Last week, 67 vulnerabilities disclosed in 60 WordPress plugins and no WordPress themes were added to the Wordfence Intelligence Vulnerability Database, and 29 vulnerability researchers contributed to WordPress security. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Enterprises, hosting providers, and even individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Alternatively, they can use the vulnerability database API to receive a complete dump of our database of over 12,000 vulnerabilities, and then use the webhook integration to stay on top of the newest vulnerabilities added in real time, as well as any updates made to the database, all for free.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

Stored Cross-Site Scripting via Block
WAF-RULE-666 – This is for an undisclosed vulnerability that we are working with the vendor on getting patched.
WAF-RULE-665 – This is for an undisclosed vulnerability that we are working with the vendor on getting patched.

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30-day delay.

Total Unpatched & Patched Vulnerabilities Last Week

| Patch Status | Number of Vulnerabilities |
| --- | --- |
| Unpatched | 12 |
| Patched | 55 |

Total Vulnerabilities by CVSS Severity Last Week

| Severity Rating | Number of Vulnerabilities |
| --- | --- |
| Low Severity | 1 |
| Medium Severity | 54 |
| High Severity | 7 |
| Critical Severity | 5 |

Total Vulnerabilities by CWE Type Last Week

| Vulnerability Type by CWE | Number of Vulnerabilities |
| --- | --- |
| Cross-Site Request Forgery (CSRF) | 20 |
| Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 19 |
| Missing Authorization | 8 |
| Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 4 |
| Unrestricted Upload of File with Dangerous Type | 4 |
| Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | 3 |
| Information Exposure | 2 |
| Information Exposure Through Debug Information | 1 |
| Exposure of Private Information (‘Privacy Violation’) | 1 |
| Use of Less Trusted Source | 1 |
| Protection Mechanism Failure | 1 |
| Server-Side Request Forgery (SSRF) | 1 |
| Authorization Bypass Through User-Controlled Key | 1 |
| Improper Access Control | 1 |

Researchers That Contributed to WordPress Security Last Week

| Researcher Name | Number of Vulnerabilities |
| --- | --- |
| Francesco Carlucci | 5 |
| Rafie Muhammad | 4 |
| Dave Jong | 3 |
| Daniel Ruf | 2 |
| Nex Team | 2 |
| drop | 2 |
| Artem Guzhva (hexcat) | 2 |
| Ngô Thiên An (ancorn_) | 2 |
| Abdi Pranata | 2 |
| Brandon James Roldan (tomorrowisnew) | 2 |
| Webbernaut | 2 |
| Dateoljo of BoB 12th | 1 |
| Lucio Sá | 1 |
| LVT-tholv2k | 1 |
| Le Ngoc Anh | 1 |
| Huynh Tien Si | 1 |
| Mika | 1 |
| Joshua Chan | 1 |
| Abu Hurayra (HurayraIIT) | 1 |
| Akbar Kustirama | 1 |
| Yudistira Arya | 1 |
| Naveen Muthusamy | 1 |
| thiennv | 1 |
| Yuchen Ji | 1 |
| Dmitrii Ignatyev | 1 |
| Rafshanzani Suhada | 1 |
| Ulyses Saicha | 1 |
| Elliot | 1 |
| Nicolas Decayeux | 1 |


Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

| Software Name | Software Slug |
| --- | --- |
| AI Engine: Chatbots, Generators, Assistants, GPT 4 and more! | ai-engine |
| ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup | armember-membership |
| Advanced Flamingo | advanced-flamingo |
| Advanced Woo Search | advanced-woo-search |
| Auto Affiliate Links | wp-auto-affiliate-links |
| Beds24 Online Booking | beds24-online-booking |
| Constant Contact Forms by MailMunch | constant-contact-forms-by-mailmunch |
| Contact Form 7 Connector | ari-cf7-connector |
| Contact Form 7 Extension For Mailchimp | contact-form-7-mailchimp-extension |
| Contact Form 7 – Dynamic Text Extension | contact-form-7-dynamic-text-extension |
| Customer Reviews for WooCommerce | customer-reviews-woocommerce |
| Download Monitor | download-monitor |
| Droit Elementor Addons – Widgets, Blocks, Templates Library For Elementor Builder | droit-elementor-addons |
| ElementsKit Elementor addons | elementskit-lite |
| Email Encoder – Protect Email Addresses and Phone Numbers | email-encoder-bundle |
| Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates | essential-blocks |
| EventON | eventon-lite |
| EventON Pro | eventon |
| Football Pool | football-pool |
| Formidable Forms – Contact Form, Survey, Quiz, Payment, Calculator Form & Custom Form Builder | formidable |
| GD Rating System | gd-rating-system |
| Gallery Plugin for WordPress – Envira Photo Gallery | envira-gallery-lite |
| Happy Addons for Elementor | happy-elementor-addons |
| Index Now | mihdan-index-now |
| InstaWP Connect – 1-click WP Staging & Migration | instawp-connect |
| List category posts | list-category-posts |
| MailerLite – WooCommerce integration | woo-mailerlite |
| Metform Elementor Contact Form Builder | metform |
| Newsletter – Send awesome emails from WordPress | newsletter |
| OneClick Chat to Order | oneclick-whatsapp-order |
| Order Export & Order Import for WooCommerce | order-import-export-for-woocommerce |
| PDF Invoices & Packing Slips for WooCommerce | woocommerce-pdf-invoices-packing-slips |
| POST SMTP – The #1 WordPress SMTP Plugin with Advanced Email Logging and Delivery Failure Notifications | post-smtp |
| Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions | paid-memberships-pro |
| Photos and Files Contest Gallery – Contact Form, Upload Form, Social Share and Voting Plugin for WordPress | contest-gallery |
| Plugin for Google Reviews | widget-google-reviews |
| Products, Order & Customers Export for WooCommerce | export-woocommerce |
| Profile Builder Pro | profile-builder-pro |
| RabbitLoader | rabbit-loader |
| Schema & Structured Data for WP & AMP | schema-and-structured-data-for-wp |
| Seraphinite Accelerator | seraphinite-accelerator |
| Seraphinite Alternative Slugs Manager | seraphinite-old-slugs-mgr |
| Shortcodes Finder | shortcodes-finder |
| Simple Inventory Management – just scan barcode to manage products and orders. For WooCommerce | barcode-scanner-lite-pos-to-manage-products-inventory-and-orders |
| Swift SMTP (formerly Welcome Email Editor) | welcome-email-editor |
| TNC PDF viewer | pdf-viewer-by-themencode |
| The Events Calendar | the-events-calendar |
| Voting Record | voting-record |
| WP Register Profile With Shortcode | wp-register-profile-with-shortcode |
| WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc | wp-sms |
| WP Spell Check | wp-spell-check |
| WP Testimonials | testimonial-widgets |
| WPS Hide Login | wps-hide-login |
| WooCommerce | woocommerce |
| Woocommerce Vietnam Checkout | woo-vietnam-checkout |
| Word Replacer Pro | word-replacer-ultra |
| WordPress Button Plugin MaxButtons | maxbuttons |
| WordPress Live Chat Plugin for Elementor – LiveChat | livechat-elementor |
| WordPress Live Chat Plugin for WooCommerce – LiveChat | livechat-woocommerce |
| WordPress Manutenção | wp-manutencao |

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

Barcode Scanner with Inventory & Order Manager <= 1.5.1 – Unauthenticated Arbitrary File Upload via uploadFile

Customer Reviews for WooCommerce <= 5.38.9 – Authenticated (Author+) Arbitrary File Upload

Affected Software: Customer Reviews for WooCommerce
CVE ID: CVE-2023-6979
CVSS Score: 9.8 (Critical)
Researcher/s: Artem Guzhva (hexcat)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4af801db-44a6-4cd3-bd1a-3125490c8c48

AI Engine: ChatGPT Chatbot <= 1.9.98 – Unauthenticated Arbitrary File Upload via rest_upload

Affected Software: AI Engine: Chatbots, Generators, Assistants, GPT 4 and more!
CVE ID: CVE-2023-51409
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a3fc4bac-9be0-4a1c-b4bb-4384d80e22f7

Barcode Scanner with Inventory & Order Manager <= 1.5.1 – Unauthenticated SQL Injection via userToken

POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress <= 2.8.7 – Authorization Bypass via type connect-app API

WP Testimonials <= 1.4.4 – Authenticated (Contributor+) SQL Injection

Affected Software: WP Testimonials
CVE ID: CVE Unknown
CVSS Score: 8.8 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4da18aad-3c82-4bc6-8dad-523643c12d5b

WP Register Profile With Shortcode <= 3.5.9 – Cross-Site Request Forgery to User Password Reset

Affected Software: WP Register Profile With Shortcode
CVE ID: CVE-2023-5448
CVSS Score: 8.8 (High)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ca564941-4780-4da2-b937-c9bd45966d81

Profile Builder Pro <= 3.10.0 – Cross-Site Request Forgery

Affected Software: Profile Builder Pro
CVE ID: CVE-2024-22140
CVSS Score: 8.8 (High)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f4c8932b-ede8-4f17-9612-5493c1130170

Download Monitor <= 4.9.4 – Authenticated (Admin+) SQL Injection

Affected Software: Download Monitor
CVE ID: CVE Unknown
CVSS Score: 7.2 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/105ae6be-2cb7-4ab2-8e4c-5d3ff84c5b9f

Order Export & Order Import for WooCommerce <= 2.4.3 – Authenticated (Shop Manager+) Arbitrary File Upload via upload_import_file

Affected Software: Order Export & Order Import for WooCommerce
CVE ID: CVE-2024-22135
CVSS Score: 7.2 (High)
Researcher/s: Dateoljo of BoB 12th
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/15ce2e54-ca5a-4dbc-9795-6e989e85b330

PDF Invoices & Packing Slips for WooCommerce <= 3.7.5 – Authenticated (Shop Manager+) SQL Injection

Affected Software: PDF Invoices & Packing Slips for WooCommerce
CVE ID: CVE-2024-22147
CVSS Score: 7.2 (High)
Researcher/s: Yudistira Arya
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a92e307d-b3c0-441a-abac-580a60dd44cf

Index Now <= 2.6.3 – Cross-Site Request Forgery via reset_form

Affected Software: Index Now
CVE ID: CVE-2024-0428
CVSS Score: 7.1 (High)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c7641d52-e930-4143-9180-2903d018da91

EventON – WordPress Virtual Event Calendar Plugin Pro <= 4.5.4 & Free <= 2.2.7 – Missing Authorization to Arbitrary Post Meta Update via evo_eventpost_update_meta

Affected Software/s: EventON, EventON Pro
CVE ID: CVE-2023-6158
CVSS Score: 6.5 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/19f94c4f-145b-4058-aabd-06525fce3cea

List category posts <= 0.89.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: List category posts
CVE ID: CVE-2023-6994
CVSS Score: 6.5 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/611871cc-737f-44e3-baf5-dbaa8bd8eb81

EventON – WordPress Virtual Event Calendar Plugin <= 4.5.4 (Pro) & <= 2.2.8 (Free) – Cross-Site Request Forgery via save_virtual_event_settings

Affected Software/s: EventON, EventON Pro
CVE ID: CVE-2023-6244
CVSS Score: 6.5 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6fcc3a82-f116-446e-9e5f-4f074e20403b

Profile Builder Pro <= 3.10.0 – Authenticated (Subscriber+) Time-Based One-Time Password Sensitive Information Exposure

Affected Software: Profile Builder Pro
CVE ID: CVE-2024-22141
CVSS Score: 6.5 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a388b406-1640-443d-9656-6a87588ce201

Word Replacer Pro <= 1.0 – Missing Authorization

Affected Software: Word Replacer Pro
CVE ID: CVE-2023-52229
CVSS Score: 6.5 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bd31e8b0-6089-4521-a80f-e65e61ad062f

GD Rating System <= 3.5.0 – Unauthenticated Stored Cross-Site Scripting via IP

Affected Software: GD Rating System
CVE ID: CVE Unknown
CVSS Score: 6.5 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c0b3662d-e369-4978-aa7a-debbb3ee37e4

EventON – WordPress Virtual Event Calendar Plugin Pro <= 4.5.4 & Free <= 2.2.7 – Cross-Site Request Forgery via evo_eventpost_update_meta

Affected Software/s: EventON, EventON Pro
CVE ID: CVE-2023-6242
CVSS Score: 6.5 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c8e9a333-a6b7-4b5e-93c1-b95566e5d6fb

Formidable Forms <= 6.7 – HTML Injection

Affected Software: Formidable Forms – Contact Form, Survey, Quiz, Payment, Calculator Form & Custom Form Builder
CVE ID: CVE-2023-6830
CVSS Score: 6.5 (Medium)
Researcher/s: drop
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ff294b0f-97fe-4d27-bf93-f5bbb57ac1f6

Happy Elementor Addons <= 3.10.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Happy Addons for Elementor
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1453815d-4e28-41ec-9aa4-4fd2899c619a

Voting Record <= 2.0 – Authenticated (Subscriber+) Stored Cross-Site Scripting

Affected Software: Voting Record
CVE ID: CVE-2023-7084
CVSS Score: 6.4 (Medium)
Researcher/s: Daniel Ruf
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/286c3e26-07a8-4fca-9fdc-98e62ae88b67

OneClick Chat to Order <= 1.0.5 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: OneClick Chat to Order
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3e4aaf2e-a0c6-47d2-9eb8-d65952a74424

Beds24 Online Booking <= 2.0.23 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Beds24 Online Booking
CVE ID: CVE-2023-52228
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6fc2b2a5-00b0-424e-8678-c6b5cd76baec

TNC PDF viewer <= 2.8.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: TNC PDF viewer
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7a5f29ce-e266-4f52-af63-159253e7987c

Constant Contact Forms by MailMunch <= 2.0.11 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Constant Contact Forms by MailMunch
CVE ID: CVE-2024-22137
CVSS Score: 6.4 (Medium)
Researcher/s: Abu Hurayra (HurayraIIT)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a84bd9c8-97bd-4572-8bfa-5191d98c9523

Plugin for Google Reviews <= 3.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Plugin for Google Reviews
CVE ID: CVE-2023-6884
CVSS Score: 6.4 (Medium)
Researcher/s: Akbar Kustirama
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a8971d54-b54e-4e62-9db2-fa87d2564599

WP SMS <= 6.5.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c9141ad3-86cf-47ae-be99-d78f0337f2ca

Email Encoder – Protect Email Addresses and Phone Numbers <= 2.1.9 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Email Encoder – Protect Email Addresses and Phone Numbers
CVE ID: CVE-2023-7070
CVSS Score: 6.4 (Medium)
Researcher/s: Webbernaut
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f5afe6ea-93b8-4782-8593-76468e370a45

Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates <= 4.4.6 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates
CVE ID: CVE-2023-7071
CVSS Score: 6.4 (Medium)
Researcher/s: Webbernaut
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f969cb24-734f-46e5-a74d-fddf8e61e096

Football pool <= 2.11.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Football Pool
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ff150706-5fbf-4881-976b-89fdaf637fb1

ARMember <= 4.0.22 – Cross-Site Request Forgery

WooCommerce < 8.4.0 – Reflected Cross-Site Scripting

Affected Software: WooCommerce
CVE ID: CVE Unknown
CVSS Score: 6.1 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/43810a17-89b4-44f5-887e-1ad0989ea5b4

Profile Builder Pro <= 3.10.0 – Reflected Cross-Site Scripting

Affected Software: Profile Builder Pro
CVE ID: CVE-2024-22142
CVSS Score: 6.1 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/578d8ca7-7042-493d-92b4-63241b4bdfca

Shortcodes Finder <= 1.5.4 – Reflected Cross-Site Scripting

Affected Software: Shortcodes Finder
CVE ID: CVE-2024-21750
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8eb77a53-4aea-46c3-8eea-a16f728dfa23

Advanced Woo Search <= 2.96 – Reflected Cross-Site Scripting

Affected Software: Advanced Woo Search
CVE ID: CVE-2024-0251
CVSS Score: 6.1 (Medium)
Researcher/s: Artem Guzhva (hexcat)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/91358e40-e64f-4e8e-b5a3-7d2133db5fe9

Voting Record <= 2.0 – Cross-Site Request Forgery to Settings Update and Cross-Site Scripting

Affected Software: Voting Record
CVE ID: CVE-2023-7083
CVSS Score: 6.1 (Medium)
Researcher/s: Daniel Ruf
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f93aa003-5b8b-4836-af65-80df2f9fbdb6

Auto Affiliate Links <= 6.4.2.7 – Cross-Site Request Forgery

Affected Software: Auto Affiliate Links
CVE ID: CVE Unknown
CVSS Score: 5.8 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d89918e1-b525-4d32-9b11-5e014eb02c16

Metform Elementor Contact Form Builder <= 3.8.1 – Cross-Site Request Forgery

Affected Software: Metform Elementor Contact Form Builder
CVE ID: CVE-2023-6788
CVSS Score: 5.4 (Medium)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/30fd2425-ee48-4777-91c1-03906d63793a

Schema & Structured Data for WP & AMP <= 1.25 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Schema & Structured Data for WP & AMP
CVE ID: CVE-2024-22146
CVSS Score: 5.4 (Medium)
Researcher/s: LVT-tholv2k
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5ca21247-c443-4808-8397-790669453bfc

RabbitLoader <= 2.19.13 – Missing Authorization via multiple AJAX actions

Affected Software: RabbitLoader
CVE ID: CVE-2024-21751
CVSS Score: 5.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/958118ec-437e-45c8-a0f0-6aaf54e60d04

MailerLite – WooCommerce integration <= 2.0.8 – Cross-Site Request Forgery via Multiple AJAX Functions

Affected Software: MailerLite – WooCommerce integration
CVE ID: CVE-2023-52223
CVSS Score: 5.4 (Medium)
Researcher/s: Brandon James Roldan (tomorrowisnew)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9ea7ccb0-c0fb-4ef3-8041-9bf5abe36e3f

Contact Form 7 Extension For Mailchimp <= 0.5.70 – Authenticated (Subscriber+) Server-Side Request Forgery

Affected Software: Contact Form 7 Extension For Mailchimp
CVE ID: CVE-2024-22134
CVSS Score: 5.4 (Medium)
Researcher/s: Yuchen Ji
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bed25977-040e-4427-b1e3-e9be9733b31f

Paid Memberships Pro <= 2.12.6 – Information Exposure in Debug Logs

Affected Software: Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/852b1895-3bed-4c2f-912c-c136b38a09bb

Seraphinite Accelerator <= 2.20.45 – Unauthenticated Sensitive Information Exposure via Log File

Affected Software: Seraphinite Accelerator
CVE ID: CVE-2024-22138
CVSS Score: 5.3 (Medium)
Researcher/s: Joshua Chan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a5991df2-1aab-4d07-9e30-1257aa9ec884

WordPress Manutenção <= 1.0.6 – IP Spoofing to Maintenance Mode Bypass

Affected Software: WordPress Manutenção
CVE ID: CVE-2024-22139
CVSS Score: 5.3 (Medium)
Researcher/s: Brandon James Roldan (tomorrowisnew)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a6664039-554b-43bf-8925-00c1e62e28f5

The Events Calendar <= 6.2.8.2 – Unauthenticated Sensitive Information Exposure

Affected Software: The Events Calendar
CVE ID: CVE-2023-6557
CVSS Score: 5.3 (Medium)
Researcher/s: Nicolas Decayeux
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fc40196e-c0f3-4bc6-ac4b-b866902def61

ElementsKit Lite <= 3.0.3 – Unauthenticated Sensitive Information Exposure

Affected Software: ElementsKit Elementor addons
CVE ID: CVE-2023-6582
CVSS Score: 5.3 (Medium)
Researcher/s: Nex Team
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ff4ae5c8-d164-4c2f-9bf3-83934c22cf4c

Newsletter <= 8.0.6 – Cross-Site Request Forgery

Affected Software: Newsletter – Send awesome emails from WordPress
CVE ID: CVE Unknown
CVSS Score: 4.7 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5c24ee66-7b57-4e4c-bbb5-0451fc24ce4b

Contest Gallery <= 21.2.8.4 – Cross-Site Request Forgery

Affected Software: Photos and Files Contest Gallery – Contact Form, Upload Form, Social Share and Voting Plugin for WordPress
CVE ID: CVE Unknown
CVSS Score: 4.7 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f2b5213d-fdc5-4c98-9a05-15d83bd7308f

Formidable Forms <= 6.7 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Formidable Forms – Contact Form, Survey, Quiz, Payment, Calculator Form & Custom Form Builder
CVE ID: CVE-2023-6842
CVSS Score: 4.4 (Medium)
Researcher/s: drop
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/47e402c3-e06c-4ac9-8c60-5666cb1101ce

Woocommerce Vietnam Checkout <= 2.0.8 – Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: Woocommerce Vietnam Checkout
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5344499d-c183-4164-a52c-0dca7873f63d

WordPress Button Plugin MaxButtons <= 9.7.4 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: WordPress Button Plugin MaxButtons
CVE ID: CVE-2023-6594
CVSS Score: 4.4 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cfe2cabd-98f6-4ebc-8a02-e6951202aa88

Swift SMTP <= 5.0.6 – Cross-Site Request Forgery

Affected Software: Swift SMTP (formerly Welcome Email Editor)
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1b9ed184-814d-46cb-979c-908bc9359fae

LiveChat Elementor <= 1.0.13 – Cross-Site Request Forgery

Affected Software: WordPress Live Chat Plugin for Elementor – LiveChat
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/32c2a25d-e660-4700-8df3-b043cf6aa78a

Envira Gallery Lite <= 1.8.7.2 – Missing Authorization to Gallery Modification via envira_gallery_insert_images

Affected Software: Gallery Plugin for WordPress – Envira Photo Gallery
CVE ID: CVE-2023-6742
CVSS Score: 4.3 (Medium)
Researcher/s: Nex Team
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/40655278-6915-4a76-ac2d-bb161d3cee92

InstaWP Connect <= 0.1.0.8 – Cross-Site Request Forgery via create_file_db_manager

Affected Software: InstaWP Connect – 1-click WP Staging & Migration
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5954c35a-7d0a-4bc5-9cad-3223e7be56eb

Seraphinite Alternative Slugs Manager <= 1.3 – Cross-Site Request Forgery

Affected Software: Seraphinite Alternative Slugs Manager
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/66377ee2-cc87-4cfe-a4e4-cef4459bf2ec

MailerLite – WooCommerce integration <= 2.0.8 – Missing Authorization via Multiple Functions

Affected Software: MailerLite – WooCommerce integration
CVE ID: CVE-2023-52227
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/757690b0-6c59-4e74-aad2-f5fde9f7a2fb

LiveChat WooCommerce <= 2.2.16 – Cross-Site Request Forgery

Affected Software: WordPress Live Chat Plugin for WooCommerce – LiveChat
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/872f13bc-e6d0-4307-b2c9-b55a44df1016

Advanced Flamingo <= 1.0 – Cross-Site Request Forgery

Affected Software: Advanced Flamingo
CVE ID: CVE-2023-52226
CVSS Score: 4.3 (Medium)
Researcher/s: Huynh Tien Si
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9ce8ad5f-05e8-4279-915a-1c94559d4e56

WP Spell Check <= 9.17 – Cross-Site Request Forgery

Affected Software: WP Spell Check
CVE ID: CVE-2024-22143
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9eef053c-16a1-4624-8393-08e78b221d4f

Contact Form 7 – Dynamic Text Extension <= 4.1.0 – Insecure Direct Object Reference

Affected Software: Contact Form 7 – Dynamic Text Extension
CVE ID: CVE-2023-6630
CVSS Score: 4.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a3f1d836-da32-414f-9f2b-d485c44b2486

Contact Form 7 Connector <= 1.2.2 – Cross-Site Request Forgery

Affected Software: Contact Form 7 Connector
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b437020c-31a3-413e-a1da-b4781da34f10

Products & Order Export for WooCommerce <= 2.0.7 – Missing Authorization

Affected Software: Products, Order & Customers Export for WooCommerce
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/da1f68a5-8ca7-4744-9b73-09e767072885

Droit Elementor Addons <= 3.1.5 – Cross-Site Request Forgery

Affected Software: Droit Elementor Addons – Widgets, Blocks, Templates Library For Elementor Builder
CVE ID: CVE-2024-22136
CVSS Score: 4.3 (Medium)
Researcher/s: Elliot
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e7b49fd1-2d1e-4083-bc1d-010a9c8f4c2f

WPS Hide Login <= 1.9.11 – Hidden Login Page Location Disclosure

Affected Software: WPS Hide Login
CVE ID: CVE-2023-49748
CVSS Score: 3.7 (Low)
Researcher/s: Naveen Muthusamy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bb81e90f-8da4-483c-9bc1-18b6c016df5e

As a reminder, Wordfence has curated an industry-leading vulnerability database, known as Wordfence Intelligence, covering all known WordPress core, theme, and plugin vulnerabilities.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (January 8, 2024 to January 14, 2024) appeared first on Wordfence.