Last week, 86 vulnerabilities disclosed in 68 WordPress plugins and 3 WordPress themes were added to the Wordfence Intelligence Vulnerability Database, and 36 vulnerability researchers contributed to WordPress security. Review those vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, including the WordPress community, so that individuals and organizations alike can use that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, and webhook integration are completely free to access and use, both personally and commercially, and why we publish this weekly vulnerability report.
Click here to sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
WAF-RULE-622, data redacted while we work with the developer to ensure this vulnerability gets patched.
WAF-RULE-623, data redacted while we work with the developer to ensure this vulnerability gets patched.
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30-day delay.
Total Unpatched & Patched Vulnerabilities Last Week
| Patch Status | Number of Vulnerabilities |
| --- | --- |
| Unpatched | 25 |
| Patched | 61 |
Total Vulnerabilities by CVSS Severity Last Week
| Severity Rating | Number of Vulnerabilities |
| --- | --- |
| Low Severity | 0 |
| Medium Severity | 63 |
| High Severity | 19 |
| Critical Severity | 4 |
Total Vulnerabilities by CWE Type Last Week
| Vulnerability Type by CWE | Number of Vulnerabilities |
| --- | --- |
| Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 25 |
| Missing Authorization | 21 |
| Cross-Site Request Forgery (CSRF) | 20 |
| Unrestricted Upload of File with Dangerous Type | 4 |
| Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 4 |
| Improper Privilege Management | 3 |
| Authorization Bypass Through User-Controlled Key | 2 |
| Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) | 2 |
| Server-Side Request Forgery (SSRF) | 1 |
| Improper Authorization | 1 |
| Improper Authentication | 1 |
| Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | 1 |
| Deserialization of Untrusted Data | 1 |
Researchers That Contributed to WordPress Security Last Week
| Researcher Name | Number of Vulnerabilities |
| --- | --- |
| Lana Codes (Wordfence Vulnerability Researcher) | 11 |
| Mika | 5 |
| Marco Wotschka (Wordfence Vulnerability Researcher) | 4 |
| Cat | 3 |
| thiennv | 2 |
| Skalucy | 2 |
| Erwan LR | 2 |
| Ramuel Gall (Wordfence Vulnerability Researcher) | 2 |
| Phd | 2 |
| Ivy | 1 |
| Dmitrii | 1 |
| tnt24 | 1 |
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
| --- | --- |
| AI ChatBot | chatbot |
| ARMember Premium – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup | armember |
| Absolute Privacy | absolute-privacy |
| Accordion and Accordion Slider | accordion-and-accordion-slider |
| Advanced Custom Fields Pro | advanced-custom-fields-pro |
| All Users Messenger | all-users-messenger |
| BigBlueButton | bigbluebutton |
| Biometric Login For WooCommerce | biometric-login-for-woocommerce |
| Booking Package | booking-package |
| Canto | canto |
| Donations Made Easy – Smart Donations | smart-donations |
| Easy Cookie Law | easy-cookie-law |
| Easy!Appointments | easyappointments |
| Email Template Designer – WP HTML Mail | wp-html-mail |
| EmbedPress – Embed PDF, YouTube, Google Docs, Vimeo, Wistia Videos, Audios, Maps & Any Documents in Gutenberg & Elementor | embedpress |
| FULL – Customer | full-customer |
| Fusion Builder | fusion-builder |
| Futurio Extra | futurio-extra |
| GDPR Cookie Compliance (CCPA, DSGVO, Cookie Consent) | gdpr-cookie-compliance |
| Gutenberg Blocks by Kadence Blocks – Page Builder Features | kadence-blocks |
| Highcompress Image Compressor | high-compress |
| ImageRecycle pdf & image compression | imagerecycle-pdf-image-compression |
| JCH Optimize | jch-optimize |
| Jupiter X Core | jupiterx-core |
| Justified Gallery | justified-gallery |
| Kangu para WooCommerce | kangu |
| Leyka | leyka |
| MailChimp Forms by MailMunch | mailchimp-forms-by-mailmunch |
| Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress | ninja-forms |
| Online Booking & Scheduling Calendar for WordPress by vcita | meeting-scheduler-by-vcita |
| POEditor | poeditor |
| Photo Gallery by Ays – Responsive Image Gallery | gallery-photo-gallery |
| PixTypes | pixtypes |
| Popup by Supsystic | popup-by-supsystic |
| Portfolio and Projects | portfolio-and-projects |
| Post Grid Combo – 36+ Blocks for Gutenberg | post-grid |
| Post Timeline | post-timeline |
| Premium Courses & eLearning with Paid Memberships Pro for LearnDash, LifterLMS, Sensei LMS & TutorLMS | pmpro-courses |
| Premium Packages – Sell Digital Products Securely | wpdm-premium-packages |
| Printful Integration for WooCommerce | printful-shipping-for-woocommerce |
| Product Attachment for WooCommerce | woo-product-attachment |
| Profile Builder – User Profile & User Registration Forms | profile-builder |
| Rate my Post – WP Rating System | rate-my-post |
| Real Estate Manager – Property Listing and Agent Management | real-estate-manager |
| Realia | realia |
| Responsive WordPress Slider – Avartan Slider Lite | avartan-slider-lite |
| SB Child List | sb-child-list |
| SendPress Newsletters | sendpress |
| Sign-up Sheets | sign-up-sheets |
| Stock Ticker | stock-ticker |
| The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid | the-post-grid |
| Theme Demo Import | theme-demo-import |
| Themesflat Addons For Elementor | themesflat-addons-for-elementor |
| Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin | ultimate-member |
| User Activity Log | user-activity-log |
| User Activity Tracking and Log | user-activity-tracking-and-log |
| Visual Website Collaboration, Feedback & Project Management – Atarim | atarim-visual-collaboration |
| WP 404 Auto Redirect to Similar Post | wp-404-auto-redirect-to-similar-post |
| WP Categories Widget | wp-categories-widget |
| WP Like Button | wp-like-button |
| WP Pipes | wp-pipes |
| WooCommerce PDF Invoice Builder, Create invoices, packing slips and more | woo-pdf-invoice-builder |
| WxSync-标准云微信公众号文章免费采集-任意公众 | wxsync |
| YITH WooCommerce Waitlist | yith-woocommerce-waiting-list |
| demon image annotation | demon-image-annotation |
| flowpaper | flowpaper-lite-pdf-flipbook |
| wSecure Lite | wsecure |
| woocommerce-one-page-checkout | woocommerce-one-page-checkout |
WordPress Themes with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
| --- | --- |
| Avada \| Website Builder For WordPress & WooCommerce | Avada |
| Betheme | betheme |
| Business Pro | business-pro |
Vulnerability Details
Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities.
Kadence Blocks <= 3.1.10 – Unauthenticated Arbitrary File Upload
CVE ID: CVE Unknown
CVSS Score: 9.8 (Critical)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a4562535-ef69-4337-b03e-0b7c869cb042
Canto <= 3.0.4 – Unauthenticated Remote File Inclusion
CVE ID: CVE-2023-3452
CVSS Score: 9.8 (Critical)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a76077c6-700a-4d21-a930-b0d6455d959c
Biometric Login for WooCommerce <= 1.0.3 – Unauthenticated Privilege Escalation
CVE ID: CVE Unknown
CVSS Score: 9.8 (Critical)
Researcher/s: Alexander Concha
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b280155e-6d07-448d-922c-4a0ea21f4992
Themesflat Addons For Elementor <= 2.0.0 – Unauthenticated PHP Object Injection
CVE ID: CVE-2023-37390
CVSS Score: 9.8 (Critical)
Researcher/s: Robert Rowley
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f33d080c-6d64-46d1-b01c-ef859106159f
Realia <= 1.4.0 – Cross-Site Request Forgery to User Email Change
CVE ID: CVE-2023-4277
CVSS Score: 8.8 (High)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/06f33e18-0bdd-4c56-a8df-fc1969b9ecf8
WooCommerce PDF Invoice Builder <= 1.2.89 – Authenticated (Subscriber+) SQL Injection via Export
CVE ID: CVE-2023-3677
CVSS Score: 8.8 (High)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4336d597-7e87-46eb-8abd-9fafd6cd25d9
Fusion Builder <= 3.11.1 – Authenticated (Subscriber+) SQL Injection
CVE ID: CVE-2023-39309
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7c734aa9-ee9e-4605-a4b8-5075ce4b941f
Premium Packages – Sell Digital Products Securely <= 5.7.4 – Arbitrary User Meta Update to Authenticated (Subscriber+) Privilege Escalation
CVE ID: CVE-2023-4293
CVSS Score: 8.8 (High)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/82137302-60ca-44d5-b087-dc96e2815fca
FULL – Customer <= 2.2.3 – Authenticated (Subscriber+) Improper Authorization to Arbitrary Plugin Installation
CVE ID: CVE-2023-4243
CVSS Score: 8.8 (High)
Researcher/s: Ramuel Gall
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9799df3f-e34e-42a7-8a72-fa57682f7014
Avada <= 7.11.1 – Authenticated (Author+) Arbitrary File Upload via Zip Extraction
CVE ID: CVE-2023-39312
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d3b62eb2-6c03-4e24-a454-5de54a4521b2
Real Estate Manager <= 6.7.1 – Arbitrary Usermeta Update to Authenticated (Subscriber+) Privilege Escalation
CVE ID: CVE-2023-4239
CVSS Score: 8.8 (High)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d83d1fd0-6e21-406e-a7c0-89d26eabbb32
Absolute Privacy <= 2.1 – Cross-Site Request Forgery to User Email/Password Change
CVE ID: CVE-2023-4276
CVSS Score: 8.8 (High)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f3855e84-b97e-4729-8a48-55f2a2444e2c
WooCommerce One Page Checkout <= 2.3.0 – Authenticated (Contributor+) Local File Inclusion via `woocommerce_one_page_checkout`
CVE ID: CVE-2023-35881
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ffac779c-c17f-46bd-9276-a1ce2db4e95c
Avada <= 7.11.1 – Authenticated (Contributor+) Server Side Request Forgery via ‘ajax_import_options’
CVE ID: CVE-2023-39313
CVSS Score: 8.5 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/43b11ab0-c7f2-4a7a-aab7-7f9dd58ec1ab
JupiterX Core 3.0.0 – 3.3.0 – Missing Authorization
CVE ID: CVE-2023-38385
CVSS Score: 8.3 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1dccb69e-b3d8-44b5-8f5e-931e5afe2bd1
Easy!Appointments <= 1.3.1 – Authenticated (Subscriber+) Arbitrary File Deletion via ‘disconnect’
CVE ID: CVE-2023-32295
CVSS Score: 8.1 (High)
Researcher/s: Jonas Höbenreich
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/35fc9a16-3775-48c0-82af-692974f54c33
Post Grid <= 2.2.50 – Missing Authorization to Sensitive Information Exposure via REST API
CVE ID: CVE-2023-40211
CVSS Score: 7.5 (High)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a52fb5f4-60ba-4077-95cd-e160a6d9a419
Avada <= 7.11.1 – Authenticated (Contributor+) Arbitrary File Upload via ‘ajax_import_options’
CVE ID: CVE-2023-39307
CVSS Score: 7.5 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a73f7812-771d-4d9f-9a7c-e4e01ec05023
User Activity Log <= 1.6.5 – Unauthenticated Data Export to Sensitive Information Disclosure
CVE ID: CVE-2023-4269
CVSS Score: 7.5 (High)
Researcher/s: Daniel Ruf
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bb7e9ea4-c450-491f-b924-47ed4abec64a
Theme Demo Import <= 1.1.1 – Authenticated (Administrator+) Arbitrary File Upload
CVE ID: CVE-2023-28170
CVSS Score: 7.2 (High)
Researcher/s: deokhunKim
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/186180ed-321f-4618-8828-65b93fa054a4
WP 404 Auto Redirect to Similar Post <= 1.0.3 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-40206
CVSS Score: 7.2 (High)
Researcher/s: Taihei Shimamine
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/33166510-41b2-4e9a-8bd7-501235729346
Donations Made Easy – Smart Donations <= 4.0.12 – Authenticated (Administrator+) SQL Injection
CVE ID: CVE-2023-40207
CVSS Score: 7.2 (High)
Researcher/s: minhtuanact
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a9c4e296-f98a-4018-980d-173d5e7ade7b
Demon image annotation <= 5.1 – Authenticated (Administrator+) SQL Injection
CVE ID: CVE-2023-40215
CVSS Score: 7.2 (High)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f093dfc8-8a2f-4614-b7c1-4fbf1afa9589
Fusion Builder <= 3.11.1 – Cross-Site Request Forgery
CVE ID: CVE-2023-39311
CVSS Score: 6.5 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/05220967-dd42-4cb9-9c2f-9c7ac3c0926b
Accordion and Accordion Slider <= 1.2.4 – Missing Authorization via ‘wp_aas_get_attachment_edit_form’ and ‘wp_aas_save_attachment_data’
CVE ID: CVE-2023-39996
CVSS Score: 6.5 (Medium)
Researcher/s: Cat
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4c956651-4f5e-4e2d-a0f2-b02d4f25bd68
Betheme <= 27.1.1 – Missing Authorization via ‘_tool_history_delete’
CVE ID: CVE-2023-39998
CVSS Score: 6.5 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/62e75bb6-83d9-43db-8c89-0995698ca0ca
Highcompress Image Compressor <= 4.0.0 – Missing Authorization via multiple AJAX actions
CVE ID: CVE-2023-40209
CVSS Score: 6.5 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a0f2e2f4-6575-4f00-9417-3b5a19c3de40
EmbedPress <= 3.8.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-4283
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b340eda1-e9d2-40b6-89f9-41d995ce3555
WxSync <= 2.7.23 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-39988
CVSS Score: 6.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c85c13ed-6981-4062-8aca-800721b28b88
Online Booking & Scheduling Calendar for WordPress by vcita <= 4.3.2 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-39992
CVSS Score: 6.4 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/daeb24e0-7f3f-472f-aee5-be42e374aa52
flowpaper <= 1.9.9 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-40197
CVSS Score: 6.4 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e59b75cf-491a-4894-8a4a-567832b47048
Popup by Supsystic <= 1.10.19 – Cross-Site Request Forgery
CVE ID: CVE-2023-39997
CVSS Score: 6.3 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/10021498-73c8-4767-b059-f282ddc35963
Stock Ticker <= 3.23.3 – Reflected Cross-Site Scripting in ajax_stockticker_load
CVE ID: CVE-2023-40208
CVSS Score: 6.1 (Medium)
Researcher/s: Aman Rawat
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/06eaf73f-273c-4733-9ff9-2d8034221814
BigBlueButton <= 3.0.0-beta.4 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-39991
CVSS Score: 6.1 (Medium)
Researcher/s: Marco Wotschka, Ivy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0c799ee5-d8ee-4aec-b9a5-f93c150de6bd
ImageRecycle pdf & image compression <= 3.1.11 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-40196
CVSS Score: 6.1 (Medium)
Researcher/s: thiennv
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3253e1b3-ac63-4796-ac10-92781d5a76c8
Stock Ticker <= 3.23.2 – Reflected Cross-Site Scripting in ajax_stockticker_symbol_search_test
CVE ID: CVE-2022-45365
CVSS Score: 6.1 (Medium)
Researcher/s: Aman Rawat
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3f8321a7-863c-43ab-a42a-e01d60101c3b
ImageRecycle pdf & image compression <= 3.1.10 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-30494
CVSS Score: 6.1 (Medium)
Researcher/s: OZ1NG (TOOR, LISA)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5eeae0eb-bc24-4a34-b393-e84831edaba6
Business Pro <= 1.10.4 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-40214
CVSS Score: 6.1 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6bb97b95-fa6a-4566-b448-b774bb732455
WP Categories Widget <= 2.2 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-31220
CVSS Score: 6.1 (Medium)
Researcher/s: Phd
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a6240290-4b6c-46ba-9f78-e6bba3504f17
Fusion Builder <= 3.11.1 – Reflected Cross-Site Scripting via User Register Element
CVE ID: CVE-2023-39306
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b173523a-e79d-4d2d-af67-5372576df220
Kangu para WooCommerce <= 2.2.9 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-32296
CVSS Score: 6.1 (Medium)
Researcher/s: Jonas Höbenreich
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b9de8d95-4e07-4c52-912b-1a4e2d7e5ed0
Atarim <= 3.9.3 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-37393
CVSS Score: 6.1 (Medium)
Researcher/s: Robert DeVore
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bc26ce1b-2427-4320-8363-f635ea02aece
PixTypes <= 1.4.15 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-40205
CVSS Score: 6.1 (Medium)
Researcher/s: minhtuanact
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ca05783d-7516-469e-b8a0-c23035db43b7
Leyka <= 3.30.2 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-39314
CVSS Score: 6.1 (Medium)
Researcher/s: Phd
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d11c84ea-e52b-4396-a508-9d415040b76e
Booking Package <= 1.6.01 – Reflected Cross-Site Scripting via ‘mode’
CVE ID: CVE-2023-39918
CVSS Score: 6.1 (Medium)
Researcher/s: Truoc Phan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d460cc34-c8b0-453b-9b6b-3bd53137625a
Avartan Slider Lite <= 1.5.3 – Reflected Cross-Site Scripting via ‘asview-nouce’
CVE ID: CVE-2023-30485
CVSS Score: 6.1 (Medium)
Researcher/s: OZ1NG (TOOR, LISA)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e78116a6-5ce5-4567-95d4-2c19fc1b085a
Post Timeline <= 2.2.5 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-4284
CVSS Score: 6.1 (Medium)
Researcher/s: tnt24
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f75966a5-e593-4c86-842d-c136ae847eb0
MailChimp Forms by MailMunch <= 3.1.4 – Missing Authorization via multiple AJAX actions
CVE ID: CVE-2023-40203
CVSS Score: 5.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/18dd1b86-3206-4cd7-a20b-33240c139aa5
All Users Messenger <= 1.24 – Authenticated (Subscriber+) Insecure Direct Object Reference to Message Deletion
CVE ID: CVE-2023-4023
CVSS Score: 5.4 (Medium)
Researcher/s: Dmitrii Ignatyev
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2d23541e-bb1c-4fcf-836b-28522a39b018
EmbedPress <= 3.8.2 – Missing Authorization to Authenticated (Subscriber+) Plugin Settings Delete via admin_post_remove and remove_private_data
CVE ID: CVE-2023-4282
CVSS Score: 5.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5fa2ec9e-2859-4a96-9e33-9e22d37e544f
Profile Builder <= 3.9.7 – Missing Authorization to Initial Page Creation
CVE ID: CVE-2023-4059
CVSS Score: 5.3 (Medium)
Researcher/s: Mesh3l_911
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7d25cca1-eb57-4ba2-8923-a3c56f41ce22
ARMember Premium <= 5.9.2 – Missing Authorization
CVE ID: CVE-2023-39994
CVSS Score: 5.3 (Medium)
Researcher/s: Cat
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b4363600-666a-4a75-a817-4af679ab400c
SendPress Newsletters <= 1.22.3.31 – Missing Authorization
CVE ID: CVE-2023-35040
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f03dfbd4-b34a-46ab-b8aa-e37fb0321e8e
wSecure Lite <= 2.5 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings
CVE ID: CVE-2023-39987
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/05f5addb-ab1d-4b67-b969-3b95d43be790
ChatBot 4.7.7 – Authenticated (Administrator+) Stored Cross-Site Scripting in Language Settings
CVE ID: CVE-2023-4254
CVSS Score: 4.4 (Medium)
Researcher/s: Bob Matyas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0f5f8bd5-435a-4a53-8fa2-55674f39b78b
ChatBot 4.7.7 – Authenticated (Administrator+) Stored Cross-Site Scripting in FAQ Builder
CVE ID: CVE-2023-4253
CVSS Score: 4.4 (Medium)
Researcher/s: Nguyen Hoang Nam
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1cc50245-365a-419d-a85c-fbd658d004ae
Paid Memberships Pro – Courses for Membership Add On <= 1.2.4 – Authenticated (Admin+) Stored Cross-Site Scripting
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/55fac183-bd8d-4e16-b25a-784861897deb
Advanced Custom Fields PRO 6.1 – 6.1.7 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Satoo Nakano, Ryotaro Imamura
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/77876d74-5825-4bd8-812e-87061d0470e6
Ninja Forms <= 3.6.25 – Authenticated (Administrator+) Stored HTML Injection
CVE ID: CVE-2023-4109
CVSS Score: 4.4 (Medium)
Researcher/s: Sayandeep Dutta
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d3d795f5-c79a-4615-be1f-120a6ffd663d
WP Pipes <= 1.4.0 – Cross-Site Request Forgery to Settings Update
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/094bf4e2-b774-4015-b6c6-c829c16556eb
YITH WooCommerce Waiting List <= 2.6.0 – Cross-Site Request Forgery via ‘save_mail_status’
CVE ID: CVE-2023-36506
CVSS Score: 4.3 (Medium)
Researcher/s: thiennv
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0bcc1457-abbc-4bd9-a0a8-80e3d5624d95
Paid Memberships Pro – Courses for Membership Add On <= 1.2.3 – Cross-Site Request Forgery to Course Modifications
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0e454573-4b34-40e3-b4c3-10eb71dfa03e
JCH Optimize <= 4.0.0 – Missing Authorization to Authenticated (Subscriber+) Settings Modification
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2077bd81-52bd-4aa7-85f6-9abb02aec65b
Photo Gallery by Ays <= 5.2.6 – Cross-Site Request Forgery
CVE ID: CVE-2023-39917
CVSS Score: 4.3 (Medium)
Researcher/s: Skalucy
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/21f710ee-5040-4916-9fde-efc6d3b90943
Fusion Builder <= 3.11.1 – Missing Authorization
CVE ID: CVE-2023-39310
CVSS Score: 4.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/35b3a82a-4391-41b0-b434-691743c5ff4d
Easy Cookie Law <= 3.1 – Cross-Site Request Forgery via ‘ecl_options’
CVE ID: CVE-2023-40198
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/40487921-b9eb-4a18-b6f5-194611d2ef82
User Activity Tracking and Log <= 4.0.8 – Cross-Site Request Forgery
CVE ID: CVE-2023-4150
CVSS Score: 4.3 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/420f56de-4c83-4c9f-933c-0422467bbc7a
JupiterX Core 3.0.0 – 3.3.0 – Missing Authorization
CVE ID: CVE-2023-38394
CVSS Score: 4.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/48583297-59db-48ec-8551-d6b37ac02197
Rate my Post – WP Rating System <= 3.4.1 – Insecure Direct Object Reference
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6669d04c-9f97-43a5-a312-1cb3d67d21fa
The Post Grid <= 7.2.7 – Cross-Site Request Forgery
CVE ID: CVE-2023-39923
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7de4282f-157b-4ba0-b400-e4e9982beb31
POEditor <= 0.9.7 – Cross-Site Request Forgery
CVE ID: CVE-2023-4209
CVSS Score: 4.3 (Medium)
Researcher/s: Dmitrii
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8671bf69-640d-4656-ae22-a46daadf58a0
GDPR Cookie Compliance <= 4.12.4 – Cross-Site Request Forgery to License Modification
CVE ID: CVE-2023-4013
CVSS Score: 4.3 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8f847a61-4378-4b04-8eb4-99ef36417b6c
Portfolio and Projects <= 1.3.7 – Cross-Site Request Forgery via ‘wpos_anylc_admin_init_process’
CVE ID: CVE-2023-39995
CVSS Score: 4.3 (Medium)
Researcher/s: Cat
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9567f199-7c31-4df3-aa2c-911780b2497a
WP Like Button <= 1.6.11 – Cross-Site Request Forgery via ‘saveData’
CVE ID: CVE-2023-40199
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/989836fc-a15d-4424-be0e-348e1acc7466
Sign-up Sheets <= 2.2.8 – Cross-Site Request Forgery
CVE ID: CVE-2023-39165
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9999301a-002d-441b-bd66-6b7f4c46a8bf
FULL – Customer <= 2.2.3 – Authenticated (Subscriber+) Information Disclosure via Health Check
CVE ID: CVE-2023-4242
CVSS Score: 4.3 (Medium)
Researcher/s: Ramuel Gall
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a77d0fb5-8829-407d-a40a-169cf0c5f837
WooCommerce Product Attachment <= 2.1.8 – Cross-Site Request Forgery
CVE ID: CVE-2023-40212
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a8be9c76-08aa-4d41-8599-cc3494be7e58
Paid Memberships Pro – Courses for Membership Add On <= 1.2.3 – Missing Authorization to Authenticated (Subscriber+) Course Modifications
CVE ID: CVE-2023-39990
CVSS Score: 4.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b2dee8d2-e1ab-455c-b922-92881f62fc5c
Avada <= 7.11.1 – Missing Authorization
CVE ID: CVE-2023-39922
CVSS Score: 4.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bfffed4d-dacb-4591-840c-45105a58362a
Justified Gallery <= 1.7.3 – Missing Authorization via ‘dismiss_how_to_use_notice’ and ‘dismiss_notice’
CVE ID: CVE-2023-40213
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c3978cb6-1739-4671-bb98-17c409c67d1c
Printful Integration for WooCommerce <= 2.2.2 – Cross-Site Request Forgery
CVE ID: CVE-2022-47168
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c96b3d65-431b-447a-8dc5-8865d83a92b9
WP HTML Mail <= 3.4.0 – Cross-Site Request Forgery via ‘send_test’
CVE ID: CVE-2023-40202
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/dda9aa4a-bac7-4aa1-b0c3-c8e37b1fbe70
WooCommerce PDF Invoice Builder <= 1.2.90 – Cross-Site Request Forgery via Save
CVE ID: CVE-2023-3764
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ebf2e701-9f9b-4a78-a61a-0cf90cdd9755
Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin <= 2.6.8 – Cross-Site Request Forgery
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f5b08a10-f6bc-44a0-865a-5ad71a1772f7
Futurio Extra <= 1.8.2 – Cross-Site Request Forgery via ‘futurio_extra_reset_mod’
CVE ID: CVE-2023-40201
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f765e21e-938a-4110-8fdf-12315e2a79cc
SB Child List <= 4.5 – Cross-Site Request Forgery via ‘sb_cl_update_settings’
CVE ID: CVE-2023-40210
CVSS Score: 4.3 (Medium)
Researcher/s: Skalucy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f83be46f-3b51-4a30-88a4-388bcbfd0d2a
As a reminder, Wordfence curates an industry-leading vulnerability database, Wordfence Intelligence, covering all known WordPress core, theme, and plugin vulnerabilities.
This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, through vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring a variety of sources to capture all publicly available WordPress vulnerability information, adding additional context where we can.
The post Wordfence Intelligence Weekly WordPress Vulnerability Report (August 7, 2023 to August 13, 2023) appeared first on Wordfence.