(647) 243-4688

Did you know we’re running a Bug Bounty Extravaganza again?

Earn over 6x our usual bounty rates, up to $10,000,  for all vulnerabilities submitted through February 29th, 2024 when you opt to have Wordfence handle responsible disclosure!

Last week, there were 95 vulnerabilities disclosed in 65 WordPress Plugins and 3 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 33 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 12,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

WAF-RULE-675 – data redacted while we work with the vendor on a patch.
WAF-RULE-676 – data redacted while we work with the vendor on a patch.

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status
Number of Vulnerabilities

Unpatched
13

Patched
82

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating
Number of Vulnerabilities

Low Severity
2

Medium Severity
82

High Severity
7

Critical Severity
4

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE
Number of Vulnerabilities

Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
30

Cross-Site Request Forgery (CSRF)
21

Missing Authorization
18

Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
5

Information Exposure
3

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
3

Deserialization of Untrusted Data
2

Authorization Bypass Through User-Controlled Key
2

Improper Access Control
2

Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
2

Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’)
1

Uncontrolled Resource Consumption (‘Resource Exhaustion’)
1

Server-Side Request Forgery (SSRF)
1

Insecure Storage of Sensitive Information
1

Incorrect Authorization
1

Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’)
1

Improper Authorization
1

Researchers That Contributed to WordPress Security Last Week

Researcher Name
Number of Vulnerabilities

Francesco Carlucci
24

Lucio Sá
10

Dhabaleshwar Das
7

Webbernaut
6

Dimas Maulana
3

Ngô Thiên An (ancorn_)
3

Krzysztof Zając
3

beluga
2

Sh
2

Rhynorater
2

kodaichodai
2

Kyle Sanchez
2

Felipe Restrepo Rodriguez (pfelilpe)
2

István Márton
(Wordfence Vulnerability Researcher)
2

Rafie Muhammad
2

Sean Murphy
2

stealthcopter
2

hir0ot
1

Dave Jong
1

Le Ngoc Anh
1

villu164
1

Colin Xu
1

Christian Angel
1

LVT-tholv2k
1

wesley (wcraft)
1

Dmitrii Ignatyev
1

Abu Hurayra (HurayraIIT)
1

Muhammad Hassham Nagori
1

Abdi Pranata
1

Skalucy
1

Pham Ho Anh Dung
1

Savphill
1

Scott Kingsley Clark
1

 

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name
Software Slug

3D Tag Cloud
cardoza-3d-tag-cloud

AMP for WP – Accelerated Mobile Pages
accelerated-mobile-pages

Admin Menu Editor
admin-menu-editor

Advanced Forms for ACF
advanced-forms

All 404 Pages Redirect to Homepage
all-404-pages-redirect-to-homepage

All-In-One Security (AIOS) – Security and Firewall
all-in-one-wp-security-and-firewall

Apollo13 Framework Extensions
apollo13-framework-extensions

Awesome Support – WordPress HelpDesk & Support Plugin
awesome-support

Backuply – Backup, Restore, Migrate and Clone
backuply

Basic Log Viewer
wpsimpletools-log-viewer

Before After Image Slider WP
before-after-image-slider

Buttons Shortcode and Widget
buttons-shortcode-and-widget

Contact Form 7 Connector
ari-cf7-connector

Content Cards
content-cards

Coupon Referral Program
coupon-referral-program

Custom Twitter Feeds – A Tweets Widget or X Feed Widget
custom-twitter-feeds

Customer Reviews for WooCommerce
customer-reviews-woocommerce

Elementor Addon Elements
addon-elements-for-elementor-page-builder

Elementor Addons by Livemesh
addons-for-elementor

Elementor Website Builder – More than Just a Page Builder
elementor

Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin
wp-event-solution

Honeypot for WP Comment
honeypot-for-wp-comment

ImageRecycle pdf & image compression
imagerecycle-pdf-image-compression

InfiniteWP Client
iwp-client

Insert PHP Code Snippet
insert-php-code-snippet

Internal Link Juicer: SEO Auto Linker for WordPress
internal-links

Link Library
link-library

Login Lockdown – Protect Login Form
login-lockdown

Matomo Analytics – Ethical Stats. Powerful Insights.
matomo

Meta Box – WordPress Custom Fields Framework
meta-box

Minimal Coming Soon – Coming Soon Page
minimal-coming-soon-maintenance-mode

My Calendar
my-calendar

NextMove Lite – Thank You Page for WooCommerce
woo-thank-you-page-nextmove-lite

PPWP – Password Protect Pages
password-protect-page

Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions
paid-memberships-pro

Passster – Password Protect Pages and Content
content-protector

Payment Forms for Paystack
payment-forms-for-paystack

Photos and Files Contest Gallery – Contact Form, Upload Form, Social Share and Voting Plugin for WordPress
contest-gallery

Podlove Podcast Publisher
podlove-podcasting-plugin-for-wordpress

Podlove Subscribe button
podlove-subscribe-button

Polls CP
cp-polls

Portugal CTT Tracking for WooCommerce
portugal-ctt-tracking-woocommerce

PowerPack Addons for Elementor (Free Widgets, Extensions and Templates)
powerpack-lite-for-elementor

Prime Slider – Addons For Elementor (Revolution of a slider, Hero Slider, Media Slider, Drag Drop Slider, Video Slider, Product Slider, Ecommerce Slider)
bdthemes-prime-slider-lite

Product Labels For Woocommerce (Sale Badges)
aco-product-labels-for-woocommerce

Quiz Maker
quiz-maker

RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator
feedzy-rss-feeds

RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging
wp-rss-aggregator

Royal Elementor Addons and Templates
royal-elementor-addons

Shariff Wrapper
shariff

Shield Security – Smart Bot Blocking & Intrusion Prevention Security
wp-simple-firewall

Simple Page Access Restriction
simple-page-access-restriction

Starbox – the Author Box for Humans
starbox

Themify Builder
themify-builder

Timeline Widget For Elementor (Elementor Timeline, Vertical & Horizontal Timeline)
timeline-widget-addon-for-elementor

VK Poster Group
vk-poster-group

WP 404 Auto Redirect to Similar Post
wp-404-auto-redirect-to-similar-post

WP Booking Calendar
booking

WP Club Manager – WordPress Sports Club Plugin
wp-club-manager

WP Contact Form
wp-contact-form

WP Recipe Maker
wp-recipe-maker

WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc
wp-sms

WP Shortcodes Plugin — Shortcodes Ultimate
shortcodes-ultimate

Wonder Slider Lite
wonderplugin-slider-lite

Woocommerce Vietnam Checkout
woo-vietnam-checkout

WordPress Themes with Reported Vulnerabilities Last Week

Software Name
Software Slug

Blocksy
blocksy

Royal Elementor Kit
royal-elementor-kit

brooklyn
brooklyn

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

Shield Security – Smart Bot Blocking & Intrusion Prevention Security <= 18.5.9 – Unauthenticated Local File Inclusion

Affected Software: Shield Security – Smart Bot Blocking & Intrusion Prevention Security
CVE ID: CVE-2023-6989
CVSS Score: 9.8 (Critical)
Researcher/s: hir0ot
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/063826cc-7ff3-4869-9831-f6a4a4bbe74c

Coupon Referral Program <= 1.7.2 – Unauthenticated PHP Object Injection

Affected Software: Coupon Referral Program
CVE ID: CVE-2024-25100
CVSS Score: 9.8 (Critical)
Researcher/s: Dave Jong
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0e556ca2-1b83-4589-bff8-64323eb594e7

Booking Calendar <= 9.9 – Unauthenticated SQL Injection

Affected Software: WP Booking Calendar
CVE ID: CVE-2024-1207
CVSS Score: 9.8 (Critical)
Researcher/s: Muhammad Hassham Nagori
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7802ed1f-138c-4a3d-916c-80fb4f7699b2

Honeypot for WP Comment <= 2.2.3 – Directory Traversal to Unauthenticated Arbitrary File Deletion

Affected Software: Honeypot for WP Comment
CVE ID: CVE-2024-1350
CVSS Score: 9.1 (Critical)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b6b0bb48-eb61-4236-a03f-19d5d2084a75

Elementor <= 3.19.0 – Authenticated(Contributor+) Arbitrary File Deletion and PHAR Deserialization

Affected Software: Elementor Website Builder – More than Just a Page Builder
CVE ID: CVE-2024-24934
CVSS Score: 8.8 (High)
Researcher/s: Rhynorater
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4915b769-9499-40ac-835e-279e3a910558

Awesome Support – WordPress HelpDesk & Support Plugin <= 6.1.7 – Authenticated (Subscriber+) SQL Injection

Affected Software: Awesome Support – WordPress HelpDesk & Support Plugin
CVE ID: CVE-2024-0594
CVSS Score: 8.8 (High)
Researcher/s: Krzysztof Zając
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8494a0f6-7079-4fba-9901-76932b002c5a

WP Recipe Maker <= 9.1.2 – Missing Authorization to Authenticated (Subscriber+) SQL Injecton

Affected Software: WP Recipe Maker
CVE ID: CVE-2024-1206
CVSS Score: 8.8 (High)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b10d8f8a-517f-4286-b501-0ca040529362

RSS Aggregator by Feedzy <= 4.4.2 – Authenticated(Contributor+) SQL Injection

Podlove Subscribe button <= 1.3.10 – Authenticated (Contributor+) SQL Injection

Affected Software: Podlove Subscribe button
CVE ID: CVE-2024-1118
CVSS Score: 8.8 (High)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f234f05f-e377-4e89-81e1-f47ff44eebc5

Backuply – Backup, Restore, Migrate and Clone <= 1.2.5 – Denial of Service

Affected Software: Backuply – Backup, Restore, Migrate and Clone
CVE ID: CVE-2024-0842
CVSS Score: 7.5 (High)
Researcher/s: villu164
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1f955d88-ab4c-4cf4-a23b-91119d412716

Brooklyn <= 4.9.7.6 – PHP Object Injection

Affected Software: brooklyn
CVE ID: CVE-2024-24926
CVSS Score: 7.5 (High)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5dd962a5-ec0e-415f-8efa-91e78bb80d16

NextMove Lite <= 2.17.0 – Missing Authorization to Authenticated(Subscriber+) Plugin Activation

Affected Software: NextMove Lite – Thank You Page for WooCommerce
CVE ID: CVE-2024-25092
CVSS Score: 6.5 (Medium)
Researcher/s: beluga
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0b04ab77-880b-423a-bba6-59822f0463bc

RSS Aggregator by Feedzy <= 4.4.2 – Missing Authorization to Arbitrary Page Creation and Publication

AMP for WP <= 1.0.93.1 – Authenticated(Contributor+) Arbitrary Post Deletion via amppb_remove_saved_layout_data

Affected Software: AMP for WP – Accelerated Mobile Pages
CVE ID: CVE-2024-1043
CVSS Score: 6.5 (Medium)
Researcher/s: Sean Murphy
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ffb70e82-355b-48f3-92d0-19659ed2550e

WP Shortcodes Plugin — Shortcodes Ultimate <= 7.0.1 – Authenticated(Contributor+) Stored Cross-Site Scripting via shortcode

Affected Software: WP Shortcodes Plugin — Shortcodes Ultimate
CVE ID: CVE-2024-0792
CVSS Score: 6.4 (Medium)
Researcher/s: Webbernaut
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0d8c043c-e347-4dc8-8a72-943a7e6c4394

Starbox <= 3.4.8 – Authenticated (Subscriber+) Stored Cross-Site Scripting via Job Settings

Affected Software: Starbox – the Author Box for Humans
CVE ID: CVE-2023-6806
CVSS Score: 6.4 (Medium)
Researcher/s: Sh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1f413fc2-8543-4478-987d-d983581027bf

Royal Elementor Addons and Templates <= 1.3.87 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Royal Elementor Addons and Templates
CVE ID: CVE-2024-0442
CVSS Score: 6.4 (Medium)
Researcher/s: Webbernaut
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/256b4818-290b-4660-8e83-c18b068a8959

Meta Box – WordPress Custom Fields Framework <= 5.9.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Meta Box – WordPress Custom Fields Framework
CVE ID: CVE-2023-6526
CVSS Score: 6.4 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2a6bfc87-6135-4d49-baa2-e8e6291148dc

Apollo13 Framework Extensions <= 1.9.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Apollo13 Framework Extensions
CVE ID: CVE-2024-24880
CVSS Score: 6.4 (Medium)
Researcher/s: LVT-tholv2k
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/33386b7b-fae3-42a4-96d3-df3cdc342317

Content Cards <= 0.9.7 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Affected Software: Content Cards
CVE ID: CVE-2024-24928
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3e7d10ab-2525-407b-b814-ef7d884d5287

Elementor Website Builder – More than Just a Page Builder <= 3.18.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via get_image_alt

Affected Software: Elementor Website Builder – More than Just a Page Builder
CVE ID: CVE-2024-0506
CVSS Score: 6.4 (Medium)
Researcher/s: wesley (wcraft)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4473d3f6-e324-40f5-b92b-167f76b17332

Elementor Addon Elements <= 1.12.11 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Elementor Addon Elements
CVE ID: CVE-2024-0834
CVSS Score: 6.4 (Medium)
Researcher/s: Webbernaut
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6ebb5654-ba3e-4f18-8720-a6595a771964

Elementor Addons by Livemesh <= 8.3.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Elementor Addons by Livemesh
CVE ID: CVE-2024-1235
CVSS Score: 6.4 (Medium)
Researcher/s: Webbernaut
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/70bda4b7-e442-4956-b3cb-8df96043bcde

Payment Forms for Paystack <= 3.4.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Payment Forms for Paystack
CVE ID: CVE-2023-5665
CVSS Score: 6.4 (Medium)
Researcher/s: István Márton
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/98f80608-f24f-4019-a757-de71cba9902f

Before After Image Slider WP <= 2.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Affected Software: Before After Image Slider WP
CVE ID: CVE-2024-24931
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/af76e32b-ba7d-4eaa-97c8-ed6a25e8f387

My Calendar <= 3.4.23 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: My Calendar
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d039ba8f-0452-4c14-a655-7f6880c1f1b4

Buttons Shortcode and Widget <= 1.16 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Affected Software: Buttons Shortcode and Widget
CVE ID: CVE-2024-24930
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ea6e0856-ba3d-4fa1-ac90-45a51ff994ef

VK Poster Group <= 2.0.3 – Reflected Cross-Site Scripting via vkp_repost

Affected Software: VK Poster Group
CVE ID: CVE-2024-24932
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/14f030bd-8d8d-4152-817d-d72c9b7a0152

Matomo <= 4.15.3 – Reflected Cross-Site Scripting via idsite

Affected Software: Matomo Analytics – Ethical Stats. Powerful Insights.
CVE ID: CVE-2023-6923
CVSS Score: 6.1 (Medium)
Researcher/s: Felipe Restrepo Rodriguez (pfelilpe)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2e2d54eb-c176-49c4-a4fc-833e17189cad

WP SMS <= 6.5.2 – Reflected Cross-Site Scripting via ‘page’

Affected Software: WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc
CVE ID: CVE-2024-24881
CVSS Score: 6.1 (Medium)
Researcher/s: Dimas Maulana
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/31f7dc1e-2008-4672-85ba-56fa35f4f0e1

WP 404 Auto Redirect to Similar Post <= 1.0.3 – Reflected Cross-Site Scripting via request

Affected Software: WP 404 Auto Redirect to Similar Post
CVE ID: CVE-2024-0509
CVSS Score: 6.1 (Medium)
Researcher/s: kodaichodai
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6eef5549-3f89-4d6f-8c4e-6e4ee6082042

Wonder Slider Lite <= 13.9 – Reflected Cross-Site Scripting via ‘page’

Affected Software: Wonder Slider Lite
CVE ID: CVE-2024-24877
CVSS Score: 6.1 (Medium)
Researcher/s: Dimas Maulana
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/712d2d8b-2103-4262-807e-bb26cabb771c

Brooklyn <= 4.9.7.6 – Reflected Cross-Site Scripting

Affected Software: brooklyn
CVE ID: CVE-2024-24927
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/724d8382-cef3-4584-a255-c2ecc7c986b3

Link Library <= 7.5.13 – Reflected Cross-Site Scripting via ‘link_price’ and ‘link_tags’

Affected Software: Link Library
CVE ID: CVE-2024-24879
CVSS Score: 6.1 (Medium)
Researcher/s: beluga
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9d5f9d2e-6719-4ce7-bbdd-afaf437bd080

Portugal CTT Tracking for WooCommerce <= 2.1 – Reflected Cross-Site Scripting

Affected Software: Portugal CTT Tracking for WooCommerce
CVE ID: CVE-2024-24878
CVSS Score: 6.1 (Medium)
Researcher/s: stealthcopter
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a69e6ca8-efd6-4b89-ae63-b320f9936842

All-In-One Security (AIOS) – Security and Firewall <= 5.2.5 – Reflected Cross-Site Scripting

Affected Software: All-In-One Security (AIOS) – Security and Firewall
CVE ID: CVE-2024-1037
CVSS Score: 6.1 (Medium)
Researcher/s: stealthcopter
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b50772e5-5142-4f50-b5c0-6116a8821cba

Honeypot for WP Comment <= 2.2.3 – Reflected Cross-Site Scripting via page

Affected Software: Honeypot for WP Comment
CVE ID: CVE-2024-24933
CVSS Score: 6.1 (Medium)
Researcher/s: Dimas Maulana
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c1441e68-5c41-4c90-ba99-1656af87a29d

All 404 Pages Redirect to Homepage <= 1.9 – Unauthenticated Stored Cross-Site Scripting

Affected Software: All 404 Pages Redirect to Homepage
CVE ID: CVE-2024-24889
CVSS Score: 6.1 (Medium)
Researcher/s: Pham Ho Anh Dung
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/de5d5ffc-e76a-4ea9-be68-9ca5f847a363

InfiniteWP Client <= 1.12.3 – Unauthenticated Sensitive Information Exposure

Affected Software: InfiniteWP Client
CVE ID: CVE-2023-6565
CVSS Score: 5.9 (Medium)
Researcher/s: Christian Angel
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2fdc32a4-adf8-4174-924b-5d0b763d010c

PowerPack Addons for Elementor (Free Widgets, Extensions and Templates) <= 2.7.14 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: PowerPack Addons for Elementor (Free Widgets, Extensions and Templates)
CVE ID: CVE-2024-1055
CVSS Score: 5.4 (Medium)
Researcher/s: Webbernaut
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/036cf299-80c2-48a8-befc-02899ab96e3c

Basic Log Viewer <= 1.0.4 – Cross-Site Request Forgery via wpst_lw_viewer

Affected Software: Basic Log Viewer
CVE ID: CVE-2024-24935
CVSS Score: 5.4 (Medium)
Researcher/s: Dhabaleshwar Das
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/18acd104-a5a5-4811-9aea-abc227a1712c

Login Lockdown – Protect Login Form <= 2.08 – Missing Authorization

Affected Software: Login Lockdown – Protect Login Form
CVE ID: CVE-2024-1340
CVSS Score: 5.4 (Medium)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/34021007-b5d3-479b-a0d4-50e301f22c9c

3D Tag Cloud <= 3.8 – Cross-Site Request Forgery to Stored Cross-Site Scripting

Affected Software: 3D Tag Cloud
CVE ID: CVE-2022-41990
CVSS Score: 5.4 (Medium)
Researcher/s: István Márton
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4dfa825c-b0f7-4588-9bf8-cd186a5fc0ff

Prime Slider – Addons For Elementor <= 3.11.10 – Incorrect Authorization via bdt_duplicate_as_draft

Passster – Password Protect Pages and Content <= 4.2.6.2 – Missing Authorization to Sensitive Information Exposure

Affected Software: Passster – Password Protect Pages and Content
CVE ID: CVE-2024-0616
CVSS Score: 5.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/00b81467-8d00-4816-895a-89d67c541c17

Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin <= 3.3.50 – Missing Authorization to Unauthenticated Events Export

Affected Software: Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin
CVE ID: CVE-2024-1122
CVSS Score: 5.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0cbdf679-1657-4249-a433-8fe0cddd94be

CP Polls <= 1.0.71 – Unauthenticated Poll Limit Bypass

Affected Software: Polls CP
CVE ID: CVE-2024-24873
CVSS Score: 5.3 (Medium)
Researcher/s: Kyle Sanchez
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2c80de83-3996-4048-8aa3-3611b002fc01

Podlove Podcast Publisher <= 4.0.11 – Missing Authorization to Settings Import

Affected Software: Podlove Podcast Publisher
CVE ID: CVE-2024-1110
CVSS Score: 5.3 (Medium)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2c9cf461-572c-4be8-96e6-659acf3208f3

PPWP – Password Protect Pages <= 1.8.9 – Protection Mechanism Bypass

Affected Software: PPWP – Password Protect Pages
CVE ID: CVE-2024-0620
CVSS Score: 5.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/41299927-2ed9-4cbe-b2b0-f306dc0e4a58

Customer Reviews for WooCommerce <= 5.38.12 – Improper Authorization via submit_review

Affected Software: Customer Reviews for WooCommerce
CVE ID: CVE-2024-1044
CVSS Score: 5.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4420c334-1ea4-4549-b391-150702abc2f8

Quiz Maker <= 6.5.2.4 – Missing Authorization to Unauthenticated Quiz Data Retrieval

Affected Software: Quiz Maker
CVE ID: CVE-2024-1079
CVSS Score: 5.3 (Medium)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/602df370-cd5b-46dc-a653-6522aef0c62f

WP Club Manager – WordPress Sports Club Plugin <= 2.2.10 – Missing Authorization to Unauthenticated Event Permalink Update

Affected Software: WP Club Manager – WordPress Sports Club Plugin
CVE ID: CVE-2024-1177
CVSS Score: 5.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/64c2c8c2-58f5-4b7d-b226-39ba39e887d5

Advanced Forms for ACF <= 1.9.3.2 – Missing Authorization to Unauthenticated Form Settings Export

Affected Software: Advanced Forms for ACF
CVE ID: CVE-2024-1121
CVSS Score: 5.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7b33f2ee-3f20-4494-bdae-3f8cc3c6dc73

Podlove Podcast Publisher <= 4.0.11 – Missing Authorization to Unauthenticated Data Export

Affected Software: Podlove Podcast Publisher
CVE ID: CVE-2024-1109
CVSS Score: 5.3 (Medium)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a7b25b66-e9d1-448d-8367-cce4c0dec635

Royal Elementor Addons and Templates <= 1.3.87 – Missing Authorization via wpr_update_form_action_meta

Affected Software: Royal Elementor Addons and Templates
CVE ID: CVE-2024-0516
CVSS Score: 5.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d3457b87-c860-4cf2-ac3d-2c6521b629ea

Simple Page Access Restriction <= 1.0.21 – Improper Access Control to Sensitive Information Exposure via REST API

Affected Software: Simple Page Access Restriction
CVE ID: CVE-2024-0965
CVSS Score: 5.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d99dc270-1b28-4e76-9346-38b2b96be01c

Awesome Support – WordPress HelpDesk & Support Plugin <= 6.1.7 – Missing Authorization via editor_html()

Affected Software: Awesome Support – WordPress HelpDesk & Support Plugin
CVE ID: CVE-2024-0596
CVSS Score: 5.3 (Medium)
Researcher/s: Krzysztof Zając
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e4358e2a-b7f6-44b6-a38a-5b27cb15e1cd

CP Polls <= 1.0.71 – Unauthenticated Content Injection

Affected Software: Polls CP
CVE ID: CVE-2024-24874
CVSS Score: 5.3 (Medium)
Researcher/s: Kyle Sanchez
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f28d7659-9244-4da8-97e9-4539d7d874f7

Paid Memberships Pro <= 2.12.8 – Authenticated (Contributor+) User Meta Disclosure

Woocommerce Vietnam Checkout <= 2.0.7 – Authenticated (Shop manager+) Stored Cross-Site Scripting

Affected Software: Woocommerce Vietnam Checkout
CVE ID: CVE-2024-24885
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/02402620-89db-448d-9028-379856735a2a

Timeline Widget For Elementor (Elementor Timeline, Vertical & Horizontal Timeline) <= 1.5.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Timeline Widget For Elementor (Elementor Timeline, Vertical & Horizontal Timeline)
CVE ID: CVE-2024-0977
CVSS Score: 4.4 (Medium)
Researcher/s: Webbernaut
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/03073726-58d0-45b3-b7a6-7d12dbede919

Product Labels For Woocommerce <= 1.5.3 – Authenticated (Shop manager+) Stored Cross-Site Scripting

Affected Software: Product Labels For Woocommerce (Sale Badges)
CVE ID: CVE-2024-24886
CVSS Score: 4.4 (Medium)
Researcher/s: Dhabaleshwar Das
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/24226595-6ae7-44c2-a159-5b69808273fa

Internal Link Juicer <= 2.23.4 – Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: Internal Link Juicer: SEO Auto Linker for WordPress
CVE ID: CVE-2024-0657
CVSS Score: 4.4 (Medium)
Researcher/s: Sh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/41d39fe4-b114-4612-92f6-75d6597610f7

Shariff Wrapper <= 4.6.9 – Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: Shariff Wrapper
CVE ID: CVE-2024-1106
CVSS Score: 4.4 (Medium)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5ab9c383-14da-479d-9709-1ae154dae398

My Calendar <= 3.4.23 – Authenticated (Admin+) Stored Cross-Site Scripting via Events

Affected Software: My Calendar
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ad98db62-4253-4fd5-90b3-c28a563c7697

Insert PHP Code Snippet <= 1.3.4 – Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: Insert PHP Code Snippet
CVE ID: CVE-2024-0658
CVSS Score: 4.4 (Medium)
Researcher/s: Felipe Restrepo Rodriguez (pfelilpe)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c4a6b786-d0ef-41f6-b2bf-83307ec02b91

Blocksy <= 2.0.19 – Authenticated (Editor+) Stored Cross-Site Scripting

Affected Software: Blocksy
CVE ID: CVE-2024-24871
CVSS Score: 4.4 (Medium)
Researcher/s: Savphill
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e781e1aa-7fa2-4cea-913b-4aa582ec6a4f

ImageRecycle pdf & image compression <= 3.1.13 – Cross-Site Request Forgery to Settings Update in enableOptimization

Affected Software: ImageRecycle pdf & image compression
CVE ID: CVE-2024-1334
CVSS Score: 4.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0318ec4a-185a-405d-90f8-008ba373114b

All In One WP Security <= 5.2.6 – Cross-Site Request Forgery to IP Blocking

Affected Software: All-In-One Security (AIOS) – Security and Firewall
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/05991bf2-ee61-4bf7-89df-c2f66db7caec

ImageRecycle pdf & image compression <= 3.1.13 – Missing Authorization to Settings Update in enableOptimization

Affected Software: ImageRecycle pdf & image compression
CVE ID: CVE-2024-0983
CVSS Score: 4.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/175dd04d-ce06-45a0-8cfe-14498e2f9198

Custom Twitter Feeds – A Tweets Widget or X Feed Widget <= 2.2.1 – Cross-Site Request Forgery to Plugin Options Update

Affected Software: Custom Twitter Feeds – A Tweets Widget or X Feed Widget
CVE ID: CVE-2024-0379
CVSS Score: 4.3 (Medium)
Researcher/s: Rhynorater, kodaichodai
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/29e2ff11-053b-45cc-adf1-d276f1ee576e

ImageRecycle pdf & image compression <= 3.1.13 – Cross-Site Request Forgery to Plugin Data Removal in reinitialize

Affected Software: ImageRecycle pdf & image compression
CVE ID: CVE-2024-1339
CVSS Score: 4.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2d08e462-8297-477e-89da-47f26bd6beae

ImageRecycle pdf & image compression <= 3.1.13 – Missing Authorization to Plugin Data Removal in reinitialize

Affected Software: ImageRecycle pdf & image compression
CVE ID: CVE-2024-1091
CVSS Score: 4.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3cb8b08c-a028-48bd-acad-c00313fe06b8

Royal Elementor Addons and Templates <= 1.3.87 – Cross-Site Request Forgery via remove_from_wishlist

Affected Software: Royal Elementor Addons and Templates
CVE ID: CVE-2024-0513
CVSS Score: 4.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3d3516e7-cce4-4def-be38-d16be3110d59

Admin Menu Editor <= 1.12 – Cross-Site Request Forgery via ajax_hide_hint()

Affected Software: Admin Menu Editor
CVE ID: CVE-2024-24876
CVSS Score: 4.3 (Medium)
Researcher/s: Dhabaleshwar Das
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/53fa9be4-a2b3-458c-af6e-d3ada639a622

ImageRecycle pdf & image compression <= 3.1.13 – Cross-Site Request Forgery to Settings Update in stopOptimizeAll

Affected Software: ImageRecycle pdf & image compression
CVE ID: CVE-2024-1338
CVSS Score: 4.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5e3dd131-dbd8-431c-96f4-4ab2c3be4dbd

Royal Elementor Kit <= 1.0.116 – Missing Authorization to Arbitrary Transient Update

Affected Software: Royal Elementor Kit
CVE ID: CVE-2024-0835
CVSS Score: 4.3 (Medium)
Researcher/s: Sean Murphy
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/603b6c52-48eb-4e8c-a2c1-77b12a2b1a2c

Themify Builder <= 7.0.5 – Cross-Site Request Forgery

Affected Software: Themify Builder
CVE ID: CVE-2024-24872
CVSS Score: 4.3 (Medium)
Researcher/s: Dhabaleshwar Das
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6840c91f-a5d9-4940-8a08-d62acc5d43eb

Quiz Maker <= 6.5.2.4 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Quiz Creation & Modification

Affected Software: Quiz Maker
CVE ID: CVE-2024-1078
CVSS Score: 4.3 (Medium)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7ba2b270-5f02-4cd8-8a22-1723c3873d67

ImageRecycle pdf & image compression <= 3.1.13 – Missing Authorization to Settings Update in optimizeAllOn

Affected Software: ImageRecycle pdf & image compression
CVE ID: CVE-2024-1089
CVSS Score: 4.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8ff16906-2516-4b3c-8217-e3fb24924e27

Royal Elementor Addons and Templates <= 1.3.87 – Cross-Site Request Forgery via remove_from_compare

Affected Software: Royal Elementor Addons and Templates
CVE ID: CVE-2024-0515
CVSS Score: 4.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a4178271-c09e-4094-a616-5a00d28f39a3

Royal Elementor Addons and Templates <= 1.3.87 – Cross-Site Request Forgery via add_to_compare

Affected Software: Royal Elementor Addons and Templates
CVE ID: CVE-2024-0514
CVSS Score: 4.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b0955689-43a0-442c-974b-5db5e4171f6a

Royal Elementor Addons and Templates <= 1.3.87 – Cross-Site Request Forgery via add_to_wishlist

Affected Software: Royal Elementor Addons and Templates
CVE ID: CVE-2024-0512
CVSS Score: 4.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b2ff2954-f494-4cd7-9f29-ee0e8551e339

ImageRecycle pdf & image compression <= 3.1.13 – Cross-Site Request Forgery to Settings Update in disableOptimization

Affected Software: ImageRecycle pdf & image compression
CVE ID: CVE-2024-1335
CVSS Score: 4.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b3900e4f-4ae4-4026-89df-b63bd869a763

Contact Form 7 Connector <= 1.2.2 – Cross-Site Request Forgery

Affected Software: Contact Form 7 Connector
CVE ID: CVE-2024-24884
CVSS Score: 4.3 (Medium)
Researcher/s: Dhabaleshwar Das
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b74a5a4c-250a-46bc-bf08-2dd720de41ae

Awesome Support – WordPress HelpDesk & Support Plugin <= 6.1.7 – Missing Authorization via wpas_get_users()

Affected Software: Awesome Support – WordPress HelpDesk & Support Plugin
CVE ID: CVE-2024-0595
CVSS Score: 4.3 (Medium)
Researcher/s: Krzysztof Zając
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bfb77432-e58d-466e-a366-8b8d7f1b6982

WP Contact Form <= 1.6 – Cross-Site Request Forgery via wpcf_adminpage

Affected Software: WP Contact Form
CVE ID: CVE-2024-24929
CVSS Score: 4.3 (Medium)
Researcher/s: Skalucy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c5decbb3-05a0-403f-918a-9b516df85778

ImageRecycle pdf & image compression <= 3.1.13 – Cross-Site Request Forgery to Settings Update in optimizeAllOn

Affected Software: ImageRecycle pdf & image compression
CVE ID: CVE-2024-1336
CVSS Score: 4.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ca4cf299-9dee-4ebf-83f3-4c3471bd9fb0

ImageRecycle pdf & image compression <= 3.1.13 – Missing Authorization to Settings Update in disableOptimization

Affected Software: ImageRecycle pdf & image compression
CVE ID: CVE-2024-0984
CVSS Score: 4.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cc9dd55d-3c37-4f24-81a1-fdc8ca284566

Royal Elementor Addons and Templates <= 1.3.87 – Cross-Site Request Forgery via wpr_update_form_action_meta

Affected Software: Royal Elementor Addons and Templates
CVE ID: CVE-2024-0511
CVSS Score: 4.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/dc8bef03-51e0-4448-bddd-85300104e875

Contest Gallery <= 21.2.8.4 – Cross-Site Request Forgery

ImageRecycle pdf & image compression <= 3.1.13 – Missing Authorization to Settings Update in stopOptimizeAll

Affected Software: ImageRecycle pdf & image compression
CVE ID: CVE-2024-1090
CVSS Score: 4.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f3fae909-5564-4e0a-9114-edd0e45865e5

Link Library <= 7.5.13 – Cross-Site Request Forgery via action_admin_init

Affected Software: Link Library
CVE ID: CVE-2024-24875
CVSS Score: 4.3 (Medium)
Researcher/s: Dhabaleshwar Das
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fefe4499-8b03-4c07-b248-ae0ae5153b4f

WP RSS Aggregator <= 4.23.5 – Authenticated (Admin+) Server-Side Request Forgery via RSS Feed Source

Affected Software: RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging
CVE ID: CVE-2024-0628
CVSS Score: 3.8 (Low)
Researcher/s: Colin Xu
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2154383e-eabb-4964-8991-423dd68d5efb

Minimal Coming Soon – Coming Soon Page <= 2.37 – Unauthenticated Maintenance Mode Bypass

Affected Software: Minimal Coming Soon – Coming Soon Page
CVE ID: CVE-2024-1075
CVSS Score: 3.7 (Low)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/78203b98-15bc-4d8e-9278-c472b518be07

As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (February 5, 2024 to February 11, 2024) appeared first on Wordfence.