Last week, there were 116 vulnerabilities disclosed in 88 WordPress Plugins and 3 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 35 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface and vulnerability API are completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
Jetpack <= 12.1 – Authenticated (Author+) Arbitrary File Manipulation
Formidable Forms <= 6.3 – Authenticated (Subscriber+) Arbitrary Plugin Installation and Activation
Wordapp <= 1.5.0 – Authorization Bypass through Use of Insufficiently Unique Cryptographic Signature
WAF-RULE-603 – data redacted while we work with the developer to ensure the vulnerability this rule protects against gets patched.
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.
Total Unpatched & Patched Vulnerabilities Last Week
Patch Status
Number of Vulnerabilities
Unpatched
68
Patched
48
Total Vulnerabilities by CVSS Severity Last Week
Severity Rating
Number of Vulnerabilities
Low Severity
3
Medium Severity
93
High Severity
16
Critical Severity
4
Total Vulnerabilities by CWE Type Last Week
Vulnerability Type by CWE
Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
36
Cross-Site Request Forgery (CSRF)
35
Missing Authorization
22
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
6
Improper Input Validation
2
Improper Authorization
2
Authorization Bypass Through User-Controlled Key
2
Authentication Bypass Using an Alternate Path or Channel
2
URL Redirection to Untrusted Site (‘Open Redirect’)
1
Improper Privilege Management
1
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’)
1
Insufficient Verification of Data Authenticity
1
Server-Side Request Forgery (SSRF)
1
Use of Less Trusted Source
1
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
1
Deserialization of Untrusted Data
1
Improper Control of Generation of Code (‘Code Injection’)
1
Researchers That Contributed to WordPress Security Last Week
Researcher Name
Number of Vulnerabilities
Lana Codes
(Wordfence Vulnerability Researcher)
22
Mika
7
yuyudhn
6
thiennv
6
Alex Thomas
(Wordfence Vulnerability Researcher)
4
Ramuel Gall
(Wordfence Vulnerability Researcher)
2
Justiice
1
Skalucy
1
Elliot
1
40826d
1
konagash
1
TomS
1
Hamed
1
Marco Wotschka
(Wordfence Vulnerability Researcher)
1
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
Software Name
Software Slug
Ajax Pagination and Infinite Scroll
malinky-ajax-pagination
B2BKing — Ultimate WooCommerce Wholesale and B2B Solution — Wholesale Order Form, Catalog Mode, Dynamic Pricing & More
b2bking-wholesale-for-woocommerce
BBS e-Popup
bbs-e-popup
Blog-in-Blog
blog-in-blog
Brizy – Page Builder
brizy
CRM Perks Forms – WordPress Form Builder
crm-perks-forms
CRM and Lead Management by vcita
crm-customer-relationship-management-by-vcita
Call Now Accessibility Button
accessibility-help-button
Call Now Icon Animate
call-now-icon-animate
Cart2Cart: Magento to WooCommerce Migration
cart2cart-magento-to-woocommerce-migration
Change WooCommerce Add To Cart Button Text
change-woocommerce-add-to-cart-button-text
Chilexpress woo oficial
chilexpress-oficial
Complianz – GDPR/CCPA Cookie Consent
complianz-gdpr
Conditional shipping & Advanced Flat rate shipping rates / Flexible shipping for WooCommerce shipping
advanced-free-flat-shipping-woocommerce
Constant Contact Forms
constant-contact-forms
Contact Form Builder by vcita
contact-form-with-a-meeting-scheduler-by-vcita
Contact Form and Calls To Action by vcita
lead-capturing-call-to-actions-by-vcita
Custom Login Page | Temporary Users | Rebrand Login | Login Captcha
feather-login-page
Directorist – WordPress Business Directory Plugin with Classified Ads Listings
directorist
Disable WordPress Update Notifications and auto-update Email Notifications
disable-update-notifications
Display post meta, term meta, comment meta, and user meta
display-metadata
Donation Platform for WooCommerce: Fundraising & Donation Management
wc-donation-platform
Download Monitor
download-monitor
Dynamic QR Code Generator
dynamic-qr-code-generator
Dynamic Visibility for Elementor
dynamic-visibility-for-elementor
Event Registration Calendar By vcita
event-registration-calendar-by-vcita
Extended Post Status
extended-post-status
Favorites
favorites
File Manager Advanced Shortcode WordPress
file-manager-advanced-shortcode
Floating Action Button
floating-action-button
Formidable Forms – Contact Form, Survey, Quiz, Calculator & Custom Form Builder
formidable
GDPR Cookie Consent Notice Box
cookie-consent-box
Google Fonts For WordPress
free-google-fonts
Gravityforms
gravityforms
Headless CMS
headless-cms
Interactive Image Map Plugin – Draw Attention
draw-attention
JS Job Manager
js-jobs
Jetpack – WP Security, Backup, Speed, & Growth
jetpack
Kanban Boards for WordPress
kanban
Kebo Twitter Feed
kebo-twitter-feed
LH Password Changer
lh-password-changer
LWS Hide Login
lws-hide-login
Login Configurator
login-configurator
Nested Pages
wp-nested-pages
Online Booking & Scheduling Calendar for WordPress by vcita
meeting-scheduler-by-vcita
Online Payments – Get Paid with PayPal, Square & Stripe
paypal-payment-button-by-vcita
Page Builder with Image Map by AZEXO
page-builder-by-azexo
Photo Gallery by 10Web – Mobile-Friendly Image Gallery
photo-gallery
Quick/Bulk Order Form for WooCommerce
woocommerce-bulk-order-form
ReviewX – Multi-criteria Rating & Reviews for WooCommerce
reviewx
Social Media Share Buttons & Social Sharing Icons
ultimate-social-media-icons
Social Share, Social Login and Social Comments Plugin – Super Socializer
super-socializer
SpamReferrerBlock
spamreferrerblock
TPG Redirect
tpg-redirect
TS Webfonts for さくらのレンタルサーバ
ts-webfonts-for-sakura
Telegram Bot & Channel
telegram-bot
Tutor LMS – eLearning and online course solution
tutor
Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
ultimate-member
Uncanny Toolkit for LearnDash
uncanny-learndash-toolkit
Unite Gallery Lite
unite-gallery-lite
User Email Verification for WooCommerce
woo-confirmation-email
VK Blocks
vk-blocks
WOLF – WordPress Posts Bulk Editor and Manager Professional
bulk-editor
WP Directory Kit
wpdirectorykit
WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting
erp
WP Full Auto Tags Manager
wp-full-auto-tags-manager
WP Hide Post
wp-hide-post
WP Inventory Manager
wp-inventory-manager
WP Report Post
wp-report-post
WP User Switch
wp-user-switch
WP-Cache.com
wp-cachecom
WP-Cirrus
wp-cirrus
WPC Smart Wishlist for WooCommerce
woo-smart-wishlist
Web Directory Free
web-directory-free
WooCommerce Box Office
woocommerce-box-office
WooCommerce Checkout & Funnel Builder by CartFlows – Create High Converting Stores For WooCommerce
cartflows
Woocommerce Order address Print
woocommerce-order-address-print
WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg
groundhogg
WordPress NextGen GalleryView
wordpress-nextgen-galleryview
WordPress Online Booking and Scheduling Plugin – Bookly
bookly-responsive-appointment-booking-tool
WordPress Social Login
wordpress-social-login
Wordapp
wordapp
Worthy – VG WORT Integration für WordPress
wp-worthy
Yandex Metrica Counter
counter-yandex-metrica
bbPress Toolkit
bbp-toolkit
bbp style pack
bbp-style-pack
premium-addons-pro
premium-addons-pro
wpForo Forum
wpforo
WordPress Themes with Reported Vulnerabilities Last Week
Software Name
Software Slug
HashOne
hashone
Viral
viral
Viral News
viral-news
Vulnerability Details
Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities.
Wordapp <= 1.5.0 – Authorization Bypass through Use of Insufficiently Unique Cryptographic Signature
CVE ID: CVE-2023-2987
CVSS Score: 9.8 (Critical)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/80440bfa-4a02-4441-bbdb-52d7dd065a9d
Tutor LMS <= 2.1.10 – Unauthenticated SQL Injection
CVE ID: CVE-2023-25700
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9dfee325-9001-4483-b3eb-846da0314529
Gravity Forms <= 2.7.3 – Unauthenticated PHP Object Injection
CVE ID: CVE-2023-28782
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/dc1e5fb7-92d0-4e7f-9b1b-15673e3b852a
File Manager Advanced Shortcode WordPress <= 2.3.2 – Unauthenticated Arbitrary File Upload to Remote Code Execution via Shortcode
CVE ID: CVE-2023-2068
CVSS Score: 9.8 (Critical)
Researcher/s: Mateus Machado Tesser
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ea40d06e-672c-42db-9378-d382de5838d4
Directorist <= 7.5.4 – Authenticated (Subscriber+) Arbitrary User Password Reset to Privilege Escalation
CVE ID: CVE-2023-1888
CVSS Score: 8.8 (High)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/01943559-e05b-4dca-b322-d880b2729ee7
Feather Login Page 1.0.7 – 1.1.1 – Cross-Site Request Forgery to Privilege Escalation
CVE ID: CVE-2023-2549
CVSS Score: 8.8 (High)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/12560b8e-9c47-4f7f-ac9c-d86f17914ba3
Tutor LMS <= 2.2.0 – Authenticated (Student+) SQL Injection
CVE ID: CVE-2023-25800
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2a64b1ff-0d3f-42fa-bab2-4f31bb8f0476
ReviewX <= 1.6.13 – Arbitrary Usermeta Update to Authenticated (Subscriber+) Privilege Escalation
CVE ID: CVE-2023-2833
CVSS Score: 8.8 (High)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/70e1d701-2cff-4793-9e4c-5b16a4038e8d
Tutor LMS <= 2.1.10 – Authenticated (Tutor Instructor+) SQL Injection
CVE ID: CVE-2023-25990
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7d623512-ee99-4a73-a752-ecbb6ad96b63
wpForo Forum <= 2.1.7 – Authenticated (Subscriber+) Local File Include, Server-Side Request Forgery, and PHAR Deserialization via file_get_contents
CVE ID: CVE-2023-2249
CVSS Score: 8.8 (High)
Researcher/s: Hamed
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/800fa098-b29f-4979-b7bd-b1186a4dafcb
Web Directory Free <= 1.6.7 – Authenticated (Contributor+) SQL Injection via post_id
CVE ID: CVE-2023-2201
CVSS Score: 8.8 (High)
Researcher/s: Marco Wotschka
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d831fa81-4714-4757-b75d-0a8f5edda910
WP User Switch <= 1.0.2 – Authenticated (Subscriber+) Authentication Bypass via Cookie
CVE ID: CVE-2023-2546
CVSS Score: 8.8 (High)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e89d912d-fa7a-4fb1-8872-95fa861c21ca
Feather Login Page 1.0.7 – 1.1.1 – Missing Authorization to Authentication Bypass and Privilege Escalation
CVE ID: CVE-2023-2545
CVSS Score: 8.1 (High)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b2ab2178-7438-43ef-961e-b54d0d230f4a
User Email Verification for WooCommerce <= 3.5.0 – Authentication Bypass
CVE ID: CVE-2023-2781
CVSS Score: 8.1 (High)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f1e31357-7fbc-414b-a4f4-53fa5f2fc715
bbPress Toolkit <= 1.0.12 – Cross-Site Scripting
CVE ID: CVE-2023-34032
CVSS Score: 7.2 (High)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/11305d35-07d6-4c61-a0c7-035671229f07
Online Booking & Scheduling Calendar for WordPress by vcita <= 4.2.10 – Unauthenticated Stored Cross-Site Scripting
CVE ID: CVE-2023-2298
CVSS Score: 7.2 (High)
Researcher/s: Jonas Höbenreich
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7e6a0bf9-4767-4d4c-9a1e-adcb3c7719d9
WP Report Post <= 2.1.2 – Authenticated (Editor+) SQL Injection
CVE ID: CVE-2023-34168
CVSS Score: 7.2 (High)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8dae13e5-cee7-4392-af71-7d466ba6f6c4
Groundhogg <= 2.7.10.3 – Authenticated (Administrator+) SQL Injection
CVE ID: CVE-2023-34179
CVSS Score: 7.2 (High)
Researcher/s: Rafshanzani Suhada
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b4f2554d-c047-4be2-a4e6-2ae51f077376
Blog-in-Blog <= 1.1.1 – Authenticated (Editor+) Local File Inclusion via Shortcode
CVE ID: CVE-2023-2435
CVSS Score: 7.2 (High)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d53161ad-cc5f-4433-b288-a8095cdfd7db
Cart2Cart: Magento to WooCommerce Migration <= 2.0.0 – Missing Authorization via setToken
CVE ID: CVE-2023-34379
CVSS Score: 7.1 (High)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5d9ab83f-6d0b-4fe4-a121-87b09dcc0953
Headless CMS <= 2.0.3 – Missing Authorization
CVE ID: CVE-2023-34186
CVSS Score: 6.5 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2d1414f5-e705-4fd4-847b-b46d2d20943b
Jetpack <= 12.1 – Authenticated (Author+) Arbitrary File Manipulation
CVE ID: CVE-2023-2996
CVSS Score: 6.5 (Medium)
Researcher/s: Miguel Neto
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9dfca4cb-71dc-4b2d-bcf3-0ca9f88f88df
B2BKing <= 4.6.00 – Missing Authorization to Authenticated(Subscriber+) Price Modification
CVE ID: CVE-2023-3125
CVSS Score: 6.5 (Medium)
Researcher/s: Jerome Bruandet
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b3f2c4c3-73d6-4b3b-8eb3-c494f52dc183
Directorist <= 7.5.4 – Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Post Deletion in listing_task
CVE ID: CVE-2023-1889
CVSS Score: 6.5 (Medium)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b47edd57-cac7-463f-88cc-8922f1b34612
Uncanny Toolkit for LearnDash <= 3.6.4.3 – Missing Authorization via review-banner-visibility REST route
CVE ID: CVE-2023-34019
CVSS Score: 6.5 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cdaa7450-3b51-470d-8903-52fd1d4215a2
Formidable Forms <= 6.3 – Authenticated (Subscriber+) Arbitrary Plugin Installation and Activation
CVE ID: CVE Unknown
CVSS Score: 6.5 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d9f060bd-029a-462e-b308-8366e82be383
Contact Form Builder by vcita <= 4.9.1 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-2300
CVSS Score: 6.4 (Medium)
Researcher/s: Jonas Höbenreich
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/12ce97ba-8053-481f-bcd7-05d5e8292adb
Event Registration Calendar By vcita <= 1.3.1 & Online Payments – Get Paid with PayPal, Square & Stripe <= 3.9.1 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-2406
CVSS Score: 6.4 (Medium)
Researcher/s: Jonas Höbenreich
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1ab05954-9999-43ff-8e3c-a987e2da1956
Page Builder by AZEXO <= 1.27.133 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-3051
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/24486605-9324-4f19-9ca3-340d006432db
WooCommerce Box Office <= 1.1.50 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-34004
CVSS Score: 6.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3ebd05d5-a65d-49df-a865-882e9d17fc0f
Contact Form and Calls To Action by vcita <= 2.6.4 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-2302
CVSS Score: 6.4 (Medium)
Researcher/s: Jonas Höbenreich
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4dfc237a-9157-4da9-ba8f-9daf2ba4f20b
Favorites <= 2.3.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-2304
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5bd03cd0-34f0-491c-8247-79656eba32a8
Display post meta, term meta, comment meta, and user meta <= 0.4.1 – Authenticated(Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-1661
CVSS Score: 6.4 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6f90c0d8-ede6-4f24-870f-19e888238e93
CRM and Lead Management by vcita <= 2.6.2 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-2404
CVSS Score: 6.4 (Medium)
Researcher/s: Jonas Höbenreich
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e26ccd06-22e0-4d91-a53a-df6ead8a8e3b
Page Builder by AZEXO <= 1.27.133 – Cross-Site Request Forgery to Post Creation/Modification/Deletion
CVE ID: CVE-2023-3052
CVSS Score: 6.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a4e26035-ce4e-4b4b-aa3c-cd86b29b199a
Chilexpress woo oficial <= 1.2.9 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-34176
CVSS Score: 6.1 (Medium)
Researcher/s: Le Hong Minh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0999a738-9fae-4043-99eb-ff222a7608fa
CRM and Lead Management by vcita <= 2.6.2 – Cross-Site Request Forgery to Stored Cross-Site Scripting
CVE ID: CVE-2023-2405
CVSS Score: 6.1 (Medium)
Researcher/s: Jonas Höbenreich
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0f75c6bf-1b93-49d5-b5fb-e59b4e67432f
Event Registration Calendar By vcita <= 1.3.1 & Online Payments – Get Paid with PayPal, Square & Stripe <= 3.9.1 – Cross-Site Request Forgery to Stored Cross-Site Scripting
CVE ID: CVE-2023-2407
CVSS Score: 6.1 (Medium)
Researcher/s: Jonas Höbenreich
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/207b40fa-2062-48d6-990b-f05cbbf8fb8e
Contact Form and Calls To Action by vcita <= 2.6.4 – Cross-Site Request Forgery to Stored Cross-Site Scripting
CVE ID: CVE-2023-2303
CVSS Score: 6.1 (Medium)
Researcher/s: Jonas Höbenreich
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2345c972-9fd4-4709-8bde-315ab54f60e2
Woocommerce Order address Print <= 3.2 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-34184
CVSS Score: 6.1 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2bbf4e86-308c-43f3-a54c-e1c6ee21260e
Page Builder by AZEXO <= 1.27.133 – Cross-Site Request Forgery to Stored Cross-Site Scripting via azh_save
CVE ID: CVE-2023-3055
CVSS Score: 6.1 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2efeffa2-b21a-4aa1-93b0-51c775758ab1
bbp style pack <= 5.5.5 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-33997
CVSS Score: 6.1 (Medium)
Researcher/s: thiennv
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/49e82146-e8ad-4bc5-94a7-a4ae694b7039
Contact Form Builder by vcita <= 4.9.1 – Cross-Site Request Forgery to Stored Cross-Site Scripting
CVE ID: CVE-2023-2301
CVSS Score: 6.1 (Medium)
Researcher/s: Jonas Höbenreich
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/61c39f5f-3b17-4e4d-824e-241159a73400
Social Share, Social Login and Social Comments <= 7.13.51 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-2779
CVSS Score: 6.1 (Medium)
Researcher/s: 40826d
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6257739a-cd7c-4797-882a-016a01fe84b4
Dynamic QR Code Generator <= 0.0.5 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-34022
CVSS Score: 6.1 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/65f30cd4-1d47-4ebe-a6de-acdb3a813c9c
WP Directory Kit <= 1.2.3 – Reflected Cross-Site Scripting via ‘search’
CVE ID: CVE-2023-2835
CVSS Score: 6.1 (Medium)
Researcher/s: Dongzhu Li
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/847f1c00-0e8f-4d38-84af-fe959e2efe5c
BBS e-Popup <= 2.4.5 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-34174
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8f715947-e379-4a05-9ab8-5d9e94ffc136
Premium Addons PRO <= 2.8.24 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-34012
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9445a54c-06b9-400a-a8ae-a58f1b968196
Google Fonts For WordPress <= 3.0.0 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-34180
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/94712f92-5045-420b-9d6d-59a4c031e998
Login Configurator <= 2.1 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-34175
CVSS Score: 6.1 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b89a1265-6e26-498c-a2b4-da12d38463c9
WP ERP <= 1.12.3 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-34008
CVSS Score: 6.1 (Medium)
Researcher/s: minhtuanact
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e5863e9b-3f98-41ea-97ed-26563493cffd
Blog-in-Blog <= 1.1.1 – Authenticated (Editor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-2436
CVSS Score: 5.5 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5c6a88c3-18b7-470f-8014-373ead66dcfa
Quick/Bulk Order Form for WooCommerce <= 3.5.7 – Authenticated (Shop manager+) Stored Cross-Site Scripting
CVE ID: CVE-2023-34170
CVSS Score: 5.5 (Medium)
Researcher/s: Emili Castells
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/898af9aa-72c4-46a6-afc2-76dd17672fbc
Download Monitor <= 4.8.1 – Authenticated (Admin+) Server-Side Request Forgery
CVE ID: CVE-2023-31219
CVSS Score: 5.5 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a03f0780-796c-41a3-8f06-04f76e0da2da
JS Job Manager <= 2.0.0 – Cross-Site Request Forgery via multiple functions
CVE ID: CVE-2023-31087
CVSS Score: 5.4 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0131921b-6f60-4da1-b5d9-d44a33d35cae
Groundhogg <= 2.7.10.3 – Cross-Site Request Forgery
CVE ID: CVE-2023-34178
CVSS Score: 5.4 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/22506d45-40db-47c4-91b2-ab4f49703bf9
Online Booking & Scheduling Calendar for WordPress by vcita <= 4.2.10 – Missing Authorization to Settings Update and Media Upload
CVE ID: CVE-2023-2414
CVSS Score: 5.4 (Medium)
Researcher/s: Jonas Höbenreich
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3c99aab5-a995-44ae-bc14-09f73e6b22c5
Dynamic Visibility for Elementor <= 5.0.5 – Missing Authorization to Authenticated(Subscriber+) Post Visibility Modification
CVE ID: CVE Unknown
CVSS Score: 5.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4e704333-ad88-42c9-b632-babc9d54cb13
Feather Login Page 1.0.7 – 1.1.1 – Missing Authorization to Non-Arbitrary User Deletion
CVE ID: CVE-2023-2547
CVSS Score: 5.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5d58a6a4-de2c-485f-a8b0-7a7d144fbf3c
Online Booking & Scheduling Calendar for WordPress by vcita <= 4.2.10 – Missing Authorization to Account Logout
CVE ID: CVE-2023-2415
CVSS Score: 5.4 (Medium)
Researcher/s: Jonas Höbenreich
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/731cbeed-d4aa-448f-878a-8c51a3da4e18
Worthy – VG WORT Integration für WordPress <= 1.6.5-6497609 – Cross-Site Request Forgery
CVE ID: CVE-2023-24417
CVSS Score: 5.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7717cd0f-6aac-4cb0-b27e-2517d5d7ecd9
Extended Post Status <= 1.0.19 – Missing Authorization via wp_insert_post_data
CVE ID: CVE-2023-32094
CVSS Score: 5.4 (Medium)
Researcher/s: TaeEun Lee
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b6369b41-d93f-4959-8fad-be69ef724b24
Change WooCommerce Add To Cart Button Text <= 1.3 – Missing Authorization via rexvs_settings_submit
CVE ID: CVE-2023-34376
CVSS Score: 5.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d47f5d90-dc7d-4500-a6e6-e585e4a5c11b
Page Builder by AZEXO <= 1.27.133 – Missing Authorization to Post Creation
CVE ID: CVE-2023-3053
CVSS Score: 5.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/dd56cb73-1c40-44b1-b713-c0291832d988
WordPress Social Login <= 3.0.4 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-34023
CVSS Score: 5.4 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e8b03deb-4134-4dde-8545-a14977a47209
Online Booking & Scheduling Calendar for WordPress by vcita <= 4.2.10 – Cross-Site Request Forgery to Account Logout
CVE ID: CVE-2023-2416
CVSS Score: 5.4 (Medium)
Researcher/s: Jonas Höbenreich
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f434585c-8533-4788-b0bc-5650390c29a8
Online Booking & Scheduling Calendar for WordPress by vcita <= 4.2.10 – Missing Authorization on REST-API
CVE ID: CVE-2023-2299
CVSS Score: 5.3 (Medium)
Researcher/s: Jonas Höbenreich
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4855627a-de56-49ee-b0b0-01b9735d8557
WooCommerce Box Office <= 1.1.51 – Missing Authorization
CVE ID: CVE-2023-34003
CVSS Score: 5.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8872eca8-4812-4f5f-b775-cbfab90ba2ca
Call Now Accessibility Button <= 1.1 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-28933
CVSS Score: 4.4 (Medium)
Researcher/s: Juampa Rodríguez
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/04df6505-46c1-4e66-a363-4ccebacb5e42
Yandex Metrica Counter <= 1.4.3 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-34173
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/173661aa-6895-41d6-8869-6abfd2eadf31
Unite Gallery Lite <= 1.7.60 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-34183
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/577d8986-edc5-445f-80cf-7a7f2cca9749
Download SpamReferrerBlock <= 2.22 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-34372
CVSS Score: 4.4 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/692e995d-cdfc-4ab8-8a8a-5423eb7f8d15
Telegram Bot & Channel <= 3.6.2 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-34006
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6eb099c3-f6f6-4d9c-a9c7-fa1b81ce082e
Kanban Boards for WordPress <= 2.5.20 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-34368
CVSS Score: 4.4 (Medium)
Researcher/s: TomS
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7fe3e55e-7286-4d12-b24f-fce69248a446
Call Now Icon Animate <= 0.1.0 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-34187
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/82f5e976-2564-4f8b-96d5-cfac9945737c
WordPress Social Login <= 3.0.4 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-34172
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bc2c3bdb-65b9-4e0b-899f-bd08077bc8ba
Bulk Order Form for WooCommerce <= 3.5.7 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d549fcd5-6808-4d7d-bf1f-df8cfa458744
CRM Perks Forms <= 1.1.1 – Authenticated (Admin+) Stored Cross-Site Scripting
CVE ID: CVE-2023-2836
CVSS Score: 4.4 (Medium)
Researcher/s: Dongzhu Li
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/de11636b-a051-4e76-bc26-ed76f66fe0df
GDPR Cookie Consent Notice Box <= 1.1.6 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-32294
CVSS Score: 4.4 (Medium)
Researcher/s: Emili Castells
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f44b8e21-4bfd-487f-96f1-d264d335f54f
TS Webfonts for さくらのレンタルサーバ <= 3.1.0 – Cross-Site Request Forgery
CVE ID: CVE-2023-34169
CVSS Score: 4.3 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/025d576b-7342-4863-ac30-f1ff0205d638
NextGen GalleryView <= 0.5.5 – Cross-Site Request Forgery
CVE ID: CVE-2023-34185
CVSS Score: 4.3 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/052ea3af-96d8-4e83-b4e7-3db30b556d0d
WP Report Post <= 2.1.2 – Cross-Site Request Forgery
CVE ID: CVE-2023-34171
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/09e28b72-55c6-4f2f-b689-a8989945651b
Ajax Pagination and Infinite Scroll <= 2.0.1 – Cross-Site Request Forgery
CVE ID: CVE-2023-34033
CVSS Score: 4.3 (Medium)
Researcher/s: Justiice
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0bc7f5dd-a1eb-442d-9913-e391208e7f26
VK Blocks <= 1.57.0.5 – Authenticated(Contributor+) Settings Update
CVE ID: CVE-2023-0583
CVSS Score: 4.3 (Medium)
Researcher/s: Ramuel Gall
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/12a94f5b-bc30-4a65-b397-54488c836ec3
Floating Action Button <= <=1.2.1 – Cross-Site Request Forgery
CVE ID: CVE-2023-31088
CVSS Score: 4.3 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/14bf654e-c4f1-4267-811e-6d796c14834a
Photo Gallery <= 1.8.15 – Missing Authorization
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1534f67d-cf3f-4185-9aa6-01ae5dee4f26
Multiple Themes (Various Versions) – Missing Authorization to Arbitrary Plugin Activation
CVE ID: CVE-2023-33923
CVSS Score: 4.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/154a838c-f8bb-4568-b066-a78264c75eea
Draw Attention <= 2.0.11 – Missing Authorization to Arbitrary Post Featured Image Modification
CVE ID: CVE-2023-2764
CVSS Score: 4.3 (Medium)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/18530601-a294-448c-a1b2-c3995f9042ac
LH Password Changer <= 1.55 – Cross-Site Request Forgery
CVE ID: CVE-2023-34182
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/19d08a16-51c1-4255-b0e0-01307e1783ca
Social Media & Share Icons <= 2.8.1 – Missing Authorization via handle_installation
CVE ID: CVE-2023-34009
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1bfb5d34-738d-4842-be93-9668fceb3334
Advanced Flat rate shipping Woocommerce <= 1.6.4.4 – Cross-Site Request Forgery via enableDisable and deletePost
CVE ID: CVE-2023-34015
CVSS Score: 4.3 (Medium)
Researcher/s: Skalucy
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/27b14c6e-44fe-4acb-8058-613f65b6baa4
Donation Platform for WooCommerce: Fundraising & Donation Management <= 1.2.9 – Cross-Site Request Forgery to Survey Submission
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3c8602ed-6c0d-4357-93e6-bab1ab38ffb2
WP Hide Post <= 2.0.10 – Cross-Site Request Forgery via save_bulk_edit_data
CVE ID: CVE-2023-34378
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3c957f3f-fb98-49ff-b317-93b1accd0d47
WP Full Auto Tags Manager <= 2.2 – Cross-Site Request Forgery
CVE ID: CVE-2023-34024
CVSS Score: 4.3 (Medium)
Researcher/s: Elliot
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5bf209b8-7c12-4fc3-af7f-4fd25777caab
WPC Smart Wishlist for WooCommerce <= 4.6.7 – Cross-Site Request Forgery via wishlist_add and wishlist_remove
CVE ID: CVE-2023-34386
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/655fc91d-5920-4214-8ef1-8191e2683f9d
Disable WordPress Update Notifications <= 2.3.3 – Cross-Site Request Forgery
CVE ID: CVE-2023-34029
CVSS Score: 4.3 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/658ba848-fbfe-4cee-b997-77bc4cae53dc
Uncanny Toolkit for LearnDash <= 3.6.4.3 – Open Redirect
CVE ID: CVE-2023-34020
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/66e5a569-1dd5-40e9-8356-d7c82c8e30ed
WP-Cirrus <= 0.6.11 – Cross-Site Request Forgery
CVE ID: CVE-2023-34181
CVSS Score: 4.3 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/710aa0fd-34e2-4f0e-b354-0722d9692410
LWS Hide Login <= 2.1.5 – Cross-Site Request Forgery
CVE ID: CVE-2023-34025
CVSS Score: 4.3 (Medium)
Researcher/s: konagash
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7678b80f-3184-4979-b1f4-25cd75836010
Constant Contact Forms <= 1.14.0 – Missing Authorization via constant_contact_optin_ajax_handler
CVE ID: CVE-2023-34387
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/85b6262c-2576-4177-a683-44464dba0978
bbPress Toolkit <= 1.0.12 – Cross-Site Request Forgery
CVE ID: CVE-2023-34031
CVSS Score: 4.3 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8a9b2ec2-edbe-45c5-bd36-45a6101356d1
WP Inventory Manager <= 2.1.0.13 – Cross-Site Request Forgery via delete_item
CVE ID: CVE-2023-34002
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/95986a4d-94fb-4afe-ba1e-382d6f4c550f
Ultimate Member <= 2.6.0 – Cross-Site Request Forgery to Form Duplication
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/97ced4ed-915b-4234-b59d-75db983f90e8
WOLF <= 1.0.7 – Cross-Site Request Forgery via create_profile
CVE ID: CVE-2023-34028
CVSS Score: 4.3 (Medium)
Researcher/s: thiennv
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/98dffc17-ac45-4ccd-ae57-96b36bd02be3
Complianz | GDPR/CCPA Cookie Consent <= 6.4.5 – Cross-Site Request Forgery
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a92d5176-4cf0-4a31-9dcc-a2dc3259d29b
VK Blocks <= 1.57.0.5 – Authenticated(Contributor+) Settings Update
CVE ID: CVE-2023-0584
CVSS Score: 4.3 (Medium)
Researcher/s: Ramuel Gall
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b90b7f6c-df7f-48a5-b283-cf5facbd71e5
B2BKing <= 4.6.00 – Missing Authorization to Authenticated(Subscriber+) Information Disclosure
CVE ID: CVE-2023-3126
CVSS Score: 4.3 (Medium)
Researcher/s: Jerome Bruandet
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d2e3ac14-1421-49f0-9c60-7f7d5c9d7654
Multiple Themes (Various Versions) – Cross-Site Request Forgery to Arbitrary Plugin Activation
CVE ID: CVE-2023-33923
CVSS Score: 4.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d3543a39-ad88-40be-93b8-36ec638db4bd
Kebo Twitter Feed <= 1.5.12 – Cross-Site Request Forgery via kebo_twitter_menu_render
CVE ID: CVE-2023-34384
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d56aaa20-f40c-4f99-bc38-0b14fa39a175
SpamReferrerBlock <= 2.22 – Cross-Site Request Forgery
CVE ID: CVE-2023-34371
CVSS Score: 4.3 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d70e9d4e-2137-411b-bc01-28388a7b2519
TPG Redirect <= 1.0.6 – Cross-Site Request Forgery
CVE ID: CVE-2023-32093
CVSS Score: 4.3 (Medium)
Researcher/s: Taihei Shimamine
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d92b9c21-067b-41c3-a385-a65faa8dd0ae
WP-Cache.com <= 1.1.1 – Cross-Site Request Forgery
CVE ID: CVE-2023-34177
CVSS Score: 4.3 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e9a28625-19e4-4696-bb51-7115368120d3
Bookly <= 21.7 – Authenticated (Admin+) Stored Cross-Site Scripting
CVE ID: CVE-2023-1159
CVSS Score: 4 (Medium)
Researcher/s: Vinay Kumar
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d4cdf774-c93b-4b94-85ba-aa56bf401873
Nested Pages <= 3.2.3 – Missing Authorization to Authenticated (Editor+) Plugin Settings Reset
CVE ID: CVE-2023-2434
CVSS Score: 3.8 (Low)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8c3e61e9-3610-41b5-9820-28012dc657fd
Brizy Page Builder <= 2.4.18 – IP Address Spoofing to Protection Mechanism Bypass
CVE ID: CVE-2023-2897
CVSS Score: 3.7 (Low)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ae342dd9-2f5f-4356-8fb4-9a3e5f4f8316
CartFlows <= 1.11.11 – Insecure Direct Object Reference to Arbitrary Post Deletion
CVE ID: CVE Unknown
CVSS Score: 2.7 (Low)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b9002f6e-4345-4908-9cb8-9841a2458eb7
As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.
This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
The post Wordfence Intelligence Weekly WordPress Vulnerability Report (May 29, 2023 to June 4, 2023) appeared first on Wordfence.