
Wordfence Intelligence Weekly WordPress Vulnerability Report (December 4, 2023 to December 10, 2023)

🎁 Wordfence just launched its bug bounty program. Through December 20th 2023, all researchers will earn 6.25x our normal bounty rates when Wordfence handles responsible disclosure for our Holiday Bug Extravaganza! Register as a researcher and submit your vulnerabilities today! 🎁

Last week, 109 vulnerabilities disclosed in 98 WordPress plugins and 10 WordPress themes were added to the Wordfence Intelligence Vulnerability Database, and 33 vulnerability researchers contributed to WordPress security. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, including the WordPress community, so that individuals and organizations alike can use that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and use, both personally and commercially, and why we are running this weekly vulnerability report.

Enterprises, hosting providers, and even individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Alternatively, use the Vulnerability Database API to receive a complete dump of our database of over 12,000 vulnerabilities, and then use the webhook integration to stay on top of the newest vulnerabilities added in real time, as well as any updates made to the database, all for free.

Click here to sign up for our mailing list to receive weekly vulnerability reports like this, and important WordPress security reports, in your inbox the moment they are published.
New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection. The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

- Elementor <= 3.18.1 – Authenticated(Contributor+) Arbitrary File Upload to Remote Code Execution via Template Import
- WordPress Core 6.4-6.4.1 – Remote Code Execution POP Chain via Object Injection (Note that the existence of the POP chain is not classified as a vulnerability on its own, so it does not have a Wordfence Intelligence entry. The rule is intended to block exploitation by any existing Object Injection vulnerability.)
- Two additional firewall rules for vulnerabilities that have not yet been patched or publicly disclosed.

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.
Total Unpatched & Patched Vulnerabilities Last Week

| Patch Status | Number of Vulnerabilities |
|---|---|
| Unpatched | 63 |
| Patched | 46 |

Total Vulnerabilities by CVSS Severity Last Week

| Severity Rating | Number of Vulnerabilities |
|---|---|
| Low Severity | 0 |
| Medium Severity | 88 |
| High Severity | 9 |
| Critical Severity | 12 |

Total Vulnerabilities by CWE Type Last Week

| Vulnerability Type by CWE | Number of Vulnerabilities |
|---|---|
| Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 28 |
| Missing Authorization | 28 |
| Cross-Site Request Forgery (CSRF) | 21 |
| Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 6 |
| Unrestricted Upload of File with Dangerous Type | 5 |
| Deserialization of Untrusted Data | 5 |
| Information Exposure | 3 |
| Improper Authorization | 2 |
| Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) | 2 |
| Use of Less Trusted Source | 1 |
| Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 1 |
| Uncontrolled Resource Consumption (‘Resource Exhaustion’) | 1 |
| Protection Mechanism Failure | 1 |
| Authorization Bypass Through User-Controlled Key | 1 |
| Server-Side Request Forgery (SSRF) | 1 |
| Improper Control of Generation of Code (‘Code Injection’) | 1 |
| Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’) | 1 |
| Improper Neutralization of Alternate XSS Syntax | 1 |

Researchers That Contributed to WordPress Security Last Week

| Researcher Name | Number of Vulnerabilities |
|---|---|
| Nguyen Xuan Chien | 13 |
| Rafie Muhammad | 12 |
| Abdi Pranata | 12 |
| Dmitrii Ignatyev | 7 |
| Vladislav Pokrovsky (ΞX.MI) | 7 |
| Mika | 6 |
| Ngô Thiên An (ancorn_) | 5 |
| emad | 4 |
| István Márton (Wordfence Vulnerability Researcher) | 4 |
| Skalucy | 4 |
| Brandon James Roldan (tomorrowisnew) | 3 |
| thiennv | 3 |
| lttn | 3 |
| LVT-tholv2k | 2 |
| Marco Wotschka (Wordfence Vulnerability Researcher) | 2 |
| Abu Hurayra (HurayraIIT) | 2 |
| Kyle Sanchez | 2 |
| qilin_99 | 2 |
| Rafshanzani Suhada | 1 |
| Universe | 1 |
| German Ritter | 1 |
| DoYeon Park (p6rkdoye0n) | 1 |
| Naveen Muthusamy | 1 |
| Hong Quan | 1 |
| 0x9567b | 1 |
| Luqman Hakim Y | 1 |
| Yuchen Ji | 1 |
| Labda | 1 |
| Enrico Marcolini | 1 |
| Claudio Marchesini (Dottormarc) | 1 |
| Rachit Arora | 1 |
| Muhammad Daffa | 1 |
| Huynh Tien Si | 1 |

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added to the Wordfence Intelligence leaderboard, along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

| Software Name | Software Slug |
|---|---|
| Advanced Database Cleaner | advanced-database-cleaner |
| Advanced Page Visit Counter – Most Wanted Analytics Plugin for WordPress | advanced-page-visit-counter |
| Alma – Pay in installments or later for WooCommerce | alma-gateway-for-woocommerce |
| Alt Manager | alt-manager |
| Annual Archive | anual-archive |
| AppMySite – Create an app with the Best Mobile App Builder | appmysite |
| ArtPlacer Widget | artplacer-widget |
| Astra Pro Addon | astra-addon |
| Author Avatars List/Block | author-avatars |
| Awesome Support – WordPress HelpDesk & Support Plugin | awesome-support |
| BCorp Shortcodes | bcorp-shortcodes |
| Backup Migration | backup-backup |
| Bacola Core | bacola-core |
| Biteship: Plugin Ongkos Kirim Kurir Instant, Reguler, Kargo | biteship |
| Block for Font Awesome | block-for-font-awesome |
| Bold Page Builder | bold-page-builder |
| Bulk Edit Post Titles | bulk-edit-post-titles |
| Burst Statistics Pro | burst-pro |
| Burst Statistics – Privacy-Friendly Analytics for WordPress | burst-statistics |
| CSV Importer | csv-importer |
| CSprite | csprite |
| Caddy – Smart Side Cart for WooCommerce | caddy |
| Calculated Fields Form | calculated-fields-form |
| Clotya Core | clotya-core |
| Code Embed | simple-embed-code |
| Cookie Bar | cookie-bar |
| Cosmetsy Core | cosmetsy-core |
| Custom Login | custom-login |
| Custom Post Type Page Template | custom-post-type-page-template |
| Dashboard Widgets Suite | dashboard-widgets-suite |
| Digital Publications by Supsystic | digital-publications-by-supsystic |
| Duplicator Pro | duplicator-pro |
| Duplicator – WordPress Migration & Backup Plugin | duplicator |
| Elementor Timeline Widget | 3r-elementor-timeline-widget |
| Elementor Website Builder – More than Just a Page Builder | elementor |
| Email Subscription Popup | email-subscribe |
| EmbedPress – Embed PDF, YouTube, Google Docs, Vimeo, Wistia Videos, Audios, Maps & Any Documents in Gutenberg & Elementor | embedpress |
| Event Manager, Event Calendar, Event Tickets for WooCommerce – Eventin | wp-event-solution |
| FOX – Currency Switcher Professional for WooCommerce | woocommerce-currency-switcher |
| First Order Discount Woocommerce | first-order-discount-woocommerce |
| Fix My Feed RSS Repair | fix-my-feed-rss-repair |
| Flexible Woocommerce Checkout Field Editor | flexible-woocommerce-checkout-field-editor |
| Furnob Core | furnob-core |
| Genesis Simple Love | genesis-simple-love |
| Gift Up Gift Cards for WordPress and WooCommerce | gift-up |
| Guest Author | guest-author |
| Ibtana – WordPress Website Builder | ibtana-visual-editor |
| Import and export users and customers | import-users-from-csv-with-meta |
| Integrate Google Drive – Browse, Upload, Download, Embed, Play, Share, Gallery, and Manage Your Google Drive Files Into Your WordPress Site | integrate-google-drive |
| LiveChat – WP live chat plugin for WordPress | wp-live-chat-software-for-wordpress |
| Login With Ajax | login-with-ajax |
| MW WP Form | mw-wp-form |
| Manage Notification E-mails | manage-notification-emails |
| Medibazar Core | medibazar-core |
| Menu Bar Cart Icon For WooCommerce By Binary Carpenter | bc-menu-cart-woo |
| Multi Currency For WooCommerce | wc-multi-currency |
| Optin Forms – Simple List Building Plugin for WordPress | optin-forms |
| Parto Core | partdo-core |
| PayTR Taksit Tablosu – WooCommerce | paytr-taksit-tablosu-woocommerce |
| Piotnet Forms | piotnetforms |
| Post Duplicator | post-duplicator |
| Product Catalog Feed by PixelYourSite | product-catalog-feed |
| Product Enquiry for WooCommerce | gm-woocommerce-quote-popup |
| Redirects | redirects |
| RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login | custom-registration-form-builder-with-submission-manager |
| Responsive Slick Slider WordPress | responsive-slick-slider |
| Rocket Maintenance Mode & Coming Soon Page | rocket-maintenance-mode |
| Sayfa Sayac | sayfa-sayac |
| SharkDropship & Affiliate for AliExpress, eBay, Amazon, Etsy | woo-aliexpress-dropshipping |
| Shortcoder — Create Shortcodes for Anything | shortcoder |
| Shortcodes and extra features for Phlox theme | auxin-elements |
| Smart External Link Click Monitor [Link Log] | link-log |
| Smart Forms – when you need more than just a contact form | smart-forms |
| Social Media Feather \| social media sharing | social-media-feather |
| Spectra – WordPress Gutenberg Blocks | ultimate-addons-for-gutenberg |
| SpeedyCache – Cache, Optimization, Performance | speedycache |
| Square Thumbnails | square-thumbnails |
| Structured Content (JSON-LD) #wpsc | structured-content |
| SureTriggers – Connect All Your Plugins, Apps, Tools & Automate Everything! | suretriggers |
| Symbiostock – Sell Photos Online For Free! | symbiostock |
| System Dashboard | system-dashboard |
| Translate WordPress – Google Language Translator | google-language-translator |
| Tutor LMS – eLearning and online course solution | tutor |
| Ultimate Addons for Contact Form 7 | ultimate-addons-for-contact-form-7 |
| Ultimate Dashboard – Custom WordPress Dashboard | ultimate-dashboard |
| Video PopUp | video-popup |
| WP Booking System – Booking Calendar | wp-booking-system |
| WP Photo Album Plus | wp-photo-album-plus |
| WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts | wedevs-project-manager |
| WPBakery Page Builder Addons by Livemesh | addons-for-visual-composer |
| WPPerformanceTester | wpperformancetester |
| WPsoonOnlinePage | wp-soononline-page |
| WappPress – Create Mobile App for any WordPress site with our Mobile App Builder in just 1 minute | wapppress-builds-android-app-for-website |
| Webflow Pages | webflow-pages |
| Welcart e-Commerce | usc-e-shop |
| WooDiscuz – WooCommerce Comments | woodiscuz-woocommerce-comments |
| WooPayments – Fully Integrated Solution Built and Supported by Woo | woocommerce-payments |
| WordPress Simple HTML Sitemap | wp-simple-html-sitemap |

WordPress Themes with Reported Vulnerabilities Last Week

| Software Name | Software Slug |
|---|---|
| Adifier – Classified Ads WordPress Theme | adifier-system |
| Bacola – Grocery Store and Food eCommerce Theme | bacola |
| Clotya – Fashion Store eCommerce Theme | clotya |
| Cosmetsy – Beauty Cosmetics Shop Theme | cosmetsy |
| Couponis Demo | couponis-demo |
| Furnob – Furniture Store WooCommerce Theme | furnob |
| Machic – Electronics Store WooCommerce Theme | machic-core |
| Medibazar – Medical WooCommerce Theme | medibazar |
| Partdo – Auto Parts and Tools Shop WooCommerce Theme | partdo |
| Soledad | soledad |

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.
WappPress <= 5.0.3 – Unauthenticated Arbitrary File Upload
Affected Software: WappPress – Create Mobile App for any WordPress site with our Mobile App Builder in just 1 minute
CVE ID: CVE-2023-49815
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/07eab536-6f20-45ec-9f9e-70ab35555db2

Burst Statistics – Privacy-Friendly Analytics for WordPress 1.4.0 to 1.4.6.1 – Unauthenticated SQL Injection
Affected Software/s: Burst Statistics – Privacy-Friendly Analytics for WordPress, Burst Statistics Pro
CVE ID: CVE-2023-5761
CVSS Score: 9.8 (Critical)
Researcher/s: German Ritter
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/30f8419c-c7b9-4c68-a845-26c0308d76f3

Couponis Demo < 2.2 – Unauthenticated SQL Injection
Affected Software: Couponis Demo
CVE ID: CVE-2023-49750
CVSS Score: 9.8 (Critical)
Researcher/s: Vladislav Pokrovsky (ΞX.MI)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4fd67a02-b0fb-4c4f-9564-c3ee0180e79c

Genesis Simple Love <= 2.0 – Unauthenticated PHP Object Injection
Affected Software: Genesis Simple Love
CVE ID: CVE-2023-49772
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/55abf798-f336-4262-9f52-4526a4bae15a

Soledad <= 8.4.1 – Unauthenticated PHP Object Injection
Affected Software: Soledad
CVE ID: CVE-2023-49826
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6e954190-7c58-4044-a85e-a188fe5b6d89

Adifier System < 3.1.4 – Unauthenticated SQL Injection
Affected Software: Adifier – Classified Ads WordPress Theme
CVE ID: CVE-2023-49752
CVSS Score: 9.8 (Critical)
Researcher/s: Vladislav Pokrovsky (ΞX.MI)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8e64d865-5acc-419b-8c61-e8fd8207fa94

BCorp Shortcodes <= 0.23 – Unauthenticated PHP Object Injection
Affected Software: BCorp Shortcodes
CVE ID: CVE-2023-49773
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/94696151-9f99-4847-bd67-8fb77f8b6a0e

Sayfa Sayaç <= 2.6 – Unauthenticated PHP Object Injection
Affected Software: Sayfa Sayac
CVE ID: CVE-2023-49778
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b1a29180-901d-447e-8f82-63161b9e11e0

MW WP Form <= 5.0.1 – Unauthenticated Arbitrary File Upload
Affected Software: MW WP Form
CVE ID: CVE-2023-6316
CVSS Score: 9.8 (Critical)
Researcher/s: István Márton (Wordfence Vulnerability Researcher)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b2c03142-be30-4173-a140-14d73a16dd2b

Duplicator <= 1.5.7 AND Duplicator Pro < 4.5.14.2 – Unauthenticated Sensitive Information Exposure
Affected Software/s: Duplicator Pro, Duplicator – WordPress Migration & Backup Plugin
CVE ID: CVE-2023-6114
CVSS Score: 9.8 (Critical)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b3f7a88c-a09b-46ac-b345-139c2d20a3d2

Adifier System < 3.1.4 – Unauthenticated Local File Inclusion
Affected Software: Adifier – Classified Ads WordPress Theme
CVE ID: CVE-2023-49753
CVSS Score: 9.8 (Critical)
Researcher/s: Vladislav Pokrovsky (ΞX.MI)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e8574ff9-847c-4337-8c0e-2a717b51f66c

Backup Migration <= 1.3.5 – Unauthenticated Sensitive Information Exposure
Affected Software: Backup Migration
CVE ID: CVE-2023-6271
CVSS Score: 9.8 (Critical)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f661f19d-fdd4-4cd3-8fb3-8b6073d94596

Structured Content <= 1.5.3 – Authenticated (Contributor+) PHP Object Injection
Affected Software: Structured Content (JSON-LD) #wpsc
CVE ID: CVE-2023-49819
CVSS Score: 8.8 (High)
Researcher/s: LVT-tholv2k
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0b25252b-fad3-4212-be72-94e94779ef67

Smart Forms <= 2.6.84 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update
Affected Software: Smart Forms – when you need more than just a contact form
CVE ID: CVE-2023-49856
CVSS Score: 8.8 (High)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3ac48cd9-1de5-4840-b3f3-dc24ca52442e

Elementor <= 3.18.1 – Authenticated(Contributor+) Arbitrary File Upload to Remote Code Execution via Template Import
Affected Software: Elementor Website Builder – More than Just a Page Builder
CVE ID: CVE-2023-48777
CVSS Score: 8.8 (High)
Researcher/s: Hong Quan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5b6d0a38-ac28-41c9-9da1-b30b3657b463

Soledad <= 8.4.1 – Authenticated (Contributor+) SQL Injection
Affected Software: Soledad
CVE ID: CVE-2023-49825
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7a9846c4-4678-4c25-84fd-b05d21ea34fb

Astra Pro <= 4.3.1 – Authenticated(Contributor+) Remote Code Execution via Metabox
Affected Software: Astra Pro Addon
CVE ID: CVE-2023-49830
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b9769bc3-236f-4c9d-a4ce-544e49eee2ec

ArtPlacer Widget <= 2.20.6 – Authenticated (Editor+) SQL Injection
Affected Software: ArtPlacer Widget
CVE ID: CVE-2023-6373
CVSS Score: 8.8 (High)
Researcher/s: Enrico Marcolini, Claudio Marchesini (Dottormarc)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bff3a160-5238-4478-ab11-3300cac51cf2

Piotnet Forms <= 1.0.26 – Unauthenticated Arbitrary File Upload
Affected Software: Piotnet Forms
CVE ID: CVE-2023-6220
CVSS Score: 8.1 (High)
Researcher/s: István Márton (Wordfence Vulnerability Researcher)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/af2b7eac-a3f5-408f-b139-643e70b3f27a

Advanced Database Cleaner <= 3.1.2 – Authenticated (Administrator+) SQL Injection
Affected Software: Advanced Database Cleaner
CVE ID: CVE-2023-49764
CVSS Score: 7.2 (High)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/62c46925-8e97-4989-8c2c-56223d6911a2

Symbiostock Lite <= 6.0.0 – Authenticated (Shop Manager+) Arbitrary File Upload
Affected Software: Symbiostock – Sell Photos Online For Free!
CVE ID: CVE-2023-49814
CVSS Score: 7.2 (High)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/666b8b39-fab0-4e99-b365-a4ac9f964494

Import and export users and customers <= 1.24.2 – Authenticated(Administrator+) Directory Traversal via Recurring Import Functionality
Affected Software: Import and export users and customers
CVE ID: CVE-2023-6583
CVSS Score: 6.6 (Medium)
Researcher/s: Labda
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ac709779-36f1-4f66-8db3-95a514a5ea59

Code Embed <= 2.3.6 – Authenticated(Contributor+) Denial of Service
Affected Software: Code Embed
CVE ID: CVE-2023-49837
CVSS Score: 6.5 (Medium)
Researcher/s: Universe
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2ef2ded1-dd56-4c33-98dc-d4c69e66568f

Alma – Pay in installments or later for WooCommerce <= 5.1.3 – Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: Alma – Pay in installments or later for WooCommerce
CVE ID: CVE-2023-50369
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/044d7480-ccd7-4ce8-bb5d-367ba5d0217c

Ibtana – WordPress Website Builder <= 1.2.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Affected Software: Ibtana – WordPress Website Builder
CVE ID: CVE-2023-6684
CVSS Score: 6.4 (Medium)
Researcher/s: István Márton (Wordfence Vulnerability Researcher)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0b09d496-0e03-48a4-acf7-57febe18ed0a

Spectra <= 2.7.9 – Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: Spectra – WordPress Gutenberg Blocks
CVE ID: CVE-2023-49833
CVSS Score: 6.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0df493cb-2b5e-4a16-b6d8-4cd9a473540d

WooCommerce Payments <= 6.4.2 – Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: WooPayments – Fully Integrated Solution Built and Supported by Woo
CVE ID: CVE-2023-49828
CVSS Score: 6.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/13617b70-9b57-4873-9942-12bffed411e2

Annual Archive <= 1.6.0 – Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: Annual Archive
CVE ID: CVE-2023-49847
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/20199c88-1800-4d18-a0ee-0219be77b429

Advanced Page Visit Counter <= 8.0.6 – Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: Advanced Page Visit Counter – Most Wanted Analytics Plugin for WordPress
CVE ID: CVE-2023-50371
CVSS Score: 6.4 (Medium)
Researcher/s: Abu Hurayra (HurayraIIT)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3b497a36-4929-413f-abfc-1d81bfaa7889

Livemesh Addons for WPBakery Page Builder <= 3.5 – Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: WPBakery Page Builder Addons by Livemesh
CVE ID: CVE-2023-50370
CVSS Score: 6.4 (Medium)
Researcher/s: Abu Hurayra (HurayraIIT)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/60af0a7c-014b-4f71-9918-7ddc1186bee4

Video PopUp <= 1.1.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Affected Software: Video PopUp
CVE ID: CVE-2023-4962
CVSS Score: 6.4 (Medium)
Researcher/s: István Márton (Wordfence Vulnerability Researcher)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/670ea03e-2f76-48a4-9f40-bc4cfd987a89

Guest Author <= 2.3 – Authenticated (Author+) Stored Cross-Site Scripting
Affected Software: Guest Author
CVE ID: CVE-2023-49747
CVSS Score: 6.4 (Medium)
Researcher/s: emad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/78fd9dcf-228e-46ec-b34f-2cb0c87cc895

Bold Page Builder <= 4.6.1 – Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: Bold Page Builder
CVE ID: CVE-2023-49823
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8c99f70b-77a6-4bd7-99b1-ad4ec76d50c6

Shortcodes and extra features for Phlox theme <= 2.15.2 – Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: Shortcodes and extra features for Phlox theme
CVE ID: CVE-2023-50368
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/95d61096-8e44-4b70-a409-c02cb3d1e32c

WP Project Manager <= 2.6.7 – Authenticated (Subscriber+) Stored Cross-Site Scripting
Affected Software: WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts
CVE ID: CVE-2023-49860
CVSS Score: 6.4 (Medium)
Researcher/s: lttn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bd625d24-c1e9-465d-896a-bff75d8c534f

Author Avatars List/Block <= 2.1.16 – Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: Author Avatars List/Block
CVE ID: CVE-2023-49846
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c7c8380b-02ae-49d2-8c64-debe7f73ee35

Structured Content <= 1.5.3 – Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: Structured Content (JSON-LD) #wpsc
CVE ID: CVE-2023-49820
CVSS Score: 6.4 (Medium)
Researcher/s: LVT-tholv2k
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e44ad307-2663-4613-ae53-9ef6208f08f9

Ultimate Addons for Contact Form 7 <= 3.2.0 – Reflected Cross-Site Scripting
Affected Software: Ultimate Addons for Contact Form 7
CVE ID: CVE-2023-49766
CVSS Score: 6.1 (Medium)
Researcher/s: Vladislav Pokrovsky (ΞX.MI)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/364946a5-ce1e-4872-895d-e7cf795a04f7

Multiple Plugins by KlbTheme <= (Various Versions) – Reflected Cross-Site Scripting
Affected Software/s: Cosmetsy Core, Parto Core, Medibazar Core, Bacola Core, Clotya Core, Furnob Core
CVE ID: CVE-2023-49839
CVSS Score: 6.1 (Medium)
Researcher/s: Vladislav Pokrovsky (ΞX.MI)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4fb06315-30ad-4d98-af75-b04933583be7

WP Photo Album Plus <= 8.5.02.005 – Cross-Site Scripting
Affected Software: WP Photo Album Plus
CVE ID: CVE-2023-49813
CVSS Score: 6.1 (Medium)
Researcher/s: Kyle Sanchez
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5486d50c-8544-4368-b58b-66024a8ae86d

Email Subscription Popup <= 1.2.18 – Reflected Cross-Site Scripting
Affected Software: Email Subscription Popup
CVE ID: CVE-2023-6527
CVSS Score: 6.1 (Medium)
Researcher/s: 0x9567b
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5f84814e-f7b7-4228-b331-63027a0770af

Machic Core <= 1.2.6 – Reflected Cross-Site Scripting
Affected Software: Machic – Electronics Store WooCommerce Theme
CVE ID: CVE-2023-49186
CVSS Score: 6.1 (Medium)
Researcher/s: Vladislav Pokrovsky (ΞX.MI)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b4fc9628-b254-405b-a7cc-bb955618bc35

Smart External Link Click Monitor [Link Log] <= 5.0.2 – Reflected Cross-Site Scripting
Affected Software: Smart External Link Click Monitor [Link Log]
CVE ID: CVE-2023-49771
CVSS Score: 6.1 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d062bc7b-0cb0-46bd-b203-90cc9a44a403

Soledad <= 8.4.1 – Reflected Cross-Site Scripting
Affected Software: Soledad
CVE ID: CVE-2023-49827
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f83b36fe-4e46-4ab7-a113-6dcfa7cce625

Biteship <= 2.2.22 – Authenticated (Shop manager+) Stored Cross-Site Scripting
Affected Software: Biteship: Plugin Ongkos Kirim Kurir Instant, Reguler, Kargo
CVE ID: CVE-2023-49767
CVSS Score: 5.5 (Medium)
Researcher/s: Luqman Hakim Y
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a78c46ac-22dd-48f2-a10b-016205f7e7fa

Cookie Bar <= 2.0 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Affected Software: Cookie Bar
CVE ID: CVE-2023-49836
CVSS Score: 5.5 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/dd58bc54-f16e-48ee-97f4-95b839d75350

WOOCS – WooCommerce Currency Switcher <= 1.4.1.4 – Cross-Site Request Forgery via delete_profiles_data
Affected Software: FOX – Currency Switcher Professional for WooCommerce
CVE ID: CVE-2023-49834
CVSS Score: 5.4 (Medium)
Researcher/s: Brandon James Roldan (tomorrowisnew)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/139d4ec2-1147-4332-a56d-633890f32560

Digital Publications by Supsystic <= 1.7.6 – Cross-Site Request Forgery via AJAX action
Affected Software: Digital Publications by Supsystic
CVE ID: CVE-2023-5756
CVSS Score: 5.4 (Medium)
Researcher/s: Marco Wotschka (Wordfence Vulnerability Researcher)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2304e4dc-0dc6-4ded-b8e6-8d76d70f63d7

SpeedyCache <= 1.1.2 – Authenticated (Subscriber+) Server-Side Request Forgery
Affected Software: SpeedyCache – Cache, Optimization, Performance
CVE ID: CVE-2023-49746
CVSS Score: 5.4 (Medium)
Researcher/s: Yuchen Ji
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ab922406-4af8-4ef2-bcc8-c326212546b1

Awesome Support <= 6.1.6 – Missing Authorization
Affected Software: Awesome Support – WordPress HelpDesk & Support Plugin
CVE ID: CVE-2023-49757
CVSS Score: 5.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fd9f1385-6457-4bc9-9c75-0fcd399a5956

WP Photo Album Plus <= 8.5.02.005 – IP Spoofing
Affected Software: WP Photo Album Plus
CVE ID: CVE-2023-49774
CVSS Score: 5.3 (Medium)
Researcher/s: Brandon James Roldan (tomorrowisnew)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/017fe804-a1a5-4f8d-a531-e928d668dbc4

Manage Notification E-mails <= 1.8.5 – Missing Authorization
Affected Software: Manage Notification E-mails
CVE ID: CVE-2023-6496
CVSS Score: 5.3 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/048bc117-88df-44b3-a30c-692bad23050f

RegistrationMagic <= 5.2.3.0 – Missing Authorization
Affected Software: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login
CVE ID: CVE-2023-49831
CVSS Score: 5.3 (Medium)
Researcher/s: lttn
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0d041b14-0d05-4bfe-bd5c-7e06d7b108b8

Square Thumbnails <= 1.1.0 – Missing Authorization
Affected Software: Square Thumbnails
CVE ID: CVE-2023-49851
CVSS Score: 5.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/31cc30c7-262d-4582-8976-fc8095bdca5f

Awesome Support <= 6.1.6 – Missing Authorization
Affected Software: Awesome Support – WordPress HelpDesk & Support Plugin
CVE ID: CVE-2023-49857
CVSS Score: 5.3 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3a1cbd74-e598-4edf-90c2-f97d5070f0cc

Gift Up 2.21.3 – Cross-Site Request Forgery via consume_post
Affected Software: Gift Up Gift Cards for WordPress and WooCommerce
CVE ID: CVE-2023-49744
CVSS Score: 5.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3e8d9909-7b98-4d98-8293-0c30eebc6c7b

Ultimate Dashboard <= 3.7.10 – Login Page Disclosure on Multi-site
Affected Software: Ultimate Dashboard – Custom WordPress Dashboard
CVE ID: CVE-2023-49822
CVSS Score: 5.3 (Medium)
Researcher/s: Naveen Muthusamy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/56f3cb34-0452-4e3d-9442-0decc77f5e63

PayTR Taksit Tablosu <= 1.3.1 – Improper Authorization
Affected Software: PayTR Taksit Tablosu – WooCommerce
CVE ID: CVE-2023-49853
CVSS Score: 5.3 (Medium)
Researcher/s: qilin_99
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5898944f-565c-4950-83e8-ad0de0f948d1

Flexible Woocommerce Checkout Field Editor <= 2.0.1 – Missing Authorization
Affected Software: Flexible Woocommerce Checkout Field Editor
CVE ID: CVE-2023-49817
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5947f7cb-de84-4a62-bef7-cbeb1f20bb72

WP Photo Album Plus <= 8.5.02.005 – Insecure Direct Object Reference
Affected Software: WP Photo Album Plus
CVE ID: CVE-2023-49812
CVSS Score: 5.3 (Medium)
Researcher/s: Kyle Sanchez
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/72f3925d-6b3a-43bf-bfd1-fef7e71d5e43

AppMySite <= 3.10.0 – Unauthenticated Information Disclosure
Affected Software: AppMySite – Create an app with the Best Mobile App Builder
CVE ID: CVE-2023-49762
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8b9f171f-56d8-4ab9-bf61-0daa7c0d928f

Redirects <= 1.2.1 – Missing Authorization
Affected Software: Redirects
CVE ID: CVE-2023-49845
CVSS Score: 5.3 (Medium)
Researcher/s: Skalucy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/903161b0-b64c-4986-8c94-b90221bc911b

Webflow Pages <= 1.0.8 – Missing Authorization
Affected Software: Webflow Pages
CVE ID: CVE-2023-49818
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a01141ed-9b9c-426f-96b3-c6ceade4d35c

Shortcoder <= 6.3.1 – Missing Authorization
Affected Software: Shortcoder — Create Shortcodes for Anything
CVE ID: CVE-2023-49849
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a54ad0b4-b6e7-4eac-843e-261ec6c83d84

EmbedPress <= 3.9.4 – Missing Authorization
Affected Software: EmbedPress – Embed PDF, YouTube, Google Docs, Vimeo, Wistia Videos, Audios, Maps & Any Documents in Gutenberg & Elementor
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a7cf1c70-9778-4b50-b494-d0b1d0277b35

Alt Manager <= 1.5.9 – Missing Authorization
Affected Software: Alt Manager
CVE ID: CVE-2023-50373
CVSS Score: 5.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/aaa041a3-d8e5-4637-b8da-5f07c498685a

Custom Login <= 4.1.0 – Missing Authorization
Affected Software: Custom Login
CVE ID: CVE-2023-49858
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b23afc11-c31d-4569-8f4b-8141eef7b3d9

Google Language Translator <= 6.0.20 – Missing Authorization to Notice Dismissal
Affected Software: Translate WordPress – Google Language Translator
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ec894433-53c8-4d04-bb8a-92c66cbd2ce7

WP Simple HTML Sitemap <= 2.4 – Missing Authorization
Affected Software: WordPress Simple HTML Sitemap
CVE ID: CVE-2023-49850
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/eff4cb35-492b-448a-8d16-b9210917c567

Login With Ajax <= 4.1 – Missing Authorization
Affected Software: Login With Ajax
CVE ID: CVE-2023-49859
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f11926c8-2b31-4ad5-9fd0-225071a91b2a

WP Project Manager <= 2.6.7 – Missing Authorization
Affected Software: WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts
CVE ID: CVE-2023-40003
CVSS Score: 5.3 (Medium)
Researcher/s: lttn
Patch Status: Unpatched
Vulnerability Details:
https://wordfence.com/threat-intel/vulnerabilities/id/f83a6631-ff6c-422e-8b6c-49576fadb89f Sharkdropship dropshipping for Aliexpress, eBay, Amazon, etsy <= 2.1.1 – Missing Authorization Affected Software : SharkDropship & Affiliate for AliExpress, eBay, Amazon, Etsy CVE ID : CVE-2023-49848 CVSS Score : 5.3 (Medium) Researcher/s : Nguyen Xuan Chien Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fbc7e515-c712-4a39-a0f7-c3f646083060 Rocket Maintenance Mode & Coming Soon Page <= 4.3 – Authenticated (Administrator+) Stored Cross-Site Scripting Affected Software : Rocket Maintenance Mode & Coming Soon Page CVE ID : CVE-2023-49842 CVSS Score : 4.4 (Medium) Researcher/s : emad Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/055cc26b-1e24-4e39-89c8-bdc4a69ce938 Optin Forms <= 1.3.3 – Authenticated (Administrator+) Stored Cross-Site Scripting Affected Software : Optin Forms – Simple List Building Plugin for WordPress CVE ID : CVE-2023-49841 CVSS Score : 4.4 (Medium) Researcher/s : DoYeon Park (p6rkdoye0n) Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/35e0a997-190e-457a-b80c-7b4ecec97095 Smart External Link Click Monitor [Link Log] <= 5.0.2 – Authenticated (Administrator+) Stored Cross-Site Scripting Affected Software : Smart External Link Click Monitor [Link Log] CVE ID : CVE-2023-49770 CVSS Score : 4.4 (Medium) Researcher/s : Mika Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7c1811f7-0fb4-4f50-93ac-6abd9e6a1d66 Calculated Fields Form <= 1.2.40 – Authenticated (Admin+) Stored Cross-Site Scripting Affected Software : Calculated Fields Form CVE ID : CVE-2023-6446 CVSS Score : 4.4 (Medium) Researcher/s : emad Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c879123c-531e-43d8-a7d3-16a3c86b68a3 Dashboard 
Widgets Suite <= 3.4.1 – Authenticated (Administrator+) Stored Cross-Site Scripting Affected Software : Dashboard Widgets Suite CVE ID : CVE-2023-49743 CVSS Score : 4.4 (Medium) Researcher/s : Rachit Arora Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cba77ced-412e-4461-8d2a-980371c78a17 Tutor LMS <= 2.2.4 – Authenticated (Administrator+) Stored Cross-Site Scripting Affected Software : Tutor LMS – eLearning and online course solution CVE ID : CVE-2023-49829 CVSS Score : 4.4 (Medium) Researcher/s : emad Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e2b2a90f-7a0a-4150-8a24-14b2ed11663e Fix My Feed RSS Repair <= 1.4 – Cross-Site Request Forgery Affected Software : Fix My Feed RSS Repair CVE ID : CVE-2023-49816 CVSS Score : 4.3 (Medium) Researcher/s : Nguyen Xuan Chien Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/038742d8-3da9-4e2a-bbd4-9ed6b31e8767 Product Catalog Feed by PixelYourSite <= 2.1.1 – Cross-Site Request Forgery Affected Software : Product Catalog Feed by PixelYourSite CVE ID : CVE-2023-49824 CVSS Score : 4.3 (Medium) Researcher/s : thiennv Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/09547dae-85dc-481d-9eb1-423d8faadc80 LiveChat <= 4.5.15 – Cross-Site Request Forgery Affected Software : LiveChat – WP live chat plugin for WordPress CVE ID : CVE-2023-49821 CVSS Score : 4.3 (Medium) Researcher/s : Brandon James Roldan (tomorrowisnew) Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0b80e90d-72bd-4253-b84b-d2706e1abd4c System Dashboard <= 2.8.8 – Missing Authorization to Information Disclosure (sd_php_info) Affected Software : System Dashboard CVE ID : CVE-2023-5711 CVSS Score : 4.3 (Medium) Researcher/s : Dmitrii Ignatyev Patch Status : Patched Vulnerability Details: 
https://wordfence.com/threat-intel/vulnerabilities/id/17bc3a9f-2bf9-44e3-81ef-bfa932085da9 CSV Importer <= 0.3.8 – Cross-Site Request Forgery Affected Software : CSV Importer CVE ID : CVE-2023-49775 CVSS Score : 4.3 (Medium) Researcher/s : Nguyen Xuan Chien Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/252153ec-3811-484a-984f-eeb6ed9229a5 Integrate Google Drive <= 1.3.4 – Cross-Site Request Forgery Affected Software : Integrate Google Drive – Browse, Upload, Download, Embed, Play, Share, Gallery, and Manage Your Google Drive Files Into Your WordPress Site CVE ID : CVE-2023-49769 CVSS Score : 4.3 (Medium) Researcher/s : Mika Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/39c53cd7-3ea3-4971-be51-9544ca9d488f WPPerformanceTester <= 2.0.0 – Cross-Site Request Forgery Affected Software : WPPerformanceTester CVE ID : CVE-2023-49844 CVSS Score : 4.3 (Medium) Researcher/s : Nguyen Xuan Chien Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3fb35366-b09c-4667-8fb9-6f80ba6d09f0 Social Media Feather <= 2.1.3 – Missing Authorization Affected Software : Social Media Feather | social media sharing CVE ID : CVE-2023-49861 CVSS Score : 4.3 (Medium) Researcher/s : Abdi Pranata Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4154aa02-7fa1-4858-bea7-092ec4a508ac SureTriggers <= 1.0.23 – Cross-Site Request Forgery Affected Software : SureTriggers – Connect All Your Plugins, Apps, Tools & Automate Everything! 
CVE ID : CVE-2023-49749 CVSS Score : 4.3 (Medium) Researcher/s : Rafie Muhammad Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/461211c9-951e-4ccd-abf5-84941290a6a5 System Dashboard <= 2.8.7 – Missing Authorization to Information Disclosure (sd_db_specs) Affected Software : System Dashboard CVE ID : CVE-2023-5714 CVSS Score : 4.3 (Medium) Researcher/s : Dmitrii Ignatyev Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/53b3ac83-847d-4bd0-a79b-531af266e1b4 Block for Font Awesome <= 1.4.0 – Cross-Site Request Forgery Affected Software : Block for Font Awesome CVE ID : CVE-2023-49751 CVSS Score : 4.3 (Medium) Researcher/s : Nguyen Xuan Chien Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5d255ca7-37a5-4c1b-84be-356ae3900f7e Multi Currency For WooCommerce <= 1.5.5 – Cross-Site Request Forgery Affected Software : Multi Currency For WooCommerce CVE ID : CVE-2023-49840 CVSS Score : 4.3 (Medium) Researcher/s : Nguyen Xuan Chien Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6a19d494-08d1-479a-8ba4-edeb2873866a System Dashboard <= 2.8.7 – Missing Authorization to Information Disclosure (sd_global_value) Affected Software : System Dashboard CVE ID : CVE-2023-5712 CVSS Score : 4.3 (Medium) Researcher/s : Dmitrii Ignatyev Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/70f14d9d-6ed6-4bcb-944d-f9c5aa6a17a6 WP Booking System <= 2.0.19.2 – Missing Authorization Affected Software : WP Booking System – Booking Calendar CVE ID : CVE-2023-49758 CVSS Score : 4.3 (Medium) Researcher/s : Abdi Pranata Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/805c46ec-0b8a-4a40-bfc9-5d2d8d43a17b Elementor Timeline Widget <= 2.0 – Missing Authorization to Notice Dismissal Affected Software 
: Elementor Timeline Widget CVE ID : CVE-2023-49755 CVSS Score : 4.3 (Medium) Researcher/s : Abdi Pranata Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/819b3e0c-1cd0-45f9-8621-41817ad1de5e Custom Post Type Page Template <= 1.1 – Cross-Site Request Forgery Affected Software : Custom Post Type Page Template CVE ID : CVE-2023-50372 CVSS Score : 4.3 (Medium) Researcher/s : Nguyen Xuan Chien Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8ff05617-61b1-4d1f-9230-c771f23d3283 WPsoonOnlinePage <= 1.9 – Cross-Site Request Forgery Affected Software : WPsoonOnlinePage CVE ID : CVE-2023-49760 CVSS Score : 4.3 (Medium) Researcher/s : Nguyen Xuan Chien Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a554b365-b54b-4696-87f6-df5099e15708 Caddy <= 1.9.7 – Cross-Site Request Forgery Affected Software : Caddy – Smart Side Cart for WooCommerce CVE ID : CVE-2023-49854 CVSS Score : 4.3 (Medium) Researcher/s : qilin_99 Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b331c32e-7341-458b-80be-574cfa915159 First Order Discount Woocommerce <= 1.21 – Cross-Site Request Forgery Affected Software : First Order Discount Woocommerce CVE ID : CVE-2023-49843 CVSS Score : 4.3 (Medium) Researcher/s : Nguyen Xuan Chien Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b9d161a3-eb9f-447f-b2d2-b8b193678d20 Bulk Edit Post Titles <= 5.0.0 – Missing Authorization Affected Software : Bulk Edit Post Titles CVE ID : CVE-2023-49754 CVSS Score : 4.3 (Medium) Researcher/s : Nguyen Xuan Chien Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bbdeaa77-72c9-4afc-8913-7a1e44cdeb82 Responsive Slick Slider WordPress <= 1.4 – Authenticated (Contributor+) Content Injection Affected Software : Responsive 
Slick Slider WordPress CVE ID : CVE-2023-49852 CVSS Score : 4.3 (Medium) Researcher/s : Abdi Pranata Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c59f1784-da65-4e6d-b284-d65ee2196be9 WooDiscuz – WooCommerce Comments <= 2.3.0 – Cross-Site Request Forgery Affected Software : WooDiscuz – WooCommerce Comments CVE ID : CVE-2023-49759 CVSS Score : 4.3 (Medium) Researcher/s : Skalucy Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e0bfa461-5cea-40e8-af9f-800cdbb6efb5 Post Duplicator <= 2.31 – Missing Authorization via mtphr_duplicate_post Affected Software : Post Duplicator CVE ID : CVE-2023-49835 CVSS Score : 4.3 (Medium) Researcher/s : Huynh Tien Si Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e5665931-8da9-44db-a5b1-46acebf14f3b Multiple Themes by KlbTheme <= (Various Versions) – Cross-Site Request Forgery Affected Software/s : Medibazar – Medical WooCommerce Theme, Machic – Electronics Store WooCommerce Theme, Furnob – Furniture Store WooCommerce Theme, Cosmetsy – Beauty Cosmetics Shop Theme, Clotya – Fashion Store eCommerce Theme, Bacola – Grocery Store and Food eCommerce Theme, Partdo – Auto Parts and Tools Shop WooCommerce Theme CVE ID : CVE-2023-49838 CVSS Score : 4.3 (Medium) Researcher/s : Vladislav Pokrovsky (ΞX.MI) Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e6d5036a-c756-47a6-b071-c393f8a6ce5e System Dashboard <= 2.8.7 – Missing Authorization to Information Disclosure (sd_option_value) Affected Software : System Dashboard CVE ID : CVE-2023-5713 CVSS Score : 4.3 (Medium) Researcher/s : Dmitrii Ignatyev Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e9d1a33b-2518-48f7-90b6-a94a34473d1e System Dashboard <= 2.8.7 – Missing Authorization to Information Disclosure (sd_constants) Affected 
Software : System Dashboard CVE ID : CVE-2023-5710 CVSS Score : 4.3 (Medium) Researcher/s : Dmitrii Ignatyev Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f170379e-e833-42e0-96fd-1e1722a8331c Eventin <= 3.3.44 – Missing Authorization Affected Software : Event Manager, Event Calendar, Event Tickets for WooCommerce – Eventin CVE ID : CVE-2023-49756 CVSS Score : 4.3 (Medium) Researcher/s : Abdi Pranata Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f256036d-11e8-4311-baa0-d15193c72da0 Product Enquiry for WooCommerce <= 3.0 – Cross-Site Request Forgery Affected Software : Product Enquiry for WooCommerce CVE ID : CVE-2023-49761 CVSS Score : 4.3 (Medium) Researcher/s : thiennv Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f37cc9d0-345e-4ab7-ae99-d9d7fee6c1e5 CSprite <= 1.1 – Cross-Site Request Forgery Affected Software : CSprite CVE ID : CVE-2023-49763 CVSS Score : 4.3 (Medium) Researcher/s : Skalucy Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f5da3a4f-7084-4ba9-89c9-5a480efc7eca BC Menu Bar Cart Icon For WooCommerce By Binary Carpenter <= 1.49.3 – Cross-Site Request Forgery Affected Software : Menu Bar Cart Icon For WooCommerce By Binary Carpenter CVE ID : CVE-2023-49855 CVSS Score : 4.3 (Medium) Researcher/s : Skalucy Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fc626bdb-e962-407c-95c3-3f9e28dc5876 Welcart e-Commerce <= 2.9.6 – Authenticated (Administrator+) Directory Traversal Affected Software : Welcart e-Commerce CVE ID : CVE-2023-6120 CVSS Score : 4.1 (Medium) Researcher/s : Marco Wotschka (Wordfence Vulnerability Researcher) Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2677cea6-d60d-4e10-afd7-e088a5592b19 As a reminder, Wordfence has 
curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence. This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can. Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
