Wordfence Intelligence Weekly WordPress Vulnerability Report (September 4, 2023 to September 10, 2023)

Last week, there were 107 vulnerabilities disclosed in 89 WordPress Plugins and 5 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 36 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API and webhook notifications are completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.


New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.


Total Unpatched & Patched Vulnerabilities Last Week

Patch Status Number of Vulnerabilities
Unpatched 44
Patched 63

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating Number of Vulnerabilities
Low Severity 2
Medium Severity 89
High Severity 11
Critical Severity 5

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) 35
Cross-Site Request Forgery (CSRF) 31
Missing Authorization 24
Unrestricted Upload of File with Dangerous Type 3
Authorization Bypass Through User-Controlled Key 2
Deserialization of Untrusted Data 2
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) 2
External Control of File Name or Path 1
Improper Input Validation 1
Server-Side Request Forgery (SSRF) 1
Improper Privilege Management 1
Improper Neutralization of Formula Elements in a CSV File 1
Improper Encoding or Escaping of Output 1
Information Exposure 1
Improper Authorization 1

Researchers That Contributed to WordPress Security Last Week

Researcher Name Number of Vulnerabilities
Rio Darmawan 11
Mika 10
Abdi Pranata 10
Rafshanzani Suhada 7
5
4
Rafie Muhammad 4
LEE SE HYOUNG 3
Le Ngoc Anh 3
NGÔ THIÊN AN 3
Nguyen Xuan Chien 3
Marco Wotschka
(Wordfence Vulnerability Researcher)
2
Revan Arifio 2
Lana Codes
(Wordfence Vulnerability Researcher)
2
Skalucy 2
Elliot 2
FearZzZz 2
2
Pepitoh 1
Shuning Xu 1
deokhunKim 1
DoYeon Park 1
1
Nguyen Anh Tien 1
Debangshu Kundu 1
Arpeet Rathi 1
Ravi Dharmawan 1
Theodoros Malachias 1
Alexander Concha 1
Pedro José Navas Pérez 1
Alex Sanford 1
1
Emili Castells 1
Pavitra Tiwari 1
Alex Concha 1
László Radnai 1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.


WordPress Plugins with Reported Vulnerabilities Last Week

Software Name Software Slug
AcyMailing – Newsletter & mailing automation for WordPress
All in One B2B for WooCommerce
Analytify – Google Analytics Dashboard For WordPress (GA4 made easy)
Auto Amazon Links – Amazon Associates Affiliate Plugin
Automatic YouTube Gallery
Back To The Top Button
BackupBliss – Backup Migration Staging
BitPay Checkout for WooCommerce
Bulk NoIndex & NoFollow Toolkit
CP Blocks
Carousel Slider
Click To Tweet
Contact Form Plugin – Fastest Contact Form Builder Plugin for WordPress by Fluent Forms
Cookie Notice & Consent
Customizable WordPress Gallery Plugin – Modula Image Gallery
Directorist – WordPress Business Directory Plugin with Classified Ads Listings
Duplicate Post Page Menu & Custom Post Type
EWWW Image Optimizer
Easy Form by AYS
Easy WP Cleaner
Email posts to subscribers
EmbedPress – Embed PDF, YouTube, Google Docs, Vimeo, Wistia Videos, Audios, Maps & Any Documents in Gutenberg & Elementor
Export Import Menus
Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder
Goods Catalog
Hide admin notices – Admin Notification Center
Insert Estimated Reading Time
Laposta Signup Basic
Laposta Signup Embed
Leadster
Live News
Locations
MailMunch – Grow your Email List
Media Library Assistant
My Account Page Editor
MyCryptoCheckout – Bitcoin, Ethereum, and 100+ altcoins for WooCommerce
Notice Bar
Order Delivery Date for WP e-Commerce
Outbound Link Manager
POEditor
Paid Membership Plugin, Ecommerce, Registration Form, Login Form, User Profile & Restrict Content – ProfilePress
PeproDev CF7 Database
Poll Maker – Best WordPress Poll Plugin
Premium Starter Templates
RSVPMaker
Realbig For WordPress
Regpack
Rescue Shortcodes
Restrict – membership, site, content and user access restrictions for WordPress
SAML Single Sign On – SSO Login Standard
SIS Handball
SendPress Newsletters
Simple Download Counter
Simple Membership
Slider Pro
Staff / Employee Business Directory for Active Directory
StagTools
Starter Templates — Elementor, WordPress & Beaver Builder Templates
Stock Quotes List
Sunshine Photo Cart
Swifty Bar, sticky bar by WPGens
TelSender – Сontact form 7, Events, Wpforms and wooccommerce to telegram bot
Tilda Publishing
Travel Map
UniConsent CMP for GDPR CPRA GPP TCF
Use Memcached
User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds
User Submitted Posts – Enable Users to Submit Posts from the Front End
VS Contact Form
WP Accessibility Helper (WAH)
WP Crowdfunding
WP Custom Post Template
WP Directory Kit
WP Gallery Metabox
WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts
WP iCal Availability
WP-dTree
WRC Pricing Tables – WordPress Responsive CSS3 Pricing Tables
WiserNotify Social Proof & FOMO Notification, WooCommerce Sales Popup, Review Popups, Notification Bars & Urgency Widgets
WooCommerce PensoPay
Woocommerce Support System
WordPress Classifieds Plugin – Ad Directory & Listings by AWP Classifieds
WordPress File Sharing Plugin
WordPress Social Login
iFolders – Ultimate Folder Manager for Media, Pages, Posts & etc
rtMedia for WordPress, BuddyPress and bbPress
wordpress publish post email notification
wpCentral

WordPress Themes with Reported Vulnerabilities Last Week

Software Name Software Slug
Attorney attorney
Flatsome flatsome
Raise Mag raise-mag
Wishful Blog wishful-blog
Woodmart woodmart

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities.

Media Library Assistant <= 3.09 – Unauthenticated Local/Remote File Inclusion & Remote Code Execution

Affected Software: Media Library Assistant
CVE ID: CVE-2023-4634
CVSS Score: 9.8 (Critical)
Researcher/s: Pepitoh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/05c68377-feb6-442d-a3a0-1fbc246c7cbf

RSVPMaker <= 10.6.6 – Unauthenticated PHP Object Injection

Affected Software: RSVPMaker
CVE ID: CVE-2023-25054
CVSS Score: 9.8 (Critical)
Researcher/s: Ravi Dharmawan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/647cc71d-4d3a-4722-b498-baaee2450809

All in One B2B for WooCommerce <= 1.0.3 – Unauthenticated Privilege Escalation

Affected Software: All in One B2B for WooCommerce
CVE ID: CVE-2023-4703
CVSS Score: 9.8 (Critical)
Researcher/s: Alexander Concha
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/aab3016d-5834-4b4a-a206-0b626884b335

Flatsome <= 3.17.5 – Unauthenticated PHP Object Injection

Affected Software: Flatsome
CVE ID: CVE-2023-40555
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bfc4863a-1b8c-4b13-9df1-18f221b40b26

Form Maker by 10Web <= 1.15.19 – Unauthenticated Arbitrary File Upload

Affected Software: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder
CVE ID: CVE Unknown
CVSS Score: 9.8 (Critical)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c691d129-35db-4de8-a28e-5e77347e2280


Export Import Menus <= 1.8.0 – Authenticated (Contributor+) Arbitrary File Upload

Affected Software: Export Import Menus
CVE ID: CVE-2023-34385
CVSS Score: 8.8 (High)
Researcher/s: Emili Castells
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d74efb03-4a1c-4163-bd79-ef17975a609e

Affected Software: My Account Page Editor
CVE ID: CVE-2023-4536
CVSS Score: 8.8 (High)
Researcher/s: Alex Concha
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f87b6987-8896-4edf-9b14-8582426adeb0

ProfilePress <= 4.13.2 – Limited Privilege Escalation via ‘acceptable_defined_roles’


Woocommerce Support System <= 1.2.0 – Missing Authorization

Affected Software: Woocommerce Support System
CVE ID: CVE-2023-41686
CVSS Score: 7.3 (High)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8004a306-4c8f-40e9-accc-a12d65b5f2f9

Woocommerce Support System <= 1.2.0 – Authenticated (Administrator+) SQL Injection via ‘orderby’

Affected Software: Woocommerce Support System
CVE ID: CVE-2023-41685
CVSS Score: 7.2 (High)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/efab7ec7-7143-4556-8d68-4a7e34f46e9e

Travel Map <= 1.0.1 – Unauthenticated Cross-Site Scripting

Affected Software: Travel Map
CVE ID: CVE-2023-41860
CVSS Score: 7.2 (High)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3f04a742-56be-42e9-9080-2131c6e98325

Click To Tweet <= 2.0.14 – Unauthenticated Cross-Site Scripting

Affected Software: Click To Tweet
CVE ID: CVE-2023-41856
CVSS Score: 7.2 (High)
Researcher/s:
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b5031140-9a48-43da-b946-00ce9c70258b

PeproDev CF7 Database <= 1.7.0 – Unauthenticated Stored Cross-Site Scripting via form submission

Affected Software: PeproDev CF7 Database
CVE ID: CVE-2023-41863
CVSS Score: 7.2 (High)
Researcher/s: FearZzZz
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c7a7df90-a542-48cf-a58e-bcbddc978df2

Simple Membership <= 4.3.5 – Reflected Cross-Site Scripting

Affected Software: Simple Membership
CVE ID: CVE-2023-4719
CVSS Score: 7.2 (High)
Researcher/s: FearZzZz
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e4b10172-7e54-4ff8-9fbb-41d160ce49e4

User Feedback <= 1.0.7 – Unauthenticated Stored Cross-Site Scripting

Affected Software: User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds
CVE ID: CVE-2023-39308
CVSS Score: 7.2 (High)
Researcher/s: Revan Arifio
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f9e45bc2-6db6-49cd-8a4a-58489a8ddac2

All in One B2B for WooCommerce <= 1.0.3 – Cross-Site Request Forgery

Affected Software: All in One B2B for WooCommerce
CVE ID: CVE-2023-3547
CVSS Score: 6.5 (Medium)
Researcher/s: Alex Sanford
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bd53bc57-b10e-47a7-8c10-96bf1f1e82a5

Auto Amazon Links <= 5.3.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via style

Affected Software: Auto Amazon Links – Amazon Associates Affiliate Plugin
CVE ID: CVE-2023-4482
CVSS Score: 6.4 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/11ffb8a1-55d2-44c5-bcd2-ba866b94e8bc

Goods Catalog <= 2.4.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Goods Catalog
CVE ID: CVE-2023-41687
CVSS Score: 6.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/21542a9e-efa2-4655-b076-d282e3678fdf

Rescue Shortcodes <= 2.5 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Rescue Shortcodes
CVE ID: CVE-2023-41728
CVSS Score: 6.4 (Medium)
Researcher/s:
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6a11e7c9-f565-4a8c-895f-425c6654b5a9

Starter Templates <= 3.2.4 – Authenticated (Contributor+) Server-Side Request Forgery

Affected Software/s: Starter Templates — Elementor, WordPress & Beaver Builder Templates, Premium Starter Templates
CVE ID: CVE-2023-41804
CVSS Score: 6.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6e0bdbba-2b67-42b9-8c26-115d472aed0e

Simple Download Counter <= 1.6 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Simple Download Counter
CVE ID: CVE-2023-4838
CVSS Score: 6.4 (Medium)
Researcher/s: NGÔ THIÊN AN
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/aa5f7f2a-c7b7-4339-a608-51fd684c18bf

User Submitted Posts <= 20230901 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: User Submitted Posts – Enable Users to Submit Posts from the Front End
CVE ID: CVE-2023-41696
CVSS Score: 6.4 (Medium)
Researcher/s: NGÔ THIÊN AN
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b7fca965-86f8-4ee4-a9d6-cb18fe5f098e

WordPress Social Login <= 3.0.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: WordPress Social Login
CVE ID: CVE-2023-4773
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b987822d-2b1b-4f79-988b-4bd731864b63

User Submitted Posts – Enable Users to Submit Posts from the Front End <= 20230811 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: User Submitted Posts – Enable Users to Submit Posts from the Front End
CVE ID: CVE-2023-4779
CVSS Score: 6.4 (Medium)
Researcher/s: NGÔ THIÊN AN
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d21ca709-183f-4dd1-849c-f1b2a4f7ec43

Notice Bar <= 3.1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Notice Bar
CVE ID: CVE-2023-41847
CVSS Score: 6.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/defc5b5a-243d-4564-a9f8-3ecf3538129b

Locations <= 4.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Locations
CVE ID: CVE-2023-41797
CVSS Score: 6.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fe10acf6-2649-4e85-abd1-b6840169eb41

Attorney <= 3 – Reflected Cross-Site Scripting

Affected Software: Attorney
CVE ID: CVE-2023-41692
CVSS Score: 6.1 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/026443b6-4ab5-4f31-8a8d-2019097bde4c

Restrict <= 2.2.4 – Reflected Cross-Site Scripting

Affected Software: Restrict – membership, site, content and user access restrictions for WordPress
CVE ID: CVE-2023-41861
CVSS Score: 6.1 (Medium)
Researcher/s:
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/62029ce5-ab97-4594-93e6-469ef5692320

WooCommerce PensoPay <= 6.3.1 – Reflected Cross-Site Scripting via ‘pensopay_action’

Affected Software: WooCommerce PensoPay
CVE ID: CVE-2023-41691
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6845b506-3d38-47f6-9348-d7931e65707a

WoodMart <= 7.2.4 – Reflected Cross-Site Scripting

Affected Software: Woodmart
CVE ID: CVE-2023-41872
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6fc92b8f-6794-461a-b6b6-598de21f5e2d

AcyMailing SMTP Newsletter <= 8.6.2 – Reflected Cross-Site Scripting

Affected Software: AcyMailing – Newsletter & mailing automation for WordPress
CVE ID: CVE-2023-41867
CVSS Score: 6.1 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9f82ec7c-72a0-4c3b-8041-c6ad080a48f1

Stagtools <= 2.3.7 – Reflected Cross-Site Scripting

Affected Software: StagTools
CVE ID: CVE-2023-41868
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ca09ce0d-3989-420d-9457-f0acd709cc6b

Poll Maker <= 4.7.0 – Reflected Cross-Site Scripting

Affected Software: Poll Maker – Best WordPress Poll Plugin
CVE ID: CVE-2023-41871
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/faad9cf7-5d83-4ade-b121-c38fb0de78a5

Wishful Blog <= 2.0.1 & Raise Mag <= 1.0.7 – Unauthenticated Cross-Site Scripting

Affected Software/s: Raise Mag, Wishful Blog
CVE ID: CVE-2023-28621
CVSS Score: 6.1 (Medium)
Researcher/s: László Radnai
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fb33f779-d045-48dd-babe-8b1fab903124

Stock Quotes List <= 2.9.9 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Stock Quotes List
CVE ID: CVE-2023-41666
CVSS Score: 5.4 (Medium)
Researcher/s: deokhunKim
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1dffbb2d-69d1-495c-8c96-64c5fd878fcd

Tilda Publishing <= 0.3.21 – Missing Authorization

Affected Software: Tilda Publishing
CVE ID: CVE-2023-31234
CVSS Score: 5.4 (Medium)
Researcher/s:
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4a992bb2-67b9-48db-a536-c3af79e93af4

Staff / Employee Business Directory for Active Directory <= 1.2.1 – Insufficient Escaping of Stored LDAP Values

Affected Software: Staff / Employee Business Directory for Active Directory
CVE ID: CVE-2023-4757
CVSS Score: 5.4 (Medium)
Researcher/s: Pedro José Navas Pérez
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b1355e9f-fa3a-439a-a13f-49b10dd4473a

Easy WP Cleaner <= 1.9 – Cross-Site Request Forgery

Affected Software: Easy WP Cleaner
CVE ID: CVE-2023-41697
CVSS Score: 5.4 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c4c2689d-be51-4907-b624-c85da39f545d

Contact Form for Plugin by Fluent Forms <= 5.0.8 – Insecure Direct Object Reference

Affected Software: Contact Form Plugin – Fastest Contact Form Builder Plugin for WordPress by Fluent Forms
CVE ID: CVE-2023-41952
CVSS Score: 5.3 (Medium)
Researcher/s: Revan Arifio
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/20f31e48-0dbb-498a-a400-681cacea7c9c

Sunshine Photo Cart <= 3.0.5 – Insecure Direct Object Reference to Order Manipulation

Affected Software: Sunshine Photo Cart
CVE ID: CVE-2023-41796
CVSS Score: 5.3 (Medium)
Researcher/s:
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2eae7c33-2347-4b34-8b5f-7f4a6ee3e9c1

TelSender <= 1.14.7 – Missing Authorization

Affected Software: TelSender – Сontact form 7, Events, Wpforms and wooccommerce to telegram bot
CVE ID: CVE-2023-41683
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/39193ebd-005a-4497-9939-99947323a1a0

WP Directory Kit <= 1.2.6 – Missing Authorization

Affected Software: WP Directory Kit
CVE ID: CVE-2023-41875
CVSS Score: 5.3 (Medium)
Researcher/s: Debangshu Kundu, Arpeet Rathi
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/60083262-198d-4a7d-bb0a-717a744e20f9

Email posts to subscribers <= 6.2 – Missing Authorization to Sensitive Information Exposure

Affected Software: Email posts to subscribers
CVE ID: CVE-2023-41735
CVSS Score: 5.3 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7730d670-d270-4755-bc9a-550498a28edb

WRC Pricing Tables <= 2.3.7 – Missing Authorization

Affected Software: WRC Pricing Tables – WordPress Responsive CSS3 Pricing Tables
CVE ID: CVE-2023-32293
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/823dc422-12f4-4f7d-a305-2e4db18bafdf

WiserNotify Social Proof <= 2.5 – Missing Authorization


EWWW Image Optimizer <= 7.2.0 – Sensitive Information Exposure

Affected Software: EWWW Image Optimizer
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d7d08bfd-9861-4e21-a696-25b00233ad94

VS Contact Form <= 13.9 – Missing Authorization

Affected Software: VS Contact Form
CVE ID: CVE-2023-41862
CVSS Score: 5.3 (Medium)
Researcher/s:
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e3f665b8-fbd5-4100-baf6-3fa99332a5dc

BitPay Checkout for WooCommerce <= 4.1.0 – Missing Authorization

Affected Software: BitPay Checkout for WooCommerce
CVE ID: CVE-2023-41803
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ea489c69-d4d9-4e05-8cac-25fd17d48506

UniConsent Cookie Consent CMP for GDPR / CCPA <= 1.4.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: UniConsent CMP for GDPR CPRA GPP TCF
CVE ID: CVE-2023-41800
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/19c9cf3e-553b-4cbd-9f2c-803e188a2581

WordPress File Sharing Plugin <= 2.0.3 – Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: WordPress File Sharing Plugin
CVE ID: CVE-2023-4636
CVSS Score: 4.4 (Medium)
Researcher/s: Shuning Xu
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1df04293-87e9-4ab4-975d-54d36a993ab0

Insert Estimated Reading Time <= 1.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Insert Estimated Reading Time
CVE ID: CVE-2023-41734
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/45426cdd-2721-4959-8f0b-13025f775d62

Cookie Notice & Consent 1.6.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Cookie Notice & Consent
CVE ID: CVE-2023-41948
CVSS Score: 4.4 (Medium)
Researcher/s: DoYeon Park
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/489dc156-b8cb-4e08-a847-73a891398d5c

SendPress Newsletters <= 1.22.3.31 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: SendPress Newsletters
CVE ID: CVE-2023-41729
CVSS Score: 4.4 (Medium)
Researcher/s:
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5d173077-06c4-4a23-a664-0be8516053ec

Swifty Bar, sticky bar by WPGens <= 1.2.10 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Swifty Bar, sticky bar by WPGens
CVE ID: CVE-2023-41737
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/66c90387-af23-48fc-94da-708b9c223fe3

wordpress publish post email notification <= 1.0.2.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: wordpress publish post email notification
CVE ID: CVE-2023-41731
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/705d11b1-0924-46ae-a6e6-8fab16a4df00

iFolders <= 1.5.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: iFolders – Ultimate Folder Manager for Media, Pages, Posts & etc
CVE ID: CVE-2023-41949
CVSS Score: 4.4 (Medium)
Researcher/s:
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d1f957ce-7bb0-4701-8b2a-522211c408d8

Order Delivery Date for WP e-Commerce <= 1.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Order Delivery Date for WP e-Commerce
CVE ID: CVE-2023-41859
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d74f5813-cf7a-4ffb-9306-56f29b3a7d04

Email posts to subscribers <= 6.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Email posts to subscribers
CVE ID: CVE-2023-41736
CVSS Score: 4.4 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e818a5db-acb7-4b16-80b1-939904e93791

Back To The Top Button <= 2.1.5 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Back To The Top Button
CVE ID: CVE-2023-41733
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ed8cd92a-c791-4781-a7bc-9b2a4d559d7d

Regpack <= 0.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Regpack
CVE ID: CVE-2023-41855
CVSS Score: 4.4 (Medium)
Researcher/s: Pavitra Tiwari
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f3cdc0ba-d28f-488c-a703-f9d880f0582e

Backup Migration <= 1.2.9 – Cross-Site Request Forgery

Affected Software: BackupBliss – Backup Migration Staging
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/00274313-9079-4877-b72e-310e312aa814

Automatic YouTube Gallery <= 2.3.3 – Missing Authorization via AJAX actions

Affected Software: Automatic YouTube Gallery
CVE ID: CVE-2023-41866
CVSS Score: 4.3 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0a58d45b-c91b-4141-992e-336650d7252b

rtMedia for WordPress, BuddyPress and bbPress <= 4.6.14 – Missing Authorization via export_settings

Affected Software: rtMedia for WordPress, BuddyPress and bbPress
CVE ID: CVE-2023-41951
CVSS Score: 4.3 (Medium)
Researcher/s:
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0cb5df54-a6a7-4c2e-8df0-5d050218622e

Super Socializer <= 7.13.54 – Missing Authorization

Affected Software:
CVE ID: CVE-2023-41802
CVSS Score: 4.3 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/101dd211-c3eb-4d27-9194-841bc2a968e6

Laposta Signup Embed <= 1.1.0 – Missing Authorization

Affected Software: Laposta Signup Embed
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/12b81441-d22c-4211-a8da-811182de622d

CP Blocks <= 1.0.20 – Cross-Site Request Forgery to Settings Update

Affected Software: CP Blocks
CVE ID: CVE-2023-41732
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/35cd1788-1756-4d03-8f6f-e5e4153e3f4f

Leadster <= 1.1.2 – Cross-Site Request Forgery

Affected Software: Leadster
CVE ID: CVE-2023-41668
CVSS Score: 4.3 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/361216af-b939-4ac1-ae06-97552d283670

EmbedPress <= 3.8.3 – Cross-Site Request Forgery


Live News <= 1.06 – Cross-Site Request Forgery

Affected Software: Live News
CVE ID: CVE-2023-41669
CVSS Score: 4.3 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3ee59570-85c3-4394-bebb-c3f49c08be67

WP Gallery Metabox <= 1.0.0 – Cross-Site Request Forgery

Affected Software: WP Gallery Metabox
CVE ID: CVE-2023-41876
CVSS Score: 4.3 (Medium)
Researcher/s: Skalucy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/46c4b7f7-e3e6-46b8-b959-07775db8bb6c

wpCentral <= 1.5.7 – Cross-Site Request Forgery

Affected Software: wpCentral
CVE ID: CVE-2023-41854
CVSS Score: 4.3 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/49d03254-7399-4a5d-9ce9-7d4736b8b2ee

Laposta Signup Embed <= 1.1.0 – Cross-Site Request Forgery

Affected Software: Laposta Signup Embed
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4c0cbf44-f6b4-408d-9a96-98f45d890822

POEditor <= 0.9.4 – Cross-Site Request Forgery

Affected Software: POEditor
CVE ID: CVE-2023-32091
CVSS Score: 4.3 (Medium)
Researcher/s: Elliot
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4e81e947-4892-4028-8a09-6a048bf6a572

Carousel Slider <= 2.2.2 – Missing Authorization

Affected Software: Carousel Slider
CVE ID: CVE-2023-41848
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Anh Tien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5465eaab-03c0-438a-8553-c1f8b06b82bc

SIS Handball <= 1.0.45 – Cross-Site Request Forgery

Affected Software: SIS Handball
CVE ID: CVE-2023-41684
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5973afaa-5a64-4db1-8e32-3b39d1367eb8

Bulk NoIndex & NoFollow Toolkit <= 1.5 – Missing Authorization

Affected Software: Bulk NoIndex & NoFollow Toolkit
CVE ID: CVE-2023-41688
CVSS Score: 4.3 (Medium)
Researcher/s: Skalucy
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5cb79fbc-705a-4fb4-b441-7fe7ab6dea10

rtMedia for WordPress, BuddyPress and bbPress <= 4.6.14 – Missing Authorization to Settings Update

Affected Software: rtMedia for WordPress, BuddyPress and bbPress
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5dfc145e-d2d4-4137-a5c6-dec2ebb41876

WP-dTree <= 4.4.5 – Cross-Site Request Forgery

Affected Software: WP-dTree
CVE ID: CVE-2023-41667
CVSS Score: 4.3 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/61808624-b2c7-4e86-b5a1-56f32fca9eaa

Realbig <= 1.0.2 – Cross-Site Request Forgery

Affected Software: Realbig For WordPress
CVE ID: CVE-2023-41694
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/70ae0f3e-75a8-41c7-91c0-52d672809835

Order Delivery Date for WP e-Commerce <= 1.2 – Cross-Site Request Forgery

Affected Software: Order Delivery Date for WP e-Commerce
CVE ID: CVE-2023-41858
CVSS Score: 4.3 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/74a74817-30ff-42ec-9bd4-7d0638d6643c

Click To Tweet <= 2.0.14 – Missing Authorization

Affected Software: Click To Tweet
CVE ID: CVE-2023-41857
CVSS Score: 4.3 (Medium)
Researcher/s:
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7f765327-3872-46cc-a4f9-40219bf0dd99

Outbound Link Manager <= 1.2 – Cross-Site Request Forgery

Affected Software: Outbound Link Manager
CVE ID: CVE-2023-41850
CVSS Score: 4.3 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8dfc0d5e-bdc4-4f71-8aa3-0a4fbd7ef37d

Analytify Dashboard <= 5.1.0 – Missing Authorization to Opt-In

Affected Software: Analytify – Google Analytics Dashboard For WordPress (GA4 made easy)
CVE ID: CVE-2023-41695
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/970b3a0f-c1cc-4d85-8271-a523ccdbcc39

AWP Classifieds <= 4.3 – Cross-Site Request Forgery

Affected Software: WordPress Classifieds Plugin – Ad Directory & Listings by AWP Classifieds
CVE ID: CVE-2023-41801
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b06a1b66-9057-4f16-878c-4fa66489f0ff

Use Memcached <= 1.0.5 – Cross-Site Request Forgery

Affected Software: Use Memcached
CVE ID: CVE-2023-41670
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b63f4de2-32e1-4c5e-a64d-fb66d2e2b3a8

WP Custom Post Template <= 1.0 – Cross-Site Request Forgery

Affected Software: WP Custom Post Template
CVE ID: CVE-2023-41851
CVSS Score: 4.3 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b796b514-b6ca-4a22-9340-df02fec97075

Laposta Signup Basic <= 1.4.1 – Missing Authorization

Affected Software: Laposta Signup Basic
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b7e417c2-bf9c-4c88-be2b-9c2324897b07

WP Accessibility Helper (WAH) <= 0.6.2.4 – Missing Authorization via AJAX action

Affected Software: WP Accessibility Helper (WAH)
CVE ID: CVE-2023-41869
CVSS Score: 4.3 (Medium)
Researcher/s:
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b97b84a8-cf4e-4648-8d58-b81a71b7988c

Hide admin notices – Admin Notification Center <= 2.3.2 – Cross-Site Request Forgery

Affected Software: Hide admin notices – Admin Notification Center
CVE ID: CVE-2023-41672
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b98c5623-15fe-4937-9a0e-770aa0ab06f3

WP iCal Availability <= 1.0.3 – Cross-Site Request Forgery

Affected Software: WP iCal Availability
CVE ID: CVE-2023-41853
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bc3f1d4e-84f7-4878-8b06-10444caa7dcf

Super Socializer <= 7.13.54 – Cross-Site Request Forgery

Affected Software:
CVE ID: CVE-2023-41802
CVSS Score: 4.3 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bc6cfad1-d23a-4a96-9d6c-841b6d795a01

rtMedia for WordPress, BuddyPress and bbPress <= 4.6.14 – Missing Authorization to Sensitive Information Exposure

Affected Software: rtMedia for WordPress, BuddyPress and bbPress
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/be837a77-9b25-43af-aaba-94a8aa59e7e3

SAML SP Single Sign On <= 5.0.4 – Missing Authorization to notice dismissal

Affected Software: SAML Single Sign On – SSO Login Standard
CVE ID: CVE-2023-41873
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c3114906-fac1-42b9-9ba1-0a5d44c2fb3a

WP Crowdfunding <= 2.1.4 – Missing Authorization via settings_reset

Affected Software: WP Crowdfunding
CVE ID: CVE-2023-41870
CVSS Score: 4.3 (Medium)
Researcher/s: Elliot
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cddf4aa1-5c7d-4aa1-9384-1c352f0c6da9

Laposta Signup Basic <= 1.4.1 – Cross-Site Request Forgery

Affected Software: Laposta Signup Basic
CVE ID: CVE-2023-41950
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d1ba4b18-ff46-45ef-b7d4-0a314cf2d74c

Duplicate Post Page Menu & Custom Post Type <= 2.3.1 – Missing Authorization to Post Duplication

Affected Software: Duplicate Post Page Menu & Custom Post Type
CVE ID: CVE-2023-4792
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d6bb08e8-9ef5-41db-a111-c377a5dfae77

ProfilePress <= 4.13.1 Cross-Site Request Forgery via ‘admin_notice’


WP Crowdfunding <= 2.1.5 – Cross-Site Request Forgery

Affected Software: WP Crowdfunding
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e4dc8f18-d990-4e41-8bf8-dfa9de4c0f6e

MyCryptoCheckout <= 2.125 – Cross-Site Request Forgery

Affected Software: MyCryptoCheckout – Bitcoin, Ethereum, and 100+ altcoins for WooCommerce
CVE ID: CVE-2023-41693
CVSS Score: 4.3 (Medium)
Researcher/s:
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e5575725-99ba-4499-93e5-f7648c82ac52

Starter Templates <= 3.2.5 – Incorrect Authorization

Affected Software/s: Starter Templates — Elementor, WordPress & Beaver Builder Templates, Premium Starter Templates
CVE ID: CVE-2023-41805
CVSS Score: 4.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ebd78e52-f20d-42be-8f68-3d09d5abf837

Easy Form by AYS <= 1.3.8 – Cross-Site Request Forgery

Affected Software: Easy Form by AYS
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ee595f48-b72f-4569-a248-7dbd0b9152ae

MailMunch – Grow your Email List <= 3.1.2 – Cross-Site Request Forgery

Affected Software: MailMunch – Grow your Email List
CVE ID: CVE-2023-41852
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f6409626-c8cb-412c-aff3-cbb2da212e5d

Slider Pro <= 4.8.6 – Missing Authorization via AJAX actions

Affected Software: Slider Pro
CVE ID: CVE-2023-41865
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f813cb1a-5922-48a5-a026-66ec9aaac294

SendPress Newsletters <= 1.22.3.31 – Cross-Site Request Forgery

Affected Software: SendPress Newsletters
CVE ID: CVE-2023-41730
CVSS Score: 4.3 (Medium)
Researcher/s:
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fb70339c-0f1a-4acc-af7a-8a0320fdfe71

Directorist <= 7.7.1 – CSV Injection

Affected Software: Directorist – WordPress Business Directory Plugin with Classified Ads Listings
CVE ID: CVE-2023-41798
CVSS Score: 3.8 (Low)
Researcher/s: Rafshanzani Suhada
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ab233ceb-270c-4694-9cf9-2de8ddfcbbfd

Modula <= 2.7.4 – Incomplete Authorization via ‘save_image’ and ‘save_images’

Affected Software: Customizable WordPress Gallery Plugin – Modula Image Gallery
CVE ID: CVE Unknown
CVSS Score: 2.2 (Low)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f029bd86-d979-45d1-97fe-75c43fb71148

As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (September 4, 2023 to September 10, 2023) appeared first on Wordfence.

This content was originally published here.