Wordfence Intelligence Weekly WordPress Vulnerability Report (October 9, 2023 to October 15, 2023)

2023-10-19 15:52:27
Chloe Chamberland
www.wordfence.com

Last week, 103 vulnerabilities were disclosed in 85 WordPress plugins and no WordPress themes (7 of them affecting WordPress Core) and added to the Wordfence Intelligence Vulnerability Database, and 46 vulnerability researchers contributed to WordPress security. Review the vulnerabilities in this report now to make sure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, including the WordPress community, so that individuals and organizations alike can use that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API and webhook integration are completely free to access and use, both personally and commercially, and why we publish this weekly vulnerability report.

Individuals and enterprises can use the vulnerability database API to pull a complete dump of our database of over 12,000 vulnerabilities and then use the webhook integration to stay on top of newly added vulnerabilities in real time, along with any updates made to existing records, all for free.
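As an added example (not part of the Wordfence report and not Wordfence's own tooling), here is the matching step a site or fleet owner would run after pulling the feed: a snapshot of feed records, built here from four entries in this report, is checked against an inventory of installed plugin versions, and each hit is triaged by whether a fix exists. The record layout (`software`, `slug`, `patched`, `affected_versions` with `from_version`/`to_version` bounds) is an assumption about the v2 feed format, the record ids are placeholders, and INSTALLED is a made-up inventory; a real run would fetch the feed over the API and read the inventory from the site.

```python
"""Match a snapshot of the Wordfence Intelligence vulnerability feed against the
plugins installed on a site and decide what to do about each hit.

Added example; not code from the Wordfence report or the Wordfence project.
Assumption: the record layout follows the v2 production feed as the author
understands it (a JSON object keyed by vulnerability id, each record carrying
a `software` list with `slug`, `patched` and `affected_versions` ranges).
The four records are constructed from entries in this report with placeholder
ids, and INSTALLED is a made-up site inventory; a real run would download the
feed and read the inventory from the site.
"""
import json


def _rec(title, cve, score, rating, slug, patched, upto):
    """One feed record in the assumed layout, affected range '* .. <= upto'."""
    return {"title": title, "cve": cve, "cvss": {"score": score, "rating": rating},
            "software": [{"type": "plugin", "slug": slug, "patched": patched,
                          "affected_versions": {f"<= {upto}": {
                              "from_version": "*", "from_inclusive": True,
                              "to_version": upto, "to_inclusive": True}}}]}


# Constructed feed snapshot; ids are placeholders, not real feed UUIDs.
FEED_SNAPSHOT = json.dumps({
    "id-1": _rec("AI ChatBot <= 4.8.9 - Unauthenticated SQL Injection via qc_wpbo_search_response",
                 "CVE-2023-5204", 9.8, "Critical", "chatbot", True, "4.8.9"),
    "id-2": _rec("Accessibility Suite by Online ADA <= 4.11 - Authenticated (Subscriber+) SQL Injection",
                 "CVE-2023-45830", 9.8, "Critical", "online-accessibility", False, "4.11"),
    "id-3": _rec("Royal Elementor Addons and Templates <= 1.3.78 - Unauthenticated Arbitrary File Upload",
                 "CVE-2023-5360", 9.8, "Critical", "royal-elementor-addons", True, "1.3.78"),
    "id-4": _rec("wpDiscuz <= 7.6.3 - Missing Authorization via AJAX actions",
                 "CVE-2023-45760", 5.4, "Medium", "wpdiscuz", True, "7.6.3"),
})

# Made-up inventory: plugin slug -> installed version (what `wp plugin list` reports).
INSTALLED = {
    "chatbot": "4.8.9",                  # on the last affected version
    "online-accessibility": "4.11",      # affected, and no fix exists
    "royal-elementor-addons": "1.3.79",  # one past the affected range
    "wpdiscuz": "7.6.4",                 # already updated
    "simple-file-list": "6.1.0",         # not in the snapshot at all
}


def parse_version(v: str) -> tuple:
    """Split a dotted version into integers; non-numeric parts count as 0,
    so 20230902, 5.785 and 1.7.0.13 all compare sensibly."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.strip().split("."))


def compare(a: str, b: str) -> int:
    """-1, 0 or 1 like PHP's version_compare; 4.11 equals 4.11.0 after padding."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    pa, pb = pa + (0,) * (n - len(pa)), pb + (0,) * (n - len(pb))
    return (pa > pb) - (pa < pb)


def in_range(version: str, rng: dict) -> bool:
    """Test one affected_versions range; '*' means unbounded on that side."""
    lo, hi = rng["from_version"], rng["to_version"]
    if lo != "*":
        c = compare(version, lo)
        if c < 0 or (c == 0 and not rng["from_inclusive"]):
            return False
    if hi != "*":
        c = compare(version, hi)
        if c > 0 or (c == 0 and not rng["to_inclusive"]):
            return False
    return True


def find_affected(feed_json: str, installed: dict) -> list:
    """Return feed records matching an installed plugin, highest CVSS first."""
    hits = []
    for record in json.loads(feed_json).values():
        for sw in record["software"]:
            if sw.get("type") != "plugin" or sw["slug"] not in installed:
                continue
            version = installed[sw["slug"]]
            if not any(in_range(version, r) for r in sw["affected_versions"].values()):
                continue
            hits.append({
                "slug": sw["slug"], "installed": version, "title": record["title"],
                "cve": record.get("cve"), "cvss": record["cvss"]["score"],
                "patched": sw["patched"],
                # An unpatched finding cannot be closed by updating: the choices
                # are to disable the plugin or rely on a firewall rule meanwhile.
                "action": "update" if sw["patched"] else "no fix yet: disable or rely on WAF",
            })
    return sorted(hits, key=lambda h: (-h["cvss"], h["slug"]))


if __name__ == "__main__":
    for h in find_affected(FEED_SNAPSHOT, INSTALLED):
        print(f'{h["cvss"]:>4} {h["slug"]} {h["installed"]}: {h["cve"]} -> {h["action"]}')
```

Version comparison is the part that goes wrong in practice: the ranges use inclusive upper bounds, and a version such as 4.11 must compare equal to 4.11.0, which is why the comparison zero-pads instead of comparing strings. The output deliberately keeps unpatched and patched criticals side by side; an unpatched hit is exactly the case where a firewall rule, not an update, is the only immediate mitigation.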

Click here to sign up for our mailing list to receive weekly vulnerability reports like this one and important WordPress security reports in your inbox the moment they are published.


New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine its impact and severity and to assess the likelihood of exploitation, and verifies that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real time to our Premium, Care, and Response customers last week:

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30-day delay.


Total Unpatched & Patched Vulnerabilities Last Week

Patch Status Number of Vulnerabilities
Unpatched 52
Patched 51

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating Number of Vulnerabilities
Low Severity 0
Medium Severity 91
High Severity 5
Critical Severity 7

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') 46
Cross-Site Request Forgery (CSRF) 26
Missing Authorization 9
Information Exposure 6
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') 4
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') 3
Unrestricted Upload of File with Dangerous Type 2
Improper Control of Generation of Code ('Code Injection') 1
Improper Input Validation 1
Guessable CAPTCHA 1
URL Redirection to Untrusted Site ('Open Redirect') 1
Improper Preservation of Consistency Between Independent Representations of Shared State 1
External Control of File Name or Path 1
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') 1

Researchers That Contributed to WordPress Security Last Week

Researcher Name Number of Vulnerabilities
Mika 11
Rio Darmawan 8
thiennv 8
Marco Wotschka (Wordfence Vulnerability Researcher) 7
Abdi Pranata 6
Rafie Muhammad 5
Lana Codes (Wordfence Vulnerability Researcher) 5
minhtuanact 4
LEE SE HYOUNG 3
Satoo Nakano 2
DoYeon Park 2
Skalucy 2
yuyudhn 2
Phd 2
Lokesh Dachepalli 2
Prasanna V Balaji 2
Le Ngoc Anh 2
Elliot 2
Ala Arfaoui 1
Nguyen Xuan Chien 1
James Golovich 1
WhiteCyberSec 1
Karolis Narvilas 1
Marc-Alexandre Montpas 1
Francesco Marano 1
qilin_99 1
Nano 1
Vladislav Pokrovsky 1
Chloe Chamberland (Wordfence Vulnerability Researcher) 1
Edourard L 1
Revan Arifio 1
Jb Audras 1
Jonas Höbenreich 1
SeungYongLee 1
Enrico Marcolini 1
Claudio Marchesini 1
mascara7784 1
Fioravante Souza 1
Jorge Costa 1
s5s 1
raouf_maklouf 1
Bob Matyas 1
Rafshanzani Suhada 1
Bae Song Hyun 1
Nguyen Anh Tien 1
Emili Castells 1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your discoveries to us will also get your name added to the Wordfence Intelligence leaderboard, along with a mention in our weekly vulnerability report.


WordPress Plugins with Reported Vulnerabilities Last Week

Software Name Software Slug
AGP Font Awesome Collection agp-font-awesome-collection
AI ChatBot chatbot
AMP WP – Google AMP For WordPress amp-wp
Accessibility Suite by Online ADA online-accessibility
Add to Calendar Button add-to-calendar-button
Amministrazione Trasparente amministrazione-trasparente
ApplyOnline – Application Form Builder and Manager apply-online
BuddyPress Global Search buddypress-global-search
CITS Support svg, webp Media and TTF,OTF File Upload cits-support-svg-webp-media-upload
CPT Shortcode Generator cpt-shortcode
Campaign Monitor Forms by Optin Cat campaign-monitor-wp
Caret Country Access Limit caret-country-access-limit
Comments Ratings comments-ratings
Comments – wpDiscuz wpdiscuz
Constant Contact Forms by MailMunch constant-contact-forms-by-mailmunch
Contact Form Generator : Creative form builder for WordPress contact-form-generator
Contact Form With Captcha contact-form-with-captcha
Copy or Move Comments copy-or-move-comments
Donation Forms by Charitable – Donations Plugin & Fundraising Platform for WordPress charitable
Easy Testimonial Slider and Form easy-testimonial-rotator
Ebook Store ebook-store
Embed Calendly embed-calendly-scheduling
Etsy Shop etsy-shop
Eupago Gateway For Woocommerce eupago-gateway-for-woocommerce
EventPrime – Events Calendar, Bookings and Tickets eventprime-event-calendar-management
Fast WP Speed fast-wp-speed
Fattura24 fattura24
Feed Statistics wordpress-feed-statistics
Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder form-maker
GEO my WordPress geo-my-wp
Gallery – Image and Video Gallery with Thumbnails gallery-album
Get Custom Field Values get-custom-field-values
Gutenberg gutenberg
HTML5 Maps html5-maps
History Log by click5 history-log-by-click5
IMPress Listings wp-listings
Icegram Express – Email Marketing, Newsletters and Automation for WordPress & WooCommerce email-subscribers
Image Regenerate & Select Crop image-regenerate-select-crop
Lazy Load for Videos lazy-load-for-videos
LeadSquared Suite leadsquared-suite
Libsyn Publisher Hub libsyn-podcasting
Login Screen Manager login-screen-manager
MailChimp Forms by MailMunch mailchimp-forms-by-mailmunch
Master Addons for Elementor master-addons
Migration, Backup, Staging – WPvivid wpvivid-backuprestore
Newsletter & Bulk Email Sender – Email Newsletter Plugin for WordPress newsletter-bulk-email
Next Page next-page
Nexter Extension nexter-extension
PDF Block pdf-block
Peter’s Custom Anti-Spam peters-custom-anti-spam-image
PixFields pixfields
Poll Maker – Best WordPress Poll Plugin poll-maker
Post Gallery simple-post-gallery
Print, PDF, Email by PrintFriendly printfriendly
Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WPLegalPages wplegalpages
Proofreading proofreading
QR Twitter Widget qr-twitter-widget
Remote Content Shortcode remote-content-shortcode
Responsive Column Widgets responsive-column-widgets
Responsive Tabs responsive-tabs
Royal Elementor Addons and Templates royal-elementor-addons
RumbleTalk Live Group Chat – HTML5 rumbletalk-chat-a-chat-with-themes
Scroll post excerpt scroll-post-excerpt
Sendle Shipping Plugin official-sendle-shipping-method
Simple File List simple-file-list
Simple Tweet simple-tweet
Simple URLs – Link Cloaking, Product Displays, and Affiliate Link Management simple-urls
Slick Contact Forms slick-contact-forms
Snap Pixel snap-pixel
Sort SearchResult By Title sort-searchresult-by-title
SpiderVPlayer player
Taggbox – UGC Galleries, Social Media Widgets, User Reviews & Analytics taggbox-widget
Thumbnail Slider With Lightbox wp-responsive-slider-with-lightbox
Tweeple tweeple
Ultimate Taxonomy Manager ultimate-taxonomy-manager
User Submitted Posts – Enable Users to Submit Posts from the Front End user-submitted-posts
Video Playlist For YouTube video-playlist-for-youtube
WP Attachments wp-attachments
WP ERP Complete HR solution with recruitment & job listings
WP GoToWebinar wp-gotowebinar
WP Lightbox 2 wp-lightbox-2
WP Open Street Map wp-open-street-map
WP ULike – Most Advanced WordPress Marketing Toolkit wp-ulike
WordPress Backup & Migration wp-migration-duplicator
which template file which-template-file

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site with the scanner enabled, you should already have been notified if your site is affected by any of these vulnerabilities. If you'd like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to use.

Accessibility Suite by Online ADA <= 4.11 - Authenticated (Subscriber+) SQL Injection

Affected Software: Accessibility Suite by Online ADA
CVE ID: CVE-2023-45830
CVSS Score: 9.8 (Critical)
Researcher/s: minhtuanact
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/10590944-e08e-4980-846d-7a88880b2dcd


AI ChatBot <= 4.8.9 - Unauthenticated SQL Injection via qc_wpbo_search_response

Affected Software: AI ChatBot
CVE ID: CVE-2023-5204
CVSS Score: 9.8 (Critical)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5ad12146-200b-48e5-82de-7572541edcc4


Royal Elementor Addons and Templates <= 1.3.78 - Unauthenticated Arbitrary File Upload

Affected Software: Royal Elementor Addons and Templates
CVE ID: CVE-2023-5360
CVSS Score: 9.8 (Critical)
Researcher/s: Fioravante Souza
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a9d95af5-96da-4259-98c6-e2c4c574a896


User Submitted Posts <= 20230902 - Unauthenticated Arbitrary File Upload

Affected Software: User Submitted Posts – Enable Users to Submit Posts from the Front End
CVE ID: CVE-2023-45603
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/babbe506-3abd-462a-b5b8-5979696eb6e6


AI ChatBot <= 4.8.9 - Authenticated (Subscriber+) Directory Traversal to Arbitrary File Write via qcld_openai_upload_pagetraining_file

Affected Software: AI ChatBot
CVE ID: CVE-2023-5241
CVSS Score: 9.6 (Critical)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/25199281-5286-4d75-8d27-26ce215e0993


AI ChatBot <= 4.8.9 - Authenticated (Subscriber+) Arbitrary File Deletion via qcld_openai_delete_training_file

Affected Software: AI ChatBot
CVE ID: CVE-2023-5212
CVSS Score: 9.6 (Critical)
Researcher/s: Marco Wotschka, Chloe Chamberland
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5b3f4ccb-fcc6-42ec-8e9e-03d69ae7acf2


Icegram Express <= 5.6.23 - Authenticated (Administrator+) Directory Traversal to Arbitrary File Read

Affected Software: Icegram Express – Email Marketing, Newsletters and Automation for WordPress & WooCommerce
CVE ID: CVE-2023-5414
CVSS Score: 9.1 (Critical)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/417186ba-36ef-4d06-bbcd-e85eb9219689


Contact Form Generator <= 2.6.0 - Authenticated (Contributor+) SQL Injection

Affected Software: Contact Form Generator : Creative form builder for WordPress
CVE ID: CVE-2023-35911
CVSS Score: 8.8 (High)
Researcher/s: Emili Castells
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fa586468-d6ff-46a3-97f3-e2e1d365e5b1


Migration, Backup, Staging – WPvivid <= 0.9.91 - Google Drive Client Secret Exposure

Affected Software: Migration, Backup, Staging – WPvivid
CVE ID: CVE-2023-5576
CVSS Score: 8 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4658109d-295c-4a1b-b219-ca1f4664ff1d


RumbleTalk Live Group Chat <= 6.1.9 - Missing Authorization via handleRequest

Affected Software: RumbleTalk Live Group Chat – HTML5
CVE ID: CVE-2023-45828
CVSS Score: 7.6 (High)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d9d6e168-a768-4062-9ef1-0be9d6c65c51


Nexter Extension <= 2.0.3 - Authenticated (Editor+) Remote Code Execution via metabox

Affected Software: Nexter Extension
CVE ID: CVE-2023-45751
CVSS Score: 7.2 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/188c4417-962a-4b28-b215-1c567b39ba7a


Campaign Monitor Forms <= 2.5.5 - Missing Authorization to Authenticated (Subscriber+) Options Update via ajax_dismiss_notice

Affected Software: Campaign Monitor Forms by Optin Cat
CVE ID: CVE-2023-5098
CVSS Score: 7.1 (High)
Researcher/s: Francesco Marano
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3f11416c-c981-4c85-822c-497ecfaa842d


History Log by click5 <= 1.0.12 - Authenticated (Administrator+) Time-Based Blind SQL Injection

Affected Software: History Log by click5
CVE ID: CVE-2023-5082
CVSS Score: 6.6 (Medium)
Researcher/s: Karolis Narvilas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2881e144-a109-4034-afe8-2f72efd70360


IMPress Listings <= 2.6.2 - Missing Authorization

Affected Software: IMPress Listings
CVE ID: CVE-2023-45633
CVSS Score: 6.5 (Medium)
Researcher/s: Nguyen Anh Tien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f426c32e-a376-4447-b83f-409a8eb0c499


Slick Contact Forms <= 1.3.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Slick Contact Forms
CVE ID: CVE-2023-5468
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/22c63226-2bc6-40be-a5d1-1bd169fc78b8


PDF Block <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: PDF Block
CVE ID: CVE-2023-45646
CVSS Score: 6.4 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3a1d8adf-c49c-4d88-83c7-4515b0ab1f35


QR Twitter Widget <= 0.2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Affected Software: QR Twitter Widget
CVE ID: CVE-2023-45628
CVSS Score: 6.4 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5b16df88-7d9f-4ee2-90ab-6da50c69148e


Add to Calendar Button <= 1.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Add to Calendar Button
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/60ba7f68-1fe1-4349-a3eb-11a63ae11e38


WordPress Core 5.9 - 6.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Navigation Attributes

Affected Software/s: WordPress, Gutenberg
CVE ID: CVE-2023-38000
CVSS Score: 6.4 (Medium)
Researcher/s: Rafie Muhammad, Edourard L
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/66b1f597-f357-4525-8c67-e0be3a07bcfa


Get Custom Field Values <= 4.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Meta Widget

Affected Software: Get Custom Field Values
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Satoo Nakano
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/66e55302-f889-4054-817f-aadbdd3c88de


Newsletter & Bulk Email Sender <= 2.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Newsletter & Bulk Email Sender – Email Newsletter Plugin for WordPress
CVE ID: CVE-2023-45829
CVSS Score: 6.4 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a7c19095-3c21-440f-aa28-0117aea29d97


GEO my WordPress <= 4.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: GEO my WordPress
CVE ID: CVE-2023-5467
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a96ac71f-3dae-40eb-9268-d56688a5aa64


Master Addons for Elementor <= 2.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Master Addons for Elementor
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/abb7def7-df32-4901-b8ea-068ff1af664b


WordPress Core 6.3 - 6.3.1 - Authenticated (Contributor+) Cross-Site Scripting via Footnotes Block

Affected Software: WordPress
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Jorge Costa
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/af77d642-d383-48f2-a59a-3a9c738cd47f


CITS Support svg, webp Media and TTF,OTF File Upload <= 2.1.0 - Authenticated (Author+) Stored Cross-Site Scripting via SVG Upload

Affected Software: CITS Support svg, webp Media and TTF,OTF File Upload
CVE ID: CVE-2023-5458
CVSS Score: 6.4 (Medium)
Researcher/s: Bob Matyas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c7d3edf5-245f-42f2-9add-e87de6839ed1


Embed Calendly <= 3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Embed Calendly
CVE ID: CVE-2023-4995
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d1bf83df-7a1f-4572-9c8d-1013750d51d7


WP ULike <= 4.6.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Affected Software: WP ULike – Most Advanced WordPress Marketing Toolkit
CVE ID: CVE-2023-45640
CVSS Score: 6.4 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d2f777b6-5872-4196-81fb-82a9b6aaef2e


Charitable <= 1.7.0.13 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Donation Forms by Charitable – Donations Plugin & Fundraising Platform for WordPress
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/dbaedb36-6710-48ab-8bb5-e6065fa8df51


Etsy Shop <= 3.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Etsy Shop
CVE ID: CVE-2023-5470
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e4696f7a-8b87-4376-b4c9-596eca30b38c


Remote Content Shortcode <= 1.5 - Authenticated (Contributor+) Local File Inclusion via shortcode

Affected Software: Remote Content Shortcode
CVE ID: CVE-2023-45652
CVSS Score: 6.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d1568e8d-9ea5-4673-a657-03e89cfb6000


Ultimate Taxonomy Manager <= 2.0 - Unauthenticated Cross-Site Scripting

Affected Software: Ultimate Taxonomy Manager
CVE ID: CVE-2023-45837
CVSS Score: 6.1 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/06f56834-e1e9-4a02-988a-df4c563182c4


EventPrime <= 3.1.5 - Reflected Cross-Site Scripting via 'event_id'

Affected Software: EventPrime – Events Calendar, Bookings and Tickets
CVE ID: CVE-2023-45637
CVSS Score: 6.1 (Medium)
Researcher/s: Phd
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/399848fd-e9f6-40e4-bfeb-08f53eb511c6


Libsyn Publisher Hub <= 1.4.4 - Unauthenticated Cross-Site Scripting

Affected Software: Libsyn Publisher Hub
CVE ID: CVE-2023-45835
CVSS Score: 6.1 (Medium)
Researcher/s: minhtuanact
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/56b3d629-014c-47b3-9726-4086e544011b


ApplyOnline – Application Form Builder and Manager <= 2.5.2 - Reflected Cross-Site Scripting

Affected Software: ApplyOnline – Application Form Builder and Manager
CVE ID: CVE-2023-45756
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6c704356-e5f7-4b91-a162-647717cbbb7b


Copy Or Move Comments <= 5.0.4 - Reflected Cross-Site Scripting

Affected Software: Copy or Move Comments
CVE ID: CVE-2023-45634
CVSS Score: 6.1 (Medium)
Researcher/s: minhtuanact
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8a7bf74b-1dc7-4159-a874-29694fe5895e


Peter’s Custom Anti-Spam <= 3.2.2 - Reflected Cross-Site Scripting

Affected Software: Peter’s Custom Anti-Spam
CVE ID: CVE-2023-45759
CVSS Score: 6.1 (Medium)
Researcher/s: SeungYongLee
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8cea7f17-743a-4dce-bd86-5713ff6d8520


Sendle Shipping <= 5.13 - Reflected Cross-Site Scripting

Affected Software: Sendle Shipping Plugin
CVE ID: CVE-2023-45761
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8e227e25-3dd9-47fd-bba8-e076f7f92d56


Nexter Extension <= 2.0.3 - Reflected Cross-Site Scripting via post and post_id

Affected Software: Nexter Extension
CVE ID: CVE-2023-45750
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8f4dc917-028c-451a-9b32-26ef2c488850


Video Player <= 1.5.22 - Reflected Cross-Site Scripting

Affected Software: SpiderVPlayer
CVE ID: CVE-2023-45632
CVSS Score: 6.1 (Medium)
Researcher/s: Elliot
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/93d78063-238d-40c0-92c9-6870d85d29f7


Fattura24 <= 6.2.7 - Reflected Cross-Site Scripting via 'id'

Affected Software: Fattura24
CVE ID: CVE-2023-5211
CVSS Score: 6.1 (Medium)
Researcher/s: Enrico Marcolini, Claudio Marchesini
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a19bff99-b680-40a6-8a5c-7a0233b293ac


WordPress Core 5.6 - 6.3.1 - Reflected Cross-Site Scripting via Application Password Requests

Affected Software: WordPress
CVE ID: CVE Unknown
CVSS Score: 6.1 (Medium)
Researcher/s: mascara7784
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a5368894-3277-47d0-8fad-adfb8df4fa93


Fast WP Speed <= 1.0.0 - Reflected Cross-Site Scripting

Affected Software: Fast WP Speed
CVE ID: CVE-2023-45770
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cd5a3d4b-6e8b-4abe-9f38-58accada2f57


Ebook Store <= 5.785 - Reflected Cross-Site Scripting

Affected Software: Ebook Store
CVE ID: CVE-2023-45602
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e36eed5b-f76d-451e-a0f8-fd4b91bcf9f1


Proofreading <= 1.0.11 - Reflected Cross-Site Scripting

Affected Software: Proofreading
CVE ID: CVE-2023-45772
CVSS Score: 6.1 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e76e4c4c-3f84-46b0-b305-2513714a8525


Tweeple <= 0.9.5 - Reflected Cross-Site Scripting via id

Affected Software: Tweeple
CVE ID: CVE-2023-30781
CVSS Score: 6.1 (Medium)
Researcher/s: Elliot
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f9b1c96c-ab87-43a8-a3ac-17fea337b690


Responsive Image Gallery, Gallery Album <= 2.0.3 - Unauthenticated Cross-Site Scripting

Affected Software: Gallery – Image and Video Gallery with Thumbnails
CVE ID: CVE-2023-45630
CVSS Score: 6.1 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fa9e4635-43f8-4f3c-b62c-628e74028f7e


Get Custom Field Values <= 4.0.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via plugin widget

Affected Software: Get Custom Field Values
CVE ID: CVE-2023-45604
CVSS Score: 5.5 (Medium)
Researcher/s: Satoo Nakano
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1e0fd85a-2164-4b83-822e-845662591a78


WP Lightbox 2 <= 3.0.6.5 - Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

Affected Software: WP Lightbox 2
CVE ID: CVE-2023-45747
CVSS Score: 5.5 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5ef104ae-b67c-4669-adeb-e5397561c0ae


WPLegalPages <= 2.9.2 - Authenticated (Author+) Stored Cross-Site Scripting via Shortcode

Affected Software: Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WPLegalPages
CVE ID: CVE-2023-4968
CVSS Score: 5.5 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/68d7b5d0-c777-4ff9-bdef-a7762cfbdf1a


Simple Tweet <= 1.4.0.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

Affected Software: Simple Tweet
CVE ID: CVE-2023-45767
CVSS Score: 5.5 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/de568a71-f51d-4948-839c-48e51d165a64


WordPress Core < 6.3.2 - Authenticated (Subscriber+) Arbitrary Shortcode Execution via parse-media-shortcode

Affected Software: WordPress
CVE ID: CVE Unknown
CVSS Score: 5.4 (Medium)
Researcher/s: James Golovich, WhiteCyberSec
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1fc3f65e-5fbe-403b-b7cd-dde16a7e5778


Simple URLs <= 120 - Cross-Site Request Forgery via Multiple AJAX Actions

Affected Software: Simple URLs – Link Cloaking, Product Displays, and Affiliate Link Management
CVE ID: CVE-2023-45606
CVSS Score: 5.4 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/41d03524-7a53-40cd-a3d5-dafea4fc9a33


wpDiscuz <= 7.6.3 - Missing Authorization via AJAX actions

Affected Software: Comments – wpDiscuz
CVE ID: CVE-2023-45760
CVSS Score: 5.4 (Medium)
Researcher/s: Vladislav Pokrovsky
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4e8ad3c1-549b-4401-8cf4-a8b7f81fbc11


Responsive Image Gallery, Gallery Album <= 2.0.3 - Cross-Site Request Forgery

Affected Software: Gallery – Image and Video Gallery with Thumbnails
CVE ID: CVE-2023-45629
CVSS Score: 5.4 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/66efc65e-48d3-4ef9-a369-51448e47686a


WordPress Backup & Migration <= 1.4.1 - Missing Authorization to Settings and Schedule Modification

Affected Software: WordPress Backup & Migration
CVE ID: CVE-2023-45636
CVSS Score: 5.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/adfc5084-ed33-4600-bd34-d3516f1a1b96


Responsive Image Gallery, Gallery Album <= 2.0.3 - Missing Authorization via Multiple AJAX Actions

Affected Software: Gallery – Image and Video Gallery with Thumbnails
CVE ID: CVE-2023-45631
CVSS Score: 5.4 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cb08cf02-4766-4093-9306-3b4581f54f77


MailChimp Forms by MailMunch <= 3.1.4 - Cross-Site Request Forgery via multiple AJAX actions

Affected Software: MailChimp Forms by MailMunch
CVE ID: CVE-2023-45748
CVSS Score: 5.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f4f96877-406b-4ec0-ac6b-ee1ffdb436e5


Contact Form With Captcha <= 1.6.8 - Cross-Site Request Forgery

Affected Software: Contact Form With Captcha
CVE ID: CVE-2023-45771
CVSS Score: 5.4 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f618a350-e089-40f7-b731-7ffb9ece30b3


Image Regenerate & Select Crop 7.2.5 - Sensitive Information Exposure

Affected Software: Image Regenerate & Select Crop
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/307bfd18-840a-4cb4-86e6-33dc28e5514e


WordPress Core 4.7.0 - 6.3.1 - Sensitive Information Exposure via User Search REST Endpoint

Affected Software: WordPress
CVE ID: CVE-2023-5561
CVSS Score: 5.3 (Medium)
Researcher/s: Marc-Alexandre Montpas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/38b63167-e1a6-4279-97cf-900df0651f20


Form Maker <= 1.15.20 - Captcha Bypass

Affected Software: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/46525a06-f3a4-4c78-ba32-4b937e1dbac6


Poll Maker <= 4.7.1 - Missing Authorization

Affected Software: Poll Maker – Best WordPress Poll Plugin
CVE ID: CVE-2023-45766
CVSS Score: 5.3 (Medium)
Researcher/s: Revan Arifio
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6a27fcc6-b1ac-4649-892b-7e0dee3f0d08


Libsyn Publisher Hub <= 1.4.4 - Sensitive Information Exposure

Affected Software: Libsyn Publisher Hub
CVE ID: CVE-2023-45834
CVSS Score: 5.3 (Medium)
Researcher/s: minhtuanact
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8bccefbe-2d20-40a7-b24f-d867d80250e3


AI ChatBot <= 4.8.9 - Missing Authorization on AJAX actions

Affected Software: AI ChatBot
CVE ID: CVE-2023-5533
CVSS Score: 5.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a9db002f-ff41-493a-87b1-5f0b4b07cfc2


WordPress Core 4.7.0 - 6.3.1 - Denial of Service via Cache Poisoning

Affected Software: WordPress CVE ID: CVE Unknown CVSS Score: 5.3 (Medium) Researcher/s: s5s, raouf_maklouf Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/bdc84664-2a04-4cc6-ac3f-48bfd432691f>


AI ChatBot <= 4.8.9 - Unauthenticated Sensitive Information Exposure via qcld_wb_chatbot_check_user

Affected Software: AI ChatBot CVE ID: CVE-2023-5254 CVSS Score: 5.3 (Medium) Researcher/s: Marco Wotschka Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d897daf8-5320-4546-9a63-1d34a15b2a58>


Responsive Column Widgets <= 1.2.7 - Open Redirect via responsive_column_widgets_link

Affected Software: Responsive Column Widgets CVE ID: CVE-2023-45762 CVSS Score: 4.7 (Medium) Researcher/s: Phd Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a092266b-bd7f-424d-b8c4-d79e4811e6c9>


Easy Testimonial Slider and Form <= 1.0.18 - Authenticated (Administrator+) Stored Cross-Site Scripting via settings

Affected Software: Easy Testimonial Slider and Form CVE ID: CVE-2023-45754 CVSS Score: 4.4 (Medium) Researcher/s: Rio Darmawan Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/01da1829-e3f4-4246-ae3d-72377c4b232e>


Amministrazione Trasparente <= 8.0.2 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Amministrazione Trasparente CVE ID: CVE-2023-45758 CVSS Score: 4.4 (Medium) Researcher/s: DoYeon Park Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/1ef02ecc-6a7b-4782-a891-a1d66d770c81>


CPT Shortcode Generator <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via settings

Affected Software: CPT Shortcode Generator CVE ID: CVE-2023-45644 CVSS Score: 4.4 (Medium) Researcher/s: Lokesh Dachepalli Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/4782d4ea-3d79-40d2-850d-1a7583267616>


Login Screen Manager <= 3.5.2 - Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: Login Screen Manager CVE ID: CVE-2023-5243 CVSS Score: 4.4 (Medium) Researcher/s: Nano Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/4d6c37ec-4a17-41b8-a29e-2a9adb382cea>


Scroll post excerpt <= 8.0 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Scroll post excerpt CVE ID: CVE-2023-45764 CVSS Score: 4.4 (Medium) Researcher/s: Rio Darmawan Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6da00adc-8fc0-4d8f-9ff3-8c21223199f4>


Next Page <= 1.5.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via settings

Affected Software: Next Page CVE ID: CVE-2023-45768 CVSS Score: 4.4 (Medium) Researcher/s: Rio Darmawan Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c592887c-718c-46d7-8dc3-d337711471ee>


Print, PDF, Email by PrintFriendly <= 5.5.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via settings

Affected Software: Print, PDF, Email by PrintFriendly CVE ID: CVE-2023-25032 CVSS Score: 4.4 (Medium) Researcher/s: Abdi Pranata Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e0403a76-86ce-4772-bc0b-22b183f0f684>


WP GoToWebinar <= 14.45 - Authenticated (Administrator+) Stored Cross-Site Scripting via settings

Affected Software: WP GoToWebinar CVE ID: CVE-2023-45832 CVSS Score: 4.4 (Medium) Researcher/s: DoYeon Park Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e40f07b5-9e6e-430b-86fc-3bb863a51b01>


Simple File List <= 6.1.9 - Authenticated (Administrator+) Stored Cross-Site Scripting via settings

Affected Software: Simple File List CVE ID: CVE-2023-39924 CVSS Score: 4.4 (Medium) Researcher/s: Bae Song Hyun Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e61b6e54-b330-41a5-b13f-ba11c10d8bfe>


LeadSquared Suite <= 0.7.4 - Authenticated (Administrator+) Stored Cross-Site Scripting via settings

Affected Software: LeadSquared Suite CVE ID: CVE-2023-45833 CVSS Score: 4.4 (Medium) Researcher/s: Rio Darmawan Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ef1aafc2-e47b-49da-8a4e-9111209308c2>


BuddyPress Global Search <= 1.2.1 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: BuddyPress Global Search CVE ID: CVE-2023-45755 CVSS Score: 4.4 (Medium) Researcher/s: yuyudhn Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f78cc71a-db22-4f5f-9231-52c66561df02>


WP ERP <= 1.12.6 - Missing Authorization via admin notice dismissal

Affected Software: WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting CVE ID: CVE-2023-45765 CVSS Score: 4.3 (Medium) Researcher/s: Abdi Pranata Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/048277c4-f313-484d-a330-420e0682eee2>


Thumbnail Slider With Lightbox <= 1.0 - Cross-Site Request Forgery

Affected Software: Thumbnail Slider With Lightbox CVE ID: CVE-2023-5531 CVSS Score: 4.3 (Medium) Researcher/s: Ala Arfaoui Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/055b7ed5-268a-485e-ac7d-8082dc9fb2ad>


Post Gallery <= 2.3.12 - Cross-Site Request Forgery

Affected Software: Post Gallery CVE ID: CVE-2023-45752 CVSS Score: 4.3 (Medium) Researcher/s: Mika Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/0ac31c39-abbc-427f-aba3-d9ec3b51c4d2>


WP Open Street Map <= 1.25 - Cross-Site Request Forgery via wp_openstreetmaps

Affected Software: WP Open Street Map CVE ID: CVE-2023-45645 CVSS Score: 4.3 (Medium) Researcher/s: Nguyen Xuan Chien Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/1aa0fd9d-6c9f-4110-92a0-064fa4b9b589>


Eupago Gateway For Woocommerce <= 3.1.9 - Cross-Site Request Forgery via eupago_page_content

Affected Software: Eupago Gateway For Woocommerce CVE ID: CVE-2023-45638 CVSS Score: 4.3 (Medium) Researcher/s: Skalucy Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/1f1dcec6-1fcf-40e8-a15b-647b7161b6b5>


which template file <= 4.8.0 - Cross-Site Request Forgery

Affected Software: which template file CVE ID: CVE-2023-45753 CVSS Score: 4.3 (Medium) Researcher/s: yuyudhn Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/279314a4-2d70-4036-ae9a-27bb694b03db>


Constant Contact Forms by MailMunch <= 2.0.10 - Cross-Site Request Forgery

Affected Software: Constant Contact Forms by MailMunch CVE ID: CVE-2023-45647 CVSS Score: 4.3 (Medium) Researcher/s: Rio Darmawan Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/2f8dcbd2-af51-4cc9-9962-53fe644985e1>


Sort SearchResult By Title <= 10.0 - Cross-Site Request Forgery via settings_page

Affected Software: Sort SearchResult By Title CVE ID: CVE-2023-45639 CVSS Score: 4.3 (Medium) Researcher/s: Skalucy Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/4147e973-5a17-41d8-b8d9-5e43a23c9bc9>


AMP WP <= 1.5.15 - Cross-Site Request Forgery via multiple settings pages

Affected Software: AMP WP – Google AMP For WordPress CVE ID: CVE-2023-45831 CVSS Score: 4.3 (Medium) Researcher/s: qilin_99 Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/44dd7b3f-5892-43e1-acf1-61f66db0b4a3>


XYDAC Ultimate Taxonomy Manager <= 2.0 - Cross-Site Request Forgery

Affected Software: Ultimate Taxonomy Manager CVE ID: CVE-2023-45836 CVSS Score: 4.3 (Medium) Researcher/s: thiennv Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/4baf39fd-4191-47eb-9b37-cdf290d6345b>


HTML5 Maps <= 1.7.1.4 - Cross-Site Request Forgery

Affected Software: HTML5 Maps CVE ID: CVE-2023-45650 CVSS Score: 4.3 (Medium) Researcher/s: Mika Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/502bc68d-778a-47df-a5c2-6bd0b4f130cc>


CPT Shortcode Generator <= 1.0 - Cross-Site Request Forgery

Affected Software: CPT Shortcode Generator CVE ID: CVE-2023-45643 CVSS Score: 4.3 (Medium) Researcher/s: Lokesh Dachepalli Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6125a8e6-4c87-4136-ba39-c3a089948733>


Snap Pixel <= 1.5.7 - Cross-Site Request Forgery

Affected Software: Snap Pixel CVE ID: CVE-2023-45642 CVSS Score: 4.3 (Medium) Researcher/s: Prasanna V Balaji Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6150fd60-069f-4ba6-8f0c-773039eaaec6>


WordPress Core <= 6.3.1 - Authenticated (Contributor+) Sensitive Information Exposure via Comments on Protected Posts

Affected Software: WordPress CVE ID: CVE-2023-39999 CVSS Score: 4.3 (Medium) Researcher/s: Rafie Muhammad, Jb Audras Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6bea6a77-79e8-4d3a-bd3e-2bb3d20b6fe9>


Comments Ratings <= 1.1.7 - Cross-Site Request Forgery

Affected Software: Comments Ratings CVE ID: CVE-2023-45654 CVSS Score: 4.3 (Medium) Researcher/s: Mika Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/8035484b-dc2f-4d54-802b-b09bd88a8bf6>


AI ChatBot <= 4.8.9 - Cross-Site Request Forgery on AJAX actions

Affected Software: AI ChatBot CVE ID: CVE-2023-5534 CVSS Score: 4.3 (Medium) Researcher/s: Marco Wotschka Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/846bd929-45cd-4e91-b232-ae16dd2b12a0>


Taggbox <= 2.9 - Cross-Site Request Forgery

Affected Software: Taggbox – UGC Galleries, Social Media Widgets, User Reviews & Analytics CVE ID: CVE-2023-33214 CVSS Score: 4.3 (Medium) Researcher/s: Jonas Höbenreich Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/8a27253d-bfc1-40b5-9da4-d16cc403ad41>


Caret Country Access Limit <= 1.0.2 - Cross-Site Request Forgery

Affected Software: Caret Country Access Limit CVE ID: CVE-2023-45641 CVSS Score: 4.3 (Medium) Researcher/s: Prasanna V Balaji Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/9f8c5853-6e21-4a70-a547-e3f0f4b1d7d0>


Lazy Load for Videos <= 2.18.2 - Cross-Site Request Forgery

Affected Software: Lazy Load for Videos CVE ID: CVE-2023-45656 CVSS Score: 4.3 (Medium) Researcher/s: Mika Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a467ad30-8271-421c-8af4-8165fd60c03e>


AGP Font Awesome Collection <= 3.2.4 - Cross-Site Request Forgery

Affected Software: AGP Font Awesome Collection CVE ID: CVE-2023-45749 CVSS Score: 4.3 (Medium) Researcher/s: Rio Darmawan Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/abcb2e9f-a6f1-40c3-b419-e2f65ec5dd41>


PixFields <= 0.7.0 - Cross-Site Request Forgery

Affected Software: PixFields CVE ID: CVE-2023-45655 CVSS Score: 4.3 (Medium) Researcher/s: Mika Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d3c6fb8b-9df8-4cf5-b9e6-702852bb1977>


Video Playlist For YouTube <= 6.0 - Cross-Site Request Forgery

Affected Software: Video Playlist For YouTube CVE ID: CVE-2023-45653 CVSS Score: 4.3 (Medium) Researcher/s: Mika Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d72c8140-90f1-49f5-bc42-925e29ecc0b1>


Responsive Tabs < 4.0.6 - Authenticated (Contributor+) Content Injection

Affected Software: Responsive Tabs CVE ID: CVE-2023-45635 CVSS Score: 4.3 (Medium) Researcher/s: Abdi Pranata Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d9af12ac-68ef-4c65-aecb-82ce7b927340>


WP Attachments <= 5.0.6 - Cross-Site Request Forgery

Affected Software: WP Attachments CVE ID: CVE-2023-45651 CVSS Score: 4.3 (Medium) Researcher/s: Abdi Pranata Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f23b144e-4380-4099-89b5-816c8c2f710f>


Feed Statistics <= 4.1 - Cross-Site Request Forgery via init

Affected Software: Feed Statistics CVE ID: CVE-2023-45605 CVSS Score: 4.3 (Medium) Researcher/s: thiennv Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f5740c07-28b3-40ce-997e-e4ec76348cf4>


As a reminder, Wordfence has curated an industry-leading database of all known WordPress core, theme, and plugin vulnerabilities, called Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, through vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring various sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (October 9, 2023 to October 15, 2023) appeared first on Wordfence.
