Last week, 64 vulnerabilities disclosed in 67 WordPress plugins and 10 WordPress themes were added to the Wordfence Intelligence Vulnerability Database, with 37 vulnerability researchers contributing to WordPress security (the software count exceeds the vulnerability count because one entry covers several WPOnlineSupport plugins and another covers ten themes). Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, and webhook integration are completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Click here to sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress security reports in your inbox the moment they are published.

New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

Avada <= 7.11.1 – Authenticated (Contributor+) Server Side Request Forgery
Avada <= 7.11.1 – Authenticated (Author+) Arbitrary File Upload via Zip Extraction
Post Grid <= 2.2.50 – Missing Authorization to Sensitive Information Exposure via REST API
WAF-RULE-627, data redacted while we work with the developer to ensure this gets patched.

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30-day delay.

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status (Number of Vulnerabilities)
Unpatched: 24
Patched: 40

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating (Number of Vulnerabilities)
Low Severity: 1
Medium Severity: 50
High Severity: 9
Critical Severity: 4

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE (Number of Vulnerabilities)
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’): 26
Missing Authorization: 12
Cross-Site Request Forgery (CSRF): 9
Improper Privilege Management: 2
Use of Less Trusted Source: 2
Information Exposure: 2
Deserialization of Untrusted Data: 1
Server-Side Request Forgery (SSRF): 1
Improper Control of Generation of Code (‘Code Injection’): 1
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’): 1
URL Redirection to Untrusted Site (‘Open Redirect’): 1
Improper Authorization: 1
Improper Access Control: 1
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’): 1
Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’): 1
Weak Password Recovery Mechanism for Forgotten Password: 1
Unrestricted Upload of File with Dangerous Type: 1

Researchers That Contributed to WordPress Security Last Week

Researcher Name (Number of Vulnerabilities)
Abdi Pranata: 5
Marco Wotschka (Wordfence Vulnerability Researcher): 4
Lana Codes (Wordfence Vulnerability Researcher): 4
Mika: 4
minhtuanact: 3
thiennv: 3
David: 2
Truoc Phan: 2
Rio Darmawan: 2
LEE SE HYOUNG: 2
Yuki Haruma: 2
Muhammad Arsalan Diponegoro: 2
Jonatas Souza Villa Flor: 1
Ivy: 1
Random Robbie: 1
Nithissh S: 1
TomS: 1
NGÔ THIÊN AN: 1
Le Ngoc Anh: 1
Debangshu Kundu: 1
Arpeet Rathi: 1
Rafie Muhammad: 1
Utkarsh Agrawal: 1
Hung Duong: 1
Bartłomiej Marek: 1
Tomasz Swiadek: 1
Prasanna V Balaji: 1
Nguyen Xuan Chien: 1
Elliot: 1
Lokesh Dachepalli: 1
Rafshanzani Suhada: 1
Dmitrii Ignatyev: 1
Dmitrii: 1
Skalucy: 1
yuyudhn: 1
Francesco Carlucci: 1
Jonas Höbenreich: 1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name (Software Slug)
123.chat – 1:1 Live Video Chat Tool Plugin (123-chat-videochat)
Accordion Slider (accordion-slider)
Accordion and Accordion Slider (accordion-and-accordion-slider)
Advanced File Manager (file-manager-advanced)
Album and Image Gallery plus Lightbox (album-and-image-gallery-plus-lightbox)
BigBlueButton (bigbluebutton)
Blog Designer – Post and Widget (blog-designer-for-post-and-widget)
CLUEVO LMS, E-Learning Platform (cluevo-lms)
CT Commerce (ct-commerce)
Carrrot (carrrot)
Cleverwise Daily Quotes (cleverwise-daily-quotes)
Comments Like Dislike (comments-like-dislike)
Contact form 7 Custom validation (cf7-field-validation)
Cookies and Content Security Policy (cookies-and-content-security-policy)
Cost Calculator Builder (cost-calculator-builder)
Countdown Timer Ultimate (countdown-timer-ultimate)
Custom Admin Login Page | WPZest (custom-admin-login-styler-wpzest)
Donation Forms by Charitable – Donations Plugin & Fundraising Platform for WordPress (charitable)
Donations Made Easy – Smart Donations (smart-donations)
Doofinder WP & WooCommerce Search (doofinder-for-woocommerce)
Dynamic Pricing and Discount Rules for WooCommerce (woo-conditional-discount-rules-for-checkout)
Enhanced Ecommerce Google Analytics for WooCommerce (woo-ecommerce-tracking-for-google-and-facebook)
Event Tickets with Ticket Scanner (event-tickets-with-ticket-scanner)
GD Security Headers (gd-security-headers)
InfiniteWP Client (iwp-client)
JS Help Desk – Best Help Desk & Support Plugin (js-support-ticket)
Kanban Boards for WordPress (kanban)
Make Paths Relative (make-paths-relative)
Media from FTP (media-from-ftp)
Meta Slider and Carousel with Lightbox (meta-slider-and-carousel-with-lightbox)
Orders Tracking for WooCommerce (woo-orders-tracking)
Paid Memberships Pro CCBill Gateway (pmpro-ccbill)
Password Reset with Code for WordPress REST API (bdvs-password-reset)
Plausible Analytics (plausible-analytics)
Portfolio Gallery – Responsive Image Gallery (gallery-portfolio)
Portfolio and Projects (portfolio-and-projects)
Post Ticker Ultimate (ticker-ultimate)
Post grid and filter ultimate (post-grid-and-filter-ultimate)
Products Quick View for WooCommerce (woocommerce-products-quick-view)
Putler Connector for WooCommerce – Accurate Analytics and Reports for your WooCommerce Store (woocommerce-putler-connector)
RSVPMaker (rsvpmaker)
Schedule Posts Calendar (schedule-posts-calendar)
Serial Codes Generator and Validator with WooCommerce Support (serial-codes-generator-and-validator)
Simple Org Chart (simple-org-chart)
Simple Staff List (simple-staff-list)
Smart SEO Tool – SEO优化插件 (smart-seo-tool)
Stripe Payment Plugin for WooCommerce (payment-gateway-stripe-and-woocommerce-integration)
Tabs & Accordion (tabs)
Team Slider and Team Grid Showcase plus Team Carousel (wp-team-showcase-and-slider)
Testimonial Grid and Testimonial Slider plus Carousel with Rotator Widget (wp-testimonial-with-widget)
Timeline and History slider (timeline-and-history-slider)
Trending/Popular Post Slider and Widget (wp-trending-post-slider-and-widget)
Typing Effect (animated-typing-effect)
User Activity Log (user-activity-log)
User Submitted Posts – Enable Users to Submit Posts from the Front End (user-submitted-posts)
Video Gallery for YouTube Videos and WordPress (youtube-showcase)
Video gallery and Player (html5-videogallery-plus-player)
WP LINE Notify (wp-line-notify)
WP Remote Users Sync (wp-remote-users-sync)
WP VR – 360 Panorama and Virtual Tour Builder For WordPress (wpvr)
WP-PostRatings (wp-postratings)
WebLibrarian (weblibrarian)
WooCommerce PDF Invoice Builder, Create invoices, packing slips and more (woo-pdf-invoice-builder)
WordPress Mortgage Calculator Estatik (estatik-mortgage-calculator)
fitness calculators plugin (fitness-calculators)
tagDiv Composer (td-composer)
wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin (wpdatatables)

WordPress Themes with Reported Vulnerabilities Last Week

Software Name (Software Slug)
Aapna (aapna)
Anand (anand)
Anfaust (anfaust)
Arendelle (arendelle)
Atlast Business (atlast-business)
Bazaar Lite (bazaar-lite)
Brain Power (brain-power)
BunnyPressLite (bunnypresslite)
Cafe Bistro (cafe-bistro)
College (college)

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site with the scanner enabled, you should already have been notified if your site was affected by any of these vulnerabilities.
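Checking a long list like the one below by hand is error prone, and the comparison has to use the same version ordering WordPress does. The script that follows is an added example written for this report; it is not a Wordfence tool and not code from any of the plugins listed. It compares `wp plugin list --format=json` output against a hand-copied subset of this report's "<= version" ranges, using a comparator that mirrors PHP's version_compare() so that pre-release tags such as 3.0.0-beta.4 and date-style versions such as 20230809 sort correctly. REPORT_ENTRIES is the table you would extend with the remaining entries, and WP_PLUGIN_LIST_JSON is constructed sample data rather than output from a real site.

```python
"""Check a site's installed plugins against the '<= version' ranges in this report.

Added example for this report, not a Wordfence tool. REPORT_ENTRIES is a
hand-copied subset of the entries below; WP_PLUGIN_LIST_JSON is constructed
sample output of `wp plugin list --format=json`, not from a real site.
"""
import json
import re

# (slug, highest affected version, entry title). A "<= X" range in the report
# means every release up to and including X is affected.
REPORT_ENTRIES = [
    ("kanban", "2.5.21", "Kanban Boards <= 2.5.21 - Authenticated (Administrator+) RCE"),
    ("charitable", "1.7.0.12", "Donation Forms by Charitable <= 1.7.0.12 - Unauthenticated Privilege Escalation"),
    ("cf7-field-validation", "1.1.3", "Contact form 7 Custom validation <= 1.1.3 - Unauthenticated SQL Injection"),
    ("bigbluebutton", "3.0.0-beta.4", "BigBlueButton <= 3.0.0-beta.4 - Authenticated (Author+) Stored XSS"),
    ("user-submitted-posts", "20230809", "User Submitted Posts <= 20230809 - Unauthenticated Stored XSS"),
    ("wp-remote-users-sync", "1.2.12", "WP Remote Users Sync <= 1.2.12 - Authenticated (Subscriber+) SSRF"),
]

# Constructed sample of `wp plugin list --format=json` (not a real site).
WP_PLUGIN_LIST_JSON = """[
  {"name": "kanban", "status": "active", "update": "none", "version": "2.5.21"},
  {"name": "charitable", "status": "active", "update": "available", "version": "1.7.0.13"},
  {"name": "bigbluebutton", "status": "inactive", "update": "none", "version": "3.0.0-beta.4"},
  {"name": "user-submitted-posts", "status": "active", "update": "none", "version": "20230810"},
  {"name": "wp-remote-users-sync", "status": "active", "update": "none", "version": "1.2.9"},
  {"name": "akismet", "status": "active", "update": "none", "version": "5.2"}
]"""

# Ordering of pre-release/post-release tags, as in PHP's version_compare(),
# which is what WordPress itself uses to compare plugin versions.
_TAG_ORDER = {"dev": 0, "alpha": 1, "a": 1, "beta": 2, "b": 2, "RC": 3, "rc": 3, "#": 4, "pl": 5, "p": 5}


def _canon(version):
    """Split '3.0.0-beta.4' into ['3', '0', '0', 'beta', '4'] (PHP canonicalization, approximated)."""
    version = re.sub(r"[-_+]", ".", version)
    version = re.sub(r"(?<=\d)(?=[^\d.])|(?<=[^\d.])(?=\d)", ".", version)
    return [part for part in version.split(".") if part]


def _cmp_part(a, b):
    """Compare two components: numerically if both numeric, else by tag rank."""
    if a.isdigit() and b.isdigit():
        return (int(a) > int(b)) - (int(a) < int(b))
    ra = _TAG_ORDER["#"] if a.isdigit() else _TAG_ORDER.get(a, -1)  # unknown tags rank lowest
    rb = _TAG_ORDER["#"] if b.isdigit() else _TAG_ORDER.get(b, -1)
    return (ra > rb) - (ra < rb)


def version_compare(v1, v2):
    """Return -1, 0 or 1 like PHP's version_compare(v1, v2)."""
    p1, p2 = _canon(v1), _canon(v2)
    for a, b in zip(p1, p2):
        c = _cmp_part(a, b)
        if c:
            return c
    if len(p1) == len(p2):
        return 0
    # Leftover components decide: a trailing number means "newer" ("1.0.1" > "1.0"),
    # a trailing pre-release tag means "older" ("1.0-beta" < "1.0").
    if len(p1) > len(p2):
        extra = p1[len(p2)]
        return 1 if extra.isdigit() else _cmp_part(extra, "#")
    extra = p2[len(p1)]
    return -1 if extra.isdigit() else _cmp_part("#", extra)


def affected_plugins(plugin_list_json, entries=REPORT_ENTRIES):
    """Return (slug, installed_version, title) for every installed plugin inside an affected range.

    Status is deliberately ignored: a plugin you merely deactivated still has its
    files on disk and still needs updating or removing, so it is reported too.
    """
    by_slug = {}
    for slug, max_version, title in entries:
        by_slug.setdefault(slug, []).append((max_version, title))
    hits = []
    for plugin in json.loads(plugin_list_json):
        for max_version, title in by_slug.get(plugin["name"], []):
            if version_compare(plugin["version"], max_version) <= 0:
                hits.append((plugin["name"], plugin["version"], title))
    return hits


if __name__ == "__main__":
    for slug, installed, title in affected_plugins(WP_PLUGIN_LIST_JSON):
        print(f"{slug} {installed}: {title}")
```

Against the sample data this flags kanban, bigbluebutton and wp-remote-users-sync; charitable and user-submitted-posts are one release past the affected range and are not reported. To run it on a real site, replace WP_PLUGIN_LIST_JSON with the actual `wp plugin list --format=json` output. A hit on an entry marked Unpatched below means there is no fixed release to update to yet, so the practical remediation is to remove the plugin until one ships.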

Kanban Boards <= 2.5.21 – Authenticated (Administrator+) Remote Code Execution

Affected Software: Kanban Boards for WordPress
CVE ID: CVE-2023-40606
CVSS Score: 9.8 (Critical)
Researcher/s: TomS
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3adea276-6b55-422d-adc9-a767f569181c

Donation Forms by Charitable <= 1.7.0.12 – Unauthenticated Privilege Escalation

Affected Software: Donation Forms by Charitable – Donations Plugin & Fundraising Platform for WordPress
CVE ID: CVE-2023-4404
CVSS Score: 9.8 (Critical)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/522ecc1c-5834-4325-9234-79cf712213f3

Contact form 7 Custom validation <= 1.1.3 – Unauthenticated SQL Injection via ‘post’

Affected Software: Contact form 7 Custom validation
CVE ID: CVE-2023-40609
CVSS Score: 9.8 (Critical)
Researcher/s: minhtuanact
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/dbfc52a4-6c9d-480b-9247-1513318ff84b

Password Reset with Code for WordPress REST API <= 0.0.15 – Weak Password Recovery Mechanism

Affected Software: Password Reset with Code for WordPress REST API
CVE ID: CVE-2023-35039
CVSS Score: 9.8 (Critical)
Researcher/s: Jonas Höbenreich
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f44b9e6d-2f84-45f6-9f74-3f23b03c5a49

WP Remote Users Sync <= 1.2.12 – Authenticated (Subscriber+) Server Side Request Forgery

Affected Software: WP Remote Users Sync
CVE ID: CVE-2023-3958
CVSS Score: 8.5 (High)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2e78c759-4a54-4ee4-8eff-df91fe9dad46

InfiniteWP Client <= 1.11.1 – Authenticated (Subscriber+) Sensitive Information Exposure

Affected Software: InfiniteWP Client
CVE ID: CVE-2023-2916
CVSS Score: 7.5 (High)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/aa157c80-447f-4406-9e49-9cc6208b7b19

User Submitted Posts <= 20230809 – Unauthenticated Stored Cross-Site Scripting via ‘user-submitted-content’

Affected Software: User Submitted Posts – Enable Users to Submit Posts from the Front End
CVE ID: CVE-2023-4308
CVSS Score: 7.2 (High)
Researcher/s: NGÔ THIÊN AN
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3bb4d37c-c4c2-4523-9b4e-73ffb7be81ea

tagDiv Composer <= 4.1 – Unauthenticated Stored Cross-Site Scripting

Affected Software: tagDiv Composer
CVE ID: CVE-2023-3169
CVSS Score: 7.2 (High)
Researcher/s: Truoc Phan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6998cf4c-6086-402b-a95f-ee6a4980dffb

Cleverwise Daily Quotes <= 3.2 – Reflected Cross-Site Scripting

Affected Software: Cleverwise Daily Quotes
CVE ID: CVE-2023-40335
CVSS Score: 7.2 (High)
Researcher/s: Yuki Haruma
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/71f7733a-1350-4e22-98d8-28be401aee69

GD Security Headers <= 1.6.1 – Unauthenticated Cross-Site Scripting

Affected Software: GD Security Headers
CVE ID: CVE-2023-40330
CVSS Score: 7.2 (High)
Researcher/s: minhtuanact
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7ce32ecf-6995-4794-8559-2f84533ecf50

RSVPMaker <= 10.6.5 – Unauthenticated Stored Cross-Site Scripting via ’email’

Affected Software: RSVPMaker
CVE ID: CVE-2023-27616
CVSS Score: 7.2 (High)
Researcher/s: Muhammad Arsalan Diponegoro
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/aaf0e58c-0430-44fe-980f-8ea469802c86

Mortgage Calculator Estatik <= 2.0.7 – Unauthenticated Cross-Site Scripting

Affected Software: WordPress Mortgage Calculator Estatik
CVE ID: CVE-2023-40601
CVSS Score: 7.2 (High)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cb73e92b-b807-4406-b378-cef6cff9eb82

JS Help Desk – Best Help Desk & Support Plugin <= 2.7.7 – Authenticated (Administrator+) Arbitrary File Upload

Affected Software: JS Help Desk – Best Help Desk & Support Plugin
CVE ID: CVE-2023-25444
CVSS Score: 7.2 (High)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fa75366a-651c-43d0-a32b-cdabf5b07b66

wpDataTables – Tables & Table Charts <= 2.1.65 – Authenticated (Administrator+) PHP Object Injection

Affected Software: wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin
CVE ID: CVE Unknown
CVSS Score: 6.6 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0c458644-a799-4bea-abcb-06a946dc19df

Advanced File Manager <= 5.1 – Authenticated (Administrator+) Arbitrary File and Folder Access

Affected Software: Advanced File Manager
CVE ID: CVE-2023-3814
CVSS Score: 6.6 (Medium)
Researcher/s: Dmitrii
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ceba35c3-16b0-4366-b33c-603bdc2c1006

Gallery Portfolio <= 1.4.6 – Missing Authorization via Multiple AJAX actions

Affected Software: Portfolio Gallery – Responsive Image Gallery
CVE ID: CVE Unknown
CVSS Score: 6.5 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/96112707-04ca-4647-9008-31954764486f

Event Tickets with Ticket Scanner <= 1.5.4 – Authenticated (Subscriber+) Stored Cross-Site Scripting

Affected Software: Event Tickets with Ticket Scanner
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2ec40d89-9caa-44dc-8577-00fa6463348c

BigBlueButton <= 3.0.0-beta.4 – Authenticated (Author+) Stored Cross-Site Scripting

Affected Software: BigBlueButton
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5f829d21-5347-46ec-9218-2b3cbe7d7b95

Serial Codes Generator and Validator with WooCommerce Support <= 2.4.14 – Authenticated (Subscriber+) Stored Cross-Site Scripting

Affected Software: Serial Codes Generator and Validator with WooCommerce Support
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c4886822-3a05-45b3-ad1d-4d4a4f921817

Typing Effect <= 1.3.6 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Typing Effect
CVE ID: CVE-2023-40605
CVSS Score: 6.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/db12f986-580e-4e81-8bd2-124393e5d21b

Media from FTP <= 11.16 – Authenticated (Author+) Improper Privilege Management

Affected Software: Media from FTP
CVE ID: CVE-2023-4019
CVSS Score: 6.3 (Medium)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9764d402-b8a2-43d5-882a-bc3886078b7f

LINE Notify <= 1.4.4 – Reflected Cross-Site Scripting via ‘uid’

Affected Software: WP LINE Notify
CVE ID: CVE-2023-30497
CVSS Score: 6.1 (Medium)
Researcher/s: Ivy
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2b4e7c02-48d3-4271-a3bc-e7d3256b7217

Multiple Themes (Various Versions) – Reflected Cross-Site Scripting via Search Field

Affected Software/s: College, Anfaust, Brain Power, BunnyPressLite, Bazaar Lite, Cafe Bistro, Arendelle, Anand, Atlast Business, Aapna
CVE ID: CVE-2023-2813
CVSS Score: 6.1 (Medium)
Researcher/s: Random Robbie
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/32253923-ffec-4312-bcdf-06c5aed77d30

Plausible Analytics <= 1.3.3 – Reflected Cross-Site Scripting via page-url

Affected Software: Plausible Analytics
CVE ID: CVE-2023-40553
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3ed6d5e6-1094-46ec-afb9-43c142f334ed

WebLibrarian <= 3.5.8.1 – Reflected Cross-Site Scripting via multiple parameters

Affected Software: WebLibrarian
CVE ID: CVE-2023-29441
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6b4b05a8-3a32-4fa9-9ff5-a2a62b11a05d

Donations Made Easy – Smart Donations <= 4.0.12 – Unauthenticated Stored Cross-Site Scripting

Affected Software: Donations Made Easy – Smart Donations
CVE ID: CVE-2023-40664
CVSS Score: 6.1 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/799975aa-44fe-48dc-8ac9-469c89a03c67

WP VR <= 8.3.4 – Reflected Cross-Site Scripting

Affected Software: WP VR – 360 Panorama and Virtual Tour Builder For WordPress
CVE ID: CVE-2023-40663
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fc08e4cf-3964-406e-9046-420e749df4b5

Fitness calculators plugin <= 2.0.7 – Authenticated (Administrator+) Stored Cross-Site Scripting via admin settings

Affected Software: fitness calculators plugin
CVE ID: CVE-2023-40552
CVSS Score: 5.5 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/aafbdd50-c78b-4aad-a3e2-f1339d698e77

Smart SEO Tool-WordPress SEO优化插件 <= 4.0.1 – Cross-Site Request Forgery via ‘wp_ajax_wb_smart_seo_tool’

Affected Software: Smart SEO Tool – SEO优化插件
CVE ID: CVE Unknown
CVSS Score: 5.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/078d06ad-555b-4de4-a032-d81440c7dfb5

Doofinder for WooCommerce <= 1.5.49 – Unauthenticated Open Redirect

Affected Software: Doofinder WP & WooCommerce Search
CVE ID: CVE-2023-40602
CVSS Score: 5.4 (Medium)
Researcher/s: minhtuanact
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7414779e-7241-4ab2-9b1f-34c3e1acc66b

Cost Calculator Builder <= 3.1.42 – Improper Authorization

Affected Software: Cost Calculator Builder
CVE ID: CVE-2023-40011
CVSS Score: 5.4 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/94d60fcb-a542-41a9-b6ac-6ac2607068aa

WooCommerce Enhanced Ecommerce Analytics Integration with Conversion Tracking <= 3.7.1 – Cross-Site Request Forgery

Affected Software: Enhanced Ecommerce Google Analytics for WooCommerce
CVE ID: CVE-2023-40561
CVSS Score: 5.4 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a3f7e1a4-88b2-4069-adb8-d51278b48234

Putler Connector for WooCommerce <= 2.12.0 – Missing Authorization via ‘putler_connector_sync_complete’

Affected Software: Putler Connector for WooCommerce – Accurate Analytics and Reports for your WooCommerce Store
CVE ID: CVE-2023-40327
CVSS Score: 5.3 (Medium)
Researcher/s: David
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/09a1388e-6c87-44cd-a137-4212b569423b

Multiple WPOnlineSupport Plugins <= (Various Versions) – Missing Authorization to Notice Dismissal

Paid Memberships Pro CCBill Gateway <= 0.3 – Insufficient Authorization

Affected Software: Paid Memberships Pro CCBill Gateway
CVE ID: CVE-2023-40608
CVSS Score: 5.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/47bb46df-3ed6-4331-8c05-c76331aa6995

Comments Like Dislike <= 1.2.0 – Missing Authorization to Authenticated (Subscriber+) Plugin Setting Reset

Affected Software: Comments Like Dislike
CVE ID: CVE-2023-3244
CVSS Score: 5.3 (Medium)
Researcher/s: Hung Duong
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/66019297-a8a8-4bbc-99db-4b47066f3e50

WP-PostRatings <= 1.91 – IP Spoofing

Affected Software: WP-PostRatings
CVE ID: CVE-2023-40332
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6aed9434-1681-47d6-bbc1-0815db548a24

User Activity Log <= 1.6.6 – IP Address Spoofing

Affected Software: User Activity Log
CVE ID: CVE-2023-4279
CVSS Score: 5.3 (Medium)
Researcher/s: Bartłomiej Marek, Tomasz Swiadek
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/77462f1f-f7d8-4d11-aaf1-82395897fcfa

Cookies and Content Security Policy <= 2.15 – Sensitive Information Exposure

Affected Software: Cookies and Content Security Policy
CVE ID: CVE-2023-40662
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/79e68c5b-1f1a-4af3-acf4-1a38f2d72424

Simple Org Chart <= 2.3.4 – Missing Authorization

Affected Software: Simple Org Chart
CVE ID: CVE-2023-40603
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c674ec32-7959-414a-8c31-3455bebb47bb

Stripe Payment Plugin for WooCommerce <= 3.7.9 – Missing Authorization to Arbitrary Order Status Modification

Affected Software: Stripe Payment Plugin for WooCommerce
CVE ID: CVE-2023-4040
CVSS Score: 5.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ef543c61-2acc-4b72-81ff-883960d4c7c3

123.chat <= 1.3.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: 123.chat – 1:1 Live Video Chat Tool Plugin
CVE ID: CVE-2023-4298
CVSS Score: 4.4 (Medium)
Researcher/s: Jonatas Souza Villa Flor
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0a0ced4d-368d-4f12-9099-1f8c0b0fe245

tagDiv Composer <= 4.1 – Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: tagDiv Composer
CVE ID: CVE-2023-3170
CVSS Score: 4.4 (Medium)
Researcher/s: Truoc Phan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3861f675-1a26-4947-91ef-8ab04646704f

CT Commerce <= 2.0.1 – Authenticated (Administrator+) Stored Cross-Site Scripting via admin settings

Affected Software: CT Commerce
CVE ID: CVE-2023-40007
CVSS Score: 4.4 (Medium)
Researcher/s: Nithissh S
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/399109be-7efe-428e-a9b8-7a68864b2790

Schedule Posts Calendar <= 5.2 – Authenticated (Administrator+) Stored Cross-Site Scripting via admin settings

Affected Software: Schedule Posts Calendar
CVE ID: CVE-2023-40560
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/61c815c2-a5ea-431c-bfde-c08a4eb5fda6

WooCommerce PDF Invoice Builder <= 1.2.90 – Authenticated (Administrator+) Cross-Site Scripting

Affected Software: WooCommerce PDF Invoice Builder, Create invoices, packing slips and more
CVE ID: CVE-2023-4160
CVSS Score: 4.4 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6a765360-8603-4ba1-a6db-dd0175ff3ddf

Carrrot <= 1.1.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Carrrot
CVE ID: CVE-2023-40328
CVSS Score: 4.4 (Medium)
Researcher/s: Prasanna V Balaji
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/77fa042d-1e4f-4344-bf5a-3860add7aae3

Custom Admin Login Page | WPZest <= 1.2.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Custom Admin Login Page | WPZest
CVE ID: CVE-2023-40329
CVSS Score: 4.4 (Medium)
Researcher/s: Lokesh Dachepalli
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/906dcf2a-6be1-4966-9a70-1ef9a8f1017d

RSVPMaker <= 10.6.5 – Authenticated (Administrator+) Stored Cross-Site Scripting via admin settings

Affected Software: RSVPMaker
CVE ID: CVE-2023-27617
CVSS Score: 4.4 (Medium)
Researcher/s: Muhammad Arsalan Diponegoro
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cfb27513-61ad-4cf0-a471-0ab7aeb0801b

Simple Staff List <= 2.2.3 – Authenticated (Editor+) Stored Cross-Site Scripting

Affected Software: Simple Staff List
CVE ID: CVE-2023-28790
CVSS Score: 4.4 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f5880581-3505-4851-b32f-cd2873072f73

WooCommerce PDF Invoice Builder <= 1.2.89 – Missing Authorization to Sensitive Information Exposure

Affected Software: WooCommerce PDF Invoice Builder, Create invoices, packing slips and more
CVE ID: CVE-2023-4245
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/200fbfc1-df21-43b0-8eb1-b2ba0cc0c0df

WP Remote Users Sync <= 1.2.11 – Missing Authorization to Authenticated (Subscriber+) Log View

Affected Software: WP Remote Users Sync
CVE ID: CVE-2023-4374
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2e87cfc4-8e7c-47d6-80fc-9c293cdd8acb

Putler Connector for WooCommerce <= 2.12.0 – Missing Authorization via ‘send_resync_request’

Affected Software: Putler Connector for WooCommerce – Accurate Analytics and Reports for your WooCommerce Store
CVE ID: CVE-2023-40326
CVSS Score: 4.3 (Medium)
Researcher/s: David
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/38537f60-52f4-4007-b26f-6948b9263931

Products Quick View for WooCommerce <= 2.2.0 – Missing Authorization

Affected Software: Products Quick View for WooCommerce
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/39c9f055-2527-4678-bda1-27a29ab24acd

WooCommerce PDF Invoice Builder <= 1.2.90 – Cross-Site Request Forgery to Custom Field Creation

Affected Software: WooCommerce PDF Invoice Builder, Create invoices, packing slips and more
CVE ID: CVE-2023-4161
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3b7aac1c-6962-49cf-850f-ab7b1d220090

Accordion Slider <= 1.9.6 – Missing Authorization to Notice Dismissal

Affected Software: Accordion Slider
CVE ID: CVE-2023-40331
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3dc69bba-39e0-46bd-8cdb-7cf1f7d36282

CLUEVO LMS, E-Learning Platform <= 1.10.0 – Cross-Site Request Forgery

Affected Software: CLUEVO LMS, E-Learning Platform
CVE ID: CVE-2023-40607
CVSS Score: 4.3 (Medium)
Researcher/s: Debangshu Kundu, Arpeet Rathi
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/414165a3-78f8-4254-ac24-2de177cad3dd

Schedule Posts Calendar <= 5.2 – Cross-Site Request Forgery

Affected Software: Schedule Posts Calendar
CVE ID: CVE-2023-40556
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7d4f490e-c86e-490e-8041-36c154b890aa

Make Paths Relative <= 1.3.0 – Cross-Site Request Forgery via ‘admin/class-make-paths-relative-admin.php’

Affected Software: Make Paths Relative
CVE ID: CVE-2023-27433
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/85317781-7e77-4a78-af67-0a1dce39364c

Simple Org Chart <= 2.3.4 – Cross-Site Request Forgery

Affected Software: Simple Org Chart
CVE ID: CVE-2023-28791
CVSS Score: 4.3 (Medium)
Researcher/s: Elliot
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8d413350-f520-4dd9-af7d-e776628aef1d

WooCommerce Dynamic Pricing and Discount Rules <= 2.4.0 – Cross-Site Request Forgery

Affected Software: Dynamic Pricing and Discount Rules for WooCommerce
CVE ID: CVE-2023-40559
CVSS Score: 4.3 (Medium)
Researcher/s: Skalucy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d624f234-c57a-4a66-900d-362194a79d34

Video Gallery & Management <= 3.3.5 – Cross-Site Request Forgery

Affected Software: Video Gallery for YouTube Videos and WordPress
CVE ID: CVE-2023-40558
CVSS Score: 4.3 (Medium)
Researcher/s: thiennv
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e226d75f-37b2-4af2-bba0-0fd3a96cc1a0

Tabs & Accordion <= 1.3.10 – Authenticated (Contributor+) Content Injection

Affected Software: Tabs & Accordion
CVE ID: CVE-2023-40557
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/eaead805-b122-4418-a4a0-cf1b0925f3c3

Orders Tracking for WooCommerce <= 1.2.5 – Authenticated (Administrator+) Directory Traversal via ‘file_url’

Affected Software: Orders Tracking for WooCommerce
CVE ID: CVE-2023-4216
CVSS Score: 2.7 (Low)
Researcher/s: Utkarsh Agrawal
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5a62e8b2-7606-4842-8be5-dff8634539d0

As a reminder, Wordfence curates an industry-leading vulnerability database, Wordfence Intelligence, covering all known WordPress core, theme, and plugin vulnerabilities.

The database is continuously updated and maintained by Wordfence’s experienced vulnerability researchers through in-house research, direct submissions from researchers via our CVE Request form, and monitoring of public sources to capture all publicly available WordPress vulnerability information, with additional context added where we can.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (August 14, 2023 to August 20, 2023) appeared first on Wordfence.