Wordfence Intelligence Weekly WordPress Vulnerability Report (October 16, 2023 to October 22, 2023)

Chloe Chamberland, www.wordfence.com, 2023-10-26 18:41:12

Last week, 109 vulnerabilities disclosed in 95 WordPress plugins and 1 WordPress theme were added to the Wordfence Intelligence Vulnerability Database, and 39 vulnerability researchers contributed to WordPress security. Review the vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API and webhook integration are completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Individuals and Enterprises can use the vulnerability Database API to receive a complete dump of our database of over 12,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

_Click here to sign up for our mailing list to receive weekly vulnerability reports like this one, and important WordPress security reports, in your inbox the moment they are published._


Total Unpatched & Patched Vulnerabilities Last Week

| Patch Status | Number of Vulnerabilities |
|---|---|
| Unpatched | 68 |
| Patched | 41 |

Total Vulnerabilities by CVSS Severity Last Week

| Severity Rating | Number of Vulnerabilities |
|---|---|
| Low Severity | 1 |
| Medium Severity | 91 |
| High Severity | 15 |
| Critical Severity | 2 |

Total Vulnerabilities by CWE Type Last Week

| Vulnerability Type by CWE | Number of Vulnerabilities |
|---|---|
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 47 |
| Cross-Site Request Forgery (CSRF) | 25 |
| Missing Authorization | 17 |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 4 |
| Unrestricted Upload of File with Dangerous Type | 3 |
| Improper Authorization | 3 |
| Information Exposure | 3 |
| Deserialization of Untrusted Data | 2 |
| Authorization Bypass Through User-Controlled Key | 1 |
| Server-Side Request Forgery (SSRF) | 1 |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | 1 |
| Improper Privilege Management | 1 |
| Authentication Bypass by Primary Weakness | 1 |

Researchers That Contributed to WordPress Security Last Week

| Researcher Name | Number of Vulnerabilities |
|---|---|
| LEE SE HYOUNG | 14 |
| Lana Codes (Wordfence Vulnerability Researcher) | 12 |
| Rafie Muhammad | 8 |
| Abdi Pranata | 7 |
| Mika | 5 |
| Nguyen Xuan Chien | 4 |
| thiennv | 4 |
| Francesco Carlucci | 4 |
| Le Ngoc Anh | 4 |
| Rio Darmawan | 3 |
| Marco Wotschka (Wordfence Vulnerability Researcher) | 3 |
| Revan Arifio | 3 |
| Jonas Höbenreich | 2 |
| Emili Castells | 2 |
| Skalucy | 2 |
| Shuning Xu | 1 |
| qilin_99 | 1 |
| niclo | 1 |
| Ala Arfaoui | 1 |
| Taihei Shimamine | 1 |
| Milad Hacking | 1 |
| Alexander Concha | 1 |
| NGÔ THIÊN AN | 1 |
| Phd | 1 |
| Alex Thomas (Wordfence Vulnerability Researcher) | 1 |
| minhtuanact | 1 |
| Nguyen Anh Tien | 1 |
| DoYeon Park | 1 |
| Dimas Maulana | 1 |
| emad | 1 |
| juweihuitao | 1 |
| Dmitrii Ignatyev | 1 |
| Krzysztof Zając | 1 |
| Elliot | 1 |
| Theodoros Malachias | 1 |
| trein | 1 |
| TP Cyber Security | 1 |
| Rafshanzani Suhada | 1 |
| Joshua Chan | 1 |

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added to the Wordfence Intelligence leaderboard, along with a mention in our weekly vulnerability report.


WordPress Plugins with Reported Vulnerabilities Last Week

| Software Name | Software Slug |
|---|---|
| 404 Solution | 404-solution |
| Add Custom Body Class | add-custom-body-class |
| Add Shortcodes Actions And Filters | add-actions-and-filters |
| Advanced Local Pickup for WooCommerce | advanced-local-pickup-for-woocommerce |
| Ajax Archive Calendar | ajax-archive-calendar |
| ApplyOnline – Application Form Builder and Manager | apply-online |
| Appointment Calendar | appointment-calendar |
| Archivist – Custom Archive Templates | archivist-custom-archive-templates |
| Ashe Extra | ashe-extra |
| Auto Login New User After Registration | auto-login-new-user-after-registration |
| BetterLinks – Shorten, Track and Manage any URL | betterlinks |
| Booster for WooCommerce | woocommerce-jetpack |
| Broken Link Checker Finder | |
| CPO Shortcodes | cpo-shortcodes |
| Category SEO Meta Tags | category-seo-meta-tags |
| Comments – wpDiscuz | wpdiscuz |
| Contact Form Builder, Contact Widget | contact-forms-builder |
| Contact Form builder with drag & drop for WordPress – Kali Forms | kali-forms |
| Custom post types, Custom Fields & more | custom-post-types |
| DX Delete Attached Media | dx-delete-attached-media |
| Delete Usermetas | delete-usermetas |
| Duplicate Theme | duplicate-theme |
| E2Pdf – Export To Pdf Tool for WordPress | e2pdf |
| EG-Attachments | eg-attachments |
| Envo Extra | envo-extra |
| Eonet Manual User Approve | eonet-manual-user-approve |
| EventON | eventon-lite |
| Freesoul Deactivate Plugins – Plugin manager and cleanup | freesoul-deactivate-plugins |
| FreshMail For WordPress | freshmail-integration |
| GeoDirectory – WordPress Business Directory Plugin, or Classified Directory | geodirectory |
| Grid Plus – Unlimited grid layout | grid-plus |
| Headline Analyzer | headline-analyzer |
| Icons Font Loader | icons-font-loader |
| Internal Link Building | internal-link-building-plugin |
| Just Custom Fields | just-custom-fields |
| Lava Directory Manager | lava-directory-manager |
| MW WP Form | mw-wp-form |
| Maileon for WordPress | xqueue-maileon |
| Mediabay – Media Library Folders | mediabay-lite |
| Minimum Purchase for WooCommerce | minimum-purchase-for-woocommerce |
| Modern Footnotes | modern-footnotes |
| Motors – Car Dealer, Classifieds & Listing | motors-car-dealership-classified-listings |
| Novo-Map : your WP posts on custom google maps | novo-map |
| Open Graph Metabox | open-graph-metabox |
| Popup by Supsystic | popup-by-supsystic |
| Post Meta Data Manager | post-meta-data-manager |
| Product Category Tree | product-category-tree |
| Protección de Datos RGPD | click-datos-lopd |
| Recip.ly Plugin | reciply |
| Rocket Font | rocket-font |
| SALESmanago | salesmanago |
| Simple Calendar – Google Calendar Plugin | google-calendar-events |
| Simple Table Manager | simple-table-manager |
| Skype Legacy Buttons | skype-online-status |
| Smart App Banner | smart-app-banner |
| Smart Online Order for Clover | clover-online-orders |
| Smooth Scroll Links [SSL] | smooth-scrolling-links-ssl |
| Social Media Share Buttons & Social Sharing Icons | ultimate-social-media-icons |
| Social proof testimonials and reviews by Repuso | social-testimonials-and-reviews-widget |
| Soisy Pagamento Rateale | soisy-pagamento-rateale |
| Super Testimonials | super-testimonial |
| TCD Google Maps | tcd-google-maps |
| Tab Ultimate | tabs-pro |
| Taggbox – UGC Galleries, Social Media Widgets, User Reviews & Analytics | taggbox-widget |
| Team Showcase | team-showcase |
| Templately – Templates Cloud for Elementor & Gutenberg : 4000+ Free & Premium Designs! | templately |
| The Awesome Feed – Custom Feed | wp-facebook-feed |
| Theme Blvd Shortcodes | theme-blvd-shortcodes |
| Theme Switcha – Easily Switch Themes for Development and Testing | theme-switcha |
| Thumbnail Slider With Lightbox | wp-responsive-slider-with-lightbox |
| Track Google Analytics 4, Facebook Pixel & Conversions API via Google Tag Manager for WooCommerce | enhanced-e-commerce-for-woocommerce-store |
| Triberr | triberr-wordpress-plugin |
| Ultimate Addons for WPBakery | Ultimate_VC_Addons |
| User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds | userfeedback-lite |
| Userback | userback |
| WC Captcha | wc-captcha |
| WC Serial Numbers – Ultimate License Manager Plugin for Selling, Licensing & Securely Delivering Digital Products with WooCommerce | wc-serial-numbers |
| WDSocialWidgets | spider-facebook |
| WOLF – WordPress Posts Bulk Editor and Manager Professional | bulk-editor |
| WP EXtra | wp-extra |
| WP Full Stripe Free | wp-full-stripe-free |
| WP Hotel Booking | wp-hotel-booking |
| WP Post Columns | wp-post-columns |
| WP Radio – Worldwide Online Radio Stations Directory for WordPress | wp-radio |
| Web Push Notifications – Webpushr | webpushr-web-push-notifications |
| Webmaster Tools | webmaster-tools |
| WhatsApp Share Button | whatsapp |
| Who Hit The Page – Hit Counter | who-hit-the-page-hit-counter |
| Widgets for Google Reviews | wp-reviews-plugin-for-google |
| WooCommerce Ninja Forms Product Add-ons | woocommerce-ninjaforms-product-addons |
| WooCommerce PDF Invoice Builder, Create invoices, packing slips and more | woo-pdf-invoice-builder |
| WooCommerce Stripe Payment Gateway | woocommerce-gateway-stripe |
| Wp Ultimate Review | wp-ultimate-review |
| iPanorama 360 – WordPress Virtual Tour Builder | ipanorama-360-virtual-tour-builder-lite |
| mpOperationLogs | mpoperationlogs |

WordPress Themes with Reported Vulnerabilities Last Week

| Software Name | Software Slug |
|---|---|
| themify-ultra | themify-ultra |

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site with the scanner enabled, you should already have been notified if your site was affected by any of these vulnerabilities. If you'd like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to use.

Recip.ly <= 1.1.7 - Unauthenticated Arbitrary File Upload in uploadImage.php

Affected Software: Recip.ly Plugin
CVE ID: CVE-2011-10004
CVSS Score: 9.8 (Critical)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/068da172-629d-422a-bcd5-1b73af2a5933>


WooCommerce Ninja Forms Product Add-ons <= 1.7.0 - Unauthenticated Arbitrary File Upload

Affected Software: WooCommerce Ninja Forms Product Add-ons
CVE ID: CVE-2023-5601
CVSS Score: 9.8 (Critical)
Researcher/s: Alexander Concha
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/601d70ff-2e0e-403b-9c58-130d378a8240>


Themify Ultra <= 7.3.3 - Authenticated (Subscriber+) PHP Object Injection

Affected Software: themify-ultra
CVE ID: CVE-2023-46147
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/17c6a91c-e2a6-4f17-b145-145e9e7a0079>


iPanorama 360 – WordPress Virtual Tour Builder <= 1.8.0 - Authenticated (Contributor+) SQL Injection via Shortcode

Affected Software: iPanorama 360 – WordPress Virtual Tour Builder
CVE ID: CVE-2023-5336
CVSS Score: 8.8 (High)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/3566b602-c991-488f-9de2-57236c4735b5>


Icons Font Loader <= 1.1.2 - Authenticated (Subscriber+) SQL Injection

Affected Software: Icons Font Loader
CVE ID: CVE-2023-46084
CVSS Score: 8.8 (High)
Researcher/s: minhtuanact
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/8564fc82-ff23-44b6-91b0-d63e6afb1a73>


Themify Ultra <= 7.3.3 - Privilege Escalation

Affected Software: themify-ultra
CVE ID: CVE-2023-46145
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/cc994b2a-b3da-4edc-ada3-1150065efd30>


Webpushr <= 4.34.0 - Cross-Site Request Forgery to Local File Inclusion via menu

Affected Software: Web Push Notifications – Webpushr
CVE ID: CVE-2023-35041
CVSS Score: 8.8 (High)
Researcher/s: Theodoros Malachias
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e140973b-d37c-45bf-aed2-9223bd812957>


Themify Ultra <= 7.3.3 - Authenticated (Subscriber+) Arbitrary File Upload

Affected Software: themify-ultra
CVE ID: CVE-2023-46149
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ed5251e7-64d2-4210-9864-144952a49327>


Soisy Pagamento Rateale <= 6.0.1 - Missing Authorization to Sensitive Information Exposure

Affected Software: Soisy Pagamento Rateale
CVE ID: CVE-2023-5132
CVSS Score: 7.5 (High)
Researcher/s: Francesco Carlucci
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d3c997cd-37b4-4b9c-b99e-397be484aa36>


Advanced Local Pickup for WooCommerce <= 1.5.5 - Authenticated (Administrator+) SQL Injection

Affected Software: Advanced Local Pickup for WooCommerce
CVE ID: CVE-2023-2841
CVSS Score: 7.2 (High)
Researcher/s: Marco Wotschka
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/125e7ea3-574a-4760-b10b-7a98d94c87a5>


GeoDirectory <= 2.3.28 - Authenticated (Administrator+) SQL Injection via orderby

Affected Software: GeoDirectory – WordPress Business Directory Plugin, or Classified Directory
CVE ID: CVE Unknown
CVSS Score: 7.2 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/3bcd61d4-4775-4297-b7f5-664991fcd6d2>


Lava Directory Manager <= 1.1.34 - Unauthenticated Stored Cross-Site Scripting via New Listing

Affected Software: Lava Directory Manager
CVE ID: CVE-2023-46081
CVSS Score: 7.2 (High)
Researcher/s: Emili Castells
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/3bf669ed-ea31-4144-96b3-b1f29057b86d>


Motors – Car Dealer & Classified Ads <= 1.4.6 - Server Side Request Forgery

Affected Software: Motors – Car Dealer, Classifieds & Listing
CVE ID: CVE-2023-46207
CVSS Score: 7.2 (High)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/437423f0-978f-4c7c-9ec3-40668c630c93>


User Feedback <= 1.0.9 - Unauthenticated Cross-Site Scripting

Affected Software: User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds
CVE ID: CVE-2023-46153
CVSS Score: 7.2 (High)
Researcher/s: Dimas Maulana
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/abc056b0-55a2-439c-b7f6-4a2fc48c9823>


MpOperationLogs <= 1.0.1 - Unauthenticated Stored Cross-Site Scripting

Affected Software: mpOperationLogs
CVE ID: CVE-2023-5538
CVSS Score: 7.2 (High)
Researcher/s: juweihuitao
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/bc5f1b00-acee-4dc8-acd7-2d3f3493f253>


E2Pdf <= 1.20.18 - Authenticated (Administrator+) PHP Object Injection

Affected Software: E2Pdf – Export To Pdf Tool for WordPress
CVE ID: CVE-2023-46154
CVSS Score: 7.2 (High)
Researcher/s: trein
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ea7f654b-88d1-4ed8-bab0-701e2e66e060>


Ultimate Addons for WPBakery Page Builder <= 3.19.14 - Authenticated (Contributor+) Local File Inclusion

Affected Software: Ultimate Addons for WPBakery
CVE ID: CVE-2023-46205
CVSS Score: 7.1 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5222ce69-ac9f-4bb0-9832-8cdff1f8b078>


BetterLinks <= 1.6.0 - Improper Authorization to Data Import and Export

Affected Software: BetterLinks – Shorten, Track and Manage any URL
CVE ID: CVE-2023-45104
CVSS Score: 6.5 (Medium)
Researcher/s: Nguyen Anh Tien
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/92b8829e-a8eb-4fdb-a772-9efbb5aaeb6c>


Headline Analyzer <= 1.3.1 - Missing Authorization via REST APIs

Affected Software: Headline Analyzer
CVE ID: CVE-2023-46195
CVSS Score: 6.5 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a057ad05-0ed7-48c4-9dc1-0e7b1d3cb270>


Templately <= 2.2.5 - Improper Authorization to Arbitrary Post Deletion

Affected Software: Templately – Templates Cloud for Elementor & Gutenberg : 4000+ Free & Premium Designs!
CVE ID: CVE-2023-5454
CVSS Score: 6.5 (Medium)
Researcher/s: Krzysztof Zając
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c74553c0-366e-44d7-8c4a-161a05ef02b4>


Social Media Share Buttons & Social Sharing Icons <= 2.8.5 - Information Exposure

Affected Software: Social Media Share Buttons & Social Sharing Icons
CVE ID: CVE-2023-5070
CVSS Score: 6.5 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e9e43c5b-a094-44ab-a8a3-52d437f0e00d>


Tab Ultimate <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Tab Ultimate
CVE ID: CVE-2023-5667
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/08220b23-d6fa-4005-bbbb-019412d328a5>


Theme Switcha <= 3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Theme Switcha – Easily Switch Themes for Development and Testing
CVE ID: CVE-2023-5614
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/2b0937fe-3ea6-427a-aef7-539c08687abb>


Minimum Purchase for WooCommerce <= 2.0.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Minimum Purchase for WooCommerce
CVE ID: CVE-2023-30492
CVSS Score: 6.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/4633c5b1-a6e3-4ee8-94ca-8afa8ff16a35>


TCD Google Maps <= 1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: TCD Google Maps
CVE ID: CVE-2023-5128
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/50f6d0aa-059d-48d9-873b-6404f288f002>


Super Testimonials <= 2.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Super Testimonials
CVE ID: CVE-2023-5613
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/52659f1c-642e-4c88-b3d0-d5c5a206b11c>


Ajax Archive Calendar <= 2.6.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Ajax Archive Calendar
CVE ID: CVE-2023-46069
CVSS Score: 6.4 (Medium)
Researcher/s: NGÔ THIÊN AN
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/664d22f2-b7a3-42df-9530-4040160ead2c>


WhatsApp Share Button <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: WhatsApp Share Button
CVE ID: CVE-2023-5668
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/77911b0f-c028-49ae-b85e-15909d806e30>


Theme Blvd Shortcodes <= 1.6.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Theme Blvd Shortcodes
CVE ID: CVE-2023-5338
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/88809668-ea6b-41df-b2a7-ffe03a931c86>


Ultimate Addons for WPBakery Page Builder <= 3.19.14 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Ultimate Addons for WPBakery
CVE ID: CVE-2023-46211
CVSS Score: 6.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/90a8230f-7008-48af-a1a9-fbaf38dcb21c>


Skype Legacy Buttons <= 3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Skype Legacy Buttons
CVE ID: CVE-2023-5615
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/914bcc8f-fecd-450e-b2a7-0989b7a0dd4c>


Add Custom Body Class <= 1.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Add Custom Body Class
CVE ID: CVE-2023-5205
CVSS Score: 6.4 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/9841b57b-b869-4282-8781-60538f6f269f>


Mediabay <= 1.6 - Authenticated (Editor+) Stored Cross-Site Scripting Vulnerability

Affected Software: Mediabay – Media Library Folders
CVE ID: CVE-2023-46066
CVSS Score: 6.4 (Medium)
Researcher/s: emad
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b1954340-397c-4cc0-ba9d-d698d94ea608>


Modern Footnotes <= 1.4.16 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Modern Footnotes
CVE ID: CVE-2023-5618
CVSS Score: 6.4 (Medium)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c20c674f-54b5-470f-b470-07a63501eb4d>


Team Showcase <= 2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Team Showcase
CVE ID: CVE-2023-5639
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d3b26060-294e-4d4c-9295-0b08f533d5c4>


WP Post Columns <= 2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: WP Post Columns
CVE ID: CVE-2023-5708
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d96e5986-8c89-4e7e-aa63-f41aa13eeff4>


Booster for WooCommerce <= 7.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Booster for WooCommerce
CVE ID: CVE-2023-5638
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f0257620-3a0e-4011-9378-7aa423e7c0b2>


CPO Shortcodes <= 1.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: CPO Shortcodes
CVE ID: CVE-2023-5704
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f8ba38c3-51d2-43a7-89ff-c72a8edc946b>


The Awesome Feed – Custom Feed <= 2.2.5 - Reflected Cross-Site Scripting

Affected Software: The Awesome Feed – Custom Feed
CVE ID: CVE-2023-46077
CVSS Score: 6.1 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/01878991-37c7-4c7b-b68c-d59ca66521e7>


EventON <= 2.2.2 - Reflected Cross-Site Scripting

Affected Software: EventON
CVE ID: CVE-2023-4635
CVSS Score: 6.1 (Medium)
Researcher/s: Shuning Xu
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/115ad0b2-febe-485a-8fb5-9bd6edc37ef7>


Motors – Car Dealer & Classified Ads <= 1.4.6 - Reflected Cross-Site Scripting

Affected Software: Motors – Car Dealer, Classifieds & Listing
CVE ID: CVE-2023-46208
CVSS Score: 6.1 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/1f06b855-c1e1-4378-a340-9dda2919fb83>


Contact Form Builder, Contact Widget <= 2.1.6 - Reflected Cross-Site Scripting

Affected Software: Contact Form Builder, Contact Widget
CVE ID: CVE-2023-46075
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/43ea0665-2c6e-4c78-8bc5-056f47f190ab>


Add Shortcodes Actions And Filters <= 2.0.9 - Reflected Cross-Site Scripting

Affected Software: Add Shortcodes Actions And Filters
CVE ID: CVE-2023-46072
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/44cb21f9-467a-4119-99fb-5cd21166a334>


Smart Online Order for Clover <= 1.5.4 - Reflected Cross-Site Scripting

Affected Software: Smart Online Order for Clover
CVE ID: CVE-2023-46312
CVSS Score: 6.1 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5f1e0dfa-f99a-43d1-bdc9-6fc7a4ea381d>


Conversios.io <= 6.5.3 - Reflected Cross-Site Scripting

Affected Software: Track Google Analytics 4, Facebook Pixel & Conversions API via Google Tag Manager for WooCommerce
CVE ID: CVE-2023-46094
CVSS Score: 6.1 (Medium)
Researcher/s: Phd
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6ad84e6e-5498-4bf1-b662-15b7628ceba2>


Grid Plus <= 1.3.2 - Reflected Cross-Site Scripting via grid_id

Affected Software: Grid Plus – Unlimited grid layout
CVE ID: CVE-2023-46209
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6b213baa-8508-4eb2-ac09-d320e2b4276c>


Spider Facebook <= 1.0.15 - Reflected Cross-Site Scripting

Affected Software: WDSocialWidgets
CVE ID: CVE-2023-46090
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a74d6b36-e0f1-4cfb-b1e9-0573081ed975>


EG-Attachments <= 2.1.3 - Reflected Cross-Site Scripting via 'paged'

Affected Software: EG-Attachments
CVE ID: CVE-2023-46070
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b63ccc9a-222d-4119-909b-d04bab78d663>


Archivist – Custom Archive Templates <= 1.7.5 - Reflected Cross-Site Scripting

Affected Software: Archivist – Custom Archive Templates
CVE ID: CVE-2023-46194
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e3f59671-0db2-4acf-8e97-a0ead518bebd>


FreshMail For WordPress <= 2.3.2 - Reflected Cross-Site Scripting

Affected Software: FreshMail For WordPress
CVE ID: CVE-2023-46074
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e87fe70d-5ac3-40ee-a8d0-601d7b417562>


Protección de Datos RGPD <= 3.1.0 - Reflected Cross-Site Scripting

Affected Software: Protección de Datos RGPD
CVE ID: CVE-2023-46071
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/eaebcae4-cdf5-4eb7-9246-07185fe62d07>


WooCommerce PDF Invoice Builder <= 1.2.101 - Reflected Cross-Site Scripting

Affected Software: WooCommerce PDF Invoice Builder, Create invoices, packing slips and more
CVE ID: CVE-2023-46076
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/fb0d093b-c339-4b19-a6cd-d2589b8e57ff>


Appointment Calendar <= 2.9.6 - Cross-Site Request Forgery

Affected Software: Appointment Calendar
CVE ID: CVE-2023-46198
CVSS Score: 5.4 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/06a92619-5281-414e-8846-be0db38df89d>


Themify Ultra <= 7.3.3 - Missing Authorization

Affected Software: themify-ultra
CVE ID: CVE-2023-46148
CVSS Score: 5.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5cf17465-59a9-475d-bd1a-9e3623190926>


Stripe Gateway <= 7.6.0 - Cross-Site Request Forgery

Affected Software: WooCommerce Stripe Payment Gateway
CVE ID: CVE-2023-44999
CVSS Score: 5.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/8e4ad8fa-b04c-4821-aadb-3120f824557f>


Themify Ultra <= 7.3.3 - Missing Authorization

Affected Software: themify-ultra
CVE ID: CVE-2023-46146
CVSS Score: 5.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a32f50f7-d271-45f6-9a73-838a8dcb901f>


Taggbox <= 2.9 - Missing Authorization

Affected Software: Taggbox – UGC Galleries, Social Media Widgets, User Reviews & Analytics
CVE ID: CVE-2023-33215
CVSS Score: 5.4 (Medium)
Researcher/s: Jonas Höbenreich
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d970a9f6-69f6-42d2-b863-82b8110e52c3>


WP Hotel Booking <= 2.0.7 - Missing Authorization to (Subscriber+) Arbitrary Post Deletion

Affected Software: WP Hotel Booking
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/0439d2ee-7742-4aa7-ba4e-db55c6b2718e>


Post Meta Data Manager <= 1.2.0 - Missing Authorization to Post, Term, and User Meta Deletion

Affected Software: Post Meta Data Manager
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/1958c166-282d-4469-b79d-4e959e0492c1>


wpDiscuz <= 7.6.11 - Insufficient Authorization to Comment Submission on Deleted Posts

Affected Software: Comments – wpDiscuz
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/4a1fe36b-75d2-48c3-bfac-af965eb9363f>


MW WP Form <= 4.4.5 - Missing Authorization

Affected Software: MW WP Form
CVE ID: CVE-2023-46206
CVSS Score: 5.3 (Medium)
Researcher/s: Revan Arifio
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/616de170-6645-4a06-a393-51bec1d8bd8c>


Contact Form builder with drag & drop - Kali Forms <= 2.3.27 - Missing Authorization via Contact Form

Affected Software: Contact Form builder with drag & drop for WordPress – Kali Forms
CVE ID: CVE-2023-46083
CVSS Score: 5.3 (Medium)
Researcher/s: Revan Arifio
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/bfb473a6-08ba-4b23-877d-4aa661c0053f>


SALESmanago <= 3.2.4 - Log Injection via Weak Authentication Token

Affected Software: SALESmanago
CVE ID: CVE-2023-4939
CVSS Score: 5.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/de7db1d6-b352-44c7-a6cc-b21cb65a0482>


Broken Link Checker | Finder <= 2.4.2 - Missing Authorization via moblc_auth_save_settings

Affected Software: Broken Link Checker | Finder
CVE ID: CVE-2023-46082
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e4383f41-bd08-4fab-9491-4cf9f7326300>


Draft Vulnerability for 404 Solution 2.33.0 - Sensitive Information Exposure

Affected Software: 404 Solution
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Joshua Chan
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/fadc1374-fe4d-414a-af84-1a4de5b89807>


Smart App Banner <= 1.1.3 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Smart App Banner CVE ID: CVE-2023-46200 CVSS Score: 4.4 (Medium) Researcher/s: Rio Darmawan Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/0c7497fc-e42c-49a6-99ee-6ec774cc4617>


Auto Login New User After Registration <= 1.9.6 - Authenticated (Administrator+) Stored Cross-Site Scripting via alnuar_auto_login_new_user_after_registration_redirect

Affected Software: Auto Login New User After Registration CVE ID: CVE-2023-46201 CVSS Score: 4.4 (Medium) Researcher/s: LEE SE HYOUNG Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/0fb82b48-3cf8-47a5-b68d-e37a1823a125>


Eonet Manual User Approve <= 2.1.3 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Eonet Manual User Approve CVE ID: CVE-2023-32738 CVSS Score: 4.4 (Medium) Researcher/s: Emili Castells Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/2b696e0b-d4e1-4a81-9204-929100ade073>


WC Captcha <= 1.4 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: WC Captcha CVE ID: CVE-2023-46210 CVSS Score: 4.4 (Medium) Researcher/s: Rio Darmawan Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/400dde23-eafb-4ace-8b4a-ac88d0b200ac>


Simple Table Manager <= 1.5.6 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Simple Table Manager CVE ID: CVE-2023-4858 CVSS Score: 4.4 (Medium) Researcher/s: niclo Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/53760acf-e8b2-4e35-8c01-768472fc0996>


Thumbnail Slider With Lightbox <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via Image Title

Affected Software: Thumbnail Slider With Lightbox CVE ID: CVE-2023-5621 CVSS Score: 4.4 (Medium) Researcher/s: Ala Arfaoui Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/547c425d-8b0f-4e65-8b8a-c3a3059301fe>


Custom post types <= 4.0.12 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Custom post types, Custom Fields & more CVE ID: CVE-2023-32116 CVSS Score: 4.4 (Medium) Researcher/s: Taihei Shimamine Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/58ee5f31-7d10-4772-929c-98249a351342>


Triberr <= 4.1.1 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Triberr CVE ID: CVE-2023-46199 CVSS Score: 4.4 (Medium) Researcher/s: Rio Darmawan Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5e8a8e0e-6dc0-4d9f-aee3-1fd940c49d3d>


Category SEO Meta Tags <= 2.5 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Category SEO Meta Tags CVE ID: CVE-2023-46091 CVSS Score: 4.4 (Medium) Researcher/s: LEE SE HYOUNG Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6985a8bb-0ad5-4b02-9a95-9dbc6018dec0>


Maileon <= 2.16.0 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Maileon for WordPress CVE ID: CVE-2023-46068 CVSS Score: 4.4 (Medium) Researcher/s: DoYeon Park Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a67972d7-abfd-4ce3-9e47-30736ab32af5>


WP Full Stripe Free <= 1.6.1 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: WP Full Stripe Free CVE ID: CVE-2023-46088 CVSS Score: 4.4 (Medium) Researcher/s: LEE SE HYOUNG Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b7c630c0-b37f-48d5-a87c-8e7c60103a30>


Internal Link Building <= 1.2.3 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Internal Link Building CVE ID: CVE-2023-46192 CVSS Score: 4.4 (Medium) Researcher/s: LEE SE HYOUNG Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/dd300737-dda4-4ed3-b21f-0407a5e32a05>


Webmaster Tools <= 2.0 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Webmaster Tools CVE ID: CVE-2023-46093 CVSS Score: 4.4 (Medium) Researcher/s: LEE SE HYOUNG Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e80bb7de-ce18-40d5-bf4c-9616739b2f9d>


Who Hit The Page – Hit Counter <= 1.4.14.3 - Cross-Site Request Forgery

Affected Software: Who Hit The Page – Hit Counter CVE ID: CVE-2023-46087 CVSS Score: 4.3 (Medium) Researcher/s: thiennv Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/07663fae-53e9-45d2-834c-6e1392484e0a>


Ashe Extra <= 1.2.6 - Missing Authorization via multiple AJAX actions

Affected Software: Ashe Extra CVE ID: CVE-2023-46079 CVSS Score: 4.3 (Medium) Researcher/s: Jonas Höbenreich Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/09551d22-c8c2-435c-9d00-bb4833497c16>


Google Calendar Events <= 3.2.5 - Cross-Site Request Forgery via bulk_actions

Affected Software: Simple Calendar – Google Calendar Plugin CVE ID: CVE-2023-46189 CVSS Score: 4.3 (Medium) Researcher/s: Nguyen Xuan Chien Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/1218ed3b-badc-464e-adbc-76fb4f6af008>


Product Category Tree <= 2.5 - Cross-Site Request Forgery

Affected Software: Product Category Tree CVE ID: CVE-2023-46151 CVSS Score: 4.3 (Medium) Researcher/s: Nguyen Xuan Chien Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/147e47f8-c40b-4ae7-8627-b32b36e4d14f>


Wp Ultimate Review <= 2.2.4 - Cross-Site Request Forgery via wur_settings_view

Affected Software: Wp Ultimate Review CVE ID: CVE-2023-46085 CVSS Score: 4.3 (Medium) Researcher/s: qilin_99 Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/1559fb43-cc5e-4dd2-80d8-06a137c7276d>


Userback <= 1.0.13 - Cross-Site Request Forgery

Affected Software: Userback CVE ID: CVE-2023-46089 CVSS Score: 4.3 (Medium) Researcher/s: LEE SE HYOUNG Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/2178b39c-5341-4f53-82be-668b400d7f25>


Delete Usermetas <= 1.1.2 - Cross-Site Request Forgery

Affected Software: Delete Usermetas CVE ID: CVE-2023-5537 CVSS Score: 4.3 (Medium) Researcher/s: Francesco Carlucci Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/23b46e5b-ce1e-4215-921c-edea7fd6c56a>


Simple Calendar <= 3.2.4 - Cross-Site Request Forgery via duplicate_feed

Affected Software: Simple Calendar – Google Calendar Plugin CVE ID: CVE Unknown CVSS Score: 4.3 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/38adede2-73ca-470c-8ace-4f5bbec51d28>


Webmaster Tools <= 2.0 - Cross-Site Request Forgery via lionscripts_plg_f

Affected Software: Webmaster Tools CVE ID: CVE-2023-46092 CVSS Score: 4.3 (Medium) Researcher/s: LEE SE HYOUNG Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/4112ca9a-39fa-4fe8-a060-9f8f492eb846>


Smooth Scroll Links <= 1.1.0 - Cross-Site Request Forgery

Affected Software: Smooth Scroll Links [SSL] CVE ID: CVE-2023-46095 CVSS Score: 4.3 (Medium) Researcher/s: Skalucy Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/49018b4b-2833-4ced-b36a-ebe69c5cb096>


Open Graph Metabox <= 1.4.4 - Cross-Site Request Forgery

Affected Software: Open Graph Metabox CVE ID: CVE-2023-46191 CVSS Score: 4.3 (Medium) Researcher/s: Milad Hacking Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5a2b7aac-b11d-4c52-b3d8-7b3f4b3eecd5>


Rocket Font <= 1.2.3 - Cross-Site Request Forgery via update_option_check_match_default

Affected Software: Rocket Font CVE ID: CVE-2023-46067 CVSS Score: 4.3 (Medium) Researcher/s: Unknown Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/635f448b-5c51-4152-b6f5-076a686709bf>


Widgets for Google Reviews <= 10.9 - Cross-Site Request Forgery to Plugin Settings Reset

Affected Software: Widgets for Google Reviews CVE ID: CVE-2023-3254 CVSS Score: 4.3 (Medium) Researcher/s: Alex Thomas Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/70968476-b064-477f-999f-4aa2c51d89cc>


Internal Link Building <= 1.2.3 - Cross-Site Request Forgery

Affected Software: Internal Link Building CVE ID: CVE-2023-46193 CVSS Score: 4.3 (Medium) Researcher/s: LEE SE HYOUNG Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/78ce6a2a-aa28-4ae9-a2e7-ca3861a9677f>


Just Custom Fields <= 3.3.2 - Cross-Site Request Forgery on AJAX Actions

Affected Software: Just Custom Fields CVE ID: CVE Unknown CVSS Score: 4.3 (Medium) Researcher/s: Abdi Pranata Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/79899dc1-4953-4f95-95f5-853d24e7b9ab>


Serial Numbers for WooCommerce – License Manager <= 1.6.3 - Cross-Site Request Forgery

Affected Software: WC Serial Numbers – Ultimate License Manager Plugin for Selling, Licensing & Securely Delivering Digital Products with WooCommerce CVE ID: CVE-2023-46078 CVSS Score: 4.3 (Medium) Researcher/s: Skalucy Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/8671b549-2cce-4f38-ad2d-a9472f7e8e7b>


WP Radio – Worldwide Online Radio Stations Directory for WordPress <= 3.1.9 - Cross-Site Request Forgery

Affected Software: WP Radio – Worldwide Online Radio Stations Directory for WordPress CVE ID: CVE-2023-46150 CVSS Score: 4.3 (Medium) Researcher/s: Nguyen Xuan Chien Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/874e9e14-1330-40f0-8199-8abcaae58e98>


WOLF <= 1.0.7.1 - Cross-Site Request Forgery

Affected Software: WOLF – WordPress Posts Bulk Editor and Manager Professional CVE ID: CVE-2023-46152 CVSS Score: 4.3 (Medium) Researcher/s: thiennv Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/8b771d76-b79a-4ff2-9433-8d35734a4396>


Auto Login New User After Registration <= 1.9.6 - Cross-Site Request Forgery to Settings Modification

Affected Software: Auto Login New User After Registration CVE ID: CVE-2023-46202 CVSS Score: 4.3 (Medium) Researcher/s: LEE SE HYOUNG Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/9311c7b6-2c32-4f30-8286-6d59c267c09d>


DX Delete Attached Media <= 2.0.5.1 - Cross-Site Request Forgery via add_to_base

Affected Software: DX Delete Attached Media CVE ID: CVE-2023-46073 CVSS Score: 4.3 (Medium) Researcher/s: Abdi Pranata Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/961d6d1d-46e8-489f-ac5f-51b55c5a0460>


ApplyOnline – Application Form Builder and Manager <= 2.5.2 - Missing Authorization

Affected Software: ApplyOnline – Application Form Builder and Manager CVE ID: CVE-2023-46080 CVSS Score: 4.3 (Medium) Researcher/s: thiennv Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a3473b5e-2f50-4845-9cfa-d19129f2a430>


Social Media Share Buttons & Social Sharing Icons <= 2.8.5 - Cross-Site Request Forgery

Affected Software: Social Media Share Buttons & Social Sharing Icons CVE ID: CVE-2023-5602 CVSS Score: 4.3 (Medium) Researcher/s: Marco Wotschka Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d44a45fb-3bff-4a1f-8319-a58a47a9d76b>


Duplicate Theme <= 0.1.6 - Cross-Site Request Forgery via themeDuplicationAction

Affected Software: Duplicate Theme CVE ID: CVE-2023-46204 CVSS Score: 4.3 (Medium) Researcher/s: Elliot Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d93e0175-db55-42ab-8475-cd0f47e5dcbb>


Social proof testimonials and reviews by Repuso <= 4.97 - Missing Authorization

Affected Software: Social proof testimonials and reviews by Repuso CVE ID: CVE-2023-46196 CVSS Score: 4.3 (Medium) Researcher/s: Abdi Pranata Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ec311df2-33af-4b91-80a1-252d934c7f61>


WP EXtra <= 6.2 - Missing Authorization to Export Settings

Affected Software: WP EXtra CVE ID: CVE-2023-46212 CVSS Score: 4.3 (Medium) Researcher/s: TP Cyber Security Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ed5c433b-eaab-4716-8749-2a5598a1dbb9>


Freesoul Deactivate Plugins <= 2.1.3 - Cross-Site Request Forgery via eos_dp_pro_delete_transient

Affected Software: Freesoul Deactivate Plugins – Plugin manager and cleanup CVE ID: CVE-2023-46188 CVSS Score: 4.3 (Medium) Researcher/s: Abdi Pranata Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f2949ff1-5c69-4189-99a9-e50c65c78461>


Popup by Supsystic <= 1.10.19 - Missing Authorization to Sensitive Information Exposure

Affected Software: Popup by Supsystic CVE ID: CVE-2023-46197 CVSS Score: 4.3 (Medium) Researcher/s: Rafshanzani Suhada Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f458663f-6b1a-4acd-b2db-c66d7a915ab7>


Just Custom Fields <= 3.3.2 - Missing Authorization on AJAX Actions

Affected Software: Just Custom Fields CVE ID: CVE-2023-46203 CVSS Score: 4.3 (Medium) Researcher/s: Abdi Pranata Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f6d44749-8b1a-4d22-9917-fee134737063>


Novo-Map : your WP posts on custom google maps <= 1.1.2 - Cross-Site Request Forgery

Affected Software: Novo-Map : your WP posts on custom google maps CVE ID: CVE-2023-46190 CVSS Score: 4.3 (Medium) Researcher/s: Mika Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f6f91816-a263-4938-bac1-eeb3bb2fc120>


Envo Extra <= 1.8.3 - Cross-Site Request Forgery

Affected Software: Envo Extra CVE ID: CVE Unknown CVSS Score: 4.3 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f709fca2-b7b6-4567-8055-1156f510d1ca>


wpDiscuz <= 7.6.3 - Authenticated (Author+) Insecure Direct Object Reference

Affected Software: Comments – wpDiscuz CVE ID: CVE-2023-46311 CVSS Score: 2.7 (Low) Researcher/s: Revan Arifio Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/359c573f-7031-4f56-b66f-c37339667aca>


As a reminder, Wordfence has curated an industry-leading vulnerability database, known as Wordfence Intelligence, covering all known WordPress core, theme, and plugin vulnerabilities.

This database is continuously updated, maintained, and populated by Wordfence's highly credentialed and experienced vulnerability researchers through in-house vulnerability research, through vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring a variety of sources to capture all publicly available WordPress vulnerability information, adding additional context where we can.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (October 16, 2023 to October 22, 2023) appeared first on Wordfence.
