Wordfence Intelligence Weekly WordPress Vulnerability Report (August 28, 2023 to September 3, 2023)

2023-09-07 12:51:06
Chloe Chamberland
www.wordfence.com

Last week, 64 vulnerabilities disclosed in 61 WordPress plugins and 2 WordPress themes were added to the Wordfence Intelligence Vulnerability Database, and 32 vulnerability researchers contributed to WordPress security. Review the vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API and webhook notifications are completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

_Click here to sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published._


Total Unpatched & Patched Vulnerabilities Last Week

| Patch Status | Number of Vulnerabilities |
|---|---|
| Unpatched | 37 |
| Patched | 27 |

Total Vulnerabilities by CVSS Severity Last Week

| Severity Rating | Number of Vulnerabilities |
|---|---|
| Low Severity | 2 |
| Medium Severity | 53 |
| High Severity | 6 |
| Critical Severity | 3 |

Total Vulnerabilities by CWE Type Last Week

| Vulnerability Type by CWE | Number of Vulnerabilities |
|---|---|
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 29 |
| Missing Authorization | 12 |
| Cross-Site Request Forgery (CSRF) | 11 |
| Unrestricted Upload of File with Dangerous Type | 5 |
| Server-Side Request Forgery (SSRF) | 1 |
| URL Redirection to Untrusted Site ('Open Redirect') | 1 |
| Improper Input Validation | 1 |
| Authorization Bypass Through User-Controlled Key | 1 |
| Improper Control of Generation of Code ('Code Injection') | 1 |
| Use of Less Trusted Source | 1 |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 1 |

Researchers That Contributed to WordPress Security Last Week

| Researcher Name | Number of Vulnerabilities |
|---|---|
| Rio Darmawan | 11 |
| Rafie Muhammad | 5 |
| Lana Codes (Wordfence Vulnerability Researcher) | 4 |
| thiennv | 3 |
| LEE SE HYOUNG | 3 |
| Mika | 2 |
| Zlrqh | 2 |
| Dmitrii | 2 |
| László Radnai | 2 |
| Elliot | 2 |
| Marco Wotschka (Wordfence Vulnerability Researcher) | 2 |
| Bartłomiej Marek | 2 |
| Tomasz Swiadek | 2 |
| Abdi Pranata | 2 |
| Phd | 1 |
| Emili Castells | 1 |
| Pavitra Tiwari | 1 |
| Ramuel Gall (Wordfence Vulnerability Researcher) | 1 |
| FearZzZz | 1 |
| emad | 1 |
| Prasanna V Balaji | 1 |
| deokhunKim | 1 |
| yuyudhn | 1 |
| Le Ngoc Anh | 1 |
| Dipak Panchal | 1 |
| mehmet | 1 |
| Lokesh Dachepalli | 1 |
| Jonas Höbenreich | 1 |
| Enrico Marcolini | 1 |
| Animesh Gaurav | 1 |
| Jonatas Souza Villa Flor | 1 |
| Ravi Dharmawan | 1 |

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added to the Wordfence Intelligence leaderboard, along with a mention in our weekly vulnerability report.


WordPress Plugins with Reported Vulnerabilities Last Week

| Software Name | Software Slug |
|---|---|
| Activity Log | aryo-activity-log |
| AffiliateWP | AffiliateWP |
| All-in-One WP Migration Box Extension | all-in-one-wp-migration-box-extension |
| All-in-One WP Migration Dropbox Extension | all-in-one-wp-migration-dropbox-extension |
| All-in-One WP Migration Google Drive Extension | all-in-one-wp-migration-gdrive-extension |
| All-in-One WP Migration OneDrive Extension | all-in-one-wp-migration-onedrive-extension |
| Better Elementor Addons | better-elementor-addons |
| Bridge Core | bridge-core |
| Ditty – Responsive News Tickers, Sliders, and Lists | ditty-news-ticker |
| DoLogin Security | dologin |
| Easy Coming Soon | easy-coming-soon |
| Easy Newsletter Signups | easy-newsletter-signups |
| Email Encoder – Protect Email Addresses and Phone Numbers | email-encoder-bundle |
| Fast & Effective Popups & Lead-Generation for WordPress – HollerBox | holler-box |
| FileOrganizer – Manage WordPress and Website Files | fileorganizer |
| Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager | folders |
| Font Awesome 4 Menus | font-awesome-4-menus |
| Forminator – Contact Form, Payment Form & Custom Form Builder | forminator |
| GiveWP – Donation Plugin and Fundraising Platform | give |
| GuruWalk Affiliates | guruwalk-affiliates |
| Happy Addons for Elementor Pro | happy-elementor-addons-pro |
| Import XML and RSS Feeds | import-xml-feed |
| Localize Remote Images | localize-remote-images |
| Login and Logout Redirect | login-and-logout-redirect |
| LuckyWP Scripts Control | luckywp-scripts-control |
| Maintenance Switch | maintenance-switch |
| MakeStories (for Google Web Stories) | makestories-helper |
| Metform Elementor Contact Form Builder | metform |
| Multi-column Tag Map | multi-column-tag-map |
| Olive One Click Demo Import | olive-one-click-demo-import |
| Order Tracking – WordPress Status Tracking Plugin | order-tracking |
| Ovic Product Bundle | ovic-product-bundle |
| Popup Builder – Create highly converting, mobile friendly marketing popups. | popup-builder |
| Popup box | ays-popup-box |
| PowerPress Podcasting plugin by Blubrry | powerpress |
| Prevent files / folders access | prevent-file-access |
| Pricing Deals for WooCommerce | pricing-deals-for-woocommerce |
| RSVPMaker | rsvpmaker |
| Remove/hide Author, Date, Category Like Entry-Meta | removehide-author-date-category-like-entry-meta |
| Responsive Gallery Grid | responsive-gallery-grid |
| Sermon'e – Sermons Online | sermone-online-sermons-management |
| Simple 301 Redirects by BetterLinks | simple-301-redirects |
| Site Reviews | site-reviews |
| Sitekit | sitekit |
| Slimstat Analytics | wp-slimstat |
| Smarty for WordPress | smarty-for-wordpress |
| Snap Pixel | snap-pixel |
| Social Media Share Buttons & Social Sharing Icons | ultimate-social-media-icons |
| Social Share Boost | social-share-boost |
| Surfer – WordPress Plugin | surferseo |
| URL Shortener by MyThemeShop | mts-url-shortener |
| Ultimate Addons for Contact Form 7 | ultimate-addons-for-contact-form-7 |
| WP Bannerize Pro | wp-bannerize-pro |
| WP GoToWebinar | wp-gotowebinar |
| WP Search Analytics | search-analytics |
| WP Super Minify | wp-super-minify |
| WP Synchro – WordPress Migration Plugin for Database & Files | wpsynchro |
| WP Users Media | wp-users-media |
| WP-dTree | wp-dtree-30 |
| WordPress Ecommerce For Creating Fast Online Stores – By SureCart | surecart |
| authLdap | authldap |

WordPress Themes with Reported Vulnerabilities Last Week

| Software Name | Software Slug |
|---|---|
| Arya Multipurpose Pro | [arya-multipurpose-pro](<https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-themes/Arya Multipurpose Pro>) |
| Everest News Pro | [everest-news-pro](<https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-themes/Everest News Pro>) |

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities.

Forminator <= 1.24.6 - Unauthenticated Arbitrary File Upload

Affected Software: Forminator – Contact Form, Payment Form & Custom Form Builder
CVE ID: CVE-2023-4596
CVSS Score: 9.8 (Critical)
Researcher/s: mehmet
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/9cd87da6-1f4c-4a15-8ebb-6e0f8ef72513>


Import XML and RSS Feeds <= 2.1.4 - Unauthenticated Remote Code Execution

Affected Software: Import XML and RSS Feeds
CVE ID: CVE-2023-4521
CVSS Score: 9.8 (Critical)
Researcher/s: Enrico Marcolini
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c0856920-5463-4dd3-a4fd-e56901a89b83>


RSVPMaker <= 10.6.6 - Unauthenticated SQL Injection

Affected Software: RSVPMaker
CVE ID: CVE-2023-41652
CVSS Score: 9.8 (Critical)
Researcher/s: Ravi Dharmawan
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f655704d-70a1-40d8-ae36-39029185d262>


Folders <= 2.9.2 - Authenticated (Author+) Arbitrary File Upload in handle_folders_file_upload

Affected Software: Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager
CVE ID: CVE-2023-40204
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/9ab28410-76c5-43cb-b87a-c99f8867167c>


Give - Donation Plugin <= 2.33.0 - Authenticated (Give Manager+) Privilege Escalation

Affected Software: GiveWP – Donation Plugin and Fundraising Platform
CVE ID: CVE-2023-41665
CVSS Score: 7.2 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/22ff4b09-063b-425e-9d59-be2e5d283186>


Olive One Click Demo Import <= 1.0.9 - Authenticated (Administrator+) Arbitrary File Upload in olive_one_click_demo_import_save_file

Affected Software: Olive One Click Demo Import
CVE ID: CVE-2023-29102
CVSS Score: 7.2 (High)
Researcher/s: deokhunKim
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/4f3e3311-11d8-4e4f-9d99-36533fe44d56>


DoLogin Security <= 3.6 - Unauthenticated Stored Cross-Site Scripting

Affected Software: DoLogin Security
CVE ID: CVE-2023-4549
CVSS Score: 7.2 (High)
Researcher/s: Bartłomiej Marek, Tomasz Swiadek
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ad34d657-da59-46ff-a54a-64e6c8974b69>


Prevent files / folders access <= 2.5.1 - Authenticated (Administrator+) Arbitrary File Upload in mo_media_restrict_page

Affected Software: Prevent files / folders access
CVE ID: CVE-2023-4238
CVSS Score: 7.2 (High)
Researcher/s: Dmitrii
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b266bd10-dbc6-4058-a5b2-1578c0814cb4>


Import XML and RSS Feeds <= 2.1.3 - Authenticated (Admin+) Arbitrary File Upload

Affected Software: Import XML and RSS Feeds
CVE ID: CVE-2023-4300
CVSS Score: 7.2 (High)
Researcher/s: Jonatas Souza Villa Flor
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f45b4c43-c6c4-41da-bd59-9a355800815a>


Easy Newsletter Signups <= 1.0.4 - Missing Authorization

Affected Software: Easy Newsletter Signups
CVE ID: CVE-2023-41664
CVSS Score: 6.5 (Medium)
Researcher/s: Emili Castells
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/288946ae-6e58-42e6-89d1-8951539728d3>


Slimstat Analytics <= 5.0.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Slimstat Analytics
CVE ID: CVE-2023-4597
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/52aee4b8-f494-4eeb-8357-71ce8d5bc656>


Sitekit <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'sitekit_iframe' shortcode

Affected Software: Sitekit
CVE ID: CVE-2023-27628
CVSS Score: 6.4 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7f0be29a-7896-4166-a2a6-64f99d845236>


Font Awesome 4 Menus <= 4.7.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Font Awesome 4 Menus
CVE ID: CVE-2023-4718
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/dc59510c-6eaf-4526-8acb-c07e39923ad9>


Email Encoder <= 2.1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Email Encoder – Protect Email Addresses and Phone Numbers
CVE ID: CVE-2023-4599
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e90f04e4-eb4c-4822-89c6-79f553987c37>


Login and Logout Redirect <= 2.0.2 - Open Redirect

Affected Software: Login and Logout Redirect
CVE ID: CVE-2023-41648
CVSS Score: 6.1 (Medium)
Researcher/s: Phd
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/09a0639e-4b14-4dc9-a50c-d18234faa7b1>


Arya Multipurpose Pro <= 1.0.8 - Reflected Cross-Site Scripting

Affected Software: Arya Multipurpose Pro
CVE ID: CVE-2023-41237
CVSS Score: 6.1 (Medium)
Researcher/s: László Radnai
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/22cfbaa1-5412-4944-899c-7ae41d017384>


Social Media & Share Icons <= 2.8.3 - Reflected Cross-Site Scripting

Affected Software: Social Media Share Buttons & Social Sharing Icons
CVE ID: CVE-2023-41238
CVSS Score: 6.1 (Medium)
Researcher/s: FearZzZz
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/3a8998db-ffc2-40b2-a191-09380984adac>


URL Shortener by MyThemeShop <= 1.0.17 - Reflected Cross-Site Scripting via 'page'

Affected Software: URL Shortener by MyThemeShop
CVE ID: CVE-2023-30472
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/52c2837e-8947-4ce9-bda5-e0c2f831fb36>


Sermon'e – Sermons Online <= 1.0.0 - Reflected Cross-Site Scripting

Affected Software: Sermon'e – Sermons Online
CVE ID: CVE-2023-41653
CVSS Score: 6.1 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5c17678e-6598-4e80-b121-beae822b9f81>


WP-dTree <= 4.4.5 - Reflected Cross-Site Scripting

Affected Software: WP-dTree
CVE ID: CVE-2023-41662
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6c01da54-fbbe-42f9-a76e-8e823027d62a>


Everest News Pro <= 1.1.7 - Reflected Cross-Site Scripting

Affected Software: Everest News Pro
CVE ID: CVE-2023-41235
CVSS Score: 6.1 (Medium)
Researcher/s: László Radnai
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/bb967453-59d6-4b03-8c75-1906b99bff80>


Bridge Core <= 3.0.9 - Reflected Cross-Site Scripting

Affected Software: Bridge Core
CVE ID: CVE-2023-40333
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/bc698c40-4a2b-4dab-93f0-647e4db79d2c>


Ditty <= 3.1.24 - Reflected Cross-Site Scripting

Affected Software: Ditty – Responsive News Tickers, Sliders, and Lists
CVE ID: CVE-2023-4148
CVSS Score: 6.1 (Medium)
Researcher/s: Animesh Gaurav
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/cabf7aae-0673-4358-a2df-0ca22c8432b5>


Happy Elementor Addons Pro <= 2.8.0 - Reflected Cross-Site Scripting

Affected Software: Happy Addons for Elementor Pro
CVE ID: CVE-2023-41236
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d536d3a8-9ac5-4ea9-8c65-16ad8b3a7106>


Ultimate Addons for Contact Form 7 <= 3.1.32 - Reflected Cross-Site Scripting via 'page'

Affected Software: Ultimate Addons for Contact Form 7
CVE ID: CVE-2023-30493
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d857324c-94c9-471a-9da8-0b8c9bb50262>


Order Tracking Pro <= 3.3.6 - Reflected Cross-Site Scripting

Affected Software: Order Tracking – WordPress Status Tracking Plugin
CVE ID: CVE-2023-4471
CVSS Score: 6.1 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ed64d0ff-4f49-4c18-86ec-2c6fbd559d2e>


WP Bannerize Pro <= 1.6.9 - Reflected Cross-Site Scripting

Affected Software: WP Bannerize Pro
CVE ID: CVE-2023-41663
CVSS Score: 6.1 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/edc35f8c-f916-433e-9d3f-4992e8c9d7cd>


WP Search Analytics <= 1.4.7 - Reflected Cross-Site Scripting via 'render_stats_page'

Affected Software: WP Search Analytics
CVE ID: CVE-2023-30471
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f6433a17-0017-46a9-a8e6-4d4a4a55f2db>


PowerPress <= 11.0.6 - Authenticated (Contributor+) Server-Side Request Forgery via wp_ajax_powerpress_media_info

Affected Software: PowerPress Podcasting plugin by Blubrry
CVE ID: CVE-2023-41239
CVSS Score: 5.4 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/031c31b2-6e27-47bb-9f63-2bbaa1edbbb2>


Site Reviews <= 6.10.2 - Missing Authorization

Affected Software: Site Reviews
CVE ID: CVE Unknown
CVSS Score: 5.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/1accc41e-41d2-49e3-a80a-6b95b02cb42e>


Responsive Gallery Grid <= 2.3.10 - Cross-Site Request Forgery

Affected Software: Responsive Gallery Grid
CVE ID: CVE-2023-41659
CVSS Score: 5.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/3abe2de8-9127-4ef0-9194-cf331b20868a>


LuckyWP Scripts Control <= 1.2.1 - Missing Authorization via multiple AJAX actions

Affected Software: LuckyWP Scripts Control
CVE ID: CVE-2023-29239
CVSS Score: 5.4 (Medium)
Researcher/s: Elliot
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/3ed93c5c-38bb-4e84-8fe8-03dd75b4d9f3>


Maintenance Switch <= 1.5.2 - Cross-Site Request Forgery via 'admin_action_request'

Affected Software: Maintenance Switch
CVE ID: CVE-2023-29235
CVSS Score: 5.4 (Medium)
Researcher/s: Elliot
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6f14f19d-95b3-474b-a2ea-d846c85644cd>


Simple 301 Redirects <= 2.0.7 - Cross-Site Request Forgery via 'clicked'

Affected Software: Simple 301 Redirects by BetterLinks
CVE ID: CVE Unknown
CVSS Score: 5.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/9945c85b-a97a-4ad0-9d0a-69faf157563a>


Surfer <= 1.1.2.298 - Missing Authorization

Affected Software: Surfer – WordPress Plugin
CVE ID: CVE-2023-35037
CVSS Score: 5.4 (Medium)
Researcher/s: Jonas Höbenreich
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c06f9f6d-3cd0-4700-834b-435a99983453>


Pricing Deals for WooCommerce <= 2.0.3.2 - Missing Authorization via vtprd_ajax_clone_rule

Affected Software: Pricing Deals for WooCommerce
CVE ID: CVE-2023-41240
CVSS Score: 5.3 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/1101bfe6-2075-4f44-933b-6d9f372100a2>


Ovic Product Bundle <= 1.1.2 - Missing Authorization

Affected Software: Ovic Product Bundle
CVE ID: CVE-2023-41649
CVSS Score: 5.3 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5657ffe2-7d04-4834-bcec-ab6afaeda7df>


Multiple ServMask Plugins <= (Various Versions) - Missing Authorization to Access Token Update

Affected Software/s: All-in-One WP Migration Dropbox Extension, All-in-One WP Migration OneDrive Extension, All-in-One WP Migration Google Drive Extension, All-in-One WP Migration Box Extension
CVE ID: CVE-2023-40004
CVSS Score: 5.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/86bb44f0-142d-4c4e-8fc5-a50526118130>


Localize Remote Images <= 1.0.9 - Cross-Site Request Forgery via admin menu

Affected Software: Localize Remote Images
CVE ID: CVE-2023-41244
CVSS Score: 5.3 (Medium)
Researcher/s: Lokesh Dachepalli
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ab96123e-17aa-461f-b460-e8eba82c78e1>


Multi-column Tag Map <= 17.0.26 - Missing Authorization

Affected Software: Multi-column Tag Map
CVE ID: CVE-2023-41651
CVSS Score: 5.3 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d2a60cb2-fe7d-4c51-9995-5cb4682d9d26>


Activity Log <= 2.8.7 - IP Address Spoofing

Affected Software: Activity Log
CVE ID: CVE-2023-4281
CVSS Score: 5.3 (Medium)
Researcher/s: Bartłomiej Marek, Tomasz Swiadek
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/de821236-f878-46a4-9265-bcf6e8661910>


Order Tracking Pro <= 3.3.6 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Order Tracking – WordPress Status Tracking Plugin
CVE ID: CVE-2023-4500
CVSS Score: 4.7 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/81f9a4c6-971f-4f6d-8bb1-e97bf75cf8d3>


GuruWalk Affiliates <= 1.0.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

Affected Software: GuruWalk Affiliates
CVE ID: CVE-2023-27622
CVSS Score: 4.4 (Medium)
Researcher/s: Pavitra Tiwari
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/2b2714f7-9877-4d3d-a692-70fbf8584728>


SureCart <= 2.5.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

Affected Software: WordPress Ecommerce For Creating Fast Online Stores – By SureCart
CVE ID: CVE-2023-41241
CVSS Score: 4.4 (Medium)
Researcher/s: emad
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/416c13ff-15ae-4ba4-8a95-7c07bec75c22>


Smarty for WordPress <= 3.1.35 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Smarty for WordPress
CVE ID: CVE-2023-41661
CVSS Score: 4.4 (Medium)
Researcher/s: Prasanna V Balaji
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/498a10a1-8da6-4309-833f-950f6442d5ae>


WP GoToWebinar <= 14.45 - Authenticated (Administrator+) Cross-Site Scripting

Affected Software: WP GoToWebinar
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/4a7b32f5-5d27-4f5a-89f3-abf4f8da79e4>


HollerBox <= 2.3.2 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Fast & Effective Popups & Lead-Generation for WordPress – HollerBox
CVE ID: CVE-2023-41657
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5c76871e-b774-4284-ad00-f8ef7f6df389>


Popup Builder <= 4.1.15 - Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: Popup Builder – Create highly converting, mobile friendly marketing popups.
CVE ID: CVE-2023-3226
CVSS Score: 4.4 (Medium)
Researcher/s: Dipak Panchal
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7f97af51-1532-4034-8b2a-8356b65cb617>


Snap Pixel <= 1.5.7 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Snap Pixel
CVE ID: CVE-2023-41242
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c37686f8-6bd7-4c06-b80a-7d6849bbc7b0>


Easy Coming Soon <= 2.3 - Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

Affected Software: Easy Coming Soon
CVE ID: CVE-2023-25483
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e46139c8-dd7e-4904-81b2-283952cea9b5>


Popup Box <= 3.7.1 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Popup box
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e6dbbb52-4202-4d69-837f-c7d5ca06fab5>


WP Users Media <= 4.2.3 - Cross-Site Request Forgery in wpusme_save_settings

Affected Software: WP Users Media
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Zlrqh
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/07a82335-d738-4c14-b385-04843f12e4ef>


Metform Elementor Contact Form Builder <= 3.3.1 - Authenticated (Subscriber+) Information Disclosure via 'mf_first_name' shortcode

Affected Software: Metform Elementor Contact Form Builder
CVE ID: CVE-2023-0689
CVSS Score: 4.3 (Medium)
Researcher/s: Ramuel Gall
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/356cf06e-16e7-438b-83b5-c8a52a21f903>


Social Share Boost <= 4.5 - Cross-Site Request Forgery via 'syntatical_settings_content'

Affected Software: Social Share Boost
CVE ID: CVE-2023-25033
CVSS Score: 4.3 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/53a265b8-e34c-4683-a653-4b4b2410e9de>


Better Elementor Addons <= 1.3.5 - Missing Authorization

Affected Software: Better Elementor Addons
CVE ID: CVE-2023-41656
CVSS Score: 4.3 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5a628eef-937c-4391-afac-22128ec5b51c>


WP Users Media <= 4.2.3 - Missing Authorization via wpusme_save_settings

Affected Software: WP Users Media
CVE ID: CVE-2023-27428
CVSS Score: 4.3 (Medium)
Researcher/s: Zlrqh
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/8e125188-4aff-4c64-b4ec-a363db2431b7>


WP Super Minify <= 1.5.1 - Cross-Site Request Forgery via 'wpsmy_admin_options'

Affected Software: WP Super Minify
CVE ID: CVE-2023-27615
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/af59fcf6-4435-45f0-8904-ff520ea86157>


Remove/hide Author, Date, Category Like Entry-Meta <= 2.1 - Cross-Site Request Forgery

Affected Software: Remove/hide Author, Date, Category Like Entry-Meta
CVE ID: CVE-2023-41650
CVSS Score: 4.3 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/cd0abdf2-24da-4e87-825b-0796af6c3ccd>


MakeStories (for Google Web Stories) <= 2.8.0 - Cross-Site Request Forgery via 'ms_set_options'

Affected Software: MakeStories (for Google Web Stories)
CVE ID: CVE-2023-27448
CVSS Score: 4.3 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d9f7130d-883a-4db4-9edf-f5526724de11>


AffiliateWP <= 2.14.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Activation

Affected Software: AffiliateWP
CVE ID: CVE-2023-4600
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/eab422b8-8cf5-441e-a21f-6a0e1b7642b2>


authLdap <= 2.5.8 - Cross-Site Request Forgery

Affected Software: authLdap
CVE ID: CVE-2023-41654
CVSS Score: 4.3 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/eddce6e0-2ea7-4980-97a7-857b2e1e3b69>


WP Migration Plugin DB & Files – WP Synchro <= 1.9.1 - Cross-Site Request Forgery

Affected Software: WP Synchro – WordPress Migration Plugin for Database & Files
CVE ID: CVE-2023-41660
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f1b6f041-5ea6-48ca-9ca7-4ce96cbfa275>


authLdap <= 2.5.8 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: authLdap
CVE ID: CVE-2023-41655
CVSS Score: 3.3 (Low)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5b91ad8b-79ec-4ef7-bb39-edb06309da5e>


FileOrganizer <= 1.0.2 - Authenticated (Admin+) Arbitrary File Access

Affected Software: FileOrganizer – Manage WordPress and Website Files
CVE ID: CVE-2023-3664
CVSS Score: 2.7 (Low)
Researcher/s: Dmitrii
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/11c9124d-80e0-435d-9eb4-901c4f481a6f>


As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence's highly credentialed and experienced vulnerability researchers through in-house vulnerability research, submissions from vulnerability researchers using our CVE Request form, and monitoring of various sources to capture all publicly available WordPress vulnerability information, adding additional context where we can.

Click here to sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (August 28, 2023 to September 3, 2023) appeared first on Wordfence.
