Wordfence Intelligence Weekly WordPress Vulnerability Report (Apr 3, 2023 to Apr 9, 2023)

Last week, there were 97 vulnerabilities disclosed in 63 WordPress plugins and 5 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and 28 vulnerability researchers contributed to WordPress security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, including the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface and vulnerability API are completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Click here to sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress security reports in your inbox the moment they are published.


New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

  • WAF-RULE-579 – Data redacted while we work with the developer to ensure the vulnerability protected by this WAF rule gets patched.
  • WAF-RULE-576 – Data redacted while we work with the developer to ensure the vulnerability protected by this WAF rule gets patched.
  • WAF-RULE-577 – Data redacted while we work with the developer to ensure the vulnerability protected by this WAF rule gets patched.

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30-day delay.


Total Unpatched & Patched Vulnerabilities Last Week

Patch Status Number of Vulnerabilities
Unpatched 25
Patched 72

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating Number of Vulnerabilities
Low Severity 0
Medium Severity 79
High Severity 14
Critical Severity 4

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) 37
Cross-Site Request Forgery (CSRF) 29
Missing Authorization 17
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) 6
Deserialization of Untrusted Data 3
Improper Authorization 2
Incorrect Privilege Assignment 1
Unrestricted Upload of File with Dangerous Type 1
Authorization Bypass Through User-Controlled Key 1

Researchers That Contributed to WordPress Security Last Week

Researcher Name Number of Vulnerabilities
Marco Wotschka 24
Chloe Chamberland 8
Mika 7
5
Lana Codes 5
3
Ramuel Gall 3
MyungJu Kim 3
Rafshanzani Suhada 3
Erwan LR 3
Ameen Alkurdy 2
Rafie Muhammad 2
Simone Onofri 2
Donato Onofri 2
Rio Darmawan 2
Shreya Pohekar 2
FearZzZz 2
Nguyen Huu Do 2
Abdi Pranata 2
Elliot 1
1
1
Taliya Bilal 1
Dave Jong 1
Pablo Sanchez 1
Romés Akhan 1
Yogesh Verma 1
abdi paranata 1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added to the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.


WordPress Plugins with Reported Vulnerabilities Last Week

Software Name Software Slug
Advanced Custom Fields (ACF)
Ajax Search Lite
Ajax Search Pro
Albo Pretorio On line
Appointment and Event Booking Calendar for WordPress – Amelia
Call Now Accessibility Button
Cancel order request / Return order / Repeat Order / Reorder for WooCommerce
Comment Reply Notification
Connections Business Directory
CopySafe Web Protection
Cryptocurrency All-in-One
Dynamics 365 Integration
Easy Sign Up
Email Subscription Popup
Fancy Product Designer
Formidable Forms – Contact Form, Survey, Quiz, Calculator & Custom Form Builder
Front End Users
HT Builder – WordPress Theme Builder for Elementor
Hustle – Email Marketing, Lead Generation, Optins, Popups
IFrame Shortcode
IMPress Listings
Libsyn Publisher Hub
Limit Login Attempts
Magic Post Thumbnail
MapPress Maps for WordPress
Maps Widget for Google Maps
MasterStudy LMS WordPress Plugin – for Online Courses and Education
MyCryptoCheckout – Bitcoin, Ethereum, and 175+ altcoins for WooCommerce
Optin Forms – Simple List Building Plugin for WordPress
PHP Compatibility Checker
PixTypes
Product Catalog Simple
Product Enquiry for WooCommerce, WooCommerce product catalog
Product Feed PRO for WooCommerce
Product page shipping calculator for WooCommerce
PropertyHive
Random Text
SEOPress – On-site SEO
SMTP Mailing Queue
Simple Job Board
SimpleModal Contact Form (SMCF)
Site Reviews
Sp*tify Play Button for WordPress
Spreadshop Plugin
StagTools
Steveas WP Live Chat Shoutbox
Superb Social Media Share Buttons and Follow Buttons for WordPress
Tiny carousel horizontal slider plus
Transbank Webpay REST
User Registration – Custom Registration Form, Login Form And User Profile For WordPress
WCFM Marketplace – Best Multivendor Marketplace for WooCommerce
WCFM Membership – WooCommerce Memberships for Multivendor Marketplace
WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible
WP Data Access
WP FEvents Book
WP Fastest Cache
WPCode – Insert Headers and Footers + Custom Code Snippets – WordPress Code Manager
YourChannel: Everything you want in a YouTube plugin.
ZYREX POPUP
amr ical events lists
qTranslate X Cleanup and WPML Import
tencentcloud-cos

WordPress Themes with Reported Vulnerabilities Last Week

Software Name Software Slug
Houzez houzez
The7 — Website and eCommerce Builder for WordPress dt-the7
TheRoof theroof
Weaver Xtreme weaver-xtreme
outdoor

Vulnerability Details

WCFM Membership <= 2.10.0 – Unauthenticated Privilege Escalation

Affected Software: WCFM Membership – WooCommerce Memberships for Multivendor Marketplace
CVE ID: CVE-2022-4939
CVSS Score: 9.8 (Critical)
Researcher/s: Chloe Chamberland
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0870de2d-bca5-4d57-a07f-877a416ce0d5

Houzez <= 2.8.2 – Unauthenticated SQL Injection

Affected Software: Houzez
CVE ID: CVE-2023-29432
CVSS Score: 9.8 (Critical)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/64087631-3514-4fec-ad2f-b095d7c727bd

Formidable Forms <= 6.1.2 – Unauthenticated PHP Object Injection

Affected Software: Formidable Forms – Contact Form, Survey, Quiz, Calculator & Custom Form Builder
CVE ID: CVE-2023-1405
CVSS Score: 9.8 (Critical)
Researcher/s: Nguyen Huu Do
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7db04a93-a384-4093-8cab-6f1d6822f625

Steveas WP Live Chat Shoutbox <= 1.4.2 – Unauthenticated SQL Injection

Affected Software: Steveas WP Live Chat Shoutbox
CVE ID: CVE-2023-1020
CVSS Score: 9.8 (Critical)
Researcher/s: Simone Onofri, Donato Onofri
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d4e1ca02-4eb5-4a46-99d5-89630f37d9ed

WCFM Marketplace <= 3.4.11 – Missing Authorization

Affected Software: WCFM Marketplace – Best Multivendor Marketplace for WooCommerce
CVE ID: CVE-2022-4935
CVSS Score: 8.8 (High)
Researcher/s: Chloe Chamberland
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/85730e9b-c5da-473c-a324-891c5c9f7ba3

MapPress Maps for WordPress <= 2.85.4 – Authenticated (Contributor+) SQL Injection via get_maps

Affected Software: MapPress Maps for WordPress
CVE ID: CVE-2023-26015
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/aab16b6f-4daf-4eb1-9526-dd05b2b41dee

Advanced Custom Fields <= 6.0.7 – Authenticated (Contributor+) PHP Object Injection

Affected Software: Advanced Custom Fields (ACF)
CVE ID: CVE-2023-1196
CVSS Score: 8.8 (High)
Researcher/s: Nguyen Huu Do
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b13e1916-2a02-4a91-acf1-6e5d7c55bd57

Fancy Product Designer <= 4.6.9 – Insufficient Authorization to Arbitrary Options Update via fpd_update_options

Affected Software: Fancy Product Designer
CVE ID: CVE-2021-4334
CVSS Score: 8.8 (High)
Researcher/s: Ramuel Gall
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ea097cb7-85f4-4b6d-9f29-bc2636993f21

Affected Software: WP Data Access
CVE ID: CVE-2023-1874
CVSS Score: 7.5 (High)
Researcher/s: Chloe Chamberland
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8f562e33-2aef-46f0-8a65-691155ede9e7

WCFM Membership <= 2.10.0 – Missing Authorization

Affected Software: WCFM Membership – WooCommerce Memberships for Multivendor Marketplace
CVE ID: CVE-2022-4940
CVSS Score: 7.3 (High)
Researcher/s: Chloe Chamberland
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9c6577a2-6722-4d3b-958d-1143dca414cd

CopySafe Web Protection <= 3.13 – Unauthenticated Stored Cross-Site Scripting

Affected Software: CopySafe Web Protection
CVE ID: CVE-2023-29098
CVSS Score: 7.2 (High)
Researcher/s: Elliot
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/07e110b3-ef10-482d-a564-c9f23631e5f3

Magic Post Thumbnail <= 4.1.10 – Unauthenticated Stored Cross-Site Scripting

Affected Software: Magic Post Thumbnail
CVE ID: CVE-2023-29171
CVSS Score: 7.2 (High)
Researcher/s:
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/08bbde25-bb9a-469c-83de-b680bb501ad6

Steveas WP Live Chat Shoutbox <= 1.4.2 – Unauthenticated Stored Cross-Site Scripting

Affected Software: Steveas WP Live Chat Shoutbox
CVE ID: CVE-2023-0899
CVSS Score: 7.2 (High)
Researcher/s: Simone Onofri, Donato Onofri
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2630dbfe-2e11-4671-9a75-377237ac1ea1

Transbank Webpay REST <= 1.6.6 – Authenticated (Administrator+) SQL Injection via orderby

Affected Software: Transbank Webpay REST
CVE ID: CVE-2023-27610
CVSS Score: 7.2 (High)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2b737a26-e4ae-4c9f-a98a-a22a31ac4f99

Albo Pretorio Online <= 4.6.1 – Unauthenticated Stored Cross-Site Scripting

Affected Software: Albo Pretorio On line
CVE ID: CVE-2023-28993
CVSS Score: 7.2 (High)
Researcher/s: Romés Akhan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8fbcd728-d2a2-4787-841d-0ce77356f737

Limit Login Attempts <= 1.7.1 – Unauthenticated Stored Cross-Site Scripting

Affected Software: Limit Login Attempts
CVE ID: CVE-2023-1912
CVSS Score: 7.2 (High)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cb8c80fc-3b51-4003-b221-6f02e74bead0

Zyrex Popup <= 1.1 – Authenticated (Admin+) Arbitrary File Upload

Affected Software: ZYREX POPUP
CVE ID: CVE-2023-0924
CVSS Score: 7.2 (High)
Researcher/s: Yogesh Verma
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cf992c75-a1ae-49c3-8110-2f3b31b23f6c

Ajax Search Lite <= 4.11 – Reflected Cross-Site Scripting

Affected Software: Ajax Search Lite
CVE ID: CVE-2023-1420
CVSS Score: 7.2 (High)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f5e6cb50-8262-406b-b01e-37d62a4bd394

SEOPress <= 6.5.0.2 – Authenticated (Administrator+) PHP Object Injection

Affected Software: SEOPress – On-site SEO
CVE ID: CVE Unknown
CVSS Score: 6.6 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/06863974-e428-418b-891a-ade59ee46c4f

Amr Ical Events Lists <= 6.6 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: amr ical events lists
CVE ID: CVE-2023-1021
CVSS Score: 6.6 (Medium)
Researcher/s: Shreya Pohekar
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a4531261-d76e-4419-b915-749c72830608

YourChannel <= 1.2.3 – Missing Authorization to Plugin Settings Reset

Affected Software: YourChannel: Everything you want in a YouTube plugin.
CVE ID: CVE-2023-1865
CVSS Score: 6.5 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/34817e32-d5a3-403a-85f0-1d60af8945de

YourChannel <= 1.2.3 – Missing Authorization to Plugin Cache Reset

Affected Software: YourChannel: Everything you want in a YouTube plugin.
CVE ID: CVE-2023-1868
CVSS Score: 6.5 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/541d202b-f3ed-44d8-93a6-e158209db885

Front End Users <= 3.2.24 – Missing Authorization to Unauthenticated Registered User Deletion

Affected Software: Front End Users
CVE ID: CVE Unknown
CVSS Score: 6.5 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5ccfafaf-902f-4142-90b3-9f70800eb377

Affected Software: WP FEvents Book
CVE ID: CVE-2023-1126
CVSS Score: 6.4 (Medium)
Researcher/s: Ameen Alkurdy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/088aead8-37bb-4277-81e0-b7e2c13e9072

IFrame Shortcode <= 1.0.5 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: IFrame Shortcode
CVE ID: CVE-2023-29436
CVSS Score: 6.4 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3f28b1b2-e751-423e-b4c5-893778eebf3f

Stagtools <= 2.3.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Affected Software: StagTools
CVE ID: CVE-2023-0891
CVSS Score: 6.4 (Medium)
Researcher/s:
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/45754b5b-8f94-4806-a931-bb423450682c

Weaver Xtreme Theme <= 5.0.7 – Authenticated (Contributor+) Stored Cross-Site Scripting via Display Name

Affected Software: Weaver Xtreme
CVE ID: CVE-2023-1403
CVSS Score: 6.4 (Medium)
Researcher/s: Ramuel Gall
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5b2bef63-c871-45e4-bb05-12bbba20ca5e

Cryptocurrency All-in-One <= 3.0.19 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Cryptocurrency All-in-One
CVE ID: CVE-2023-29435
CVSS Score: 6.4 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7492cffe-6e17-4c59-8979-2fa168b4f41d

Easy Sign Up <= 3.4.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Easy Sign Up
CVE ID: CVE-2023-23701
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/af718d65-9f8f-4ed8-80ed-e7ed34169016

WCFM Membership <= 2.10.0 – Cross-Site Request Forgery

Affected Software: WCFM Membership – WooCommerce Memberships for Multivendor Marketplace
CVE ID: CVE-2022-4941
CVSS Score: 6.3 (Medium)
Researcher/s: Chloe Chamberland
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3758db41-a3c5-436a-bb9a-5886f10d1519

WCFM Marketplace <= 3.4.12 – Cross-Site Request Forgery

Affected Software: WCFM Marketplace – Best Multivendor Marketplace for WooCommerce
CVE ID: CVE-2022-4936
CVSS Score: 6.3 (Medium)
Researcher/s: Chloe Chamberland
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5c2cc9a3-cd20-4c9e-baa4-1aea69f84331

Fancy Product Designer <= 4.6.9 – Insufficient Authorization on Multiple AJAX Actions

Affected Software: Fancy Product Designer
CVE ID: CVE-2021-4335
CVSS Score: 6.3 (Medium)
Researcher/s: Ramuel Gall
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/644624d8-c193-4ee6-bc82-7ccda5d7f2ac

WCFM Frontend Manager <= 6.5.13 – Cross-Site Request Forgery


WCFM Frontend Manager <= 6.6.0 – Missing Authorization


WP FEvents Book <= 0.46 – Authenticated (Subscriber+) Insecure Direct Object Reference to Booking Manipulation

Affected Software: WP FEvents Book
CVE ID: CVE-2023-1129
CVSS Score: 6.3 (Medium)
Researcher/s: Ameen Alkurdy
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f63d494c-1d1e-4faa-930a-3fcf2b136182

The7 <= 11.6.0 – Reflected Cross-Site Scripting

Affected Software: The7 — Website and eCommerce Builder for WordPress
CVE ID: CVE-2023-29100
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/24c67243-0452-4820-bfb4-b7ac4804aa4b

TheRoof <= 1.0.3 – Reflected Cross-Site Scripting

Affected Software: TheRoof
CVE ID: CVE-2023-29430
CVSS Score: 6.1 (Medium)
Researcher/s: FearZzZz
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/624d9627-0ffc-409f-beb7-60e80177aa9b

Product Catalog Simple <= 1.6.17 – Reflected Cross-Site Scripting

Affected Software: Product Catalog Simple
CVE ID: CVE-2023-29388
CVSS Score: 6.1 (Medium)
Researcher/s:
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6cd58adb-31cd-49e2-9c9d-e248b4b0a778

MyCryptoCheckout <= 2.123 – Reflected Cross-Site Scripting via url

Affected Software: MyCryptoCheckout – Bitcoin, Ethereum, and 175+ altcoins for WooCommerce
CVE ID: CVE-2023-1546
CVSS Score: 6.1 (Medium)
Researcher/s: Pablo Sanchez
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7633b5cd-0e8f-4744-bfee-d6d54a44c143

Amelia <= 1.0.75 – Unauthenticated Reflected Cross-Site Scripting via ‘code’

Affected Software: Appointment and Event Booking Calendar for WordPress – Amelia
CVE ID: CVE-2023-29427
CVSS Score: 6.1 (Medium)
Researcher/s:
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8a41f96d-216f-4e5a-a28d-665b052666fb

PropertyHive <= 1.5.46 – Reflected Cross-Site Scripting via ‘merge_ids’

Affected Software: PropertyHive
CVE ID: CVE-2023-29172
CVSS Score: 6.1 (Medium)
Researcher/s:
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9f395100-cf1f-4a3e-a353-1aec6b4e7448

Ajax Search Pro <= 4.26.1 – Reflected Cross-Site Scripting

Affected Software: Ajax Search Pro
CVE ID: CVE-2023-1435
CVSS Score: 6.1 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c1a0d54f-08f7-4ec5-8cfe-6c4a6eb26748

Outdoor <= 3.9.6 – Reflected Cross-Site Scripting

Affected Software:
CVE ID: CVE-2023-29236
CVSS Score: 6.1 (Medium)
Researcher/s: FearZzZz
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ef60f4c3-e38f-4f95-80cd-5e1f5512ebf5

YourChannel <= 1.2.3 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: YourChannel: Everything you want in a YouTube plugin.
CVE ID: CVE-2023-1869
CVSS Score: 5.5 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a81d5615-0b96-4d89-a525-7e80a10a9317

YourChannel <= 1.2.3 – Cross-Site Request Forgery to Plugin Channel Reset

Affected Software: YourChannel: Everything you want in a YouTube plugin.
CVE ID: CVE-2023-1866
CVSS Score: 5.4 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/45851efe-2584-4b5e-8e4c-24f289d3bc32

YourChannel <= 1.2.3 – Cross-Site Request Forgery to Plugin Settings Change

Affected Software: YourChannel: Everything you want in a YouTube plugin.
CVE ID: CVE-2023-1867
CVSS Score: 5.4 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4c20db2d-f73d-4e52-a275-ab1975ae4b17

Affected Software: Random Text
CVE ID: CVE-2023-0388
CVSS Score: 5.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6badba6d-1ff1-4d6f-bccf-1f0278edb17d

Connections Business Directory <= 10.4.36 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Connections Business Directory
CVE ID: CVE-2023-29437
CVSS Score: 5.4 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ae40fd4a-8448-48ea-9b31-067643972b44

IMPress Listings <= 2.6.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Listing Fields

Affected Software: IMPress Listings
CVE ID: CVE-2023-22711
CVSS Score: 5.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d31b9022-ae45-4bc2-b820-fb88faf0796f

YourChannel <= 1.2.3 – Cross-Site Request Forgery to Plugin Language Translation Reset

Affected Software: YourChannel: Everything you want in a YouTube plugin.
CVE ID: CVE-2023-1871
CVSS Score: 5.4 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f7ae863c-4638-49ab-bb1f-52346884c3aa

User Registration <= 2.3.2.1 – Missing Authorization via send_test_email


Libsyn Publisher Hub <= 1.3.2 – Sensitive Information Exposure

Affected Software: Libsyn Publisher Hub
CVE ID: CVE-2023-25057
CVSS Score: 5.3 (Medium)
Researcher/s:
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cbafdc15-cf42-4a12-bd79-5c602ce10625

Email Subscription Popup <= 1.2.16 – Reflected Cross-Site Scripting

Affected Software: Email Subscription Popup
CVE ID: CVE Unknown
CVSS Score: 4.7 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/63b30d03-43d2-4696-aa36-8b39ec2c4ed0

WPCode <= 2.0.8 – Cross-Site Request Forgery

Affected Software: WPCode – Insert Headers and Footers + Custom Code Snippets – WordPress Code Manager
CVE ID: CVE-2023-1624
CVSS Score: 4.7 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e52c53c1-4f04-4075-9329-d93fabf5a6ce

Tiny carousel horizontal slider plus <= 3.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Tiny carousel horizontal slider plus
CVE ID: CVE-2023-24418
CVSS Score: 4.4 (Medium)
Researcher/s:
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/167ae586-1f18-43ac-a7c1-e67a00ce8787

SMTP Mailing Queue <= 1.4.7 – Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: SMTP Mailing Queue
CVE ID: CVE-2023-1090
CVSS Score: 4.4 (Medium)
Researcher/s:
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1a0ba31d-d2d8-4614-8f77-a041c25c0519

Sp*tify Play Button for WordPress <= 2.07 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Sp*tify Play Button for WordPress
CVE ID: CVE-2023-1840
CVSS Score: 4.4 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/308f6887-7c1c-4efd-85e2-b71bb6d26dab

Optin Forms <= 1.3.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Optin Forms – Simple List Building Plugin for WordPress
CVE ID: CVE-2023-29434
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3971c145-6dca-49af-bbb3-7ef4ce51507f

Call Now Accessibility Button <= 1.1 – Authenticated (Administrator+) Cross-Site Scripting

Affected Software: Call Now Accessibility Button
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Taliya Bilal
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/561821b3-e667-428a-9900-e93cab6019b6

Site Reviews <= 6.7.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Site Reviews
CVE ID: CVE-2023-1525
CVSS Score: 4.4 (Medium)
Researcher/s: Shreya Pohekar
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5c31072d-9921-4bef-809c-b97a1020a2cf

Cancel order request WooCommerce <= 1.3.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Cancel order request / Return order / Repeat Order / Reorder for WooCommerce
CVE ID: CVE-2023-29423
CVSS Score: 4.4 (Medium)
Researcher/s: MyungJu Kim
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7f49477f-7a43-489b-8d3c-db8d0efeb596

Product Enquiry for WooCommerce <= 2.2.12 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Product Enquiry for WooCommerce, WooCommerce product catalog
CVE ID: CVE-2023-29170
CVSS Score: 4.4 (Medium)
Researcher/s: MyungJu Kim
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/889986f8-224e-4af4-a1d2-ef4b04a7e83f

SimpleModal Contact Form (SMCF) <= 1.2.9 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: SimpleModal Contact Form (SMCF)
CVE ID: CVE-2023-29438
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d8c19868-49c2-4ee2-883a-93549e65d41a

Maps Widget for Google Maps <= 4.24 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Maps Widget for Google Maps
CVE ID: CVE-2023-1913
CVSS Score: 4.4 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/de871598-e4e7-49f6-8530-68243544c06c

Hustle <= 7.6.4 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Hustle – Email Marketing, Lead Generation, Optins, Popups
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e74be387-1413-49c5-91c6-66e620562b42

Product page shipping calculator for WooCommerce <= 1.3.20 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Product page shipping calculator for WooCommerce
CVE ID: CVE-2023-29094
CVSS Score: 4.4 (Medium)
Researcher/s: MyungJu Kim
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ed0a37cc-49db-4919-8d0d-cb7739332229

Dynamics 365 Integration <= 1.3.13 – Missing Authorization via init

Affected Software: Dynamics 365 Integration
CVE ID: CVE-2023-29422
CVSS Score: 4.3 (Medium)
Researcher/s:
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/01cc3955-ef2f-4e2b-8dc6-b26f5a3d2f89

WP Fastest Cache <= 1.1.2 – Cross-Site Request Forgery via ‘wpfc_preload_single_save_settings_callback’

Affected Software: WP Fastest Cache
CVE ID: CVE-2023-1919
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/024f4058-065b-48b4-a08a-d9732d4375cd

WP Fastest Cache <= 1.1.2 – Cross-Site Request Forgery via ‘wpfc_clear_cache_of_allsites_callback’

Affected Software: WP Fastest Cache
CVE ID: CVE-2023-1925
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/096257a4-6ee9-41e1-8a59-4ffcd309f83c

WP Fastest Cache <= 1.1.2 – Cross-Site Request Forgery via ‘wpfc_start_cdn_integration_ajax_request_callback’

Affected Software: WP Fastest Cache
CVE ID: CVE-2023-1921
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/17c7c61d-c110-448e-ad8a-bc1c00393524

WP Fastest Cache <= 1.1.2 – Cross-Site Request Forgery via ‘wpfc_preload_single_callback’

Affected Software: WP Fastest Cache
CVE ID: CVE-2023-1918
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1c8034ff-cf36-498f-9efc-a4e6bbb92b2c

MasterStudy LMS WordPress Plugin <= 2.9.34 – Missing Authorization via wp_ajax_stm_wpcfto_get_settings

Affected Software: MasterStudy LMS WordPress Plugin – for Online Courses and Education
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1ddcd2eb-fd7a-48b7-b9ea-3632d49e9734

WP Fastest Cache <= 1.1.2 – Missing Authorization in ‘wpfc_purgecache_varnish_callback’

Affected Software: WP Fastest Cache
CVE ID: CVE-2023-1929
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1e567aec-07e5-494a-936d-93b40d3e3043

Comment Reply Notification <= 1.4 – Cross-Site Request Forgery

Affected Software: Comment Reply Notification
CVE ID: CVE-2023-25051
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/27eb0101-b3d1-458d-b7d7-69d92e3a4bb8

PixTypes <= 1.4.14 – Cross-Site Request Forgery

Affected Software: PixTypes
CVE ID: CVE-2023-25487
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2ac7414c-8035-406a-ab1e-94d9f64e52fa

Affected Software:
CVE ID: CVE-2023-23704
CVSS Score: 4.3 (Medium)
Researcher/s:
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2bbf9526-1a82-496e-b762-6fa114ba8d46

PHP Compatibility Checker <= 1.5.2 – Cross-Site Request Forgery

Affected Software: PHP Compatibility Checker
CVE ID: CVE-2023-24421
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/41fada19-c697-4078-825b-0bdf6a827b02

qTranslate X Cleanup and WPML Import <= 3.0.1 – Cross-Site Request Forgery via clean_ajx

Affected Software: qTranslate X Cleanup and WPML Import
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/43d534f8-fb1c-4170-a66e-2cef72cd40de

WP Fastest Cache <= 1.1.2 – Cross-Site Request Forgery via ‘wpfc_remove_cdn_integration_ajax_request_callback’

Affected Software: WP Fastest Cache
CVE ID: CVE-2023-1923
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/49ba5cfa-c2cc-49ac-b22d-7e36ccca6ac5

WP Fastest Cache <= 1.1.2 – Cross-Site Request Forgery via ‘deleteCssAndJsCacheToolbar’

Affected Software: WP Fastest Cache
CVE ID: CVE-2023-1927
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4d3858f5-3f13-400c-acf4-eb3dc3a43308

WP Fastest Cache <= 1.1.2 – Missing Authorization in ‘wpfc_preload_single_callback’

Affected Software: WP Fastest Cache
CVE ID: CVE-2023-1928
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/56a90042-a6c0-4487-811b-ced23c97f9f4

Spreadshop Plugin <= 1.6.5 – Cross-Site Request Forgery

Affected Software: Spreadshop Plugin
CVE ID: CVE-2023-29426
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7f15ac06-b5d3-4265-b69b-1d46b12a0522

tencentcloud-cos <= 1.0.7 – Missing Authorization via AJAX actions

Affected Software:
CVE ID: CVE-2023-29433
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/91ea157f-7a74-427f-b1eb-a9187f2d9096

Simple Job Board <= 2.10.3 – Cross-Site Request Forgery via sjb_save_settings_section

Affected Software: Simple Job Board
CVE ID: CVE-2023-29440
CVSS Score: 4.3 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9bbd528a-94fe-4979-b30f-02c6872db086

WP Fastest Cache <= 1.1.2 – Cross-Site Request Forgery via ‘wpfc_pause_cdn_integration_ajax_request_callback’

Affected Software: WP Fastest Cache
CVE ID: CVE-2023-1922
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a1743b26-861e-4a61-80de-b8cc82308228

WP Fastest Cache <= 1.1.2 – Cross-Site Request Forgery via ‘wpfc_toolbar_save_settings_callback’

Affected Software: WP Fastest Cache
CVE ID: CVE-2023-1924
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a87f610a-c1ef-4365-bd74-569989587d41

WP Fastest Cache <= 1.1.2 – Missing Authorization in ‘deleteCssAndJsCacheToolbar’

Affected Software: WP Fastest Cache
CVE ID: CVE-2023-1931
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b4bb2d72-ff31-4220-acb3-ed17bb9229b5

WP Fastest Cache <= 1.1.2 – Cross-Site Request Forgery via ‘deleteCacheToolbar’

Affected Software: WP Fastest Cache
CVE ID: CVE-2023-1926
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b793a4cb-3130-428e-9b61-8ce29fcdaf70

WP Fastest Cache <= 1.1.2 – Missing Authorization in ‘wpfc_clear_cache_of_allsites_callback’

Affected Software: WP Fastest Cache
CVE ID: CVE-2023-1930
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bae67a68-4bd1-4b52-b3dd-af0eef014028

qTranslate X Cleanup and WPML Import <= 3.0.1 – Missing Authorization via clean_ajx

Affected Software: qTranslate X Cleanup and WPML Import
CVE ID: CVE-2023-29431
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bbe973a3-a8bf-4037-9067-7cc0987291fe

YourChannel <= 1.2.3 – Cross-Site Request Forgery to Plugin Language Translation Update

Affected Software: YourChannel: Everything you want in a YouTube plugin.
CVE ID: CVE-2023-1870
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c1cec0b1-b77c-4d21-a3d2-c79fd3250bb0

Product Feed PRO for WooCommerce <= 12.4.4 – Cross-Site Request Forgery

Affected Software: Product Feed PRO for WooCommerce
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c80833c3-8ffc-41a1-8d11-dafa962191fd

WP Fastest Cache <= 1.1.2 – Cross-Site Request Forgery via ‘wpfc_purgecache_varnish_callback’

Affected Software: WP Fastest Cache
CVE ID: CVE-2023-1920
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c8e90994-3b5c-4ae6-a27f-890a9101b440

Superb Social Media Share Buttons and Follow Buttons <= 1.1.3 – Missing Authorization via spbsmAjax

Affected Software: Superb Social Media Share Buttons and Follow Buttons for WordPress
CVE ID: CVE-2023-29428
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ca4dead2-c6da-4613-8ce6-13699a7495a1

HT Builder <= 1.2.9 – Cross-Site Request Forgery via plugin_activation

Affected Software: HT Builder – WordPress Theme Builder for Elementor
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/df413b9d-5c22-4276-a11b-4f193c48740d

Superb Social Media Share Buttons and Follow Buttons <= 1.1.3 – Cross-Site Request Forgery via spbsmAjax

Affected Software: Superb Social Media Share Buttons and Follow Buttons for WordPress
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ebea0ec0-f7ee-41c5-b0a5-a78e9cd11d41

Front End Users <= 3.2.24 – Cross-Site Request Forgery

Affected Software: Front End Users
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ee13399f-0fc9-40f3-93f5-34c913d54aa0

As a reminder, Wordfence has curated an industry-leading vulnerability database, known as Wordfence Intelligence, that covers all known WordPress core, theme, and plugin vulnerabilities.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, through vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring various sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (Apr 3, 2023 to Apr 9, 2023) appeared first on Wordfence.