Last week, 64 vulnerabilities in 61 WordPress plugins and 2 WordPress themes were added to the Wordfence Intelligence Vulnerability Database, with 32 vulnerability researchers contributing to WordPress security. Review the vulnerabilities in this report now to check whether your site is affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, including the WordPress community, so that individuals and organizations alike can use that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API and webhook notifications are completely free to access and use, both personally and commercially, and why we publish this weekly vulnerability report.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
Total Unpatched & Patched Vulnerabilities Last Week
Patch Status | Number of Vulnerabilities
Unpatched | 37
Patched | 27
Total Vulnerabilities by CVSS Severity Last Week
Severity Rating | Number of Vulnerabilities
Low Severity | 2
Medium Severity | 53
High Severity | 6
Critical Severity | 3
Total Vulnerabilities by CWE Type Last Week
Vulnerability Type by CWE | Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 29
Missing Authorization | 12
Cross-Site Request Forgery (CSRF) | 11
Unrestricted Upload of File with Dangerous Type | 5
Server-Side Request Forgery (SSRF) | 1
URL Redirection to Untrusted Site (‘Open Redirect’) | 1
Improper Input Validation | 1
Authorization Bypass Through User-Controlled Key | 1
Improper Control of Generation of Code (‘Code Injection’) | 1
Use of Less Trusted Source | 1
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 1
Researchers That Contributed to WordPress Security Last Week
Researcher Name | Number of Vulnerabilities
Rio Darmawan | 11
Rafie Muhammad | 5
Lana Codes (Wordfence Vulnerability Researcher) | 4
thiennv | 3
LEE SE HYOUNG | 3
Mika | 2
Zlrqh | 2
Dmitrii | 2
Elliot | 2
Marco Wotschka (Wordfence Vulnerability Researcher) | 2
László Radnai | 2
Bartłomiej Marek | 2
Tomasz Swiadek | 2
Abdi Pranata | 2
Phd | 1
Ramuel Gall (Wordfence Vulnerability Researcher) | 1
FearZzZz | 1
emad | 1
yuyudhn | 1
mehmet | 1
Enrico Marcolini | 1
Ravi Dharmawan | 1
deokhunKim | 1
Jonatas Souza Villa Flor | 1
Emili Castells | 1
Le Ngoc Anh | 1
Animesh Gaurav | 1
Jonas Höbenreich | 1
Lokesh Dachepalli | 1
Prasanna V Balaji | 1
Dipak Panchal | 1
Pavitra Tiwari | 1
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your discoveries to us will also get your name added to the Wordfence Intelligence leaderboard and mentioned in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
Software Name | Software Slug
Activity Log | aryo-activity-log
AffiliateWP | AffiliateWP
All-in-One WP Migration Box Extension | all-in-one-wp-migration-box-extension
All-in-One WP Migration Dropbox Extension | all-in-one-wp-migration-dropbox-extension
All-in-One WP Migration Google Drive Extension | all-in-one-wp-migration-gdrive-extension
All-in-One WP Migration OneDrive Extension | all-in-one-wp-migration-onedrive-extension
Better Elementor Addons | better-elementor-addons
Bridge Core | bridge-core
Ditty – Responsive News Tickers, Sliders, and Lists | ditty-news-ticker
DoLogin Security | dologin
Easy Coming Soon | easy-coming-soon
Easy Newsletter Signups | easy-newsletter-signups
Email Encoder – Protect Email Addresses and Phone Numbers | email-encoder-bundle
Fast & Effective Popups & Lead-Generation for WordPress – HollerBox | holler-box
FileOrganizer – Manage WordPress and Website Files | fileorganizer
Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager | folders
Font Awesome 4 Menus | font-awesome-4-menus
Forminator – Contact Form, Payment Form & Custom Form Builder | forminator
GiveWP – Donation Plugin and Fundraising Platform | give
GuruWalk Affiliates | guruwalk-affiliates
Happy Addons for Elementor Pro | happy-elementor-addons-pro
Import XML and RSS Feeds | import-xml-feed
Localize Remote Images | localize-remote-images
Login and Logout Redirect | login-and-logout-redirect
LuckyWP Scripts Control | luckywp-scripts-control
Maintenance Switch | maintenance-switch
MakeStories (for Google Web Stories) | makestories-helper
Metform Elementor Contact Form Builder | metform
Multi-column Tag Map | multi-column-tag-map
Olive One Click Demo Import | olive-one-click-demo-import
Order Tracking – WordPress Status Tracking Plugin | order-tracking
Ovic Product Bundle | ovic-product-bundle
Popup Builder – Create highly converting, mobile friendly marketing popups. | popup-builder
Popup box | ays-popup-box
PowerPress Podcasting plugin by Blubrry | powerpress
Prevent files / folders access | prevent-file-access
Pricing Deals for WooCommerce | pricing-deals-for-woocommerce
RSVPMaker | rsvpmaker
Remove/hide Author, Date, Category Like Entry-Meta | removehide-author-date-category-like-entry-meta
Responsive Gallery Grid | responsive-gallery-grid
Sermon’e – Sermons Online | sermone-online-sermons-management
Simple 301 Redirects by BetterLinks | simple-301-redirects
Site Reviews | site-reviews
Sitekit | sitekit
Slimstat Analytics | wp-slimstat
Smarty for WordPress | smarty-for-wordpress
Snap Pixel | snap-pixel
Social Media Share Buttons & Social Sharing Icons | ultimate-social-media-icons
Social Share Boost | social-share-boost
Surfer – WordPress Plugin | surferseo
URL Shortener by MyThemeShop | mts-url-shortener
Ultimate Addons for Contact Form 7 | ultimate-addons-for-contact-form-7
WP Bannerize Pro | wp-bannerize-pro
WP GoToWebinar | wp-gotowebinar
WP Search Analytics | search-analytics
WP Super Minify | wp-super-minify
WP Synchro – WordPress Migration Plugin for Database & Files | wpsynchro
WP Users Media | wp-users-media
WP-dTree | wp-dtree-30
WordPress Ecommerce For Creating Fast Online Stores – By SureCart | surecart
authLdap | authldap
WordPress Themes with Reported Vulnerabilities Last Week
Software Name | Software Slug
Arya Multipurpose Pro | arya-multipurpose-pro
Everest News Pro | everest-news-pro
Vulnerability Details
Please note that if you run the Wordfence plugin on your WordPress site with the scanner enabled, you should already have been notified if your site is affected by any of these vulnerabilities.
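For sites that do not run the scanner, the check reduces to comparing each installed plugin's version against the "<= version" ceiling printed in each entry below. The following Python is an added example, not Wordfence code and not a client for the Wordfence Intelligence API: it parses four entries copied verbatim from this report, maps their short names to slugs using the plugin table above, and compares them against a constructed inventory of installed plugins and versions of the kind `wp plugin list --format=json` produces. The slug map, the inventory and the `parse_report`/`check_site` helpers are assumptions made for the demonstration.

```python
"""Check a site's installed plugins against entries from this weekly report.

Added example, not Wordfence code and not the Wordfence Intelligence API
client. REPORT_ENTRIES is copied from the "Vulnerability Details" section of
this report; INSTALLED_PLUGINS is a constructed inventory; NAME_TO_SLUG reuses
the report's own plugin table. Only "<= version" ceilings are handled, because
that is the only range form this report prints.
"""
import re

# Four entries copied from the report (header line plus key/value lines).
REPORT_ENTRIES = """\
Forminator <= 1.24.6 – Unauthenticated Arbitrary File Upload
CVE ID: CVE-2023-4596
CVSS Score: 9.8 (Critical)
Researcher/s: mehmet
Patch Status: Patched
Slimstat Analytics <= 5.0.9 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-4597
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Font Awesome 4 Menus <= 4.7.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-4718
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Surfer <= 1.1.2.298 – Missing Authorization
CVE ID: CVE-2023-35037
CVSS Score: 5.4 (Medium)
Researcher/s: Jonas Höbenreich
Patch Status: Unpatched
"""

# Short names used in the entry headers -> slugs, from the report's plugin
# table. Slugs, not display names, identify a plugin on disk
# (wp-content/plugins/<slug>/), so matching is done on the slug.
NAME_TO_SLUG = {
    "Forminator": "forminator",
    "Slimstat Analytics": "wp-slimstat",
    "Font Awesome 4 Menus": "font-awesome-4-menus",
    "Surfer": "surferseo",
}

# Constructed inventory (assumption): slug -> installed version.
INSTALLED_PLUGINS = {
    "forminator": "1.24.6",         # exactly at the ceiling: affected
    "wp-slimstat": "5.1.0",         # above the ceiling: not affected
    "font-awesome-4-menus": "4.7",  # "4.7" equals "4.7.0": affected, no patch
    "surferseo": "1.1.2.300",       # four-component version above the ceiling
    "hello-dolly": "1.7.2",         # not mentioned in the report at all
}

HEADER = re.compile(r"^(?P<name>.+?) <= (?P<ceiling>\S+) [\u2013-] (?P<title>.+)$")
FIELD = re.compile(r"^(?P<key>[^:]+): (?P<value>.*)$")


def parse_report(text):
    """Turn report entry text into a list of dicts with slug, ceiling, CVE, CVSS, patch state."""
    entries, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {
                "name": m["name"],
                "slug": NAME_TO_SLUG.get(m["name"]),
                "max_affected": m["ceiling"],
                "title": m["title"],
            }
            entries.append(current)
            continue
        f = FIELD.match(line)
        if current is not None and f:
            key, value = f["key"], f["value"]
            if key == "CVE ID":
                current["cve"] = value
            elif key == "CVSS Score":
                score, rating = value.split(" ", 1)
                current["cvss"] = float(score)
                current["rating"] = rating.strip("()")
            elif key == "Patch Status":
                current["patched"] = value == "Patched"
    return entries


def version_tuple(v):
    """Numeric dotted versions only; pre-release suffixes are not handled."""
    return tuple(int(p) for p in v.split("."))


def is_affected(installed, max_affected):
    """True when installed <= max_affected; the shorter tuple is zero-padded so 4.7 == 4.7.0."""
    a, b = version_tuple(installed), version_tuple(max_affected)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) <= b + (0,) * (n - len(b))


def check_site(installed, entries):
    """Return the entries that apply to this site, highest CVSS first, with the action to take."""
    findings = []
    for e in entries:
        version = installed.get(e["slug"])
        if version is None or not is_affected(version, e["max_affected"]):
            continue
        action = "update" if e["patched"] else "no patch available: disable or remove"
        findings.append({**e, "installed": version, "action": action})
    return sorted(findings, key=lambda f: f["cvss"], reverse=True)


if __name__ == "__main__":
    for f in check_site(INSTALLED_PLUGINS, parse_report(REPORT_ENTRIES)):
        print(f"{f['cvss']:>4} {f['cve']:<15} {f['slug']} {f['installed']} "
              f"<= {f['max_affected']}: {f['action']}")
```

Two details matter in practice. Match on the slug rather than the display name, because the short names in the entry headers differ from the full names in the plugin table. And treat "Unpatched" findings separately from patched ones, since updating is not an option there; the only remediation is to disable or remove the plugin until a fix ships. The version comparison zero-pads the shorter version so that 4.7 and 4.7.0 compare equal; it does not understand pre-release suffixes.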
Forminator <= 1.24.6 – Unauthenticated Arbitrary File Upload
CVE ID: CVE-2023-4596
CVSS Score: 9.8 (Critical)
Researcher/s: mehmet
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9cd87da6-1f4c-4a15-8ebb-6e0f8ef72513
Import XML and RSS Feeds <= 2.1.4 – Unauthenticated Remote Code Execution
CVE ID: CVE-2023-4521
CVSS Score: 9.8 (Critical)
Researcher/s: Enrico Marcolini
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c0856920-5463-4dd3-a4fd-e56901a89b83
RSVPMaker <= 10.6.6 – Unauthenticated SQL Injection
CVE ID: CVE-2023-41652
CVSS Score: 9.8 (Critical)
Researcher/s: Ravi Dharmawan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f655704d-70a1-40d8-ae36-39029185d262
Folders <= 2.9.2 – Authenticated (Author+) Arbitrary File Upload in handle_folders_file_upload
CVE ID: CVE-2023-40204
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9ab28410-76c5-43cb-b87a-c99f8867167c
Give – Donation Plugin <= 2.33.0 – Authenticated (Give Manager+) Privilege Escalation
CVE ID: CVE-2023-41665
CVSS Score: 7.2 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/22ff4b09-063b-425e-9d59-be2e5d283186
Olive One Click Demo Import <= 1.0.9 – Authenticated (Administrator+) Arbitrary File Upload in olive_one_click_demo_import_save_file
CVE ID: CVE-2023-29102
CVSS Score: 7.2 (High)
Researcher/s: deokhunKim
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4f3e3311-11d8-4e4f-9d99-36533fe44d56
DoLogin Security <= 3.6 – Unauthenticated Stored Cross-Site Scripting
CVE ID: CVE-2023-4549
CVSS Score: 7.2 (High)
Researcher/s: Bartłomiej Marek, Tomasz Swiadek
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ad34d657-da59-46ff-a54a-64e6c8974b69
Prevent files / folders access <= 2.5.1 – Authenticated (Administrator+) Arbitrary File Upload in mo_media_restrict_page
CVE ID: CVE-2023-4238
CVSS Score: 7.2 (High)
Researcher/s: Dmitrii
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b266bd10-dbc6-4058-a5b2-1578c0814cb4
Import XML and RSS Feeds <= 2.1.3 – Authenticated (Admin+) Arbitrary File Upload
CVE ID: CVE-2023-4300
CVSS Score: 7.2 (High)
Researcher/s: Jonatas Souza Villa Flor
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f45b4c43-c6c4-41da-bd59-9a355800815a
Easy Newsletter Signups <= 1.0.4 – Missing Authorization
CVE ID: CVE-2023-41664
CVSS Score: 6.5 (Medium)
Researcher/s: Emili Castells
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/288946ae-6e58-42e6-89d1-8951539728d3
Slimstat Analytics <= 5.0.9 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-4597
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/52aee4b8-f494-4eeb-8357-71ce8d5bc656
Sitekit <= 1.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘sitekit_iframe’ shortcode
CVE ID: CVE-2023-27628
CVSS Score: 6.4 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7f0be29a-7896-4166-a2a6-64f99d845236
Font Awesome 4 Menus <= 4.7.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-4718
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/dc59510c-6eaf-4526-8acb-c07e39923ad9
Email Encoder <= 2.1.7 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-4599
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e90f04e4-eb4c-4822-89c6-79f553987c37
Login and Logout Redirect <= 2.0.2 – Open Redirect
CVE ID: CVE-2023-41648
CVSS Score: 6.1 (Medium)
Researcher/s: Phd
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/09a0639e-4b14-4dc9-a50c-d18234faa7b1
Arya Multipurpose Pro <= 1.0.8 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-41237
CVSS Score: 6.1 (Medium)
Researcher/s: László Radnai
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/22cfbaa1-5412-4944-899c-7ae41d017384
Social Media & Share Icons <= 2.8.3 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-41238
CVSS Score: 6.1 (Medium)
Researcher/s: FearZzZz
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3a8998db-ffc2-40b2-a191-09380984adac
URL Shortener by MyThemeShop <= 1.0.17 – Reflected Cross-Site Scripting via ‘page’
CVE ID: CVE-2023-30472
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/52c2837e-8947-4ce9-bda5-e0c2f831fb36
Sermon’e – Sermons Online <= 1.0.0 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-41653
CVSS Score: 6.1 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5c17678e-6598-4e80-b121-beae822b9f81
WP-dTree <= 4.4.5 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-41662
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6c01da54-fbbe-42f9-a76e-8e823027d62a
Everest News Pro <= 1.1.7 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-41235
CVSS Score: 6.1 (Medium)
Researcher/s: László Radnai
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bb967453-59d6-4b03-8c75-1906b99bff80
Bridge Core <= 3.0.9 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-40333
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bc698c40-4a2b-4dab-93f0-647e4db79d2c
Ditty <= 3.1.24 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-4148
CVSS Score: 6.1 (Medium)
Researcher/s: Animesh Gaurav
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cabf7aae-0673-4358-a2df-0ca22c8432b5
Happy Elementor Addons Pro <= 2.8.0 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-41236
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d536d3a8-9ac5-4ea9-8c65-16ad8b3a7106
Ultimate Addons for Contact Form 7 <= 3.1.32 – Reflected Cross-Site Scripting via ‘page’
CVE ID: CVE-2023-30493
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d857324c-94c9-471a-9da8-0b8c9bb50262
Order Tracking Pro <= 3.3.6 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-4471
CVSS Score: 6.1 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ed64d0ff-4f49-4c18-86ec-2c6fbd559d2e
WP Bannerize Pro <= 1.6.9 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-41663
CVSS Score: 6.1 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/edc35f8c-f916-433e-9d3f-4992e8c9d7cd
WP Search Analytics <= 1.4.7 – Reflected Cross-Site Scripting via ‘render_stats_page’
CVE ID: CVE-2023-30471
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f6433a17-0017-46a9-a8e6-4d4a4a55f2db
PowerPress <= 11.0.6 – Authenticated (Contributor+) Server-Side Request Forgery via wp_ajax_powerpress_media_info
CVE ID: CVE-2023-41239
CVSS Score: 5.4 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/031c31b2-6e27-47bb-9f63-2bbaa1edbbb2
Site Reviews <= 6.10.2 – Missing Authorization
CVE ID: CVE Unknown
CVSS Score: 5.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1accc41e-41d2-49e3-a80a-6b95b02cb42e
Responsive Gallery Grid <= 2.3.10 – Cross-Site Request Forgery
CVE ID: CVE-2023-41659
CVSS Score: 5.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3abe2de8-9127-4ef0-9194-cf331b20868a
LuckyWP Scripts Control <= 1.2.1 – Missing Authorization via multiple AJAX actions
CVE ID: CVE-2023-29239
CVSS Score: 5.4 (Medium)
Researcher/s: Elliot
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3ed93c5c-38bb-4e84-8fe8-03dd75b4d9f3
Maintenance Switch <= 1.5.2 – Cross-Site Request Forgery via ‘admin_action_request’
CVE ID: CVE-2023-29235
CVSS Score: 5.4 (Medium)
Researcher/s: Elliot
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6f14f19d-95b3-474b-a2ea-d846c85644cd
Simple 301 Redirects <= 2.0.7 – Cross-Site Request Forgery via ‘clicked’
CVE ID: CVE Unknown
CVSS Score: 5.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9945c85b-a97a-4ad0-9d0a-69faf157563a
Surfer <= 1.1.2.298 – Missing Authorization
CVE ID: CVE-2023-35037
CVSS Score: 5.4 (Medium)
Researcher/s: Jonas Höbenreich
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c06f9f6d-3cd0-4700-834b-435a99983453
Pricing Deals for WooCommerce <= 2.0.3.2 – Missing Authorization via vtprd_ajax_clone_rule
CVE ID: CVE-2023-41240
CVSS Score: 5.3 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1101bfe6-2075-4f44-933b-6d9f372100a2
Ovic Product Bundle <= 1.1.2 – Missing Authorization
CVE ID: CVE-2023-41649
CVSS Score: 5.3 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5657ffe2-7d04-4834-bcec-ab6afaeda7df
Multiple ServMask Plugins <= (Various Versions) – Missing Authorization to Access Token Update
CVE ID: CVE-2023-40004
CVSS Score: 5.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/86bb44f0-142d-4c4e-8fc5-a50526118130
Localize Remote Images <= 1.0.9 – Cross-Site Request Forgery via admin menu
CVE ID: CVE-2023-41244
CVSS Score: 5.3 (Medium)
Researcher/s: Lokesh Dachepalli
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ab96123e-17aa-461f-b460-e8eba82c78e1
Multi-column Tag Map <= 17.0.26 – Missing Authorization
CVE ID: CVE-2023-41651
CVSS Score: 5.3 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d2a60cb2-fe7d-4c51-9995-5cb4682d9d26
Activity Log <= 2.8.7 – IP Address Spoofing
CVE ID: CVE-2023-4281
CVSS Score: 5.3 (Medium)
Researcher/s: Bartłomiej Marek, Tomasz Swiadek
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/de821236-f878-46a4-9265-bcf6e8661910
Order Tracking Pro <= 3.3.6 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-4500
CVSS Score: 4.7 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/81f9a4c6-971f-4f6d-8bb1-e97bf75cf8d3
GuruWalk Affiliates <= 1.0.0 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
CVE ID: CVE-2023-27622
CVSS Score: 4.4 (Medium)
Researcher/s: Pavitra Tiwari
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2b2714f7-9877-4d3d-a692-70fbf8584728
SureCart <= 2.5.0 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
CVE ID: CVE-2023-41241
CVSS Score: 4.4 (Medium)
Researcher/s: emad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/416c13ff-15ae-4ba4-8a95-7c07bec75c22
Smarty for WordPress <= 3.1.35 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-41661
CVSS Score: 4.4 (Medium)
Researcher/s: Prasanna V Balaji
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/498a10a1-8da6-4309-833f-950f6442d5ae
WP GoToWebinar <= 14.45 – Authenticated (Administrator+) Cross-Site Scripting
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4a7b32f5-5d27-4f5a-89f3-abf4f8da79e4
HollerBox <= 2.3.2 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-41657
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5c76871e-b774-4284-ad00-f8ef7f6df389
Popup Builder <= 4.1.15 – Authenticated (Admin+) Stored Cross-Site Scripting
CVE ID: CVE-2023-3226
CVSS Score: 4.4 (Medium)
Researcher/s: Dipak Panchal
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7f97af51-1532-4034-8b2a-8356b65cb617
Snap Pixel <= 1.5.7 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-41242
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c37686f8-6bd7-4c06-b80a-7d6849bbc7b0
Easy Coming Soon <= 2.3 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
CVE ID: CVE-2023-25483
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e46139c8-dd7e-4904-81b2-283952cea9b5
Popup Box <= 3.7.1 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e6dbbb52-4202-4d69-837f-c7d5ca06fab5
WP Users Media <= 4.2.3 – Cross-Site Request Forgery in wpusme_save_settings
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Zlrqh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/07a82335-d738-4c14-b385-04843f12e4ef
Metform Elementor Contact Form Builder <= 3.3.1 – Authenticated (Subscriber+) Information Disclosure via ‘mf_first_name’ shortcode
CVE ID: CVE-2023-0689
CVSS Score: 4.3 (Medium)
Researcher/s: Ramuel Gall
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/356cf06e-16e7-438b-83b5-c8a52a21f903
Social Share Boost <= 4.5 – Cross-Site Request Forgery via ‘syntatical_settings_content’
CVE ID: CVE-2023-25033
CVSS Score: 4.3 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/53a265b8-e34c-4683-a653-4b4b2410e9de
Better Elementor Addons <= 1.3.5 – Missing Authorization
CVE ID: CVE-2023-41656
CVSS Score: 4.3 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5a628eef-937c-4391-afac-22128ec5b51c
WP Users Media <= 4.2.3 – Missing Authorization via wpusme_save_settings
CVE ID: CVE-2023-27428
CVSS Score: 4.3 (Medium)
Researcher/s: Zlrqh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8e125188-4aff-4c64-b4ec-a363db2431b7
WP Super Minify <= 1.5.1 – Cross-Site Request Forgery via ‘wpsmy_admin_options’
CVE ID: CVE-2023-27615
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/af59fcf6-4435-45f0-8904-ff520ea86157
Remove/hide Author, Date, Category Like Entry-Meta <= 2.1 – Cross-Site Request Forgery
CVE ID: CVE-2023-41650
CVSS Score: 4.3 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cd0abdf2-24da-4e87-825b-0796af6c3ccd
MakeStories (for Google Web Stories) <= 2.8.0 – Cross-Site Request Forgery via ‘ms_set_options’
CVE ID: CVE-2023-27448
CVSS Score: 4.3 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d9f7130d-883a-4db4-9edf-f5526724de11
AffiliateWP <= 2.14.0 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Activation
CVE ID: CVE-2023-4600
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/eab422b8-8cf5-441e-a21f-6a0e1b7642b2
authLdap <= 2.5.8 – Cross-Site Request Forgery
CVE ID: CVE-2023-41654
CVSS Score: 4.3 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/eddce6e0-2ea7-4980-97a7-857b2e1e3b69
WP Migration Plugin DB & Files – WP Synchro <= 1.9.1 – Cross-Site Request Forgery
CVE ID: CVE-2023-41660
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f1b6f041-5ea6-48ca-9ca7-4ce96cbfa275
authLdap <= 2.5.8 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-41655
CVSS Score: 3.3 (Low)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5b91ad8b-79ec-4ef7-bb39-edb06309da5e
FileOrganizer <= 1.0.2 – Authenticated (Admin+) Arbitrary File Access
CVE ID: CVE-2023-3664
CVSS Score: 2.7 (Low)
Researcher/s: Dmitrii
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/11c9124d-80e0-435d-9eb4-901c4f481a6f
As a reminder, Wordfence curates an industry-leading database of all known WordPress core, theme, and plugin vulnerabilities, known as Wordfence Intelligence.
This database is continuously updated and maintained by Wordfence’s vulnerability researchers through in-house vulnerability research, direct submissions from researchers via our CVE Request form, and monitoring of other sources to capture all publicly available WordPress vulnerability information, with additional context added where we can.
The post Wordfence Intelligence Weekly WordPress Vulnerability Report (August 28, 2023 to September 3, 2023) appeared first on Wordfence.