Wordfence Intelligence Weekly WordPress Vulnerability Report (Apr 17, 2023 to Apr 23, 2023)

Last week, there were 152 vulnerabilities disclosed in 134 WordPress Plugins and 0 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 41 Vulnerability Researchers that contributed to WordPress Security last week. There were more unpatched vulnerabilities than patched last week, so it’s more important than ever to review those vulnerabilities in this report now to ensure your site is not affected and make the appropriate adjustments if your site is.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface and vulnerability API are completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status
Number of Vulnerabilities

Unpatched
81

Patched
71

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating
Number of Vulnerabilities

Low Severity
0

Medium Severity
134

High Severity
16

Critical Severity
2

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE
Number of Vulnerabilities

Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
93

Cross-Site Request Forgery (CSRF)
30

Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
11

Missing Authorization
10

Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
2

Deserialization of Untrusted Data
2

Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’)
1

Information Exposure
1

Improper Access Control
1

URL Redirection to Untrusted Site (‘Open Redirect’)
1

Researchers That Contributed to WordPress Security Last Week

Researcher Name
Number of Vulnerabilities

Lana Codes
30

Marco Wotschka
11

Yuki Haruma
9

yuyudhn
7

Muhammad Daffa
6

LEE SE HYOUNG
6

Rio Darmawan
6

Sajjad Shariati
6

Shreya Pohekar
5

minhtuanact
5

Justiice
4

Ramuel Gall
4

TEAM WEBoB of BoB 11th
3

Mika
3

Ivan Kuzymchak
3

Le Ngoc Anh
3

Erwan LR
3

Cat
3

WPScanTeam
2

Lokesh Dachepalli
2

Nguyen Xuan Chien
2

Joshua Martinelle
1

Rafie Muhammad
1

Rafshanzani Suhada
1

Nguyen Huu Do
1

Ryo Sato
1

Skalucy
1

Shezad Master
1

zhangyunpei
1

Yeting Li VARAS@IIE
1

Ameen Alkurdy
1

Nithissh S
1

Chien Vuong
1

thiennv
1

Alexander Schmid
1

cydave
1

easyBug
1

Daniel Ruf
1

Alex Thomas
1

deokhunKim
1

Lucio Sá
1

 

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name
Software Slug

AI ChatBot
chatbot

ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup
armember-membership

Accessibility Suite by Online ADA
online-accessibility

Accordion & FAQ – Helpie WordPress Frequently Asked Questions plugin
helpie-faq

Active Directory Integration / LDAP Integration
ldap-login-for-intranet-sites

ActiveCampaign – Forms, Site Tracking, Live Chat
activecampaign-subscription-forms

Ad Inserter – Ad Manager & AdSense Ads
ad-inserter

Album Gallery – WordPress Gallery
new-album-gallery

ApexChat
apexchat

Avirato hotels online booking engine
avirato-calendar

BBSpoiler
bbspoiler

BadgeOS
badgeos

Best Travel Booking WordPress Plugin, Tour Booking System, Trip Booking WordPress Plugin – Yatra
yatra

Bitcoin / AltCoin Payment Gateway for WooCommerce & Multivendor store / shop
woo-altcoin-payment-gateway

BizLibrary
bizlibrary

Booking calendar, Appointment Booking System
booking-calendar

Button Builder – Buttons X
buttons-x

CMP – Coming Soon & Maintenance Plugin by NiteoThemes
cmp-coming-soon-maintenance

CMS Tree Page View
cms-tree-page-view

Cab Grid
cab-grid

Captcha Them All
captcha-them-all

Category Specific RSS feed Subscription
category-specific-rss-feed-menu

Church Admin
church-admin

Clock In Portal- Staff & Attendance Management
clock-in-portal

Contact Form to DB by BestWebSoft – Messages Database Plugin For WordPress
contact-form-to-db

Continuous announcement scroller
continuous-announcement-scroller

Custom Post Type List Shortcode
custom-post-type-list-shortcode

Customer Support Software, Live Chat, & Marketing Automation
formilla-chat-and-marketing

Dave’s WordPress Live Search
daves-wordpress-live-search

Donation Forms by Charitable – Donations Plugin & Fundraising Platform for WordPress
charitable

EZP Maintenance Mode
easy-pie-maintenance-mode

Easy Ad Manager
easy-ad-manager

Easy Slider Revolution
easy-slider-revolution

Ebook Store
ebook-store

Email posts to subscribers
email-posts-to-subscribers

Enable/Disable Auto Login when Register
auto-login-when-resister

Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates
essential-blocks

File Gallery
file-gallery

Flyzoo Chat
flyzoo

Form Block
form-block

FormCraft – Contact Form Builder for WordPress
formcraft-form-builder

Formilla Edge Targeted Messaging Platform for Sales and Marketing
formilla-edge

Freshdesk (official)
freshdesk-support

GDPR Compliance & Cookie Consent
gdpr-compliance-cookie-consent

Gallery Metabox
gallery-metabox

Google Analytics Top Content Widget
google-analytics-top-posts-widget

Gps Plotter
gps-plotter

Help Desk WP
helpdeskwp

Image Optimizer by 10web – Image Optimizer and Compression plugin
image-optimizer-wd

Japanized For WooCommerce
woocommerce-for-japan

Jetpack CRM – Clients, Leads, Invoices, Billing, Email Marketing, & Automation
zero-bs-crm

Kaya QR Code Generator
kaya-qr-code-generator

Kiwiz – Certification de facturation – Woocommerce
woocommerce-gateway-certification-de-facture-et-gestion-de-pdf-kiwiz

Kodex Posts likes
kodex-posts-likes

LIQUID SPEECH BALLOON
liquid-speech-balloon

Layer Slider
slider-slideshow

LearnPress Export Import – WordPress extension for LearnPress
learnpress-import-export

Live Chat by Formilla – Real-time Chat & Chatbots Plugin
formilla-live-chat

Locatoraid Store Locator
locatoraid

Login Page Styler | Custom Login | Custom WP Admin Login Page | Admin Security | Admin Protection | Login Page Customizer | Admin Login | Login Security | Login Redirect | Theme Login | Login Menu | Login Form | Admin Dashboard | Change Login Logo | Login
login-page-styler

Mail Subscribe List
mail-subscribe-list

Mega Addons For WPBakery Page Builder
mega-addons-for-visual-composer

Membership Database
member-database

Modal Dialog
modal-dialog

Motors – Car Dealer, Classifieds & Listing
motors-car-dealership-classified-listings

NEX-Forms – Ultimate Form Builder – Contact forms and much more
nex-forms-express-wp-form-builder

Ninja Tables – Best Data Table Plugin for WordPress
ninja-tables

OoohBoi Steroids for Elementor
ooohboi-steroids-for-elementor

Panorama – WordPress Project Management Plugin
project-panorama-lite

Post Shortcode
post-shortcode

PowerPress Podcasting plugin by Blubrry
powerpress

Pretty Url
pretty-url

Product Slider For WooCommerce Lite
product-slider-for-woocommerce-lite

PropertyHive
propertyhive

Query Wrangler
query-wrangler

RapidExpCart
rapidexpcart

Redirect After Login
redirect-after-login

Reservation.Studio widget
reservation-studio-widget

Responsive Filterable Portfolio
responsive-filterable-portfolio

ReviewX – Multi-criteria Rating & Reviews for WooCommerce
reviewx

Robokassa payment gateway for Woocommerce
robokassa

Semalt Blocker
semalt

ShopEngine – Elementor WooCommerce Builder Addons, Variation Swatches, Wishlist, Products Compare – All in One Solution
shopengine

Shortcode IMDB
shortcode-imdb

Simple Share Buttons Adder
simple-share-buttons-adder

Simple Tooltips
simple-tooltips

SiteAlert – Uptime, Speed, and Security Monitoring for WordPress
my-wp-health-check

Sloth Logo Customizer
sloth-logo-customizer

Smart WooCommerce Search
smart-woocommerce-search

Social Share Boost
social-share-boost

SparkPost
sparkpost

Stock Exporter for WooCommerce
stock-exporter-for-woocommerce

Stream
stream

Subscribers – Free Web Push Notifications
subscribers-com

Tablesome – Data table & Workflow Automation ( Contact Form Entries, Email Log, OpenAI / ChatGPT )
tablesome

TaxoPress is the WordPress Tag, Category, and Taxonomy Manager
simple-tags

The School Management – Education & Learning Management
school-management-system

Themify Portfolio Post
themify-portfolio-post

Thumbnail carousel slider
wp-responsive-thumbnail-slider

Uji Popup
uji-popup

Ultimate Carousel For Elementor
ultimate-carousel-for-elementor

Ultimate Carousel For WPBakery Page Builder
ultimate-carousel-for-visual-composer

Update Image Tag Alt Attribute
update-alt-attribute

Verified Reviews (Avis Vérifiés)
netreviews

Video Grid
video-grid

Video List Manager
video-list-manager

Visual CSS Style Editor
yellow-pencil-visual-theme-customizer

WCP Contact Form
wcp-contact-form

WP Cerber Security, Anti-spam & Malware Scan
wp-cerber

WP Custom Author URL
wp-custom-author-url

WP Docs
wp-docs

WP Links Page
wp-links-page

WP Login Box
wp-login-box

WP Original Media Path
wp-original-media-path

WP Popups – WordPress Popup builder
wp-popups-lite

WP Responsive Tabs horizontal vertical and accordion Tabs
responsive-horizontal-vertical-and-accordion-tabs

WP-FormAssembly
formassembly-web-forms

WP-dTree
wp-dtree-30

WPJAM Basic
wpjam-basic

White Label Branding for Elementor Page Builder
white-label-branding-elementor

WooCommerce Easy Duplicate Product
woo-easy-duplicate-product

WooCommerce Order Status Change Notifier
woocommerce-order-status-change-notifier

Woocommerce Email Report
wooemailreport

Woocommerce Products Designer by ORION – online product customizer for t-shirts, print cards, phone cases Lettering & Decals
woocommerce-products-designer

WordPress Header Builder Plugin – Pearl
pearl-header-builder

Wp-D3
wp-d3

YARPP – Yet Another Related Posts Plugin
yet-another-related-posts-plugin

YML for Yandex Market
yml-for-yandex-market

YourChannel: Everything you want in a YouTube plugin.
yourchannel

Zendesk Support for WordPress
zendesk

eRocket
erocket

f(x) TOC
fx-toc

miniOrange’s Google Authenticator – WordPress Two Factor Authentication (2FA , Two Factor, OTP SMS and Email) | Passwordless login
miniorange-2-factor-authentication

vSlider Multi Image Slider for WordPress
vslider

Vulnerability Details

Email posts to subscribers <= 6.2 – Unauthenticated SQL Injection

Affected Software: Email posts to subscribers
CVE ID: CVE-2022-46818
CVSS Score: 9.8 (Critical)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/51f73041-927d-42da-92cc-14242a397356

Bitcoin / AltCoin Payment Gateway for WooCommerce <= 1.7.1 – Unauthenticated SQL Injection

Affected Software: Bitcoin / AltCoin Payment Gateway for WooCommerce & Multivendor store / shop
CVE ID: CVE-2022-4118
CVSS Score: 9.8 (Critical)
Researcher/s: cydave
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a4e1315b-31e5-428c-9a48-6185b4eeb2fc

ReviewX – Multi-criteria Rating & Reviews for WooCommerce <= 1.6.8 – Authenticated (Subscriber+) SQL Injection

Affected Software: ReviewX – Multi-criteria Rating & Reviews for WooCommerce
CVE ID: CVE-2023-26325
CVSS Score: 8.8 (High)
Researcher/s: Joshua Martinelle
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/072092ef-17bc-4b8b-bf8b-bd69a761c56a

YARPP <= 5.30.2 – Authenticated (Subscriber+) Local File Inclusion

Affected Software: YARPP – Yet Another Related Posts Plugin
CVE ID: CVE-2022-45374
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1091862b-784b-496f-a951-6784544cb51b

Accessibility Suite by Online ADA <= 4.11 – Authenticated (Subscriber+) SQL Injection

Affected Software: Accessibility Suite by Online ADA
CVE ID: CVE-2022-47420
CVSS Score: 8.8 (High)
Researcher/s: minhtuanact
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/71c21af1-a007-4535-98ea-a6f25142bcf6

Avirato hotels online booking engine <= 5.0.5 – Authenticated (Subscriber+) SQL Injection

Affected Software: Avirato hotels online booking engine
CVE ID: CVE-2023-0768
CVSS Score: 8.8 (High)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b62fb1a8-d62d-4d1f-bcce-a081432b9e61

Contact Form to DB by BestWebSoft <= 1.7.0 – Authenticated (Contributor+) SQL Injection via cntctfrmtdb_department

Affected Software: Contact Form to DB by BestWebSoft – Messages Database Plugin For WordPress
CVE ID: CVE-2023-29096
CVSS Score: 8.8 (High)
Researcher/s: easyBug
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ba317acb-d45c-42c0-b5fb-b163bcd59340

Kiwiz – Certification de facturation – Woocommerce <= 2.1.3 – Unauthenticated Arbitrary File Download

Affected Software: Kiwiz – Certification de facturation – Woocommerce
CVE ID: CVE-2023-2180
CVSS Score: 7.5 (High)
Researcher/s: WPScanTeam
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/603f0c9d-6964-4911-b4a5-bdad24a1a8dd

miniOrange’s Google Authenticator <= 5.6.5 – Missing Authorization to Plugin Settings Change

Jetpack CRM <= 5.3.1 – Cross-Site Request Forgery and PHAR Deserialization

Affected Software: Jetpack CRM – Clients, Leads, Invoices, Billing, Email Marketing, & Automation
CVE ID: CVE-2022-3342
CVSS Score: 7.5 (High)
Researcher/s: Ramuel Gall
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/98ab264f-b210-41d0-bb6f-b4f31d933f80

The School Management – Education & Learning Management <= 4.1 – Authenticated (Administrator+) SQL Injection

Affected Software: The School Management – Education & Learning Management
CVE ID: CVE-2022-47430
CVSS Score: 7.2 (High)
Researcher/s: minhtuanact
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1268bdb9-7f80-4fdc-a95a-d51b0ab83e17

Ad Inserter <= 2.7.25 – Authenticated (Admin+) PHP Object Injection

Affected Software: Ad Inserter – Ad Manager & AdSense Ads
CVE ID: CVE-2023-1549
CVSS Score: 7.2 (High)
Researcher/s: Nguyen Huu Do
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1c94028c-a774-45ac-817d-ad9b966a3b51

Shortcode IMDB <= 6.0.8 – Authenticated (Administrator+) SQL Injection

Affected Software: Shortcode IMDB
CVE ID: CVE-2022-47432
CVSS Score: 7.2 (High)
Researcher/s: minhtuanact
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3ae6bf2e-b39a-4bb3-9203-22ff4c23ddf4

WP Cerber Security <= 9.1 – Unauthenticated Stored Cross-Site Scripting

Affected Software: WP Cerber Security, Anti-spam & Malware Scan
CVE ID: CVE-2022-4712
CVSS Score: 7.2 (High)
Researcher/s: Ramuel Gall
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6cd9cbba-10b0-4fb0-ad49-4593a307a615

Video List Manager <= 1.7 – Authenticated (Admin+) SQL Injection

Affected Software: Video List Manager
CVE ID: CVE-2023-1408
CVSS Score: 7.2 (High)
Researcher/s: zhangyunpei, Yeting Li VARAS@IIE
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8b2d42ab-46c1-4c3e-b99a-1cdcade1b5bb

Help Desk WP <= 1.2.0 – Authenticated (Editor+) Stored Cross-Site Scripting

Affected Software: Help Desk WP
CVE ID: CVE-2023-1019
CVSS Score: 7.2 (High)
Researcher/s: Ameen Alkurdy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8ec5173b-7b0d-4887-8c13-f48137aa8593

Booking calendar, Appointment Booking System <= 3.2.6 – Authenticated (Administrator+) SQL Injection via *_selected

Affected Software: Booking calendar, Appointment Booking System
CVE ID: CVE-2022-47428
CVSS Score: 7.2 (High)
Researcher/s: thiennv
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9c44b6e5-7fb2-402e-8c8c-79d811ff0e9a

NEX-Forms <= 8.3.3 – Authenticated (Administrator+) SQL Injection

Affected Software: NEX-Forms – Ultimate Form Builder – Contact forms and much more
CVE ID: CVE-2023-2114
CVSS Score: 7.2 (High)
Researcher/s: Alexander Schmid
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9d19be8b-3e0b-4d74-97e0-f17132d2d34c

Ebook Store <= 5.775 – Missing Authorization via ebook_store_export_orders

Affected Software: Ebook Store
CVE ID: CVE-2023-22701
CVSS Score: 6.5 (Medium)
Researcher/s: yuyudhn
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d4b17cce-bb52-4125-8c85-6da15517275f

f(x) TOC <= 1.1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: f(x) TOC
CVE ID: CVE-2023-0490
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/09479df1-ff7e-4df8-9aea-8c7622ecea4e

Easy Slider Revolution <= 1.0.0 – Authenticated (Author+) Stored Cross-Site Scripting via esrcpt_slider_allow_iframes_filter

Affected Software: Easy Slider Revolution
CVE ID: CVE-2023-28622
CVSS Score: 6.4 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/14a20f9c-cf5a-4d57-b723-ad29a12c8881

Button Builder – Buttons X <= 0.8.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Button Builder – Buttons X
CVE ID: CVE-2023-23867
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1aea8fe3-7c75-4d3a-847a-ce0d1f9700f1

Uji Popup <= 1.4.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via uji_popup_code shortcode

Affected Software: Uji Popup
CVE ID: CVE-2023-23641
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1e81208c-771f-409e-b665-b07def0ca774

WPJAM Basic <= 6.2.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: WPJAM Basic
CVE ID: CVE-2023-23709
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2a5ccc0b-a80a-41df-991c-5c356eb10512

ActiveCampaign – Forms, Site Tracking, Live Chat <= 8.1.11 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: ActiveCampaign – Forms, Site Tracking, Live Chat
CVE ID: CVE-2023-0233
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/47e25cfa-fedf-413a-bfe7-18a1de429bc3

Mail Subscribe List <= 2.1.9 – Authenticated (Contributor+) Stored Cross-Site Scripting via smlsubform shortcode

Affected Software: Mail Subscribe List
CVE ID: CVE-2023-23657
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/55b39859-b8a0-418b-ae7a-cd42d6e0bf00

BBSpoiler <= 2.01 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: BBSpoiler
CVE ID: CVE-2023-23873
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/789497b1-36cf-4de2-bca0-52c0c2a08f72

Product Slider For WooCommerce Lite <= 1.1.7 – Authenticated(Contributor+) Stored Cross-Site Scripting via Meta Keys

Affected Software: Product Slider For WooCommerce Lite
CVE ID: CVE-2023-0537
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8159ee7c-69ac-4422-ba8b-664f1fee8e07

Wp-D3 <= 2.4.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Wp-D3
CVE ID: CVE-2023-0536
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/89409461-c87e-4882-bf53-cc789e459b4f

Social Share Boost <= 4.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via ssboost shortcode

Affected Software: Social Share Boost
CVE ID: CVE-2023-23688
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9290532f-58d7-4e7d-9fa0-89c7f82b0466

WP Links Page <= 4.9.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: WP Links Page
CVE ID: CVE-2023-22720
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9ef3297d-8686-44aa-ac73-793b644be3f2

WP-FormAssembly <= 2.0.7 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: WP-FormAssembly
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a3b164e0-de2e-40d5-935e-31f5bebd87cf

Mega Addons For WPBakery Page Builder <= 4.2.7 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Mega Addons For WPBakery Page Builder
CVE ID: CVE-2023-0268
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a443b20e-1686-4519-890d-e6f1838fb05c

WP Popups – WordPress Popup builder <= 2.5.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: WP Popups – WordPress Popup builder
CVE ID: CVE-2023-1905
CVSS Score: 6.4 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a9747cda-735c-4087-8c4d-9c445c6d1596

Ultimate Carousel For Elementor <= 2.1.7 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Ultimate Carousel For Elementor
CVE ID: CVE-2023-0280
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b0e35280-0c2a-4fe1-bfbe-3321338ff1a5

Custom Post Type List Shortcode <= 1.4.4 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Custom Post Type List Shortcode
CVE ID: CVE-2023-0542
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b702f507-475a-4d45-8bb1-635f5f377c88

File Gallery <= 1.8.5.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via file_gallery_shortcode

Affected Software: File Gallery
CVE ID: CVE-2023-23676
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c11be4ba-1bed-4234-b475-468394b7be90

Ultimate Carousel For WPBakery Page Builder <= 2.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Ultimate Carousel For WPBakery Page Builder
CVE ID: CVE-2023-0267
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c97fc289-1ee3-4401-a57e-b4c8d998259e

FormCraft <= 1.2.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via fcb shortcode

Affected Software: FormCraft – Contact Form Builder for WordPress
CVE ID: CVE-2023-22717
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cf17a817-6f61-43d5-9da2-58fbbef458d9

Post Shortcode <= 2.0.9 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Post Shortcode
CVE ID: CVE-2023-0526
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f3e1d66d-34cf-491c-8a07-0f9efd3c9669

Kaya QR Code Generator <= 1.5.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via qrCode attribute

Affected Software: Kaya QR Code Generator
CVE ID: CVE-2023-30784
CVSS Score: 6.4 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f4f0bb58-d904-4bf4-9e15-4ee6289c2df4

vSlider Multi Image Slider <= 4.1.2 – Cross-Site Request Forgery

Affected Software: vSlider Multi Image Slider for WordPress
CVE ID: CVE-2023-22672
CVSS Score: 6.3 (Medium)
Researcher/s: minhtuanact
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/14376064-13c4-4874-afea-395af2a1933d

WP Docs <= 1.9.8 – Missing Authorization via multiple AJAX actions

Affected Software: WP Docs
CVE ID: CVE-2023-30873
CVSS Score: 6.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/45a870f4-7ad1-447b-81ea-5d9e9b67b1bb

Membership Database <= 1.0 – Reflected Cross-Site Scripting

Affected Software: Membership Database
CVE ID: CVE-2023-0514
CVSS Score: 6.1 (Medium)
Researcher/s: Shreya Pohekar
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/07ede585-c0d2-4643-9c36-7b5da5f721bd

CMS Tree Page View <= 1.6.7 – Reflected Cross-Site Scripting

Affected Software: CMS Tree Page View
CVE ID: CVE-2023-30868
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/19796773-3d5f-458d-aab1-743b6835c71b

Church Admin <= 3.7.5 – Reflected Cross-Site Scripting

Affected Software: Church Admin
CVE ID: CVE-2023-30782
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2204017a-0363-4f2f-909a-e0826463477c

Update Image Tag Alt Attribute <= 2.4.5 – Reflected Cross-Site Scripting

Affected Software: Update Image Tag Alt Attribute
CVE ID: CVE-2023-27455
CVSS Score: 6.1 (Medium)
Researcher/s: Skalucy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/25b13322-d305-45db-8ac7-20762398dc21

Charitable <= 1.7.0.10 – Reflected Cross-Site Scripting

WCP Contact Form <= 3.1.0 – Reflected Cross-Site Scripting via tab parameter

Affected Software: WCP Contact Form
CVE ID: CVE-2023-22703
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/33fd4542-0a46-4779-be02-d713dcbc8f96

Google Analytics Top Content Widget <= 1.5.5 – Reflected Cross-Site Scripting

Affected Software: Google Analytics Top Content Widget
CVE ID: CVE-2015-10101
CVSS Score: 6.1 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4522480a-dfbf-4ff4-93c2-68b8cc15367c

RapidExpCart <= 1.0 – Cross-Site Request Forgery to Stored Cross-Site Scripting

Affected Software: RapidExpCart
CVE ID: CVE-2023-0520
CVSS Score: 6.1 (Medium)
Researcher/s: Shreya Pohekar
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/52fde632-f3a4-48d5-8c2c-c42b9d20dcb7

ChatBot <= 4.4.4 – Unauthenticated Stored Cross-Site Scripting via Cross-Site Request Forgery

Affected Software: AI ChatBot
CVE ID: CVE-2023-1011
CVSS Score: 6.1 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/56fad8de-6646-4305-83a9-0ed443c3aa7d

WooCommerce Easy Duplicate Product <= 0.3.0.0 – Reflected Cross-Site Scripting via wedp_duplicated

Affected Software: WooCommerce Easy Duplicate Product
CVE ID: CVE-2023-30747
CVSS Score: 6.1 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8b06d68e-153d-4cee-94d5-cbeac7468665

Tablesome <= 1.0.8 – Reflected Cross-Site Scripting

Affected Software: Tablesome – Data table & Workflow Automation ( Contact Form Entries, Email Log, OpenAI / ChatGPT )
CVE ID: CVE Unknown
CVSS Score: 6.1 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8d769308-6273-4ed2-b64a-d9f065de4cce

YellowPencil Visual CSS Style Editor <= 7.5.8 – Reflected Cross-Site Scripting liveLink

Affected Software: Visual CSS Style Editor
CVE ID: CVE-2022-33961
CVSS Score: 6.1 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/967ff273-33f3-4580-928a-7764583429aa

Sloth Logo Customizer <= 2.0.2 – Cross-Site Request Forgery to Stored Cross-Site Scripting

Affected Software: Sloth Logo Customizer
CVE ID: CVE-2023-0603
CVSS Score: 6.1 (Medium)
Researcher/s: Nithissh S
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/974f14e8-1a59-4ba5-8806-b4d8b135315e

Modal Dialog <= 3.5.14 – Reflected Cross-Site Scripting

Affected Software: Modal Dialog
CVE ID: CVE-2023-31071
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/99140d47-88bb-48a1-863a-93a558541800

Thumbnail carousel slider <= 1.1.9 – Reflected Cross-Site Scripting

Affected Software: Thumbnail carousel slider
CVE ID: CVE-2023-1915
CVSS Score: 6.1 (Medium)
Researcher/s: Chien Vuong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/99711f41-d21b-4725-acc8-9542283daf12

Yml for Yandex Market <= 3.10.7 – Reflected Cross-Site Scripting

Affected Software: YML for Yandex Market
CVE ID: CVE-2023-30473
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a823a21e-78b5-4186-bb67-88799509970d

Woocommerce Email Report <= 2.4 – Unauthenticated Cross-Site Scripting

Affected Software: Woocommerce Email Report
CVE ID: CVE-2023-27627
CVSS Score: 6.1 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/abdbee50-b8c3-4254-a828-37629a798c92

Stock Exporter for WooCommerce <= 1.1.0 – Reflected Cross-Site Scripting

Affected Software: Stock Exporter for WooCommerce
CVE ID: CVE-2023-30871
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b65184e6-8072-4dd7-8291-c92817e55beb

Query Wrangler <= 1.5.51 – Reflected Cross-Site Scripting via page parameter

Affected Software: Query Wrangler
CVE ID: CVE-2023-30779
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c79d781e-4c11-43e9-8c5f-aa89e8fbf635

Video Grid <= 1.21 – Reflected Cross-Site Scripting

Affected Software: Video Grid
CVE ID: CVE-2023-30785
CVSS Score: 6.1 (Medium)
Researcher/s: yuyudhn
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c92e166d-2ede-4280-a875-d30c0cf6f467

RapidExpCart <= 1.0 – Authenticated (Level 8/Administrator+) Stored Cross-Site Scripting

Affected Software: RapidExpCart
CVE ID: CVE-2023-0520
CVSS Score: 6.1 (Medium)
Researcher/s: Shreya Pohekar
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cc1e480c-577a-467a-8297-747512286a39

Video Grid <= 1.21 – Reflected Cross-Site Scripting

Affected Software: Video Grid
CVE ID: CVE Unknown
CVSS Score: 6.1 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/db5247ad-dbbf-4d8e-92f5-3a673b97d080

Responsive Filterable Portfolio <= 1.0.19 – Reflected Cross-Site Scripting

Affected Software: Responsive Filterable Portfolio
CVE ID: CVE-2023-2119
CVSS Score: 6.1 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e67dfe0f-ac1c-4a78-bfc9-0cfd6c3040d4

Japanized For WooCommerce <= 2.5.6 – Reflected Cross-Site Scripting

Affected Software: Japanized For WooCommerce
CVE ID: CVE-2023-0948
CVSS Score: 6.1 (Medium)
Researcher/s: Erwan LR
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ea7d643c-3388-469f-b4a9-5c68341e2af0

PropertyHive <= 1.5.48 – Reflected Cross-Site Scripting via date_post_id

Affected Software: PropertyHive
CVE ID: CVE-2023-22706
CVSS Score: 6.1 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ea82e978-a653-4ae3-94aa-bc77b94a176c

Thumbnail carousel slider <= 1.1.9 – Reflected Cross-Site Scripting

Affected Software: Thumbnail carousel slider
CVE ID: CVE-2023-2120
CVSS Score: 6.1 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f4bf4e12-5cbb-45bc-938e-62163baaa15d

ARMember <= 4.0 – Reflected Cross-Site Scripting

WP Responsive Tabs horizontal vertical and accordion Tabs <= 1.1.15 – Reflected Cross-Site Scripting

Affected Software: WP Responsive Tabs horizontal vertical and accordion Tabs
CVE ID: CVE-2023-2184
CVSS Score: 6.1 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fe54c37f-1421-48aa-b502-045847d13ae3

Themify Portfolio Post <= 1.2.2 – Authenticated (Editor+) Stored Cross-Site Scripting

Affected Software: Themify Portfolio Post
CVE ID: CVE-2022-32970
CVSS Score: 5.5 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0f3c3629-b7a9-4f83-a821-64119ed662ce

TaxoPress <= 3.6.4 – Authenticated (Editor+) Stored Cross-Site Scripting

Affected Software: TaxoPress is the WordPress Tag, Category, and Taxonomy Manager
CVE ID: CVE-2023-2168
CVSS Score: 5.5 (Medium)
Researcher/s: Ivan Kuzymchak
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1c051bfd-2754-4faf-8062-91752555166c

TaxoPress <= 3.6.4 – Authenticated (Editor+) Stored Cross-Site Scripting

Affected Software: TaxoPress is the WordPress Tag, Category, and Taxonomy Manager
CVE ID: CVE-2023-2169
CVSS Score: 5.5 (Medium)
Researcher/s: Ivan Kuzymchak
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/52574d99-1ffe-4152-bf13-9cdd11d7300a

YourChannel <= 1.2.5 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: YourChannel: Everything you want in a YouTube plugin.
CVE ID: CVE-2023-1869
CVSS Score: 5.5 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a81d5615-0b96-4d89-a525-7e80a10a9317

TaxoPress <= 3.6.4 – Authenticated (Editor+) Stored Cross-Site Scripting

Affected Software: TaxoPress is the WordPress Tag, Category, and Taxonomy Manager
CVE ID: CVE-2023-2170
CVSS Score: 5.5 (Medium)
Researcher/s: Ivan Kuzymchak
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e98ed932-4e4c-4127-ae72-500e2a34f371

Motors – Car Dealer & Classified Ads <= 1.4.4 – Cross-Site Request Forgery via Multiple Functions

Affected Software: Motors – Car Dealer, Classifieds & Listing
CVE ID: CVE-2022-38716
CVSS Score: 5.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0ca9e920-3c7a-4991-8c24-2e55c4f4767c

LearnPress – Export/Import Courses <= 4.0.2 – Reflected Cross-Site Scripting

Affected Software: LearnPress Export Import – WordPress extension for LearnPress
CVE ID: CVE-2023-30487
CVSS Score: 5.4 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1322e229-5e0b-4c3d-ae96-e211a2831842

PowerPress <= 10.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: PowerPress Podcasting plugin by Blubrry
CVE ID: CVE-2023-30778
CVSS Score: 5.4 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1c40c28f-554f-42d0-9f6d-a899d8f61519

Smart WooCommerce Search <= 2.5.0 – Missing Authorization

Affected Software: Smart WooCommerce Search
CVE ID: CVE-2023-30783
CVSS Score: 5.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/59931266-766f-42d2-bcde-04d694a444b0

ShopEngine <= 4.1.1 – Cross-Site Request Forgery

Freshdesk (official) <= 1.7 – Open Redirect

Affected Software: Freshdesk (official)
CVE ID: CVE-2015-10102
CVSS Score: 5.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d6f20fc3-41e5-4220-ac8b-54eb11719f07

Locatoraid Store Locator <= 3.9.14 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Locatoraid Store Locator
CVE ID: CVE-2023-2031
CVSS Score: 5.4 (Medium)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/dba0a90b-f13c-4914-b6b7-278227ffc122

Active Directory Integration / LDAP Integration <= 4.1.0 – Unauthenticated Information Disclosure

Affected Software: Active Directory Integration / LDAP Integration
CVE ID: CVE-2023-0812
CVSS Score: 5.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2568018b-29f3-4261-ae0d-658ca9d96846

CMP – Coming Soon & Maintenance <= 4.1.7 – Maintenance Mode Bypass

Affected Software: CMP – Coming Soon & Maintenance Plugin by NiteoThemes
CVE ID: CVE-2023-2159
CVSS Score: 5.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/af955f69-b18c-446e-b05e-6a57a5f16dfa

Helpie FAQ <= 1.9.6 – Reflected Cross-Site Scripting

Affected Software: Accordion & FAQ – Helpie WordPress Frequently Asked Questions plugin
CVE ID: CVE Unknown
CVSS Score: 4.7 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f389f4bf-ffff-4862-b4e2-4465ca0556ef

Formilla Live Chat <= 1.3.0 – Authenticated (Administrator+) Cross-Site Scripting via ‘FormillaID’

Affected Software: Live Chat by Formilla – Real-time Chat & Chatbots Plugin
CVE ID: CVE-2023-23727
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/044e110d-2435-41b8-8aec-917c329b944c

Dave’s WordPress Live Search <= 4.8.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Dave’s WordPress Live Search
CVE ID: CVE-2023-30876
CVSS Score: 4.4 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/046ecbe5-4b2f-40d3-8585-4d4230ba33f0

Yatra <= 2.1.13 – Authenticated (Administrator+) Stored Cross-Site Scripting

Ebook Store <= 5.775 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Ebook Store
CVE ID: CVE-2023-22690
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/097f6887-e15f-4e35-ab12-1115630e13cc

WP Original Media Path <= 2.4.0 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

Affected Software: WP Original Media Path
CVE ID: CVE-2023-23674
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/277eb517-c949-41e9-becf-af056fd32f35

Verified Reviews (Avis Vérifiés) <= 2.3.13 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Verified Reviews (Avis Vérifiés)
CVE ID: CVE-2023-23720
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3044dbfc-e12d-47e0-a297-67ff0510eded

Login Page Styler <= 6.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

WP Custom Author URL <= 1.0.4 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: WP Custom Author URL
CVE ID: CVE-2023-1614
CVSS Score: 4.4 (Medium)
Researcher/s: Shreya Pohekar
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4f3a57ce-eead-4631-93da-ba1a0a33ec2d

Formilla Edge <= 1.0 – Authenticated (Administrator+) Cross-Site Scripting via ‘FormillaPluginID’

Affected Software: Formilla Edge Targeted Messaging Platform for Sales and Marketing
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/59f7a1b2-f718-40e7-8030-b9212edf71b7

Captcha Them All <= 1.3.3 – Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: Captcha Them All
CVE ID: CVE-2023-30786
CVSS Score: 4.4 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5e2c83b6-3444-4cd1-82ec-567937c563b9

WP Login Box <= 2.0.2 – Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: WP Login Box
CVE ID: CVE-2023-0544
CVSS Score: 4.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/66c58d4c-8c36-40af-827d-0e86f2110e3c

Subscribers – Free Web Push Notifications <= 1.5.3 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Subscribers – Free Web Push Notifications
CVE ID: CVE-2023-22684
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/66e78219-b3fd-40e9-a58c-8e27ef3c5e4a

Pretty Url <= 1.5.4 – Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: Pretty Url
CVE ID: CVE-2023-2009
CVSS Score: 4.4 (Medium)
Researcher/s: Shezad Master
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6f54fb59-03c1-45e9-a498-1fa1409c4466

Flyzoo Chat <= 2.3.3 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Flyzoo Chat
CVE ID: CVE-2022-46817
CVSS Score: 4.4 (Medium)
Researcher/s: Justiice
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/74ea8f1e-d6ff-4a32-b8bf-5d4c8e69433e

Robokassa payment gateway for Woocommerce <= 1.4.5 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Robokassa payment gateway for Woocommerce
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/75824b96-8674-4340-9e56-b0cb0f52503d

White Label Branding for Elementor Page Builder <= 1.0.2 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

Affected Software: White Label Branding for Elementor Page Builder
CVE ID: CVE-2023-23683
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8e187b71-860e-4404-bbe2-193c6ecfd485

Category Specific RSS feed Subscription <= v2.2 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

Affected Software: Category Specific RSS feed Subscription
CVE ID: CVE-2023-22685
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9ac9c146-5065-46fc-b2ae-20b820a8016b

Formilla Chat and Marketing Automation <= 1.0 – Authenticated (Administrator+) Cross-Site Scripting via ‘FormillaToolsID’

Affected Software: Customer Support Software, Live Chat, & Marketing Automation
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a5436d14-cbb5-420f-9f3a-698ce59c1e1e

Semalt Blocker <= 1.1.3 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Semalt Blocker
CVE ID: CVE-2023-23794
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a658d150-bcd5-4334-b07a-e09b3995169d

SparkPost <= 3.2.5 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

Affected Software: SparkPost
CVE ID: CVE-2023-23654
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ab86ddc9-9b43-4949-b150-7b944bc40558

EZP Maintenance Mode <= 1.0.1 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

Affected Software: EZP Maintenance Mode
CVE ID: CVE-2023-23682
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ac1239c9-72a6-44d8-911f-70a528c66c62

Redirect After Login <= 0.1.9 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

Affected Software: Redirect After Login
CVE ID: CVE-2023-27624
CVSS Score: 4.4 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ad1a79f3-274f-4a33-a752-669c09c2d47d

GPS Plotter <= 5.1.4 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Gps Plotter
CVE ID: CVE-2023-30874
CVSS Score: 4.4 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ca449d15-b05e-4341-99b0-472a14cab8f4

WP-dTree <= 4.4.5 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

Affected Software: WP-dTree
CVE ID: CVE-2022-47423
CVSS Score: 4.4 (Medium)
Researcher/s: Justiice
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cde92185-d63a-47b3-a17e-3f2b2b20270c

Panorama – WordPress Project Management Plugin <= 1.5 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Panorama – WordPress Project Management Plugin
CVE ID: CVE-2023-23810
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d131115b-e2c9-42c6-9262-a19272944652

Continuous announcement scroller <= 13.0 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

Affected Software: Continuous announcement scroller
CVE ID: CVE-2022-46819
CVSS Score: 4.4 (Medium)
Researcher/s: Justiice
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d88eb628-09c9-451c-b5ae-f26a93514447

ApexChat <= 1.3.1 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

Affected Software: ApexChat
CVE ID: CVE-2023-28414
CVSS Score: 4.4 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/dbe8d164-85c7-444d-80ad-4d03151b939b

Simple Tooltips <= 2.1.4 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Simple Tooltips
CVE ID: CVE-2023-25958
CVSS Score: 4.4 (Medium)
Researcher/s: deokhunKim
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/dc7e4235-5f40-48c2-8474-cf57af5e35bd

Cab Grid <= 1.5.15 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Cab Grid
CVE ID: CVE-2023-28533
CVSS Score: 4.4 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e09c629b-9908-4548-b828-9e6140ff5670

Image Optimizer WD <= 1.0.26 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Image Optimizer by 10web – Image Optimizer and Compression plugin
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e5eea72d-f10b-460b-be00-bb5b1c4a1a62

BizLibrary <= 1.1 – Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: BizLibrary
CVE ID: CVE-2023-0892
CVSS Score: 4.4 (Medium)
Researcher/s: Shreya Pohekar
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ee7513d9-e76c-4da4-919b-ba376f0c4022

Easy Ad Manager <= 1.0.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Easy Ad Manager
CVE ID: CVE-2023-25460
CVSS Score: 4.4 (Medium)
Researcher/s: Lokesh Dachepalli
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f7750f70-e79c-45fb-b792-ba6a4da59964

eRocket <= 1.2.4 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: eRocket
CVE ID: CVE-2023-28174
CVSS Score: 4.4 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fb9b8f3a-6f49-455d-99c6-cdf5671af49d

Ninja Tables <= 4.3.4 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

Affected Software: Ninja Tables – Best Data Table Plugin for WordPress
CVE ID: CVE-2022-47137
CVSS Score: 4.4 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fc296c70-358e-4908-be49-5ffae83aca9b

GDPR Compliance & Cookie Consent <= 1.2 – Cross-Site Request Forgery

Affected Software: GDPR Compliance & Cookie Consent
CVE ID: CVE-2022-45815
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/052b345a-7b71-4de5-9bf8-8b81cc1b4e77

Image Optimizer by 10web <= 1.0.25 – Directory Traversal to Information Exposure

Affected Software: Image Optimizer by 10web – Image Optimizer and Compression plugin
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0b4a0dff-1054-4f50-8ff5-e3cc2b45d77b

Essential Blocks <= 4.0.6 – Missing Authorization via get

Affected Software: Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates
CVE ID: CVE-2023-2084
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0be8c668-0f1c-4f83-8a71-49c8bb9b67ae

Album Gallery – WordPress Gallery <= 1.4.9 – Cross-Site Request Forgery via album-gallery-column-settings.php

Affected Software: Album Gallery – WordPress Gallery
CVE ID: CVE-2023-23646
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0f3df75e-cf2f-4076-b5ff-b8540408044a

Layer Slider <= 1.1.9.6 – Cross-Site Request Forgery via save_slide_ajax

Affected Software: Layer Slider
CVE ID: CVE-2023-23671
CVSS Score: 4.3 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1ad366f1-2369-4fb2-aeda-301c85cf6801

Enable/Disable Auto Login when Register <= 1.1.0 Cross-Site Request Forgery

Affected Software: Enable/Disable Auto Login when Register
CVE ID: CVE-2023-0522
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1fa45fa7-b1da-42f0-945b-2a6b0db5ba91

Zendesk Support for WordPress <= 1.8.4 – Cross-Site Request Forgery

Affected Software: Zendesk Support for WordPress
CVE ID: CVE-2023-23716
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/212b7da7-bd3e-42df-8b50-a3eb472cf440

LIQUID SPEECH BALLOON <= 1.1.8 – Cross-Site Request Forgery to Settings Update

Affected Software: LIQUID SPEECH BALLOON
CVE ID: CVE-2023-27889
CVSS Score: 4.3 (Medium)
Researcher/s: Ryo Sato
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/23980e13-b632-43ec-938e-8171884cb87b

Ninja Tables <= 4.3.4 – Cross-Site Request Forgery

Affected Software: Ninja Tables – Best Data Table Plugin for WordPress
CVE ID: CVE-2022-47136
CVSS Score: 4.3 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/338158b5-bbda-4cd8-b4ea-97a3926a0989

Clock In Portal <= 2.1 – Cross-Site Request Forgery To Staff Deletion

Affected Software: Clock In Portal- Staff & Attendance Management
CVE ID: CVE-2023-0761
CVSS Score: 4.3 (Medium)
Researcher/s: Sajjad Shariati
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/51ce7b71-0a19-48ef-8748-3848742c542b

Clock In Portal <= 2.1 – Cross-Site Request Forgery to Holidays Deletion

Affected Software: Clock In Portal- Staff & Attendance Management
CVE ID: CVE-2023-0763
CVSS Score: 4.3 (Medium)
Researcher/s: Sajjad Shariati
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5c852fa1-698b-4e72-b781-095e2a98df81

WP Docs <= 1.9.8 – Cross-Site Request Forgery to folder management

Affected Software: WP Docs
CVE ID: CVE-2023-30873
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6003b1bf-b176-4ca9-9de2-58133259e0f6

Pearl <= 1.3.4 – Cross-Site Request Forgery via stm_hb_save_settings

Affected Software: WordPress Header Builder Plugin – Pearl
CVE ID: CVE-2022-38356
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6058da9e-8ca3-4966-bb10-e5da526e8c7e

WooCommerce Order Status Change Notifier <= 1.1.0 – Authenticated (Subscriber+) Arbitrary Order Status Update

Affected Software: WooCommerce Order Status Change Notifier
CVE ID: CVE-2023-2179
CVSS Score: 4.3 (Medium)
Researcher/s: WPScanTeam
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/66bc83f5-0f6c-425f-a560-e79e777b76ca

Woocommerce Product Designer <= 4.3.3 – Cross-Site Request Forgery

Kodex Posts likes <= 2.4.3 – Cross-Site Request Forgery

Affected Software: Kodex Posts likes
CVE ID: CVE-2022-46814
CVSS Score: 4.3 (Medium)
Researcher/s: minhtuanact
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/77d56f61-7e45-405e-878d-fa3d53acede0

Reservation.Studio widget <= 1.0.9 – Cross-Site Request Forgery via plugin settings

Affected Software: Reservation.Studio widget
CVE ID: CVE-2023-25468
CVSS Score: 4.3 (Medium)
Researcher/s: Lokesh Dachepalli
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/783e5794-0d74-4b7a-a1cd-2b834a50c50c

BadgeOS <= 3.7.1.6 – Cross-Site Request Forgery

Affected Software: BadgeOS
CVE ID: CVE-2022-41987
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7bb1be6d-5af9-4b58-a641-05a913548fe7

Essential Blocks <= 4.0.6 – Missing Authorization via template_count

Affected Software: Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates
CVE ID: CVE-2023-2086
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9efc782a-ec61-4741-81fd-a263a2739e16

Gallery Metabox <= 1.5 – Cross-Site Request Forgery via gallery_remove

Affected Software: Gallery Metabox
CVE ID: CVE-2022-47134
CVSS Score: 4.3 (Medium)
Researcher/s: Cat
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9f8b1103-71b2-421e-bcbe-f2716b59e367

Essential Blocks <= 4.0.6 – Missing Authorization via templates

Affected Software: Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates
CVE ID: CVE-2023-2085
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ad2c1ab6-5c78-4317-b5e7-c86e2eebeb4f

SiteAlert (Formerly WP Health) <= 1.9.7 – Cross-Site Request Forgery

Affected Software: SiteAlert – Uptime, Speed, and Security Monitoring for WordPress
CVE ID: CVE-2022-46857
CVSS Score: 4.3 (Medium)
Researcher/s: Cat
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c1870c6e-23b6-4f3b-adba-72633d62dfd0

OoohBoi Steroids for Elementor <= 2.1.4 – Missing Authorization leading to Authenticated (Subscriber+) Image Upload

Affected Software: OoohBoi Steroids for Elementor
CVE ID: CVE-2023-1169
CVSS Score: 4.3 (Medium)
Researcher/s: Ramuel Gall
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c56ed896-9267-49e6-a207-fe5362fe18cd

Clock In Portal <= 2.1 – Cross-Site Request Forgery To Designation Deletion

Affected Software: Clock In Portal- Staff & Attendance Management
CVE ID: CVE-2023-0762
CVSS Score: 4.3 (Medium)
Researcher/s: Sajjad Shariati
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c6b17e90-42df-47ed-9e92-f5f1b990f921

Form Block <= 1.0.1 – Cross-Site Request Forgery

Affected Software: Form Block
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Daniel Ruf
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cb18d6d8-28e5-4125-9209-a71403f678f0

Clock In Portal <= 2.1 – Cross-Site Request Forgery to Designation Deletion

Affected Software: Clock In Portal- Staff & Attendance Management
CVE ID: CVE-2023-0762
CVSS Score: 4.3 (Medium)
Researcher/s: Sajjad Shariati
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cc97109c-187f-43b7-b5ed-5afeec5ea8fd

Essential Blocks <= 4.0.6 – Cross-Site Request Forgery via save

Affected Software: Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates
CVE ID: CVE-2023-2087
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d38d41c7-8786-4145-9591-3e24eff3b79c

Clock In Portal <= 2.1 – Cross-Site Request Forgery to Staff Deletion

Affected Software: Clock In Portal- Staff & Attendance Management
CVE ID: CVE-2023-0761
CVSS Score: 4.3 (Medium)
Researcher/s: Sajjad Shariati
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d8ec03c6-6ea9-4017-915a-e10b757d98ff

Clock In Portal <= 2.1 – Cross-Site Request Forgery To Holiday Deletion

Affected Software: Clock In Portal- Staff & Attendance Management
CVE ID: CVE-2023-0763
CVSS Score: 4.3 (Medium)
Researcher/s: Sajjad Shariati
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ddc0261d-56ed-47a6-a0b2-0ab5f9dee815

Simple Share Buttons Adder <= 8.4.6 – Cross-Site Request Forgery

Affected Software: Simple Share Buttons Adder
CVE ID: CVE-2022-47178
CVSS Score: 4.3 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e57bfae5-4cc0-4d97-9431-4c8ebb2f0882

Stream <= 3.9.2 – Cross-Site Request Forgery

Affected Software: Stream
CVE ID: CVE-2022-43490
CVSS Score: 4.3 (Medium)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e7203b5c-5753-453c-8fc2-26fcebdeea5b

Essential Blocks <= 4.0.6 – Missing Authorization via save

Affected Software: Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates
CVE ID: CVE-2023-2083
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f8bf0933-1c97-4374-b323-c55b91fe4d27

As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (Apr 17, 2023 to Apr 23, 2023) appeared first on Wordfence.

Leave a Comment