(647) 243-4688

Wordfence just launched its bug bounty program. Through December 20th 2023, all researchers will earn 6.25x our normal bounty rates when Wordfence handles responsible disclosure for our Holiday Bug Extravaganza! Register as a researcher and submit your vulnerabilities today!

Last week, there were 109 vulnerabilities disclosed in 98 WordPress Plugins and 10 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 33 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 12,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

Elementor <= 3.18.1 – Authenticated(Contributor+) Arbitrary File Upload to Remote Code Execution via Template Import
WordPress Core 6.4-6.4.1 – Remote Code Execution POP Chain via Object Injection
(Note that the existence of the POP chain is not classified as a vulnerability on its own so it does not have a Wordfence Intelligence Entry. The rule is intended to block exploitation by any existing Object Injection vulnerability.)
Two additional firewall rules for vulnerabilities that have not yet been patched or publicly disclosed.

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status
Number of Vulnerabilities

Unpatched
63

Patched
46

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating
Number of Vulnerabilities

Low Severity
0

Medium Severity
88

High Severity
9

Critical Severity
12

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE
Number of Vulnerabilities

Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
28

Missing Authorization
28

Cross-Site Request Forgery (CSRF)
21

Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
6

Unrestricted Upload of File with Dangerous Type
5

Deserialization of Untrusted Data
5

Information Exposure
3

Improper Authorization
2

Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’)
2

Use of Less Trusted Source
1

Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
1

Uncontrolled Resource Consumption (‘Resource Exhaustion’)
1

Protection Mechanism Failure
1

Authorization Bypass Through User-Controlled Key
1

Server-Side Request Forgery (SSRF)
1

Improper Control of Generation of Code (‘Code Injection’)
1

Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’)
1

Improper Neutralization of Alternate XSS Syntax
1

Researchers That Contributed to WordPress Security Last Week

Researcher Name
Number of Vulnerabilities

Nguyen Xuan Chien
13

Rafie Muhammad
12

Abdi Pranata
12

Dmitrii Ignatyev
7

Vladislav Pokrovsky (ΞX.MI)
7

Mika
6

Ngô Thiên An (ancorn_)
5

emad
4

István Márton(Wordfence Vulnerability Researcher)
4

Skalucy
4

Brandon James Roldan (tomorrowisnew)
3

thiennv
3

lttn
3

LVT-tholv2k
2

Marco Wotschka(Wordfence Vulnerability Researcher
2

Abu Hurayra (HurayraIIT)
2

Kyle Sanchez
2

qilin_99
2

Rafshanzani Suhada
1

Universe
1

German Ritter
1

DoYeon Park (p6rkdoye0n)
1

Naveen Muthusamy
1

Hong Quan
1

0x9567b
1

Luqman Hakim Y
1

Yuchen Ji
1

Labda
1

Enrico Marcolini
1

Claudio Marchesini (Dottormarc)
1

Rachit Arora
1

Muhammad Daffa
1

Huynh Tien Si
1

 

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name
Software Slug

Advanced Database Cleaner
advanced-database-cleaner

Advanced Page Visit Counter – Most Wanted Analytics Plugin for WordPress
advanced-page-visit-counter

Alma – Pay in installments or later for WooCommerce
alma-gateway-for-woocommerce

Alt Manager
alt-manager

Annual Archive
anual-archive

AppMySite – Create an app with the Best Mobile App Builder
appmysite

ArtPlacer Widget
artplacer-widget

Astra Pro Addon
astra-addon

Author Avatars List/Block
author-avatars

Awesome Support – WordPress HelpDesk & Support Plugin
awesome-support

BCorp Shortcodes
bcorp-shortcodes

Backup Migration
backup-backup

Bacola Core
bacola-core

Biteship: Plugin Ongkos Kirim Kurir Instant, Reguler, Kargo
biteship

Block for Font Awesome
block-for-font-awesome

Bold Page Builder
bold-page-builder

Bulk Edit Post Titles
bulk-edit-post-titles

Burst Statistics Pro
burst-pro

Burst Statistics – Privacy-Friendly Analytics for WordPress
burst-statistics

CSV Importer
csv-importer

CSprite
csprite

Caddy – Smart Side Cart for WooCommerce
caddy

Calculated Fields Form
calculated-fields-form

Clotya Core
clotya-core

Code Embed
simple-embed-code

Cookie Bar
cookie-bar

Cosmetsy Core
cosmetsy-core

Custom Login
custom-login

Custom Post Type Page Template
custom-post-type-page-template

Dashboard Widgets Suite
dashboard-widgets-suite

Digital Publications by Supsystic
digital-publications-by-supsystic

Duplicator Pro
duplicator-pro

Duplicator – WordPress Migration & Backup Plugin
duplicator

Elementor Timeline Widget
3r-elementor-timeline-widget

Elementor Website Builder – More than Just a Page Builder
elementor

Email Subscription Popup
email-subscribe

EmbedPress – Embed PDF, YouTube, Google Docs, Vimeo, Wistia Videos, Audios, Maps & Any Documents in Gutenberg & Elementor
embedpress

Event Manager, Event Calendar, Event Tickets for WooCommerce – Eventin
wp-event-solution

FOX – Currency Switcher Professional for WooCommerce
woocommerce-currency-switcher

First Order Discount Woocommerce
first-order-discount-woocommerce

Fix My Feed RSS Repair
fix-my-feed-rss-repair

Flexible Woocommerce Checkout Field Editor
flexible-woocommerce-checkout-field-editor

Furnob Core
furnob-core

Genesis Simple Love
genesis-simple-love

Gift Up Gift Cards for WordPress and WooCommerce
gift-up

Guest Author
guest-author

Ibtana – WordPress Website Builder
ibtana-visual-editor

Import and export users and customers
import-users-from-csv-with-meta

Integrate Google Drive – Browse, Upload, Download, Embed, Play, Share, Gallery, and Manage Your Google Drive Files Into Your WordPress Site
integrate-google-drive

LiveChat – WP live chat plugin for WordPress
wp-live-chat-software-for-wordpress

Login With Ajax
login-with-ajax

MW WP Form
mw-wp-form

Manage Notification E-mails
manage-notification-emails

Medibazar Core
medibazar-core

Menu Bar Cart Icon For WooCommerce By Binary Carpenter
bc-menu-cart-woo

Multi Currency For WooCommerce
wc-multi-currency

Optin Forms – Simple List Building Plugin for WordPress
optin-forms

Parto Core
partdo-core

PayTR Taksit Tablosu – WooCommerce
paytr-taksit-tablosu-woocommerce

Piotnet Forms
piotnetforms

Post Duplicator
post-duplicator

Product Catalog Feed by PixelYourSite
product-catalog-feed

Product Enquiry for WooCommerce
gm-woocommerce-quote-popup

Redirects
redirects

RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login
custom-registration-form-builder-with-submission-manager

Responsive Slick Slider WordPress
responsive-slick-slider

Rocket Maintenance Mode & Coming Soon Page
rocket-maintenance-mode

Sayfa Sayac
sayfa-sayac

SharkDropship & Affiliate for AliExpress, eBay, Amazon, Etsy
woo-aliexpress-dropshipping

Shortcoder — Create Shortcodes for Anything
shortcoder

Shortcodes and extra features for Phlox theme
auxin-elements

Smart External Link Click Monitor [Link Log]
link-log

Smart Forms – when you need more than just a contact form
smart-forms

Social Media Feather | social media sharing
social-media-feather

Spectra – WordPress Gutenberg Blocks
ultimate-addons-for-gutenberg

SpeedyCache – Cache, Optimization, Performance
speedycache

Square Thumbnails
square-thumbnails

Structured Content (JSON-LD) #wpsc
structured-content

SureTriggers – Connect All Your Plugins, Apps, Tools & Automate Everything!
suretriggers

Symbiostock – Sell Photos Online For Free!
symbiostock

System Dashboard
system-dashboard

Translate WordPress – Google Language Translator
google-language-translator

Tutor LMS – eLearning and online course solution
tutor

Ultimate Addons for Contact Form 7
ultimate-addons-for-contact-form-7

Ultimate Dashboard – Custom WordPress Dashboard
ultimate-dashboard

Video PopUp
video-popup

WP Booking System – Booking Calendar
wp-booking-system

WP Photo Album Plus
wp-photo-album-plus

WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts
wedevs-project-manager

WPBakery Page Builder Addons by Livemesh
addons-for-visual-composer

WPPerformanceTester
wpperformancetester

WPsoonOnlinePage
wp-soononline-page

WappPress – Create Mobile App for any WordPress site with our Mobile App Builder in just 1 minute
wapppress-builds-android-app-for-website

Webflow Pages
webflow-pages

Welcart e-Commerce
usc-e-shop

WooDiscuz – WooCommerce Comments
woodiscuz-woocommerce-comments

WooPayments – Fully Integrated Solution Built and Supported by Woo
woocommerce-payments

WordPress Simple HTML Sitemap
wp-simple-html-sitemap

WordPress Themes with Reported Vulnerabilities Last Week

Software Name
Software Slug

Adifier – Classified Ads WordPress Theme
adifier-system

Bacola – Grocery Store and Food eCommerce Theme
bacola

Clotya – Fashion Store eCommerce Theme
clotya

Cosmetsy – Beauty Cosmetics Shop Theme
cosmetsy

Couponis Demo
couponis-demo

Furnob – Furniture Store WooCommerce Theme
furnob

Machic – Electronics Store WooCommerce Theme
machic-core

Medibazar – Medical WooCommerce Theme
medibazar

Partdo – Auto Parts and Tools Shop WooCommerce Theme
partdo

Soledad
soledad

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

WappPress <= 5.0.3 – Unauthenticated Arbitrary File Upload

Burst Statistics – Privacy-Friendly Analytics for WordPress 1.4.0 to 1.4.6.1 – Unauthenticated SQL Injection

Affected Software/s: Burst Statistics – Privacy-Friendly Analytics for WordPress, Burst Statistics Pro
CVE ID: CVE-2023-5761
CVSS Score: 9.8 (Critical)
Researcher/s: German Ritter
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/30f8419c-c7b9-4c68-a845-26c0308d76f3

Couponis Demo < 2.2 – Unauthenticated SQL Injection

Affected Software: Couponis Demo
CVE ID: CVE-2023-49750
CVSS Score: 9.8 (Critical)
Researcher/s: Vladislav Pokrovsky (ΞX.MI)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4fd67a02-b0fb-4c4f-9564-c3ee0180e79c

Genesis Simple Love <= 2.0 – Unauthenticated PHP Object Injection

Affected Software: Genesis Simple Love
CVE ID: CVE-2023-49772
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/55abf798-f336-4262-9f52-4526a4bae15a

Soledad <= 8.4.1 – Unauthenticated PHP Object Injection

Affected Software: Soledad
CVE ID: CVE-2023-49826
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6e954190-7c58-4044-a85e-a188fe5b6d89

Adifier System < 3.1.4 – Unauthenticated SQL Injection

Affected Software: Adifier – Classified Ads WordPress Theme
CVE ID: CVE-2023-49752
CVSS Score: 9.8 (Critical)
Researcher/s: Vladislav Pokrovsky (ΞX.MI)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8e64d865-5acc-419b-8c61-e8fd8207fa94

BCorp Shortcodes <= 0.23 – Unauthenticated PHP Object Injection

Affected Software: BCorp Shortcodes
CVE ID: CVE-2023-49773
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/94696151-9f99-4847-bd67-8fb77f8b6a0e

Sayfa Sayaç <= 2.6 – Unauthenticated PHP Object Injection

Affected Software: Sayfa Sayac
CVE ID: CVE-2023-49778
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b1a29180-901d-447e-8f82-63161b9e11e0

MW WP Form <= 5.0.1 – Unauthenticated Arbitrary File Upload

Affected Software: MW WP Form
CVE ID: CVE-2023-6316
CVSS Score: 9.8 (Critical)
Researcher/s: István Márton(Wordfence Vulnerability Researcher
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b2c03142-be30-4173-a140-14d73a16dd2b

Duplicator <= 1.5.7 AND Duplicator Pro < 4.5.14.2 – Unauthenticated Sensitive Information Exposure

Affected Software/s: Duplicator Pro, Duplicator – WordPress Migration & Backup Plugin
CVE ID: CVE-2023-6114
CVSS Score: 9.8 (Critical)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b3f7a88c-a09b-46ac-b345-139c2d20a3d2

Adifier System < 3.1.4 – Unauthenticated Local File Inclusion

Affected Software: Adifier – Classified Ads WordPress Theme
CVE ID: CVE-2023-49753
CVSS Score: 9.8 (Critical)
Researcher/s: Vladislav Pokrovsky (ΞX.MI)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e8574ff9-847c-4337-8c0e-2a717b51f66c

Backup Migration <= 1.3.5 – Unauthenticated Sensitive Information Exposure

Affected Software: Backup Migration
CVE ID: CVE-2023-6271
CVSS Score: 9.8 (Critical)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f661f19d-fdd4-4cd3-8fb3-8b6073d94596

Structured Content <= 1.5.3 – Authenticated (Contributor+) PHP Object Injection

Affected Software: Structured Content (JSON-LD) #wpsc
CVE ID: CVE-2023-49819
CVSS Score: 8.8 (High)
Researcher/s: LVT-tholv2k
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0b25252b-fad3-4212-be72-94e94779ef67

Smart Forms <= 2.6.84 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update

Affected Software: Smart Forms – when you need more than just a contact form
CVE ID: CVE-2023-49856
CVSS Score: 8.8 (High)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3ac48cd9-1de5-4840-b3f3-dc24ca52442e

Elementor <= 3.18.1 – Authenticated(Contributor+) Arbitrary File Upload to Remote Code Execution via Template Import

Affected Software: Elementor Website Builder – More than Just a Page Builder
CVE ID: CVE-2023-48777
CVSS Score: 8.8 (High)
Researcher/s: Hong Quan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5b6d0a38-ac28-41c9-9da1-b30b3657b463

Soledad <= 8.4.1 – Authenticated (Contributor+) SQL Injection

Affected Software: Soledad
CVE ID: CVE-2023-49825
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7a9846c4-4678-4c25-84fd-b05d21ea34fb

Astra Pro <= 4.3.1 – Authenticated(Contributor+) Remote Code Execution via Metabox

Affected Software: Astra Pro Addon
CVE ID: CVE-2023-49830
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b9769bc3-236f-4c9d-a4ce-544e49eee2ec

ArtPlacer Widget <= 2.20.6 – Authenticated (Editor+) SQL Injection

Affected Software: ArtPlacer Widget
CVE ID: CVE-2023-6373
CVSS Score: 8.8 (High)
Researcher/s: Enrico Marcolini, Claudio Marchesini (Dottormarc)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bff3a160-5238-4478-ab11-3300cac51cf2

Piotnet Forms <= 1.0.26 – Unauthenticated Arbitrary File Upload

Affected Software: Piotnet Forms
CVE ID: CVE-2023-6220
CVSS Score: 8.1 (High)
Researcher/s: István Márton(Wordfence Vulnerability Researcher)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/af2b7eac-a3f5-408f-b139-643e70b3f27a

Advanced Database Cleaner <= 3.1.2 – Authenticated (Administrator+) SQL Injection

Affected Software: Advanced Database Cleaner
CVE ID: CVE-2023-49764
CVSS Score: 7.2 (High)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/62c46925-8e97-4989-8c2c-56223d6911a2

Symbiostock Lite <= 6.0.0 – Authenticated (Shop Manager+) Arbitrary File Upload

Affected Software: Symbiostock – Sell Photos Online For Free!
CVE ID: CVE-2023-49814
CVSS Score: 7.2 (High)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/666b8b39-fab0-4e99-b365-a4ac9f964494

Import and export users and customers <= 1.24.2 – Authenticated(Administrator+) Directory Traversal via Recurring Import Functionality

Affected Software: Import and export users and customers
CVE ID: CVE-2023-6583
CVSS Score: 6.6 (Medium)
Researcher/s: Labda
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ac709779-36f1-4f66-8db3-95a514a5ea59

Code Embed <= 2.3.6 – Authenticated(Contributor+) Denial of Service

Affected Software: Code Embed
CVE ID: CVE-2023-49837
CVSS Score: 6.5 (Medium)
Researcher/s: Universe
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2ef2ded1-dd56-4c33-98dc-d4c69e66568f

Alma – Pay in installments or later for WooCommerce <= 5.1.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Alma – Pay in installments or later for WooCommerce
CVE ID: CVE-2023-50369
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/044d7480-ccd7-4ce8-bb5d-367ba5d0217c

Ibtana – WordPress Website Builder <= 1.2.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Ibtana – WordPress Website Builder
CVE ID: CVE-2023-6684
CVSS Score: 6.4 (Medium)
Researcher/s: István Márton(Wordfence Vulnerability Researcher)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0b09d496-0e03-48a4-acf7-57febe18ed0a

Spectra <= 2.7.9 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Spectra – WordPress Gutenberg Blocks
CVE ID: CVE-2023-49833
CVSS Score: 6.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0df493cb-2b5e-4a16-b6d8-4cd9a473540d

WooCommerce Payments <= 6.4.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: WooPayments – Fully Integrated Solution Built and Supported by Woo
CVE ID: CVE-2023-49828
CVSS Score: 6.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/13617b70-9b57-4873-9942-12bffed411e2

Annual Archive <= 1.6.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Annual Archive
CVE ID: CVE-2023-49847
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/20199c88-1800-4d18-a0ee-0219be77b429

Advanced Page Visit Counter <= 8.0.6 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Advanced Page Visit Counter – Most Wanted Analytics Plugin for WordPress
CVE ID: CVE-2023-50371
CVSS Score: 6.4 (Medium)
Researcher/s: Abu Hurayra (HurayraIIT)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3b497a36-4929-413f-abfc-1d81bfaa7889

Livemesh Addons for WPBakery Page Builder <= 3.5 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: WPBakery Page Builder Addons by Livemesh
CVE ID: CVE-2023-50370
CVSS Score: 6.4 (Medium)
Researcher/s: Abu Hurayra (HurayraIIT)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/60af0a7c-014b-4f71-9918-7ddc1186bee4

Video PopUp <= 1.1.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Video PopUp
CVE ID: CVE-2023-4962
CVSS Score: 6.4 (Medium)
Researcher/s: István Márton(Wordfence Vulnerability Researcher)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/670ea03e-2f76-48a4-9f40-bc4cfd987a89

Guest Author <= 2.3 – Authenticated (Author+) Stored Cross-Site Scripting

Affected Software: Guest Author
CVE ID: CVE-2023-49747
CVSS Score: 6.4 (Medium)
Researcher/s: emad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/78fd9dcf-228e-46ec-b34f-2cb0c87cc895

Bold Page Builder <= 4.6.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Bold Page Builder
CVE ID: CVE-2023-49823
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8c99f70b-77a6-4bd7-99b1-ad4ec76d50c6

Shortcodes and extra features for Phlox theme <= 2.15.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Shortcodes and extra features for Phlox theme
CVE ID: CVE-2023-50368
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/95d61096-8e44-4b70-a409-c02cb3d1e32c

WP Project Manager <= 2.6.7 – Authenticated (Subscriber+) Stored Cross-Site Scripting

Author Avatars List/Block <= 2.1.16 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Author Avatars List/Block
CVE ID: CVE-2023-49846
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c7c8380b-02ae-49d2-8c64-debe7f73ee35

Structured Content <= 1.5.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Structured Content (JSON-LD) #wpsc
CVE ID: CVE-2023-49820
CVSS Score: 6.4 (Medium)
Researcher/s: LVT-tholv2k
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e44ad307-2663-4613-ae53-9ef6208f08f9

Ultimate Addons for Contact Form 7 <= 3.2.0 – Reflected Cross-Site Scripting

Affected Software: Ultimate Addons for Contact Form 7
CVE ID: CVE-2023-49766
CVSS Score: 6.1 (Medium)
Researcher/s: Vladislav Pokrovsky (ΞX.MI)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/364946a5-ce1e-4872-895d-e7cf795a04f7

Multiple Plugins by KlbTheme <= (Various Versions) – Reflected Cross-Site Scripting

Affected Software/s: Cosmetsy Core, Parto Core, Medibazar Core, Bacola Core, Clotya Core, Furnob Core
CVE ID: CVE-2023-49839
CVSS Score: 6.1 (Medium)
Researcher/s: Vladislav Pokrovsky (ΞX.MI)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4fb06315-30ad-4d98-af75-b04933583be7

WP Photo Album Plus <= 8.5.02.005 – Cross-Site Scripting

Affected Software: WP Photo Album Plus
CVE ID: CVE-2023-49813
CVSS Score: 6.1 (Medium)
Researcher/s: Kyle Sanchez
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5486d50c-8544-4368-b58b-66024a8ae86d

Email Subscription Popup <= 1.2.18 – Reflected Cross-Site Scripting

Affected Software: Email Subscription Popup
CVE ID: CVE-2023-6527
CVSS Score: 6.1 (Medium)
Researcher/s: 0x9567b
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5f84814e-f7b7-4228-b331-63027a0770af

Machic Core <= 1.2.6 – Reflected Cross-Site Scripting

Affected Software: Machic – Electronics Store WooCommerce Theme
CVE ID: CVE-2023-49186
CVSS Score: 6.1 (Medium)
Researcher/s: Vladislav Pokrovsky (ΞX.MI)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b4fc9628-b254-405b-a7cc-bb955618bc35

Smart External Link Click Monitor [Link Log] <= 5.0.2 – Reflected Cross-Site Scripting

Affected Software: Smart External Link Click Monitor [Link Log]
CVE ID: CVE-2023-49771
CVSS Score: 6.1 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d062bc7b-0cb0-46bd-b203-90cc9a44a403

Soledad <= 8.4.1 – Reflected Cross-Site Scripting

Affected Software: Soledad
CVE ID: CVE-2023-49827
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f83b36fe-4e46-4ab7-a113-6dcfa7cce625

Biteship <= 2.2.22 – Authenticated (Shop manager+) Stored Cross-Site Scripting

Affected Software: Biteship: Plugin Ongkos Kirim Kurir Instant, Reguler, Kargo
CVE ID: CVE-2023-49767
CVSS Score: 5.5 (Medium)
Researcher/s: Luqman Hakim Y
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a78c46ac-22dd-48f2-a10b-016205f7e7fa

Cookie Bar <= 2.0 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings

Affected Software: Cookie Bar
CVE ID: CVE-2023-49836
CVSS Score: 5.5 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/dd58bc54-f16e-48ee-97f4-95b839d75350

WOOCS – WooCommerce Currency Switcher <= 1.4.1.4 – Cross-Site Request Forgery via delete_profiles_data

Affected Software: FOX – Currency Switcher Professional for WooCommerce
CVE ID: CVE-2023-49834
CVSS Score: 5.4 (Medium)
Researcher/s: Brandon James Roldan (tomorrowisnew)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/139d4ec2-1147-4332-a56d-633890f32560

Digital Publications by Supsystic <= 1.7.6 – Cross-Site Request Forgery via AJAX action

Affected Software: Digital Publications by Supsystic
CVE ID: CVE-2023-5756
CVSS Score: 5.4 (Medium)
Researcher/s: Marco Wotschka(Wordfence Vulnerability Researcher)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2304e4dc-0dc6-4ded-b8e6-8d76d70f63d7

SpeedyCache <= 1.1.2 – Authenticated (Subscriber+) Server-Side Request Forgery

Affected Software: SpeedyCache – Cache, Optimization, Performance
CVE ID: CVE-2023-49746
CVSS Score: 5.4 (Medium)
Researcher/s: Yuchen Ji
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ab922406-4af8-4ef2-bcc8-c326212546b1

Awesome Support <= 6.1.6 – Missing Authorization

Affected Software: Awesome Support – WordPress HelpDesk & Support Plugin
CVE ID: CVE-2023-49757
CVSS Score: 5.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fd9f1385-6457-4bc9-9c75-0fcd399a5956

WP Photo Album Plus <= 8.5.02.005 – IP Spoofing

Affected Software: WP Photo Album Plus
CVE ID: CVE-2023-49774
CVSS Score: 5.3 (Medium)
Researcher/s: Brandon James Roldan (tomorrowisnew)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/017fe804-a1a5-4f8d-a531-e928d668dbc4

Manage Notification E-mails <= 1.8.5 – Missing Authorization

Affected Software: Manage Notification E-mails
CVE ID: CVE-2023-6496
CVSS Score: 5.3 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/048bc117-88df-44b3-a30c-692bad23050f

RegistrationMagic <= 5.2.3.0 – Missing Authorization

Affected Software: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login
CVE ID: CVE-2023-49831
CVSS Score: 5.3 (Medium)
Researcher/s: lttn
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0d041b14-0d05-4bfe-bd5c-7e06d7b108b8

Square Thumbnails <= 1.1.0 – Missing Authorization

Affected Software: Square Thumbnails
CVE ID: CVE-2023-49851
CVSS Score: 5.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/31cc30c7-262d-4582-8976-fc8095bdca5f

Awesome Support <= 6.1.6 – Missing Authorization

Affected Software: Awesome Support – WordPress HelpDesk & Support Plugin
CVE ID: CVE-2023-49857
CVSS Score: 5.3 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3a1cbd74-e598-4edf-90c2-f97d5070f0cc

Gift Up 2.21.3 – Cross-Site Request Forgery via consume_post

Affected Software: Gift Up Gift Cards for WordPress and WooCommerce
CVE ID: CVE-2023-49744
CVSS Score: 5.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3e8d9909-7b98-4d98-8293-0c30eebc6c7b

Ultimate Dashboard <= 3.7.10 – Login Page Disclosure on Multi-site

Affected Software: Ultimate Dashboard – Custom WordPress Dashboard
CVE ID: CVE-2023-49822
CVSS Score: 5.3 (Medium)
Researcher/s: Naveen Muthusamy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/56f3cb34-0452-4e3d-9442-0decc77f5e63

PayTR Taksit Tablosu <= 1.3.1 – Improper Authorization

Affected Software: PayTR Taksit Tablosu – WooCommerce
CVE ID: CVE-2023-49853
CVSS Score: 5.3 (Medium)
Researcher/s: qilin_99
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5898944f-565c-4950-83e8-ad0de0f948d1

Flexible Woocommerce Checkout Field Editor <= 2.0.1 – Missing Authorization

Affected Software: Flexible Woocommerce Checkout Field Editor
CVE ID: CVE-2023-49817
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5947f7cb-de84-4a62-bef7-cbeb1f20bb72

WP Photo Album Plus <= 8.5.02.005 – Insecure Direct Object Reference

Affected Software: WP Photo Album Plus
CVE ID: CVE-2023-49812
CVSS Score: 5.3 (Medium)
Researcher/s: Kyle Sanchez
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/72f3925d-6b3a-43bf-bfd1-fef7e71d5e43

AppMySite <= 3.10.0 – Unauthenticated Information Disclsoure

Affected Software: AppMySite – Create an app with the Best Mobile App Builder
CVE ID: CVE-2023-49762
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8b9f171f-56d8-4ab9-bf61-0daa7c0d928f

Redirects <= 1.2.1 – Missing Authorization

Affected Software: Redirects
CVE ID: CVE-2023-49845
CVSS Score: 5.3 (Medium)
Researcher/s: Skalucy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/903161b0-b64c-4986-8c94-b90221bc911b

Webflow Pages <= 1.0.8 – Missing Authorization

Affected Software: Webflow Pages
CVE ID: CVE-2023-49818
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a01141ed-9b9c-426f-96b3-c6ceade4d35c

Shortcoder <= 6.3.1 – Missing Authorization

Affected Software: Shortcoder — Create Shortcodes for Anything
CVE ID: CVE-2023-49849
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a54ad0b4-b6e7-4eac-843e-261ec6c83d84

EmbedPress <= 3.9.4 – Missing Authorization

Alt Manager <= 1.5.9 – Missing Authorization

Affected Software: Alt Manager
CVE ID: CVE-2023-50373
CVSS Score: 5.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/aaa041a3-d8e5-4637-b8da-5f07c498685a

Custom Login <= 4.1.0 – Missing Authorization

Affected Software: Custom Login
CVE ID: CVE-2023-49858
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b23afc11-c31d-4569-8f4b-8141eef7b3d9

Google Language Translator <= 6.0.20 – Missing Authorization to Notice Dismissal

Affected Software: Translate WordPress – Google Language Translator
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ec894433-53c8-4d04-bb8a-92c66cbd2ce7

WP Simple HTML Sitemap <= 2.4 – Missing Authorization

Affected Software: WordPress Simple HTML Sitemap
CVE ID: CVE-2023-49850
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/eff4cb35-492b-448a-8d16-b9210917c567

Login With Ajax <= 4.1 – Missing Authorization

Affected Software: Login With Ajax
CVE ID: CVE-2023-49859
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f11926c8-2b31-4ad5-9fd0-225071a91b2a

WP Project Manager <= 2.6.7 – Missing Authorization

Sharkdropship dropshipping for Aliexpress, eBay, Amazon, etsy <= 2.1.1 – Missing Authorization

Affected Software: SharkDropship & Affiliate for AliExpress, eBay, Amazon, Etsy
CVE ID: CVE-2023-49848
CVSS Score: 5.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fbc7e515-c712-4a39-a0f7-c3f646083060

Rocket Maintenance Mode & Coming Soon Page <= 4.3 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Rocket Maintenance Mode & Coming Soon Page
CVE ID: CVE-2023-49842
CVSS Score: 4.4 (Medium)
Researcher/s: emad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/055cc26b-1e24-4e39-89c8-bdc4a69ce938

Optin Forms <= 1.3.3 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Optin Forms – Simple List Building Plugin for WordPress
CVE ID: CVE-2023-49841
CVSS Score: 4.4 (Medium)
Researcher/s: DoYeon Park (p6rkdoye0n)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/35e0a997-190e-457a-b80c-7b4ecec97095

Smart External Link Click Monitor [Link Log] <= 5.0.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Smart External Link Click Monitor [Link Log]
CVE ID: CVE-2023-49770
CVSS Score: 4.4 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7c1811f7-0fb4-4f50-93ac-6abd9e6a1d66

Calculated Fields Form <= 1.2.40 – Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: Calculated Fields Form
CVE ID: CVE-2023-6446
CVSS Score: 4.4 (Medium)
Researcher/s: emad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c879123c-531e-43d8-a7d3-16a3c86b68a3

Dashboard Widgets Suite <= 3.4.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Dashboard Widgets Suite
CVE ID: CVE-2023-49743
CVSS Score: 4.4 (Medium)
Researcher/s: Rachit Arora
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cba77ced-412e-4461-8d2a-980371c78a17

Tutor LMS <= 2.2.4 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Tutor LMS – eLearning and online course solution
CVE ID: CVE-2023-49829
CVSS Score: 4.4 (Medium)
Researcher/s: emad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e2b2a90f-7a0a-4150-8a24-14b2ed11663e

Fix My Feed RSS Repair <= 1.4 – Cross-Site Request Forgery

Affected Software: Fix My Feed RSS Repair
CVE ID: CVE-2023-49816
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/038742d8-3da9-4e2a-bbd4-9ed6b31e8767

Product Catalog Feed by PixelYourSite <= 2.1.1 – Cross-Site Request Forgery

Affected Software: Product Catalog Feed by PixelYourSite
CVE ID: CVE-2023-49824
CVSS Score: 4.3 (Medium)
Researcher/s: thiennv
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/09547dae-85dc-481d-9eb1-423d8faadc80

LiveChat <= 4.5.15 – Cross-Site Request Forgery

Affected Software: LiveChat – WP live chat plugin for WordPress
CVE ID: CVE-2023-49821
CVSS Score: 4.3 (Medium)
Researcher/s: Brandon James Roldan (tomorrowisnew)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0b80e90d-72bd-4253-b84b-d2706e1abd4c

System Dashboard <= 2.8.8 – Missing Authorization to Information Disclosure (sd_php_info)

Affected Software: System Dashboard
CVE ID: CVE-2023-5711
CVSS Score: 4.3 (Medium)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/17bc3a9f-2bf9-44e3-81ef-bfa932085da9

CSV Importer <= 0.3.8 – Cross-Site Request Forgery

Affected Software: CSV Importer
CVE ID: CVE-2023-49775
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/252153ec-3811-484a-984f-eeb6ed9229a5

Integrate Google Drive <= 1.3.4 – Cross-Site Request Forgery

WPPerformanceTester <= 2.0.0 – Cross-Site Request Forgery

Affected Software: WPPerformanceTester
CVE ID: CVE-2023-49844
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3fb35366-b09c-4667-8fb9-6f80ba6d09f0

Social Media Feather <= 2.1.3 – Missing Authorization

Affected Software: Social Media Feather | social media sharing
CVE ID: CVE-2023-49861
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4154aa02-7fa1-4858-bea7-092ec4a508ac

SureTriggers <= 1.0.23 – Cross-Site Request Forgery

Affected Software: SureTriggers – Connect All Your Plugins, Apps, Tools & Automate Everything!
CVE ID: CVE-2023-49749
CVSS Score: 4.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/461211c9-951e-4ccd-abf5-84941290a6a5

System Dashboard <= 2.8.7 – Missing Authorization to Information Disclosure (sd_db_specs)

Affected Software: System Dashboard
CVE ID: CVE-2023-5714
CVSS Score: 4.3 (Medium)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/53b3ac83-847d-4bd0-a79b-531af266e1b4

Block for Font Awesome <= 1.4.0 – Cross-Site Request Forgery

Affected Software: Block for Font Awesome
CVE ID: CVE-2023-49751
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5d255ca7-37a5-4c1b-84be-356ae3900f7e

Multi Currency For WooCommerce <= 1.5.5 – Cross-Site Request Forgery

Affected Software: Multi Currency For WooCommerce
CVE ID: CVE-2023-49840
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6a19d494-08d1-479a-8ba4-edeb2873866a

System Dashboard <= 2.8.7 – Missing Authorization to Information Disclosure (sd_global_value)

Affected Software: System Dashboard
CVE ID: CVE-2023-5712
CVSS Score: 4.3 (Medium)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/70f14d9d-6ed6-4bcb-944d-f9c5aa6a17a6

WP Booking System <= 2.0.19.2 – Missing Authorization

Affected Software: WP Booking System – Booking Calendar
CVE ID: CVE-2023-49758
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/805c46ec-0b8a-4a40-bfc9-5d2d8d43a17b

Elementor Timeline Widget <= 2.0 – Missing Authorization to Notice Dismissal

Affected Software: Elementor Timeline Widget
CVE ID: CVE-2023-49755
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/819b3e0c-1cd0-45f9-8621-41817ad1de5e

Custom Post Type Page Template <= 1.1 – Cross-Site Request Forgery

Affected Software: Custom Post Type Page Template
CVE ID: CVE-2023-50372
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8ff05617-61b1-4d1f-9230-c771f23d3283

WPsoonOnlinePage <= 1.9 – Cross-Site Request Forgery

Affected Software: WPsoonOnlinePage
CVE ID: CVE-2023-49760
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a554b365-b54b-4696-87f6-df5099e15708

Caddy <= 1.9.7 – Cross-Site Request Forgery

Affected Software: Caddy – Smart Side Cart for WooCommerce
CVE ID: CVE-2023-49854
CVSS Score: 4.3 (Medium)
Researcher/s: qilin_99
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b331c32e-7341-458b-80be-574cfa915159

First Order Discount Woocommerce <= 1.21 – Cross-Site Request Forgery

Affected Software: First Order Discount Woocommerce
CVE ID: CVE-2023-49843
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b9d161a3-eb9f-447f-b2d2-b8b193678d20

Bulk Edit Post Titles <= 5.0.0 – Missing Authorization

Affected Software: Bulk Edit Post Titles
CVE ID: CVE-2023-49754
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bbdeaa77-72c9-4afc-8913-7a1e44cdeb82

Responsive Slick Slider WordPress <= 1.4 – Authenticated (Contributor+) Content Injection

Affected Software: Responsive Slick Slider WordPress
CVE ID: CVE-2023-49852
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c59f1784-da65-4e6d-b284-d65ee2196be9

WooDiscuz – WooCommerce Comments <= 2.3.0 – Cross-Site Request Forgery

Affected Software: WooDiscuz – WooCommerce Comments
CVE ID: CVE-2023-49759
CVSS Score: 4.3 (Medium)
Researcher/s: Skalucy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e0bfa461-5cea-40e8-af9f-800cdbb6efb5

Post Duplicator <= 2.31 – Missing Authorization via mtphr_duplicate_post

Affected Software: Post Duplicator
CVE ID: CVE-2023-49835
CVSS Score: 4.3 (Medium)
Researcher/s: Huynh Tien Si
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e5665931-8da9-44db-a5b1-46acebf14f3b

Multiple Themes by KlbTheme <= (Various Versions) – Cross-Site Request Forgery

System Dashboard <= 2.8.7 – Missing Authorization to Information Disclosure (sd_option_value)

Affected Software: System Dashboard
CVE ID: CVE-2023-5713
CVSS Score: 4.3 (Medium)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e9d1a33b-2518-48f7-90b6-a94a34473d1e

System Dashboard <= 2.8.7 – Missing Authorization to Information Disclosure (sd_constants)

Affected Software: System Dashboard
CVE ID: CVE-2023-5710
CVSS Score: 4.3 (Medium)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f170379e-e833-42e0-96fd-1e1722a8331c

Eventin <= 3.3.44 – Missing Authorization

Affected Software: Event Manager, Event Calendar, Event Tickets for WooCommerce – Eventin
CVE ID: CVE-2023-49756
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f256036d-11e8-4311-baa0-d15193c72da0

Product Enquiry for WooCommerce <= 3.0 – Cross-Site Request Forgery

Affected Software: Product Enquiry for WooCommerce
CVE ID: CVE-2023-49761
CVSS Score: 4.3 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f37cc9d0-345e-4ab7-ae99-d9d7fee6c1e5

CSprite <= 1.1 – Cross-Site Request Forgery

Affected Software: CSprite
CVE ID: CVE-2023-49763
CVSS Score: 4.3 (Medium)
Researcher/s: Skalucy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f5da3a4f-7084-4ba9-89c9-5a480efc7eca

BC Menu Bar Cart Icon For WooCommerce By Binary Carpenter <= 1.49.3 – Cross-Site Request Forgery

Affected Software: Menu Bar Cart Icon For WooCommerce By Binary Carpenter
CVE ID: CVE-2023-49855
CVSS Score: 4.3 (Medium)
Researcher/s: Skalucy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fc626bdb-e962-407c-95c3-3f9e28dc5876

Welcart e-Commerce <= 2.9.6 – Authenticated (Administrator+) Directory Traversal

Affected Software: Welcart e-Commerce
CVE ID: CVE-2023-6120
CVSS Score: 4.1 (Medium)
Researcher/s: Marco Wotschka(Wordfence Vulnerability Researcher)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2677cea6-d60d-4e10-afd7-e088a5592b19

As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (December 4, 2023 to December 10, 2023) appeared first on Wordfence.