
Wordfence Intelligence Weekly WordPress Vulnerability Report (November 13, 2023 to November 19, 2023)

🎉 Wordfence just launched its bug bounty program. For the first 6 months, all awarded bounties receive a 10% bonus. View the announcement to learn more now!

Last week, there were 126 vulnerabilities disclosed in 102 WordPress Plugins and 2 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 37 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 12,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
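Whichever route you take (CLI scanner, API dump, or this report), the actual check is the same: compare each installed plugin version against the affected range. The ranges in this report are all upper-bounded ("<= 1.2.2", "<= 12.8-a.1", "<= 2023.10.13") and follow PHP's version_compare() semantics, which is what WordPress code uses when it compares plugin versions, so a naive string or dotted-integer comparison gets pre-release and multi-segment versions wrong. The script below is an added example, not code from Wordfence or from this report: it ports version_compare() and reconciles a constructed installed-plugin list against six entries taken from the report. The record shape (slug, to_version, cvss, patched, title) is this example's own simplification of the fields printed in each entry of the report, not the Wordfence feed's schema; the installed list mirrors the name/version fields that WP-CLI's `wp plugin list --format=json` prints, and all of its versions are made up for the example.

```python
"""Check installed WordPress plugins against the version bounds in a
Wordfence weekly report, using PHP version_compare() semantics."""
from typing import Dict, List, Tuple

# Ranks PHP's version_compare() assigns to special version fragments.
# Anything matching none of these ranks below "dev"; bare numbers rank as "#".
_SPECIAL_FORMS = [("dev", 0), ("alpha", 1), ("a", 1), ("beta", 2), ("b", 2),
                  ("RC", 3), ("rc", 3), ("#", 4), ("pl", 5), ("p", 5)]


def _digit(c: str) -> bool:
    return "0" <= c <= "9"          # ASCII digits only, like C's isdigit()


def _canonicalize(version: str) -> str:
    """Port of php_canonicalize_version(): '-', '_', '+' become '.', and a '.'
    is inserted at every digit/non-digit boundary, so '12.8-a.1' -> '12.8.a.1'."""
    if not version:
        return ""
    out, prev = [version[0]], version[0]
    for ch in version[1:]:
        last = out[-1]
        if ch in "-_+":
            if last != ".":
                out.append(".")
        elif ((not _digit(prev) and prev != ".") and _digit(ch)) or \
             (_digit(prev) and (not _digit(ch) and ch != ".")):
            if last != ".":
                out.append(".")
            out.append(ch)
        elif not ch.isalnum():      # any other punctuation (including '.') separates
            if last != ".":
                out.append(".")
        else:
            out.append(ch)
        prev = ch
    return "".join(out)


def _special_rank(fragment: str) -> int:
    for name, rank in _SPECIAL_FORMS:
        if fragment.startswith(name):
            return rank
    return -6


def _cmp(a: int, b: int) -> int:
    return (a > b) - (a < b)


def php_version_compare(v1: str, v2: str) -> int:
    """Return -1, 0 or 1 like PHP's version_compare($v1, $v2)."""
    parts1 = [p for p in _canonicalize(v1).split(".") if p]
    parts2 = [p for p in _canonicalize(v2).split(".") if p]
    result, i = 0, 0
    while i < len(parts1) and i < len(parts2) and result == 0:
        a, b = parts1[i], parts2[i]
        if _digit(a[0]) and _digit(b[0]):
            result = _cmp(int(a), int(b))                 # numeric: 1.10 > 1.9
        elif not _digit(a[0]) and not _digit(b[0]):
            result = _cmp(_special_rank(a), _special_rank(b))
        elif _digit(a[0]):
            result = _cmp(_special_rank("#"), _special_rank(b))
        else:
            result = _cmp(_special_rank(a), _special_rank("#"))
        i += 1
    if result == 0 and i < len(parts1):
        # extra numeric fragment means newer; extra "alpha"/"rc" fragment means older
        result = 1 if _digit(parts1[i][0]) else _cmp(_special_rank(parts1[i]), 4)
    elif result == 0 and i < len(parts2):
        result = -1 if _digit(parts2[i][0]) else _cmp(4, _special_rank(parts2[i]))
    return result


# Constructed sample: six entries from this report in the example's own
# simplified record shape (assumption: this is NOT the Wordfence feed schema).
REPORT_ENTRIES: List[Dict] = [
    {"slug": "auxin-elements", "to_version": "2.14.0", "cvss": 9.8, "patched": False,
     "title": "Shortcodes and extra features for Phlox theme <= 2.14.0 – Unauthenticated Local File Inclusion"},
    {"slug": "wp-fastest-cache", "to_version": "1.2.2", "cvss": 9.8, "patched": True,
     "title": "WP Fastest Cache <= 1.2.2 – Unauthenticated SQL Injection"},
    {"slug": "jetpack", "to_version": "12.8-a.1", "cvss": 6.4, "patched": True,
     "title": "Jetpack <= 12.8-a.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via block attribute"},
    {"slug": "namaste-lms", "to_version": "2.6.1.1", "cvss": 6.1, "patched": True,
     "title": "Namaste! LMS <= 2.6.1.1 – Reflected Cross-Site Scripting"},
    {"slug": "daily-prayer-time-for-mosques", "to_version": "2023.10.13", "cvss": 6.4, "patched": True,
     "title": "Daily Prayer Time <= 2023.10.13 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode"},
    {"slug": "woocommerce", "to_version": "8.1.1", "cvss": 6.4, "patched": True,
     "title": "WooCommerce <= 8.1.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Featured Image alt Attribute"},
]

# Constructed installed-plugin list (made-up versions) using the name/version
# fields that `wp plugin list --format=json` prints; "name" is the plugin slug.
INSTALLED: List[Dict[str, str]] = [
    {"name": "wp-fastest-cache", "version": "1.2.2"},
    {"name": "jetpack", "version": "12.8"},          # final 12.8 sorts after 12.8-a.1
    {"name": "auxin-elements", "version": "2.14.0"},
    {"name": "namaste-lms", "version": "2.6.1.1"},
    {"name": "daily-prayer-time-for-mosques", "version": "2023.10.14"},
    {"name": "woocommerce", "version": "8.2.0"},
]


def is_affected(installed_version: str, to_version: str) -> bool:
    """Report ranges are '<= X', so the upper bound is inclusive."""
    return php_version_compare(installed_version, to_version) <= 0


def find_affected(installed: List[Dict[str, str]],
                  entries: List[Dict]) -> List[Tuple[str, str, str, bool]]:
    """Return (slug, installed version, title, patched) for every hit, most severe first."""
    versions = {p["name"]: p["version"] for p in installed}
    hits = [(e["slug"], versions[e["slug"]], e["title"], e["patched"], e["cvss"])
            for e in entries
            if e["slug"] in versions and is_affected(versions[e["slug"]], e["to_version"])]
    hits.sort(key=lambda h: (-h[4], h[0]))
    return [(slug, ver, title, patched) for slug, ver, title, patched, _ in hits]


if __name__ == "__main__":
    for slug, ver, title, patched in find_affected(INSTALLED, REPORT_ENTRIES):
        action = "update available" if patched else "UNPATCHED: disable or isolate"
        print(f"{slug} {ver}: {title} [{action}]")
```

Two details matter in practice. First, the pre-release case: an install on Jetpack 12.8 is not inside "<= 12.8-a.1", because PHP ranks an "a"/"alpha" fragment below a bare number, whereas a plain string comparison would flag it. Second, a hit on an entry whose Patch Status is Unpatched has no update to apply; the output calls that out separately because the remediation (disable the plugin, or restrict who can reach it) is different from "run updates".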
New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection. The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

WP Courses LMS <= 3.2.3 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status : Number of Vulnerabilities
Unpatched : 40
Patched : 86

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating : Number of Vulnerabilities
Low Severity : 2
Medium Severity : 105
High Severity : 14
Critical Severity : 5

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE : Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) : 43
Missing Authorization : 36
Cross-Site Request Forgery (CSRF) : 26
Unrestricted Upload of File with Dangerous Type : 4
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) : 3
Information Exposure : 2
Deserialization of Untrusted Data : 2
Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’) : 1
Improper Privilege Management : 1
Unverified Password Change : 1
Protection Mechanism Failure : 1
URL Redirection to Untrusted Site (‘Open Redirect’) : 1
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) : 1
Use of Less Trusted Source : 1
Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’) : 1
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) : 1
Improper Authorization : 1

Researchers That Contributed to WordPress Security Last Week

Researcher Name : Number of Vulnerabilities
Abdi Pranata : 23
Rafie Muhammad : 18
Ngô Thiên An (ancorn_) : 10
Le Ngoc Anh : 5
István Márton (Wordfence Vulnerability Researcher) : 4
Mika : 4
Marco Wotschka (Wordfence Vulnerability Researcher) : 4
Paolo Tresso (Wordfence Vulnerability Researcher) : 4
emad : 3
Huynh Tien Si : 3
Ala Arfaoui : 2
Vincenzo Turturro : 2
Gianluca Parisi : 2
Vincenzo Cantatore : 2
Revan Arifio : 1
Enrico Marcolini : 1
Claudio Marchesini (Dottormarc) : 1
wpdabh : 1
RIN MIYACHI : 1
Nicolas Surribas : 1
Naveen Muthusamy : 1
Vladislav Pokrovsky (ΞX.MI) : 1
niclo : 1
LEE SE HYOUNG : 1
Muhammad Daffa : 1
Brandon James Roldan (tomorrowisnew) : 1
BuShiYue : 1
Alex Sanford : 1
thiennv : 1
Nguyen Xuan Chien : 1
Furkan ÖZER : 1
DoYeon Park (p6rkdoye0n) : 1
Dmitrii Ignatyev : 1
Bartłomiej Marek : 1
Tomasz Swiadek : 1
resecured.io : 1
Ivy (TOOR, Lisa) : 1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week

Software Name : Software Slug
10WebAnalytics : wd-google-analytics
AMP+ Plus : amp-plus
ARI Stream Quiz – WordPress Quizzes Builder : ari-stream-quiz
AWeber – Free Sign Up Form and Landing Page Builder Plugin for Lead Generation and Email Newsletter Growth : aweber-web-form-widget
Accordion : accordions-wp
Acme Fix Images : acme-fix-images
Add Widgets to Page : add-widgets-to-page
Ajax Domain Checker : ajax-domain-checker
Anywhere Flash Embed : anywhere-flash-embed
AppPresser – Mobile App Framework : apppresser
Audio Merchant : audio-merchant
BMI Calculator Plugin : bmi-calculator-shortcode
BP Profile Shortcodes Extra : bp-profile-shortcodes-extra
BSK Contact Form 7 Blacklist : bsk-contact-form-7-blacklist
Bamboo Columns : bamboo-columns
Better RSS Widget : better-rss-widget
BetterDocs – Best Documentation & Knowledge Base Plugin : betterdocs
Big File Uploads – Increase Maximum File Upload Size : tuxedo-big-file-uploads
Bus Ticket Booking with Seat Reservation – WpBusTicketly | WordPress plugin : bus-ticket-booking-with-seat-reservation
Client Invoicing by Sprout Invoices – Easy Estimates and Invoices for WordPress : sprout-invoices
CodeBard’s Patron Button and Widgets for Patreon : patron-button-and-widgets-by-codebard
Comments – wpDiscuz : wpdiscuz
Community by PeepSo – Social Network, Membership, Registration, User Profiles : peepso-core
Conditional Fields for Contact Form 7 : cf7-conditional-fields
Customer Reviews for WooCommerce : customer-reviews-woocommerce
Daily Prayer Time : daily-prayer-time-for-mosques
Delete Duplicate Posts : delete-duplicate-posts
Ditty – Responsive News Tickers, Sliders, and Lists : ditty-news-ticker
DrawIt (draw.io) : drawit
EWWW Image Optimizer : ewww-image-optimizer
Easy Call Now by ThikShare : easy-call-now
EasyAzon – Amazon Associates Affiliate Plugin : easyazon
Elementor Addon Elements : addon-elements-for-elementor-page-builder
Email Encoder – Protect Email Addresses and Phone Numbers : email-encoder-bundle
Email Verification / SMS Verification / OTP Verification / OTP Authentication / WooCommerce Notification : miniorange-otp-verification
Embed Privacy : embed-privacy
EmbedPress – Embed PDF, YouTube, Google Docs, Vimeo, Wistia Videos, Audios, Maps & Any Documents in Gutenberg & Elementor : embedpress
Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates : essential-blocks
Essential Grid Portfolio – Photo Gallery : essential-grid
Events Addon for Elementor : events-addon-for-elementor
Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button – Chaty : chaty
Footer Putter : footer-putter
FormCraft – Contact Form Builder for WordPress : formcraft-form-builder
Forminator – Contact Form, Payment Form & Custom Form Builder : forminator
Frontend File Manager Plugin : nmedia-user-file-uploader
Hreflang Manager : hreflang-manager-lite
Image Compressor & Optimizer – iLoveIMG : iloveimg
Integration for Constant Contact and Contact Form 7, WPForms, Elementor, Ninja Forms : cf7-constant-contact
Interactive World Map : interactive-world-map
Jetpack – WP Security, Backup, Speed, & Growth : jetpack
LWS Hide Login : lws-hide-login
LayerSlider : layerslider
Leadster : leadster-marketing-conversacional
Legal Pages – Privacy Policy, Terms & Conditions, GDPR, CCPA, and Cookie Notice Generator : legal-pages
Live Preview for Contact Form 7 : cf7-live-preview
LuckyWP Scripts Control : luckywp-scripts-control
MP3 Audio Player for Music, Radio & Podcast by Sonaar : mp3-music-player-by-sonaar
Namaste! LMS : namaste-lms
Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions : paid-memberships-pro
Permalinks Customizer : permalinks-customizer
Phlox Shop : auxin-shop
Popup Box – Best WordPress Popup Plugin : ays-popup-box
Post Status Notifier Lite : post-status-notifier-lite
Premium Portfolio Features for Phlox theme : auxin-portfolio
Premmerce Redirect Manager : premmerce-redirect-manager
Professional Social Sharing Buttons, Icons & Related Posts – Shareaholic : shareaholic
Pz-LinkCard : pz-linkcard
Quick Call Button : quick-call-button
Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress : quiz-master-next
Restaurant & Cafe Addon for Elementor : restaurant-cafe-addon-for-elementor
SearchIQ – The Search Solution : searchiq
Shortcodes and extra features for Phlox theme : auxin-elements
Simple 301 Redirects by BetterLinks : simple-301-redirects
Simply Excerpts : simply-excerpts
Slider Revolution : revslider
Slider – Ultimate Responsive Image Slider : ultimate-responsive-image-slider
Star CloudPRNT for WooCommerce : star-cloudprnt-for-woocommerce
Theater for WordPress : theatre
URL Shortify – Simple, Powerful and Easy URL Shortener Plugin For WordPress : url-shortify
Ultimate Dashboard – Custom WordPress Dashboard : ultimate-dashboard
WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses : wp-courses
WP Custom Admin Interface : wp-custom-admin-interface
WP EXtra : wp-extra
WP Fastest Cache : wp-fastest-cache
WP Like Button : wp-like-button
WP Maintenance : wp-maintenance
WP Meta and Date Remover : wp-meta-and-date-remover
WP Not Login Hide (WPNLH) : wp-not-login-hide-wpnlh
WPCafe – Restaurant Menu, Online Ordering for WooCommerce, Pickup / Delivery and Table Reservation : wp-cafe
Website Optimization – Plerdy : plerdy-heatmap
Welcart e-Commerce : usc-e-shop
Welcome Email Editor : welcome-email-editor
WooCommerce : woocommerce
WooCommerce Blocks : woo-gutenberg-products-block
WooCommerce Bookings : woocommerce-bookings
WooCommerce Product Carousel Slider : product-carousel-slider-for-woocommerce
Woocommerce Shipping Canada Post : woocommerce-shipping-canada-post
WordPress File Upload : wp-file-upload
YOP Poll : yop-poll
avalex – Automatisch sichere Rechtstexte : avalex
eCommerce Product Catalog Plugin for WordPress : ecommerce-product-catalog
wpMandrill : wpmandrill

WordPress Themes with Reported Vulnerabilities Last Week

Software Name : Software Slug
Betheme : betheme
Thrive Themes Builder : thrive-theme

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

Shortcodes and extra features for Phlox theme <= 2.14.0 – Unauthenticated Local File Inclusion
Affected Software : Shortcodes and extra features for Phlox theme
CVE ID : CVE-2023-37888
CVSS Score : 9.8 (Critical)
Researcher/s : Rafie Muhammad
Patch Status : Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/09437329-f01a-4998-90ec-e4b2e271e896

WP Fastest Cache <= 1.2.2 – Unauthenticated SQL Injection
Affected Software : WP Fastest Cache
CVE ID : CVE-2023-6063
CVSS Score : 9.8 (Critical)
Researcher/s : Alex Sanford
Patch Status : Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/876efd71-8867-44b8-8017-86fad2a1b89f

Phlox Shop <= 2.0.0 – Unauthenticated Local File Inclusion
Affected Software : Phlox Shop
CVE ID : CVE-2023-39163
CVSS Score : 9.8 (Critical)
Researcher/s : Rafie Muhammad
Patch Status : Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e11e4bab-f8a9-4ecb-b36e-09a55e47f1ae

Phlox Portfolio <= 2.3.1 – Unauthenticated Local File Inclusion
Affected Software : Premium Portfolio Features for Phlox theme
CVE ID : CVE-2023-38399
CVSS Score : 9.8 (Critical)
Researcher/s : Rafie Muhammad
Patch Status : Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f6f3f82e-6b1b-4138-b8f3-82e8dcd24479

Frontend File Manager Plugin <= 22.5 – Authenticated (Editor+) Directory Traversal
Affected Software : Frontend File Manager Plugin
CVE ID : CVE-2023-5105
CVSS Score : 9.1 (Critical)
Researcher/s : Dmitrii Ignatyev
Patch Status : Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b59b5c41-6173-485e-869d-4165dc18e2bd

Audio Merchant <= 5.0.4 – Cross-Site Request Forgery to Arbitrary File Upload
Affected Software : Audio Merchant
CVE ID : CVE-2023-6196
CVSS Score : 8.8 (High)
Researcher/s : Ala Arfaoui
Patch Status : Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/06513dfe-f263-48b7-ba01-2c205247095b

Thrive Theme Builder <= 3.20.1 – Cross-Site Request Forgery
Affected Software : Thrive Themes Builder
CVE ID : CVE-2023-47781
CVSS Score : 8.8 (High)
Researcher/s : Rafie Muhammad
Patch Status : Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/353c3cd9-5ada-466b-b8e5-d40e0ec4e867

Thrive Theme Builder <= 3.20.1 – Privilege Escalation
Affected Software : Thrive Themes Builder
CVE ID : CVE-2023-47782
CVSS Score : 8.8 (High)
Researcher/s : Rafie Muhammad
Patch Status : Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3b345dfe-3945-405a-9825-c88816b2adee

WP Courses LMS <= 3.2.3 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update
Affected Software : WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses
CVE ID : CVE Unknown
CVSS Score : 8.8 (High)
Researcher/s : Unknown
Patch Status : Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8a6f7952-cb64-4cff-aae7-0f03692cd95f

Welcart e-Commerce <= 2.9.4 – Cross-Site Request Forgery
Affected Software : Welcart e-Commerce
CVE ID : CVE Unknown
CVSS Score : 8.8 (High)
Researcher/s : Unknown
Patch Status : Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f59004bb-b026-4137-a332-f46a09237e7b

Welcart e-Commerce <= 2.9.4 – Authenticated (Subscriber+) Arbitrary File Upload
Affected Software : Welcart e-Commerce
CVE ID : CVE Unknown
CVSS Score : 8.8 (High)
Researcher/s : Unknown
Patch Status : Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f690e67c-119f-4ea6-9505-101e7f7a3dea

Essential Grid <= 3.0.18 – Missing Authorization
Affected Software : Essential Grid Portfolio – Photo Gallery
CVE ID : CVE-2023-47771
CVSS Score : 8.3 (High)
Researcher/s : Rafie Muhammad
Patch Status : Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/326618eb-186b-44a2-a779-00d5366bfff2

Thrive Theme Builder <= 3.20.1 – Missing Authorization
Affected Software : Thrive Themes Builder
CVE ID : CVE-2023-47783
CVSS Score : 8.3 (High)
Researcher/s : Rafie Muhammad
Patch Status : Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4fd6fa4f-8f4d-4d2f-ac67-98124cfa9592

AppPresser <= 4.2.5 – Insecure Password Reset Mechanism
Affected Software : AppPresser – Mobile App Framework
CVE ID : CVE-2023-4214
CVSS Score : 8.1 (High)
Researcher/s : István Márton
Patch Status : Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4c44c36a-c4c7-49c2-b750-1589e7840dde

Paid Memberships Pro <= 2.12.3 – Authenticated (Subscriber+) Arbitrary File Upload
Affected Software : Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions
CVE ID : CVE-2023-6187
CVSS Score : 7.5 (High)
Researcher/s : István Márton
Patch Status : Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5979f2eb-2ca8-4b06-814c-c4236bb81af0

Image Compressor & Optimizer – iLoveIMG <= 1.0.5 – Authenticated (Administrator+) PHP Object Injection
Affected Software : Image Compressor & Optimizer – iLoveIMG
CVE ID : CVE Unknown
CVSS Score : 7.2 (High)
Researcher/s : Unknown
Patch Status : Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/501e9cd1-1187-4d01-a3cc-5edba64c391f

Welcart e-Commerce <= 2.9.5 – Authenticated (Administrator+) PHP Object Injection
Affected Software : Welcart e-Commerce
CVE ID : CVE Unknown
CVSS Score : 7.2 (High)
Researcher/s : Unknown
Patch Status : Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/91f86c22-94db-4c43-985a-2f3dd96ece21

Slider Revolution <= 6.6.15 – Authenticated (Author+) Arbitrary File Upload
Affected Software : Slider Revolution
CVE ID : CVE-2023-47784
CVSS Score : 7.2 (High)
Researcher/s : Rafie Muhammad
Patch Status : Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e2d29afd-06e8-461a-918f-38228441a51a

Bus Ticket Booking with Seat Reservation <= 5.2.5 – Unauthenticated Cross-Site Scripting
Affected Software : Bus Ticket Booking with Seat Reservation – WpBusTicketly | WordPress plugin
CVE ID : CVE-2023-30496
CVSS Score : 7.2 (High)
Researcher/s : Ivy (TOOR, Lisa)
Patch Status : Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e9960282-4730-4ee8-b338-adcc57f01cc6

Forminator <= 1.27.0 – Authenticated (Administrator+) Arbitrary File Upload
Affected Software : Forminator – Contact Form, Payment Form & Custom Form Builder
CVE ID : CVE-2023-6133
CVSS Score : 6.6 (Medium)
Researcher/s : István Márton
Patch Status : Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/13cfa202-ab90-46c0-ab53-00995bfdcaa3

Email Encoder Bundle <= 2.1.8 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Affected Software : Email Encoder – Protect Email Addresses and Phone Numbers
CVE ID : CVE-2023-47821
CVSS Score : 6.4 (Medium)
Researcher/s : Ngô Thiên An (ancorn_)
Patch Status : Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/09f328f6-8a66-46bf-80d9-3ffeaecfec32

Better RSS Widget <= 2.8.1 – Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software : Better RSS Widget
CVE ID : CVE-2023-47813
CVSS Score : 6.4 (Medium)
Researcher/s : Ngô Thiên An (ancorn_)
Patch Status : Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/12660e7a-51fc-42c5-8a09-49df1db51efb

eCommerce Product Catalog for WordPress <= 3.3.26 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Affected Software : eCommerce Product Catalog Plugin for WordPress
CVE ID : CVE Unknown
CVSS Score : 6.4 (Medium)
Researcher/s : Unknown
Patch Status : Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/39695b53-9af7-42f0-8bde-3969398a7186

LayerSlider <= 7.7.9 – Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software : LayerSlider
CVE ID : CVE-2023-47786
CVSS Score : 6.4 (Medium)
Researcher/s : Rafie Muhammad
Patch Status : Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/441bc9fe-3dd6-40a6-b7f3-36511115c083

WooCommerce <= 8.1.1 & WooCommerce Blocks <= 11.1.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Featured Image alt Attribute
Affected Software/s : WooCommerce, WooCommerce Blocks
CVE ID : CVE-2023-47777
CVSS Score : 6.4 (Medium)
Researcher/s : Rafie Muhammad
Patch Status : Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/525dec5b-b457-483c-ab2d-09dd320edcaa

Quiz And Survey Master <= 8.1.13 – Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software : Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress
CVE ID : CVE-2023-47834
CVSS Score : 6.4 (Medium)
Researcher/s : emad
Patch Status : Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5c482b6e-ce1e-46e2-8847-10c485594448

Ajax Domain Checker <= 1.3.0 – Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software : Ajax Domain Checker
CVE ID : CVE-2023-47810
CVSS Score : 6.4 (Medium)
Researcher/s : Ngô Thiên An (ancorn_)
Patch Status : Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/699459a1-d407-4561-9d08-dd5d918ea601

Add Widgets to Page <= 1.3.2 – Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software : Add Widgets to Page
CVE ID : CVE-2023-47808
CVSS Score : 6.4 (Medium)
Researcher/s : Ngô Thiên An (ancorn_)
Patch Status : Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6af20a2c-065c-48d5-a95c-2883ceeb50c6

Slider Revolution <= 6.6.14 – Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software : Slider Revolution
CVE ID : CVE-2023-47772
CVSS Score : 6.4 (Medium)
Researcher/s : Rafie Muhammad
Patch Status : Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/772e843b-00ea-45f5-b730-c9a793d4c2db

Jetpack <= 12.8-a.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via block attribute
Affected Software : Jetpack – WP Security, Backup, Speed, & Growth
CVE ID : CVE-2023-45050
CVSS Score : 6.4 (Medium)
Researcher/s : Rafie Muhammad
Patch Status : Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/824360ab-c797-465a-8480-baeae941af29

BMI Calculator Plugin <= 1.0.3 – Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software : BMI Calculator Plugin
CVE ID : CVE-2023-47814
CVSS Score : 6.4 (Medium)
Researcher/s : Ngô Thiên An (ancorn_)
Patch Status : Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8bf0e224-d8c7-4bf9-b9a3-97545da9d90c

Bamboo Columns <= 1.6.1 – Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software : Bamboo Columns
CVE ID : CVE-2023-47812
CVSS Score : 6.4 (Medium)
Researcher/s : Ngô Thiên An (ancorn_)
Patch Status : Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8e7b40e4-c80a-4317-acff-77696fd8098f

Anywhere Flash Embed <= 1.0.5 – Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software : Anywhere Flash Embed
CVE ID : CVE-2023-47811
CVSS Score : 6.4 (Medium)
Researcher/s : Ngô Thiên An (ancorn_)
Patch Status : Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a95d7ff6-55ce-4d63-8433-60cece306628

DrawIt (draw.io) <= 1.1.3 – Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software : DrawIt (draw.io)
CVE ID : CVE-2023-47831
CVSS Score : 6.4 (Medium)
Researcher/s : resecured.io
Patch Status : Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ddde9db5-3ed7-42f7-97c1-4ff9b9d1f627

WooCommerce Product Carousel Slider <= 3.3.5 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Affected Software : WooCommerce Product Carousel Slider
CVE ID : CVE-2023-47755
CVSS Score : 6.4 (Medium)
Researcher/s : Abdi Pranata
Patch Status : Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e6f6dab2-da03-43b6-b9c1-ebc6a7e1d1c9

BP Profile Shortcodes Extra <= 2.5.2 – Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software : BP Profile Shortcodes Extra
CVE ID : CVE-2023-47815
CVSS Score : 6.4 (Medium)
Researcher/s : Ngô Thiên An (ancorn_)
Patch Status : Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ea9eaca6-3441-4976-8556-0ce288d1a0c6

ARI Stream Quiz <= 1.2.32 – Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software : ARI Stream Quiz – WordPress Quizzes Builder
CVE ID : CVE-2023-47835
CVSS Score : 6.4 (Medium)
Researcher/s : emad
Patch Status : Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/edb4f4b7-a59c-454b-82b5-d8e91c1c82a3

Daily Prayer Time <= 2023.10.13 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Affected Software : Daily Prayer Time
CVE ID : CVE-2023-47817
CVSS Score : 6.4 (Medium)
Researcher/s : Ngô Thiên An (ancorn_)
Patch Status : Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f0ccd265-2e64-4b23-a032-aaeb9941df34

Shareaholic <= 9.7.8 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Affected Software : Professional Social Sharing Buttons, Icons & Related Posts – Shareaholic
CVE ID : CVE-2023-4889
CVSS Score : 6.4 (Medium)
Researcher/s : István Márton
Patch Status : Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ff6932c6-f3ec-46a8-a03b-95512eee5bf1

AWeber <= 7.3.9 – Missing Authorization via AJAX actions
Affected Software : AWeber – Free Sign Up Form and Landing Page Builder Plugin for Lead Generation and Email Newsletter Growth
CVE ID : CVE-2023-47757
CVSS Score : 6.3 (Medium)
Researcher/s : Abdi Pranata
Patch Status : Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/397f20d8-2400-4403-8543-f57141378012

Betheme <= 27.1.1 – Missing Authorization
Affected Software : Betheme
CVE ID : CVE-2023-47770
CVSS Score : 6.3 (Medium)
Researcher/s : Rafie Muhammad
Patch Status : Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/72bdc81e-1a9d-4dd8-93a5-fb1026d6a2d9

Interactive World Map <= 3.2.0 – Reflected Cross-Site Scripting
Affected Software : Interactive World Map
CVE ID : CVE-2023-47767
CVSS Score : 6.1 (Medium)
Researcher/s : Le Ngoc Anh
Patch Status : Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/09b0bfd3-93a7-4f13-828d-772f54085a60

BSK Contact Form 7 Blacklist <= 1.0.1 – Reflected Cross-Site Scripting
Affected Software : BSK Contact Form 7 Blacklist
CVE ID : CVE-2023-5141
CVSS Score : 6.1 (Medium)
Researcher/s : Enrico Marcolini, Claudio Marchesini (Dottormarc)
Patch Status : Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0e27b0a8-e052-49ed-8744-a2376aa386f5

Star CloudPRNT for WooCommerce <= 2.0.3 – Reflected Cross-Site Scripting
Affected Software : Star CloudPRNT for WooCommerce
CVE ID : CVE-2023-4603
CVSS Score : 6.1 (Medium)
Researcher/s : Vincenzo Turturro, Gianluca Parisi, Vincenzo Cantatore
Patch Status : Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/110c6d41-e814-41c9-a3e7-d94ec3d953e6

AMP+ Plus <= 3.0 – Reflected Cross-Site Scripting
Affected Software : AMP+ Plus
CVE ID : CVE-2023-5210
CVSS Score : 6.1 (Medium)
Researcher/s : Nicolas Surribas
Patch Status : Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/417ff4fd-e514-4366-b9a6-c04d7434eac1

EmbedPress <= 3.9.1 – Reflected Cross-Site Scripting
Affected Software : EmbedPress – Embed PDF, YouTube, Google Docs, Vimeo, Wistia Videos, Audios, Maps & Any Documents in Gutenberg & Elementor
CVE ID : CVE Unknown
CVSS Score : 6.1 (Medium)
Researcher/s : Unknown
Patch Status : Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/41edf49a-18a2-4cf0-b498-738e77287b90

Footer Putter <= 6.1.3 – Reflected Cross-Site Scripting
Affected Software : Footer Putter
CVE ID : CVE Unknown
CVSS Score : 6.1 (Medium)
Researcher/s : Le Ngoc Anh
Patch Status : Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/688353c9-e4e5-4717-9651-15d05248554f

Post Status Notifier Lite <= 1.11.0 – Reflected Cross-Site Scripting
Affected Software : Post Status Notifier Lite
CVE ID : CVE-2023-47766
CVSS Score : 6.1 (Medium)
Researcher/s : LEE SE HYOUNG
Patch Status : Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6af1224e-0ed3-4770-96c0-c15cc895d36d

Permalinks Customizer <= 2.8.2 – Reflected Cross-Site Scripting
Affected Software : Permalinks Customizer
CVE ID : CVE-2023-47773
CVSS Score : 6.1 (Medium)
Researcher/s : Le Ngoc Anh
Patch Status : Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/702dca65-fa8c-48c7-89e4-cba4b151e2c4

Namaste! LMS <= 2.6.1.1 – Reflected Cross-Site Scripting
Affected Software : Namaste! LMS
CVE ID : CVE-2023-4602
CVSS Score : 6.1 (Medium)
Researcher/s : Vincenzo Turturro, Gianluca Parisi, Vincenzo Cantatore
Patch Status : Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d014f512-9030-49ce-945d-4900594fb373

Accordion <= 2.6 – Authenticated (Editor+) Stored Cross-Site Scripting via accordion settings
Affected Software : Accordion
CVE ID : CVE-2023-47809
CVSS Score : 5.5 (Medium)
Researcher/s : Ngô Thiên An (ancorn_)
Patch Status : Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ff656409-2344-4190-a731-5a282e21375c

Embed Privacy <= 1.8.0 – Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software : Embed Privacy
CVE ID : CVE-2023-48300
CVSS Score : 5.4 (Medium)
Researcher/s : wpdabh
Patch Status : Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/26d9dfc7-151c-4b32-9ae4-3085d08f137c

Elementor Addon Elements <= 1.12.7 – Cross-Site Request Forgery
Affected Software : Elementor Addon Elements
CVE ID : CVE-2023-4689
CVSS Score : 5.4 (Medium)
Researcher/s : Marco Wotschka, Paolo Tresso
Patch Status : Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/472cdbc4-3bfa-4254-b35a-be7ae10782e6

MP3 Audio Player for Music, Radio & Podcast by Sonaar <= 4.10 – Missing Authorization to Template Import
Affected Software : MP3 Audio Player for Music, Radio & Podcast by Sonaar
CVE ID : CVE-2023-47822
CVSS Score : 5.4 (Medium)
Researcher/s : Abdi Pranata
Patch Status : Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6bcb9d95-acb4-4405-b785-1e5eace10dc9

Legal Pages <= 1.3.8 – Cross-Site Request Forgery via moveToTrash and fetch_and_insert_template_data
Affected Software : Legal Pages – Privacy Policy, Terms & Conditions, GDPR, CCPA, and Cookie Notice Generator
CVE ID : CVE-2023-47824
CVSS Score : 5.4 (Medium)
Researcher/s : Brandon James Roldan (tomorrowisnew)
Patch Status : Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6fb9c8c3-e491-4bca-adeb-b87d9f8f3b32

Pz-LinkCard <= 2.4.8 – Cross-Site Request Forgery via page_cacheman
Affected Software : Pz-LinkCard
CVE ID : CVE-2023-47790
CVSS Score : 5.4 (Medium)
Researcher/s : Le Ngoc Anh
Patch Status : Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b6de97ac-127d-47ec-8b74-03e7fa4932f6

eCommerce Product Catalog for WordPress <= 3.3.25 – Cross-Site Request Forgery
Affected Software : eCommerce Product Catalog Plugin for WordPress
CVE ID : CVE Unknown
CVSS Score : 5.4 (Medium)
Researcher/s : Unknown
Patch Status : Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ba70f811-543f-4da4-ba45-715dbd6be6be

Audio Merchant <= 5.0.4 – Cross-Site Request Forgery to Settings Modification and Stored Cross-Site Scripting
Affected Software : Audio Merchant
CVE ID : CVE-2023-6197
CVSS Score : 5.4 (Medium)
Researcher/s : Ala Arfaoui
Patch Status : Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d7911337-57fa-4268-8366-d37ff13fae86

Delete Duplicate Posts <= 4.8.9 – Missing Authorization via AJAX Actions
Affected Software : Delete Duplicate Posts
CVE ID : CVE-2023-47754
CVSS Score : 5.4 (Medium)
Researcher/s : Huynh Tien Si
Patch Status : Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f603a25f-7d56-4cf4-89aa-de87ee49522a

Elementor Addon Elements <= 1.12.7 – Cross-Site Request Forgery
Affected Software : Elementor Addon Elements
CVE ID : CVE-2023-4690
CVSS Score : 5.4 (Medium)
Researcher/s : Marco Wotschka, Paolo Tresso
Patch Status : Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fd53b4e1-c6b7-4111-911a-04b14c7a9c4e

Restaurant & Cafe Addon for Elementor <= 1.5.2 – Missing Authorization
Affected Software : Restaurant & Cafe Addon for Elementor
CVE ID : CVE Unknown
CVSS Score : 5.3 (Medium)
Researcher/s : Unknown
Patch Status : Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/07712191-03b6-4de4-b0a4-e6f03ce9dc81

Ditty <= 3.1.24 – Missing Authorization via save_ditty_permissions_check
Affected Software : Ditty – Responsive News Tickers, Sliders, and Lists
CVE ID : CVE-2023-47764
CVSS Score : 5.3 (Medium)
Researcher/s : Abdi Pranata
Patch Status : Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/08630dfd-df43-4a5a-8fc7-ba8ff753db3d

FormCraft <= 1.2.7 – Missing Authorization via formcraft_nag_update
Affected Software : FormCraft – Contact Form Builder for WordPress
CVE ID : CVE-2023-47823
CVSS Score : 5.3 (Medium)
Researcher/s : Abdi Pranata
Patch Status : Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/25d5735a-8eed-4b4a-9bbe-9e42fb18ddf2

SearchIQ <= 4.4 – Missing Authorization via getSIQPluginSettings
Affected Software : SearchIQ – The Search Solution
CVE ID : CVE-2023-47832
CVSS Score : 5.3 (Medium)
Researcher/s : Mika
Patch Status : Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3001829b-f63b-4b99-91a0-53d615ac96c1

YOP Poll <= 6.5.26 – Race Condition to Vote Manipulation
Affected Software : YOP Poll
CVE ID : CVE-2023-6109
CVSS Score : 5.3 (Medium)
Researcher/s : RIN MIYACHI
Patch Status : Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/360b1927-a863-46be-ad11-3f6251c75a3c

WPCafe <= 2.2.19 – Missing Authorization via dismiss_ajax_call
Affected Software : WPCafe – Restaurant Menu, Online Ordering for WooCommerce, Pickup / Delivery and Table Reservation
CVE ID : CVE-2023-47805
CVSS Score : 5.3 (Medium)
Researcher/s : Abdi Pranata
Patch Status : Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4261bc62-a091-408b-8643-e6fa61d62103

LWS Hide Login <= 2.1.8 – Protection Mechanism Bypass
Affected Software : LWS Hide Login
CVE ID : CVE-2023-47818
CVSS Score : 5.3 (Medium)
Researcher/s : Naveen Muthusamy
Patch Status : Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/532cffdb-16e8-4ced-9477-483c96db343c

avalex – Automatisch sichere Rechtstexte <= 3.0.8 – Missing Authorization
Affected Software : avalex – Automatisch sichere Rechtstexte
CVE ID : CVE Unknown
CVSS Score : 5.3 (Medium)
Researcher/s : Unknown
Patch Status : Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7319293e-f921-46d1-aea6-2578d1a251a7

WP Maintenance <= 6.1.3 – IP Restriction Bypass
Affected Software : WP Maintenance
CVE ID : CVE-2023-47769
CVSS Score : 5.3 (Medium)
Researcher/s : Mika
Patch Status : Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/87a1cc00-330c-40c3-a174-8ea50075c4bd

Elementor Addon Elements <= 1.12.7 – Missing Authorization to Sensitive Information Exposure
Affected Software : Elementor Addon Elements
CVE ID : CVE-2023-4723
CVSS Score : 5.3 (Medium)
Researcher/s : Marco Wotschka, Paolo Tresso
Patch Status : Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/89489218-263f-4157-a5cd-a12bc6a0dfe6

Welcome Email Editor <= 5.0.5 – Missing Authorization via ajax_handler
Affected Software : Welcome Email Editor
CVE ID : CVE-2023-47756
CVSS Score : 5.3 (Medium)
Researcher/s : Abdi Pranata
Patch Status : Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/943cd10b-1b58-4803-ba6f-291f73353422

Events Addon for Elementor <= 2.1.2 – Missing
Authorization Affected Software : Events Addon for Elementor CVE ID : CVE Unknown CVSS Score : 5.3 (Medium) Researcher/s : Unknown Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b7f52e71-da35-4b46-b658-d293f81b5dc9 Acme Fix Images <= 1.0.0 – Missing Authorization via acme_fix_images_ajax_callback Affected Software : Acme Fix Images CVE ID : CVE-2023-47793 CVSS Score : 5.3 (Medium) Researcher/s : Abdi Pranata Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b9047775-2d72-4eb5-9339-419f95aa19b2 EWWW Image Optimizer <= 7.2.0 – Unauthenticated Sensitive Information Exposure via Debug Log Affected Software : EWWW Image Optimizer CVE ID : CVE-2023-40600 CVSS Score : 5.3 (Medium) Researcher/s : Mika Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d20ff1a8-8794-41e1-9e66-1cda90f9ff77 WP Meta and Date Remover <= 2.3.0 – Cross-Site Request Forgery via updateSettings Affected Software : WP Meta and Date Remover CVE ID : CVE-2023-47836 CVSS Score : 5.3 (Medium) Researcher/s : Abdi Pranata Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/faa9ad87-44b2-47b3-a05c-52e59af7255a Jetpack < 12.7 – Authenticated(Contributor+) Clickjacking via Iframe Injection Affected Software : Jetpack – WP Security, Backup, Speed, & Growth CVE ID : CVE-2023-47774 CVSS Score : 5 (Medium) Researcher/s : Rafie Muhammad Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/92a3e622-b3b2-450e-82a7-0a942711e8c0 Integration for Contact Form 7 and Constant Contact <= 1.1.4 – Open Redirect Affected Software : Integration for Constant Contact and Contact Form 7, WPForms, Elementor, Ninja Forms CVE ID : CVE-2023-47779 CVSS Score : 4.7 (Medium) Researcher/s : Le Ngoc Anh Patch Status : Unpatched Vulnerability Details: 
https://wordfence.com/threat-intel/vulnerabilities/id/5c8404d2-7b37-40df-b756-328f827f273d Chaty <= 3.1.2 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings Affected Software : Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button – Chaty CVE ID : CVE-2023-47759 CVSS Score : 4.4 (Medium) Researcher/s : emad Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/361deac0-f675-432c-b7d2-b99f168d476d Popup Box <= 3.8.6 – Authenticated (Administrator+) Stored Cross-Site Scripting Affected Software : Popup Box – Best WordPress Popup Plugin CVE ID : CVE Unknown CVSS Score : 4.4 (Medium) Researcher/s : Unknown Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5a40bac7-d3b8-486d-938a-30591ff3016c Simply Excerpts <= 1.4 – Authenticated (Admin+) Stored Cross-Site Scripting Affected Software : Simply Excerpts CVE ID : CVE-2023-5137 CVSS Score : 4.4 (Medium) Researcher/s : niclo Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5e6a7f09-2166-426e-a548-daafb23363a6 Quick Call Button <= 1.2.9 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings Affected Software : Quick Call Button CVE ID : CVE-2023-47829 CVSS Score : 4.4 (Medium) Researcher/s : Muhammad Daffa Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6b5e9c7f-e0c9-4c27-8b39-87e15fd29604 Ultimate Dashboard <= 3.7.7 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings Affected Software : Ultimate Dashboard – Custom WordPress Dashboard CVE ID : CVE-2023-4726 CVSS Score : 4.4 (Medium) Researcher/s : Marco Wotschka Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/79cce1fc-a27f-4842-b1a2-2c53857add4c WP Not Login Hide <= 1.0 – Authenticated (Admin+) Stored 
Cross-Site Scripting Affected Software : WP Not Login Hide (WPNLH) CVE ID : CVE-2023-5940 CVSS Score : 4.4 (Medium) Researcher/s : Furkan ÖZER Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9fc46de4-af1c-4e38-9caa-55b7b18a69ae Theater for WordPress <= 0.18.3 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings Affected Software : Theater for WordPress CVE ID : CVE-2023-47833 CVSS Score : 4.4 (Medium) Researcher/s : DoYeon Park (p6rkdoye0n) Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b0fdad22-5aee-468f-885c-f65c068cf413 Premmerce Redirect Manager <= 1.0.11 – Authenticated (Administrator+) Stored Cross-Site Scripting Affected Software : Premmerce Redirect Manager CVE ID : CVE Unknown CVSS Score : 4.4 (Medium) Researcher/s : Unknown Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b3d4f658-e9ce-490b-bcaa-1061a463dbb2 Elementor Addon Elements <= 1.12.7 – Authenticated (Administrator+) Stored Cross-Site Scripting Affected Software : Elementor Addon Elements CVE ID : CVE-2023-5381 CVSS Score : 4.4 (Medium) Researcher/s : Paolo Tresso Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bd2bc2e7-960e-40db-9dcc-a6a60117bd83 Website Optimization – Plerdy <= 1.3.2 – Authenticated (Admin+) Stored Cross-Site Scripting Affected Software : Website Optimization – Plerdy CVE ID : CVE-2023-5715 CVSS Score : 4.4 (Medium) Researcher/s : Huynh Tien Si Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/db18ac07-2e7a-466d-b00c-a598401f8633 URL Shortify <= 1.7.9 – Authenticated (Admin+) Stored Cross-Site Scripting Affected Software : URL Shortify – Simple, Powerful and Easy URL Shortener Plugin For WordPress CVE ID : CVE-2023-5605 CVSS Score : 4.4 (Medium) Researcher/s : Bartłomiej Marek, Tomasz Swiadek Patch 
Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ddc4b758-5a1e-4d0a-949e-869fcd9df0bc wpDiscuz <= 7.6.12 – Authenticated (Administrator+) Stored Cross-Site Scripting Affected Software : Comments – wpDiscuz CVE ID : CVE Unknown CVSS Score : 4.4 (Medium) Researcher/s : Unknown Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f68bc7e9-3bfe-4b2f-82a1-92bbde1a133a Community by PeepSo <= 6.1.6.0 – Cross-Site Request Forgery via delete Affected Software : Community by PeepSo – Social Network, Membership, Registration, User Profiles CVE ID : CVE-2023-39925 CVSS Score : 4.3 (Medium) Researcher/s : Revan Arifio Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0aea5564-b1b9-4d57-9f7e-81dd791c8d48 WP Courses LMS <= 3.2.3 – Missing Authorization Affected Software : WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses CVE ID : CVE Unknown CVSS Score : 4.3 (Medium) Researcher/s : Unknown Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1127fe1e-4359-4dff-93a7-392a8bfded51 Sprout Invoices <= 20.5.3 – Sensitive Information Exposure Affected Software : Client Invoicing by Sprout Invoices – Easy Estimates and Invoices for WordPress CVE ID : CVE Unknown CVSS Score : 4.3 (Medium) Researcher/s : Unknown Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2330b18e-0907-47e1-b91f-1fe466bcf76b BetterDocs <= 2.5.2 – Missing Authorization via AJAX actions Affected Software : BetterDocs – Best Documentation & Knowledge Base Plugin CVE ID : CVE-2023-47762 CVSS Score : 4.3 (Medium) Researcher/s : Abdi Pranata Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2a7d6059-4cef-4bd1-a14d-ad544bfaeea3 Conditional Fields for Contact Form 7 <= 2.4.1 – Missing 
Authorization Affected Software : Conditional Fields for Contact Form 7 CVE ID : CVE-2023-47838 CVSS Score : 4.3 (Medium) Researcher/s : Abdi Pranata Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3cfd8b2d-cf2a-439d-9f9a-dbe499b1cd48 WP Courses LMS <= 3.2.3 – Cross-Site Request Forgery Affected Software : WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses CVE ID : CVE Unknown CVSS Score : 4.3 (Medium) Researcher/s : Unknown Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/487e23c9-9100-4240-8992-c4c85930c4a6 LuckyWP Scripts Control <= 1.2.1 – Missing Authorization Affected Software : LuckyWP Scripts Control CVE ID : CVE-2023-47778 CVSS Score : 4.3 (Medium) Researcher/s : Abdi Pranata Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/51c42ca2-cdba-49f5-bea2-83c9b8cf0db7 Events Addon for Elementor <= 2.1.2 – Cross-Site Request Forgery Affected Software : Events Addon for Elementor CVE ID : CVE Unknown CVSS Score : 4.3 (Medium) Researcher/s : Unknown Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5256ef2b-e1fc-4746-b35e-07a265f47f95 wpDiscuz <= 7.6.11 – Cross-Site Request Forgery Affected Software : Comments – wpDiscuz CVE ID : CVE-2023-47775 CVSS Score : 4.3 (Medium) Researcher/s : Vladislav Pokrovsky (ΞX.MI) Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/53af9dfd-eb2d-4f6f-b02f-daf790b95f1f Ultimate Responsive Image Slider <= 3.5.11 – Missing Authorization via AJAX action Affected Software : Slider – Ultimate Responsive Image Slider CVE ID : CVE Unknown CVSS Score : 4.3 (Medium) Researcher/s : Unknown Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5c92beb0-1fcf-4352-bd34-00e31b265c04 10WebAnalytics <= 1.2.12 – 
Missing Authorization via gawd_wd_bp_install_notice_status Affected Software : 10WebAnalytics CVE ID : CVE-2023-47807 CVSS Score : 4.3 (Medium) Researcher/s : Abdi Pranata Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5dd2a4cb-dd74-4b00-82f5-3bf1452e71a3 miniorange otp verification <= 4.2.1 – Missing Authorization via dismiss_notice Affected Software : Email Verification / SMS Verification / OTP Verification / OTP Authentication / WooCommerce Notification CVE ID : CVE-2023-47776 CVSS Score : 4.3 (Medium) Researcher/s : Abdi Pranata Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/62ea1427-0990-4645-aa1a-42da6fd3944f WP EXtra <= 6.4 – Cross-Site Request Forgery ToolImport Affected Software : WP EXtra CVE ID : CVE-2023-47825 CVSS Score : 4.3 (Medium) Researcher/s : Huynh Tien Si Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7e3f3104-e213-4b0f-9821-b3f1a5c06191 Leadster <= 1.1.2 – Cross-Site Request Forgery via leadster_script_code_action Affected Software : Leadster CVE ID : CVE-2023-47791 CVSS Score : 4.3 (Medium) Researcher/s : BuShiYue Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/86837f87-ea91-404a-92ac-38d1abf14cde Live Preview for Contact Form 7 <= 1.2.0 – Missing Authorization via update_option Affected Software : Live Preview for Contact Form 7 CVE ID : CVE-2023-47830 CVSS Score : 4.3 (Medium) Researcher/s : thiennv Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/89dbf14f-1cc8-4a66-b3d3-3568cba9a0aa WP Custom Admin Interface <= 7.31 – Missing Authorization via wpcai_pro_notice_disable Affected Software : WP Custom Admin Interface CVE ID : CVE-2023-47763 CVSS Score : 4.3 (Medium) Researcher/s : Abdi Pranata Patch Status : Patched Vulnerability Details: 
https://wordfence.com/threat-intel/vulnerabilities/id/8b040f47-b126-4640-9fc5-bda8650f6c69 EasyAzon – Amazon Associates Affiliate <= 5.1.0 – Missing Authorization on AJAX actions Affected Software : EasyAzon – Amazon Associates Affiliate Plugin CVE ID : CVE-2023-47780 CVSS Score : 4.3 (Medium) Researcher/s : Abdi Pranata Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/91ba93de-4c5f-4611-8296-adfc85c8dd2b LayerSlider <= 7.7.9 – Cross-Site Request Forgery Affected Software : LayerSlider CVE ID : CVE-2023-47785 CVSS Score : 4.3 (Medium) Researcher/s : Rafie Muhammad Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9225ebc6-bff9-4176-a86e-022ff8ec3b05 Big File Uploads <= 2.1.1 – Cross-Site Request Forgery via actions Affected Software : Big File Uploads – Increase Maximum File Upload Size CVE ID : CVE-2023-47792 CVSS Score : 4.3 (Medium) Researcher/s : Abdi Pranata Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/93b527a8-30c0-4e47-bb2b-522380b21699 Easy Call Now by ThikShare <= 1.1.0 – Cross-Site Request Forgery via settings_page Affected Software : Easy Call Now by ThikShare CVE ID : CVE-2023-47819 CVSS Score : 4.3 (Medium) Researcher/s : Nguyen Xuan Chien Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9bd8c4e5-ef53-47e8-8658-291509e9b987 Restaurant & Cafe Addon for Elementor <= 1.5.2 – Cross-Site Request Forgery Affected Software : Restaurant & Cafe Addon for Elementor CVE ID : CVE Unknown CVSS Score : 4.3 (Medium) Researcher/s : Unknown Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9d986739-d6a5-491d-948f-4c58af75369a Conditional Fields for Contact Form 7 <= 2.4.0 – Missing Authorization Affected Software : Conditional Fields for Contact Form 7 CVE ID : CVE Unknown CVSS Score : 4.3 (Medium) Researcher/s : 
Abdi Pranata Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a175d2b2-0a35-4c5a-b05b-4d334e444e85 CodeBard’s Patron Button and Widgets for Patreon <= 2.1.9 – Cross-Site Request Forgery Affected Software : CodeBard’s Patron Button and Widgets for Patreon CVE ID : CVE-2023-47765 CVSS Score : 4.3 (Medium) Researcher/s : Mika Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a4ea53bd-2ce7-4dce-8c57-51ba81838f1a WooCommerce Bookings <= 2.0.3 – Cross-Site Request Forgery Affected Software : WooCommerce Bookings CVE ID : CVE-2023-47787 CVSS Score : 4.3 (Medium) Researcher/s : Rafie Muhammad Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a54841af-65ce-4434-a67e-79ea673ec8f9 Customer Reviews for WooCommerce <= 5.38.1 – Cross-Site Request Forgery via manual review reminders Affected Software : Customer Reviews for WooCommerce CVE ID : CVE Unknown CVSS Score : 4.3 (Medium) Researcher/s : Unknown Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b243722e-6510-48bd-be26-95ccbe79fa57 WordPress File Upload 4.24.0 – Cross-Site Request Forgery Affected Software : WordPress File Upload CVE ID : CVE Unknown CVSS Score : 4.3 (Medium) Researcher/s : Unknown Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b6048088-c11c-4741-8dde-da707f8f84f2 ARI Stream Quiz <= 1.2.32 – Cross-Site Request Forgery Affected Software : ARI Stream Quiz – WordPress Quizzes Builder CVE ID : CVE Unknown CVSS Score : 4.3 (Medium) Researcher/s : Unknown Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b6c5f933-b71b-4475-abdf-4cffff2a1a6c wpMandrill <= 1.33 – Missing Authorization via getAjaxStats Affected Software : wpMandrill CVE ID : CVE-2023-47828 CVSS Score : 4.3 (Medium) Researcher/s : Abdi Pranata Patch 
Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b89cf8ef-9fa0-4ede-8ec9-c166d0db74fe Essential Blocks for Gutenberg <= 4.2.0 – Missing Authorization via AJAX actions Affected Software : Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates CVE ID : CVE-2023-47760 CVSS Score : 4.3 (Medium) Researcher/s : Abdi Pranata Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c2136e1c-5f69-434d-bdc7-72a144da744b Hreflang Manager <= 1.06 – Cross-Site Request Forgery Affected Software : Hreflang Manager CVE ID : CVE Unknown CVSS Score : 4.3 (Medium) Researcher/s : Unknown Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c357e34f-2d0f-4af4-bb67-cbbc6cd4e141 Customer Reviews for WooCommerce <= 5.38.1 – Missing Authorization via manual review reminders Affected Software : Customer Reviews for WooCommerce CVE ID : CVE Unknown CVSS Score : 4.3 (Medium) Researcher/s : Unknown Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c6e2710f-f51a-487d-a4bb-a19f614ff254 Legal Pages <= 1.3.8 – Missing Authorization Affected Software : Legal Pages – Privacy Policy, Terms & Conditions, GDPR, CCPA, and Cookie Notice Generator CVE ID : CVE Unknown CVSS Score : 4.3 (Medium) Researcher/s : Unknown Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/db0508dd-143f-4674-8193-d46967d2799f Simple 301 Redirects by BetterLinks <= 2.0.7 – Missing Authorization via clicked Affected Software : Simple 301 Redirects by BetterLinks CVE ID : CVE-2023-47761 CVSS Score : 4.3 (Medium) Researcher/s : Abdi Pranata Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ddacd612-0cd5-4b07-9184-bec6f1adbb4c Jetpack <= 12.6.2 – Improper Authorization via WPCom External Media REST endpoints Affected Software : Jetpack – 
WP Security, Backup, Speed, & Growth CVE ID : CVE-2023-47788 CVSS Score : 4.3 (Medium) Researcher/s : Rafie Muhammad Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e62fa16f-a4a1-44a7-9a66-abafd8dddf67 WooCommerce Canada Post Shipping <= 2.8.3 – Cross-Site Request Forgery Affected Software : Woocommerce Shipping Canada Post CVE ID : CVE-2023-47789 CVSS Score : 4.3 (Medium) Researcher/s : Rafie Muhammad Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ff850f88-6e89-48dd-ad70-dda4018c22fc Restaurant & Cafe Addon for Elementor <= 1.5.3 – Missing Authorization via multiple AJAX functions Affected Software : Restaurant & Cafe Addon for Elementor CVE ID : CVE-2023-47826 CVSS Score : 3.1 (Low) Researcher/s : Abdi Pranata Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ad003d57-a573-473e-80a9-5bf60d42a707 WP Like Button <= 1.7.0 – Missing Authorization via crublabFBLBAjax Affected Software : WP Like Button CVE ID : CVE-2023-47820 CVSS Score : 3.1 (Low) Researcher/s : Abdi Pranata Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/da550fd7-3c1a-4b07-afc0-2366e0f5cccd As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence. This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can. 