Chloe ChamberlandWORDFENCE:A4F5A8F1D2F8B3C1C3ACC251D1D595B5Wordfence Intelligence Weekly WordPress Vulnerability Report (Apr 3, 2023 to Apr 9, 2023)
0.053 Low
EPSS
Percentile
93.1%
Last week, there were 97 vulnerabilities disclosed in 63 WordPress Plugins and 5 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 28 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface and vulnerability API are completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.
_Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published. _
New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
- Front End Users <= 3.2.24 - Missing Authorization in Multiple Functions
- ACF Quick Edit Fields <= 3.2.2 - Authenticated (Contributor+) Insecure Direct Object Reference
- WP Data Access <= 5.3.7 - Authenticated (Subscriber+) Privilege Escalation
- Advanced Custom Fields <= 6.0.7 - Authenticated (Contributor+) PHP Object Injection
- HappyFiles Pro <= 1.8.1 - Missing Authorization
- WP Fastest Cache <= 1.1.2 - Missing Authorization
- Formidable Forms <= 6.1.2 - Unauthenticated PHP Object Injection
- WAF-RULE-579 – Data redacted while we work with the developer to ensure the vulnerability protected by this WAF rule gets patched.
- WAF-RULE-576 – Data redacted while we work with the developer to ensure the vulnerability protected by this WAF rule gets patched.
- WAF-RULE-577 – Data redacted while we work with the developer to ensure the vulnerability protected by this WAF rule gets patched.
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.
Total Unpatched & Patched Vulnerabilities Last Week
| Patch Status | Number of Vulnerabilities |
|---|---|
| Unpatched | 25 |
| Patched | 72 |
Total Vulnerabilities by CVSS Severity Last Week
| Severity Rating | Number of Vulnerabilities |
|---|---|
| Low Severity | 0 |
| Medium Severity | 79 |
| High Severity | 14 |
| Critical Severity | 4 |
Total Vulnerabilities by CWE Type Last Week
| Vulnerability Type by CWE | Number of Vulnerabilities |
|---|---|
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 37 |
| Cross-Site Request Forgery (CSRF) | 29 |
| Missing Authorization | 17 |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 6 |
| Deserialization of Untrusted Data | 3 |
| Improper Authorization | 2 |
| Incorrect Privilege Assignment | 1 |
| Unrestricted Upload of File with Dangerous Type | 1 |
| Authorization Bypass Through User-Controlled Key | 1 |
Researchers That Contributed to WordPress Security Last Week
| Researcher Name | Number of Vulnerabilities |
|---|---|
| Marco Wotschka | 24 |
| Chloe Chamberland | 8 |
| Mika | 7 |
| minhtuanact | 5 |
| Lana Codes | 5 |
| yuyudhn | 3 |
| Ramuel Gall | 3 |
| MyungJu Kim | 3 |
| Rafshanzani Suhada | 3 |
| Erwan LR | 3 |
| Ameen Alkurdy | 2 |
| Rafie Muhammad | 2 |
| Simone Onofri | 2 |
| Donato Onofri | 2 |
| Rio Darmawan | 2 |
| Shreya Pohekar | 2 |
| FearZzZz | 2 |
| Nguyen Huu Do | 2 |
| Abdi Pranata | 2 |
| Elliot | 1 |
| jidle | 1 |
| xplo1t | 1 |
| Taliya Bilal | 1 |
| Dave Jong | 1 |
| Pablo Sanchez | 1 |
| Romés Akhan | 1 |
| Yogesh Verma | 1 |
| abdi paranata | 1 |
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
|---|---|
| Advanced Custom Fields (ACF) | advanced-custom-fields |
| Ajax Search Lite | ajax-search-lite |
| Ajax Search Pro | ajax-search-pro |
| Albo Pretorio On line | albo-pretorio-on-line |
| Appointment and Event Booking Calendar for WordPress – Amelia | ameliabooking |
| Call Now Accessibility Button | accessibility-help-button |
| Cancel order request / Return order / Repeat Order / Reorder for WooCommerce | cancel-order-request-woocommerce |
| Comment Reply Notification | comment-reply-notification |
| Comments Ratings | comments-ratings |
| Connections Business Directory | connections |
| CopySafe Web Protection | wp-copysafe-web |
| Cryptocurrency All-in-One | cryptocurrency-prices |
| Dynamics 365 Integration | integration-dynamics |
| Easy Sign Up | easy-sign-up |
| Email Subscription Popup | email-subscribe |
| Fancy Product Designer | fancy-product-designer |
| Formidable Forms – Contact Form, Survey, Quiz, Calculator & Custom Form Builder | formidable |
| Front End Users | front-end-only-users |
| HT Builder – WordPress Theme Builder for Elementor | ht-builder |
| Hustle – Email Marketing, Lead Generation, Optins, Popups | wordpress-popup |
| IFrame Shortcode | flynsarmy-iframe-shortcode |
| IMPress Listings | wp-listings |
| Libsyn Publisher Hub | libsyn-podcasting |
| Limit Login Attempts | limit-login-attempts |
| Magic Post Thumbnail | magic-post-thumbnail |
| MapPress Maps for WordPress | mappress-google-maps-for-wordpress |
| Maps Widget for Google Maps | google-maps-widget |
| MasterStudy LMS WordPress Plugin – for Online Courses and Education | masterstudy-lms-learning-management-system |
| MyCryptoCheckout – Bitcoin, Ethereum, and 175+ altcoins for WooCommerce | mycryptocheckout |
| Optin Forms – Simple List Building Plugin for WordPress | optin-forms |
| PHP Compatibility Checker | php-compatibility-checker |
| PixTypes | pixtypes |
| Product Catalog Simple | post-type-x |
| Product Enquiry for WooCommerce, WooCommerce product catalog | enquiry-quotation-for-woocommerce |
| Product Feed PRO for WooCommerce | woo-product-feed-pro |
| Product page shipping calculator for WooCommerce | product-page-shipping-calculator-for-woocommerce |
| PropertyHive | propertyhive |
| Random Text | randomtext |
| SEOPress – On-site SEO | wp-seopress |
| SMTP Mailing Queue | smtp-mailing-queue |
| Simple Job Board | simple-job-board |
| SimpleModal Contact Form (SMCF) | simplemodal-contact-form-smcf |
| Site Reviews | site-reviews |
| Sp*tify Play Button for WordPress | spotify-play-button-for-wordpress |
| Spreadshop Plugin | spreadshop |
| StagTools | stagtools |
| Steveas WP Live Chat Shoutbox | wp-shoutbox-live-chat |
| Superb Social Media Share Buttons and Follow Buttons for WordPress | superb-social-share-and-follow-buttons |
| Tiny carousel horizontal slider plus | tiny-carousel-horizontal-slider-plus |
| Transbank Webpay REST | transbank-webpay-plus-rest |
| User Registration – Custom Registration Form, Login Form And User Profile For WordPress | user-registration |
| WCFM Marketplace – Best Multivendor Marketplace for WooCommerce | wc-multivendor-marketplace |
| WCFM Membership – WooCommerce Memberships for Multivendor Marketplace | wc-multivendor-membership |
| WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible | wc-frontend-manager |
| WP Data Access | wp-data-access |
| WP FEvents Book | wp-fevents-book |
| WP Fastest Cache | wp-fastest-cache |
| WPCode – Insert Headers and Footers + Custom Code Snippets – WordPress Code Manager | insert-headers-and-footers |
| YourChannel: Everything you want in a YouTube plugin. | yourchannel |
| ZYREX POPUP | popup-zyrex |
| amr ical events lists | amr-ical-events-list |
| qTranslate X Cleanup and WPML Import | qtranslate-to-wpml-export |
| tencentcloud-cos | tencentcloud-cos |
WordPress Themes with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
|---|---|
| Houzez | houzez |
| The7 — Website and eCommerce Builder for WordPress | [dt-the7](<https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-themes/The7 — Website and eCommerce Builder for WordPress>) |
| TheRoof | theroof |
| Weaver Xtreme | [weaver-xtreme](<https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-themes/Weaver Xtreme>) |
| outdoor | outdoor |
Vulnerability Details
WCFM Membership <= 2.10.0 - Unauthenticated Privilege Escalation
Affected Software: WCFM Membership – WooCommerce Memberships for Multivendor Marketplace CVE ID: CVE-2022-4939 CVSS Score: 9.8 (Critical) Researcher/s: Chloe Chamberland Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/0870de2d-bca5-4d57-a07f-877a416ce0d5>
Houzez <= 2.8.2 - Unauthenticated SQL Injection
Affected Software: Houzez CVE ID: CVE-2023-29432 CVSS Score: 9.8 (Critical) Researcher/s: Dave Jong Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/64087631-3514-4fec-ad2f-b095d7c727bd>
Formidable Forms <= 6.1.2 - Unauthenticated PHP Object Injection
Affected Software: Formidable Forms – Contact Form, Survey, Quiz, Calculator & Custom Form Builder CVE ID: CVE-2023-1405 CVSS Score: 9.8 (Critical) Researcher/s: Nguyen Huu Do Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7db04a93-a384-4093-8cab-6f1d6822f625>
Steveas WP Live Chat Shoutbox <= 1.4.2 - Unauthenticated SQL Injection
Affected Software: Steveas WP Live Chat Shoutbox CVE ID: CVE-2023-1020 CVSS Score: 9.8 (Critical) Researcher/s: Simone Onofri, Donato Onofri Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d4e1ca02-4eb5-4a46-99d5-89630f37d9ed>
WCFM Marketplace <= 3.4.11 - Missing Authorization
Affected Software: WCFM Marketplace – Best Multivendor Marketplace for WooCommerce CVE ID: CVE-2022-4935 CVSS Score: 8.8 (High) Researcher/s: Chloe Chamberland Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/85730e9b-c5da-473c-a324-891c5c9f7ba3>
MapPress Maps for WordPress <= 2.85.4 - Authenticated (Contributor+) SQL Injection via get_maps
Affected Software: MapPress Maps for WordPress CVE ID: CVE-2023-26015 CVSS Score: 8.8 (High) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/aab16b6f-4daf-4eb1-9526-dd05b2b41dee>
Advanced Custom Fields <= 6.0.7 - Authenticated (Contributor+) PHP Object Injection
Affected Software: Advanced Custom Fields (ACF) CVE ID: CVE-2023-1196 CVSS Score: 8.8 (High) Researcher/s: Nguyen Huu Do Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b13e1916-2a02-4a91-acf1-6e5d7c55bd57>
Fancy Product Designer <= 4.6.9 - Insufficient Authorization to Arbitrary Options Update via fpd_update_options
Affected Software: Fancy Product Designer CVE ID: CVE-2021-4334 CVSS Score: 8.8 (High) Researcher/s: Ramuel Gall Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ea097cb7-85f4-4b6d-9f29-bc2636993f21>
WP Data Access <= 5.3.7 - Authenticated (Subscriber+) Privilege Escalation
Affected Software: WP Data Access CVE ID: CVE-2023-1874 CVSS Score: 7.5 (High) Researcher/s: Chloe Chamberland Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/8f562e33-2aef-46f0-8a65-691155ede9e7>
WCFM Membership <= 2.10.0 - Missing Authorization
Affected Software: WCFM Membership – WooCommerce Memberships for Multivendor Marketplace CVE ID: CVE-2022-4940 CVSS Score: 7.3 (High) Researcher/s: Chloe Chamberland Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/9c6577a2-6722-4d3b-958d-1143dca414cd>
CopySafe Web Protection <= 3.13 - Unauthenticated Stored Cross-Site Scripting
Affected Software: CopySafe Web Protection CVE ID: CVE-2023-29098 CVSS Score: 7.2 (High) Researcher/s: Elliot Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/07e110b3-ef10-482d-a564-c9f23631e5f3>
Magic Post Thumbnail <= 4.1.10 - Unauthenticated Stored Cross-Site Scripting
Affected Software: Magic Post Thumbnail CVE ID: CVE-2023-29171 CVSS Score: 7.2 (High) Researcher/s: minhtuanact Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/08bbde25-bb9a-469c-83de-b680bb501ad6>
Steveas WP Live Chat Shoutbox <= 1.4.2 - Unauthenticated Stored Cross-Site Scripting
Affected Software: Steveas WP Live Chat Shoutbox CVE ID: CVE-2023-0899 CVSS Score: 7.2 (High) Researcher/s: Simone Onofri, Donato Onofri Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/2630dbfe-2e11-4671-9a75-377237ac1ea1>
Transbank Webpay REST <= 1.6.6 - Authenticated (Administrator+) SQL Injection via orderby
Affected Software: Transbank Webpay REST CVE ID: CVE-2023-27610 CVSS Score: 7.2 (High) Researcher/s: Mika Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/2b737a26-e4ae-4c9f-a98a-a22a31ac4f99>
Albo Pretorio Online <= 4.6.1 - Unauthenticated Stored Cross-Site Scripting
Affected Software: Albo Pretorio On line CVE ID: CVE-2023-28993 CVSS Score: 7.2 (High) Researcher/s: Romés Akhan Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/8fbcd728-d2a2-4787-841d-0ce77356f737>
Limit Login Attempts <= 1.7.1 - Unauthenticated Stored Cross-Site Scripting
Affected Software: Limit Login Attempts CVE ID: CVE-2023-1912 CVSS Score: 7.2 (High) Researcher/s: Marco Wotschka Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/cb8c80fc-3b51-4003-b221-6f02e74bead0>
Zyrex Popup <= 1.1 - Authenticated (Admin+) Arbitrary File Upload
Affected Software: ZYREX POPUP CVE ID: CVE-2023-0924 CVSS Score: 7.2 (High) Researcher/s: Yogesh Verma Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/cf992c75-a1ae-49c3-8110-2f3b31b23f6c>
Ajax Search Lite <= 4.11 - Reflected Cross-Site Scripting
Affected Software: Ajax Search Lite CVE ID: CVE-2023-1420 CVSS Score: 7.2 (High) Researcher/s: Erwan LR Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f5e6cb50-8262-406b-b01e-37d62a4bd394>
SEOPress <= 6.5.0.2 - Authenticated (Administrator+) PHP Object Injection
Affected Software: SEOPress – On-site SEO CVE ID: CVE Unknown CVSS Score: 6.6 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/06863974-e428-418b-891a-ade59ee46c4f>
Amr Ical Events Lists <= 6.6 - Authenticated (Administrator+) Stored Cross-Site Scripting
Affected Software: amr ical events lists CVE ID: CVE-2023-1021 CVSS Score: 6.6 (Medium) Researcher/s: Shreya Pohekar Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a4531261-d76e-4419-b915-749c72830608>
YourChannel <= 1.2.3 - Missing Authorization to Plugin Settings Reset
Affected Software: YourChannel: Everything you want in a YouTube plugin. CVE ID: CVE-2023-1865 CVSS Score: 6.5 (Medium) Researcher/s: Marco Wotschka Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/34817e32-d5a3-403a-85f0-1d60af8945de>
YourChannel <= 1.2.3 - Missing Authorization to Plugin Cache Reset
Affected Software: YourChannel: Everything you want in a YouTube plugin. CVE ID: CVE-2023-1868 CVSS Score: 6.5 (Medium) Researcher/s: Marco Wotschka Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/541d202b-f3ed-44d8-93a6-e158209db885>
Front End Users <= 3.2.24 - Missing Authorization to Unauthenticated Registered User Deletion
Affected Software: Front End Users CVE ID: CVE Unknown CVSS Score: 6.5 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5ccfafaf-902f-4142-90b3-9f70800eb377>
WP FEvents Book <= 0.46 - Authenticated (Subscriber+) Stored Cross-Site Scripting
Affected Software: WP FEvents Book CVE ID: CVE-2023-1126 CVSS Score: 6.4 (Medium) Researcher/s: Ameen Alkurdy Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/088aead8-37bb-4277-81e0-b7e2c13e9072>
IFrame Shortcode <= 1.0.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Affected Software: IFrame Shortcode CVE ID: CVE-2023-29436 CVSS Score: 6.4 (Medium) Researcher/s: Mika Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/3f28b1b2-e751-423e-b4c5-893778eebf3f>
Stagtools <= 2.3.6 - Authenticated(Contributor+) Stored Cross-Site Scripting via shortcode
Affected Software: StagTools CVE ID: CVE-2023-0891 CVSS Score: 6.4 (Medium) Researcher/s: xplo1t Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/45754b5b-8f94-4806-a931-bb423450682c>
Weaver Xtreme Theme <= 5.0.7 - Authenticated(Contributor+) Stored Cross-Site Scripting via Display Name
Affected Software: Weaver Xtreme CVE ID: CVE-2023-1403 CVSS Score: 6.4 (Medium) Researcher/s: Ramuel Gall Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5b2bef63-c871-45e4-bb05-12bbba20ca5e>
Cryptocurrency All-in-One <= 3.0.19 - Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: Cryptocurrency All-in-One CVE ID: CVE-2023-29435 CVSS Score: 6.4 (Medium) Researcher/s: Mika Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7492cffe-6e17-4c59-8979-2fa168b4f41d>
Easy Sign Up <= 3.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Affected Software: Easy Sign Up CVE ID: CVE-2023-23701 CVSS Score: 6.4 (Medium) Researcher/s: Lana Codes Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/af718d65-9f8f-4ed8-80ed-e7ed34169016>
WCFM Membership <= 2.10.0 - Cross-Site Request Forgery
Affected Software: WCFM Membership – WooCommerce Memberships for Multivendor Marketplace CVE ID: CVE-2022-4941 CVSS Score: 6.3 (Medium) Researcher/s: Chloe Chamberland Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/3758db41-a3c5-436a-bb9a-5886f10d1519>
WCFM Marketplace <= 3.4.12 - Cross-Site Request Forgery
Affected Software: WCFM Marketplace – Best Multivendor Marketplace for WooCommerce CVE ID: CVE-2022-4936 CVSS Score: 6.3 (Medium) Researcher/s: Chloe Chamberland Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5c2cc9a3-cd20-4c9e-baa4-1aea69f84331>
Fancy Product Designer <= 4.6.9 - Insufficient Authorization on Mulitple AJAX Actions
Affected Software: Fancy Product Designer CVE ID: CVE-2021-4335 CVSS Score: 6.3 (Medium) Researcher/s: Ramuel Gall Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/644624d8-c193-4ee6-bc82-7ccda5d7f2ac>
WCFM Frontend Manager <= 6.5.13 - Cross-Site Request Forgery
Affected Software: WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible CVE ID: CVE-2022-4938 CVSS Score: 6.3 (Medium) Researcher/s: Chloe Chamberland Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/798b57ad-0922-435c-8b4d-8a96b388b314>
WCFM Frontend Manager <= 6.6.0 - Missing Authorization
Affected Software: WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible CVE ID: CVE-2022-4937 CVSS Score: 6.3 (Medium) Researcher/s: Chloe Chamberland Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d946d4b5-bed7-4808-b133-783b2dcd7992>
WP FEvents Book <= 0.46 - Authenticated (Subscriber+) Insecure Direct Object Reference to Booking Manipulation
Affected Software: WP FEvents Book CVE ID: CVE-2023-1129 CVSS Score: 6.3 (Medium) Researcher/s: Ameen Alkurdy Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f63d494c-1d1e-4faa-930a-3fcf2b136182>
The7 <= 11.6.0 - Reflected Cross-Site Scripting
Affected Software: The7 — Website and eCommerce Builder for WordPress CVE ID: CVE-2023-29100 CVSS Score: 6.1 (Medium) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/24c67243-0452-4820-bfb4-b7ac4804aa4b>
TheRoof <= 1.0.3 - Reflected Cross-Site Scripting
Affected Software: TheRoof CVE ID: CVE-2023-29430 CVSS Score: 6.1 (Medium) Researcher/s: FearZzZz Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/624d9627-0ffc-409f-beb7-60e80177aa9b>
Product Catalog Simple <= 1.6.17 - Reflected Cross-Site Scripting
Affected Software: Product Catalog Simple CVE ID: CVE-2023-29388 CVSS Score: 6.1 (Medium) Researcher/s: minhtuanact Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6cd58adb-31cd-49e2-9c9d-e248b4b0a778>
MyCryptoCheckout <= 2.123 - Reflected Cross-Site Scripting via url
Affected Software: MyCryptoCheckout – Bitcoin, Ethereum, and 175+ altcoins for WooCommerce CVE ID: CVE-2023-1546 CVSS Score: 6.1 (Medium) Researcher/s: Pablo Sanchez Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7633b5cd-0e8f-4744-bfee-d6d54a44c143>
Amelia <= 1.0.75 - Unauthenticated Reflected Cross-Site Scripting via 'code'
Affected Software: Appointment and Event Booking Calendar for WordPress – Amelia CVE ID: CVE-2023-29427 CVSS Score: 6.1 (Medium) Researcher/s: minhtuanact Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/8a41f96d-216f-4e5a-a28d-665b052666fb>
PropertyHive <= 1.5.46 - Reflected Cross-Site Scripting via 'merge_ids'
Affected Software: PropertyHive CVE ID: CVE-2023-29172 CVSS Score: 6.1 (Medium) Researcher/s: minhtuanact Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/9f395100-cf1f-4a3e-a353-1aec6b4e7448>
Ajax Search Pro <= 4.26.1 - Reflected Cross-Site Scripting
Affected Software: Ajax Search Pro CVE ID: CVE-2023-1435 CVSS Score: 6.1 (Medium) Researcher/s: Erwan LR Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c1a0d54f-08f7-4ec5-8cfe-6c4a6eb26748>
Outdoor <= 3.9.6 - Reflected Cross-Site Scripting
Affected Software: outdoor CVE ID: CVE-2023-29236 CVSS Score: 6.1 (Medium) Researcher/s: FearZzZz Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ef60f4c3-e38f-4f95-80cd-5e1f5512ebf5>
YourChannel <= 1.2.3 - Authenticated (Administrator+) Stored Cross-Site Scripting
Affected Software: YourChannel: Everything you want in a YouTube plugin. CVE ID: CVE-2023-1869 CVSS Score: 5.5 (Medium) Researcher/s: Marco Wotschka Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a81d5615-0b96-4d89-a525-7e80a10a9317>
YourChannel <= 1.2.3 - Cross-Site Request Forgery to Plugin Channel Reset
Affected Software: YourChannel: Everything you want in a YouTube plugin. CVE ID: CVE-2023-1866 CVSS Score: 5.4 (Medium) Researcher/s: Marco Wotschka Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/45851efe-2584-4b5e-8e4c-24f289d3bc32>
YourChannel <= 1.2.3 - Cross-Site Request Forgery to Plugin Settings Change
Affected Software: YourChannel: Everything you want in a YouTube plugin. CVE ID: CVE-2023-1867 CVSS Score: 5.4 (Medium) Researcher/s: Marco Wotschka Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/4c20db2d-f73d-4e52-a275-ab1975ae4b17>
Random Text <= 0.3.0 - Authenticated (Subscriber+) SQL Injection
Affected Software: Random Text CVE ID: CVE-2023-0388 CVSS Score: 5.4 (Medium) Researcher/s: Lana Codes Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6badba6d-1ff1-4d6f-bccf-1f0278edb17d>
Connections Business Directory <= 10.4.36 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Affected Software: Connections Business Directory CVE ID: CVE-2023-29437 CVSS Score: 5.4 (Medium) Researcher/s: Rafshanzani Suhada Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ae40fd4a-8448-48ea-9b31-067643972b44>
IMPress Listings <= 2.6.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Listing Fields
Affected Software: IMPress Listings CVE ID: CVE-2023-22711 CVSS Score: 5.4 (Medium) Researcher/s: Lana Codes Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d31b9022-ae45-4bc2-b820-fb88faf0796f>
YourChannel <= 1.2.3 - Cross-Site Request Forgery to Plugin Language Translation Reset
Affected Software: YourChannel: Everything you want in a YouTube plugin. CVE ID: CVE-2023-1871 CVSS Score: 5.4 (Medium) Researcher/s: Marco Wotschka Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f7ae863c-4638-49ab-bb1f-52346884c3aa>
User Registration <= 2.3.2.1 - Missing Authorization via send_test_email
Affected Software: User Registration – Custom Registration Form, Login Form And User Profile For WordPress CVE ID: CVE-2023-29429 CVSS Score: 5.3 (Medium) Researcher/s: Rafshanzani Suhada Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a671128a-74e6-4f92-94af-9e5e37ed7b7a>
Libsyn Publisher Hub <= 1.3.2 - Sensitive Information Exposure
Affected Software: Libsyn Publisher Hub CVE ID: CVE-2023-25057 CVSS Score: 5.3 (Medium) Researcher/s: yuyudhn Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/cbafdc15-cf42-4a12-bd79-5c602ce10625>
Email Subscription Popup <= 1.2.16 - Reflected Cross-Site Scripting
Affected Software: Email Subscription Popup CVE ID: CVE Unknown CVSS Score: 4.7 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/63b30d03-43d2-4696-aa36-8b39ec2c4ed0>
WPCode <= 2.0.8 - Cross-Site Request Forgery
Affected Software: WPCode – Insert Headers and Footers + Custom Code Snippets – WordPress Code Manager CVE ID: CVE-2023-1624 CVSS Score: 4.7 (Medium) Researcher/s: Erwan LR Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e52c53c1-4f04-4075-9329-d93fabf5a6ce>
Tiny carousel horizontal slider plus <= 3.2 - Authenticated (Administrator+) Stored Cross-Site Scripting
Affected Software: Tiny carousel horizontal slider plus CVE ID: CVE-2023-24418 CVSS Score: 4.4 (Medium) Researcher/s: yuyudhn Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/167ae586-1f18-43ac-a7c1-e67a00ce8787>
SMTP Mailing Queue <= 1.4.7 - Authenticated (Admin+) Stored Cross-Site Scripting
Affected Software: SMTP Mailing Queue CVE ID: CVE-2023-1090 CVSS Score: 4.4 (Medium) Researcher/s: jidle Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/1a0ba31d-d2d8-4614-8f77-a041c25c0519>
Sp*tify Play Button for WordPress <= 2.07 - Authenticated (Administrator+) Stored Cross-Site Scripting
Affected Software: Sp*tify Play Button for WordPress CVE ID: CVE-2023-1840 CVSS Score: 4.4 (Medium) Researcher/s: Marco Wotschka Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/308f6887-7c1c-4efd-85e2-b71bb6d26dab>
Optin Forms <= 1.3.1 - Authenticated (Administrator+) Stored Cross-Site Scripting
Affected Software: Optin Forms – Simple List Building Plugin for WordPress CVE ID: CVE-2023-29434 CVSS Score: 4.4 (Medium) Researcher/s: Rio Darmawan Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/3971c145-6dca-49af-bbb3-7ef4ce51507f>
Call Now Accessibility Button <= 1.1 - Authenticated (Administrator+) Cross-Site Scripting
Affected Software: Call Now Accessibility Button CVE ID: CVE Unknown CVSS Score: 4.4 (Medium) Researcher/s: Taliya Bilal Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/561821b3-e667-428a-9900-e93cab6019b6>
Site Reviews <= 6.7.0 - Authenticated (Administrator+) Stored Cross-Site Scripting
Affected Software: Site Reviews CVE ID: CVE-2023-1525 CVSS Score: 4.4 (Medium) Researcher/s: Shreya Pohekar Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5c31072d-9921-4bef-809c-b97a1020a2cf>
Cancel order request WooCommerce <= 1.3.2 - Authenticated (Administrator+) Stored Cross-Site Scripting
Affected Software: Cancel order request / Return order / Repeat Order / Reorder for WooCommerce CVE ID: CVE-2023-29423 CVSS Score: 4.4 (Medium) Researcher/s: MyungJu Kim Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7f49477f-7a43-489b-8d3c-db8d0efeb596>
Product Enquiry for WooCommerce <= 2.2.12 - Authenticated (Administrator+) Stored Cross-Site Scripting
Affected Software: Product Enquiry for WooCommerce, WooCommerce product catalog CVE ID: CVE-2023-29170 CVSS Score: 4.4 (Medium) Researcher/s: MyungJu Kim Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/889986f8-224e-4af4-a1d2-ef4b04a7e83f>
SimpleModal Contact Form (SMCF) <= 1.2.9 - Authenticated (Administrator+) Stored Cross-Site Scripting
Affected Software: SimpleModal Contact Form (SMCF) CVE ID: CVE-2023-29438 CVSS Score: 4.4 (Medium) Researcher/s: Rio Darmawan Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d8c19868-49c2-4ee2-883a-93549e65d41a>
Maps Widget for Google Maps <= 4.24 - Authenticated (Administrator+) Stored Cross-Site Scripting
Affected Software: Maps Widget for Google Maps CVE ID: CVE-2023-1913 CVSS Score: 4.4 (Medium) Researcher/s: Marco Wotschka Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/de871598-e4e7-49f6-8530-68243544c06c>
Hustle <= 7.6.4 = Authenticated (Administrator+) Stored Cross-Site Scripting
Affected Software: Hustle – Email Marketing, Lead Generation, Optins, Popups CVE ID: CVE Unknown CVSS Score: 4.4 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e74be387-1413-49c5-91c6-66e620562b42>
Product page shipping calculator for WooCommerce <= 1.3.20 - Authenticated (Administrator+) Stored Cross-Site Scripting
Affected Software: Product page shipping calculator for WooCommerce CVE ID: CVE-2023-29094 CVSS Score: 4.4 (Medium) Researcher/s: MyungJu Kim Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ed0a37cc-49db-4919-8d0d-cb7739332229>
Dynamics 365 Integration <= 1.3.13 - Missing Authorization via init
Affected Software: Dynamics 365 Integration CVE ID: CVE-2023-29422 CVSS Score: 4.3 (Medium) Researcher/s: minhtuanact Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/01cc3955-ef2f-4e2b-8dc6-b26f5a3d2f89>
WP Fastest Cache <= 1.1.2 - Cross-Site Request Forgery via 'wpfc_preload_single_save_settings_callback'
Affected Software: WP Fastest Cache CVE ID: CVE-2023-1919 CVSS Score: 4.3 (Medium) Researcher/s: Marco Wotschka Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/024f4058-065b-48b4-a08a-d9732d4375cd>
WP Fastest Cache <= 1.1.2 - Cross-Site Request Forgery via 'wpfc_clear_cache_of_allsites_callback'
Affected Software: WP Fastest Cache CVE ID: CVE-2023-1925 CVSS Score: 4.3 (Medium) Researcher/s: Marco Wotschka Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/096257a4-6ee9-41e1-8a59-4ffcd309f83c>
WP Fastest Cache <= 1.1.2 - Cross-Site Request Forgery via 'wpfc_start_cdn_integration_ajax_request_callback'
Affected Software: WP Fastest Cache CVE ID: CVE-2023-1921 CVSS Score: 4.3 (Medium) Researcher/s: Marco Wotschka Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/17c7c61d-c110-448e-ad8a-bc1c00393524>
WP Fastest Cache <= 1.1.2 - Cross-Site Request Forgery via 'wpfc_preload_single_callback'
Affected Software: WP Fastest Cache CVE ID: CVE-2023-1918 CVSS Score: 4.3 (Medium) Researcher/s: Marco Wotschka Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/1c8034ff-cf36-498f-9efc-a4e6bbb92b2c>
MasterStudy LMS WordPress Plugin <= 2.9.34 - Missing Authorization via wp_ajax_stm_wpcfto_get_settings
Affected Software: MasterStudy LMS WordPress Plugin – for Online Courses and Education CVE ID: CVE Unknown CVSS Score: 4.3 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/1ddcd2eb-fd7a-48b7-b9ea-3632d49e9734>
WP Fastest Cache <= 1.1.2 - Missing Authorization in 'wpfc_purgecache_varnish_callback'
Affected Software: WP Fastest Cache CVE ID: CVE-2023-1929 CVSS Score: 4.3 (Medium) Researcher/s: Marco Wotschka Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/1e567aec-07e5-494a-936d-93b40d3e3043>
Comment Reply Notification <= 1.4 - Cross-Site Request Forgery
Affected Software: Comment Reply Notification CVE ID: CVE-2023-25051 CVSS Score: 4.3 (Medium) Researcher/s: Mika Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/27eb0101-b3d1-458d-b7d7-69d92e3a4bb8>
PixTypes <= 1.4.14 - Cross-Site Request Forgery
Affected Software: PixTypes CVE ID: CVE-2023-25487 CVSS Score: 4.3 (Medium) Researcher/s: Mika Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/2ac7414c-8035-406a-ab1e-94d9f64e52fa>
Comments Ratings <= 1.1.6 - Cross-Site Request Forgery
Affected Software: Comments Ratings CVE ID: CVE-2023-23704 CVSS Score: 4.3 (Medium) Researcher/s: yuyudhn Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/2bbf9526-1a82-496e-b762-6fa114ba8d46>
PHP Compatibility Checker <= 1.5.2 - Cross-Site Request Forgery
Affected Software: PHP Compatibility Checker CVE ID: CVE-2023-24421 CVSS Score: 4.3 (Medium) Researcher/s: Mika Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/41fada19-c697-4078-825b-0bdf6a827b02>
qTranslate X Cleanup and WPML Import <= 3.0.1 - Cross-Site Request Forgery via clean_ajx
Affected Software: qTranslate X Cleanup and WPML Import CVE ID: CVE Unknown CVSS Score: 4.3 (Medium) Researcher/s: Lana Codes Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/43d534f8-fb1c-4170-a66e-2cef72cd40de>
WP Fastest Cache <= 1.1.2 - Cross-Site Request Forgery via 'wpfc_remove_cdn_integration_ajax_request_callback'
Affected Software: WP Fastest Cache CVE ID: CVE-2023-1923 CVSS Score: 4.3 (Medium) Researcher/s: Marco Wotschka Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/49ba5cfa-c2cc-49ac-b22d-7e36ccca6ac5>
WP Fastest Cache <= 1.1.2 - Cross-Site Request Forgery via 'deleteCssAndJsCacheToolbar'
Affected Software: WP Fastest Cache CVE ID: CVE-2023-1927 CVSS Score: 4.3 (Medium) Researcher/s: Marco Wotschka Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/4d3858f5-3f13-400c-acf4-eb3dc3a43308>
WP Fastest Cache <= 1.1.2 - Missing Authorization in 'wpfc_preload_single_callback'
Affected Software: WP Fastest Cache CVE ID: CVE-2023-1928 CVSS Score: 4.3 (Medium) Researcher/s: Marco Wotschka Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/56a90042-a6c0-4487-811b-ced23c97f9f4>
Spreadshop Plugin <= 1.6.5 - Cross-Site Request Forgery
Affected Software: Spreadshop Plugin CVE ID: CVE-2023-29426 CVSS Score: 4.3 (Medium) Researcher/s: Abdi Pranata Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7f15ac06-b5d3-4265-b69b-1d46b12a0522>
tencentcloud-cos <= 1.0.7 - Missing Authorization via AJAX actions
Affected Software: tencentcloud-cos CVE ID: CVE-2023-29433 CVSS Score: 4.3 (Medium) Researcher/s: Mika Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/91ea157f-7a74-427f-b1eb-a9187f2d9096>
Simple Job Board <= 2.10.3 - Cross-Site Request Forgery via sjb_save_settings_section
Affected Software: Simple Job Board CVE ID: CVE-2023-29440 CVSS Score: 4.3 (Medium) Researcher/s: Rafshanzani Suhada Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/9bbd528a-94fe-4979-b30f-02c6872db086>
WP Fastest Cache <= 1.1.2 - Cross-Site Request Forgery via 'wpfc_pause_cdn_integration_ajax_request_callback'
Affected Software: WP Fastest Cache CVE ID: CVE-2023-1922 CVSS Score: 4.3 (Medium) Researcher/s: Marco Wotschka Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a1743b26-861e-4a61-80de-b8cc82308228>
WP Fastest Cache <= 1.1.2 - Cross-Site Request Forgery via 'wpfc_toolbar_save_settings_callback'
Affected Software: WP Fastest Cache CVE ID: CVE-2023-1924 CVSS Score: 4.3 (Medium) Researcher/s: Marco Wotschka Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a87f610a-c1ef-4365-bd74-569989587d41>
WP Fastest Cache <= 1.1.2 - Missing Authorization in 'deleteCssAndJsCacheToolbar'
Affected Software: WP Fastest Cache CVE ID: CVE-2023-1931 CVSS Score: 4.3 (Medium) Researcher/s: Marco Wotschka Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b4bb2d72-ff31-4220-acb3-ed17bb9229b5>
WP Fastest Cache <= 1.1.2 - Cross-Site Request Forgery via 'deleteCacheToolbar'
Affected Software: WP Fastest Cache CVE ID: CVE-2023-1926 CVSS Score: 4.3 (Medium) Researcher/s: Marco Wotschka Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b793a4cb-3130-428e-9b61-8ce29fcdaf70>
WP Fastest Cache <= 1.1.2 - Missing Authorization in 'wpfc_clear_cache_of_allsites_callback'
Affected Software: WP Fastest Cache CVE ID: CVE-2023-1930 CVSS Score: 4.3 (Medium) Researcher/s: Marco Wotschka Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/bae67a68-4bd1-4b52-b3dd-af0eef014028>
qTranslate X Cleanup and WPML Import <= 3.0.1 - Missing Authorization via clean_ajx
Affected Software: qTranslate X Cleanup and WPML Import CVE ID: CVE-2023-29431 CVSS Score: 4.3 (Medium) Researcher/s: Lana Codes Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/bbe973a3-a8bf-4037-9067-7cc0987291fe>
YourChannel <= 1.2.3 - Cross-Site Request Forgery to Plugin Language Translation Update
Affected Software: YourChannel: Everything you want in a YouTube plugin. CVE ID: CVE-2023-1870 CVSS Score: 4.3 (Medium) Researcher/s: Marco Wotschka Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c1cec0b1-b77c-4d21-a3d2-c79fd3250bb0>
Product Feed PRO for WooCommerce <= 12.4.4 - Cross-Site Request Forgery
Affected Software: Product Feed PRO for WooCommerce CVE ID: CVE Unknown CVSS Score: 4.3 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c80833c3-8ffc-41a1-8d11-dafa962191fd>
WP Fastest Cache <= 1.1.2 - Cross-Site Request Forgery via 'wpfc_purgecache_varnish_callback'
Affected Software: WP Fastest Cache CVE ID: CVE-2023-1920 CVSS Score: 4.3 (Medium) Researcher/s: Marco Wotschka Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c8e90994-3b5c-4ae6-a27f-890a9101b440>
Superb Social Media Share Buttons and Follow Buttons <= 1.1.3 - Missing Authorization via spbsmAjax
Affected Software: Superb Social Media Share Buttons and Follow Buttons for WordPress CVE ID: CVE-2023-29428 CVSS Score: 4.3 (Medium) Researcher/s: Abdi Pranata Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ca4dead2-c6da-4613-8ce6-13699a7495a1>
HT Builder <= 1.2.9 - Cross-Site Request Forgery via plugin_activation
Affected Software: HT Builder – WordPress Theme Builder for Elementor CVE ID: CVE Unknown CVSS Score: 4.3 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/df413b9d-5c22-4276-a11b-4f193c48740d>
Superb Social Media Share Buttons and Follow Buttons <= 1.1.3 - Cross-Site Request Forgery via spbsmAjax
Affected Software: Superb Social Media Share Buttons and Follow Buttons for WordPress CVE ID: CVE Unknown CVSS Score: 4.3 (Medium) Researcher/s: abdi paranata Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ebea0ec0-f7ee-41c5-b0a5-a78e9cd11d41>
Front End Users <= 3.2.24 - Cross-Site Request Forgery
Affected Software: Front End Users CVE ID: CVE Unknown CVSS Score: 4.3 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ee13399f-0fc9-40f3-93f5-34c913d54aa0>
As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.
This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
The post Wordfence Intelligence Weekly WordPress Vulnerability Report (Apr 3, 2023 to Apr 9, 2023) appeared first on Wordfence.
Related
