Wordfence Intelligence Weekly WordPress Vulnerability Report (July 3, 2023 to July 9, 2023)

Last week, there were 61 vulnerabilities disclosed in 54 WordPress plugins and 1 WordPress theme that have been added to the Wordfence Intelligence Vulnerability Database, and 28 vulnerability researchers contributed to WordPress security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, including the WordPress community, so individuals and organizations alike can use that data to make the internet more secure. That is why the Wordfence Intelligence user interface and vulnerability API are completely free to access and use, both personally and commercially, and why we are running this weekly vulnerability report.

Click here to sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress security reports in your inbox the moment they are published.

New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

Booking Package <= 1.5.98 – Authorization Bypass to Arbitrary Password Reset
Atarim – Client Interface <= 3.9.1 – Missing Authorization via AJAX actions
HT Mega – Absolute Addons for Elementor <= 2.2.0 – Missing Authorization to Privilege Escalation

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30-day delay.

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status | Number of Vulnerabilities
Unpatched | 29
Patched | 32

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating | Number of Vulnerabilities
Low Severity | 0
Medium Severity | 49
High Severity | 8
Critical Severity | 4

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE | Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 24
Cross-Site Request Forgery (CSRF) | 14
Missing Authorization | 14
Authorization Bypass Through User-Controlled Key | 4
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 2
Information Exposure | 1
Uncontrolled Resource Consumption (‘Resource Exhaustion’) | 1
Unrestricted Upload of File with Dangerous Type | 1

Researchers That Contributed to WordPress Security Last Week

Researcher Name | Number of Vulnerabilities
Alex Thomas (Wordfence Vulnerability Researcher) | 9
LEE SE HYOUNG | 6
Abdi Pranata | 6
Lana Codes (Wordfence Vulnerability Researcher) | 3
Rafie Muhammad | 3
yuyudhn | 3
Rio Darmawan | 2
Muhammad Daffa | 2
Elliot | 1
Rafael B. | 1
Bob Matyas | 1
Kijam López | 1
easyBug | 1
Alex Sanford | 1
Dipak Panchal | 1
Yassir Sbai Fahim | 1
Rafi Priatna Kasbiantoro | 1
Pavitra Tiwari | 1
Nguyen Anh Tien | 1
Nithissh S | 1
Friday | 1
Dave Jong | 1
PetiteMais | 1
Yuki Haruma | 1
Le Ngoc Anh | 1
thiennv | 1
TaeEun Lee | 1
Paolo Elia | 1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added to the Wordfence Intelligence leaderboard, along with a mention in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name | Software Slug
ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup | armember-membership
All-in-one Floating Contact Form, Call, Chat, and 50+ Social Icon Tabs – My Sticky Elements | mystickyelements
Animated Number Counters | animated-number-counters
Auto Location for WP Job Manager via Google | auto-location-for-wp-job-manager
BadgeOS | badgeos
Baidu Tongji generator | baidu-tongji-generator
Booking Package | booking-package
Bulk edit image alt tag, caption & description – WordPress Media Library Helper by Codexin | media-library-helper
Classified Listing – Classified ads & Business Directory Plugin | classified-listing
Coming Soon Page – Responsive Coming Soon & Maintenance Mode | responsive-coming-soon-page
Cryptocurrency Widgets – Price Ticker & Coins List | cryptocurrency-price-ticker-widget
FluentSMTP – WP Mail SMTP, Amazon SES, SendGrid, MailGun and Any SMTP Connector Plugin | fluent-smtp
Getnet Argentina para Woocommerce | integrar-getnet-con-woo
Gift Cards (Gift Vouchers and Packages) (WooCommerce Supported) | gift-voucher
HT Mega – Absolute Addons For Elementor | ht-mega-for-elementor
Header Footer Code Manager | header-footer-code-manager
Image Regenerate & Select Crop | image-regenerate-select-crop
Image Social Feed Plugin | add-instagram
Kingkong Board | kingkong-board
LMS by Masteriyo – WordPress Learning Management System, eLearning Platform, Online Education System & Online Course Builder | learning-management-system
LearnPress – WordPress LMS Plugin | learnpress
Livestream Notice | livestream-notice
Menubar | menubar
Mobile Call Now & Map Buttons | mobile-call-now-map-buttons
Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress | ninja-forms
Product Category Tree | product-category-tree
Querlo Chatbot | querlo-chatbots
RSVPMaker | rsvpmaker
Reservation.Studio widget | reservation-studio-widget
SMTP Mail | smtp-mail
Secondary Title | secondary-title
ShopLentor – WooCommerce Builder for Elementor & Gutenberg +10 Modules – All in One Solution (formerly WooLentor) | woolentor-addons
Simple Giveaways – Grow your business, email lists and traffic with contests | giveasap
Simple Light Weight Social Share (Tweet, Like, Share and Linkedin) | only-tweet-like-share-and-google-1
Simple Site Verify | simple-site-verify
Social Share Boost | social-share-boost
SrbTransLatin – Serbian Latinisation | srbtranslatin
Sublanguage | sublanguage
User Registration – Custom Registration Form, Login Form And User Profile For WordPress | user-registration
Video Gallery – YouTube Playlist, Channel Gallery by YotuWP | yotuwp-easy-youtube-embed
Visibility Logic for Elementor | visibility-logic-elementor
Visual Website Collaboration, Feedback & Project Management – Atarim | atarim-visual-collaboration
WP Content Copy Protection & No Right Click | wp-content-copy-protector
WP Dummy Content Generator | wp-dummy-content-generator
WP Full Stripe Free | wp-full-stripe-free
WP Mail Log | wp-mail-log
WP RSS Images | wp-rss-images
WP Reroute Email | wp-reroute-email
WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc | wp-sms
WP-Cirrus | wp-cirrus
WP-Optimize – Cache, Clean, Compress. | wp-optimize
WordPress Mobile Pack – Mobile Plugin for Progressive Web Apps & Hybrid Mobile Apps | wordpress-mobile-pack
oAuth Twitter Feed for Developers | oauth-twitter-feed-for-developers
wpForo Forum | wpforo

WordPress Themes with Reported Vulnerabilities Last Week

Software Name | Software Slug
WPLMS Learning Management System for WordPress, WordPress LMS | wplms

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site with the scanner enabled, you should already have been notified if your site was affected by any of these vulnerabilities.

User Registration <= 3.0.2 – Authenticated (Subscriber+) Arbitrary File Upload

Affected Software: User Registration – Custom Registration Form, Login Form And User Profile For WordPress
CVE ID: CVE-2023-3342
CVSS Score: 9.9 (Critical)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a979e885-f7dd-4616-a881-64f3d97c309d

HT Mega – Absolute Addons for Elementor <= 2.2.0 – Missing Authorization to Privilege Escalation

Affected Software: HT Mega – Absolute Addons For Elementor
CVE ID: CVE Unknown
CVSS Score: 9.8 (Critical)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/46f3cc62-c2d8-45af-bb92-c2040789cbc0

Booking Package <= 1.5.98 – Authorization Bypass to Arbitrary Password Reset

Affected Software: Booking Package
CVE ID: CVE-2023-37389
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/65166432-a877-4070-94c1-cdaf7e5d7586

Atarim – Client Interface <= 3.9.1 – Missing Authorization via AJAX actions

Affected Software: Visual Website Collaboration, Feedback & Project Management – Atarim
CVE ID: CVE Unknown
CVSS Score: 9.1 (Critical)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/15f3a6e1-6126-4825-b2b1-e40dc5694f43

Getnet Argentina para Woocommerce 0.0.1 – 0.0.4 – Authorization Bypass via webhook

Affected Software: Getnet Argentina para Woocommerce
CVE ID: CVE-2023-3525
CVSS Score: 7.5 (High)
Researcher/s: Kijam López
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/245e9117-ca63-458e-a094-60a759f5ec19

LearnPress <= 4.2.3 – Missing Authorization to Information Exposure

Affected Software: LearnPress – WordPress LMS Plugin
CVE ID: CVE-2023-36515
CVSS Score: 7.3 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ea136a60-aa42-4577-88b6-a49c79098954

WP Reroute Email <= 1.4.9 – Unauthenticated Stored Cross-Site Scripting via Email Subject

Affected Software: WP Reroute Email
CVE ID: CVE-2023-3168
CVSS Score: 7.2 (High)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4a0e962b-b6a0-4179-91d0-5ede508a9895

RSVPMaker <= 10.5.4 – Authenticated (Administrator+) SQL Injection via ‘resend’

Affected Software: RSVPMaker
CVE ID: CVE-2023-29095
CVSS Score: 7.2 (High)
Researcher/s: Rafi Priatna Kasbiantoro
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6709f9b0-0915-4361-9fb0-1f2696e26c2f

WP Mail Log <= 1.1.1 – Unauthenticated Stored Cross-Site Scripting via Email

Affected Software: WP Mail Log
CVE ID: CVE-2023-3088
CVSS Score: 7.2 (High)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/86ee1acb-6f0c-40e6-80a0-fc93b61c1602

SMTP Mail <= 1.2.16 – Unauthenticated Stored Cross-Site Scripting via Email Subject

Affected Software: SMTP Mail
CVE ID: CVE-2023-3092
CVSS Score: 7.2 (High)
Researcher/s: Alex Thomas
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8ae734d1-0cd4-4ff5-8448-828b0fb64f70

Coming Soon <= 1.5.8 – Authenticated (Administrator+) SQL Injection

Affected Software: Coming Soon Page – Responsive Coming Soon & Maintenance Mode
CVE ID: CVE-2022-46849
CVSS Score: 7.2 (High)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9a371489-031e-483e-9fde-3901b55710c6

FluentSMTP <= 2.2.4 – Unauthenticated Stored Cross-Site Scripting via Email Subject

ARMember <= 4.0.5 – Cross-Site Request Forgery

Masteriyo – LMS for WordPress <= 1.6.7 – Sensitive Information Exposure

Simple Giveaways <= 2.46.0 – Missing Authorization

Affected Software: Simple Giveaways – Grow your business, email lists and traffic with contests
CVE ID: CVE-2023-23893
CVSS Score: 6.5 (Medium)
Researcher/s: Nguyen Anh Tien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/721f8943-5d59-41ee-935e-999dff2e590d

BadgeOS <= 3.7.1.6 – Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Post Deletion

Affected Software: BadgeOS
CVE ID: CVE-2023-2173
CVSS Score: 6.5 (Medium)
Researcher/s: Alex Thomas
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ebb9e37c-9e8b-429b-b4ef-cd875351852c

Querlo Chatbot <= 1.2.4 – Authenticated (Subscriber+) Stored Cross-Site Scripting

Affected Software: Querlo Chatbot
CVE ID: CVE-2023-3418
CVSS Score: 6.4 (Medium)
Researcher/s: Rafael B.
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/157ea849-7947-4d0d-9ecf-7705f9039c8d

Secondary Title <= 2.0.9.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Secondary Title
CVE ID: CVE-2023-28773
CVSS Score: 6.4 (Medium)
Researcher/s: TaeEun Lee
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f5ab7d3e-b0c8-4e30-942b-23d91daff2ac

WPLMS < 4.900 – Cross-Site Request Forgery

Affected Software: WPLMS Learning Management System for WordPress, WordPress LMS
CVE ID: CVE-2023-36690
CVSS Score: 6.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9071acdf-8d40-4e8b-8d1f-be2cabf3d66e

Kingkong Board <= 2.1.0.2 – Missing Authorization

Affected Software: Kingkong Board
CVE ID: CVE-2023-36694
CVSS Score: 6.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d7b33199-d254-4d0c-88d0-ad2f7515d747

wpForo Forum <= 2.1.8 – Reflected Cross-Site Scripting via ‘wpforo_debug’

Affected Software: wpForo Forum
CVE ID: CVE-2023-2309
CVSS Score: 6.1 (Medium)
Researcher/s: Alex Sanford
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/35b6a26a-d7c1-4538-87f3-fcb1095797a3

WP-Optimize <= 3.2.12 & SrbTransLatin <= 2.4 – Stored/Reflected Cross-Site Scripting via Third Party Library

Affected Software/s: SrbTransLatin – Serbian Latinisation, WP-Optimize – Cache, Clean, Compress.
CVE ID: CVE-2023-1119
CVSS Score: 6.1 (Medium)
Researcher/s: Paolo Elia
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fdb822e8-583e-4437-a735-b116aa8886e2

Animated Number Counters <= 1.6 – Authenticated (Editor+) Stored Cross-Site Scripting

Affected Software: Animated Number Counters
CVE ID: CVE-2023-24393
CVSS Score: 5.5 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e87ea6b5-4288-4ebb-8a29-e0a179e6b584

WordPress Mobile Pack <= 3.4.1 – Cross-Site Request Forgery

Affected Software: WordPress Mobile Pack – Mobile Plugin for Progressive Web Apps & Hybrid Mobile Apps
CVE ID: CVE-2023-37391
CVSS Score: 5.4 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1f545c20-5be1-42bc-9268-640590ee4bf2

LearnPress <= 4.2.3 – Missing Authorization

Affected Software: LearnPress – WordPress LMS Plugin
CVE ID: CVE Unknown
CVSS Score: 5.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/389277fd-e47e-42df-9305-61ceedbcfb29

Sublanguage <= 2.9 – Missing Authorization

Affected Software: Sublanguage
CVE ID: CVE-2023-36695
CVSS Score: 5.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/50726c57-8d42-4143-9e75-d30513d8d0e2

Header Footer Code Manager <= 1.1.34 – Cross-Site Request Forgery via process_bulk_action

Affected Software: Header Footer Code Manager
CVE ID: CVE Unknown
CVSS Score: 5.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/60493635-b1b0-4e76-8f73-16c223d7b4d7

BadgeOS <= 3.7.1.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: BadgeOS
CVE ID: CVE-2023-2171
CVSS Score: 5.4 (Medium)
Researcher/s: Alex Thomas
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/74a280e1-e4b6-4bd9-882b-d9f185332d61

Menubar <= 5.8.2 – Cross-Site Request Forgery in wpm-admin.php

Affected Software: Menubar
CVE ID: CVE-2023-36687
CVSS Score: 5.4 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/be10894d-2a86-4f07-8119-e6eac8c9c950

Image Regenerate & Select Crop <= 7.1.0 – Missing Authorization

Affected Software: Image Regenerate & Select Crop
CVE ID: CVE-2023-36680
CVSS Score: 5.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cb7335c0-b6ed-43bb-91b7-870093d14cb8

LearnPress <= 4.2.3 – Missing Authorization

Affected Software: LearnPress – WordPress LMS Plugin
CVE ID: CVE-2023-36516
CVSS Score: 5.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e91e864a-20f6-48a2-ab9f-d20836207383

Product Category Tree <= 2.5 – Missing Authorization

Affected Software: Product Category Tree
CVE ID: CVE-2023-29173
CVSS Score: 5.3 (Medium)
Researcher/s: Friday
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/88840d66-1644-4af0-b811-41f0e9fe2c0c

Ninja Forms <= 3.6.25 – Denial of Service via Large Form Submissions

Affected Software: Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress
CVE ID: CVE-2023-35909
CVSS Score: 5.3 (Medium)
Researcher/s: PetiteMais
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/952a3e52-4e23-4bc4-92d3-e15ae2f3d28b

Cryptocurrency Widgets – Price Ticker & Coins List <= 2.6.2 – Missing Authorization

Affected Software: Cryptocurrency Widgets – Price Ticker & Coins List
CVE ID: CVE-2023-36681
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/dec2855c-71a8-46b2-819a-d85cd11a1a24

WP Dummy Content Generator <= 2.3.0 – Missing Authorization

Affected Software: WP Dummy Content Generator
CVE ID: CVE-2023-37394
CVSS Score: 5.3 (Medium)
Researcher/s: thiennv
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f4dad030-41e4-4d67-8650-8d268c44d352

Auto Location for WP Job Manager via Google <= 1.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Auto Location for WP Job Manager via Google
CVE ID: CVE-2023-3344
CVSS Score: 4.4 (Medium)
Researcher/s: Bob Matyas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/19a70aa0-7075-4922-8feb-25b7fbe9da42

WP Full Stripe Free <= 1.6.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: WP Full Stripe Free
CVE ID: CVE-2023-28934
CVSS Score: 4.4 (Medium)
Researcher/s: easyBug
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2afbc0a4-32ad-4fc4-9b10-5c06784f72f3

Social Share Boost <= 4.4 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Social Share Boost
CVE ID: CVE-2023-25044
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/41d09e93-8503-41e8-85d3-8550dc8f85bd

WP-Cirrus <= 0.6.11 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: WP-Cirrus
CVE ID: CVE-2023-36692
CVSS Score: 4.4 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4cab3c9c-39c6-4279-9573-858b0592c3fa

All-in-one Floating Contact Form <= 2.1.1 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

Livestream Notice <= 1.2.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Livestream Notice
CVE ID: CVE-2023-27621
CVSS Score: 4.4 (Medium)
Researcher/s: Pavitra Tiwari
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/69d957d3-a0d5-44ec-a9b0-8c9b41175379

Reservation.Studio widget <= 1.0.9 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Reservation.Studio widget
CVE ID: CVE-2023-24397
CVSS Score: 4.4 (Medium)
Researcher/s: Nithissh S
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7caa4c73-cf57-4f99-8bc6-6fd02308a58f

Video Gallery <= 1.3.12 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Video Gallery – YouTube Playlist, Channel Gallery by YotuWP
CVE ID: CVE-2023-25477
CVSS Score: 4.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/93b5bc57-3bfa-4477-a9d4-f0563008cf94

WP Content Copy Protection & No Right Click <= 3.5.5 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: WP Content Copy Protection & No Right Click
CVE ID: CVE-2023-36678
CVSS Score: 4.4 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9589d44b-55c3-45b4-84bb-c86143de3f95

Simple Light Weight Social Share (Tweet, Like, Share and Linkedin) <= 2.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Simple Light Weight Social Share (Tweet, Like, Share and Linkedin)
CVE ID: CVE-2023-37388
CVSS Score: 4.4 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/98780ecc-fb45-4392-955d-ddecf9f7fca1

Mobile Call Now & Map Buttons <= 1.5.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Mobile Call Now & Map Buttons
CVE ID: CVE-2023-24401
CVSS Score: 4.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a10ee756-1b71-4232-817c-1ba6ead7f0f0

Simple Site Verify <= 1.0.7 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Simple Site Verify
CVE ID: CVE-2023-36688
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b1ea7e04-d3b3-43fa-be9a-a2d5ac3e34c3

Image Social Feed Plugin <= 1.7.6 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Image Social Feed Plugin
CVE ID: CVE-2023-24412
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bcaa19b0-2d55-4a0c-98e7-9a38488dd922

oAuth Twitter Feed for Developers <= 2.3.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: oAuth Twitter Feed for Developers
CVE ID: CVE-2023-25042
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fa3819b1-8e7c-4e97-bac5-96d73d935845

Gift Cards (Gift Vouchers and Packages) <= 4.3.5 – Cross-Site Request Forgery in new_voucher_template.php

Affected Software: Gift Cards (Gift Vouchers and Packages) (WooCommerce Supported)
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0007d830-2e68-4c2f-8fac-f4363bc2d73d

WP Dummy Content Generator <= 2.3.0 – Cross-Site Request Forgery

Affected Software: WP Dummy Content Generator
CVE ID: CVE-2023-37392
CVSS Score: 4.3 (Medium)
Researcher/s: Elliot
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0576737d-8330-4a80-af70-4f0eab6657ed

Classified Listing <= 2.4.5 – Cross-Site Request Forgery via rtcl_ajax_thumbnail_delete

Affected Software: Classified Listing – Classified ads & Business Directory Plugin
CVE ID: CVE-2023-37387
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2352dce7-5302-4892-9ae2-bf814f029af4

WooLentor <= 2.6.2 – Cross-Site Request Forgery via process_data

BadgeOS <= 3.7.1.6 – Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Post Title Overwrite

Affected Software: BadgeOS
CVE ID: CVE-2023-2172
CVSS Score: 4.3 (Medium)
Researcher/s: Alex Thomas
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5dae8e82-e252-48d9-ae1f-62acfcd17e2b

BadgeOS <= 3.7.1.6 – Missing Authorization in delete_badgeos_log_entries

Affected Software: BadgeOS
CVE ID: CVE-2023-2174
CVSS Score: 4.3 (Medium)
Researcher/s: Alex Thomas
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/64e0adbc-c524-4f9d-9741-ce69edf888f7

Visibility Logic for Elementor <= 2.3.4 – Missing Authorization via admin_post ‘toggle_option’

Affected Software: Visibility Logic for Elementor
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/72c04de6-78d2-4a45-834a-01ed879b528f

WP SMS <= 6.1.5 – Cross-Site Request Forgery

Affected Software: WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/747afa58-182a-4fb3-bfe3-f15db0b1d85a

Baidu Tongji generator <= 1.0.2 – Cross-Site Request Forgery

Affected Software: Baidu Tongji generator
CVE ID: CVE-2023-31230
CVSS Score: 4.3 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8438ea46-9ac1-4ef5-a436-e438c35a4321

WP RSS Images <= 1.1 – Cross-Site Request Forgery

Affected Software: WP RSS Images
CVE ID: CVE-2023-36693
CVSS Score: 4.3 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/adb70798-2ef9-4384-bcca-8862afa044ed

Visibility Logic for Elementor <= 2.3.4 – Cross-Site Request Forgery via toggle_option

Affected Software: Visibility Logic for Elementor
CVE ID: CVE-2022-47169
CVSS Score: 4.3 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bb8aca3a-e4f7-41d6-9ea9-d189817c2c04

Media Library Helper by Codexin <= 1.2.0 – Cross-Site Request Forgery via rate_the_plugin_action

Affected Software: Bulk edit image alt tag, caption & description – WordPress Media Library Helper by Codexin
CVE ID: CVE-2023-37386
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/dc2356b2-e153-4e80-bfac-c25c15cdc259

As a reminder, Wordfence has curated an industry-leading vulnerability database, Wordfence Intelligence, covering all known WordPress core, theme, and plugin vulnerabilities.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, through vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring a variety of sources to capture all publicly available WordPress vulnerability information, adding additional context where we can.


The post Wordfence Intelligence Weekly WordPress Vulnerability Report (July 3, 2023 to July 9, 2023) appeared first on Wordfence.
