Wordfence Intelligence Weekly WordPress Vulnerability Report (September 11, 2023 to September 17, 2023)

Last week, there were 55 vulnerabilities disclosed in 46 WordPress Plugins and no WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 15 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API and webhook notifications are completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

WPvivid Backup Plugin <= 0.9.90 – Missing Authorization via start_staging and get_staging_progress
MultiVendorX <= 4.0.25 – Improper Authorization on REST Routes via save_settings_permission
PowerPress <= 11.0.10 – Authenticated(Contributor+) Stored Cross-Site Scripting via Media URL

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status
Number of Vulnerabilities

Unpatched
16

Patched
39

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating
Number of Vulnerabilities

Low Severity
0

Medium Severity
37

High Severity
16

Critical Severity
2

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE
Number of Vulnerabilities

Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
18

Cross-Site Request Forgery (CSRF)
7

Missing Authorization
6

Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
5

Deserialization of Untrusted Data
5

Information Exposure
4

Authorization Bypass Through User-Controlled Key
3

Server-Side Request Forgery (SSRF)
2

Improper Control of Generation of Code (‘Code Injection’)
1

Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’)
1

Incorrect Privilege Assignment
1

Improper Authorization
1

Unverified Password Change
1

Researchers That Contributed to WordPress Security Last Week

Researcher Name
Number of Vulnerabilities

Lana Codes
(Wordfence Vulnerability Researcher)
20

foobar7
5

Marco Wotschka
(Wordfence Vulnerability Researcher)
5

Yan&Co ApS
2

Vladislav Pokrovsky
2

Chloe Chamberland
(Wordfence Vulnerability Researcher)
1

Nguyen Anh Tien
1

Do Xuan Trung
1

osama-hamad
1

Rafie Muhammad
1

Dmitrii Ignatyev
1

Alex Thomas
(Wordfence Vulnerability Researcher)
1

teo23mal
1

David Anderson
1

Pablo Sanchez
1

 

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name
Software Slug

10Web Map Builder for Google Maps
wd-google-maps

Allow PHP in Posts and Pages
allow-php-in-posts-and-pages

Awesome Weather Widget
awesome-weather

BAN Users
ban-users

Booking Calendar
booking

Booking calendar, Appointment Booking System
booking-calendar

Booster for WooCommerce
woocommerce-jetpack

Checkout Field Editor
woocommerce-checkout-field-editor

Comments – wpDiscuz
wpdiscuz

Crayon Syntax Highlighter
crayon-syntax-highlighter

DoLogin Security
dologin

Dropbox Folder Share
dropbox-folder-share

Enable Media Replace
enable-media-replace

Essential Addons for Elementor
essential-addons-for-elementor-lite

Essential Blocks Pro
essential-blocks-pro

Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates
essential-blocks

Feeds for YouTube (YouTube video, channel, and gallery plugin)
feeds-for-youtube

File Manager Pro – Filester
filester

Google Maps Plugin by Intergeo
intergeo-maps

Horizontal scrolling announcement
horizontal-scrolling-announcement

JQuery Accordion Menu Widget
jquery-vertical-accordion-menu

Jetpack CRM – Clients, Leads, Invoices, Billing, Email Marketing, & Automation
zero-bs-crm

Leyka
leyka

Login with phone number
login-with-phone-number

MapPress Maps for WordPress
mappress-google-maps-for-wordpress

Migration, Backup, Staging – WPvivid
wpvivid-backuprestore

MultiVendorX – MultiVendor Marketplace Solution For WooCommerce
dc-woocommerce-multi-vendor

Page Builder: Pagelayer – Drag and Drop website builder
pagelayer

Photospace Responsive Gallery
photospace-responsive

PowerPress Podcasting plugin by Blubrry
powerpress

Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress
quiz-master-next

Read More & Accordion
expand-maker

ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF
shortpixel-image-optimiser

Simplr Registration Form Plus+
simplr-registration-form

Slimstat Analytics
wp-slimstat

Testimonial Slider Shortcode
testimonial-slider-shortcode

WP Customer Reviews
wp-customer-reviews

WP User Control
wp-user-control

WS Facebook Like Box Widget
ws-facebook-likebox

Welcart e-Commerce
usc-e-shop

WooCommerce
woocommerce

WooCommerce Beta Tester
woocommerce-beta-tester

WooCommerce CVR Payment Gateway
woocommerce-cvr-payment-gateway

WooCommerce EAN Payment Gateway
woocommerce-ean-payment-gateway

WooCommerce Subscription
woocommerce-subscriptions

WordPress File Upload
wp-file-upload

woocommerce-checkout-field-editor
woocommerce-checkout-field-editor

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities.

Allow PHP in Posts and Pages <= 3.0.4 – Authenticated (Subscriber+) Remote Code Execution via Shortcode

Affected Software: Allow PHP in Posts and Pages
CVE ID: CVE-2023-4994
CVSS Score: 9.9 (Critical)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3d8b4bb6-3715-40c1-8140-7fcf874ccec3

Dropbox Folder Share <= 1.9.7 – Unauthenticated Local File Inclusion

Affected Software: Dropbox Folder Share
CVE ID: CVE-2023-4488
CVSS Score: 9.8 (Critical)
Researcher/s: Marco Wotschka
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/647a2f27-092a-4db1-932d-87ae8c2efcca

Slimstat Analytics <= 5.0.9 – Authenticated (Contributor+) Blind SQL Injection via Shortcode

Affected Software: Slimstat Analytics
CVE ID: CVE-2023-4598
CVSS Score: 8.8 (High)
Researcher/s: Chloe Chamberland, Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/07c0f5a5-3455-4f06-b481-f4d678309c50

Welcart e-Commerce <= 2.8.21 – Authenticated(level_5+) SQL Injection via get_logs

Affected Software: Welcart e-Commerce
CVE ID: CVE Unknown
CVSS Score: 8.8 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/35dadb9c-f0c6-4b74-bb31-5e9d504b3db5

Simplr Registration Form Plus+ <= 2.4.5 – Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary User Password Change

Affected Software: Simplr Registration Form Plus+
CVE ID: CVE-2023-4213
CVSS Score: 8.8 (High)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6ddf0452-3afe-4ada-bccc-30c818968a81

Login with phone number <= 1.4.8 – Cross-Site Request Forgery to User Password Change

Affected Software: Login with phone number
CVE ID: CVE-2023-4916
CVSS Score: 8.8 (High)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/71083db7-377b-47a1-ac8b-83d8974a2654

Essential Addons for Elementor <= 5.8.8 – Authenticated (Contributor+) Privilege Escalation

Affected Software: Essential Addons for Elementor
CVE ID: CVE-2023-41955
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8c13701e-424d-462f-b152-4dc5ad3ef197

BAN Users <= 1.5.3 – Missing Authorization to Authenticated (Subscriber+) Settings Update & Privilege Escalation

Affected Software: BAN Users
CVE ID: CVE-2023-4153
CVSS Score: 8.8 (High)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/af6bd2db-47a4-4381-a881-d5f97a159f8d

Horizontal scrolling announcement <= 9.2 – Authenticated (Subscriber+) SQL Injection via Shortcode

Affected Software: Horizontal scrolling announcement
CVE ID: CVE-2023-4999
CVSS Score: 8.8 (High)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bf50922a-58a6-4ca4-80b7-cafb37b87216

File Manager Pro – Filester – <= 1.7.6 – Cross-Site Request Forgery to Arbitrary File Rename

Affected Software: File Manager Pro – Filester
CVE ID: CVE-2023-4827
CVSS Score: 8.8 (High)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cfbc7af2-1e2c-4aaf-b73c-870f7519aff1

MultiVendorX <= 4.0.25 – Improper Authorization on REST Routes via ‘save_settings_permission’

Affected Software: MultiVendorX – MultiVendor Marketplace Solution For WooCommerce
CVE ID: CVE Unknown
CVSS Score: 8.6 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/afd9046c-5b6a-411e-8e66-ff1ba60d7f9d

WPvivid Backup Plugin <= 0.9.90 – Missing Authorization via ‘start_staging’ and ‘get_staging_progress’

Affected Software: Migration, Backup, Staging – WPvivid
CVE ID: CVE-2023-41243
CVSS Score: 8.3 (High)
Researcher/s: Nguyen Anh Tien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/28e723ee-e99a-4ec4-b492-bfba04d27fd0

Essential Blocks <= 4.2.0 – Unauthenticated PHP Object Injection via products

Essential Blocks <= 4.2.0 – Unauthenticated PHP Object Injection via queries

Read More & Accordion <= 3.2.2 – Authenticated (Administrator+) PHP Object Injection

Affected Software: Read More & Accordion
CVE ID: CVE-2023-3392
CVSS Score: 7.2 (High)
Researcher/s: Do Xuan Trung
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/73ab9f95-05cc-47fc-bfcb-1787f6f80789

Booking calendar, Appointment Booking System <= 3.2.8 – Multiple Authenticated(Editor+) SQL Injection

Affected Software: Booking calendar, Appointment Booking System
CVE ID: CVE Unknown
CVSS Score: 7.2 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a02f4fc4-42ca-4f8e-9c28-bfa69644e7b6

Dropbox Folder Share <= 1.9.7 – Unauthenticated Server-Side Request Forgery via ‘link’

Affected Software: Dropbox Folder Share
CVE ID: CVE-2023-3025
CVSS Score: 7.2 (High)
Researcher/s: Alex Thomas
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d62bd2bd-db01-479f-89e4-8031d69a912f

WooCommerce Beta Tester < 2.2.4 – Authenticated (Administrator+) SQL Injection

Affected Software: WooCommerce Beta Tester
CVE ID: CVE Unknown
CVSS Score: 7.2 (High)
Researcher/s: teo23mal
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d6cbec61-cbe8-44a6-8cc8-8603393ed6b0

Enable Media Replace <= 4.1.2 – Authenticated(Editor+) PHP Object Injection

Affected Software: Enable Media Replace
CVE ID: CVE Unknown
CVSS Score: 6.6 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6e7e6445-c1c5-48a8-a76d-819f2db1efc2

ShortPixel Image Optimizer <= 5.4.1 – Authenticated(Editor+) PHP Object Injection

Affected Software: ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF
CVE ID: CVE Unknown
CVSS Score: 6.6 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9f23bf62-6008-4a9c-a7ae-a2e513699684

Booking Calendar <= 9.7.3 – Unauthenticated Stored Cross-Site Scripting

Affected Software: Booking Calendar
CVE ID: CVE-2023-4620
CVSS Score: 6.5 (Medium)
Researcher/s: Pablo Sanchez
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f883823f-c225-4cd2-a0f6-39013476ed83

Testimonial Slider Shortcode <= 1.1.8 – Authenticated (Contributor+) Cross-Site Scripting Vulnerability via Shortcode

Affected Software: Testimonial Slider Shortcode
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/30cb1b8c-84ce-4401-9c30-775efb257fe6

Feeds for YouTube <= 2.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Feeds for YouTube (YouTube video, channel, and gallery plugin)
CVE ID: CVE-2023-4841
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/376e2638-a873-4142-ad7d-067ae3333709

Awesome Weather Widget <= 3.0.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Awesome Weather Widget
CVE ID: CVE-2023-4944
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3bf77988-370b-437f-83a0-18a147e3e087

Crayon Syntax Highlighter <= 2.8.4 – Authenticated (Contributor+) Server Side Request Forgery

Affected Software: Crayon Syntax Highlighter
CVE ID: CVE-2023-4893
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/527f75f1-6361-4e16-8ae4-d38ca4589811

WS Facebook Like Box Widget <= 5.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: WS Facebook Like Box Widget
CVE ID: CVE-2023-4963
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8bebc229-9d15-439f-a8df-f68455bc5193

Booster for WooCommerce <= 7.1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Booster for WooCommerce
CVE ID: CVE-2023-4945
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/981639a3-63c4-4b3f-827f-4d770bd44806

PowerPress <= 11.0.10 – Authenticated(Contributor+) Stored Cross-Site Scripting via Media URL

Affected Software: PowerPress Podcasting plugin by Blubrry
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ae8c888e-46ed-468f-a5d5-74a7f9d01a36

JQuery Accordion Menu Widget <= 3.1.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: JQuery Accordion Menu Widget
CVE ID: CVE-2023-4890
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b0cf3015-cdc9-4ac9-82f3-e9b4d1203e22

MapPress Maps for WordPress <= 2.88.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: MapPress Maps for WordPress
CVE ID: CVE-2023-4840
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c3d2c9a4-32f7-484f-86ce-a33ef1174b28

Google Maps Plugin by Intergeo <= 2.3.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Google Maps Plugin by Intergeo
CVE ID: CVE-2023-4887
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cb6d11ad-0983-4a4b-b52b-824eae8b8e3c

Horizontal scrolling announcement <= 9.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Horizontal scrolling announcement
CVE ID: CVE-2023-5001
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d4f60e8c-2745-4930-9101-914bd73c6e1c

Jetpack CRM <= 5.5.0 – Authenticated (Client+) Stored Cross-Site Scripting

Affected Software: Jetpack CRM – Clients, Leads, Invoices, Billing, Email Marketing, & Automation
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: foobar7
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e1dbd0e2-8c6c-4127-b37c-269af3b7f71c

PageLayer <= 1.7.6 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Page Builder: Pagelayer – Drag and Drop website builder
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e34b6ae5-1370-4058-95dd-5686978ca45b

WooCommerce <= 7.8.2 – Sensitive Information Exposure

Affected Software: WooCommerce
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: osama-hamad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7b2d1879-c337-41c9-9f47-f9c2fe8e5928

wpDiscuz <= 7.6.3 – Insecure Direct Object Reference to Post Rating Increase/Decrease

Affected Software: Comments – wpDiscuz
CVE ID: CVE-2023-3998
CVSS Score: 5.3 (Medium)
Researcher/s: Vladislav Pokrovsky
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9d09bdab-ffab-44cc-bba2-821b21a8e343

wpDiscuz <= 7.6.3 – Insecure Direct Object Reference to Comment Rating Increase/Decrease

Affected Software: Comments – wpDiscuz
CVE ID: CVE-2023-3869
CVSS Score: 5.3 (Medium)
Researcher/s: Vladislav Pokrovsky
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b30ac1b0-eae2-4194-bf8e-ae73b4236965

Leyka <= 3.30.3 – Authenticated (Subscriber+) Sensitive Information Exposure

Affected Software: Leyka
CVE ID: CVE-2023-4917
CVSS Score: 5.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/dcd24b90-94ff-4625-8e3e-9c90e38683f9

WP User Control <= 1.5.3 – Insecure Password Reset Mechanism

Affected Software: WP User Control
CVE ID: CVE-2023-4915
CVSS Score: 5.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f4ca1736-7b99-49db-9367-586dbc14df41

WooCommerce <= 7.0.0 – Authenticated(Shop Manager+) Sensitive Information Exposure

Affected Software: WooCommerce
CVE ID: CVE Unknown
CVSS Score: 4.9 (Medium)
Researcher/s: David Anderson
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f1efcff5-3af6-4c44-9654-b917523419aa

WordPress File Upload <= 4.23.2 – Authenticated(Administrator+) Stored Cross-Site Scripting

Affected Software: WordPress File Upload
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0e1915d9-8ea9-4ab2-9746-3c49bc0bd7c8

Jetpack CRM <= 5.5.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Jetpack CRM – Clients, Leads, Invoices, Billing, Email Marketing, & Automation
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: foobar7
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/32f2fc21-165c-483f-ab81-48d8f221e4be

Photospace Responsive <= 2.1.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Photospace Responsive Gallery
CVE ID: CVE-2023-4271
CVSS Score: 4.4 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3bc98896-6ff9-40de-ace2-2ca331c2a44a

Migration, Backup, Staging – WPvivid <= 0.9.90 – Authenticated(Administrator+) Stored Cross-Site Scripting

Affected Software: Migration, Backup, Staging – WPvivid
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b6d3ede8-465e-4588-b8ef-36bcd1850ec3

WP Customer Reviews <= 3.6.6 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: WP Customer Reviews
CVE ID: CVE-2023-4648
CVSS Score: 4.4 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f81950be-de32-4fa1-94fe-42667414fe2d

WooCommerce Subscription < 4.6.0 – Cross-Site Request Forgery

Affected Software: WooCommerce Subscription
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: foobar7
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/08a98c08-cddc-4bc3-bc07-15d084070abd

DoLogin Security <= 3.7 – Missing Authorization on Dashboard Widget

Affected Software: DoLogin Security
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/24e2b96c-665f-4616-ac99-1a2b1b0a9ccd

WooCommerce EAN Payment Gateway < 6.1.0 – Missing Authorization to Authenticated (Contributor+) EAN Update

Affected Software: WooCommerce EAN Payment Gateway
CVE ID: CVE-2023-4947
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes, Yan&Co ApS
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2760b183-3c15-4f0e-b72f-7c0333f9d4b6

Quiz And Survey Master <= 8.1.15 – Cross-Site Request Forgery via ‘display_results’

Affected Software: Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/32173d38-7f85-4e0c-9b4c-38bee2783d77

10Web Map Builder for Google Maps <= 1.0.73 – Cross-Site Request Forgery to Notice Dismissal

Affected Software: 10Web Map Builder for Google Maps
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4be81ba0-c678-4234-b63e-da9813817bef

10Web Map Builder for Google Maps <= 1.0.73 – Missing Authorization to Notice Dismissal

Affected Software: 10Web Map Builder for Google Maps
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/63666c16-9f68-4a27-b163-4c25f0a7589e

Checkout Field Editor (Premium) < 1.7.5 – Cross-Site Request Forgery

Affected Software: woocommerce-checkout-field-editor
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: foobar7
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a4647210-ba7e-4233-83d6-12572213f5fb

Booster for WooCommerce <= 7.1.0 – Authenticated (Subscriber+) Information Disclosure via Shortcode

Affected Software: Booster for WooCommerce
CVE ID: CVE-2023-4796
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a4cd49b2-ff93-4582-906b-b690d8472c38

Checkout Field Editor <= 1.7.4 – Cross-Site Request Forgery to Checkout Fields Update

Affected Software: Checkout Field Editor
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: foobar7
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ad430706-749f-4582-af07-6c543b8d5aad

WooCommerce CVR Payment Gateway < 6.1.0 – Missing Authorization to Authenticated (Contributor+) CVR Update

Affected Software: WooCommerce CVR Payment Gateway
CVE ID: CVE-2023-4948
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes, Yan&Co ApS
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f72ba0e2-a9c4-43b0-a01f-185554090162

As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (September 11, 2023 to September 17, 2023) appeared first on Wordfence.

Leave a Comment