Last week, there were 60 vulnerabilities disclosed in 52 WordPress Plugins and no WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 25 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface and vulnerability API are completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
Total Unpatched & Patched Vulnerabilities Last Week
Patch Status
Number of Vulnerabilities
Unpatched
20
Patched
40
Total Vulnerabilities by CVSS Severity Last Week
Severity Rating
Number of Vulnerabilities
Low Severity
1
Medium Severity
53
High Severity
6
Critical Severity
0
Total Vulnerabilities by CWE Type Last Week
Vulnerability Type by CWE
Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
26
Cross-Site Request Forgery (CSRF)
21
Missing Authorization
8
Information Exposure
1
Authorization Bypass Through User-Controlled Key
1
Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’)
1
Unrestricted Upload of File with Dangerous Type
1
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
1
Researchers That Contributed to WordPress Security Last Week
Researcher Name
Number of Vulnerabilities
Erwan LR
5
Marco Wotschka
(Wordfence Vulnerability Reasearcher)
4
Mika
3
Lana Codes
(Wordfence Vulnerability Reasearcher)
3
yuyudhn
3
konagash
2
NeginNrb
2
emad
1
Alex Thomas
(Wordfence Vulnerability Reasearcher)
1
thiennv
1
Chloe Chamberland
(Wordfence Vulnerability Reasearcher)
1
Phd
1
killr00t
1
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
Software Name
Software Slug
ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup
armember-membership
All Bootstrap Blocks
all-bootstrap-blocks
Booking and Rental Manager for Bike | Car | Resort | Appointment | Dress and all Kinds of Equipment
booking-and-rental-manager-for-woocommerce
CF7 Google Sheets Connector
cf7-google-sheets-connector
CF7 Google Sheets Connector Pro
cf7-google-sheets-connector-pro
CHP Ads Block Detector
chp-ads-block-detector
Church Admin
church-admin
Constant Contact Forms
constant-contact-forms
Contact Form by WD – responsive drag & drop contact form builder tool
contact-form-maker
Elementor Forms Google Sheet Connector
gsheetconnector-for-elementor-forms
Elementor Forms Google Sheet Connector Pro
gsheetconnector-for-elementor-forms-pro
Flo Forms – Easy Drag & Drop Form Builder
flo-forms
Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder
form-maker
Forminator – Contact Form, Payment Form & Custom Form Builder
forminator
Galleria
galleria
Google Map Shortcode
google-map-shortcode
Guest posting / Frontend Posting wordpress plugin – WP Front User Submit / Front Editor
front-editor
LWS Cleaner
lws-cleaner
LWS Tools
lws-tools
Login Configurator
login-configurator
MStore API
mstore-api
MasterStudy LMS WordPress Plugin – for Online Courses and Education
masterstudy-lms-learning-management-system
ND Shortcodes
nd-shortcodes
Ninja Forms Google Sheet Connector
gsheetconnector-ninja-forms
Ninja Forms Google Sheet Connector Pro
gsheetconnector-ninja-forms-pro
Password Protected
password-protected
Protect WP Admin
protect-wp-admin
Recent Posts Slider
recent-posts-slider
Recipe Maker For Your Food Blog from Zip Recipes
zip-recipes
Securimage-WP
securimage-wp
Seed Fonts
seed-fonts
Sermon’e – Sermons Online
UNKNOWN-CVE-2023-35776-1
Stock Manager for WooCommerce
woocommerce-stock-manager
Template Debugger
quick-edit-template-link
Tutor LMS – eLearning and online course solution
tutor
Unlimited Elements For Elementor (Free Widgets, Addons, Templates)
unlimited-elements-for-elementor
WP Affiliate Links
wp-affiliate-links
WP Backup Manager
wp-backup-manager
WP Directory Kit
wpdirectorykit
WP Matterport Shortcode
shortcode-gallery-for-matterport-showcase
WP PDF Generator
wp-pdf-generator
WPForms Google Sheet Connector
gsheetconnector-wpforms
WPForms Google Sheet Connector Pro
gsheetconnector-wpforms-pro
Who Hit The Page – Hit Counter
who-hit-the-page-hit-counter
WooCommerce Stripe Payment Gateway
woocommerce-gateway-stripe
WordPress Contact Forms by Cimatti
contact-forms
WordPress NextGen GalleryView
wordpress-nextgen-galleryview
YaySMTP – Simple WP SMTP Mail
yaysmtp
Zephyr Project Manager
zephyr-project-manager
breadcrumb simple
breadcrumb-simple
myCred – Points, Rewards, Gamification, Ranks, Badges & Loyalty Plugin
mycred
胖鼠采集(Fat Rat Collect) 微信知乎简书腾讯新闻列表分页采集, 还有自动采集、自动发布、自动标签、等多项功能。开源插件
fat-rat-collect
Vulnerability Details
Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities.
Unlimited Elements For Elementor (Free Widgets, Addons, Templates) <= 1.5.66 – Authenticated (Contributor+) Arbitrary File Upload
CVE ID: CVE-2023-3295
CVSS Score: 8.8 (High)
Researcher/s: Chloe Chamberland, Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ce1ac711-6026-49ef-b66b-2cc199697942
Tutor LMS <= 2.2.0 – Missing Authorization via REST API
CVE ID: CVE-2023-3133
CVSS Score: 7.5 (High)
Researcher/s: A. S. M. Muhiminul Hasan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1d6c9765-6936-4b22-835e-e899f62c14c9
WooCommerce Stripe Payment Gateway <= 7.4.0 – Unauthenticated Insecure Direct Object Reference to Sensitive Information Disclosure
CVE ID: CVE-2023-34000
CVSS Score: 7.5 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/70971072-d743-466b-affe-d7f79d5712aa
Ninja Forms Google Sheet Connector <= 1.2.6 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-2333
CVSS Score: 7.2 (High)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/559a92e0-609e-415f-aab3-649a185eb431
YaySMTP <= 2.4.5 – Unauthenticated Stored Cross-Site Scripting via Email
CVE ID: CVE-2023-3093
CVSS Score: 7.2 (High)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/68e6ec3a-c5fd-4f63-a9a0-2c9ddfb96e2e
Who Hit The Page – Hit Counter <= 1.4.14.3 – Unauthenticated Cross-Site Scripting
CVE ID: CVE-2023-25466
CVSS Score: 7.2 (High)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/714d7811-0425-4833-a7b2-a408799181e4
Contact Form Maker <= 1.13.23 – Authenticated (Administrator+) SQL Injection
CVE ID: CVE-2023-2655
CVSS Score: 6.6 (Medium)
Researcher/s: killr00t
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fb56c071-d7b9-40e0-8cc5-2dd48c93b8cf
All Bootstrap Blocks <= 1.3.6 – Cross-Site Request Forgery to Plugin Settings Reset
CVE ID: CVE-2023-35047
CVSS Score: 6.5 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4a7a15ab-4f13-4eb1-aeb5-143230308871
WP Directory Kit <= 1.2.3 – Missing Authorization to Plugin Settings Change/Delete, Demo Import, Directory Kit Deletion via wdk_admin_action
CVE ID: CVE-2023-2351
CVSS Score: 6.5 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/50c5154c-1573-4c2b-85a1-a89bdb22dc7d
MStore API <= 3.9.5 – Missing Authorization
CVE ID: CVE Unknown
CVSS Score: 6.5 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7a747542-0601-4fa5-a97c-c72d1347013b
Sermon’e <= 1.0.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-35776
CVSS Score: 6.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/08b5f399-018c-4e0b-aefc-55463d4ac48d
MasterStudy LMS <= 3.0.7 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-35090
CVSS Score: 6.4 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/174e2bf3-2531-4a53-ade6-3df7e976ed29
ND Shortcodes <= 6.9 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2022-4623
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5d92687e-cdf2-4dd2-b984-eaf9f0a56625
WP Matterport Shortcode <= 2.1.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-35094
CVSS Score: 6.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7b76ce38-d9ee-4998-ba3b-9f21158ce18a
ND Shortcodes <= 6.9 – Authenticated (Subscriber+) Local File Inclusion
CVE ID: CVE-2023-1273
CVSS Score: 6.4 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9b9bd42f-cb24-483a-ae91-add4378067d9
Front User Submit | Front Editor <= 3.7.0 – Authenticated (Subscriber+) Stored Cross-Site Scripting
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f34722fb-e852-4194-b839-7d885d212fc9
NextGen GalleryView <= 0.5.5 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-35098
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/043ed446-3af3-4d90-8da7-b1fe73e06bba
CF7 Google Sheets Connector <= 5.0.1 – Reflected Cross-Site Scripting via ‘code’
CVE ID: CVE-2023-2320
CVSS Score: 6.1 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1c6b2c4b-5ea5-471d-9114-d2b469b6c59b
Elementor Forms Google Sheet Connector <= 1.0.6 – Reflected Cross-Site Scripting via ‘code’
CVE ID: CVE-2023-2324
CVSS Score: 6.1 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3ac577f4-2e61-4b72-881e-6fbbfd268f7b
WP Backup Manager <= 1.13.1 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-35775
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5ee3416b-d6df-4f8b-834b-4e78516c00ba
WPForms Google Sheet Connector <= 3.4.5 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-2321
CVSS Score: 6.1 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/75067f95-48b6-4c1d-8d8b-2601185b1f81
Recent Posts Slider <= 1.1 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-35043
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8bbc6aa7-0625-4689-8afe-d7399009ee53
WP Affiliate Links <= 0.1.1 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-35097
CVSS Score: 6.1 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ba4638be-29d3-4638-84d3-6a9d540bfa33
Google Map Shortcode <= 3.1.2 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-35772
CVSS Score: 6.1 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cbd4983f-bf92-45c3-95a6-6f5e39bca228
Church Admin <= 3.7.29 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-34021
CVSS Score: 6.1 (Medium)
Researcher/s: Phd
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e85efdc1-cffc-411a-a2f7-6fa1132e2910
LWS Tools <= 2.4.1 – Cross-Site Request Forgery
CVE ID: CVE-2023-35774
CVSS Score: 5.4 (Medium)
Researcher/s: konagash
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/315dbb77-d872-4cc4-bb4c-9d4763a6ff8f
LWS Cleaner <= 2.3.0 – Cross-Site Request Forgery
CVE ID: CVE-2023-35781
CVSS Score: 5.4 (Medium)
Researcher/s: konagash
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b89c51fe-c056-4d85-a6e3-6678ed93b9d8
Fat Rat Collect <= 2.6.1 – Missing Authorization
CVE ID: CVE-2023-35045
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/279cebb5-4be4-485a-92c7-e0bcc961f93e
Protect WP Admin <= 3.8 – Unauthenticated Information Disclosure to Protection Bypass
CVE ID: CVE-2023-3139
CVSS Score: 5.3 (Medium)
Researcher/s: Daniel Ruf
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7012b34d-8d65-4575-9965-417739206b5f
Forminator <= 1.23.3 – Race Condition to Multiple Poll Voting
CVE ID: CVE-2023-2010
CVSS Score: 5.3 (Medium)
Researcher/s: Amirmohammad vakili
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a40cb2da-dc13-4e20-9602-a4e6c2eade43
CHP Ads Block Detector <= 3.9.4 – Authenticated (Subscriber+) Stored Cross-Site Scripting
CVE ID: CVE-2023-2354
CVSS Score: 4.9 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6f8514c9-0e11-4e26-ba0b-1d08a990b56c
Seed Fonts 2.3.1 – Authenticated(Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-35779
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/57953bab-7430-4841-b073-7db7964e6a65
ARMember <= 4.0.2 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-33323
CVSS Score: 4.4 (Medium)
Researcher/s: emad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/668d4bd3-adde-4347-9169-67c3c96e1743
Booking and Rental Manager <= 1.2.1 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-35048
CVSS Score: 4.4 (Medium)
Researcher/s: NeginNrb
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6e7c629f-e9c6-4254-ba37-46de5206d77d
Login Configurator <= 2.1 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-34369
CVSS Score: 4.4 (Medium)
Researcher/s: NeginNrb
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/74d3606f-bd62-4844-ac17-8e47feddab92
Password Protected <= 2.6.2 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-32580
CVSS Score: 4.4 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/79c296b1-e385-404d-96c0-a98f10b89f08
Flo Forms <= 1.0.40 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-35095
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bdd35d61-0777-4e64-8a51-55fe928e75ba
Recent Posts Slider <= 1.1 – Cross-Site Request Forgery
CVE ID: CVE-2023-35778
CVSS Score: 4.3 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0cf9c390-81d7-45d4-a6df-22b16235d11b
MStore API <= 3.9.6 – Cross-Site Request Forgery to Product Limit Update
CVE ID: CVE-2023-3203
CVSS Score: 4.3 (Medium)
Researcher/s: Truoc Phan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1aed51a2-9fd4-43bb-b72d-ae8e51ee6e87
Zephyr Project Manager <= 3.3.93 – Cross-Site Request Forgery
CVE ID: CVE-2023-34373
CVSS Score: 4.3 (Medium)
Researcher/s: Theodoros Malachias
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/236387f0-b58e-4ef1-b370-a0703a7902eb
WP PDF Generator <= 1.2.2 – Cross-Site Request Forgery to PDF Settings Update
CVE ID: CVE-2023-35038
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/28a4c868-a24d-4fd8-ae0e-d5c0bf3a7436
Securimage-WP <= 3.6.16 – Cross-Site Request Forgery
CVE ID: CVE-2023-35044
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/36f41de5-50d5-47ca-bbd0-eca3b756a0cd
MasterStudy LMS <= 3.0.7 – Missing Authorization to Course Category Creation
CVE ID: CVE-2023-35093
CVSS Score: 4.3 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/417ae2f2-e245-49bb-8b77-0eabf6095459
CHP Ads Block Detector <= 3.9.4 – Missing Authorization to Plugin Settings Update
CVE ID: CVE-2023-2353
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4eca64d7-6e33-4b8e-af37-a3e8bbf2b76f
Zip Recipes <= 8.0.7 – Cross-Site Request Forgery
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/727a0649-082f-46d0-8d6f-de53ee7fb18e
MStore API <= 3.9.6 – Cross-Site Request Forgery to Order Message Update
CVE ID: CVE-2023-3200
CVSS Score: 4.3 (Medium)
Researcher/s: Truoc Phan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/78f3c503-e255-44d2-8432-48dc2c5f553d
Form Maker <= 1.15.16 – Missing Authorization in check_score
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7f0eac1e-4988-4b73-bf13-c959b0dc11e2
Template Debugger <= 3.1.2 – Cross-Site Request Forgery
CVE ID: CVE-2023-35773
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8da0fed9-4b88-4b68-b317-124fe678cfa4
Stock Manager for WooCommerce <= 2.10.0 – Cross-Site Request Forgery
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/99984fff-94e3-46fb-8241-88fcda556054
myCred <= 2.5 – Cross-Site Request Forgery
CVE ID: CVE-2023-35096
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a3936c4b-2326-41dc-b7d6-a8cf43752ddb
MStore API <= 3.9.6 – Cross-Site Request Forgery to Order Title Update
CVE ID: CVE-2023-3199
CVSS Score: 4.3 (Medium)
Researcher/s: Truoc Phan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a604df5d-92b3-4df8-a7ef-00f0ee95cf0f
Constant Contact Forms <= 2.0.2 – Missing Authorization via constant_contact_privacy_ajax_handler
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b8a26695-4793-418b-9a23-6709fe79ea4f
MStore API <= 3.9.6 – Cross-Site Request Forgery to Order Status Update
CVE ID: CVE-2023-3198
CVSS Score: 4.3 (Medium)
Researcher/s: Truoc Phan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c5f30190-4576-4c2b-b069-72501538733b
MStore API <= 3.9.6 – Cross-Site Request Forgery to Order Title Update
CVE ID: CVE-2023-3201
CVSS Score: 4.3 (Medium)
Researcher/s: Truoc Phan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cb5cb1a5-30d2-434f-90f9-d37aecfbe158
MStore API <= 3.9.6 – Cross-Site Request Forgery to Firebase Server Key Update
CVE ID: CVE-2023-3202
CVSS Score: 4.3 (Medium)
Researcher/s: Truoc Phan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d2b3612e-3c91-469b-98ef-fdb03b0ee9d9
CHP Ads Block Detector <= 3.9.4 – Cross-Site Request Forgery via chp_abd_action
CVE ID: CVE-2023-2352
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e5a9cced-0e5e-4b6e-8291-0a862c9f9523
Galleria <= 1.0.3 – Cross-Site Request Forgery via showOptionsPage
CVE ID: CVE-2023-35780
CVSS Score: 4.3 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ea85fa9a-78ea-4017-b72e-49db7eafa11e
Recipe Maker For Your Food Blog from Zip Recipes <= 8.0.7 – Cross-Site Request Forgery
CVE ID: CVE-2023-35089
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ebd1483a-949d-4edb-9b86-007879d2d207
WordPress Contact Forms by Cimatti <= 1.5.7 – Cross-Site Request Forgery via _accua_forms_form_edit_action
CVE ID: CVE-2023-2563
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f80a1f13-c1b9-4259-8d96-71a3cbcaf4ca
breadcrumb simple <= 1.3 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-35092
CVSS Score: 3.3 (Low)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/598e38d7-b5a9-43c1-b908-dab8bbe24115
As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.
This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
The post Wordfence Intelligence Weekly WordPress Vulnerability Report (June 12, 2023 to June 18, 2023) appeared first on Wordfence.
