Last week, there were 97 vulnerabilities disclosed in 63 WordPress Plugins and 5 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 28 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface and vulnerability API are completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
Front End Users <= 3.2.24 – Missing Authorization in Multiple Functions
ACF Quick Edit Fields <= 3.2.2 – Authenticated (Contributor+) Insecure Direct Object Reference
WP Data Access <= 5.3.7 – Authenticated (Subscriber+) Privilege Escalation
Advanced Custom Fields <= 6.0.7 – Authenticated (Contributor+) PHP Object Injection
HappyFiles Pro <= 1.8.1 – Missing Authorization
WP Fastest Cache <= 1.1.2 – Missing Authorization
Formidable Forms <= 6.1.2 – Unauthenticated PHP Object Injection
WAF-RULE-579 – Data redacted while we work with the developer to ensure the vulnerability protected by this WAF rule gets patched.
WAF-RULE-576 – Data redacted while we work with the developer to ensure the vulnerability protected by this WAF rule gets patched.
WAF-RULE-577 – Data redacted while we work with the developer to ensure the vulnerability protected by this WAF rule gets patched.
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.
Total Unpatched & Patched Vulnerabilities Last Week
Patch Status
Number of Vulnerabilities
Unpatched
25
Patched
72
Total Vulnerabilities by CVSS Severity Last Week
Severity Rating
Number of Vulnerabilities
Low Severity
0
Medium Severity
79
High Severity
14
Critical Severity
4
Total Vulnerabilities by CWE Type Last Week
Vulnerability Type by CWE
Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
37
Cross-Site Request Forgery (CSRF)
29
Missing Authorization
17
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
6
Deserialization of Untrusted Data
3
Improper Authorization
2
Incorrect Privilege Assignment
1
Unrestricted Upload of File with Dangerous Type
1
Authorization Bypass Through User-Controlled Key
1
Researchers That Contributed to WordPress Security Last Week
Researcher Name
Number of Vulnerabilities
Mika
7
yuyudhn
3
Erwan LR
3
FearZzZz
2
Elliot
1
jidle
1
xplo1t
1
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
Software Name
Software Slug
Advanced Custom Fields (ACF)
advanced-custom-fields
Ajax Search Lite
ajax-search-lite
Ajax Search Pro
ajax-search-pro
Albo Pretorio On line
albo-pretorio-on-line
Appointment and Event Booking Calendar for WordPress – Amelia
ameliabooking
Call Now Accessibility Button
accessibility-help-button
Cancel order request / Return order / Repeat Order / Reorder for WooCommerce
cancel-order-request-woocommerce
Comment Reply Notification
comment-reply-notification
Comments Ratings
comments-ratings
Connections Business Directory
connections
CopySafe Web Protection
wp-copysafe-web
Cryptocurrency All-in-One
cryptocurrency-prices
Dynamics 365 Integration
integration-dynamics
Easy Sign Up
easy-sign-up
Email Subscription Popup
email-subscribe
Fancy Product Designer
fancy-product-designer
Formidable Forms – Contact Form, Survey, Quiz, Calculator & Custom Form Builder
formidable
Front End Users
front-end-only-users
HT Builder – WordPress Theme Builder for Elementor
ht-builder
Hustle – Email Marketing, Lead Generation, Optins, Popups
wordpress-popup
IFrame Shortcode
flynsarmy-iframe-shortcode
IMPress Listings
wp-listings
Libsyn Publisher Hub
libsyn-podcasting
Limit Login Attempts
limit-login-attempts
Magic Post Thumbnail
magic-post-thumbnail
MapPress Maps for WordPress
mappress-google-maps-for-wordpress
Maps Widget for Google Maps
google-maps-widget
MasterStudy LMS WordPress Plugin – for Online Courses and Education
masterstudy-lms-learning-management-system
MyCryptoCheckout – Bitcoin, Ethereum, and 175+ altcoins for WooCommerce
mycryptocheckout
Optin Forms – Simple List Building Plugin for WordPress
optin-forms
PHP Compatibility Checker
php-compatibility-checker
PixTypes
pixtypes
Product Catalog Simple
post-type-x
Product Enquiry for WooCommerce, WooCommerce product catalog
enquiry-quotation-for-woocommerce
Product Feed PRO for WooCommerce
woo-product-feed-pro
Product page shipping calculator for WooCommerce
product-page-shipping-calculator-for-woocommerce
PropertyHive
propertyhive
Random Text
randomtext
SEOPress – On-site SEO
wp-seopress
SMTP Mailing Queue
smtp-mailing-queue
Simple Job Board
simple-job-board
SimpleModal Contact Form (SMCF)
simplemodal-contact-form-smcf
Site Reviews
site-reviews
Sp*tify Play Button for WordPress
spotify-play-button-for-wordpress
Spreadshop Plugin
spreadshop
StagTools
stagtools
Steveas WP Live Chat Shoutbox
wp-shoutbox-live-chat
Superb Social Media Share Buttons and Follow Buttons for WordPress
superb-social-share-and-follow-buttons
Tiny carousel horizontal slider plus
tiny-carousel-horizontal-slider-plus
Transbank Webpay REST
transbank-webpay-plus-rest
User Registration – Custom Registration Form, Login Form And User Profile For WordPress
user-registration
WCFM Marketplace – Best Multivendor Marketplace for WooCommerce
wc-multivendor-marketplace
WCFM Membership – WooCommerce Memberships for Multivendor Marketplace
wc-multivendor-membership
WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible
wc-frontend-manager
WP Data Access
wp-data-access
WP FEvents Book
wp-fevents-book
WP Fastest Cache
wp-fastest-cache
WPCode – Insert Headers and Footers + Custom Code Snippets – WordPress Code Manager
insert-headers-and-footers
YourChannel: Everything you want in a YouTube plugin.
yourchannel
ZYREX POPUP
popup-zyrex
amr ical events lists
amr-ical-events-list
qTranslate X Cleanup and WPML Import
qtranslate-to-wpml-export
tencentcloud-cos
tencentcloud-cos
WordPress Themes with Reported Vulnerabilities Last Week
Software Name
Software Slug
Houzez
houzez
The7 — Website and eCommerce Builder for WordPress
dt-the7
TheRoof
theroof
Weaver Xtreme
weaver-xtreme
outdoor
outdoor
Vulnerability Details
WCFM Membership <= 2.10.0 – Unauthenticated Privilege Escalation
CVE ID: CVE-2022-4939
CVSS Score: 9.8 (Critical)
Researcher/s: Chloe Chamberland
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0870de2d-bca5-4d57-a07f-877a416ce0d5
Houzez <= 2.8.2 – Unauthenticated SQL Injection
CVE ID: CVE-2023-29432
CVSS Score: 9.8 (Critical)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/64087631-3514-4fec-ad2f-b095d7c727bd
Formidable Forms <= 6.1.2 – Unauthenticated PHP Object Injection
CVE ID: CVE-2023-1405
CVSS Score: 9.8 (Critical)
Researcher/s: Nguyen Huu Do
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7db04a93-a384-4093-8cab-6f1d6822f625
Steveas WP Live Chat Shoutbox <= 1.4.2 – Unauthenticated SQL Injection
CVE ID: CVE-2023-1020
CVSS Score: 9.8 (Critical)
Researcher/s: Simone Onofri, Donato Onofri
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d4e1ca02-4eb5-4a46-99d5-89630f37d9ed
WCFM Marketplace <= 3.4.11 – Missing Authorization
CVE ID: CVE-2022-4935
CVSS Score: 8.8 (High)
Researcher/s: Chloe Chamberland
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/85730e9b-c5da-473c-a324-891c5c9f7ba3
MapPress Maps for WordPress <= 2.85.4 – Authenticated (Contributor+) SQL Injection via get_maps
CVE ID: CVE-2023-26015
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/aab16b6f-4daf-4eb1-9526-dd05b2b41dee
Advanced Custom Fields <= 6.0.7 – Authenticated (Contributor+) PHP Object Injection
CVE ID: CVE-2023-1196
CVSS Score: 8.8 (High)
Researcher/s: Nguyen Huu Do
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b13e1916-2a02-4a91-acf1-6e5d7c55bd57
Fancy Product Designer <= 4.6.9 – Insufficient Authorization to Arbitrary Options Update via fpd_update_options
CVE ID: CVE-2021-4334
CVSS Score: 8.8 (High)
Researcher/s: Ramuel Gall
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ea097cb7-85f4-4b6d-9f29-bc2636993f21
WP Data Access <= 5.3.7 – Authenticated (Subscriber+) Privilege Escalation
CVE ID: CVE-2023-1874
CVSS Score: 7.5 (High)
Researcher/s: Chloe Chamberland
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8f562e33-2aef-46f0-8a65-691155ede9e7
WCFM Membership <= 2.10.0 – Missing Authorization
CVE ID: CVE-2022-4940
CVSS Score: 7.3 (High)
Researcher/s: Chloe Chamberland
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9c6577a2-6722-4d3b-958d-1143dca414cd
CopySafe Web Protection <= 3.13 – Unauthenticated Stored Cross-Site Scripting
CVE ID: CVE-2023-29098
CVSS Score: 7.2 (High)
Researcher/s: Elliot
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/07e110b3-ef10-482d-a564-c9f23631e5f3
Magic Post Thumbnail <= 4.1.10 – Unauthenticated Stored Cross-Site Scripting
CVE ID: CVE-2023-29171
CVSS Score: 7.2 (High)
Researcher/s: minhtuanact
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/08bbde25-bb9a-469c-83de-b680bb501ad6
Steveas WP Live Chat Shoutbox <= 1.4.2 – Unauthenticated Stored Cross-Site Scripting
CVE ID: CVE-2023-0899
CVSS Score: 7.2 (High)
Researcher/s: Simone Onofri, Donato Onofri
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2630dbfe-2e11-4671-9a75-377237ac1ea1
Transbank Webpay REST <= 1.6.6 – Authenticated (Administrator+) SQL Injection via orderby
CVE ID: CVE-2023-27610
CVSS Score: 7.2 (High)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2b737a26-e4ae-4c9f-a98a-a22a31ac4f99
Albo Pretorio Online <= 4.6.1 – Unauthenticated Stored Cross-Site Scripting
CVE ID: CVE-2023-28993
CVSS Score: 7.2 (High)
Researcher/s: Romés Akhan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8fbcd728-d2a2-4787-841d-0ce77356f737
Limit Login Attempts <= 1.7.1 – Unauthenticated Stored Cross-Site Scripting
CVE ID: CVE-2023-1912
CVSS Score: 7.2 (High)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cb8c80fc-3b51-4003-b221-6f02e74bead0
Zyrex Popup <= 1.1 – Authenticated (Admin+) Arbitrary File Upload
CVE ID: CVE-2023-0924
CVSS Score: 7.2 (High)
Researcher/s: Yogesh Verma
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cf992c75-a1ae-49c3-8110-2f3b31b23f6c
Ajax Search Lite <= 4.11 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-1420
CVSS Score: 7.2 (High)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f5e6cb50-8262-406b-b01e-37d62a4bd394
SEOPress <= 6.5.0.2 – Authenticated (Administrator+) PHP Object Injection
CVE ID: CVE Unknown
CVSS Score: 6.6 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/06863974-e428-418b-891a-ade59ee46c4f
Amr Ical Events Lists <= 6.6 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-1021
CVSS Score: 6.6 (Medium)
Researcher/s: Shreya Pohekar
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a4531261-d76e-4419-b915-749c72830608
YourChannel <= 1.2.3 – Missing Authorization to Plugin Settings Reset
CVE ID: CVE-2023-1865
CVSS Score: 6.5 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/34817e32-d5a3-403a-85f0-1d60af8945de
YourChannel <= 1.2.3 – Missing Authorization to Plugin Cache Reset
CVE ID: CVE-2023-1868
CVSS Score: 6.5 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/541d202b-f3ed-44d8-93a6-e158209db885
Front End Users <= 3.2.24 – Missing Authorization to Unauthenticated Registered User Deletion
CVE ID: CVE Unknown
CVSS Score: 6.5 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5ccfafaf-902f-4142-90b3-9f70800eb377
WP FEvents Book <= 0.46 – Authenticated (Subscriber+) Stored Cross-Site Scripting
CVE ID: CVE-2023-1126
CVSS Score: 6.4 (Medium)
Researcher/s: Ameen Alkurdy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/088aead8-37bb-4277-81e0-b7e2c13e9072
IFrame Shortcode <= 1.0.5 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-29436
CVSS Score: 6.4 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3f28b1b2-e751-423e-b4c5-893778eebf3f
Stagtools <= 2.3.6 – Authenticated(Contributor+) Stored Cross-Site Scripting via shortcode
CVE ID: CVE-2023-0891
CVSS Score: 6.4 (Medium)
Researcher/s: xplo1t
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/45754b5b-8f94-4806-a931-bb423450682c
Weaver Xtreme Theme <= 5.0.7 – Authenticated(Contributor+) Stored Cross-Site Scripting via Display Name
CVE ID: CVE-2023-1403
CVSS Score: 6.4 (Medium)
Researcher/s: Ramuel Gall
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5b2bef63-c871-45e4-bb05-12bbba20ca5e
Cryptocurrency All-in-One <= 3.0.19 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-29435
CVSS Score: 6.4 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7492cffe-6e17-4c59-8979-2fa168b4f41d
Easy Sign Up <= 3.4.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-23701
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/af718d65-9f8f-4ed8-80ed-e7ed34169016
WCFM Membership <= 2.10.0 – Cross-Site Request Forgery
CVE ID: CVE-2022-4941
CVSS Score: 6.3 (Medium)
Researcher/s: Chloe Chamberland
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3758db41-a3c5-436a-bb9a-5886f10d1519
WCFM Marketplace <= 3.4.12 – Cross-Site Request Forgery
CVE ID: CVE-2022-4936
CVSS Score: 6.3 (Medium)
Researcher/s: Chloe Chamberland
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5c2cc9a3-cd20-4c9e-baa4-1aea69f84331
Fancy Product Designer <= 4.6.9 – Insufficient Authorization on Mulitple AJAX Actions
CVE ID: CVE-2021-4335
CVSS Score: 6.3 (Medium)
Researcher/s: Ramuel Gall
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/644624d8-c193-4ee6-bc82-7ccda5d7f2ac
WCFM Frontend Manager <= 6.5.13 – Cross-Site Request Forgery
CVE ID: CVE-2022-4938
CVSS Score: 6.3 (Medium)
Researcher/s: Chloe Chamberland
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/798b57ad-0922-435c-8b4d-8a96b388b314
WCFM Frontend Manager <= 6.6.0 – Missing Authorization
CVE ID: CVE-2022-4937
CVSS Score: 6.3 (Medium)
Researcher/s: Chloe Chamberland
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d946d4b5-bed7-4808-b133-783b2dcd7992
WP FEvents Book <= 0.46 – Authenticated (Subscriber+) Insecure Direct Object Reference to Booking Manipulation
CVE ID: CVE-2023-1129
CVSS Score: 6.3 (Medium)
Researcher/s: Ameen Alkurdy
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f63d494c-1d1e-4faa-930a-3fcf2b136182
The7 <= 11.6.0 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-29100
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/24c67243-0452-4820-bfb4-b7ac4804aa4b
TheRoof <= 1.0.3 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-29430
CVSS Score: 6.1 (Medium)
Researcher/s: FearZzZz
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/624d9627-0ffc-409f-beb7-60e80177aa9b
Product Catalog Simple <= 1.6.17 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-29388
CVSS Score: 6.1 (Medium)
Researcher/s: minhtuanact
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6cd58adb-31cd-49e2-9c9d-e248b4b0a778
MyCryptoCheckout <= 2.123 – Reflected Cross-Site Scripting via url
CVE ID: CVE-2023-1546
CVSS Score: 6.1 (Medium)
Researcher/s: Pablo Sanchez
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7633b5cd-0e8f-4744-bfee-d6d54a44c143
Amelia <= 1.0.75 – Unauthenticated Reflected Cross-Site Scripting via ‘code’
CVE ID: CVE-2023-29427
CVSS Score: 6.1 (Medium)
Researcher/s: minhtuanact
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8a41f96d-216f-4e5a-a28d-665b052666fb
PropertyHive <= 1.5.46 – Reflected Cross-Site Scripting via ‘merge_ids’
CVE ID: CVE-2023-29172
CVSS Score: 6.1 (Medium)
Researcher/s: minhtuanact
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9f395100-cf1f-4a3e-a353-1aec6b4e7448
Ajax Search Pro <= 4.26.1 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-1435
CVSS Score: 6.1 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c1a0d54f-08f7-4ec5-8cfe-6c4a6eb26748
Outdoor <= 3.9.6 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-29236
CVSS Score: 6.1 (Medium)
Researcher/s: FearZzZz
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ef60f4c3-e38f-4f95-80cd-5e1f5512ebf5
YourChannel <= 1.2.3 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-1869
CVSS Score: 5.5 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a81d5615-0b96-4d89-a525-7e80a10a9317
YourChannel <= 1.2.3 – Cross-Site Request Forgery to Plugin Channel Reset
CVE ID: CVE-2023-1866
CVSS Score: 5.4 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/45851efe-2584-4b5e-8e4c-24f289d3bc32
YourChannel <= 1.2.3 – Cross-Site Request Forgery to Plugin Settings Change
CVE ID: CVE-2023-1867
CVSS Score: 5.4 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4c20db2d-f73d-4e52-a275-ab1975ae4b17
Random Text <= 0.3.0 – Authenticated (Subscriber+) SQL Injection
CVE ID: CVE-2023-0388
CVSS Score: 5.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6badba6d-1ff1-4d6f-bccf-1f0278edb17d
Connections Business Directory <= 10.4.36 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-29437
CVSS Score: 5.4 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ae40fd4a-8448-48ea-9b31-067643972b44
IMPress Listings <= 2.6.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Listing Fields
CVE ID: CVE-2023-22711
CVSS Score: 5.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d31b9022-ae45-4bc2-b820-fb88faf0796f
YourChannel <= 1.2.3 – Cross-Site Request Forgery to Plugin Language Translation Reset
CVE ID: CVE-2023-1871
CVSS Score: 5.4 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f7ae863c-4638-49ab-bb1f-52346884c3aa
User Registration <= 2.3.2.1 – Missing Authorization via send_test_email
CVE ID: CVE-2023-29429
CVSS Score: 5.3 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a671128a-74e6-4f92-94af-9e5e37ed7b7a
Libsyn Publisher Hub <= 1.3.2 – Sensitive Information Exposure
CVE ID: CVE-2023-25057
CVSS Score: 5.3 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cbafdc15-cf42-4a12-bd79-5c602ce10625
Email Subscription Popup <= 1.2.16 – Reflected Cross-Site Scripting
CVE ID: CVE Unknown
CVSS Score: 4.7 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/63b30d03-43d2-4696-aa36-8b39ec2c4ed0
WPCode <= 2.0.8 – Cross-Site Request Forgery
CVE ID: CVE-2023-1624
CVSS Score: 4.7 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e52c53c1-4f04-4075-9329-d93fabf5a6ce
Tiny carousel horizontal slider plus <= 3.2 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-24418
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/167ae586-1f18-43ac-a7c1-e67a00ce8787
SMTP Mailing Queue <= 1.4.7 – Authenticated (Admin+) Stored Cross-Site Scripting
CVE ID: CVE-2023-1090
CVSS Score: 4.4 (Medium)
Researcher/s: jidle
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1a0ba31d-d2d8-4614-8f77-a041c25c0519
Sp*tify Play Button for WordPress <= 2.07 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-1840
CVSS Score: 4.4 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/308f6887-7c1c-4efd-85e2-b71bb6d26dab
Optin Forms <= 1.3.1 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-29434
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3971c145-6dca-49af-bbb3-7ef4ce51507f
Call Now Accessibility Button <= 1.1 – Authenticated (Administrator+) Cross-Site Scripting
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Taliya Bilal
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/561821b3-e667-428a-9900-e93cab6019b6
Site Reviews <= 6.7.0 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-1525
CVSS Score: 4.4 (Medium)
Researcher/s: Shreya Pohekar
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5c31072d-9921-4bef-809c-b97a1020a2cf
Cancel order request WooCommerce <= 1.3.2 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-29423
CVSS Score: 4.4 (Medium)
Researcher/s: MyungJu Kim
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7f49477f-7a43-489b-8d3c-db8d0efeb596
Product Enquiry for WooCommerce <= 2.2.12 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-29170
CVSS Score: 4.4 (Medium)
Researcher/s: MyungJu Kim
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/889986f8-224e-4af4-a1d2-ef4b04a7e83f
SimpleModal Contact Form (SMCF) <= 1.2.9 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-29438
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d8c19868-49c2-4ee2-883a-93549e65d41a
Maps Widget for Google Maps <= 4.24 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-1913
CVSS Score: 4.4 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/de871598-e4e7-49f6-8530-68243544c06c
Hustle <= 7.6.4 = Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e74be387-1413-49c5-91c6-66e620562b42
Product page shipping calculator for WooCommerce <= 1.3.20 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-29094
CVSS Score: 4.4 (Medium)
Researcher/s: MyungJu Kim
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ed0a37cc-49db-4919-8d0d-cb7739332229
Dynamics 365 Integration <= 1.3.13 – Missing Authorization via init
CVE ID: CVE-2023-29422
CVSS Score: 4.3 (Medium)
Researcher/s: minhtuanact
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/01cc3955-ef2f-4e2b-8dc6-b26f5a3d2f89
WP Fastest Cache <= 1.1.2 – Cross-Site Request Forgery via ‘wpfc_preload_single_save_settings_callback’
CVE ID: CVE-2023-1919
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/024f4058-065b-48b4-a08a-d9732d4375cd
WP Fastest Cache <= 1.1.2 – Cross-Site Request Forgery via ‘wpfc_clear_cache_of_allsites_callback’
CVE ID: CVE-2023-1925
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/096257a4-6ee9-41e1-8a59-4ffcd309f83c
WP Fastest Cache <= 1.1.2 – Cross-Site Request Forgery via ‘wpfc_start_cdn_integration_ajax_request_callback’
CVE ID: CVE-2023-1921
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/17c7c61d-c110-448e-ad8a-bc1c00393524
WP Fastest Cache <= 1.1.2 – Cross-Site Request Forgery via ‘wpfc_preload_single_callback’
CVE ID: CVE-2023-1918
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1c8034ff-cf36-498f-9efc-a4e6bbb92b2c
MasterStudy LMS WordPress Plugin <= 2.9.34 – Missing Authorization via wp_ajax_stm_wpcfto_get_settings
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1ddcd2eb-fd7a-48b7-b9ea-3632d49e9734
WP Fastest Cache <= 1.1.2 – Missing Authorization in ‘wpfc_purgecache_varnish_callback’
CVE ID: CVE-2023-1929
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1e567aec-07e5-494a-936d-93b40d3e3043
Comment Reply Notification <= 1.4 – Cross-Site Request Forgery
CVE ID: CVE-2023-25051
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/27eb0101-b3d1-458d-b7d7-69d92e3a4bb8
PixTypes <= 1.4.14 – Cross-Site Request Forgery
CVE ID: CVE-2023-25487
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2ac7414c-8035-406a-ab1e-94d9f64e52fa
Comments Ratings <= 1.1.6 – Cross-Site Request Forgery
CVE ID: CVE-2023-23704
CVSS Score: 4.3 (Medium)
Researcher/s: yuyudhn
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2bbf9526-1a82-496e-b762-6fa114ba8d46
PHP Compatibility Checker <= 1.5.2 – Cross-Site Request Forgery
CVE ID: CVE-2023-24421
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/41fada19-c697-4078-825b-0bdf6a827b02
qTranslate X Cleanup and WPML Import <= 3.0.1 – Cross-Site Request Forgery via clean_ajx
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/43d534f8-fb1c-4170-a66e-2cef72cd40de
WP Fastest Cache <= 1.1.2 – Cross-Site Request Forgery via ‘wpfc_remove_cdn_integration_ajax_request_callback’
CVE ID: CVE-2023-1923
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/49ba5cfa-c2cc-49ac-b22d-7e36ccca6ac5
WP Fastest Cache <= 1.1.2 – Cross-Site Request Forgery via ‘deleteCssAndJsCacheToolbar’
CVE ID: CVE-2023-1927
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4d3858f5-3f13-400c-acf4-eb3dc3a43308
WP Fastest Cache <= 1.1.2 – Missing Authorization in ‘wpfc_preload_single_callback’
CVE ID: CVE-2023-1928
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/56a90042-a6c0-4487-811b-ced23c97f9f4
Spreadshop Plugin <= 1.6.5 – Cross-Site Request Forgery
CVE ID: CVE-2023-29426
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7f15ac06-b5d3-4265-b69b-1d46b12a0522
tencentcloud-cos <= 1.0.7 – Missing Authorization via AJAX actions
CVE ID: CVE-2023-29433
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/91ea157f-7a74-427f-b1eb-a9187f2d9096
Simple Job Board <= 2.10.3 – Cross-Site Request Forgery via sjb_save_settings_section
CVE ID: CVE-2023-29440
CVSS Score: 4.3 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9bbd528a-94fe-4979-b30f-02c6872db086
WP Fastest Cache <= 1.1.2 – Cross-Site Request Forgery via ‘wpfc_pause_cdn_integration_ajax_request_callback’
CVE ID: CVE-2023-1922
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a1743b26-861e-4a61-80de-b8cc82308228
WP Fastest Cache <= 1.1.2 – Cross-Site Request Forgery via ‘wpfc_toolbar_save_settings_callback’
CVE ID: CVE-2023-1924
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a87f610a-c1ef-4365-bd74-569989587d41
WP Fastest Cache <= 1.1.2 – Missing Authorization in ‘deleteCssAndJsCacheToolbar’
CVE ID: CVE-2023-1931
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b4bb2d72-ff31-4220-acb3-ed17bb9229b5
WP Fastest Cache <= 1.1.2 – Cross-Site Request Forgery via ‘deleteCacheToolbar’
CVE ID: CVE-2023-1926
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b793a4cb-3130-428e-9b61-8ce29fcdaf70
WP Fastest Cache <= 1.1.2 – Missing Authorization in ‘wpfc_clear_cache_of_allsites_callback’
CVE ID: CVE-2023-1930
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bae67a68-4bd1-4b52-b3dd-af0eef014028
qTranslate X Cleanup and WPML Import <= 3.0.1 – Missing Authorization via clean_ajx
CVE ID: CVE-2023-29431
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bbe973a3-a8bf-4037-9067-7cc0987291fe
YourChannel <= 1.2.3 – Cross-Site Request Forgery to Plugin Language Translation Update
CVE ID: CVE-2023-1870
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c1cec0b1-b77c-4d21-a3d2-c79fd3250bb0
Product Feed PRO for WooCommerce <= 12.4.4 – Cross-Site Request Forgery
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c80833c3-8ffc-41a1-8d11-dafa962191fd
WP Fastest Cache <= 1.1.2 – Cross-Site Request Forgery via ‘wpfc_purgecache_varnish_callback’
CVE ID: CVE-2023-1920
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c8e90994-3b5c-4ae6-a27f-890a9101b440
Superb Social Media Share Buttons and Follow Buttons <= 1.1.3 – Missing Authorization via spbsmAjax
CVE ID: CVE-2023-29428
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ca4dead2-c6da-4613-8ce6-13699a7495a1
HT Builder <= 1.2.9 – Cross-Site Request Forgery via plugin_activation
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/df413b9d-5c22-4276-a11b-4f193c48740d
Superb Social Media Share Buttons and Follow Buttons <= 1.1.3 – Cross-Site Request Forgery via spbsmAjax
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: abdi paranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ebea0ec0-f7ee-41c5-b0a5-a78e9cd11d41
Front End Users <= 3.2.24 – Cross-Site Request Forgery
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ee13399f-0fc9-40f3-93f5-34c913d54aa0
As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.
This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
The post Wordfence Intelligence Weekly WordPress Vulnerability Report (Apr 3, 2023 to Apr 9, 2023) appeared first on Wordfence.