Last week, 90 vulnerabilities were disclosed in 77 WordPress plugins and no WordPress themes and added to the Wordfence Intelligence Vulnerability Database, and 29 vulnerability researchers contributed to WordPress security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, including the WordPress community, so that individuals and organizations alike can use that data to make the internet more secure. That is why the Wordfence Intelligence user interface and vulnerability API are completely free to access and use, both personally and commercially, and why we publish this weekly vulnerability report.
Click here to sign up for our mailing list to receive weekly vulnerability reports like this one, and important WordPress security reports, in your inbox the moment they are published.
New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real time to our Premium, Care, and Response customers last week:
Unlimited Elements For Elementor (Free Widgets, Addons, Templates) <= 1.5.60 – Arbitrary File Upload in File Manager
ReviewX <= 1.6.13 – Arbitrary Usermeta Update to Authenticated (Subscriber+) Privilege Escalation
WAF-RULE-600 – Data redacted while we work with the developer to ensure the vulnerability gets patched.
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30-day delay.
Total Unpatched & Patched Vulnerabilities Last Week
Patch Status | Number of Vulnerabilities
Unpatched | 26
Patched | 64
Total Vulnerabilities by CVSS Severity Last Week
Severity Rating | Number of Vulnerabilities
Low Severity | 1
Medium Severity | 67
High Severity | 16
Critical Severity | 6
Total Vulnerabilities by CWE Type Last Week
Vulnerability Type by CWE | Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 35
Cross-Site Request Forgery (CSRF) | 23
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 11
Missing Authorization | 6
Unrestricted Upload of File with Dangerous Type | 3
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 2
Deserialization of Untrusted Data | 2
Authentication Bypass Using an Alternate Path or Channel | 2
Authorization Bypass Through User-Controlled Key | 1
Information Exposure | 1
Improper Authorization | 1
Creation of Emergent Resource | 1
Client-Side Enforcement of Server-Side Security | 1
Guessable CAPTCHA | 1
Researchers That Contributed to WordPress Security Last Week
Researcher Name | Number of Vulnerabilities
Lana Codes (Wordfence Vulnerability Researcher) | 11
Alex Thomas (Wordfence Vulnerability Researcher) | 6
Mika | 4
yuyudhn | 3
Marco Wotschka (Wordfence Vulnerability Researcher) | 3
thiennv | 3
Skalucy | 2
Erwan LR | 2
Cat | 2
dc11 | 2
My Le | 1
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your discoveries to us will also get your name added to the Wordfence Intelligence leaderboard, along with a mention in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
Software Name | Software Slug
AI ChatBot | chatbot
Abandoned Cart Lite for WooCommerce | woocommerce-abandoned-cart
BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net | woo-bulk-editor
Bubble Menu – circle floating menu | bubble-menu
Button Generator – easily Button Builder | button-generation
Calculator Builder | calculator-builder
Conditional Menus | conditional-menus
Contact Form Entries – Contact Form 7, WPforms and more | contact-form-entries
Counter Box – WordPress plugin for countdown, timer, counter | counter-box
Custom Post Type Generator | custom-post-type-generator
Custom Twitter Feeds (Tweets Widget) | custom-twitter-feeds
Download Theme | download-theme
Duplicator Pro | duplicator-pro
Easy Admin Menu | easy-admin-menu
Easy Captcha | easy-captcha
Easy Google Maps | google-maps-easy
Elementor Website Builder – More than Just a Page Builder | elementor
EventPrime – Modern Events Calendar, Bookings and Tickets | eventprime-event-calendar-management
File Renaming on Upload | file-renaming-on-upload
Flickr Justified Gallery | flickr-justified-gallery
Float menu – awesome floating side menu | float-menu
Floating button | profit-button
Front End Users | front-end-only-users
Go Pricing – WordPress Responsive Pricing Tables | go_pricing
Google Map Shortcode | google-map-shortcode
Herd Effects – fake notifications and social proof plugin | mwp-herd-effect
IP Metaboxes | ip-metaboxes
Integration for Contact Form 7 and Zoho CRM, Bigin | cf7-zoho
JetFormBuilder — Dynamic Blocks Form Builder | jetformbuilder
LearnDash WordPress Plugin | sfwd-lms
Leyka | leyka
MStore API | mstore-api
MailChimp Subscribe Form, Optin Builder, PopUp Builder, Form Builder | mailchimp-subscribe-sm
Multiple Page Generator Plugin – MPG | multiple-pages-generator-by-porthas
Novelist | novelist
OAuth Single Sign On – SSO (OAuth Client) | miniorange-login-with-eve-online-google-facebook
Popup Box – new WordPress popup plugin | popup-box
Product Gallery Slider for WooCommerce | woo-product-gallery-slider
Product Vendors | woocommerce-product-vendors
QuBot – Chatbot Builder with Templates | qubotchat
QueryWall: Plug’n Play Firewall | querywall
Recently Viewed Products | recently-viewed-products
Responsive Tabs For WPBakery Page Builder (formerly Visual Composer) | responsive-tabs-for-wpbakery
SIS Handball | sis-handball
SKU Label Changer For WooCommerce | woo-sku-label-changer
Shopping Cart & eCommerce Store | wp-easycart
Side Menu Lite – add sticky fixed buttons | side-menu-lite
SlideOnline | slideonline
Slider Revolution | revslider
Sticky Buttons – floating buttons builder | sticky-buttons
SupportCandy – Helpdesk & Support Ticket System | supportcandy
This Day In History | this-day-in-history
Tutor LMS – eLearning and online course solution | tutor
UTM Tracker | utm-tracker
Uncanny Automator – Automate everything with the #1 no-code Automation tool for WordPress | uncanny-automator
Unite Gallery Lite | unite-gallery-lite
Unlimited Elements For Elementor (Free Widgets, Addons, Templates) | unlimited-elements-for-elementor
Upload Resume | resume-upload-form
User Activity Log | user-activity-log
Video Contest WordPress Plugin | video-contest
WIP Custom Login | wip-custom-login
WP Coder – add custom html, css and js code | wp-coder
WP Tiles | wp-tiles
WP-Hijri | wp-hijri
WP-Matomo Integration (WP-Piwik) | wp-piwik
WS Form LITE – Drag & Drop Contact Form Builder for WordPress | ws-form
WooCommerce Product Categories Selection Widget | woocommerce-product-category-selection-widget
WooCommerce Shipping & Tax | woocommerce-services
WordPress Backup & Migration | wp-migration-duplicator
WordPress File Upload | wp-file-upload
WordPress File Upload Pro | wordpress-file-upload-pro
Wow Skype Buttons | mwp-skype
Yoast SEO: Local | wpseo-local
YouTube Playlist Player | youtube-playlist-player
Rank Math SEO PRO | seo-by-rank-math-pro
WooCommerce Follow-Up Emails | woocommerce-follow-up-emails
WooCommerce Warranty Requests | woocommerce-warranty
Vulnerability Details
Please note that if you run the Wordfence plugin on your WordPress site with the scanner enabled, you should already have been notified if your site was affected by any of these vulnerabilities.
Unlimited Elements For Elementor (Free Widgets, Addons, Templates) <= 1.5.60 – Arbitrary File Upload in File Manager
CVE ID: CVE-2023-31090
CVSS Score: 9.9 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9a09102c-391e-4057-b883-3d2eef1671ce
WooCommerce Follow-Up Emails <= 4.9.40 – Authenticated Arbitrary File Upload in Template Editing
CVE ID: CVE-2023-33318
CVSS Score: 9.9 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a169934d-17ce-4d34-be00-c5ac0b488066
Leyka <= 3.30 – Privilege Escalation via Admin Password Reset
CVE ID: CVE-2023-33327
CVSS Score: 9.8 (Critical)
Researcher/s: Nguyen Anh Tien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0152bcc9-6d24-4475-848d-71fe88aa7e2a
Recently Viewed Products <= 1.0.0 – Unauthenticated PHP Object Injection
CVE ID: CVE-2023-34027
CVSS Score: 9.8 (Critical)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/46f31a60-0a0e-449d-a10a-3cafd0492a9c
MStore API <= 3.9.1 – Authentication Bypass
CVE ID: CVE-2023-2734
CVSS Score: 9.8 (Critical)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5881d16c-84e8-4610-8233-cfa5a94fe3f9
MStore API <= 3.9.2 – Authentication Bypass
CVE ID: CVE-2023-2732
CVSS Score: 9.8 (Critical)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f00761a7-fe24-49a3-b3e3-a471e05815c1
LearnDash LMS <= 4.5.3 – Authenticated (Contributor+) SQL Injection
CVE ID: CVE-2023-28777
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/40a57493-b99b-4e71-8603-e668c6283a5a
Contact Form Entries <= 1.3.0 – Authenticated (Contributor+) SQL Injection via shortcode
CVE ID: CVE-2023-31212
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4b475ada-3b31-40a3-9a81-5a7b1a1e190a
OAuth Single Sign On – SSO (OAuth Client) <= 6.23.3 – Missing Authorization
CVE ID: CVE-2022-34155
CVSS Score: 8.8 (High)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5d166a77-d57b-4827-96ca-b8eb423861f0
SupportCandy <= 3.1.6 – Authenticated (Subscriber+) SQL Injection
CVE ID: CVE-2023-2719
CVSS Score: 8.8 (High)
Researcher/s: dc11
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c1d2b6bd-a75a-4a07-b2f0-8ec206d41211
Go Pricing – WordPress Responsive Pricing Tables <= 3.3.19 – Authenticated (Subscriber+) PHP Object Injection
CVE ID: CVE-2023-2500
CVSS Score: 8.8 (High)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f7686b11-97a8-4f09-bbfa-d77120cc35b7
Easy Captcha <= 1.0 – Missing Authorization via easy_captcha_update_settings
CVE ID: CVE-2023-33324
CVSS Score: 7.5 (High)
Researcher/s: Skalucy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8efe2ccf-33cb-4db3-bc3d-ead826adb7d0
Integration for Contact Form 7 and Zoho CRM, Bigin <= 1.2.3 – Authenticated (Admin+) SQL Injection
CVE ID: CVE-2023-2527
CVSS Score: 7.2 (High)
Researcher/s: Chien Vuong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0b4e6dae-f38c-4f5b-ae1d-cf998946c675
QueryWall <= 1.1.1 – Authenticated (Administrator+) SQL Injection
CVE ID: CVE-2023-2492
CVSS Score: 7.2 (High)
Researcher/s: Chien Vuong
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/306c98ad-0d42-4ad5-b82a-bf4579865aa9
Slider Revolution <= 6.6.12 – Authenticated (Administrator+) Arbitrary File Upload
CVE ID: CVE-2023-2359
CVSS Score: 7.2 (High)
Researcher/s: Marco Frison
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4fa00dae-c51d-4586-81da-b568cd6d8124
SupportCandy <= 3.1.6 – Authenticated (Admin+) SQL Injection
CVE ID: CVE-2023-2805
CVSS Score: 7.2 (High)
Researcher/s: dc11
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/75f01eb4-5d53-441d-9bee-e97857dadaf9
SIS Handball <= 1.0.45 – Authenticated (Administrator+) SQL Injection via ‘orderby’
CVE ID: CVE-2023-33924
CVSS Score: 7.2 (High)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cabdc9db-2d1c-4390-a4b7-65648ef9f16a
Multiple Page Generator Plugin – MPG <= 3.3.19 – Authenticated (Administrator+) SQL Injection in projects_list and total_projects
CVE ID: CVE-2023-33927
CVSS Score: 7.2 (High)
Researcher/s: LEE SE HYOUNG
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d18d800b-647f-4706-9ec1-a8ea4e643965
WooCommerce Follow-Up Emails <= 4.9.50 – Authenticated (Follow-up emails manager+) SQL Injection
CVE ID: CVE-2023-33330
CVSS Score: 7.2 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/dc5276e2-e9de-4409-bbe0-4d0b37244367
WooCommerce Product Vendors <= 2.1.76 – Authenticated (Vendor admin+) SQL Injection
CVE ID: CVE-2023-33331
CVSS Score: 7.2 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ed8f8984-bea6-44aa-9bde-5b40b455767f
WooCommerce Warranty Requests <= 2.1.6 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-33317
CVSS Score: 7.1 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1665fda6-005d-42ba-883d-2e3ad7abe0ba
Go Pricing – WordPress Responsive Pricing Tables <= 3.3.19 – Improper Authorization to Arbitrary File Upload
CVE ID: CVE-2023-2496
CVSS Score: 7.1 (High)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/477c6fa2-16a8-4461-b4d4-d087e13e3ca7
User Activity Log <= 1.6.1 – Authenticated (Administrator+) SQL Injection via txtsearch
CVE ID: CVE Unknown
CVSS Score: 6.6 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/17a787da-5630-42ec-b5b0-47435db765a7
WIP Custom Login <= 1.2.9 – Cross-Site Request Forgery via save_option
CVE ID: CVE-2023-33313
CVSS Score: 6.5 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/15b93e63-5ef2-4fb1-8c6b-28fcfab8e34d
BEAR <= 1.1.3.1 – Cross-Site Request Forgery via Multiple Functions
CVE ID: CVE-2023-33314
CVSS Score: 6.5 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a7e3818c-883f-4633-a460-a8c0446edffc
WP EasyCart <= 5.4.8 – Cross-Site Request Forgery via process_bulk_delete_product
CVE ID: CVE-2023-2892
CVSS Score: 6.5 (Medium)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b36e94e4-b1e8-4803-9377-c4d710b029de
WP EasyCart <= 5.4.8 – Cross-Site Request Forgery via process_delete_product
CVE ID: CVE-2023-2891
CVSS Score: 6.5 (Medium)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bcca7ade-8b35-4ba1-a8b4-b1e815b025e3
Go Pricing – WordPress Responsive Pricing Tables <= 3.3.19 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-2498
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1c3d4c96-63a7-4f3b-a9ac-095be241f840
Google Map Shortcode <= 3.1.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
CVE ID: CVE-2023-2899
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2f6656e2-35f5-41d8-a330-7904c296ba29
Contact Form Entries <= 1.3.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via vx-entries shortcode
CVE ID: CVE-2023-33311
CVSS Score: 6.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/51986a76-933b-4c25-af79-d0c3f9e1d513
SlideOnline <= 1.2.1 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-0489
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/778e2191-d764-44a1-9f52-9698e9183fd2
Yoast SEO: Local <= 14.9 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-28785
CVSS Score: 6.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cb6457ea-6353-4a69-ad72-cd5acd47ed8c
Responsive Tabs For WPBakery Page Builder <= 1.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
CVE ID: CVE-2023-0368
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d1c3ddae-046a-4080-ac2b-90fb89fbff7b
Duplicator Pro <= 4.5.11 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-33309
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1426bebe-d3c4-4f83-9b50-fae8c2373209
EventPrime <= 2.8.6 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-33326
CVSS Score: 6.1 (Medium)
Researcher/s: yuyudhn
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/22479c6a-83ea-4c09-b192-4384ffbdcbf7
WooCommerce Follow-Up Emails <= 4.9.40 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-33319
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4487391e-baa4-4320-a23d-b52a42e2de90
This Day In History <= 3.10.1 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-34026
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4b88a8a9-d3e1-4c21-a4e8-d9afa34d7a2e
Conditional Menus <= 1.2.0 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-2654
CVSS Score: 6.1 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/57d3506c-8db8-4e1b-9587-7f2bdb632890
WP-Hijri <= 1.5.1 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-33320
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/67aaf9fa-e92b-42f2-94ac-f27c5d073002
Multiple Wow-Company Plugins (Various Versions) – Reflected Cross-Site Scripting via ‘page’ parameter
CVE ID: CVE-2023-2362
CVSS Score: 6.1 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8a95af34-559c-4644-9941-7bd1551aba33
WooCommerce Product Categories Selection Widget <= 2.0 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-33925
CVSS Score: 6.1 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8f68c70b-9fde-43a6-8a7c-00938aa0e109
WooCommerce Product Vendors <= 2.1.76 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-33332
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a93c0dd4-8341-438d-8730-470e9a230d97
Rank Math SEO PRO <= 3.0.35 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-32800
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b4ec9001-c4aa-4db3-b7d7-29afa243f78a
Leyka <= 3.30 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-33325
CVSS Score: 6.1 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/baf54eb2-0b29-4718-a994-f722cefd7317
Easy Captcha <= 1.0 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-33312
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cd73cf64-289d-4401-bef7-9a4398a85055
Front End Users <= 3.2.25 – Unauthenticated Cross-Site Scripting
CVE ID: CVE-2023-33322
CVSS Score: 6.1 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e076e054-6a0b-4c08-b0cc-bd3a5b0751e5
IP Metaboxes <= 2.1.1 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-30753
CVSS Score: 6.1 (Medium)
Researcher/s: WON JOON HWANG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f611d609-97c5-4b77-9657-c8d9d10e786a
WooCommerce Shipping & Tax <= 2.2.4 – Stored Cross-Site Scripting
CVE ID: CVE Unknown
CVSS Score: 5.5 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/57156ebc-2858-4295-ba08-57bcab6db229
Easy Google Maps <= 1.11.7 – Cross-Site Request Forgery via AJAX action
CVE ID: CVE-2023-2526
CVSS Score: 5.4 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4ea4ca00-185b-4f5d-9c5c-f81ba4edad05
Elementor <= 3.13.2 – Authenticated (Contributor+) Arbitrary Post Type Creation via save_item
CVE ID: CVE-2023-33922
CVSS Score: 5.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/525cb51c-23f1-446f-a247-0f69ec5029d8
IP Metaboxes <= 2.1.1 – Unauthenticated Stored Cross-Site Scripting
CVE ID: CVE-2023-30745
CVSS Score: 5.4 (Medium)
Researcher/s: WON JOON HWANG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9163861b-735b-4007-97f7-8f9095d93ec9
Uncanny Automator <= 4.14 – Cross-Site Request Forgery via update_automator_connect
CVE ID: CVE Unknown
CVSS Score: 5.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bd0d8661-4725-41dd-88ce-8e94e285d5b8
Tutor LMS <= 2.1.10 – Missing Authorization via multiple AJAX actions
CVE ID: CVE-2023-25799
CVSS Score: 5.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bf16617d-cec2-4943-bd20-7ade31878714
Easy Google Maps <= 1.11.7 – Cross-Site Request Forgery
CVE ID: CVE-2023-33926
CVSS Score: 5.4 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ee52c6c0-c69e-46c4-9e4b-94aa69c00737
EventPrime <= 2.8.6 – Sensitive Information Exposure
CVE ID: CVE-2023-33321
CVSS Score: 5.3 (Medium)
Researcher/s: yuyudhn
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1fdd0a4c-ce47-44bc-b9a5-a8f2af12da85
Download Theme <= 1.0.9 – Cross-Site Request Forgery via dtwap_download()
CVE ID: CVE-2022-38062
CVSS Score: 5.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/50ca7cf8-bb47-42ea-badc-8bfe0328cbb0
SKU Label Changer For WooCommerce <= 3.0 – Missing Authorization
CVE ID: CVE-2023-29174
CVSS Score: 5.3 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/793594f7-6325-4561-ad74-a08aebc20c53
Button Generator – easily Button Builder <= 2.3.5 – Cross-Site Request Forgery
CVE ID: CVE-2023-25443
CVSS Score: 5.3 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/af803612-96ae-41ee-8ad3-8f9319b147e8
WS Form LITE <= 1.9.117 – CAPTCHA Bypass
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d99f81ea-1e74-4b67-a6c5-3dbc7865a68a
Upload Resume <= 1.2.0 – Captcha Bypass via resume_upload_form
CVE ID: CVE-2023-2751
CVSS Score: 5.3 (Medium)
Researcher/s: MyungJu Kim
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fc0acff9-6852-4ecb-84f9-98a15dd30fc6
Unite Gallery Lite <= 1.7.59 – Authenticated (Administrator+) Local File Inclusion via ‘view’ parameter
CVE ID: CVE-2023-33310
CVSS Score: 5 (Medium)
Researcher/s: yuyudhn
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0c2925c1-f5c6-45b9-bc61-96f325c0372f
WordPress File Upload / WordPress File Upload Pro <= 4.19.1 – Authenticated (Administrator+) Path Traversal
CVE ID: CVE-2023-2688
CVSS Score: 4.9 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/abd6eeac-0a7e-4762-809f-593cd85f303d
Go Pricing – WordPress Responsive Pricing Tables <= 3.3.19 – Missing Authorization to Limited Privilege Granting
CVE ID: CVE-2023-2494
CVSS Score: 4.6 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5779914a-a168-4835-8aea-e0ab2b3be4f6
AI ChatBot <= 4.5.4 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-2811
CVSS Score: 4.4 (Medium)
Researcher/s: Hao Huynh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/114bd025-74c5-40a2-82e8-5947497fc836
WordPress File Upload / WordPress File Upload Pro <= 4.19.1 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-2767
CVSS Score: 4.4 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/23334d94-e5b8-4c88-8765-02ad19e17248
Custom Post Type Generator <= 2.4.2 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
CVE ID: CVE-2023-33329
CVSS Score: 4.4 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/23a2b1ac-2183-48ae-8376-fb950fe83fd9
QuBotChat <= 1.1.5 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-2401
CVSS Score: 4.4 (Medium)
Researcher/s: Bob Matyas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/45f98c00-0bfd-405e-a6b3-581841d803de
File Renaming on Upload <= 2.5.1 – Authenticated (Admin+) Stored Cross-Site Scripting
CVE ID: CVE-2023-2684
CVSS Score: 4.4 (Medium)
Researcher/s: Hao Huynh, My Le
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/550c3f56-d188-4be1-82cd-db076c09cf61
WP-Piwik <= 1.0.27 – Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Display Name
CVE ID: CVE-2023-33211
CVSS Score: 4.4 (Medium)
Researcher/s: Nithissh S
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/68a520bb-261a-43f0-993d-de208035afe5
Novelist <= 1.2.0 – Authenticated (Administrator+) Stored Cross-Site Scripting via Book Information Fields
CVE ID: CVE-2023-32958
CVSS Score: 4.4 (Medium)
Researcher/s: Emili Castells
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6b8f64ed-abf8-4a8b-b32f-75afeaccea5c
Video Contest WordPress Plugin <= 3.2 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2022-45827
CVSS Score: 4.4 (Medium)
Researcher/s: Cat
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/86079059-11c7-4545-b254-6bf524367b46
MailChimp Subscribe Forms <= 4.0.9.1 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-33328
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/86f6e8b8-ebfd-4d9f-a285-9d0aa2e961ff
AI ChatBot <= 4.5.5 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-2811
CVSS Score: 4.4 (Medium)
Researcher/s: NGO VAN TU
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9df97805-b425-49b1-86c1-e66213dacd2b
Easy Admin Menu <= 1.3 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-33929
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fefab999-12e0-4866-a5a2-60f8faa64f89
WP EasyCart <= 5.4.8 – Cross-Site Request Forgery via process_bulk_activate_product
CVE ID: CVE-2023-2895
CVSS Score: 4.3 (Medium)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/02fd8469-cd99-42dc-9a28-c0ea08512bb0
WP EasyCart <= 5.4.8 – Cross-Site Request Forgery via process_duplicate_product
CVE ID: CVE-2023-2896
CVSS Score: 4.3 (Medium)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/041830b8-f059-46f5-961b-3ba908d161f9
WP EasyCart <= 5.4.8 – Cross-Site Request Forgery via process_deactivate_product
CVE ID: CVE-2023-2893
CVSS Score: 4.3 (Medium)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1268604c-08eb-4d86-8e97-9cdaa3e19c1f
YouTube Playlist Player <= 4.6.4 – Cross-Site Request Forgery in ytpp_settings
CVE ID: CVE-2023-33931
CVSS Score: 4.3 (Medium)
Researcher/s: Skalucy
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/39aed7e9-05c6-4251-b489-de7a33ed2c2e
WooCommerce Follow-Up Emails <= 4.9.40 – Cross-Site Request Forgery
CVE ID: CVE-2023-33316
CVSS Score: 4.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4fee61cd-7359-4193-8cf2-86e0527a8ef1
WP Tiles <= 1.1.2 – Cross-Site Request Forgery
CVE ID: CVE-2023-25482
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/52876909-3d2a-480d-9c47-39e96d088ff3
Video Contest WordPress Plugin <= 3.2 – Cross-Site Request Forgery
CVE ID: CVE-2022-45823
CVSS Score: 4.3 (Medium)
Researcher/s: Cat
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/597fe53e-769e-4edd-b0b9-2bd2cff50da6
Flickr Justified Gallery <= 3.5 – Cross-Site Request Forgery via fjgwpp_settings()
CVE ID: CVE-2023-25473
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/76a1d39e-8d69-4507-b75c-d376a2122d15
Abandoned Cart Lite for WooCommerce <= 5.14.1 – Cross-Site Request Forgery via delete_expired_used_coupon_code
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a1e51a99-f5d4-47d4-bead-00ca1f5f72c2
Custom Twitter Feeds (Tweets Widget) <= 1.8.4 – Cross-Site Request Forgery
CVE ID: CVE-2022-33974
CVSS Score: 4.3 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a5a5f8c2-3fd6-4d31-a3b5-60bdb8c18491
WP EasyCart <= 5.4.8 – Cross-Site Request Forgery via process_bulk_deactivate_product
CVE ID: CVE-2023-2894
CVSS Score: 4.3 (Medium)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a68b8df9-9b50-4617-9308-76a2a9036d7a
WordPress Backup & Migration <= 1.4.0 – Missing Authorization via wt_delete_schedule
CVE ID: CVE-2023-33928
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ce978334-42e1-4334-a2d1-c3966339e4fc
Product Gallery Slider for WooCommerce <= 2.2.8 – Cross-Site Request Forgery
CVE ID: CVE-2022-45372
CVSS Score: 4.3 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/df911497-8504-424e-8717-42d0bb6c90f1
Abandoned Cart Lite for WooCommerce <= 5.14.1 – Cross-Site Request Forgery via ts_reset_tracking_setting
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e743e656-2dd9-43ed-a190-b03af7c75c54
JetFormBuilder <= 3.0.6 – Cross-Site Request Forgery via ‘do_admin_action’
CVE ID: CVE-2023-33212
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f37c4b2c-6f41-46b5-8427-b1883b39322e
UTM Tracker <= 1.3.1 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-23822
CVSS Score: 3.3 (Low)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/077ec165-edd3-4c2c-b1ea-01ca5b80f779
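The entries above all state an affected-version ceiling of the form "<= X". If you do not run the Wordfence scanner, or want to check a fleet of sites from a file share or backup, the following added example (written for this report, not Wordfence's or any plugin author's code) reads the Version header of each plugin under a wp-content/plugins directory the way WordPress's get_file_data() does and compares it against a subset of the ceilings transcribed from this report using a port of PHP's version_compare(), since that is the comparison WordPress itself uses and a naive string or float comparison gets pre-release suffixes and extra components wrong. The AFFECTED table, the directory layout and the sample plugin stubs are constructed for the example; extend AFFECTED with the remaining entries from the list above before relying on it.

```python
import os
import re
import tempfile

# Subset of (slug, highest affected version) pairs from the entries above; where a
# plugin is listed more than once the highest ceiling is kept. For Unpatched entries
# the ceiling is just the newest release at report time, so a newer install may
# still be vulnerable: re-check the linked record before trusting a clean result.
AFFECTED = {
    "unlimited-elements-for-elementor": "1.5.60",
    "woocommerce-follow-up-emails": "4.9.50",
    "mstore-api": "3.9.2",
    "supportcandy": "3.1.6",
    "revslider": "6.6.12",
    "elementor": "3.13.2",
}

# PHP version_compare() special forms in ascending order; "#" stands for a numeric part.
_FORMS = (("dev", 0), ("alpha", 1), ("a", 1), ("beta", 2), ("b", 2),
          ("RC", 3), ("rc", 3), ("#", 4), ("pl", 5), ("p", 5))

def _is_num(part):
    return part.isascii() and part.isdigit()

def _rank(part):
    # Numeric parts rank as "#"; a word matching no known form sorts below "dev".
    if _is_num(part):
        return 4
    return next((order for name, order in _FORMS if part.startswith(name)), -1)

def _canonical(version):
    # Mirror php_canonicalize_version(): non-alphanumerics become "." and a "." is
    # inserted at every digit/letter boundary, so "1.0rc1" becomes 1.0.rc.1
    v = re.sub(r"[^A-Za-z0-9.]", ".", version.strip())
    v = re.sub(r"(?<=[0-9])(?=[A-Za-z])|(?<=[A-Za-z])(?=[0-9])", ".", v)
    return [p for p in v.split(".") if p]

def version_compare(v1, v2):
    """Port of PHP's version_compare(), the comparison WordPress itself relies on.
    Returns -1, 0 or 1 and keeps PHP's quirks: "1.0" < "1.0.0" and "1.0-beta" < "1.0"."""
    p1, p2 = _canonical(v1), _canonical(v2)
    for a, b in zip(p1, p2):
        x, y = (int(a), int(b)) if _is_num(a) and _is_num(b) else (_rank(a), _rank(b))
        if x != y:
            return 1 if x > y else -1
    if len(p1) == len(p2):
        return 0
    # A trailing numeric or "pl" part makes that version greater; a trailing
    # pre-release form (dev/alpha/beta/RC) makes it smaller.
    longer, sign = (p1, 1) if len(p1) > len(p2) else (p2, -1)
    return sign if _rank(longer[min(len(p1), len(p2))]) >= 4 else -sign

def read_header_field(path, field):
    # Mimic WordPress get_file_data(): only the first 8 KiB of the file is searched,
    # and a trailing "*/" or "?>" is stripped from the value.
    with open(path, "rb") as fh:
        head = fh.read(8192).decode("utf-8", errors="replace").replace("\r", "\n")
    m = re.search(r"^[ \t/*#@]*" + re.escape(field) + r":(.*)$", head, re.I | re.M)
    return re.sub(r"\s*(?:\*/|\?>).*", "", m.group(1)).strip() if m else None

def installed_versions(plugins_dir):
    # Map directory name (the slug for directory-based plugins) to the Version header
    # of the main plugin file, i.e. the top-level .php file carrying a Plugin Name header.
    found = {}
    for slug in sorted(os.listdir(plugins_dir)):
        plugin_dir = os.path.join(plugins_dir, slug)
        if not os.path.isdir(plugin_dir):
            continue  # single-file plugins are skipped in this example
        for name in sorted(os.listdir(plugin_dir)):
            path = os.path.join(plugin_dir, name)
            if name.endswith(".php") and read_header_field(path, "Plugin Name"):
                found[slug] = read_header_field(path, "Version")
                break
    return found

def scan_plugins(plugins_dir, affected=AFFECTED):
    """Return sorted (slug, installed, ceiling) triples for installs at or below a ceiling."""
    hits = []
    for slug, installed in installed_versions(plugins_dir).items():
        ceiling = affected.get(slug)
        if installed and ceiling and version_compare(installed, ceiling) <= 0:
            hits.append((slug, installed, ceiling))
    return sorted(hits)

def build_sample_plugins(root):
    # Constructed fixture: header comments only, not real plugin code.
    samples = {"elementor": ("Elementor", "3.13.2"),
               "revslider": ("Slider Revolution", "6.6.13"),
               "supportcandy": ("SupportCandy", "3.1.6-beta2"),
               "hello-dolly": ("Hello Dolly", "1.7.2")}
    for slug, (name, ver) in samples.items():
        os.makedirs(os.path.join(root, slug), exist_ok=True)
        with open(os.path.join(root, slug, slug + ".php"), "w", encoding="utf-8") as fh:
            fh.write(f"<?php\n/**\n * Plugin Name: {name}\n * Version: {ver}\n */\n")

def demo_scan():
    """Build the constructed fixture in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_plugins(tmp)
        return scan_plugins(tmp)

if __name__ == "__main__":
    for slug, installed, ceiling in demo_scan():
        print(f"{slug}: installed {installed}, affected <= {ceiling}")
```

Point scan_plugins() at a real wp-content/plugins directory to check a site. Two caveats worth keeping in mind: the slug check assumes the plugin directory name matches the slug in the table above (true for plugins installed from wordpress.org, not necessarily for manually uploaded premium plugins), and a version at or below the ceiling only tells you the install is in the affected range, not whether the specific vulnerable feature is enabled; the linked Wordfence record is the place to confirm that.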
As a reminder, Wordfence has curated an industry-leading vulnerability database, Wordfence Intelligence, covering all known WordPress core, theme, and plugin vulnerabilities.
This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, submissions from vulnerability researchers using our CVE Request form, and monitoring of various sources to capture all publicly available WordPress vulnerability information, adding additional context where we can.
The post Wordfence Intelligence Weekly WordPress Vulnerability Report (May 22, 2023 to May 28, 2023) appeared first on Wordfence.