Wordfence Intelligence Weekly WordPress Vulnerability Report (August 14, 2023 to August 20, 2023)

Last week, there were 64 vulnerabilities disclosed in 67 WordPress Plugins and 10 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 37 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, and webhook integration are completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.


New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

  • WAF-RULE-627, data redacted while we work with the developer to ensure this gets patched.

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.


Total Unpatched & Patched Vulnerabilities Last Week

Patch Status Number of Vulnerabilities
Unpatched 24
Patched 40

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating Number of Vulnerabilities
Low Severity 1
Medium Severity 50
High Severity 9
Critical Severity 4

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) 26
Missing Authorization 12
Cross-Site Request Forgery (CSRF) 9
Improper Privilege Management 2
Use of Less Trusted Source 2
Information Exposure 2
Deserialization of Untrusted Data 1
Server-Side Request Forgery (SSRF) 1
Improper Control of Generation of Code (‘Code Injection’) 1
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) 1
URL Redirection to Untrusted Site (‘Open Redirect’) 1
Improper Authorization 1
Improper Access Control 1
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) 1
Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’) 1
Weak Password Recovery Mechanism for Forgotten Password 1
Unrestricted Upload of File with Dangerous Type 1

Researchers That Contributed to WordPress Security Last Week

Researcher Name Number of Vulnerabilities
Abdi Pranata 5
Marco Wotschka
(Wordfence Vulnerability Researcher)
4
Lana Codes
(Wordfence Vulnerability Researcher)
4
Mika 4
3
3
David 2
Truoc Phan 2
Rio Darmawan 2
LEE SE HYOUNG 2
Yuki Haruma 2
Muhammad Arsalan Diponegoro 2
Jonatas Souza Villa Flor 1
Ivy 1
Random Robbie 1
Nithissh S 1
TomS 1
NGÔ THIÊN AN 1
Le Ngoc Anh 1
Debangshu Kundu 1
Arpeet Rathi 1
Rafie Muhammad 1
Utkarsh Agrawal 1
Hung Duong 1
Bartłomiej Marek 1
Tomasz Swiadek 1
Prasanna V Balaji 1
Nguyen Xuan Chien 1
Elliot 1
Lokesh Dachepalli 1
Rafshanzani Suhada 1
Dmitrii Ignatyev 1
Dmitrii 1
Skalucy 1
1
Francesco Carlucci 1
Jonas Höbenreich 1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.


WordPress Plugins with Reported Vulnerabilities Last Week

Software Name Software Slug
123.chat – 1:1 Live Video Chat Tool Plugin
Accordion Slider
Accordion and Accordion Slider
Advanced File Manager
Album and Image Gallery plus Lightbox
BigBlueButton
Blog Designer – Post and Widget
CLUEVO LMS, E-Learning Platform
CT Commerce
Carrrot
Cleverwise Daily Quotes
Contact form 7 Custom validation
Cookies and Content Security Policy
Cost Calculator Builder
Countdown Timer Ultimate
Custom Admin Login Page | WPZest
Donation Forms by Charitable – Donations Plugin & Fundraising Platform for WordPress
Donations Made Easy – Smart Donations
Doofinder WP & WooCommerce Search
Dynamic Pricing and Discount Rules for WooCommerce
Enhanced Ecommerce Google Analytics for WooCommerce
Event Tickets with Ticket Scanner
GD Security Headers
InfiniteWP Client
JS Help Desk – Best Help Desk & Support Plugin
Kanban Boards for WordPress
Make Paths Relative
Media from FTP
Meta Slider and Carousel with Lightbox
Orders Tracking for WooCommerce
Paid Memberships Pro CCBill Gateway
Password Reset with Code for WordPress REST API
Plausible Analytics
Portfolio Gallery – Responsive Image Gallery
Portfolio and Projects
Post Ticker Ultimate
Post grid and filter ultimate
Products Quick View for WooCommerce
Putler Connector for WooCommerce – Accurate Analytics and Reports for your WooCommerce Store
RSVPMaker
Schedule Posts Calendar
Serial Codes Generator and Validator with WooCommerce Support
Simple Org Chart
Simple Staff List
Smart SEO Tool – SEO优化插件
Stripe Payment Plugin for WooCommerce
Tabs & Accordion
Team Slider and Team Grid Showcase plus Team Carousel
Testimonial Grid and Testimonial Slider plus Carousel with Rotator Widget
Timeline and History slider
Trending/Popular Post Slider and Widget
Typing Effect
User Activity Log
User Submitted Posts – Enable Users to Submit Posts from the Front End
Video Gallery for YouTube Videos and WordPress
Video gallery and Player
WP LINE Notify
WP Remote Users Sync
WP VR – 360 Panorama and Virtual Tour Builder For WordPress
WP-PostRatings
WebLibrarian
WooCommerce PDF Invoice Builder, Create invoices, packing slips and more
WordPress Mortgage Calculator Estatik
fitness calculators plugin
tagDiv Composer
wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin

WordPress Themes with Reported Vulnerabilities Last Week

Software Name Software Slug
Aapna aapna
Anand anand
Anfaust anfaust
Arendelle arendelle
Atlast Business atlast-business
Bazaar Lite bazaar-lite
Brain Power brain-power
BunnyPressLite bunnypresslite
Cafe Bistro cafe-bistro
College college

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities.

Kanban Boards <= 2.5.21 – Authenticated (Administrator+) Remote Code Execution

Affected Software: Kanban Boards for WordPress
CVE ID: CVE-2023-40606
CVSS Score: 9.8 (Critical)
Researcher/s: TomS
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3adea276-6b55-422d-adc9-a767f569181c

Donation Forms by Charitable <= 1.7.0.12 – Unauthenticated Privilege Escalation

Affected Software: Donation Forms by Charitable – Donations Plugin & Fundraising Platform for WordPress
CVE ID: CVE-2023-4404
CVSS Score: 9.8 (Critical)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/522ecc1c-5834-4325-9234-79cf712213f3

Contact form 7 Custom validation <= 1.1.3 – Unauthenticated SQL Injection via ‘post’

Affected Software: Contact form 7 Custom validation
CVE ID: CVE-2023-40609
CVSS Score: 9.8 (Critical)
Researcher/s:
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/dbfc52a4-6c9d-480b-9247-1513318ff84b

Password Reset with Code for WordPress REST API <= 0.0.15 – Weak Password Recovery Mechanism

Affected Software: Password Reset with Code for WordPress REST API
CVE ID: CVE-2023-35039
CVSS Score: 9.8 (Critical)
Researcher/s: Jonas Höbenreich
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f44b9e6d-2f84-45f6-9f74-3f23b03c5a49

Affected Software: WP Remote Users Sync
CVE ID: CVE-2023-3958
CVSS Score: 8.5 (High)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2e78c759-4a54-4ee4-8eff-df91fe9dad46

Affected Software: InfiniteWP Client
CVE ID: CVE-2023-2916
CVSS Score: 7.5 (High)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/aa157c80-447f-4406-9e49-9cc6208b7b19

User Submitted Posts <= 20230809 – Unauthenticated Stored Cross-Site Scripting via ‘user-submitted-content’

Affected Software: User Submitted Posts – Enable Users to Submit Posts from the Front End
CVE ID: CVE-2023-4308
CVSS Score: 7.2 (High)
Researcher/s: NGÔ THIÊN AN
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3bb4d37c-c4c2-4523-9b4e-73ffb7be81ea

tagDiv Composer <= 4.1 – Unauthenticated Stored Cross-Site Scripting

Affected Software: tagDiv Composer
CVE ID: CVE-2023-3169
CVSS Score: 7.2 (High)
Researcher/s: Truoc Phan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6998cf4c-6086-402b-a95f-ee6a4980dffb

Cleverwise Daily Quotes <= 3.2 – Reflected Cross-Site Scripting

Affected Software: Cleverwise Daily Quotes
CVE ID: CVE-2023-40335
CVSS Score: 7.2 (High)
Researcher/s: Yuki Haruma
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/71f7733a-1350-4e22-98d8-28be401aee69

GD Security Headers <= 1.6.1 – Unauthenticated Cross-Site Scripting

Affected Software: GD Security Headers
CVE ID: CVE-2023-40330
CVSS Score: 7.2 (High)
Researcher/s:
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7ce32ecf-6995-4794-8559-2f84533ecf50

RSVPMarker <= 10.6.5 – Unauthenticated Stored Cross-Site Scripting via ’email’

Affected Software: RSVPMaker
CVE ID: CVE-2023-27616
CVSS Score: 7.2 (High)
Researcher/s: Muhammad Arsalan Diponegoro
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/aaf0e58c-0430-44fe-980f-8ea469802c86

Mortgage Calculator Estatik <= 2.0.7 – Unauthenticated Cross-Site Scripting

Affected Software: WordPress Mortgage Calculator Estatik
CVE ID: CVE-2023-40601
CVSS Score: 7.2 (High)
Researcher/s:
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cb73e92b-b807-4406-b378-cef6cff9eb82

JS Help Desk – Best Help Desk & Support Plugin <= 2.7.7 – Authenticated (Administrator+) Arbitrary File Upload

Affected Software: JS Help Desk – Best Help Desk & Support Plugin
CVE ID: CVE-2023-25444
CVSS Score: 7.2 (High)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fa75366a-651c-43d0-a32b-cdabf5b07b66

wpDataTables – Tables & Table Charts <= 2.1.65 – Authenticated(Administrator+) PHP Object Injection

Affected Software: wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin
CVE ID: CVE Unknown
CVSS Score: 6.6 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0c458644-a799-4bea-abcb-06a946dc19df

Advanced File Manager <= 5.1 – Authenticated(Administrator+) Arbitrary File and Folder Access

Affected Software: Advanced File Manager
CVE ID: CVE-2023-3814
CVSS Score: 6.6 (Medium)
Researcher/s: Dmitrii
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ceba35c3-16b0-4366-b33c-603bdc2c1006

Gallery Portfolio <= 1.4.6 – Missing Authorization via Multiple AJAX actions

Affected Software: Portfolio Gallery – Responsive Image Gallery
CVE ID: CVE Unknown
CVSS Score: 6.5 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/96112707-04ca-4647-9008-31954764486f

Affected Software: Event Tickets with Ticket Scanner
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2ec40d89-9caa-44dc-8577-00fa6463348c

BigBlueButton <= 3.0.0-beta.4 – Authenticated (Author+) Stored Cross-Site Scripting

Affected Software: BigBlueButton
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5f829d21-5347-46ec-9218-2b3cbe7d7b95

Serial Codes Generator and Validator with WooCommerce Support <= 2.4.14 – Authenticated (Subscriber+) Stored Cross-Site Scripting

Affected Software: Serial Codes Generator and Validator with WooCommerce Support
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c4886822-3a05-45b3-ad1d-4d4a4f921817

Typing Effect <= 1.3.6 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Typing Effect
CVE ID: CVE-2023-40605
CVSS Score: 6.4 (Medium)
Researcher/s:
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/db12f986-580e-4e81-8bd2-124393e5d21b

Media from FTP <= 11.16 – Authenticated (Author+) Improper Privilege Management

Affected Software: Media from FTP
CVE ID: CVE-2023-4019
CVSS Score: 6.3 (Medium)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9764d402-b8a2-43d5-882a-bc3886078b7f

LINE Notify <= 1.4.4 – Reflected Cross-Site Scripting via ‘uid’

Affected Software: WP LINE Notify
CVE ID: CVE-2023-30497
CVSS Score: 6.1 (Medium)
Researcher/s: Ivy
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2b4e7c02-48d3-4271-a3bc-e7d3256b7217

Multiple Themes (Various Versions) – Reflected Cross-Site Scripting via Search Field

Affected Software/s: College, Anfaust, Brain Power, BunnyPressLite, Bazaar Lite, Cafe Bistro, Arendelle, Anand, Atlast Business, Aapna
CVE ID: CVE-2023-2813
CVSS Score: 6.1 (Medium)
Researcher/s: Random Robbie
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/32253923-ffec-4312-bcdf-06c5aed77d30

Plausible Analytics <= 1.3.3 – Reflected Cross-Site Scripting via page-url

Affected Software: Plausible Analytics
CVE ID: CVE-2023-40553
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3ed6d5e6-1094-46ec-afb9-43c142f334ed

WebLibrarian <= 3.5.8.1 – Reflected Cross-Site Scripting via multiple parameters

Affected Software: WebLibrarian
CVE ID: CVE-2023-29441
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6b4b05a8-3a32-4fa9-9ff5-a2a62b11a05d

Donations Made Easy – Smart Donations <= 4.0.12 – Unauthenticated Stored Cross-Site Scripting

Affected Software: Donations Made Easy – Smart Donations
CVE ID: CVE-2023-40664
CVSS Score: 6.1 (Medium)
Researcher/s:
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/799975aa-44fe-48dc-8ac9-469c89a03c67

WP VR <= 8.3.4 – Reflected Cross-Site Scripting

Affected Software: WP VR – 360 Panorama and Virtual Tour Builder For WordPress
CVE ID: CVE-2023-40663
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fc08e4cf-3964-406e-9046-420e749df4b5

Fitness calculators plugin <= 2.0.7 – Authenticated (Administrator+) Stored Cross-Site Scripting via admin settings

Affected Software: fitness calculators plugin
CVE ID: CVE-2023-40552
CVSS Score: 5.5 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/aafbdd50-c78b-4aad-a3e2-f1339d698e77

Smart SEO Tool-WordPress SEO优化插件 <= 4.0.1 – Cross-Sitquest Forgery via ‘wp_ajax_wb_smart_seo_tool’

Affected Software: Smart SEO Tool – SEO优化插件
CVE ID: CVE Unknown
CVSS Score: 5.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/078d06ad-555b-4de4-a032-d81440c7dfb5

Doofinder for WooCommerce <= 1.5.49 – Unauthenticated Open Redirect

Affected Software: Doofinder WP & WooCommerce Search
CVE ID: CVE-2023-40602
CVSS Score: 5.4 (Medium)
Researcher/s:
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7414779e-7241-4ab2-9b1f-34c3e1acc66b

Cost Calculator Builder <= 3.1.42 – Improper Authorization

Affected Software: Cost Calculator Builder
CVE ID: CVE-2023-40011
CVSS Score: 5.4 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/94d60fcb-a542-41a9-b6ac-6ac2607068aa

WooCommerce Enhanced Ecommerce Analytics Integration with Conversion Tracking <= 3.7.1 – Cross-Site Request Forgery

Affected Software: Enhanced Ecommerce Google Analytics for WooCommerce
CVE ID: CVE-2023-40561
CVSS Score: 5.4 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a3f7e1a4-88b2-4069-adb8-d51278b48234

Putler Connector for WooCommerce <= 2.12.0 – Missing Authorization via ‘putler_connector_sync_complete’

Affected Software: Putler Connector for WooCommerce – Accurate Analytics and Reports for your WooCommerce Store
CVE ID: CVE-2023-40327
CVSS Score: 5.3 (Medium)
Researcher/s: David
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/09a1388e-6c87-44cd-a137-4212b569423b

Multiple WPOnlineSupport Plugins <= (Various Versions) – Missing Authorization to Notice Dismissal


Paid Memberships Pro CCBill Gateway <= 0.3 – Insufficient Authorization

Affected Software: Paid Memberships Pro CCBill Gateway
CVE ID: CVE-2023-40608
CVSS Score: 5.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/47bb46df-3ed6-4331-8c05-c76331aa6995

Comments Like Dislike <= 1.2.0 – Missing Authorization to Authenticated (Subscriber+) Plugin Setting Reset

Affected Software:
CVE ID: CVE-2023-3244
CVSS Score: 5.3 (Medium)
Researcher/s: Hung Duong
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/66019297-a8a8-4bbc-99db-4b47066f3e50

WP-PostRatings <= 1.91 – IP Spoofing

Affected Software: WP-PostRatings
CVE ID: CVE-2023-40332
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6aed9434-1681-47d6-bbc1-0815db548a24

User Activity Log <= 1.6.6 – IP Address Spoofing

Affected Software: User Activity Log
CVE ID: CVE-2023-4279
CVSS Score: 5.3 (Medium)
Researcher/s: Bartłomiej Marek, Tomasz Swiadek
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/77462f1f-f7d8-4d11-aaf1-82395897fcfa

Cookies and Content Security Policy <= 2.15 – Sensitive Information Exposure

Affected Software: Cookies and Content Security Policy
CVE ID: CVE-2023-40662
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/79e68c5b-1f1a-4af3-acf4-1a38f2d72424

Simple Org Chart <= 2.3.4 – Missing Authorization

Affected Software: Simple Org Chart
CVE ID: CVE-2023-40603
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c674ec32-7959-414a-8c31-3455bebb47bb

Stripe Payment Plugin for WooCommerce <= 3.7.9 – Missing Authorization to Arbitrary Order Status Modification

Affected Software: Stripe Payment Plugin for WooCommerce
CVE ID: CVE-2023-4040
CVSS Score: 5.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ef543c61-2acc-4b72-81ff-883960d4c7c3

123.chat <= 1.3.0 – Authenticated(Administrator+) Stored Cross-Site Scripting

Affected Software: 123.chat – 1:1 Live Video Chat Tool Plugin
CVE ID: CVE-2023-4298
CVSS Score: 4.4 (Medium)
Researcher/s: Jonatas Souza Villa Flor
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0a0ced4d-368d-4f12-9099-1f8c0b0fe245

tagDiv Composer <= 4.1 – Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: tagDiv Composer
CVE ID: CVE-2023-3170
CVSS Score: 4.4 (Medium)
Researcher/s: Truoc Phan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3861f675-1a26-4947-91ef-8ab04646704f

CT Commerce <= 2.0.1 – Authenticated (Administrator+) Stored Cross-Site Scripting via admin settings

Affected Software: CT Commerce
CVE ID: CVE-2023-40007
CVSS Score: 4.4 (Medium)
Researcher/s: Nithissh S
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/399109be-7efe-428e-a9b8-7a68864b2790

Schedule Posts Calendar <= 5.2 – Authenticated (Administrator+) Stored Cross-Site Scripting via admin settings

Affected Software: Schedule Posts Calendar
CVE ID: CVE-2023-40560
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/61c815c2-a5ea-431c-bfde-c08a4eb5fda6

WooCommerce PDF Invoice Builder <= 1.2.90 – Authenticated (Administrator+) Cross-Site Scripting

Affected Software: WooCommerce PDF Invoice Builder, Create invoices, packing slips and more
CVE ID: CVE-2023-4160
CVSS Score: 4.4 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6a765360-8603-4ba1-a6db-dd0175ff3ddf

Carrot <= 1.1.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Carrrot
CVE ID: CVE-2023-40328
CVSS Score: 4.4 (Medium)
Researcher/s: Prasanna V Balaji
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/77fa042d-1e4f-4344-bf5a-3860add7aae3

Custom Admin Login Page | WPZest <= 1.2.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Custom Admin Login Page | WPZest
CVE ID: CVE-2023-40329
CVSS Score: 4.4 (Medium)
Researcher/s: Lokesh Dachepalli
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/906dcf2a-6be1-4966-9a70-1ef9a8f1017d

RSVPMarker <= 10.6.5 – Authenticated (Administrator+) Stored Cross-Site Scripting via admin settings

Affected Software: RSVPMaker
CVE ID: CVE-2023-27617
CVSS Score: 4.4 (Medium)
Researcher/s: Muhammad Arsalan Diponegoro
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cfb27513-61ad-4cf0-a471-0ab7aeb0801b

Simple Staff List <= 2.2.3 – Authenticated (Editor+) Stored Cross-Site Scripting

Affected Software: Simple Staff List
CVE ID: CVE-2023-28790
CVSS Score: 4.4 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f5880581-3505-4851-b32f-cd2873072f73

WooCommerce PDF Invoice Builder <= 1.2.89 – Missing Authorization to Sensitive Information Exposure

Affected Software: WooCommerce PDF Invoice Builder, Create invoices, packing slips and more
CVE ID: CVE-2023-4245
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/200fbfc1-df21-43b0-8eb1-b2ba0cc0c0df

Affected Software: WP Remote Users Sync
CVE ID: CVE-2023-4374
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2e87cfc4-8e7c-47d6-80fc-9c293cdd8acb

Putler Connector for WooCommerce <= 2.12.0 – Missing Authorization via ‘send_resync_request’

Affected Software: Putler Connector for WooCommerce – Accurate Analytics and Reports for your WooCommerce Store
CVE ID: CVE-2023-40326
CVSS Score: 4.3 (Medium)
Researcher/s: David
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/38537f60-52f4-4007-b26f-6948b9263931

Products Quick View for WooCommerce <= 2.2.0 – Missing Authorization

Affected Software: Products Quick View for WooCommerce
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/39c9f055-2527-4678-bda1-27a29ab24acd

WooCommerce PDF Invoice Builder <= 1.2.90 – Cross-Site Request Forgery to Custom Field Creation

Affected Software: WooCommerce PDF Invoice Builder, Create invoices, packing slips and more
CVE ID: CVE-2023-4161
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3b7aac1c-6962-49cf-850f-ab7b1d220090

Accordion Slider <= 1.9.6 – Missing Authorization to Notice Dismissal

Affected Software: Accordion Slider
CVE ID: CVE-2023-40331
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3dc69bba-39e0-46bd-8cdb-7cf1f7d36282

CLUEVO LMS, E-Learning Platform <= 1.10.0 – Cross-Site Request Forgery

Affected Software: CLUEVO LMS, E-Learning Platform
CVE ID: CVE-2023-40607
CVSS Score: 4.3 (Medium)
Researcher/s: Debangshu Kundu, Arpeet Rathi
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/414165a3-78f8-4254-ac24-2de177cad3dd

Schedule Posts Calendar <= 5.2 – Cross-Site Request Forgery

Affected Software: Schedule Posts Calendar
CVE ID: CVE-2023-40556
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7d4f490e-c86e-490e-8041-36c154b890aa

Make Paths Relative <= 1.3.0 – Cross-Site Request Forgery via ‘admin/class-make-paths-relative-admin.php’

Affected Software: Make Paths Relative
CVE ID: CVE-2023-27433
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/85317781-7e77-4a78-af67-0a1dce39364c

Simple Org Chart <= 2.3.4 – Cross-Site Request Forgery

Affected Software: Simple Org Chart
CVE ID: CVE-2023-28791
CVSS Score: 4.3 (Medium)
Researcher/s: Elliot
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8d413350-f520-4dd9-af7d-e776628aef1d

WooCommerce Dynamic Pricing and Discount Rules <= 2.4.0 – Cross-Site Request Forgery

Affected Software: Dynamic Pricing and Discount Rules for WooCommerce
CVE ID: CVE-2023-40559
CVSS Score: 4.3 (Medium)
Researcher/s: Skalucy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d624f234-c57a-4a66-900d-362194a79d34

Video Gallery & Management <= 3.3.5 – Cross-Site Request Forgery

Affected Software: Video Gallery for YouTube Videos and WordPress
CVE ID: CVE-2023-40558
CVSS Score: 4.3 (Medium)
Researcher/s:
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e226d75f-37b2-4af2-bba0-0fd3a96cc1a0

Tabs & Accordion <= 1.3.10 – Authenticated (Contributor+) Content Injection

Affected Software: Tabs & Accordion
CVE ID: CVE-2023-40557
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/eaead805-b122-4418-a4a0-cf1b0925f3c3

Orders Tracking for WooCommerce <= 1.2.5 – Authenticated (Administrator+) Directory Traversal via ‘file_url’

Affected Software: Orders Tracking for WooCommerce
CVE ID: CVE-2023-4216
CVSS Score: 2.7 (Low)
Researcher/s: Utkarsh Agrawal
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5a62e8b2-7606-4842-8be5-dff8634539d0

As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (August 14, 2023 to August 20, 2023) appeared first on Wordfence.

This content was originally published here.