Chloe ChamberlandWORDFENCE:08A0505B9E40CF4662CB41A16D06BC6AWordfence Intelligence Weekly WordPress Vulnerability Report (November 13, 2023 to November 19, 2023)
Wordfence just launched its bug bounty program. For the first 6 months, all awarded bounties receive a 10% bonus. View the announcement to learn more now!
Last week, there were 126 vulnerabilities disclosed in 102 WordPress Plugins and 2 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 37 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.
Enterprises, Hosting Providers, and even Indivudals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 12,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.
_Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published. _
New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.
Total Unpatched & Patched Vulnerabilities Last Week
| Patch Status | Number of Vulnerabilities |
|---|---|
| Unpatched | 40 |
| Patched | 86 |
Total Vulnerabilities by CVSS Severity Last Week
| Severity Rating | Number of Vulnerabilities |
|---|---|
| Low Severity | 2 |
| Medium Severity | 105 |
| High Severity | 14 |
| Critical Severity | 5 |
Total Vulnerabilities by CWE Type Last Week
| Vulnerability Type by CWE | Number of Vulnerabilities |
|---|---|
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 43 |
| Missing Authorization | 36 |
| Cross-Site Request Forgery (CSRF) | 26 |
| Unrestricted Upload of File with Dangerous Type | 4 |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') | 3 |
| Information Exposure | 2 |
| Deserialization of Untrusted Data | 2 |
| Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') | 1 |
| Improper Privilege Management | 1 |
| Unverified Password Change | 1 |
| Protection Mechanism Failure | 1 |
| URL Redirection to Untrusted Site ('Open Redirect') | 1 |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 1 |
| Use of Less Trusted Source | 1 |
| Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') | 1 |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | 1 |
| Improper Authorization | 1 |
Researchers That Contributed to WordPress Security Last Week
| Researcher Name | Number of Vulnerabilities |
|---|---|
| Abdi Pranata | 23 |
| Rafie Muhammad | 18 |
| Ngô Thiên An (ancorn_) | 10 |
| Le Ngoc Anh | 5 |
| István Márton | |
| (Wordfence Vulnerability Researcher) | 4 |
| Mika | 4 |
| Marco Wotschka | |
| (Wordfence Vulnerability Researcher) | 4 |
| Paolo Tresso | |
| (Wordfence Vulnerability Researcher) | 4 |
| emad | 3 |
| Huynh Tien Si | 3 |
| Ala Arfaoui | 2 |
| Vincenzo Turturro | 2 |
| Gianluca Parisi | 2 |
| Vincenzo Cantatore | 2 |
| Revan Arifio | 1 |
| Enrico Marcolini | 1 |
| Claudio Marchesini (Dottormarc) | 1 |
| wpdabh | 1 |
| RIN MIYACHI | 1 |
| Nicolas Surribas | 1 |
| Naveen Muthusamy | 1 |
| Vladislav Pokrovsky (ΞX.MI) | 1 |
| niclo | 1 |
| LEE SE HYOUNG | 1 |
| Muhammad Daffa | 1 |
| Brandon James Roldan (tomorrowisnew) | 1 |
| BuShiYue | 1 |
| Alex Sanford | 1 |
| thiennv | 1 |
| Nguyen Xuan Chien | 1 |
| Furkan ÖZER | 1 |
| DoYeon Park (p6rkdoye0n) | 1 |
| Dmitrii Ignatyev | 1 |
| Bartłomiej Marek | 1 |
| Tomasz Swiadek | 1 |
| resecured.io | 1 |
| Ivy (TOOR, Lisa) | 1 |
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
|---|---|
| 10WebAnalytics | wd-google-analytics |
| AMP+ Plus | amp-plus |
| ARI Stream Quiz – WordPress Quizzes Builder | ari-stream-quiz |
| AWeber – Free Sign Up Form and Landing Page Builder Plugin for Lead Generation and Email Newsletter Growth | aweber-web-form-widget |
| Accordion | accordions-wp |
| Acme Fix Images | acme-fix-images |
| Add Widgets to Page | add-widgets-to-page |
| Ajax Domain Checker | ajax-domain-checker |
| Anywhere Flash Embed | anywhere-flash-embed |
| AppPresser – Mobile App Framework | apppresser |
| Audio Merchant | audio-merchant |
| BMI Calculator Plugin | bmi-calculator-shortcode |
| BP Profile Shortcodes Extra | bp-profile-shortcodes-extra |
| BSK Contact Form 7 Blacklist | bsk-contact-form-7-blacklist |
| Bamboo Columns | bamboo-columns |
| Better RSS Widget | better-rss-widget |
| BetterDocs – Best Documentation & Knowledge Base Plugin | betterdocs |
| Big File Uploads – Increase Maximum File Upload Size | tuxedo-big-file-uploads |
| Bus Ticket Booking with Seat Reservation – WpBusTicketly | WordPress plugin |
| Client Invoicing by Sprout Invoices – Easy Estimates and Invoices for WordPress | sprout-invoices |
| CodeBard's Patron Button and Widgets for Patreon | patron-button-and-widgets-by-codebard |
| Comments – wpDiscuz | wpdiscuz |
| Community by PeepSo – Social Network, Membership, Registration, User Profiles | peepso-core |
| Conditional Fields for Contact Form 7 | cf7-conditional-fields |
| Customer Reviews for WooCommerce | customer-reviews-woocommerce |
| Daily Prayer Time | daily-prayer-time-for-mosques |
| Delete Duplicate Posts | delete-duplicate-posts |
| Ditty – Responsive News Tickers, Sliders, and Lists | ditty-news-ticker |
| DrawIt (draw.io) | drawit |
| EWWW Image Optimizer | ewww-image-optimizer |
| Easy Call Now by ThikShare | easy-call-now |
| EasyAzon – Amazon Associates Affiliate Plugin | easyazon |
| Elementor Addon Elements | addon-elements-for-elementor-page-builder |
| Email Encoder – Protect Email Addresses and Phone Numbers | email-encoder-bundle |
| Email Verification / SMS Verification / OTP Verification / OTP Authentication / WooCommerce Notification | miniorange-otp-verification |
| Embed Privacy | embed-privacy |
| EmbedPress – Embed PDF, YouTube, Google Docs, Vimeo, Wistia Videos, Audios, Maps & Any Documents in Gutenberg & Elementor | embedpress |
| Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates | essential-blocks |
| Essential Grid Portfolio – Photo Gallery | essential-grid |
| Events Addon for Elementor | events-addon-for-elementor |
| Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button – Chaty | chaty |
| Footer Putter | footer-putter |
| FormCraft – Contact Form Builder for WordPress | formcraft-form-builder |
| Forminator – Contact Form, Payment Form & Custom Form Builder | forminator |
| Frontend File Manager Plugin | nmedia-user-file-uploader |
| Hreflang Manager | hreflang-manager-lite |
| Image Compressor & Optimizer – iLoveIMG | iloveimg |
| Integration for Constant Contact and Contact Form 7, WPForms, Elementor, Ninja Forms | cf7-constant-contact |
| Interactive World Map | interactive-world-map |
| Jetpack – WP Security, Backup, Speed, & Growth | jetpack |
| LWS Hide Login | lws-hide-login |
| LayerSlider | layerslider |
| Leadster | leadster-marketing-conversacional |
| Legal Pages – Privacy Policy, Terms & Conditions, GDPR, CCPA, and Cookie Notice Generator | legal-pages |
| Live Preview for Contact Form 7 | cf7-live-preview |
| LuckyWP Scripts Control | luckywp-scripts-control |
| MP3 Audio Player for Music, Radio & Podcast by Sonaar | mp3-music-player-by-sonaar |
| Namaste! LMS | namaste-lms |
| Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions | paid-memberships-pro |
| Permalinks Customizer | permalinks-customizer |
| Phlox Shop | auxin-shop |
| Popup Box – Best WordPress Popup Plugin | ays-popup-box |
| Post Status Notifier Lite | post-status-notifier-lite |
| Premium Portfolio Features for Phlox theme | auxin-portfolio |
| Premmerce Redirect Manager | premmerce-redirect-manager |
| Professional Social Sharing Buttons, Icons & Related Posts – Shareaholic | shareaholic |
| Pz-LinkCard | pz-linkcard |
| Quick Call Button | quick-call-button |
| Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress | quiz-master-next |
| Restaurant & Cafe Addon for Elementor | restaurant-cafe-addon-for-elementor |
| SearchIQ – The Search Solution | searchiq |
| Shortcodes and extra features for Phlox theme | auxin-elements |
| Simple 301 Redirects by BetterLinks | simple-301-redirects |
| Simply Excerpts | simply-excerpts |
| Slider Revolution | revslider |
| Slider – Ultimate Responsive Image Slider | ultimate-responsive-image-slider |
| Star CloudPRNT for WooCommerce | star-cloudprnt-for-woocommerce |
| Theater for WordPress | theatre |
| URL Shortify – Simple, Powerful and Easy URL Shortener Plugin For WordPress | url-shortify |
| Ultimate Dashboard – Custom WordPress Dashboard | ultimate-dashboard |
| WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses | wp-courses |
| WP Custom Admin Interface | wp-custom-admin-interface |
| WP EXtra | wp-extra |
| WP Fastest Cache | wp-fastest-cache |
| WP Like Button | wp-like-button |
| WP Maintenance | wp-maintenance |
| WP Meta and Date Remover | wp-meta-and-date-remover |
| WP Not Login Hide (WPNLH) | wp-not-login-hide-wpnlh |
| WPCafe – Restaurant Menu, Online Ordering for WooCommerce, Pickup / Delivery and Table Reservation | wp-cafe |
| Website Optimization – Plerdy | plerdy-heatmap |
| Welcart e-Commerce | usc-e-shop |
| Welcome Email Editor | welcome-email-editor |
| WooCommerce | woocommerce |
| WooCommerce Blocks | woo-gutenberg-products-block |
| WooCommerce Bookings | woocommerce-bookings |
| WooCommerce Product Carousel Slider | product-carousel-slider-for-woocommerce |
| Woocommerce Shipping Canada Post | woocommerce-shipping-canada-post |
| WordPress File Upload | wp-file-upload |
| YOP Poll | yop-poll |
| avalex – Automatisch sichere Rechtstexte | avalex |
| eCommerce Product Catalog Plugin for WordPress | ecommerce-product-catalog |
| wpMandrill | wpmandrill |
WordPress Themes with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
|---|---|
| Betheme | betheme |
| Thrive Themes Builder | [thrive-theme](<https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-themes/Thrive Themes Builder>) |
Vulnerability Details
Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you'd like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.
Shortcodes and extra features for Phlox theme <= 2.14.0 - Unauthenticated Local File Inclusion
Affected Software: Shortcodes and extra features for Phlox theme CVE ID: CVE-2023-37888 CVSS Score: 9.8 (Critical) Researcher/s: Rafie Muhammad Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/09437329-f01a-4998-90ec-e4b2e271e896>
WP Fastest Cache <= 1.2.2 - Unauthenticated SQL Injection
Affected Software: WP Fastest Cache CVE ID: CVE-2023-6063 CVSS Score: 9.8 (Critical) Researcher/s: Alex Sanford Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/876efd71-8867-44b8-8017-86fad2a1b89f>
Phlox Shop <= 2.0.0 - Unauthenticated Local File Inclusion
Affected Software: Phlox Shop CVE ID: CVE-2023-39163 CVSS Score: 9.8 (Critical) Researcher/s: Rafie Muhammad Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e11e4bab-f8a9-4ecb-b36e-09a55e47f1ae>
Phlox Portfolio <= 2.3.1 - Unauthenticated Local File Inclusion
Affected Software: Premium Portfolio Features for Phlox theme CVE ID: CVE-2023-38399 CVSS Score: 9.8 (Critical) Researcher/s: Rafie Muhammad Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f6f3f82e-6b1b-4138-b8f3-82e8dcd24479>
Frontend File Manager Plugin <= 22.5 - Authenticated (Editor+) Directory Traversal
Affected Software: Frontend File Manager Plugin CVE ID: CVE-2023-5105 CVSS Score: 9.1 (Critical) Researcher/s: Dmitrii Ignatyev Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b59b5c41-6173-485e-869d-4165dc18e2bd>
Audio Merchant <= 5.0.4 - Cross-Site Request Forgery to Arbitrary File Upload
Affected Software: Audio Merchant CVE ID: CVE-2023-6196 CVSS Score: 8.8 (High) Researcher/s: Ala Arfaoui Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/06513dfe-f263-48b7-ba01-2c205247095b>
Thrive Theme Builder <= 3.20.1 - Cross-Site Request Forgery
Affected Software: Thrive Themes Builder CVE ID: CVE-2023-47781 CVSS Score: 8.8 (High) Researcher/s: Rafie Muhammad Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/353c3cd9-5ada-466b-b8e5-d40e0ec4e867>
Thrive Theme Builder <= 3.20.1 - Privilege Escalation
Affected Software: Thrive Themes Builder CVE ID: CVE-2023-47782 CVSS Score: 8.8 (High) Researcher/s: Rafie Muhammad Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/3b345dfe-3945-405a-9825-c88816b2adee>
WP Courses LMS <= 3.2.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update
Affected Software: WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses CVE ID: CVE Unknown CVSS Score: 8.8 (High) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/8a6f7952-cb64-4cff-aae7-0f03692cd95f>
Welcart e-Commerce <= 2.9.4 - Cross-Site Request Forgery
Affected Software: Welcart e-Commerce CVE ID: CVE Unknown CVSS Score: 8.8 (High) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f59004bb-b026-4137-a332-f46a09237e7b>
Welcart e-Commerce <= 2.9.4 - Authenticated (Subscriber+) Arbitrary File Upload
Affected Software: Welcart e-Commerce CVE ID: CVE Unknown CVSS Score: 8.8 (High) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f690e67c-119f-4ea6-9505-101e7f7a3dea>
Essential Grid <= 3.0.18 - Missing Authorization
Affected Software: Essential Grid Portfolio – Photo Gallery CVE ID: CVE-2023-47771 CVSS Score: 8.3 (High) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/326618eb-186b-44a2-a779-00d5366bfff2>
Thrive Theme Builder <= 3.20.1 - Missing Authorization
Affected Software: Thrive Themes Builder CVE ID: CVE-2023-47783 CVSS Score: 8.3 (High) Researcher/s: Rafie Muhammad Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/4fd6fa4f-8f4d-4d2f-ac67-98124cfa9592>
AppPresser <= 4.2.5 - Insecure Password Reset Mechanism
Affected Software: AppPresser – Mobile App Framework CVE ID: CVE-2023-4214 CVSS Score: 8.1 (High) Researcher/s: István Márton Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/4c44c36a-c4c7-49c2-b750-1589e7840dde>
Paid Memberships Pro <= 2.12.3 - Authenticated (Subscriber+) Arbitrary File Upload
Affected Software: Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions CVE ID: CVE-2023-6187 CVSS Score: 7.5 (High) Researcher/s: István Márton Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5979f2eb-2ca8-4b06-814c-c4236bb81af0>
Image Compressor & Optimizer - iLoveIMG <= 1.0.5 - Authenticated (Administrator+) PHP Object Injection
Affected Software: Image Compressor & Optimizer – iLoveIMG CVE ID: CVE Unknown CVSS Score: 7.2 (High) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/501e9cd1-1187-4d01-a3cc-5edba64c391f>
Welcart e-Commerce <= 2.9.5 - Authenticated (Administrator+) PHP Object Injection
Affected Software: Welcart e-Commerce CVE ID: CVE Unknown CVSS Score: 7.2 (High) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/91f86c22-94db-4c43-985a-2f3dd96ece21>
Slider Revolution <= 6.6.15 - Authenticated (Author+) Arbitrary File Upload
Affected Software: Slider Revolution CVE ID: CVE-2023-47784 CVSS Score: 7.2 (High) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e2d29afd-06e8-461a-918f-38228441a51a>
Bus Ticket Booking with Seat Reservation <= 5.2.5 - Unauthenticated Cross-Site Scripting
Affected Software: Bus Ticket Booking with Seat Reservation – WpBusTicketly | WordPress plugin CVE ID: CVE-2023-30496 CVSS Score: 7.2 (High) Researcher/s: Ivy (TOOR, Lisa) Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e9960282-4730-4ee8-b338-adcc57f01cc6>
Forminator <= 1.27.0 - Authenticated (Administrator+) Arbitrary File Upload
Affected Software: Forminator – Contact Form, Payment Form & Custom Form Builder CVE ID: CVE-2023-6133 CVSS Score: 6.6 (Medium) Researcher/s: István Márton Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/13cfa202-ab90-46c0-ab53-00995bfdcaa3>
Email Encoder Bundle <= 2.1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Affected Software: Email Encoder – Protect Email Addresses and Phone Numbers CVE ID: CVE-2023-47821 CVSS Score: 6.4 (Medium) Researcher/s: Ngô Thiên An (ancorn_) Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/09f328f6-8a66-46bf-80d9-3ffeaecfec32>
Better RSS Widget <= 2.8.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: Better RSS Widget CVE ID: CVE-2023-47813 CVSS Score: 6.4 (Medium) Researcher/s: Ngô Thiên An (ancorn_) Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/12660e7a-51fc-42c5-8a09-49df1db51efb>
eCommerce Product Catalog for WordPress <= 3.3.26 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Affected Software: eCommerce Product Catalog Plugin for WordPress CVE ID: CVE Unknown CVSS Score: 6.4 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/39695b53-9af7-42f0-8bde-3969398a7186>
LayerSlider <= 7.7.9 - Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: LayerSlider CVE ID: CVE-2023-47786 CVSS Score: 6.4 (Medium) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/441bc9fe-3dd6-40a6-b7f3-36511115c083>
WooCommerce <= 8.1.1 & WooCommerce Blocks <= 11.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Featured Image alt Attribute
Affected Software/s: WooCommerce, WooCommerce Blocks CVE ID: CVE-2023-47777 CVSS Score: 6.4 (Medium) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/525dec5b-b457-483c-ab2d-09dd320edcaa>
Quiz And Survey Master <= 8.1.13 - Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress CVE ID: CVE-2023-47834 CVSS Score: 6.4 (Medium) Researcher/s: emad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5c482b6e-ce1e-46e2-8847-10c485594448>
Ajax Domain Checker <= 1.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: Ajax Domain Checker CVE ID: CVE-2023-47810 CVSS Score: 6.4 (Medium) Researcher/s: Ngô Thiên An (ancorn_) Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/699459a1-d407-4561-9d08-dd5d918ea601>
Add Widgets to Page <= 1.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: Add Widgets to Page CVE ID: CVE-2023-47808 CVSS Score: 6.4 (Medium) Researcher/s: Ngô Thiên An (ancorn_) Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6af20a2c-065c-48d5-a95c-2883ceeb50c6>
Slider Revolution <= 6.6.14 - Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: Slider Revolution CVE ID: CVE-2023-47772 CVSS Score: 6.4 (Medium) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/772e843b-00ea-45f5-b730-c9a793d4c2db>
Jetpack <= 12.8-a.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via block attribute
Affected Software: Jetpack – WP Security, Backup, Speed, & Growth CVE ID: CVE-2023-45050 CVSS Score: 6.4 (Medium) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/824360ab-c797-465a-8480-baeae941af29>
BMI Calculator Plugin <= 1.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: BMI Calculator Plugin CVE ID: CVE-2023-47814 CVSS Score: 6.4 (Medium) Researcher/s: Ngô Thiên An (ancorn_) Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/8bf0e224-d8c7-4bf9-b9a3-97545da9d90c>
Bamboo Columns <= 1.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: Bamboo Columns CVE ID: CVE-2023-47812 CVSS Score: 6.4 (Medium) Researcher/s: Ngô Thiên An (ancorn_) Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/8e7b40e4-c80a-4317-acff-77696fd8098f>
Anywhere Flash Embed <= 1.0.5 - Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: Anywhere Flash Embed CVE ID: CVE-2023-47811 CVSS Score: 6.4 (Medium) Researcher/s: Ngô Thiên An (ancorn_) Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a95d7ff6-55ce-4d63-8433-60cece306628>
DrawIt (draw.io) <= 1.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: DrawIt (draw.io) CVE ID: CVE-2023-47831 CVSS Score: 6.4 (Medium) Researcher/s: resecured.io Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ddde9db5-3ed7-42f7-97c1-4ff9b9d1f627>
WooCommerce Product Carousel Slider <= 3.3.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Affected Software: WooCommerce Product Carousel Slider CVE ID: CVE-2023-47755 CVSS Score: 6.4 (Medium) Researcher/s: Abdi Pranata Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e6f6dab2-da03-43b6-b9c1-ebc6a7e1d1c9>
BP Profile Shortcodes Extra <= 2.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: BP Profile Shortcodes Extra CVE ID: CVE-2023-47815 CVSS Score: 6.4 (Medium) Researcher/s: Ngô Thiên An (ancorn_) Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ea9eaca6-3441-4976-8556-0ce288d1a0c6>
ARI Stream Quiz <= 1.2.32 - Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: ARI Stream Quiz – WordPress Quizzes Builder CVE ID: CVE-2023-47835 CVSS Score: 6.4 (Medium) Researcher/s: emad Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/edb4f4b7-a59c-454b-82b5-d8e91c1c82a3>
Daily Prayer Time <= 2023.10.13 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Affected Software: Daily Prayer Time CVE ID: CVE-2023-47817 CVSS Score: 6.4 (Medium) Researcher/s: Ngô Thiên An (ancorn_) Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f0ccd265-2e64-4b23-a032-aaeb9941df34>
Shareaholic <= 9.7.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Affected Software: Professional Social Sharing Buttons, Icons & Related Posts – Shareaholic CVE ID: CVE-2023-4889 CVSS Score: 6.4 (Medium) Researcher/s: István Márton Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ff6932c6-f3ec-46a8-a03b-95512eee5bf1>
AWeber <= 7.3.9 - Missing Authorization via AJAX actions
Affected Software: AWeber – Free Sign Up Form and Landing Page Builder Plugin for Lead Generation and Email Newsletter Growth CVE ID: CVE-2023-47757 CVSS Score: 6.3 (Medium) Researcher/s: Abdi Pranata Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/397f20d8-2400-4403-8543-f57141378012>
Betheme <= 27.1.1 - Missing Authorization
Affected Software: Betheme CVE ID: CVE-2023-47770 CVSS Score: 6.3 (Medium) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/72bdc81e-1a9d-4dd8-93a5-fb1026d6a2d9>
Interactive World Map <= 3.2.0 - Reflected Cross-Site Scripting
Affected Software: Interactive World Map CVE ID: CVE-2023-47767 CVSS Score: 6.1 (Medium) Researcher/s: Le Ngoc Anh Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/09b0bfd3-93a7-4f13-828d-772f54085a60>
BSK Contact Form 7 Blacklist <= 1.0.1 - Reflected Cross-Site Scripting
Affected Software: BSK Contact Form 7 Blacklist CVE ID: CVE-2023-5141 CVSS Score: 6.1 (Medium) Researcher/s: Enrico Marcolini, Claudio Marchesini (Dottormarc) Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/0e27b0a8-e052-49ed-8744-a2376aa386f5>
Star CloudPRNT for WooCommerce <= 2.0.3 - Reflected Cross-Site Scripting
Affected Software: Star CloudPRNT for WooCommerce CVE ID: CVE-2023-4603 CVSS Score: 6.1 (Medium) Researcher/s: Vincenzo Turturro, Gianluca Parisi, Vincenzo Cantatore Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/110c6d41-e814-41c9-a3e7-d94ec3d953e6>
AMP+ Plus <= 3.0 - Reflected Cross Site Scripting
Affected Software: AMP+ Plus CVE ID: CVE-2023-5210 CVSS Score: 6.1 (Medium) Researcher/s: Nicolas Surribas Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/417ff4fd-e514-4366-b9a6-c04d7434eac1>
EmbedPress <= 3.9.1 - Reflected Cross-Site Scripting
Affected Software: EmbedPress – Embed PDF, YouTube, Google Docs, Vimeo, Wistia Videos, Audios, Maps & Any Documents in Gutenberg & Elementor CVE ID: CVE Unknown CVSS Score: 6.1 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/41edf49a-18a2-4cf0-b498-738e77287b90>
Footer Putter <= 6.1.3 - Reflected Cross-Site Scripting
Affected Software: Footer Putter CVE ID: CVE Unknown CVSS Score: 6.1 (Medium) Researcher/s: Le Ngoc Anh Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/688353c9-e4e5-4717-9651-15d05248554f>
Post Status Notifier Lite <= 1.11.0 - Reflected Cross-Site Scripting
Affected Software: Post Status Notifier Lite CVE ID: CVE-2023-47766 CVSS Score: 6.1 (Medium) Researcher/s: LEE SE HYOUNG Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6af1224e-0ed3-4770-96c0-c15cc895d36d>
Permalinks Customizer <= 2.8.2 - Reflected Cross-Site Scripting
Affected Software: Permalinks Customizer CVE ID: CVE-2023-47773 CVSS Score: 6.1 (Medium) Researcher/s: Le Ngoc Anh Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/702dca65-fa8c-48c7-89e4-cba4b151e2c4>
Namaste! LMS <= 2.6.1.1 - Reflected Cross-Site Scripting
Affected Software: Namaste! LMS CVE ID: CVE-2023-4602 CVSS Score: 6.1 (Medium) Researcher/s: Vincenzo Turturro, Gianluca Parisi, Vincenzo Cantatore Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d014f512-9030-49ce-945d-4900594fb373>
Accordion <= 2.6 - Authenticated (Editor+) Stored Cross-Site Scripting via accordion settings
Affected Software: Accordion CVE ID: CVE-2023-47809 CVSS Score: 5.5 (Medium) Researcher/s: Ngô Thiên An (ancorn_) Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ff656409-2344-4190-a731-5a282e21375c>
Embed Privacy <= 1.8.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: Embed Privacy CVE ID: CVE-2023-48300 CVSS Score: 5.4 (Medium) Researcher/s: wpdabh Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/26d9dfc7-151c-4b32-9ae4-3085d08f137c>
Elementor Addon Elements <= 1.12.7 - Cross-Site Request Forgery
Affected Software: Elementor Addon Elements CVE ID: CVE-2023-4689 CVSS Score: 5.4 (Medium) Researcher/s: Marco Wotschka, Paolo Tresso Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/472cdbc4-3bfa-4254-b35a-be7ae10782e6>
MP3 Audio Player for Music, Radio & Podcast by Sonaar <= 4.10 - Missing Authorization to Template Import
Affected Software: MP3 Audio Player for Music, Radio & Podcast by Sonaar CVE ID: CVE-2023-47822 CVSS Score: 5.4 (Medium) Researcher/s: Abdi Pranata Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6bcb9d95-acb4-4405-b785-1e5eace10dc9>
Legal Pages <= 1.3.8 - Cross-Site Request Forgery via moveToTrash and fetch_and_insert_template_data
Affected Software: Legal Pages – Privacy Policy, Terms & Conditions, GDPR, CCPA, and Cookie Notice Generator CVE ID: CVE-2023-47824 CVSS Score: 5.4 (Medium) Researcher/s: Brandon James Roldan (tomorrowisnew) Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6fb9c8c3-e491-4bca-adeb-b87d9f8f3b32>
Pz-LinkCard <= 2.4.8 - Cross-Site Request Forgery via page_cacheman
Affected Software: Pz-LinkCard CVE ID: CVE-2023-47790 CVSS Score: 5.4 (Medium) Researcher/s: Le Ngoc Anh Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b6de97ac-127d-47ec-8b74-03e7fa4932f6>
eCommerce Product Catalog for WordPress <= 3.3.25 - Cross-Site Request Forgery
Affected Software: eCommerce Product Catalog Plugin for WordPress CVE ID: CVE Unknown CVSS Score: 5.4 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ba70f811-543f-4da4-ba45-715dbd6be6be>
Audio Merchant <= 5.0.4 - Cross-Site Request Forgery to Settings Modifcation and Stored Cross-Site Scripting
Affected Software: Audio Merchant CVE ID: CVE-2023-6197 CVSS Score: 5.4 (Medium) Researcher/s: Ala Arfaoui Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d7911337-57fa-4268-8366-d37ff13fae86>
Delete Duplicate Posts <= 4.8.9 - Missing Authorization via AJAX Actions
Affected Software: Delete Duplicate Posts CVE ID: CVE-2023-47754 CVSS Score: 5.4 (Medium) Researcher/s: Huynh Tien Si Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f603a25f-7d56-4cf4-89aa-de87ee49522a>
Elementor Addon Elements <= 1.12.7 - Cross-Site Request Forgery
Affected Software: Elementor Addon Elements CVE ID: CVE-2023-4690 CVSS Score: 5.4 (Medium) Researcher/s: Marco Wotschka, Paolo Tresso Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/fd53b4e1-c6b7-4111-911a-04b14c7a9c4e>
Restaurant & Cafe Addon for Elementor <= 1.5.2 - Missing Authorization
Affected Software: Restaurant & Cafe Addon for Elementor CVE ID: CVE Unknown CVSS Score: 5.3 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/07712191-03b6-4de4-b0a4-e6f03ce9dc81>
Ditty <= 3.1.24 - Missing Authorization via save_ditty_permissions_check
Affected Software: Ditty – Responsive News Tickers, Sliders, and Lists CVE ID: CVE-2023-47764 CVSS Score: 5.3 (Medium) Researcher/s: Abdi Pranata Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/08630dfd-df43-4a5a-8fc7-ba8ff753db3d>
FormCraft <= 1.2.7 - Missing Authorization via formcraft_nag_update
Affected Software: FormCraft – Contact Form Builder for WordPress CVE ID: CVE-2023-47823 CVSS Score: 5.3 (Medium) Researcher/s: Abdi Pranata Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/25d5735a-8eed-4b4a-9bbe-9e42fb18ddf2>
SearchIQ <= 4.4 - Missing Authorization via getSIQPluginSettings
Affected Software: SearchIQ – The Search Solution CVE ID: CVE-2023-47832 CVSS Score: 5.3 (Medium) Researcher/s: Mika Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/3001829b-f63b-4b99-91a0-53d615ac96c1>
YOP Poll <= 6.5.26 - Race Condition to Vote Manipulation
Affected Software: YOP Poll CVE ID: CVE-2023-6109 CVSS Score: 5.3 (Medium) Researcher/s: RIN MIYACHI Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/360b1927-a863-46be-ad11-3f6251c75a3c>
WPCafe <= 2.2.19 - Missing Authorization via dismiss_ajax_call
Affected Software: WPCafe – Restaurant Menu, Online Ordering for WooCommerce, Pickup / Delivery and Table Reservation CVE ID: CVE-2023-47805 CVSS Score: 5.3 (Medium) Researcher/s: Abdi Pranata Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/4261bc62-a091-408b-8643-e6fa61d62103>
LWS Hide Login <= 2.1.8 - Protection Mechanism Bypass
Affected Software: LWS Hide Login CVE ID: CVE-2023-47818 CVSS Score: 5.3 (Medium) Researcher/s: Naveen Muthusamy Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/532cffdb-16e8-4ced-9477-483c96db343c>
avalex – Automatisch sichere Rechtstexte <= 3.0.8 - Missing Authorization
Affected Software: avalex – Automatisch sichere Rechtstexte CVE ID: CVE Unknown CVSS Score: 5.3 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7319293e-f921-46d1-aea6-2578d1a251a7>
WP Maintenance <= 6.1.3 - IP Restriction Bypass
Affected Software: WP Maintenance CVE ID: CVE-2023-47769 CVSS Score: 5.3 (Medium) Researcher/s: Mika Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/87a1cc00-330c-40c3-a174-8ea50075c4bd>
Elementor Addon Elements <= 1.12.7 - Missing Authorization to Sensitive Information Exposure
Affected Software: Elementor Addon Elements CVE ID: CVE-2023-4723 CVSS Score: 5.3 (Medium) Researcher/s: Marco Wotschka, Paolo Tresso Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/89489218-263f-4157-a5cd-a12bc6a0dfe6>
Welcome Email Editor <= 5.0.5 - Missing Authorization via ajax_handler
Affected Software: Welcome Email Editor CVE ID: CVE-2023-47756 CVSS Score: 5.3 (Medium) Researcher/s: Abdi Pranata Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/943cd10b-1b58-4803-ba6f-291f73353422>
Events Addon for Elementor <= 2.1.2 - Missing Authorization
Affected Software: Events Addon for Elementor CVE ID: CVE Unknown CVSS Score: 5.3 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b7f52e71-da35-4b46-b658-d293f81b5dc9>
Acme Fix Images <= 1.0.0 - Missing Authorization via acme_fix_images_ajax_callback
Affected Software: Acme Fix Images CVE ID: CVE-2023-47793 CVSS Score: 5.3 (Medium) Researcher/s: Abdi Pranata Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b9047775-2d72-4eb5-9339-419f95aa19b2>
EWWW Image Optimizer <= 7.2.0 - Unauthenticated Sensitive Information Exposure via Debug Log
Affected Software: EWWW Image Optimizer CVE ID: CVE-2023-40600 CVSS Score: 5.3 (Medium) Researcher/s: Mika Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d20ff1a8-8794-41e1-9e66-1cda90f9ff77>
WP Meta and Date Remover <= 2.3.0 - Cross-Site Request Forgery via updateSettings
Affected Software: WP Meta and Date Remover CVE ID: CVE-2023-47836 CVSS Score: 5.3 (Medium) Researcher/s: Abdi Pranata Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/faa9ad87-44b2-47b3-a05c-52e59af7255a>
Jetpack < 12.7 - Authenticated(Contributor+) Clickjacking via Iframe Injection
Affected Software: Jetpack – WP Security, Backup, Speed, & Growth CVE ID: CVE-2023-47774 CVSS Score: 5 (Medium) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/92a3e622-b3b2-450e-82a7-0a942711e8c0>
Integration for Contact Form 7 and Constant Contact <= 1.1.4 - Open Redirect
Affected Software: Integration for Constant Contact and Contact Form 7, WPForms, Elementor, Ninja Forms CVE ID: CVE-2023-47779 CVSS Score: 4.7 (Medium) Researcher/s: Le Ngoc Anh Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5c8404d2-7b37-40df-b756-328f827f273d>
Chaty <= 3.1.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Affected Software: Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button – Chaty CVE ID: CVE-2023-47759 CVSS Score: 4.4 (Medium) Researcher/s: emad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/361deac0-f675-432c-b7d2-b99f168d476d>
Popup Box <= 3.8.6 - Authenticated (Administrator+) Stored Cross-Site Scripting
Affected Software: Popup Box – Best WordPress Popup Plugin CVE ID: CVE Unknown CVSS Score: 4.4 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5a40bac7-d3b8-486d-938a-30591ff3016c>
Simply Excerpts <= 1.4 - Authenticated (Admin+) Stored Cross-Site Scripting
Affected Software: Simply Excerpts CVE ID: CVE-2023-5137 CVSS Score: 4.4 (Medium) Researcher/s: niclo Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5e6a7f09-2166-426e-a548-daafb23363a6>
Quick Call Button <= 1.2.9 - Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Affected Software: Quick Call Button CVE ID: CVE-2023-47829 CVSS Score: 4.4 (Medium) Researcher/s: Muhammad Daffa Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6b5e9c7f-e0c9-4c27-8b39-87e15fd29604>
Ultimate Dashboard <= 3.7.7 - Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Affected Software: Ultimate Dashboard – Custom WordPress Dashboard CVE ID: CVE-2023-4726 CVSS Score: 4.4 (Medium) Researcher/s: Marco Wotschka Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/79cce1fc-a27f-4842-b1a2-2c53857add4c>
WP Not Login Hide <= 1.0 - Authenticated (Admin+) Stored Cross-Site Scripting
Affected Software: WP Not Login Hide (WPNLH) CVE ID: CVE-2023-5940 CVSS Score: 4.4 (Medium) Researcher/s: Furkan ÖZER Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/9fc46de4-af1c-4e38-9caa-55b7b18a69ae>
Theater for WordPress <= 0.18.3 - Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Affected Software: Theater for WordPress CVE ID: CVE-2023-47833 CVSS Score: 4.4 (Medium) Researcher/s: DoYeon Park (p6rkdoye0n) Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b0fdad22-5aee-468f-885c-f65c068cf413>
Premmerce Redirect Manager <= 1.0.11 - Authenticated (Administrator+) Stored Cross-Site Scripting
Affected Software: Premmerce Redirect Manager CVE ID: CVE Unknown CVSS Score: 4.4 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b3d4f658-e9ce-490b-bcaa-1061a463dbb2>
Elementor Addon Elements <= 1.12.7 - Authenticated (Administrator+) Stored Cross-Site Scripting
Affected Software: Elementor Addon Elements CVE ID: CVE-2023-5381 CVSS Score: 4.4 (Medium) Researcher/s: Paolo Tresso Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/bd2bc2e7-960e-40db-9dcc-a6a60117bd83>
Website Optimization – Plerdy <= 1.3.2 - Authenticated (Admin+) Stored Cross-Site Scripting
Affected Software: Website Optimization – Plerdy CVE ID: CVE-2023-5715 CVSS Score: 4.4 (Medium) Researcher/s: Huynh Tien Si Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/db18ac07-2e7a-466d-b00c-a598401f8633>
URL Shortify <= 1.7.9 - Authenticated (Admin+) Stored Cross-Site Scripting
Affected Software: URL Shortify – Simple, Powerful and Easy URL Shortener Plugin For WordPress CVE ID: CVE-2023-5605 CVSS Score: 4.4 (Medium) Researcher/s: Bartłomiej Marek, Tomasz Swiadek Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ddc4b758-5a1e-4d0a-949e-869fcd9df0bc>
wpDiscuz <= 7.6.12 - Authenticated (Administrator+) Stored Cross-Site Scripting
Affected Software: Comments – wpDiscuz CVE ID: CVE Unknown CVSS Score: 4.4 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f68bc7e9-3bfe-4b2f-82a1-92bbde1a133a>
Community by PeepSo <= 6.1.6.0 - Cross-Site Request Forgery via delete
Affected Software: Community by PeepSo – Social Network, Membership, Registration, User Profiles CVE ID: CVE-2023-39925 CVSS Score: 4.3 (Medium) Researcher/s: Revan Arifio Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/0aea5564-b1b9-4d57-9f7e-81dd791c8d48>
WP Courses LMS <= 3.2.3 - Missing Authorization
Affected Software: WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses CVE ID: CVE Unknown CVSS Score: 4.3 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/1127fe1e-4359-4dff-93a7-392a8bfded51>
Sprout Invoices <= 20.5.3 - Sensitive Information Exposure
Affected Software: Client Invoicing by Sprout Invoices – Easy Estimates and Invoices for WordPress CVE ID: CVE Unknown CVSS Score: 4.3 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/2330b18e-0907-47e1-b91f-1fe466bcf76b>
BetterDocs <= 2.5.2 - Missing Authorization via AJAX actions
Affected Software: BetterDocs – Best Documentation & Knowledge Base Plugin CVE ID: CVE-2023-47762 CVSS Score: 4.3 (Medium) Researcher/s: Abdi Pranata Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/2a7d6059-4cef-4bd1-a14d-ad544bfaeea3>
Conditional Fields for Contact Form 7 <= 2.4.1 - Missing Authorization
Affected Software: Conditional Fields for Contact Form 7 CVE ID: CVE-2023-47838 CVSS Score: 4.3 (Medium) Researcher/s: Abdi Pranata Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/3cfd8b2d-cf2a-439d-9f9a-dbe499b1cd48>
WP Courses LMS <= 3.2.3 - Cross-Site Request Forgery
Affected Software: WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses CVE ID: CVE Unknown CVSS Score: 4.3 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/487e23c9-9100-4240-8992-c4c85930c4a6>
LuckyWP Scripts Control <= 1.2.1 - Missing Authorization
Affected Software: LuckyWP Scripts Control CVE ID: CVE-2023-47778 CVSS Score: 4.3 (Medium) Researcher/s: Abdi Pranata Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/51c42ca2-cdba-49f5-bea2-83c9b8cf0db7>
Events Addon for Elementor <= 2.1.2 - Cross-Site Request Forgery
Affected Software: Events Addon for Elementor CVE ID: CVE Unknown CVSS Score: 4.3 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5256ef2b-e1fc-4746-b35e-07a265f47f95>
wpDiscuz <= 7.6.11 - Cross-Site Request Forgery
Affected Software: Comments – wpDiscuz CVE ID: CVE-2023-47775 CVSS Score: 4.3 (Medium) Researcher/s: Vladislav Pokrovsky (ΞX.MI) Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/53af9dfd-eb2d-4f6f-b02f-daf790b95f1f>
Ultimate Responsive Image Slider <= 3.5.11 - Missing Authorization via AJAX action
Affected Software: Slider – Ultimate Responsive Image Slider CVE ID: CVE Unknown CVSS Score: 4.3 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5c92beb0-1fcf-4352-bd34-00e31b265c04>
10WebAnalytics <= 1.2.12 - Missing Authorization via gawd_wd_bp_install_notice_status
Affected Software: 10WebAnalytics CVE ID: CVE-2023-47807 CVSS Score: 4.3 (Medium) Researcher/s: Abdi Pranata Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5dd2a4cb-dd74-4b00-82f5-3bf1452e71a3>
miniorange otp verification <= 4.2.1 - Missing Authorization via dismiss_notice
Affected Software: Email Verification / SMS Verification / OTP Verification / OTP Authentication / WooCommerce Notification CVE ID: CVE-2023-47776 CVSS Score: 4.3 (Medium) Researcher/s: Abdi Pranata Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/62ea1427-0990-4645-aa1a-42da6fd3944f>
WP EXtra <= 6.4 - Cross-Site Request Forgery ToolImport
Affected Software: WP EXtra CVE ID: CVE-2023-47825 CVSS Score: 4.3 (Medium) Researcher/s: Huynh Tien Si Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7e3f3104-e213-4b0f-9821-b3f1a5c06191>
Leadster <= 1.1.2 - Cross-Site Request Forgery via leadster_script_code_action
Affected Software: Leadster CVE ID: CVE-2023-47791 CVSS Score: 4.3 (Medium) Researcher/s: BuShiYue Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/86837f87-ea91-404a-92ac-38d1abf14cde>
Live Preview for Contact Form 7 <= 1.2.0 - Missing Authorization via update_option
Affected Software: Live Preview for Contact Form 7 CVE ID: CVE-2023-47830 CVSS Score: 4.3 (Medium) Researcher/s: thiennv Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/89dbf14f-1cc8-4a66-b3d3-3568cba9a0aa>
WP Custom Admin Interface <= 7.31 - Missing Authorization via wpcai_pro_notice_disable
Affected Software: WP Custom Admin Interface CVE ID: CVE-2023-47763 CVSS Score: 4.3 (Medium) Researcher/s: Abdi Pranata Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/8b040f47-b126-4640-9fc5-bda8650f6c69>
EasyAzon – Amazon Associates Affiliate <= 5.1.0 - Missing Authorization on AJAX actions
Affected Software: EasyAzon – Amazon Associates Affiliate Plugin CVE ID: CVE-2023-47780 CVSS Score: 4.3 (Medium) Researcher/s: Abdi Pranata Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/91ba93de-4c5f-4611-8296-adfc85c8dd2b>
LayerSlider <= 7.7.9 - Cross-Site Request Forgery
Affected Software: LayerSlider CVE ID: CVE-2023-47785 CVSS Score: 4.3 (Medium) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/9225ebc6-bff9-4176-a86e-022ff8ec3b05>
Big File Uploads <= 2.1.1 - Cross-Site Request Forgery via actions
Affected Software: Big File Uploads – Increase Maximum File Upload Size CVE ID: CVE-2023-47792 CVSS Score: 4.3 (Medium) Researcher/s: Abdi Pranata Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/93b527a8-30c0-4e47-bb2b-522380b21699>
Easy Call Now by ThikShare <= 1.1.0 - Cross-Site Request Forgery via settings_page
Affected Software: Easy Call Now by ThikShare CVE ID: CVE-2023-47819 CVSS Score: 4.3 (Medium) Researcher/s: Nguyen Xuan Chien Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/9bd8c4e5-ef53-47e8-8658-291509e9b987>
Restaurant & Cafe Addon for Elementor <= 1.5.2 - Cross-Site Request Forgery
Affected Software: Restaurant & Cafe Addon for Elementor CVE ID: CVE Unknown CVSS Score: 4.3 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/9d986739-d6a5-491d-948f-4c58af75369a>
Conditional Fields for Contact Form 7 <= 2.4.0 - Missing Authorization
Affected Software: Conditional Fields for Contact Form 7 CVE ID: CVE Unknown CVSS Score: 4.3 (Medium) Researcher/s: Abdi Pranata Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a175d2b2-0a35-4c5a-b05b-4d334e444e85>
CodeBard's Patron Button and Widgets for Patreon <= 2.1.9 - Cross-Site Request Forgery
Affected Software: CodeBard's Patron Button and Widgets for Patreon CVE ID: CVE-2023-47765 CVSS Score: 4.3 (Medium) Researcher/s: Mika Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a4ea53bd-2ce7-4dce-8c57-51ba81838f1a>
WooCommerce Bookings <= 2.0.3 - Cross-Site Request Forgery
Affected Software: WooCommerce Bookings CVE ID: CVE-2023-47787 CVSS Score: 4.3 (Medium) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a54841af-65ce-4434-a67e-79ea673ec8f9>
Customer Reviews for WooCommerce <= 5.38.1 - Cross-Site Request Forgery via manual review reminders
Affected Software: Customer Reviews for WooCommerce CVE ID: CVE Unknown CVSS Score: 4.3 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b243722e-6510-48bd-be26-95ccbe79fa57>
WordPress File Upload 4.24.0 - Cross-Site Request Forgery
Affected Software: WordPress File Upload CVE ID: CVE Unknown CVSS Score: 4.3 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b6048088-c11c-4741-8dde-da707f8f84f2>
ARI Stream Quiz <= 1.2.32 - Cross-Site Request Forgery
Affected Software: ARI Stream Quiz – WordPress Quizzes Builder CVE ID: CVE Unknown CVSS Score: 4.3 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b6c5f933-b71b-4475-abdf-4cffff2a1a6c>
wpMandrill <= 1.33 - Missing Authorization via getAjaxStats
Affected Software: wpMandrill CVE ID: CVE-2023-47828 CVSS Score: 4.3 (Medium) Researcher/s: Abdi Pranata Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b89cf8ef-9fa0-4ede-8ec9-c166d0db74fe>
Essential Blocks for Gutenberg <= 4.2.0 - Missing Authorization via AJAX actions
Affected Software: Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates CVE ID: CVE-2023-47760 CVSS Score: 4.3 (Medium) Researcher/s: Abdi Pranata Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c2136e1c-5f69-434d-bdc7-72a144da744b>
Hreflang Manager <= 1.06 - Cross-Site Request Forgery
Affected Software: Hreflang Manager CVE ID: CVE Unknown CVSS Score: 4.3 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c357e34f-2d0f-4af4-bb67-cbbc6cd4e141>
Customer Reviews for WooCommerce <= 5.38.1 - Missing Authorization via manual review reminders
Affected Software: Customer Reviews for WooCommerce CVE ID: CVE Unknown CVSS Score: 4.3 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c6e2710f-f51a-487d-a4bb-a19f614ff254>
Legal Pages <= 1.3.8 - Missing Authorization
Affected Software: Legal Pages – Privacy Policy, Terms & Conditions, GDPR, CCPA, and Cookie Notice Generator CVE ID: CVE Unknown CVSS Score: 4.3 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/db0508dd-143f-4674-8193-d46967d2799f>
Simple 301 Redirects by BetterLinks <= 2.0.7 - Missing Authorization via clicked
Affected Software: Simple 301 Redirects by BetterLinks CVE ID: CVE-2023-47761 CVSS Score: 4.3 (Medium) Researcher/s: Abdi Pranata Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ddacd612-0cd5-4b07-9184-bec6f1adbb4c>
Jetpack <= 12.6.2 - Improper Authorization via WPCom External Media REST endpoints
Affected Software: Jetpack – WP Security, Backup, Speed, & Growth CVE ID: CVE-2023-47788 CVSS Score: 4.3 (Medium) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e62fa16f-a4a1-44a7-9a66-abafd8dddf67>
WooCommerce Canada Post Shipping <= 2.8.3 - Cross-Site Request Forgery
Affected Software: Woocommerce Shipping Canada Post CVE ID: CVE-2023-47789 CVSS Score: 4.3 (Medium) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ff850f88-6e89-48dd-ad70-dda4018c22fc>
Restaurant & Cafe Addon for Elementor <= 1.5.3 - Missing Authorization via multiple AJAX functions
Affected Software: Restaurant & Cafe Addon for Elementor CVE ID: CVE-2023-47826 CVSS Score: 3.1 (Low) Researcher/s: Abdi Pranata Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ad003d57-a573-473e-80a9-5bf60d42a707>
WP Like Button <= 1.7.0 - Missing Authorization via crublabFBLBAjax
Affected Software: WP Like Button CVE ID: CVE-2023-47820 CVSS Score: 3.1 (Low) Researcher/s: Abdi Pranata Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/da550fd7-3c1a-4b07-afc0-2366e0f5cccd>
As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.
This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
The post Wordfence Intelligence Weekly WordPress Vulnerability Report (November 13, 2023 to November 19, 2023) appeared first on Wordfence.
Related
9 High
AI Score
Confidence
High
0.03 Low
EPSS
Percentile
91.0%