Wordfence Intelligence Weekly WordPress Vulnerability Report (July 24, 2023 to July 30, 2023)

Last week, there were 64 vulnerabilities disclosed in 66 WordPress Plugins and 3 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 32 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface and vulnerability API are completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

Ultimate Member <= 2.6.6 – Privilege Escalation via Arbitrary User Meta Updates via API

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status
Number of Vulnerabilities

Unpatched
34

Patched
30

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating
Number of Vulnerabilities

Low Severity
2

Medium Severity
54

High Severity
6

Critical Severity
2

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE
Number of Vulnerabilities

Missing Authorization
18

Cross-Site Request Forgery (CSRF)
18

Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
16

Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
3

Server-Side Request Forgery (SSRF)
2

Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’)
1

Authorization Bypass Through User-Controlled Key
1

Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’)
1

Improper Authorization
1

Protection Mechanism Failure
1

Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’)
1

Use of Hard-coded Cryptographic Key
1

Researchers That Contributed to WordPress Security Last Week

Researcher Name
Number of Vulnerabilities

Abdi Pranata
7

Mika
7

Rafie Muhammad
5

Skalucy
3

Lana Codes
(Wordfence Vulnerability Researcher)
3

longxi
3

Nguyen Xuan Chien
2

yuyudhn
2

Dipak Panchal
2

Chloe Chamberland
(Wordfence Vulnerability Researcher)
2

Junsu Yeo
1

Cat
1

TaeEun Lee
1

Emili Castells
1

Truoc Phan
1

konagash
1

Dmitriy
1

Christiaan Swiers
1

Stephen
1

Muhammad Daffa
1

LOURCODE
1

Bob Matyas
1

Yuchen Ji
1

Phd
1

Muhamad Arsyad
1

Marco Wotschka
(Wordfence Vulnerability Researcher)
1

Jonas Höbenreich
1

Marc-Alexandre Montpas
1

Rio Darmawan
1

PetiteMais
1

LEE SE HYOUNG
1

thiennv
1

 

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name
Software Slug

ACF Photo Gallery Field
navz-photo-gallery

AGP Font Awesome Collection
agp-font-awesome-collection

APIExperts Square for WooCommerce
woosquare

Assistant – Every Day Productivity Apps
assistant

Author Box for Authors, Co-Authors, Multiple Authors and Guest Authors – Molongui
molongui-authorship

Backup Migration
backup-backup

Banner Management For WooCommerce
banner-management-for-woocommerce

Blog2Social: Social Media Auto Post & Scheduler
blog2social

Booster Elementor Addons
booster-for-elementor

Change WP Admin Login
change-wp-admin-login

Chat Button: WhatsApp Chat, Facebook Messenger, Telegram Chat, WeChat, Line Chat, Discord Chat for Customer Support Chat with floating Chat Widget
bit-assist

Church Admin
church-admin

Clone
wp-clone-by-wp-academy

CodeBard’s Patron Button and Widgets for Patreon
patron-button-and-widgets-by-codebard

Contact Form Builder by Bit Form – Easiest Contact Form, Payment Form, Order Form, Calculator Form Builder Plugin for WordPress
bit-form

Custom Field For WP Job Manager
custom-field-for-wp-job-manager

Custom Field Template
custom-field-template

Discussion Board – WordPress Forum Plugin
wp-discussion-board

Donations Made Easy – Smart Donations
smart-donations

Duplicate Post
copy-delete-posts

Enhanced Text Widget
enhanced-text-widget

Fraud Prevention For Woocommerce
woo-blocker-lite-prevent-fake-orders-and-blacklist-fraud-customers

Google Map Shortcode
google-map-shortcode

HTTP Auth
http-auth

InstaWP Connect – 1-click WP Staging & Migration (beta)
instawp-connect

Instant CSS
instant-css

LWS Affiliation
lws-affiliation

Local Development
local-development

Meks Smart Social Widget
meks-smart-social-widget

Mobile Address Bar Changer
mobile-address-bar-changer

MultiParcels Shipping For WooCommerce
multiparcels-shipping-for-woocommerce

Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress
ninja-forms

Optimize Database after Deleting Revisions
rvg-optimize-database

Perelink Pro
perelink

Pop-up
pop-up-pop-up

Post to Google My Business (Google Business Profile)
post-to-google-my-business

QR code MeCard/vCard generator
wp-qrcode-me-v-card

Quasar form free – Contact Form Builder for WordPress
quasar-form

RSS Redirect & Feedburner Alternative
feedburner-alternative-and-rss-redirect

Redirection
redirect-redirection

Remove Duplicate Posts
remove-duplicate-posts

SSL Mixed Content Fix
http-https-remover

Saphali Woocommerce Lite
saphali-woocommerce-lite

Schema Pro
wp-schema-pro

Simple Author Box
simple-author-box

Simple Googlebot Visit
simple-googlebot-visit

Simple Wp Sitemap
simple-wp-sitemap

Slider Carousel – Responsive Image Slider
slider-images

Social Media Share Buttons & Social Sharing Icons
ultimate-social-media-icons

Social Share Icons & Social Share Buttons
ultimate-social-media-plus

Taboola
taboola

The Events Calendar
the-events-calendar

Ultimate Posts Widget
ultimate-posts-widget

Update Theme and Plugins from Zip File
update-theme-and-plugins-from-zip-file

User Activity Log
user-activity-log

User Email Verification for WooCommerce
woo-confirmation-email

Video Conferencing with Zoom
video-conferencing-with-zoom-api

WP Clone Menu
clone-menu

WP Quick Post Duplicator
wp-quick-post-duplicator

WPS Limit Login
wps-limit-login

Web Accessibility By accessiBe
accessibe

WordPress Database Administrator
wp-database-admin

cartflows-pro
cartflows-pro

tagDiv Composer
td-composer

wp tell a friend popup form
wp-tell-a-friend-popup-form

wpml-string-translation
wpml-string-translation

WordPress Themes with Reported Vulnerabilities Last Week

Software Name
Software Slug

nsc
nsc

winters
winters

yourjourney
yourjourney

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities.

InstaWP Connect <= 0.0.9.18 – Missing Authorization to Unauthenticated Post/Taxonomy/User Add/Change/Delete, Customizer Setting Change, Plugin Installation/Activation/Deactication via events_receiver

Affected Software: InstaWP Connect – 1-click WP Staging & Migration (beta)
CVE ID: CVE-2023-3956
CVSS Score: 9.8 (Critical)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/48e7acf2-61d4-4762-8657-0701910ce69b

LWS Affiliation <= 2.2.6 – Unauthenticated Remote/Local File Inclusion

Affected Software: LWS Affiliation
CVE ID: CVE-2023-32297
CVSS Score: 9.8 (Critical)
Researcher/s: Marco Wotschka, Jonas Höbenreich
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a7b1871d-9d26-4bdc-bd20-0535143902d4

Quasar form <= 6.1 – Authenticated (Subscriber+) SQL Injection via ‘id’

Affected Software: Quasar form free – Contact Form Builder for WordPress
CVE ID: CVE-2023-35910
CVSS Score: 8.8 (High)
Researcher/s: Emili Castells
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/150021d3-71bb-41c0-bb1c-5843e94ec0b6

User Activity Log <= 1.6.4 – Unauthenticated SQL Injection

Affected Software: User Activity Log
CVE ID: CVE-2023-3435
CVSS Score: 7.5 (High)
Researcher/s: Marc-Alexandre Montpas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b4ca985e-cae1-4e26-ad2d-413724cfd45d

WordPress Database Administrator <= 1.0.3 – Authenticated (Administrator+) SQL Injection

Affected Software: WordPress Database Administrator
CVE ID: CVE-2023-3211
CVSS Score: 7.2 (High)
Researcher/s: Christiaan Swiers
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2c314acf-d5bb-433a-8e2d-4ca333944bb6

WPML String Translation <= 3.2.5 – Authenticated (Administrator+) SQL Injection via ‘context’

Affected Software: wpml-string-translation
CVE ID: CVE Unknown
CVSS Score: 7.2 (High)
Researcher/s: Stephen
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2e8f224c-cd22-4926-be24-9da2f22afa50

MultiParcels Shipping For WooCommerce <= 1.15.4 – Unauthenticated Stored Cross-Site Scripting

Affected Software: MultiParcels Shipping For WooCommerce
CVE ID: CVE Unknown
CVSS Score: 7.2 (High)
Researcher/s: Unknown
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c5ce2d08-6e01-4a7c-a2d5-ba98639107a8

Molongui <= 4.6.19 – Unauthenticated Stored Cross-Site Scripting

Affected Software: Author Box for Authors, Co-Authors, Multiple Authors and Guest Authors – Molongui
CVE ID: CVE-2023-39164
CVSS Score: 7.2 (High)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cff04656-5930-4324-9ddf-43a2166cdf04

Booster Elementor Addons <= 1.4.9 – Missing Authorization

Affected Software: Booster Elementor Addons
CVE ID: CVE-2023-38480
CVSS Score: 6.5 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/60ee9cfc-016d-45ee-b3f4-da999d093776

Ninja Forms <= 3.6.25 – Reflected Cross-Site Scripting via ‘data’

Affected Software: Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress
CVE ID: CVE-2023-37979
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1460dc44-dd64-4fd6-952b-1f5d4285bfa4

tagDiv Composer <= 4.1 – Cross-Site Request Forgery to Cross-Site Scripting

Affected Software: tagDiv Composer
CVE ID: CVE-2023-39166
CVSS Score: 6.1 (Medium)
Researcher/s: Truoc Phan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/199d3a1f-bfde-4081-bb68-ebb6f9d360b2

User Email Verification for WooCommerce <= 3.5.0 – Reflected Cross-Site Scripting

Affected Software: User Email Verification for WooCommerce
CVE ID: CVE-2023-39162
CVSS Score: 6.1 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/282ef0bb-4db5-4b07-9aad-b128e8fdb915

CodeBard’s Patron Button and Widgets for Patreon <= 2.1.8 – Reflected Cross-Site Scripting via ‘site_account’

Affected Software: CodeBard’s Patron Button and Widgets for Patreon
CVE ID: CVE-2023-30491
CVSS Score: 6.1 (Medium)
Researcher/s: LOURCODE
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/46f5d1fa-dba7-4882-be29-39dc281d7278

nsc <= 1.0 – Prototype Pollution to Reflected Cross-Site Scripting

Affected Software: nsc
CVE ID: CVE-2023-3965
CVSS Score: 6.1 (Medium)
Researcher/s: longxi
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5909513d-8877-40ff-bee9-d565141b7ed2

Winters <= 1.4.3 – Prototype Pollution to Reflected Cross-Site Scripting

Affected Software: winters
CVE ID: CVE-2023-3962
CVSS Score: 6.1 (Medium)
Researcher/s: longxi
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6f8b75a1-f0f2-445b-a1c7-1628916470d3

Custom Field Template <= 2.5.9 – Reflected Cross-Site Scripting

Affected Software: Custom Field Template
CVE ID: CVE-2023-38392
CVSS Score: 6.1 (Medium)
Researcher/s: Phd
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/752a07c4-ae88-4152-b449-68228a54604a

Blog2Social: Social Media Auto Post & Scheduler <= 7.2.0 – Reflected Cross-Site Scripting

Affected Software: Blog2Social: Social Media Auto Post & Scheduler
CVE ID: CVE Unknown
CVSS Score: 6.1 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a00147db-2ca5-4290-ae13-27be6119b751

AGP Font Awesome Collection <= 3.2.4 – Reflected Cross-Site Scripting

Affected Software: AGP Font Awesome Collection
CVE ID: CVE-2023-30481
CVSS Score: 6.1 (Medium)
Researcher/s: Skalucy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b4df1fc3-ea7e-4f41-a5f0-d3928f8add70

Your Journey <= 1.9.8 – Prototype Pollution to Reflected Cross-Site Scripting

Affected Software: yourjourney
CVE ID: CVE-2023-3933
CVSS Score: 6.1 (Medium)
Researcher/s: longxi
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c738e051-ad1c-4115-94d3-127dd5dff935

Church Admin <= 3.7.56 – Server-Side Request Forgery via church_admin_import_csv

Affected Software: Church Admin
CVE ID: CVE-2023-38515
CVSS Score: 5.5 (Medium)
Researcher/s: Yuchen Ji
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6ff53647-572f-419f-ad39-965658a10263

Assistant <= 1.4.3 – Authenticated (Editor+) Server Side Request Forgery

Affected Software: Assistant – Every Day Productivity Apps
CVE ID: CVE Unknown
CVSS Score: 5.5 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9d5ed6cf-ae12-4da5-809f-6a8c61eeb4f6

WP Quick Post Duplicator <= 1.0 – Missing Authorization

Affected Software: WP Quick Post Duplicator
CVE ID: CVE-2023-31214
CVSS Score: 5.4 (Medium)
Researcher/s: TaeEun Lee
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/12a576ee-f8a9-4740-b87b-091a46970d53

Discussion Board <= 2.4.8 – Authenticated (Subscriber+) Content Injection

Affected Software: Discussion Board – WordPress Forum Plugin
CVE ID: CVE-2023-39161
CVSS Score: 5.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2e9d7776-aa96-47c8-9e31-5484ab65bc66

wp tell a friend popup form <= 7.1 – Cross-Site Request Forgery via ‘TellAFriend_admin’

Affected Software: wp tell a friend popup form
CVE ID: CVE-2023-25463
CVSS Score: 5.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2f760821-98d4-4154-a4ae-861283f991f8

HTTP Auth <= 0.3.2 – Cross-Site Request Forgery

Affected Software: HTTP Auth
CVE ID: CVE-2023-27435
CVSS Score: 5.4 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/43357daa-4dce-4851-b41b-48d3ffb8a387

Schema Pro <= 2.7.8 – Authenticated(Contributor+) Missing Authorization

Affected Software: Schema Pro
CVE ID: CVE-2023-36683
CVSS Score: 5.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/645ab4b9-e421-4610-b99b-960a7fbb7779

Saphali Woocommerce Lite <= 1.8.13 – Cross-Site Request Forgery via ‘woocommerce_saphali_page_s_l’

Affected Software: Saphali Woocommerce Lite
CVE ID: CVE-2023-25788
CVSS Score: 5.4 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c58d9011-a082-48ca-b702-ef5563af2c66

WP Clone Menu <= 1.0.1 – Missing Authorization to Menu Clone

Affected Software: WP Clone Menu
CVE ID: CVE-2023-38395
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0bbbefce-4451-410d-bc19-f489318dda4a

APIExperts Square for WooCommerce <= 4.2.8 – Missing Authorization

Affected Software: APIExperts Square for WooCommerce
CVE ID: CVE-2022-47182
CVSS Score: 5.3 (Medium)
Researcher/s: Cat
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0e1193b1-6e5a-4ecc-ae97-1a3129ad330e

Ninja Forms <= 3.6.25 – Missing Authorization to Contributor+ Form Submission Export

Affected Software: Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress
CVE ID: CVE-2023-38386
CVSS Score: 5.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6551eea6-1059-4caa-876c-3d08083130f6

Change WP Admin Login <= 1.1.3 – Protection Mechanism Failure to Login Page Disclosure

Affected Software: Change WP Admin Login
CVE ID: CVE-2023-3604
CVSS Score: 5.3 (Medium)
Researcher/s: Muhamad Arsyad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9410b5b8-1bb2-42d7-8d4d-721131d392e3

Instant CSS <= 1.1.4 – Missing Authorization via AJAX Actions

Affected Software: Instant CSS
CVE ID: CVE-2023-38483
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b82a9ae8-ff82-40bf-a5d4-5175daab9146

Slider Carousel – Responsive Image Slider <= 1.5.0 – Missing Authorization

Affected Software: Slider Carousel – Responsive Image Slider
CVE ID: CVE-2023-25457
CVSS Score: 5.3 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c32f1c6a-cf65-419e-bfcd-48ac8e3735bc

Meks Smart Social Widget <= 1.6 – Missing Authorization to notice dimissal

Affected Software: Meks Smart Social Widget
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/eaabaadf-7881-4c4f-8987-fbba8318a458

Custom Field For WP Job Manager <= 1.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Custom Field For WP Job Manager
CVE ID: CVE-2023-3328
CVSS Score: 4.4 (Medium)
Researcher/s: Bob Matyas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4f504434-2de9-4d2e-848d-6c7fc0880672

Contact Form Builder by Bit Form <= 2.1.0 – Authenticated (Admin+) Stored Cross-Site Scripting

Web Accessibility By accessiBe <= 1.15 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Web Accessibility By accessiBe
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9d79ce22-33ef-4dfb-a842-591cd7cedc94

wp tell a friend popup form <= 7.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: wp tell a friend popup form
CVE ID: CVE-2023-25465
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ec860ad9-7054-4ed2-a8f2-6589e4db36cd

Bit Assist <= 1.1.8 – Authenticated (Administrator+) Stored Cross-Site Scripting

Remove Duplicate Posts <= 1.3.4 – Missing Authorization to Post Deletion

Affected Software: Remove Duplicate Posts
CVE ID: CVE-2023-29237
CVSS Score: 4.3 (Medium)
Researcher/s: Junsu Yeo
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/02dcf609-e8ef-4ff5-a61e-6c513af04ca2

Donations Made Easy – Smart Donations <= 4.0.12 – Missing Authorization

Affected Software: Donations Made Easy – Smart Donations
CVE ID: CVE-2023-38475
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0efebdcb-c3fb-435a-8687-6abdd5f9334b

Woocommerce Category Banner Management <= 2.4.1 – Cross-Site Request Forgery

Affected Software: Banner Management For WooCommerce
CVE ID: CVE-2023-39158
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/223a6c35-712a-458c-8708-6981c9041fe1

Simple Author Box <= 2.51 – Authenticated (Contributor+) Insecure Direct Object Reference to Arbitrary User Sensitive Information Exposure

Affected Software: Simple Author Box
CVE ID: CVE-2023-3601
CVSS Score: 4.3 (Medium)
Researcher/s: Dmitriy
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2a1b7e37-1e30-473c-aadc-176de729e619

Mobile Address Bar Changer <= 3.0 – Cross-Site Request Forgery to Settings Update

Affected Software: Mobile Address Bar Changer
CVE ID: CVE-2023-38390
CVSS Score: 4.3 (Medium)
Researcher/s: Skalucy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2f1b0b50-663f-40ff-803e-a20d7c7ea980

Meks Smart Social Widget <= 1.6 – Cross-Site Request Forgery via meks_remove_notification

Affected Software: Meks Smart Social Widget
CVE ID: CVE-2023-25989
CVSS Score: 4.3 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3d0efe1d-69ad-483c-b200-38873f88433b

Simple Wp Sitemap <= 1.2.1 – Cross-Site Request Forgery

Affected Software: Simple Wp Sitemap
CVE ID: CVE-2023-24380
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3e3dc509-73c3-4869-b520-6f5c1d691184

Optimize Database after Deleting Revisions <= 5.0.110 – Cross-Site Request Forgery via ‘odb_start_manually’

Affected Software: Optimize Database after Deleting Revisions
CVE ID: CVE-2023-25980
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5d01548e-91bf-44db-83dc-10c7d5962f9b

Perelink Pro <= 2.1.4 – Cross-Site Request Forgery to Settings Update

Affected Software: Perelink Pro
CVE ID: CVE-2023-37990
CVSS Score: 4.3 (Medium)
Researcher/s: Skalucy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/65b9fea3-323a-4123-ad83-3d713eb5552f

ACF Photo Gallery Field <= 1.9 – Authenticated (Subscriber+) Arbitrary Usermeta Update

Affected Software: ACF Photo Gallery Field
CVE ID: CVE-2023-3957
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/689511e0-1355-4fcb-8a72-d819abc8e9a3

QR code MeCard/vCard generator <= 1.6.0 – Missing Authorization via wqm_make_url_permanent

Affected Software: QR code MeCard/vCard generator
CVE ID: CVE-2023-38477
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8896fa5a-1642-4fcd-8fff-1e5828c28523

Taboola <= 2.0.1 – Cross-Site Request Forgery to Plugin Settings Update

Affected Software: Taboola
CVE ID: CVE-2023-38398
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ab015cb4-0b1e-40ff-ab9b-6c03eed3142f

Inisev Plugins (Various Versions) – Cross-Site Request Forgery on handle_installation function

Simple Googlebot Visit <= 1.2.4 – Missing Authorization to Settings Update

Affected Software: Simple Googlebot Visit
CVE ID: CVE-2023-38479
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b1e7bb04-28b4-407c-910b-e37a7e26682e

Post to Google My Business <= 3.1.14 – Cross-Site Request Forgery to Dismiss Notification

Affected Software: Post to Google My Business (Google Business Profile)
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/baa8e48f-769a-4f48-bc47-d55c179d1ca1

The Events Calendar <= 6.1.2.2 – Missing Authorization

Affected Software: The Events Calendar
CVE ID: CVE-2023-35777
CVSS Score: 4.3 (Medium)
Researcher/s: PetiteMais
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c513e674-c027-4335-8ba3-b19696a1ce9b

Inisev Plugins (Various Versions) – Missing Authorization on handle_installation function

CartFlows Pro <= 1.11.12 – Cross-Site Request Forgery

Affected Software: cartflows-pro
CVE ID: CVE-2023-36685
CVSS Score: 4.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d0631ec9-fb72-4573-a41b-9b6b01aeaae9

Ninja Forms <= 3.6.25 – Missing Authorization to Form Submission Export

Affected Software: Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress
CVE ID: CVE-2023-38393
CVSS Score: 4.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d7befdf6-07d7-42c9-876a-abb8f8f9c3df

Google Map Shortcode <= 3.1.2 – Cross-Site Request Forgery to Plugin Setting Update

Affected Software: Google Map Shortcode
CVE ID: CVE-2023-38396
CVSS Score: 4.3 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e3f05af5-35f5-4813-b8a3-bb90709af677

Update Theme and Plugins from Zip File <= 2.0.0 – Cross-Site Request Forgery

Affected Software: Update Theme and Plugins from Zip File
CVE ID: CVE-2023-25489
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e59293a6-cc61-4913-9ed0-13fa16299705

Woocommerce Blocker Lite <= 2.1.4.1 – Cross-Site Request Forgery

Affected Software: Fraud Prevention For Woocommerce
CVE ID: CVE-2023-39159
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f4f84b2a-2674-42a1-9db1-d9c1f3db2376

Local Development <=2.8.2 – Cross-Site Request Forgery to Settings Update

Affected Software: Local Development
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f962a3ef-205d-42e2-acf1-45eabfdba3ee

WPS Limit Login <= 1.5.6 – Race Condition

Affected Software: WPS Limit Login
CVE ID: CVE-2023-39160
CVSS Score: 3.7 (Low)
Researcher/s: konagash
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/298b31e4-739e-424e-918f-77092148a6bb

Video Conferencing with Zoom <= 4.2.1 – Sensitive Information Exposure

Affected Software: Video Conferencing with Zoom
CVE ID: CVE-2023-3947
CVSS Score: 3.7 (Low)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ba2515d9-ced0-4b49-87c4-04c8391c2608

As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (July 24, 2023 to July 30, 2023) appeared first on Wordfence.

Leave a Comment