Wordfence Intelligence Weekly WordPress Vulnerability Report (May 29, 2023 to June 4, 2023)

Last week, 116 vulnerabilities disclosed in 88 WordPress plugins and 3 WordPress themes were added to the Wordfence Intelligence Vulnerability Database, and 35 vulnerability researchers contributed to WordPress security. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, including the WordPress community, so that individuals and organizations alike can use that data to make the internet more secure. That is why the Wordfence Intelligence user interface and vulnerability API are completely free to access and use, both personally and commercially, and why we publish this weekly vulnerability report.

Click here to sign up for our mailing list to receive weekly vulnerability reports like this one, along with important WordPress security reports, in your inbox the moment they are published.

New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

Jetpack <= 12.1 – Authenticated (Author+) Arbitrary File Manipulation
Formidable Forms <= 6.3 – Authenticated (Subscriber+) Arbitrary Plugin Installation and Activation
Wordapp <= 1.5.0 – Authorization Bypass through Use of Insufficiently Unique Cryptographic Signature
WAF-RULE-603 – data redacted while we work with the developer to ensure the vulnerability this rule protects against gets patched.

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status: Number of Vulnerabilities

Unpatched: 68
Patched: 48

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating: Number of Vulnerabilities

Low Severity: 3
Medium Severity: 93
High Severity: 16
Critical Severity: 4

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE: Number of Vulnerabilities

Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’): 36
Cross-Site Request Forgery (CSRF): 35
Missing Authorization: 22
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’): 6
Improper Input Validation: 2
Improper Authorization: 2
Authorization Bypass Through User-Controlled Key: 2
Authentication Bypass Using an Alternate Path or Channel: 2
URL Redirection to Untrusted Site (‘Open Redirect’): 1
Improper Privilege Management: 1
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’): 1
Insufficient Verification of Data Authenticity: 1
Server-Side Request Forgery (SSRF): 1
Use of Less Trusted Source: 1
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’): 1
Deserialization of Untrusted Data: 1
Improper Control of Generation of Code (‘Code Injection’): 1

Researchers That Contributed to WordPress Security Last Week

Researcher Name: Number of Vulnerabilities

Lana Codes (Wordfence Vulnerability Researcher): 22
Jonas Höbenreich: 13
Mika: 7
Rafie Muhammad: 7
yuyudhn: 6
LEE SE HYOUNG: 6
thiennv: 6
Alex Thomas (Wordfence Vulnerability Researcher): 4
Yuki Haruma: 3
Ramuel Gall (Wordfence Vulnerability Researcher): 2
Dave Jong: 2
Rafshanzani Suhada: 2
Nguyen Xuan Chien: 2
Rio Darmawan: 2
Dongzhu Li: 2
Emili Castells: 2
Jerome Bruandet: 2
Juampa Rodríguez: 1
Le Hong Minh: 1
Justiice: 1
Skalucy: 1
Elliot: 1
40826d: 1
Francesco Carlucci: 1
konagash: 1
TomS: 1
Hamed: 1
Le Ngoc Anh: 1
Miguel Neto: 1
TaeEun Lee: 1
Vinay Kumar: 1
Marco Wotschka (Wordfence Vulnerability Researcher): 1
Taihei Shimamine: 1
minhtuanact: 1
Mateus Machado Tesser: 1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name (Software Slug)

Ajax Pagination and Infinite Scroll (malinky-ajax-pagination)
B2BKing — Ultimate WooCommerce Wholesale and B2B Solution — Wholesale Order Form, Catalog Mode, Dynamic Pricing & More (b2bking-wholesale-for-woocommerce)
BBS e-Popup (bbs-e-popup)
Blog-in-Blog (blog-in-blog)
Brizy – Page Builder (brizy)
CRM Perks Forms – WordPress Form Builder (crm-perks-forms)
CRM and Lead Management by vcita (crm-customer-relationship-management-by-vcita)
Call Now Accessibility Button (accessibility-help-button)
Call Now Icon Animate (call-now-icon-animate)
Cart2Cart: Magento to WooCommerce Migration (cart2cart-magento-to-woocommerce-migration)
Change WooCommerce Add To Cart Button Text (change-woocommerce-add-to-cart-button-text)
Chilexpress woo oficial (chilexpress-oficial)
Complianz – GDPR/CCPA Cookie Consent (complianz-gdpr)
Conditional shipping & Advanced Flat rate shipping rates / Flexible shipping for WooCommerce shipping (advanced-free-flat-shipping-woocommerce)
Constant Contact Forms (constant-contact-forms)
Contact Form Builder by vcita (contact-form-with-a-meeting-scheduler-by-vcita)
Contact Form and Calls To Action by vcita (lead-capturing-call-to-actions-by-vcita)
Custom Login Page | Temporary Users | Rebrand Login | Login Captcha (feather-login-page)
Directorist – WordPress Business Directory Plugin with Classified Ads Listings (directorist)
Disable WordPress Update Notifications and auto-update Email Notifications (disable-update-notifications)
Display post meta, term meta, comment meta, and user meta (display-metadata)
Donation Platform for WooCommerce: Fundraising & Donation Management (wc-donation-platform)
Download Monitor (download-monitor)
Dynamic QR Code Generator (dynamic-qr-code-generator)
Dynamic Visibility for Elementor (dynamic-visibility-for-elementor)
Event Registration Calendar By vcita (event-registration-calendar-by-vcita)
Extended Post Status (extended-post-status)
Favorites (favorites)
File Manager Advanced Shortcode WordPress (file-manager-advanced-shortcode)
Floating Action Button (floating-action-button)
Formidable Forms – Contact Form, Survey, Quiz, Calculator & Custom Form Builder (formidable)
GDPR Cookie Consent Notice Box (cookie-consent-box)
Google Fonts For WordPress (free-google-fonts)
Gravityforms (gravityforms)
Headless CMS (headless-cms)
Interactive Image Map Plugin – Draw Attention (draw-attention)
JS Job Manager (js-jobs)
Jetpack – WP Security, Backup, Speed, & Growth (jetpack)
Kanban Boards for WordPress (kanban)
Kebo Twitter Feed (kebo-twitter-feed)
LH Password Changer (lh-password-changer)
LWS Hide Login (lws-hide-login)
Login Configurator (login-configurator)
Nested Pages (wp-nested-pages)
Online Booking & Scheduling Calendar for WordPress by vcita (meeting-scheduler-by-vcita)
Online Payments – Get Paid with PayPal, Square & Stripe (paypal-payment-button-by-vcita)
Page Builder with Image Map by AZEXO (page-builder-by-azexo)
Photo Gallery by 10Web – Mobile-Friendly Image Gallery (photo-gallery)
Quick/Bulk Order Form for WooCommerce (woocommerce-bulk-order-form)
ReviewX – Multi-criteria Rating & Reviews for WooCommerce (reviewx)
Social Media Share Buttons & Social Sharing Icons (ultimate-social-media-icons)
Social Share, Social Login and Social Comments Plugin – Super Socializer (super-socializer)
SpamReferrerBlock (spamreferrerblock)
TPG Redirect (tpg-redirect)
TS Webfonts for さくらのレンタルサーバ (ts-webfonts-for-sakura)
Telegram Bot & Channel (telegram-bot)
Tutor LMS – eLearning and online course solution (tutor)
Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin (ultimate-member)
Uncanny Toolkit for LearnDash (uncanny-learndash-toolkit)
Unite Gallery Lite (unite-gallery-lite)
User Email Verification for WooCommerce (woo-confirmation-email)
VK Blocks (vk-blocks)
WOLF – WordPress Posts Bulk Editor and Manager Professional (bulk-editor)
WP Directory Kit (wpdirectorykit)
WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting (erp)
WP Full Auto Tags Manager (wp-full-auto-tags-manager)
WP Hide Post (wp-hide-post)
WP Inventory Manager (wp-inventory-manager)
WP Report Post (wp-report-post)
WP User Switch (wp-user-switch)
WP-Cache.com (wp-cachecom)
WP-Cirrus (wp-cirrus)
WPC Smart Wishlist for WooCommerce (woo-smart-wishlist)
Web Directory Free (web-directory-free)
WooCommerce Box Office (woocommerce-box-office)
WooCommerce Checkout & Funnel Builder by CartFlows – Create High Converting Stores For WooCommerce (cartflows)
Woocommerce Order address Print (woocommerce-order-address-print)
WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg (groundhogg)
WordPress NextGen GalleryView (wordpress-nextgen-galleryview)
WordPress Online Booking and Scheduling Plugin – Bookly (bookly-responsive-appointment-booking-tool)
WordPress Social Login (wordpress-social-login)
Wordapp (wordapp)
Worthy – VG WORT Integration für WordPress (wp-worthy)
Yandex Metrica Counter (counter-yandex-metrica)
bbPress Toolkit (bbp-toolkit)
bbp style pack (bbp-style-pack)
premium-addons-pro (premium-addons-pro)
wpForo Forum (wpforo)

WordPress Themes with Reported Vulnerabilities Last Week

Software Name (Software Slug)

HashOne (hashone)
Viral (viral)
Viral News (viral-news)

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities.
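For readers who want to do the "is my site affected" check from this report without the Wordfence scanner, the following is an added Python example; it is not Wordfence's code and does not model the Wordfence Intelligence API's data format. It compares a constructed plugin inventory (slug to installed version) against a handful of affected-version ranges transcribed from the entries below, using a comparator written to follow the semantics of PHP's version_compare(), which WordPress itself uses when deciding whether a plugin update applies. The sample inventory, the helper names and the selection of advisories are this example's own.

```python
import re

# Special version words in the order PHP's version_compare() ranks them; PHP
# matches them by prefix, so "pre" and "patch" both land on "p".
_SPECIAL_FORMS = [("dev", 0), ("alpha", 1), ("a", 1), ("beta", 2), ("b", 2),
                  ("RC", 3), ("rc", 3), ("#", 4), ("pl", 5), ("p", 5)]


def _canonicalize(version):
    """PHP-style split: '-', '_', '+' become '.', and a '.' is inserted where digits
    meet letters: '1.6.5-6497609' -> ['1','6','5','6497609'], '1.0rc1' -> ['1','0','rc','1']."""
    v = re.sub(r"[-_+]", ".", version.strip())
    v = re.sub(r"(\d)(\D)", r"\1.\2", v)
    v = re.sub(r"(\D)(\d)", r"\1.\2", v)
    return [part for part in v.split(".") if part]


def _rank(part):
    # A numeric part ranks like '#'; an unrecognised word ranks below everything.
    if part.isdigit():
        return 4
    for name, order in _SPECIAL_FORMS:
        if part.startswith(name):
            return order
    return -1


def _compare_part(x, y):
    if x.isdigit() and y.isdigit():
        x, y = int(x), int(y)
    else:
        x, y = _rank(x), _rank(y)
    return (x > y) - (x < y)


def version_compare(v1, v2):
    """Return -1, 0 or 1 with PHP version_compare() semantics ('2.7.3' < '2.7.10')."""
    a, b = _canonicalize(v1), _canonicalize(v2)
    for x, y in zip(a, b):
        c = _compare_part(x, y)
        if c:
            return c
    # Leftover parts: an extra number means newer ('1.0.0' > '1.0'); an extra
    # word is ranked against '#' ('1.0rc1' < '1.0').
    if len(a) > len(b):
        rest = a[len(b)]
        return 1 if rest.isdigit() else _compare_part(rest, "#")
    if len(b) > len(a):
        rest = b[len(a)]
        return -1 if rest.isdigit() else _compare_part("#", rest)
    return 0


# (slug, lowest affected or None, highest affected, patched?, title), transcribed
# from the entries in this report. Version strings are taken verbatim from the headings.
ADVISORIES = [
    ("wordapp", None, "1.5.0", False,
     "Authorization Bypass through Use of Insufficiently Unique Cryptographic Signature"),
    ("tutor", None, "2.1.10", True, "Unauthenticated SQL Injection"),
    ("tutor", None, "2.2.0", False, "Authenticated (Student+) SQL Injection"),
    ("feather-login-page", "1.0.7", "1.1.1", False,
     "Cross-Site Request Forgery to Privilege Escalation"),
    ("wp-worthy", None, "1.6.5-6497609", False, "Cross-Site Request Forgery"),
    ("directorist", None, "7.5.4", True,
     "Authenticated (Subscriber+) Arbitrary User Password Reset to Privilege Escalation"),
]

# Constructed sample inventory (plugin slug -> installed version); not a real site.
SAMPLE_INVENTORY = {
    "tutor": "2.1.11",             # past the first Tutor LMS fix, inside the second range
    "feather-login-page": "1.1.0",
    "wp-worthy": "1.6.5-6497609",  # equal to the upper bound counts as affected
    "directorist": "7.5.4",
    "wordapp": "1.5.0",
    "akismet": "5.1",              # nothing in this report
}


def find_affected(inventory, advisories=ADVISORIES):
    """Match on the slug (never the display name) and report every hit, since one
    plugin can carry several advisories with different fixed versions."""
    hits = []
    for slug, installed in inventory.items():
        for adv_slug, lo, hi, patched, title in advisories:
            if adv_slug != slug:
                continue
            if lo is not None and version_compare(installed, lo) < 0:
                continue
            if version_compare(installed, hi) > 0:
                continue
            hits.append({"slug": slug, "installed": installed, "max": hi, "patched": patched,
                         "title": title, "action": "update past the affected range" if patched
                         else "no fix released: deactivate or rely on a WAF rule"})
    return hits


if __name__ == "__main__":
    for h in find_affected(SAMPLE_INVENTORY):
        print(f"{h['slug']} {h['installed']} (<= {h['max']}): {h['title']} -> {h['action']}")
```

The comparator matters more than it looks: a naive string comparison calls 2.7.3 newer than 2.7.10, a trailing ".00" (B2BKing's 4.6.00) or a build suffix (Worthy's 1.6.5-6497609) has to be handled the way the plugin's own updater would handle it, and an entry like Feather Login Page 1.0.7 – 1.1.1 has a lower bound as well as an upper one. Matching on the slug rather than the display name avoids false negatives from renamed plugins, and an "Unpatched" hit is a decision point, not an update task: there is nothing to update to, so the realistic options are deactivation or a firewall rule.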

Wordapp <= 1.5.0 – Authorization Bypass through Use of Insufficiently Unique Cryptographic Signature

Affected Software: Wordapp
CVE ID: CVE-2023-2987
CVSS Score: 9.8 (Critical)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/80440bfa-4a02-4441-bbdb-52d7dd065a9d

Tutor LMS <= 2.1.10 – Unauthenticated SQL Injection

Affected Software: Tutor LMS – eLearning and online course solution
CVE ID: CVE-2023-25700
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9dfee325-9001-4483-b3eb-846da0314529

Gravity Forms <= 2.7.3 – Unauthenticated PHP Object Injection

Affected Software: Gravityforms
CVE ID: CVE-2023-28782
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/dc1e5fb7-92d0-4e7f-9b1b-15673e3b852a

File Manager Advanced Shortcode WordPress <= 2.3.2 – Unauthenticated Arbitrary File Upload to Remote Code Execution via Shortcode

Affected Software: File Manager Advanced Shortcode WordPress
CVE ID: CVE-2023-2068
CVSS Score: 9.8 (Critical)
Researcher/s: Mateus Machado Tesser
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ea40d06e-672c-42db-9378-d382de5838d4

Directorist <= 7.5.4 – Authenticated (Subscriber+) Arbitrary User Password Reset to Privilege Escalation

Affected Software: Directorist – WordPress Business Directory Plugin with Classified Ads Listings
CVE ID: CVE-2023-1888
CVSS Score: 8.8 (High)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/01943559-e05b-4dca-b322-d880b2729ee7

Feather Login Page 1.0.7 – 1.1.1 – Cross-Site Request Forgery to Privilege Escalation

Affected Software: Custom Login Page | Temporary Users | Rebrand Login | Login Captcha
CVE ID: CVE-2023-2549
CVSS Score: 8.8 (High)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/12560b8e-9c47-4f7f-ac9c-d86f17914ba3

Tutor LMS <= 2.2.0 – Authenticated (Student+) SQL Injection

Affected Software: Tutor LMS – eLearning and online course solution
CVE ID: CVE-2023-25800
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2a64b1ff-0d3f-42fa-bab2-4f31bb8f0476

ReviewX <= 1.6.13 – Arbitrary Usermeta Update to Authenticated (Subscriber+) Privilege Escalation

Affected Software: ReviewX – Multi-criteria Rating & Reviews for WooCommerce
CVE ID: CVE-2023-2833
CVSS Score: 8.8 (High)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/70e1d701-2cff-4793-9e4c-5b16a4038e8d

Tutor LMS <= 2.1.10 – Authenticated (Tutor Instructor+) SQL Injection

Affected Software: Tutor LMS – eLearning and online course solution
CVE ID: CVE-2023-25990
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7d623512-ee99-4a73-a752-ecbb6ad96b63

wpForo Forum <= 2.1.7 – Authenticated (Subscriber+) Local File Include, Server-Side Request Forgery, and PHAR Deserialization via file_get_contents

Affected Software: wpForo Forum
CVE ID: CVE-2023-2249
CVSS Score: 8.8 (High)
Researcher/s: Hamed
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/800fa098-b29f-4979-b7bd-b1186a4dafcb

Web Directory Free <= 1.6.7 – Authenticated (Contributor+) SQL Injection via post_id

Affected Software: Web Directory Free
CVE ID: CVE-2023-2201
CVSS Score: 8.8 (High)
Researcher/s: Marco Wotschka
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d831fa81-4714-4757-b75d-0a8f5edda910

WP User Switch <= 1.0.2 – Authenticated (Subscriber+) Authentication Bypass via Cookie

Affected Software: WP User Switch
CVE ID: CVE-2023-2546
CVSS Score: 8.8 (High)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e89d912d-fa7a-4fb1-8872-95fa861c21ca

Feather Login Page 1.0.7 – 1.1.1 – Missing Authorization to Authentication Bypass and Privilege Escalation

Affected Software: Custom Login Page | Temporary Users | Rebrand Login | Login Captcha
CVE ID: CVE-2023-2545
CVSS Score: 8.1 (High)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b2ab2178-7438-43ef-961e-b54d0d230f4a

User Email Verification for WooCommerce <= 3.5.0 – Authentication Bypass

Affected Software: User Email Verification for WooCommerce
CVE ID: CVE-2023-2781
CVSS Score: 8.1 (High)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f1e31357-7fbc-414b-a4f4-53fa5f2fc715

bbPress Toolkit <= 1.0.12 – Cross-Site Scripting

Affected Software: bbPress Toolkit
CVE ID: CVE-2023-34032
CVSS Score: 7.2 (High)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/11305d35-07d6-4c61-a0c7-035671229f07

Online Booking & Scheduling Calendar for WordPress by vcita <= 4.2.10 – Unauthenticated Stored Cross-Site Scripting

Affected Software: Online Booking & Scheduling Calendar for WordPress by vcita
CVE ID: CVE-2023-2298
CVSS Score: 7.2 (High)
Researcher/s: Jonas Höbenreich
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7e6a0bf9-4767-4d4c-9a1e-adcb3c7719d9

WP Report Post <= 2.1.2 – Authenticated (Editor+) SQL Injection

Affected Software: WP Report Post
CVE ID: CVE-2023-34168
CVSS Score: 7.2 (High)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8dae13e5-cee7-4392-af71-7d466ba6f6c4

Groundhogg <= 2.7.10.3 – Authenticated (Administrator+) SQL Injection

Blog-in-Blog <= 1.1.1 – Authenticated (Editor+) Local File Inclusion via Shortcode

Affected Software: Blog-in-Blog
CVE ID: CVE-2023-2435
CVSS Score: 7.2 (High)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d53161ad-cc5f-4433-b288-a8095cdfd7db

Cart2Cart: Magento to WooCommerce Migration <= 2.0.0 – Missing Authorization via setToken

Affected Software: Cart2Cart: Magento to WooCommerce Migration
CVE ID: CVE-2023-34379
CVSS Score: 7.1 (High)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5d9ab83f-6d0b-4fe4-a121-87b09dcc0953

Headless CMS <= 2.0.3 – Missing Authorization

Affected Software: Headless CMS
CVE ID: CVE-2023-34186
CVSS Score: 6.5 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2d1414f5-e705-4fd4-847b-b46d2d20943b

Jetpack <= 12.1 – Authenticated (Author+) Arbitrary File Manipulation

Affected Software: Jetpack – WP Security, Backup, Speed, & Growth
CVE ID: CVE-2023-2996
CVSS Score: 6.5 (Medium)
Researcher/s: Miguel Neto
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9dfca4cb-71dc-4b2d-bcf3-0ca9f88f88df

B2BKing <= 4.6.00 – Missing Authorization to Authenticated (Subscriber+) Price Modification

Directorist <= 7.5.4 – Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Post Deletion in listing_task

Affected Software: Directorist – WordPress Business Directory Plugin with Classified Ads Listings
CVE ID: CVE-2023-1889
CVSS Score: 6.5 (Medium)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b47edd57-cac7-463f-88cc-8922f1b34612

Uncanny Toolkit for LearnDash <= 3.6.4.3 – Missing Authorization via review-banner-visibility REST route

Affected Software: Uncanny Toolkit for LearnDash
CVE ID: CVE-2023-34019
CVSS Score: 6.5 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cdaa7450-3b51-470d-8903-52fd1d4215a2

Formidable Forms <= 6.3 – Authenticated (Subscriber+) Arbitrary Plugin Installation and Activation

Affected Software: Formidable Forms – Contact Form, Survey, Quiz, Calculator & Custom Form Builder
CVE ID: CVE Unknown
CVSS Score: 6.5 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d9f060bd-029a-462e-b308-8366e82be383

Contact Form Builder by vcita <= 4.9.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Contact Form Builder by vcita
CVE ID: CVE-2023-2300
CVSS Score: 6.4 (Medium)
Researcher/s: Jonas Höbenreich
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/12ce97ba-8053-481f-bcd7-05d5e8292adb

Event Registration Calendar By vcita <= 1.3.1 & Online Payments – Get Paid with PayPal, Square & Stripe <= 3.9.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

Page Builder by AZEXO <= 1.27.133 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Page Builder with Image Map by AZEXO
CVE ID: CVE-2023-3051
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/24486605-9324-4f19-9ca3-340d006432db

WooCommerce Box Office <= 1.1.50 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: WooCommerce Box Office
CVE ID: CVE-2023-34004
CVSS Score: 6.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3ebd05d5-a65d-49df-a865-882e9d17fc0f

Contact Form and Calls To Action by vcita <= 2.6.4 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Contact Form and Calls To Action by vcita
CVE ID: CVE-2023-2302
CVSS Score: 6.4 (Medium)
Researcher/s: Jonas Höbenreich
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4dfc237a-9157-4da9-ba8f-9daf2ba4f20b

Favorites <= 2.3.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Favorites
CVE ID: CVE-2023-2304
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5bd03cd0-34f0-491c-8247-79656eba32a8

Display post meta, term meta, comment meta, and user meta <= 0.4.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Display post meta, term meta, comment meta, and user meta
CVE ID: CVE-2023-1661
CVSS Score: 6.4 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6f90c0d8-ede6-4f24-870f-19e888238e93

CRM and Lead Management by vcita <= 2.6.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: CRM and Lead Management by vcita
CVE ID: CVE-2023-2404
CVSS Score: 6.4 (Medium)
Researcher/s: Jonas Höbenreich
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e26ccd06-22e0-4d91-a53a-df6ead8a8e3b

Page Builder by AZEXO <= 1.27.133 – Cross-Site Request Forgery to Post Creation/Modification/Deletion

Affected Software: Page Builder with Image Map by AZEXO
CVE ID: CVE-2023-3052
CVSS Score: 6.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a4e26035-ce4e-4b4b-aa3c-cd86b29b199a

Chilexpress woo oficial <= 1.2.9 – Reflected Cross-Site Scripting

Affected Software: Chilexpress woo oficial
CVE ID: CVE-2023-34176
CVSS Score: 6.1 (Medium)
Researcher/s: Le Hong Minh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0999a738-9fae-4043-99eb-ff222a7608fa

CRM and Lead Management by vcita <= 2.6.2 – Cross-Site Request Forgery to Stored Cross-Site Scripting

Affected Software: CRM and Lead Management by vcita
CVE ID: CVE-2023-2405
CVSS Score: 6.1 (Medium)
Researcher/s: Jonas Höbenreich
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0f75c6bf-1b93-49d5-b5fb-e59b4e67432f

Event Registration Calendar By vcita <= 1.3.1 & Online Payments – Get Paid with PayPal, Square & Stripe <= 3.9.1 – Cross-Site Request Forgery to Stored Cross-Site Scripting

Contact Form and Calls To Action by vcita <= 2.6.4 – Cross-Site Request Forgery to Stored Cross-Site Scripting

Affected Software: Contact Form and Calls To Action by vcita
CVE ID: CVE-2023-2303
CVSS Score: 6.1 (Medium)
Researcher/s: Jonas Höbenreich
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2345c972-9fd4-4709-8bde-315ab54f60e2

Woocommerce Order address Print <= 3.2 – Reflected Cross-Site Scripting

Affected Software: Woocommerce Order address Print
CVE ID: CVE-2023-34184
CVSS Score: 6.1 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2bbf4e86-308c-43f3-a54c-e1c6ee21260e

Page Builder by AZEXO <= 1.27.133 – Cross-Site Request Forgery to Stored Cross-Site Scripting via azh_save

Affected Software: Page Builder with Image Map by AZEXO
CVE ID: CVE-2023-3055
CVSS Score: 6.1 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2efeffa2-b21a-4aa1-93b0-51c775758ab1

bbp style pack <= 5.5.5 – Reflected Cross-Site Scripting

Affected Software: bbp style pack
CVE ID: CVE-2023-33997
CVSS Score: 6.1 (Medium)
Researcher/s: thiennv
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/49e82146-e8ad-4bc5-94a7-a4ae694b7039

Contact Form Builder by vcita <= 4.9.1 – Cross-Site Request Forgery to Stored Cross-Site Scripting

Affected Software: Contact Form Builder by vcita
CVE ID: CVE-2023-2301
CVSS Score: 6.1 (Medium)
Researcher/s: Jonas Höbenreich
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/61c39f5f-3b17-4e4d-824e-241159a73400

Social Share, Social Login and Social Comments <= 7.13.51 – Reflected Cross-Site Scripting

Affected Software: Social Share, Social Login and Social Comments Plugin – Super Socializer
CVE ID: CVE-2023-2779
CVSS Score: 6.1 (Medium)
Researcher/s: 40826d
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6257739a-cd7c-4797-882a-016a01fe84b4

Dynamic QR Code Generator <= 0.0.5 – Reflected Cross-Site Scripting

Affected Software: Dynamic QR Code Generator
CVE ID: CVE-2023-34022
CVSS Score: 6.1 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/65f30cd4-1d47-4ebe-a6de-acdb3a813c9c

WP Directory Kit <= 1.2.3 – Reflected Cross-Site Scripting via ‘search’

Affected Software: WP Directory Kit
CVE ID: CVE-2023-2835
CVSS Score: 6.1 (Medium)
Researcher/s: Dongzhu Li
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/847f1c00-0e8f-4d38-84af-fe959e2efe5c

BBS e-Popup <= 2.4.5 – Reflected Cross-Site Scripting

Affected Software: BBS e-Popup
CVE ID: CVE-2023-34174
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8f715947-e379-4a05-9ab8-5d9e94ffc136

Premium Addons PRO <= 2.8.24 – Reflected Cross-Site Scripting

Affected Software: premium-addons-pro
CVE ID: CVE-2023-34012
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9445a54c-06b9-400a-a8ae-a58f1b968196

Google Fonts For WordPress <= 3.0.0 – Reflected Cross-Site Scripting

Affected Software: Google Fonts For WordPress
CVE ID: CVE-2023-34180
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/94712f92-5045-420b-9d6d-59a4c031e998

Login Configurator <= 2.1 – Reflected Cross-Site Scripting

Affected Software: Login Configurator
CVE ID: CVE-2023-34175
CVSS Score: 6.1 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b89a1265-6e26-498c-a2b4-da12d38463c9

WP ERP <= 1.12.3 – Reflected Cross-Site Scripting

Blog-in-Blog <= 1.1.1 – Authenticated (Editor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Blog-in-Blog
CVE ID: CVE-2023-2436
CVSS Score: 5.5 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5c6a88c3-18b7-470f-8014-373ead66dcfa

Quick/Bulk Order Form for WooCommerce <= 3.5.7 – Authenticated (Shop manager+) Stored Cross-Site Scripting

Affected Software: Quick/Bulk Order Form for WooCommerce
CVE ID: CVE-2023-34170
CVSS Score: 5.5 (Medium)
Researcher/s: Emili Castells
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/898af9aa-72c4-46a6-afc2-76dd17672fbc

Download Monitor <= 4.8.1 – Authenticated (Admin+) Server-Side Request Forgery

Affected Software: Download Monitor
CVE ID: CVE-2023-31219
CVSS Score: 5.5 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a03f0780-796c-41a3-8f06-04f76e0da2da

JS Job Manager <= 2.0.0 – Cross-Site Request Forgery via multiple functions

Affected Software: JS Job Manager
CVE ID: CVE-2023-31087
CVSS Score: 5.4 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0131921b-6f60-4da1-b5d9-d44a33d35cae

Groundhogg <= 2.7.10.3 – Cross-Site Request Forgery

Affected Software: WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg
CVE ID: CVE-2023-34178
CVSS Score: 5.4 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/22506d45-40db-47c4-91b2-ab4f49703bf9

Online Booking & Scheduling Calendar for WordPress by vcita <= 4.2.10 – Missing Authorization to Settings Update and Media Upload

Affected Software: Online Booking & Scheduling Calendar for WordPress by vcita
CVE ID: CVE-2023-2414
CVSS Score: 5.4 (Medium)
Researcher/s: Jonas Höbenreich
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3c99aab5-a995-44ae-bc14-09f73e6b22c5

Dynamic Visibility for Elementor <= 5.0.5 – Missing Authorization to Authenticated (Subscriber+) Post Visibility Modification

Affected Software: Dynamic Visibility for Elementor
CVE ID: CVE Unknown
CVSS Score: 5.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4e704333-ad88-42c9-b632-babc9d54cb13

Feather Login Page 1.0.7 – 1.1.1 – Missing Authorization to Non-Arbitrary User Deletion

Affected Software: Custom Login Page | Temporary Users | Rebrand Login | Login Captcha
CVE ID: CVE-2023-2547
CVSS Score: 5.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5d58a6a4-de2c-485f-a8b0-7a7d144fbf3c

Online Booking & Scheduling Calendar for WordPress by vcita <= 4.2.10 – Missing Authorization to Account Logout

Affected Software: Online Booking & Scheduling Calendar for WordPress by vcita
CVE ID: CVE-2023-2415
CVSS Score: 5.4 (Medium)
Researcher/s: Jonas Höbenreich
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/731cbeed-d4aa-448f-878a-8c51a3da4e18

Worthy – VG WORT Integration für WordPress <= 1.6.5-6497609 – Cross-Site Request Forgery

Affected Software: Worthy – VG WORT Integration für WordPress
CVE ID: CVE-2023-24417
CVSS Score: 5.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7717cd0f-6aac-4cb0-b27e-2517d5d7ecd9

Extended Post Status <= 1.0.19 – Missing Authorization via wp_insert_post_data

Affected Software: Extended Post Status
CVE ID: CVE-2023-32094
CVSS Score: 5.4 (Medium)
Researcher/s: TaeEun Lee
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b6369b41-d93f-4959-8fad-be69ef724b24

Change WooCommerce Add To Cart Button Text <= 1.3 – Missing Authorization via rexvs_settings_submit

Affected Software: Change WooCommerce Add To Cart Button Text
CVE ID: CVE-2023-34376
CVSS Score: 5.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d47f5d90-dc7d-4500-a6e6-e585e4a5c11b

Page Builder by AZEXO <= 1.27.133 – Missing Authorization to Post Creation

Affected Software: Page Builder with Image Map by AZEXO
CVE ID: CVE-2023-3053
CVSS Score: 5.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/dd56cb73-1c40-44b1-b713-c0291832d988

WordPress Social Login <= 3.0.4 – Reflected Cross-Site Scripting

Affected Software: WordPress Social Login
CVE ID: CVE-2023-34023
CVSS Score: 5.4 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e8b03deb-4134-4dde-8545-a14977a47209

Online Booking & Scheduling Calendar for WordPress by vcita <= 4.2.10 – Cross-Site Request Forgery to Account Logout

Affected Software: Online Booking & Scheduling Calendar for WordPress by vcita
CVE ID: CVE-2023-2416
CVSS Score: 5.4 (Medium)
Researcher/s: Jonas Höbenreich
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f434585c-8533-4788-b0bc-5650390c29a8

Online Booking & Scheduling Calendar for WordPress by vcita <= 4.2.10 – Missing Authorization on REST-API

Affected Software: Online Booking & Scheduling Calendar for WordPress by vcita
CVE ID: CVE-2023-2299
CVSS Score: 5.3 (Medium)
Researcher/s: Jonas Höbenreich
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4855627a-de56-49ee-b0b0-01b9735d8557

WooCommerce Box Office <= 1.1.51 – Missing Authorization

Affected Software: WooCommerce Box Office
CVE ID: CVE-2023-34003
CVSS Score: 5.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8872eca8-4812-4f5f-b775-cbfab90ba2ca

Call Now Accessibility Button <= 1.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Call Now Accessibility Button
CVE ID: CVE-2023-28933
CVSS Score: 4.4 (Medium)
Researcher/s: Juampa Rodríguez
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/04df6505-46c1-4e66-a363-4ccebacb5e42

Yandex Metrica Counter <= 1.4.3 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Yandex Metrica Counter
CVE ID: CVE-2023-34173
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/173661aa-6895-41d6-8869-6abfd2eadf31

Unite Gallery Lite <= 1.7.60 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Unite Gallery Lite
CVE ID: CVE-2023-34183
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/577d8986-edc5-445f-80cf-7a7f2cca9749

Download SpamReferrerBlock <= 2.22 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: SpamReferrerBlock
CVE ID: CVE-2023-34372
CVSS Score: 4.4 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/692e995d-cdfc-4ab8-8a8a-5423eb7f8d15

Telegram Bot & Channel <= 3.6.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Telegram Bot & Channel
CVE ID: CVE-2023-34006
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6eb099c3-f6f6-4d9c-a9c7-fa1b81ce082e

Kanban Boards for WordPress <= 2.5.20 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Kanban Boards for WordPress
CVE ID: CVE-2023-34368
CVSS Score: 4.4 (Medium)
Researcher/s: TomS
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7fe3e55e-7286-4d12-b24f-fce69248a446

Call Now Icon Animate <= 0.1.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Call Now Icon Animate
CVE ID: CVE-2023-34187
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/82f5e976-2564-4f8b-96d5-cfac9945737c

WordPress Social Login <= 3.0.4 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: WordPress Social Login
CVE ID: CVE-2023-34172
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bc2c3bdb-65b9-4e0b-899f-bd08077bc8ba

Bulk Order Form for WooCommerce <= 3.5.7 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Quick/Bulk Order Form for WooCommerce
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d549fcd5-6808-4d7d-bf1f-df8cfa458744

CRM Perks Forms <= 1.1.1 – Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: CRM Perks Forms – WordPress Form Builder
CVE ID: CVE-2023-2836
CVSS Score: 4.4 (Medium)
Researcher/s: Dongzhu Li
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/de11636b-a051-4e76-bc26-ed76f66fe0df

GDPR Cookie Consent Notice Box <= 1.1.6 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: GDPR Cookie Consent Notice Box
CVE ID: CVE-2023-32294
CVSS Score: 4.4 (Medium)
Researcher/s: Emili Castells
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f44b8e21-4bfd-487f-96f1-d264d335f54f

TS Webfonts for さくらのレンタルサーバ <= 3.1.0 – Cross-Site Request Forgery

Affected Software: TS Webfonts for さくらのレンタルサーバ
CVE ID: CVE-2023-34169
CVSS Score: 4.3 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/025d576b-7342-4863-ac30-f1ff0205d638

NextGen GalleryView <= 0.5.5 – Cross-Site Request Forgery

Affected Software: WordPress NextGen GalleryView
CVE ID: CVE-2023-34185
CVSS Score: 4.3 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/052ea3af-96d8-4e83-b4e7-3db30b556d0d

WP Report Post <= 2.1.2 – Cross-Site Request Forgery

Affected Software: WP Report Post
CVE ID: CVE-2023-34171
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/09e28b72-55c6-4f2f-b689-a8989945651b

Ajax Pagination and Infinite Scroll <= 2.0.1 – Cross-Site Request Forgery

Affected Software: Ajax Pagination and Infinite Scroll
CVE ID: CVE-2023-34033
CVSS Score: 4.3 (Medium)
Researcher/s: Justiice
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0bc7f5dd-a1eb-442d-9913-e391208e7f26

VK Blocks <= 1.57.0.5 – Authenticated (Contributor+) Settings Update

Affected Software: VK Blocks
CVE ID: CVE-2023-0583
CVSS Score: 4.3 (Medium)
Researcher/s: Ramuel Gall
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/12a94f5b-bc30-4a65-b397-54488c836ec3

Floating Action Button <= 1.2.1 – Cross-Site Request Forgery

Affected Software: Floating Action Button
CVE ID: CVE-2023-31088
CVSS Score: 4.3 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/14bf654e-c4f1-4267-811e-6d796c14834a

Photo Gallery <= 1.8.15 – Missing Authorization

Affected Software: Photo Gallery by 10Web – Mobile-Friendly Image Gallery
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1534f67d-cf3f-4185-9aa6-01ae5dee4f26

Multiple Themes (Various Versions) – Missing Authorization to Arbitrary Plugin Activation

Affected Software/s: Viral News, HashOne, Viral
CVE ID: CVE-2023-33923
CVSS Score: 4.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/154a838c-f8bb-4568-b066-a78264c75eea

Draw Attention <= 2.0.11 – Missing Authorization to Arbitrary Post Featured Image Modification

Affected Software: Interactive Image Map Plugin – Draw Attention
CVE ID: CVE-2023-2764
CVSS Score: 4.3 (Medium)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/18530601-a294-448c-a1b2-c3995f9042ac

LH Password Changer <= 1.55 – Cross-Site Request Forgery

Affected Software: LH Password Changer
CVE ID: CVE-2023-34182
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/19d08a16-51c1-4255-b0e0-01307e1783ca

Social Media & Share Icons <= 2.8.1 – Missing Authorization via handle_installation

Affected Software: Social Media Share Buttons & Social Sharing Icons
CVE ID: CVE-2023-34009
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1bfb5d34-738d-4842-be93-9668fceb3334

Advanced Flat rate shipping Woocommerce <= 1.6.4.4 – Cross-Site Request Forgery via enableDisable and deletePost

Donation Platform for WooCommerce: Fundraising & Donation Management <= 1.2.9 – Cross-Site Request Forgery to Survey Submission

Affected Software: Donation Platform for WooCommerce: Fundraising & Donation Management
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3c8602ed-6c0d-4357-93e6-bab1ab38ffb2

WP Hide Post <= 2.0.10 – Cross-Site Request Forgery via save_bulk_edit_data

Affected Software: WP Hide Post
CVE ID: CVE-2023-34378
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3c957f3f-fb98-49ff-b317-93b1accd0d47

WP Full Auto Tags Manager <= 2.2 – Cross-Site Request Forgery

Affected Software: WP Full Auto Tags Manager
CVE ID: CVE-2023-34024
CVSS Score: 4.3 (Medium)
Researcher/s: Elliot
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5bf209b8-7c12-4fc3-af7f-4fd25777caab

WPC Smart Wishlist for WooCommerce <= 4.6.7 – Cross-Site Request Forgery via wishlist_add and wishlist_remove

Affected Software: WPC Smart Wishlist for WooCommerce
CVE ID: CVE-2023-34386
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/655fc91d-5920-4214-8ef1-8191e2683f9d

Disable WordPress Update Notifications <= 2.3.3 – Cross-Site Request Forgery

Affected Software: Disable WordPress Update Notifications and auto-update Email Notifications
CVE ID: CVE-2023-34029
CVSS Score: 4.3 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/658ba848-fbfe-4cee-b997-77bc4cae53dc

Uncanny Toolkit for LearnDash <= 3.6.4.3 – Open Redirect

Affected Software: Uncanny Toolkit for LearnDash
CVE ID: CVE-2023-34020
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/66e5a569-1dd5-40e9-8356-d7c82c8e30ed

WP-Cirrus <= 0.6.11 – Cross-Site Request Forgery

Affected Software: WP-Cirrus
CVE ID: CVE-2023-34181
CVSS Score: 4.3 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/710aa0fd-34e2-4f0e-b354-0722d9692410

LWS Hide Login <= 2.1.5 – Cross-Site Request Forgery

Affected Software: LWS Hide Login
CVE ID: CVE-2023-34025
CVSS Score: 4.3 (Medium)
Researcher/s: konagash
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7678b80f-3184-4979-b1f4-25cd75836010

Constant Contact Forms <= 1.14.0 – Missing Authorization via constant_contact_optin_ajax_handler

Affected Software: Constant Contact Forms
CVE ID: CVE-2023-34387
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/85b6262c-2576-4177-a683-44464dba0978

bbPress Toolkit <= 1.0.12 – Cross-Site Request Forgery

Affected Software: bbPress Toolkit
CVE ID: CVE-2023-34031
CVSS Score: 4.3 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8a9b2ec2-edbe-45c5-bd36-45a6101356d1

WP Inventory Manager <= 2.1.0.13 – Cross-Site Request Forgery via delete_item

Affected Software: WP Inventory Manager
CVE ID: CVE-2023-34002
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/95986a4d-94fb-4afe-ba1e-382d6f4c550f

Ultimate Member <= 2.6.0 – Cross-Site Request Forgery to Form Duplication

WOLF <= 1.0.7 – Cross-Site Request Forgery via create_profile

Affected Software: WOLF – WordPress Posts Bulk Editor and Manager Professional
CVE ID: CVE-2023-34028
CVSS Score: 4.3 (Medium)
Researcher/s: thiennv
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/98dffc17-ac45-4ccd-ae57-96b36bd02be3

Complianz | GDPR/CCPA Cookie Consent <= 6.4.5 – Cross-Site Request Forgery

Affected Software: Complianz – GDPR/CCPA Cookie Consent
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a92d5176-4cf0-4a31-9dcc-a2dc3259d29b

VK Blocks <= 1.57.0.5 – Authenticated (Contributor+) Settings Update

Affected Software: VK Blocks
CVE ID: CVE-2023-0584
CVSS Score: 4.3 (Medium)
Researcher/s: Ramuel Gall
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b90b7f6c-df7f-48a5-b283-cf5facbd71e5

B2BKing <= 4.6.00 – Missing Authorization to Authenticated (Subscriber+) Information Disclosure

Multiple Themes (Various Versions) – Cross-Site Request Forgery to Arbitrary Plugin Activation

Affected Software/s: Viral News, HashOne, Viral
CVE ID: CVE-2023-33923
CVSS Score: 4.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d3543a39-ad88-40be-93b8-36ec638db4bd

Kebo Twitter Feed <= 1.5.12 – Cross-Site Request Forgery via kebo_twitter_menu_render

Affected Software: Kebo Twitter Feed
CVE ID: CVE-2023-34384
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d56aaa20-f40c-4f99-bc38-0b14fa39a175

SpamReferrerBlock <= 2.22 – Cross-Site Request Forgery

Affected Software: SpamReferrerBlock
CVE ID: CVE-2023-34371
CVSS Score: 4.3 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d70e9d4e-2137-411b-bc01-28388a7b2519

TPG Redirect <= 1.0.6 – Cross-Site Request Forgery

Affected Software: TPG Redirect
CVE ID: CVE-2023-32093
CVSS Score: 4.3 (Medium)
Researcher/s: Taihei Shimamine
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d92b9c21-067b-41c3-a385-a65faa8dd0ae

WP-Cache.com <= 1.1.1 – Cross-Site Request Forgery

Affected Software: WP-Cache.com
CVE ID: CVE-2023-34177
CVSS Score: 4.3 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e9a28625-19e4-4696-bb51-7115368120d3

Bookly <= 21.7 – Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: WordPress Online Booking and Scheduling Plugin – Bookly
CVE ID: CVE-2023-1159
CVSS Score: 4 (Medium)
Researcher/s: Vinay Kumar
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d4cdf774-c93b-4b94-85ba-aa56bf401873

Nested Pages <= 3.2.3 – Missing Authorization to Authenticated (Editor+) Plugin Settings Reset

Affected Software: Nested Pages
CVE ID: CVE-2023-2434
CVSS Score: 3.8 (Low)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8c3e61e9-3610-41b5-9820-28012dc657fd

Brizy Page Builder <= 2.4.18 – IP Address Spoofing to Protection Mechanism Bypass

Affected Software: Brizy – Page Builder
CVE ID: CVE-2023-2897
CVSS Score: 3.7 (Low)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ae342dd9-2f5f-4356-8fb4-9a3e5f4f8316

CartFlows <= 1.11.11 – Insecure Direct Object Reference to Arbitrary Post Deletion

Affected Software: WooCommerce Checkout & Funnel Builder by CartFlows – Create High Converting Stores For WooCommerce
CVE ID: CVE Unknown
CVSS Score: 2.7 (Low)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b9002f6e-4345-4908-9cb8-9841a2458eb7

As a reminder, Wordfence has curated an industry-leading vulnerability database, known as Wordfence Intelligence, covering all known WordPress core, theme, and plugin vulnerabilities.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, direct submissions from vulnerability researchers via our CVE Request form, and monitoring of various sources to capture all publicly available WordPress vulnerability information, with additional context added where we can.
