Wordfence Intelligence Weekly WordPress Vulnerability Report (August 28, 2023 to September 3, 2023)

Last week, there were 64 vulnerabilities disclosed in 61 WordPress Plugins and 2 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 32 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API and webhook notifications are completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

 

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status
Number of Vulnerabilities

Unpatched
37

Patched
27

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating
Number of Vulnerabilities

Low Severity
2

Medium Severity
53

High Severity
6

Critical Severity
3

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE
Number of Vulnerabilities

Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
29

Missing Authorization
12

Cross-Site Request Forgery (CSRF)
11

Unrestricted Upload of File with Dangerous Type
5

Server-Side Request Forgery (SSRF)
1

URL Redirection to Untrusted Site (‘Open Redirect’)
1

Improper Input Validation
1

Authorization Bypass Through User-Controlled Key
1

Improper Control of Generation of Code (‘Code Injection’)
1

Use of Less Trusted Source
1

Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
1

Researchers That Contributed to WordPress Security Last Week

Researcher Name
Number of Vulnerabilities

Rio Darmawan
11

Rafie Muhammad
5

Lana Codes
(Wordfence Vulnerability Researcher)
4

thiennv
3

LEE SE HYOUNG
3

Mika
2

Zlrqh
2

Dmitrii
2

László Radnai
2

Elliot
2

Marco Wotschka
(Wordfence Vulnerability Researcher)
2

Bartłomiej Marek
2

Tomasz Swiadek
2

Abdi Pranata
2

Phd
1

Emili Castells
1

Pavitra Tiwari
1

Ramuel Gall
(Wordfence Vulnerability Researcher)
1

FearZzZz
1

emad
1

Prasanna V Balaji
1

deokhunKim
1

yuyudhn
1

Le Ngoc Anh
1

Dipak Panchal
1

mehmet
1

Lokesh Dachepalli
1

Jonas Höbenreich
1

Enrico Marcolini
1

Animesh Gaurav
1

Jonatas Souza Villa Flor
1

Ravi Dharmawan
1

 

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name
Software Slug

Activity Log
aryo-activity-log

AffiliateWP
AffiliateWP

All-in-One WP Migration Box Extension
all-in-one-wp-migration-box-extension

All-in-One WP Migration Dropbox Extension
all-in-one-wp-migration-dropbox-extension

All-in-One WP Migration Google Drive Extension
all-in-one-wp-migration-gdrive-extension

All-in-One WP Migration OneDrive Extension
all-in-one-wp-migration-onedrive-extension

Better Elementor Addons
better-elementor-addons

Bridge Core
bridge-core

Ditty – Responsive News Tickers, Sliders, and Lists
ditty-news-ticker

DoLogin Security
dologin

Easy Coming Soon
easy-coming-soon

Easy Newsletter Signups
easy-newsletter-signups

Email Encoder – Protect Email Addresses and Phone Numbers
email-encoder-bundle

Fast & Effective Popups & Lead-Generation for WordPress – HollerBox
holler-box

FileOrganizer – Manage WordPress and Website Files
fileorganizer

Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager
folders

Font Awesome 4 Menus
font-awesome-4-menus

Forminator – Contact Form, Payment Form & Custom Form Builder
forminator

GiveWP – Donation Plugin and Fundraising Platform
give

GuruWalk Affiliates
guruwalk-affiliates

Happy Addons for Elementor Pro
happy-elementor-addons-pro

Import XML and RSS Feeds
import-xml-feed

Localize Remote Images
localize-remote-images

Login and Logout Redirect
login-and-logout-redirect

LuckyWP Scripts Control
luckywp-scripts-control

Maintenance Switch
maintenance-switch

MakeStories (for Google Web Stories)
makestories-helper

Metform Elementor Contact Form Builder
metform

Multi-column Tag Map
multi-column-tag-map

Olive One Click Demo Import
olive-one-click-demo-import

Order Tracking – WordPress Status Tracking Plugin
order-tracking

Ovic Product Bundle
ovic-product-bundle

Popup Builder – Create highly converting, mobile friendly marketing popups.
popup-builder

Popup box
ays-popup-box

PowerPress Podcasting plugin by Blubrry
powerpress

Prevent files / folders access
prevent-file-access

Pricing Deals for WooCommerce
pricing-deals-for-woocommerce

RSVPMaker
rsvpmaker

Remove/hide Author, Date, Category Like Entry-Meta
removehide-author-date-category-like-entry-meta

Responsive Gallery Grid
responsive-gallery-grid

Sermon’e – Sermons Online
sermone-online-sermons-management

Simple 301 Redirects by BetterLinks
simple-301-redirects

Site Reviews
site-reviews

Sitekit
sitekit

Slimstat Analytics
wp-slimstat

Smarty for WordPress
smarty-for-wordpress

Snap Pixel
snap-pixel

Social Media Share Buttons & Social Sharing Icons
ultimate-social-media-icons

Social Share Boost
social-share-boost

Surfer – WordPress Plugin
surferseo

URL Shortener by MyThemeShop
mts-url-shortener

Ultimate Addons for Contact Form 7
ultimate-addons-for-contact-form-7

WP Bannerize Pro
wp-bannerize-pro

WP GoToWebinar
wp-gotowebinar

WP Search Analytics
search-analytics

WP Super Minify
wp-super-minify

WP Synchro – WordPress Migration Plugin for Database & Files
wpsynchro

WP Users Media
wp-users-media

WP-dTree
wp-dtree-30

WordPress Ecommerce For Creating Fast Online Stores – By SureCart
surecart

authLdap
authldap

WordPress Themes with Reported Vulnerabilities Last Week

Software Name
Software Slug

Arya Multipurpose Pro
arya-multipurpose-pro

Everest News Pro
everest-news-pro

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities.

Forminator <= 1.24.6 – Unauthenticated Arbitrary File Upload

Affected Software: Forminator – Contact Form, Payment Form & Custom Form Builder
CVE ID: CVE-2023-4596
CVSS Score: 9.8 (Critical)
Researcher/s: mehmet
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9cd87da6-1f4c-4a15-8ebb-6e0f8ef72513

Import XML and RSS Feeds <= 2.1.4 – Unauthenticated Remote Code Execution

Affected Software: Import XML and RSS Feeds
CVE ID: CVE-2023-4521
CVSS Score: 9.8 (Critical)
Researcher/s: Enrico Marcolini
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c0856920-5463-4dd3-a4fd-e56901a89b83

RSVPMarker <= 10.6.6 – Unauthenticated SQL Injection

Affected Software: RSVPMaker
CVE ID: CVE-2023-41652
CVSS Score: 9.8 (Critical)
Researcher/s: Ravi Dharmawan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f655704d-70a1-40d8-ae36-39029185d262

Folders <= 2.9.2 – Authenticated (Author+) Arbitrary File Upload in handle_folders_file_upload

Give – Donation Plugin <= 2.33.0 – Authenticated(Give Manager+) Privilege Escalation

Affected Software: GiveWP – Donation Plugin and Fundraising Platform
CVE ID: CVE-2023-41665
CVSS Score: 7.2 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/22ff4b09-063b-425e-9d59-be2e5d283186

Olive One Click Demo Import <= 1.0.9 – Authenticated (Administrator+) Arbitrary File Upload in olive_one_click_demo_import_save_file

Affected Software: Olive One Click Demo Import
CVE ID: CVE-2023-29102
CVSS Score: 7.2 (High)
Researcher/s: deokhunKim
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4f3e3311-11d8-4e4f-9d99-36533fe44d56

DoLogin Security <= 3.6 – Unauthenticated Stored Cross-Site Scripting

Affected Software: DoLogin Security
CVE ID: CVE-2023-4549
CVSS Score: 7.2 (High)
Researcher/s: Bartłomiej Marek, Tomasz Swiadek
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ad34d657-da59-46ff-a54a-64e6c8974b69

Prevent files / folders access <= 2.5.1 – Authenticated (Administrator+) Arbitrary File Upload in mo_media_restrict_page

Affected Software: Prevent files / folders access
CVE ID: CVE-2023-4238
CVSS Score: 7.2 (High)
Researcher/s: Dmitrii
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b266bd10-dbc6-4058-a5b2-1578c0814cb4

Import XML and RSS Feeds <= 2.1.3 – Authenticated (Admin+) Arbitrary File Upload

Affected Software: Import XML and RSS Feeds
CVE ID: CVE-2023-4300
CVSS Score: 7.2 (High)
Researcher/s: Jonatas Souza Villa Flor
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f45b4c43-c6c4-41da-bd59-9a355800815a

Easy Newsletter Signups <= 1.0.4 – Missing Authorization

Affected Software: Easy Newsletter Signups
CVE ID: CVE-2023-41664
CVSS Score: 6.5 (Medium)
Researcher/s: Emili Castells
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/288946ae-6e58-42e6-89d1-8951539728d3

Slimstat Analytics <= 5.0.9 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Slimstat Analytics
CVE ID: CVE-2023-4597
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/52aee4b8-f494-4eeb-8357-71ce8d5bc656

Sitekit <= 1.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘sitekit_iframe ‘ shortcode

Affected Software: Sitekit
CVE ID: CVE-2023-27628
CVSS Score: 6.4 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7f0be29a-7896-4166-a2a6-64f99d845236

Font Awesome 4 Menus <= 4.7.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Font Awesome 4 Menus
CVE ID: CVE-2023-4718
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/dc59510c-6eaf-4526-8acb-c07e39923ad9

Email Encoder <= 2.1.7 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Email Encoder – Protect Email Addresses and Phone Numbers
CVE ID: CVE-2023-4599
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e90f04e4-eb4c-4822-89c6-79f553987c37

Login and Logout Redirect <= 2.0.2 – Open Redirect

Affected Software: Login and Logout Redirect
CVE ID: CVE-2023-41648
CVSS Score: 6.1 (Medium)
Researcher/s: Phd
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/09a0639e-4b14-4dc9-a50c-d18234faa7b1

Arya Multipurpose Pro <= 1.0.8 – Reflected Cross-Site Scripting

Affected Software: Arya Multipurpose Pro
CVE ID: CVE-2023-41237
CVSS Score: 6.1 (Medium)
Researcher/s: László Radnai
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/22cfbaa1-5412-4944-899c-7ae41d017384

Social Media & Share Icons <= 2.8.3 – Reflected Cross-Site Scripting

Affected Software: Social Media Share Buttons & Social Sharing Icons
CVE ID: CVE-2023-41238
CVSS Score: 6.1 (Medium)
Researcher/s: FearZzZz
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3a8998db-ffc2-40b2-a191-09380984adac

URL Shortener by MyThemeShop <= 1.0.17 – Reflected Cross-Site Scripting via ‘page’

Affected Software: URL Shortener by MyThemeShop
CVE ID: CVE-2023-30472
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/52c2837e-8947-4ce9-bda5-e0c2f831fb36

Sermon’e – Sermons Online <= 1.0.0 – Reflected Cross-Site Scripting

Affected Software: Sermon’e – Sermons Online
CVE ID: CVE-2023-41653
CVSS Score: 6.1 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5c17678e-6598-4e80-b121-beae822b9f81

WP-dTree <= 4.4.5 – Reflected Cross-Site Scripting

Affected Software: WP-dTree
CVE ID: CVE-2023-41662
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6c01da54-fbbe-42f9-a76e-8e823027d62a

Everest News Pro <= 1.1.7 – Reflected Cross-Site Scripting

Affected Software: Everest News Pro
CVE ID: CVE-2023-41235
CVSS Score: 6.1 (Medium)
Researcher/s: László Radnai
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bb967453-59d6-4b03-8c75-1906b99bff80

Bridge Core <= 3.0.9 – Reflected Cross-Site Scripting

Affected Software: Bridge Core
CVE ID: CVE-2023-40333
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bc698c40-4a2b-4dab-93f0-647e4db79d2c

Ditty <= 3.1.24 – Reflected Cross-Site Scripting

Affected Software: Ditty – Responsive News Tickers, Sliders, and Lists
CVE ID: CVE-2023-4148
CVSS Score: 6.1 (Medium)
Researcher/s: Animesh Gaurav
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cabf7aae-0673-4358-a2df-0ca22c8432b5

Happy Elementor Addons Pro <= 2.8.0 – Reflected Cross-Site Scripting

Affected Software: Happy Addons for Elementor Pro
CVE ID: CVE-2023-41236
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d536d3a8-9ac5-4ea9-8c65-16ad8b3a7106

Ultimate Addons for Contact Form 7 <= 3.1.32 – Reflected Cross-Site Scripting via ‘page’

Affected Software: Ultimate Addons for Contact Form 7
CVE ID: CVE-2023-30493
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d857324c-94c9-471a-9da8-0b8c9bb50262

Order Tracking Pro <= 3.3.6 – Reflected Cross-Site Scripting

Affected Software: Order Tracking – WordPress Status Tracking Plugin
CVE ID: CVE-2023-4471
CVSS Score: 6.1 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ed64d0ff-4f49-4c18-86ec-2c6fbd559d2e

WP Bannerize Pro <= 1.6.9 – Reflected Cross-Site Scripting

Affected Software: WP Bannerize Pro
CVE ID: CVE-2023-41663
CVSS Score: 6.1 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/edc35f8c-f916-433e-9d3f-4992e8c9d7cd

WP Search Analytics <= 1.4.7 – Reflected Cross-Site Scripting via ‘render_stats_page’

Affected Software: WP Search Analytics
CVE ID: CVE-2023-30471
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f6433a17-0017-46a9-a8e6-4d4a4a55f2db

PowerPress <= 11.0.6 – Authenticated (Contributor+) Server-Side Request Forgery via wp_ajax_powerpress_media_info

Affected Software: PowerPress Podcasting plugin by Blubrry
CVE ID: CVE-2023-41239
CVSS Score: 5.4 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/031c31b2-6e27-47bb-9f63-2bbaa1edbbb2

Site Reviews <= 6.10.2 – Missing Authorization

Affected Software: Site Reviews
CVE ID: CVE Unknown
CVSS Score: 5.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1accc41e-41d2-49e3-a80a-6b95b02cb42e

Responsive Gallery Grid <= 2.3.10 – Cross-Site Request Forgery

Affected Software: Responsive Gallery Grid
CVE ID: CVE-2023-41659
CVSS Score: 5.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3abe2de8-9127-4ef0-9194-cf331b20868a

LuckyWP Scripts Control <= 1.2.1 – Missing Authorization via multiple AJAX actions

Affected Software: LuckyWP Scripts Control
CVE ID: CVE-2023-29239
CVSS Score: 5.4 (Medium)
Researcher/s: Elliot
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3ed93c5c-38bb-4e84-8fe8-03dd75b4d9f3

Maintenance Switch <= 1.5.2 – Cross-Site Request Forgery via ‘admin_action_request’

Affected Software: Maintenance Switch
CVE ID: CVE-2023-29235
CVSS Score: 5.4 (Medium)
Researcher/s: Elliot
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6f14f19d-95b3-474b-a2ea-d846c85644cd

Simple 301 Redirects <= 2.0.7 – Cross-Site Request Forgery via ‘clicked’

Affected Software: Simple 301 Redirects by BetterLinks
CVE ID: CVE Unknown
CVSS Score: 5.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9945c85b-a97a-4ad0-9d0a-69faf157563a

Surfer <= 1.1.2.298 – Missing Authorization

Affected Software: Surfer – WordPress Plugin
CVE ID: CVE-2023-35037
CVSS Score: 5.4 (Medium)
Researcher/s: Jonas Höbenreich
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c06f9f6d-3cd0-4700-834b-435a99983453

Pricing Deals for WooCommerce <= 2.0.3.2 – Missing Authorization via vtprd_ajax_clone_rule

Affected Software: Pricing Deals for WooCommerce
CVE ID: CVE-2023-41240
CVSS Score: 5.3 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1101bfe6-2075-4f44-933b-6d9f372100a2

Ovic Product Bundle <= 1.1.2 – Missing Authorization

Affected Software: Ovic Product Bundle
CVE ID: CVE-2023-41649
CVSS Score: 5.3 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5657ffe2-7d04-4834-bcec-ab6afaeda7df

Multiple ServMask Plugins <= (Various Versions) – Missing Authorization to Access Token Update

Localize Remote Images <= 1.0.9 – Cross-Site Request Forgery via admin menu

Affected Software: Localize Remote Images
CVE ID: CVE-2023-41244
CVSS Score: 5.3 (Medium)
Researcher/s: Lokesh Dachepalli
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ab96123e-17aa-461f-b460-e8eba82c78e1

Multi-column Tag Map <= 17.0.26 – Missing Authorization

Affected Software: Multi-column Tag Map
CVE ID: CVE-2023-41651
CVSS Score: 5.3 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d2a60cb2-fe7d-4c51-9995-5cb4682d9d26

Activity Log <= 2.8.7 – IP Address Spoofing

Affected Software: Activity Log
CVE ID: CVE-2023-4281
CVSS Score: 5.3 (Medium)
Researcher/s: Bartłomiej Marek, Tomasz Swiadek
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/de821236-f878-46a4-9265-bcf6e8661910

Order Tracking Pro <= 3.3.6 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Order Tracking – WordPress Status Tracking Plugin
CVE ID: CVE-2023-4500
CVSS Score: 4.7 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/81f9a4c6-971f-4f6d-8bb1-e97bf75cf8d3

GuruWalk Affiliates <= 1.0.0 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

Affected Software: GuruWalk Affiliates
CVE ID: CVE-2023-27622
CVSS Score: 4.4 (Medium)
Researcher/s: Pavitra Tiwari
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2b2714f7-9877-4d3d-a692-70fbf8584728

SureCart <= 2.5.0 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

Affected Software: WordPress Ecommerce For Creating Fast Online Stores – By SureCart
CVE ID: CVE-2023-41241
CVSS Score: 4.4 (Medium)
Researcher/s: emad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/416c13ff-15ae-4ba4-8a95-7c07bec75c22

Smarty for WordPress <= 3.1.35 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Smarty for WordPress
CVE ID: CVE-2023-41661
CVSS Score: 4.4 (Medium)
Researcher/s: Prasanna V Balaji
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/498a10a1-8da6-4309-833f-950f6442d5ae

WP GoToWebinar <= 14.45 – Authenticated (Administrator+) Cross-Site Scripting

Affected Software: WP GoToWebinar
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4a7b32f5-5d27-4f5a-89f3-abf4f8da79e4

HollerBox <= 2.3.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Fast & Effective Popups & Lead-Generation for WordPress – HollerBox
CVE ID: CVE-2023-41657
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5c76871e-b774-4284-ad00-f8ef7f6df389

Popup Builder <= 4.1.15 – Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: Popup Builder – Create highly converting, mobile friendly marketing popups.
CVE ID: CVE-2023-3226
CVSS Score: 4.4 (Medium)
Researcher/s: Dipak Panchal
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7f97af51-1532-4034-8b2a-8356b65cb617

Snap Pixel <= 1.5.7 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Snap Pixel
CVE ID: CVE-2023-41242
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c37686f8-6bd7-4c06-b80a-7d6849bbc7b0

Easy Coming Soon <= 2.3 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

Affected Software: Easy Coming Soon
CVE ID: CVE-2023-25483
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e46139c8-dd7e-4904-81b2-283952cea9b5

Popup Box <= 3.7.1 – Authenticated(Administrator+) Stored Cross-Site Scripting

Affected Software: Popup box
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e6dbbb52-4202-4d69-837f-c7d5ca06fab5

WP Users Media <= 4.2.3 – Cross-Site Request Forgery in wpusme_save_settings

Affected Software: WP Users Media
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Zlrqh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/07a82335-d738-4c14-b385-04843f12e4ef

Metform Elementor Contact Form Builder <= 3.3.1 – Authenticated (Subscriber+) Information Disclosure via ‘mf_first_name’ shortcode

Affected Software: Metform Elementor Contact Form Builder
CVE ID: CVE-2023-0689
CVSS Score: 4.3 (Medium)
Researcher/s: Ramuel Gall
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/356cf06e-16e7-438b-83b5-c8a52a21f903

Social Share Boost <= 4.5 – Cross-Site Request Forgery via ‘syntatical_settings_content’

Affected Software: Social Share Boost
CVE ID: CVE-2023-25033
CVSS Score: 4.3 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/53a265b8-e34c-4683-a653-4b4b2410e9de

Better Elementor Addons <= 1.3.5 – Missing Authorization

Affected Software: Better Elementor Addons
CVE ID: CVE-2023-41656
CVSS Score: 4.3 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5a628eef-937c-4391-afac-22128ec5b51c

WP Users Media <= 4.2.3 – Missing Authorization via wpusme_save_settings

Affected Software: WP Users Media
CVE ID: CVE-2023-27428
CVSS Score: 4.3 (Medium)
Researcher/s: Zlrqh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8e125188-4aff-4c64-b4ec-a363db2431b7

WP Super Minify <= 1.5.1 – Cross-Site Request Forgery via ‘wpsmy_admin_options’

Affected Software: WP Super Minify
CVE ID: CVE-2023-27615
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/af59fcf6-4435-45f0-8904-ff520ea86157

Remove/hide Author, Date, Category Like Entry-Meta <= 2.1 – Cross-Site Request Forgery

Affected Software: Remove/hide Author, Date, Category Like Entry-Meta
CVE ID: CVE-2023-41650
CVSS Score: 4.3 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cd0abdf2-24da-4e87-825b-0796af6c3ccd

MakeStories (for Google Web Stories) <= 2.8.0 – Cross-Site Request Forgery via ‘ms_set_options’

Affected Software: MakeStories (for Google Web Stories)
CVE ID: CVE-2023-27448
CVSS Score: 4.3 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d9f7130d-883a-4db4-9edf-f5526724de11

AffiliateWP <= 2.14.0 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Activation

Affected Software: AffiliateWP
CVE ID: CVE-2023-4600
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/eab422b8-8cf5-441e-a21f-6a0e1b7642b2

authLdap <= 2.5.8 – Cross-Site Request Forgery

Affected Software: authLdap
CVE ID: CVE-2023-41654
CVSS Score: 4.3 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/eddce6e0-2ea7-4980-97a7-857b2e1e3b69

WP Migration Plugin DB & Files – WP Synchro <= 1.9.1 – Cross-Site Request Forgery

Affected Software: WP Synchro – WordPress Migration Plugin for Database & Files
CVE ID: CVE-2023-41660
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f1b6f041-5ea6-48ca-9ca7-4ce96cbfa275

authLdap <= 2.5.8 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: authLdap
CVE ID: CVE-2023-41655
CVSS Score: 3.3 (Low)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5b91ad8b-79ec-4ef7-bb39-edb06309da5e

FileOrganizer <= 1.0.2 – Authenticated (Admin+) Arbitrary File Access

Affected Software: FileOrganizer – Manage WordPress and Website Files
CVE ID: CVE-2023-3664
CVSS Score: 2.7 (Low)
Researcher/s: Dmitrii
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/11c9124d-80e0-435d-9eb4-901c4f481a6f

As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (August 28, 2023 to September 3, 2023) appeared first on Wordfence.

Leave a Comment