Chloe ChamberlandWORDFENCE:08D8A15C5489A721855519959B74F93BWordfence Intelligence Weekly WordPress Vulnerability Report (August 14, 2023 to August 20, 2023)
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.001 Low
EPSS
Percentile
41.5%
Last week, there were 64 vulnerabilities disclosed in 67 WordPress Plugins and 10 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 37 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, and webhook integration are completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.
_Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published. _
New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
- Avada <= 7.11.1 - Authenticated(Contributor+) Server Side Request Forgery
- Avada <= 7.11.1 - Authenticated(Author+) Arbitrary File Upload via Zip Extraction
- Post Grid <= 2.2.50 - Missing Authorization to Sensitive Information Exposure via REST API
- WAF-RULE-627, data redacted while we work with the developer to ensure this gets patched.
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.
Total Unpatched & Patched Vulnerabilities Last Week
| Patch Status | Number of Vulnerabilities |
|---|---|
| Unpatched | 24 |
| Patched | 40 |
Total Vulnerabilities by CVSS Severity Last Week
| Severity Rating | Number of Vulnerabilities |
|---|---|
| Low Severity | 1 |
| Medium Severity | 50 |
| High Severity | 9 |
| Critical Severity | 4 |
Total Vulnerabilities by CWE Type Last Week
| Vulnerability Type by CWE | Number of Vulnerabilities |
|---|---|
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 26 |
| Missing Authorization | 12 |
| Cross-Site Request Forgery (CSRF) | 9 |
| Improper Privilege Management | 2 |
| Use of Less Trusted Source | 2 |
| Information Exposure | 2 |
| Deserialization of Untrusted Data | 1 |
| Server-Side Request Forgery (SSRF) | 1 |
| Improper Control of Generation of Code ('Code Injection') | 1 |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | 1 |
| URL Redirection to Untrusted Site ('Open Redirect') | 1 |
| Improper Authorization | 1 |
| Improper Access Control | 1 |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 1 |
| Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') | 1 |
| Weak Password Recovery Mechanism for Forgotten Password | 1 |
| Unrestricted Upload of File with Dangerous Type | 1 |
Researchers That Contributed to WordPress Security Last Week
| Researcher Name | Number of Vulnerabilities |
|---|---|
| Abdi Pranata | 5 |
| Marco Wotschka | |
| (Wordfence Vulnerability Researcher) | 4 |
| Lana Codes | |
| (Wordfence Vulnerability Researcher) | 4 |
| Mika | 4 |
| minhtuanact | 3 |
| thiennv | 3 |
| David | 2 |
| Truoc Phan | 2 |
| Rio Darmawan | 2 |
| LEE SE HYOUNG | 2 |
| Yuki Haruma | 2 |
| Muhammad Arsalan Diponegoro | 2 |
| Jonatas Souza Villa Flor | 1 |
| Ivy | 1 |
| Random Robbie | 1 |
| Nithissh S | 1 |
| TomS | 1 |
| NGÔ THIÊN AN | 1 |
| Le Ngoc Anh | 1 |
| Debangshu Kundu | 1 |
| Arpeet Rathi | 1 |
| Rafie Muhammad | 1 |
| Utkarsh Agrawal | 1 |
| Hung Duong | 1 |
| Bartłomiej Marek | 1 |
| Tomasz Swiadek | 1 |
| Prasanna V Balaji | 1 |
| Nguyen Xuan Chien | 1 |
| Elliot | 1 |
| Lokesh Dachepalli | 1 |
| Rafshanzani Suhada | 1 |
| Dmitrii Ignatyev | 1 |
| Dmitrii | 1 |
| Skalucy | 1 |
| yuyudhn | 1 |
| Francesco Carlucci | 1 |
| Jonas Höbenreich | 1 |
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
|---|---|
| 123.chat – 1:1 Live Video Chat Tool Plugin | 123-chat-videochat |
| Accordion Slider | accordion-slider |
| Accordion and Accordion Slider | accordion-and-accordion-slider |
| Advanced File Manager | file-manager-advanced |
| Album and Image Gallery plus Lightbox | album-and-image-gallery-plus-lightbox |
| BigBlueButton | bigbluebutton |
| Blog Designer – Post and Widget | blog-designer-for-post-and-widget |
| CLUEVO LMS, E-Learning Platform | cluevo-lms |
| CT Commerce | ct-commerce |
| Carrrot | carrrot |
| Cleverwise Daily Quotes | cleverwise-daily-quotes |
| Comments Like Dislike | comments-like-dislike |
| Contact form 7 Custom validation | cf7-field-validation |
| Cookies and Content Security Policy | cookies-and-content-security-policy |
| Cost Calculator Builder | cost-calculator-builder |
| Countdown Timer Ultimate | countdown-timer-ultimate |
| Custom Admin Login Page | WPZest |
| Donation Forms by Charitable – Donations Plugin & Fundraising Platform for WordPress | charitable |
| Donations Made Easy – Smart Donations | smart-donations |
| Doofinder WP & WooCommerce Search | doofinder-for-woocommerce |
| Dynamic Pricing and Discount Rules for WooCommerce | woo-conditional-discount-rules-for-checkout |
| Enhanced Ecommerce Google Analytics for WooCommerce | woo-ecommerce-tracking-for-google-and-facebook |
| Event Tickets with Ticket Scanner | event-tickets-with-ticket-scanner |
| GD Security Headers | gd-security-headers |
| InfiniteWP Client | iwp-client |
| JS Help Desk – Best Help Desk & Support Plugin | js-support-ticket |
| Kanban Boards for WordPress | kanban |
| Make Paths Relative | make-paths-relative |
| Media from FTP | media-from-ftp |
| Meta Slider and Carousel with Lightbox | meta-slider-and-carousel-with-lightbox |
| Orders Tracking for WooCommerce | woo-orders-tracking |
| Paid Memberships Pro CCBill Gateway | pmpro-ccbill |
| Password Reset with Code for WordPress REST API | bdvs-password-reset |
| Plausible Analytics | plausible-analytics |
| Portfolio Gallery – Responsive Image Gallery | gallery-portfolio |
| Portfolio and Projects | portfolio-and-projects |
| Post Ticker Ultimate | ticker-ultimate |
| Post grid and filter ultimate | post-grid-and-filter-ultimate |
| Products Quick View for WooCommerce | woocommerce-products-quick-view |
| Putler Connector for WooCommerce – Accurate Analytics and Reports for your WooCommerce Store | woocommerce-putler-connector |
| RSVPMaker | rsvpmaker |
| Schedule Posts Calendar | schedule-posts-calendar |
| Serial Codes Generator and Validator with WooCommerce Support | serial-codes-generator-and-validator |
| Simple Org Chart | simple-org-chart |
| Simple Staff List | simple-staff-list |
| Smart SEO Tool – SEO优化插件 | smart-seo-tool |
| Stripe Payment Plugin for WooCommerce | payment-gateway-stripe-and-woocommerce-integration |
| Tabs & Accordion | tabs |
| Team Slider and Team Grid Showcase plus Team Carousel | wp-team-showcase-and-slider |
| Testimonial Grid and Testimonial Slider plus Carousel with Rotator Widget | wp-testimonial-with-widget |
| Timeline and History slider | timeline-and-history-slider |
| Trending/Popular Post Slider and Widget | wp-trending-post-slider-and-widget |
| Typing Effect | animated-typing-effect |
| User Activity Log | user-activity-log |
| User Submitted Posts – Enable Users to Submit Posts from the Front End | user-submitted-posts |
| Video Gallery for YouTube Videos and WordPress | youtube-showcase |
| Video gallery and Player | html5-videogallery-plus-player |
| WP LINE Notify | wp-line-notify |
| WP Remote Users Sync | wp-remote-users-sync |
| WP VR – 360 Panorama and Virtual Tour Builder For WordPress | wpvr |
| WP-PostRatings | wp-postratings |
| WebLibrarian | weblibrarian |
| WooCommerce PDF Invoice Builder, Create invoices, packing slips and more | woo-pdf-invoice-builder |
| WordPress Mortgage Calculator Estatik | estatik-mortgage-calculator |
| fitness calculators plugin | fitness-calculators |
| tagDiv Composer | td-composer |
| wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin | wpdatatables |
WordPress Themes with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
|---|---|
| Aapna | aapna |
| Anand | anand |
| Anfaust | anfaust |
| Arendelle | arendelle |
| Atlast Business | [atlast-business](<https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-themes/Atlast Business>) |
| Bazaar Lite | [bazaar-lite](<https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-themes/Bazaar Lite>) |
| Brain Power | [brain-power](<https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-themes/Brain Power>) |
| BunnyPressLite | bunnypresslite |
| Cafe Bistro | [cafe-bistro](<https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-themes/Cafe Bistro>) |
| College | college |
Vulnerability Details
Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities.
Kanban Boards <= 2.5.21 - Authenticated (Administrator+) Remote Code Execution
Affected Software: Kanban Boards for WordPress CVE ID: CVE-2023-40606 CVSS Score: 9.8 (Critical) Researcher/s: TomS Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/3adea276-6b55-422d-adc9-a767f569181c>
Donation Forms by Charitable <= 1.7.0.12 - Unauthenticated Privilege Escalation
Affected Software: Donation Forms by Charitable – Donations Plugin & Fundraising Platform for WordPress CVE ID: CVE-2023-4404 CVSS Score: 9.8 (Critical) Researcher/s: Lana Codes Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/522ecc1c-5834-4325-9234-79cf712213f3>
Contact form 7 Custom validation <= 1.1.3 - Unauthenticated SQL Injection via 'post'
Affected Software: Contact form 7 Custom validation CVE ID: CVE-2023-40609 CVSS Score: 9.8 (Critical) Researcher/s: minhtuanact Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/dbfc52a4-6c9d-480b-9247-1513318ff84b>
Password Reset with Code for WordPress REST API <= 0.0.15 - Weak Password Recovery Mechanism
Affected Software: Password Reset with Code for WordPress REST API CVE ID: CVE-2023-35039 CVSS Score: 9.8 (Critical) Researcher/s: Jonas Höbenreich Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f44b9e6d-2f84-45f6-9f74-3f23b03c5a49>
WP Remote Users Sync <= 1.2.12 - Authenticated (Subscriber+) Server Side Request Forgery
Affected Software: WP Remote Users Sync CVE ID: CVE-2023-3958 CVSS Score: 8.5 (High) Researcher/s: Lana Codes Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/2e78c759-4a54-4ee4-8eff-df91fe9dad46>
InfiniteWP Client <= 1.11.1 - Authenticated (Subscriber+) Sensitive Information Exposure
Affected Software: InfiniteWP Client CVE ID: CVE-2023-2916 CVSS Score: 7.5 (High) Researcher/s: Lana Codes Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/aa157c80-447f-4406-9e49-9cc6208b7b19>
User Submitted Posts <= 20230809 - Unauthenticated Stored Cross-Site Scripting via 'user-submitted-content'
Affected Software: User Submitted Posts – Enable Users to Submit Posts from the Front End CVE ID: CVE-2023-4308 CVSS Score: 7.2 (High) Researcher/s: NGÔ THIÊN AN Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/3bb4d37c-c4c2-4523-9b4e-73ffb7be81ea>
tagDiv Composer <= 4.1 - Unauthenticated Stored Cross-Site Scripting
Affected Software: tagDiv Composer CVE ID: CVE-2023-3169 CVSS Score: 7.2 (High) Researcher/s: Truoc Phan Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6998cf4c-6086-402b-a95f-ee6a4980dffb>
Cleverwise Daily Quotes <= 3.2 - Reflected Cross-Site Scripting
Affected Software: Cleverwise Daily Quotes CVE ID: CVE-2023-40335 CVSS Score: 7.2 (High) Researcher/s: Yuki Haruma Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/71f7733a-1350-4e22-98d8-28be401aee69>
GD Security Headers <= 1.6.1 - Unauthenticated Cross-Site Scripting
Affected Software: GD Security Headers CVE ID: CVE-2023-40330 CVSS Score: 7.2 (High) Researcher/s: minhtuanact Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7ce32ecf-6995-4794-8559-2f84533ecf50>
RSVPMarker <= 10.6.5 - Unauthenticated Stored Cross-Site Scripting via 'email'
Affected Software: RSVPMaker CVE ID: CVE-2023-27616 CVSS Score: 7.2 (High) Researcher/s: Muhammad Arsalan Diponegoro Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/aaf0e58c-0430-44fe-980f-8ea469802c86>
Mortgage Calculator Estatik <= 2.0.7 - Unauthenticated Cross-Site Scripting
Affected Software: WordPress Mortgage Calculator Estatik CVE ID: CVE-2023-40601 CVSS Score: 7.2 (High) Researcher/s: thiennv Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/cb73e92b-b807-4406-b378-cef6cff9eb82>
JS Help Desk – Best Help Desk & Support Plugin <= 2.7.7 - Authenticated (Administrator+) Arbitrary File Upload
Affected Software: JS Help Desk – Best Help Desk & Support Plugin CVE ID: CVE-2023-25444 CVSS Score: 7.2 (High) Researcher/s: Abdi Pranata Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/fa75366a-651c-43d0-a32b-cdabf5b07b66>
wpDataTables - Tables & Table Charts <= 2.1.65 - Authenticated(Administrator+) PHP Object Injection
Affected Software: wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin CVE ID: CVE Unknown CVSS Score: 6.6 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/0c458644-a799-4bea-abcb-06a946dc19df>
Advanced File Manager <= 5.1 - Authenticated(Administrator+) Arbitrary File and Folder Access
Affected Software: Advanced File Manager CVE ID: CVE-2023-3814 CVSS Score: 6.6 (Medium) Researcher/s: Dmitrii Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ceba35c3-16b0-4366-b33c-603bdc2c1006>
Gallery Portfolio <= 1.4.6 - Missing Authorization via Multiple AJAX actions
Affected Software: Portfolio Gallery – Responsive Image Gallery CVE ID: CVE Unknown CVSS Score: 6.5 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/96112707-04ca-4647-9008-31954764486f>
Event Tickets with Ticket Scanner <= 1.5.4 - Authenticated (Subscriber+) Stored Cross-Site Scripting
Affected Software: Event Tickets with Ticket Scanner CVE ID: CVE Unknown CVSS Score: 6.4 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/2ec40d89-9caa-44dc-8577-00fa6463348c>
BigBlueButton <= 3.0.0-beta.4 - Authenticated (Author+) Stored Cross-Site Scripting
Affected Software: BigBlueButton CVE ID: CVE Unknown CVSS Score: 6.4 (Medium) Researcher/s: Marco Wotschka Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5f829d21-5347-46ec-9218-2b3cbe7d7b95>
Serial Codes Generator and Validator with WooCommerce Support <= 2.4.14 - Authenticated (Subscriber+) Stored Cross-Site Scripting
Affected Software: Serial Codes Generator and Validator with WooCommerce Support CVE ID: CVE Unknown CVSS Score: 6.4 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c4886822-3a05-45b3-ad1d-4d4a4f921817>
Typing Effect <= 1.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: Typing Effect CVE ID: CVE-2023-40605 CVSS Score: 6.4 (Medium) Researcher/s: yuyudhn Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/db12f986-580e-4e81-8bd2-124393e5d21b>
Media from FTP <= 11.16 - Authenticated (Author+) Improper Privilege Management
Affected Software: Media from FTP CVE ID: CVE-2023-4019 CVSS Score: 6.3 (Medium) Researcher/s: Dmitrii Ignatyev Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/9764d402-b8a2-43d5-882a-bc3886078b7f>
LINE Notify <= 1.4.4 - Reflected Cross-Site Scripting via 'uid'
Affected Software: WP LINE Notify CVE ID: CVE-2023-30497 CVSS Score: 6.1 (Medium) Researcher/s: Ivy Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/2b4e7c02-48d3-4271-a3bc-e7d3256b7217>
Multiple Themes (Various Versions) - Reflected Cross-Site Scripting via Search Field
Affected Software/s: College, Anfaust, Brain Power, BunnyPressLite, Bazaar Lite, Cafe Bistro, Arendelle, Anand, Atlast Business, Aapna CVE ID: CVE-2023-2813 CVSS Score: 6.1 (Medium) Researcher/s: Random Robbie Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/32253923-ffec-4312-bcdf-06c5aed77d30>
Plausible Analytics <= 1.3.3 - Reflected Cross-Site Scripting via page-url
Affected Software: Plausible Analytics CVE ID: CVE-2023-40553 CVSS Score: 6.1 (Medium) Researcher/s: Le Ngoc Anh Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/3ed6d5e6-1094-46ec-afb9-43c142f334ed>
WebLibrarian <= 3.5.8.1 - Reflected Cross-Site Scripting via multiple parameters
Affected Software: WebLibrarian CVE ID: CVE-2023-29441 CVSS Score: 6.1 (Medium) Researcher/s: LEE SE HYOUNG Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6b4b05a8-3a32-4fa9-9ff5-a2a62b11a05d>
Donations Made Easy – Smart Donations <= 4.0.12 - Unauthenticated Stored Cross-Site Scripting
Affected Software: Donations Made Easy – Smart Donations CVE ID: CVE-2023-40664 CVSS Score: 6.1 (Medium) Researcher/s: thiennv Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/799975aa-44fe-48dc-8ac9-469c89a03c67>
WP VR <= 8.3.4 - Reflected Cross-Site Scripting
Affected Software: WP VR – 360 Panorama and Virtual Tour Builder For WordPress CVE ID: CVE-2023-40663 CVSS Score: 6.1 (Medium) Researcher/s: LEE SE HYOUNG Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/fc08e4cf-3964-406e-9046-420e749df4b5>
Fitness calculators plugin <= 2.0.7 - Authenticated (Administrator+) Stored Cross-Site Scripting via admin settings
Affected Software: fitness calculators plugin CVE ID: CVE-2023-40552 CVSS Score: 5.5 (Medium) Researcher/s: Rio Darmawan Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/aafbdd50-c78b-4aad-a3e2-f1339d698e77>
Smart SEO Tool-WordPress SEO优化插件 <= 4.0.1 - Cross-Sitquest Forgery via 'wp_ajax_wb_smart_seo_tool'
Affected Software: Smart SEO Tool – SEO优化插件 CVE ID: CVE Unknown CVSS Score: 5.4 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/078d06ad-555b-4de4-a032-d81440c7dfb5>
Doofinder for WooCommerce <= 1.5.49 - Unauthenticated Open Redirect
Affected Software: Doofinder WP & WooCommerce Search CVE ID: CVE-2023-40602 CVSS Score: 5.4 (Medium) Researcher/s: minhtuanact Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7414779e-7241-4ab2-9b1f-34c3e1acc66b>
Cost Calculator Builder <= 3.1.42 - Improper Authorization
Affected Software: Cost Calculator Builder CVE ID: CVE-2023-40011 CVSS Score: 5.4 (Medium) Researcher/s: Rafshanzani Suhada Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/94d60fcb-a542-41a9-b6ac-6ac2607068aa>
WooCommerce Enhanced Ecommerce Analytics Integration with Conversion Tracking <= 3.7.1 - Cross-Site Request Forgery
Affected Software: Enhanced Ecommerce Google Analytics for WooCommerce CVE ID: CVE-2023-40561 CVSS Score: 5.4 (Medium) Researcher/s: Mika Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a3f7e1a4-88b2-4069-adb8-d51278b48234>
Putler Connector for WooCommerce <= 2.12.0 - Missing Authorization via 'putler_connector_sync_complete'
Affected Software: Putler Connector for WooCommerce – Accurate Analytics and Reports for your WooCommerce Store CVE ID: CVE-2023-40327 CVSS Score: 5.3 (Medium) Researcher/s: David Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/09a1388e-6c87-44cd-a137-4212b569423b>
Multiple WPOnlineSupport Plugins <= (Various Versions) - Missing Authorization to Notice Dismissal
Affected Software/s: Portfolio and Projects, Video gallery and Player, Testimonial Grid and Testimonial Slider plus Carousel with Rotator Widget, Accordion and Accordion Slider, Album and Image Gallery plus Lightbox, Meta Slider and Carousel with Lightbox, Blog Designer – Post and Widget, Trending/Popular Post Slider and Widget, Countdown Timer Ultimate, Post Ticker Ultimate, Team Slider and Team Grid Showcase plus Team Carousel, Post grid and filter ultimate, Timeline and History slider CVE ID: CVE-2023-40200 CVSS Score: 5.3 (Medium) Researcher/s: Abdi Pranata Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/2931fda2-edc8-44ea-9fff-ae9d94aa01bf>
Paid Memberships Pro CCBill Gateway <= 0.3 - Insufficient Authorization
Affected Software: Paid Memberships Pro CCBill Gateway CVE ID: CVE-2023-40608 CVSS Score: 5.3 (Medium) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/47bb46df-3ed6-4331-8c05-c76331aa6995>
Comments Like Dislike <= 1.2.0 - Missing Authorization to Authenticated (Subscriber+) Plugin Setting Reset
Affected Software: Comments Like Dislike CVE ID: CVE-2023-3244 CVSS Score: 5.3 (Medium) Researcher/s: Hung Duong Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/66019297-a8a8-4bbc-99db-4b47066f3e50>
WP-PostRatings <= 1.91 - IP Spoofing
Affected Software: WP-PostRatings CVE ID: CVE-2023-40332 CVSS Score: 5.3 (Medium) Researcher/s: Mika Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6aed9434-1681-47d6-bbc1-0815db548a24>
User Activity Log <= 1.6.6 - IP Address Spoofing
Affected Software: User Activity Log CVE ID: CVE-2023-4279 CVSS Score: 5.3 (Medium) Researcher/s: Bartłomiej Marek, Tomasz Swiadek Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/77462f1f-f7d8-4d11-aaf1-82395897fcfa>
Cookies and Content Security Policy <= 2.15 - Sensitive Information Exposure
Affected Software: Cookies and Content Security Policy CVE ID: CVE-2023-40662 CVSS Score: 5.3 (Medium) Researcher/s: Mika Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/79e68c5b-1f1a-4af3-acf4-1a38f2d72424>
Simple Org Chart <= 2.3.4 - Missing Authorization
Affected Software: Simple Org Chart CVE ID: CVE-2023-40603 CVSS Score: 5.3 (Medium) Researcher/s: Abdi Pranata Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c674ec32-7959-414a-8c31-3455bebb47bb>
Stripe Payment Plugin for WooCommerce <= 3.7.9 - Missing Authorization to Arbitrary Order Status Modification
Affected Software: Stripe Payment Plugin for WooCommerce CVE ID: CVE-2023-4040 CVSS Score: 5.3 (Medium) Researcher/s: Francesco Carlucci Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ef543c61-2acc-4b72-81ff-883960d4c7c3>
123.chat <= 1.3.0 - Authenticated(Administrator+) Stored Cross-Site Scripting
Affected Software: 123.chat – 1:1 Live Video Chat Tool Plugin CVE ID: CVE-2023-4298 CVSS Score: 4.4 (Medium) Researcher/s: Jonatas Souza Villa Flor Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/0a0ced4d-368d-4f12-9099-1f8c0b0fe245>
tagDiv Composer <= 4.1 - Authenticated (Admin+) Stored Cross-Site Scripting
Affected Software: tagDiv Composer CVE ID: CVE-2023-3170 CVSS Score: 4.4 (Medium) Researcher/s: Truoc Phan Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/3861f675-1a26-4947-91ef-8ab04646704f>
CT Commerce <= 2.0.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via admin settings
Affected Software: CT Commerce CVE ID: CVE-2023-40007 CVSS Score: 4.4 (Medium) Researcher/s: Nithissh S Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/399109be-7efe-428e-a9b8-7a68864b2790>
Schedule Posts Calendar <= 5.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via admin settings
Affected Software: Schedule Posts Calendar CVE ID: CVE-2023-40560 CVSS Score: 4.4 (Medium) Researcher/s: Rio Darmawan Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/61c815c2-a5ea-431c-bfde-c08a4eb5fda6>
WooCommerce PDF Invoice Builder <= 1.2.90 - Authenticated (Administrator+) Cross-Site Scripting
Affected Software: WooCommerce PDF Invoice Builder, Create invoices, packing slips and more CVE ID: CVE-2023-4160 CVSS Score: 4.4 (Medium) Researcher/s: Marco Wotschka Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6a765360-8603-4ba1-a6db-dd0175ff3ddf>
Carrot <= 1.1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting
Affected Software: Carrrot CVE ID: CVE-2023-40328 CVSS Score: 4.4 (Medium) Researcher/s: Prasanna V Balaji Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/77fa042d-1e4f-4344-bf5a-3860add7aae3>
Custom Admin Login Page | WPZest <= 1.2.0 - Authenticated (Administrator+) Stored Cross-Site Scripting
Affected Software: Custom Admin Login Page | WPZest CVE ID: CVE-2023-40329 CVSS Score: 4.4 (Medium) Researcher/s: Lokesh Dachepalli Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/906dcf2a-6be1-4966-9a70-1ef9a8f1017d>
RSVPMarker <= 10.6.5 - Authenticated (Administrator+) Stored Cross-Site Scripting via admin settings
Affected Software: RSVPMaker CVE ID: CVE-2023-27617 CVSS Score: 4.4 (Medium) Researcher/s: Muhammad Arsalan Diponegoro Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/cfb27513-61ad-4cf0-a471-0ab7aeb0801b>
Simple Staff List <= 2.2.3 - Authenticated (Editor+) Stored Cross-Site Scripting
Affected Software: Simple Staff List CVE ID: CVE-2023-28790 CVSS Score: 4.4 (Medium) Researcher/s: Yuki Haruma Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f5880581-3505-4851-b32f-cd2873072f73>
WooCommerce PDF Invoice Builder <= 1.2.89 - Missing Authorization to Sensitive Information Exposure
Affected Software: WooCommerce PDF Invoice Builder, Create invoices, packing slips and more CVE ID: CVE-2023-4245 CVSS Score: 4.3 (Medium) Researcher/s: Marco Wotschka Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/200fbfc1-df21-43b0-8eb1-b2ba0cc0c0df>
WP Remote Users Sync <= 1.2.11 - Missing Authorization to Authenticated (Subscriber+) Log View
Affected Software: WP Remote Users Sync CVE ID: CVE-2023-4374 CVSS Score: 4.3 (Medium) Researcher/s: Lana Codes Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/2e87cfc4-8e7c-47d6-80fc-9c293cdd8acb>
Putler Connector for WooCommerce <= 2.12.0 - Missing Authorization via 'send_resync_request'
Affected Software: Putler Connector for WooCommerce – Accurate Analytics and Reports for your WooCommerce Store CVE ID: CVE-2023-40326 CVSS Score: 4.3 (Medium) Researcher/s: David Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/38537f60-52f4-4007-b26f-6948b9263931>
Products Quick View for WooCommerce <= 2.2.0 - Missing Authorization
Affected Software: Products Quick View for WooCommerce CVE ID: CVE Unknown CVSS Score: 4.3 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/39c9f055-2527-4678-bda1-27a29ab24acd>
WooCommerce PDF Invoice Builder <= 1.2.90 - Cross-Site Request Forgery to Custom Field Creation
Affected Software: WooCommerce PDF Invoice Builder, Create invoices, packing slips and more CVE ID: CVE-2023-4161 CVSS Score: 4.3 (Medium) Researcher/s: Marco Wotschka Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/3b7aac1c-6962-49cf-850f-ab7b1d220090>
Accordion Slider <= 1.9.6 - Missing Authorization to Notice Dismissal
Affected Software: Accordion Slider CVE ID: CVE-2023-40331 CVSS Score: 4.3 (Medium) Researcher/s: Abdi Pranata Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/3dc69bba-39e0-46bd-8cdb-7cf1f7d36282>
CLUEVO LMS, E-Learning Platform <= 1.10.0 - Cross-Site Request Forgery
Affected Software: CLUEVO LMS, E-Learning Platform CVE ID: CVE-2023-40607 CVSS Score: 4.3 (Medium) Researcher/s: Debangshu Kundu, Arpeet Rathi Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/414165a3-78f8-4254-ac24-2de177cad3dd>
Schedule Posts Calendar <= 5.2 - Cross-Site Request Forgery
Affected Software: Schedule Posts Calendar CVE ID: CVE-2023-40556 CVSS Score: 4.3 (Medium) Researcher/s: Nguyen Xuan Chien Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7d4f490e-c86e-490e-8041-36c154b890aa>
Make Paths Relative <= 1.3.0 - Cross-Site Request Forgery via 'admin/class-make-paths-relative-admin.php'
Affected Software: Make Paths Relative CVE ID: CVE-2023-27433 CVSS Score: 4.3 (Medium) Researcher/s: Mika Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/85317781-7e77-4a78-af67-0a1dce39364c>
Simple Org Chart <= 2.3.4 - Cross-Site Request Forgery
Affected Software: Simple Org Chart CVE ID: CVE-2023-28791 CVSS Score: 4.3 (Medium) Researcher/s: Elliot Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/8d413350-f520-4dd9-af7d-e776628aef1d>
WooCommerce Dynamic Pricing and Discount Rules <= 2.4.0 - Cross-Site Request Forgery
Affected Software: Dynamic Pricing and Discount Rules for WooCommerce CVE ID: CVE-2023-40559 CVSS Score: 4.3 (Medium) Researcher/s: Skalucy Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d624f234-c57a-4a66-900d-362194a79d34>
Video Gallery & Management <= 3.3.5 - Cross-Site Request Forgery
Affected Software: Video Gallery for YouTube Videos and WordPress CVE ID: CVE-2023-40558 CVSS Score: 4.3 (Medium) Researcher/s: thiennv Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e226d75f-37b2-4af2-bba0-0fd3a96cc1a0>
Tabs & Accordion <= 1.3.10 - Authenticated (Contributor+) Content Injection
Affected Software: Tabs & Accordion CVE ID: CVE-2023-40557 CVSS Score: 4.3 (Medium) Researcher/s: Abdi Pranata Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/eaead805-b122-4418-a4a0-cf1b0925f3c3>
Orders Tracking for WooCommerce <= 1.2.5 - Authenticated (Administrator+) Directory Traversal via 'file_url'
Affected Software: Orders Tracking for WooCommerce CVE ID: CVE-2023-4216 CVSS Score: 2.7 (Low) Researcher/s: Utkarsh Agrawal Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5a62e8b2-7606-4842-8be5-dff8634539d0>
As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.
This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
The post Wordfence Intelligence Weekly WordPress Vulnerability Report (August 14, 2023 to August 20, 2023) appeared first on Wordfence.
Related
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.001 Low
EPSS
Percentile
41.5%