Wordfence Intelligence Weekly WordPress Vulnerability Report (January 8, 2024 to January 14, 2024)

🎉 Wordfence just launched its bug bounty program. For the first 6 months, all awarded bounties receive a 10% bonus. View the announcement to learn more now!

Last week, there were 67 vulnerabilities disclosed in 60 WordPress plugins and no WordPress themes that were added to the Wordfence Intelligence Vulnerability Database, and 29 vulnerability researchers contributed to WordPress security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, including the WordPress community, so that individuals and organizations alike can use that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and use, both personally and commercially, and why we are running this weekly vulnerability report. Enterprises, hosting providers, and individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Alternatively, use the Vulnerability Database API to receive a complete dump of our database of over 12,000 vulnerabilities, and then use the webhook integration to stay on top of the newest vulnerabilities added in real time, as well as any updates made to the database, all for free.

Click here to sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress security reports in your inbox the moment they are published.
New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection. The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

  Stored Cross-Site Scripting via Block
  WAF-RULE-666 – This is for an undisclosed vulnerability that we are working with the vendor on getting patched.
  WAF-RULE-665 – This is for an undisclosed vulnerability that we are working with the vendor on getting patched.

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.

Total Unpatched & Patched Vulnerabilities Last Week

  Patch Status        Number of Vulnerabilities
  Unpatched           12
  Patched             55

Total Vulnerabilities by CVSS Severity Last Week

  Severity Rating     Number of Vulnerabilities
  Low Severity         1
  Medium Severity     54
  High Severity        7
  Critical Severity    5

Total Vulnerabilities by CWE Type Last Week

  Vulnerability Type by CWE                                                                      Number of Vulnerabilities
  Cross-Site Request Forgery (CSRF)                                                              20
  Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')           19
  Missing Authorization                                                                           8
  Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')            4
  Unrestricted Upload of File with Dangerous Type                                                 4
  Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)                   3
  Information Exposure                                                                            2
  Information Exposure Through Debug Information                                                  1
  Exposure of Private Information ('Privacy Violation')                                           1
  Use of Less Trusted Source                                                                      1
  Protection Mechanism Failure                                                                    1
  Server-Side Request Forgery (SSRF)                                                              1
  Authorization Bypass Through User-Controlled Key                                                1
  Improper Access Control                                                                         1

Researchers That Contributed to WordPress Security Last Week

  Researcher Name                          Number of Vulnerabilities
  Francesco Carlucci                       5
  Rafie Muhammad                           4
  Dave Jong                                3
  Daniel Ruf                               2
  Nex Team                                 2
  drop                                     2
  Artem Guzhva (hexcat)                    2
  Ngô Thiên An (ancorn_)                   2
  Abdi Pranata                             2
  Brandon James Roldan (tomorrowisnew)     2
  Webbernaut                               2
  Dateoljo of BoB 12th                     1
  Lucio Sá                                 1
  LVT-tholv2k                              1
  Le Ngoc Anh                              1
  Huynh Tien Si                            1
  Mika                                     1
  Joshua Chan                              1
  Abu Hurayra (HurayraIIT)                 1
  Akbar Kustirama                          1
  Yudistira Arya                           1
  Naveen Muthusamy                         1
  thiennv                                  1
  Yuchen Ji                                1
  Dmitrii Ignatyev                         1
  Rafshanzani Suhada                       1
  Ulyses Saicha                            1
  Elliot                                   1
  Nicolas Decayeux                         1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name (Software Slug):

  AI Engine: Chatbots, Generators, Assistants, GPT 4 and more! (ai-engine)
  ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup (armember-membership)
  Advanced Flamingo (advanced-flamingo)
  Advanced Woo Search (advanced-woo-search)
  Auto Affiliate Links (wp-auto-affiliate-links)
  Beds24 Online Booking (beds24-online-booking)
  Constant Contact Forms by MailMunch (constant-contact-forms-by-mailmunch)
  Contact Form 7 Connector (ari-cf7-connector)
  Contact Form 7 Extension For Mailchimp (contact-form-7-mailchimp-extension)
  Contact Form 7 – Dynamic Text Extension (contact-form-7-dynamic-text-extension)
  Customer Reviews for WooCommerce (customer-reviews-woocommerce)
  Download Monitor (download-monitor)
  Droit Elementor Addons – Widgets, Blocks, Templates Library For Elementor Builder (droit-elementor-addons)
  ElementsKit Elementor addons (elementskit-lite)
  Email Encoder – Protect Email Addresses and Phone Numbers (email-encoder-bundle)
  Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates (essential-blocks)
  EventON (eventon-lite)
  EventON Pro (eventon)
  Football Pool (football-pool)
  Formidable Forms – Contact Form, Survey, Quiz, Payment, Calculator Form & Custom Form Builder (formidable)
  GD Rating System (gd-rating-system)
  Gallery Plugin for WordPress – Envira Photo Gallery (envira-gallery-lite)
  Happy Addons for Elementor (happy-elementor-addons)
  Index Now (mihdan-index-now)
  InstaWP Connect – 1-click WP Staging & Migration (instawp-connect)
  List category posts (list-category-posts)
  MailerLite – WooCommerce integration (woo-mailerlite)
  Metform Elementor Contact Form Builder (metform)
  Newsletter – Send awesome emails from WordPress (newsletter)
  OneClick Chat to Order (oneclick-whatsapp-order)
  Order Export & Order Import for WooCommerce (order-import-export-for-woocommerce)
  PDF Invoices & Packing Slips for WooCommerce (woocommerce-pdf-invoices-packing-slips)
  POST SMTP – The #1 WordPress SMTP Plugin with Advanced Email Logging and Delivery Failure Notifications (post-smtp)
  Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions (paid-memberships-pro)
  Photos and Files Contest Gallery – Contact Form, Upload Form, Social Share and Voting Plugin for WordPress (contest-gallery)
  Plugin for Google Reviews (widget-google-reviews)
  Products, Order & Customers Export for WooCommerce (export-woocommerce)
  Profile Builder Pro (profile-builder-pro)
  RabbitLoader (rabbit-loader)
  Schema & Structured Data for WP & AMP (schema-and-structured-data-for-wp)
  Seraphinite Accelerator (seraphinite-accelerator)
  Seraphinite Alternative Slugs Manager (seraphinite-old-slugs-mgr)
  Shortcodes Finder (shortcodes-finder)
  Simple Inventory Management – just scan barcode to manage products and orders. For WooCommerce (barcode-scanner-lite-pos-to-manage-products-inventory-and-orders)
  Swift SMTP (formerly Welcome Email Editor) (welcome-email-editor)
  TNC PDF viewer (pdf-viewer-by-themencode)
  The Events Calendar (the-events-calendar)
  Voting Record (voting-record)
  WP Register Profile With Shortcode (wp-register-profile-with-shortcode)
  WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc (wp-sms)
  WP Spell Check (wp-spell-check)
  WP Testimonials (testimonial-widgets)
  WPS Hide Login (wps-hide-login)
  WooCommerce (woocommerce)
  Woocommerce Vietnam Checkout (woo-vietnam-checkout)
  Word Replacer Pro (word-replacer-ultra)
  WordPress Button Plugin MaxButtons (maxbuttons)
  WordPress Live Chat Plugin for Elementor – LiveChat (livechat-elementor)
  WordPress Live Chat Plugin for WooCommerce – LiveChat (livechat-woocommerce)
  WordPress Manutenção (wp-manutencao)

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should've already been notified if your site was affected by any of these vulnerabilities. If you'd like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.
Barcode Scanner with Inventory & Order Manager <= 1.5.1 – Unauthenticated Arbitrary File Upload via uploadFile
  Affected Software: Simple Inventory Management – just scan barcode to manage products and orders. For WooCommerce
  CVE ID: CVE-2023-52221
  CVSS Score: 9.8 (Critical)
  Researcher/s: Rafie Muhammad
  Patch Status: Patched
  Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/34439db4-1b66-4ccb-bf84-fddef6bc1f88

Customer Reviews for WooCommerce <= 5.38.9 – Authenticated (Author+) Arbitrary File Upload
  Affected Software: Customer Reviews for WooCommerce
  CVE ID: CVE-2023-6979
  CVSS Score: 9.8 (Critical)
  Researcher/s: Artem Guzhva (hexcat)
  Patch Status: Patched
  Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4af801db-44a6-4cd3-bd1a-3125490c8c48

AI Engine: ChatGPT Chatbot <= 1.9.98 – Unauthenticated Arbitrary File Upload via rest_upload
  Affected Software: AI Engine: Chatbots, Generators, Assistants, GPT 4 and more!
  CVE ID: CVE-2023-51409
  CVSS Score: 9.8 (Critical)
  Researcher/s: Rafie Muhammad
  Patch Status: Patched
  Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a3fc4bac-9be0-4a1c-b4bb-4384d80e22f7

Barcode Scanner with Inventory & Order Manager <= 1.5.1 – Unauthenticated SQL Injection via userToken
  Affected Software: Simple Inventory Management – just scan barcode to manage products and orders. For WooCommerce
  CVE ID: CVE-2023-52215
  CVSS Score: 9.8 (Critical)
  Researcher/s: Rafie Muhammad
  Patch Status: Patched
  Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ba18bd0c-ba6c-4f98-ac29-660a79affa6c

POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress <= 2.8.7 – Authorization Bypass via type connect-app API
  Affected Software: POST SMTP – The #1 WordPress SMTP Plugin with Advanced Email Logging and Delivery Failure Notifications
  CVE ID: CVE-2023-6875
  CVSS Score: 9.8 (Critical)
  Researcher/s: Ulyses Saicha
  Patch Status: Patched
  Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e675d64c-cbb8-4f24-9b6f-2597a97b49af

WP Testimonials <= 1.4.4 – Authenticated (Contributor+) SQL Injection
  Affected Software: WP Testimonials
  CVE ID: CVE Unknown
  CVSS Score: 8.8 (High)
  Researcher/s: Unknown
  Patch Status: Patched
  Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4da18aad-3c82-4bc6-8dad-523643c12d5b

WP Register Profile With Shortcode <= 3.5.9 – Cross-Site Request Forgery to User Password Reset
  Affected Software: WP Register Profile With Shortcode
  CVE ID: CVE-2023-5448
  CVSS Score: 8.8 (High)
  Researcher/s: Dmitrii Ignatyev
  Patch Status: Patched
  Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ca564941-4780-4da2-b937-c9bd45966d81

Profile Builder Pro <= 3.10.0 – Cross-Site Request Forgery
  Affected Software: Profile Builder Pro
  CVE ID: CVE-2024-22140
  CVSS Score: 8.8 (High)
  Researcher/s: Dave Jong
  Patch Status: Patched
  Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f4c8932b-ede8-4f17-9612-5493c1130170

Download Monitor <= 4.9.4 – Authenticated (Admin+) SQL Injection
  Affected Software: Download Monitor
  CVE ID: CVE Unknown
  CVSS Score: 7.2 (High)
  Researcher/s: Unknown
  Patch Status: Patched
  Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/105ae6be-2cb7-4ab2-8e4c-5d3ff84c5b9f

Order Export & Order Import for WooCommerce <= 2.4.3 – Authenticated (Shop Manager+) Arbitrary File Upload via upload_import_file
  Affected Software: Order Export & Order Import for WooCommerce
  CVE ID: CVE-2024-22135
  CVSS Score: 7.2 (High)
  Researcher/s: Dateoljo of BoB 12th
  Patch Status: Patched
  Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/15ce2e54-ca5a-4dbc-9795-6e989e85b330

PDF Invoices & Packing Slips for WooCommerce <= 3.7.5 – Authenticated (Shop Manager+) SQL Injection
  Affected Software: PDF Invoices & Packing Slips for WooCommerce
  CVE ID: CVE-2024-22147
  CVSS Score: 7.2 (High)
  Researcher/s: Yudistira Arya
  Patch Status: Patched
  Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a92e307d-b3c0-441a-abac-580a60dd44cf

Index Now <= 2.6.3 – Cross-Site Request Forgery via reset_form
  Affected Software: Index Now
  CVE ID: CVE-2024-0428
  CVSS Score: 7.1 (High)
  Researcher/s: Francesco Carlucci
  Patch Status: Patched
  Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c7641d52-e930-4143-9180-2903d018da91

EventON – WordPress Virtual Event Calendar Plugin Pro <= 4.5.4 & Free <= 2.2.7 – Missing Authorization to Arbitrary Post Meta Update via evo_eventpost_update_meta
  Affected Software/s: EventON, EventON Pro
  CVE ID: CVE-2023-6158
  CVSS Score: 6.5 (Medium)
  Researcher/s: Francesco Carlucci
  Patch Status: Patched
  Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/19f94c4f-145b-4058-aabd-06525fce3cea

List category posts <= 0.89.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
  Affected Software: List category posts
  CVE ID: CVE-2023-6994
  CVSS Score: 6.5 (Medium)
  Researcher/s: Ngô Thiên An (ancorn_)
  Patch Status: Patched
  Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/611871cc-737f-44e3-baf5-dbaa8bd8eb81

EventON – WordPress Virtual Event Calendar Plugin <= 4.5.4 (Pro) & <= 2.2.8 (Free) – Cross-Site Request Forgery via save_virtual_event_settings
  Affected Software/s: EventON, EventON Pro
  CVE ID: CVE-2023-6244
  CVSS Score: 6.5 (Medium)
  Researcher/s: Francesco Carlucci
  Patch Status: Patched
  Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6fcc3a82-f116-446e-9e5f-4f074e20403b

Profile Builder Pro <= 3.10.0 – Authenticated (Subscriber+) Time-Based One-Time Password Sensitive Information Exposure
  Affected Software: Profile Builder Pro
  CVE ID: CVE-2024-22141
  CVSS Score: 6.5 (Medium)
  Researcher/s: Dave Jong
  Patch Status: Patched
  Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a388b406-1640-443d-9656-6a87588ce201

Word Replacer Pro <= 1.0 – Missing Authorization
  Affected Software: Word Replacer Pro
  CVE ID: CVE-2023-52229
  CVSS Score: 6.5 (Medium)
  Researcher/s: thiennv
  Patch Status: Unpatched
  Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bd31e8b0-6089-4521-a80f-e65e61ad062f

GD Rating System <= 3.5.0 – Unauthenticated Stored Cross-Site Scripting via IP
  Affected Software: GD Rating System
  CVE ID: CVE Unknown
  CVSS Score: 6.5 (Medium)
  Researcher/s: Unknown
  Patch Status: Patched
  Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c0b3662d-e369-4978-aa7a-debbb3ee37e4

EventON – WordPress Virtual Event Calendar Plugin Pro <= 4.5.4 & Free <= 2.2.7 – Cross-Site Request Forgery via evo_eventpost_update_meta
  Affected Software/s: EventON, EventON Pro
  CVE ID: CVE-2023-6242
  CVSS Score: 6.5 (Medium)
  Researcher/s: Francesco Carlucci
  Patch Status: Patched
  Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c8e9a333-a6b7-4b5e-93c1-b95566e5d6fb

Formidable Forms <= 6.7 – HTML Injection
  Affected Software: Formidable Forms – Contact Form, Survey, Quiz, Payment, Calculator Form & Custom Form Builder
  CVE ID: CVE-2023-6830
  CVSS Score: 6.5 (Medium)
  Researcher/s: drop
  Patch Status: Patched
  Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ff294b0f-97fe-4d27-bf93-f5bbb57ac1f6

Happy Elementor Addons <= 3.10.0 – Authenticated (Contributor+) Stored Cross-Site Scripting
  Affected Software: Happy Addons for Elementor
  CVE ID: CVE Unknown
  CVSS Score: 6.4 (Medium)
  Researcher/s: Unknown
  Patch Status: Patched
  Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1453815d-4e28-41ec-9aa4-4fd2899c619a

Voting Record <= 2.0 – Authenticated (Subscriber+) Stored Cross-Site Scripting
  Affected Software: Voting Record
  CVE ID: CVE-2023-7084
  CVSS Score: 6.4 (Medium)
  Researcher/s: Daniel Ruf
  Patch Status: Unpatched
  Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/286c3e26-07a8-4fca-9fdc-98e62ae88b67

OneClick Chat to Order <= 1.0.5 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
  Affected Software: OneClick Chat to Order
  CVE ID: CVE Unknown
  CVSS Score: 6.4 (Medium)
  Researcher/s: Unknown
  Patch Status: Patched
  Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3e4aaf2e-a0c6-47d2-9eb8-d65952a74424

Beds24 Online Booking <= 2.0.23 – Authenticated (Contributor+) Stored Cross-Site Scripting
  Affected Software: Beds24 Online Booking
  CVE ID: CVE-2023-52228
  CVSS Score: 6.4 (Medium)
  Researcher/s: Ngô Thiên An (ancorn_)
  Patch Status: Unpatched
  Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6fc2b2a5-00b0-424e-8678-c6b5cd76baec

TNC PDF viewer <= 2.8.0 – Authenticated (Contributor+) Stored Cross-Site Scripting
  Affected Software: TNC PDF viewer
  CVE ID: CVE Unknown
  CVSS Score: 6.4 (Medium)
  Researcher/s: Unknown
  Patch Status: Patched
  Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7a5f29ce-e266-4f52-af63-159253e7987c

Constant Contact Forms by MailMunch <= 2.0.11 – Authenticated (Contributor+) Stored Cross-Site Scripting
  Affected Software: Constant Contact Forms by MailMunch
  CVE ID: CVE-2024-22137
  CVSS Score: 6.4 (Medium)
  Researcher/s: Abu Hurayra (HurayraIIT)
  Patch Status: Unpatched
  Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a84bd9c8-97bd-4572-8bfa-5191d98c9523

Plugin for Google Reviews <= 3.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
  Affected Software: Plugin for Google Reviews
  CVE ID: CVE-2023-6884
  CVSS Score: 6.4 (Medium)
  Researcher/s: Akbar Kustirama
  Patch Status: Patched
  Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a8971d54-b54e-4e62-9db2-fa87d2564599

WP SMS <= 6.5.1 – Authenticated (Contributor+) Stored Cross-Site Scripting
  Affected Software: WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc
  CVE ID: CVE Unknown
  CVSS Score: 6.4 (Medium)
  Researcher/s: Unknown
  Patch Status: Patched
  Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c9141ad3-86cf-47ae-be99-d78f0337f2ca

Email Encoder – Protect Email Addresses and Phone Numbers <= 2.1.9 – Authenticated (Contributor+) Stored Cross-Site Scripting
  Affected Software: Email Encoder – Protect Email Addresses and Phone Numbers
  CVE ID: CVE-2023-7070
  CVSS Score: 6.4 (Medium)
  Researcher/s: Webbernaut
  Patch Status: Patched
  Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f5afe6ea-93b8-4782-8593-76468e370a45

Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates <= 4.4.6 – Authenticated (Contributor+) Stored Cross-Site Scripting
  Affected Software: Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates
  CVE ID: CVE-2023-7071
  CVSS Score: 6.4 (Medium)
  Researcher/s: Webbernaut
  Patch Status: Patched
  Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f969cb24-734f-46e5-a74d-fddf8e61e096

Football pool <= 2.11.3 – Authenticated (Contributor+) Stored Cross-Site Scripting
  Affected Software: Football Pool
  CVE ID: CVE Unknown
  CVSS Score: 6.4 (Medium)
  Researcher/s: Unknown
  Patch Status: Patched
  Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ff150706-5fbf-4881-976b-89fdaf637fb1

ARMember <= 4.0.22 – Cross-Site Request Forgery
  Affected Software: ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup
  CVE ID: CVE-2023-52200
  CVSS Score: 6.3 (Medium)
  Researcher/s: Rafie Muhammad
  Patch Status: Patched
  Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/88907f28-7b1d-4a5a-b846-67dfd21d6488

WooCommerce < 8.4.0 – Reflected Cross-Site Scripting
  Affected Software: WooCommerce
  CVE ID: CVE Unknown
  CVSS Score: 6.1 (Medium)
  Researcher/s: Unknown
  Patch Status: Patched
  Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/43810a17-89b4-44f5-887e-1ad0989ea5b4

Profile Builder Pro <= 3.10.0 – Reflected Cross-Site Scripting
  Affected Software: Profile Builder Pro
  CVE ID: CVE-2024-22142
  CVSS Score: 6.1 (Medium)
  Researcher/s: Dave Jong
  Patch Status: Patched
  Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/578d8ca7-7042-493d-92b4-63241b4bdfca

Shortcodes Finder <= 1.5.4 – Reflected Cross-Site Scripting
  Affected Software: Shortcodes Finder
  CVE ID: CVE-2024-21750
  CVSS Score: 6.1 (Medium)
  Researcher/s: Le Ngoc Anh
  Patch Status: Unpatched
  Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8eb77a53-4aea-46c3-8eea-a16f728dfa23

Advanced Woo Search <= 2.96 – Reflected Cross-Site Scripting
  Affected Software: Advanced Woo Search
  CVE ID: CVE-2024-0251
  CVSS Score: 6.1 (Medium)
  Researcher/s: Artem Guzhva (hexcat)
  Patch Status: Patched
  Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/91358e40-e64f-4e8e-b5a3-7d2133db5fe9

Voting Record <= 2.0 – Cross-Site Request Forgery to Settings Update and Cross-Site Scripting
  Affected Software: Voting Record
  CVE ID: CVE-2023-7083
  CVSS Score: 6.1 (Medium)
  Researcher/s: Daniel Ruf
  Patch Status: Unpatched
  Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f93aa003-5b8b-4836-af65-80df2f9fbdb6

Auto Affiliate Links <= 6.4.2.7 – Cross-Site Request Forgery
  Affected Software: Auto Affiliate Links
  CVE ID: CVE Unknown
  CVSS Score: 5.8 (Medium)
  Researcher/s: Unknown
  Patch Status: Patched
  Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d89918e1-b525-4d32-9b11-5e014eb02c16

Metform Elementor Contact Form Builder <= 3.8.1 – Cross-Site Request Forgery
  Affected Software: Metform Elementor Contact Form Builder
  CVE ID: CVE-2023-6788
  CVSS Score: 5.4 (Medium)
  Researcher/s: Lucio Sá
  Patch Status: Patched
  Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/30fd2425-ee48-4777-91c1-03906d63793a

Schema & Structured Data for WP & AMP <= 1.25 – Authenticated (Contributor+) Stored Cross-Site Scripting
  Affected Software: Schema & Structured Data for WP & AMP
  CVE ID: CVE-2024-22146
  CVSS Score: 5.4 (Medium)
  Researcher/s: LVT-tholv2k
  Patch Status: Patched
  Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5ca21247-c443-4808-8397-790669453bfc

RabbitLoader <= 2.19.13 – Missing Authorization via multiple AJAX actions
  Affected Software: RabbitLoader
  CVE ID: CVE-2024-21751
  CVSS Score: 5.4 (Medium)
  Researcher/s: Abdi Pranata
  Patch Status: Patched
  Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/958118ec-437e-45c8-a0f0-6aaf54e60d04

MailerLite – WooCommerce integration <= 2.0.8 – Cross-Site Request Forgery via Multiple AJAX Functions
  Affected Software: MailerLite – WooCommerce integration
  CVE ID: CVE-2023-52223
  CVSS Score: 5.4 (Medium)
  Researcher/s: Brandon James Roldan (tomorrowisnew)
  Patch Status: Patched
  Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9ea7ccb0-c0fb-4ef3-8041-9bf5abe36e3f

Contact Form 7 Extension For Mailchimp <= 0.5.70 – Authenticated (Subscriber+) Server-Side Request Forgery
  Affected Software: Contact Form 7 Extension For Mailchimp
  CVE ID: CVE-2024-22134
  CVSS Score: 5.4 (Medium)
  Researcher/s: Yuchen Ji
  Patch Status: Unpatched
  Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bed25977-040e-4427-b1e3-e9be9733b31f

Paid Memberships Pro <= 2.12.6 – Information Exposure in Debug Logs
  Affected Software: Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions
  CVE ID: CVE Unknown
  CVSS Score: 5.3 (Medium)
  Researcher/s: Unknown
  Patch Status: Patched
  Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/852b1895-3bed-4c2f-912c-c136b38a09bb

Seraphinite Accelerator <= 2.20.45 – Unauthenticated Sensitive Information Exposure via Log File
  Affected Software: Seraphinite Accelerator
  CVE ID: CVE-2024-22138
  CVSS Score: 5.3 (Medium)
  Researcher/s: Joshua Chan
  Patch Status: Unpatched
  Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a5991df2-1aab-4d07-9e30-1257aa9ec884

WordPress Manutenção <= 1.0.6 – IP Spoofing to Maintenance Mode Bypass
  Affected Software: WordPress Manutenção
  CVE ID: CVE-2024-22139
  CVSS Score: 5.3 (Medium)
  Researcher/s: Brandon James Roldan (tomorrowisnew)
  Patch Status: Unpatched
  Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a6664039-554b-43bf-8925-00c1e62e28f5

The Events Calendar <= 6.2.8.2 – Unauthenticated Sensitive Information Exposure
  Affected Software: The Events Calendar
  CVE ID: CVE-2023-6557
  CVSS Score: 5.3 (Medium)
  Researcher/s: Nicolas Decayeux
  Patch Status: Patched
  Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fc40196e-c0f3-4bc6-ac4b-b866902def61

ElementsKit Lite <= 3.0.3 – Unauthenticated Sensitive Information Exposure
  Affected Software: ElementsKit Elementor addons
  CVE ID: CVE-2023-6582
  CVSS Score: 5.3 (Medium)
  Researcher/s: Nex Team
  Patch Status: Patched
  Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ff4ae5c8-d164-4c2f-9bf3-83934c22cf4c

Newsletter <= 8.0.6 – Cross-Site Request Forgery
  Affected Software: Newsletter – Send awesome emails from WordPress
  CVE ID: CVE Unknown
  CVSS Score: 4.7 (Medium)
  Researcher/s: Unknown
  Patch Status: Patched
  Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5c24ee66-7b57-4e4c-bbb5-0451fc24ce4b

Contest Gallery <= 21.2.8.4 – Cross-Site Request Forgery
  Affected Software: Photos and Files Contest Gallery – Contact Form, Upload Form, Social Share and Voting Plugin for WordPress
  CVE ID: CVE Unknown
  CVSS Score: 4.7 (Medium)
  Researcher/s: Unknown
  Patch Status: Patched
  Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f2b5213d-fdc5-4c98-9a05-15d83bd7308f

Formidable Forms <= 6.7 – Authenticated (Administrator+) Stored Cross-Site Scripting
  Affected Software: Formidable Forms – Contact Form, Survey, Quiz, Payment, Calculator Form & Custom Form Builder
  CVE ID: CVE-2023-6842
  CVSS Score: 4.4 (Medium)
  Researcher/s: drop
  Patch Status: Patched
  Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/47e402c3-e06c-4ac9-8c60-5666cb1101ce

Woocommerce Vietnam Checkout <= 2.0.8 – Authenticated (Admin+) Stored Cross-Site Scripting
  Affected Software: Woocommerce Vietnam Checkout
  CVE ID: CVE Unknown
  CVSS Score: 4.4 (Medium)
  Researcher/s: Unknown
  Patch Status: Patched
  Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5344499d-c183-4164-a52c-0dca7873f63d

WordPress Button Plugin MaxButtons <= 9.7.4 – Authenticated (Administrator+) Stored Cross-Site Scripting
  Affected Software: WordPress Button Plugin MaxButtons
  CVE ID: CVE-2023-6594
  CVSS Score: 4.4 (Medium)
  Researcher/s: Rafshanzani Suhada
  Patch Status: Patched
  Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cfe2cabd-98f6-4ebc-8a02-e6951202aa88

Swift SMTP <= 5.0.6 – Cross-Site Request Forgery
  Affected Software: Swift SMTP (formerly Welcome Email Editor)
  CVE ID: CVE Unknown
  CVSS Score: 4.3 (Medium)
  Researcher/s: Unknown
  Patch Status: Patched
  Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1b9ed184-814d-46cb-979c-908bc9359fae

LiveChat Elementor <= 1.0.13 – Cross-Site Request Forgery
  Affected Software: WordPress Live Chat Plugin for Elementor – LiveChat
  CVE ID: CVE Unknown
  CVSS Score: 4.3 (Medium)
  Researcher/s: Unknown
  Patch Status: Patched
  Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/32c2a25d-e660-4700-8df3-b043cf6aa78a

Envira Gallery Lite <= 1.8.7.2 – Missing Authorization to Gallery Modification via envira_gallery_insert_images
  Affected Software: Gallery Plugin for WordPress – Envira Photo Gallery
  CVE ID: CVE-2023-6742
  CVSS Score: 4.3 (Medium)
  Researcher/s: Nex Team
  Patch Status: Patched
  Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/40655278-6915-4a76-ac2d-bb161d3cee92

InstaWP Connect <= 0.1.0.8 – Cross-Site Request Forgery via create_file_db_manager
  Affected Software: InstaWP Connect – 1-click WP Staging & Migration
  CVE ID: CVE Unknown
  CVSS Score: 4.3 (Medium)
  Researcher/s: Unknown
  Patch Status: Patched
  Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5954c35a-7d0a-4bc5-9cad-3223e7be56eb

Seraphinite Alternative Slugs Manager <= 1.3 – Cross-Site Request Forgery
  Affected Software: Seraphinite Alternative Slugs Manager
  CVE ID: CVE Unknown
  CVSS Score: 4.3 (Medium)
  Researcher/s: Unknown
  Patch Status: Patched
  Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/66377ee2-cc87-4cfe-a4e4-cef4459bf2ec

MailerLite – WooCommerce integration <= 2.0.8 – Missing Authorization via Multiple Functions
  Affected Software: MailerLite – WooCommerce integration
  CVE ID: CVE-2023-52227
  CVSS Score: 4.3 (Medium)
  Researcher/s: Abdi Pranata
  Patch Status: Patched
  Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/757690b0-6c59-4e74-aad2-f5fde9f7a2fb

LiveChat WooCommerce <= 2.2.16 – Cross-Site Request Forgery
  Affected Software: WordPress Live Chat Plugin for WooCommerce – LiveChat
  CVE ID: CVE Unknown
  CVSS Score: 4.3 (Medium)
  Researcher/s: Unknown
  Patch Status: Patched
  Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/872f13bc-e6d0-4307-b2c9-b55a44df1016

Advanced Flamingo <= 1.0 – Cross-Site Request Forgery
  Affected Software: Advanced Flamingo
  CVE ID: CVE-2023-52226
  CVSS Score: 4.3 (Medium)
  Researcher/s: Huynh Tien Si
  Patch Status: Unpatched
  Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9ce8ad5f-05e8-4279-915a-1c94559d4e56

WP Spell Check <= 9.17 – Cross-Site Request Forgery
  Affected Software: WP Spell Check
  CVE ID: CVE-2024-22143
  CVSS Score: 4.3 (Medium)
  Researcher/s: Mika
  Patch Status: Patched
  Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9eef053c-16a1-4624-8393-08e78b221d4f

Contact Form 7 – Dynamic Text Extension <= 4.1.0 – Insecure Direct Object Reference
  Affected Software: Contact Form 7 – Dynamic Text Extension
  CVE ID: CVE-2023-6630
  CVSS Score: 4.3 (Medium)
  Researcher/s: Francesco Carlucci
  Patch Status: Patched
  Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a3f1d836-da32-414f-9f2b-d485c44b2486

Contact Form 7 Connector <= 1.2.2 – Cross-Site Request Forgery
  Affected Software: Contact Form 7 Connector
  CVE ID: CVE Unknown
  CVSS Score: 4.3 (Medium)
  Researcher/s: Unknown
  Patch Status: Patched
  Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b437020c-31a3-413e-a1da-b4781da34f10

Products & Order Export for WooCommerce <= 2.0.7 – Missing Authorization
  Affected Software: Products, Order & Customers Export for WooCommerce
  CVE ID: CVE Unknown
  CVSS Score: 4.3 (Medium)
  Researcher/s: Unknown
  Patch Status: Patched
  Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/da1f68a5-8ca7-4744-9b73-09e767072885

Droit Elementor Addons <= 3.1.5 – Cross-Site Request Forgery
  Affected Software: Droit Elementor Addons – Widgets, Blocks, Templates Library For Elementor Builder
  CVE ID: CVE-2024-22136
  CVSS Score: 4.3 (Medium)
  Researcher/s: Elliot
  Patch Status: Unpatched
  Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e7b49fd1-2d1e-4083-bc1d-010a9c8f4c2f

WPS Hide Login <= 1.9.11 – Hidden Login Page Location Disclosure
  Affected Software: WPS Hide Login
  CVE ID: CVE-2023-49748
  CVSS Score: 3.7 (Low)
  Researcher/s: Naveen Muthusamy
  Patch Status: Unpatched
  Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bb81e90f-8da4-483c-9bc1-18b6c016df5e

As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence. This database is continuously updated, maintained, and populated by Wordfence's highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.
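A practitioner working through this list by hand will want to match it against what is actually installed. The script below is an added example written for this edit, not a Wordfence tool and not the Wordfence CLI scanner: it reads the JSON printed by `wp plugin list --format=json` (objects with `name`, `status`, `update` and `version` fields; the sample output embedded in the script is constructed, not captured from a real site) and flags plugins whose installed version falls inside one of the affected ranges above. The `AFFECTED` table carries only ten of this week's 67 entries, copied from the report; extend it as needed. Two details matter: version comparison must be numeric component by component (a plain string compare would wrongly flag Download Monitor 4.9.10 against "<= 4.9.4"), and the WooCommerce entry is a strict "< 8.4.0" while every other entry states the last affected version, so the operator is stored per entry.

```python
"""Cross-check installed WordPress plugins against this week's affected versions.

Added example for this report, not Wordfence code.  Reads the JSON that
`wp plugin list --format=json` prints (objects with name, status, update,
version) and reports plugins whose installed version lies in an affected
range.  Usage from a site root:

    wp plugin list --format=json | python3 check_affected.py
"""
import json
import re
import sys
from typing import Dict, List, Tuple

# Subset of this week's entries as (slug, operator, boundary); slugs and
# versions are copied from the report.  All entries except WooCommerce give
# the last affected version ("<="); WooCommerce's entry is "< 8.4.0".
AFFECTED: List[Tuple[str, str, str]] = [
    ("barcode-scanner-lite-pos-to-manage-products-inventory-and-orders", "<=", "1.5.1"),
    ("customer-reviews-woocommerce", "<=", "5.38.9"),
    ("ai-engine", "<=", "1.9.98"),
    ("post-smtp", "<=", "2.8.7"),
    ("testimonial-widgets", "<=", "1.4.4"),
    ("wp-register-profile-with-shortcode", "<=", "3.5.9"),
    ("profile-builder-pro", "<=", "3.10.0"),
    ("download-monitor", "<=", "4.9.4"),
    ("woocommerce", "<", "8.4.0"),
    ("wps-hide-login", "<=", "1.9.11"),
]

# Constructed sample of `wp plugin list --format=json` output (not real data).
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "woocommerce", "status": "active", "update": "available", "version": "8.3.1"},
    {"name": "ai-engine", "status": "active", "update": "available", "version": "1.9.98"},
    {"name": "post-smtp", "status": "inactive", "update": "none", "version": "2.8.8"},
    {"name": "download-monitor", "status": "active", "update": "none", "version": "4.9.10"},
    {"name": "wps-hide-login", "status": "active", "update": "none", "version": "1.9.11"},
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
])


def version_key(version: str) -> Tuple[int, ...]:
    """Dotted version -> tuple of ints, so 4.9.10 sorts after 4.9.4.

    Assumption: a pre-release suffix such as "-beta1" is dropped, so a
    pre-release compares like its base version.  For this check that is the
    conservative direction: a pre-release of an affected version is flagged.
    """
    base = re.split(r"[-+]", version, maxsplit=1)[0]
    nums = re.findall(r"\d+", base)
    return tuple(int(n) for n in nums) or (0,)


def cmp_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 for a < b, a == b, a > b; missing parts count as 0."""
    ka, kb = version_key(a), version_key(b)
    width = max(len(ka), len(kb))
    ka += (0,) * (width - len(ka))
    kb += (0,) * (width - len(kb))
    return (ka > kb) - (ka < kb)


def is_affected(installed: str, op: str, boundary: str) -> bool:
    """True when `installed <op> boundary` holds for op in {"<=", "<"}."""
    c = cmp_versions(installed, boundary)
    if op == "<=":
        return c <= 0
    if op == "<":
        return c < 0
    raise ValueError(f"unsupported operator {op!r}")


def find_affected(wp_plugin_list_json: str) -> List[Dict[str, str]]:
    """Match installed plugins by slug against AFFECTED and return the hits.

    Inactive plugins are reported too: their files are still on disk.  A
    version match is a triage signal, not proof that the site is exploitable.
    """
    installed = {p["name"]: p for p in json.loads(wp_plugin_list_json)}
    hits: List[Dict[str, str]] = []
    for slug, op, boundary in AFFECTED:
        plugin = installed.get(slug)
        if plugin is not None and is_affected(plugin["version"], op, boundary):
            hits.append({
                "slug": slug,
                "installed": plugin["version"],
                "affected": f"{op} {boundary}",
                "status": plugin["status"],
            })
    return hits


if __name__ == "__main__":
    raw = SAMPLE_WP_PLUGIN_LIST if sys.stdin.isatty() else sys.stdin.read()
    for hit in find_affected(raw):
        print(f"{hit['slug']}: installed {hit['installed']} is {hit['affected']} ({hit['status']})")
```

On the constructed sample this reports ai-engine 1.9.98 (at the boundary), woocommerce 8.3.1 (below the strict 8.4.0 bound) and wps-hide-login 1.9.11 (at the boundary and, per the report, still unpatched), while download-monitor 4.9.10 and post-smtp 2.8.8 are correctly left alone. Treat a hit as a prompt to read the linked Wordfence Intelligence entry and update or remove the plugin, not as a finding on its own.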
