Last week, 67 vulnerabilities in 60 WordPress plugins and no WordPress themes were disclosed and added to the Wordfence Intelligence Vulnerability Database, with 29 vulnerability researchers contributing to WordPress security. Review those vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, including the WordPress community, so that individuals and organizations alike can use that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and use, both personally and commercially, and why we are running this weekly vulnerability report.
Enterprises, hosting providers, and individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Alternatively, they can use the vulnerability database API to receive a complete dump of our database of over 12,000 vulnerabilities, and then use the webhook integration to stay on top of the newest vulnerabilities added in real time, as well as any updates made to the database, all for free.
Click here to sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress security reports in your inbox the moment they are published.
New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
Stored Cross-Site Scripting via Block
WAF-RULE-666 – This is for an undisclosed vulnerability that we are working with the vendor on getting patched.
WAF-RULE-665 – This is for an undisclosed vulnerability that we are working with the vendor on getting patched.
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30-day delay.
Total Unpatched & Patched Vulnerabilities Last Week
| Patch Status | Number of Vulnerabilities |
| --- | --- |
| Unpatched | 12 |
| Patched | 55 |
Total Vulnerabilities by CVSS Severity Last Week
| Severity Rating | Number of Vulnerabilities |
| --- | --- |
| Low Severity | 1 |
| Medium Severity | 54 |
| High Severity | 7 |
| Critical Severity | 5 |
Total Vulnerabilities by CWE Type Last Week
| Vulnerability Type by CWE | Number of Vulnerabilities |
| --- | --- |
| Cross-Site Request Forgery (CSRF) | 20 |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 19 |
| Missing Authorization | 8 |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 4 |
| Unrestricted Upload of File with Dangerous Type | 4 |
| Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | 3 |
| Information Exposure | 2 |
| Information Exposure Through Debug Information | 1 |
| Exposure of Private Information ('Privacy Violation') | 1 |
| Use of Less Trusted Source | 1 |
| Protection Mechanism Failure | 1 |
| Server-Side Request Forgery (SSRF) | 1 |
| Authorization Bypass Through User-Controlled Key | 1 |
| Improper Access Control | 1 |
Researchers That Contributed to WordPress Security Last Week
| Researcher Name | Number of Vulnerabilities |
| --- | --- |
| Nex Team | 2 |
| drop | 2 |
| Brandon James Roldan (tomorrowisnew) | 2 |
| Lucio Sá | 1 |
| Mika | 1 |
| thiennv | 1 |
| Elliot | 1 |
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
| --- | --- |
| AI Engine: Chatbots, Generators, Assistants, GPT 4 and more! | ai-engine |
| ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup | armember-membership |
| Advanced Flamingo | advanced-flamingo |
| Advanced Woo Search | advanced-woo-search |
| Auto Affiliate Links | wp-auto-affiliate-links |
| Beds24 Online Booking | beds24-online-booking |
| Constant Contact Forms by MailMunch | constant-contact-forms-by-mailmunch |
| Contact Form 7 Connector | ari-cf7-connector |
| Contact Form 7 Extension For Mailchimp | contact-form-7-mailchimp-extension |
| Contact Form 7 – Dynamic Text Extension | contact-form-7-dynamic-text-extension |
| Customer Reviews for WooCommerce | customer-reviews-woocommerce |
| Download Monitor | download-monitor |
| Droit Elementor Addons – Widgets, Blocks, Templates Library For Elementor Builder | droit-elementor-addons |
| ElementsKit Elementor addons | elementskit-lite |
| Email Encoder – Protect Email Addresses and Phone Numbers | email-encoder-bundle |
| Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates | essential-blocks |
| EventON | eventon-lite |
| EventON Pro | eventon |
| Football Pool | football-pool |
| Formidable Forms – Contact Form, Survey, Quiz, Payment, Calculator Form & Custom Form Builder | formidable |
| GD Rating System | gd-rating-system |
| Gallery Plugin for WordPress – Envira Photo Gallery | envira-gallery-lite |
| Happy Addons for Elementor | happy-elementor-addons |
| Index Now | mihdan-index-now |
| InstaWP Connect – 1-click WP Staging & Migration | instawp-connect |
| List category posts | list-category-posts |
| MailerLite – WooCommerce integration | woo-mailerlite |
| Metform Elementor Contact Form Builder | metform |
| Newsletter – Send awesome emails from WordPress | newsletter |
| OneClick Chat to Order | oneclick-whatsapp-order |
| Order Export & Order Import for WooCommerce | order-import-export-for-woocommerce |
| PDF Invoices & Packing Slips for WooCommerce | woocommerce-pdf-invoices-packing-slips |
| POST SMTP – The #1 WordPress SMTP Plugin with Advanced Email Logging and Delivery Failure Notifications | post-smtp |
| Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions | paid-memberships-pro |
| Photos and Files Contest Gallery – Contact Form, Upload Form, Social Share and Voting Plugin for WordPress | contest-gallery |
| Plugin for Google Reviews | widget-google-reviews |
| Products, Order & Customers Export for WooCommerce | export-woocommerce |
| Profile Builder Pro | profile-builder-pro |
| RabbitLoader | rabbit-loader |
| Schema & Structured Data for WP & AMP | schema-and-structured-data-for-wp |
| Seraphinite Accelerator | seraphinite-accelerator |
| Seraphinite Alternative Slugs Manager | seraphinite-old-slugs-mgr |
| Shortcodes Finder | shortcodes-finder |
| Simple Inventory Management – just scan barcode to manage products and orders. For WooCommerce | barcode-scanner-lite-pos-to-manage-products-inventory-and-orders |
| Swift SMTP (formerly Welcome Email Editor) | welcome-email-editor |
| TNC PDF viewer | pdf-viewer-by-themencode |
| The Events Calendar | the-events-calendar |
| Voting Record | voting-record |
| WP Register Profile With Shortcode | wp-register-profile-with-shortcode |
| WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc | wp-sms |
| WP Spell Check | wp-spell-check |
| WP Testimonials | testimonial-widgets |
| WPS Hide Login | wps-hide-login |
| WooCommerce | woocommerce |
| Woocommerce Vietnam Checkout | woo-vietnam-checkout |
| Word Replacer Pro | word-replacer-ultra |
| WordPress Button Plugin MaxButtons | maxbuttons |
| WordPress Live Chat Plugin for Elementor – LiveChat | livechat-elementor |
| WordPress Live Chat Plugin for WooCommerce – LiveChat | livechat-woocommerce |
| WordPress Manutenção | wp-manutencao |
Vulnerability Details
Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.
Barcode Scanner with Inventory & Order Manager <= 1.5.1 – Unauthenticated Arbitrary File Upload via uploadFile
CVE ID: CVE-2023-52221
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/34439db4-1b66-4ccb-bf84-fddef6bc1f88
Customer Reviews for WooCommerce <= 5.38.9 – Authenticated (Author+) Arbitrary File Upload
CVE ID: CVE-2023-6979
CVSS Score: 9.8 (Critical)
Researcher/s: Artem Guzhva (hexcat)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4af801db-44a6-4cd3-bd1a-3125490c8c48
AI Engine: ChatGPT Chatbot <= 1.9.98 – Unauthenticated Arbitrary File Upload via rest_upload
CVE ID: CVE-2023-51409
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a3fc4bac-9be0-4a1c-b4bb-4384d80e22f7
Barcode Scanner with Inventory & Order Manager <= 1.5.1 – Unauthenticated SQL Injection via userToken
CVE ID: CVE-2023-52215
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ba18bd0c-ba6c-4f98-ac29-660a79affa6c
POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress <= 2.8.7 – Authorization Bypass via type connect-app API
CVE ID: CVE-2023-6875
CVSS Score: 9.8 (Critical)
Researcher/s: Ulyses Saicha
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e675d64c-cbb8-4f24-9b6f-2597a97b49af
WP Testimonials <= 1.4.4 – Authenticated (Contributor+) SQL Injection
CVE ID: CVE Unknown
CVSS Score: 8.8 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4da18aad-3c82-4bc6-8dad-523643c12d5b
WP Register Profile With Shortcode <= 3.5.9 – Cross-Site Request Forgery to User Password Reset
CVE ID: CVE-2023-5448
CVSS Score: 8.8 (High)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ca564941-4780-4da2-b937-c9bd45966d81
Profile Builder Pro <= 3.10.0 – Cross-Site Request Forgery
CVE ID: CVE-2024-22140
CVSS Score: 8.8 (High)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f4c8932b-ede8-4f17-9612-5493c1130170
Download Monitor <= 4.9.4 – Authenticated (Admin+) SQL Injection
CVE ID: CVE Unknown
CVSS Score: 7.2 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/105ae6be-2cb7-4ab2-8e4c-5d3ff84c5b9f
Order Export & Order Import for WooCommerce <= 2.4.3 – Authenticated (Shop Manager+) Arbitrary File Upload via upload_import_file
CVE ID: CVE-2024-22135
CVSS Score: 7.2 (High)
Researcher/s: Dateoljo of BoB 12th
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/15ce2e54-ca5a-4dbc-9795-6e989e85b330
PDF Invoices & Packing Slips for WooCommerce <= 3.7.5 – Authenticated (Shop Manager+) SQL Injection
CVE ID: CVE-2024-22147
CVSS Score: 7.2 (High)
Researcher/s: Yudistira Arya
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a92e307d-b3c0-441a-abac-580a60dd44cf
Index Now <= 2.6.3 – Cross-Site Request Forgery via reset_form
CVE ID: CVE-2024-0428
CVSS Score: 7.1 (High)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c7641d52-e930-4143-9180-2903d018da91
EventON – WordPress Virtual Event Calendar Plugin Pro <= 4.5.4 & Free <= 2.2.7 – Missing Authorization to Arbitrary Post Meta Update via evo_eventpost_update_meta
CVE ID: CVE-2023-6158
CVSS Score: 6.5 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/19f94c4f-145b-4058-aabd-06525fce3cea
List category posts <= 0.89.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-6994
CVSS Score: 6.5 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/611871cc-737f-44e3-baf5-dbaa8bd8eb81
EventON – WordPress Virtual Event Calendar Plugin <= 4.5.4 (Pro) & <= 2.2.8 (Free) – Cross-Site Request Forgery via save_virtual_event_settings
CVE ID: CVE-2023-6244
CVSS Score: 6.5 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6fcc3a82-f116-446e-9e5f-4f074e20403b
Profile Builder Pro <= 3.10.0 – Authenticated (Subscriber+) Time-Based One-Time Password Sensitive Information Exposure
CVE ID: CVE-2024-22141
CVSS Score: 6.5 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a388b406-1640-443d-9656-6a87588ce201
Word Replacer Pro <= 1.0 – Missing Authorization
CVE ID: CVE-2023-52229
CVSS Score: 6.5 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bd31e8b0-6089-4521-a80f-e65e61ad062f
GD Rating System <= 3.5.0 – Unauthenticated Stored Cross-Site Scripting via IP
CVE ID: CVE Unknown
CVSS Score: 6.5 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c0b3662d-e369-4978-aa7a-debbb3ee37e4
EventON – WordPress Virtual Event Calendar Plugin Pro <= 4.5.4 & Free <= 2.2.7 – Cross-Site Request Forgery via evo_eventpost_update_meta
CVE ID: CVE-2023-6242
CVSS Score: 6.5 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c8e9a333-a6b7-4b5e-93c1-b95566e5d6fb
Formidable Forms <= 6.7 – HTML Injection
CVE ID: CVE-2023-6830
CVSS Score: 6.5 (Medium)
Researcher/s: drop
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ff294b0f-97fe-4d27-bf93-f5bbb57ac1f6
Happy Elementor Addons <= 3.10.0 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1453815d-4e28-41ec-9aa4-4fd2899c619a
Voting Record <= 2.0 – Authenticated (Subscriber+) Stored Cross-Site Scripting
CVE ID: CVE-2023-7084
CVSS Score: 6.4 (Medium)
Researcher/s: Daniel Ruf
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/286c3e26-07a8-4fca-9fdc-98e62ae88b67
OneClick Chat to Order <= 1.0.5 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3e4aaf2e-a0c6-47d2-9eb8-d65952a74424
Beds24 Online Booking <= 2.0.23 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-52228
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6fc2b2a5-00b0-424e-8678-c6b5cd76baec
TNC PDF viewer <= 2.8.0 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7a5f29ce-e266-4f52-af63-159253e7987c
Constant Contact Forms by MailMunch <= 2.0.11 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2024-22137
CVSS Score: 6.4 (Medium)
Researcher/s: Abu Hurayra (HurayraIIT)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a84bd9c8-97bd-4572-8bfa-5191d98c9523
Plugin for Google Reviews <= 3.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-6884
CVSS Score: 6.4 (Medium)
Researcher/s: Akbar Kustirama
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a8971d54-b54e-4e62-9db2-fa87d2564599
WP SMS <= 6.5.1 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c9141ad3-86cf-47ae-be99-d78f0337f2ca
Email Encoder – Protect Email Addresses and Phone Numbers <= 2.1.9 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-7070
CVSS Score: 6.4 (Medium)
Researcher/s: Webbernaut
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f5afe6ea-93b8-4782-8593-76468e370a45
Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates <= 4.4.6 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-7071
CVSS Score: 6.4 (Medium)
Researcher/s: Webbernaut
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f969cb24-734f-46e5-a74d-fddf8e61e096
Football Pool <= 2.11.3 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ff150706-5fbf-4881-976b-89fdaf637fb1
ARMember <= 4.0.22 – Cross-Site Request Forgery
CVE ID: CVE-2023-52200
CVSS Score: 6.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/88907f28-7b1d-4a5a-b846-67dfd21d6488
WooCommerce < 8.4.0 – Reflected Cross-Site Scripting
CVE ID: CVE Unknown
CVSS Score: 6.1 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/43810a17-89b4-44f5-887e-1ad0989ea5b4
Profile Builder Pro <= 3.10.0 – Reflected Cross-Site Scripting
CVE ID: CVE-2024-22142
CVSS Score: 6.1 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/578d8ca7-7042-493d-92b4-63241b4bdfca
Shortcodes Finder <= 1.5.4 – Reflected Cross-Site Scripting
CVE ID: CVE-2024-21750
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8eb77a53-4aea-46c3-8eea-a16f728dfa23
Advanced Woo Search <= 2.96 – Reflected Cross-Site Scripting
CVE ID: CVE-2024-0251
CVSS Score: 6.1 (Medium)
Researcher/s: Artem Guzhva (hexcat)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/91358e40-e64f-4e8e-b5a3-7d2133db5fe9
Voting Record <= 2.0 – Cross-Site Request Forgery to Settings Update and Cross-Site Scripting
CVE ID: CVE-2023-7083
CVSS Score: 6.1 (Medium)
Researcher/s: Daniel Ruf
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f93aa003-5b8b-4836-af65-80df2f9fbdb6
Auto Affiliate Links <= 6.4.2.7 – Cross-Site Request Forgery
CVE ID: CVE Unknown
CVSS Score: 5.8 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d89918e1-b525-4d32-9b11-5e014eb02c16
Metform Elementor Contact Form Builder <= 3.8.1 – Cross-Site Request Forgery
CVE ID: CVE-2023-6788
CVSS Score: 5.4 (Medium)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/30fd2425-ee48-4777-91c1-03906d63793a
Schema & Structured Data for WP & AMP <= 1.25 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2024-22146
CVSS Score: 5.4 (Medium)
Researcher/s: LVT-tholv2k
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5ca21247-c443-4808-8397-790669453bfc
RabbitLoader <= 2.19.13 – Missing Authorization via multiple AJAX actions
CVE ID: CVE-2024-21751
CVSS Score: 5.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/958118ec-437e-45c8-a0f0-6aaf54e60d04
MailerLite – WooCommerce integration <= 2.0.8 – Cross-Site Request Forgery via Multiple AJAX Functions
CVE ID: CVE-2023-52223
CVSS Score: 5.4 (Medium)
Researcher/s: Brandon James Roldan (tomorrowisnew)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9ea7ccb0-c0fb-4ef3-8041-9bf5abe36e3f
Contact Form 7 Extension For Mailchimp <= 0.5.70 – Authenticated (Subscriber+) Server-Side Request Forgery
CVE ID: CVE-2024-22134
CVSS Score: 5.4 (Medium)
Researcher/s: Yuchen Ji
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bed25977-040e-4427-b1e3-e9be9733b31f
Paid Memberships Pro <= 2.12.6 – Information Exposure in Debug Logs
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/852b1895-3bed-4c2f-912c-c136b38a09bb
Seraphinite Accelerator <= 2.20.45 – Unauthenticated Sensitive Information Exposure via Log File
CVE ID: CVE-2024-22138
CVSS Score: 5.3 (Medium)
Researcher/s: Joshua Chan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a5991df2-1aab-4d07-9e30-1257aa9ec884
WordPress Manutenção <= 1.0.6 – IP Spoofing to Maintenance Mode Bypass
CVE ID: CVE-2024-22139
CVSS Score: 5.3 (Medium)
Researcher/s: Brandon James Roldan (tomorrowisnew)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a6664039-554b-43bf-8925-00c1e62e28f5
The Events Calendar <= 6.2.8.2 – Unauthenticated Sensitive Information Exposure
CVE ID: CVE-2023-6557
CVSS Score: 5.3 (Medium)
Researcher/s: Nicolas Decayeux
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fc40196e-c0f3-4bc6-ac4b-b866902def61
ElementsKit Lite <= 3.0.3 – Unauthenticated Sensitive Information Exposure
CVE ID: CVE-2023-6582
CVSS Score: 5.3 (Medium)
Researcher/s: Nex Team
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ff4ae5c8-d164-4c2f-9bf3-83934c22cf4c
Newsletter <= 8.0.6 – Cross-Site Request Forgery
CVE ID: CVE Unknown
CVSS Score: 4.7 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5c24ee66-7b57-4e4c-bbb5-0451fc24ce4b
Contest Gallery <= 21.2.8.4 – Cross-Site Request Forgery
CVE ID: CVE Unknown
CVSS Score: 4.7 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f2b5213d-fdc5-4c98-9a05-15d83bd7308f
Formidable Forms <= 6.7 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-6842
CVSS Score: 4.4 (Medium)
Researcher/s: drop
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/47e402c3-e06c-4ac9-8c60-5666cb1101ce
Woocommerce Vietnam Checkout <= 2.0.8 – Authenticated (Admin+) Stored Cross-Site Scripting
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5344499d-c183-4164-a52c-0dca7873f63d
WordPress Button Plugin MaxButtons <= 9.7.4 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-6594
CVSS Score: 4.4 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cfe2cabd-98f6-4ebc-8a02-e6951202aa88
Swift SMTP <= 5.0.6 – Cross-Site Request Forgery
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1b9ed184-814d-46cb-979c-908bc9359fae
LiveChat Elementor <= 1.0.13 – Cross-Site Request Forgery
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/32c2a25d-e660-4700-8df3-b043cf6aa78a
Envira Gallery Lite <= 1.8.7.2 – Missing Authorization to Gallery Modification via envira_gallery_insert_images
CVE ID: CVE-2023-6742
CVSS Score: 4.3 (Medium)
Researcher/s: Nex Team
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/40655278-6915-4a76-ac2d-bb161d3cee92
InstaWP Connect <= 0.1.0.8 – Cross-Site Request Forgery via create_file_db_manager
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5954c35a-7d0a-4bc5-9cad-3223e7be56eb
Seraphinite Alternative Slugs Manager <= 1.3 – Cross-Site Request Forgery
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/66377ee2-cc87-4cfe-a4e4-cef4459bf2ec
MailerLite – WooCommerce integration <= 2.0.8 – Missing Authorization via Multiple Functions
CVE ID: CVE-2023-52227
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/757690b0-6c59-4e74-aad2-f5fde9f7a2fb
LiveChat WooCommerce <= 2.2.16 – Cross-Site Request Forgery
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/872f13bc-e6d0-4307-b2c9-b55a44df1016
Advanced Flamingo <= 1.0 – Cross-Site Request Forgery
CVE ID: CVE-2023-52226
CVSS Score: 4.3 (Medium)
Researcher/s: Huynh Tien Si
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9ce8ad5f-05e8-4279-915a-1c94559d4e56
WP Spell Check <= 9.17 – Cross-Site Request Forgery
CVE ID: CVE-2024-22143
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9eef053c-16a1-4624-8393-08e78b221d4f
Contact Form 7 – Dynamic Text Extension <= 4.1.0 – Insecure Direct Object Reference
CVE ID: CVE-2023-6630
CVSS Score: 4.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a3f1d836-da32-414f-9f2b-d485c44b2486
Contact Form 7 Connector <= 1.2.2 – Cross-Site Request Forgery
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b437020c-31a3-413e-a1da-b4781da34f10
Products & Order Export for WooCommerce <= 2.0.7 – Missing Authorization
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/da1f68a5-8ca7-4744-9b73-09e767072885
Droit Elementor Addons <= 3.1.5 – Cross-Site Request Forgery
CVE ID: CVE-2024-22136
CVSS Score: 4.3 (Medium)
Researcher/s: Elliot
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e7b49fd1-2d1e-4083-bc1d-010a9c8f4c2f
WPS Hide Login <= 1.9.11 – Hidden Login Page Location Disclosure
CVE ID: CVE-2023-49748
CVSS Score: 3.7 (Low)
Researcher/s: Naveen Muthusamy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bb81e90f-8da4-483c-9bc1-18b6c016df5e
As a reminder, Wordfence has curated an industry-leading vulnerability database, known as Wordfence Intelligence, covering all known WordPress core, theme, and plugin vulnerabilities.
This database is continuously updated, maintained, and populated by Wordfence's highly credentialed and experienced vulnerability researchers through in-house vulnerability research, through vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring various sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.
The post Wordfence Intelligence Weekly WordPress Vulnerability Report (January 8, 2024 to January 14, 2024) appeared first on Wordfence.