Wordfence just launched its bug bounty program. Through December 20th 2023, all researchers will earn 6.25x our normal bounty rates when Wordfence handles responsible disclosure for our Holiday Bug Extravaganza! Register as a researcher and submit your vulnerabilities today!
Last week, 124 vulnerabilities disclosed in 123 WordPress plugins and 2 WordPress themes were added to the Wordfence Intelligence Vulnerability Database, and 39 vulnerability researchers contributed to WordPress security. Review the vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, including the WordPress community, so that individuals and organizations alike can use that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and use, both personally and commercially, and why we publish this weekly vulnerability report.
Enterprises, hosting providers, and even individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Alternatively, use the vulnerability database API to receive a complete dump of our database of over 12,000 vulnerabilities, then use the webhook integration to stay on top of the newest vulnerabilities added in real time, as well as any updates made to the database, all for free.
Click here to sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress security reports in your inbox the moment they are published.
New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following in real-time to our Premium, Care, and Response customers last week:
wp-autoload.php backdoor – although our firewall rules normally target vulnerabilities, we also wrote a rule to block successful exploitation of this piece of malware, which we wrote about here.
Backup Migration <= 1.3.6 – Unauthenticated Arbitrary File Download to Sensitive Information Exposure
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.
Total Unpatched & Patched Vulnerabilities Last Week
Unpatched: 66
Patched: 58
Total Vulnerabilities by CVSS Severity Last Week
Low Severity: 0
Medium Severity: 113
High Severity: 10
Critical Severity: 1
Total Vulnerabilities by CWE Type Last Week
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’): 53
Missing Authorization: 24
Cross-Site Request Forgery (CSRF): 21
Information Exposure: 7
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’): 4
Unrestricted Upload of File with Dangerous Type: 3
Server-Side Request Forgery (SSRF): 2
Incorrect Authorization: 1
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’): 1
Authorization Bypass Through User-Controlled Key: 1
Guessable CAPTCHA: 1
Use of Less Trusted Source: 1
Protection Mechanism Failure: 1
Improper Access Control: 1
Improper Authorization: 1
Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’): 1
Reliance on Untrusted Inputs in a Security Decision: 1
Researchers That Contributed to WordPress Security Last Week
emad: 7
Mika: 7
qilin_99: 4
Skalucy: 3
yuyudhn: 2
István Márton (Wordfence Vulnerability Researcher): 2
thiennv: 2
Elliot: 2
Phd: 2
Brandon James Roldan (tomorrowisnew): 1
Alex Thomas (Wordfence Vulnerability Researcher): 1
Arvandy: 1
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added to the Wordfence Intelligence leaderboard, along with a mention in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
Software Name [Software Slug]
12 Step Meeting List [12-step-meeting-list]
360 Javascript Viewer [360deg-javascript-viewer]
AMP for WP – Accelerated Mobile Pages [accelerated-mobile-pages]
Abandoned Cart Lite for WooCommerce [woocommerce-abandoned-cart]
AdFoxly – Ad Manager, AdSense Ads & Ads.txt [adfoxly]
Add to Cart Text Changer and Customize Button, Add Custom Icon [woo-add-to-cart-text-change]
Ads by datafeedr.com [ads-by-datafeedrcom]
Affiliate Booster – Pros & Cons, Notice, and CTA Blocks for Affiliates [affiliatebooster-blocks]
Antispam Bee [antispam-bee]
Aparat [aparat]
Aruba HiSpeed Cache [aruba-hispeed-cache]
Author Box, Guest Author and Co-Authors for Your Posts – Molongui [molongui-authorship]
Automatic Youtube Video Posts Plugin [automatic-youtube-video-posts]
BSK Forms Blacklist [bsk-gravityforms-blacklist]
Backup Migration [backup-backup]
Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss [bp-better-messages]
BigCommerce For WordPress [bigcommerce]
BookingPress – Appointment Booking Calendar Plugin and Online Scheduling Plugin [bookingpress-appointment-booking]
BrainCert – HTML5 Virtual Classroom [html5-virtual-classroom]
Bravo Translate [bravo-translate]
Button Generator – easily Button Builder [button-generation]
CF7 Google Sheets Connector [cf7-google-sheets-connector]
Campaign Monitor for WordPress [forms-for-campaign-monitor]
Chartify – WordPress Chart Plugin [chart-builder]
Chat Bubble – Floating Chat with Contact Chat Icons, Messages, Telegram, Email, SMS, Call me back [chat-bubble]
Client Dash [client-dash]
Coming soon and Maintenance mode [coming-soon-page]
CommentLuv [commentluv]
Contact Form 7 [contact-form-7]
Contact Form – Custom Builder, Payment Form, and More [powr-pack]
Credit Tracker [credit-tracker]
Crypto Converter Widget [crypto-converter-widget]
Currency Converter Calculator [currency-converter-calculator]
Database for CF7 [database-for-cf7]
Debug Log Manager [debug-log-manager]
Delete Post Revisions In WordPress [delete-post-revisions-on-single-click]
Doofinder WP & WooCommerce Search [doofinder-for-woocommerce]
Ecwid Ecommerce Shopping Cart [ecwid-shopping-cart]
Email Address Encoder [email-address-encoder]
Enhanced Text Widget [enhanced-text-widget]
Event post [event-post]
Evergreen Content Poster – Auto Post and Schedule Your Best Content to Social Media [evergreen-content-poster]
Export WP Page to Static HTML/CSS [export-wp-page-to-static-html]
File Gallery [file-gallery]
Form builder to get in touch with visitors, grow your email list and collect payments — Happyforms [happyforms]
Forms by CaptainForm – Form Builder for WordPress [captainform]
Formzu WP [formzu-wp]
GDPR Cookie Consent by Supsystic [gdpr-compliance-by-supsystic]
Gift Up Gift Cards for WordPress and WooCommerce [gift-up]
GoDaddy Email Marketing [godaddy-email-marketing-sign-up-forms]
Guest Author [guest-author]
HDW Player Plugin (Video Player & Video Gallery) [hdw-player-video-player-video-gallery]
HUSKY – Products Filter for WooCommerce Professional [woocommerce-products-filter]
Hubbub Lite (formerly Grow Social) [social-pug]
IdeaPush [ideapush]
Importify – Dropshipping WooCommerce Plugin for Aliexpress, Amazon, Etsy, Alibaba, Walmart & More [importify]
Innovs HR – Complete Human Resource Management System for Your Business [innovs-hr-manager]
JetBlocks for Elementor [jet-blocks]
JetBlog for Elementor [jet-blog]
JetCompareWishlist for Elementor [jet-compare-wishlist]
JetElements [jet-elements]
JetEngine [jet-engine]
JetFormBuilder — Dynamic Blocks Form Builder [jetformbuilder]
JetMenu for Elementor [jet-menu]
JetPopup [jet-popup]
JetProductGallery [jet-woo-product-gallery]
JetReviews for Elementor [jet-reviews]
JetSearch [jet-search]
JetSmartFilters for Elementor [jet-smart-filters]
JetTabs for Elementor [jet-tabs]
JetThemeCore for Elementor [jet-theme-core]
JetTricks for Elementor [jet-tricks]
JetWooBuilder for Elementor [jet-woo-builder]
KP Fastest Tawk.to Chat [kp-fastest-tawk-to-chat]
LadiApp: Landing Page, PopupX, Marketing Automation, Affiliate Marketing… [ladipage]
List all posts by Authors, nested Categories and Titles [list-all-posts-by-authors-nested-categories-and-titles]
MSync [msync]
Media File Renamer: Rename Files (Manual, Auto & AI) [media-file-renamer]
MkRapel Regiones y Ciudades de Chile para WC [wc-ciudades-y-regiones-de-chile]
Mollie Payments for WooCommerce [mollie-payments-for-woocommerce]
Multiple Post Passwords [multiple-post-passwords]
MyTube PlayList [mytube]
Nested Pages [wp-nested-pages]
NextScripts: Social Networks Auto-Poster [social-networks-auto-poster-facebook-twitter-g]
Ocean Extra [ocean-extra]
Page Builder: Pagelayer – Drag and Drop website builder [pagelayer]
Parallax Slider Block [parallax-slider-block]
Participants Database [participants-database]
Perfect Images (Manage Image Sizes, Thumbnails, Replace, Retina) [wp-retina-2x]
PowerPack Pro for Elementor [powerpack-elements]
Prevent Landscape Rotation [prevent-landscape-rotation]
Product Size Chart For WooCommerce [product-size-chart-for-woo]
Qode Essential Addons [qode-essential-addons]
Quotes for WooCommerce [quotes-for-woocommerce]
Razorpay for WooCommerce [woo-razorpay]
RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login [custom-registration-form-builder-with-submission-manager]
Related Post [related-post]
Responsive Lightbox & Gallery [responsive-lightbox]
SchedulePress – Best Editorial Calendar, Missed Schedule & Auto Social Share [wp-scheduled-posts]
Seraphinite Accelerator [seraphinite-accelerator]
Sign In Scheduling Online Appointment Booking System [10to8-online-booking]
Simple Long Form [simple-long-form]
Site Offline Or Coming Soon Or Maintenance Mode [site-offline]
SiteOrigin Widgets Bundle [so-widgets-bundle]
Social Share Buttons & Analytics Plugin – GetSocial.io [wp-share-buttons-analytics-by-getsocial]
SoundCloud Shortcode [soundcloud-shortcode]
SpeedyCache – Cache, Optimization, Performance [speedycache]
Spiffy Calendar [spiffy-calendar]
Swift Performance Lite [swift-performance-lite]
Track Geolocation Of Users Using Contact Form 7 [track-geolocation-of-users-using-contact-form-7]
UPS, Mondial Relay & Chronopost for WooCommerce – WCMultiShipping [wc-multishipping]
WP Catalogue [wp-catalogue]
WP CleanFix [wp-cleanfix]
WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce [wp-event-manager]
WP Forms Puzzle Captcha [wp-forms-puzzle-captcha]
WP Pocket URLs [wp-pocket-urls]
WP Shortcodes Plugin — Shortcodes Ultimate [shortcodes-ultimate]
WordPress Brute Force Protection – Stop Brute Force Attacks [guardgiant]
YASR – Yet Another Star Rating Plugin for WordPress [yet-another-stars-rating]
affiliate-toolkit – WordPress Affiliate Plugin [affiliate-toolkit-starter]
canvasio3D Light [canvasio3d-light]
teachPress [teachpress]
which template file [which-template-file]
WordPress Themes with Reported Vulnerabilities Last Week
Software Name [Software Slug]
adifier [adifier]
restricted-site-access [restricted-site-access]
Vulnerability Details
Please note that if you run the Wordfence plugin on your WordPress site with the scanner enabled, you should already have been notified if your site was affected by any of these vulnerabilities. If you'd like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to use.
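To act on the "review this report to ensure your site is not affected" advice without reading every entry by hand, the following added example (not Wordfence's code, and not part of the original report) parses the entry layout used in the Vulnerability Details section below and compares an inventory of installed plugin names and versions against each entry's affected range. It assumes the entry header shape "Name <= version – Title" (or "< version") with the report's en dash separator, and that installed plugins are matched by the display name the report uses. The four entries in REPORT are copied from this page; INSTALLED is a constructed inventory. Entries with no numeric bound, such as the Crocoblock "(Various Versions)" line, are reported for manual review rather than silently dropped.

```python
"""Parse entries from a Wordfence weekly vulnerability report and flag
installed plugins whose version falls inside the affected range.
Added example: REPORT is copied from this page, INSTALLED is constructed."""
import re
from dataclasses import dataclass
from typing import Optional

# Four entries copied verbatim from the Vulnerability Details section.
REPORT = """\
Backup Migration <= 1.3.6 – Unauthenticated Arbitrary File Download to Sensitive Information Exposure
CVE ID: CVE-2023-6266
CVSS Score: 7.5 (High)
Researcher/s: Rafshanzani Suhada
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/08801f53-3c57-41a3-a637-4b52637cc612
SiteOrigin Widgets Bundle < 1.51.0 – Authenticated (Admin+) Local File Inclusion
CVE ID: CVE-2023-6295
CVSS Score: 5.9 (Medium)
Researcher/s: Sebastian Neef
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1dbdc673-b0ee-4d1d-8cd9-603056f41cda
CommentLuv <= 3.0.4 – Server Side Request Forgery via do_click
CVE ID: CVE-2023-49159
CVSS Score: 8.2 (High)
Researcher/s: Yuchen Ji
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/eeef2a59-47a1-4d8d-b815-8c74cc608e6c
Multiple Plugins by Crocoblock <= (Various Versions) – Missing Authorization
CVE ID: CVE-2023-48761
CVSS Score: 6.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/893500ba-cc16-4429-bbe1-725aa65589c9
"""

# Constructed inventory (assumption: keyed by the display name the report uses).
INSTALLED = {
    "Backup Migration": "1.3.6",            # equals the "<=" bound: affected
    "SiteOrigin Widgets Bundle": "1.51.0",  # equals the "<" bound: already fixed
    "CommentLuv": "3.0.4",                  # affected, and no fix available
    "Akismet": "5.3",                       # not mentioned in the report
}

# Entry header: "<name> <= <version> – <title>" or "<name> < <version> – <title>".
HEADER = re.compile(r"^(?P<name>.+?)\s+(?P<op><=|<)\s+(?P<ver>\d+(?:\.\d+)*)\s+–\s+(?P<title>.+)$")
FIELD = re.compile(r"^(CVE ID|CVSS Score|Researcher/s|Patch Status|Vulnerability Details):\s*(.+)$")


@dataclass
class Entry:
    name: str
    op: str          # "<=" or "<"
    version: str     # upper bound of the affected range
    title: str
    cve: str = ""
    cvss: str = ""
    patched: Optional[bool] = None
    url: str = ""


def parse_report(text: str):
    """Return (entries, unparsed_headers). Fields attach to the most recent header."""
    entries, unparsed = [], []
    current = None
    for line in text.splitlines():
        field = FIELD.match(line)
        if field:
            if current is not None:
                key, value = field.groups()
                if key == "CVE ID":
                    current.cve = value
                elif key == "CVSS Score":
                    current.cvss = value
                elif key == "Patch Status":
                    current.patched = value == "Patched"
                elif key == "Vulnerability Details":
                    current.url = value
            continue
        header = HEADER.match(line)
        if header:
            current = Entry(header["name"], header["op"], header["ver"], header["title"])
            entries.append(current)
        elif line.strip():
            unparsed.append(line)   # no numeric bound, e.g. "(Various Versions)"
            current = None          # its fields must not attach to the previous entry
    return entries, unparsed


def version_lt(a: str, b: str) -> bool:
    """Dotted numeric compare; shorter strings are zero-padded so 1.3 == 1.3.0."""
    ta = [int(p) for p in a.split(".")]
    tb = [int(p) for p in b.split(".")]
    n = max(len(ta), len(tb))
    ta += [0] * (n - len(ta))
    tb += [0] * (n - len(tb))
    return ta < tb


def is_affected(entry: Entry, installed: str) -> bool:
    if entry.op == "<=":
        return not version_lt(entry.version, installed)   # installed <= bound
    return version_lt(installed, entry.version)           # installed < bound


def check_site(entries, installed):
    """Entries whose affected range contains the installed version of that plugin."""
    return [e for e in entries
            if e.name in installed and is_affected(e, installed[e.name])]


if __name__ == "__main__":
    entries, unparsed = parse_report(REPORT)
    for e in check_site(entries, INSTALLED):
        action = "update to a patched release" if e.patched else "no fix available: disable or remove"
        print(f"{e.name} {INSTALLED[e.name]}: {e.title} ({e.cve}, CVSS {e.cvss}); {action}")
    for line in unparsed:
        print(f"review manually (no numeric version bound): {line}")
```

In practice, build the inventory from the site itself, for example from `wp plugin list` (WP-CLI), and map display names to slugs, since the report's display names are not always the plugin slug. The numeric comparison is a simplification: it does not handle pre-release suffixes such as "-beta", and an "Unpatched" finding means the only immediate options are to disable the plugin or rely on a firewall rule until the vendor ships a fix.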
HUSKY – Products Filter for WooCommerce (formerly WOOF) <= 1.3.4.2 – Unauthenticated SQL Injection via search terms
CVE ID: CVE-2023-40010
CVSS Score: 9.8 (Critical)
Researcher/s: Nguyen Anh Tien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b905b8ec-d13d-4455-9c5f-61aaa09d75ba
JetEngine <= 3.2.4 – Authenticated (Contributor+) Privilege Escalation
CVE ID: CVE-2023-48757
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ad66015d-7831-4590-9583-3abf7ca43c3b
CommentLuv <= 3.0.4 – Server Side Request Forgery via do_click
CVE ID: CVE-2023-49159
CVSS Score: 8.2 (High)
Researcher/s: Yuchen Ji
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/eeef2a59-47a1-4d8d-b815-8c74cc608e6c
Backup Migration <= 1.3.6 – Unauthenticated Arbitrary File Download to Sensitive Information Exposure
CVE ID: CVE-2023-6266
CVSS Score: 7.5 (High)
Researcher/s: Rafshanzani Suhada
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/08801f53-3c57-41a3-a637-4b52637cc612
CF7 Google Sheets Connector <= 5.0.5 – Unauthenticated Sensitive Information Exposure via Debug Log
CVE ID: CVE-2023-44989
CVSS Score: 7.5 (High)
Researcher/s: Joshua Chan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fad510b7-85f4-4cae-aaf0-eb68a32cf1b4
Multiple Plugins by Crocoblock <= (Various Versions) – Missing Authorization to Unauthenticated Unauthorized Action
CVE ID: CVE-2023-48760
CVSS Score: 7.3 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7addc83b-cde5-4f91-b286-70db6f384a9f
MSync <= 1.0.0 – Authenticated (Administrator+) SQL Injection
CVE ID: CVE-2023-49166
CVSS Score: 7.2 (High)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1f37ed0e-3e03-4f00-9967-16047beab1cf
Mollie Payments for WooCommerce <= 7.3.11 – Authenticated (Shop Manager+) Arbitrary File Upload
CVE ID: CVE-2023-6090
CVSS Score: 7.2 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5d350095-125a-4445-89c1-bce437e4098c
BookingPress <= 1.0.76 – Authenticated (Administrator+) Arbitrary File Upload
CVE ID: CVE-2023-6219
CVSS Score: 7.2 (High)
Researcher/s: István Márton
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/710b8e4e-01de-4e99-8cf2-31abc2419b29
JetEngine <= 3.2.4 – Missing Authorization
CVE ID: CVE-2023-48758
CVSS Score: 7.1 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3f2c97f4-0a6e-4693-a6c8-bd81ca76988c
WP Cleanfix <= 5.5.0 – Missing Authorization via register
CVE ID: CVE-2023-48775
CVSS Score: 7.1 (High)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/57896fa8-9360-41e8-a60e-8b95d01c25ac
WordPress Brute Force Protection – Stop Brute Force Attacks <= 2.2.5 – Authenticated (Administrator+) SQL Injection via orderby
CVE ID: CVE-2023-48764
CVSS Score: 6.6 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0d3f7676-5ab0-4fe0-a0be-786f4cf84056
Contact Form 7 <= 5.8.3 – Authenticated (Editor+) Arbitrary File Upload
CVE ID: CVE-2023-6449
CVSS Score: 6.6 (Medium)
Researcher/s: István Márton
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5d7fb020-6acb-445e-a46b-bdb5aaf8f2b6
Bravo Translate <= 1.2 – Authenticated (Administrator+) SQL Injection
CVE ID: CVE-2023-49161
CVSS Score: 6.6 (Medium)
Researcher/s: Arvandy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f256518c-9a3e-4e6e-8d49-d309e397c14d
Chat Bubble <= 2.3 – Cross-Site Request Forgery via cbb_submit_settings_data
CVE ID: CVE-2023-48769
CVSS Score: 6.5 (Medium)
Researcher/s: Vladislav Pokrovsky (ΞX.MI)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/206261fa-58b6-4407-b8e1-2315836b6c88
Prevent Landscape Rotation <= 2.0 – Cross-Site Request Forgery via adminpage.php
CVE ID: CVE-2023-48772
CVSS Score: 6.5 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4235f279-0975-4814-b156-b45b011e3ce6
Database for CF7 <= 1.2.4 – Missing Authorization via wpcf7db_delete AJAX action
CVE ID: CVE-2023-49167
CVSS Score: 6.5 (Medium)
Researcher/s: Vladislav Pokrovsky (ΞX.MI)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4fcaab95-7940-45f9-a3c2-c3b0dc540b61
MkRapel Regiones y Ciudades de Chile para WC <= 4.3.0 – Cross-Site Request Forgery via multiple functions
CVE ID: CVE-2023-48781
CVSS Score: 6.5 (Medium)
Researcher/s: qilin_99
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/70bac5e0-8182-426c-94da-e6832af8c487
Product Size Chart For WooCommerce <= 1.1.5 – Cross-Site Request Forgery via get_save_option
CVE ID: CVE-2023-48778
CVSS Score: 6.5 (Medium)
Researcher/s: qilin_99
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7e15f804-f5a9-4e29-8aeb-4ba2b116dc46
Guest Author <= 2.3 – Authenticated Stored Cross-Site Scripting
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0b7d7b64-8194-4b81-83f5-1f3b23109455
Powr Pack <= 2.1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
CVE ID: CVE-2023-45609
CVSS Score: 6.4 (Medium)
Researcher/s: resecured.io
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0e67ce3b-144f-4ce1-b658-47d865312c6a
Responsive Lightbox <= 2.4.5 – Authenticated (Author+) Stored Cross-Site Scripting via name
CVE ID: CVE-2023-49174
CVSS Score: 6.4 (Medium)
Researcher/s: emad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4b60c1e2-5a4b-4a7a-8224-f1afd3888e08
12 Step Meeting List <= 3.14.24 – Authenticated (Contributor+) Server-Side Request Forgery
CVE ID: CVE-2023-46641
CVSS Score: 6.4 (Medium)
Researcher/s: Shahzaib Ali Khan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4d6e9cb0-6b90-4a5b-8626-0b3f378fbc92
WP Shortcodes Plugin — Shortcodes Ultimate <= 5.13.3 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-6225
CVSS Score: 6.4 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/558e36f6-4678-46a2-8154-42770fbb5574
WP Catalogue <= 1.7.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
CVE ID: CVE-2023-48780
CVSS Score: 6.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5684d4b7-8a3e-47ee-9d7b-195cb5db9a66
Ads by datafeedr.com <= 1.2.0 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-49169
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/61c71bbf-ddae-4f35-ac8d-9753fb3fb67f
Event post <= 5.8.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
CVE ID: CVE-2023-49179
CVSS Score: 6.4 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6a92b96b-ecbc-4414-8e42-04b5c3a02131
Formzu WP <= 1.6.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via id
CVE ID: CVE-2023-49160
CVSS Score: 6.4 (Medium)
Researcher/s: resecured.io
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7ee73abf-0ab8-48ab-bd94-18ed66f877fd
Accelerated Mobile Pages <= 1.0.88.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
CVE ID: CVE-2023-48321
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/983e8ec0-fec4-4420-8ef6-6bf43881f5f1
Currency Converter Calculator <= 1.3.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
CVE ID: CVE-2023-49149
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9a423266-89e1-422d-b1e3-6368051eb2fe
10to8 Online Appointment Booking System <= 1.0.9 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
CVE ID: CVE-2023-49173
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9fbb5ed0-ed76-44fe-88c4-eb05ad87e510
BP Better Messages <= 2.4.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
CVE ID: CVE-2023-49168
CVSS Score: 6.4 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a4ccc7f8-c8e0-457a-b437-2a23530a9df4
Email Address Encoder 1.0.22 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-48765
CVSS Score: 6.4 (Medium)
Researcher/s: LVT-tholv2k
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ab5b7dc4-113d-4f58-956e-2a9284e1e25e
Parallax Slider Block <= 1.2.4 – Authenticated (Author+) Stored Cross-Site Scripting
CVE ID: CVE-2023-49184
CVSS Score: 6.4 (Medium)
Researcher/s: emad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ae3974e6-cba1-4976-a6af-9e60557cfde8
Credit Tracker <= 1.1.17 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-49152
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b611f3ba-ac36-49fc-a75f-10003c5ca955
Crypto Converter Widget <= 1.8.1 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-49150
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d621869c-31f7-4243-9815-f6d1bbe469e2
Aparat <= 1.7.1 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-48770
CVSS Score: 6.4 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e6d14dd6-ff1c-475b-8cff-efc7736124b4
Related Post <= 2.0.53 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f08ca5e3-8b48-4333-9c42-cc103d40394c
Spiffy Calendar <= 4.9.5 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f433edb4-a8df-4548-a401-0089b605bbe5
Multiple Plugins by Crocoblock <= (Various Versions) – Missing Authorization
CVE ID: CVE-2023-48761
CVSS Score: 6.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/893500ba-cc16-4429-bbe1-725aa65589c9
File Gallery <= 1.8.5.4 – Reflected Cross-Site Scripting via post_id
CVE ID: CVE-2023-48771
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0b51caf3-eff4-491f-b354-7d8939548a64
affiliate-toolkit – WordPress Affiliate Plugin <= 3.4.3 – Reflected Cross-Site Scripting via keyword
CVE ID: CVE-2023-46086
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0f45738b-fff6-438e-8870-508c622c1752
NextScripts <= 4.4.2 – Reflected Cross-Site Scripting via code
CVE ID: CVE-2023-49183
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/15f00b65-8304-4132-a2cf-8145444ecfb1
Adifier (Premium Theme) < 3.1.4 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-49187
CVSS Score: 6.1 (Medium)
Researcher/s: Vladislav Pokrovsky (ΞX.MI)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2250d512-dfe0-47d3-a61f-4e501d105f30
JetBlocks For Elementor <= 1.3.8 – Reflected Cross Site Scripting
CVE ID: CVE-2023-48756
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2614ca26-6efc-49f5-8cee-5b078721acc1
WP Forms Puzzle Captcha <= 4.1 – Cross-Site Request Forgery to Cross-Site Scripting
CVE ID: CVE-2023-48278
CVSS Score: 6.1 (Medium)
Researcher/s: qilin_99
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2f34854a-5ca1-48a3-81d5-80f80f3a85fc
PowerPack Pro for Elementor <= 2.9.23 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-49739
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2feabc97-0463-4e50-91a8-234445ca2504
MyTube PlayList <= 2.0.3 – Reflected Cross-Site Scripting via addplaylistid
CVE ID: CVE-2023-48767
CVSS Score: 6.1 (Medium)
Researcher/s: Abu Hurayra (HurayraIIT)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/523cfed4-0422-40f3-8d81-d7862bcb1792
Seraphinite Accelerator <= 2.20.28 – Reflected Cross-Site Scripting via rt
CVE ID: CVE-2023-49740
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/53356d15-8db0-4015-addf-9bf66446e81f
List all posts by Authors, nested Categories and Title <= 2.7.10 – Cross-Site Scripting
CVE ID: CVE-2023-49182
CVSS Score: 6.1 (Medium)
Researcher/s: Skalucy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6b84df5b-ff93-43b3-b9e4-cf963cf2af10
BrainCert – HTML5 Virtual Classroom <= 1.30 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-49172
CVSS Score: 6.1 (Medium)
Researcher/s: Abu Hurayra (HurayraIIT)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/76b3b5b7-fefe-44fb-a30e-c55226d4aaea
HDW Player Plugin (Video Player & Video Gallery) <= 5.0 – Cross-Site Scripting
CVE ID: CVE-2023-49178
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/778aa2be-ffcb-4d28-9efe-c29c8d5391bd
Forms by CaptainForm <= 2.5.3 – Reflected Cross-Site Scripting via REQUEST_URI
CVE ID: CVE-2023-49170
CVSS Score: 6.1 (Medium)
Researcher/s: Abu Hurayra (HurayraIIT)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7f690ea9-b773-49d4-9fa4-2a8bb7593d62
WP Pocket URLs <= 1.0.2 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-49176
CVSS Score: 6.1 (Medium)
Researcher/s: SeungYongLee
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8a22873f-6f09-4183-92c5-a84e0d378920
Campaign Monitor for WordPress <= 2.8.12 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-38474
CVSS Score: 6.1 (Medium)
Researcher/s: Phd
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a4d7cab5-1641-4ed3-92c7-ad7594dcb74b
which template file <= 4.9.0 – Unauthenticated Cross-Site Scripting
CVE ID: CVE-2023-49177
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/be3208c8-aceb-4ac9-91e1-d5de5a85f74d
Doofinder for WooCommerce <= 2.1.4 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-49185
CVSS Score: 6.1 (Medium)
Researcher/s: Phd
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e46a2031-e304-43fb-85bf-ec9abf0b2f90
Innovs HR <= 1.0.3.4 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-49171
CVSS Score: 6.1 (Medium)
Researcher/s: SeungYongLee
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f43b5c02-fb10-48f1-9457-f67c5008fe5b
Happyforms <= 1.25.9 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-48752
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ff986a66-93f7-4926-8818-7af745c0166c
SiteOrigin Widgets Bundle < 1.51.0 – Authenticated (Admin+) Local File Inclusion
CVE ID: CVE-2023-6295
CVSS Score: 5.9 (Medium)
Researcher/s: Sebastian Neef
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1dbdc673-b0ee-4d1d-8cd9-603056f41cda
Automatic Youtube Video Posts Plugin <= 5.2.2 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings
CVE ID: CVE-2023-49180
CVSS Score: 5.5 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6a595b3c-2b21-43fe-8d4e-6721f4541c9b
Client Dash <= 2.2.1 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings
CVE ID: CVE-2023-49165
CVSS Score: 5.5 (Medium)
Researcher/s: emad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7f8839cf-9e48-4981-8a0d-bb0c06cdf441
WP Event Manager <= 3.1.39 – Authenticated (Editor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-49181
CVSS Score: 5.5 (Medium)
Researcher/s: emad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f25b2a4b-d863-4f24-ae67-4c8e41602c6f
Download canvasio3D Light <= 2.4.6 – Missing Authorization
CVE ID: CVE-2023-48776
CVSS Score: 5.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/11795557-74c0-469a-9751-adc759f9214b
Export WP Page to Static HTML/CSS <= 2.1.9 – Missing Authorization via Multiple AJAX Actions
CVE ID: CVE-2023-6369
CVSS Score: 5.4 (Medium)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/47cb48aa-b556-4f25-ac68-ff0a812972c1
Abandoned Cart Lite for WooCommerce <= 5.16.1 – Missing Authorization via multiple AJAX functions
CVE ID: CVE-2023-41671
CVSS Score: 5.4 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/51cfe955-f854-4f88-a009-93f92ae13d86
Chronopost & Mondial relay pour WooCommerce – WCMultiShipping <= 2.3.7 – Incorrect Authorization
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/16a3469d-6264-4ed7-b6ae-fdd7a80c8ca5
Abandoned Cart Lite for WooCommerce <= 5.16.1 – Cross-Site Request Forgery
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1ce1316b-674a-4436-968f-9ffca4e8f726
Social Pug <= 1.20.3 – Missing Authorization via multiple admin_init actions
CVE ID: CVE-2023-49193
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/22b17fcb-0c97-462d-b67c-6da2919478d5
Enhanced Text Widget <= 1.6.2 – Missing Authorization via etw_hide_admin_notification_callback
CVE ID: CVE-2023-49192
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/25122475-fc2c-4a8c-90d3-f4a85fb3a8cc
360 Javascript Viewer <= 1.7.11 – Missing Authorization
CVE ID: CVE-2023-48779
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/25a8169d-1057-4cf2-9048-fb85f62d6ead
Yet Another Stars Rating <= 3.4.3 – Missing Authorization via init
CVE ID: CVE-2023-39305
CVSS Score: 5.3 (Medium)
Researcher/s: Revan Arifio
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/395b016f-018c-458d-a585-34f3de3eae5c
PageLayer <= 1.7.7 – Cross-Site Request Forgery via pagelayer_load_plugin
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3a0c8ecc-f0a1-41fa-a5f7-2d65d610efc0
Participants Database <= 2.5.5 – Missing Authorization
CVE ID: CVE-2023-48751
CVSS Score: 5.3 (Medium)
Researcher/s: Yudistira Arya
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3cd2b2ba-c4ec-4799-91b4-b38c462baee4
WP Retina 2x <= 6.4.5 – Sensitive Information Exposure
CVE ID: CVE-2023-44982
CVSS Score: 5.3 (Medium)
Researcher/s: Joshua Chan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/52c2aae5-17c2-45eb-b55f-bb27555fb1f7
WP Forms Puzzle Captcha <= 4.1 – Captcha Bypass
CVE ID: CVE-2023-48276
CVSS Score: 5.3 (Medium)
Researcher/s: qilin_99
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/58502e48-c1cf-4b94-954c-71046256c917
Media File Renamer <= 5.6.9 – Sensitive Information Exposure via Log File
CVE ID: CVE-2023-44991
CVSS Score: 5.3 (Medium)
Researcher/s: Joshua Chan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/71e55161-f5ad-44e5-8a61-ce48c05e6dba
Aruba HiSpeed Cache <= 2.0.6 – Sensitive Information Exposure via Log File
CVE ID: CVE-2023-44983
CVSS Score: 5.3 (Medium)
Researcher/s: Joshua Chan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7391dd8c-0170-48c6-8451-9e7a00e268d0
Button Generator – easily Button Builder <= 2.3.8 – Missing Authorization
CVE ID: CVE-2023-49154
CVSS Score: 5.3 (Medium)
Researcher/s: Elliot
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/73dd286e-5338-42d2-9928-1e14150ccf56
Restricted Site Access <= 7.4.1 – IP Spoofing to Protection Mechanism Bypass
CVE ID: CVE-2023-48753
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/804169d3-a53a-42ba-821d-e9647ac075c4
Importify <= 1.0.4 – Unauthenticated Sensitive Information Exposure
CVE ID: CVE-2023-49194
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/830ff660-0265-46e5-8d16-ecd03cdf9f52
Swift Performance Lite <= 2.3.6.14 – Missing Authorization to Unauthenticated Settings Export
CVE ID: CVE-2023-6289
CVSS Score: 5.3 (Medium)
Researcher/s: Krzysztof Zając
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8321f68f-da2d-4382-979d-54008de2cae7
Gift Up 2.21.3 – Cross-Site Request Forgery via consume_post
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/95abec2d-a03a-4b07-8890-18568650c41f
teachPress <= 9.0.4 – Cross-Site Request Forgery
CVE ID: CVE-2023-48755
CVSS Score: 5.3 (Medium)
Researcher/s: LVT-tholv2k
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9956e04c-ff59-40c0-a8ab-3e2ed2c52d7f
Coming soon and Maintenance mode <= 3.7.3 – IP Address Spoofing via get_real_ip
CVE ID: CVE-2023-49741
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9fd9c076-d36c-4cda-b636-aa65195956d2
JetElements For Elementor <= 2.6.13 – Missing Authorization to Unauthenticated Arbitrary Attachment Download
CVE ID: CVE-2023-48759
CVSS Score: 5.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d199e597-64ed-4dcc-a153-b5c8e4e9e93d
BigCommerce <= 5.0.6 – Unauthenticated Sensitive Information Exposure
CVE ID: CVE-2023-49162
CVSS Score: 5.3 (Medium)
Researcher/s: Joshua Chan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e3a7e0b6-dc6d-4e3a-bb05-12d6ace330df
JetFormBuilder <= 3.1.4 – Unauthenticated Content Injection
CVE ID: CVE-2023-48763
CVSS Score: 5.3 (Medium)
Researcher/s: Revan Arifio
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f0343861-a376-43ea-826e-277c2a5ea635
Antispam Bee <= 2.11.3 – IP Address Spoofing via get_client_ip
CVE ID: CVE-2023-41134
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fb102891-b4a8-4089-b70c-43866ad85b7b
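The three "IP Address Spoofing" entries above (Restricted Site Access, Coming soon and Maintenance mode, Antispam Bee) name the same root cause, which recurs across WordPress plugins that implement allowlists, blocklists or rate limits: a client-IP helper that reads the address from request headers the client controls, so a single forged X-Forwarded-For value is enough to bypass the check. The following is an added illustration of that bug class and its fix; it is not code from any of those plugins or from Wordfence. The function names, the trusted-proxy range and the request arrays are constructed for the demonstration, and only IPv4 is handled.

```php
<?php
// Added illustration (not code from any plugin in this report) of the root
// cause behind the "IP Address Spoofing" entries: a client-IP helper that
// believes X-Forwarded-For (or Client-IP, X-Real-IP, ...) from any peer.
// Function names, the trusted-proxy list and the request arrays below are
// constructed for the demonstration. Run with: php client_ip.php

/** The recurring bug: the left-most X-Forwarded-For hop wins, for every caller. */
function get_client_ip_naive(array $server): string
{
    if (!empty($server['HTTP_X_FORWARDED_FOR'])) {
        return trim(explode(',', $server['HTTP_X_FORWARDED_FOR'])[0]);
    }
    return $server['REMOTE_ADDR'] ?? '';
}

/** True if IPv4 $ip lies inside $cidr ("10.0.0.0/8"; a bare address means /32). */
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$subnet, $bits] = array_pad(explode('/', $cidr, 2), 2, '32');
    $ipLong  = ip2long($ip);
    $subLong = ip2long($subnet);
    if ($ipLong === false || $subLong === false) {
        return false;
    }
    $bits = (int) $bits;
    $mask = $bits === 0 ? 0 : ((0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF);
    return ($ipLong & $mask) === ($subLong & $mask);
}

/**
 * The fix: REMOTE_ADDR comes from the TCP connection, not from a header, so it
 * is the one value the client cannot set. Consult X-Forwarded-For only when
 * that peer is one of our own reverse proxies, and then read it from the RIGHT,
 * skipping our proxies: the first foreign hop is the address the last trusted
 * proxy actually accepted the connection from. Anything the client prepended
 * sits further left and is never reached.
 */
function get_client_ip_hardened(array $server, array $trusted_proxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    $is_trusted = static function (string $ip) use ($trusted_proxies): bool {
        foreach ($trusted_proxies as $cidr) {
            if (ip_in_cidr($ip, $cidr)) {
                return true;
            }
        }
        return false;
    };
    if ($remote === '' || !$is_trusted($remote) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $remote; // direct connection: the header is client-supplied, ignore it
    }
    $hops = array_reverse(array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'])));
    foreach ($hops as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
            return $remote; // malformed chain: fail closed to the peer address
        }
        if (!$is_trusted($hop)) {
            return $hop;
        }
    }
    return $remote; // every hop was one of our proxies
}

// Constructed requests. 203.0.113.5 is an allowlisted address the attacker
// (198.51.100.7) wants to impersonate; 10.0.0.0/8 is where our proxies live.
$proxies = ['10.0.0.0/8'];
$direct  = ['REMOTE_ADDR' => '198.51.100.7', 'HTTP_X_FORWARDED_FOR' => '203.0.113.5'];
$proxied = ['REMOTE_ADDR' => '10.0.0.2', 'HTTP_X_FORWARDED_FOR' => '203.0.113.5, 198.51.100.7'];
$garbage = ['REMOTE_ADDR' => '10.0.0.2', 'HTTP_X_FORWARDED_FOR' => '203.0.113.5, not-an-ip'];

$cases = [
    'naive helper is spoofed by a direct request'   => [get_client_ip_naive($direct), '203.0.113.5'],
    'hardened helper ignores header from non-proxy' => [get_client_ip_hardened($direct, $proxies), '198.51.100.7'],
    'hardened helper takes proxy-appended hop'      => [get_client_ip_hardened($proxied, $proxies), '198.51.100.7'],
    'hardened helper fails closed on garbage'       => [get_client_ip_hardened($garbage, $proxies), '10.0.0.2'],
];
foreach ($cases as $label => [$got, $want]) {
    echo ($got === $want ? 'PASS' : 'FAIL') . "  {$label}: {$got}" . PHP_EOL;
}
```

The design point is that the set of trusted proxies is deployment configuration, fixed by whoever operates the hosting stack, and no request header may widen it. A plugin that reads `$_SERVER` directly faces the same decision: if the site is not behind a proxy, `REMOTE_ADDR` is the only trustworthy value; if it is, the proxy's own address range must be known before any forwarded header is believed.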
KP Fastest Tawk.to Chat <= 1.1.1 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-49175
CVSS Score: 4.4 (Medium)
Researcher/s: emad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/02ddfc75-8a9e-4a8e-8339-52348a963c69
GDPR Cookie Consent by Supsystic <= 2.1.2 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-49191
CVSS Score: 4.4 (Medium)
Researcher/s: DoYeon Park (p6rkdoye0n)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/158a63c1-1b2e-4fbf-ac86-43471ba8ebc2
Molongui <= 4.6.19 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-39921
CVSS Score: 4.4 (Medium)
Researcher/s: Abdullah Hussam
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/16130c5d-9865-4953-b078-0b448722e36d
Chart Builder <= 1.9.6 – Authenticated (Admin+) Stored Cross-Site Scripting
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/18cbf346-91a3-4856-930e-7753eb1470d9
SoundCloud Shortcode <= 3.1.0 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-34018
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5084afcc-b6fc-4d89-9ad7-c4ea3e4dae82
Social Share Buttons & Analytics Plugin – GetSocial.io <= 4.3.12 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-49189
CVSS Score: 4.4 (Medium)
Researcher/s: DoYeon Park (p6rkdoye0n)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/513124f6-ea14-46ca-94c5-f9fa15b19d8c
Simple Long Form <= 2.2.2 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-41136
CVSS Score: 4.4 (Medium)
Researcher/s: DoYeon Park (p6rkdoye0n)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/68c22e71-c704-44c1-86e6-856f6244393d
Track Geolocation Of Users Using Contact Form 7 <= 1.4 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-49188
CVSS Score: 4.4 (Medium)
Researcher/s: DoYeon Park (p6rkdoye0n)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/724d8f79-f683-4b06-841d-a9104c87f3c6
BSK Forms Blacklist <= 3.6.3 – Authenticated (Admin+) Stored Cross-Site Scripting
CVE ID: CVE-2023-5980
CVSS Score: 4.4 (Medium)
Researcher/s: Bob Matyas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8283a502-6fb8-43ff-8f46-8afbfdbb22f7
Multiple Post Passwords <= 1.1.1 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-49157
CVSS Score: 4.4 (Medium)
Researcher/s: DoYeon Park (p6rkdoye0n)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8f220293-9789-4824-b736-ead014c45366
Site Offline <= 1.5.6 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-49190
CVSS Score: 4.4 (Medium)
Researcher/s: emad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/96f30a22-f218-48e7-9796-b9f1d5becc2c
Evergreen Content Poster <= 1.3.6.1 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-41127
CVSS Score: 4.4 (Medium)
Researcher/s: DoYeon Park (p6rkdoye0n)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d7b67c83-7fb7-4bac-a8eb-7fc318f2ff50
Nested Pages <= 3.2.6 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-49195
CVSS Score: 4.4 (Medium)
Researcher/s: emad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ec9029a3-be05-469a-a8e2-20987a4a4ad9
Multiple Plugins by Crocoblock <= (Various Versions) – Cross-Site Request Forgery
CVE ID: CVE-2023-48762
CVSS Score: 4.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1c85e5e0-d8ee-46d3-99b1-df6c6744f020
teachPress <= 9.0.5 – Cross-Site Request Forgery via delete_database()
CVE ID: CVE-2023-49163
CVSS Score: 4.3 (Medium)
Researcher/s: LVT-tholv2k
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3544357f-97c9-49cb-a48d-74b60480111d
Qode Essential Addons <= 1.5.2 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation/Activation
CVE ID: CVE-2023-47840
CVSS Score: 4.3 (Medium)
Researcher/s: Brandon James Roldan (tomorrowisnew)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/443c59b9-275d-4d17-a870-9ae013c1a5c1
WP Shortcodes Plugin — Shortcodes Ultimate <= 5.13.3 – Insecure Direct Object Reference to Information Disclosure
CVE ID: CVE-2023-6226
CVSS Score: 4.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4d936a48-b300-4a41-8d28-ba34cb3c5cb7
IdeaPush <= 8.53 – Missing Authorization
CVE ID: CVE-2023-48774
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5811fc63-da34-43cb-ae33-a34a8795bb72
Quotes for WooCommerce <= 2.0.1 – Missing Authorization
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5f7a5d4b-8ba2-45d8-92d4-3c66a81fb4f8
Quotes for WooCommerce <= 2.0.1 – Cross-Site Request Forgery
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6954364e-567c-407c-afc6-983b7257cc88
RegistrationMagic <= 5.2.2.6 – Cross-Site Request Forgery
CVE ID: CVE-2023-47645
CVSS Score: 4.3 (Medium)
Researcher/s: thiennv
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7dcde10d-4eb7-42fe-926e-05e56affc521
Debug Log Manager <= 2.2.0 – Cross-Site Request Forgery
CVE ID: CVE-2023-5772
CVSS Score: 4.3 (Medium)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7e539549-1125-4b0e-aa3c-c8844041c23a
LadiApp <= 4.3 – Missing Authorization
CVE ID: CVE-2023-49158
CVSS Score: 4.3 (Medium)
Researcher/s: Truoc Phan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8f88ff96-5bd7-448d-a030-e75fd268bff6
Ocean Extra <= 2.2.2 – Cross-Site Request Forgery to Arbitrary Plugin Activation
CVE ID: CVE-2023-49164
CVSS Score: 4.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ac111175-2059-41dc-afa2-a659da3adaca
SpeedyCache <= 1.1.2 – Missing Authorization via speedycache_create_test_cache
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ac7c0dde-5299-4938-beed-eb2fe227a812
Button Generator – easily Button Builder <= 2.3.8 – Cross-Site Request Forgery
CVE ID: CVE-2023-49155
CVSS Score: 4.3 (Medium)
Researcher/s: Elliot
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b73467de-fb0c-45e3-b3ae-5158b261907b
Add to Cart Text Changer and Customize Button, Add Custom Icon <= 2.0 – Cross-Site Request Forgery via wactc_text_form
CVE ID: CVE-2023-49153
CVSS Score: 4.3 (Medium)
Researcher/s: Skalucy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c4470c03-64fc-46d9-b224-de5a3149c3d5
GoDaddy Email Marketing <= 1.4.3 – Missing Authorization
CVE ID: CVE-2023-49156
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c8d9d19e-a080-40e9-8a71-01888393f618
SchedulePress <= 5.0.4 – Insufficient Authorization to Authenticated (Contributor+) Arbitrary Post Modifications
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cd2c9b28-d5b5-4930-a441-f889ee2778cd
Ecwid Ecommerce Shopping Cart <= 6.12.4 – Cross-Site Request Forgery
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/db5d6cc9-24d7-42bf-905e-4c3764c659ed
AdFoxly – Ad Manager, AdSense Ads & Ads.txt <= 1.8.5 – Cross-Site Request Forgery
CVE ID: CVE-2023-46617
CVSS Score: 4.3 (Medium)
Researcher/s: LVT-tholv2k
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e46513d2-65d0-4215-99a7-051603ec4569
Affiliate Booster – Pros & Cons, Notice, and CTA Blocks for Affiliates <= 3.0.4 – Cross-Site Request Forgery via process_bulk_action
CVE ID: CVE-2023-49148
CVSS Score: 4.3 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e4b9eeb9-7ce4-446d-8ac0-af9cea0c893a
Razorpay for WooCommerce <= 4.5.6 – Cross-Site Request Forgery
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e6a2b2f6-c648-4755-be24-92c7f287813e
Delete Post Revisions In WordPress <= 4.6 – Cross-Site Request Forgery
CVE ID: CVE-2023-48754
CVSS Score: 4.3 (Medium)
Researcher/s: Skalucy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f1946a48-c1d6-4ca9-909f-0d4b78c25c36
Razorpay for WooCommerce <= 4.5.6 – Missing Authorization
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f59cf3d6-06a0-42ec-a604-5f59c6b2be40
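A large share of the entries in this report are "Missing Authorization" or "Cross-Site Request Forgery" in admin-ajax.php handlers or admin_init callbacks, and several of the Stored Cross-Site Scripting entries are settings saved without sanitization by the same kind of handler. What follows is an added illustration of that pattern and its fix; it is not code from any plugin in the report or from Wordfence. The handler and option names (demo_save_setting, demo_setting) are invented, and the file carries minimal test doubles for the WordPress functions it uses so it runs outside WordPress.

```php
<?php
// Added illustration, not code from any plugin in this report. The many
// "Missing Authorization" and "Cross-Site Request Forgery" entries come from
// one assumption: that reaching the handler proves the request is legitimate.
// It does not. wp_ajax_{action} runs for any logged-in user (Subscriber
// included); wp_ajax_nopriv_{action} and admin_init also run for
// unauthenticated requests to admin-ajax.php; and none of them verify who
// triggered the request. Names such as demo_save_setting are invented.
//
// The block below supplies minimal test doubles so the file runs as
// `php ajax_handler.php` without WordPress; inside WordPress the real core
// functions of the same names are used instead.
if (!function_exists('current_user_can')) {
    $GLOBALS['demo_caps']    = [];
    $GLOBALS['demo_options'] = [];
    function current_user_can(string $capability): bool
    {
        return in_array($capability, $GLOBALS['demo_caps'], true);
    }
    function wp_verify_nonce(string $nonce, string $action): bool
    {
        // Real core derives the nonce from the action, the user ID, the session
        // token and a time window; a fixed secret is enough for the demo.
        return hash_equals('demo-nonce-for-' . $action, $nonce);
    }
    function sanitize_text_field(string $str): string
    {
        return trim(strip_tags($str));
    }
    function update_option(string $option, $value): bool
    {
        $GLOBALS['demo_options'][$option] = $value;
        return true;
    }
}

// VULNERABLE: writes a setting on the strength of reaching the handler.
// Hooked as add_action('wp_ajax_demo_save_setting', ...) any subscriber can
// call it; hooked as wp_ajax_nopriv_ or on admin_init anyone can; and an
// administrator lured to an attacker's page can be made to submit it (CSRF).
function demo_save_setting_vulnerable(array $post): array
{
    update_option('demo_setting', $post['value'] ?? '');
    return ['success' => true];
}

// HARDENED: a nonce ties the request to a form/script this site issued to this
// user (CSRF), a capability check ties the action to a role allowed to perform
// it (authorization), and the value is sanitized before storage (the stored
// XSS-via-settings class). Inside WordPress, check_ajax_referer() does step 1.
function demo_save_setting_hardened(array $post): array
{
    if (!wp_verify_nonce((string) ($post['_ajax_nonce'] ?? ''), 'demo_save_setting')) {
        return ['success' => false, 'error' => 'invalid nonce'];
    }
    if (!current_user_can('manage_options')) {
        return ['success' => false, 'error' => 'insufficient permissions'];
    }
    update_option('demo_setting', sanitize_text_field((string) ($post['value'] ?? '')));
    return ['success' => true];
}
// In WordPress: add_action('wp_ajax_demo_save_setting', function () {
//     wp_send_json(demo_save_setting_hardened($_POST)); });
// and no wp_ajax_nopriv_ registration at all for a settings write.

if (PHP_SAPI === 'cli') {
    $nonce = 'demo-nonce-for-demo_save_setting';
    $GLOBALS['demo_caps'] = ['read'];                    // a Subscriber
    $r1 = demo_save_setting_vulnerable(['value' => '<script>alert(1)</script>']);
    $r2 = demo_save_setting_hardened(['value' => 'x', '_ajax_nonce' => $nonce]);
    $GLOBALS['demo_caps'] = ['read', 'manage_options']; // an Administrator
    $r3 = demo_save_setting_hardened(['value' => 'x']); // valid session, no nonce: CSRF shape
    $r4 = demo_save_setting_hardened(['value' => ' <b>ok</b> ', '_ajax_nonce' => $nonce]);
    $checks = [
        'vulnerable handler accepts a subscriber'         => $r1['success'] === true,
        'hardened handler refuses subscriber (authz)'     => ($r2['error'] ?? '') === 'insufficient permissions',
        'hardened handler refuses admin w/o nonce (CSRF)' => ($r3['error'] ?? '') === 'invalid nonce',
        'hardened handler stores sanitized admin value'   => $r4['success'] === true
            && $GLOBALS['demo_options']['demo_setting'] === 'ok',
    ];
    foreach ($checks as $label => $ok) {
        echo ($ok ? 'PASS' : 'FAIL') . "  {$label}" . PHP_EOL;
    }
}
```

The two checks are independent and both are needed: a nonce without a capability check still lets a Subscriber who holds a nonce for their own session perform an administrator's action, and a capability check without a nonce still lets a third-party page drive an administrator's browser. Note that the capability consulted should be the one that matches the action (manage_options for site settings, not merely the fact of being logged in), and that the same two checks apply to admin_init and admin-post.php callbacks, which are reachable by anyone.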
As a reminder, Wordfence Intelligence is Wordfence's curated, industry-leading vulnerability database covering all known WordPress core, theme, and plugin vulnerabilities.
It is continuously updated and maintained by Wordfence's highly credentialed and experienced vulnerability researchers, and is populated through in-house vulnerability research, through submissions from outside researchers via our CVE Request form, and by monitoring a variety of sources to capture all publicly available WordPress vulnerability information, adding further context where we can.
The post Wordfence Intelligence Weekly WordPress Vulnerability Report (November 27, 2023 to December 3, 2023) appeared first on Wordfence.