Did you know we’re running a Bug Bounty Extravaganza again?
Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through February 29th, 2024 when you opt to have Wordfence handle responsible disclosure!
Last week, 122 vulnerabilities disclosed in 110 WordPress plugins (and no WordPress themes) were added to the Wordfence Intelligence Vulnerability Database, and 52 vulnerability researchers contributed to WordPress security. Review those vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.
Enterprises, hosting providers, and individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Alternatively, use the Vulnerability Database API to receive a complete dump of our database of over 12,000 vulnerabilities, then use the webhook integration to receive new vulnerabilities and database updates as they are published, all for free.
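The check that a consumer of the database dump has to implement is the version-range match: for each installed plugin, does the installed version fall inside an affected range, with inclusive and exclusive bounds handled the way WordPress itself compares versions (PHP's version_compare())? The script below is an added example, not Wordfence's own code or CLI. The feed URL and the record layout (a JSON object keyed by vulnerability UUID, each record carrying a "software" list with per-range "affected_versions") are assumptions modelled on the public feed and should be verified against a live download; the two sample records are constructed from the SlimStat and Relevanssi Pro entries in this report, and the site inventory is constructed too.

```python
"""Match an installed-plugin inventory against vulnerability records.

Added example, not Wordfence code. Feed endpoint and record layout are
assumptions; sample data is constructed from two entries in this report.
"""
import json
import re
import urllib.request

FEED_URL = "https://www.wordfence.com/api/intelligence/v2/vulnerabilities/production"  # assumed

# Constructed sample feed. The Relevanssi entry has an exclusive upper bound ("< 2.25"),
# the SlimStat entry an inclusive one ("<= 5.1.3"); no patched versions are assumed.
SAMPLE_FEED = {
    "33cba63c-4629-48fd-850f-f68dad626a67": {
        "title": "SlimStat Analytics <= 5.1.3 – Authenticated (Subscriber+) Stored Cross-Site Scripting",
        "cve": "CVE-2024-1073", "cvss": {"score": 6.4, "rating": "Medium"},
        "software": [{"type": "plugin", "slug": "wp-slimstat", "patched": True,
                      "affected_versions": {"* - 5.1.3": {
                          "from_version": "*", "from_inclusive": True,
                          "to_version": "5.1.3", "to_inclusive": True}}}],
    },
    "550872c8-3663-48fa-ab3f-f90351f3e169": {
        "title": "Relevanssi Pro < 2.25 – Unauthenticated Sensitive Information Exposure",
        "cve": None, "cvss": {"score": 5.3, "rating": "Medium"},
        "software": [{"type": "plugin", "slug": "relevanssi-premium", "patched": True,
                      "affected_versions": {"* - 2.25": {
                          "from_version": "*", "from_inclusive": True,
                          "to_version": "2.25", "to_inclusive": False}}}],
    },
}

# Constructed inventory for one site: {plugin slug: installed version}.
SAMPLE_INSTALLED = {"wp-slimstat": "5.1.3", "relevanssi-premium": "2.25", "tablepress": "2.2.4"}

# PHP version_compare() ordering of special forms; "#" stands for a numeric part.
_ORDER = {"dev": 0, "alpha": 1, "a": 1, "beta": 2, "b": 2, "rc": 3, "#": 4, "pl": 5, "p": 5}


def _parts(version):
    """Canonicalise like PHP: '-', '_', '+' become '.', digit/letter boundaries split."""
    v = re.sub(r"[-_+]", ".", version)
    v = re.sub(r"(?<=\d)(?=[A-Za-z])|(?<=[A-Za-z])(?=\d)", ".", v)
    return [p for p in v.split(".") if p]


def _rank(part):
    if part.isdigit():
        return (_ORDER["#"], int(part))
    return (_ORDER.get(part.lower(), -1), 0)  # unknown strings sort below "dev"


def version_compare(a, b):
    """Return -1, 0 or 1 with the semantics of PHP's version_compare()."""
    pa, pb = _parts(a), _parts(b)
    for x, y in zip(pa, pb):
        if _rank(x) != _rank(y):
            return 1 if _rank(x) > _rank(y) else -1
    if len(pa) == len(pb):
        return 0
    longer, sign = (pa, 1) if len(pa) > len(pb) else (pb, -1)
    nxt = longer[min(len(pa), len(pb))]
    if nxt.isdigit():                       # "1.0" < "1.0.0", as in PHP
        return sign
    return sign if _rank(nxt) > _rank("#") else -sign   # "1.0-beta" < "1.0" < "1.0pl1"


def version_in_range(version, rng):
    """True if version lies in one affected_versions entry; '*' means unbounded."""
    lo, hi = rng["from_version"], rng["to_version"]
    if lo != "*":
        c = version_compare(version, lo)
        if c < 0 or (c == 0 and not rng["from_inclusive"]):
            return False
    if hi != "*":
        c = version_compare(version, hi)
        if c > 0 or (c == 0 and not rng["to_inclusive"]):
            return False
    return True


def find_affected(installed, feed):
    """One hit per (installed plugin, matching record), highest CVSS first."""
    records = feed.values() if isinstance(feed, dict) else feed
    hits = []
    for rec in records:
        for sw in rec.get("software", []):
            version = installed.get(sw.get("slug")) if sw.get("type") == "plugin" else None
            if version is None:
                continue
            if any(version_in_range(version, r) for r in sw["affected_versions"].values()):
                hits.append({"slug": sw["slug"], "version": version, "title": rec["title"],
                             "cve": rec.get("cve"), "score": rec.get("cvss", {}).get("score"),
                             "patched": sw.get("patched", False)})
    return sorted(hits, key=lambda h: h["score"] or 0, reverse=True)


def fetch_feed(url=FEED_URL):
    """Download and parse the full feed from the assumed endpoint (not used offline)."""
    with urllib.request.urlopen(url, timeout=60) as resp:
        return json.load(resp)


if __name__ == "__main__":
    for h in find_affected(SAMPLE_INSTALLED, SAMPLE_FEED):
        print(f"{h['slug']} {h['version']}: {h['title']} [{h['cve'] or 'no CVE'}, CVSS {h['score']}]")
```

Run as-is it reports only wp-slimstat 5.1.3: relevanssi-premium 2.25 sits exactly on the exclusive bound and is not affected, and tablepress has no record in the sample feed. For a real site, build the inventory from `wp plugin list --fields=name,version --format=json` (WP-CLI) and swap SAMPLE_FEED for fetch_feed(); the version comparison matters because a naive string compare would call 5.1.10 older than 5.1.3.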
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
SlimStat Analytics <= 5.1.3 – Authenticated (Subscriber+) Stored Cross-Site Scripting
WAF-RULE-670 – data redacted while we work with the developer on a patch.
WAF-RULE-671 – data redacted while we work with the developer on a patch.
WAF-RULE-672 – data redacted while we work with the developer on a patch.
WAF-RULE-674 – data redacted while we work with the developer on a patch.
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30-day delay.
Total Unpatched & Patched Vulnerabilities Last Week
Patch Status: Number of Vulnerabilities
Unpatched: 32
Patched: 90
Total Vulnerabilities by CVSS Severity Last Week
Severity Rating: Number of Vulnerabilities
Low Severity: 1
Medium Severity: 104
High Severity: 12
Critical Severity: 5
Total Vulnerabilities by CWE Type Last Week
Vulnerability Type by CWE: Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’): 34
Missing Authorization: 29
Cross-Site Request Forgery (CSRF): 24
Information Exposure: 9
Deserialization of Untrusted Data: 5
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): 4
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’): 3
Improper Authorization: 3
Improper Access Control: 3
Unrestricted Upload of File with Dangerous Type: 2
Authentication Bypass by Spoofing: 1
Improper Input Validation: 1
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’): 1
Server-Side Request Forgery (SSRF): 1
URL Redirection to Untrusted Site (‘Open Redirect’): 1
Client-Side Enforcement of Server-Side Security: 1
Researchers That Contributed to WordPress Security Last Week
Researcher Name: Number of Vulnerabilities
Mika: 5
Lucio Sá: 4
emad: 3
István Márton (Wordfence Vulnerability Researcher): 1
Skalucy: 1
wpdabh: 1
Vulzap: 1
0x9567b: 1
Elliot: 1
Friday: 1
isacaya: 1
thiennv: 1
Savphill: 1
Sh: 1
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
Software Name [Software Slug]
A no-code page builder for beautiful performance-based content [setka-editor]
ACF Photo Gallery Field [navz-photo-gallery]
ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup [armember-membership]
Accessibility [accessibility]
Active Products Tables for WooCommerce. Professional products tables for WooCommerce store [profit-products-tables-for-woocommerce]
Add Customer for WooCommerce [add-customer-for-woocommerce]
Advanced iFrame [advanced-iframe]
Affiliates Manager [affiliates-manager]
Anonymous Restricted Content [anonymous-restricted-content]
Auto Listings – Car Listings & Car Dealership Plugin for WordPress [auto-listings]
BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net [woo-bulk-editor]
Beds24 Online Booking [beds24-online-booking]
Biteship: Plugin Ongkos Kirim Kurir Instant, Reguler, Kargo [biteship]
BizPrint – Print WooCommerce Order Receipts, Invoices, Labels & More. [print-google-cloud-print-gcp-woocommerce]
Booking Calendar | Appointment Booking | BookIt [bookit]
CC BMI Calculator [cc-bmi-calculator]
CP Media Player – Audio Player and Video Player [audio-and-video-player]
Calculated Fields Form [calculated-fields-form]
CalculatorPro Calculators [calculatorpro-calculators]
Chartify – WordPress Chart Plugin [chart-builder]
Cincopa video and media plug-in [video-playlist-and-gallery-plugin]
Click To Tweet [click-to-tweet]
Cookie Information | Free GDPR Consent Solution [wp-gdpr-compliance]
Custom Order Numbers for WooCommerce [custom-order-numbers-for-woocommerce]
Custom Order Status for WooCommerce [custom-order-statuses-woocommerce]
Database for Contact Form 7, WPforms, Elementor forms [contact-form-entries]
Debug [debug]
Don’t Muck My Markup [dont-muck-my-markup]
ERE Recently Viewed – Essential Real Estate Add-On [ere-recently-viewed]
Easy Digital Downloads – Sell Digital Files (eCommerce Store & Payments Made Easy) [easy-digital-downloads]
Element Pack Elementor Addons (Header Footer, Free Template Library, Grid, Carousel, Table, Parallax Animation, Register Form, Twitter Grid) [bdthemes-element-pack-lite]
Email Before Download [email-before-download]
Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders [essential-addons-for-elementor-lite]
Event Manager and Tickets Selling Plugin for WooCommerce – WpEvently – WordPress Plugin [mage-eventpress]
EventON Pro [eventon]
EventPrime – Events Calendar, Bookings and Tickets [eventprime-event-calendar-management]
FG Drupal to WordPress [fg-drupal-to-wp]
FG Joomla to WordPress [fg-joomla-to-wordpress]
FG PrestaShop to WooCommerce [fg-prestashop-to-woocommerce]
Fatal Error Notify [fatal-error-notify]
Feed Them Social – Page, Post, Video, and Photo Galleries [feed-them-social]
Five Star Restaurant Reviews [good-reviews-wp]
Form builder to get in touch with visitors, grow your email list and collect payments — Happyforms [happyforms]
GDPR Data Request Form [gdpr-data-request-form]
Happy Addons for Elementor [happy-elementor-addons]
Heateor Social Login WordPress [heateor-social-login]
Html5 Video Player [UNKNOWN-CVE-2023-6485-1]
Icons Font Loader [icons-font-loader]
Instant Images – One Click Image Uploads from Unsplash, Openverse, Pixabay and Pexels [instant-images]
JTRT Responsive Tables [jtrt-responsive-tables]
JetBackup – WP Backup, Migrate & Restore [backup]
Kikote – Location Picker at Checkout & Google Address AutoFill Plugin for WooCommerce [map-location-picker-at-checkout-for-woocommerce]
Knowledge Base for Documentation, FAQs with AI Assistance [echo-knowledge-base]
LearnDash LMS [sfwd-lms]
Load More Anything [ajax-load-more-anything]
MW WP Form [mw-wp-form]
MapPress Maps for WordPress [mappress-google-maps-for-wordpress]
Mighty Addons for Elementor [mighty-addons]
MultiVendorX Marketplace – WooCommerce MultiVendor Marketplace Solution [dc-woocommerce-multi-vendor]
NEX-Forms – Ultimate Form Builder – Contact forms and much more [nex-forms-express-wp-form-builder]
Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress [ninja-forms]
OWL Carousel – WordPress Owl Carousel Slider [lgx-owl-carousel]
Orbit Fox by ThemeIsle [themeisle-companion]
Order Delivery Date for WP e-Commerce [order-delivery-date]
PDF Flipbook, 3D Flipbook – DearFlip [3d-flipbook-dflip-lite]
PT Sign Ups – Beautiful volunteer sign ups and management made easy [ptoffice-sign-ups]
Page Builder: Pagelayer – Drag and Drop website builder [pagelayer]
Page Restrict [pagerestrict]
Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress [wp-user-avatar]
Persian Fonts [persian-fonts]
PilotPress [pilotpress]
Popup More Popups, Lightboxes, and more popup modules [popup-more]
PopupAlly [popupally]
Post Thumbnail Editor [post-thumbnail-editor]
PowerPack Pro for Elementor [powerpack-elements]
Premium Addons for Elementor [premium-addons-for-elementor]
ProductX – WooCommerce Builder & Gutenberg WooCommerce Blocks [product-blocks]
Professional Social Sharing Buttons, Icons & Related Posts – Shareaholic [shareaholic]
PropertyHive [propertyhive]
Quicksand Post Filter jQuery Plugin [quicksand-jquery-post-filter]
RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator [feedzy-rss-feeds]
Relevanssi – A Better Search (Pro) [relevanssi-premium]
Restrict Usernames Emails Characters [restrict-usernames-emails-characters]
SEO Plugin by Squirrly SEO [squirrly-seo]
SP Project & Document Manager [sp-client-document-manager]
Scheduling Plugin – Online Booking for WordPress [calendar-booking]
Scroll Triggered Box [dreamgrow-scroll-triggered-box]
SiteOrigin Widgets Bundle [so-widgets-bundle]
SlimStat Analytics [wp-slimstat]
Starbox – the Author Box for Humans [starbox]
Structured Content (JSON-LD) #wpsc [structured-content]
TablePress – Tables in WordPress made easy [tablepress]
The Plus Addons for Elementor [the-plus-addons-for-elementor-page-builder]
Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid [boldgrid-backup]
Ultra Companion – Companion plugin for WPoperation Themes [ultra-companion]
User Activity Tracking and Log [user-activity-tracking-and-log]
UserPro – Community and User Profile WordPress Plugin [userpro]
W3SPEEDSTER [w3speedster-wp]
WOLF – WordPress Posts Bulk Editor and Manager Professional [bulk-editor]
WP Dummy Content Generator [wp-dummy-content-generator]
WP Hotel Booking [wp-hotel-booking]
WP STAGING WordPress Backup Plugin – Migration Backup Restore [wp-staging]
WP Visitor Statistics (Real Time Traffic) [wp-stats-manager]
WP-CFM [wp-cfm]
Website Builder by SeedProd — Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode [coming-soon]
WooCommerce Box Office [woocommerce-box-office]
WooCommerce Conversion Tracking [woocommerce-conversion-tracking]
Woostify Sites Library [woostify-sites-library]
WordPress Review & Structure Data Schema Plugin – Review Schema [review-schema]
WordPress Toolbar [wordpress-toolbar]
Vulnerability Details
Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.
Knowledge Base for Documentation, FAQs with AI Assistance <= 11.30.2 – Unauthenticated PHP Object Injection in is_article_recently_viewed
CVE ID: CVE-2024-24842
CVSS Score: 9.8 (Critical)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/41cfe1d7-2fab-413c-80e5-40d77133d229
ProductX – WooCommerce Builder & Gutenberg WooCommerce Blocks <= 3.1.4 – PHP Object Injection via wopb_wishlist and wopb_compare
CVE ID: CVE-2024-23512
CVSS Score: 9.8 (Critical)
Researcher/s: Yudistira Arya
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/470285d6-b309-409c-b2c3-8766a0cf9e98
ERE Recently Viewed <= 1.3 – Unauthenticated PHP Object Injection
CVE ID: CVE-2024-24797
CVSS Score: 9.8 (Critical)
Researcher/s: Yudistira Arya
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7332fe2e-9bef-42b7-946e-4a2ee812ca26
JetBackup <= 2.0.9.7 – Sensitive Information Exposure via Directory Listing
CVE ID: CVE-2023-7165
CVSS Score: 9.8 (Critical)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fd978ac0-42f2-4746-9430-37458375b588
Quicksand Post Filter jQuery Plugin <= 3.1.1 – Missing Authorization via quicksand_admin_ajax
CVE ID: CVE-2024-24850
CVSS Score: 9.1 (Critical)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c6f3b765-396f-422f-864d-a48bee8c69cb
Instant Images <= 6.1.0 – Authenticated (Author+) Arbitrary Options Update
CVE ID: CVE-2024-0869
CVSS Score: 8.8 (High)
Researcher/s: Sean Murphy
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/17941fbb-c5da-4f5c-a617-3792eb4ef395
Cookie Information | Free GDPR Consent Solution <= 2.0.22 – Authenticated (Subscriber+) Arbitrary Options Update
CVE ID: CVE-2023-6700
CVSS Score: 8.8 (High)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/42a4ef37-c842-4925-b06a-3e6423337567
Event Manager and Tickets Selling Plugin for WooCommerce – WpEvently <= 4.1.1 – Authenticated (Contributor+) PHP Object Injection in mep_event_meta_save
CVE ID: CVE-2024-24796
CVSS Score: 8.8 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/50812a8b-7d49-41fa-ba50-47d07a4b6caa
SP Project & Document Manager <= 4.69 – Authenticated (Contributor+) SQL Injection via Shortcode
CVE ID: CVE-2024-24868
CVSS Score: 8.8 (High)
Researcher/s: Yudistira Arya
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fcdeba37-ba65-400d-9c07-36503a03e857
MultiVendorX Marketplace <= 4.1.2 – Missing Authorization
CVE ID: CVE-2024-24703
CVSS Score: 8.6 (High)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/26e07115-efee-4db5-ba24-25a063286e90
TablePress <= 2.2.4 – Authenticated (Author+) Server-Side Request Forgery (SSRF) via _get_import_files
CVE ID: CVE-2024-23825
CVSS Score: 8.5 (High)
Researcher/s: isacaya
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8de52b68-c273-4561-98b0-e51afd6cd47b
Website Builder by SeedProd — Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode <= 6.15.21 – Missing Authorization via seedprod_lite_new_lpage
CVE ID: CVE-2024-1072
CVSS Score: 8.2 (High)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/78d7920b-3e20-43c7-a522-72bac824c2cb
Woostify Sites Library
CVE ID: CVE-2023-6279
CVSS Score: 8.1 (High)
Researcher/s: Krzysztof Zając
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/977ab23a-06b2-4f54-a2c2-3be2316eaceb
PropertyHive <= 2.0.5 – Unauthenticated PHP Object Injection via propertyhive_currency
CVE ID: CVE-2024-23513
CVSS Score: 8.1 (High)
Researcher/s: Yudistira Arya
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d8ee82cf-916c-41e9-82d2-f25cc7a632ae
Total Upkeep <= 1.15.8 – Improper Authorization to Unauthenticated Arbitrary File Download
CVE ID: CVE-2024-24869
CVSS Score: 7.5 (High)
Researcher/s: Yudistira Arya
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/159e14fc-0512-421a-8bbe-d16c0b04ddf9
PowerPack Pro for Elementor <= 2.10.6 – Missing Authorization to Settings Reset
CVE ID: CVE-2024-24844
CVSS Score: 7.5 (High)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/883e1f3c-7e47-4522-ae8c-a9a6b4160be2
Contact Form Entries <= 1.3.2 – Authenticated (Administrator+) Arbitrary File Upload
CVE ID: CVE-2024-1069
CVSS Score: 7.2 (High)
Researcher/s: István Márton
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/120313be-9f98-4448-9f5d-a77186a6ff08
Icons Font Loader <= 1.1.4 – Authenticated (Administrator+) Arbitrary File Upload
CVE ID: CVE-2024-24714
CVSS Score: 6.6 (Medium)
Researcher/s: Vulzap
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/37426991-7778-4dc4-8cae-2725584fb8b8
HTML5 Video Player <= 2.5.24 – Unauthenticated SQL Injection via id
CVE ID: CVE-2024-1061
CVSS Score: 6.5 (Medium)
Researcher/s: Joshua Martinelle
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0abd2533-5cb3-4568-8ad2-f2852ab3a8db
Quicksand Post Filter jQuery Plugin <= 3.1.1 – Cross-Site Request Forgery via renderAdmin
CVE ID: CVE-2024-24849
CVSS Score: 6.5 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4dd63ea6-7821-42b8-9b52-e721a8b2382d
Order Delivery Date for WP e-Commerce <= 1.2 – Unauthenticated Stored Cross-Site Scripting
CVE ID: CVE-2024-0678
CVSS Score: 6.5 (Medium)
Researcher/s: Krzysztof Zając
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/71fb90b6-a484-4a70-a9dc-795cbf2e275e
WP Hotel Booking <= 2.0.9.2 – Improper Authorization on Multiple REST API Routes
CVE ID: CVE Unknown
CVSS Score: 6.5 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/86f15e94-6ca7-4eb2-8a38-b4add9251dab
Starbox <= 3.4.8 – Authenticated (Subscriber+) Stored Cross-Site Scripting via Profile Display Name and Social Settings
CVE ID: CVE-2024-0256
CVSS Score: 6.4 (Medium)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0eafe473-9177-47c4-aa1e-2350cb827447
Heateor Social Login <= 1.1.30 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2024-24712
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1a3ebfba-7523-48a4-a315-4395be2cebef
Advanced iFrame <= 2023.10 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-7069
CVSS Score: 6.4 (Medium)
Researcher/s: Webbernaut
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2e32c51d-2d96-4545-956f-64f65c54b33b
Five Star Restaurant Reviews <= 2.3.5 – Authenticated (Contributor+) Stored Cross-Site Scripting via Review URL
CVE ID: CVE-2024-24838
CVSS Score: 6.4 (Medium)
Researcher/s: Steven Julian
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2fe44e46-dfbf-4286-889c-606280d62218
SlimStat Analytics <= 5.1.3 – Authenticated (Subscriber+) Stored Cross-Site Scripting
CVE ID: CVE-2024-1073
CVSS Score: 6.4 (Medium)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/33cba63c-4629-48fd-850f-f68dad626a67
Ultra Companion <= 1.1.9 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2024-24803
CVSS Score: 6.4 (Medium)
Researcher/s: wpdabh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3639d0a6-6d9f-4f3e-bb25-85d4eb40b547
OWL Carousel <= 1.4.0 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2024-24801
CVSS Score: 6.4 (Medium)
Researcher/s: resecured.io
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/511957c0-e4c3-4a50-b604-3b604d52d32f
SiteOrigin Widgets Bundle <= 1.58.1 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2024-0961
CVSS Score: 6.4 (Medium)
Researcher/s: Webbernaut
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6f7c164f-2f78-4857-94b9-077c2dea13df
Scheduling Plugin – Online Booking for WordPress <= 3.5.10 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2024-23517
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/71a0aa95-f2a9-4537-a8d1-d78336e36125
Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress <= 4.14.3 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2024-1046
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7911c774-3fb0-4d6c-a847-101e5ad8637a
Click To Tweet <= 2.0.14 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2024-23514
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7eee591c-2676-479c-ab15-96da10f51ae0
Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders <= 5.9.7 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2024-0954
CVSS Score: 6.4 (Medium)
Researcher/s: Webbernaut
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/875db71d-c799-40b9-95e1-74d53046b0a9
Structured Content <= 1.6.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Classic Editor Shortcode
CVE ID: CVE-2024-24839
CVSS Score: 6.4 (Medium)
Researcher/s: LVT-tholv2k
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a013106b-4e2a-4dd9-a0ab-7e6c91e715dd
Auto Listings <= 2.6.5 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2024-24713
CVSS Score: 6.4 (Medium)
Researcher/s: resecured.io
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b1a97776-03c7-403d-b803-023647b9d0f2
Calculated Fields Form <= 1.2.52 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2024-0963
CVSS Score: 6.4 (Medium)
Researcher/s: Richard Telleng (stueotue)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d870ff8d-ea4b-4777-9892-0d9982182b9f
The Plus Addons for Elementor <= 5.3.3 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2024-23511
CVSS Score: 6.4 (Medium)
Researcher/s: Abu Hurayra (HurayraIIT)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e66b5c12-3acb-41f7-ae5f-8a9130053e45
CC BMI Calculator <= 2.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2024-23516
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ed0e7717-d9ac-4333-8e79-fc030a410dab
GDPR Data Request Form <= 1.6 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2024-24836
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f0b8fd44-75af-4fb8-bcc1-94cb5fc9e4eb
Premium Addons for Elementor <= 4.10.16 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2024-24831
CVSS Score: 6.4 (Medium)
Researcher/s: Abu Hurayra (HurayraIIT)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f7222c7e-939a-4666-9d01-f715d2827954
MapPress <= 2.88.16 – Authenticated (Contributor+) Stored Cross-Site Scripting via Map Settings
CVE ID: CVE-2023-7225
CVSS Score: 6.4 (Medium)
Researcher/s: Akbar Kustirama
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fce76126-0cfd-464f-b644-45d4301e958d
CalculatorPro Calculators <= 1.1.7 – Reflected Cross-Site Scripting via CP_preview_calc
CVE ID: CVE-2024-24847
CVSS Score: 6.1 (Medium)
Researcher/s: Dimas Maulana
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0de79672-f0ba-42d3-a44a-01b93801d7de
Mighty Addons for Elementor <= 1.9.3 – Reflected Cross-Site Scripting
CVE ID: CVE-2024-24846
CVSS Score: 6.1 (Medium)
Researcher/s: Yudistira Arya
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/484d8d14-049d-4fd5-adb8-ad9942bba794
Biteship <= 2.2.24 – Reflected Cross-Site Scripting via biteship_error and biteship_message
CVE ID: CVE-2024-24866
CVSS Score: 6.1 (Medium)
Researcher/s: thiennv
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a0247ba6-d193-4b7d-969d-0cd239c57faa
PT Sign Ups <= 1.0.4 – Unauthenticated Stored Cross-Site Scripting
CVE ID: CVE-2024-24848
CVSS Score: 6.1 (Medium)
Researcher/s: Faizal Abroni
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b751191b-35a8-4331-ac3f-f6090221c65f
EventON <= 4.4.0 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-7200
CVSS Score: 6.1 (Medium)
Researcher/s: kauenavarro
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e0d5b1a5-0078-402b-b834-8091bfc02dd5
PowerPack Pro for Elementor < 2.10.8 – Cross-Site Request Forgery to Plugin Settings Modification and Cross-Site Scripting
CVE ID: CVE-2024-24843
CVSS Score: 6.1 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e68bbee2-1c1a-4751-988e-dde423f8aab3
Ninja Forms Contact Form <= 3.7.1 – Unauthenticated Second Order SQL Injection
CVE ID: CVE-2024-0685
CVSS Score: 5.9 (Medium)
Researcher/s: stealthcopter
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3cb73d5d-ca4a-4103-866d-f7bb369a8ce4
Easy Digital Downloads <= 3.2.6 – Authenticated (Shop Manager+) Stored Cross-Site Scripting via Variable Pricing Options
CVE ID: CVE-2024-0659
CVSS Score: 5.5 (Medium)
Researcher/s: emad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1ec207cd-cae5-4950-bbc8-d28f108b4ae7
BEAR <= 1.1.4 – Authenticated (Shop Manager+) Stored Cross-Site Scripting via Plugin Options
CVE ID: CVE-2024-24834
CVSS Score: 5.5 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/32682598-ad1c-4aa1-bdf2-a7966a4d1dbe
Scroll Triggered Box <= 2.3 – Authenticated (Editor+) Stored Cross-Site Scripting
CVE ID: CVE-2024-24865
CVSS Score: 5.5 (Medium)
Researcher/s: Savphill
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b92c3d68-2e3e-4500-8da9-f89373126445
MW WP Form <= 5.0.6 – Authenticated (Editor+) Stored Cross-Site Scripting
CVE ID: CVE-2024-24804
CVSS Score: 5.5 (Medium)
Researcher/s: Huynh Tien Si
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f2126761-cbff-4d46-a6df-4566d15216d7
Accessibility <= 1.0.6 – Cross-Site Request Forgery
CVE ID: CVE-2024-24705
CVSS Score: 5.4 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/432effd4-5c94-4ef9-bc19-b4eacd082264
PilotPress <= 2.0.29 – Authenticated (Subscriber+) Missing Authorization via Multiple AJAX Functions
CVE ID: CVE-2024-23524
CVSS Score: 5.4 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6a8d121d-434d-4445-874f-d3cf6b6e7233
WOLF – WordPress Posts Bulk Editor and Manager Professional <= 1.0.8.1 – Cross-Site Request Forgery
CVE ID: CVE-2024-0790
CVSS Score: 5.4 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6c48f94b-d193-429a-9383-628ae12bfdf3
Load More Anything <= 3.3.3 – Missing Authorization to Plugin Settings Modification
CVE ID: CVE-2024-24704
CVSS Score: 5.4 (Medium)
Researcher/s: Elliot
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/797554c9-7008-451a-8e8d-3242a207347e
PDF Flipbook, 3D Flipbook – DearFlip <= 2.2.26 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2024-0895
CVSS Score: 5.4 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/92e37b28-1a17-417a-b40f-cb4bbe6ec759
Happyforms <= 1.25.10 – Missing Authorization
CVE ID: CVE-2024-23521
CVSS Score: 5.3 (Medium)
Researcher/s: Revan Arifio
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0578c49e-f820-42dd-bd53-f4a281843e69
User Activity Tracking and Log <= 4.1.3 – IP Spoofing
CVE ID: CVE-2024-0970
CVSS Score: 5.3 (Medium)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0e2268fc-5f29-4c69-9585-81240354ae77
EventPrime <= 3.3.9 – Improper Input Validation via save_event_booking
CVE ID: CVE-2024-24832
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/17cbcf67-f10d-41bc-acf7-98e5d99b50af
NEX-Forms – Ultimate Form Builder – Contact forms and much more <= 8.5.6 – Missing Authorization via restore_records()
CVE ID: CVE-2024-0907
CVSS Score: 5.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/26bd4058-ef00-48c8-8ab5-01535f0238a4
WP Dummy Content Generator <= 3.1.2 – Missing Authorization
CVE ID: CVE-2024-24805
CVSS Score: 5.3 (Medium)
Researcher/s: Huynh Tien Si
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3b44d23c-4872-491f-8a91-b0feb888ac54
BEAR <= 1.1.4 – Missing Authorization via Several Functions
CVE ID: CVE-2024-24835
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/411b7889-c2c6-48cb-967d-091585705e17
BizPrint <= 4.5.1 – Missing Authorization in showTemplatePreview
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4fc76e1c-546f-4ecd-bd3b-a6f21b2c65bf
NEX-Forms – Ultimate Form Builder – Contact forms and much more <= 8.5.6 – Missing Authorization via set_starred()
CVE ID: CVE-2024-1129
CVSS Score: 5.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/53db0f72-3353-42bb-ad75-4c5aa32d7939
Relevanssi Pro < 2.25 – Unauthenticated Sensitive Information Exposure
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/550872c8-3663-48fa-ab3f-f90351f3e169
Orbit Fox by ThemeIsle <= 2.10.28 – Missing Authorization
CVE ID: CVE-2024-1047
CVSS Score: 5.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6147582f-578a-47ad-b16c-65c37896783d
LearnDash LMS <= 4.10.1 – Sensitive Information Exposure via API
CVE ID: CVE-2024-1210
CVSS Score: 5.3 (Medium)
Researcher/s: Karl Emil Nikka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/61ca5ab6-5fe9-4313-9b0d-8736663d0e89
LearnDash LMS <= 4.10.1 – Sensitive Information Exposure via assignments
CVE ID: CVE-2024-1209
CVSS Score: 5.3 (Medium)
Researcher/s: Karl Emil Nikka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7191955e-0db1-4ad1-878b-74f90ca59c91
PropertyHive <= 2.0.6 – Missing Authorization via activate_pro_feature
CVE ID: CVE-2024-24718
CVSS Score: 5.3 (Medium)
Researcher/s: Yudistira Arya
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/84d55f24-c4de-4574-b0cc-cc1b4935d281
LearnDash LMS <= 4.10.2 – Sensitive Information Exposure via API
CVE ID: CVE-2024-1208
CVSS Score: 5.3 (Medium)
Researcher/s: Karl Emil Nikka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ae735117-e68b-448e-ad41-258d1be3aebc
Post Thumbnail Editor <= 2.4.8 – Sensitive Information Exposure
CVE ID: CVE-2024-24845
CVSS Score: 5.3 (Medium)
Researcher/s: Joshua Chan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b102af8f-2bc3-4548-9a90-d1280b058173
UserPro <= 5.1.6 – Disabled Membership Registration Bypass
CVE ID: CVE-2024-0701
CVSS Score: 5.3 (Medium)
Researcher/s: Rob Stevens
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ea070d9c-c04c-432f-a110-47b9eaa67614
ARMember <= 4.0.24 – Improper Access Control to Sensitive Information Exposure via REST API
CVE ID: CVE-2024-0969
CVSS Score: 5.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ea4e6718-4e1e-44ce-8463-860f0d3d80f5
NEX-Forms – Ultimate Form Builder – Contact forms and much more <= 8.5.6 – Missing Authorization via set_read()
CVE ID: CVE-2024-1130
CVSS Score: 5.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f2c3b646-d865-4425-bc8f-00b3555a3d74
WP Visitor Statistics (Real Time Traffic) <= 6.9.4 – Sensitive Information Exposure via Log File
CVE ID: CVE-2024-24867
CVSS Score: 5.3 (Medium)
Researcher/s: Yudistira Arya
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f2d69d59-390d-4f3c-96ba-487707cac7a6
Anonymous Restricted Content <= 1.6.2 – Protection Mechanism Bypass
CVE ID: CVE-2024-0909
CVSS Score: 5.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f478ff7c-7193-4c59-a84f-c7cafff9b6c0
Email Before Download <= 6.9.7 – Cross-Site Request Forgery
CVE ID: CVE-2024-23519
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fa918a65-0021-4c32-9f6d-d978926c3ef3
WP STAGING WordPress Backup Plugin < 3.2.0 – Sensitive Information Exposure via cache files
CVE ID: CVE-2023-7204
CVSS Score: 5.3 (Medium)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fe8816d8-1687-4a3c-9f2a-23f21d679cc5
BookIt <= 2.4.0 – Price Bypass
CVE ID: CVE-2024-24715
CVSS Score: 4.9 (Medium)
Researcher/s: Debangshu Kundu, Arpeet Rathi
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d9938c7d-ef0d-45a2-900f-ac8bda9ce75a
Popup More <= 2.2.4 – Authenticated (Admin+) Directory Traversal to Limited Local File Inclusion
CVE ID: CVE-2024-0844
CVSS Score: 4.7 (Medium)
Researcher/s: 0x9567b
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7894a19c-b873-4c5b-8c82-6656cc306ee2
Restrict Usernames Emails Characters <= 3.1.3 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-6165
CVSS Score: 4.4 (Medium)
Researcher/s: Yuhang Liu
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/12532f84-bc76-4968-a01f-f879ab41b901
Persian Fonts <= 1.6 – Authenticated (Admin+) Stored Cross-Site Scripting
CVE ID: CVE-2023-7167
CVSS Score: 4.4 (Medium)
Researcher/s: Bob Matyas
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2a427b26-4a0d-4351-8a8b-ec5da1345ebd
Chartify <= 2.0.6 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-47526
CVSS Score: 4.4 (Medium)
Researcher/s: Jeongwoo-Lee(Roronoa)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/49d0315e-fcb2-4232-8797-0421cf5d3cd8
SEO Plugin by Squirrly SEO <= 12.3.15 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
CVE ID: CVE-2024-0597
CVSS Score: 4.4 (Medium)
Researcher/s: Akbar Kustirama
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a61a8d8b-f22f-4a16-95f6-6cf52cf545ad
Pagelayer <= 1.7.9 – Authenticated (Administrator+) Stored Cross-Site Scripting via Header/Footer code
CVE ID: CVE-2023-5124
CVSS Score: 4.4 (Medium)
Researcher/s: Marc-Alexandre Montpas
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b8bd08d0-5c78-40a8-abc1-de387908df9d
Add Customer for WooCommerce <= 1.7 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2024-24841
CVSS Score: 4.4 (Medium)
Researcher/s: Dhabaleshwar Das
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ba08695e-009e-434a-9db0-06aa1dd6d57a
Beds24 Online Booking <= 2.0.23 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2024-24717
CVSS Score: 4.4 (Medium)
Researcher/s: Dhabaleshwar Das
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ca5bc2af-394b-4fc1-b6c3-ed9ff0a5959a
Fatal Error Notify <= 1.5.2 – Cross-Site Request Forgery to Test Error Email Sending
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/08b75cac-7b1d-4bed-a1b7-bd1e872f2b4f
Active Products Tables for WooCommerce. Professional products tables for WooCommerce store <= 1.0.6.1 – Missing Authorization
CVE ID: CVE-2024-0797
CVSS Score: 4.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0a94841f-b1dd-44f4-b7a1-65a9fdf7b18d
WOLF – WordPress Posts Bulk Editor and Manager Professional <= 1.0.8.1 – Missing Authorization
CVE ID: CVE-2024-0791
CVSS Score: 4.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/13c66a8f-b35f-4943-8880-0799b0d150f7
Element Pack Elementor Addons <= 5.4.11 – Missing Authorization via bdt_duplicate_as_draft
CVE ID: CVE-2024-24840
CVSS Score: 4.3 (Medium)
Researcher/s: Abu Hurayra (HurayraIIT)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/164a1e09-e967-450c-8938-84c18ebf267d
Happy Addons for Elementor <= 3.10.1 – Missing Authorization via add_row_actions
CVE ID: CVE-2024-24833
CVSS Score: 4.3 (Medium)
Researcher/s: Abu Hurayra (HurayraIIT)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1b25df18-dd9a-4b24-8187-283d5f3f334e
Post Video Players <= 1.158 – Cross-Site Request Forgery via cincopa_mp_mt_options_page
CVE ID: CVE-2024-23515
CVSS Score: 4.3 (Medium)
Researcher/s: Skalucy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/285d2b85-cdd0-4447-8cdc-b641751e4a5f
Affiliates Manager <= 2.9.34 – Cross-Site Request Forgery
CVE ID: CVE-2024-0859
CVSS Score: 4.3 (Medium)
Researcher/s: Nathaniel Oh (0x4n3)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/433a03c2-09fd-4ce6-843b-55ad09f4b4f7
WooCommerce Conversion Tracking <= 2.0.11 – Missing Authorization via wcct_install_happy_addons
CVE ID: CVE-2024-24711
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4775ef21-01d6-4c5a-9e3e-f9b6e093fc7f
BizPrint <= 4.5.1 – Cross-Site Request Forgery in Printer Management
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/487a131e-4911-42d6-bfd7-fc697c89552d
Fatal Error Notify <= 1.5.2 – Missing Authorization to Test Error Email Sending
CVE ID: CVE-2023-7202
CVSS Score: 4.3 (Medium)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/50499cd6-0e27-494a-892c-5ca827d4433b
Active Products Tables for WooCommerce. Professional products tables for WooCommerce store <= 1.0.6.1 – Cross-Site Request Forgery
CVE ID: CVE-2024-0796
CVSS Score: 4.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5069fbc4-b3c4-4c0b-892c-2c83f35dc2fe
Shareaholic <= 9.7.11 – Missing Authorization via accept_terms_of_service
CVE ID: CVE-2024-24709
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5cde239c-20bf-41fa-b7d6-e21b14dcbc22
Setka Editor <= 2.1.20 – Cross-Site Request Forgery via handleRequest
CVE ID: CVE-2024-24701
CVSS Score: 4.3 (Medium)
Researcher/s: emad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7058306f-ec20-4722-aaa1-552a75945a1e
Location Picker at Checkout for WooCommerce <= 1.8.9 – Missing Authorization via checkout_map_rules_order_ajax_handler
CVE ID: CVE-2024-24719
CVSS Score: 4.3 (Medium)
Researcher/s: Dhabaleshwar Das
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7394be7e-9a1f-4c85-ac2d-cace39def330
FG Drupal to WordPress <= 3.67.0 – Cross-Site Request Forgery via ajax_importer
CVE ID: CVE-2024-24837
CVSS Score: 4.3 (Medium)
Researcher/s: Friday
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7dc34ff1-1b7e-4974-907a-745911df5dc8
Orbit Fox by ThemeIsle <= 2.10.29 – Cross-Site Request Forgery
CVE ID: CVE-2024-1162
CVSS Score: 4.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/88f6a24f-f14a-4d0a-be5a-f8c84910b4fc
JTRT Responsive Tables <= 4.1.9 – Cross-Site Request Forgery
CVE ID: CVE-2024-24802
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/89ca9214-145e-43c6-a642-7c371f635332
Page Restrict <= 2.5.5 – Cross-Site Request Forgery via pr_admin_page
CVE ID: CVE-2024-24702
CVSS Score: 4.3 (Medium)
Researcher/s: emad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/956984d4-4f8b-4e20-8002-4e9809b3872c
WP-CFM <= 1.7.8 – Cross-Site Request Forgery via multiple AJAX functions
CVE ID: CVE-2024-24706
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9790c592-1445-4f9d-987e-ae5ab49c4dcd
RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator <= 4.4.1 – Missing Authorization
CVE ID: CVE-2024-1092
CVSS Score: 4.3 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/98053141-fe97-4bd4-b820-b6cca3426109
Custom Order Numbers for WooCommerce <= 1.6.0 – Cross-Site Request Forgery to Notice Dismissal
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/981908d3-e1e7-4093-a2ee-69aa50127731
PopupAlly <= 2.1.0 – Cross-Site Request Forgery via optin_submit_callback
CVE ID: CVE-2024-23520
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a6bef410-8706-4440-b50f-08824ef754f6
Debug <= 1.10 – Cross-Site Request Forgery
CVE ID: CVE-2024-24798
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/aa7276bb-6a9b-4cbd-8333-14c4dfac4108
Custom Order Status for WooCommerce <= 2.3.0 – Cross-Site Request Forgery
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ab2a4903-2c69-48da-bd4a-79b39b78806c
WordPress Review & Structure Data Schema Plugin – Review Schema <= 2.1.14 – Missing Authorization to Arbitrary Review Update
CVE ID: CVE-2024-0836
CVSS Score: 4.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b7039206-a25a-4aa0-87e2-be11dd1f12eb
Starbox – the Author Box for Humans <= 3.4.7 – Insecure Direct Object Reference
CVE ID: CVE-2024-0366
CVSS Score: 4.3 (Medium)
Researcher/s: Sh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c47601b4-bf16-4f59-b5f3-584a8eac7c67
CP Media Player <= 1.1.3 – Cross-Site Request Forgery to Player Deletion and Duplication
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ced380a5-04a6-40c1-a731-0d3b929e4428
Don’t Muck My Markup <= 1.8 – Cross-Site Request Forgery
CVE ID: CVE-2024-23510
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d1390c22-3c8d-47f1-b225-1bcbc215832a
W3SPEEDSTER <= 7.19 – Cross-Site Request Forgery via launch
CVE ID: CVE-2024-24708
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e358355e-097c-4a6d-a21a-3d08098efff0
WordPress Toolbar Plugin <= 2.2.6 – Open Redirect via wptbto
CVE ID: CVE-2023-6389
CVSS Score: 4.3 (Medium)
Researcher/s: Daniel Ruf
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e88a45e5-f882-419e-b0b0-612912666693
ACF Photo Gallery Field <= 2.6 – Missing Authorization
CVE ID: CVE-2024-23518
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f557ddf1-cee3-498c-87bc-fa81bf574591
WooCommerce Box Office <= 1.2.2 – Missing Authorization
CVE ID: CVE-2024-24799
CVSS Score: 4.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ff2097a9-fe7a-48f3-be9c-dc0caef74262
Feed Them Social <= 4.2.0 – Cross-Site Request Forgery via review_nag_check
CVE ID: CVE-2024-24710
CVSS Score: 3.5 (Low)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e86152a6-cd8d-4466-bcc5-830413500e12
As a reminder, Wordfence has curated an industry-leading vulnerability database, Wordfence Intelligence, covering all known WordPress core, theme, and plugin vulnerabilities.
This database is continuously updated and maintained by Wordfence's experienced vulnerability researchers through in-house vulnerability research, direct submissions from researchers via our CVE Request form, and monitoring of a range of sources to capture all publicly available WordPress vulnerability information, with additional context added where we can.
The post Wordfence Intelligence Weekly WordPress Vulnerability Report (January 29, 2024 to February 4, 2024) appeared first on Wordfence.