaishnav Rajeevan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3badf9b8-7558-4a46-9eb2-cd119a77c903

Slick Popup: Contact Form 7 Popup Plugin <= 1.7.14 – Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: Slick Popup: Contact Form 7 Popup Plugin
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/54019f42-488d-484f-b34e-2b5bd5b0a1dd

WP Post Popup <= 3.7.3 – Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: WP Post Popup
CVE ID: CVE-2023-4808
CVSS Score: 4.4 (Medium)
Researcher/s: Abhijith A
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5fe46da6-add5-42d4-a2db-7a8bada2968c

Cookie Bar <= 2.0 – Authenticated(Administrator+) Stored Cross-Site Scripting

Affected Software: Cookie Bar
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/80afca9d-8f9c-412f-b2dd-f0078ec8173c

Fathom Analytics <= 3.0.7 – Authenticated(Administrator+) Stored Cross-Site Scripting

Affected Software: Fathom Analytics for WP
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d3343d96-ca52-46a6-b464-cd2e5375d10f

Groundhogg <= 2.7.11.10 – Authenticated (Administrator+) Stored Cross-Site Scripting via Task Data

TK Google Fonts GDPR Compliant <= 2.2.11 – Missing Authorization to Font Deletion

Affected Software: TK Google Fonts GDPR Compliant
CVE ID: CVE-2023-5823
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0bc772a6-95a1-4420-bd97-1778002e2168

Custom Header Images <= 1.2.1 – Cross-Site Request Forgery

Affected Software: Custom Header Images
CVE ID: CVE-2023-46636
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0beaa7ce-40aa-429e-80fd-d04e75489b92

Autolinks Manager <= 1.10.04 – Cross-Site Request Forgery

Affected Software: Autolinks Manager
CVE ID: CVE-2023-46625
CVSS Score: 4.3 (Medium)
Researcher/s: Skalucy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2ec5d29e-43e2-4cd3-8164-94b01fab4d64

Auto Excerpt everywhere <= 1.5 – Cross-Site Request Forgery

Affected Software: Auto Excerpt everywhere
CVE ID: CVE-2023-46776
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/32647c44-389a-4a6d-a32b-e19a35bc2aeb

EasyRecipe <= 3.5.3251 – Cross-Site Request Forgery

Affected Software: EasyRecipe
CVE ID: CVE-2023-46779
CVSS Score: 4.3 (Medium)
Researcher/s: Skalucy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/35906df7-5eaf-494a-8184-48e2ca22301e

Mediabay <= 1.6 – Missing Authorization via AJAC actions

Affected Software: Mediabay – Media Library Folders
CVE ID: CVE-2023-46612
CVSS Score: 4.3 (Medium)
Researcher/s: emad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3a923f58-f6c7-47ee-87f6-27453b39d1cf

Remove Add to Cart WooCommerce <= 1.4.4 – Cross-Site Request Forgery to Settings Modification

Affected Software: Remove Add to Cart WooCommerce
CVE ID: CVE-2023-46629
CVSS Score: 4.3 (Medium)
Researcher/s: qilin_99
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4938c1be-2356-4a9c-9795-108a2d5a6cc7

WP Word Count <= 3.2.4 – Missing Authorization via calculate_statistics

Affected Software: WP Word Count
CVE ID: CVE-2023-46628
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/55dfd822-9034-4982-bfe7-eb86119e1f07

WP Helper Premium <= 4.5.1 – Cross-Site Request Forgery via whp_fields

Affected Software: WP Helper Premium
CVE ID: CVE-2023-46614
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/73e2c5bd-c81d-48ee-a5fc-346dd820d0a4

TK Google Fonts GDPR Compliant <= 2.2.11 – Missing Authorization to Font Addition

Affected Software: TK Google Fonts GDPR Compliant
CVE ID: CVE-2023-5823
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7546b0b7-8081-4762-9e20-76dfb3c8a8a7

Export WP Page to Static HTML/CSS <= 2.1.9 – Cross-Site Request Forgery via Multiple AJAX Actions

Affected Software: Export WP Page to Static HTML/CSS
CVE ID: CVE-2023-31077
CVSS Score: 4.3 (Medium)
Researcher/s: konagash
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7781e20b-c258-4bfd-9050-75a50a335628

Ni WooCommerce Sales Report <= 3.7.2 – Missing Authorization via ajax_sales_order

Affected Software: Ni WooCommerce Sales Report
CVE ID: CVE-2023-32299
CVSS Score: 4.3 (Medium)
Researcher/s: Jonas Höbenreich
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7b509887-6d32-4e7f-bdff-fd4f6c76f6f2

WP EXtra <= 6.2 – Missing Authorization to Arbitrary Email Sending

Affected Software: WP EXtra
CVE ID: CVE-2023-5314
CVSS Score: 4.3 (Medium)
Researcher/s: TP Cyber Security
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/93c10a58-c5f2-440b-a88e-5314143fdd90

Original texts Yandex WebMaster <= 1.18 – Cross-Site Request Forgery

Affected Software: Original texts Yandex WebMaster
CVE ID: CVE-2023-46775
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a9c500fc-0d85-41b1-a2b8-9c8ba372a6e3

WP Knowledgebase <= 1.3.4 – Cross-Site Request Forgery

Affected Software: WordPress Knowledge base & Documentation Plugin – WP Knowledgebase
CVE ID: CVE-2023-5802
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/aa5ee133-e38a-4dfe-975c-f194aa6e90b8

Feather Login Page <= 1.1.3 – Cross-Site Request Forgery

Affected Software: Custom Login Page | Temporary Users | Rebrand Login | Login Captcha
CVE ID: CVE-2023-46777
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b1a85bc2-0b00-4635-86f6-26e96cc0616e

DeepL Pro API translation <= 2.3.7.1 – Cross-Site Request Forgery via wpdeepl_prune_logs

Affected Software: DeepL API translation plugin
CVE ID: CVE-2023-46620
CVSS Score: 4.3 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b60cb1af-c9f3-4cea-9699-d66a52eb87eb

Thumbnail carousel slider <= 1.0 – Cross-Site Request Forgery to Mass Slider Deletion

Affected Software: Thumbnail carousel slider
CVE ID: CVE-2023-5821
CVSS Score: 4.3 (Medium)
Researcher/s: Ala Arfaoui
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bde75c5a-b0b7-4f26-91e9-dd4816e276c9

WP iCal Availability <= 1.0.3 – Missing Authorization

Affected Software: WP iCal Availability
CVE ID: CVE-2023-46607
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c38ac30d-95dc-415e-8ea6-507ed87d34db

Seraphinite Accelerator (Base, cache only) <= 2.20.31 – Cross-Site Request Forgery

Affected Software: Seraphinite Accelerator
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d2b32fdc-b73f-48e5-88bf-e836ec2f791f

WCP OpenWeather <= 2.5.0 – Cross-Site Request Forgery

Affected Software: WCP OpenWeather
CVE ID: CVE-2023-46638
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d5b573e2-373f-41bc-8d9a-ea42e908ac4e

Current Menu Item for Custom Post Types <= 1.5 – Cross-Site Request Forgery

Affected Software: Current Menu Item for Custom Post Types
CVE ID: CVE-2023-46781
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d75f1475-fa81-4eed-87da-0a0fa48ac082

Category SEO Meta Tags <= 2.5 – Cross-Site Request Forgery via csmt_admin_options

Affected Software: Category SEO Meta Tags
CVE ID: CVE-2023-46618
CVSS Score: 4.3 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/de6048e7-75c6-44b1-bc68-e36dce936c78

Custom My Account for Woocommerce <= 2.1 – Cross-Site Request Forgery

Affected Software: Custom My Account for Woocommerce
CVE ID: CVE-2023-46634
CVSS Score: 4.3 (Medium)
Researcher/s: qilin_99
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fd00c5cc-1a28-4d94-815d-46219ce0e0e9

Auto Limit Posts Reloaded <= 2.5 – Cross-Site Request Forgery

Affected Software: Auto Limit Posts Reloaded
CVE ID: CVE-2023-46778
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fedf20b2-6c21-4c91-8f79-9cac334a1313

As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (October 23, 2023 to October 29, 2023) appeared first on Wordfence.