Wordfence Intelligence Weekly WordPress Vulnerability Report (June 26, 2023 to July 2, 2023)

Last week, there were 66 vulnerabilities disclosed in 56 WordPress Plugins and 1 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 34 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface and vulnerability API are completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

Ultimate Member <= 2.6.6 – Privilege Escalation via Arbitrary User Meta Updates
WP Post Author <= 3.3.0 – Privilege Escalation

 

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status
Number of Vulnerabilities

Unpatched
26

Patched
40

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating
Number of Vulnerabilities

Low Severity
0

Medium Severity
52

High Severity
9

Critical Severity
5

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE
Number of Vulnerabilities

Cross-Site Request Forgery (CSRF)
22

Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
17

Missing Authorization
8

Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
4

Authorization Bypass Through User-Controlled Key
3

Authentication Bypass Using an Alternate Path or Channel
2

Information Exposure
2

Server-Side Request Forgery (SSRF)
2

Improper Neutralization of Formula Elements in a CSV File
2

Improper Privilege Management
1

Incorrect Privilege Assignment
1

Use of Hard-coded Cryptographic Key
1

Improper Neutralization of Special Elements used in an LDAP Query (‘LDAP Injection’)
1

Researchers That Contributed to WordPress Security Last Week

Researcher Name
Number of Vulnerabilities

Lana Codes
(Wordfence Vulnerability Researcher)
6

Cat
5

Erwan LR
4

Rafie Muhammad
4

Rafshanzani Suhada
3

Dave Jong
2

Marco Wotschka
(Wordfence Vulnerability Researcher)
2

Dipak Panchal
1

NeginNrb
1

emad
1

Ravi Dharmawan
1

Justiice
1

Marc-Alexandre Montpas
1

Lukas Kinneberg
1

Kenichiro Ito
1

coogee86
1

Muhammad Daffa
1

Mika
1

Elliot
1

Chris Shultz
1

Le Ngoc Anh
1

Hoang Van Hiep
1

FearZzZz
1

Felipe Restrepo Rodriguez
1

Edison Poveda
1

yuyudhn
1

Etan Imanol Castro Aldrete
1

Abdi Pranata
1

qilin_99
1

Taurus Omar
1

Luca Greeb
1

Andreas Krüger
1

Abu Hurayra
1

Rafael B.
1

 

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name
Software Slug

AN_GradeBook
an-gradebook

ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup
armember-membership

Active Directory Integration / LDAP Integration
ldap-login-for-intranet-sites

ApplyOnline – Application Form Builder and Manager
apply-online

Autochat Automatic Conversation
auyautochat-for-wp

AutomateWoo
automatewoo

Booked – Appointment Booking for WordPress
booked

Caldera Forms Google Sheets Connector
gsheetconnector-caldera-forms

Catalyst Connect Zoho CRM Client Portal
catalyst-connect-client-portal

Duplicate Post Page Menu & Custom Post Type
duplicate-post-page-menu-custom-post-type

Easy Accordion FAQ and Knowledge Base Software for WordPress
knowledge-center

Editorial Calendar
editorial-calendar

Email download link
email-download-link

EmbedPress – Embed PDF, YouTube, Google Docs, Vimeo, Wistia Videos, Audios, Maps & Any Documents in Gutenberg & Elementor
embedpress

Enhanced Text Widget
enhanced-text-widget

Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button – Chaty
chaty

Form Builder | Create Responsive Contact Forms
contact-form-add

Guest posting / Frontend Posting wordpress plugin – WP Front User Submit / Front Editor
front-editor

Image Map Pro – Drag-and-drop Builder for Interactive Images – Lite
image-map-pro-lite

Image Regenerate & Select Crop
image-regenerate-select-crop

Layer Slider
slider-slideshow

LearnDash LMS
sfwd-lms

LiquidPoll – Advanced Polls for Creators and Brands
wp-poll

Login Configurator
login-configurator

Login/Signup Popup ( Inline Form + Woocommerce )
easy-login-woocommerce

My Content Management
my-content-management

NEX-Forms – Ultimate Form Builder – Contact forms and much more
nex-forms-express-wp-form-builder

NOO Timetable
noo-timetable

POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress
post-smtp

Poll Maker – Best WordPress Poll Plugin
poll-maker

Post Hit Counter
post-hit-counter

Post to CSV by BestWebSoft
post-to-csv

Quiz Expert – Easy Quiz Maker, Exam and Test Manager
quiz-expert

Request a Quote
request-a-quote

SP Project & Document Manager
sp-client-document-manager

SW Product Bundles
sw-product-bundles

Salon booking system
salon-booking-system

Short URL
shorten-url

Subscribe2 – Form, Email Subscribers & Newsletters
subscribe2

TrustProfile and reviews for WordPress
trustprofile

Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
ultimate-member

WP Abstracts
wp-abstracts-manuscripts-manager

WP Job Board
wpjobboard

WP Post Author – The Ideal Author Box for WordPress Posts, Co-Authors and Guest Authors with Author Login and Registration Form Builder
wp-post-author

WP Social AutoConnect
wp-fb-autoconnect

WPFactory Helper
wpcodefactory-helper

WPGraphQL
wp-graphql

Waitlist Woocommerce ( Back in stock notifier )
waitlist-woocommerce

Web3 – Crypto wallet Login & NFT token gating
web3-authentication

WebwinkelKeur: Webshop keurmerk & reviews for WordPress
webwinkelkeur

WooCommerce Google Sheet Connector
wc-gsheetconnector

WooCommerce Pre-Orders
woocommerce-pre-orders

WooCommerce Ship to Multiple Addresses
woocommerce-shipping-multiple-addresses

Woocommerce Order Barcodes
woocommerce-order-barcodes

WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn)
miniorange-login-openid

houzez-crm
houzez-crm

WordPress Themes with Reported Vulnerabilities Last Week

Software Name
Software Slug

The7 — Website and eCommerce Builder for WordPress
dt-the7

Vulnerability Details

WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) <= 7.6.4 – Authentication Bypass

Affected Software: WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn)
CVE ID: CVE-2023-2982
CVSS Score: 9.8 (Critical)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/08ca186a-2486-4a58-9c53-03e9eba13e66

WP Post Author <= 3.2.3 – Privilege Escalation

Ultimate Member <= 2.6.6 – Privilege Escalation via Arbitrary User Meta Updates

WPJobBoard <= 5.9.0 – Unauthenticated SQL Injection

Affected Software: WP Job Board
CVE ID: CVE-2023-36525
CVSS Score: 9.8 (Critical)
Researcher/s: FearZzZz
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8cd1d385-001c-4c84-9a80-553315336a63

Web3 – Crypto wallet Login & NFT token gating <= 2.6.0 – Authentication Bypass

Affected Software: Web3 – Crypto wallet Login & NFT token gating
CVE ID: CVE-2023-3249
CVSS Score: 9.8 (Critical)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e30b62de-7280-4c29-b882-dfa83e65966b

LearnDash LMS <= 4.6.0 – Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary User Password Change

Affected Software: LearnDash LMS
CVE ID: CVE-2023-3105
CVSS Score: 8.8 (High)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2318b3e1-268d-45fa-83bf-c6e88f1b9013

Houzez CRM <= 1.3.3 – Authenticated (Subscriber+) SQL Injection

Affected Software: houzez-crm
CVE ID: CVE-2023-36529
CVSS Score: 8.8 (High)
Researcher/s: Dave Jong
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/54c14f04-32ec-4d05-b47b-3ff5e70c4daf

AN_GradeBook <= 5.0.1 – Authenticated (Subscriber+) SQL Injection

Affected Software: AN_GradeBook
CVE ID: CVE-2023-2636
CVSS Score: 8.8 (High)
Researcher/s: Lukas Kinneberg
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/60d59753-5b6b-4f3e-8faf-8053750ae05d

SP Project & Document Manager <= 4.67 – Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary User Password Change

Affected Software: SP Project & Document Manager
CVE ID: CVE-2023-3063
CVSS Score: 8.8 (High)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6dc2e720-85d9-42d9-94ef-eb172425993d

Short URL <= 1.6.4 – Authenticated (Subscriber+) SQL Injection

Affected Software: Short URL
CVE ID: CVE-2022-46860
CVSS Score: 8.8 (High)
Researcher/s: Le Ngoc Anh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/86908097-a5b2-427a-85c9-fbe29b519883

Form Builder <= 1.9.9.0 – Unauthenticated CSV Injection

Affected Software: Form Builder | Create Responsive Contact Forms
CVE ID: CVE-2023-23796
CVSS Score: 8.3 (High)
Researcher/s: Rafshanzani Suhada
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/432807d0-64d8-49b1-a4ab-33aa8fbc5189

Active Directory Integration / LDAP Integration <= 4.1.5 – Authenticated (Subscrber+) LDAP Injection

Affected Software: Active Directory Integration / LDAP Integration
CVE ID: CVE-2023-3447
CVSS Score: 7.6 (High)
Researcher/s: Luca Greeb, Andreas Krüger
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cd7553e8-e43d-4740-b2ee-e3d8dc351e53

Post to CSV by BestWebSoft <= 1.4.0 – Authenticated (Author+) CSV Injection

Affected Software: Post to CSV by BestWebSoft
CVE ID: CVE-2023-36527
CVSS Score: 7.4 (High)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/74f0af24-e4d9-4b89-b91e-c6ec3e3918e7

Autochat Automatic Conversation <= 1.1.7 – Unauthenticated Stored Cross-Site Scripting

Affected Software: Autochat Automatic Conversation
CVE ID: CVE-2023-3041
CVSS Score: 7.2 (High)
Researcher/s: Rafael B.
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e9ad533d-4ec0-42a0-99fc-75fc59498c94

Email download link <= 3.7 – Unauthenticated Sensitive Information Exposure

Affected Software: Email download link
CVE ID: CVE-2023-36523
CVSS Score: 6.5 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/29d6df4e-eaf6-42ec-8cd9-7cf86908f4ef

POST SMTP Mailer <= 2.5.6 – Cross-Site Request Forgery to Account Compromise

Booked <= 2.4 – Unauthenticated Sensitive Information Exposure

Affected Software: Booked – Appointment Booking for WordPress
CVE ID: CVE-2022-36399
CVSS Score: 6.5 (Medium)
Researcher/s: coogee86
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6f917973-e207-4ba3-b61b-e562e884fe0f

Image Regenerate & Select Crop <= 7.1.0 – Missing Authorization on multiple AJAX actions

Affected Software: Image Regenerate & Select Crop
CVE ID: CVE Unknown
CVSS Score: 6.5 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b0eb165f-c979-4318-8362-ca47500ed845

AutomateWoo <= 5.7.5 – Missing Authorization

Affected Software: AutomateWoo
CVE ID: CVE-2023-36512
CVSS Score: 6.5 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cb51383f-03c8-4e81-bfed-40fd9f5c4d20

Image Regenerate & Select Crop <= 7.1.0 – Cross-Site Request Forgery on multiple AJAX actions

Affected Software: Image Regenerate & Select Crop
CVE ID: CVE Unknown
CVSS Score: 6.5 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e8596412-53d5-45ed-998a-49799bd269d0

Front User Submit | Front Editor <= 3.8.4 – Authenticated (Subscriber+) Stored Cross-Site Scripting

Affected Software: Guest posting / Frontend Posting wordpress plugin – WP Front User Submit / Front Editor
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5bc03b4a-f7ec-4827-b914-0560b9268b6f

NOO Timetable <= 2.1.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: NOO Timetable
CVE ID: CVE-2022-45821
CVSS Score: 6.4 (Medium)
Researcher/s: Cat
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5fab1ae8-2aa4-452a-a594-64088c92b5c3

Image Map Pro – Drag-and-drop Builder for Interactive Images – Lite <= 1.0.0 – Missing Authorization to Stored Cross-Site Scripting

Affected Software: Image Map Pro – Drag-and-drop Builder for Interactive Images – Lite
CVE ID: CVE-2023-3412
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b58403df-af09-4d74-88e6-140e3f2f291b

Layer Slider <= 1.1.9.7 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Layer Slider
CVE ID: CVE-2023-23798
CVSS Score: 6.4 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f5ac3714-27f1-4258-a1ab-12b969b31793

Image Map Pro – Drag-and-drop Builder for Interactive Images – Lite <= 1.0.0 – Cross-Site Request Forgery to Stored Cross-Site Scripting

Affected Software: Image Map Pro – Drag-and-drop Builder for Interactive Images – Lite
CVE ID: CVE-2023-3411
CVSS Score: 6.1 (Medium)
Researcher/s: Kenichiro Ito
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/63e108f4-5d9d-4bcf-aef9-aa856f4241ea

WPFactory Helper <= 1.5.2 – Reflected Cross-Site Scripting via item_slug

Affected Software: WPFactory Helper
CVE ID: CVE Unknown
CVSS Score: 6.1 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7c77259a-cdf3-4fa0-b468-9e98645293fe

WooCommerce Pre-Orders <= 2.0.1 – Reflected Cross-Site Scripting

Affected Software: WooCommerce Pre-Orders
CVE ID: CVE Unknown
CVSS Score: 6.1 (Medium)
Researcher/s: Chris Shultz
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7f73d0a6-2eae-4d85-96ce-db5902bd6e3a

Login Configurator <= 2.1 – Reflected Cross-Site Scripting

Affected Software: Login Configurator
CVE ID: CVE-2023-1893
CVSS Score: 6.1 (Medium)
Researcher/s: Taurus Omar
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cb148264-c75e-4e73-95d7-3a06cdd8990e

WPGraphQL <= 1.14.5 – Authenticated (Editor+) Server-Side Request Forgery

Affected Software: WPGraphQL
CVE ID: CVE-2023-23684
CVSS Score: 5.5 (Medium)
Researcher/s: Ravi Dharmawan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/38efd6d6-b931-41a7-b55d-b98cdeef4145

Waitlist Woocommerce ( Back in stock notifier ) <= 2.5.2 – Cross-Site Request Forgery via reset_settings

Affected Software: Waitlist Woocommerce ( Back in stock notifier )
CVE ID: CVE Unknown
CVSS Score: 5.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/69cc2fd1-b576-49f6-8afc-54f00058de8c

Editorial Calendar <= 3.7.12 – Authenticated (Contributor+) Insecure Direct Object Reference

Affected Software: Editorial Calendar
CVE ID: CVE-2023-36520
CVSS Score: 5.4 (Medium)
Researcher/s: Elliot
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7f01ad95-7a51-408c-917f-4350dbeabb2b

Salon Booking System <= 8.4.6 – Cross-Site Request Forgery to Admin Role Change to Customer, User Meta Update via save_customer

Affected Software: Salon booking system
CVE ID: CVE-2023-3427
CVSS Score: 5.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/93875f19-d9b9-4e33-bba9-afc75cf26bf2

EmbedPress <= 3.7.3 – Sensitive Information Exposure

NEX-Forms – Ultimate Form Builder <= 8.4.3 – Authenticated Stored Cross-Site Scripting via Form Name

Poll Maker <= 4.6.2 – Authenticated (Admin+) Server-Side Request Forgery

Affected Software: Poll Maker – Best WordPress Poll Plugin
CVE ID: CVE-2023-34013
CVSS Score: 4.7 (Medium)
Researcher/s: Abu Hurayra
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e55ba61d-6fd0-4269-8ee9-3b8645d52e1d

Floating Chat Widget – Chaty <= 3.1.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

SP Project & Document Manager <= 4.67 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

Affected Software: SP Project & Document Manager
CVE ID: CVE-2023-36530
CVSS Score: 4.4 (Medium)
Researcher/s: emad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/37eb77ed-0b2e-46ea-806d-8041742eab5d

Knowledge Center <= 2.7 – Authenticated (Admin+) Cross-Site Scripting

Affected Software: Easy Accordion FAQ and Knowledge Base Software for WordPress
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6309c706-f84a-4997-9a9b-1bd8cf8f711a

Catalyst Connect Zoho CRM Client Portal <= 2.0.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Catalyst Connect Zoho CRM Client Portal
CVE ID: CVE-2022-44629
CVSS Score: 4.4 (Medium)
Researcher/s: Hoang Van Hiep
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/88cea535-1042-4011-aee9-684d7661e193

My Content Management <= 1.7.6 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: My Content Management
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9fc18fee-5813-4134-8c4d-44710665857a

ApplyOnline – Application Form Builder and Manager <= 2.5 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: ApplyOnline – Application Form Builder and Manager
CVE ID: CVE-2023-24391
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a5dbcc22-ab2e-4114-a7d7-bac01a5c5b3f

Short URL <= 1.6.4 – Authenticated(Admin+) Stored Cross-Site Scripting

Affected Software: Short URL
CVE ID: CVE-2023-1602
CVSS Score: 4.4 (Medium)
Researcher/s: Etan Imanol Castro Aldrete
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a5f29f35-da79-4389-a0a5-a1be0b0b8996

ARMember <= 4.0.4 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup
CVE ID: CVE-2022-47421
CVSS Score: 4.4 (Medium)
Researcher/s: Cat
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fa2ed43b-cd8f-4d09-8576-d215c835a684

NOO Timetable <= 2.1.3 – Cross-Site Request Forgery

Affected Software: NOO Timetable
CVE ID: CVE-2022-45828
CVSS Score: 4.3 (Medium)
Researcher/s: Cat
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/13046019-f390-48ae-bf08-53293c41f178

Waitlist Woocommerce ( Back in stock notifier ) <= 2.5.2 – Cross-Site Request Forgery to Settings Reset

Affected Software: Waitlist Woocommerce ( Back in stock notifier )
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/20910787-b99d-475e-acc9-cc2bb669aa56

TrustProfile <= 3.24 – Cross-Site Request Forgery

Affected Software: TrustProfile and reviews for WordPress
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/296f15eb-0782-4351-a2c5-c8ef6f005352

Quiz Expert – Easy Quiz Maker, Exam and Test Manager <= 1.5.0 – Cross-Site Request Forgery

Affected Software: Quiz Expert – Easy Quiz Maker, Exam and Test Manager
CVE ID: CVE-2023-36522
CVSS Score: 4.3 (Medium)
Researcher/s: NeginNrb
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/32ee3eb8-18b7-47da-b4f9-cb252ffabc71

Login/Signup Popup <= 2.3 – Cross-Site Request Forgery to Settings Reset

Affected Software: Login/Signup Popup ( Inline Form + Woocommerce )
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3fa62b8f-1c2f-4bc9-9f2a-8b9765c2d30d

Post Hit Counter <= 1.3.2 – Missing Authorization

Affected Software: Post Hit Counter
CVE ID: CVE-2023-36518
CVSS Score: 4.3 (Medium)
Researcher/s: Cat
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4049f8fb-ad81-4f09-97b3-39ac6a9275d6

Duplicate Post Page Menu & Custom Post Type <= 2.3.1 – Missing Authorization

Affected Software: Duplicate Post Page Menu & Custom Post Type
CVE ID: CVE-2023-36526
CVSS Score: 4.3 (Medium)
Researcher/s: Justiice
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/44e84fd9-bc83-4780-ab7a-8898a8c5c78a

The7 <= 11.6.0 – Cross-Site Request Forgery

Affected Software: The7 — Website and eCommerce Builder for WordPress
CVE ID: CVE-2023-32123
CVSS Score: 4.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4f481478-5dc9-4b11-ba3e-1942882a9f43

WP Social AutoConnect <= 4.6.1 – Cross-Site Request Forgery via jfb_admin_page

Affected Software: WP Social AutoConnect
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/50f69182-66c0-4d3a-aabe-015b72937f3e

Enhanced Text Widget <= 1.5.7 – Missing Authorization

Affected Software: Enhanced Text Widget
CVE ID: CVE-2023-23823
CVSS Score: 4.3 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7487f72c-9852-4651-a848-239d4882bbf8

Subscribe2 <= 10.40 – Cross-Site Request Forgery

Affected Software: Subscribe2 – Form, Email Subscribers & Newsletters
CVE ID: CVE-2023-3407
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/92b4d800-2895-4f7b-8b3b-ee6df75a7908

Request a Quote <= 2.3.10 – Cross-Site Request Forgery

Affected Software: Request a Quote
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9854d09a-2fab-46e6-9fc1-ff6d68df2662

WebwinkelKeur <= 3.24 – Cross-Site Request Forgery

Affected Software: WebwinkelKeur: Webshop keurmerk & reviews for WordPress
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a077e95f-7912-4b94-89f3-54f37adfcd8e

AutomateWoo <= 5.7.5 – Cross-Site Request Forgery

Affected Software: AutomateWoo
CVE ID: CVE-2023-36513
CVSS Score: 4.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a33c8a80-e11e-403d-9eb0-e1c5b59204b0

LiquidPoll – Advanced Polls for Creators and Brands <= 3.3.68 – Missing Authorization via activate_addon

Affected Software: LiquidPoll – Advanced Polls for Creators and Brands
CVE ID: CVE-2023-36531
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/aa154536-9f9f-48c3-96c7-4091991e4f6c

SW Product Bundles <= 2.0.15 – Missing Authorization

Affected Software: SW Product Bundles
CVE ID: CVE-2023-36519
CVSS Score: 4.3 (Medium)
Researcher/s: Cat
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b0ceff94-e312-41da-acec-15d550aba792

POST SMTP Mailer <= 2.5.6 – Cross-Site Request Forgery to Arbitrary Log Deletion

Caldera Forms Google Sheets Connector <= 1.2 – Cross-Site Request Forgery

Affected Software: Caldera Forms Google Sheets Connector
CVE ID: CVE-2023-2330
CVSS Score: 4.3 (Medium)
Researcher/s: Erwan LR
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b5ec03e9-06bb-4677-b480-4ebdb33acd08

WooCommerce Ship to Multiple Addresses <= 3.8.5 – Cross-Site Request Forgery

Affected Software: WooCommerce Ship to Multiple Addresses
CVE ID: CVE-2023-36514
CVSS Score: 4.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bda44801-6599-459d-a70c-164f563bf158

Subscribe2 <= 10.40 – Missing Authorization

Affected Software: Subscribe2 – Form, Email Subscribers & Newsletters
CVE ID: CVE-2023-1844
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c34ce601-5cf9-433f-bc9d-5c705eba6b08

WP Abstracts <= 2.6.2 – Cross-Site Request Forgery

Affected Software: WP Abstracts
CVE ID: CVE-2023-36517
CVSS Score: 4.3 (Medium)
Researcher/s: qilin_99
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c5b74908-65ed-4b6f-856f-e95cfd64f998

WooCommerce Order Barcodes <= 1.6.4 – Cross-Site Request Forgery

Affected Software: Woocommerce Order Barcodes
CVE ID: CVE-2023-36511
CVSS Score: 4.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cefa38d0-7da1-48dd-98d7-fe2f36e19d7c

WooCommerce Google Sheet Connector <= 1.3.4 – Cross-Site Request Forgery

Affected Software: WooCommerce Google Sheet Connector
CVE ID: CVE-2023-2329
CVSS Score: 4.3 (Medium)
Researcher/s: Erwan LR
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e30e64e7-5de9-4eb3-914f-457daa6f3fe5

As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (June 26, 2023 to July 2, 2023) appeared first on Wordfence.

Leave a Comment