Wordfence Intelligence Weekly WordPress Vulnerability Report (Mar 27, 2023 to Apr 2, 2023)

Last week, there were 82 vulnerabilities disclosed in 70 WordPress Plugins and 1 WordPress theme that have been added to the Wordfence Intelligence Vulnerability Database, and there were 34 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface and vulnerability API are completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

Elementor Pro
Filebird
Themeflection Numbers

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status
Number of Vulnerabilities

Unpatched
21

Patched
61

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating
Number of Vulnerabilities

Low Severity
1

Medium Severity
65

High Severity
14

Critical Severity
2

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE
Number of Vulnerabilities

Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
37

Cross-Site Request Forgery (CSRF)
23

Missing Authorization
11

Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
7

Information Exposure
2

URL Redirection to Untrusted Site (‘Open Redirect’)
1

Deserialization of Untrusted Data
1

Researchers That Contributed to WordPress Security Last Week

Researcher Name
Number of Vulnerabilities

Lana Codes
9

Rio Darmawan
8

thiennv
5

Erwan LR
4

yuyudhn
4

Dave Jong
3

MyungJu Kim
3

dc11
3

Mika
2

minhtuanact
2

TEAM WEBoB of BoB 11th
2

Juampa Rodríguez
1

nlpro
1

Abdi Pranata
1

muhga
1

Shreya Pohekar
1

Muhammad Daffa
1

Cat
1

Junsu Yeo
1

Jerome Bruandet
1

Kunal Sharma
1

Daniel Krohmer
1

Le Ngoc Anh
1

Alex Sanford
1

Joshua Martinelle
1

Marco Wotschka
1

Jeong Seong Ho
1

Phd
1

qilin_99
1

pilvar
1

Alex Thomas
1

Rafshanzani Suhada
1

Justiice
1

Yuki Haruma
1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name
Software Slug

AI ChatBot
chatbot

ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup
armember-membership

Advanced Local Pickup for WooCommerce
advanced-local-pickup-for-woocommerce

Advanced Page Visit Counter – Advanced WordPress Visit Counter
advanced-page-visit-counter

Advanced Shipment Tracking for WooCommerce
woo-advanced-shipment-tracking

Affiliates Manager
affiliates-manager

Albo Pretorio On line
albo-pretorio-on-line

Conditional cart fee / Extra charge rule for WooCommerce extra fees
conditional-extra-fees-for-woocommerce

Configurable Tag Cloud (CTC)
configurable-tag-cloud-widget

Contest Gallery – Contact Form, Upload Form, Social Share and Voting Plugin for WordPress
contest-gallery

Continuous Image Carousel With Lightbox
continuous-image-carousel-with-lightbox

Coupon Affiliates – WooCommerce Affiliate Plugin
woo-coupon-usage

Custom More Link Complete
custom-more-link-complete

Custom Post Type UI
custom-post-type-ui

Custom Post Type and Taxonomy GUI Manager
custom-post-type-cpt-cusom-taxonomy-ct-manager

Direct checkout, Add to cart redirect, Quick purchase button, Buy now button, Quick View button for WooCommerce
add-to-cart-direct-checkout-for-woocommerce

Easy Forms for Mailchimp
yikes-inc-easy-mailchimp-extender

Easy Media Replace
easy-media-replace

Easy Quiz Maker
n-media-wp-simple-quiz

Elementor Website Builder Pro
elementor-pro

Enhanced WP Contact Form
enhanced-wordpress-contactform

Feed Them Social – Page, Post, Video, and Photo Galleries
feed-them-social

FileBird – WordPress Media Library Folders & File Manager
filebird

Full Width Banner Slider Wp
full-width-responsive-slider-wp

GMAce
gmace

Gallery by BestWebSoft – Customizable Image and Photo Galleries for WordPress
gallery-plugin

Gift Cards (Gift Vouchers and Packages) (WooCommerce Supported)
gift-voucher

HT Menu – WordPress Mega Menu Builder for Elementor
ht-menu-lite

Happy Addons for Elementor
happy-elementor-addons

HappyFiles Pro
happyfiles-pro

Health Check & Troubleshooting
health-check

JustTables – WooCommerce Product Table
just-tables

LionScripts: IP Blocker Lite
ip-address-blocker

MS-Reviews
ms-reviews

Maps Widget for Google Maps
google-maps-widget

Mega Main Menu
mega_main_menu

Mobile Banner
mobile-banner

Newsletter – Send awesome emails from WordPress
newsletter

Order date, Order pickup, Order date time, Pickup Location, delivery date for WooCommerce
pi-woocommerce-order-date-time-and-type

Pagination by BestWebSoft – Customizable WordPress Content Splitter and Navigation Plugin
pagination

Paid Membership Plugin, Ecommerce, Registration Form, Login Form, User Profile & Restrict Content – ProfilePress
wp-user-avatar

PixFields
pixfields

Popup Anything – A Marketing Popup and Lead Generation Conversions
popup-anything-on-click

Premmerce Redirect Manager
premmerce-redirect-manager

Product Specifications for Woocommerce
product-specifications

Quick Paypal Payments
quick-paypal-payments

Really Simple Google Tag Manager
really-simple-google-tag-manager

Responsive Vertical Icon Menu
wpdevart-vertical-menu

Review Stream
review-stream

Simple Author Box
simple-author-box

Slimstat Analytics
wp-slimstat

Social Proof (Testimonial) Slider
social-proof-testimonials-slider

Swatchly – WooCommerce Variation Swatches for Products (product attributes: Image swatch, Color swatches, Label swatches)
swatchly

Themeflection Numbers – Number Counter and Animated Numbers
tf-numbers-number-counter-animaton

Trending/Popular Post Slider and Widget
wp-trending-post-slider-and-widget

Video Central for WordPress
video-central

WC Fields Factory
wc-fields-factory

WP Image Carousel
wp-image-carousel

WP Meta SEO
wp-meta-seo

WP VR – 360 Panorama and Virtual Tour Builder For WordPress
wpvr

WPMobile.App — Android and iOS Mobile Application
wpappninja

Weaver Show Posts
show-posts

Welcome Bar
intelly-welcome-bar

WishSuite – Wishlist for WooCommerce
wishsuite

Woocommerce Custom Checkout Fields Editor With Drag & Drop
woo-custom-checkout-fields

WordPress Contact Forms by Cimatti
contact-forms

Wp Ultimate Review
wp-ultimate-review

Zippy
zippy

affiliate-toolkit – WordPress Affiliate Plugin
affiliate-toolkit-starter

iThemes Security
better-wp-security

WordPress Themes with Reported Vulnerabilities Last Week

Software Name
Software Slug

Viral Mag
viral-mag

Vulnerability Details

ARMember <= 3.4.11 – Unauthenticated SQL Injection

Affected Software: ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup
CVE ID: CVE-2022-46808
CVSS Score: 9.8 (Critical)
Researcher/s: Le Ngoc Anh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7ff230b0-c186-41fc-93a5-2ed90e8aab4d

Gift Cards (Gift Vouchers and Packages) <= 4.3.1 – Unauthenticated SQL Injection

Affected Software: Gift Cards (Gift Vouchers and Packages) (WooCommerce Supported)
CVE ID: CVE-2023-28662
CVSS Score: 9.8 (Critical)
Researcher/s: Joshua Martinelle
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a10a3f01-082d-4a94-89c6-b5b46891aa4d

Elementor Pro <= 3.11.6 – Authenticated(Subscriber+) Privilege Escalation via update_page_option

Affected Software: Elementor Website Builder Pro
CVE ID: CVE Unknown
CVSS Score: 8.8 (High)
Researcher/s: Jerome Bruandet
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/570474f2-c118-45e1-a237-c70b849b2d3c

WC Fields Factory <= 4.1.5 – Authenticated(Subscriber+) SQL Injection

Affected Software: WC Fields Factory
CVE ID: CVE Unknown
CVSS Score: 8.8 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5c51f55f-6e8c-467c-999b-4e6a1a6f7bbc

GMAce <= 1.5.2 – Cross-Site Request Forgery to Arbitrary File Modification (Creation/Overwrite/Deletion)

Affected Software: GMAce
CVE ID: CVE-2023-1509
CVSS Score: 8.8 (High)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/826b3913-9a37-4e15-80fd-b35cefb51af8

Advanced Page Visit Counter <= 6.4.2 – Authenticated (Contributor+) SQL Injection

Affected Software: Advanced Page Visit Counter – Advanced WordPress Visit Counter
CVE ID: CVE-2023-28788
CVSS Score: 8.8 (High)
Researcher/s: minhtuanact
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/871e5091-bb20-4a53-83e2-85ed6f26247a

WP Meta SEO <= 4.5.4 – Authenticated (Author+) PHAR Deserialization

Affected Software: WP Meta SEO
CVE ID: CVE-2023-1381
CVSS Score: 8.8 (High)
Researcher/s: Alex Sanford
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9f07d76e-1973-4ea7-b448-666466cd688f

Slimstat Analytics <= 4.9.3.3 – Authenticated (Subscriber+) SQL Injection via Shortcode

Affected Software: Slimstat Analytics
CVE ID: CVE Unknown
CVSS Score: 8.8 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/af075ffe-553a-4351-a696-5c678788f3b9

Gallery by BestWebSoft <= 4.6.9 – Authenticated (Author+) SQL Injection

Affected Software: Gallery by BestWebSoft – Customizable Image and Photo Galleries for WordPress
CVE ID: CVE-2023-0765
CVSS Score: 8.8 (High)
Researcher/s: dc11
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cbfbb06c-f048-4912-9ff7-59aa10bc96bd

Themeflection Numbers <= 1.8.1 – Authenticated(Subscriber+) Privilege Escalation via tf_numb_save_licenses

Affected Software: Themeflection Numbers – Number Counter and Animated Numbers
CVE ID: CVE-2023-0889
CVSS Score: 8.8 (High)
Researcher/s: dc11
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/db6616b5-4c4e-4cc7-83eb-22fac94f47f2

Easy Media Replace <= 0.1.3 – Authenticated (Author+) Arbitrary File Deletion

Affected Software: Easy Media Replace
CVE ID: CVE-2022-46850
CVSS Score: 8.1 (High)
Researcher/s: Jeong Seong Ho
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/abb4af63-37fe-49b7-8f70-ac9c7e47e939

WC Fields Factory <= 4.1.5 – Authenticated (Administrator+) SQL Injection

Affected Software: WC Fields Factory
CVE ID: CVE-2023-0277
CVSS Score: 7.2 (High)
Researcher/s: Kunal Sharma, Daniel Krohmer
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/70ca7ad4-6848-4f87-ae2d-4b9c2ffa668e

Easy Quiz Maker <= 1.5 – Unauthenticated Stored Cross-Site Scripting

Affected Software: Easy Quiz Maker
CVE ID: CVE Unknown
CVSS Score: 7.2 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8566a5ad-df8a-4843-82c9-05da9d44582d

Coupon Affiliates <= 5.4.3 – Unauthenticated Stored Cross-Site Scripting

Affected Software: Coupon Affiliates – WooCommerce Affiliate Plugin
CVE ID: CVE-2023-28992
CVSS Score: 7.2 (High)
Researcher/s: thiennv
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a0d93ee4-63e1-4fa7-9346-f56354124b9a

WordPress Contact Forms by Cimatti <= 1.5.4 – Unauthenticated Stored Cross-Site Scripting

Affected Software: WordPress Contact Forms by Cimatti
CVE ID: CVE-2023-28781
CVSS Score: 7.2 (High)
Researcher/s: thiennv
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b4b2587a-e84e-4149-b9ac-ecf36451f815

ProfilePress <= 4.5.3 – Unauthenticated Cross-Site Scripting

WP Image Carousel WordPress – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: WP Image Carousel
CVE ID: CVE-2023-0589
CVSS Score: 6.5 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0f4bb514-80bd-4d66-a60f-0a6a287af5de

Easy Forms for MailChimp <= 6.8.6 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Easy Forms for Mailchimp
CVE ID: CVE-2023-1325
CVSS Score: 6.4 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1be5da88-723a-4386-a73e-3fe90eefb6ba

MS-Reviews <= 1.5 – Authenticated (Subscriber+) Stored Cross-Site Scripting

Affected Software: MS-Reviews
CVE ID: CVE-2023-0424
CVSS Score: 6.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/68fd5e6f-9883-4e8f-9c4f-5905b487629a

Video Central for WordPress <= 1.3.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Video Central for WordPress
CVE ID: CVE-2023-0418
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/87eb6644-fd70-42a1-b05d-b166cb89c45c

Gallery by BestWebSoft <= 4.6.9 – Authenticated (Author+) Stored Cross-Site Scripting

Affected Software: Gallery by BestWebSoft – Customizable Image and Photo Galleries for WordPress
CVE ID: CVE-2023-0764
CVSS Score: 6.4 (Medium)
Researcher/s: dc11
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/94868d48-2d36-49f1-9da1-7965ecaeae3c

Weaver Show Posts <= 1.6 – Authenticated(Contributor+) Stored Cross-Site Scripting via Display Name

Affected Software: Weaver Show Posts
CVE ID: CVE-2023-1404
CVSS Score: 6.4 (Medium)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c8647c44-4879-4895-bd07-19f7d62a7326

PixFields <= 0.7.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: PixFields
CVE ID: CVE-2022-46844
CVSS Score: 6.4 (Medium)
Researcher/s: Justiice
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e7f86396-2f3f-4cd6-b3d4-e518b074a579

HappyFiles Pro <= 1.8.1 – Missing Authorization to Arbitrary File Deletion

Affected Software: HappyFiles Pro
CVE ID: CVE-2023-25446
CVSS Score: 6.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7bfabeb4-c57d-412a-b27b-a6387d30081f

HappyFiles Pro <= 1.8.1 – Missing Authorization

Affected Software: HappyFiles Pro
CVE ID: CVE-2023-25445
CVSS Score: 6.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d293f35a-a42f-441f-b521-da0ba9887c45

Health Check & Troubleshooting <= 1.5.1 – Cross-Site Request Forgery via health_check_troubleshoot_get_captures

Affected Software: Health Check & Troubleshooting
CVE ID: CVE Unknown
CVSS Score: 6.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e8d75eb6-2a9f-4c33-9e15-db7db037b67e

Continuous Image Carousel With Lightbox <= 1.0.15 – Reflected Cross-Site Scripting via search_term, order_by and order_pos

Affected Software: Continuous Image Carousel With Lightbox
CVE ID: CVE-2023-28792
CVSS Score: 6.1 (Medium)
Researcher/s: thiennv
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0b4651d8-dad7-4f6f-a47d-2095b9d2bdca

Custom Post Type and Taxonomy GUI Manager <= 1.1 – Cross-Site Request Forgery to Cross-Site Scripting

Affected Software: Custom Post Type and Taxonomy GUI Manager
CVE ID: CVE-2023-0420
CVSS Score: 6.1 (Medium)
Researcher/s: Shreya Pohekar
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/26c75a0a-8590-4ac7-814e-29e0c2d0822e

Contest Gallery <= 21.1.2 – Reflected Cross-Site Scripting

Affected Software: Contest Gallery – Contact Form, Upload Form, Social Share and Voting Plugin for WordPress
CVE ID: CVE-2023-28784
CVSS Score: 6.1 (Medium)
Researcher/s: thiennv
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7dbd3b23-cebc-4212-bcae-c6f23031c040

Product Specifications for Woocommerce <= 0.6.0 – Unauthenticated Reflected Cross-Site Scripting via Arbitrary Query String Parameter

Affected Software: Product Specifications for Woocommerce
CVE ID: CVE-2022-46858
CVSS Score: 6.1 (Medium)
Researcher/s: TEAM WEBoB of BoB 11th
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/916d4f2f-769b-4902-9464-f55d8f64c9d2

Responsive Vertical Icon Menu <= 1.5.8 – Reflected Cross-Site Scripting via ‘id’

Affected Software: Responsive Vertical Icon Menu
CVE ID: CVE Unknown
CVSS Score: 6.1 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9a999044-5d4a-4415-a3b9-28c564e63a25

Woocommerce Custom Checkout Fields Editor With Drag & Drop <= 0.1 – Reflected Cross-Site Scripting via ‘tab’

Affected Software: Woocommerce Custom Checkout Fields Editor With Drag & Drop
CVE ID: CVE-2022-46864
CVSS Score: 6.1 (Medium)
Researcher/s: TEAM WEBoB of BoB 11th
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9e3899d8-170e-481f-8c80-90addc66eb41

Albo Pretorio Online <= 4.6 – Reflected Cross-Site Scripting via ‘Errore’

Affected Software: Albo Pretorio On line
CVE ID: CVE-2023-28750
CVSS Score: 6.1 (Medium)
Researcher/s: Phd
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ad8f8c41-a3b9-4287-b6b2-489fb77b7553

Contact Forms by Cimatti <= 1.5.4 – Reflected Cross-Site Scripting via ‘form-field-id’, ‘edit-fid’, ‘id’, ‘name’, ‘type’, ‘description’ Parameters

Affected Software: WordPress Contact Forms by Cimatti
CVE ID: CVE-2023-28789
CVSS Score: 6.1 (Medium)
Researcher/s: thiennv
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b512f9a9-6c83-416c-bacc-ee3bba8dfe29

Easy Forms for MailChimp <= 6.8.7 – Reflected Cross-Site Scripting

Affected Software: Easy Forms for Mailchimp
CVE ID: CVE-2023-1324
CVSS Score: 6.1 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c30d517b-e051-408c-a022-4399c3d62390

Full Width Banner Slider Wp <= 1.1.7 – Reflected Cross-Site Scripting via search_term and setacrionpage

Affected Software: Full Width Banner Slider Wp
CVE ID: CVE-2023-24392
CVSS Score: 6.1 (Medium)
Researcher/s: yuyudhn
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cb4bb127-360d-4f17-9da9-f7be17140ff3

affiliate-toolkit – WordPress Affiliate Plugin <= 3.3.3 – Authenticated (Editor+) Stored Cross-Site Scripting

Affected Software: affiliate-toolkit – WordPress Affiliate Plugin
CVE ID: CVE-2023-23786
CVSS Score: 5.5 (Medium)
Researcher/s: yuyudhn
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8dda7b14-c341-434b-85f1-029f384c65d6

Mega Main Menu <= 2.2.2 – Authenticated (Administrator+) Cross-Site Scripting

Affected Software: Mega Main Menu
CVE ID: CVE-2023-1575
CVSS Score: 5.5 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a44ce6a3-0a9d-4bce-9251-f3a38b000645

Continuous Image Carousel With Lightbox <= 1.0.15 – Reflected Cross-Site Scripting via search_term, order_by and order_pos

Affected Software: Continuous Image Carousel With Lightbox
CVE ID: CVE-2023-28776
CVSS Score: 5.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3a196177-2786-4f6d-8076-f0232e4d5a5d

IP Blocker Lite <= 11.1.1 – Cross-Site Request Forgery

Affected Software: LionScripts: IP Blocker Lite
CVE ID: CVE-2023-23993
CVSS Score: 5.4 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/45d3f82b-9e19-4678-8995-7fe265606fd2

AI ChatBot <= 4.4.7 – Missing Authorization on openai_settings_option_callback

Affected Software: AI ChatBot
CVE ID: CVE Unknown
CVSS Score: 5.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b33bf55c-0397-44a2-8c18-ea5f8f1e2ec9

Filebird <= 5.1.4 – Missing Authorization via resAdminPermissionsCheck

Affected Software: FileBird – WordPress Media Library Folders & File Manager
CVE ID: CVE-2023-25966
CVSS Score: 5.4 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d5a6e9f4-dbc3-4af0-b9e4-4c9ad7b5fe9f

Custom Post Type UI <= 1.13.4 – Cross-Site Request Forgery to Sensitive Information Exposure

Affected Software: Custom Post Type UI
CVE ID: CVE-2023-1623
CVSS Score: 5.4 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f28afb93-b72a-4a56-994b-144124202147

JustTables – WooCommerce Product Table <= 1.4.9 – Cross-Site Request Forgery via plugin_activation()

Affected Software: JustTables – WooCommerce Product Table
CVE ID: CVE-2023-23803
CVSS Score: 5.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c2b795d8-3cab-4d81-a016-b4498315ddf4

iThemes Security <= 8.1.4 – Open Redirection via redirect_to_https

Affected Software: iThemes Security
CVE ID: CVE-2023-28786
CVSS Score: 4.7 (Medium)
Researcher/s: nlpro
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/047cd34e-f2a1-4643-a1c5-3ead926b83ca

Newsletter <= 7.6.8 – Reflected Cross-Site Scripting

Affected Software: Newsletter – Send awesome emails from WordPress
CVE ID: CVE Unknown
CVSS Score: 4.7 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fa49346c-726e-41f9-8a74-adaa4a8fa5d9

WPMobile.App <= 11.20 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: WPMobile.App — Android and iOS Mobile Application
CVE ID: CVE-2023-28932
CVSS Score: 4.4 (Medium)
Researcher/s: Juampa Rodríguez
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/02b5aefe-ba27-4273-927c-7779df83eb18

Quick Paypal Payments <= 5.7.26.3 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Quick Paypal Payments
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1a507489-f337-4b47-9506-daea1b426798

Review Stream <= 1.6.5 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Review Stream
CVE ID: CVE-2023-28774
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1b645d0e-daee-4926-af47-05cacf811fbf

Conditional cart fee / Extra charge rule for WooCommerce extra fees <= 1.0.96 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Conditional cart fee / Extra charge rule for WooCommerce extra fees
CVE ID: CVE-2023-29093
CVSS Score: 4.4 (Medium)
Researcher/s: MyungJu Kim
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/797840ba-5589-42d6-9d50-52bf8c131d6e

Enhanced WP Contact Form <= 2.2.3 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Enhanced WP Contact Form
CVE ID: CVE-2023-23812
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5e91a6bd-05ae-4088-8c1f-bc5598545606

Custom More Link Complete <= 1.4.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Custom More Link Complete
CVE ID: CVE-2023-23788
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/698079d0-b539-431c-98c3-c69d0352d214

Direct checkout, Add to cart redirect for Woocommerce <= 2.1.48 – Authenticated (Administrator+) Stored Cross-Site Scripting

Enhanced WP Contact Form <= 2.2.3 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Enhanced WP Contact Form
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/71548a7f-43a5-4f71-8add-45f675e8aa66

Premmerce Redirect Manager <= 1.0.9 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Premmerce Redirect Manager
CVE ID: CVE-2023-23789
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b2e8f9b7-1fce-46be-8198-eeff58a563c6

Wp Ultimate Review <= 2.0.3 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Wp Ultimate Review
CVE ID: CVE-2023-28751
CVSS Score: 4.4 (Medium)
Researcher/s: qilin_99
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c198008f-271e-431e-beb9-3a9f93cbbf8e

Social Proof (Testimonial) Slider <= 2.2.3 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Social Proof (Testimonial) Slider
CVE ID: CVE-2023-24389
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e324cd49-beaf-44bf-8890-5377731f0cc5

Order date time for WooCommerce <= 3.0.19 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Order date, Order pickup, Order date time, Pickup Location, delivery date for WooCommerce
CVE ID: CVE-2023-28991
CVSS Score: 4.4 (Medium)
Researcher/s: MyungJu Kim
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f19006a0-6848-467b-90ed-33b3ebd2c7ba

Pagination by BestWebSoft <= 1.2.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Pagination by BestWebSoft – Customizable WordPress Content Splitter and Navigation Plugin
CVE ID: CVE-2023-28778
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ffbb85c5-e949-4c0f-8c02-2c022b802e05

Maps Widget for Google Maps <= 4.23 – Cross-Site Request Forgery via dismiss_notice

Affected Software: Maps Widget for Google Maps
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0472804e-00cc-4c4c-97aa-86f433f65782

Feed Them Social <= 4.0.7 – Cross-Site Request Forgery

Affected Software: Feed Them Social – Page, Post, Video, and Photo Galleries
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/057ab824-8071-4c3c-9a57-f9a0043a9ad5

Advanced Local Pickup for WooCommerce <= 1.5.2 – Missing Authorization

Affected Software: Advanced Local Pickup for WooCommerce
CVE ID: CVE-2022-40702
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/05ff8080-59e5-4d48-a69b-275a89eef758

Configurable Tag Cloud <= 5.2 – Cross-Site Request Forgery via ctc_options_page()

Affected Software: Configurable Tag Cloud (CTC)
CVE ID: CVE-2023-28995
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0775b36b-d543-41f9-a20d-f629b40c70d7

Advanced Local Pickup for WooCommerce <= 1.5.2 – Cross-Site Request Forgery

Affected Software: Advanced Local Pickup for WooCommerce
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0b3fa78c-d97f-43bf-b3e9-47d6aa41b458

WP OnlineSupport, Essential Plugin Popup Anything <= 2.2.1 – Cross Site Request Forgery

Affected Software: Popup Anything – A Marketing Popup and Lead Generation Conversions
CVE ID: CVE-2022-38077
CVSS Score: 4.3 (Medium)
Researcher/s: muhga
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/11ea3e40-8802-43ea-9816-973a15d7904d

Happy Addons for Elementor <= 3.8.2 – Cross-Site Request Forgery via handle_optin_optout()

Affected Software: Happy Addons for Elementor
CVE ID: CVE-2023-28989
CVSS Score: 4.3 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/27439d44-f2ff-4c20-965f-25d12c83781c

Viral Mag <= 1.0.9 – Missing Authorization to Arbitrary Plugin Activation

Affected Software: Viral Mag
CVE ID: CVE-2023-28990
CVSS Score: 4.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/48aa5be8-a5d9-4f5e-ba30-d6afb3f0fee0

Trending/Popular Post Slider and Widget <= 1.5.7 – Cross-Site Request Forgery via wtpsw_post_view_count

Affected Software: Trending/Popular Post Slider and Widget
CVE ID: CVE-2022-46846
CVSS Score: 4.3 (Medium)
Researcher/s: Cat
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4a0cffca-94d8-46b8-8b84-57e76a5bfd94

Zippy <= 1.6.1 – Authenticated (Contributor+) Sensitive Information Disclosure

Affected Software: Zippy
CVE ID: CVE-2023-26533
CVSS Score: 4.3 (Medium)
Researcher/s: Junsu Yeo
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4c306428-8880-483f-be3a-6f6b87e55eef

WP VR <= 8.2.9 – Missing Authorization

Affected Software: WP VR – 360 Panorama and Virtual Tour Builder For WordPress
CVE ID: CVE-2023-1414
CVSS Score: 4.3 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/54b495e8-f641-444d-a3d4-a54bb0836c40

Premmerce Redirect Manager <= 1.0.9 – Cross-Site Request Forgery via deleteRedirect()

Affected Software: Premmerce Redirect Manager
CVE ID: CVE-2023-23787
CVSS Score: 4.3 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6d84fa60-f780-41e2-96dc-57057c646e01

Welcome Bar <= 2.0.3 – Cross-Site Request Forgery

Affected Software: Welcome Bar
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/82a26836-44fc-47cf-ad09-bd3d264e8635

Wp Ultimate Review <= 2.0.3 – Cross-Site Request Forgery

Affected Software: Wp Ultimate Review
CVE ID: CVE-2023-28987
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/892372c9-380c-43b2-b928-b5964574c414

Welcome Bar <= 2.0.3 – Missing Authorization

Affected Software: Welcome Bar
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/98730677-200b-4b1a-8568-7af8b2b0e94b

WishSuite <= 1.3.3 – Cross-Site Request Forgery via plugin_activation()

Affected Software: WishSuite – Wishlist for WooCommerce
CVE ID: CVE-2023-23731
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a2f3fcd1-6dff-409b-b8c1-46c5485980ee

Advanced Shipment Tracking for WooCommerce <= 3.5.2 – Cross-Site Request Forgery via paginate_shipping_provider_list and filter_shipping_provider_list

Affected Software: Advanced Shipment Tracking for WooCommerce
CVE ID: CVE-2022-41635
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b55a80ed-5e27-4087-a792-e78066a41399

Really Simple Google Tag Manager <= 1.0.6 – Cross-Site Request Forgery via plugin_activation

Affected Software: Really Simple Google Tag Manager
CVE ID: CVE-2023-23801
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c579825b-e92e-48d2-925e-d1fc81374c4a

Affiliates Manager <= 2.9.20 – Cross-Site Request Forgery via process_bulk_action()

Affected Software: Affiliates Manager
CVE ID: CVE-2023-28986
CVSS Score: 4.3 (Medium)
Researcher/s: minhtuanact
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d1a6bdc8-ae74-4d0b-9c47-f4bf69158a44

HT Menu <= 1.2.1 – Cross-Site Request Forgery via plugin_activation

Affected Software: HT Menu – WordPress Mega Menu Builder for Elementor
CVE ID: CVE-2023-23791
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/deb2544f-75ac-4d6c-bec7-9f35cfe0028d

Mobile Banner <= 1.5 – Cross-Site Request Forgery leading to Plugin Settings Changes

Affected Software: Mobile Banner
CVE ID: CVE-2023-28930
CVSS Score: 4.3 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e98aa389-9113-4997-8b96-1ca03cdfc235

Simple Author Box <= 2.50 – Cross-Site Request Forgery via save_user_profile

Affected Software: Simple Author Box
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f670b93e-da2e-43e7-a28a-6cacba4df3a1

Swatchly – WooCommerce Variation Swatches for Products <= 1.1.9 – Cross-Site Request Forgery via plugin_activation

As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (Mar 27, 2023 to Apr 2, 2023) appeared first on Wordfence.

Leave a Comment