Wordfence Intelligence Weekly WordPress Vulnerability Report (November 27, 2023 to December 3, 2023)

🎁 Wordfence just launched its bug bounty program. Through December 20th 2023, all researchers will earn 6.25x our normal bounty rates when Wordfence handles responsible disclosure for our Holiday Bug Extravaganza! Register as a researcher and submit your vulnerabilities today! 🎁

Last week, there were 124 vulnerabilities disclosed in 123 WordPress Plugins and 2 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 39 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 12,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection. The team rolled out enhanced protection via firewall rules for the following in real-time to our Premium, Care, and Response customers last week:

- wp-autoload.php backdoor – while we typically write firewall rules for vulnerabilities, we wrote a firewall rule to block successful exploitation of this piece of malware, which we covered in a separate post.
- Backup Migration <= 1.3.6 – Unauthenticated Arbitrary File Download to Sensitive Information Exposure

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status | Number of Vulnerabilities
Unpatched | 66
Patched | 58

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating | Number of Vulnerabilities
Low Severity | 0
Medium Severity | 113
High Severity | 10
Critical Severity | 1

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE | Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 53
Missing Authorization | 24
Cross-Site Request Forgery (CSRF) | 21
Information Exposure | 7
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 4
Unrestricted Upload of File with Dangerous Type | 3
Server-Side Request Forgery (SSRF) | 2
Incorrect Authorization | 1
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') | 1
Authorization Bypass Through User-Controlled Key | 1
Guessable CAPTCHA | 1
Use of Less Trusted Source | 1
Protection Mechanism Failure | 1
Improper Access Control | 1
Improper Authorization | 1
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') | 1
Reliance on Untrusted Inputs in a Security Decision | 1

Researchers That Contributed to WordPress Security Last Week

Researcher Name | Number of Vulnerabilities
Rafie Muhammad | 9
Abdi Pranata | 8
emad | 7
Mika | 7
DoYeon Park (p6rkdoye0n) | 6
Ngô Thiên An (ancorn_) | 6
Joshua Chan | 5
Le Ngoc Anh | 4
LEE SE HYOUNG | 4
qilin_99 | 4
LVT-tholv2k | 4
Rafshanzani Suhada | 3
Vladislav Pokrovsky (ΞX.MI) | 3
Abu Hurayra (HurayraIIT) | 3
Skalucy | 3
resecured.io | 2
Revan Arifio | 2
Francesco Carlucci | 2
yuyudhn | 2
István Márton (Wordfence Vulnerability Researcher) | 2
thiennv | 2
Elliot | 2
SeungYongLee | 2
Phd | 2
Abdullah Hussam | 1
Sebastian Neef | 1
Yudistira Arya | 1
Nguyen Xuan Chien | 1
Brandon James Roldan (tomorrowisnew) | 1
Alex Thomas (Wordfence Vulnerability Researcher) | 1
Shahzaib Ali Khan | 1
Dmitrii Ignatyev | 1
Bob Matyas | 1
Krzysztof Zając | 1
Truoc Phan | 1
Dave Jong | 1
Nguyen Anh Tien | 1
Yuchen Ji | 1
Arvandy | 1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our disclosure form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week

Software Name | Software Slug
12 Step Meeting List | 12-step-meeting-list
360 Javascript Viewer | 360deg-javascript-viewer
AMP for WP – Accelerated Mobile Pages | accelerated-mobile-pages
Abandoned Cart Lite for WooCommerce | woocommerce-abandoned-cart
AdFoxly – Ad Manager, AdSense Ads & Ads.txt | adfoxly
Add to Cart Text Changer and Customize Button, Add Custom Icon | woo-add-to-cart-text-change
Ads by datafeedr.com | ads-by-datafeedrcom
Affiliate Booster – Pros & Cons, Notice, and CTA Blocks for Affiliates | affiliatebooster-blocks
Antispam Bee | antispam-bee
Aparat | aparat
Aruba HiSpeed Cache | aruba-hispeed-cache
Author Box, Guest Author and Co-Authors for Your Posts – Molongui | molongui-authorship
Automatic Youtube Video Posts Plugin | automatic-youtube-video-posts
BSK Forms Blacklist | bsk-gravityforms-blacklist
Backup Migration | backup-backup
Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss | bp-better-messages
BigCommerce For WordPress | bigcommerce
BookingPress – Appointment Booking Calendar Plugin and Online Scheduling Plugin | bookingpress-appointment-booking
BrainCert – HTML5 Virtual Classroom | html5-virtual-classroom
Bravo Translate | bravo-translate
Button Generator – easily Button Builder | button-generation
CF7 Google Sheets Connector | cf7-google-sheets-connector
Campaign Monitor for WordPress | forms-for-campaign-monitor
Chartify – WordPress Chart Plugin | chart-builder
Chat Bubble – Floating Chat with Contact Chat Icons, Messages, Telegram, Email, SMS, Call me back | chat-bubble
Client Dash | client-dash
Coming soon and Maintenance mode | coming-soon-page
CommentLuv | commentluv
Contact Form 7 | contact-form-7
Contact Form – Custom Builder, Payment Form, and More | powr-pack
Credit Tracker | credit-tracker
Crypto Converter ⚑ Widget | crypto-converter-widget
Currency Converter Calculator | currency-converter-calculator
Database for CF7 | database-for-cf7
Debug Log Manager | debug-log-manager
Delete Post Revisions In WordPress | delete-post-revisions-on-single-click
Doofinder WP & WooCommerce Search | doofinder-for-woocommerce
Ecwid Ecommerce Shopping Cart | ecwid-shopping-cart
Email Address Encoder | email-address-encoder
Enhanced Text Widget | enhanced-text-widget
Event post | event-post
Evergreen Content Poster – Auto Post and Schedule Your Best Content to Social Media | evergreen-content-poster
Export WP Page to Static HTML/CSS | export-wp-page-to-static-html
File Gallery | file-gallery
Form builder to get in touch with visitors, grow your email list and collect payments — Happyforms | happyforms
Forms by CaptainForm – Form Builder for WordPress | captainform
Formzu WP | formzu-wp
GDPR Cookie Consent by Supsystic | gdpr-compliance-by-supsystic
Gift Up Gift Cards for WordPress and WooCommerce | gift-up
GoDaddy Email Marketing | godaddy-email-marketing-sign-up-forms
Guest Author | guest-author
HDW Player Plugin (Video Player & Video Gallery) | hdw-player-video-player-video-gallery
HUSKY – Products Filter for WooCommerce Professional | woocommerce-products-filter
Hubbub Lite (formerly Grow Social) | social-pug
IdeaPush | ideapush
Importify – Dropshipping WooCommerce Plugin for Aliexpress, Amazon, Etsy, Alibaba, Walmart & More | importify
Innovs HR – Complete Human Resource Management System for Your Business | innovs-hr-manager
JetBlocks for Elementor | jet-blocks
JetBlog for Elementor | jet-blog
JetCompareWishlist for Elementor | jet-compare-wishlist
JetElements | jet-elements
JetEngine | jet-engine
JetFormBuilder — Dynamic Blocks Form Builder | jetformbuilder
JetMenu for Elementor | jet-menu
JetPopup | jet-popup
JetProductGallery | jet-woo-product-gallery
JetReviews for Elementor | jet-reviews
JetSearch | jet-search
JetSmartFilters for Elementor | jet-smart-filters
JetTabs for Elementor | jet-tabs
JetThemeCore for Elementor | jet-theme-core
JetTricks for Elementor | jet-tricks
JetWooBuilder for Elementor | jet-woo-builder
KP Fastest Tawk.to Chat | kp-fastest-tawk-to-chat
LadiApp: Landing Page, PopupX, Marketing Automation, Affiliate Marketing… | ladipage
List all posts by Authors, nested Categories and Titles | list-all-posts-by-authors-nested-categories-and-titles
MSync | msync
Media File Renamer: Rename Files (Manual, Auto & AI) | media-file-renamer
MkRapel Regiones y Ciudades de Chile para WC | wc-ciudades-y-regiones-de-chile
Mollie Payments for WooCommerce | mollie-payments-for-woocommerce
Multiple Post Passwords | multiple-post-passwords
MyTube PlayList | mytube
Nested Pages | wp-nested-pages
NextScripts: Social Networks Auto-Poster | social-networks-auto-poster-facebook-twitter-g
Ocean Extra | ocean-extra
Page Builder: Pagelayer – Drag and Drop website builder | pagelayer
Parallax Slider Block | parallax-slider-block
Participants Database | participants-database
Perfect Images (Manage Image Sizes, Thumbnails, Replace, Retina) | wp-retina-2x
PowerPack Pro for Elementor | powerpack-elements
Prevent Landscape Rotation | prevent-landscape-rotation
Product Size Chart For WooCommerce | product-size-chart-for-woo
Qode Essential Addons | qode-essential-addons
Quotes for WooCommerce | quotes-for-woocommerce
Razorpay for WooCommerce | woo-razorpay
RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login | custom-registration-form-builder-with-submission-manager
Related Post | related-post
Responsive Lightbox & Gallery | responsive-lightbox
SchedulePress – Best Editorial Calendar, Missed Schedule & Auto Social Share | wp-scheduled-posts
Seraphinite Accelerator | seraphinite-accelerator
Sign In Scheduling Online Appointment Booking System | 10to8-online-booking
Simple Long Form | simple-long-form
Site Offline Or Coming Soon Or Maintenance Mode | site-offline
SiteOrigin Widgets Bundle | so-widgets-bundle
Social Share Buttons & Analytics Plugin – GetSocial.io | wp-share-buttons-analytics-by-getsocial
SoundCloud Shortcode | soundcloud-shortcode
SpeedyCache – Cache, Optimization, Performance | speedycache
Spiffy Calendar | spiffy-calendar
Swift Performance Lite | swift-performance-lite
Track Geolocation Of Users Using Contact Form 7 | track-geolocation-of-users-using-contact-form-7
UPS, Mondial Relay & Chronopost for WooCommerce – WCMultiShipping | wc-multishipping
WP Catalogue | wp-catalogue
WP CleanFix | wp-cleanfix
WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce | wp-event-manager
WP Forms Puzzle Captcha | wp-forms-puzzle-captcha
WP Pocket URLs | wp-pocket-urls
WP Shortcodes Plugin — Shortcodes Ultimate | shortcodes-ultimate
WordPress Brute Force Protection – Stop Brute Force Attacks | guardgiant
YASR – Yet Another Star Rating Plugin for WordPress | yet-another-stars-rating
affiliate-toolkit – WordPress Affiliate Plugin | affiliate-toolkit-starter
canvasio3D Light | canvasio3d-light
teachPress | teachpress
which template file | which-template-file

WordPress Themes with Reported Vulnerabilities Last Week

Software Name | Software Slug
adifier | adifier
restricted-site-access | restricted-site-access

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should've already been notified if your site was affected by any of these vulnerabilities. If you'd like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.
HUSKY – Products Filter for WooCommerce (formerly WOOF) <= 1.3.4.2 – Unauthenticated SQL Injection via search terms
Affected Software: HUSKY – Products Filter for WooCommerce Professional
CVE ID: CVE-2023-40010
CVSS Score: 9.8 (Critical)
Researcher/s: Nguyen Anh Tien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b905b8ec-d13d-4455-9c5f-61aaa09d75ba

JetEngine <= 3.2.4 – Authenticated (Contributor+) Privilege Escalation
Affected Software: JetEngine
CVE ID: CVE-2023-48757
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ad66015d-7831-4590-9583-3abf7ca43c3b

CommentLuv <= 3.0.4 – Server Side Request Forgery via do_click
Affected Software: CommentLuv
CVE ID: CVE-2023-49159
CVSS Score: 8.2 (High)
Researcher/s: Yuchen Ji
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/eeef2a59-47a1-4d8d-b815-8c74cc608e6c

Backup Migration <= 1.3.6 – Unauthenticated Arbitrary File Download to Sensitive Information Exposure
Affected Software: Backup Migration
CVE ID: CVE-2023-6266
CVSS Score: 7.5 (High)
Researcher/s: Rafshanzani Suhada
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/08801f53-3c57-41a3-a637-4b52637cc612

CF7 Google Sheets Connector <= 5.0.5 – Unauthenticated Sensitive Information Exposure via Debug Log
Affected Software: CF7 Google Sheets Connector
CVE ID: CVE-2023-44989
CVSS Score: 7.5 (High)
Researcher/s: Joshua Chan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fad510b7-85f4-4cae-aaf0-eb68a32cf1b4

Multiple Plugins by Crocoblock <= (Various Versions) – Missing Authorization to Unauthenticated Unauthorized Action
Affected Software/s: JetTabs for Elementor, JetBlog for Elementor, JetThemeCore for Elementor, JetCompareWishlist for Elementor, JetElements, JetWooBuilder for Elementor, JetReviews for Elementor, JetTricks for Elementor, JetMenu for Elementor, JetBlocks for Elementor, JetProductGallery, JetSmartFilters for Elementor
CVE ID: CVE-2023-48760
CVSS Score: 7.3 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7addc83b-cde5-4f91-b286-70db6f384a9f

MSync <= 1.0.0 – Authenticated (Administrator+) SQL Injection
Affected Software: MSync
CVE ID: CVE-2023-49166
CVSS Score: 7.2 (High)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1f37ed0e-3e03-4f00-9967-16047beab1cf

Mollie Payments for WooCommerce <= 7.3.11 – Authenticated (Shop Manager+) Arbitrary File Upload
Affected Software: Mollie Payments for WooCommerce
CVE ID: CVE-2023-6090
CVSS Score: 7.2 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5d350095-125a-4445-89c1-bce437e4098c

BookingPress <= 1.0.76 – Authenticated (Administrator+) Arbitrary File Upload
Affected Software: BookingPress – Appointment Booking Calendar Plugin and Online Scheduling Plugin
CVE ID: CVE-2023-6219
CVSS Score: 7.2 (High)
Researcher/s: István Márton
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/710b8e4e-01de-4e99-8cf2-31abc2419b29

JetEngine <= 3.2.4 – Missing Authorization
Affected Software: JetEngine
CVE ID: CVE-2023-48758
CVSS Score: 7.1 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3f2c97f4-0a6e-4693-a6c8-bd81ca76988c

WP Cleanfix <= 5.5.0 – Missing Authorization via register
Affected Software: WP CleanFix
CVE ID: CVE-2023-48775
CVSS Score: 7.1 (High)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/57896fa8-9360-41e8-a60e-8b95d01c25ac

WordPress Brute Force Protection – Stop Brute Force Attacks <= 2.2.5 – Authenticated (Administrator+) SQL Injection via orderby
Affected Software: WordPress Brute Force Protection – Stop Brute Force Attacks
CVE ID: CVE-2023-48764
CVSS Score: 6.6 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0d3f7676-5ab0-4fe0-a0be-786f4cf84056

Contact Form 7 <= 5.8.3 – Authenticated (Editor+) Arbitrary File Upload
Affected Software: Contact Form 7
CVE ID: CVE-2023-6449
CVSS Score: 6.6 (Medium)
Researcher/s: István Márton
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5d7fb020-6acb-445e-a46b-bdb5aaf8f2b6

Bravo Translate <= 1.2 – Authenticated (Administrator+) SQL Injection
Affected Software: Bravo Translate
CVE ID: CVE-2023-49161
CVSS Score: 6.6 (Medium)
Researcher/s: Arvandy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f256518c-9a3e-4e6e-8d49-d309e397c14d

Chat Bubble <= 2.3 – Cross-Site Request Forgery via cbb_submit_settings_data
Affected Software: Chat Bubble – Floating Chat with Contact Chat Icons, Messages, Telegram, Email, SMS, Call me back
CVE ID: CVE-2023-48769
CVSS Score: 6.5 (Medium)
Researcher/s: Vladislav Pokrovsky (ΞX.MI)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/206261fa-58b6-4407-b8e1-2315836b6c88

Prevent Landscape Rotation <= 2.0 – Cross-Site Request Forgery via adminpage.php
Affected Software: Prevent Landscape Rotation
CVE ID: CVE-2023-48772
CVSS Score: 6.5 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4235f279-0975-4814-b156-b45b011e3ce6

Database for CF7 <= 1.2.4 – Missing Authorization via wpcf7db_delete AJAX action
Affected Software: Database for CF7
CVE ID: CVE-2023-49167
CVSS Score: 6.5 (Medium)
Researcher/s: Vladislav Pokrovsky (ΞX.MI)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4fcaab95-7940-45f9-a3c2-c3b0dc540b61

MkRapel Regiones y Ciudades de Chile para WC <= 4.3.0 – Cross-Site Request Forgery via multiple functions
Affected Software: MkRapel Regiones y Ciudades de Chile para WC
CVE ID: CVE-2023-48781
CVSS Score: 6.5 (Medium)
Researcher/s: qilin_99
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/70bac5e0-8182-426c-94da-e6832af8c487

Product Size Chart For WooCommerce <= 1.1.5 – Cross-Site Request Forgery via get_save_option
Affected Software: Product Size Chart For WooCommerce
CVE ID: CVE-2023-48778
CVSS Score: 6.5 (Medium)
Researcher/s: qilin_99
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7e15f804-f5a9-4e29-8aeb-4ba2b116dc46

Guest Author <= 2.3 – Authenticated Stored Cross-Site Scripting
Affected Software: Guest Author
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0b7d7b64-8194-4b81-83f5-1f3b23109455

Powr Pack <= 2.1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Affected Software: Contact Form – Custom Builder, Payment Form, and More
CVE ID: CVE-2023-45609
CVSS Score: 6.4 (Medium)
Researcher/s: resecured.io
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0e67ce3b-144f-4ce1-b658-47d865312c6a

Responsive Lightbox <= 2.4.5 – Authenticated (Author+) Stored Cross-Site Scripting via name
Affected Software: Responsive Lightbox & Gallery
CVE ID: CVE-2023-49174
CVSS Score: 6.4 (Medium)
Researcher/s: emad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4b60c1e2-5a4b-4a7a-8224-f1afd3888e08

12 Step Meeting List <= 3.14.24 – Authenticated (Contributor+) Server-Side Request Forgery
Affected Software: 12 Step Meeting List
CVE ID: CVE-2023-46641
CVSS Score: 6.4 (Medium)
Researcher/s: Shahzaib Ali Khan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4d6e9cb0-6b90-4a5b-8626-0b3f378fbc92

WP Shortcodes Plugin — Shortcodes Ultimate <= 5.13.3 – Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: WP Shortcodes Plugin — Shortcodes Ultimate
CVE ID: CVE-2023-6225
CVSS Score: 6.4 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/558e36f6-4678-46a2-8154-42770fbb5574

WP Catalogue <= 1.7.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Affected Software: WP Catalogue
CVE ID: CVE-2023-48780
CVSS Score: 6.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5684d4b7-8a3e-47ee-9d7b-195cb5db9a66

Ads by datafeedr.com <= 1.2.0 – Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: Ads by datafeedr.com
CVE ID: CVE-2023-49169
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/61c71bbf-ddae-4f35-ac8d-9753fb3fb67f

Event post <= 5.8.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Affected Software: Event post
CVE ID: CVE-2023-49179
CVSS Score: 6.4 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6a92b96b-ecbc-4414-8e42-04b5c3a02131

Formzu WP <= 1.6.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via id
Affected Software: Formzu WP
CVE ID: CVE-2023-49160
CVSS Score: 6.4 (Medium)
Researcher/s: resecured.io
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7ee73abf-0ab8-48ab-bd94-18ed66f877fd

Accelerated Mobile Pages <= 1.0.88.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Affected Software: AMP for WP – Accelerated Mobile Pages
CVE ID: CVE-2023-48321
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/983e8ec0-fec4-4420-8ef6-6bf43881f5f1

Currency Converter Calculator <= 1.3.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Affected Software: Currency Converter Calculator
CVE ID: CVE-2023-49149
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9a423266-89e1-422d-b1e3-6368051eb2fe

10to8 Online Appointment Booking System <= 1.0.9 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Affected Software: Sign In Scheduling Online Appointment Booking System
CVE ID: CVE-2023-49173
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9fbb5ed0-ed76-44fe-88c4-eb05ad87e510

BP Better Messages <= 2.4.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Affected Software: Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss
CVE ID: CVE-2023-49168
CVSS Score: 6.4 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a4ccc7f8-c8e0-457a-b437-2a23530a9df4

Email Address Encoder 1.0.22 – Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: Email Address Encoder
CVE ID: CVE-2023-48765
CVSS Score: 6.4 (Medium)
Researcher/s: LVT-tholv2k
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ab5b7dc4-113d-4f58-956e-2a9284e1e25e

Parallax Slider Block <= 1.2.4 – Authenticated (Author+) Stored Cross-Site Scripting
Affected Software: Parallax Slider Block
CVE ID: CVE-2023-49184
CVSS Score: 6.4 (Medium)
Researcher/s: emad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ae3974e6-cba1-4976-a6af-9e60557cfde8

Credit Tracker <= 1.1.17 – Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: Credit Tracker
CVE ID: CVE-2023-49152
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b611f3ba-ac36-49fc-a75f-10003c5ca955

Crypto Converter Widget <= 1.8.1 – Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: Crypto Converter ⚑ Widget
CVE ID: CVE-2023-49150
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d621869c-31f7-4243-9815-f6d1bbe469e2

Aparat <= 1.7.1 – Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: Aparat
CVE ID: CVE-2023-48770
CVSS Score: 6.4 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e6d14dd6-ff1c-475b-8cff-efc7736124b4

Related Post <= 2.0.53 – Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: Related Post
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f08ca5e3-8b48-4333-9c42-cc103d40394c

Spiffy Calendar <= 4.9.5 – Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: Spiffy Calendar
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f433edb4-a8df-4548-a401-0089b605bbe5

Multiple Plugins by Crocoblock <= (Various Versions) – Missing Authorization
Affected Software/s: JetSearch, JetTabs for Elementor, JetBlog for Elementor, JetThemeCore for Elementor, JetCompareWishlist for Elementor, JetElements, JetPopup, JetWooBuilder for Elementor, JetReviews for Elementor, JetEngine, JetTricks for Elementor, JetMenu for Elementor, JetBlocks for Elementor, JetProductGallery, JetSmartFilters for Elementor
CVE ID: CVE-2023-48761
CVSS Score: 6.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/893500ba-cc16-4429-bbe1-725aa65589c9

File Gallery <= 1.8.5.4 – Reflected Cross-Site Scripting via post_id
Affected Software: File Gallery
CVE ID: CVE-2023-48771
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0b51caf3-eff4-491f-b354-7d8939548a64

affiliate-toolkit – WordPress Affiliate Plugin <= 3.4.3 – Reflected Cross-Site Scripting via keyword
Affected Software: affiliate-toolkit – WordPress Affiliate Plugin
CVE ID: CVE-2023-46086
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0f45738b-fff6-438e-8870-508c622c1752

NextScripts <= 4.4.2 – Reflected Cross-Site Scripting via code
Affected Software: NextScripts: Social Networks Auto-Poster
CVE ID: CVE-2023-49183
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/15f00b65-8304-4132-a2cf-8145444ecfb1

Adifier (Premium Theme) < 3.1.4 – Reflected Cross-Site Scripting
Affected Software: adifier
CVE ID: CVE-2023-49187
CVSS Score: 6.1 (Medium)
Researcher/s: Vladislav Pokrovsky (ΞX.MI)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2250d512-dfe0-47d3-a61f-4e501d105f30

JetBlocks For Elementor <= 1.3.8 – Reflected Cross Site Scripting
Affected Software: JetBlocks for Elementor
CVE ID: CVE-2023-48756
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2614ca26-6efc-49f5-8cee-5b078721acc1

WP Forms Puzzle Captcha <= 4.1 – Cross-Site Request Forgery to Cross-Site Scripting
Affected Software: WP Forms Puzzle Captcha
CVE ID: CVE-2023-48278
CVSS Score: 6.1 (Medium)
Researcher/s: qilin_99
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2f34854a-5ca1-48a3-81d5-80f80f3a85fc

PowerPack Pro for Elementor <= 2.9.23 – Reflected Cross-Site Scripting
Affected Software: PowerPack Pro for Elementor
CVE ID: CVE-2023-49739
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2feabc97-0463-4e50-91a8-234445ca2504

MyTube PlayList <= 2.0.3 – Reflected Cross-Site Scripting via addplaylistid
Affected Software: MyTube PlayList
CVE ID: CVE-2023-48767
CVSS Score: 6.1 (Medium)
Researcher/s: Abu Hurayra (HurayraIIT)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/523cfed4-0422-40f3-8d81-d7862bcb1792

Seraphinite Accelerator <= 2.20.28 – Reflected Cross-Site Scripting via rt
Affected Software: Seraphinite Accelerator
CVE ID: CVE-2023-49740
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/53356d15-8db0-4015-addf-9bf66446e81f

List all posts by Authors, nested Categories and Title <= 2.7.10 – Cross-Site Scripting
Affected Software: List all posts by Authors, nested Categories and Titles
CVE ID: CVE-2023-49182
CVSS Score: 6.1 (Medium)
Researcher/s: Skalucy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6b84df5b-ff93-43b3-b9e4-cf963cf2af10

BrainCert – HTML5 Virtual Classroom <= 1.30 – Reflected Cross-Site Scripting
Affected Software: BrainCert – HTML5 Virtual Classroom
CVE ID: CVE-2023-49172
CVSS Score: 6.1 (Medium)
Researcher/s: Abu Hurayra (HurayraIIT)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/76b3b5b7-fefe-44fb-a30e-c55226d4aaea

HDW Player Plugin (Video Player & Video Gallery) <= 5.0 – Cross-Site Scripting
Affected Software: HDW Player Plugin (Video Player & Video Gallery)
CVE ID: CVE-2023-49178
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/778aa2be-ffcb-4d28-9efe-c29c8d5391bd

Forms by CaptainForm <= 2.5.3 – Reflected Cross-Site Scripting via REQUEST_URI
Affected Software: Forms by CaptainForm – Form Builder for WordPress
CVE ID: CVE-2023-49170
CVSS Score: 6.1 (Medium)
Researcher/s: Abu Hurayra (HurayraIIT)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7f690ea9-b773-49d4-9fa4-2a8bb7593d62

WP Pocket URLs <= 1.0.2 – Reflected Cross-Site Scripting
Affected Software: WP Pocket URLs
CVE ID: CVE-2023-49176
CVSS Score: 6.1 (Medium)
Researcher/s: SeungYongLee
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8a22873f-6f09-4183-92c5-a84e0d378920

Campaign Monitor for WordPress <= 2.8.12 – Reflected Cross-Site Scripting
Affected Software: Campaign Monitor for WordPress
CVE ID: CVE-2023-38474
CVSS Score: 6.1 (Medium)
Researcher/s: Phd
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a4d7cab5-1641-4ed3-92c7-ad7594dcb74b

which template file <= 4.9.0 – Unauthenticated Cross-Site Scripting
Affected Software: which template file
CVE ID: CVE-2023-49177
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/be3208c8-aceb-4ac9-91e1-d5de5a85f74d

Doofinder for WooCommerce <= 2.1.4 – Reflected Cross-Site Scripting
Affected Software: Doofinder WP & WooCommerce Search
CVE ID: CVE-2023-49185
CVSS Score: 6.1 (Medium)
Researcher/s: Phd
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e46a2031-e304-43fb-85bf-ec9abf0b2f90

Innovs HR <= 1.0.3.4 – Reflected Cross-Site Scripting
Affected Software: Innovs HR – Complete Human Resource Management System for Your Business
CVE ID: CVE-2023-49171
CVSS Score: 6.1 (Medium)
Researcher/s: SeungYongLee
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f43b5c02-fb10-48f1-9457-f67c5008fe5b

Happyforms <= 1.25.9 – Reflected Cross-Site Scripting
Affected Software: Form builder to get in touch with visitors, grow your email list and collect payments — Happyforms
CVE ID: CVE-2023-48752
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ff986a66-93f7-4926-8818-7af745c0166c

SiteOrigin Widgets Bundle < 1.51.0 – Authenticated (Admin+) Local File Inclusion
Affected Software: SiteOrigin Widgets Bundle
CVE ID: CVE-2023-6295
CVSS Score: 5.9 (Medium)
Researcher/s: Sebastian Neef
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1dbdc673-b0ee-4d1d-8cd9-603056f41cda

Automatic Youtube Video Posts Plugin <= 5.2.2 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Affected Software: Automatic Youtube Video Posts Plugin
CVE ID: CVE-2023-49180
CVSS Score: 5.5 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6a595b3c-2b21-43fe-8d4e-6721f4541c9b

Client Dash <= 2.2.1 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Affected Software: Client Dash
CVE ID: CVE-2023-49165
CVSS Score: 5.5 (Medium)
Researcher/s: emad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7f8839cf-9e48-4981-8a0d-bb0c06cdf441

WP Event Manager <= 3.1.39 – Authenticated (Editor+) Stored Cross-Site Scripting
Affected Software: WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce
CVE ID: CVE-2023-49181
CVSS Score: 5.5 (Medium)
Researcher/s: emad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f25b2a4b-d863-4f24-ae67-4c8e41602c6f

Download canvasio3D Light <= 2.4.6 – Missing Authorization
Affected Software: canvasio3D Light
CVE ID: CVE-2023-48776
CVSS Score: 5.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/11795557-74c0-469a-9751-adc759f9214b

Export WP Page to Static HTML/CSS <= 2.1.9 – Missing Authorization via Multiple AJAX Actions
Affected Software: Export WP Page to Static HTML/CSS
CVE ID: CVE-2023-6369
CVSS Score: 5.4 (Medium)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/47cb48aa-b556-4f25-ac68-ff0a812972c1

Abandoned Cart Lite for WooCommerce <= 5.16.1 – Missing Authorization via multiple AJAX functions
Affected Software: Abandoned Cart Lite for WooCommerce
CVE ID: CVE-2023-41671
CVSS Score: 5.4 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/51cfe955-f854-4f88-a009-93f92ae13d86
Chronopost & Mondial relay pour WooCommerce – WCMultiShipping <= 2.3.7 – Incorrect Authorization Affected Software : UPS, Mondial Relay & Chronopost for WooCommerce – WCMultiShipping CVE ID : CVE Unknown CVSS Score : 5.3 (Medium) Researcher/s : Unknown Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/16a3469d-6264-4ed7-b6ae-fdd7a80c8ca5 Abandoned Cart Lite for WooCommerce <= 5.16.1 – Cross-Site Request Forgery Affected Software : Abandoned Cart Lite for WooCommerce CVE ID : CVE Unknown CVSS Score : 5.3 (Medium) Researcher/s : Unknown Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1ce1316b-674a-4436-968f-9ffca4e8f726 Social Pug <= 1.20.3 – Missing Authorization via multiple admin_init actions Affected Software : Hubbub Lite (formerly Grow Social) CVE ID : CVE-2023-49193 CVSS Score : 5.3 (Medium) Researcher/s : Abdi Pranata Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/22b17fcb-0c97-462d-b67c-6da2919478d5 Enhanced Text Widget <= 1.6.2 – Missing Authorization via etw_hide_admin_notification_callback Affected Software : Enhanced Text Widget CVE ID : CVE-2023-49192 CVSS Score : 5.3 (Medium) Researcher/s : Abdi Pranata Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/25122475-fc2c-4a8c-90d3-f4a85fb3a8cc 360 Javascript Viewer <= 1.7.11 – Missing Authorization Affected Software : 360 Javascript Viewer CVE ID : CVE-2023-48779 CVSS Score : 5.3 (Medium) Researcher/s : Abdi Pranata Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/25a8169d-1057-4cf2-9048-fb85f62d6ead Yet Another Stars Rating <= 3.4.3 – Missing Authorization via init Affected Software : YASR – Yet Another Star Rating Plugin for WordPress CVE ID : CVE-2023-39305 CVSS Score : 5.3 (Medium) Researcher/s : Revan Arifio Patch Status : Patched Vulnerability 
Details: https://wordfence.com/threat-intel/vulnerabilities/id/395b016f-018c-458d-a585-34f3de3eae5c PageLayer <= 1.7.7 – Cross-Site Request Forgery via pagelayer_load_plugin Affected Software : Page Builder: Pagelayer – Drag and Drop website builder CVE ID : CVE Unknown CVSS Score : 5.3 (Medium) Researcher/s : Unknown Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3a0c8ecc-f0a1-41fa-a5f7-2d65d610efc0 Participants Database <= 2.5.5 – Missing Authorization Affected Software : Participants Database CVE ID : CVE-2023-48751 CVSS Score : 5.3 (Medium) Researcher/s : Yudistira Arya Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3cd2b2ba-c4ec-4799-91b4-b38c462baee4 WP Retina 2x <= 6.4.5 – Sensitive Information Exposure Affected Software : Perfect Images (Manage Image Sizes, Thumbnails, Replace, Retina) CVE ID : CVE-2023-44982 CVSS Score : 5.3 (Medium) Researcher/s : Joshua Chan Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/52c2aae5-17c2-45eb-b55f-bb27555fb1f7 WP Forms Puzzle Captcha <= 4.1 – Captcha Bypass Affected Software : WP Forms Puzzle Captcha CVE ID : CVE-2023-48276 CVSS Score : 5.3 (Medium) Researcher/s : qilin_99 Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/58502e48-c1cf-4b94-954c-71046256c917 Media File Renamer <= 5.6.9 – Sensitive Information Exposure via Log File Affected Software : Media File Renamer: Rename Files (Manual, Auto & AI) CVE ID : CVE-2023-44991 CVSS Score : 5.3 (Medium) Researcher/s : Joshua Chan Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/71e55161-f5ad-44e5-8a61-ce48c05e6dba Aruba HiSpeed Cache <= 2.0.6 – Sensitive Information Exposure via Log File Affected Software : Aruba HiSpeed Cache CVE ID : CVE-2023-44983 CVSS Score : 5.3 (Medium) Researcher/s : Joshua Chan Patch Status : 
Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7391dd8c-0170-48c6-8451-9e7a00e268d0 Button Generator – easily Button Builder <= 2.3.8 – Missing Authorization Affected Software : Button Generator – easily Button Builder CVE ID : CVE-2023-49154 CVSS Score : 5.3 (Medium) Researcher/s : Elliot Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/73dd286e-5338-42d2-9928-1e14150ccf56 Restricted Site Access <= 7.4.1 – IP Spoofing to Protection Mechanism Bypass Affected Software : restricted-site-access CVE ID : CVE-2023-48753 CVSS Score : 5.3 (Medium) Researcher/s : Mika Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/804169d3-a53a-42ba-821d-e9647ac075c4 Importify <= 1.0.4 – Unauthenticated Sensitive Information Exposure Affected Software : Importify – Dropshipping WooCommerce Plugin for Aliexpress, Amazon, Etsy, Alibaba, Walmart & More CVE ID : CVE-2023-49194 CVSS Score : 5.3 (Medium) Researcher/s : Mika Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/830ff660-0265-46e5-8d16-ecd03cdf9f52 Swift Performance Lite <= 2.3.6.14 – Missing Authorization to Unauthenticated Settings Export Affected Software : Swift Performance Lite CVE ID : CVE-2023-6289 CVSS Score : 5.3 (Medium) Researcher/s : Krzysztof ZajΔ…c Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8321f68f-da2d-4382-979d-54008de2cae7 Gift Up 2.21.3 – Cross-Site Request Forgery via consume_post Affected Software : Gift Up Gift Cards for WordPress and WooCommerce CVE ID : CVE Unknown CVSS Score : 5.3 (Medium) Researcher/s : Unknown Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/95abec2d-a03a-4b07-8890-18568650c41f teachPress <= 9.0.4 – Cross-Site Request Forgery Affected Software : teachPress CVE ID : CVE-2023-48755 CVSS 
Score : 5.3 (Medium) Researcher/s : LVT-tholv2k Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9956e04c-ff59-40c0-a8ab-3e2ed2c52d7f Coming soon and Maintenance mode <= 3.7.3 – IP Address Spoofing via get_real_ip Affected Software : Coming soon and Maintenance mode CVE ID : CVE-2023-49741 CVSS Score : 5.3 (Medium) Researcher/s : Mika Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9fd9c076-d36c-4cda-b636-aa65195956d2 JetElements For Elementor <= 2.6.13 – Missing Authorization to Unauthenticated Arbitrary Attachment Download Affected Software : JetElements CVE ID : CVE-2023-48759 CVSS Score : 5.3 (Medium) Researcher/s : Rafie Muhammad Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d199e597-64ed-4dcc-a153-b5c8e4e9e93d BigCommerce <= 5.0.6 – Unauthenticated Sensitive Information Exposure Affected Software : BigCommerce For WordPress CVE ID : CVE-2023-49162 CVSS Score : 5.3 (Medium) Researcher/s : Joshua Chan Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e3a7e0b6-dc6d-4e3a-bb05-12d6ace330df JetFormBuilder <= 3.1.4 – Unauthenticated Content Injection Affected Software : JetFormBuilder β€” Dynamic Blocks Form Builder CVE ID : CVE-2023-48763 CVSS Score : 5.3 (Medium) Researcher/s : Revan Arifio Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f0343861-a376-43ea-826e-277c2a5ea635 Antispam Bee <= 2.11.3 – IP Address Spoofing via get_client_ip Affected Software : Antispam Bee CVE ID : CVE-2023-41134 CVSS Score : 5.3 (Medium) Researcher/s : Mika Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fb102891-b4a8-4089-b70c-43866ad85b7b KP Fastest Tawk.to Chat <= 1.1.1 – Authenticated (Administrator+) Stored Cross-Site Scripting Affected Software : KP Fastest Tawk.to Chat 
CVE ID : CVE-2023-49175 CVSS Score : 4.4 (Medium) Researcher/s : emad Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/02ddfc75-8a9e-4a8e-8339-52348a963c69 GDPR Cookie Consent by Supsystic <= 2.1.2 – Authenticated (Administrator+) Stored Cross-Site Scripting Affected Software : GDPR Cookie Consent by Supsystic CVE ID : CVE-2023-49191 CVSS Score : 4.4 (Medium) Researcher/s : DoYeon Park (p6rkdoye0n) Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/158a63c1-1b2e-4fbf-ac86-43471ba8ebc2 Molongui <= 4.6.19 – Authenticated (Administrator+) Stored Cross-Site Scripting Affected Software : Author Box, Guest Author and Co-Authors for Your Posts – Molongui CVE ID : CVE-2023-39921 CVSS Score : 4.4 (Medium) Researcher/s : Abdullah Hussam Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/16130c5d-9865-4953-b078-0b448722e36d Chart Builder <= 1.9.6 – Authenticated (Admin+) Stored Cross-Site Scripting Affected Software : Chartify – WordPress Chart Plugin CVE ID : CVE Unknown CVSS Score : 4.4 (Medium) Researcher/s : Unknown Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/18cbf346-91a3-4856-930e-7753eb1470d9 SoundCloud Shortcode <= 3.1.0 – Authenticated (Administrator+) Stored Cross-Site Scripting Affected Software : SoundCloud Shortcode CVE ID : CVE-2023-34018 CVSS Score : 4.4 (Medium) Researcher/s : yuyudhn Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5084afcc-b6fc-4d89-9ad7-c4ea3e4dae82 Social Share Buttons & Analytics Plugin – GetSocial.io <= 4.3.12 – Authenticated (Administrator+) Stored Cross-Site Scripting Affected Software : Social Share Buttons & Analytics Plugin – GetSocial.io CVE ID : CVE-2023-49189 CVSS Score : 4.4 (Medium) Researcher/s : DoYeon Park (p6rkdoye0n) Patch Status : Unpatched Vulnerability Details: 
https://wordfence.com/threat-intel/vulnerabilities/id/513124f6-ea14-46ca-94c5-f9fa15b19d8c Simple Long Form <= 2.2.2 – Authenticated (Administrator+) Stored Cross-Site Scripting Affected Software : Simple Long Form CVE ID : CVE-2023-41136 CVSS Score : 4.4 (Medium) Researcher/s : DoYeon Park (p6rkdoye0n) Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/68c22e71-c704-44c1-86e6-856f6244393d Track Geolocation Of Users Using Contact Form 7 <= 1.4 – Authenticated (Administrator+) Stored Cross-Site Scripting Affected Software : Track Geolocation Of Users Using Contact Form 7 CVE ID : CVE-2023-49188 CVSS Score : 4.4 (Medium) Researcher/s : DoYeon Park (p6rkdoye0n) Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/724d8f79-f683-4b06-841d-a9104c87f3c6 BSK Forms Blacklist <= 3.6.3 – Authenticated (Admin+) Stored Cross-Site Scripting Affected Software : BSK Forms Blacklist CVE ID : CVE-2023-5980 CVSS Score : 4.4 (Medium) Researcher/s : Bob Matyas Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8283a502-6fb8-43ff-8f46-8afbfdbb22f7 Multiple Post Passwords <= 1.1.1 – Authenticated (Administrator+) Stored Cross-Site Scripting Affected Software : Multiple Post Passwords CVE ID : CVE-2023-49157 CVSS Score : 4.4 (Medium) Researcher/s : DoYeon Park (p6rkdoye0n) Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8f220293-9789-4824-b736-ead014c45366 Site Offline <= 1.5.6 – Authenticated (Administrator+) Stored Cross-Site Scripting Affected Software : Site Offline Or Coming Soon Or Maintenance Mode CVE ID : CVE-2023-49190 CVSS Score : 4.4 (Medium) Researcher/s : emad Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/96f30a22-f218-48e7-9796-b9f1d5becc2c Evergreen Content Poster <= 1.3.6.1 – Authenticated (Administrator+) Stored 
Cross-Site Scripting Affected Software : Evergreen Content Poster – Auto Post and Schedule Your Best Content to Social Media CVE ID : CVE-2023-41127 CVSS Score : 4.4 (Medium) Researcher/s : DoYeon Park (p6rkdoye0n) Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d7b67c83-7fb7-4bac-a8eb-7fc318f2ff50 Nested Pages <= 3.2.6 – Authenticated (Administrator+) Stored Cross-Site Scripting Affected Software : Nested Pages CVE ID : CVE-2023-49195 CVSS Score : 4.4 (Medium) Researcher/s : emad Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ec9029a3-be05-469a-a8e2-20987a4a4ad9 Multiple Plugins by Crocoblock <= (Various Versions) – Cross-Site Request Forgery Affected Software/s : JetSearch, JetTabs for Elementor, JetBlog for Elementor, JetThemeCore for Elementor, JetCompareWishlist for Elementor, JetElements, JetPopup, JetWooBuilder for Elementor, JetReviews for Elementor, JetEngine, JetTricks for Elementor, JetMenu for Elementor, JetBlocks for Elementor, JetProductGallery, JetSmartFilters for Elementor CVE ID : CVE-2023-48762 CVSS Score : 4.3 (Medium) Researcher/s : Rafie Muhammad Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1c85e5e0-d8ee-46d3-99b1-df6c6744f020 teachPress <= 9.0.5 – Cross-Site Request Forgery via delete_database() Affected Software : teachPress CVE ID : CVE-2023-49163 CVSS Score : 4.3 (Medium) Researcher/s : LVT-tholv2k Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3544357f-97c9-49cb-a48d-74b60480111d Qode Essential Addons <= 1.5.2 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation/Activation Affected Software : Qode Essential Addons CVE ID : CVE-2023-47840 CVSS Score : 4.3 (Medium) Researcher/s : Brandon James Roldan (tomorrowisnew) Patch Status : Patched Vulnerability Details: 
https://wordfence.com/threat-intel/vulnerabilities/id/443c59b9-275d-4d17-a870-9ae013c1a5c1 WP Shortcodes Plugin β€” Shortcodes Ultimate <= 5.13.3 – Insecure Direct Object Reference to Information Disclosure Affected Software : WP Shortcodes Plugin β€” Shortcodes Ultimate CVE ID : CVE-2023-6226 CVSS Score : 4.3 (Medium) Researcher/s : Francesco Carlucci Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4d936a48-b300-4a41-8d28-ba34cb3c5cb7 IdeaPush <= 8.53 – Missing Authorization Affected Software : IdeaPush CVE ID : CVE-2023-48774 CVSS Score : 4.3 (Medium) Researcher/s : Abdi Pranata Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5811fc63-da34-43cb-ae33-a34a8795bb72 Quotes for WooCommerce <= 2.0.1 – Missing Authorization Affected Software : Quotes for WooCommerce CVE ID : CVE Unknown CVSS Score : 4.3 (Medium) Researcher/s : Unknown Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5f7a5d4b-8ba2-45d8-92d4-3c66a81fb4f8 Quotes for WooCommerce <= 2.0.1 – Cross-Site Request Forgery Affected Software : Quotes for WooCommerce CVE ID : CVE Unknown CVSS Score : 4.3 (Medium) Researcher/s : Unknown Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6954364e-567c-407c-afc6-983b7257cc88 RegistrationMagic <= 5.2.2.6 – Cross-Site Request Forgery Affected Software : RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login CVE ID : CVE-2023-47645 CVSS Score : 4.3 (Medium) Researcher/s : thiennv Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7dcde10d-4eb7-42fe-926e-05e56affc521 Debug Log Manager <= 2.2.0 – Cross-Site Request Forgery Affected Software : Debug Log Manager CVE ID : CVE-2023-5772 CVSS Score : 4.3 (Medium) Researcher/s : Dmitrii Ignatyev Patch Status : Patched Vulnerability Details: 
https://wordfence.com/threat-intel/vulnerabilities/id/7e539549-1125-4b0e-aa3c-c8844041c23a LadiApp <= 4.3 – Missing Authorization Affected Software : LadiApp: Landing Page, PopupX, Marketing Automation, Affiliate Marketing… CVE ID : CVE-2023-49158 CVSS Score : 4.3 (Medium) Researcher/s : Truoc Phan Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8f88ff96-5bd7-448d-a030-e75fd268bff6 Ocean Extra <= 2.2.2 – Cross-Site Request Forgery to Arbitrary Plugin Activation Affected Software : Ocean Extra CVE ID : CVE-2023-49164 CVSS Score : 4.3 (Medium) Researcher/s : Dave Jong Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ac111175-2059-41dc-afa2-a659da3adaca SpeedyCache <= 1.1.2 – Missing Authorization via speedycache_create_test_cache Affected Software : SpeedyCache – Cache, Optimization, Performance CVE ID : CVE Unknown CVSS Score : 4.3 (Medium) Researcher/s : Unknown Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ac7c0dde-5299-4938-beed-eb2fe227a812 Button Generator – easily Button Builder <= 2.3.8 – Cross-Site Request Forgery Affected Software : Button Generator – easily Button Builder CVE ID : CVE-2023-49155 CVSS Score : 4.3 (Medium) Researcher/s : Elliot Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b73467de-fb0c-45e3-b3ae-5158b261907b Add to Cart Text Changer and Customize Button, Add Custom Icon <= 2.0 – Cross-Site Request Forgery via wactc_text_form Affected Software : Add to Cart Text Changer and Customize Button, Add Custom Icon CVE ID : CVE-2023-49153 CVSS Score : 4.3 (Medium) Researcher/s : Skalucy Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c4470c03-64fc-46d9-b224-de5a3149c3d5 GoDaddy Email Marketing <= 1.4.3 – Missing Authorization Affected Software : GoDaddy Email Marketing CVE ID : 
CVE-2023-49156 CVSS Score : 4.3 (Medium) Researcher/s : Abdi Pranata Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c8d9d19e-a080-40e9-8a71-01888393f618 SchedulePress <= 5.0.4 – Insufficient Authorization to Authenticated (Contributor+) Arbitrary Post Modifications Affected Software : SchedulePress – Best Editorial Calendar, Missed Schedule & Auto Social Share CVE ID : CVE Unknown CVSS Score : 4.3 (Medium) Researcher/s : Unknown Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cd2c9b28-d5b5-4930-a441-f889ee2778cd Ecwid Ecommerce Shopping Cart <= 6.12.4 – Cross-Site Request Forgery Affected Software : Ecwid Ecommerce Shopping Cart CVE ID : CVE Unknown CVSS Score : 4.3 (Medium) Researcher/s : Unknown Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/db5d6cc9-24d7-42bf-905e-4c3764c659ed AdFoxly – Ad Manager, AdSense Ads & Ads.txt <= 1.8.5 – Cross-Site Request Forgery Affected Software : AdFoxly – Ad Manager, AdSense Ads & Ads.txt CVE ID : CVE-2023-46617 CVSS Score : 4.3 (Medium) Researcher/s : LVT-tholv2k Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e46513d2-65d0-4215-99a7-051603ec4569 Affiliate Booster – Pros & Cons, Notice, and CTA Blocks for Affiliates <= 3.0.4 – Cross-Site Request Forgery via process_bulk_action Affected Software : Affiliate Booster – Pros & Cons, Notice, and CTA Blocks for Affiliates CVE ID : CVE-2023-49148 CVSS Score : 4.3 (Medium) Researcher/s : LEE SE HYOUNG Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e4b9eeb9-7ce4-446d-8ac0-af9cea0c893a Razorpay for WooCommerce <= 4.5.6 – Cross-Site Request Forgery Affected Software : Razorpay for WooCommerce CVE ID : CVE Unknown CVSS Score : 4.3 (Medium) Researcher/s : Unknown Patch Status : Patched Vulnerability Details: 
https://wordfence.com/threat-intel/vulnerabilities/id/e6a2b2f6-c648-4755-be24-92c7f287813e Delete Post Revisions In WordPress <= 4.6 – Cross-Site Request Forgery Affected Software : Delete Post Revisions In WordPress CVE ID : CVE-2023-48754 CVSS Score : 4.3 (Medium) Researcher/s : Skalucy Patch Status : Unpatched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f1946a48-c1d6-4ca9-909f-0d4b78c25c36 Razorpay for WooCommerce <= 4.5.6 – Missing Authorization Affected Software : Razorpay for WooCommerce CVE ID : CVE Unknown CVSS Score : 4.3 (Medium) Researcher/s : Unknown Patch Status : Patched Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f59cf3d6-06a0-42ec-a604-5f59c6b2be40 As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence. This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can. Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.