Chloe ChamberlandWORDFENCE:7F79B84A15FB943C28B6FFD1FCB9A96BWordfence Intelligence Weekly WordPress Vulnerability Report (November 27, 2023 to December 3, 2023)
Wordfence just launched its bug bounty program. Through December 20th 2023, all researchers will earn 6.25x our normal bounty rates when Wordfence handles responsible disclosure for our Holiday Bug Extravaganza! Register as a researcher and submit your vulnerabilities today!
Last week, there were 124 vulnerabilities disclosed in 123 WordPress Plugins and 2 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 39 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.
Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 12,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.
_Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published. _
New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following in real-time to our Premium, Care, and Response customers last week:
- wp-autoload.php backdoor - while we typically write firewall rules for vulnerabilities, we wrote a firewall rule to block successful exploitation of this piece of malware we wrote about here.
- Backup Migration <= 1.3.6 - Unauthenticated Arbitrary File Download to Sensitive Information Exposure
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.
Total Unpatched & Patched Vulnerabilities Last Week
| Patch Status | Number of Vulnerabilities |
|---|---|
| Unpatched | 66 |
| Patched | 58 |
Total Vulnerabilities by CVSS Severity Last Week
| Severity Rating | Number of Vulnerabilities |
|---|---|
| Low Severity | 0 |
| Medium Severity | 113 |
| High Severity | 10 |
| Critical Severity | 1 |
Total Vulnerabilities by CWE Type Last Week
| Vulnerability Type by CWE | Number of Vulnerabilities |
|---|---|
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 53 |
| Missing Authorization | 24 |
| Cross-Site Request Forgery (CSRF) | 21 |
| Information Exposure | 7 |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 4 |
| Unrestricted Upload of File with Dangerous Type | 3 |
| Server-Side Request Forgery (SSRF) | 2 |
| Incorrect Authorization | 1 |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') | 1 |
| Authorization Bypass Through User-Controlled Key | 1 |
| Guessable CAPTCHA | 1 |
| Use of Less Trusted Source | 1 |
| Protection Mechanism Failure | 1 |
| Improper Access Control | 1 |
| Improper Authorization | 1 |
| Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') | 1 |
| Reliance on Untrusted Inputs in a Security Decision | 1 |
Researchers That Contributed to WordPress Security Last Week
| Researcher Name | Number of Vulnerabilities |
|---|---|
| Rafie Muhammad | 9 |
| Abdi Pranata | 8 |
| emad | 7 |
| Mika | 7 |
| DoYeon Park (p6rkdoye0n) | 6 |
| NgΓ΄ ThiΓͺn An (ancorn_) | 6 |
| Joshua Chan | 5 |
| Le Ngoc Anh | 4 |
| LEE SE HYOUNG | 4 |
| qilin_99 | 4 |
| LVT-tholv2k | 4 |
| Rafshanzani Suhada | 3 |
| Vladislav Pokrovsky (ΞX.MI) | 3 |
| Abu Hurayra (HurayraIIT) | 3 |
| Skalucy | 3 |
| resecured.io | 2 |
| Revan Arifio | 2 |
| Francesco Carlucci | 2 |
| yuyudhn | 2 |
| IstvΓ‘n MΓ‘rton | |
| (Wordfence Vulnerability Researcher) | 2 |
| thiennv | 2 |
| Elliot | 2 |
| SeungYongLee | 2 |
| Phd | 2 |
| Abdullah Hussam | 1 |
| Sebastian Neef | 1 |
| Yudistira Arya | 1 |
| Nguyen Xuan Chien | 1 |
| Brandon James Roldan (tomorrowisnew) | 1 |
| Alex Thomas | |
| (Wordfence Vulnerability Researcher) | 1 |
| Shahzaib Ali Khan | 1 |
| Dmitrii Ignatyev | 1 |
| Bob Matyas | 1 |
| Krzysztof ZajΔ c | 1 |
| Truoc Phan | 1 |
| Dave Jong | 1 |
| Nguyen Anh Tien | 1 |
| Yuchen Ji | 1 |
| Arvandy | 1 |
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
|---|---|
| 12 Step Meeting List | 12-step-meeting-list |
| 360 Javascript Viewer | 360deg-javascript-viewer |
| AMP for WP β Accelerated Mobile Pages | accelerated-mobile-pages |
| Abandoned Cart Lite for WooCommerce | woocommerce-abandoned-cart |
| AdFoxly β Ad Manager, AdSense Ads & Ads.txt | adfoxly |
| Add to Cart Text Changer and Customize Button, Add Custom Icon | woo-add-to-cart-text-change |
| Ads by datafeedr.com | ads-by-datafeedrcom |
| Affiliate Booster β Pros & Cons, Notice, and CTA Blocks for Affiliates | affiliatebooster-blocks |
| Antispam Bee | antispam-bee |
| Aparat | aparat |
| Aruba HiSpeed Cache | aruba-hispeed-cache |
| Author Box, Guest Author and Co-Authors for Your Posts β Molongui | molongui-authorship |
| Automatic Youtube Video Posts Plugin | automatic-youtube-video-posts |
| BSK Forms Blacklist | bsk-gravityforms-blacklist |
| Backup Migration | backup-backup |
| Better Messages β Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss | bp-better-messages |
| BigCommerce For WordPress | bigcommerce |
| BookingPress β Appointment Booking Calendar Plugin and Online Scheduling Plugin | bookingpress-appointment-booking |
| BrainCert β HTML5 Virtual Classroom | html5-virtual-classroom |
| Bravo Translate | bravo-translate |
| Button Generator β easily Button Builder | button-generation |
| CF7 Google Sheets Connector | cf7-google-sheets-connector |
| Campaign Monitor for WordPress | forms-for-campaign-monitor |
| Chartify β WordPress Chart Plugin | chart-builder |
| Chat Bubble β Floating Chat with Contact Chat Icons, Messages, Telegram, Email, SMS, Call me back | chat-bubble |
| Client Dash | client-dash |
| Coming soon and Maintenance mode | coming-soon-page |
| CommentLuv | commentluv |
| Contact Form 7 | contact-form-7 |
| Contact Form β Custom Builder, Payment Form, and More | powr-pack |
| Credit Tracker | credit-tracker |
Crypto Converter  Widget |
crypto-converter-widget |
| Currency Converter Calculator | currency-converter-calculator |
| Database for CF7 | database-for-cf7 |
| Debug Log Manager | debug-log-manager |
| Delete Post Revisions In WordPress | delete-post-revisions-on-single-click |
| Doofinder WP & WooCommerce Search | doofinder-for-woocommerce |
| Ecwid Ecommerce Shopping Cart | ecwid-shopping-cart |
| Email Address Encoder | email-address-encoder |
| Enhanced Text Widget | enhanced-text-widget |
| Event post | event-post |
| Evergreen Content Poster β Auto Post and Schedule Your Best Content to Social Media | evergreen-content-poster |
| Export WP Page to Static HTML/CSS | export-wp-page-to-static-html |
| File Gallery | file-gallery |
| Form builder to get in touch with visitors, grow your email list and collect payments β Happyforms | happyforms |
| Forms by CaptainForm β Form Builder for WordPress | captainform |
| Formzu WP | formzu-wp |
| GDPR Cookie Consent by Supsystic | gdpr-compliance-by-supsystic |
| Gift Up Gift Cards for WordPress and WooCommerce | gift-up |
| GoDaddy Email Marketing | godaddy-email-marketing-sign-up-forms |
| Guest Author | guest-author |
| HDW Player Plugin (Video Player & Video Gallery) | hdw-player-video-player-video-gallery |
| HUSKY β Products Filter for WooCommerce Professional | woocommerce-products-filter |
| Hubbub Lite (formerly Grow Social) | social-pug |
| IdeaPush | ideapush |
| Importify β Dropshipping WooCommerce Plugin for Aliexpress, Amazon, Etsy, Alibaba, Walmart & More | importify |
| Innovs HR β Complete Human Resource Management System for Your Business | innovs-hr-manager |
| JetBlocks for Elementor | jet-blocks |
| JetBlog for Elementor | jet-blog |
| JetCompareWishlist for Elementor | jet-compare-wishlist |
| JetElements | jet-elements |
| JetEngine | jet-engine |
| JetFormBuilder β Dynamic Blocks Form Builder | jetformbuilder |
| JetMenu for Elementor | jet-menu |
| JetPopup | jet-popup |
| JetProductGallery | jet-woo-product-gallery |
| JetReviews for Elementor | jet-reviews |
| JetSearch | jet-search |
| JetSmartFilters for Elementor | jet-smart-filters |
| JetTabs for Elementor | jet-tabs |
| JetThemeCore for Elementor | jet-theme-core |
| JetTricks for Elementor | jet-tricks |
| JetWooBuilder for Elementor | jet-woo-builder |
| KP Fastest Tawk.to Chat | kp-fastest-tawk-to-chat |
| LadiApp: Landing Page, PopupX, Marketing Automation, Affiliate Marketing⦠| ladipage |
| List all posts by Authors, nested Categories and Titles | list-all-posts-by-authors-nested-categories-and-titles |
| MSync | msync |
| Media File Renamer: Rename Files (Manual, Auto & AI) | media-file-renamer |
| MkRapel Regiones y Ciudades de Chile para WC | wc-ciudades-y-regiones-de-chile |
| Mollie Payments for WooCommerce | mollie-payments-for-woocommerce |
| Multiple Post Passwords | multiple-post-passwords |
| MyTube PlayList | mytube |
| Nested Pages | wp-nested-pages |
| NextScripts: Social Networks Auto-Poster | social-networks-auto-poster-facebook-twitter-g |
| Ocean Extra | ocean-extra |
| Page Builder: Pagelayer β Drag and Drop website builder | pagelayer |
| Parallax Slider Block | parallax-slider-block |
| Participants Database | participants-database |
| Perfect Images (Manage Image Sizes, Thumbnails, Replace, Retina) | wp-retina-2x |
| PowerPack Pro for Elementor | powerpack-elements |
| Prevent Landscape Rotation | prevent-landscape-rotation |
| Product Size Chart For WooCommerce | product-size-chart-for-woo |
| Qode Essential Addons | qode-essential-addons |
| Quotes for WooCommerce | quotes-for-woocommerce |
| Razorpay for WooCommerce | woo-razorpay |
| RegistrationMagic β Custom Registration Forms, User Registration, Payment, and User Login | custom-registration-form-builder-with-submission-manager |
| Related Post | related-post |
| Responsive Lightbox & Gallery | responsive-lightbox |
| SchedulePress β Best Editorial Calendar, Missed Schedule & Auto Social Share | wp-scheduled-posts |
| Seraphinite Accelerator | seraphinite-accelerator |
| Sign In Scheduling Online Appointment Booking System | 10to8-online-booking |
| Simple Long Form | simple-long-form |
| Site Offline Or Coming Soon Or Maintenance Mode | site-offline |
| SiteOrigin Widgets Bundle | so-widgets-bundle |
| Social Share Buttons & Analytics Plugin β GetSocial.io | wp-share-buttons-analytics-by-getsocial |
| SoundCloud Shortcode | soundcloud-shortcode |
| SpeedyCache β Cache, Optimization, Performance | speedycache |
| Spiffy Calendar | spiffy-calendar |
| Swift Performance Lite | swift-performance-lite |
| Track Geolocation Of Users Using Contact Form 7 | track-geolocation-of-users-using-contact-form-7 |
| UPS, Mondial Relay & Chronopost for WooCommerce β WCMultiShipping | wc-multishipping |
| WP Catalogue | wp-catalogue |
| WP CleanFix | wp-cleanfix |
| WP Event Manager β Events Calendar, Registrations, Sell Tickets with WooCommerce | wp-event-manager |
| WP Forms Puzzle Captcha | wp-forms-puzzle-captcha |
| WP Pocket URLs | wp-pocket-urls |
| WP Shortcodes Plugin β Shortcodes Ultimate | shortcodes-ultimate |
| WordPress Brute Force Protection β Stop Brute Force Attacks | guardgiant |
| YASR β Yet Another Star Rating Plugin for WordPress | yet-another-stars-rating |
| affiliate-toolkit β WordPress Affiliate Plugin | affiliate-toolkit-starter |
| canvasio3D Light | canvasio3d-light |
| teachPress | teachpress |
| which template file | which-template-file |
WordPress Themes with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
|---|---|
| adifier | adifier |
| restricted-site-access | restricted-site-access |
Vulnerability Details
Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you shouldβve already been notified if your site was affected by any of these vulnerabilities. If you'd like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.
HUSKY β Products Filter for WooCommerce (formerly WOOF) <= 1.3.4.2 - Unauthenticated SQL Injection via search terms
Affected Software: HUSKY β Products Filter for WooCommerce Professional CVE ID: CVE-2023-40010 CVSS Score: 9.8 (Critical) Researcher/s: Nguyen Anh Tien Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b905b8ec-d13d-4455-9c5f-61aaa09d75ba>
JetEngine <= 3.2.4 - Authenticated (Contributor+) Privilege Escalation
Affected Software: JetEngine CVE ID: CVE-2023-48757 CVSS Score: 8.8 (High) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ad66015d-7831-4590-9583-3abf7ca43c3b>
CommentLuv <= 3.0.4 - Server Side Request Forgery via do_click
Affected Software: CommentLuv CVE ID: CVE-2023-49159 CVSS Score: 8.2 (High) Researcher/s: Yuchen Ji Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/eeef2a59-47a1-4d8d-b815-8c74cc608e6c>
Backup Migration <= 1.3.6 - Unauthenticated Arbitrary File Download to Sensitive Information Exposure
Affected Software: Backup Migration CVE ID: CVE-2023-6266 CVSS Score: 7.5 (High) Researcher/s: Rafshanzani Suhada Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/08801f53-3c57-41a3-a637-4b52637cc612>
CF7 Google Sheets Connector <= 5.0.5 - Unauthenticated Sensitive Information Exposure via Debug Log
Affected Software: CF7 Google Sheets Connector CVE ID: CVE-2023-44989 CVSS Score: 7.5 (High) Researcher/s: Joshua Chan Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/fad510b7-85f4-4cae-aaf0-eb68a32cf1b4>
Multiple Plugins by Crocoblock <= (Various Versions) - Missing Authorization to Unauthenticated Unauthorized Action
Affected Software/s: JetTabs for Elementor, JetBlog for Elementor, JetThemeCore for Elementor, JetCompareWishlist for Elementor, JetElements, JetWooBuilder for Elementor, JetReviews for Elementor, JetTricks for Elementor, JetMenu for Elementor, JetBlocks for Elementor, JetProductGallery, JetSmartFilters for Elementor CVE ID: CVE-2023-48760 CVSS Score: 7.3 (High) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7addc83b-cde5-4f91-b286-70db6f384a9f>
MSync <= 1.0.0 - Authenticated (Administrator+) SQL Injection
Affected Software: MSync CVE ID: CVE-2023-49166 CVSS Score: 7.2 (High) Researcher/s: Mika Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/1f37ed0e-3e03-4f00-9967-16047beab1cf>
Mollie Payments for WooCommerce <= 7.3.11 - Authenticated (Shop Manager+) Arbitrary File Upload
Affected Software: Mollie Payments for WooCommerce CVE ID: CVE-2023-6090 CVSS Score: 7.2 (High) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5d350095-125a-4445-89c1-bce437e4098c>
BookingPress <= 1.0.76 - Authenticated (Administrator+) Arbitrary File Upload
Affected Software: BookingPress β Appointment Booking Calendar Plugin and Online Scheduling Plugin CVE ID: CVE-2023-6219 CVSS Score: 7.2 (High) Researcher/s: IstvΓ‘n MΓ‘rton Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/710b8e4e-01de-4e99-8cf2-31abc2419b29>
JetEngine <= 3.2.4 - Missing Authorization
Affected Software: JetEngine CVE ID: CVE-2023-48758 CVSS Score: 7.1 (High) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/3f2c97f4-0a6e-4693-a6c8-bd81ca76988c>
WP Cleanfix <= 5.5.0 - Missing Authorization via register
Affected Software: WP CleanFix CVE ID: CVE-2023-48775 CVSS Score: 7.1 (High) Researcher/s: Abdi Pranata Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/57896fa8-9360-41e8-a60e-8b95d01c25ac>
WordPress Brute Force Protection β Stop Brute Force Attacks <= 2.2.5 - Authenticated (Administrator+) SQL Injection via orderby
Affected Software: WordPress Brute Force Protection β Stop Brute Force Attacks CVE ID: CVE-2023-48764 CVSS Score: 6.6 (Medium) Researcher/s: Mika Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/0d3f7676-5ab0-4fe0-a0be-786f4cf84056>
Contact Form 7 <= 5.8.3 - Authenticated (Editor+) Arbitrary File Upload
Affected Software: Contact Form 7 CVE ID: CVE-2023-6449 CVSS Score: 6.6 (Medium) Researcher/s: IstvΓ‘n MΓ‘rton Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5d7fb020-6acb-445e-a46b-bdb5aaf8f2b6>
Bravo Translate <= 1.2 - Authenticated (Administrator+) SQL Injection
Affected Software: Bravo Translate CVE ID: CVE-2023-49161 CVSS Score: 6.6 (Medium) Researcher/s: Arvandy Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f256518c-9a3e-4e6e-8d49-d309e397c14d>
Chat Bubble <= 2.3 - Cross-Site Request Forgery via cbb_submit_settings_data
Affected Software: Chat Bubble β Floating Chat with Contact Chat Icons, Messages, Telegram, Email, SMS, Call me back CVE ID: CVE-2023-48769 CVSS Score: 6.5 (Medium) Researcher/s: Vladislav Pokrovsky (ΞX.MI) Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/206261fa-58b6-4407-b8e1-2315836b6c88>
Prevent Landscape Rotation <= 2.0 - Cross-Site Request Forgery via adminpage.php
Affected Software: Prevent Landscape Rotation CVE ID: CVE-2023-48772 CVSS Score: 6.5 (Medium) Researcher/s: Nguyen Xuan Chien Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/4235f279-0975-4814-b156-b45b011e3ce6>
Database for CF7 <= 1.2.4 - Missing Authorization via wpcf7db_delete AJAX action
Affected Software: Database for CF7 CVE ID: CVE-2023-49167 CVSS Score: 6.5 (Medium) Researcher/s: Vladislav Pokrovsky (ΞX.MI) Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/4fcaab95-7940-45f9-a3c2-c3b0dc540b61>
MkRapel Regiones y Ciudades de Chile para WC <= 4.3.0 - Cross-Site Request Forgery via multiple functions
Affected Software: MkRapel Regiones y Ciudades de Chile para WC CVE ID: CVE-2023-48781 CVSS Score: 6.5 (Medium) Researcher/s: qilin_99 Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/70bac5e0-8182-426c-94da-e6832af8c487>
Product Size Chart For WooCommerce <= 1.1.5 - Cross-Site Request Forgery via get_save_option
Affected Software: Product Size Chart For WooCommerce CVE ID: CVE-2023-48778 CVSS Score: 6.5 (Medium) Researcher/s: qilin_99 Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7e15f804-f5a9-4e29-8aeb-4ba2b116dc46>
Guest Author <= 2.3 - Authenticated Stored Cross-Site Scripting
Affected Software: Guest Author CVE ID: CVE Unknown CVSS Score: 6.4 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/0b7d7b64-8194-4b81-83f5-1f3b23109455>
Powr Pack <= 2.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Affected Software: Contact Form β Custom Builder, Payment Form, and More CVE ID: CVE-2023-45609 CVSS Score: 6.4 (Medium) Researcher/s: resecured.io Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/0e67ce3b-144f-4ce1-b658-47d865312c6a>
Responsive Lightbox <= 2.4.5 - Authenticated (Author+) Stored Cross-Site Scripting via name
Affected Software: Responsive Lightbox & Gallery CVE ID: CVE-2023-49174 CVSS Score: 6.4 (Medium) Researcher/s: emad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/4b60c1e2-5a4b-4a7a-8224-f1afd3888e08>
12 Step Meeting List <= 3.14.24 - Authenticated (Contributor+) Server-Side Request Forgery
Affected Software: 12 Step Meeting List CVE ID: CVE-2023-46641 CVSS Score: 6.4 (Medium) Researcher/s: Shahzaib Ali Khan Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/4d6e9cb0-6b90-4a5b-8626-0b3f378fbc92>
WP Shortcodes Plugin β Shortcodes Ultimate <= 5.13.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: WP Shortcodes Plugin β Shortcodes Ultimate CVE ID: CVE-2023-6225 CVSS Score: 6.4 (Medium) Researcher/s: Francesco Carlucci Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/558e36f6-4678-46a2-8154-42770fbb5574>
WP Catalogue <= 1.7.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Affected Software: WP Catalogue CVE ID: CVE-2023-48780 CVSS Score: 6.4 (Medium) Researcher/s: Abdi Pranata Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5684d4b7-8a3e-47ee-9d7b-195cb5db9a66>
Ads by datafeedr.com <= 1.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: Ads by datafeedr.com CVE ID: CVE-2023-49169 CVSS Score: 6.4 (Medium) Researcher/s: NgΓ΄ ThiΓͺn An (ancorn_) Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/61c71bbf-ddae-4f35-ac8d-9753fb3fb67f>
Event post <= 5.8.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Affected Software: Event post CVE ID: CVE-2023-49179 CVSS Score: 6.4 (Medium) Researcher/s: thiennv Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6a92b96b-ecbc-4414-8e42-04b5c3a02131>
Formzu WP <= 1.6.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via id
Affected Software: Formzu WP CVE ID: CVE-2023-49160 CVSS Score: 6.4 (Medium) Researcher/s: resecured.io Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7ee73abf-0ab8-48ab-bd94-18ed66f877fd>
Accelerated Mobile Pages <= 1.0.88.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Affected Software: AMP for WP β Accelerated Mobile Pages CVE ID: CVE-2023-48321 CVSS Score: 6.4 (Medium) Researcher/s: NgΓ΄ ThiΓͺn An (ancorn_) Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/983e8ec0-fec4-4420-8ef6-6bf43881f5f1>
Currency Converter Calculator <= 1.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Affected Software: Currency Converter Calculator CVE ID: CVE-2023-49149 CVSS Score: 6.4 (Medium) Researcher/s: NgΓ΄ ThiΓͺn An (ancorn_) Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/9a423266-89e1-422d-b1e3-6368051eb2fe>
10to8 Online Appointment Booking System <= 1.0.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Affected Software: Sign In Scheduling Online Appointment Booking System CVE ID: CVE-2023-49173 CVSS Score: 6.4 (Medium) Researcher/s: NgΓ΄ ThiΓͺn An (ancorn_) Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/9fbb5ed0-ed76-44fe-88c4-eb05ad87e510>
BP Better Messages <= 2.4.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Affected Software: Better Messages β Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss CVE ID: CVE-2023-49168 CVSS Score: 6.4 (Medium) Researcher/s: Rafshanzani Suhada Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a4ccc7f8-c8e0-457a-b437-2a23530a9df4>
Email Address Encoder 1.0.22 - Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: Email Address Encoder CVE ID: CVE-2023-48765 CVSS Score: 6.4 (Medium) Researcher/s: LVT-tholv2k Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ab5b7dc4-113d-4f58-956e-2a9284e1e25e>
Parallax Slider Block <= 1.2.4 - Authenticated (Author+) Stored Cross-Site Scripting
Affected Software: Parallax Slider Block CVE ID: CVE-2023-49184 CVSS Score: 6.4 (Medium) Researcher/s: emad Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ae3974e6-cba1-4976-a6af-9e60557cfde8>
Credit Tracker <= 1.1.17 - Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: Credit Tracker CVE ID: CVE-2023-49152 CVSS Score: 6.4 (Medium) Researcher/s: NgΓ΄ ThiΓͺn An (ancorn_) Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b611f3ba-ac36-49fc-a75f-10003c5ca955>
Crypto Converter Widget <= 1.8.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: Crypto Converter Widget CVE ID: CVE-2023-49150 CVSS Score: 6.4 (Medium) Researcher/s: NgΓ΄ ThiΓͺn An (ancorn_) Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d621869c-31f7-4243-9815-f6d1bbe469e2>
Aparat <= 1.7.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: Aparat CVE ID: CVE-2023-48770 CVSS Score: 6.4 (Medium) Researcher/s: Rafshanzani Suhada Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e6d14dd6-ff1c-475b-8cff-efc7736124b4>
Related Post <= 2.0.53 - Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: Related Post CVE ID: CVE Unknown CVSS Score: 6.4 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f08ca5e3-8b48-4333-9c42-cc103d40394c>
Spiffy Calendar <= 4.9.5 - Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: Spiffy Calendar CVE ID: CVE Unknown CVSS Score: 6.4 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f433edb4-a8df-4548-a401-0089b605bbe5>
Multiple Plugins by Crocoblock <= (Various Versions) - Missing Authorization
Affected Software/s: JetSearch, JetTabs for Elementor, JetBlog for Elementor, JetThemeCore for Elementor, JetCompareWishlist for Elementor, JetElements, JetPopup, JetWooBuilder for Elementor, JetReviews for Elementor, JetEngine, JetTricks for Elementor, JetMenu for Elementor, JetBlocks for Elementor, JetProductGallery, JetSmartFilters for Elementor CVE ID: CVE-2023-48761 CVSS Score: 6.3 (Medium) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/893500ba-cc16-4429-bbe1-725aa65589c9>
File Gallery <= 1.8.5.4 - Reflected Cross-Site Scripting via post_id
Affected Software: File Gallery CVE ID: CVE-2023-48771 CVSS Score: 6.1 (Medium) Researcher/s: Le Ngoc Anh Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/0b51caf3-eff4-491f-b354-7d8939548a64>
affiliate-toolkit β WordPress Affiliate Plugin <= 3.4.3 - Reflected Cross-Site Scripting via keyword
Affected Software: affiliate-toolkit β WordPress Affiliate Plugin CVE ID: CVE-2023-46086 CVSS Score: 6.1 (Medium) Researcher/s: LEE SE HYOUNG Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/0f45738b-fff6-438e-8870-508c622c1752>
NextScripts <= 4.4.2 - Reflected Cross-Site Scripting via code
Affected Software: NextScripts: Social Networks Auto-Poster CVE ID: CVE-2023-49183 CVSS Score: 6.1 (Medium) Researcher/s: Le Ngoc Anh Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/15f00b65-8304-4132-a2cf-8145444ecfb1>
Adifier (Premium Theme) < 3.1.4 - Reflected Cross-Site Scripting
Affected Software: adifier CVE ID: CVE-2023-49187 CVSS Score: 6.1 (Medium) Researcher/s: Vladislav Pokrovsky (ΞX.MI) Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/2250d512-dfe0-47d3-a61f-4e501d105f30>
JetBlocks For Elementor <= 1.3.8 - Reflected Cross Site Scripting
Affected Software: JetBlocks for Elementor CVE ID: CVE-2023-48756 CVSS Score: 6.1 (Medium) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/2614ca26-6efc-49f5-8cee-5b078721acc1>
WP Forms Puzzle Captcha <= 4.1 - Cross-Site Request Forgery to Cross-Site Scripting
Affected Software: WP Forms Puzzle Captcha CVE ID: CVE-2023-48278 CVSS Score: 6.1 (Medium) Researcher/s: qilin_99 Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/2f34854a-5ca1-48a3-81d5-80f80f3a85fc>
PowerPack Pro for Elementor <= 2.9.23 - Reflected Cross-Site Scripting
Affected Software: PowerPack Pro for Elementor CVE ID: CVE-2023-49739 CVSS Score: 6.1 (Medium) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/2feabc97-0463-4e50-91a8-234445ca2504>
MyTube PlayList <= 2.0.3 - Reflected Cross-Site Scripting via addplaylistid
Affected Software: MyTube PlayList CVE ID: CVE-2023-48767 CVSS Score: 6.1 (Medium) Researcher/s: Abu Hurayra (HurayraIIT) Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/523cfed4-0422-40f3-8d81-d7862bcb1792>
Seraphinite Accelerator <= 2.20.28 - Reflected Cross-Site Scripting via rt
Affected Software: Seraphinite Accelerator CVE ID: CVE-2023-49740 CVSS Score: 6.1 (Medium) Researcher/s: Le Ngoc Anh Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/53356d15-8db0-4015-addf-9bf66446e81f>
List all posts by Authors, nested Categories and Title <= 2.7.10 - Cross-Site Scripting
Affected Software: List all posts by Authors, nested Categories and Titles CVE ID: CVE-2023-49182 CVSS Score: 6.1 (Medium) Researcher/s: Skalucy Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6b84df5b-ff93-43b3-b9e4-cf963cf2af10>
BrainCert β HTML5 Virtual Classroom <= 1.30 - Reflected Cross-Site Scripting
Affected Software: BrainCert β HTML5 Virtual Classroom CVE ID: CVE-2023-49172 CVSS Score: 6.1 (Medium) Researcher/s: Abu Hurayra (HurayraIIT) Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/76b3b5b7-fefe-44fb-a30e-c55226d4aaea>
HDW Player Plugin (Video Player & Video Gallery) <= 5.0 - Cross-Site Scripting
Affected Software: HDW Player Plugin (Video Player & Video Gallery) CVE ID: CVE-2023-49178 CVSS Score: 6.1 (Medium) Researcher/s: LEE SE HYOUNG Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/778aa2be-ffcb-4d28-9efe-c29c8d5391bd>
Forms by CaptainForm <= 2.5.3 - Reflected Cross-Site Scripting via REQUEST_URI
Affected Software: Forms by CaptainForm β Form Builder for WordPress CVE ID: CVE-2023-49170 CVSS Score: 6.1 (Medium) Researcher/s: Abu Hurayra (HurayraIIT) Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7f690ea9-b773-49d4-9fa4-2a8bb7593d62>
WP Pocket URLs <= 1.0.2 - Reflected Cross-Site Scripting
Affected Software: WP Pocket URLs CVE ID: CVE-2023-49176 CVSS Score: 6.1 (Medium) Researcher/s: SeungYongLee Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/8a22873f-6f09-4183-92c5-a84e0d378920>
Campaign Monitor for WordPress <= 2.8.12 - Reflected Cross-Site Scripting
Affected Software: Campaign Monitor for WordPress CVE ID: CVE-2023-38474 CVSS Score: 6.1 (Medium) Researcher/s: Phd Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a4d7cab5-1641-4ed3-92c7-ad7594dcb74b>
which template file <= 4.9.0 - Unauthenticated Cross-Site Scripting
Affected Software: which template file CVE ID: CVE-2023-49177 CVSS Score: 6.1 (Medium) Researcher/s: LEE SE HYOUNG Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/be3208c8-aceb-4ac9-91e1-d5de5a85f74d>
Doofinder for WooCommerce <= 2.1.4 - Reflected Cross-Site Scripting
Affected Software: Doofinder WP & WooCommerce Search CVE ID: CVE-2023-49185 CVSS Score: 6.1 (Medium) Researcher/s: Phd Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e46a2031-e304-43fb-85bf-ec9abf0b2f90>
Innovs HR <= 1.0.3.4 - Reflected Cross-Site Scripting
Affected Software: Innovs HR β Complete Human Resource Management System for Your Business CVE ID: CVE-2023-49171 CVSS Score: 6.1 (Medium) Researcher/s: SeungYongLee Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f43b5c02-fb10-48f1-9457-f67c5008fe5b>
Happyforms <= 1.25.9 - Reflected Cross-Site Scripting
Affected Software: Form builder to get in touch with visitors, grow your email list and collect payments β Happyforms CVE ID: CVE-2023-48752 CVSS Score: 6.1 (Medium) Researcher/s: Le Ngoc Anh Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ff986a66-93f7-4926-8818-7af745c0166c>
SiteOrigin Widgets Bundle < 1.51.0 - Authenticated (Admin+) Local File Inclusion
Affected Software: SiteOrigin Widgets Bundle CVE ID: CVE-2023-6295 CVSS Score: 5.9 (Medium) Researcher/s: Sebastian Neef Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/1dbdc673-b0ee-4d1d-8cd9-603056f41cda>
Automatic Youtube Video Posts Plugin <= 5.2.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Affected Software: Automatic Youtube Video Posts Plugin CVE ID: CVE-2023-49180 CVSS Score: 5.5 (Medium) Researcher/s: yuyudhn Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6a595b3c-2b21-43fe-8d4e-6721f4541c9b>
Client Dash <= 2.2.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Affected Software: Client Dash CVE ID: CVE-2023-49165 CVSS Score: 5.5 (Medium) Researcher/s: emad Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7f8839cf-9e48-4981-8a0d-bb0c06cdf441>
WP Event Manager <= 3.1.39 - Authenticated (Editor+) Stored Cross-Site Scripting
Affected Software: WP Event Manager β Events Calendar, Registrations, Sell Tickets with WooCommerce CVE ID: CVE-2023-49181 CVSS Score: 5.5 (Medium) Researcher/s: emad Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f25b2a4b-d863-4f24-ae67-4c8e41602c6f>
Download canvasio3D Light <= 2.4.6 - Missing Authorization
Affected Software: canvasio3D Light CVE ID: CVE-2023-48776 CVSS Score: 5.4 (Medium) Researcher/s: Abdi Pranata Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/11795557-74c0-469a-9751-adc759f9214b>
Export WP Page to Static HTML/CSS <= 2.1.9 - Missing Authorization via Multiple AJAX Actions
Affected Software: Export WP Page to Static HTML/CSS CVE ID: CVE-2023-6369 CVSS Score: 5.4 (Medium) Researcher/s: Alex Thomas Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/47cb48aa-b556-4f25-ac68-ff0a812972c1>
Abandoned Cart Lite for WooCommerce <= 5.16.1 - Missing Authorization via multiple AJAX functions
Affected Software: Abandoned Cart Lite for WooCommerce CVE ID: CVE-2023-41671 CVSS Score: 5.4 (Medium) Researcher/s: Mika Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/51cfe955-f854-4f88-a009-93f92ae13d86>
Chronopost & Mondial relay pour WooCommerce - WCMultiShipping <= 2.3.7 - Incorrect Authorization
Affected Software: UPS, Mondial Relay & Chronopost for WooCommerce β WCMultiShipping CVE ID: CVE Unknown CVSS Score: 5.3 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/16a3469d-6264-4ed7-b6ae-fdd7a80c8ca5>
Abandoned Cart Lite for WooCommerce <= 5.16.1 - Cross-Site Request Forgery
Affected Software: Abandoned Cart Lite for WooCommerce CVE ID: CVE Unknown CVSS Score: 5.3 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/1ce1316b-674a-4436-968f-9ffca4e8f726>
Social Pug <= 1.20.3 - Missing Authorization via multiple admin_init actions
Affected Software: Hubbub Lite (formerly Grow Social) CVE ID: CVE-2023-49193 CVSS Score: 5.3 (Medium) Researcher/s: Abdi Pranata Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/22b17fcb-0c97-462d-b67c-6da2919478d5>
Enhanced Text Widget <= 1.6.2 - Missing Authorization via etw_hide_admin_notification_callback
Affected Software: Enhanced Text Widget CVE ID: CVE-2023-49192 CVSS Score: 5.3 (Medium) Researcher/s: Abdi Pranata Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/25122475-fc2c-4a8c-90d3-f4a85fb3a8cc>
360 Javascript Viewer <= 1.7.11 - Missing Authorization
Affected Software: 360 Javascript Viewer CVE ID: CVE-2023-48779 CVSS Score: 5.3 (Medium) Researcher/s: Abdi Pranata Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/25a8169d-1057-4cf2-9048-fb85f62d6ead>
Yet Another Stars Rating <= 3.4.3 - Missing Authorization via init
Affected Software: YASR β Yet Another Star Rating Plugin for WordPress CVE ID: CVE-2023-39305 CVSS Score: 5.3 (Medium) Researcher/s: Revan Arifio Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/395b016f-018c-458d-a585-34f3de3eae5c>
PageLayer <= 1.7.7 - Cross-Site Request Forgery via pagelayer_load_plugin
Affected Software: Page Builder: Pagelayer β Drag and Drop website builder CVE ID: CVE Unknown CVSS Score: 5.3 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/3a0c8ecc-f0a1-41fa-a5f7-2d65d610efc0>
Participants Database <= 2.5.5 - Missing Authorization
Affected Software: Participants Database CVE ID: CVE-2023-48751 CVSS Score: 5.3 (Medium) Researcher/s: Yudistira Arya Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/3cd2b2ba-c4ec-4799-91b4-b38c462baee4>
WP Retina 2x <= 6.4.5 - Sensitive Information Exposure
Affected Software: Perfect Images (Manage Image Sizes, Thumbnails, Replace, Retina) CVE ID: CVE-2023-44982 CVSS Score: 5.3 (Medium) Researcher/s: Joshua Chan Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/52c2aae5-17c2-45eb-b55f-bb27555fb1f7>
WP Forms Puzzle Captcha <= 4.1 - Captcha Bypass
Affected Software: WP Forms Puzzle Captcha CVE ID: CVE-2023-48276 CVSS Score: 5.3 (Medium) Researcher/s: qilin_99 Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/58502e48-c1cf-4b94-954c-71046256c917>
Media File Renamer <= 5.6.9 - Sensitive Information Exposure via Log File
Affected Software: Media File Renamer: Rename Files (Manual, Auto & AI) CVE ID: CVE-2023-44991 CVSS Score: 5.3 (Medium) Researcher/s: Joshua Chan Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/71e55161-f5ad-44e5-8a61-ce48c05e6dba>
Aruba HiSpeed Cache <= 2.0.6 - Sensitive Information Exposure via Log File
Affected Software: Aruba HiSpeed Cache CVE ID: CVE-2023-44983 CVSS Score: 5.3 (Medium) Researcher/s: Joshua Chan Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7391dd8c-0170-48c6-8451-9e7a00e268d0>
Button Generator β easily Button Builder <= 2.3.8 - Missing Authorization
Affected Software: Button Generator β easily Button Builder CVE ID: CVE-2023-49154 CVSS Score: 5.3 (Medium) Researcher/s: Elliot Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/73dd286e-5338-42d2-9928-1e14150ccf56>
Restricted Site Access <= 7.4.1 - IP Spoofing to Protection Mechanism Bypass
Affected Software: restricted-site-access CVE ID: CVE-2023-48753 CVSS Score: 5.3 (Medium) Researcher/s: Mika Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/804169d3-a53a-42ba-821d-e9647ac075c4>
Importify <= 1.0.4 - Unauthenticated Sensitive Information Exposure
Affected Software: Importify β Dropshipping WooCommerce Plugin for Aliexpress, Amazon, Etsy, Alibaba, Walmart & More CVE ID: CVE-2023-49194 CVSS Score: 5.3 (Medium) Researcher/s: Mika Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/830ff660-0265-46e5-8d16-ecd03cdf9f52>
Swift Performance Lite <= 2.3.6.14 - Missing Authorization to Unauthenticated Settings Export
Affected Software: Swift Performance Lite CVE ID: CVE-2023-6289 CVSS Score: 5.3 (Medium) Researcher/s: Krzysztof ZajΔ c Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/8321f68f-da2d-4382-979d-54008de2cae7>
Gift Up 2.21.3 - Cross-Site Request Forgery via consume_post
Affected Software: Gift Up Gift Cards for WordPress and WooCommerce CVE ID: CVE Unknown CVSS Score: 5.3 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/95abec2d-a03a-4b07-8890-18568650c41f>
teachPress <= 9.0.4 - Cross-Site Request Forgery
Affected Software: teachPress CVE ID: CVE-2023-48755 CVSS Score: 5.3 (Medium) Researcher/s: LVT-tholv2k Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/9956e04c-ff59-40c0-a8ab-3e2ed2c52d7f>
Coming soon and Maintenance mode <= 3.7.3 - IP Address Spoofing via get_real_ip
Affected Software: Coming soon and Maintenance mode CVE ID: CVE-2023-49741 CVSS Score: 5.3 (Medium) Researcher/s: Mika Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/9fd9c076-d36c-4cda-b636-aa65195956d2>
JetElements For Elementor <= 2.6.13 - Missing Authorization to Unauthenticated Arbitrary Attachment Download
Affected Software: JetElements CVE ID: CVE-2023-48759 CVSS Score: 5.3 (Medium) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d199e597-64ed-4dcc-a153-b5c8e4e9e93d>
BigCommerce <= 5.0.6 - Unauthenticated Sensitive Information Exposure
Affected Software: BigCommerce For WordPress CVE ID: CVE-2023-49162 CVSS Score: 5.3 (Medium) Researcher/s: Joshua Chan Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e3a7e0b6-dc6d-4e3a-bb05-12d6ace330df>
JetFormBuilder <= 3.1.4 - Unauthenticated Content Injection
Affected Software: JetFormBuilder β Dynamic Blocks Form Builder CVE ID: CVE-2023-48763 CVSS Score: 5.3 (Medium) Researcher/s: Revan Arifio Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f0343861-a376-43ea-826e-277c2a5ea635>
Antispam Bee <= 2.11.3 - IP Address Spoofing via get_client_ip
Affected Software: Antispam Bee CVE ID: CVE-2023-41134 CVSS Score: 5.3 (Medium) Researcher/s: Mika Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/fb102891-b4a8-4089-b70c-43866ad85b7b>
KP Fastest Tawk.to Chat <= 1.1.1 - Authenticated (Administrator+) Stored Cross-Site Scripting
Affected Software: KP Fastest Tawk.to Chat CVE ID: CVE-2023-49175 CVSS Score: 4.4 (Medium) Researcher/s: emad Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/02ddfc75-8a9e-4a8e-8339-52348a963c69>
GDPR Cookie Consent by Supsystic <= 2.1.2 - Authenticated (Administrator+) Stored Cross-Site Scripting
Affected Software: GDPR Cookie Consent by Supsystic CVE ID: CVE-2023-49191 CVSS Score: 4.4 (Medium) Researcher/s: DoYeon Park (p6rkdoye0n) Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/158a63c1-1b2e-4fbf-ac86-43471ba8ebc2>
Molongui <= 4.6.19 - Authenticated (Administrator+) Stored Cross-Site Scripting
Affected Software: Author Box, Guest Author and Co-Authors for Your Posts β Molongui CVE ID: CVE-2023-39921 CVSS Score: 4.4 (Medium) Researcher/s: Abdullah Hussam Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/16130c5d-9865-4953-b078-0b448722e36d>
Chart Builder <= 1.9.6 - Authenticated (Admin+) Stored Cross-Site Scripting
Affected Software: Chartify β WordPress Chart Plugin CVE ID: CVE Unknown CVSS Score: 4.4 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/18cbf346-91a3-4856-930e-7753eb1470d9>
SoundCloud Shortcode <= 3.1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting
Affected Software: SoundCloud Shortcode CVE ID: CVE-2023-34018 CVSS Score: 4.4 (Medium) Researcher/s: yuyudhn Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5084afcc-b6fc-4d89-9ad7-c4ea3e4dae82>
Social Share Buttons & Analytics Plugin β GetSocial.io <= 4.3.12 - Authenticated (Administrator+) Stored Cross-Site Scripting
Affected Software: Social Share Buttons & Analytics Plugin β GetSocial.io CVE ID: CVE-2023-49189 CVSS Score: 4.4 (Medium) Researcher/s: DoYeon Park (p6rkdoye0n) Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/513124f6-ea14-46ca-94c5-f9fa15b19d8c>
Simple Long Form <= 2.2.2 - Authenticated (Administrator+) Stored Cross-Site Scripting
Affected Software: Simple Long Form CVE ID: CVE-2023-41136 CVSS Score: 4.4 (Medium) Researcher/s: DoYeon Park (p6rkdoye0n) Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/68c22e71-c704-44c1-86e6-856f6244393d>
Track Geolocation Of Users Using Contact Form 7 <= 1.4 - Authenticated (Administrator+) Stored Cross-Site Scripting
Affected Software: Track Geolocation Of Users Using Contact Form 7 CVE ID: CVE-2023-49188 CVSS Score: 4.4 (Medium) Researcher/s: DoYeon Park (p6rkdoye0n) Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/724d8f79-f683-4b06-841d-a9104c87f3c6>
BSK Forms Blacklist <= 3.6.3 - Authenticated (Admin+) Stored Cross-Site Scripting
Affected Software: BSK Forms Blacklist CVE ID: CVE-2023-5980 CVSS Score: 4.4 (Medium) Researcher/s: Bob Matyas Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/8283a502-6fb8-43ff-8f46-8afbfdbb22f7>
Multiple Post Passwords <= 1.1.1 - Authenticated (Administrator+) Stored Cross-Site Scripting
Affected Software: Multiple Post Passwords CVE ID: CVE-2023-49157 CVSS Score: 4.4 (Medium) Researcher/s: DoYeon Park (p6rkdoye0n) Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/8f220293-9789-4824-b736-ead014c45366>
Site Offline <= 1.5.6 - Authenticated (Administrator+) Stored Cross-Site Scripting
Affected Software: Site Offline Or Coming Soon Or Maintenance Mode CVE ID: CVE-2023-49190 CVSS Score: 4.4 (Medium) Researcher/s: emad Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/96f30a22-f218-48e7-9796-b9f1d5becc2c>
Evergreen Content Poster <= 1.3.6.1 - Authenticated (Administrator+) Stored Cross-Site Scripting
Affected Software: Evergreen Content Poster β Auto Post and Schedule Your Best Content to Social Media CVE ID: CVE-2023-41127 CVSS Score: 4.4 (Medium) Researcher/s: DoYeon Park (p6rkdoye0n) Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d7b67c83-7fb7-4bac-a8eb-7fc318f2ff50>
Nested Pages <= 3.2.6 - Authenticated (Administrator+) Stored Cross-Site Scripting
Affected Software: Nested Pages CVE ID: CVE-2023-49195 CVSS Score: 4.4 (Medium) Researcher/s: emad Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ec9029a3-be05-469a-a8e2-20987a4a4ad9>
Multiple Plugins by Crocoblock <= (Various Versions) - Cross-Site Request Forgery
Affected Software/s: JetSearch, JetTabs for Elementor, JetBlog for Elementor, JetThemeCore for Elementor, JetCompareWishlist for Elementor, JetElements, JetPopup, JetWooBuilder for Elementor, JetReviews for Elementor, JetEngine, JetTricks for Elementor, JetMenu for Elementor, JetBlocks for Elementor, JetProductGallery, JetSmartFilters for Elementor CVE ID: CVE-2023-48762 CVSS Score: 4.3 (Medium) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/1c85e5e0-d8ee-46d3-99b1-df6c6744f020>
teachPress <= 9.0.5 - Cross-Site Request Forgery via delete_database()
Affected Software: teachPress CVE ID: CVE-2023-49163 CVSS Score: 4.3 (Medium) Researcher/s: LVT-tholv2k Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/3544357f-97c9-49cb-a48d-74b60480111d>
Qode Essential Addons <= 1.5.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation/Activation
Affected Software: Qode Essential Addons CVE ID: CVE-2023-47840 CVSS Score: 4.3 (Medium) Researcher/s: Brandon James Roldan (tomorrowisnew) Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/443c59b9-275d-4d17-a870-9ae013c1a5c1>
WP Shortcodes Plugin β Shortcodes Ultimate <= 5.13.3 - Insecure Direct Object Reference to Information Disclosure
Affected Software: WP Shortcodes Plugin β Shortcodes Ultimate CVE ID: CVE-2023-6226 CVSS Score: 4.3 (Medium) Researcher/s: Francesco Carlucci Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/4d936a48-b300-4a41-8d28-ba34cb3c5cb7>
IdeaPush <= 8.53 - Missing Authorization
Affected Software: IdeaPush CVE ID: CVE-2023-48774 CVSS Score: 4.3 (Medium) Researcher/s: Abdi Pranata Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5811fc63-da34-43cb-ae33-a34a8795bb72>
Quotes for WooCommerce <= 2.0.1 - Missing Authorization
Affected Software: Quotes for WooCommerce CVE ID: CVE Unknown CVSS Score: 4.3 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5f7a5d4b-8ba2-45d8-92d4-3c66a81fb4f8>
Quotes for WooCommerce <= 2.0.1 - Cross-Site Request Forgery
Affected Software: Quotes for WooCommerce CVE ID: CVE Unknown CVSS Score: 4.3 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6954364e-567c-407c-afc6-983b7257cc88>
RegistrationMagic <= 5.2.2.6 - Cross-Site Request Forgery
Affected Software: RegistrationMagic β Custom Registration Forms, User Registration, Payment, and User Login CVE ID: CVE-2023-47645 CVSS Score: 4.3 (Medium) Researcher/s: thiennv Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7dcde10d-4eb7-42fe-926e-05e56affc521>
Debug Log Manager <= 2.2.0 - Cross-Site Request Forgery
Affected Software: Debug Log Manager CVE ID: CVE-2023-5772 CVSS Score: 4.3 (Medium) Researcher/s: Dmitrii Ignatyev Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7e539549-1125-4b0e-aa3c-c8844041c23a>
LadiApp <= 4.3 - Missing Authorization
Affected Software: LadiApp: Landing Page, PopupX, Marketing Automation, Affiliate Marketing⦠CVE ID: CVE-2023-49158 CVSS Score: 4.3 (Medium) Researcher/s: Truoc Phan Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/8f88ff96-5bd7-448d-a030-e75fd268bff6>
Ocean Extra <= 2.2.2 - Cross-Site Request Forgery to Arbitrary Plugin Activation
Affected Software: Ocean Extra CVE ID: CVE-2023-49164 CVSS Score: 4.3 (Medium) Researcher/s: Dave Jong Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ac111175-2059-41dc-afa2-a659da3adaca>
SpeedyCache <= 1.1.2 - Missing Authorization via speedycache_create_test_cache
Affected Software: SpeedyCache β Cache, Optimization, Performance CVE ID: CVE Unknown CVSS Score: 4.3 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ac7c0dde-5299-4938-beed-eb2fe227a812>
Button Generator β easily Button Builder <= 2.3.8 - Cross-Site Request Forgery
Affected Software: Button Generator β easily Button Builder CVE ID: CVE-2023-49155 CVSS Score: 4.3 (Medium) Researcher/s: Elliot Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b73467de-fb0c-45e3-b3ae-5158b261907b>
Add to Cart Text Changer and Customize Button, Add Custom Icon <= 2.0 - Cross-Site Request Forgery via wactc_text_form
Affected Software: Add to Cart Text Changer and Customize Button, Add Custom Icon CVE ID: CVE-2023-49153 CVSS Score: 4.3 (Medium) Researcher/s: Skalucy Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c4470c03-64fc-46d9-b224-de5a3149c3d5>
GoDaddy Email Marketing <= 1.4.3 - Missing Authorization
Affected Software: GoDaddy Email Marketing CVE ID: CVE-2023-49156 CVSS Score: 4.3 (Medium) Researcher/s: Abdi Pranata Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c8d9d19e-a080-40e9-8a71-01888393f618>
SchedulePress <= 5.0.4 - Insufficient Authorization to Authenticated (Contributor+) Arbitrary Post Modifications
Affected Software: SchedulePress β Best Editorial Calendar, Missed Schedule & Auto Social Share CVE ID: CVE Unknown CVSS Score: 4.3 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/cd2c9b28-d5b5-4930-a441-f889ee2778cd>
Ecwid Ecommerce Shopping Cart <= 6.12.4 - Cross-Site Request Forgery
Affected Software: Ecwid Ecommerce Shopping Cart CVE ID: CVE Unknown CVSS Score: 4.3 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/db5d6cc9-24d7-42bf-905e-4c3764c659ed>
AdFoxly β Ad Manager, AdSense Ads & Ads.txt <= 1.8.5 - Cross-Site Request Forgery
Affected Software: AdFoxly β Ad Manager, AdSense Ads & Ads.txt CVE ID: CVE-2023-46617 CVSS Score: 4.3 (Medium) Researcher/s: LVT-tholv2k Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e46513d2-65d0-4215-99a7-051603ec4569>
Affiliate Booster β Pros & Cons, Notice, and CTA Blocks for Affiliates <= 3.0.4 - Cross-Site Request Forgery via process_bulk_action
Affected Software: Affiliate Booster β Pros & Cons, Notice, and CTA Blocks for Affiliates CVE ID: CVE-2023-49148 CVSS Score: 4.3 (Medium) Researcher/s: LEE SE HYOUNG Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e4b9eeb9-7ce4-446d-8ac0-af9cea0c893a>
Razorpay for WooCommerce <= 4.5.6 - Cross-Site Request Forgery
Affected Software: Razorpay for WooCommerce CVE ID: CVE Unknown CVSS Score: 4.3 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e6a2b2f6-c648-4755-be24-92c7f287813e>
Delete Post Revisions In WordPress <= 4.6 - Cross-Site Request Forgery
Affected Software: Delete Post Revisions In WordPress CVE ID: CVE-2023-48754 CVSS Score: 4.3 (Medium) Researcher/s: Skalucy Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f1946a48-c1d6-4ca9-909f-0d4b78c25c36>
Razorpay for WooCommerce <= 4.5.6 - Missing Authorization
Affected Software: Razorpay for WooCommerce CVE ID: CVE Unknown CVSS Score: 4.3 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f59cf3d6-06a0-42ec-a604-5f59c6b2be40>
As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.
This database is continuously updated, maintained, and populated by Wordfenceβs highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
The post Wordfence Intelligence Weekly WordPress Vulnerability Report (November 27, 2023 to December 3, 2023) appeared first on Wordfence.
Related
9.6 High
AI Score
Confidence
High
0.002 Low
EPSS
Percentile
52.9%