Last week, there were 64 vulnerabilities disclosed in 67 WordPress Plugins and 10 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 37 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, and webhook integration are completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
Avada <= 7.11.1 – Authenticated(Contributor+) Server Side Request Forgery
Avada <= 7.11.1 – Authenticated(Author+) Arbitrary File Upload via Zip Extraction
Post Grid <= 2.2.50 – Missing Authorization to Sensitive Information Exposure via REST API
WAF-RULE-627, data redacted while we work with the developer to ensure this gets patched.
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.
Total Unpatched & Patched Vulnerabilities Last Week
Patch Status
Number of Vulnerabilities
Unpatched
24
Patched
40
Total Vulnerabilities by CVSS Severity Last Week
Severity Rating
Number of Vulnerabilities
Low Severity
1
Medium Severity
50
High Severity
9
Critical Severity
4
Total Vulnerabilities by CWE Type Last Week
Vulnerability Type by CWE
Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
26
Missing Authorization
12
Cross-Site Request Forgery (CSRF)
9
Improper Privilege Management
2
Use of Less Trusted Source
2
Information Exposure
2
Deserialization of Untrusted Data
1
Server-Side Request Forgery (SSRF)
1
Improper Control of Generation of Code (‘Code Injection’)
1
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
1
URL Redirection to Untrusted Site (‘Open Redirect’)
1
Improper Authorization
1
Improper Access Control
1
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
1
Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’)
1
Weak Password Recovery Mechanism for Forgotten Password
1
Unrestricted Upload of File with Dangerous Type
1
Researchers That Contributed to WordPress Security Last Week
Researcher Name
Number of Vulnerabilities
Marco Wotschka
(Wordfence Vulnerability Researcher)
4
Lana Codes
(Wordfence Vulnerability Researcher)
4
Mika
4
thiennv
3
David
2
Ivy
1
TomS
1
Elliot
1
Dmitrii
1
Skalucy
1
yuyudhn
1
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
Software Name
Software Slug
123.chat – 1:1 Live Video Chat Tool Plugin
123-chat-videochat
Accordion Slider
accordion-slider
Accordion and Accordion Slider
accordion-and-accordion-slider
Advanced File Manager
file-manager-advanced
Album and Image Gallery plus Lightbox
album-and-image-gallery-plus-lightbox
BigBlueButton
bigbluebutton
Blog Designer – Post and Widget
blog-designer-for-post-and-widget
CLUEVO LMS, E-Learning Platform
cluevo-lms
CT Commerce
ct-commerce
Carrrot
carrrot
Cleverwise Daily Quotes
cleverwise-daily-quotes
Comments Like Dislike
comments-like-dislike
Contact form 7 Custom validation
cf7-field-validation
Cookies and Content Security Policy
cookies-and-content-security-policy
Cost Calculator Builder
cost-calculator-builder
Countdown Timer Ultimate
countdown-timer-ultimate
Custom Admin Login Page | WPZest
custom-admin-login-styler-wpzest
Donation Forms by Charitable – Donations Plugin & Fundraising Platform for WordPress
charitable
Donations Made Easy – Smart Donations
smart-donations
Doofinder WP & WooCommerce Search
doofinder-for-woocommerce
Dynamic Pricing and Discount Rules for WooCommerce
woo-conditional-discount-rules-for-checkout
Enhanced Ecommerce Google Analytics for WooCommerce
woo-ecommerce-tracking-for-google-and-facebook
Event Tickets with Ticket Scanner
event-tickets-with-ticket-scanner
GD Security Headers
gd-security-headers
InfiniteWP Client
iwp-client
JS Help Desk – Best Help Desk & Support Plugin
js-support-ticket
Kanban Boards for WordPress
kanban
Make Paths Relative
make-paths-relative
Media from FTP
media-from-ftp
Meta Slider and Carousel with Lightbox
meta-slider-and-carousel-with-lightbox
Orders Tracking for WooCommerce
woo-orders-tracking
Paid Memberships Pro CCBill Gateway
pmpro-ccbill
Password Reset with Code for WordPress REST API
bdvs-password-reset
Plausible Analytics
plausible-analytics
Portfolio Gallery – Responsive Image Gallery
gallery-portfolio
Portfolio and Projects
portfolio-and-projects
Post Ticker Ultimate
ticker-ultimate
Post grid and filter ultimate
post-grid-and-filter-ultimate
Products Quick View for WooCommerce
woocommerce-products-quick-view
Putler Connector for WooCommerce – Accurate Analytics and Reports for your WooCommerce Store
woocommerce-putler-connector
RSVPMaker
rsvpmaker
Schedule Posts Calendar
schedule-posts-calendar
Serial Codes Generator and Validator with WooCommerce Support
serial-codes-generator-and-validator
Simple Org Chart
simple-org-chart
Simple Staff List
simple-staff-list
Smart SEO Tool – SEO优化插件
smart-seo-tool
Stripe Payment Plugin for WooCommerce
payment-gateway-stripe-and-woocommerce-integration
Tabs & Accordion
tabs
Team Slider and Team Grid Showcase plus Team Carousel
wp-team-showcase-and-slider
Testimonial Grid and Testimonial Slider plus Carousel with Rotator Widget
wp-testimonial-with-widget
Timeline and History slider
timeline-and-history-slider
Trending/Popular Post Slider and Widget
wp-trending-post-slider-and-widget
Typing Effect
animated-typing-effect
User Activity Log
user-activity-log
User Submitted Posts – Enable Users to Submit Posts from the Front End
user-submitted-posts
Video Gallery for YouTube Videos and WordPress
youtube-showcase
Video gallery and Player
html5-videogallery-plus-player
WP LINE Notify
wp-line-notify
WP Remote Users Sync
wp-remote-users-sync
WP VR – 360 Panorama and Virtual Tour Builder For WordPress
wpvr
WP-PostRatings
wp-postratings
WebLibrarian
weblibrarian
WooCommerce PDF Invoice Builder, Create invoices, packing slips and more
woo-pdf-invoice-builder
WordPress Mortgage Calculator Estatik
estatik-mortgage-calculator
fitness calculators plugin
fitness-calculators
tagDiv Composer
td-composer
wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin
wpdatatables
WordPress Themes with Reported Vulnerabilities Last Week
Software Name
Software Slug
Aapna
aapna
Anand
anand
Anfaust
anfaust
Arendelle
arendelle
Atlast Business
atlast-business
Bazaar Lite
bazaar-lite
Brain Power
brain-power
BunnyPressLite
bunnypresslite
Cafe Bistro
cafe-bistro
College
college
Vulnerability Details
Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities.
Kanban Boards <= 2.5.21 – Authenticated (Administrator+) Remote Code Execution
CVE ID: CVE-2023-40606
CVSS Score: 9.8 (Critical)
Researcher/s: TomS
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3adea276-6b55-422d-adc9-a767f569181c
Donation Forms by Charitable <= 1.7.0.12 – Unauthenticated Privilege Escalation
CVE ID: CVE-2023-4404
CVSS Score: 9.8 (Critical)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/522ecc1c-5834-4325-9234-79cf712213f3
Contact form 7 Custom validation <= 1.1.3 – Unauthenticated SQL Injection via ‘post’
CVE ID: CVE-2023-40609
CVSS Score: 9.8 (Critical)
Researcher/s: minhtuanact
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/dbfc52a4-6c9d-480b-9247-1513318ff84b
Password Reset with Code for WordPress REST API <= 0.0.15 – Weak Password Recovery Mechanism
CVE ID: CVE-2023-35039
CVSS Score: 9.8 (Critical)
Researcher/s: Jonas Höbenreich
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f44b9e6d-2f84-45f6-9f74-3f23b03c5a49
WP Remote Users Sync <= 1.2.12 – Authenticated (Subscriber+) Server Side Request Forgery
CVE ID: CVE-2023-3958
CVSS Score: 8.5 (High)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2e78c759-4a54-4ee4-8eff-df91fe9dad46
InfiniteWP Client <= 1.11.1 – Authenticated (Subscriber+) Sensitive Information Exposure
CVE ID: CVE-2023-2916
CVSS Score: 7.5 (High)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/aa157c80-447f-4406-9e49-9cc6208b7b19
User Submitted Posts <= 20230809 – Unauthenticated Stored Cross-Site Scripting via ‘user-submitted-content’
CVE ID: CVE-2023-4308
CVSS Score: 7.2 (High)
Researcher/s: NGÔ THIÊN AN
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3bb4d37c-c4c2-4523-9b4e-73ffb7be81ea
tagDiv Composer <= 4.1 – Unauthenticated Stored Cross-Site Scripting
CVE ID: CVE-2023-3169
CVSS Score: 7.2 (High)
Researcher/s: Truoc Phan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6998cf4c-6086-402b-a95f-ee6a4980dffb
Cleverwise Daily Quotes <= 3.2 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-40335
CVSS Score: 7.2 (High)
Researcher/s: Yuki Haruma
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/71f7733a-1350-4e22-98d8-28be401aee69
GD Security Headers <= 1.6.1 – Unauthenticated Cross-Site Scripting
CVE ID: CVE-2023-40330
CVSS Score: 7.2 (High)
Researcher/s: minhtuanact
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7ce32ecf-6995-4794-8559-2f84533ecf50
RSVPMarker <= 10.6.5 – Unauthenticated Stored Cross-Site Scripting via ’email’
CVE ID: CVE-2023-27616
CVSS Score: 7.2 (High)
Researcher/s: Muhammad Arsalan Diponegoro
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/aaf0e58c-0430-44fe-980f-8ea469802c86
Mortgage Calculator Estatik <= 2.0.7 – Unauthenticated Cross-Site Scripting
CVE ID: CVE-2023-40601
CVSS Score: 7.2 (High)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cb73e92b-b807-4406-b378-cef6cff9eb82
JS Help Desk – Best Help Desk & Support Plugin <= 2.7.7 – Authenticated (Administrator+) Arbitrary File Upload
CVE ID: CVE-2023-25444
CVSS Score: 7.2 (High)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fa75366a-651c-43d0-a32b-cdabf5b07b66
wpDataTables – Tables & Table Charts <= 2.1.65 – Authenticated(Administrator+) PHP Object Injection
CVE ID: CVE Unknown
CVSS Score: 6.6 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0c458644-a799-4bea-abcb-06a946dc19df
Advanced File Manager <= 5.1 – Authenticated(Administrator+) Arbitrary File and Folder Access
CVE ID: CVE-2023-3814
CVSS Score: 6.6 (Medium)
Researcher/s: Dmitrii
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ceba35c3-16b0-4366-b33c-603bdc2c1006
Gallery Portfolio <= 1.4.6 – Missing Authorization via Multiple AJAX actions
CVE ID: CVE Unknown
CVSS Score: 6.5 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/96112707-04ca-4647-9008-31954764486f
Event Tickets with Ticket Scanner <= 1.5.4 – Authenticated (Subscriber+) Stored Cross-Site Scripting
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2ec40d89-9caa-44dc-8577-00fa6463348c
BigBlueButton <= 3.0.0-beta.4 – Authenticated (Author+) Stored Cross-Site Scripting
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5f829d21-5347-46ec-9218-2b3cbe7d7b95
Serial Codes Generator and Validator with WooCommerce Support <= 2.4.14 – Authenticated (Subscriber+) Stored Cross-Site Scripting
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c4886822-3a05-45b3-ad1d-4d4a4f921817
Typing Effect <= 1.3.6 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-40605
CVSS Score: 6.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/db12f986-580e-4e81-8bd2-124393e5d21b
Media from FTP <= 11.16 – Authenticated (Author+) Improper Privilege Management
CVE ID: CVE-2023-4019
CVSS Score: 6.3 (Medium)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9764d402-b8a2-43d5-882a-bc3886078b7f
LINE Notify <= 1.4.4 – Reflected Cross-Site Scripting via ‘uid’
CVE ID: CVE-2023-30497
CVSS Score: 6.1 (Medium)
Researcher/s: Ivy
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2b4e7c02-48d3-4271-a3bc-e7d3256b7217
Multiple Themes (Various Versions) – Reflected Cross-Site Scripting via Search Field
CVE ID: CVE-2023-2813
CVSS Score: 6.1 (Medium)
Researcher/s: Random Robbie
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/32253923-ffec-4312-bcdf-06c5aed77d30
Plausible Analytics <= 1.3.3 – Reflected Cross-Site Scripting via page-url
CVE ID: CVE-2023-40553
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3ed6d5e6-1094-46ec-afb9-43c142f334ed
WebLibrarian <= 3.5.8.1 – Reflected Cross-Site Scripting via multiple parameters
CVE ID: CVE-2023-29441
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6b4b05a8-3a32-4fa9-9ff5-a2a62b11a05d
Donations Made Easy – Smart Donations <= 4.0.12 – Unauthenticated Stored Cross-Site Scripting
CVE ID: CVE-2023-40664
CVSS Score: 6.1 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/799975aa-44fe-48dc-8ac9-469c89a03c67
WP VR <= 8.3.4 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-40663
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fc08e4cf-3964-406e-9046-420e749df4b5
Fitness calculators plugin <= 2.0.7 – Authenticated (Administrator+) Stored Cross-Site Scripting via admin settings
CVE ID: CVE-2023-40552
CVSS Score: 5.5 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/aafbdd50-c78b-4aad-a3e2-f1339d698e77
Smart SEO Tool-WordPress SEO优化插件 <= 4.0.1 – Cross-Sitquest Forgery via ‘wp_ajax_wb_smart_seo_tool’
CVE ID: CVE Unknown
CVSS Score: 5.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/078d06ad-555b-4de4-a032-d81440c7dfb5
Doofinder for WooCommerce <= 1.5.49 – Unauthenticated Open Redirect
CVE ID: CVE-2023-40602
CVSS Score: 5.4 (Medium)
Researcher/s: minhtuanact
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7414779e-7241-4ab2-9b1f-34c3e1acc66b
Cost Calculator Builder <= 3.1.42 – Improper Authorization
CVE ID: CVE-2023-40011
CVSS Score: 5.4 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/94d60fcb-a542-41a9-b6ac-6ac2607068aa
WooCommerce Enhanced Ecommerce Analytics Integration with Conversion Tracking <= 3.7.1 – Cross-Site Request Forgery
CVE ID: CVE-2023-40561
CVSS Score: 5.4 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a3f7e1a4-88b2-4069-adb8-d51278b48234
Putler Connector for WooCommerce <= 2.12.0 – Missing Authorization via ‘putler_connector_sync_complete’
CVE ID: CVE-2023-40327
CVSS Score: 5.3 (Medium)
Researcher/s: David
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/09a1388e-6c87-44cd-a137-4212b569423b
Multiple WPOnlineSupport Plugins <= (Various Versions) – Missing Authorization to Notice Dismissal
CVE ID: CVE-2023-40200
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2931fda2-edc8-44ea-9fff-ae9d94aa01bf
Paid Memberships Pro CCBill Gateway <= 0.3 – Insufficient Authorization
CVE ID: CVE-2023-40608
CVSS Score: 5.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/47bb46df-3ed6-4331-8c05-c76331aa6995
Comments Like Dislike <= 1.2.0 – Missing Authorization to Authenticated (Subscriber+) Plugin Setting Reset
CVE ID: CVE-2023-3244
CVSS Score: 5.3 (Medium)
Researcher/s: Hung Duong
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/66019297-a8a8-4bbc-99db-4b47066f3e50
WP-PostRatings <= 1.91 – IP Spoofing
CVE ID: CVE-2023-40332
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6aed9434-1681-47d6-bbc1-0815db548a24
User Activity Log <= 1.6.6 – IP Address Spoofing
CVE ID: CVE-2023-4279
CVSS Score: 5.3 (Medium)
Researcher/s: Bartłomiej Marek, Tomasz Swiadek
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/77462f1f-f7d8-4d11-aaf1-82395897fcfa
Cookies and Content Security Policy <= 2.15 – Sensitive Information Exposure
CVE ID: CVE-2023-40662
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/79e68c5b-1f1a-4af3-acf4-1a38f2d72424
Simple Org Chart <= 2.3.4 – Missing Authorization
CVE ID: CVE-2023-40603
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c674ec32-7959-414a-8c31-3455bebb47bb
Stripe Payment Plugin for WooCommerce <= 3.7.9 – Missing Authorization to Arbitrary Order Status Modification
CVE ID: CVE-2023-4040
CVSS Score: 5.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ef543c61-2acc-4b72-81ff-883960d4c7c3
123.chat <= 1.3.0 – Authenticated(Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-4298
CVSS Score: 4.4 (Medium)
Researcher/s: Jonatas Souza Villa Flor
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0a0ced4d-368d-4f12-9099-1f8c0b0fe245
tagDiv Composer <= 4.1 – Authenticated (Admin+) Stored Cross-Site Scripting
CVE ID: CVE-2023-3170
CVSS Score: 4.4 (Medium)
Researcher/s: Truoc Phan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3861f675-1a26-4947-91ef-8ab04646704f
CT Commerce <= 2.0.1 – Authenticated (Administrator+) Stored Cross-Site Scripting via admin settings
CVE ID: CVE-2023-40007
CVSS Score: 4.4 (Medium)
Researcher/s: Nithissh S
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/399109be-7efe-428e-a9b8-7a68864b2790
Schedule Posts Calendar <= 5.2 – Authenticated (Administrator+) Stored Cross-Site Scripting via admin settings
CVE ID: CVE-2023-40560
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/61c815c2-a5ea-431c-bfde-c08a4eb5fda6
WooCommerce PDF Invoice Builder <= 1.2.90 – Authenticated (Administrator+) Cross-Site Scripting
CVE ID: CVE-2023-4160
CVSS Score: 4.4 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6a765360-8603-4ba1-a6db-dd0175ff3ddf
Carrot <= 1.1.0 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-40328
CVSS Score: 4.4 (Medium)
Researcher/s: Prasanna V Balaji
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/77fa042d-1e4f-4344-bf5a-3860add7aae3
Custom Admin Login Page | WPZest <= 1.2.0 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-40329
CVSS Score: 4.4 (Medium)
Researcher/s: Lokesh Dachepalli
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/906dcf2a-6be1-4966-9a70-1ef9a8f1017d
RSVPMarker <= 10.6.5 – Authenticated (Administrator+) Stored Cross-Site Scripting via admin settings
CVE ID: CVE-2023-27617
CVSS Score: 4.4 (Medium)
Researcher/s: Muhammad Arsalan Diponegoro
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cfb27513-61ad-4cf0-a471-0ab7aeb0801b
Simple Staff List <= 2.2.3 – Authenticated (Editor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-28790
CVSS Score: 4.4 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f5880581-3505-4851-b32f-cd2873072f73
WooCommerce PDF Invoice Builder <= 1.2.89 – Missing Authorization to Sensitive Information Exposure
CVE ID: CVE-2023-4245
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/200fbfc1-df21-43b0-8eb1-b2ba0cc0c0df
WP Remote Users Sync <= 1.2.11 – Missing Authorization to Authenticated (Subscriber+) Log View
CVE ID: CVE-2023-4374
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2e87cfc4-8e7c-47d6-80fc-9c293cdd8acb
Putler Connector for WooCommerce <= 2.12.0 – Missing Authorization via ‘send_resync_request’
CVE ID: CVE-2023-40326
CVSS Score: 4.3 (Medium)
Researcher/s: David
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/38537f60-52f4-4007-b26f-6948b9263931
Products Quick View for WooCommerce <= 2.2.0 – Missing Authorization
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/39c9f055-2527-4678-bda1-27a29ab24acd
WooCommerce PDF Invoice Builder <= 1.2.90 – Cross-Site Request Forgery to Custom Field Creation
CVE ID: CVE-2023-4161
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3b7aac1c-6962-49cf-850f-ab7b1d220090
Accordion Slider <= 1.9.6 – Missing Authorization to Notice Dismissal
CVE ID: CVE-2023-40331
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3dc69bba-39e0-46bd-8cdb-7cf1f7d36282
CLUEVO LMS, E-Learning Platform <= 1.10.0 – Cross-Site Request Forgery
CVE ID: CVE-2023-40607
CVSS Score: 4.3 (Medium)
Researcher/s: Debangshu Kundu, Arpeet Rathi
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/414165a3-78f8-4254-ac24-2de177cad3dd
Schedule Posts Calendar <= 5.2 – Cross-Site Request Forgery
CVE ID: CVE-2023-40556
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7d4f490e-c86e-490e-8041-36c154b890aa
Make Paths Relative <= 1.3.0 – Cross-Site Request Forgery via ‘admin/class-make-paths-relative-admin.php’
CVE ID: CVE-2023-27433
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/85317781-7e77-4a78-af67-0a1dce39364c
Simple Org Chart <= 2.3.4 – Cross-Site Request Forgery
CVE ID: CVE-2023-28791
CVSS Score: 4.3 (Medium)
Researcher/s: Elliot
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8d413350-f520-4dd9-af7d-e776628aef1d
WooCommerce Dynamic Pricing and Discount Rules <= 2.4.0 – Cross-Site Request Forgery
CVE ID: CVE-2023-40559
CVSS Score: 4.3 (Medium)
Researcher/s: Skalucy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d624f234-c57a-4a66-900d-362194a79d34
Video Gallery & Management <= 3.3.5 – Cross-Site Request Forgery
CVE ID: CVE-2023-40558
CVSS Score: 4.3 (Medium)
Researcher/s: thiennv
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e226d75f-37b2-4af2-bba0-0fd3a96cc1a0
Tabs & Accordion <= 1.3.10 – Authenticated (Contributor+) Content Injection
CVE ID: CVE-2023-40557
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/eaead805-b122-4418-a4a0-cf1b0925f3c3
Orders Tracking for WooCommerce <= 1.2.5 – Authenticated (Administrator+) Directory Traversal via ‘file_url’
CVE ID: CVE-2023-4216
CVSS Score: 2.7 (Low)
Researcher/s: Utkarsh Agrawal
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5a62e8b2-7606-4842-8be5-dff8634539d0
As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.
This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
The post Wordfence Intelligence Weekly WordPress Vulnerability Report (August 14, 2023 to August 20, 2023) appeared first on Wordfence.