Wordfence Intelligence Weekly WordPress Vulnerability Report (Apr 3, 2023 to Apr 9, 2023)

Last week, there were 97 vulnerabilities disclosed in 63 WordPress plugins and 5 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and 28 vulnerability researchers contributed to WordPress security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, including the WordPress community, so individuals and organizations alike can use that data to make the internet more secure. That is why the Wordfence Intelligence user interface and vulnerability API are completely free to access and use, both personally and commercially, and why we are running this weekly vulnerability report.

Click here to sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress security reports in your inbox the moment they are published.

New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

Front End Users <= 3.2.24 – Missing Authorization in Multiple Functions
ACF Quick Edit Fields <= 3.2.2 – Authenticated (Contributor+) Insecure Direct Object Reference
WP Data Access <= 5.3.7 – Authenticated (Subscriber+) Privilege Escalation
Advanced Custom Fields <= 6.0.7 – Authenticated (Contributor+) PHP Object Injection
HappyFiles Pro <= 1.8.1 – Missing Authorization
WP Fastest Cache <= 1.1.2 – Missing Authorization
Formidable Forms <= 6.1.2 – Unauthenticated PHP Object Injection
WAF-RULE-579 – Data redacted while we work with the developer to ensure the vulnerability protected by this WAF rule gets patched.
WAF-RULE-576 – Data redacted while we work with the developer to ensure the vulnerability protected by this WAF rule gets patched.
WAF-RULE-577 – Data redacted while we work with the developer to ensure the vulnerability protected by this WAF rule gets patched.

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30-day delay.

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status | Number of Vulnerabilities
Unpatched | 25
Patched | 72

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating | Number of Vulnerabilities
Low Severity | 0
Medium Severity | 79
High Severity | 14
Critical Severity | 4

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE | Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 37
Cross-Site Request Forgery (CSRF) | 29
Missing Authorization | 17
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 6
Deserialization of Untrusted Data | 3
Improper Authorization | 2
Incorrect Privilege Assignment | 1
Unrestricted Upload of File with Dangerous Type | 1
Authorization Bypass Through User-Controlled Key | 1

Researchers That Contributed to WordPress Security Last Week

Researcher Name | Number of Vulnerabilities
Marco Wotschka | 24
Chloe Chamberland | 8
Mika | 7
minhtuanact | 5
Lana Codes | 5
yuyudhn | 3
Ramuel Gall | 3
MyungJu Kim | 3
Rafshanzani Suhada | 3
Erwan LR | 3
Ameen Alkurdy | 2
Rafie Muhammad | 2
Simone Onofri | 2
Donato Onofri | 2
Rio Darmawan | 2
Shreya Pohekar | 2
FearZzZz | 2
Nguyen Huu Do | 2
Abdi Pranata | 2
Elliot | 1
jidle | 1
xplo1t | 1
Taliya Bilal | 1
Dave Jong | 1
Pablo Sanchez | 1
Romés Akhan | 1
Yogesh Verma | 1
abdi paranata | 1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name | Software Slug
Advanced Custom Fields (ACF) | advanced-custom-fields
Ajax Search Lite | ajax-search-lite
Ajax Search Pro | ajax-search-pro
Albo Pretorio On line | albo-pretorio-on-line
Appointment and Event Booking Calendar for WordPress – Amelia | ameliabooking
Call Now Accessibility Button | accessibility-help-button
Cancel order request / Return order / Repeat Order / Reorder for WooCommerce | cancel-order-request-woocommerce
Comment Reply Notification | comment-reply-notification
Comments Ratings | comments-ratings
Connections Business Directory | connections
CopySafe Web Protection | wp-copysafe-web
Cryptocurrency All-in-One | cryptocurrency-prices
Dynamics 365 Integration | integration-dynamics
Easy Sign Up | easy-sign-up
Email Subscription Popup | email-subscribe
Fancy Product Designer | fancy-product-designer
Formidable Forms – Contact Form, Survey, Quiz, Calculator & Custom Form Builder | formidable
Front End Users | front-end-only-users
HT Builder – WordPress Theme Builder for Elementor | ht-builder
Hustle – Email Marketing, Lead Generation, Optins, Popups | wordpress-popup
IFrame Shortcode | flynsarmy-iframe-shortcode
IMPress Listings | wp-listings
Libsyn Publisher Hub | libsyn-podcasting
Limit Login Attempts | limit-login-attempts
Magic Post Thumbnail | magic-post-thumbnail
MapPress Maps for WordPress | mappress-google-maps-for-wordpress
Maps Widget for Google Maps | google-maps-widget
MasterStudy LMS WordPress Plugin – for Online Courses and Education | masterstudy-lms-learning-management-system
MyCryptoCheckout – Bitcoin, Ethereum, and 175+ altcoins for WooCommerce | mycryptocheckout
Optin Forms – Simple List Building Plugin for WordPress | optin-forms
PHP Compatibility Checker | php-compatibility-checker
PixTypes | pixtypes
Product Catalog Simple | post-type-x
Product Enquiry for WooCommerce, WooCommerce product catalog | enquiry-quotation-for-woocommerce
Product Feed PRO for WooCommerce | woo-product-feed-pro
Product page shipping calculator for WooCommerce | product-page-shipping-calculator-for-woocommerce
PropertyHive | propertyhive
Random Text | randomtext
SEOPress – On-site SEO | wp-seopress
SMTP Mailing Queue | smtp-mailing-queue
Simple Job Board | simple-job-board
SimpleModal Contact Form (SMCF) | simplemodal-contact-form-smcf
Site Reviews | site-reviews
Sp*tify Play Button for WordPress | spotify-play-button-for-wordpress
Spreadshop Plugin | spreadshop
StagTools | stagtools
Steveas WP Live Chat Shoutbox | wp-shoutbox-live-chat
Superb Social Media Share Buttons and Follow Buttons for WordPress | superb-social-share-and-follow-buttons
Tiny carousel horizontal slider plus | tiny-carousel-horizontal-slider-plus
Transbank Webpay REST | transbank-webpay-plus-rest
User Registration – Custom Registration Form, Login Form And User Profile For WordPress | user-registration
WCFM Marketplace – Best Multivendor Marketplace for WooCommerce | wc-multivendor-marketplace
WCFM Membership – WooCommerce Memberships for Multivendor Marketplace | wc-multivendor-membership
WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible | wc-frontend-manager
WP Data Access | wp-data-access
WP FEvents Book | wp-fevents-book
WP Fastest Cache | wp-fastest-cache
WPCode – Insert Headers and Footers + Custom Code Snippets – WordPress Code Manager | insert-headers-and-footers
YourChannel: Everything you want in a YouTube plugin. | yourchannel
ZYREX POPUP | popup-zyrex
amr ical events lists | amr-ical-events-list
qTranslate X Cleanup and WPML Import | qtranslate-to-wpml-export
tencentcloud-cos | tencentcloud-cos

WordPress Themes with Reported Vulnerabilities Last Week

Software Name | Software Slug
Houzez | houzez
The7 — Website and eCommerce Builder for WordPress | dt-the7
TheRoof | theroof
Weaver Xtreme | weaver-xtreme
outdoor | outdoor

Vulnerability Details

WCFM Membership <= 2.10.0 – Unauthenticated Privilege Escalation

Affected Software: WCFM Membership – WooCommerce Memberships for Multivendor Marketplace
CVE ID: CVE-2022-4939
CVSS Score: 9.8 (Critical)
Researcher/s: Chloe Chamberland
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0870de2d-bca5-4d57-a07f-877a416ce0d5

Houzez <= 2.8.2 – Unauthenticated SQL Injection

Affected Software: Houzez
CVE ID: CVE-2023-29432
CVSS Score: 9.8 (Critical)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/64087631-3514-4fec-ad2f-b095d7c727bd

Formidable Forms <= 6.1.2 – Unauthenticated PHP Object Injection

Affected Software: Formidable Forms – Contact Form, Survey, Quiz, Calculator & Custom Form Builder
CVE ID: CVE-2023-1405
CVSS Score: 9.8 (Critical)
Researcher/s: Nguyen Huu Do
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7db04a93-a384-4093-8cab-6f1d6822f625

Steveas WP Live Chat Shoutbox <= 1.4.2 – Unauthenticated SQL Injection

Affected Software: Steveas WP Live Chat Shoutbox
CVE ID: CVE-2023-1020
CVSS Score: 9.8 (Critical)
Researcher/s: Simone Onofri, Donato Onofri
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d4e1ca02-4eb5-4a46-99d5-89630f37d9ed

WCFM Marketplace <= 3.4.11 – Missing Authorization

Affected Software: WCFM Marketplace – Best Multivendor Marketplace for WooCommerce
CVE ID: CVE-2022-4935
CVSS Score: 8.8 (High)
Researcher/s: Chloe Chamberland
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/85730e9b-c5da-473c-a324-891c5c9f7ba3

MapPress Maps for WordPress <= 2.85.4 – Authenticated (Contributor+) SQL Injection via get_maps

Affected Software: MapPress Maps for WordPress
CVE ID: CVE-2023-26015
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/aab16b6f-4daf-4eb1-9526-dd05b2b41dee

Advanced Custom Fields <= 6.0.7 – Authenticated (Contributor+) PHP Object Injection

Affected Software: Advanced Custom Fields (ACF)
CVE ID: CVE-2023-1196
CVSS Score: 8.8 (High)
Researcher/s: Nguyen Huu Do
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b13e1916-2a02-4a91-acf1-6e5d7c55bd57

Fancy Product Designer <= 4.6.9 – Insufficient Authorization to Arbitrary Options Update via fpd_update_options

Affected Software: Fancy Product Designer
CVE ID: CVE-2021-4334
CVSS Score: 8.8 (High)
Researcher/s: Ramuel Gall
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ea097cb7-85f4-4b6d-9f29-bc2636993f21

WP Data Access <= 5.3.7 – Authenticated (Subscriber+) Privilege Escalation

Affected Software: WP Data Access
CVE ID: CVE-2023-1874
CVSS Score: 7.5 (High)
Researcher/s: Chloe Chamberland
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8f562e33-2aef-46f0-8a65-691155ede9e7

WCFM Membership <= 2.10.0 – Missing Authorization

Affected Software: WCFM Membership – WooCommerce Memberships for Multivendor Marketplace
CVE ID: CVE-2022-4940
CVSS Score: 7.3 (High)
Researcher/s: Chloe Chamberland
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9c6577a2-6722-4d3b-958d-1143dca414cd

CopySafe Web Protection <= 3.13 – Unauthenticated Stored Cross-Site Scripting

Affected Software: CopySafe Web Protection
CVE ID: CVE-2023-29098
CVSS Score: 7.2 (High)
Researcher/s: Elliot
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/07e110b3-ef10-482d-a564-c9f23631e5f3

Magic Post Thumbnail <= 4.1.10 – Unauthenticated Stored Cross-Site Scripting

Affected Software: Magic Post Thumbnail
CVE ID: CVE-2023-29171
CVSS Score: 7.2 (High)
Researcher/s: minhtuanact
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/08bbde25-bb9a-469c-83de-b680bb501ad6

Steveas WP Live Chat Shoutbox <= 1.4.2 – Unauthenticated Stored Cross-Site Scripting

Affected Software: Steveas WP Live Chat Shoutbox
CVE ID: CVE-2023-0899
CVSS Score: 7.2 (High)
Researcher/s: Simone Onofri, Donato Onofri
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2630dbfe-2e11-4671-9a75-377237ac1ea1

Transbank Webpay REST <= 1.6.6 – Authenticated (Administrator+) SQL Injection via orderby

Affected Software: Transbank Webpay REST
CVE ID: CVE-2023-27610
CVSS Score: 7.2 (High)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2b737a26-e4ae-4c9f-a98a-a22a31ac4f99

Albo Pretorio Online <= 4.6.1 – Unauthenticated Stored Cross-Site Scripting

Affected Software: Albo Pretorio On line
CVE ID: CVE-2023-28993
CVSS Score: 7.2 (High)
Researcher/s: Romés Akhan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8fbcd728-d2a2-4787-841d-0ce77356f737

Limit Login Attempts <= 1.7.1 – Unauthenticated Stored Cross-Site Scripting

Affected Software: Limit Login Attempts
CVE ID: CVE-2023-1912
CVSS Score: 7.2 (High)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cb8c80fc-3b51-4003-b221-6f02e74bead0

Zyrex Popup <= 1.1 – Authenticated (Admin+) Arbitrary File Upload

Affected Software: ZYREX POPUP
CVE ID: CVE-2023-0924
CVSS Score: 7.2 (High)
Researcher/s: Yogesh Verma
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cf992c75-a1ae-49c3-8110-2f3b31b23f6c

Ajax Search Lite <= 4.11 – Reflected Cross-Site Scripting

Affected Software: Ajax Search Lite
CVE ID: CVE-2023-1420
CVSS Score: 7.2 (High)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f5e6cb50-8262-406b-b01e-37d62a4bd394

SEOPress <= 6.5.0.2 – Authenticated (Administrator+) PHP Object Injection

Affected Software: SEOPress – On-site SEO
CVE ID: CVE Unknown
CVSS Score: 6.6 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/06863974-e428-418b-891a-ade59ee46c4f

Amr Ical Events Lists <= 6.6 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: amr ical events lists
CVE ID: CVE-2023-1021
CVSS Score: 6.6 (Medium)
Researcher/s: Shreya Pohekar
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a4531261-d76e-4419-b915-749c72830608

YourChannel <= 1.2.3 – Missing Authorization to Plugin Settings Reset

Affected Software: YourChannel: Everything you want in a YouTube plugin.
CVE ID: CVE-2023-1865
CVSS Score: 6.5 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/34817e32-d5a3-403a-85f0-1d60af8945de

YourChannel <= 1.2.3 – Missing Authorization to Plugin Cache Reset

Affected Software: YourChannel: Everything you want in a YouTube plugin.
CVE ID: CVE-2023-1868
CVSS Score: 6.5 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/541d202b-f3ed-44d8-93a6-e158209db885

Front End Users <= 3.2.24 – Missing Authorization to Unauthenticated Registered User Deletion

Affected Software: Front End Users
CVE ID: CVE Unknown
CVSS Score: 6.5 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5ccfafaf-902f-4142-90b3-9f70800eb377

WP FEvents Book <= 0.46 – Authenticated (Subscriber+) Stored Cross-Site Scripting

Affected Software: WP FEvents Book
CVE ID: CVE-2023-1126
CVSS Score: 6.4 (Medium)
Researcher/s: Ameen Alkurdy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/088aead8-37bb-4277-81e0-b7e2c13e9072

IFrame Shortcode <= 1.0.5 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: IFrame Shortcode
CVE ID: CVE-2023-29436
CVSS Score: 6.4 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3f28b1b2-e751-423e-b4c5-893778eebf3f

Stagtools <= 2.3.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Affected Software: StagTools
CVE ID: CVE-2023-0891
CVSS Score: 6.4 (Medium)
Researcher/s: xplo1t
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/45754b5b-8f94-4806-a931-bb423450682c

Weaver Xtreme Theme <= 5.0.7 – Authenticated (Contributor+) Stored Cross-Site Scripting via Display Name

Affected Software: Weaver Xtreme
CVE ID: CVE-2023-1403
CVSS Score: 6.4 (Medium)
Researcher/s: Ramuel Gall
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5b2bef63-c871-45e4-bb05-12bbba20ca5e

Cryptocurrency All-in-One <= 3.0.19 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Cryptocurrency All-in-One
CVE ID: CVE-2023-29435
CVSS Score: 6.4 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7492cffe-6e17-4c59-8979-2fa168b4f41d

Easy Sign Up <= 3.4.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Easy Sign Up
CVE ID: CVE-2023-23701
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/af718d65-9f8f-4ed8-80ed-e7ed34169016

WCFM Membership <= 2.10.0 – Cross-Site Request Forgery

Affected Software: WCFM Membership – WooCommerce Memberships for Multivendor Marketplace
CVE ID: CVE-2022-4941
CVSS Score: 6.3 (Medium)
Researcher/s: Chloe Chamberland
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3758db41-a3c5-436a-bb9a-5886f10d1519

WCFM Marketplace <= 3.4.12 – Cross-Site Request Forgery

Affected Software: WCFM Marketplace – Best Multivendor Marketplace for WooCommerce
CVE ID: CVE-2022-4936
CVSS Score: 6.3 (Medium)
Researcher/s: Chloe Chamberland
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5c2cc9a3-cd20-4c9e-baa4-1aea69f84331

Fancy Product Designer <= 4.6.9 – Insufficient Authorization on Multiple AJAX Actions

Affected Software: Fancy Product Designer
CVE ID: CVE-2021-4335
CVSS Score: 6.3 (Medium)
Researcher/s: Ramuel Gall
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/644624d8-c193-4ee6-bc82-7ccda5d7f2ac

WCFM Frontend Manager <= 6.5.13 – Cross-Site Request Forgery

WCFM Frontend Manager <= 6.6.0 – Missing Authorization

WP FEvents Book <= 0.46 – Authenticated (Subscriber+) Insecure Direct Object Reference to Booking Manipulation

Affected Software: WP FEvents Book
CVE ID: CVE-2023-1129
CVSS Score: 6.3 (Medium)
Researcher/s: Ameen Alkurdy
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f63d494c-1d1e-4faa-930a-3fcf2b136182

The7 <= 11.6.0 – Reflected Cross-Site Scripting

Affected Software: The7 — Website and eCommerce Builder for WordPress
CVE ID: CVE-2023-29100
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/24c67243-0452-4820-bfb4-b7ac4804aa4b

TheRoof <= 1.0.3 – Reflected Cross-Site Scripting

Affected Software: TheRoof
CVE ID: CVE-2023-29430
CVSS Score: 6.1 (Medium)
Researcher/s: FearZzZz
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/624d9627-0ffc-409f-beb7-60e80177aa9b

Product Catalog Simple <= 1.6.17 – Reflected Cross-Site Scripting

Affected Software: Product Catalog Simple
CVE ID: CVE-2023-29388
CVSS Score: 6.1 (Medium)
Researcher/s: minhtuanact
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6cd58adb-31cd-49e2-9c9d-e248b4b0a778

MyCryptoCheckout <= 2.123 – Reflected Cross-Site Scripting via url

Affected Software: MyCryptoCheckout – Bitcoin, Ethereum, and 175+ altcoins for WooCommerce
CVE ID: CVE-2023-1546
CVSS Score: 6.1 (Medium)
Researcher/s: Pablo Sanchez
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7633b5cd-0e8f-4744-bfee-d6d54a44c143

Amelia <= 1.0.75 – Unauthenticated Reflected Cross-Site Scripting via ‘code’

Affected Software: Appointment and Event Booking Calendar for WordPress – Amelia
CVE ID: CVE-2023-29427
CVSS Score: 6.1 (Medium)
Researcher/s: minhtuanact
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8a41f96d-216f-4e5a-a28d-665b052666fb

PropertyHive <= 1.5.46 – Reflected Cross-Site Scripting via ‘merge_ids’

Affected Software: PropertyHive
CVE ID: CVE-2023-29172
CVSS Score: 6.1 (Medium)
Researcher/s: minhtuanact
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9f395100-cf1f-4a3e-a353-1aec6b4e7448

Ajax Search Pro <= 4.26.1 – Reflected Cross-Site Scripting

Affected Software: Ajax Search Pro
CVE ID: CVE-2023-1435
CVSS Score: 6.1 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c1a0d54f-08f7-4ec5-8cfe-6c4a6eb26748

Outdoor <= 3.9.6 – Reflected Cross-Site Scripting

Affected Software: outdoor
CVE ID: CVE-2023-29236
CVSS Score: 6.1 (Medium)
Researcher/s: FearZzZz
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ef60f4c3-e38f-4f95-80cd-5e1f5512ebf5

YourChannel <= 1.2.3 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: YourChannel: Everything you want in a YouTube plugin.
CVE ID: CVE-2023-1869
CVSS Score: 5.5 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a81d5615-0b96-4d89-a525-7e80a10a9317

YourChannel <= 1.2.3 – Cross-Site Request Forgery to Plugin Channel Reset

Affected Software: YourChannel: Everything you want in a YouTube plugin.
CVE ID: CVE-2023-1866
CVSS Score: 5.4 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/45851efe-2584-4b5e-8e4c-24f289d3bc32

YourChannel <= 1.2.3 – Cross-Site Request Forgery to Plugin Settings Change

Affected Software: YourChannel: Everything you want in a YouTube plugin.
CVE ID: CVE-2023-1867
CVSS Score: 5.4 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4c20db2d-f73d-4e52-a275-ab1975ae4b17

Random Text <= 0.3.0 – Authenticated (Subscriber+) SQL Injection

Affected Software: Random Text
CVE ID: CVE-2023-0388
CVSS Score: 5.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6badba6d-1ff1-4d6f-bccf-1f0278edb17d

Connections Business Directory <= 10.4.36 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Connections Business Directory
CVE ID: CVE-2023-29437
CVSS Score: 5.4 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ae40fd4a-8448-48ea-9b31-067643972b44

IMPress Listings <= 2.6.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Listing Fields

Affected Software: IMPress Listings
CVE ID: CVE-2023-22711
CVSS Score: 5.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d31b9022-ae45-4bc2-b820-fb88faf0796f

YourChannel <= 1.2.3 – Cross-Site Request Forgery to Plugin Language Translation Reset

Affected Software: YourChannel: Everything you want in a YouTube plugin.
CVE ID: CVE-2023-1871
CVSS Score: 5.4 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f7ae863c-4638-49ab-bb1f-52346884c3aa

User Registration <= 2.3.2.1 – Missing Authorization via send_test_email

Libsyn Publisher Hub <= 1.3.2 – Sensitive Information Exposure

Affected Software: Libsyn Publisher Hub
CVE ID: CVE-2023-25057
CVSS Score: 5.3 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cbafdc15-cf42-4a12-bd79-5c602ce10625

Email Subscription Popup <= 1.2.16 – Reflected Cross-Site Scripting

Affected Software: Email Subscription Popup
CVE ID: CVE Unknown
CVSS Score: 4.7 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/63b30d03-43d2-4696-aa36-8b39ec2c4ed0

WPCode <= 2.0.8 – Cross-Site Request Forgery

Affected Software: WPCode – Insert Headers and Footers + Custom Code Snippets – WordPress Code Manager
CVE ID: CVE-2023-1624
CVSS Score: 4.7 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e52c53c1-4f04-4075-9329-d93fabf5a6ce

Tiny carousel horizontal slider plus <= 3.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Tiny carousel horizontal slider plus
CVE ID: CVE-2023-24418
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/167ae586-1f18-43ac-a7c1-e67a00ce8787

SMTP Mailing Queue <= 1.4.7 – Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: SMTP Mailing Queue
CVE ID: CVE-2023-1090
CVSS Score: 4.4 (Medium)
Researcher/s: jidle
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1a0ba31d-d2d8-4614-8f77-a041c25c0519

Sp*tify Play Button for WordPress <= 2.07 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Sp*tify Play Button for WordPress
CVE ID: CVE-2023-1840
CVSS Score: 4.4 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/308f6887-7c1c-4efd-85e2-b71bb6d26dab

Optin Forms <= 1.3.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Optin Forms – Simple List Building Plugin for WordPress
CVE ID: CVE-2023-29434
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3971c145-6dca-49af-bbb3-7ef4ce51507f

Call Now Accessibility Button <= 1.1 – Authenticated (Administrator+) Cross-Site Scripting

Affected Software: Call Now Accessibility Button
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Taliya Bilal
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/561821b3-e667-428a-9900-e93cab6019b6

Site Reviews <= 6.7.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Site Reviews
CVE ID: CVE-2023-1525
CVSS Score: 4.4 (Medium)
Researcher/s: Shreya Pohekar
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5c31072d-9921-4bef-809c-b97a1020a2cf

Cancel order request WooCommerce <= 1.3.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Cancel order request / Return order / Repeat Order / Reorder for WooCommerce
CVE ID: CVE-2023-29423
CVSS Score: 4.4 (Medium)
Researcher/s: MyungJu Kim
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7f49477f-7a43-489b-8d3c-db8d0efeb596

Product Enquiry for WooCommerce <= 2.2.12 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Product Enquiry for WooCommerce, WooCommerce product catalog
CVE ID: CVE-2023-29170
CVSS Score: 4.4 (Medium)
Researcher/s: MyungJu Kim
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/889986f8-224e-4af4-a1d2-ef4b04a7e83f

SimpleModal Contact Form (SMCF) <= 1.2.9 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: SimpleModal Contact Form (SMCF)
CVE ID: CVE-2023-29438
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d8c19868-49c2-4ee2-883a-93549e65d41a

Maps Widget for Google Maps <= 4.24 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Maps Widget for Google Maps
CVE ID: CVE-2023-1913
CVSS Score: 4.4 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/de871598-e4e7-49f6-8530-68243544c06c

Hustle <= 7.6.4 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Hustle – Email Marketing, Lead Generation, Optins, Popups
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e74be387-1413-49c5-91c6-66e620562b42

Product page shipping calculator for WooCommerce <= 1.3.20 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Product page shipping calculator for WooCommerce
CVE ID: CVE-2023-29094
CVSS Score: 4.4 (Medium)
Researcher/s: MyungJu Kim
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ed0a37cc-49db-4919-8d0d-cb7739332229

Dynamics 365 Integration <= 1.3.13 – Missing Authorization via init

Affected Software: Dynamics 365 Integration
CVE ID: CVE-2023-29422
CVSS Score: 4.3 (Medium)
Researcher/s: minhtuanact
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/01cc3955-ef2f-4e2b-8dc6-b26f5a3d2f89

WP Fastest Cache <= 1.1.2 – Cross-Site Request Forgery via ‘wpfc_preload_single_save_settings_callback’

Affected Software: WP Fastest Cache
CVE ID: CVE-2023-1919
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/024f4058-065b-48b4-a08a-d9732d4375cd

WP Fastest Cache <= 1.1.2 – Cross-Site Request Forgery via ‘wpfc_clear_cache_of_allsites_callback’

Affected Software: WP Fastest Cache
CVE ID: CVE-2023-1925
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/096257a4-6ee9-41e1-8a59-4ffcd309f83c

WP Fastest Cache <= 1.1.2 – Cross-Site Request Forgery via ‘wpfc_start_cdn_integration_ajax_request_callback’

Affected Software: WP Fastest Cache
CVE ID: CVE-2023-1921
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/17c7c61d-c110-448e-ad8a-bc1c00393524

WP Fastest Cache <= 1.1.2 – Cross-Site Request Forgery via ‘wpfc_preload_single_callback’

Affected Software: WP Fastest Cache
CVE ID: CVE-2023-1918
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1c8034ff-cf36-498f-9efc-a4e6bbb92b2c

MasterStudy LMS WordPress Plugin <= 2.9.34 – Missing Authorization via wp_ajax_stm_wpcfto_get_settings

Affected Software: MasterStudy LMS WordPress Plugin – for Online Courses and Education
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1ddcd2eb-fd7a-48b7-b9ea-3632d49e9734

WP Fastest Cache <= 1.1.2 – Missing Authorization in ‘wpfc_purgecache_varnish_callback’

Affected Software: WP Fastest Cache
CVE ID: CVE-2023-1929
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1e567aec-07e5-494a-936d-93b40d3e3043

Comment Reply Notification <= 1.4 – Cross-Site Request Forgery

Affected Software: Comment Reply Notification
CVE ID: CVE-2023-25051
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/27eb0101-b3d1-458d-b7d7-69d92e3a4bb8

PixTypes <= 1.4.14 – Cross-Site Request Forgery

Affected Software: PixTypes
CVE ID: CVE-2023-25487
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2ac7414c-8035-406a-ab1e-94d9f64e52fa

Comments Ratings <= 1.1.6 – Cross-Site Request Forgery

Affected Software: Comments Ratings
CVE ID: CVE-2023-23704
CVSS Score: 4.3 (Medium)
Researcher/s: yuyudhn
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2bbf9526-1a82-496e-b762-6fa114ba8d46

PHP Compatibility Checker <= 1.5.2 – Cross-Site Request Forgery

Affected Software: PHP Compatibility Checker
CVE ID: CVE-2023-24421
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/41fada19-c697-4078-825b-0bdf6a827b02

qTranslate X Cleanup and WPML Import <= 3.0.1 – Cross-Site Request Forgery via clean_ajx

Affected Software: qTranslate X Cleanup and WPML Import
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/43d534f8-fb1c-4170-a66e-2cef72cd40de

WP Fastest Cache <= 1.1.2 – Cross-Site Request Forgery via ‘wpfc_remove_cdn_integration_ajax_request_callback’

Affected Software: WP Fastest Cache
CVE ID: CVE-2023-1923
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/49ba5cfa-c2cc-49ac-b22d-7e36ccca6ac5

WP Fastest Cache <= 1.1.2 – Cross-Site Request Forgery via ‘deleteCssAndJsCacheToolbar’

Affected Software: WP Fastest Cache
CVE ID: CVE-2023-1927
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4d3858f5-3f13-400c-acf4-eb3dc3a43308

WP Fastest Cache <= 1.1.2 – Missing Authorization in ‘wpfc_preload_single_callback’

Affected Software: WP Fastest Cache
CVE ID: CVE-2023-1928
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/56a90042-a6c0-4487-811b-ced23c97f9f4

Spreadshop Plugin <= 1.6.5 – Cross-Site Request Forgery

Affected Software: Spreadshop Plugin
CVE ID: CVE-2023-29426
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7f15ac06-b5d3-4265-b69b-1d46b12a0522

tencentcloud-cos <= 1.0.7 – Missing Authorization via AJAX actions

Affected Software: tencentcloud-cos
CVE ID: CVE-2023-29433
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/91ea157f-7a74-427f-b1eb-a9187f2d9096

Simple Job Board <= 2.10.3 – Cross-Site Request Forgery via sjb_save_settings_section

Affected Software: Simple Job Board
CVE ID: CVE-2023-29440
CVSS Score: 4.3 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9bbd528a-94fe-4979-b30f-02c6872db086

WP Fastest Cache <= 1.1.2 – Cross-Site Request Forgery via ‘wpfc_pause_cdn_integration_ajax_request_callback’

Affected Software: WP Fastest Cache
CVE ID: CVE-2023-1922
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a1743b26-861e-4a61-80de-b8cc82308228

WP Fastest Cache <= 1.1.2 – Cross-Site Request Forgery via ‘wpfc_toolbar_save_settings_callback’

Affected Software: WP Fastest Cache
CVE ID: CVE-2023-1924
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a87f610a-c1ef-4365-bd74-569989587d41

WP Fastest Cache <= 1.1.2 – Missing Authorization in ‘deleteCssAndJsCacheToolbar’

Affected Software: WP Fastest Cache
CVE ID: CVE-2023-1931
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b4bb2d72-ff31-4220-acb3-ed17bb9229b5

WP Fastest Cache <= 1.1.2 – Cross-Site Request Forgery via ‘deleteCacheToolbar’

Affected Software: WP Fastest Cache
CVE ID: CVE-2023-1926
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b793a4cb-3130-428e-9b61-8ce29fcdaf70

WP Fastest Cache <= 1.1.2 – Missing Authorization in ‘wpfc_clear_cache_of_allsites_callback’

Affected Software: WP Fastest Cache
CVE ID: CVE-2023-1930
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bae67a68-4bd1-4b52-b3dd-af0eef014028

qTranslate X Cleanup and WPML Import <= 3.0.1 – Missing Authorization via clean_ajx

Affected Software: qTranslate X Cleanup and WPML Import
CVE ID: CVE-2023-29431
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bbe973a3-a8bf-4037-9067-7cc0987291fe

YourChannel <= 1.2.3 – Cross-Site Request Forgery to Plugin Language Translation Update

Affected Software: YourChannel: Everything you want in a YouTube plugin.
CVE ID: CVE-2023-1870
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c1cec0b1-b77c-4d21-a3d2-c79fd3250bb0

Product Feed PRO for WooCommerce <= 12.4.4 – Cross-Site Request Forgery

Affected Software: Product Feed PRO for WooCommerce
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c80833c3-8ffc-41a1-8d11-dafa962191fd

WP Fastest Cache <= 1.1.2 – Cross-Site Request Forgery via ‘wpfc_purgecache_varnish_callback’

Affected Software: WP Fastest Cache
CVE ID: CVE-2023-1920
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c8e90994-3b5c-4ae6-a27f-890a9101b440

Superb Social Media Share Buttons and Follow Buttons <= 1.1.3 – Missing Authorization via spbsmAjax

Affected Software: Superb Social Media Share Buttons and Follow Buttons for WordPress
CVE ID: CVE-2023-29428
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ca4dead2-c6da-4613-8ce6-13699a7495a1

HT Builder <= 1.2.9 – Cross-Site Request Forgery via plugin_activation

Affected Software: HT Builder – WordPress Theme Builder for Elementor
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/df413b9d-5c22-4276-a11b-4f193c48740d

Superb Social Media Share Buttons and Follow Buttons <= 1.1.3 – Cross-Site Request Forgery via spbsmAjax

Affected Software: Superb Social Media Share Buttons and Follow Buttons for WordPress
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ebea0ec0-f7ee-41c5-b0a5-a78e9cd11d41

Front End Users <= 3.2.24 – Cross-Site Request Forgery

Affected Software: Front End Users
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ee13399f-0fc9-40f3-93f5-34c913d54aa0

As a reminder, Wordfence has curated an industry-leading vulnerability database, Wordfence Intelligence, covering all known WordPress core, theme, and plugin vulnerabilities.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, through submissions from researchers using our CVE Request form, and by monitoring a wide range of sources to capture all publicly available WordPress vulnerability information, adding additional context where we can.

Click here to sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (Apr 3, 2023 to Apr 9, 2023) appeared first on Wordfence.