Wordfence Intelligence Weekly WordPress Vulnerability Report (September 4, 2023 to September 10, 2023)

Chloe Chamberland, www.wordfence.com, September 14, 2023 (2:16 p.m.)
Scoring metadata attached to this page:

CVSS v3.1: 9.8 High, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
(Attack Vector: NETWORK, Attack Complexity: LOW, Privileges Required: NONE, User Interaction: NONE, Scope: UNCHANGED, Confidentiality/Integrity/Availability Impact: HIGH)

CVSS v2: 7.5 High, AV:N/AC:L/Au:N/C:P/I:P/A:P
(Access Vector: NETWORK, Access Complexity: LOW, Authentication: NONE, Confidentiality/Integrity/Availability Impact: PARTIAL)

EPSS: 0.057 (Low), percentile 92.4%

Last week, 107 vulnerabilities disclosed in 89 WordPress plugins and 5 WordPress themes were added to the Wordfence Intelligence Vulnerability Database, and 36 vulnerability researchers contributed to WordPress security. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, including the WordPress community, so that individuals and organizations alike can use that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API and webhook notifications are completely free to access and use, both personally and commercially, and why we run this weekly vulnerability report.

_Click here to sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress security reports in your inbox the moment they are published._


New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.


Total Unpatched & Patched Vulnerabilities Last Week

| Patch Status | Number of Vulnerabilities |
|---|---|
| Unpatched | 44 |
| Patched | 63 |

Total Vulnerabilities by CVSS Severity Last Week

| Severity Rating | Number of Vulnerabilities |
|---|---|
| Low Severity | 2 |
| Medium Severity | 89 |
| High Severity | 11 |
| Critical Severity | 5 |

Total Vulnerabilities by CWE Type Last Week

| Vulnerability Type by CWE | Number of Vulnerabilities |
|---|---|
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 35 |
| Cross-Site Request Forgery (CSRF) | 31 |
| Missing Authorization | 24 |
| Unrestricted Upload of File with Dangerous Type | 3 |
| Authorization Bypass Through User-Controlled Key | 2 |
| Deserialization of Untrusted Data | 2 |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 2 |
| External Control of File Name or Path | 1 |
| Improper Input Validation | 1 |
| Server-Side Request Forgery (SSRF) | 1 |
| Improper Privilege Management | 1 |
| Improper Neutralization of Formula Elements in a CSV File | 1 |
| Improper Encoding or Escaping of Output | 1 |
| Information Exposure | 1 |
| Improper Authorization | 1 |

Researchers That Contributed to WordPress Security Last Week

| Researcher Name | Number of Vulnerabilities |
|---|---|
| Rio Darmawan | 11 |
| Mika | 10 |
| Abdi Pranata | 10 |
| Rafshanzani Suhada | 7 |
| thiennv | 5 |
| yuyudhn | 4 |
| Rafie Muhammad | 4 |
| LEE SE HYOUNG | 3 |
| Le Ngoc Anh | 3 |
| NGÔ THIÊN AN | 3 |
| Nguyen Xuan Chien | 3 |
| Marco Wotschka (Wordfence Vulnerability Researcher) | 2 |
| Revan Arifio | 2 |
| Lana Codes (Wordfence Vulnerability Researcher) | 2 |
| Skalucy | 2 |
| Elliot | 2 |
| FearZzZz | 2 |
| qilin_99 | 2 |
| Pepitoh | 1 |
| Shuning Xu | 1 |
| deokhunKim | 1 |
| DoYeon Park | 1 |
| spacecroupier | 1 |
| Nguyen Anh Tien | 1 |
| Debangshu Kundu | 1 |
| Arpeet Rathi | 1 |
| Ravi Dharmawan | 1 |
| Theodoros Malachias | 1 |
| Alexander Concha | 1 |
| Pedro José Navas Pérez | 1 |
| Alex Sanford | 1 |
| emad | 1 |
| Emili Castells | 1 |
| Pavitra Tiwari | 1 |
| Alex Concha | 1 |
| László Radnai | 1 |

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.


WordPress Plugins with Reported Vulnerabilities Last Week

| Software Name | Software Slug |
|---|---|
| AcyMailing – Newsletter & mailing automation for WordPress | acymailing |
| All in One B2B for WooCommerce | all-in-one-b2b-for-woocommerce |
| Analytify – Google Analytics Dashboard For WordPress (GA4 made easy) | wp-analytify |
| Auto Amazon Links – Amazon Associates Affiliate Plugin | amazon-auto-links |
| Automatic YouTube Gallery | automatic-youtube-gallery |
| Back To The Top Button | back-to-the-top-button |
| BackupBliss – Backup Migration Staging | backup-backup |
| BitPay Checkout for WooCommerce | bitpay-checkout-for-woocommerce |
| Bulk NoIndex & NoFollow Toolkit | bulk-noindex-nofollow-toolkit-by-mad-fish |
| CP Blocks | cp-blocks |
| Carousel Slider | carousel-slider |
| Click To Tweet | click-to-tweet |
| Contact Form Plugin – Fastest Contact Form Builder Plugin for WordPress by Fluent Forms | fluentform |
| Cookie Notice & Consent | cookie-notice-consent |
| Customizable WordPress Gallery Plugin – Modula Image Gallery | modula-best-grid-gallery |
| Directorist – WordPress Business Directory Plugin with Classified Ads Listings | directorist |
| Duplicate Post Page Menu & Custom Post Type | duplicate-post-page-menu-custom-post-type |
| EWWW Image Optimizer | ewww-image-optimizer |
| Easy Form by AYS | easy-form |
| Easy WP Cleaner | easy-wp-cleaner |
| Email posts to subscribers | email-posts-to-subscribers |
| EmbedPress – Embed PDF, YouTube, Google Docs, Vimeo, Wistia Videos, Audios, Maps & Any Documents in Gutenberg & Elementor | embedpress |
| Export Import Menus | export-import-menus |
| Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder | form-maker |
| Goods Catalog | goods-catalog |
| Hide admin notices – Admin Notification Center | wp-admin-notification-center |
| Insert Estimated Reading Time | insert-estimated-reading-time |
| Laposta Signup Basic | laposta-signup-basic |
| Laposta Signup Embed | laposta-signup-embed |
| Leadster | leadster-marketing-conversacional |
| Live News | live-news-lite |
| Locations | locations |
| MailMunch – Grow your Email List | mailmunch |
| Media Library Assistant | media-library-assistant |
| My Account Page Editor | my-account-page-editor |
| MyCryptoCheckout – Bitcoin, Ethereum, and 100+ altcoins for WooCommerce | mycryptocheckout |
| Notice Bar | notice-bar |
| Order Delivery Date for WP e-Commerce | order-delivery-date |
| Outbound Link Manager | outbound-link-manager |
| POEditor | poeditor |
| Paid Membership Plugin, Ecommerce, Registration Form, Login Form, User Profile & Restrict Content – ProfilePress | wp-user-avatar |
| PeproDev CF7 Database | pepro-cf7-database |
| Poll Maker – Best WordPress Poll Plugin | poll-maker |
| Premium Starter Templates | astra-pro-sites |
| RSVPMaker | rsvpmaker |
| Realbig For WordPress | realbig-media |
| Regpack | regpack |
| Rescue Shortcodes | rescue-shortcodes |
| Restrict – membership, site, content and user access restrictions for WordPress | restricted-content |
| SAML Single Sign On – SSO Login Standard | miniorange-saml-20-single-sign-on |
| SIS Handball | sis-handball |
| SendPress Newsletters | sendpress |
| Simple Download Counter | simple-download-counter |
| Simple Membership | simple-membership |
| Slider Pro | sliderpro |
| Social Share, Social Login and Social Comments Plugin – Super Socializer | super-socializer |
| Staff / Employee Business Directory for Active Directory | ldap-ad-staff-employee-directory-search |
| StagTools | stagtools |
| Starter Templates — Elementor, WordPress & Beaver Builder Templates | astra-sites |
| Stock Quotes List | stock-quotes-list |
| Sunshine Photo Cart | sunshine-photo-cart |
| Swifty Bar, sticky bar by WPGens | swifty-bar |
| TelSender – Сontact form 7, Events, Wpforms and wooccommerce to telegram bot | telsender |
| Tilda Publishing | tilda-publishing |
| Travel Map | travelmap-blog |
| UniConsent CMP for GDPR CPRA GPP TCF | uniconsent-cmp |
| Use Memcached | use-memcached |
| User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds | userfeedback-lite |
| User Submitted Posts – Enable Users to Submit Posts from the Front End | user-submitted-posts |
| VS Contact Form | very-simple-contact-form |
| WP Accessibility Helper (WAH) | wp-accessibility-helper |
| WP Crowdfunding | wp-crowdfunding |
| WP Custom Post Template | wp-custom-post-template |
| WP Directory Kit | wpdirectorykit |
| WP Gallery Metabox | wp-gallery-metabox |
| WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts | wedevs-project-manager |
| WP iCal Availability | wp-ical-availability |
| WP-dTree | wp-dtree-30 |
| WRC Pricing Tables – WordPress Responsive CSS3 Pricing Tables | wrc-pricing-tables |
| WiserNotify Social Proof & FOMO Notification, WooCommerce Sales Popup, Review Popups, Notification Bars & Urgency Widgets | wiser-notify |
| WooCommerce PensoPay | woo-pensopay |
| Woocommerce Support System | wc-support-system |
| WordPress Classifieds Plugin – Ad Directory & Listings by AWP Classifieds | another-wordpress-classifieds-plugin |
| WordPress File Sharing Plugin | user-private-files |
| WordPress Social Login | wordpress-social-login |
| iFolders – Ultimate Folder Manager for Media, Pages, Posts & etc | ifolders |
| rtMedia for WordPress, BuddyPress and bbPress | buddypress-media |
| wordpress publish post email notification | publish-post-email-notification |
| wpCentral | wp-central |

WordPress Themes with Reported Vulnerabilities Last Week

| Software Name | Software Slug |
|---|---|
| Attorney | attorney |
| Flatsome | flatsome |
| Raise Mag | raise-mag |
| Wishful Blog | wishful-blog |
| Woodmart | woodmart |

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities.
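For sites without the scanner, the same check can be done by hand from a plugin inventory. The script below is an added example, not part of the original report and not Wordfence's own code. It takes an inventory in the shape of `wp plugin list --format=json` output (the field names `name`, `status` and `version` are assumed; `name` is the plugin slug), compares each installed version against the inclusive "<= last affected version" ranges of a few entries transcribed from this report, and orders versions the way PHP's `version_compare()` does, which is the ordering WordPress core itself applies to plugin version strings. The sample inventory is constructed for illustration and the `ADVISORIES` rows are copied from the entries below.

```python
import json
import re
import sys
from typing import Dict, List, Optional, Tuple

# Rows transcribed from the "Vulnerability Details" entries of this report:
# (plugin slug, last affected version, title, CVE or None, CVSS, patch status).
# Every range in the report is "<= last affected version", so equality counts as affected.
ADVISORIES: List[Tuple[str, str, str, Optional[str], float, str]] = [
    ("media-library-assistant", "3.09", "Unauthenticated Local/Remote File Inclusion & Remote Code Execution", "CVE-2023-4634", 9.8, "Patched"),
    ("rsvpmaker", "10.6.6", "Unauthenticated PHP Object Injection", "CVE-2023-25054", 9.8, "Patched"),
    ("all-in-one-b2b-for-woocommerce", "1.0.3", "Unauthenticated Privilege Escalation", "CVE-2023-4703", 9.8, "Unpatched"),
    ("form-maker", "1.15.19", "Unauthenticated Arbitrary File Upload", None, 9.8, "Patched"),
    ("wedevs-project-manager", "2.6.0", "Authenticated (Subscriber+) SQL Injection", "CVE-2023-34383", 8.8, "Patched"),
    ("export-import-menus", "1.8.0", "Authenticated (Contributor+) Arbitrary File Upload", "CVE-2023-34385", 8.8, "Unpatched"),
]

# Constructed sample inventory, in the shape of `wp plugin list --format=json` (assumed field names).
SAMPLE_INVENTORY: List[Dict[str, str]] = [
    {"name": "media-library-assistant", "status": "active", "version": "3.09"},
    {"name": "rsvpmaker", "status": "active", "version": "10.6.7"},
    {"name": "all-in-one-b2b-for-woocommerce", "status": "inactive", "version": "1.0.2"},
    {"name": "form-maker", "status": "active", "version": "1.15.19RC1"},
    {"name": "wedevs-project-manager", "status": "active", "version": "2.6.0"},
    {"name": "akismet", "status": "active", "version": "5.3"},
]

# PHP's special version forms (dev < alpha < beta < RC < numeric < pl), matched by prefix in this order.
_SPECIAL = [("dev", 0), ("alpha", 1), ("a", 1), ("beta", 2), ("b", 2),
            ("RC", 3), ("rc", 3), ("#", 4), ("pl", 5), ("p", 5)]


def _sign(x: int) -> int:
    return (x > 0) - (x < 0)


def _special_order(part: str) -> int:
    for name, order in _SPECIAL:
        if part.startswith(name):
            return order
    return -1  # unknown text sorts below everything, as in PHP


def canonicalize(version: str) -> List[str]:
    """Split a version the way PHP does: '-', '_', '+' become '.', and a '.' is
    inserted at every digit/non-digit boundary ("1.15.19RC1" -> 1.15.19.RC.1)."""
    v = re.sub(r"[-_+]", ".", version.strip())
    v = re.sub(r"(?<=\d)(?=[^\d.])|(?<=[^\d.])(?=\d)", ".", v)
    return [p for p in v.split(".") if p]


def _cmp_part(a: Optional[str], b: Optional[str]) -> int:
    # None marks the missing trailing part of the shorter version: a trailing number makes
    # the longer version newer ("1.0" < "1.0.1"), a trailing RC/beta makes it older.
    if a is None and b is None:
        return 0
    if a is None:
        return -1 if b.isdigit() else _sign(_special_order("#") - _special_order(b))
    if b is None:
        return 1 if a.isdigit() else _sign(_special_order(a) - _special_order("#"))
    if a.isdigit() and b.isdigit():
        return _sign(int(a) - int(b))  # numeric parts: "09" == "9", "09" < "10"
    oa = _special_order("#") if a.isdigit() else _special_order(a)
    ob = _special_order("#") if b.isdigit() else _special_order(b)
    return _sign(oa - ob)


def version_compare(v1: str, v2: str) -> int:
    """-1, 0 or 1 with the same ordering as PHP's version_compare()."""
    p1, p2 = canonicalize(v1), canonicalize(v2)
    for i in range(max(len(p1), len(p2))):
        c = _cmp_part(p1[i] if i < len(p1) else None, p2[i] if i < len(p2) else None)
        if c:
            return c
    return 0


def is_affected(installed: str, last_affected: str) -> bool:
    return version_compare(installed, last_affected) <= 0


def triage(inventory: List[Dict[str, str]], advisories=ADVISORIES) -> List[Dict]:
    """One finding per installed plugin inside an advisory's range, worst CVSS first.
    Inactive plugins are flagged too: their files stay on disk and may still be reachable."""
    by_slug = {p["name"]: p for p in inventory}
    findings = []
    for slug, last_affected, title, cve, cvss, status in advisories:
        plugin = by_slug.get(slug)
        if plugin is None or not is_affected(plugin["version"], last_affected):
            continue
        findings.append({
            "slug": slug, "installed": plugin["version"], "last_affected": last_affected,
            "title": title, "cve": cve or "CVE Unknown", "cvss": cvss, "patch_status": status,
            "active": plugin["status"] == "active",
            "action": "update now" if status == "Patched" else "no fix available: deactivate and delete",
        })
    findings.sort(key=lambda f: (-f["cvss"], f["slug"]))
    return findings


if __name__ == "__main__":
    # Usage: wp plugin list --format=json > plugins.json && python triage.py plugins.json
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            inventory = json.load(fh)
    else:
        inventory = SAMPLE_INVENTORY
    for f in triage(inventory):
        state = "active" if f["active"] else "inactive"
        print(f'{f["cvss"]:>4} {f["slug"]} {f["installed"]} (<= {f["last_affected"]}, {state}) '
              f'{f["cve"]}: {f["title"]} -> {f["action"]}')
```

Two details matter when doing this by hand: the report's ranges are inclusive, so an installed version equal to the last affected version is a hit, and `3.09` and `3.9` compare equal under these rules while `3.09` sorts below `3.10`, so a plain string comparison would give wrong answers in both directions. Entries marked Unpatched (the All in One B2B for WooCommerce privilege escalation, for instance) have no fixed version to move to, which is why the script's only recommendation for them is removal.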

Media Library Assistant <= 3.09 - Unauthenticated Local/Remote File Inclusion & Remote Code Execution

Affected Software: Media Library Assistant
CVE ID: CVE-2023-4634
CVSS Score: 9.8 (Critical)
Researcher/s: Pepitoh
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/05c68377-feb6-442d-a3a0-1fbc246c7cbf>


RSVPMaker <= 10.6.6 - Unauthenticated PHP Object Injection

Affected Software: RSVPMaker
CVE ID: CVE-2023-25054
CVSS Score: 9.8 (Critical)
Researcher/s: Ravi Dharmawan
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/647cc71d-4d3a-4722-b498-baaee2450809>


All in One B2B for WooCommerce <= 1.0.3 - Unauthenticated Privilege Escalation

Affected Software: All in One B2B for WooCommerce
CVE ID: CVE-2023-4703
CVSS Score: 9.8 (Critical)
Researcher/s: Alexander Concha
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/aab3016d-5834-4b4a-a206-0b626884b335>


Flatsome <= 3.17.5 - Unauthenticated PHP Object Injection

Affected Software: Flatsome
CVE ID: CVE-2023-40555
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/bfc4863a-1b8c-4b13-9df1-18f221b40b26>


Form Maker by 10Web <= 1.15.19 - Unauthenticated Arbitrary File Upload

Affected Software: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder
CVE ID: CVE Unknown
CVSS Score: 9.8 (Critical)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c691d129-35db-4de8-a28e-5e77347e2280>


WP Project Manager <= 2.6.0 - Authenticated (Subscriber+) SQL Injection

Affected Software: WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts
CVE ID: CVE-2023-34383
CVSS Score: 8.8 (High)
Researcher/s: Theodoros Malachias
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/79dabaa6-d907-4fa6-bc6f-f28f39578256>


Export Import Menus <= 1.8.0 - Authenticated (Contributor+) Arbitrary File Upload

Affected Software: Export Import Menus
CVE ID: CVE-2023-34385
CVSS Score: 8.8 (High)
Researcher/s: Emili Castells
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d74efb03-4a1c-4163-bd79-ef17975a609e>


My Account Page Editor <= 1.3.1 - Authenticated (Subscriber+) Arbitrary File Upload

Affected Software: My Account Page Editor
CVE ID: CVE-2023-4536
CVSS Score: 8.8 (High)
Researcher/s: Alex Concha
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f87b6987-8896-4edf-9b14-8582426adeb0>


ProfilePress <= 4.13.2 - Limited Privilege Escalation via 'acceptable_defined_roles'

Affected Software: Paid Membership Plugin, Ecommerce, Registration Form, Login Form, User Profile & Restrict Content – ProfilePress
CVE ID: CVE Unknown
CVSS Score: 7.3 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5b2840ee-3b48-415e-9bed-d34d0b6e36d7>


Woocommerce Support System <= 1.2.0 - Missing Authorization

Affected Software: Woocommerce Support System
CVE ID: CVE-2023-41686
CVSS Score: 7.3 (High)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/8004a306-4c8f-40e9-accc-a12d65b5f2f9>


Woocommerce Support System <= 1.2.0 - Authenticated (Administrator+) SQL Injection via 'orderby'

Affected Software: Woocommerce Support System
CVE ID: CVE-2023-41685
CVSS Score: 7.2 (High)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/efab7ec7-7143-4556-8d68-4a7e34f46e9e>


Travel Map <= 1.0.1 - Unauthenticated Cross-Site Scripting

Affected Software: Travel Map
CVE ID: CVE-2023-41860
CVSS Score: 7.2 (High)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/3f04a742-56be-42e9-9080-2131c6e98325>


Click To Tweet <= 2.0.14 - Unauthenticated Cross-Site Scripting

Affected Software: Click To Tweet
CVE ID: CVE-2023-41856
CVSS Score: 7.2 (High)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b5031140-9a48-43da-b946-00ce9c70258b>


PeproDev CF7 Database <= 1.7.0 - Unauthenticated Stored Cross-Site Scripting via form submission

Affected Software: PeproDev CF7 Database
CVE ID: CVE-2023-41863
CVSS Score: 7.2 (High)
Researcher/s: FearZzZz
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c7a7df90-a542-48cf-a58e-bcbddc978df2>


Simple Membership <= 4.3.5 - Reflected Cross-Site Scripting

Affected Software: Simple Membership
CVE ID: CVE-2023-4719
CVSS Score: 7.2 (High)
Researcher/s: FearZzZz
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e4b10172-7e54-4ff8-9fbb-41d160ce49e4>


User Feedback <= 1.0.7 - Unauthenticated Stored Cross-Site Scripting

Affected Software: User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds
CVE ID: CVE-2023-39308
CVSS Score: 7.2 (High)
Researcher/s: Revan Arifio
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f9e45bc2-6db6-49cd-8a4a-58489a8ddac2>


All in One B2B for WooCommerce <= 1.0.3 - Cross-Site Request Forgery

Affected Software: All in One B2B for WooCommerce
CVE ID: CVE-2023-3547
CVSS Score: 6.5 (Medium)
Researcher/s: Alex Sanford
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/bd53bc57-b10e-47a7-8c10-96bf1f1e82a5>


Auto Amazon Links <= 5.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via style

Affected Software: Auto Amazon Links – Amazon Associates Affiliate Plugin
CVE ID: CVE-2023-4482
CVSS Score: 6.4 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/11ffb8a1-55d2-44c5-bcd2-ba866b94e8bc>


Goods Catalog <= 2.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Goods Catalog
CVE ID: CVE-2023-41687
CVSS Score: 6.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/21542a9e-efa2-4655-b076-d282e3678fdf>


Rescue Shortcodes <= 2.5 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Rescue Shortcodes
CVE ID: CVE-2023-41728
CVSS Score: 6.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6a11e7c9-f565-4a8c-895f-425c6654b5a9>


Starter Templates <= 3.2.4 - Authenticated (Contributor+) Server-Side Request Forgery

Affected Software/s: Starter Templates — Elementor, WordPress & Beaver Builder Templates, Premium Starter Templates
CVE ID: CVE-2023-41804
CVSS Score: 6.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6e0bdbba-2b67-42b9-8c26-115d472aed0e>


Simple Download Counter <= 1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Simple Download Counter
CVE ID: CVE-2023-4838
CVSS Score: 6.4 (Medium)
Researcher/s: NGÔ THIÊN AN
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/aa5f7f2a-c7b7-4339-a608-51fd684c18bf>


User Submitted Posts <= 20230901 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: User Submitted Posts – Enable Users to Submit Posts from the Front End
CVE ID: CVE-2023-41696
CVSS Score: 6.4 (Medium)
Researcher/s: NGÔ THIÊN AN
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b7fca965-86f8-4ee4-a9d6-cb18fe5f098e>


WordPress Social Login <= 3.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: WordPress Social Login
CVE ID: CVE-2023-4773
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b987822d-2b1b-4f79-988b-4bd731864b63>


User Submitted Posts – Enable Users to Submit Posts from the Front End <= 20230811 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: User Submitted Posts – Enable Users to Submit Posts from the Front End
CVE ID: CVE-2023-4779
CVSS Score: 6.4 (Medium)
Researcher/s: NGÔ THIÊN AN
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d21ca709-183f-4dd1-849c-f1b2a4f7ec43>


Notice Bar <= 3.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Notice Bar
CVE ID: CVE-2023-41847
CVSS Score: 6.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/defc5b5a-243d-4564-a9f8-3ecf3538129b>


Locations <= 4.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Locations
CVE ID: CVE-2023-41797
CVSS Score: 6.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/fe10acf6-2649-4e85-abd1-b6840169eb41>


Attorney <= 3 - Reflected Cross-Site Scripting

Affected Software: Attorney
CVE ID: CVE-2023-41692
CVSS Score: 6.1 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/026443b6-4ab5-4f31-8a8d-2019097bde4c>


Restrict <= 2.2.4 - Reflected Cross-Site Scripting

Affected Software: Restrict – membership, site, content and user access restrictions for WordPress
CVE ID: CVE-2023-41861
CVSS Score: 6.1 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/62029ce5-ab97-4594-93e6-469ef5692320>


WooCommerce PensoPay <= 6.3.1 - Reflected Cross-Site Scripting via 'pensopay_action'

Affected Software: WooCommerce PensoPay
CVE ID: CVE-2023-41691
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6845b506-3d38-47f6-9348-d7931e65707a>


WoodMart <= 7.2.4 - Reflected Cross-Site Scripting

Affected Software: Woodmart
CVE ID: CVE-2023-41872
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6fc92b8f-6794-461a-b6b6-598de21f5e2d>


AcyMailing SMTP Newsletter <= 8.6.2 - Reflected Cross-Site Scripting

Affected Software: AcyMailing – Newsletter & mailing automation for WordPress
CVE ID: CVE-2023-41867
CVSS Score: 6.1 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/9f82ec7c-72a0-4c3b-8041-c6ad080a48f1>


Stagtools <= 2.3.7 - Reflected Cross-Site Scripting

Affected Software: StagTools
CVE ID: CVE-2023-41868
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ca09ce0d-3989-420d-9457-f0acd709cc6b>


Poll Maker <= 4.7.0 - Reflected Cross-Site Scripting

Affected Software: Poll Maker – Best WordPress Poll Plugin
CVE ID: CVE-2023-41871
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/faad9cf7-5d83-4ade-b121-c38fb0de78a5>


Wishful Blog <= 2.0.1 & Raise Mag <= 1.0.7 - Unauthenticated Cross-Site Scripting

Affected Software/s: Raise Mag, Wishful Blog
CVE ID: CVE-2023-28621
CVSS Score: 6.1 (Medium)
Researcher/s: László Radnai
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/fb33f779-d045-48dd-babe-8b1fab903124>


Stock Quotes List <= 2.9.9 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Stock Quotes List
CVE ID: CVE-2023-41666
CVSS Score: 5.4 (Medium)
Researcher/s: deokhunKim
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/1dffbb2d-69d1-495c-8c96-64c5fd878fcd>


Tilda Publishing <= 0.3.21 - Missing Authorization

Affected Software: Tilda Publishing
CVE ID: CVE-2023-31234
CVSS Score: 5.4 (Medium)
Researcher/s: spacecroupier
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/4a992bb2-67b9-48db-a536-c3af79e93af4>


Staff / Employee Business Directory for Active Directory <= 1.2.1 - Insufficient Escaping of Stored LDAP Values

Affected Software: Staff / Employee Business Directory for Active Directory
CVE ID: CVE-2023-4757
CVSS Score: 5.4 (Medium)
Researcher/s: Pedro José Navas Pérez
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b1355e9f-fa3a-439a-a13f-49b10dd4473a>


Easy WP Cleaner <= 1.9 - Cross-Site Request Forgery

Affected Software: Easy WP Cleaner
CVE ID: CVE-2023-41697
CVSS Score: 5.4 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c4c2689d-be51-4907-b624-c85da39f545d>


Contact Form Plugin by Fluent Forms <= 5.0.8 - Insecure Direct Object Reference

Affected Software: Contact Form Plugin – Fastest Contact Form Builder Plugin for WordPress by Fluent Forms
CVE ID: CVE-2023-41952
CVSS Score: 5.3 (Medium)
Researcher/s: Revan Arifio
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/20f31e48-0dbb-498a-a400-681cacea7c9c>


Sunshine Photo Cart <= 3.0.5 - Insecure Direct Object Reference to Order Manipulation

Affected Software: Sunshine Photo Cart CVE ID: CVE-2023-41796 CVSS Score: 5.3 (Medium) Researcher/s: yuyudhn Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/2eae7c33-2347-4b34-8b5f-7f4a6ee3e9c1&gt;


TelSender <= 1.14.7 - Missing Authorization

Affected Software: TelSender – Сontact form 7, Events, Wpforms and wooccommerce to telegram bot CVE ID: CVE-2023-41683 CVSS Score: 5.3 (Medium) Researcher/s: Abdi Pranata Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/39193ebd-005a-4497-9939-99947323a1a0&gt;


WP Directory Kit <= 1.2.6 - Missing Authorization

Affected Software: WP Directory Kit CVE ID: CVE-2023-41875 CVSS Score: 5.3 (Medium) Researcher/s: Debangshu Kundu, Arpeet Rathi Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/60083262-198d-4a7d-bb0a-717a744e20f9&gt;


Email posts to subscribers <= 6.2 - Missing Authorization to Sensitive Information Exposure

Affected Software: Email posts to subscribers CVE ID: CVE-2023-41735 CVSS Score: 5.3 (Medium) Researcher/s: Rafshanzani Suhada Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7730d670-d270-4755-bc9a-550498a28edb&gt;


WRC Pricing Tables <= 2.3.7 - Missing Authorization

Affected Software: WRC Pricing Tables – WordPress Responsive CSS3 Pricing Tables CVE ID: CVE-2023-32293 CVSS Score: 5.3 (Medium) Researcher/s: Abdi Pranata Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/823dc422-12f4-4f7d-a305-2e4db18bafdf&gt;


WiserNotify Social Proof <= 2.5 - Missing Authorization

Affected Software: WiserNotify Social Proof & FOMO Notification, WooCommerce Sales Popup, Review Popups, Notification Bars & Urgency Widgets CVE ID: CVE-2023-41690 CVSS Score: 5.3 (Medium) Researcher/s: Abdi Pranata Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/86055b1b-23a6-4e33-8818-0af58c8e6383&gt;


EWWW Image Optimizer <= 7.2.0 - Sensitive Information Exposure

Affected Software: EWWW Image Optimizer CVE ID: CVE Unknown CVSS Score: 5.3 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d7d08bfd-9861-4e21-a696-25b00233ad94&gt;


VS Contact Form <= 13.9 - Missing Authorization

Affected Software: VS Contact Form CVE ID: CVE-2023-41862 CVSS Score: 5.3 (Medium) Researcher/s: qilin_99 Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e3f665b8-fbd5-4100-baf6-3fa99332a5dc&gt;


BitPay Checkout for WooCommerce <= 4.1.0 - Missing Authorization

Affected Software: BitPay Checkout for WooCommerce CVE ID: CVE-2023-41803 CVSS Score: 5.3 (Medium) Researcher/s: Mika Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ea489c69-d4d9-4e05-8cac-25fd17d48506&gt;


UniConsent Cookie Consent CMP for GDPR / CCPA <= 1.4.2 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: UniConsent CMP for GDPR CPRA GPP TCF CVE ID: CVE-2023-41800 CVSS Score: 4.4 (Medium) Researcher/s: Rio Darmawan Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/19c9cf3e-553b-4cbd-9f2c-803e188a2581&gt;


WordPress File Sharing Plugin <= 2.0.3 - Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: WordPress File Sharing Plugin CVE ID: CVE-2023-4636 CVSS Score: 4.4 (Medium) Researcher/s: Shuning Xu Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/1df04293-87e9-4ab4-975d-54d36a993ab0&gt;


Insert Estimated Reading Time <= 1.2 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Insert Estimated Reading Time CVE ID: CVE-2023-41734 CVSS Score: 4.4 (Medium) Researcher/s: Rio Darmawan Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/45426cdd-2721-4959-8f0b-13025f775d62&gt;


Cookie Notice & Consent 1.6.0 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Cookie Notice & Consent CVE ID: CVE-2023-41948 CVSS Score: 4.4 (Medium) Researcher/s: DoYeon Park Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/489dc156-b8cb-4e08-a847-73a891398d5c&gt;


SendPress Newsletters <= 1.22.3.31 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: SendPress Newsletters CVE ID: CVE-2023-41729 CVSS Score: 4.4 (Medium) Researcher/s: yuyudhn Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5d173077-06c4-4a23-a664-0be8516053ec&gt;


Swifty Bar, sticky bar by WPGens <= 1.2.10 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Swifty Bar, sticky bar by WPGens CVE ID: CVE-2023-41737 CVSS Score: 4.4 (Medium) Researcher/s: Rio Darmawan Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/66c90387-af23-48fc-94da-708b9c223fe3&gt;


wordpress publish post email notification <= 1.0.2.2 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: wordpress publish post email notification CVE ID: CVE-2023-41731 CVSS Score: 4.4 (Medium) Researcher/s: Rio Darmawan Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/705d11b1-0924-46ae-a6e6-8fab16a4df00&gt;


iFolders <= 1.5.0 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: iFolders – Ultimate Folder Manager for Media, Pages, Posts & etc CVE ID: CVE-2023-41949 CVSS Score: 4.4 (Medium) Researcher/s: emad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d1f957ce-7bb0-4701-8b2a-522211c408d8&gt;


Order Delivery Date for WP e-Commerce <= 1.2 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Order Delivery Date for WP e-Commerce CVE ID: CVE-2023-41859 CVSS Score: 4.4 (Medium) Researcher/s: Rio Darmawan Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d74f5813-cf7a-4ffb-9306-56f29b3a7d04&gt;


Email posts to subscribers <= 6.2 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Email posts to subscribers CVE ID: CVE-2023-41736 CVSS Score: 4.4 (Medium) Researcher/s: Rafshanzani Suhada Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e818a5db-acb7-4b16-80b1-939904e93791&gt;


Back To The Top Button <= 2.1.5 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Back To The Top Button CVE ID: CVE-2023-41733 CVSS Score: 4.4 (Medium) Researcher/s: Rio Darmawan Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ed8cd92a-c791-4781-a7bc-9b2a4d559d7d&gt;


Regpack <= 0.1 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Regpack CVE ID: CVE-2023-41855 CVSS Score: 4.4 (Medium) Researcher/s: Pavitra Tiwari Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f3cdc0ba-d28f-488c-a703-f9d880f0582e&gt;


Backup Migration <= 1.2.9 - Cross-Site Request Forgery

Affected Software: BackupBliss – Backup Migration Staging CVE ID: CVE Unknown CVSS Score: 4.3 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/00274313-9079-4877-b72e-310e312aa814&gt;


Automatic YouTube Gallery <= 2.3.3 - Missing Authorization via AJAX actions

Affected Software: Automatic YouTube Gallery
CVE ID: CVE-2023-41866
CVSS Score: 4.3 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/0a58d45b-c91b-4141-992e-336650d7252b>


rtMedia for WordPress, BuddyPress and bbPress <= 4.6.14 - Missing Authorization via export_settings

Affected Software: rtMedia for WordPress, BuddyPress and bbPress
CVE ID: CVE-2023-41951
CVSS Score: 4.3 (Medium)
Researcher/s: thiennv
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/0cb5df54-a6a7-4c2e-8df0-5d050218622e>


Super Socializer <= 7.13.54 - Missing Authorization

Affected Software: Social Share, Social Login and Social Comments Plugin – Super Socializer
CVE ID: CVE-2023-41802
CVSS Score: 4.3 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/101dd211-c3eb-4d27-9194-841bc2a968e6>


Laposta Signup Embed <= 1.1.0 - Missing Authorization

Affected Software: Laposta Signup Embed
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/12b81441-d22c-4211-a8da-811182de622d>


CP Blocks <= 1.0.20 - Cross-Site Request Forgery to Settings Update

Affected Software: CP Blocks
CVE ID: CVE-2023-41732
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/35cd1788-1756-4d03-8f6f-e5e4153e3f4f>


Leadster <= 1.1.2 - Cross-Site Request Forgery

Affected Software: Leadster
CVE ID: CVE-2023-41668
CVSS Score: 4.3 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/361216af-b939-4ac1-ae06-97552d283670>


EmbedPress <= 3.8.3 - Cross-Site Request Forgery

Affected Software: EmbedPress – Embed PDF, YouTube, Google Docs, Vimeo, Wistia Videos, Audios, Maps & Any Documents in Gutenberg & Elementor
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/36ba23ea-7e79-4048-8030-7ed6b2ff45a6>


Live News <= 1.06 - Cross-Site Request Forgery

Affected Software: Live News
CVE ID: CVE-2023-41669
CVSS Score: 4.3 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/3ee59570-85c3-4394-bebb-c3f49c08be67>


WP Gallery Metabox <= 1.0.0 - Cross-Site Request Forgery

Affected Software: WP Gallery Metabox
CVE ID: CVE-2023-41876
CVSS Score: 4.3 (Medium)
Researcher/s: Skalucy
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/46c4b7f7-e3e6-46b8-b959-07775db8bb6c>


wpCentral <= 1.5.7 - Cross-Site Request Forgery

Affected Software: wpCentral
CVE ID: CVE-2023-41854
CVSS Score: 4.3 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/49d03254-7399-4a5d-9ce9-7d4736b8b2ee>


Laposta Signup Embed <= 1.1.0 - Cross-Site Request Forgery

Affected Software: Laposta Signup Embed
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/4c0cbf44-f6b4-408d-9a96-98f45d890822>


POEditor <= 0.9.4 - Cross-Site Request Forgery

Affected Software: POEditor
CVE ID: CVE-2023-32091
CVSS Score: 4.3 (Medium)
Researcher/s: Elliot
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/4e81e947-4892-4028-8a09-6a048bf6a572>


Carousel Slider <= 2.2.2 - Missing Authorization

Affected Software: Carousel Slider
CVE ID: CVE-2023-41848
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Anh Tien
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5465eaab-03c0-438a-8553-c1f8b06b82bc>


SIS Handball <= 1.0.45 - Cross-Site Request Forgery

Affected Software: SIS Handball
CVE ID: CVE-2023-41684
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5973afaa-5a64-4db1-8e32-3b39d1367eb8>


Bulk NoIndex & NoFollow Toolkit <= 1.5 - Missing Authorization

Affected Software: Bulk NoIndex & NoFollow Toolkit
CVE ID: CVE-2023-41688
CVSS Score: 4.3 (Medium)
Researcher/s: Skalucy
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5cb79fbc-705a-4fb4-b441-7fe7ab6dea10>


rtMedia for WordPress, BuddyPress and bbPress <= 4.6.14 - Missing Authorization to Settings Update

Affected Software: rtMedia for WordPress, BuddyPress and bbPress
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5dfc145e-d2d4-4137-a5c6-dec2ebb41876>


WP-dTree <= 4.4.5 - Cross-Site Request Forgery

Affected Software: WP-dTree
CVE ID: CVE-2023-41667
CVSS Score: 4.3 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/61808624-b2c7-4e86-b5a1-56f32fca9eaa>


Realbig <= 1.0.2 - Cross-Site Request Forgery

Affected Software: Realbig For WordPress
CVE ID: CVE-2023-41694
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/70ae0f3e-75a8-41c7-91c0-52d672809835>


Order Delivery Date for WP e-Commerce <= 1.2 - Cross-Site Request Forgery

Affected Software: Order Delivery Date for WP e-Commerce
CVE ID: CVE-2023-41858
CVSS Score: 4.3 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/74a74817-30ff-42ec-9bd4-7d0638d6643c>


Click To Tweet <= 2.0.14 - Missing Authorization

Affected Software: Click To Tweet
CVE ID: CVE-2023-41857
CVSS Score: 4.3 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7f765327-3872-46cc-a4f9-40219bf0dd99>


Outbound Link Manager <= 1.2 - Cross-Site Request Forgery

Affected Software: Outbound Link Manager
CVE ID: CVE-2023-41850
CVSS Score: 4.3 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/8dfc0d5e-bdc4-4f71-8aa3-0a4fbd7ef37d>


Analytify Dashboard <= 5.1.0 - Missing Authorization to Opt-In

Affected Software: Analytify – Google Analytics Dashboard For WordPress (GA4 made easy)
CVE ID: CVE-2023-41695
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/970b3a0f-c1cc-4d85-8271-a523ccdbcc39>


AWP Classifieds <= 4.3 - Cross-Site Request Forgery

Affected Software: WordPress Classifieds Plugin – Ad Directory & Listings by AWP Classifieds
CVE ID: CVE-2023-41801
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b06a1b66-9057-4f16-878c-4fa66489f0ff>


Use Memcached <= 1.0.5 - Cross-Site Request Forgery

Affected Software: Use Memcached
CVE ID: CVE-2023-41670
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b63f4de2-32e1-4c5e-a64d-fb66d2e2b3a8>


WP Custom Post Template <= 1.0 - Cross-Site Request Forgery

Affected Software: WP Custom Post Template
CVE ID: CVE-2023-41851
CVSS Score: 4.3 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b796b514-b6ca-4a22-9340-df02fec97075>


Laposta Signup Basic <= 1.4.1 - Missing Authorization

Affected Software: Laposta Signup Basic
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b7e417c2-bf9c-4c88-be2b-9c2324897b07>


WP Accessibility Helper (WAH) <= 0.6.2.4 - Missing Authorization via AJAX action

Affected Software: WP Accessibility Helper (WAH)
CVE ID: CVE-2023-41869
CVSS Score: 4.3 (Medium)
Researcher/s: thiennv
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b97b84a8-cf4e-4648-8d58-b81a71b7988c>


Hide admin notices – Admin Notification Center <= 2.3.2 - Cross-Site Request Forgery

Affected Software: Hide admin notices – Admin Notification Center
CVE ID: CVE-2023-41672
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b98c5623-15fe-4937-9a0e-770aa0ab06f3>


WP iCal Availability <= 1.0.3 - Cross-Site Request Forgery

Affected Software: WP iCal Availability
CVE ID: CVE-2023-41853
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/bc3f1d4e-84f7-4878-8b06-10444caa7dcf>


Super Socializer <= 7.13.54 - Cross-Site Request Forgery

Affected Software: Social Share, Social Login and Social Comments Plugin – Super Socializer
CVE ID: CVE-2023-41802
CVSS Score: 4.3 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/bc6cfad1-d23a-4a96-9d6c-841b6d795a01>


rtMedia for WordPress, BuddyPress and bbPress <= 4.6.14 - Missing Authorization to Sensitive Information Exposure

Affected Software: rtMedia for WordPress, BuddyPress and bbPress
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/be837a77-9b25-43af-aaba-94a8aa59e7e3>


SAML SP Single Sign On <= 5.0.4 - Missing Authorization to notice dismissal

Affected Software: SAML Single Sign On – SSO Login Standard
CVE ID: CVE-2023-41873
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c3114906-fac1-42b9-9ba1-0a5d44c2fb3a>


WP Crowdfunding <= 2.1.4 - Missing Authorization via settings_reset

Affected Software: WP Crowdfunding
CVE ID: CVE-2023-41870
CVSS Score: 4.3 (Medium)
Researcher/s: Elliot
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/cddf4aa1-5c7d-4aa1-9384-1c352f0c6da9>


Laposta Signup Basic <= 1.4.1 - Cross-Site Request Forgery

Affected Software: Laposta Signup Basic
CVE ID: CVE-2023-41950
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d1ba4b18-ff46-45ef-b7d4-0a314cf2d74c>


Duplicate Post Page Menu & Custom Post Type <= 2.3.1 - Missing Authorization to Post Duplication

Affected Software: Duplicate Post Page Menu & Custom Post Type
CVE ID: CVE-2023-4792
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d6bb08e8-9ef5-41db-a111-c377a5dfae77>


ProfilePress <= 4.13.1 - Cross-Site Request Forgery via 'admin_notice'

Affected Software: Paid Membership Plugin, Ecommerce, Registration Form, Login Form, User Profile & Restrict Content – ProfilePress
CVE ID: CVE-2023-41953
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e103f59a-00fa-4d4c-b4fc-834754886d49>


WP Crowdfunding <= 2.1.5 - Cross-Site Request Forgery

Affected Software: WP Crowdfunding
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e4dc8f18-d990-4e41-8bf8-dfa9de4c0f6e>


MyCryptoCheckout <= 2.125 - Cross-Site Request Forgery

Affected Software: MyCryptoCheckout – Bitcoin, Ethereum, and 100+ altcoins for WooCommerce
CVE ID: CVE-2023-41693
CVSS Score: 4.3 (Medium)
Researcher/s: qilin_99
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e5575725-99ba-4499-93e5-f7648c82ac52>


Starter Templates <= 3.2.5 - Incorrect Authorization

Affected Software/s: Starter Templates — Elementor, WordPress & Beaver Builder Templates, Premium Starter Templates
CVE ID: CVE-2023-41805
CVSS Score: 4.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ebd78e52-f20d-42be-8f68-3d09d5abf837>


Easy Form by AYS <= 1.3.8 - Cross-Site Request Forgery

Affected Software: Easy Form by AYS
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ee595f48-b72f-4569-a248-7dbd0b9152ae>


MailMunch – Grow your Email List <= 3.1.2 - Cross-Site Request Forgery

Affected Software: MailMunch – Grow your Email List
CVE ID: CVE-2023-41852
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f6409626-c8cb-412c-aff3-cbb2da212e5d>


Slider Pro <= 4.8.6 - Missing Authorization via AJAX actions

Affected Software: Slider Pro
CVE ID: CVE-2023-41865
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f813cb1a-5922-48a5-a026-66ec9aaac294>


SendPress Newsletters <= 1.22.3.31 - Cross-Site Request Forgery

Affected Software: SendPress Newsletters
CVE ID: CVE-2023-41730
CVSS Score: 4.3 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/fb70339c-0f1a-4acc-af7a-8a0320fdfe71>


Directorist <= 7.7.1 - CSV Injection

Affected Software: Directorist – WordPress Business Directory Plugin with Classified Ads Listings
CVE ID: CVE-2023-41798
CVSS Score: 3.8 (Low)
Researcher/s: Rafshanzani Suhada
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ab233ceb-270c-4694-9cf9-2de8ddfcbbfd>


Modula <= 2.7.4 - Incomplete Authorization via 'save_image' and 'save_images'

Affected Software: Customizable WordPress Gallery Plugin – Modula Image Gallery
CVE ID: CVE Unknown
CVSS Score: 2.2 (Low)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f029bd86-d979-45d1-97fe-75c43fb71148>


As a reminder, Wordfence curates an industry-leading vulnerability database, Wordfence Intelligence, covering all known WordPress core, theme, and plugin vulnerabilities.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, through vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring various sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (September 4, 2023 to September 10, 2023) appeared first on Wordfence.
