Wordfence just launched its bug bounty program. For the first 6 months, all awarded bounties receive a 10% bonus. View the announcement to learn more now!

Last week, there were 126 vulnerabilities disclosed in 102 WordPress Plugins and 2 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 37 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, including the WordPress community, so that individuals and organizations alike can use that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and use, both personally and commercially, and why we are running this weekly vulnerability report.

Enterprises, hosting providers, and even individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Alternatively, use the Vulnerability Database API to receive a complete dump of our database of over 12,000 vulnerabilities, then use the webhook integration to stay on top of the newest vulnerabilities added in real time, as well as any updates made to the database, all for free.
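
As an added example, and not Wordfence code nor the Wordfence CLI's own implementation, the script below shows what consuming such a database dump looks like in practice: an installed-plugin inventory is checked against a local copy of the feed and the hits are ranked by CVSS. The feed records and the inventory are constructed for this example, the record schema (software_slug, affected_max, cvss, patched) is an assumption rather than the real API's shape, and the range check is limited to an upper bound of the form "<= version". The version comparison follows PHP's version_compare(), which is what WordPress itself uses, so pre-release strings such as Jetpack's 12.8-a.1 sort below 12.8 instead of being mis-parsed.

```python
"""Cross-check an installed-plugin inventory against a vulnerability feed.

Added example, not Wordfence code. Feed records and inventory are constructed;
the record schema is assumed, not the Wordfence API's real one.
"""
from dataclasses import dataclass

# Ordered as in PHP's version_compare(): unknown tokens sort below "dev",
# plain numbers sit at "#", and "pl"/"p" (patch level) sort above numbers.
_SPECIAL_FORMS = [("dev", 0), ("alpha", 1), ("a", 1), ("beta", 2), ("b", 2),
                  ("RC", 3), ("rc", 3), ("#", 4), ("pl", 5), ("p", 5)]


def _canonicalize(version: str) -> str:
    """Mimic PHP: every non-alphanumeric becomes '.', a '.' is inserted wherever
    digits and letters meet, and runs of dots collapse ("4.3.2RC1" -> "4.3.2.RC.1")."""
    out = []
    for ch in version:
        if not ch.isalnum():
            ch = "."
        elif out and out[-1] != "." and ch.isdigit() != out[-1].isdigit():
            out.append(".")
        if ch == "." and (not out or out[-1] == "."):
            continue
        out.append(ch)
    return "".join(out)


def _special_order(token: str) -> int:
    if token.isdigit():
        token = "#"
    for name, order in _SPECIAL_FORMS:   # prefix match, like PHP's strncmp
        if token.startswith(name):
            return order
    return -1


def _compare_part(a: str, b: str) -> int:
    if a.isdigit() and b.isdigit():
        return (int(a) > int(b)) - (int(a) < int(b))
    oa, ob = _special_order(a), _special_order(b)
    return (oa > ob) - (oa < ob)


def version_compare(v1: str, v2: str) -> int:
    """Return -1, 0 or 1 with the semantics of PHP's version_compare()."""
    p1 = [p for p in _canonicalize(v1).split(".") if p]
    p2 = [p for p in _canonicalize(v2).split(".") if p]
    for a, b in zip(p1, p2):
        c = _compare_part(a, b)
        if c:
            return c
    if len(p1) > len(p2):            # "1.0.1" > "1.0", but "1.0rc1" < "1.0"
        extra = p1[len(p2)]
        return 1 if extra.isdigit() else _compare_part(extra, "#")
    if len(p2) > len(p1):
        extra = p2[len(p1)]
        return -1 if extra.isdigit() else _compare_part("#", extra)
    return 0


@dataclass(frozen=True)
class Finding:
    slug: str
    installed: str
    title: str
    cvss: float
    patched: bool

    @property
    def action(self) -> str:
        # An unpatched entry has no fixed release to update to.
        return "update" if self.patched else "disable/remove or mitigate (no fix released)"


def scan(installed: dict, feed: list) -> list:
    """Return every feed record whose '<= affected_max' range covers the installed
    version, highest CVSS first (ties broken by slug for a stable report)."""
    findings = []
    for rec in feed:
        ver = installed.get(rec["software_slug"])
        if ver is not None and version_compare(ver, rec["affected_max"]) <= 0:
            findings.append(Finding(rec["software_slug"], ver, rec["title"],
                                    rec["cvss"], rec["patched"]))
    return sorted(findings, key=lambda f: (-f.cvss, f.slug))


# Constructed feed: titles mirror entries in this report, but the records and
# their field names are hand-written for the example.
VULN_FEED = [
    {"software_slug": "wp-fastest-cache", "affected_max": "1.2.2", "cvss": 9.8, "patched": True,
     "title": "WP Fastest Cache <= 1.2.2 - Unauthenticated SQL Injection"},
    {"software_slug": "auxin-elements", "affected_max": "2.14.0", "cvss": 9.8, "patched": False,
     "title": "Shortcodes and extra features for Phlox theme <= 2.14.0 - Unauthenticated Local File Inclusion"},
    {"software_slug": "revslider", "affected_max": "6.6.15", "cvss": 7.2, "patched": True,
     "title": "Slider Revolution <= 6.6.15 - Authenticated (Author+) Arbitrary File Upload"},
    {"software_slug": "revslider", "affected_max": "6.6.14", "cvss": 6.4, "patched": True,
     "title": "Slider Revolution <= 6.6.14 - Authenticated (Contributor+) Stored Cross-Site Scripting"},
    {"software_slug": "jetpack", "affected_max": "12.8-a.1", "cvss": 6.4, "patched": True,
     "title": "Jetpack <= 12.8-a.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via block attribute"},
    {"software_slug": "forminator", "affected_max": "1.27.0", "cvss": 6.6, "patched": True,
     "title": "Forminator <= 1.27.0 - Authenticated (Administrator+) Arbitrary File Upload"},
]

# Constructed inventory, the shape `wp plugin list` would give for one site.
INSTALLED = {
    "wp-fastest-cache": "1.2.2",   # exactly the last affected release
    "auxin-elements": "2.14.0",    # affected, and no fix exists yet
    "revslider": "6.6.15",         # hit by the <= 6.6.15 entry only
    "jetpack": "12.8-a.1",         # pre-release string; must compare like PHP
    "forminator": "1.27.1",        # one past the affected range: clean
    "woocommerce": "8.2.0",        # not in this feed
}

if __name__ == "__main__":
    for f in scan(INSTALLED, VULN_FEED):
        print(f"{f.cvss:>4} {f.slug:<18} {f.installed:<10} {f.action:<45} {f.title}")
```

The patched flag matters as much as the match itself: an affected plugin with a released fix is an update ticket, while an unpatched one (auxin-elements here) has nothing to update to and has to be disabled or mitigated at the firewall until a fix ships.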

Click here to sign up for our mailing list to receive weekly vulnerability reports like this one and important WordPress security reports in your inbox the moment they are published.

New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

WP Courses LMS <= 3.2.3 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status    Number of Vulnerabilities
Unpatched       40
Patched         86

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating      Number of Vulnerabilities
Low Severity         2
Medium Severity      105
High Severity        14
Critical Severity    5

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE
Number of Vulnerabilities

Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
43

Missing Authorization
36

Cross-Site Request Forgery (CSRF)
26

Unrestricted Upload of File with Dangerous Type
4

Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’)
3

Information Exposure
2

Deserialization of Untrusted Data
2

Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’)
1

Improper Privilege Management
1

Unverified Password Change
1

Protection Mechanism Failure
1

URL Redirection to Untrusted Site (‘Open Redirect’)
1

Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
1

Use of Less Trusted Source
1

Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’)
1

Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
1

Improper Authorization
1

Researchers That Contributed to WordPress Security Last Week

Researcher Name
Number of Vulnerabilities

Abdi Pranata
23

Rafie Muhammad
18

Ngô Thiên An (ancorn_)
10

Le Ngoc Anh
5

István Márton
(Wordfence Vulnerability Researcher)
4

Mika
4

Marco Wotschka
(Wordfence Vulnerability Researcher)
4

Paolo Tresso
(Wordfence Vulnerability Researcher)
4

emad
3

Huynh Tien Si
3

Ala Arfaoui
2

Vincenzo Turturro
2

Gianluca Parisi
2

Vincenzo Cantatore
2

Revan Arifio
1

Enrico Marcolini
1

Claudio Marchesini (Dottormarc)
1

wpdabh
1

RIN MIYACHI
1

Nicolas Surribas
1

Naveen Muthusamy
1

Vladislav Pokrovsky (ΞX.MI)
1

niclo
1

LEE SE HYOUNG
1

Muhammad Daffa
1

Brandon James Roldan (tomorrowisnew)
1

BuShiYue
1

Alex Sanford
1

thiennv
1

Nguyen Xuan Chien
1

Furkan ÖZER
1

DoYeon Park (p6rkdoye0n)
1

Dmitrii Ignatyev
1

Bartłomiej Marek
1

Tomasz Swiadek
1

resecured.io
1

Ivy (TOOR, Lisa)
1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added to the Wordfence Intelligence leaderboard, along with a mention in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name
Software Slug

10WebAnalytics
wd-google-analytics

AMP+ Plus
amp-plus

ARI Stream Quiz – WordPress Quizzes Builder
ari-stream-quiz

AWeber – Free Sign Up Form and Landing Page Builder Plugin for Lead Generation and Email Newsletter Growth
aweber-web-form-widget

Accordion
accordions-wp

Acme Fix Images
acme-fix-images

Add Widgets to Page
add-widgets-to-page

Ajax Domain Checker
ajax-domain-checker

Anywhere Flash Embed
anywhere-flash-embed

AppPresser – Mobile App Framework
apppresser

Audio Merchant
audio-merchant

BMI Calculator Plugin
bmi-calculator-shortcode

BP Profile Shortcodes Extra
bp-profile-shortcodes-extra

BSK Contact Form 7 Blacklist
bsk-contact-form-7-blacklist

Bamboo Columns
bamboo-columns

Better RSS Widget
better-rss-widget

BetterDocs – Best Documentation & Knowledge Base Plugin
betterdocs

Big File Uploads – Increase Maximum File Upload Size
tuxedo-big-file-uploads

Bus Ticket Booking with Seat Reservation – WpBusTicketly | WordPress plugin
bus-ticket-booking-with-seat-reservation

Client Invoicing by Sprout Invoices – Easy Estimates and Invoices for WordPress
sprout-invoices

CodeBard’s Patron Button and Widgets for Patreon
patron-button-and-widgets-by-codebard

Comments – wpDiscuz
wpdiscuz

Community by PeepSo – Social Network, Membership, Registration, User Profiles
peepso-core

Conditional Fields for Contact Form 7
cf7-conditional-fields

Customer Reviews for WooCommerce
customer-reviews-woocommerce

Daily Prayer Time
daily-prayer-time-for-mosques

Delete Duplicate Posts
delete-duplicate-posts

Ditty – Responsive News Tickers, Sliders, and Lists
ditty-news-ticker

DrawIt (draw.io)
drawit

EWWW Image Optimizer
ewww-image-optimizer

Easy Call Now by ThikShare
easy-call-now

EasyAzon – Amazon Associates Affiliate Plugin
easyazon

Elementor Addon Elements
addon-elements-for-elementor-page-builder

Email Encoder – Protect Email Addresses and Phone Numbers
email-encoder-bundle

Email Verification / SMS Verification / OTP Verification / OTP Authentication / WooCommerce Notification
miniorange-otp-verification

Embed Privacy
embed-privacy

EmbedPress – Embed PDF, YouTube, Google Docs, Vimeo, Wistia Videos, Audios, Maps & Any Documents in Gutenberg & Elementor
embedpress

Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates
essential-blocks

Essential Grid Portfolio – Photo Gallery
essential-grid

Events Addon for Elementor
events-addon-for-elementor

Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button – Chaty
chaty

Footer Putter
footer-putter

FormCraft – Contact Form Builder for WordPress
formcraft-form-builder

Forminator – Contact Form, Payment Form & Custom Form Builder
forminator

Frontend File Manager Plugin
nmedia-user-file-uploader

Hreflang Manager
hreflang-manager-lite

Image Compressor & Optimizer – iLoveIMG
iloveimg

Integration for Constant Contact and Contact Form 7, WPForms, Elementor, Ninja Forms
cf7-constant-contact

Interactive World Map
interactive-world-map

Jetpack – WP Security, Backup, Speed, & Growth
jetpack

LWS Hide Login
lws-hide-login

LayerSlider
layerslider

Leadster
leadster-marketing-conversacional

Legal Pages – Privacy Policy, Terms & Conditions, GDPR, CCPA, and Cookie Notice Generator
legal-pages

Live Preview for Contact Form 7
cf7-live-preview

LuckyWP Scripts Control
luckywp-scripts-control

MP3 Audio Player for Music, Radio & Podcast by Sonaar
mp3-music-player-by-sonaar

Namaste! LMS
namaste-lms

Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions
paid-memberships-pro

Permalinks Customizer
permalinks-customizer

Phlox Shop
auxin-shop

Popup Box – Best WordPress Popup Plugin
ays-popup-box

Post Status Notifier Lite
post-status-notifier-lite

Premium Portfolio Features for Phlox theme
auxin-portfolio

Premmerce Redirect Manager
premmerce-redirect-manager

Professional Social Sharing Buttons, Icons & Related Posts – Shareaholic
shareaholic

Pz-LinkCard
pz-linkcard

Quick Call Button
quick-call-button

Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress
quiz-master-next

Restaurant & Cafe Addon for Elementor
restaurant-cafe-addon-for-elementor

SearchIQ – The Search Solution
searchiq

Shortcodes and extra features for Phlox theme
auxin-elements

Simple 301 Redirects by BetterLinks
simple-301-redirects

Simply Excerpts
simply-excerpts

Slider Revolution
revslider

Slider – Ultimate Responsive Image Slider
ultimate-responsive-image-slider

Star CloudPRNT for WooCommerce
star-cloudprnt-for-woocommerce

Theater for WordPress
theatre

URL Shortify – Simple, Powerful and Easy URL Shortener Plugin For WordPress
url-shortify

Ultimate Dashboard – Custom WordPress Dashboard
ultimate-dashboard

WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses
wp-courses

WP Custom Admin Interface
wp-custom-admin-interface

WP EXtra
wp-extra

WP Fastest Cache
wp-fastest-cache

WP Like Button
wp-like-button

WP Maintenance
wp-maintenance

WP Meta and Date Remover
wp-meta-and-date-remover

WP Not Login Hide (WPNLH)
wp-not-login-hide-wpnlh

WPCafe – Restaurant Menu, Online Ordering for WooCommerce, Pickup / Delivery and Table Reservation
wp-cafe

Website Optimization – Plerdy
plerdy-heatmap

Welcart e-Commerce
usc-e-shop

Welcome Email Editor
welcome-email-editor

WooCommerce
woocommerce

WooCommerce Blocks
woo-gutenberg-products-block

WooCommerce Bookings
woocommerce-bookings

WooCommerce Product Carousel Slider
product-carousel-slider-for-woocommerce

Woocommerce Shipping Canada Post
woocommerce-shipping-canada-post

WordPress File Upload
wp-file-upload

YOP Poll
yop-poll

avalex – Automatisch sichere Rechtstexte
avalex

eCommerce Product Catalog Plugin for WordPress
ecommerce-product-catalog

wpMandrill
wpmandrill

WordPress Themes with Reported Vulnerabilities Last Week

Software Name
Software Slug

Betheme
betheme

Thrive Themes Builder
thrive-theme

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

Shortcodes and extra features for Phlox theme <= 2.14.0 – Unauthenticated Local File Inclusion

Affected Software: Shortcodes and extra features for Phlox theme
CVE ID: CVE-2023-37888
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/09437329-f01a-4998-90ec-e4b2e271e896

WP Fastest Cache <= 1.2.2 – Unauthenticated SQL Injection

Affected Software: WP Fastest Cache
CVE ID: CVE-2023-6063
CVSS Score: 9.8 (Critical)
Researcher/s: Alex Sanford
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/876efd71-8867-44b8-8017-86fad2a1b89f

Phlox Shop <= 2.0.0 – Unauthenticated Local File Inclusion

Affected Software: Phlox Shop
CVE ID: CVE-2023-39163
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e11e4bab-f8a9-4ecb-b36e-09a55e47f1ae

Phlox Portfolio <= 2.3.1 – Unauthenticated Local File Inclusion

Affected Software: Premium Portfolio Features for Phlox theme
CVE ID: CVE-2023-38399
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f6f3f82e-6b1b-4138-b8f3-82e8dcd24479

Frontend File Manager Plugin <= 22.5 – Authenticated (Editor+) Directory Traversal

Affected Software: Frontend File Manager Plugin
CVE ID: CVE-2023-5105
CVSS Score: 9.1 (Critical)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b59b5c41-6173-485e-869d-4165dc18e2bd

Audio Merchant <= 5.0.4 – Cross-Site Request Forgery to Arbitrary File Upload

Affected Software: Audio Merchant
CVE ID: CVE-2023-6196
CVSS Score: 8.8 (High)
Researcher/s: Ala Arfaoui
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/06513dfe-f263-48b7-ba01-2c205247095b

Thrive Theme Builder <= 3.20.1 – Cross-Site Request Forgery

Affected Software: Thrive Themes Builder
CVE ID: CVE-2023-47781
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/353c3cd9-5ada-466b-b8e5-d40e0ec4e867

Thrive Theme Builder <= 3.20.1 – Privilege Escalation

Affected Software: Thrive Themes Builder
CVE ID: CVE-2023-47782
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3b345dfe-3945-405a-9825-c88816b2adee

WP Courses LMS <= 3.2.3 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update

Affected Software: WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses
CVE ID: CVE Unknown
CVSS Score: 8.8 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8a6f7952-cb64-4cff-aae7-0f03692cd95f

Welcart e-Commerce <= 2.9.4 – Cross-Site Request Forgery

Affected Software: Welcart e-Commerce
CVE ID: CVE Unknown
CVSS Score: 8.8 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f59004bb-b026-4137-a332-f46a09237e7b

Welcart e-Commerce <= 2.9.4 – Authenticated (Subscriber+) Arbitrary File Upload

Affected Software: Welcart e-Commerce
CVE ID: CVE Unknown
CVSS Score: 8.8 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f690e67c-119f-4ea6-9505-101e7f7a3dea

Essential Grid <= 3.0.18 – Missing Authorization

Affected Software: Essential Grid Portfolio – Photo Gallery
CVE ID: CVE-2023-47771
CVSS Score: 8.3 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/326618eb-186b-44a2-a779-00d5366bfff2

Thrive Theme Builder <= 3.20.1 – Missing Authorization

Affected Software: Thrive Themes Builder
CVE ID: CVE-2023-47783
CVSS Score: 8.3 (High)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4fd6fa4f-8f4d-4d2f-ac67-98124cfa9592

AppPresser <= 4.2.5 – Insecure Password Reset Mechanism

Affected Software: AppPresser – Mobile App Framework
CVE ID: CVE-2023-4214
CVSS Score: 8.1 (High)
Researcher/s: István Márton
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4c44c36a-c4c7-49c2-b750-1589e7840dde

Paid Memberships Pro <= 2.12.3 – Authenticated (Subscriber+) Arbitrary File Upload

Image Compressor & Optimizer – iLoveIMG <= 1.0.5 – Authenticated (Administrator+) PHP Object Injection

Affected Software: Image Compressor & Optimizer – iLoveIMG
CVE ID: CVE Unknown
CVSS Score: 7.2 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/501e9cd1-1187-4d01-a3cc-5edba64c391f

Welcart e-Commerce <= 2.9.5 – Authenticated (Administrator+) PHP Object Injection

Affected Software: Welcart e-Commerce
CVE ID: CVE Unknown
CVSS Score: 7.2 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/91f86c22-94db-4c43-985a-2f3dd96ece21

Slider Revolution <= 6.6.15 – Authenticated (Author+) Arbitrary File Upload

Affected Software: Slider Revolution
CVE ID: CVE-2023-47784
CVSS Score: 7.2 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e2d29afd-06e8-461a-918f-38228441a51a

Bus Ticket Booking with Seat Reservation <= 5.2.5 – Unauthenticated Cross-Site Scripting

Affected Software: Bus Ticket Booking with Seat Reservation – WpBusTicketly | WordPress plugin
CVE ID: CVE-2023-30496
CVSS Score: 7.2 (High)
Researcher/s: Ivy (TOOR, Lisa)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e9960282-4730-4ee8-b338-adcc57f01cc6

Forminator <= 1.27.0 – Authenticated (Administrator+) Arbitrary File Upload

Affected Software: Forminator – Contact Form, Payment Form & Custom Form Builder
CVE ID: CVE-2023-6133
CVSS Score: 6.6 (Medium)
Researcher/s: István Márton
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/13cfa202-ab90-46c0-ab53-00995bfdcaa3

Email Encoder Bundle <= 2.1.8 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Affected Software: Email Encoder – Protect Email Addresses and Phone Numbers
CVE ID: CVE-2023-47821
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/09f328f6-8a66-46bf-80d9-3ffeaecfec32

Better RSS Widget <= 2.8.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Better RSS Widget
CVE ID: CVE-2023-47813
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/12660e7a-51fc-42c5-8a09-49df1db51efb

eCommerce Product Catalog for WordPress <= 3.3.26 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: eCommerce Product Catalog Plugin for WordPress
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/39695b53-9af7-42f0-8bde-3969398a7186

LayerSlider <= 7.7.9 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: LayerSlider
CVE ID: CVE-2023-47786
CVSS Score: 6.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/441bc9fe-3dd6-40a6-b7f3-36511115c083

WooCommerce <= 8.1.1 & WooCommerce Blocks <= 11.1.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Featured Image alt Attribute

Affected Software/s: WooCommerce, WooCommerce Blocks
CVE ID: CVE-2023-47777
CVSS Score: 6.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/525dec5b-b457-483c-ab2d-09dd320edcaa

Quiz And Survey Master <= 8.1.13 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress
CVE ID: CVE-2023-47834
CVSS Score: 6.4 (Medium)
Researcher/s: emad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5c482b6e-ce1e-46e2-8847-10c485594448

Ajax Domain Checker <= 1.3.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Ajax Domain Checker
CVE ID: CVE-2023-47810
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/699459a1-d407-4561-9d08-dd5d918ea601

Add Widgets to Page <= 1.3.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Add Widgets to Page
CVE ID: CVE-2023-47808
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6af20a2c-065c-48d5-a95c-2883ceeb50c6

Slider Revolution <= 6.6.14 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Slider Revolution
CVE ID: CVE-2023-47772
CVSS Score: 6.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/772e843b-00ea-45f5-b730-c9a793d4c2db

Jetpack <= 12.8-a.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via block attribute

Affected Software: Jetpack – WP Security, Backup, Speed, & Growth
CVE ID: CVE-2023-45050
CVSS Score: 6.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/824360ab-c797-465a-8480-baeae941af29

BMI Calculator Plugin <= 1.0.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: BMI Calculator Plugin
CVE ID: CVE-2023-47814
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8bf0e224-d8c7-4bf9-b9a3-97545da9d90c

Bamboo Columns <= 1.6.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Bamboo Columns
CVE ID: CVE-2023-47812
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8e7b40e4-c80a-4317-acff-77696fd8098f

Anywhere Flash Embed <= 1.0.5 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Anywhere Flash Embed
CVE ID: CVE-2023-47811
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a95d7ff6-55ce-4d63-8433-60cece306628

DrawIt (draw.io) <= 1.1.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: DrawIt (draw.io)
CVE ID: CVE-2023-47831
CVSS Score: 6.4 (Medium)
Researcher/s: resecured.io
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ddde9db5-3ed7-42f7-97c1-4ff9b9d1f627

WooCommerce Product Carousel Slider <= 3.3.5 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Affected Software: WooCommerce Product Carousel Slider
CVE ID: CVE-2023-47755
CVSS Score: 6.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e6f6dab2-da03-43b6-b9c1-ebc6a7e1d1c9

BP Profile Shortcodes Extra <= 2.5.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: BP Profile Shortcodes Extra
CVE ID: CVE-2023-47815
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ea9eaca6-3441-4976-8556-0ce288d1a0c6

ARI Stream Quiz <= 1.2.32 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: ARI Stream Quiz – WordPress Quizzes Builder
CVE ID: CVE-2023-47835
CVSS Score: 6.4 (Medium)
Researcher/s: emad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/edb4f4b7-a59c-454b-82b5-d8e91c1c82a3

Daily Prayer Time <= 2023.10.13 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Affected Software: Daily Prayer Time
CVE ID: CVE-2023-47817
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f0ccd265-2e64-4b23-a032-aaeb9941df34

Shareaholic <= 9.7.8 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Professional Social Sharing Buttons, Icons & Related Posts – Shareaholic
CVE ID: CVE-2023-4889
CVSS Score: 6.4 (Medium)
Researcher/s: István Márton
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ff6932c6-f3ec-46a8-a03b-95512eee5bf1

AWeber <= 7.3.9 – Missing Authorization via AJAX actions

Betheme <= 27.1.1 – Missing Authorization

Affected Software: Betheme
CVE ID: CVE-2023-47770
CVSS Score: 6.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/72bdc81e-1a9d-4dd8-93a5-fb1026d6a2d9

Interactive World Map <= 3.2.0 – Reflected Cross-Site Scripting

Affected Software: Interactive World Map
CVE ID: CVE-2023-47767
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/09b0bfd3-93a7-4f13-828d-772f54085a60

BSK Contact Form 7 Blacklist <= 1.0.1 – Reflected Cross-Site Scripting

Affected Software: BSK Contact Form 7 Blacklist
CVE ID: CVE-2023-5141
CVSS Score: 6.1 (Medium)
Researcher/s: Enrico Marcolini, Claudio Marchesini (Dottormarc)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0e27b0a8-e052-49ed-8744-a2376aa386f5

Star CloudPRNT for WooCommerce <= 2.0.3 – Reflected Cross-Site Scripting

Affected Software: Star CloudPRNT for WooCommerce
CVE ID: CVE-2023-4603
CVSS Score: 6.1 (Medium)
Researcher/s: Vincenzo Turturro, Gianluca Parisi, Vincenzo Cantatore
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/110c6d41-e814-41c9-a3e7-d94ec3d953e6

AMP+ Plus <= 3.0 – Reflected Cross-Site Scripting

Affected Software: AMP+ Plus
CVE ID: CVE-2023-5210
CVSS Score: 6.1 (Medium)
Researcher/s: Nicolas Surribas
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/417ff4fd-e514-4366-b9a6-c04d7434eac1

EmbedPress <= 3.9.1 – Reflected Cross-Site Scripting

Footer Putter <= 6.1.3 – Reflected Cross-Site Scripting

Affected Software: Footer Putter
CVE ID: CVE Unknown
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/688353c9-e4e5-4717-9651-15d05248554f

Post Status Notifier Lite <= 1.11.0 – Reflected Cross-Site Scripting

Affected Software: Post Status Notifier Lite
CVE ID: CVE-2023-47766
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6af1224e-0ed3-4770-96c0-c15cc895d36d

Permalinks Customizer <= 2.8.2 – Reflected Cross-Site Scripting

Affected Software: Permalinks Customizer
CVE ID: CVE-2023-47773
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/702dca65-fa8c-48c7-89e4-cba4b151e2c4

Namaste! LMS <= 2.6.1.1 – Reflected Cross-Site Scripting

Affected Software: Namaste! LMS
CVE ID: CVE-2023-4602
CVSS Score: 6.1 (Medium)
Researcher/s: Vincenzo Turturro, Gianluca Parisi, Vincenzo Cantatore
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d014f512-9030-49ce-945d-4900594fb373

Accordion <= 2.6 – Authenticated (Editor+) Stored Cross-Site Scripting via accordion settings

Affected Software: Accordion
CVE ID: CVE-2023-47809
CVSS Score: 5.5 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ff656409-2344-4190-a731-5a282e21375c

Embed Privacy <= 1.8.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Embed Privacy
CVE ID: CVE-2023-48300
CVSS Score: 5.4 (Medium)
Researcher/s: wpdabh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/26d9dfc7-151c-4b32-9ae4-3085d08f137c

Elementor Addon Elements <= 1.12.7 – Cross-Site Request Forgery

Affected Software: Elementor Addon Elements
CVE ID: CVE-2023-4689
CVSS Score: 5.4 (Medium)
Researcher/s: Marco Wotschka, Paolo Tresso
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/472cdbc4-3bfa-4254-b35a-be7ae10782e6

MP3 Audio Player for Music, Radio & Podcast by Sonaar <= 4.10 – Missing Authorization to Template Import

Affected Software: MP3 Audio Player for Music, Radio & Podcast by Sonaar
CVE ID: CVE-2023-47822
CVSS Score: 5.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6bcb9d95-acb4-4405-b785-1e5eace10dc9

Legal Pages <= 1.3.8 – Cross-Site Request Forgery via moveToTrash and fetch_and_insert_template_data

Pz-LinkCard <= 2.4.8 – Cross-Site Request Forgery via page_cacheman

Affected Software: Pz-LinkCard
CVE ID: CVE-2023-47790
CVSS Score: 5.4 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b6de97ac-127d-47ec-8b74-03e7fa4932f6

eCommerce Product Catalog for WordPress <= 3.3.25 – Cross-Site Request Forgery

Affected Software: eCommerce Product Catalog Plugin for WordPress
CVE ID: CVE Unknown
CVSS Score: 5.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ba70f811-543f-4da4-ba45-715dbd6be6be

Audio Merchant <= 5.0.4 – Cross-Site Request Forgery to Settings Modification and Stored Cross-Site Scripting

Affected Software: Audio Merchant
CVE ID: CVE-2023-6197
CVSS Score: 5.4 (Medium)
Researcher/s: Ala Arfaoui
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d7911337-57fa-4268-8366-d37ff13fae86

Delete Duplicate Posts <= 4.8.9 – Missing Authorization via AJAX Actions

Affected Software: Delete Duplicate Posts
CVE ID: CVE-2023-47754
CVSS Score: 5.4 (Medium)
Researcher/s: Huynh Tien Si
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f603a25f-7d56-4cf4-89aa-de87ee49522a

Elementor Addon Elements <= 1.12.7 – Cross-Site Request Forgery

Affected Software: Elementor Addon Elements
CVE ID: CVE-2023-4690
CVSS Score: 5.4 (Medium)
Researcher/s: Marco Wotschka, Paolo Tresso
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fd53b4e1-c6b7-4111-911a-04b14c7a9c4e

Restaurant & Cafe Addon for Elementor <= 1.5.2 – Missing Authorization

Affected Software: Restaurant & Cafe Addon for Elementor
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/07712191-03b6-4de4-b0a4-e6f03ce9dc81

Ditty <= 3.1.24 – Missing Authorization via save_ditty_permissions_check

Affected Software: Ditty – Responsive News Tickers, Sliders, and Lists
CVE ID: CVE-2023-47764
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/08630dfd-df43-4a5a-8fc7-ba8ff753db3d

FormCraft <= 1.2.7 – Missing Authorization via formcraft_nag_update

Affected Software: FormCraft – Contact Form Builder for WordPress
CVE ID: CVE-2023-47823
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/25d5735a-8eed-4b4a-9bbe-9e42fb18ddf2

SearchIQ <= 4.4 – Missing Authorization via getSIQPluginSettings

Affected Software: SearchIQ – The Search Solution
CVE ID: CVE-2023-47832
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3001829b-f63b-4b99-91a0-53d615ac96c1

YOP Poll <= 6.5.26 – Race Condition to Vote Manipulation

Affected Software: YOP Poll
CVE ID: CVE-2023-6109
CVSS Score: 5.3 (Medium)
Researcher/s: RIN MIYACHI
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/360b1927-a863-46be-ad11-3f6251c75a3c

WPCafe <= 2.2.19 – Missing Authorization via dismiss_ajax_call

LWS Hide Login <= 2.1.8 – Protection Mechanism Bypass

Affected Software: LWS Hide Login
CVE ID: CVE-2023-47818
CVSS Score: 5.3 (Medium)
Researcher/s: Naveen Muthusamy
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/532cffdb-16e8-4ced-9477-483c96db343c

avalex – Automatisch sichere Rechtstexte <= 3.0.8 – Missing Authorization

Affected Software: avalex – Automatisch sichere Rechtstexte
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7319293e-f921-46d1-aea6-2578d1a251a7

WP Maintenance <= 6.1.3 – IP Restriction Bypass

Affected Software: WP Maintenance
CVE ID: CVE-2023-47769
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/87a1cc00-330c-40c3-a174-8ea50075c4bd

Elementor Addon Elements <= 1.12.7 – Missing Authorization to Sensitive Information Exposure

Affected Software: Elementor Addon Elements
CVE ID: CVE-2023-4723
CVSS Score: 5.3 (Medium)
Researcher/s: Marco Wotschka, Paolo Tresso
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/89489218-263f-4157-a5cd-a12bc6a0dfe6

Welcome Email Editor <= 5.0.5 – Missing Authorization via ajax_handler

Affected Software: Welcome Email Editor
CVE ID: CVE-2023-47756
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/943cd10b-1b58-4803-ba6f-291f73353422

Events Addon for Elementor <= 2.1.2 – Missing Authorization

Affected Software: Events Addon for Elementor
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b7f52e71-da35-4b46-b658-d293f81b5dc9

Acme Fix Images <= 1.0.0 – Missing Authorization via acme_fix_images_ajax_callback

Affected Software: Acme Fix Images
CVE ID: CVE-2023-47793
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b9047775-2d72-4eb5-9339-419f95aa19b2

EWWW Image Optimizer <= 7.2.0 – Unauthenticated Sensitive Information Exposure via Debug Log

Affected Software: EWWW Image Optimizer
CVE ID: CVE-2023-40600
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d20ff1a8-8794-41e1-9e66-1cda90f9ff77

WP Meta and Date Remover <= 2.3.0 – Cross-Site Request Forgery via updateSettings

Affected Software: WP Meta and Date Remover
CVE ID: CVE-2023-47836
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/faa9ad87-44b2-47b3-a05c-52e59af7255a

Jetpack < 12.7 – Authenticated (Contributor+) Clickjacking via Iframe Injection

Affected Software: Jetpack – WP Security, Backup, Speed, & Growth
CVE ID: CVE-2023-47774
CVSS Score: 5 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/92a3e622-b3b2-450e-82a7-0a942711e8c0

Integration for Contact Form 7 and Constant Contact <= 1.1.4 – Open Redirect

Affected Software: Integration for Constant Contact and Contact Form 7, WPForms, Elementor, Ninja Forms
CVE ID: CVE-2023-47779
CVSS Score: 4.7 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5c8404d2-7b37-40df-b756-328f827f273d

Chaty <= 3.1.2 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings

Popup Box <= 3.8.6 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Popup Box – Best WordPress Popup Plugin
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5a40bac7-d3b8-486d-938a-30591ff3016c

Simply Excerpts <= 1.4 – Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: Simply Excerpts
CVE ID: CVE-2023-5137
CVSS Score: 4.4 (Medium)
Researcher/s: niclo
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5e6a7f09-2166-426e-a548-daafb23363a6

Quick Call Button <= 1.2.9 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings

Affected Software: Quick Call Button
CVE ID: CVE-2023-47829
CVSS Score: 4.4 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6b5e9c7f-e0c9-4c27-8b39-87e15fd29604

Ultimate Dashboard <= 3.7.7 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

Affected Software: Ultimate Dashboard – Custom WordPress Dashboard
CVE ID: CVE-2023-4726
CVSS Score: 4.4 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/79cce1fc-a27f-4842-b1a2-2c53857add4c

WP Not Login Hide <= 1.0 – Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: WP Not Login Hide (WPNLH)
CVE ID: CVE-2023-5940
CVSS Score: 4.4 (Medium)
Researcher/s: Furkan ÖZER
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9fc46de4-af1c-4e38-9caa-55b7b18a69ae

Theater for WordPress <= 0.18.3 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings

Affected Software: Theater for WordPress
CVE ID: CVE-2023-47833
CVSS Score: 4.4 (Medium)
Researcher/s: DoYeon Park (p6rkdoye0n)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b0fdad22-5aee-468f-885c-f65c068cf413

Premmerce Redirect Manager <= 1.0.11 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Premmerce Redirect Manager
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b3d4f658-e9ce-490b-bcaa-1061a463dbb2

Elementor Addon Elements <= 1.12.7 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Elementor Addon Elements
CVE ID: CVE-2023-5381
CVSS Score: 4.4 (Medium)
Researcher/s: Paolo Tresso
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bd2bc2e7-960e-40db-9dcc-a6a60117bd83

Website Optimization – Plerdy <= 1.3.2 – Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: Website Optimization – Plerdy
CVE ID: CVE-2023-5715
CVSS Score: 4.4 (Medium)
Researcher/s: Huynh Tien Si
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/db18ac07-2e7a-466d-b00c-a598401f8633

URL Shortify <= 1.7.9 – Authenticated (Admin+) Stored Cross-Site Scripting

wpDiscuz <= 7.6.12 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Comments – wpDiscuz
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f68bc7e9-3bfe-4b2f-82a1-92bbde1a133a

Community by PeepSo <= 6.1.6.0 – Cross-Site Request Forgery via delete

Affected Software: Community by PeepSo – Social Network, Membership, Registration, User Profiles
CVE ID: CVE-2023-39925
CVSS Score: 4.3 (Medium)
Researcher/s: Revan Arifio
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0aea5564-b1b9-4d57-9f7e-81dd791c8d48

WP Courses LMS <= 3.2.3 – Missing Authorization

Affected Software: WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1127fe1e-4359-4dff-93a7-392a8bfded51

Sprout Invoices <= 20.5.3 – Sensitive Information Exposure

Affected Software: Client Invoicing by Sprout Invoices – Easy Estimates and Invoices for WordPress
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2330b18e-0907-47e1-b91f-1fe466bcf76b

BetterDocs <= 2.5.2 – Missing Authorization via AJAX actions

Affected Software: BetterDocs – Best Documentation & Knowledge Base Plugin
CVE ID: CVE-2023-47762
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2a7d6059-4cef-4bd1-a14d-ad544bfaeea3

Conditional Fields for Contact Form 7 <= 2.4.1 – Missing Authorization

Affected Software: Conditional Fields for Contact Form 7
CVE ID: CVE-2023-47838
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3cfd8b2d-cf2a-439d-9f9a-dbe499b1cd48

WP Courses LMS <= 3.2.3 – Cross-Site Request Forgery

Affected Software: WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/487e23c9-9100-4240-8992-c4c85930c4a6

LuckyWP Scripts Control <= 1.2.1 – Missing Authorization

Affected Software: LuckyWP Scripts Control
CVE ID: CVE-2023-47778
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/51c42ca2-cdba-49f5-bea2-83c9b8cf0db7

Events Addon for Elementor <= 2.1.2 – Cross-Site Request Forgery

Affected Software: Events Addon for Elementor
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5256ef2b-e1fc-4746-b35e-07a265f47f95

wpDiscuz <= 7.6.11 – Cross-Site Request Forgery

Affected Software: Comments – wpDiscuz
CVE ID: CVE-2023-47775
CVSS Score: 4.3 (Medium)
Researcher/s: Vladislav Pokrovsky (ΞX.MI)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/53af9dfd-eb2d-4f6f-b02f-daf790b95f1f

Ultimate Responsive Image Slider <= 3.5.11 – Missing Authorization via AJAX action

Affected Software: Slider – Ultimate Responsive Image Slider
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5c92beb0-1fcf-4352-bd34-00e31b265c04

10WebAnalytics <= 1.2.12 – Missing Authorization via gawd_wd_bp_install_notice_status

Affected Software: 10WebAnalytics
CVE ID: CVE-2023-47807
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5dd2a4cb-dd74-4b00-82f5-3bf1452e71a3

miniorange otp verification <= 4.2.1 – Missing Authorization via dismiss_notice

WP EXtra <= 6.4 – Cross-Site Request Forgery via ToolImport

Affected Software: WP EXtra
CVE ID: CVE-2023-47825
CVSS Score: 4.3 (Medium)
Researcher/s: Huynh Tien Si
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7e3f3104-e213-4b0f-9821-b3f1a5c06191

Leadster <= 1.1.2 – Cross-Site Request Forgery via leadster_script_code_action

Affected Software: Leadster
CVE ID: CVE-2023-47791
CVSS Score: 4.3 (Medium)
Researcher/s: BuShiYue
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/86837f87-ea91-404a-92ac-38d1abf14cde

Live Preview for Contact Form 7 <= 1.2.0 – Missing Authorization via update_option

Affected Software: Live Preview for Contact Form 7
CVE ID: CVE-2023-47830
CVSS Score: 4.3 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/89dbf14f-1cc8-4a66-b3d3-3568cba9a0aa

WP Custom Admin Interface <= 7.31 – Missing Authorization via wpcai_pro_notice_disable

Affected Software: WP Custom Admin Interface
CVE ID: CVE-2023-47763
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8b040f47-b126-4640-9fc5-bda8650f6c69

EasyAzon – Amazon Associates Affiliate <= 5.1.0 – Missing Authorization on AJAX actions

Affected Software: EasyAzon – Amazon Associates Affiliate Plugin
CVE ID: CVE-2023-47780
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/91ba93de-4c5f-4611-8296-adfc85c8dd2b

LayerSlider <= 7.7.9 – Cross-Site Request Forgery

Affected Software: LayerSlider
CVE ID: CVE-2023-47785
CVSS Score: 4.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9225ebc6-bff9-4176-a86e-022ff8ec3b05

Big File Uploads <= 2.1.1 – Cross-Site Request Forgery via actions

Affected Software: Big File Uploads – Increase Maximum File Upload Size
CVE ID: CVE-2023-47792
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/93b527a8-30c0-4e47-bb2b-522380b21699

Easy Call Now by ThikShare <= 1.1.0 – Cross-Site Request Forgery via settings_page

Affected Software: Easy Call Now by ThikShare
CVE ID: CVE-2023-47819
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9bd8c4e5-ef53-47e8-8658-291509e9b987

Restaurant & Cafe Addon for Elementor <= 1.5.2 – Cross-Site Request Forgery

Affected Software: Restaurant & Cafe Addon for Elementor
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9d986739-d6a5-491d-948f-4c58af75369a

Conditional Fields for Contact Form 7 <= 2.4.0 – Missing Authorization

Affected Software: Conditional Fields for Contact Form 7
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a175d2b2-0a35-4c5a-b05b-4d334e444e85

CodeBard’s Patron Button and Widgets for Patreon <= 2.1.9 – Cross-Site Request Forgery

Affected Software: CodeBard’s Patron Button and Widgets for Patreon
CVE ID: CVE-2023-47765
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a4ea53bd-2ce7-4dce-8c57-51ba81838f1a

WooCommerce Bookings <= 2.0.3 – Cross-Site Request Forgery

Affected Software: WooCommerce Bookings
CVE ID: CVE-2023-47787
CVSS Score: 4.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a54841af-65ce-4434-a67e-79ea673ec8f9

Customer Reviews for WooCommerce <= 5.38.1 – Cross-Site Request Forgery via manual review reminders

Affected Software: Customer Reviews for WooCommerce
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b243722e-6510-48bd-be26-95ccbe79fa57

WordPress File Upload 4.24.0 – Cross-Site Request Forgery

Affected Software: WordPress File Upload
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b6048088-c11c-4741-8dde-da707f8f84f2

ARI Stream Quiz <= 1.2.32 – Cross-Site Request Forgery

Affected Software: ARI Stream Quiz – WordPress Quizzes Builder
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b6c5f933-b71b-4475-abdf-4cffff2a1a6c

wpMandrill <= 1.33 – Missing Authorization via getAjaxStats

Affected Software: wpMandrill
CVE ID: CVE-2023-47828
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b89cf8ef-9fa0-4ede-8ec9-c166d0db74fe

Essential Blocks for Gutenberg <= 4.2.0 – Missing Authorization via AJAX actions

Affected Software: Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates
CVE ID: CVE-2023-47760
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c2136e1c-5f69-434d-bdc7-72a144da744b

Hreflang Manager <= 1.06 – Cross-Site Request Forgery

Affected Software: Hreflang Manager
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c357e34f-2d0f-4af4-bb67-cbbc6cd4e141

Customer Reviews for WooCommerce <= 5.38.1 – Missing Authorization via manual review reminders

Affected Software: Customer Reviews for WooCommerce
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c6e2710f-f51a-487d-a4bb-a19f614ff254

Legal Pages <= 1.3.8 – Missing Authorization

Affected Software: Legal Pages – Privacy Policy, Terms & Conditions, GDPR, CCPA, and Cookie Notice Generator
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/db0508dd-143f-4674-8193-d46967d2799f

Simple 301 Redirects by BetterLinks <= 2.0.7 – Missing Authorization via clicked

Affected Software: Simple 301 Redirects by BetterLinks
CVE ID: CVE-2023-47761
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ddacd612-0cd5-4b07-9184-bec6f1adbb4c

Jetpack <= 12.6.2 – Improper Authorization via WPCom External Media REST endpoints

Affected Software: Jetpack – WP Security, Backup, Speed, & Growth
CVE ID: CVE-2023-47788
CVSS Score: 4.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e62fa16f-a4a1-44a7-9a66-abafd8dddf67

WooCommerce Canada Post Shipping <= 2.8.3 – Cross-Site Request Forgery

Affected Software: Woocommerce Shipping Canada Post
CVE ID: CVE-2023-47789
CVSS Score: 4.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ff850f88-6e89-48dd-ad70-dda4018c22fc

Restaurant & Cafe Addon for Elementor <= 1.5.3 – Missing Authorization via multiple AJAX functions

Affected Software: Restaurant & Cafe Addon for Elementor
CVE ID: CVE-2023-47826
CVSS Score: 3.1 (Low)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ad003d57-a573-473e-80a9-5bf60d42a707

WP Like Button <= 1.7.0 – Missing Authorization via crublabFBLBAjax

Affected Software: WP Like Button
CVE ID: CVE-2023-47820
CVSS Score: 3.1 (Low)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/da550fd7-3c1a-4b07-afc0-2366e0f5cccd
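
The entries above all follow one plain-text layout, and a few of them (WPCafe, Chaty, URL Shortify, miniorange otp verification) were cut off before their detail block. The following triage helper is an added example, not Wordfence's own tooling: it parses that layout into records, flags the cut-off entries, and lists the unpatched ones highest CVSS first, which is the subset a site owner cannot resolve by updating. The field names and title layout are the page's; the regular expressions, record type and the assumption that a blank line separates every title from its detail block are mine. The sample text is three entries copied from this report.

```python
"""Triage helper for the plain-text entries of a Wordfence weekly report.

Added example, not Wordfence tooling. Assumed layout, as seen on the page: a
title line "<software> <op> <version> – <issue>", a blank line, then "Key: value"
lines up to the next blank line. A title followed directly by another title
(an entry cut off before its detail block) is kept and flagged as incomplete.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

TITLE_RE = re.compile(
    r"^(?P<software>.+?)\s+(?P<op><=|<|=)?\s*(?P<version>\d[\w.]*)\s+–\s+(?P<issue>.+)$"
)
CVSS_RE = re.compile(r"^(?P<score>\d+(?:\.\d+)?)\s*\((?P<severity>\w+)\)$")
FIELDS = {"Affected Software", "CVE ID", "CVSS Score", "Researcher/s",
          "Patch Status", "Vulnerability Details"}


@dataclass
class Entry:
    software: str
    op: str | None      # "<=", "<", or None when the title gives a bare version
    version: str
    issue: str
    fields: dict[str, str] = field(default_factory=dict)

    @property
    def complete(self) -> bool:
        return "Patch Status" in self.fields

    @property
    def cvss(self) -> float | None:
        m = CVSS_RE.match(self.fields.get("CVSS Score", ""))
        return float(m["score"]) if m else None

    @property
    def patched(self) -> bool | None:
        status = self.fields.get("Patch Status")
        return None if status is None else status.lower() == "patched"


def parse_report(text: str) -> list[Entry]:
    entries: list[Entry] = []
    # Blank lines separate paragraphs. A one-line paragraph that parses as a
    # title opens a new entry; any other paragraph is the detail block of the
    # most recent entry (stray text before the first title is ignored).
    for para in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in para.splitlines() if ln.strip()]
        m = TITLE_RE.match(lines[0]) if len(lines) == 1 else None
        if m:
            entries.append(Entry(m["software"], m["op"], m["version"], m["issue"]))
        elif entries:
            for line in lines:
                key, sep, value = line.partition(":")  # first colon only; URLs keep theirs
                if sep and key.strip() in FIELDS:
                    entries[-1].fields[key.strip()] = value.strip()
    return entries


def unpatched(entries: list[Entry]) -> list[Entry]:
    """No fix available, highest CVSS first: updating cannot resolve these,
    so they are the candidates for disabling the plugin."""
    return sorted((e for e in entries if e.patched is False),
                  key=lambda e: e.cvss or 0.0, reverse=True)


def incomplete(entries: list[Entry]) -> list[Entry]:
    """Entries whose detail block is missing; look these up in the database."""
    return [e for e in entries if not e.complete]


# Sample input: three entries copied from this report, including the cut-off WPCafe one.
SAMPLE = """\
WPCafe <= 2.2.19 – Missing Authorization via dismiss_ajax_call

Welcome Email Editor <= 5.0.5 – Missing Authorization via ajax_handler

Affected Software: Welcome Email Editor
CVE ID: CVE-2023-47756
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/943cd10b-1b58-4803-ba6f-291f73353422

Audio Merchant <= 5.0.4 – Cross-Site Request Forgery to Settings Modification and Stored Cross-Site Scripting

Affected Software: Audio Merchant
CVE ID: CVE-2023-6197
CVSS Score: 5.4 (Medium)
Researcher/s: Ala Arfaoui
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d7911337-57fa-4268-8366-d37ff13fae86
"""

if __name__ == "__main__":
    for e in unpatched(parse_report(SAMPLE)):
        print(f"UNPATCHED {e.cvss}: {e.software} {e.op or ''} {e.version}: {e.issue}")
```

The title regex deliberately lets the software name absorb an en-dash and digits (for names like "Website Optimization – Plerdy" or "Simple 301 Redirects by BetterLinks") and treats the comparison operator as optional, since at least one title on this page gives a bare version. Anything the regex cannot read is dropped rather than guessed, so a parse that returns fewer entries than titles on the page is a signal to inspect the input, not to trust the output.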

As a reminder, Wordfence curates an industry-leading vulnerability database, Wordfence Intelligence, that covers all known WordPress core, theme, and plugin vulnerabilities.

This database is continuously updated and maintained by Wordfence’s experienced vulnerability researchers through in-house research, direct submissions from researchers using our CVE Request form, and monitoring of various public sources, so that all publicly available WordPress vulnerability information is captured, with additional context added where we can.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (November 13, 2023 to November 19, 2023) appeared first on Wordfence.