Last week, there were 139 vulnerabilities disclosed in 105 WordPress Plugins and 2 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 47 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface and vulnerability API are completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
This vulnerability is being actively exploited. We have blocked over 600 exploit attempts in the past 24 hours, and expect this to continue. You can read more about this here.
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.
Total Unpatched & Patched Vulnerabilities Last Week
Patch Status
Number of Vulnerabilities
Unpatched
47
Patched
92
Total Vulnerabilities by CVSS Severity Last Week
Severity Rating
Number of Vulnerabilities
Low Severity
2
Medium Severity
119
High Severity
13
Critical Severity
5
Total Vulnerabilities by CWE Type Last Week
Vulnerability Type by CWE
Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
64
Cross-Site Request Forgery (CSRF)
31
Missing Authorization
23
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
8
Deserialization of Untrusted Data
2
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
2
URL Redirection to Untrusted Site (‘Open Redirect’)
2
Use of Less Trusted Source
1
Incorrect Authorization
1
Unrestricted Upload of File with Dangerous Type
1
Improper Authorization
1
Authorization Bypass Through User-Controlled Key
1
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’)
1
Unverified Password Change
1
Researchers That Contributed to WordPress Security Last Week
Researcher Name
Number of Vulnerabilities
Lana Codes
Wordfence Vulnerability Researcher
14
thiennv
6
Mika
5
yuyudhn
4
Marco Wotschka
Wordfence Vulnerability Researcher
4
Alex Thomas
Wordfence Vulnerability Researcher
4
Justiice
2
konagash
2
Chloe Chamberland
Wordfence Vulnerability Researcher
2
rezaduty
1
Skalucy
1
Erwan LR
1
easyBug
1
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
Software Name
Software Slug
10Web Social Post Feed
wd-facebook-feed
Active Directory Integration / LDAP Integration
ldap-login-for-intranet-sites
Add Posts to Pages
add-posts-to-pages
Announcement & Notification Banner – Bulletin
bulletin-announcements
Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection
stopbadbots
Block Referer Spam
block-referer-spam
Booking Ultra Pro Appointments Booking Calendar Plugin
booking-ultra-pro
Brands for WooCommerce
brands-for-woocommerce
Button
button
CALL ME NOW
lokalyze-call-now
CM On Demand Search And Replace
cm-on-demand-search-and-replace
Column-Matic
column-matic
Community by PeepSo – Social Network, Membership, Registration, User Profiles
peepso-core
Complianz – GDPR/CCPA Cookie Consent
complianz-gdpr
Custom Base Terms
custom-base-terms
Custom Field Suite
custom-field-suite
DBargain
d-bargain
DevBuddy Twitter Feed
devbuddy-twitter-feed
Directorist – WordPress Business Directory Plugin with Classified Ads Listings
directorist
Don8
don8
Donations Made Easy – Smart Donations
smart-donations
Download Manager
download-manager
Download Monitor
download-monitor
Dyslexiefont Free
dyslexiefont
Easy Form by AYS
easy-form
Easy Hide Login
easy-hide-login
Elementor Website Builder
elementor
Essential Addons for Elementor
essential-addons-for-elementor-lite
ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin)
google-analytics-dashboard-for-wp
Featured Image Pro Post Grid
featured-image-pro
Forget About Shortcode Buttons
forget-about-shortcode-buttons
Free WordPress Lead Generation Opt in, Free Popups, Generated Lead Email Popup, Exit-Intent Popup – NotifyVisitors
notifyvisitors-lead-form
Frontend Post WordPress Plugin – AccessPress Anonymous Post
accesspress-anonymous-post
GTmetrix for WordPress
gtmetrix-for-wordpress
Get your number
get-your-number
GiveWP – Donation Plugin and Fundraising Platform
give
Google Site Verification plugin using Meta Tag
google-site-verification-using-meta-tag
Hide My WP Ghost – Security Plugin
hide-my-wp
Hostel
hostel
Hyphenator
hyphenator
Injection Guard
injection-guard
LetterPress – E-Mail campaigns, marketing and newsletter Plugin for WordPress
letterpress
Link Whisper Free
link-whisper
Locatoraid Store Locator
locatoraid
MW WP Form
mw-wp-form
MailChimp Subscribe Form, Optin Builder, PopUp Builder, Form Builder
mailchimp-subscribe-sm
Manager for Icomoon
manager-for-icomoon
MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy)
google-analytics-for-wordpress
My WP Customize Admin/Frontend
my-wp
Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue
mailin
Order Your Posts Manually
order-your-posts-manually
Owl Carousel
owl-carousel
Pinterest RSS Widget
pinterest-rss-widget
Portfolio Gallery – Responsive Image Gallery
gallery-portfolio
Post Form – Registration Form – Profile Form for User Profiles and Content Forms for User Submissions
buddyforms
Post Snippets – Custom WordPress Code Snippets Customizer
post-snippets
Post State Tags
post-state-tags
Pricing Table Builder – AP Pricing Tables Lite
ap-pricing-tables-lite
Pro Mime Types
pro-mime-types
Product page shipping calculator for WooCommerce
product-page-shipping-calculator-for-woocommerce
QuBot – Chatbot Builder with Templates
qubotchat
Quick Page/Post Redirect Plugin
quick-pagepost-redirect-plugin
Radio Station by netmix® – Manage and play your Show Schedule in WordPress!
radio-station
RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login
custom-registration-form-builder-with-submission-manager
Restaurant Menu – Food Ordering System – Table Reservation
menu-ordering-reservations
SALERT – Fake Sales Notification WooCommerce
salert
SEO by 10Web
seo-by-10web
ShortPixel Adaptive Images – WebP, AVIF, CDN, Image Optimization
shortpixel-adaptive-images
Simple Calendar – Google Calendar Plugin
google-calendar-events
Slimstat Analytics
wp-slimstat
Snow Monkey Forms
snow-monkey-forms
SoundCloud Is Gold
soundcloud-is-gold
Sunny Search
fast-search-powered-by-solr
Team Circle Image Slider With Lightbox
circle-image-slider-with-lightbox
Ultimate Addons for Contact Form 7
ultimate-addons-for-contact-form-7
VK All in One Expansion Unit
vk-all-in-one-expansion-unit
VK Blocks
vk-blocks
VK Blocks Pro
vk-blocks-pro
WCP Contact Form
wcp-contact-form
WP Abstracts
wp-abstracts-manuscripts-manager
WP All Backup
wp-all-backup
WP Category Post List Widget
wp-category-posts-list
WP Chinese Conversion
wp-chinese-conversion
WP Multi Store Locator
wp-multi-store-locator
WP Reactions Lite
wp-reactions-lite
WP Register Profile With Shortcode
wp-register-profile-with-shortcode
WP Replicate Post
wp-replicate-post
WP Responsive Tabs horizontal vertical and accordion Tabs
responsive-horizontal-vertical-and-accordion-tabs
WP-Chatbot for Messenger
wp-chatbot
WPCS – WordPress Currency Switcher Professional
currency-switcher
Web Stories for WordPress
UNKNOWN-CVE-2023-1979-1
Whydonate – FREE Donate button – Crowdfunding – Fundraising
wp-whydonate
Wise Chat
wise-chat
Woo Custom Emails
woo-custom-emails
Woodmart Core
woodmart-core
WordPress Online Booking and Scheduling Plugin – Bookly
bookly-responsive-appointment-booking-tool
YITH WooCommerce Gift Cards Premium
yith-woocommerce-gift-cards-premium
Yoast SEO Premium
wordpress-seo-premium
Yoast SEO: Local
wpseo-local
Zero Spam for WordPress
zero-spam
eBecas
ebecas
iframe popup
iframe-popup
itemprop WP for SERP/SEO Rich snippets
itempropwp
weebotLite
weebotlite
wordpress vertical image slider plugin
wp-vertical-image-slider
WordPress Themes with Reported Vulnerabilities Last Week
Software Name
Software Slug
Divi
Divi
Woodmart
woodmart
Vulnerability Details
Woodmart Core <= 1.0.36 – Missing Authorization to Privilege Escalation
CVE ID: CVE-2023-32244
CVSS Score: 9.8 (Critical)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/60f043e9-7947-4fff-a9a8-94a1f421db7c
Manager for Icomoon <= 2.0 – Unauthenticated Arbitrary File Upload via ‘upload’
CVE ID: CVE-2023-29386
CVSS Score: 9.8 (Critical)
Researcher/s: deokhunKim
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/854ab1f3-5f7c-40a4-85a5-db4e20dc72cc
Essential Addons for Elementor <= 5.7.1 – Unauthenticated Arbitrary Password Reset to Privilege Escalation
CVE ID: CVE-2023-32243
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e988d042-147c-4782-b728-71f5a50cecd8
Woodmart Core <= 1.0.36 – PHP Object Injection
CVE ID: CVE-2023-32242
CVSS Score: 9.8 (Critical)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ef79e5a8-8bac-42b3-a064-6eea597701c9
Ultimate Addons for Contact Form 7 <= 3.1.23 – Unauthenticated SQL Injection via form_id
CVE ID: CVE-2022-47586
CVSS Score: 9.8 (Critical)
Researcher/s: minhtuanact
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f10e5eef-1ccf-4f98-b0e9-5ed05b3881a6
WP Replicate Post <= 4.0.2 – Authenticated (Contributor+) SQL Injection
CVE ID: CVE-2023-2237
CVSS Score: 8.8 (High)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/916e6f8b-cb29-4062-9a05-0337cfdb382a
Bookly <= 21.7.1 – Arbitrary File Deletion
CVE ID: CVE-2023-26526
CVSS Score: 8.1 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5a7609bf-5b20-440c-9984-eeb26962ada8
Booking Ultra Pro <= 1.1.4 – Unauthenticated Stored Cross-Site Scripting
CVE ID: CVE-2023-32511
CVSS Score: 7.2 (High)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/01370a71-2611-4826-b08b-485839ca606a
Zero Spam for WordPress <= 5.4.4 – Authenticated(Administrator+) SQL Injection
CVE ID: CVE Unknown
CVSS Score: 7.2 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/03d8b8e7-5702-42d4-8cd9-ae3ff1a74a7e
Active Directory Integration / LDAP Integration <= 4.1.4 – Authenticated (Administrator+) SQL Injection
CVE ID: CVE-2023-2484
CVSS Score: 7.2 (High)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3eedc57b-79cc-4569-b6d6-676a22aa1e06
Slimstat Analytics <= 5.0.4 – Authenticated (Administrator+) SQL Injection
CVE ID: CVE-2022-45373
CVSS Score: 7.2 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6334b02e-ffab-49f9-969b-d015c2babc29
Order Your Posts Manually <= 2.2.5 – Authenticated (Administrator+) SQL Injection via ‘sortdata’
CVE ID: CVE-2023-32508
CVSS Score: 7.2 (High)
Researcher/s: minhtuanact
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/66da0ad7-18a3-42b9-b59a-5927c6bc836b
AP Pricing Tables Lite <= 1.1.6 – Authenticated (Admin+) SQL Injection
CVE ID: CVE-2023-0900
CVSS Score: 7.2 (High)
Researcher/s: Simone Onofri, Donato Onofri
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/869e57f8-7524-497a-8d24-bb9f2ee3898b
WP Chinese Conversion <= 1.1.16 – Unauthenticated Stored Cross-Site Scripting
CVE ID: CVE-2023-32518
CVSS Score: 7.2 (High)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/95c47c7b-df83-43ee-9091-136b6622e88c
Zero Spam <= 5.4.4 – Authenticated (Administrator+) SQL Injection
CVE ID: CVE-2023-32121
CVSS Score: 7.2 (High)
Researcher/s: OZ1NG (TOOR, LISA)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d7576dd9-198b-49a7-950e-fc301e4bc5f8
QuBotChat <= 1.1.5 – Unauthenticated Stored Cross-Site Scripting
CVE ID: CVE Unknown
CVSS Score: 7.2 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/dd27aeb9-4257-4b15-8f14-8a8c89522c32
Directorist <= 7.5.3 – Authenticated (Administrator+) Local File Inclusion
CVE ID: CVE-2023-2252
CVSS Score: 7.2 (High)
Researcher/s: rSolutions Security Team
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e571ded0-ea7a-40ec-b90b-c5009b463d87
Booking Ultra Pro <= 1.1.4 – Unauthenticated Stored Cross-Site Scripting
CVE ID: CVE-2023-32236
CVSS Score: 7.2 (High)
Researcher/s: TEAM WEBoB of BoB 11th
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fd8fb3e9-34eb-4b37-9a7e-00309a1ca81d
GiveWP <= 2.25.3 – Authenticated (Admin+) PHP Object Injection
CVE ID: CVE-2023-32513
CVSS Score: 6.6 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7fa8c406-e64d-4093-a102-436ecfb7dd76
RegistrationMagic <= 5.2.0.5 – Authenticated (Admin+) Insecure Direct Object Reference to Arbitrary User Password Change
CVE ID: CVE-2023-2548
CVSS Score: 6.6 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bfbc406b-49af-419e-adeb-0510794b7e3f
YITH WooCommerce Gift Cards Premium <= 3.23.1 – Missing Authorization
CVE ID: CVE-2022-44633
CVSS Score: 6.5 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1e77760b-4e61-462c-9245-0e40f161d565
Portfolio Gallery – Responsive Image Gallery <= 1.4.5 – Missing Authorization to Arbitrary Gallery Deletion
CVE ID: CVE-2023-32585
CVSS Score: 6.5 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2a4e66e0-85a6-4e9f-8ed7-b7ee8e75aae6
Hide My WP Ghost – Security Plugin <= 5.0.18 – IP Address Spoofing to Protection Mechanism Bypass
CVE ID: CVE-2022-4537
CVSS Score: 6.5 (Medium)
Researcher/s: rezaduty
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4cf89f94-587a-4fed-a6e4-3876b7dbc9ba
Pro Mime Types – Manage file media types <= 1.0.7 – Cross-Site Request Forgery via pmt_settings_section_callback_tab_1
CVE ID: CVE Unknown
CVSS Score: 6.5 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f68ac2b8-33dc-4cc2-b0f3-8777450e39f9
VK Blocks <= 1.53.0.1 – Stored (Contributor+) Cross-Site Scripting in Post
CVE ID: CVE-2023-27925
CVSS Score: 6.4 (Medium)
Researcher/s: apple502j
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/03d05c74-da50-4175-86f5-f39a89dbffd4
Add Posts to Pages <= 1.4.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-23826
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/139b081d-17b1-4e1f-9d22-cf3f9de123f5
WP Category Post List Widget <= 2.0.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
CVE ID: CVE-2023-23828
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/15d61530-5ef9-4dce-8ace-6d8cc07c7b5e
VK All in One Expansion Unit <= 9.88.1.0 – Stored (Contributor+) Cross-Site Scripting in CTA Post
CVE ID: CVE-2023-28367
CVSS Score: 6.4 (Medium)
Researcher/s: apple502j
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1da39f3d-512c-49e0-89cb-672783e5ca4e
Pinterest RSS Widget <= 2.3.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-23877
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1ec186b0-72f0-4017-ad24-1c82247a23ec
Post, Registration and Profile Form Builder – FrontEnd Editor BuddyForms – Easy WordPress Forms <= 2.8.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-25981
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/20793de1-468f-4b9d-8e1f-b05dc204c0fb
VK All in One Expansion Unit <= 9.88.1.0 – Stored (Contributor+) Cross-Site Scripting in Profile Setting
CVE ID: CVE-2023-27926
CVSS Score: 6.4 (Medium)
Researcher/s: apple502j
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/40c5dd26-6063-4ab2-a370-464e84d806b7
SALERT <= 1.2.1 – Authenticated (Subscriber+) Stored Cross-Site Scripting
CVE ID: CVE-2023-32118
CVSS Score: 6.4 (Medium)
Researcher/s: Jonas Höbenreich
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6748841a-0984-4840-90ba-0eeff8564198
ExactMetrics <= 7.14.1 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-23880
CVSS Score: 6.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/687c86af-915e-4028-910e-ab83bcd86a1a
Brands for WooCommerce <= 3.7.0.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-23667
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6b6dc426-7066-46fb-886a-0bf005829abf
Owl Carousel <= 0.5.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
CVE ID: CVE-2023-23829
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/92bcdbd9-1f41-4990-9bea-587fb0e7355a
Download Manager <= 3.2.70 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-2305
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a66bc196-e5f8-46b4-a81c-c888eb64021c
WP Multi Store Locator <= 2.4 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-0152
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b9da31ff-4173-4aee-a3a6-8eebaa0d71ab
WPCS – WordPress Currency Switcher Professional <= 1.1.9 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-2558
CVSS Score: 6.4 (Medium)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/be054481-89b4-47d8-ad06-8622edea367f
Divi <= 4.20.2 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-29099
CVSS Score: 6.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c01cbc25-bdf7-4525-8c7b-194bd0aeb32b
Google Analytics by Monster Insights <= 8.14.0 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-23999
CVSS Score: 6.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c87a80ad-27bf-404d-8adf-9acc91354515
VK Blocks <= 1.53.0.1 – Stored (Contributor+) Cross-Site Scripting in Tag Edit
CVE ID: CVE-2023-27923
CVSS Score: 6.4 (Medium)
Researcher/s: apple502j
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e01f5bd8-de0f-48aa-8007-61a0ebd0ebf3
Locatoraid Store Locator <= 3.9.18 – Authenticated (Subscriber+) Stored Cross-Site Scripting
CVE ID: CVE-2023-32576
CVSS Score: 6.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e40cba5c-455c-44ba-bba2-c825697b837a
WoodMart <= 7.2.1 – Authenticated (Subscriber+) Stored Cross-Site Scripting
CVE ID: CVE-2023-32239
CVSS Score: 6.4 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f9a60c4e-a524-4a99-858a-14787f37d60c
Announcement & Notification Banner – Bulletin <= 3.7.0 – Cross-Site Request Forgery
CVE ID: CVE-2023-2067
CVSS Score: 6.3 (Medium)
Researcher/s: Chloe Chamberland
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b808450f-0ebf-4c49-a9e3-f1c1f2b1f632
Announcement & Notification Banner – Bulletin <= 3.6.0 – Missing Authorization Checks
CVE ID: CVE-2023-2066
CVSS Score: 6.3 (Medium)
Researcher/s: Chloe Chamberland
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d242a466-0611-4e64-8145-29f64100e62b
Complianz – GDPR/CCPA Cookie Consent <= 6.4.4 – Cross-Site Request Forgery via ajax_script_save
CVE ID: CVE Unknown
CVSS Score: 6.1 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1034f0f4-52e4-4f4c-81fc-51b4720f306a
Featured Image Pro Post Grid <= 5.14 – Reflected Cross-Site Scripting via page
CVE ID: CVE-2023-32598
CVSS Score: 6.1 (Medium)
Researcher/s: OZ1NG (TOOR, LISA)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1efb9215-542b-46a1-b358-f3d27339a920
Team Circle Image Slider With Lightbox <= 1.0.17 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-2604
CVSS Score: 6.1 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2627ac2b-25a8-480d-ac83-ee0ca323b3a1
Radio Station <= 2.4.0.9 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-32499
CVSS Score: 6.1 (Medium)
Researcher/s: minhtuanact
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/36b2992d-4d1b-456d-94a0-54794ba59435
WP Abstracts <= 2.6.1 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-29385
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/495df695-864e-4a77-bcd1-d1845c55a6c9
wordpress vertical image slider plugin <= 1.2.16 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-24413
CVSS Score: 6.1 (Medium)
Researcher/s: yuyudhn
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/59c40a86-ea1c-4015-ac47-2b7b91cc3519
Menu – Ordering – Reservations <= 2.3.6 – Reflected Cross-Site Scripting via ‘redirect’
CVE ID: CVE-2023-32516
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/640f0b06-9af2-4b79-8f87-97f93b2c51c0
Donations Made Easy – Smart Donations <= 4.0.12 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-32603
CVSS Score: 6.1 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7cce2f9f-5f47-4e10-a846-0aab4bcad616
Slimstat Analytics <= 5.0.4 – Reflected Cross-Site Scripting
CVE ID: CVE-2022-45366
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/875c6474-5bf3-4556-b529-299cd2f65afe
Order Your Posts Manually <= 2.2.5 – Reflected Cross-Site Scripting via ‘_user_request’
CVE ID: CVE-2023-32510
CVSS Score: 6.1 (Medium)
Researcher/s: minhtuanact
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8d98a961-bef3-4bce-b493-410eee688bc6
Complianz – GDPR/CCPA Cookie Consent <= 6.4.4 – Cross-Site Request Forgery via ajax_script_add
CVE ID: CVE Unknown
CVSS Score: 6.1 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9ef8f39e-6e5d-4ef6-a81d-0b2be3506ec1
MailChimp Subscribe Forms <= 4.0.9.1 – Open Redirect
CVE ID: CVE-2023-32517
CVSS Score: 6.1 (Medium)
Researcher/s: minhtuanact
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/aba1ca3a-a937-400b-b175-2ca4e67a107d
GTmetrix for WordPress <= 0.4.6 – Reflected Cross-Site Scripting via ‘report_id’ and ‘event_id’
CVE ID: CVE-2023-32503
CVSS Score: 6.1 (Medium)
Researcher/s: thiennv
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/abe50539-f6a9-476a-a408-4f94f7f31fcc
Yoast SEO: Local <= 14.8 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-32300
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b239185f-c368-4768-8f6a-ef9bc593929d
Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue <= 3.1.60 – Reflected Cross-Site Scripting via ‘lang’
CVE ID: CVE Unknown
CVSS Score: 6.1 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b6ad08fb-d029-4f84-818c-911ae2d97f33
10Web Social Post Feed <= 1.2.8 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-2503
CVSS Score: 6.1 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/db959eaf-300c-4ecd-ac15-216a17ec5a50
WP Responsive Tabs horizontal vertical and accordion Tabs <= 1.1.15 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-24409
CVSS Score: 6.1 (Medium)
Researcher/s: yuyudhn
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/de331d1d-b2f8-4cc6-a998-779595eca70c
Post State Tags <= 2.0.6 – Cross-Site Request Forgery to Settings Reset
CVE ID: CVE-2023-32588
CVSS Score: 5.4 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2a938325-45f5-455b-b2b7-e19e6e22cd0c
WP-Chatbot for Messenger <= 4.7 – Missing Authorization
CVE ID: CVE-2023-32581
CVSS Score: 5.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/432df51f-2855-4bf2-8be1-77a893e3aa29
Hyphenator <= 5.1.5 – Cross-Site Request Forgery to Settings Update
CVE ID: CVE-2023-32594
CVSS Score: 5.4 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6b87f741-4115-4ded-8dff-dc36cfdf1df1
ShortPixel Adaptive Images <= 3.7.1 – Cross-Site Request Forgery via shortpixel_ai_handle_page_action
CVE ID: CVE-2023-32512
CVSS Score: 5.4 (Medium)
Researcher/s: konagash
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/94ed918c-8f6f-4e1f-ab1d-e16632831951
Elementor <= 3.13.1 – Missing Authorization to Settings Update
CVE ID: CVE Unknown
CVSS Score: 5.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b66e2537-f187-4237-b248-f8a361f9cb00
Complianz – GDPR/CCPA Cookie Consent <= 6.4.4 – Cross-Site Request Forgery via ajax_delete_snapshot
CVE ID: CVE Unknown
CVSS Score: 5.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c1c106e8-9642-4294-90fd-6838cc551b90
Order Your Posts Manually <= 2.2.5 – Reflected Cross-Site Scripting via ‘cat_id’
CVE ID: CVE-2023-32509
CVSS Score: 5.4 (Medium)
Researcher/s: minhtuanact
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d5688bb7-cd2d-42c6-b8cf-d908448ccfc1
Download Monitor <= 4.7.60 – Sensitive Information Exposure via REST API
CVE ID: CVE-2022-45354
CVSS Score: 5.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ddf67d69-f362-4380-a396-300c7edbd9f3
WP All Backup <= 2.4.3 – Cross-Site Request Forgery to Backup Storage Modification
CVE ID: CVE-2023-32583
CVSS Score: 5.4 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e087817e-9edb-4c93-96c6-e8d8e99d4d9b
WCP Contact Form <= 3.1.0 – Missing Authorization
CVE ID: CVE-2023-32519
CVSS Score: 5.4 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f9844b47-427a-4f2f-9f42-00adcbcf133c
WCP Contact Form <= 3.1.0 – Missing Authorization via downloadCsv
CVE ID: CVE-2023-32520
CVSS Score: 5.3 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/17a4bd5c-0cd3-46e4-b6ee-edf87f0e92ca
Link Whisper Free <= 0.6.3 – Missing Authorization via init()
CVE ID: CVE-2023-32506
CVSS Score: 5.3 (Medium)
Researcher/s: Nguyen Anh Tien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/29b09367-6a27-4024-a71c-233aaee6c310
Woo Custom Emails <= 2.2 – Missing Authorization to Unauthenticated Settings Change
CVE ID: CVE-2023-32507
CVSS Score: 5.3 (Medium)
Researcher/s: minhtuanact
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7ee1660e-10c0-447b-8562-c3af07997f56
Snow Monkey Forms <= 5.0.6 – Directory Traversal via ‘view’ REST endpiont
CVE ID: CVE-2023-28413
CVSS Score: 5.3 (Medium)
Researcher/s: Monkey Wrench Inc.
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/83d935fc-7d7b-4c25-97f8-d3fe35307c7a
Injection Guard <= 1.2.1 – Missing Authorization to Whitelist Update
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Darius Sveikauskas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a9c41797-b256-47de-a783-18df36dd2234
Yoast SEO Premium <= 20.4 – Missing Authorization to Zapier Key Reset
CVE ID: CVE-2023-28775
CVSS Score: 5.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c54770f1-1409-4208-a4ab-0ff3dbc3835d
MW WP Form <= 4.4.2 – Directory Traversal via _file_upload
CVE ID: CVE-2023-28409
CVSS Score: 5.3 (Medium)
Researcher/s: Shuya Ota
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f7adeee0-30ff-4759-b42e-1ac2dea5a8a4
WP Register Profile With Shortcode <= 3.5.7 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-23818
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0c20f87e-3670-444c-aa8a-28988dfe2fd9
Post Snippets <= 4.0.2 – Authenticated (Administrator+) Stored Cross-Site Scripting via ‘snippet_content’
CVE ID: CVE-2023-25459
CVSS Score: 4.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0d10f5cd-d449-46f1-a347-f45a1db65999
SEO By 10Web <= 1.2.6 – Authenticated (Admin+) Stored Cross-Site Scripting
CVE ID: CVE-2023-2224
CVSS Score: 4.4 (Medium)
Researcher/s: Taurus Omar
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1a850176-973c-49aa-a420-e379223b6dc3
iframe popup <= 3.3 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings
CVE ID: CVE-2023-24394
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1d2c6f19-025e-4c17-b5d9-4bbddbaf66d1
Get Your Number <= 1.1.3 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-2634
CVSS Score: 4.4 (Medium)
Researcher/s: Ilyase Dehy, Aymane Mazguiti
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2fb9dc9f-1ba5-4a2c-bead-3c3a6deb61b1
eBecas <= 3.1.3 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings
CVE ID: CVE-2023-32584
CVSS Score: 4.4 (Medium)
Researcher/s: Pavak Tiwari
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/33770bfd-c481-4e18-838b-89a5fb5b15f0
Product page shipping calculator for WooCommerce <= 1.3.25 – Authenticated (Administrator+) Stored Cross-Site Scripting via admin settings
CVE ID: CVE-2023-32575
CVSS Score: 4.4 (Medium)
Researcher/s: Emili Castells
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3663b35d-13ac-4d65-80bd-5800ed74f759
StopBadBots <= 7.31 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-32496
CVSS Score: 4.4 (Medium)
Researcher/s: Taihei Shimamine
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/38e536a5-b538-498c-b19d-adda36f76164
itemprop WP for SERP/SEO Rich snippets <= 3.5.201706131 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-23819
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5975a107-8083-4f9e-b2b2-8c6ae1ac8f39
weebotLite <= 1.0.0 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings
CVE ID: CVE-2023-32596
CVSS Score: 4.4 (Medium)
Researcher/s: Lokesh Dachepalli
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/66518929-d5e7-4b4d-a04c-a96ad0df308c
My WP Customize Admin/Frontend <= 1.21.0 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6a830fb8-de5f-40c7-bb6c-464ed916b440
Easy Hide Login <= 1.0.7 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-32505
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/745cf98c-ad3a-4ec9-9ee8-ae817d5d7358
Easy Form by AYS <= 1.2.0 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-32498
CVSS Score: 4.4 (Medium)
Researcher/s: Taihei Shimamine
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/765b09ef-dd6d-4c4e-a381-7bb0dc8d6652
DevBuddy Twitter Feed <= 4.0.0 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings
CVE ID: CVE-2023-32577
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/92a20a1f-6403-4561-acd8-5b076fe2999f
Button <= 1.1.20 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-23871
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9905517f-236c-4e98-8026-8d54bf64c7c9
Custom Field Suite <= 2.6.2.1 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-32515
CVSS Score: 4.4 (Medium)
Researcher/s: Taihei Shimamine
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9a15946b-c4df-43e8-9e1d-7a8367cfda6b
Column-Matic <= 1.3.3 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-32578
CVSS Score: 4.4 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9dc640c8-3740-4770-b729-fb45ecec2b45
Don8 <= 0.4 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings
CVE ID: CVE-2023-32582
CVSS Score: 4.4 (Medium)
Researcher/s: Yash Kanchhal
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a9b2b094-9a2d-4c73-be5f-b2a6f3da9233
Sunny Search <= 1.0.2 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings
CVE ID: CVE-2023-32595
CVSS Score: 4.4 (Medium)
Researcher/s: Lokesh Dachepalli
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b977e3f8-46e7-4294-ab5c-e42e81c900e0
Hostel <= 1.1.5.1 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-0545
CVSS Score: 4.4 (Medium)
Researcher/s: Felipe Restrepo Rodriguez
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bb98b2ee-5c51-453f-9e55-52027237e732
Quick Page/Post Redirect <= 5.2.3 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings
CVE ID: CVE-2023-25063
CVSS Score: 4.4 (Medium)
Researcher/s: Justiice
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/be841d6b-e3b6-46d2-aba8-fee20c21e933
LetterPress <= 1.1.2 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings
CVE ID: CVE-2023-27415
CVSS Score: 4.4 (Medium)
Researcher/s: Pavak Tiwari
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d3f9e624-c176-403c-a3c5-7bd11027ebe5
NotifyVisitors <= 1.0 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings
CVE ID: CVE-2023-27426
CVSS Score: 4.4 (Medium)
Researcher/s: Pavak Tiwari
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/dad9b612-5575-4e64-a1b3-52a2cf3f05a7
DBargain <= 3.0.0 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings
CVE ID: CVE-2023-32591
CVSS Score: 4.4 (Medium)
Researcher/s: Mahesh Nagabhairava
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e3ab817c-3677-4251-adaf-f340bf4c5336
Custom Base Terms <= 1.0.2.3 – Authenticated (Administrator+) Stored Cross-Site Scripting via ‘base’
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e6292935-a67e-4b59-9b3c-0b71365193b7
CALL ME NOW <= 3.0 – Cross-Site Request Forgery
CVE ID: CVE-2023-32602
CVSS Score: 4.3 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/05828bdc-74aa-4477-9178-f8cc6a34da42
Complianz – GDPR/CCPA Cookie Consent <= 6.4.4 – Cross-Site Request Forgery via maybe_install_suggested_plugins
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/07300429-c445-4d2a-90aa-5072a17f8113
WoodMart <= 7.2.1 – Missing Authorization
CVE ID: CVE-2023-32240
CVSS Score: 4.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0e0e0c15-caf6-4166-a365-a2a73cd9ebc4
Soundcloud Is Gold <= 2.5.1 – Missing Authorization to Soundcloud User Add
CVE ID: CVE-2023-32586
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/14b2fa77-dc51-47b4-913a-9129f95ba766
Injection Guard <= 1.2.1 – Cross-Site Request Forgery to Whitelist Update
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Darius Sveikauskas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1a6bc58f-9cf3-4d3f-a10e-0ccde0b890a3
Forget About Shortcode Buttons <= 2.1.2 – Missing Authorization via fasc_buttons
CVE ID: CVE-2023-32579
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/212dd123-42d4-4dd2-a2e2-bf0c43e805bf
Simple Calendar <= 3.1.43 – Cross-Site Request Forgery to Transient Cache Clearing
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/248b74d3-5228-473d-a79a-743566898606
Wise Chat <= 3.1.3 – Cross-Site Request Forgery
CVE ID: CVE-2023-32504
CVSS Score: 4.3 (Medium)
Researcher/s: Justiice
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2a9ed6f2-3def-420c-b6d5-6343fcd7b147
Easy Hide Login <= 1.0.8 – Cross-Site Request Forgery
CVE ID: CVE-2023-31075
CVSS Score: 4.3 (Medium)
Researcher/s: konagash
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/42fff63c-62ec-466e-9a05-60d76f80039e
Injection Guard <= 1.2.1 – Cross-Site Request Forgery via ig_update
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4a5c4bef-f871-4e6b-9b6e-85079f1233a2
WP Reactions Lite <= 1.3.8 – Cross-Site Request Forgery via AJAX action
CVE ID: CVE-2023-32587
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/558b4b31-fd4f-4265-bddc-baf484d48fc5
Injection Guard <= 1.2.1 – Missing Authorization via ig_update
CVE ID: CVE-2023-32574
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5c6a9cfc-0b30-456e-bac5-4ad79cd08dce
Web Stories for WordPress <= 1.31.0 – Insufficient Authorization
CVE ID: CVE-2023-1979
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/63f2e02c-baa4-446c-bf1c-96ce099ad02e
Complianz – GDPR/CCPA Cookie Consent <= 6.4.4 – Cross-Site Request Forgery via ajax_create_pages
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/74f92bd4-c752-4620-b506-d7588ff2e586
Yoast SEO: Local <= 14.8 – Cross-Site Request Forgery
CVE ID: CVE-2023-28780
CVSS Score: 4.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7d536acc-b297-4acd-97e2-87eae2e2b95a
Community by PeepSo <= 6.0.9.0 – Cross-Site Request Forgery to Field Duplication
CVE ID: CVE-2023-32092
CVSS Score: 4.3 (Medium)
Researcher/s: Skalucy
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8a8ac15a-9f9b-4bb8-81a4-1fdd11670a07
Complianz – GDPR/CCPA Cookie Consent <= 6.4.4 – Cross-Site Request Forgery via ajax_edit_item
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8edaf5ce-6a26-44cc-b4d8-e3b0ccfa9c11
Sunny Search <= 1.0.2 – Cross-Site Request Forgery to Settings Update
CVE ID: CVE-2023-32592
CVSS Score: 4.3 (Medium)
Researcher/s: Lokesh Dachepalli
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9f1902e7-66e9-417f-97ba-4db766cf29f1
Booking Ultra Pro <= 1.1.4 – Missing Authorization via save_fields_settings
CVE ID: CVE-2023-32601
CVSS Score: 4.3 (Medium)
Researcher/s: Badromance 1337
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b1c0f8f3-22fe-4139-93bb-0e9bacf9dafb
Download Manager <= 3.2.70 – Insufficient Authorization to Information Disclosure
CVE ID: CVE-2023-1524
CVSS Score: 4.3 (Medium)
Researcher/s: Johan Kragt
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b48bc632-c825-48e0-8766-3ac59e5b87c6
Pro Mime Types <= 1.0.7 – Cross-Site Request Forgery
CVE ID: CVE-2023-32502
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b7db3d45-2b96-4ba4-b258-08ee5e0b947b
WPCS – WordPress Currency Switcher Professional <= 1.1.9 – Missing Authorization to Arbitrary Custom Drop-Down Currency Switcher Deletion
CVE ID: CVE-2023-2556
CVSS Score: 4.3 (Medium)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bc44c95e-9ca0-46d0-8315-72612ef3f855
SALERT <= 1.2.1 – Missing Authorization via salert_save_settings_with_ajax()
CVE ID: CVE-2023-32126
CVSS Score: 4.3 (Medium)
Researcher/s: Jonas Höbenreich
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c9e45ae8-e5b5-460b-80f8-de562ae7c56a
AccessPress Anonymous Post <= 2.8.4 – Authenticated (Contributor+) Arbitrary Redirect
CVE ID: CVE-2022-4946
CVSS Score: 4.3 (Medium)
Researcher/s: WPScanTeam
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cc727156-28dc-4b0a-b777-52a1bbc72f79
WPCS – WordPress Currency Switcher Professional <= 1.1.9 – Missing Authorization to Arbitrary Custom Drop-Down Currency Switcher Editing
CVE ID: CVE-2023-2557
CVSS Score: 4.3 (Medium)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d4c79242-5c89-40c0-abcc-c112f7a64a74
Complianz – GDPR/CCPA Cookie Consent <= 6.4.4 – Cross-Site Request Forgery via run_sync
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d5c704f9-4fcb-455e-a1c7-f48d47b12dec
Dyslexiefont Free <= 1.0.0 – Cross-Site Request Forgery
CVE ID: CVE-2023-32589
CVSS Score: 4.3 (Medium)
Researcher/s: Yash Kanchhal
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d75f6c80-ffbf-47a5-9180-5153b705cb28
WPCS – WordPress Currency Switcher Professional <= 1.1.9 – Missing Authorization to Custom Drop-Down Currency Switcher Creation
CVE ID: CVE-2023-2555
CVSS Score: 4.3 (Medium)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/dd6b5d6d-5f5b-4b38-a25a-02cc1c041d37
Complianz – GDPR/CCPA Cookie Consent <= 6.4.4 – Cross-Site Request Forgery via cmplz_duplicate_cookiebanner
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e7b81559-93a2-4e50-b213-0e22eea8a219
Whydonate – FREE Donate button <= 3.12.13 – Cross-Site Request Forgery
CVE ID: CVE-2023-29238
CVSS Score: 4.3 (Medium)
Researcher/s: easyBug
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ec1461a9-4504-4e60-9e38-a7257666e699
Google Site Verification plugin using Meta Tag <= 1.2 – Cross-Site Request Forgery
CVE ID: CVE-2023-32514
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ecfdd114-b7bb-45bf-84df-a92f10b2fd81
Complianz – GDPR/CCPA Cookie Consent <= 6.4.4 – Cross-Site Request Forgery via cmplz_delete_cookiebanner
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f55af49e-82c8-462b-8c0b-a25e966a27af
CM On Demand Search And Replace <= 1.3.0 – Cross-Site Request Forgery
CVE ID: CVE-2023-28749
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fde1157b-5b99-4e9c-9c51-ebaa0eddfd73
Block Referer Spam <= 1.1.9.4 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-32497
CVSS Score: 3.3 (Low)
Researcher/s: Taihei Shimamine
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fd97fba9-513b-46e1-9613-2f64c4272f34
Active Directory Integration / LDAP Integration <= 4.1.4 – Cross-Site Request Forgery to SQL Injection
CVE ID: CVE-2023-2599
CVSS Score: 3.1 (Low)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/74089b16-76fa-4654-9007-3f0c2e894894
As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.
This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
The post Wordfence Intelligence Weekly WordPress Vulnerability Report (May 8, 2023 to May 14, 2023) appeared first on Wordfence.