Wordfence Intelligence Weekly WordPress Vulnerability Report (January 22, 2024 to January 28, 2024)

Wordfence Intelligence Weekly WordPress Vulnerability Report (January 22, 2024 to January 28, 2024) πŸŽ‰ Did you know we’re running a Bug Bounty Extravaganza again? Earn over 6x our usual bounty rates, up to $10,000,Β  for all vulnerabilities submitted through February 29th, 2024 when you opt to have Wordfence handle responsible disclosure! Last week, there were 52 vulnerabilities disclosed in 42 WordPress Plugins and no WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 26 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected. Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report. Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 12,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free . Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published. Total Unpatched & Patched Vulnerabilities Last Week Patch Status
Number of Vulnerabilities
Unpatched 15 Patched 37 Total Vulnerabilities by CVSS Severity Last Week Severity Rating
Number of Vulnerabilities
Low Severity 0 Medium Severity 46 High Severity 5 Critical Severity 1 Total Vulnerabilities by CWE Type Last Week Vulnerability Type by CWE
Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (β€˜Cross-site Scripting’) 25 Cross-Site Request Forgery (CSRF) 8 Missing Authorization 5 Improper Access Control 5 Deserialization of Untrusted Data 2 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) 2 Use of Insufficiently Random Values 1 Improper Control of Generation of Code (β€˜Code Injection’) 1 Improper Neutralization of Special Elements used in an SQL Command (β€˜SQL Injection’) 1 Improper Limitation of a Pathname to a Restricted Directory (β€˜Path Traversal’) 1 Inappropriate Source Code Style or Formatting 1 Researchers That Contributed to WordPress Security Last Week Researcher Name
Number of Vulnerabilities
Bob Matyas 8 Webbernaut 6 Francesco Carlucci 6 Krzysztof ZajΔ…c 5 Daniel Ruf 4 Sh 2 Majed Refaea 2 Yuki Haruma 1 Tobias Weißhaar (kun_19) 1 Le Ngoc Anh 1 Byeongjun Jo 1 Pedro Cuco (Illex) 1 Bence Szalai 1 arpeetrathi 1 stealthcopter 1 Sam Pizzey (mopman) 1 Colin Xu 1 Ahmed Algohary 1 Akbar Kustirama 1 kodaichodai 1 Dipak Panchal (th3.d1p4k) 1 Nex Team 1 drop 1 Ma Long 1 SudoBash 1 Richard Telleng (stueotue) 1 Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report. WordPress Plugins with Reported Vulnerabilities Last Week Software Name
Software Slug
(Simply) Guest Author Name guest-author-name 10Web AI Assistant – AI content writing assistant ai-assistant-by-10web AMP for WP – Accelerated Mobile Pages accelerated-mobile-pages Add SVG Support for Media Uploader | inventivo add-svg-support-for-media-uploader-inventivo Advanced Database Cleaner advanced-database-cleaner Advanced Schedule Posts advanced-schedule-posts Allow SVG allow-svg Backuply – Backup, Restore, Migrate and Clone backuply Better Follow Button for Jetpack better-follow-button-for-jetpack Better Search Replace better-search-replace Category Discount Woocommerce woo-product-category-discount Content Views – Post Grid, Slider, Accordion (Gutenberg Blocks and Shortcode) content-views-query-and-display-post-page Elementor Addons by Livemesh addons-for-elementor Exclusive Addons for Elementor exclusive-addons-for-elementor File Manager wp-file-manager File Manager Pro wp-file-manager-pro Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder form-maker Formidable Forms – Contact Form, Survey, Quiz, Payment, Calculator Form & Custom Form Builder formidable InstaWP Connect – 1-click WP Staging & Migration instawp-connect Mang Board WP mangboard Marketing Twitter Bot wordpress-twitterbot Meks Smart Social Widget meks-smart-social-widget PDF Generator For Fluent Forms – The Contact Form Plugin fluentforms-pdf PDF Poster – PDF Embedder Plugin for WordPress pdf-poster Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions paid-memberships-pro SVG Uploads Support svg-uploads-support Sticky Buttons – floating buttons builder sticky-buttons Ultimate Noindex Nofollow Tool ultimate-noindex-nofollow-tool Views for WPForms – Display & Edit WPForms Entries on your site frontend views-for-wpforms-lite WP Customer Area customer-area WP Dashboard Notes wp-dashboard-notes WP Go Maps (formerly WP Google Maps) wp-google-maps WP RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging wp-rss-aggregator WP-Reply Notify wp-reply-notify WPFront Notification Bar wpfront-notification-bar WebSub (FKA. PubSubHubbub) pubsubhubbub WolfNet IDX for WordPress wolfnet-idx-for-wordpress WordPress Button Plugin MaxButtons maxbuttons WordPress Simple Shopping Cart wordpress-simple-paypal-shopping-cart aBitGone CommentSafe abitgone-commentsafe coreActivity: Activity Logging plugin for WordPress coreactivity illi Link Party! link-party Vulnerability Details Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize. Better Search Replace <= 1.4.4 – Unauthenticated PHP Object Injection Affected Software : Better Search Replace CVE ID : CVE-2023-6933 CVSS Score : 9.8 (Critical) Researcher/s : Sam Pizzey (mopman) Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/895f2db1-a2ed-4a17-a4f6-cd13ee8f84af File Manager Pro <= 8.3.4 – Authenticated (Subscriber+) Arbitrary File Upload Affected Software : File Manager Pro CVE ID : CVE-2023-6846 CVSS Score : 8.8 (High) Researcher/s : Tobias Weißhaar (kun_19) Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1e8e0257-a745-495f-a103-c032b95209fc InstaWP Connect <= 0.1.0.9 – Authenticated (Subscriber+) SQL Injection Affected Software : InstaWP Connect – 1-click WP Staging & Migration CVE ID : CVE-2024-23507 CVSS Score : 8.8 (High) Researcher/s : Majed Refaea Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/578cf704-e84d-469f-bf26-e60268506a78 File Manager <= 7.2.1 – Sensitive Information Exposure via Backup Filenames Affected Software : File Manager CVE ID : CVE-2024-0761 CVSS Score : 8.1 (High) Researcher/s : Yuki Haruma Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1928f8e4-8bbe-4a3f-8284-aa12ca2f5176 illi Link Party! <= 1.0 – Unauthenticated Stored Cross-Site Scripting Affected Software : illi Link Party! CVE ID : CVE-2023-7228 CVSS Score : 7.2 (High) Researcher/s : Bob Matyas Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9df6d75b-a141-41a8-b965-6be7acee582d coreActivity <= 1.8 – Unauthenticated Stored Cross-Site Scripting Affected Software : coreActivity: Activity Logging plugin for WordPress CVE ID : CVE-2024-0852 CVSS Score : 7.2 (High) Researcher/s : Ahmed Algohary Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a2432a0a-d262-4460-bd2d-2cb200d51f6f Advanced Database Cleaner <= 3.1.3 – Authenticated(Administrator+) PHP Object Injection via process_bulk_action Affected Software : Advanced Database Cleaner CVE ID : CVE-2024-0668 CVSS Score : 6.6 (Medium) Researcher/s : Richard Telleng (stueotue) Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e0b8c24b-3e51-4637-9d8e-da065077d082 10Web AI Assistant – AI content writing assistant <= 1.0.18 – Missing Authorization to Arbitrary Plugin Installation Affected Software : 10Web AI Assistant – AI content writing assistant CVE ID : CVE-2023-6985 CVSS Score : 6.5 (Medium) Researcher/s : Krzysztof ZajΔ…c Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/229245a5-468d-47b9-8f26-d23d593e91da Backuply – Backup, Restore, Migrate and Clone <= 1.2.3 – Authenticated (Administrator+) Directory Traversal Affected Software : Backuply – Backup, Restore, Migrate and Clone CVE ID : CVE-2024-0697 CVSS Score : 6.5 (Medium) Researcher/s : Bence Szalai Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/70effa22-fbf6-44cb-9d1b-8625969c10ac Elementor Addons by Livemesh <= 8.3.1 – Authenticated (Contributor+) Stored Cross-Site Scripting Affected Software : Elementor Addons by Livemesh CVE ID : CVE-2024-0448 CVSS Score : 6.4 (Medium) Researcher/s : Webbernaut Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/058d1aa0-2ef6-49a4-b978-43a91c8e55f3 (Simply) Guest Author Name <= 4.34 – Authenticated (Contributor+) Stored Cross-Site Scripting Affected Software : (Simply) Guest Author Name CVE ID : CVE-2024-0254 CVSS Score : 6.4 (Medium) Researcher/s : Francesco Carlucci Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0e9e2864-6624-497f-8bec-df8360ed3f4a Add SVG Support for Media Uploader | inventivo <= 1.0.5 – Authenticated (Author+) Stored Cross-Site Scripting via SVG Affected Software : Add SVG Support for Media Uploader | inventivo CVE ID : CVE-2023-7088 CVSS Score : 6.4 (Medium) Researcher/s : Bob Matyas Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6ca2d1d4-fcf8-4943-b9c5-9560968ae2d8 Exclusive Addons for Elementor <= 2.6.8 – Authenticated (Contributor+) Stored Cross-Site Scripting via Link Anything Affected Software : Exclusive Addons for Elementor CVE ID : CVE-2024-0824 CVSS Score : 6.4 (Medium) Researcher/s : Webbernaut Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/925b0a86-ed23-471c-84e2-ae78a01b1876 SVG Uploads Support <= 2.1.1 – Authenticated (Author+) Stored Cross-Site Scripting via SVG Affected Software : SVG Uploads Support CVE ID : CVE-2023-7086 CVSS Score : 6.4 (Medium) Researcher/s : Bob Matyas Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ad95f0b2-4d96-4f62-b495-050a89539177 WordPress Button Plugin MaxButtons <= 9.7.6 – Authenticated(Contributor+) Stored Cross-Site Scripting via shortcode Affected Software : WordPress Button Plugin MaxButtons CVE ID : CVE-2023-7029 CVSS Score : 6.4 (Medium) Researcher/s : Webbernaut Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bca0e8a0-d837-42d8-a9d3-35e0c820eb43 Allow SVG <= 1.1 – Authenticated (Author+) Stored Cross-Site Scripting via SVG Affected Software : Allow SVG CVE ID : CVE-2023-6541 CVSS Score : 6.4 (Medium) Researcher/s : Bob Matyas Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ee725cff-959d-4078-9c2e-2d52bb904ca0 aBitGone CommentSafe <= 1.0.0 – Cross-Site Request Forgery to Settings Update and Cross-Site Request Forgery Affected Software : aBitGone CommentSafe CVE ID : CVE-2023-7174 CVSS Score : 6.1 (Medium) Researcher/s : Daniel Ruf Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2375027c-9619-40fc-811d-7f4ba02bee53 PDF Poster – PDF Embedder Plugin for WordPress <= 2.1.17 – Reflected Cross-Site Scripting Affected Software : PDF Poster – PDF Embedder Plugin for WordPress CVE ID : CVE-2024-23508 CVSS Score : 6.1 (Medium) Researcher/s : Le Ngoc Anh Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/341516d3-b785-4daf-98de-76f4f94b8c96 Ultimate Noindex Nofollow Tool <= 1.1.2 – Cross-Site Request Forgery to Settings Update Affected Software : Ultimate Noindex Nofollow Tool CVE ID : CVE-2023-7196 CVSS Score : 6.1 (Medium) Researcher/s : Daniel Ruf Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3d7ca3ff-eae4-425f-8340-9d9b4952ce4a Advanced Schedule Posts <= 2.1.8 – Reflected Cross-Site Scripting Affected Software : Advanced Schedule Posts CVE ID : CVE-2024-0249 CVSS Score : 6.1 (Medium) Researcher/s : Krzysztof ZajΔ…c Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/47122866-8e40-42bc-84ed-60fc81247320 WP Customer Area <= 8.2.2 – Reflected Cross-Site Scripting Affected Software : WP Customer Area CVE ID : CVE-2024-0665 CVSS Score : 6.1 (Medium) Researcher/s : Krzysztof ZajΔ…c Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/567d62ec-e868-45e2-b07a-8cc661d7c5e1 Accelerated Mobile Pages <= 1.0.92.1 – Reflected Cross-Site Scripting Affected Software : AMP for WP – Accelerated Mobile Pages CVE ID : CVE-2024-0587 CVSS Score : 6.1 (Medium) Researcher/s : stealthcopter Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/85ca96a6-7992-424b-8b88-9a0751925223 WP Go Maps (formerly WP Google Maps) <= 9.0.28 – Reflected Cross-Site Scripting Affected Software : WP Go Maps (formerly WP Google Maps) CVE ID : CVE-2023-6697 CVSS Score : 6.1 (Medium) Researcher/s : Nex Team Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b3c3115b-8921-429d-b517-b946edab1cd5 Formidable Forms <= 6.7.2 – Cross-Site Request Forgery to Stored Cross-Site Scripting Affected Software : Formidable Forms – Contact Form, Survey, Quiz, Payment, Calculator Form & Custom Form Builder CVE ID : CVE-2024-0660 CVSS Score : 6.1 (Medium) Researcher/s : Webbernaut Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b983d22b-6cd2-4450-99e2-88bb149091fe Marketing Twitter Bot <= 1.11 – Cross-Site Request Forgery to Settings Update and Cross-Site Scripting Affected Software : Marketing Twitter Bot CVE ID : CVE-2023-7197 CVSS Score : 6.1 (Medium) Researcher/s : Daniel Ruf Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e2795202-64e6-488b-a0e1-da2923f6f791 Exclusive Addons for Elementor <= 2.6.8 – Authenticated (Contributor+) Stored Cross-Site Scripting Affected Software : Exclusive Addons for Elementor CVE ID : CVE-2024-0823 CVSS Score : 5.4 (Medium) Researcher/s : Webbernaut Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2c5cdc3f-eaa6-4d0b-9e75-5483c723e15a Form-Maker (twb_form-maker) <= 1.15.21 – Cross-Site Request Forgery to Limited Code Execution via Execute Affected Software : Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder CVE ID : CVE-2024-0667 CVSS Score : 5.4 (Medium) Researcher/s : SudoBash Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d55c832b-f558-4e8a-8301-33dd38d39ef1 illi Link Party! <= 1.0 – Missing Authorization to Unauthenticated Arbitrary Link Deletion Affected Software : illi Link Party! CVE ID : CVE-2023-7231 CVSS Score : 5.3 (Medium) Researcher/s : Bob Matyas Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3d68293a-b98b-41e0-9f79-ccd2c0108e82 Category Discount Woocommerce <= 4.12 – Missing Authorization via wpcd_save_discount() Affected Software : Category Discount Woocommerce CVE ID : CVE-2024-0617 CVSS Score : 5.3 (Medium) Researcher/s : Krzysztof ZajΔ…c Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/996b44bb-d1e0-4f82-b8ee-a98b0ae994f9 Paid Memberships Pro <= 2.12.7 – Cross-Site Request Forgery to Level Orders Update Affected Software : Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions CVE ID : CVE-2024-0624 CVSS Score : 5.3 (Medium) Researcher/s : kodaichodai Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ae68d083-b6e2-409b-8c91-d4eb7e62dba9 Category Discount Woocommerce <= 4.11 – Cross-Site Request Forgery via wpcd_save_discount() Affected Software : Category Discount Woocommerce CVE ID : CVE-2024-0617 CVSS Score : 5.3 (Medium) Researcher/s : Krzysztof ZajΔ…c Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f04dee5b-d16f-4ef0-88a4-1567e2287bd5 PDF Generator For Fluent Forms <= 1.1.7 – Cross-Site Scripting Affected Software : PDF Generator For Fluent Forms – The Contact Form Plugin CVE ID : CVE-2023-6953 CVSS Score : 4.9 (Medium) Researcher/s : drop Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b6675c48-43d4-4394-a4a3-f753bdaa5c4e WPFront Notification Bar <= 3.3.2 – Authenticated (Admin+) Stored Cross-Site Scripting via wpfront-notification-bar-options[custom_class] Affected Software : WPFront Notification Bar CVE ID : CVE-2024-0625 CVSS Score : 4.4 (Medium) Researcher/s : Sh Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/19a5a9f3-637c-42af-9775-5651a14cf516 Mang Board WP <= 1.7.7 – Authenticated (Administrator+) Stored Cross-Site Scripting Affected Software : Mang Board WP CVE ID : CVE-2024-22306 CVSS Score : 4.4 (Medium) Researcher/s : Byeongjun Jo Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4d8cfcdc-6258-4629-a3b4-d65e44ac82f1 Meks Smart Social Widget <= 1.6.3 – Authenticated (Admin+) Stored Cross-Site Scripting Affected Software : Meks Smart Social Widget CVE ID : CVE-2024-0664 CVSS Score : 4.4 (Medium) Researcher/s : arpeetrathi Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/722aae99-fcfb-4234-9245-5db57aaa03c5 WP RSS Aggregator <= 4.23.4 – Authenticated (Admin+) Stored Cross-Site Scripting via RSS Feed Source Affected Software : WP RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging CVE ID : CVE-2024-0630 CVSS Score : 4.4 (Medium) Researcher/s : Colin Xu Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/93cb3b29-b1a0-4d40-a057-1b41f3b181f2 Content Views <= 3.6.2 – Authenticated(Administrator+) Stored Cross-Site Scripting via settings Affected Software : Content Views – Post Grid, Slider, Accordion (Gutenberg Blocks and Shortcode) CVE ID : CVE-2024-0612 CVSS Score : 4.4 (Medium) Researcher/s : Akbar Kustirama Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/aa4377a8-bcf4-45ba-824b-3505bd8e8c61 WordPress Simple Shopping Cart <= 4.7.1 – Authenticated(Administrator+) Stored Cross-Site Scripting Affected Software : WordPress Simple Shopping Cart CVE ID : CVE-2023-6497 CVSS Score : 4.4 (Medium) Researcher/s : Webbernaut Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ac6201a1-7ca9-461b-b9ad-16407120dfae Sticky Buttons <= 3.2.2 – Authenticated (Admin+) Stored Cross-Site Scripting Affected Software : Sticky Buttons – floating buttons builder CVE ID : CVE-2024-0703 CVSS Score : 4.4 (Medium) Researcher/s : Dipak Panchal (th3.d1p4k) Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b3c070be-e955-4076-9878-0b1044766397 WolfNet IDX for WordPress <= 1.19.1 – Authenticated (Admin+) Stored Cross-Site Scripting Affected Software : WolfNet IDX for WordPress CVE ID : CVE-2023-6783 CVSS Score : 4.4 (Medium) Researcher/s : Ma Long Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c226ca9a-8a2e-4e56-a039-96c31526a379 illi Link Party! <= 1.0 – Authenticated (Admin+) Stored Cross-Site Scripting Affected Software : illi Link Party! CVE ID : CVE-2023-7230 CVSS Score : 4.4 (Medium) Researcher/s : Bob Matyas Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cbf193ef-e172-4fe3-9bff-b5cbac9adb54 WebSub (FKA. PubSubHubbub) <= 3.1.4 – Authenticated (Admin+) Stored Cross-Site Scripting Affected Software : WebSub (FKA. PubSubHubbub) CVE ID : CVE-2024-0688 CVSS Score : 4.4 (Medium) Researcher/s : Sh Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f07b166b-3436-4797-a2df-096ff7c27a09 Better Follow Button for Jetpack <= 8.0 – Authenticated (Admin+) Stored Cross-Site Scripting Affected Software : Better Follow Button for Jetpack CVE ID : CVE-2023-7168 CVSS Score : 4.4 (Medium) Researcher/s : Bob Matyas Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fec06875-f6b4-4e57-917f-e80ece3744e1 Views for WPForms <= 3.2.2 – Missing Authorization via get_form_fields Affected Software : Views for WPForms – Display & Edit WPForms Entries on your site frontend CVE ID : CVE-2024-0372 CVSS Score : 4.3 (Medium) Researcher/s : Francesco Carlucci Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2ab58add-ab81-4c84-b773-7daf382492b0 Views for WPForms <= 3.2.2 – Cross-Site Request Forgery via create_view Affected Software : Views for WPForms – Display & Edit WPForms Entries on your site frontend CVE ID : CVE-2024-0374 CVSS Score : 4.3 (Medium) Researcher/s : Francesco Carlucci Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/34c0c676-37f9-49f2-ad50-2d70831fda53 Views for WPForms <= 3.2.2 – Missing Authorization via save_view Affected Software : Views for WPForms – Display & Edit WPForms Entries on your site frontend CVE ID : CVE-2024-0370 CVSS Score : 4.3 (Medium) Researcher/s : Francesco Carlucci Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3c4c8113-4c46-4179-9c7f-9d5d4337254d WP Dashboard Notes <= 1.0.10 – Missing Authorization to Arbitrary Private Notes Update Affected Software : WP Dashboard Notes CVE ID : CVE-2023-7239 CVSS Score : 4.3 (Medium) Researcher/s : Pedro Cuco (Illex) Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/64a36778-c17c-44ee-8b09-c221d27184f8 WP-Reply Notify <= 1.1 – Cross-Site Request Forgery to Settings Update Affected Software : WP-Reply Notify CVE ID : CVE-2023-7195 CVSS Score : 4.3 (Medium) Researcher/s : Daniel Ruf Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/837e596e-a4a7-4fcf-a761-aed35a789770 InstaWP Connect <= 0.1.0.9 – Missing Authorization to Sensitive Information Dislcosure Affected Software : InstaWP Connect – 1-click WP Staging & Migration CVE ID : CVE-2024-23506 CVSS Score : 4.3 (Medium) Researcher/s : Majed Refaea Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9a184384-9162-4509-957b-d97dd4089856 Views for WPForms <= 3.2.2 – Missing Authorization via create_view Affected Software : Views for WPForms – Display & Edit WPForms Entries on your site frontend CVE ID : CVE-2024-0371 CVSS Score : 4.3 (Medium) Researcher/s : Francesco Carlucci Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a9565693-fd0b-4412-944c-81b3cd79492e illi Link Party! <= 1.0 – Cross-Site Request Forgery to Settings Update Affected Software : illi Link Party! CVE ID : CVE-2023-7229 CVSS Score : 4.3 (Medium) Researcher/s : Bob Matyas Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/acd6b604-45dd-4688-a9b9-fabb12c418e2 Views for WPForms <= 3.2.2 – Cross-Site Request Forgery via save_view Affected Software : Views for WPForms – Display & Edit WPForms Entries on your site frontend CVE ID : CVE-2024-0373 CVSS Score : 4.3 (Medium) Researcher/s : Francesco Carlucci Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e2273c53-bc8a-45c7-914d-a3b934c2cb18 As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence. This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can. Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

This content was originally published here.