
# Wordfence Intelligence Weekly WordPress Vulnerability Report (January 1, 2023 to January 7, 2023)

🎉 Wordfence just launched its bug bounty program. For the first 6 months, all awarded bounties receive a 10% bonus. View the announcement to learn more now!

Last week, there were 85 vulnerabilities disclosed in 74 WordPress plugins and 2 WordPress themes that were added to the Wordfence Intelligence Vulnerability Database, and 39 vulnerability researchers contributed to WordPress security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, including the WordPress community, so that individuals and organizations alike can use that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and use, both personally and commercially, and why we run this weekly vulnerability report.

Enterprises, hosting providers, and even individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Alternatively, use the Vulnerability Database API to receive a complete dump of our database of over 12,000 vulnerabilities, then use the webhook integration to stay on top of the newest vulnerabilities added in real time, as well as any updates made to the database, all for free.

Click here to sign up for our mailing list to receive weekly vulnerability reports like this one, and important WordPress security reports, in your inbox the moment they are published.
## New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection. The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real time to our Premium, Care, and Response customers last week:

- POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress <= 2.8.6 – Authorization Bypass via type connect-app API
- Astra Pro <= 4.3.1 – Authenticated (Contributor+) Remote Code Execution via Metabox
- Generic Object Injection
- Generic XSS in Custom Meta

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.

## Total Unpatched & Patched Vulnerabilities Last Week

| Patch Status | Number of Vulnerabilities |
| --- | --- |
| Unpatched | 33 |
| Patched | 52 |

## Total Vulnerabilities by CVSS Severity Last Week

| Severity Rating | Number of Vulnerabilities |
| --- | --- |
| Low Severity | 1 |
| Medium Severity | 67 |
| High Severity | 13 |
| Critical Severity | 4 |

## Total Vulnerabilities by CWE Type Last Week

| Vulnerability Type by CWE | Number of Vulnerabilities |
| --- | --- |
| Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 27 |
| Missing Authorization | 18 |
| Cross-Site Request Forgery (CSRF) | 13 |
| Deserialization of Untrusted Data | 7 |
| Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 5 |
| Authorization Bypass Through User-Controlled Key | 3 |
| Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | 3 |
| Improper Input Validation | 2 |
| Information Exposure | 2 |
| Argument Injection or Modification | 1 |
| Use of Less Trusted Source | 1 |
| Improper Access Control | 1 |
| Storing Passwords in a Recoverable Format | 1 |
| Path Traversal: ‘../filedir’ | 1 |

## Researchers That Contributed to WordPress Security Last Week

| Researcher Name | Number of Vulnerabilities |
| --- | --- |
| Rafie Muhammad | 11 |
| Ngô Thiên An (ancorn_) | 9 |
| Lucio Sá | 6 |
| Dave Jong | 5 |
| Webbernaut | 4 |
| Daniel Ruf | 4 |
| Francesco Carlucci | 4 |
| Ulyses Saicha | 3 |
| Le Ngoc Anh | 3 |
| Krzysztof Zając | 3 |
| hir0ot | 2 |
| Nex Team | 2 |
| Mika | 2 |
| Abu Hurayra (HurayraIIT) | 2 |
| Abdi Pranata | 2 |
| Colin Xu | 2 |
| Kang SeoHee | 1 |
| Huynh Tien Si | 1 |
| xEHLE | 1 |
| Bob Matyas | 1 |
| lttn | 1 |
| Akbar Kustirama | 1 |
| Joshua Chan | 1 |
| drop | 1 |
| emad | 1 |
| Matan Berson (matanber) | 1 |
| Sean Murphy | 1 |
| Pedro Cuco (illex) | 1 |
| Friday | 1 |
| Angelo Delicato | 1 |
| Dimas Maulana | 1 |
| Arvandy | 1 |
| István Márton | 1 |
| Rafshanzani Suhada | 1 |
| Debangshu Kundu | 1 |
| Arpeet Rathi | 1 |
| Dhabaleshwar Das | 1 |
| Dmitrii Ignatyev | 1 |
| Nguyen Xuan Chien | 1 |

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added to the Wordfence Intelligence leaderboard, along with being mentioned in our weekly vulnerability report.
## WordPress Plugins with Reported Vulnerabilities Last Week

| Software Name | Software Slug |
| --- | --- |
| 3D FlipBook – PDF Flipbook WordPress | interactive-3d-flipbook-powered-physics-engine |
| ActivityPub | activitypub |
| Ads Invalid Click Protection | ads-invalid-click-protection |
| Ajax Search Lite | ajax-search-lite |
| Autotitle for WordPress | autotitle-for-wordpress |
| Booster Elite for WooCommerce | booster-elite-for-woocommerce |
| Booster Plus for WooCommerce | booster-plus-for-woocommerce |
| CPT Bootstrap Carousel | cpt-bootstrap-carousel |
| Complianz – GDPR/CCPA Cookie Consent | complianz-gdpr |
| Constant Contact Forms | constant-contact-forms |
| Contact Form, Survey & Popup Form Plugin for WordPress – ARForms Form Builder | arforms-form-builder |
| Coupon Referral Program | coupon-referral-program |
| Depicter Slider – Responsive Image Slider, Video Slider & Post Slider | depicter |
| Easy SVG Allow | easy-svg-image-allow |
| Easy Social Feed – Social Photos Gallery – Post Feed – Like Box | easy-facebook-likebox |
| EmbedPress – Embed PDF, YouTube, Google Docs, Vimeo, Wistia Videos, Audios, Maps & Any Documents in Gutenberg & Elementor | embedpress |
| Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders | essential-addons-for-elementor-lite |
| Floating Notification Bar, Sticky Menu on Scroll, Announcement Banner, and Sticky Header for Any Theme – My Sticky Bar (formerly myStickymenu) | mystickymenu |
| FooGallery Premium | foogallery-premium |
| Gecka Terms Thumbnails | gecka-terms-thumbnails |
| HTML5 MP3 Player with Folder Feedburner Playlist Free | html5-mp3-player-with-mp3-folder-feedburner-playlist |
| HTML5 MP3 Player with Playlist Free | html5-mp3-player-with-playlist |
| HTML5 SoundCloud Player with Playlist Free | html5-soundcloud-player-with-playlist |
| Happy Addons for Elementor | happy-elementor-addons |
| Happy Addons for Elementor Pro | happy-elementor-addons-pro |
| Hostinger | hostinger |
| Icegram Engage – WordPress Lead Generation, Popup Builder, CTA, Optins and Email List Building | icegram |
| Ideal Interactive Map | ideal-interactive-map |
| Infogram – Add charts, maps and infographics | infogram |
| JS & CSS Script Optimizer | js-css-script-optimizer |
| Keap Official Opt-in Forms | infusionsoft-official-opt-in-forms |
| Laybuy Payment Extension for WooCommerce | laybuy-gateway-for-woocommerce |
| LearnPress – WordPress LMS Plugin | learnpress |
| LightStart – Maintenance Mode, Coming Soon and Landing Page Builder | wp-maintenance-mode |
| MapPress Maps for WordPress | mappress-google-maps-for-wordpress |
| Mapster WP Maps | mapster-wp-maps |
| MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy) | google-analytics-for-wordpress |
| OMGF \| GDPR/DSGVO Compliant, Faster Google Fonts. Easy. | host-webfonts-local |
| Orbit Fox by ThemeIsle | themeisle-companion |
| Oxygen Builder | oxygenbuilder |
| POST SMTP – The #1 WordPress SMTP Plugin with Advanced Email Logging and Delivery Failure Notifications | post-smtp |
| Page Builder: Live Composer | live-composer-page-builder |
| Page Builder: Pagelayer – Drag and Drop website builder | pagelayer |
| Posts to Page | posts-to-page |
| PowerPack Addons for Elementor (Free Widgets, Extensions and Templates) | powerpack-lite-for-elementor |
| Private Google Calendars | private-google-calendars |
| Product Delivery Date for WooCommerce – Lite | product-delivery-date-for-woocommerce-lite |
| Product Expiry for WooCommerce | product-expiry-for-woocommerce |
| Quiz Maker | quiz-maker |
| RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator | feedzy-rss-feeds |
| Randomize | randomize |
| Rate Star Review – AJAX Reviews for Content, with Star Ratings | rate-star-review |
| Site Notes | site-notes |
| TJ Shortcodes | theme-junkie-shortcodes |
| Tagbox – UGC Galleries, Social Media Widgets, User Reviews & Analytics | taggbox-widget |
| User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor | profile-builder |
| Void Contact Form 7 Widget For Elementor Page Builder | cf7-widget-elementor |
| WP 2FA – Two-factor authentication for WordPress | wp-2fa |
| WP Compress – Image Optimizer [All-In-One] | wp-compress-image-optimizer |
| WP ERP \| Complete HR solution with recruitment & job listings \| WooCommerce CRM & Accounting | erp |
| WP Job Manager | wp-job-manager |
| WP Plugin Lister | wp-plugin-lister |
| WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc | wp-sms |
| WP SOCIAL BOOKMARK MENU | wp-social-bookmark-menu |
| WP Ultimate Review | wp-ultimate-review |
| WP-Members Membership Plugin | wp-members |
| WooCommerce | woocommerce |
| WooCommerce Conversion Tracking | woocommerce-conversion-tracking |
| WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels | print-invoices-packing-slip-labels-for-woocommerce |
| Woocommerce Tranzila Payment Gateway | woo-tranzila-gateway |
| WordPress Users | wordpress-users |
| cformsII | cforms2 |
| oEmbed Gist | oembed-gist |
| pTypeConverter | ptypeconverter |

## WordPress Themes with Reported Vulnerabilities Last Week

| Software Name | Software Slug |
| --- | --- |
| Meris | meris |
| Weaver Xtreme | weaver-xtreme |

## Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to use.
### WooCommerce Tranzila Gateway <= 1.0.8 – Unauthenticated PHP Object Injection

Affected Software: Woocommerce Tranzila Payment Gateway
CVE ID: CVE-2023-52218
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3ed30ebb-cb06-428c-a60e-676f36e75fa9

### LearnPress <= 4.2.5.7 – Unauthenticated SQL Injection via order_by

Affected Software: LearnPress – WordPress LMS Plugin
CVE ID: CVE-2023-6567
CVSS Score: 9.8 (Critical)
Researcher/s: hir0ot
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6ab578cd-3a0b-43d3-aaa7-0a01f431a4e2

### Taggbox <= 3.1 – Unauthenticated PHP Object Injection

Affected Software: Tagbox – UGC Galleries, Social Media Widgets, User Reviews & Analytics
CVE ID: CVE-2023-52225
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cae6e8b9-a8a9-41d3-83e8-d833515a0244

### WP Compress – Image Optimizer [All-In-One] <= 6.10.33 – Unauthenticated Directory Traversal via css

Affected Software: WP Compress – Image Optimizer [All-In-One]
CVE ID: CVE-2023-6699
CVSS Score: 9.1 (Critical)
Researcher/s: Krzysztof Zając
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/defb87dd-bf5f-411f-b948-699337d05d44

### Gecka Terms Thumbnails <= 1.1 – Authenticated (Subscriber+) PHP Object Injection

Affected Software: Gecka Terms Thumbnails
CVE ID: CVE-2023-52219
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/07abe182-370f-4241-9631-387a7930f2f6

### HTML5 SoundCloud Player <= 2.8.0 – Authenticated (Author+) PHP Object Injection

Affected Software: HTML5 SoundCloud Player with Playlist Free
CVE ID: CVE-2023-52205
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/229235de-03c6-4560-b0ea-ab21fde256be

### Page Builder: Live Composer <= 1.5.25 – Authenticated (Author+) PHP Object Injection

Affected Software: Page Builder: Live Composer
CVE ID: CVE-2023-52206
CVSS Score: 8.8 (High)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2a0f9f80-e338-4afd-9a4b-e421865c8b0b

### HTML5 MP3 Player with Playlist Free <= 3.0.0 – Authenticated (Author+) PHP Object Injection

Affected Software: HTML5 MP3 Player with Playlist Free
CVE ID: CVE-2023-52207
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2eac991e-fc34-456c-a9a6-d30fde39fd42

### Randomize <= 1.4.3 – Authenticated (Contributor+) SQL Injection

Affected Software: Randomize
CVE ID: CVE-2023-52204
CVSS Score: 8.8 (High)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7b971ae0-624d-416e-b2f2-92ce44e96418

### HTML5 MP3 Player with Folder Feedburner <= 2.8.0 – Authenticated (Author+) PHP Object Injection

Affected Software: HTML5 MP3 Player with Folder Feedburner Playlist Free
CVE ID: CVE-2023-52202
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8b7321e8-153c-4586-8114-65583e06573e

### OMGF | GDPR/DSGVO Compliant, Faster Google Fonts. Easy. <= 5.7.9 – Missing Authorization to Unauthenticated Directory Deletion and Cross-Site Scripting

Affected Software: OMGF | GDPR/DSGVO Compliant, Faster Google Fonts. Easy.
CVE ID: CVE-2023-6600
CVSS Score: 8.6 (High)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4e835b97-c066-4e8f-b99f-1a930105af0c

### LearnPress <= 4.2.5.7 – Command Injection

Affected Software: LearnPress – WordPress LMS Plugin
CVE ID: CVE-2023-6634
CVSS Score: 8.1 (High)
Researcher/s: hir0ot
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/21291ed7-cdc0-4698-9ec4-8417160845ed

### Hostinger <= 1.9.7 – Missing Authorization to Maintenance Mode Activation

Affected Software: Hostinger
CVE ID: CVE-2023-6751
CVSS Score: 7.3 (High)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d89cf759-5e5f-43e2-90a9-a8e554653ee1

### ARForms <= 1.5.8 – Unauthenticated Stored Cross-Site Scripting via arf_http_referrer_url

Affected Software: Contact Form, Survey & Popup Form Plugin for WordPress – ARForms Form Builder
CVE ID: CVE-2023-6828
CVSS Score: 7.2 (High)
Researcher/s: drop
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6e349cae-a996-4a32-807a-a98ebcb01edd

### POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress <= 2.8.7 – Unauthenticated Stored Cross-Site Scripting via device

Affected Software: POST SMTP – The #1 WordPress SMTP Plugin with Advanced Email Logging and Delivery Failure Notifications
CVE ID: CVE-2023-7027
CVSS Score: 7.2 (High)
Researcher/s: Sean Murphy
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7e8911a3-ce0f-420c-bf2a-1c2929d01cef

### WP ERP <= 1.12.8 – Authenticated (Accounting manager+) SQL Injection

Affected Software: WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting
CVE ID: CVE-2024-21747
CVSS Score: 7.2 (High)
Researcher/s: Arvandy
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b7d85921-9d70-4812-9c5f-11ee1d0821be

### pTypeConverter <= 0.2.8.1 – Authenticated (Editor+) SQL Injection

Affected Software: pTypeConverter
CVE ID: CVE-2023-52201
CVSS Score: 7.2 (High)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d3c26454-a91d-4141-9b31-5c902c5e8eec

### WP-Members Membership Plugin <= 3.4.8 – Missing Authorization to Sensitive Information Exposure

Affected Software: WP-Members Membership Plugin
CVE ID: CVE-2023-6733
CVSS Score: 6.5 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/46c61f38-553e-43b2-a666-b160db40e66d

### Coupon Referral Program <= 1.7.2 – Sensitive Information Disclosure

Affected Software: Coupon Referral Program
CVE ID: CVE-2023-52190
CVSS Score: 6.5 (Medium)
Researcher/s: Dave Jong
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6015e204-1e07-4c75-ad22-969045934468

### Ideal Interactive Map <= 1.2.4 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Ideal Interactive Map
CVE ID: CVE-2023-52189
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/019c5e06-1345-4c8e-abb9-dc0ea5d55ef5

### Page Builder: Live Composer <= 1.5.23 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Page Builder: Live Composer
CVE ID: CVE-2023-52193
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/09631637-55e2-4e1e-9dcb-bba205be5f43

### Easy SVG Allow <= 1.0 – Authenticated (Author+) Stored Cross-Site Scripting via SVG

Affected Software: Easy SVG Allow
CVE ID: CVE-2023-7089
CVSS Score: 6.4 (Medium)
Researcher/s: Bob Matyas
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1a766b5b-e21e-4009-86d9-7f0a5c91ed51

### Orbit Fox Companion <= 2.10.26 – Authenticated (Contributor+) Stored Cross-Site Scripting via custom fields

Affected Software: Orbit Fox by ThemeIsle
CVE ID: CVE-2023-6781
CVSS Score: 6.4 (Medium)
Researcher/s: Nex Team
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/23e39019-c322-4027-84f2-faabd9ca4983

### MapPress Maps for WordPress <= 2.88.13 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: MapPress Maps for WordPress
CVE ID: CVE-2023-6524
CVSS Score: 6.4 (Medium)
Researcher/s: Akbar Kustirama
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/28a8f025-c2ab-4a5f-a99e-a2d19b14a190

### Posts to Page <= 1.7 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Posts to Page
CVE ID: CVE-2023-52195
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2e5fdaae-3ef2-477e-b79b-0b6e415edb40

### Laybuy Payment Extension for WooCommerce <= 5.3.9 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Laybuy Payment Extension for WooCommerce
CVE ID: CVE-2024-21745
CVSS Score: 6.4 (Medium)
Researcher/s: Abu Hurayra (HurayraIIT)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4c91caaa-9bdd-4170-98f1-0d686d3ffcba

### 3D Flipbook <= 1.15.2 – Authenticated (Contributor+) Cross-Site Scripting via Ready Function

Affected Software: 3D FlipBook – PDF Flipbook WordPress
CVE ID: CVE-2023-6776
CVSS Score: 6.4 (Medium)
Researcher/s: Webbernaut
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/500fd8aa-9ad1-41ee-bbeb-cda9c80c4fcb

### Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders <= 5.9.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders
CVE ID: CVE-2023-7044
CVSS Score: 6.4 (Medium)
Researcher/s: Webbernaut
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6e770e98-3c13-4e37-b51b-4c39bce2cb42

### Infogram <= 1.6.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Infogram – Add charts, maps and infographics
CVE ID: CVE-2023-52191
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/72e1482c-0f55-4f43-8590-d4f2758f0eea

### Keap Official Opt-in Forms <= 1.0.11 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Keap Official Opt-in Forms
CVE ID: CVE-2023-52192
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9a0f1006-8015-4e67-9b03-16d3ad3c0e77

### RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator <= 4.3.2 – Authenticated (Author+) Stored Cross-Site Scripting

Affected Software: RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator
CVE ID: CVE-2023-6801
CVSS Score: 6.4 (Medium)
Researcher/s: Colin Xu
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a713d897-c549-4e0d-9cb3-7002ef2b127f

### EmbedPress – Embed PDF, YouTube, Google Docs, Vimeo, Wistia Videos, Audios, Maps & Any Documents in Gutenberg & Elementor <= 3.9.5 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: EmbedPress – Embed PDF, YouTube, Google Docs, Vimeo, Wistia Videos, Audios, Maps & Any Documents in Gutenberg & Elementor
CVE ID: CVE-2023-6986
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ceae0115-268c-401b-876b-3477d10c10e6

### Mapster WP Maps <= 1.2.38 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Mapster WP Maps
CVE ID: CVE-2024-21744
CVSS Score: 6.4 (Medium)
Researcher/s: Abu Hurayra (HurayraIIT)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d38ee896-8cdd-45c5-b393-bdcb7baa7bd3

### FooGallery Premium <= 2.3.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: FooGallery Premium
CVE ID: CVE-2023-6747
CVSS Score: 6.4 (Medium)
Researcher/s: Webbernaut, Debangshu Kundu, Arpeet Rathi
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/dce8ac32-cab8-4e05-bf6f-cc348d0c9472

### Private Google Calendars <= 20231125 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Private Google Calendars
CVE ID: CVE-2023-52198
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e276cc49-2da1-4e2f-bb64-28ffe6ec9acf

### Oxygen Builder <= 4.8 – Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Field

Affected Software: Oxygen Builder
CVE ID: CVE-2023-6938
CVSS Score: 6.4 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ee069cb3-370e-48ea-aa35-c30fe83c2498

### TJ Shortcodes 0.1.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: TJ Shortcodes
CVE ID: CVE-2023-6530
CVSS Score: 6.4 (Medium)
Researcher/s: Dmitrii Ignatyev
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f88ef4cf-3f22-40e0-b651-59cb40f148fd

### oEmbed Gist <= 4.9.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: oEmbed Gist
CVE ID: CVE-2023-52194
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fed0e3bc-1401-410a-805d-1ea3e423024b

### Rate Star Review <= 1.5.1 – Reflected Cross-Site Scripting

Affected Software: Rate Star Review – AJAX Reviews for Content, with Star Ratings
CVE ID: CVE-2023-52213
CVSS Score: 6.1 (Medium)
Researcher/s: Kang SeoHee
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/025a13e6-5f0a-49ca-bd63-44e4095072bd

### Autotitle for WordPress <= 1.0.3 – Cross-Site Request Forgery to Settings Update and Stored Cross-Site Scripting

Affected Software: Autotitle for WordPress
CVE ID: CVE-2023-6946
CVSS Score: 6.1 (Medium)
Researcher/s: Daniel Ruf
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/062d906d-5a6e-4180-a2f2-18411334b9a1

### Happy Addons for Elementor <= 3.9.1.1 – Reflected Cross-Site Scripting

Affected Software/s: Happy Addons for Elementor Pro, Happy Addons for Elementor
CVE ID: CVE-2023-6632
CVSS Score: 6.1 (Medium)
Researcher/s: xEHLE
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/06ef69f0-34d3-4389-8a81-a4d9922f1468

### Ajax Search Lite <= 4.11.4 – Reflected Cross-Site Scripting

Affected Software: Ajax Search Lite
CVE ID: CVE-2024-21752
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/19418da4-bef4-4cbc-901c-f2aeee39b3cf

### WP Plugin Lister <= 2.1.0 – Cross-Site Request Forgery to Settings Update and Stored Cross-Site Scripting

Affected Software: WP Plugin Lister
CVE ID: CVE-2023-6503
CVSS Score: 6.1 (Medium)
Researcher/s: Daniel Ruf
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3b819e88-111a-4611-ae23-87ac7a878b4a

### POST SMTP Mailer <= 2.8.6 – Reflected Cross-Site Scripting via msg

Affected Software: POST SMTP – The #1 WordPress SMTP Plugin with Advanced Email Logging and Delivery Failure Notifications
CVE ID: CVE-2023-6629
CVSS Score: 6.1 (Medium)
Researcher/s: Matan Berson (matanber)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7681f984-d488-4da7-afe1-988e5ad012f2

### Meris <= 1.1.2 – Reflected Cross-Site Scripting

Affected Software: Meris
CVE ID: CVE-2023-7194
CVSS Score: 6.1 (Medium)
Researcher/s: Angelo Delicato
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a627f10a-1463-4e4b-98a9-2008fa76e25a

### CPT Bootstrap Carousel <= 1.12 – Reflected Cross-Site Scripting

Affected Software: CPT Bootstrap Carousel
CVE ID: CVE-2023-52196
CVSS Score: 6.1 (Medium)
Researcher/s: Dimas Maulana
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a78321b7-b62b-40ab-a15d-037ebd905d8b

### WP SMS <= 6.5 – Authenticated (Admin+) SQL Injection to Reflected Cross-Site Scripting

Affected Software: WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc
CVE ID: CVE-2023-6981
CVSS Score: 6.1 (Medium)
Researcher/s: Krzysztof Zając
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b8f53053-5150-4fba-b8d6-3d6c9df32c69

### Weaver Xtreme <= 6.3.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Weaver Xtreme
CVE ID: CVE-2023-6990
CVSS Score: 5.4 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bc7384d7-c2fd-4d63-9b80-bb5bde9a23d5

### RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator <= 4.3.2 – Missing Authorization

Affected Software: RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator
CVE ID: CVE-2023-6798
CVSS Score: 5.4 (Medium)
Researcher/s: Colin Xu
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c2cdf4e5-0a40-42ca-b5ac-78511fdd2b77

### Product Expiry for WooCommerce <= 2.5 – Missing Authorization to Authenticated (Subscriber+) Plugin Settings Update

Affected Software: Product Expiry for WooCommerce
CVE ID: CVE-2024-0201
CVSS Score: 5.4 (Medium)
Researcher/s: István Márton
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c4006612-770a-482f-a8c2-e62f607914a9

### PageLayer <= 1.7.8 – Authenticated (Contributor+) Stored Cross-Site Scripting via meta fields

Affected Software: Page Builder: Pagelayer – Drag and Drop website builder
CVE ID: CVE-2023-6738
CVSS Score: 5.4 (Medium)
Researcher/s: Nex Team
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d14c8890-482c-4d43-a68f-0d04c4feca8f

### Constant Contact Forms <= 2.4.2 – Information Disclosure via Log Files

Affected Software: Constant Contact Forms
CVE ID: CVE-2023-52208
CVSS Score: 5.3 (Medium)
Researcher/s: Joshua Chan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2990b307-2b07-4daf-917b-d9587253cbeb

### WP Ultimate Review <= 2.2.5 – IP Spoofing

Affected Software: WP Ultimate Review
CVE ID: CVE-2024-21746
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/31418a45-7dae-4cd4-8f85-0498a285ef6d

### ActivityPub <= 1.0.5 – Missing Authorization

Affected Software: ActivityPub
CVE ID: CVE-2023-52199
CVSS Score: 5.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3666a841-711d-4ecf-bb77-f2db4d5817ea

### Product Delivery Date for WooCommerce – Lite <= 2.7.0 – Missing Authorization

Affected Software: Product Delivery Date for WooCommerce – Lite
CVE ID: CVE-2023-52210
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4a32ae77-3d4e-4fd4-a43a-7d1a52dcfa77

### WP Job Manager <= 2.0.0 – Missing Authorization

Affected Software: WP Job Manager
CVE ID: CVE-2023-52211
CVSS Score: 5.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8b1af76a-3836-4527-9ea6-8bffa173a84e

### PowerPack Addons for Elementor (Free Widgets, Extensions and Templates) <= 2.7.13 – Cross-Site Request Forgery

Affected Software: PowerPack Addons for Elementor (Free Widgets, Extensions and Templates)
CVE ID: CVE-2023-6984
CVSS Score: 5.3 (Medium)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fe2cfc96-63f4-4e4b-bf49-6031594a4805

### Complianz | GDPR/CCPA Cookie Consent <= 6.5.5 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings

Affected Software: Complianz – GDPR/CCPA Cookie Consent
CVE ID: CVE-2023-6498
CVSS Score: 4.4 (Medium)
Researcher/s: Webbernaut
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/01c1458d-3e38-4dbf-bb65-80465ea6d0ad

### CformsII <= 15.0.5 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: cformsII
CVE ID: CVE-2023-52203
CVSS Score: 4.4 (Medium)
Researcher/s: emad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/72800e9b-8e2c-4725-9a87-a9b187ad5967

### Ads Invalid Click Protection <= 1.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Ads Invalid Click Protection
CVE ID: CVE-2023-52197
CVSS Score: 4.4 (Medium)
Researcher/s: Dhabaleshwar Das
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f0fa8050-6318-4528-8dd4-a3ca5467cfaa

### Icegram <= 3.1.20 – Missing Authorization

Affected Software: Icegram Engage – WordPress Lead Generation, Popup Builder, CTA, Optins and Email List Building
CVE ID: CVE-2024-21748
CVSS Score: 4.3 (Medium)
Researcher/s: Huynh Tien Si
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/059f526f-6769-4092-92b0-2ef6248963ee

### WP 2FA – Two-factor authentication for WordPress <= 2.5.0 – Cross-Site Request Forgery

Affected Software: WP 2FA – Two-factor authentication for WordPress
CVE ID: CVE-2023-6520
CVSS Score: 4.3 (Medium)
Researcher/s: Ulyses Saicha
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0af451be-2477-453c-a230-7f3fb804398b

### WP Social Bookmark Menu <= 1.2 – Cross-Site Request Forgery to Settings Update

Affected Software: WP SOCIAL BOOKMARK MENU
CVE ID: CVE-2023-7074
CVSS Score: 4.3 (Medium)
Researcher/s: Daniel Ruf
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/120a75c5-4fff-4a77-b376-d6968853b40e

### LearnPress <= 4.2.5.7 – Insecure Direct Object Reference to Information Disclosure

Affected Software: LearnPress – WordPress LMS Plugin
CVE ID: CVE-2023-6223
CVSS Score: 4.3 (Medium)
Researcher/s: lttn
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/215d5d9e-dabb-462d-8c51-952f8c497b78

### Booster Plus for WooCommerce < 7.1.2 – Missing Authorization to Order Information Disclosure

Affected Software: Booster Plus for WooCommerce
CVE ID: CVE-2023-52231
CVSS Score: 4.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/38a90190-569f-46d8-bef4-fe28caf5e2fc

### WordPress Users <= 1.4 – Cross-Site Request Forgery to Settings Update

Affected Software: WordPress Users
CVE ID: CVE-2023-6390
CVSS Score: 4.3 (Medium)
Researcher/s: Daniel Ruf
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3c1a7bda-29c5-4b4b-bbd8-71187609892e

### Easy Social Feed <= 6.5.2 – Missing Authorization to Settings Modification

Affected Software: Easy Social Feed – Social Photos Gallery – Post Feed – Like Box
CVE ID: CVE-2023-6883
CVSS Score: 4.3 (Medium)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3deee9b5-2e36-447d-a492-e22e3dc6a5ab

### Quiz Maker <= 6.5.1.1 – Missing Authorization

Affected Software: Quiz Maker
CVE ID: CVE-2024-21743
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4e62f27b-c6b0-48ed-bfd7-a1893552eb3e

### WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels <= 4.3.0 – Missing Authorization to Order Export

Affected Software: WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels
CVE ID: CVE-2023-7068
CVSS Score: 4.3 (Medium)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5abc282d-68c9-423c-a15c-d4d3f7035661

### WP Job Manager <= 2.0.0 – Cross-Site Request Forgery

Affected Software: WP Job Manager
CVE ID: CVE-2023-52212
CVSS Score: 4.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/69430e1a-db2f-4715-84aa-5a1dfd712180

### Google Analytics by Monster Insights <= 8.21.0 – Missing Authorization

Affected Software: MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy)
CVE ID: CVE-2023-52220
CVSS Score: 4.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/81099cdc-bce6-4ee6-b819-c3925acf96a8

### Site Notes <= 2.0.0 – Cross-Site Request Forgery to Admin Note Deletion

Affected Software: Site Notes
CVE ID: CVE-2023-6633
CVSS Score: 4.3 (Medium)
Researcher/s: Pedro Cuco (illex)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/89cbe41d-3765-4061-8ef6-b63556a5677c

### Void Contact Form 7 Widget For Elementor Page Builder <= 2.3 – Missing Authorization

Affected Software: Void Contact Form 7 Widget For Elementor Page Builder
CVE ID: CVE-2023-52214
CVSS Score: 4.3 (Medium)
Researcher/s: Friday
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/93784c84-93b3-4f43-84a0-5aeed3ba9cfd

### WP SMS <= 6.5 – Cross-Site Request Forgery to Subscriber Deletion

Affected Software: WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc
CVE ID: CVE-2023-6980
CVSS Score: 4.3 (Medium)
Researcher/s: Krzysztof Zając
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/94ad6b51-ff8d-48d5-9a70-1781d13990a5

### LightStart – Maintenance Mode, Coming Soon and Landing Page Builder <= 2.6.8 – Missing Authorization

Affected Software: LightStart – Maintenance Mode, Coming Soon and Landing Page Builder
CVE ID: CVE-2023-7019
CVSS Score: 4.3 (Medium)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b57d3d1d-dcdb-4f11-82d8-183778baa075

### WooCommerce Conversion Tracking <= 2.0.11 – Missing Authorization

Affected Software: WooCommerce Conversion Tracking
CVE ID: CVE-2023-52217
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details:
https://wordfence.com/threat-intel/vulnerabilities/id/bf798142-4daf-41f5-8416-701d03476520 Depicter Slider – Responsive Image Slider, Video Slider & Post Slider <= 2.0.6 – Cross-Site Request Forgery via save Affected Software : Depicter Slider – Responsive Image Slider, Video Slider & Post Slider CVE ID : CVE-2023-6493 CVSS Score : 4.3 (Medium) Researcher/s : Rafshanzani Suhada Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c9c907ea-3ab4-4674-8945-ade4f6ff2679 WP 2FA <= 2.5.0 – Insecure Direct Object Reference to Arbitrary Email Sending Affected Software : WP 2FA – Two-factor authentication for WordPress CVE ID : CVE-2023-6506 CVSS Score : 4.3 (Medium) Researcher/s : Ulyses Saicha Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/caff9be6-4161-47a0-ba47-6c8fc0c4ab40 Booster Plus for WooCommerce < 7.1.3 – Missing Authorization to Arbitrary Options Disclosure Affected Software : Booster Plus for WooCommerce CVE ID : CVE-2023-52230 CVSS Score : 4.3 (Medium) Researcher/s : Dave Jong Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/dd0a4212-fe04-4c3b-9d78-b1a0bf97e274 Booster Plus for WooCommerce < 7.1.2 – Missing Authorization to Arbitrary Page/Post Deletion Affected Software : Booster Plus for WooCommerce CVE ID : CVE-2023-52232 CVSS Score : 4.3 (Medium) Researcher/s : Dave Jong Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/df65af54-ce55-4c50-8a62-5541a1879ad4 WooCommerce <= 8.2.2 – Cross-Site Request Forgery Affected Software : WooCommerce CVE ID : CVE-2023-52222 CVSS Score : 4.3 (Medium) Researcher/s : Rafie Muhammad Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/eb8517bc-f45f-40a1-ae80-ed227c8b32d7 Booster Elite for WooCommerce < 7.1.2 – Missing Authorization to Order Information Disclosure Affected Software 
: Booster Elite for WooCommerce CVE ID : CVE-2023-52234 CVSS Score : 4.3 (Medium) Researcher/s : Dave Jong Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f4afcb16-9c97-483f-be48-31b5156bcca3 Profile Builder <= 3.10.7 – Insecure Direct Object Reference to Sensitive Information Exposure via user_meta Shortcode Affected Software : User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor CVE ID : CVE-2023-6504 CVSS Score : 4.3 (Medium) Researcher/s : Francesco Carlucci Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f515ccf8-7231-4728-b155-c47049087d42 JS & CSS Script Optimizer <= 0.3.3 – Cross-Site Request Forgery Affected Software : JS & CSS Script Optimizer CVE ID : CVE-2023-52216 CVSS Score : 4.3 (Medium) Researcher/s : Nguyen Xuan Chien Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fb863896-5a5a-4c65-b2a5-0901de7961f2 My Sticky Bar <= 2.6.6 – Cross-Site Request Forgery to Sensitive Information Exposure Affected Software : Floating Notification Bar, Sticky Menu on Scroll, Announcement Banner, and Sticky Header for Any Theme – My Sticky Bar (formerly myStickymenu) CVE ID : CVE-2023-7048 CVSS Score : 3.1 (Low) Researcher/s : Ulyses Saicha Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/be0ab40f-cff7-48bd-8dae-cc50af047151 As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence. 
This database is continuously updated, maintained, and populated by Wordfence's highly credentialed and experienced vulnerability researchers through in-house vulnerability research, through vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring a variety of sources to capture all publicly available WordPress vulnerability information and add additional context where we can. Sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress security reports in your inbox the moment they are published.
