Wordfence Intelligence Weekly WordPress Vulnerability Report (June 12, 2023 to June 18, 2023)

Last week, 60 vulnerabilities disclosed in 52 WordPress plugins and no WordPress themes were added to the Wordfence Intelligence Vulnerability Database, and 25 vulnerability researchers contributed to WordPress security. Review the vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, including the WordPress community, so that individuals and organizations alike can use that data to make the internet more secure. That is why the Wordfence Intelligence user interface and vulnerability API are completely free to access and use, both personally and commercially, and why we are running this weekly vulnerability report.

Click here to sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress security reports in your inbox the moment they are published.

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status | Number of Vulnerabilities
Unpatched | 20
Patched | 40

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating | Number of Vulnerabilities
Low Severity | 1
Medium Severity | 53
High Severity | 6
Critical Severity | 0

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE | Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 26
Cross-Site Request Forgery (CSRF) | 21
Missing Authorization | 8
Information Exposure | 1
Authorization Bypass Through User-Controlled Key | 1
Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’) | 1
Unrestricted Upload of File with Dangerous Type | 1
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 1

Researchers That Contributed to WordPress Security Last Week

Researcher Name | Number of Vulnerabilities
Truoc Phan | 6
LEE SE HYOUNG | 5
Erwan LR | 5
Marco Wotschka (Wordfence Vulnerability Researcher) | 4
Abdi Pranata | 3
Mika | 3
Lana Codes (Wordfence Vulnerability Researcher) | 3
yuyudhn | 3
Nguyen Xuan Chien | 3
Rafshanzani Suhada | 2
konagash | 2
NeginNrb | 2
Rafie Muhammad | 2
A. S. M. Muhiminul Hasan | 1
Theodoros Malachias | 1
Rio Darmawan | 1
Le Ngoc Anh | 1
emad | 1
Alex Thomas (Wordfence Vulnerability Researcher) | 1
Daniel Ruf | 1
Amirmohammad vakili | 1
thiennv | 1
Chloe Chamberland (Wordfence Vulnerability Researcher) | 1
Phd | 1
killr00t | 1


Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added to the Wordfence Intelligence leaderboard and mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name | Software Slug
ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup | armember-membership
All Bootstrap Blocks | all-bootstrap-blocks
Booking and Rental Manager for Bike | Car | Resort | Appointment | Dress and all Kinds of Equipment | booking-and-rental-manager-for-woocommerce
CF7 Google Sheets Connector | cf7-google-sheets-connector
CF7 Google Sheets Connector Pro | cf7-google-sheets-connector-pro
CHP Ads Block Detector | chp-ads-block-detector
Church Admin | church-admin
Constant Contact Forms | constant-contact-forms
Contact Form by WD – responsive drag & drop contact form builder tool | contact-form-maker
Elementor Forms Google Sheet Connector | gsheetconnector-for-elementor-forms
Elementor Forms Google Sheet Connector Pro | gsheetconnector-for-elementor-forms-pro
Flo Forms – Easy Drag & Drop Form Builder | flo-forms
Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder | form-maker
Forminator – Contact Form, Payment Form & Custom Form Builder | forminator
Galleria | galleria
Google Map Shortcode | google-map-shortcode
Guest posting / Frontend Posting wordpress plugin – WP Front User Submit / Front Editor | front-editor
LWS Cleaner | lws-cleaner
LWS Tools | lws-tools
Login Configurator | login-configurator
MStore API | mstore-api
MasterStudy LMS WordPress Plugin – for Online Courses and Education | masterstudy-lms-learning-management-system
ND Shortcodes | nd-shortcodes
Ninja Forms Google Sheet Connector | gsheetconnector-ninja-forms
Ninja Forms Google Sheet Connector Pro | gsheetconnector-ninja-forms-pro
Password Protected | password-protected
Protect WP Admin | protect-wp-admin
Recent Posts Slider | recent-posts-slider
Recipe Maker For Your Food Blog from Zip Recipes | zip-recipes
Securimage-WP | securimage-wp
Seed Fonts | seed-fonts
Sermon’e – Sermons Online | UNKNOWN-CVE-2023-35776-1
Stock Manager for WooCommerce | woocommerce-stock-manager
Template Debugger | quick-edit-template-link
Tutor LMS – eLearning and online course solution | tutor
Unlimited Elements For Elementor (Free Widgets, Addons, Templates) | unlimited-elements-for-elementor
WP Affiliate Links | wp-affiliate-links
WP Backup Manager | wp-backup-manager
WP Directory Kit | wpdirectorykit
WP Matterport Shortcode | shortcode-gallery-for-matterport-showcase
WP PDF Generator | wp-pdf-generator
WPForms Google Sheet Connector | gsheetconnector-wpforms
WPForms Google Sheet Connector Pro | gsheetconnector-wpforms-pro
Who Hit The Page – Hit Counter | who-hit-the-page-hit-counter
WooCommerce Stripe Payment Gateway | woocommerce-gateway-stripe
WordPress Contact Forms by Cimatti | contact-forms
WordPress NextGen GalleryView | wordpress-nextgen-galleryview
YaySMTP – Simple WP SMTP Mail | yaysmtp
Zephyr Project Manager | zephyr-project-manager
breadcrumb simple | breadcrumb-simple
myCred – Points, Rewards, Gamification, Ranks, Badges & Loyalty Plugin | mycred
胖鼠采集(Fat Rat Collect) 微信知乎简书腾讯新闻列表分页采集, 还有自动采集、自动发布、自动标签、等多项功能。开源插件 | fat-rat-collect

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities.

Unlimited Elements For Elementor (Free Widgets, Addons, Templates) <= 1.5.66 – Authenticated (Contributor+) Arbitrary File Upload

Affected Software: Unlimited Elements For Elementor (Free Widgets, Addons, Templates)
CVE ID: CVE-2023-3295
CVSS Score: 8.8 (High)
Researcher/s: Chloe Chamberland, Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ce1ac711-6026-49ef-b66b-2cc199697942

Tutor LMS <= 2.2.0 – Missing Authorization via REST API

Affected Software: Tutor LMS – eLearning and online course solution
CVE ID: CVE-2023-3133
CVSS Score: 7.5 (High)
Researcher/s: A. S. M. Muhiminul Hasan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1d6c9765-6936-4b22-835e-e899f62c14c9

WooCommerce Stripe Payment Gateway <= 7.4.0 – Unauthenticated Insecure Direct Object Reference to Sensitive Information Disclosure

Affected Software: WooCommerce Stripe Payment Gateway
CVE ID: CVE-2023-34000
CVSS Score: 7.5 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/70971072-d743-466b-affe-d7f79d5712aa

Ninja Forms Google Sheet Connector <= 1.2.6 – Reflected Cross-Site Scripting

Affected Software/s: Ninja Forms Google Sheet Connector, Ninja Forms Google Sheet Connector Pro
CVE ID: CVE-2023-2333
CVSS Score: 7.2 (High)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/559a92e0-609e-415f-aab3-649a185eb431

YaySMTP <= 2.4.5 – Unauthenticated Stored Cross-Site Scripting via Email

Affected Software: YaySMTP – Simple WP SMTP Mail
CVE ID: CVE-2023-3093
CVSS Score: 7.2 (High)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/68e6ec3a-c5fd-4f63-a9a0-2c9ddfb96e2e

Who Hit The Page – Hit Counter <= 1.4.14.3 – Unauthenticated Cross-Site Scripting

Affected Software: Who Hit The Page – Hit Counter
CVE ID: CVE-2023-25466
CVSS Score: 7.2 (High)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/714d7811-0425-4833-a7b2-a408799181e4

Contact Form Maker <= 1.13.23 – Authenticated (Administrator+) SQL Injection

Affected Software: Contact Form by WD – responsive drag & drop contact form builder tool
CVE ID: CVE-2023-2655
CVSS Score: 6.6 (Medium)
Researcher/s: killr00t
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fb56c071-d7b9-40e0-8cc5-2dd48c93b8cf

All Bootstrap Blocks <= 1.3.6 – Cross-Site Request Forgery to Plugin Settings Reset

Affected Software: All Bootstrap Blocks
CVE ID: CVE-2023-35047
CVSS Score: 6.5 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4a7a15ab-4f13-4eb1-aeb5-143230308871

WP Directory Kit <= 1.2.3 – Missing Authorization to Plugin Settings Change/Delete, Demo Import, Directory Kit Deletion via wdk_admin_action

Affected Software: WP Directory Kit
CVE ID: CVE-2023-2351
CVSS Score: 6.5 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/50c5154c-1573-4c2b-85a1-a89bdb22dc7d

MStore API <= 3.9.5 – Missing Authorization

Affected Software: MStore API
CVE ID: CVE Unknown
CVSS Score: 6.5 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7a747542-0601-4fa5-a97c-c72d1347013b

Sermon’e <= 1.0.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Sermon’e – Sermons Online
CVE ID: CVE-2023-35776
CVSS Score: 6.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/08b5f399-018c-4e0b-aefc-55463d4ac48d

MasterStudy LMS <= 3.0.7 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: MasterStudy LMS WordPress Plugin – for Online Courses and Education
CVE ID: CVE-2023-35090
CVSS Score: 6.4 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/174e2bf3-2531-4a53-ade6-3df7e976ed29

ND Shortcodes <= 6.9 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: ND Shortcodes
CVE ID: CVE-2022-4623
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5d92687e-cdf2-4dd2-b984-eaf9f0a56625

WP Matterport Shortcode <= 2.1.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: WP Matterport Shortcode
CVE ID: CVE-2023-35094
CVSS Score: 6.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7b76ce38-d9ee-4998-ba3b-9f21158ce18a

ND Shortcodes <= 6.9 – Authenticated (Subscriber+) Local File Inclusion

Affected Software: ND Shortcodes
CVE ID: CVE-2023-1273
CVSS Score: 6.4 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9b9bd42f-cb24-483a-ae91-add4378067d9

Front User Submit | Front Editor <= 3.7.0 – Authenticated (Subscriber+) Stored Cross-Site Scripting

Affected Software: Guest posting / Frontend Posting wordpress plugin – WP Front User Submit / Front Editor
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f34722fb-e852-4194-b839-7d885d212fc9

NextGen GalleryView <= 0.5.5 – Reflected Cross-Site Scripting

Affected Software: WordPress NextGen GalleryView
CVE ID: CVE-2023-35098
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/043ed446-3af3-4d90-8da7-b1fe73e06bba

CF7 Google Sheets Connector <= 5.0.1 – Reflected Cross-Site Scripting via ‘code’

Affected Software/s: CF7 Google Sheets Connector Pro, CF7 Google Sheets Connector
CVE ID: CVE-2023-2320
CVSS Score: 6.1 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1c6b2c4b-5ea5-471d-9114-d2b469b6c59b

Elementor Forms Google Sheet Connector <= 1.0.6 – Reflected Cross-Site Scripting via ‘code’

Affected Software/s: Elementor Forms Google Sheet Connector Pro, Elementor Forms Google Sheet Connector
CVE ID: CVE-2023-2324
CVSS Score: 6.1 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3ac577f4-2e61-4b72-881e-6fbbfd268f7b

WP Backup Manager <= 1.13.1 – Reflected Cross-Site Scripting

Affected Software: WP Backup Manager
CVE ID: CVE-2023-35775
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5ee3416b-d6df-4f8b-834b-4e78516c00ba

WPForms Google Sheet Connector <= 3.4.5 – Reflected Cross-Site Scripting

Affected Software/s: WPForms Google Sheet Connector Pro, WPForms Google Sheet Connector
CVE ID: CVE-2023-2321
CVSS Score: 6.1 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/75067f95-48b6-4c1d-8d8b-2601185b1f81

Recent Posts Slider <= 1.1 – Reflected Cross-Site Scripting

Affected Software: Recent Posts Slider
CVE ID: CVE-2023-35043
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8bbc6aa7-0625-4689-8afe-d7399009ee53

WP Affiliate Links <= 0.1.1 – Reflected Cross-Site Scripting

Affected Software: WP Affiliate Links
CVE ID: CVE-2023-35097
CVSS Score: 6.1 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ba4638be-29d3-4638-84d3-6a9d540bfa33

Google Map Shortcode <= 3.1.2 – Reflected Cross-Site Scripting

Affected Software: Google Map Shortcode
CVE ID: CVE-2023-35772
CVSS Score: 6.1 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cbd4983f-bf92-45c3-95a6-6f5e39bca228

Church Admin <= 3.7.29 – Reflected Cross-Site Scripting

Affected Software: Church Admin
CVE ID: CVE-2023-34021
CVSS Score: 6.1 (Medium)
Researcher/s: Phd
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e85efdc1-cffc-411a-a2f7-6fa1132e2910

LWS Tools <= 2.4.1 – Cross-Site Request Forgery

Affected Software: LWS Tools
CVE ID: CVE-2023-35774
CVSS Score: 5.4 (Medium)
Researcher/s: konagash
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/315dbb77-d872-4cc4-bb4c-9d4763a6ff8f

LWS Cleaner <= 2.3.0 – Cross-Site Request Forgery

Affected Software: LWS Cleaner
CVE ID: CVE-2023-35781
CVSS Score: 5.4 (Medium)
Researcher/s: konagash
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b89c51fe-c056-4d85-a6e3-6678ed93b9d8

Fat Rat Collect <= 2.6.1 – Missing Authorization

Protect WP Admin <= 3.8 – Unauthenticated Information Disclosure to Protection Bypass

Affected Software: Protect WP Admin
CVE ID: CVE-2023-3139
CVSS Score: 5.3 (Medium)
Researcher/s: Daniel Ruf
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7012b34d-8d65-4575-9965-417739206b5f

Forminator <= 1.23.3 – Race Condition to Multiple Poll Voting

Affected Software: Forminator – Contact Form, Payment Form & Custom Form Builder
CVE ID: CVE-2023-2010
CVSS Score: 5.3 (Medium)
Researcher/s: Amirmohammad vakili
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a40cb2da-dc13-4e20-9602-a4e6c2eade43

CHP Ads Block Detector <= 3.9.4 – Authenticated (Subscriber+) Stored Cross-Site Scripting

Affected Software: CHP Ads Block Detector
CVE ID: CVE-2023-2354
CVSS Score: 4.9 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6f8514c9-0e11-4e26-ba0b-1d08a990b56c

Seed Fonts 2.3.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Seed Fonts
CVE ID: CVE-2023-35779
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/57953bab-7430-4841-b073-7db7964e6a65

ARMember <= 4.0.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup
CVE ID: CVE-2023-33323
CVSS Score: 4.4 (Medium)
Researcher/s: emad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/668d4bd3-adde-4347-9169-67c3c96e1743

Booking and Rental Manager <= 1.2.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

Login Configurator <= 2.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Login Configurator
CVE ID: CVE-2023-34369
CVSS Score: 4.4 (Medium)
Researcher/s: NeginNrb
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/74d3606f-bd62-4844-ac17-8e47feddab92

Password Protected <= 2.6.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Password Protected
CVE ID: CVE-2023-32580
CVSS Score: 4.4 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/79c296b1-e385-404d-96c0-a98f10b89f08

Flo Forms <= 1.0.40 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Flo Forms – Easy Drag & Drop Form Builder
CVE ID: CVE-2023-35095
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bdd35d61-0777-4e64-8a51-55fe928e75ba

Recent Posts Slider <= 1.1 – Cross-Site Request Forgery

Affected Software: Recent Posts Slider
CVE ID: CVE-2023-35778
CVSS Score: 4.3 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0cf9c390-81d7-45d4-a6df-22b16235d11b

MStore API <= 3.9.6 – Cross-Site Request Forgery to Product Limit Update

Affected Software: MStore API
CVE ID: CVE-2023-3203
CVSS Score: 4.3 (Medium)
Researcher/s: Truoc Phan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1aed51a2-9fd4-43bb-b72d-ae8e51ee6e87

Zephyr Project Manager <= 3.3.93 – Cross-Site Request Forgery

Affected Software: Zephyr Project Manager
CVE ID: CVE-2023-34373
CVSS Score: 4.3 (Medium)
Researcher/s: Theodoros Malachias
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/236387f0-b58e-4ef1-b370-a0703a7902eb

WP PDF Generator <= 1.2.2 – Cross-Site Request Forgery to PDF Settings Update

Affected Software: WP PDF Generator
CVE ID: CVE-2023-35038
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/28a4c868-a24d-4fd8-ae0e-d5c0bf3a7436

Securimage-WP <= 3.6.16 – Cross-Site Request Forgery

Affected Software: Securimage-WP
CVE ID: CVE-2023-35044
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/36f41de5-50d5-47ca-bbd0-eca3b756a0cd

MasterStudy LMS <= 3.0.7 – Missing Authorization to Course Category Creation

Affected Software: MasterStudy LMS WordPress Plugin – for Online Courses and Education
CVE ID: CVE-2023-35093
CVSS Score: 4.3 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/417ae2f2-e245-49bb-8b77-0eabf6095459

CHP Ads Block Detector <= 3.9.4 – Missing Authorization to Plugin Settings Update

Affected Software: CHP Ads Block Detector
CVE ID: CVE-2023-2353
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4eca64d7-6e33-4b8e-af37-a3e8bbf2b76f

Zip Recipes <= 8.0.7 – Cross-Site Request Forgery

Affected Software: Recipe Maker For Your Food Blog from Zip Recipes
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/727a0649-082f-46d0-8d6f-de53ee7fb18e

MStore API <= 3.9.6 – Cross-Site Request Forgery to Order Message Update

Affected Software: MStore API
CVE ID: CVE-2023-3200
CVSS Score: 4.3 (Medium)
Researcher/s: Truoc Phan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/78f3c503-e255-44d2-8432-48dc2c5f553d

Form Maker <= 1.15.16 – Missing Authorization in check_score

Affected Software: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7f0eac1e-4988-4b73-bf13-c959b0dc11e2

Template Debugger <= 3.1.2 – Cross-Site Request Forgery

Affected Software: Template Debugger
CVE ID: CVE-2023-35773
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8da0fed9-4b88-4b68-b317-124fe678cfa4

Stock Manager for WooCommerce <= 2.10.0 – Cross-Site Request Forgery

Affected Software: Stock Manager for WooCommerce
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/99984fff-94e3-46fb-8241-88fcda556054

myCred <= 2.5 – Cross-Site Request Forgery

Affected Software: myCred – Points, Rewards, Gamification, Ranks, Badges & Loyalty Plugin
CVE ID: CVE-2023-35096
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a3936c4b-2326-41dc-b7d6-a8cf43752ddb

MStore API <= 3.9.6 – Cross-Site Request Forgery to Order Title Update

Affected Software: MStore API
CVE ID: CVE-2023-3199
CVSS Score: 4.3 (Medium)
Researcher/s: Truoc Phan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a604df5d-92b3-4df8-a7ef-00f0ee95cf0f

Constant Contact Forms <= 2.0.2 – Missing Authorization via constant_contact_privacy_ajax_handler

Affected Software: Constant Contact Forms
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b8a26695-4793-418b-9a23-6709fe79ea4f

MStore API <= 3.9.6 – Cross-Site Request Forgery to Order Status Update

Affected Software: MStore API
CVE ID: CVE-2023-3198
CVSS Score: 4.3 (Medium)
Researcher/s: Truoc Phan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c5f30190-4576-4c2b-b069-72501538733b

MStore API <= 3.9.6 – Cross-Site Request Forgery to Order Title Update

Affected Software: MStore API
CVE ID: CVE-2023-3201
CVSS Score: 4.3 (Medium)
Researcher/s: Truoc Phan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cb5cb1a5-30d2-434f-90f9-d37aecfbe158

MStore API <= 3.9.6 – Cross-Site Request Forgery to Firebase Server Key Update

Affected Software: MStore API
CVE ID: CVE-2023-3202
CVSS Score: 4.3 (Medium)
Researcher/s: Truoc Phan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d2b3612e-3c91-469b-98ef-fdb03b0ee9d9

CHP Ads Block Detector <= 3.9.4 – Cross-Site Request Forgery via chp_abd_action

Affected Software: CHP Ads Block Detector
CVE ID: CVE-2023-2352
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e5a9cced-0e5e-4b6e-8291-0a862c9f9523

Galleria <= 1.0.3 – Cross-Site Request Forgery via showOptionsPage

Affected Software: Galleria
CVE ID: CVE-2023-35780
CVSS Score: 4.3 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ea85fa9a-78ea-4017-b72e-49db7eafa11e

Recipe Maker For Your Food Blog from Zip Recipes <= 8.0.7 – Cross-Site Request Forgery

Affected Software: Recipe Maker For Your Food Blog from Zip Recipes
CVE ID: CVE-2023-35089
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ebd1483a-949d-4edb-9b86-007879d2d207

WordPress Contact Forms by Cimatti <= 1.5.7 – Cross-Site Request Forgery via _accua_forms_form_edit_action

Affected Software: WordPress Contact Forms by Cimatti
CVE ID: CVE-2023-2563
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f80a1f13-c1b9-4259-8d96-71a3cbcaf4ca

breadcrumb simple <= 1.3 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: breadcrumb simple
CVE ID: CVE-2023-35092
CVSS Score: 3.3 (Low)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/598e38d7-b5a9-43c1-b908-dab8bbe24115

As a reminder, Wordfence curates an industry-leading vulnerability database, known as Wordfence Intelligence, that covers all known WordPress core, theme, and plugin vulnerabilities.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers: through in-house vulnerability research, through vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring a variety of sources to capture all publicly available WordPress vulnerability information and add additional context where we can.

