(647) 243-4688

Did you know we’re running a Bug Bounty Extravaganza again?

Earn over 6x our usual bounty rates, up to $10,000,  for all vulnerabilities submitted through February 29th, 2024 when you opt to have Wordfence handle responsible disclosure!

Last week, there were 52 vulnerabilities disclosed in 42 WordPress Plugins and no WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 26 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 12,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status
Number of Vulnerabilities

Unpatched
15

Patched
37

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating
Number of Vulnerabilities

Low Severity
0

Medium Severity
46

High Severity
5

Critical Severity
1

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE
Number of Vulnerabilities

Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
25

Cross-Site Request Forgery (CSRF)
8

Missing Authorization
5

Improper Access Control
5

Deserialization of Untrusted Data
2

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
2

Use of Insufficiently Random Values
1

Improper Control of Generation of Code (‘Code Injection’)
1

Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
1

Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
1

Inappropriate Source Code Style or Formatting
1

Researchers That Contributed to WordPress Security Last Week

Researcher Name
Number of Vulnerabilities

Bob Matyas
8

Webbernaut
6

Francesco Carlucci
6

Krzysztof Zając
5

Daniel Ruf
4

Sh
2

Majed Refaea
2

Yuki Haruma
1

Tobias Weißhaar (kun_19)
1

Le Ngoc Anh
1

Byeongjun Jo
1

Pedro Cuco (Illex)
1

Bence Szalai
1

arpeetrathi
1

stealthcopter
1

Sam Pizzey (mopman)
1

Colin Xu
1

Ahmed Algohary
1

Akbar Kustirama
1

kodaichodai
1

Dipak Panchal (th3.d1p4k)
1

Nex Team
1

drop
1

Ma Long
1

SudoBash
1

Richard Telleng (stueotue)
1

 

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name
Software Slug

(Simply) Guest Author Name
guest-author-name

10Web AI Assistant – AI content writing assistant
ai-assistant-by-10web

AMP for WP – Accelerated Mobile Pages
accelerated-mobile-pages

Add SVG Support for Media Uploader | inventivo
add-svg-support-for-media-uploader-inventivo

Advanced Database Cleaner
advanced-database-cleaner

Advanced Schedule Posts
advanced-schedule-posts

Allow SVG
allow-svg

Backuply – Backup, Restore, Migrate and Clone
backuply

Better Follow Button for Jetpack
better-follow-button-for-jetpack

Better Search Replace
better-search-replace

Category Discount Woocommerce
woo-product-category-discount

Content Views – Post Grid, Slider, Accordion (Gutenberg Blocks and Shortcode)
content-views-query-and-display-post-page

Elementor Addons by Livemesh
addons-for-elementor

Exclusive Addons for Elementor
exclusive-addons-for-elementor

File Manager
wp-file-manager

File Manager Pro
wp-file-manager-pro

Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder
form-maker

Formidable Forms – Contact Form, Survey, Quiz, Payment, Calculator Form & Custom Form Builder
formidable

InstaWP Connect – 1-click WP Staging & Migration
instawp-connect

Mang Board WP
mangboard

Marketing Twitter Bot
wordpress-twitterbot

Meks Smart Social Widget
meks-smart-social-widget

PDF Generator For Fluent Forms – The Contact Form Plugin
fluentforms-pdf

PDF Poster – PDF Embedder Plugin for WordPress
pdf-poster

Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions
paid-memberships-pro

SVG Uploads Support
svg-uploads-support

Sticky Buttons – floating buttons builder
sticky-buttons

Ultimate Noindex Nofollow Tool
ultimate-noindex-nofollow-tool

Views for WPForms – Display & Edit WPForms Entries on your site frontend
views-for-wpforms-lite

WP Customer Area
customer-area

WP Dashboard Notes
wp-dashboard-notes

WP Go Maps (formerly WP Google Maps)
wp-google-maps

WP RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging
wp-rss-aggregator

WP-Reply Notify
wp-reply-notify

WPFront Notification Bar
wpfront-notification-bar

WebSub (FKA. PubSubHubbub)
pubsubhubbub

WolfNet IDX for WordPress
wolfnet-idx-for-wordpress

WordPress Button Plugin MaxButtons
maxbuttons

WordPress Simple Shopping Cart
wordpress-simple-paypal-shopping-cart

aBitGone CommentSafe
abitgone-commentsafe

coreActivity: Activity Logging plugin for WordPress
coreactivity

illi Link Party!
link-party

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

Better Search Replace <= 1.4.4 – Unauthenticated PHP Object Injection

Affected Software: Better Search Replace
CVE ID: CVE-2023-6933
CVSS Score: 9.8 (Critical)
Researcher/s: Sam Pizzey (mopman)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/895f2db1-a2ed-4a17-a4f6-cd13ee8f84af

File Manager Pro <= 8.3.4 – Authenticated (Subscriber+) Arbitrary File Upload

Affected Software: File Manager Pro
CVE ID: CVE-2023-6846
CVSS Score: 8.8 (High)
Researcher/s: Tobias Weißhaar (kun_19)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1e8e0257-a745-495f-a103-c032b95209fc

InstaWP Connect <= 0.1.0.9 – Authenticated (Subscriber+) SQL Injection

Affected Software: InstaWP Connect – 1-click WP Staging & Migration
CVE ID: CVE-2024-23507
CVSS Score: 8.8 (High)
Researcher/s: Majed Refaea
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/578cf704-e84d-469f-bf26-e60268506a78

File Manager <= 7.2.1 – Sensitive Information Exposure via Backup Filenames

Affected Software: File Manager
CVE ID: CVE-2024-0761
CVSS Score: 8.1 (High)
Researcher/s: Yuki Haruma
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1928f8e4-8bbe-4a3f-8284-aa12ca2f5176

illi Link Party! <= 1.0 – Unauthenticated Stored Cross-Site Scripting

Affected Software: illi Link Party!
CVE ID: CVE-2023-7228
CVSS Score: 7.2 (High)
Researcher/s: Bob Matyas
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9df6d75b-a141-41a8-b965-6be7acee582d

coreActivity <= 1.8 – Unauthenticated Stored Cross-Site Scripting

Affected Software: coreActivity: Activity Logging plugin for WordPress
CVE ID: CVE-2024-0852
CVSS Score: 7.2 (High)
Researcher/s: Ahmed Algohary
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a2432a0a-d262-4460-bd2d-2cb200d51f6f

Advanced Database Cleaner <= 3.1.3 – Authenticated(Administrator+) PHP Object Injection via process_bulk_action

Affected Software: Advanced Database Cleaner
CVE ID: CVE-2024-0668
CVSS Score: 6.6 (Medium)
Researcher/s: Richard Telleng (stueotue)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e0b8c24b-3e51-4637-9d8e-da065077d082

10Web AI Assistant – AI content writing assistant <= 1.0.18 – Missing Authorization to Arbitrary Plugin Installation

Affected Software: 10Web AI Assistant – AI content writing assistant
CVE ID: CVE-2023-6985
CVSS Score: 6.5 (Medium)
Researcher/s: Krzysztof Zając
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/229245a5-468d-47b9-8f26-d23d593e91da

Backuply – Backup, Restore, Migrate and Clone <= 1.2.3 – Authenticated (Administrator+) Directory Traversal

Affected Software: Backuply – Backup, Restore, Migrate and Clone
CVE ID: CVE-2024-0697
CVSS Score: 6.5 (Medium)
Researcher/s: Bence Szalai
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/70effa22-fbf6-44cb-9d1b-8625969c10ac

Elementor Addons by Livemesh <= 8.3.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Elementor Addons by Livemesh
CVE ID: CVE-2024-0448
CVSS Score: 6.4 (Medium)
Researcher/s: Webbernaut
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/058d1aa0-2ef6-49a4-b978-43a91c8e55f3

(Simply) Guest Author Name <= 4.34 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: (Simply) Guest Author Name
CVE ID: CVE-2024-0254
CVSS Score: 6.4 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0e9e2864-6624-497f-8bec-df8360ed3f4a

Add SVG Support for Media Uploader | inventivo <= 1.0.5 – Authenticated (Author+) Stored Cross-Site Scripting via SVG

Affected Software: Add SVG Support for Media Uploader | inventivo
CVE ID: CVE-2023-7088
CVSS Score: 6.4 (Medium)
Researcher/s: Bob Matyas
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6ca2d1d4-fcf8-4943-b9c5-9560968ae2d8

Exclusive Addons for Elementor <= 2.6.8 – Authenticated (Contributor+) Stored Cross-Site Scripting via Link Anything

Affected Software: Exclusive Addons for Elementor
CVE ID: CVE-2024-0824
CVSS Score: 6.4 (Medium)
Researcher/s: Webbernaut
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/925b0a86-ed23-471c-84e2-ae78a01b1876

SVG Uploads Support <= 2.1.1 – Authenticated (Author+) Stored Cross-Site Scripting via SVG

Affected Software: SVG Uploads Support
CVE ID: CVE-2023-7086
CVSS Score: 6.4 (Medium)
Researcher/s: Bob Matyas
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ad95f0b2-4d96-4f62-b495-050a89539177

WordPress Button Plugin MaxButtons <= 9.7.6 – Authenticated(Contributor+) Stored Cross-Site Scripting via shortcode

Affected Software: WordPress Button Plugin MaxButtons
CVE ID: CVE-2023-7029
CVSS Score: 6.4 (Medium)
Researcher/s: Webbernaut
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bca0e8a0-d837-42d8-a9d3-35e0c820eb43

Allow SVG <= 1.1 – Authenticated (Author+) Stored Cross-Site Scripting via SVG

Affected Software: Allow SVG
CVE ID: CVE-2023-6541
CVSS Score: 6.4 (Medium)
Researcher/s: Bob Matyas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ee725cff-959d-4078-9c2e-2d52bb904ca0

aBitGone CommentSafe <= 1.0.0 – Cross-Site Request Forgery to Settings Update and Cross-Site Request Forgery

Affected Software: aBitGone CommentSafe
CVE ID: CVE-2023-7174
CVSS Score: 6.1 (Medium)
Researcher/s: Daniel Ruf
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2375027c-9619-40fc-811d-7f4ba02bee53

PDF Poster – PDF Embedder Plugin for WordPress <= 2.1.17 – Reflected Cross-Site Scripting

Affected Software: PDF Poster – PDF Embedder Plugin for WordPress
CVE ID: CVE-2024-23508
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/341516d3-b785-4daf-98de-76f4f94b8c96

Ultimate Noindex Nofollow Tool <= 1.1.2 – Cross-Site Request Forgery to Settings Update

Affected Software: Ultimate Noindex Nofollow Tool
CVE ID: CVE-2023-7196
CVSS Score: 6.1 (Medium)
Researcher/s: Daniel Ruf
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3d7ca3ff-eae4-425f-8340-9d9b4952ce4a

Advanced Schedule Posts <= 2.1.8 – Reflected Cross-Site Scripting

Affected Software: Advanced Schedule Posts
CVE ID: CVE-2024-0249
CVSS Score: 6.1 (Medium)
Researcher/s: Krzysztof Zając
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/47122866-8e40-42bc-84ed-60fc81247320

WP Customer Area <= 8.2.2 – Reflected Cross-Site Scripting

Affected Software: WP Customer Area
CVE ID: CVE-2024-0665
CVSS Score: 6.1 (Medium)
Researcher/s: Krzysztof Zając
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/567d62ec-e868-45e2-b07a-8cc661d7c5e1

Accelerated Mobile Pages <= 1.0.92.1 – Reflected Cross-Site Scripting

Affected Software: AMP for WP – Accelerated Mobile Pages
CVE ID: CVE-2024-0587
CVSS Score: 6.1 (Medium)
Researcher/s: stealthcopter
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/85ca96a6-7992-424b-8b88-9a0751925223

WP Go Maps (formerly WP Google Maps) <= 9.0.28 – Reflected Cross-Site Scripting

Affected Software: WP Go Maps (formerly WP Google Maps)
CVE ID: CVE-2023-6697
CVSS Score: 6.1 (Medium)
Researcher/s: Nex Team
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b3c3115b-8921-429d-b517-b946edab1cd5

Formidable Forms <= 6.7.2 – Cross-Site Request Forgery to Stored Cross-Site Scripting

Marketing Twitter Bot <= 1.11 – Cross-Site Request Forgery to Settings Update and Cross-Site Scripting

Affected Software: Marketing Twitter Bot
CVE ID: CVE-2023-7197
CVSS Score: 6.1 (Medium)
Researcher/s: Daniel Ruf
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e2795202-64e6-488b-a0e1-da2923f6f791

Exclusive Addons for Elementor <= 2.6.8 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Exclusive Addons for Elementor
CVE ID: CVE-2024-0823
CVSS Score: 5.4 (Medium)
Researcher/s: Webbernaut
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2c5cdc3f-eaa6-4d0b-9e75-5483c723e15a

Form-Maker (twb_form-maker) <= 1.15.21 – Cross-Site Request Forgery to Limited Code Execution via Execute

Affected Software: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder
CVE ID: CVE-2024-0667
CVSS Score: 5.4 (Medium)
Researcher/s: SudoBash
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d55c832b-f558-4e8a-8301-33dd38d39ef1

illi Link Party! <= 1.0 – Missing Authorization to Unauthenticated Arbitrary Link Deletion

Affected Software: illi Link Party!
CVE ID: CVE-2023-7231
CVSS Score: 5.3 (Medium)
Researcher/s: Bob Matyas
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3d68293a-b98b-41e0-9f79-ccd2c0108e82

Category Discount Woocommerce <= 4.12 – Missing Authorization via wpcd_save_discount()

Affected Software: Category Discount Woocommerce
CVE ID: CVE-2024-0617
CVSS Score: 5.3 (Medium)
Researcher/s: Krzysztof Zając
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/996b44bb-d1e0-4f82-b8ee-a98b0ae994f9

Paid Memberships Pro <= 2.12.7 – Cross-Site Request Forgery to Level Orders Update

Affected Software: Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions
CVE ID: CVE-2024-0624
CVSS Score: 5.3 (Medium)
Researcher/s: kodaichodai
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ae68d083-b6e2-409b-8c91-d4eb7e62dba9

Category Discount Woocommerce <= 4.11 – Cross-Site Request Forgery via wpcd_save_discount()

Affected Software: Category Discount Woocommerce
CVE ID: CVE-2024-0617
CVSS Score: 5.3 (Medium)
Researcher/s: Krzysztof Zając
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f04dee5b-d16f-4ef0-88a4-1567e2287bd5

PDF Generator For Fluent Forms <= 1.1.7 – Cross-Site Scripting

Affected Software: PDF Generator For Fluent Forms – The Contact Form Plugin
CVE ID: CVE-2023-6953
CVSS Score: 4.9 (Medium)
Researcher/s: drop
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b6675c48-43d4-4394-a4a3-f753bdaa5c4e

WPFront Notification Bar <= 3.3.2 – Authenticated (Admin+) Stored Cross-Site Scripting via wpfront-notification-bar-options[custom_class]

Affected Software: WPFront Notification Bar
CVE ID: CVE-2024-0625
CVSS Score: 4.4 (Medium)
Researcher/s: Sh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/19a5a9f3-637c-42af-9775-5651a14cf516

Mang Board WP <= 1.7.7 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Mang Board WP
CVE ID: CVE-2024-22306
CVSS Score: 4.4 (Medium)
Researcher/s: Byeongjun Jo
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4d8cfcdc-6258-4629-a3b4-d65e44ac82f1

Meks Smart Social Widget <= 1.6.3 – Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: Meks Smart Social Widget
CVE ID: CVE-2024-0664
CVSS Score: 4.4 (Medium)
Researcher/s: arpeetrathi
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/722aae99-fcfb-4234-9245-5db57aaa03c5

WP RSS Aggregator <= 4.23.4 – Authenticated (Admin+) Stored Cross-Site Scripting via RSS Feed Source

Affected Software: WP RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging
CVE ID: CVE-2024-0630
CVSS Score: 4.4 (Medium)
Researcher/s: Colin Xu
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/93cb3b29-b1a0-4d40-a057-1b41f3b181f2

Content Views <= 3.6.2 – Authenticated(Administrator+) Stored Cross-Site Scripting via settings

Affected Software: Content Views – Post Grid, Slider, Accordion (Gutenberg Blocks and Shortcode)
CVE ID: CVE-2024-0612
CVSS Score: 4.4 (Medium)
Researcher/s: Akbar Kustirama
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/aa4377a8-bcf4-45ba-824b-3505bd8e8c61

WordPress Simple Shopping Cart <= 4.7.1 – Authenticated(Administrator+) Stored Cross-Site Scripting

Affected Software: WordPress Simple Shopping Cart
CVE ID: CVE-2023-6497
CVSS Score: 4.4 (Medium)
Researcher/s: Webbernaut
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ac6201a1-7ca9-461b-b9ad-16407120dfae

Sticky Buttons <= 3.2.2 – Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: Sticky Buttons – floating buttons builder
CVE ID: CVE-2024-0703
CVSS Score: 4.4 (Medium)
Researcher/s: Dipak Panchal (th3.d1p4k)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b3c070be-e955-4076-9878-0b1044766397

WolfNet IDX for WordPress <= 1.19.1 – Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: WolfNet IDX for WordPress
CVE ID: CVE-2023-6783
CVSS Score: 4.4 (Medium)
Researcher/s: Ma Long
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c226ca9a-8a2e-4e56-a039-96c31526a379

illi Link Party! <= 1.0 – Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: illi Link Party!
CVE ID: CVE-2023-7230
CVSS Score: 4.4 (Medium)
Researcher/s: Bob Matyas
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cbf193ef-e172-4fe3-9bff-b5cbac9adb54

WebSub (FKA. PubSubHubbub) <= 3.1.4 – Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: WebSub (FKA. PubSubHubbub)
CVE ID: CVE-2024-0688
CVSS Score: 4.4 (Medium)
Researcher/s: Sh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f07b166b-3436-4797-a2df-096ff7c27a09

Better Follow Button for Jetpack <= 8.0 – Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: Better Follow Button for Jetpack
CVE ID: CVE-2023-7168
CVSS Score: 4.4 (Medium)
Researcher/s: Bob Matyas
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fec06875-f6b4-4e57-917f-e80ece3744e1

Views for WPForms <= 3.2.2 – Missing Authorization via get_form_fields

Affected Software: Views for WPForms – Display & Edit WPForms Entries on your site frontend
CVE ID: CVE-2024-0372
CVSS Score: 4.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2ab58add-ab81-4c84-b773-7daf382492b0

Views for WPForms <= 3.2.2 – Cross-Site Request Forgery via create_view

Affected Software: Views for WPForms – Display & Edit WPForms Entries on your site frontend
CVE ID: CVE-2024-0374
CVSS Score: 4.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/34c0c676-37f9-49f2-ad50-2d70831fda53

Views for WPForms <= 3.2.2 – Missing Authorization via save_view

Affected Software: Views for WPForms – Display & Edit WPForms Entries on your site frontend
CVE ID: CVE-2024-0370
CVSS Score: 4.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3c4c8113-4c46-4179-9c7f-9d5d4337254d

WP Dashboard Notes <= 1.0.10 – Missing Authorization to Arbitrary Private Notes Update

Affected Software: WP Dashboard Notes
CVE ID: CVE-2023-7239
CVSS Score: 4.3 (Medium)
Researcher/s: Pedro Cuco (Illex)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/64a36778-c17c-44ee-8b09-c221d27184f8

WP-Reply Notify <= 1.1 – Cross-Site Request Forgery to Settings Update

Affected Software: WP-Reply Notify
CVE ID: CVE-2023-7195
CVSS Score: 4.3 (Medium)
Researcher/s: Daniel Ruf
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/837e596e-a4a7-4fcf-a761-aed35a789770

InstaWP Connect <= 0.1.0.9 – Missing Authorization to Sensitive Information Dislcosure

Affected Software: InstaWP Connect – 1-click WP Staging & Migration
CVE ID: CVE-2024-23506
CVSS Score: 4.3 (Medium)
Researcher/s: Majed Refaea
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9a184384-9162-4509-957b-d97dd4089856

Views for WPForms <= 3.2.2 – Missing Authorization via create_view

Affected Software: Views for WPForms – Display & Edit WPForms Entries on your site frontend
CVE ID: CVE-2024-0371
CVSS Score: 4.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a9565693-fd0b-4412-944c-81b3cd79492e

illi Link Party! <= 1.0 – Cross-Site Request Forgery to Settings Update

Affected Software: illi Link Party!
CVE ID: CVE-2023-7229
CVSS Score: 4.3 (Medium)
Researcher/s: Bob Matyas
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/acd6b604-45dd-4688-a9b9-fabb12c418e2

Views for WPForms <= 3.2.2 – Cross-Site Request Forgery via save_view

Affected Software: Views for WPForms – Display & Edit WPForms Entries on your site frontend
CVE ID: CVE-2024-0373
CVSS Score: 4.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e2273c53-bc8a-45c7-914d-a3b934c2cb18

As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (January 22, 2024 to January 28, 2024) appeared first on Wordfence.