Chloe ChamberlandWORDFENCE:4269AA06A62C02BCC9CAD72DF95DDB82Wordfence Intelligence Weekly WordPress Vulnerability Report (July 10, 2023 to July 16, 2023)
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.001 Low
EPSS
Percentile
37.1%
Note: We accidentally sent out an email for this report with last weeks subject line. Due to the subject line not being very different week to week for this report, we opted to just leave it as is and not send a follow-up email. We apologize for this error on our part!
Last week, there were 69 vulnerabilities disclosed in 68 WordPress Plugins and 1 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 29 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface and vulnerability API are completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.
_Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published. _
New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
- WAF-RULE-618 - Information redacted while we work with the developer to ensure this gets patched.
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.
Total Unpatched & Patched Vulnerabilities Last Week
| Patch Status | Number of Vulnerabilities |
|---|---|
| Unpatched | 16 |
| Patched | 53 |
Total Vulnerabilities by CVSS Severity Last Week
| Severity Rating | Number of Vulnerabilities |
|---|---|
| Low Severity | 0 |
| Medium Severity | 52 |
| High Severity | 17 |
| Critical Severity | 0 |
Total Vulnerabilities by CWE Type Last Week
| Vulnerability Type by CWE | Number of Vulnerabilities |
|---|---|
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 25 |
| Cross-Site Request Forgery (CSRF) | 14 |
| Missing Authorization | 14 |
| Server-Side Request Forgery (SSRF) | 3 |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 3 |
| Information Exposure | 3 |
| Authorization Bypass Through User-Controlled Key | 2 |
| Unprotected Storage of Credentials | 1 |
| Incorrect Authorization | 1 |
| Use of Less Trusted Source | 1 |
| URL Redirection to Untrusted Site ('Open Redirect') | 1 |
| Incorrect Privilege Assignment | 1 |
Researchers That Contributed to WordPress Security Last Week
| Researcher Name | Number of Vulnerabilities |
|---|---|
| Rafie Muhammad | 8 |
| Mika | 6 |
| Lana Codes | |
| (Wordfence Vulnerability Researcher) | 5 |
| LEE SE HYOUNG | 3 |
| Erwan LR | 3 |
| Phd | 3 |
| Alex Thomas | |
| (Wordfence Vulnerability Researcher) | 3 |
| Abdi Pranata | 3 |
| Yuki Haruma | 2 |
| emad | 2 |
| Nguyen Xuan Chien | 2 |
| Le Hong Minh | 2 |
| Dave Jong | 2 |
| Andreas Damen | 1 |
| yuyudhn | 1 |
| Fariq Fadillah Gusti Insani | 1 |
| Nithissh S | 1 |
| Ullash Raj | 1 |
| Emili Castells | 1 |
| Rafshanzani Suhada | 1 |
| Bob Matyas | 1 |
| Ravi Dharmawan | 1 |
| Paul Goodchild | 1 |
| Skalucy | 1 |
| Cat | 1 |
| WPScanTeam | 1 |
| Kindaichi Hiro | 1 |
| Shreya Pohekar | 1 |
| Rio Darmawan | 1 |
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
|---|---|
| ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup | armember-membership |
| All-In-One Security (AIOS) – Security and Firewall | all-in-one-wp-security-and-firewall |
| Art Direction | art-direction |
| Authors List | authors-list |
| BookingPress – Appointment Booking Calendar Plugin and Online Scheduling Plugin | bookingpress-appointment-booking |
| BuddyPress Builder for Elementor – BuddyBuilder | stax-buddy-builder |
| Buy Me a Coffee – Button and Widget Plugin | buymeacoffee |
| Checkout with Zelle on Woocommerce | wc-zelle |
| Coming Soon Chop Chop | cc-coming-soon |
| Contact Form Plugin – Fastest Contact Form Builder Plugin for WordPress by Fluent Forms | fluentform |
| Custom Field For WP Job Manager | custom-field-for-wp-job-manager |
| Custom Fields for WooCommerce | addify-custom-fields-for-woocommerce |
| Custom Registration Forms Builder for WooCommerce | addify-custom-registration-forms-builder |
| DirectoryPress – Business Directory And Classified Ad Listing | directorypress |
| Dovetail | dovetail |
| Drag & Drop Sales Funnel Builder for WordPress – WPFunnels | wpfunnels |
| Export and Import Users and Customers | users-customers-import-export-for-wp-woocommerce |
| Falang multilanguage for WordPress | falang |
| Forminator – Contact Form, Payment Form & Custom Form Builder | forminator |
| Grid Kit Premium | grid-kit-premium |
| HTTP Headers | http-headers |
| IP2Location Country Blocker | ip2location-country-blocker |
| Image Watermark for WooCommerce | addify-image-watermark-for-woocommerce |
| Integrate Google Drive – Browse, Upload, Download, Embed, Play, Share, Gallery, and Manage Your Google Drive Files Into Your WordPress Site | integrate-google-drive |
| Integration for Contact Form 7 and Salesforce | cf7-salesforce |
| JetFormBuilder — Dynamic Blocks Form Builder | jetformbuilder |
| KB Support – WordPress Help Desk | kb-support |
| MF Gig Calendar | mf-gig-calendar |
| Mail Control – Email Customizer, SMTP Deliverability, logging, open and click Tracking | mail-control |
| MailArchiver | mailarchiver |
| Media Library Assistant | media-library-assistant |
| OptiMonk: Popups, Personalization & A/B Testing | exit-intent-popups-by-optimonk |
| POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress | post-smtp |
| Premium Addons Pro for Elementor | premium-addons-pro |
| Price Calculator for WooCommerce | addify-price-calculator-for-woocommerce |
| Product Dynamic Pricing and Discounts for WooCommerce | addify-product-dynamic-pricing-and-discounts |
| Radio Forge Muses Player with Skins | radio-forge |
| Replace Word | replace-word |
| School Management System – WPSchoolPress | wpschoolpress |
| Short URL | shorten-url |
| Shortcode IMDB | shortcode-imdb |
| Social Media Icons Widget | spoontalk-social-media-icons-widget |
| Social Share, Social Login and Social Comments Plugin – Super Socializer | super-socializer |
| Spectra – WordPress Gutenberg Blocks | ultimate-addons-for-gutenberg |
| Terms descriptions | terms-descriptions |
| Twittee Text Tweet | twittee-text-tweet |
| User Activity Log | user-activity-log |
| Variation Images Gallery for WooCommerce | woo-product-variation-gallery |
| Variation Swatches for WooCommerce | woo-product-variation-swatches |
| WP Default Feature Image | wp-default-feature-image |
| WP Social AutoConnect | wp-fb-autoconnect |
| WP Testimonials | testimonial-widgets |
| WPAdmin AWS CDN | aws-cdn-by-wpadmin |
| WooCommerce Abandoned Cart Recovery | addify-abandoned-cart-recovery |
| WooCommerce Advanced Free Gifts | addify-free-gifts-woocommerce |
| WooCommerce Checkout Field Manager | addify-checkout-fields-manager |
| WooCommerce Custom Order Number | addify-custom-order-number |
| WooCommerce Gift Registry | addify-gift-registry-for-woocommerce |
| WooCommerce GoCardless Gateway | woocommerce-gateway-gocardless |
| WooCommerce Order Approval | addify-order-approval-woocommerce |
| WooCommerce Order Tracking | addify-order-tracking-for-woocommerce |
| WooCommerce Pre-Orders | woocommerce-pre-orders |
| WooCommerce Product Labels and Stickets | addify-product-labels-and-stickers |
| WooCommerce Product Stock Alert | woocommerce-product-stock-alert |
| WooCommerce Ship to Multiple Addresses | woocommerce-shipping-multiple-addresses |
| WooCommerce Warranty Requests | woocommerce-warranty |
| Zippy | zippy |
| cartflows-pro | cartflows-pro |
WordPress Themes with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
|---|---|
| RealHomes | realhomes |
Vulnerability Details
Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities.
JetFormBuilder <= 3.0.8 - Authenticated (Author+) Privilege Escalation
Affected Software: JetFormBuilder — Dynamic Blocks Form Builder CVE ID: CVE-2023-37866 CVSS Score: 8.8 (High) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e9d58191-769c-4632-a086-4dbce9bfb6ad>
Spectra <= 2.6.6 - Authenticated (Contributor+) Server-Side Request Forgery in import_wpforms
Affected Software: Spectra – WordPress Gutenberg Blocks CVE ID: CVE-2023-36679 CVSS Score: 8.5 (High) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5886128e-e72f-4d84-8c17-1ed4a0fcc17e>
User Activity Log <= 1.6.2 - Unauthenticated SQL Injection via username
Affected Software: User Activity Log CVE ID: CVE Unknown CVSS Score: 8.1 (High) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/8483196e-f476-41e5-a988-bcd8a9952a64>
Checkout with Zelle on Woocommerce <= 3.1 - Missing Authorization
Affected Software: Checkout with Zelle on Woocommerce CVE ID: CVE-2023-37969 CVSS Score: 7.3 (High) Researcher/s: Mika Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/2ad5544a-6694-41e4-940f-fa96daf4b41d>
Integrate Google Drive <= 1.1.99 - Missing Authorization via REST API Endpoints
Affected Software: Integrate Google Drive – Browse, Upload, Download, Embed, Play, Share, Gallery, and Manage Your Google Drive Files Into Your WordPress Site CVE ID: CVE-2023-32117 CVSS Score: 7.3 (High) Researcher/s: Abdi Pranata Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6fe8b2c8-3bb1-463a-a64c-15d7bcc29985>
Buy Me a Coffee – Button and Widget Plugin <= 3.7 - Missing Authorization
Affected Software: Buy Me a Coffee – Button and Widget Plugin CVE ID: CVE-2023-2078 CVSS Score: 7.3 (High) Researcher/s: Lana Codes Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c1c218c6-1599-4dc9-846f-e0ef74821488>
RealHomes <= 4.0.2 - Missing Authorization
Affected Software: RealHomes CVE ID: CVE-2023-37885 CVSS Score: 7.3 (High) Researcher/s: Dave Jong Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d918b6ae-a72c-48dc-885b-19be49d578dc>
DirectoryPress <= 3.6.2 - Missing Authorization
Affected Software: DirectoryPress – Business Directory And Classified Ad Listing CVE ID: CVE-2023-37967 CVSS Score: 7.3 (High) Researcher/s: Abdi Pranata Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f75f83bf-3c86-44e9-b535-cd721061ee93>
Export and Import Users and Customers <= 2.4.1 - Missing Authorization to Authenticated (Shop Manager) Arbitrary User Password Change
Affected Software: Export and Import Users and Customers CVE ID: CVE-2023-3459 CVSS Score: 7.2 (High) Researcher/s: Lana Codes Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/47337214-9cc3-4b12-bb71-9acbab3649b7>
User Activity Log <= 1.6.2 - Authenticated (Administrator+) SQL Injection
Affected Software: User Activity Log CVE ID: CVE-2023-37966 CVSS Score: 7.2 (High) Researcher/s: LEE SE HYOUNG Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/64be6e85-00c9-49f5-9ee2-08dbe434a848>
Post SMTP <= 2.5.7 - Unauthenticated Stored Cross-Site Scripting via Email
Affected Software: POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress CVE ID: CVE-2023-3082 CVSS Score: 7.2 (High) Researcher/s: Alex Thomas Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6ecd0fa6-4fdb-4780-9560-0bb126800685>
Mail Control <= 0.2.8 - Unauthenticated Stored Cross-Site Scripting via Email Subject
Affected Software: Mail Control – Email Customizer, SMTP Deliverability, logging, open and click Tracking CVE ID: CVE-2023-3158 CVSS Score: 7.2 (High) Researcher/s: Alex Thomas Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/77537eb8-1c84-4702-aba1-727b0de1c3e1>
FluentForm <= 4.3.25 - Authenticated (Administrator+) SQL Injection
Affected Software: Contact Form Plugin – Fastest Contact Form Builder Plugin for WordPress by Fluent Forms CVE ID: CVE-2023-24410 CVSS Score: 7.2 (High) Researcher/s: Ravi Dharmawan Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/954e7509-3ebf-429a-8c65-9825ea190d53>
Radio Forge Muses Player with Skins <= 2.5 - Reflected Cross-Site Scripting
Affected Software: Radio Forge Muses Player with Skins CVE ID: CVE-2023-37976 CVSS Score: 7.2 (High) Researcher/s: Le Hong Minh Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ad20ddd2-33d0-4d49-bca0-ea2a829da6c8>
MailArchiver <= 2.10.1 - Unauthenticated Stored Cross-Site Scripting via Email Subject
Affected Software: MailArchiver CVE ID: CVE-2023-3136 CVSS Score: 7.2 (High) Researcher/s: Alex Thomas Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ce330cae-c2f8-42f3-822b-ca24bf46e433>
Buy Me a Coffee – Button and Widget Plugin <= 3.7 - Cross-Site Request Forgery
Affected Software: Buy Me a Coffee – Button and Widget Plugin CVE ID: CVE-2023-2079 CVSS Score: 7.1 (High) Researcher/s: Lana Codes Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6309258e-e4fc-4edf-a771-2d82a9a85a5c>
Integration for Contact Form 7 and Salesforce <= 1.3.3 - Open Redirect
Affected Software: Integration for Contact Form 7 and Salesforce CVE ID: CVE-2023-37982 CVSS Score: 7.1 (High) Researcher/s: Le Hong Minh Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e64a688c-c150-4b10-81ef-bbe7f6dd1b8e>
Zippy <= 1.6.2 - Missing Authorization via adminInit
Affected Software: Zippy CVE ID: CVE-2023-34381 CVSS Score: 6.5 (Medium) Researcher/s: Emili Castells Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6ffb078c-2a92-4682-aaa9-c519e28e7e18>
Download IP2Location Country Blocker <= 2.29.1 - Bypass via IP Spoofing
Affected Software: IP2Location Country Blocker CVE ID: CVE-2023-37865 CVSS Score: 6.5 (Medium) Researcher/s: Mika Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/814fd060-8781-46ad-86e6-e2b75a7fffc0>
WooCommerce GoCardless Gateway <= 2.5.6 - Unauthenticated Insecure Direct Object Reference
Affected Software: WooCommerce GoCardless Gateway CVE ID: CVE-2023-37871 CVSS Score: 6.5 (Medium) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/aa174135-d7aa-44f1-8924-44313fc70a75>
Art Direction <= 0.2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: Art Direction CVE ID: CVE-2023-37983 CVSS Score: 6.4 (Medium) Researcher/s: Yuki Haruma Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/31a145d5-3c0c-436f-a1ee-afff14ef2140>
Super Socializer <= 7.13.53 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Affected Software: Social Share, Social Login and Social Comments Plugin – Super Socializer CVE ID: CVE Unknown CVSS Score: 6.4 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/755454cc-b1a8-4a38-9e73-c47a6ef562a2>
MF Gig Calendar <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via event_title and event_time
Affected Software: MF Gig Calendar CVE ID: CVE-2023-37970 CVSS Score: 6.4 (Medium) Researcher/s: Abdi Pranata Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/93029d39-adaa-4cf6-9081-28c9e84ec2e5>
Spectra <= 2.6.6 - Authenticated (Contributor+) Server-Side Request Forgery in template_importer
Affected Software: Spectra – WordPress Gutenberg Blocks CVE ID: CVE Unknown CVSS Score: 6.4 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b139260b-7741-4e35-b23f-896f23719739>
Buy Me a Coffee – Button and Widget Plugin <= 3.6 - Authenticated (Subscriber+) Stored Cross-Site Scripting
Affected Software: Buy Me a Coffee – Button and Widget Plugin CVE ID: CVE-2023-2082 CVSS Score: 6.4 (Medium) Researcher/s: Lana Codes Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ed9f8948-085b-4ac5-befd-c70085aa23cd>
WooCommerce Warranty Requests <= 2.1.9 - Missing Authorization
Affected Software: WooCommerce Warranty Requests CVE ID: CVE-2023-37870 CVSS Score: 6.3 (Medium) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/59b09f36-79e8-4f14-b970-a7994d193782>
WooCommerce Ship to Multiple Addresses <= 3.8.5 - Missing Authorization
Affected Software: WooCommerce Ship to Multiple Addresses CVE ID: CVE-2023-37872 CVSS Score: 6.3 (Medium) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/8b32c517-ef6b-4cc9-8316-6289676d8222>
RealHomes <= 4.0.2 - Missing Authorization
Affected Software: RealHomes CVE ID: CVE-2023-37886 CVSS Score: 6.3 (Medium) Researcher/s: Dave Jong Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d3ee6004-03d1-4216-b22e-0aadc1f4d9de>
Forminator <= 1.24.1 - Reflected Cross-Site Scripting
Affected Software: Forminator – Contact Form, Payment Form & Custom Form Builder CVE ID: CVE-2023-3134 CVSS Score: 6.1 (Medium) Researcher/s: Andreas Damen Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/00272fe2-52aa-4183-8b57-6b51ad57c657>
Shortcode IMDB <= 6.0.8 - Cross-Site Request Forgery
Affected Software: Shortcode IMDB CVE ID: CVE-2023-37892 CVSS Score: 6.1 (Medium) Researcher/s: yuyudhn Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/088e0d77-06bf-4420-88fb-2c6f8051ece5>
Authors List <= 2.0.2 - Reflected Cross-Site Scripting via al_id
Affected Software: Authors List CVE ID: CVE-2023-37981 CVSS Score: 6.1 (Medium) Researcher/s: LEE SE HYOUNG Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/09f590ad-c99a-4577-a709-98c88d3acc87>
Grid Kit Premium < 2.2.0 - Reflected Cross-Site Scripting
Affected Software: Grid Kit Premium CVE ID: CVE-2023-3292 CVSS Score: 6.1 (Medium) Researcher/s: Erwan LR Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5b3029c6-3a0f-4c83-8faf-f74d03852278>
WPFunnels <= 2.7.16 - Reflected Cross-Site Scripting
Affected Software: Drag & Drop Sales Funnel Builder for WordPress – WPFunnels CVE ID: CVE-2023-37977 CVSS Score: 6.1 (Medium) Researcher/s: LEE SE HYOUNG Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5c1464ab-217e-4c66-94f8-49376755dba7>
Media Library Assistant <= 3.07 - Reflected Cross-Site Scripting
Affected Software: Media Library Assistant CVE ID: CVE-2023-34010 CVSS Score: 6.1 (Medium) Researcher/s: Phd Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/639009f6-9877-45a9-b9f3-7256bc6f3360>
Variation Swatches for WooCommerce <= 2.3.7 - Reflected Cross-Site Scripting
Affected Software: Variation Swatches for WooCommerce CVE ID: CVE-2023-37975 CVSS Score: 6.1 (Medium) Researcher/s: Phd Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/72a0df23-38cd-4926-9099-8eb652e05a15>
CartFlows Pro <= 1.11.11 - Reflected Cross-Site Scripting
Affected Software: cartflows-pro CVE ID: CVE-2023-36686 CVSS Score: 6.1 (Medium) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/85ba90ae-8144-42f0-90db-e7f2638fec47>
Coming Soon Chop Chop <= 2.2.4 - Reflected Cross-Site Scripting
Affected Software: Coming Soon Chop Chop CVE ID: CVE-2023-37893 CVSS Score: 6.1 (Medium) Researcher/s: Phd Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/8ae4ffe1-ecb6-4bde-8ac4-baeea82a0299>
Variation Images Gallery for WooCommerce <= 2.3.3 - Reflected Cross-Site Scripting via style
Affected Software: Variation Images Gallery for WooCommerce CVE ID: CVE-2023-37894 CVSS Score: 6.1 (Medium) Researcher/s: Nguyen Xuan Chien Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/aaf7107c-1e9f-4020-aed3-a6a687a0cf6c>
Terms Descriptions <= 3.4.4 - Reflected Cross-Site Scripting via term_search
Affected Software: Terms descriptions CVE ID: CVE-2023-28779 CVSS Score: 6.1 (Medium) Researcher/s: Kindaichi Hiro Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d6a44d36-43e6-4785-b2bc-0b4b98d847e7>
Twittee Text Tweet <= 1.0.8 - Reflected Cross-Site Scripting
Affected Software: Twittee Text Tweet CVE ID: CVE-2023-0602 CVSS Score: 6.1 (Medium) Researcher/s: Shreya Pohekar Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e16d8d28-e1e5-46ab-a64c-1da07747559e>
All In One WP Security 5.1.9 - Plaintext Storage of Credentials
Affected Software: All-In-One Security (AIOS) – Security and Firewall CVE ID: CVE Unknown CVSS Score: 5.9 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/02066dcd-1f2f-4ed3-b1f4-7ea8711918e8>
HTTP Headers <= 1.18.11 - Server-Side Request Forgery
Affected Software: HTTP Headers CVE ID: CVE-2023-37978 CVSS Score: 5.5 (Medium) Researcher/s: emad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/69971673-e317-452c-8c54-97de006a214f>
WooCommerce Product Stock Alert <= 2.0.1 - Missing Authorization via API
Affected Software: WooCommerce Product Stock Alert CVE ID: CVE-2023-37971 CVSS Score: 5.4 (Medium) Researcher/s: Mika Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/09bdfade-85d0-4922-a83a-3e213adfa4ed>
WPSchoolPress <= 2.2.3 - Missing Authorization
Affected Software: School Management System – WPSchoolPress CVE ID: CVE-2023-37887 CVSS Score: 5.4 (Medium) Researcher/s: Fariq Fadillah Gusti Insani Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/1410d37a-fa8d-41e1-bed7-1c1436b52a83>
WPFunnels <= 2.7.15 - Insecure Direct Object Reference
Affected Software: Drag & Drop Sales Funnel Builder for WordPress – WPFunnels CVE ID: CVE Unknown CVSS Score: 5.4 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/50b26952-bf59-4236-93b4-6b4928609c15>
KB Support <= 1.5.88 - Missing Authorization to Sensitive Data Exposure
Affected Software: KB Support – WordPress Help Desk CVE ID: CVE-2023-37890 CVSS Score: 5.4 (Medium) Researcher/s: Rafshanzani Suhada Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7b24fe1d-1b21-4f8f-b66e-6df3bfc0e180>
Falang multilanguage <= 1.3.39 - Cross-Site Request Forgery via add_language
Affected Software: Falang multilanguage for WordPress CVE ID: CVE-2023-37968 CVSS Score: 5.4 (Medium) Researcher/s: Skalucy Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ac10b30d-1fe3-46f4-a4fc-fa2acd7f9db4>
Premium Addons PRO <= 2.9.0 - Missing Authorization
Affected Software: Premium Addons Pro for Elementor CVE ID: CVE-2023-37869 CVSS Score: 5.4 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/df6e5aee-e79d-4c3f-a0c4-47436ae7c1da>
WP-FB-AutoConnect <= 4.6.1 - Cross-Site Request Forgery via jfb_admin_page
Affected Software: WP Social AutoConnect CVE ID: CVE-2023-37974 CVSS Score: 5.4 (Medium) Researcher/s: Nguyen Xuan Chien Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/eab1fe39-dda2-49c9-9c76-c1127626a85c>
WooCommerce Product Stock Alert <= 2.0.1 - Information Disclosure
Affected Software: WooCommerce Product Stock Alert CVE ID: CVE-2023-37972 CVSS Score: 5.3 (Medium) Researcher/s: Mika Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/91e1a199-f062-4555-ae7b-ed8732686303>
BookingPress <= 1.0.64 - Unauthenticated Sensitive Information Exposure
Affected Software: BookingPress – Appointment Booking Calendar Plugin and Online Scheduling Plugin CVE ID: CVE-2023-36507 CVSS Score: 5.3 (Medium) Researcher/s: Paul Goodchild Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a720ad0e-6194-4df4-951e-e818518e79b5>
Premium Addons PRO <= 2.9.0 - Sensitive Information Exposure
Affected Software: Premium Addons Pro for Elementor CVE ID: CVE-2023-37868 CVSS Score: 5.3 (Medium) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f1fa1999-685c-4b68-927d-617abf9143d7>
WP Default Feature Image <= 1.0.1.1 - Authenticated (Administrator+) Stored Cross-Site Scripting
Affected Software: WP Default Feature Image CVE ID: CVE-2023-25488 CVSS Score: 4.4 (Medium) Researcher/s: Nithissh S Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/380024dc-ed2a-4a7b-b5f8-47879ad2d659>
Dovetail <= 1.2.13 - Authenticated (Administrator+) Stored Cross-Site Scripting
Affected Software: Dovetail CVE ID: CVE-2023-25984 CVSS Score: 4.4 (Medium) Researcher/s: Ullash Raj Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/52983bf6-908a-4287-b89e-cd09b4c48efe>
Short URL <= 1.6.4 - Authenticated(Admin+) Stored Cross-Site Scripting
Affected Software: Short URL CVE ID: CVE-2023-3130 CVSS Score: 4.4 (Medium) Researcher/s: Bob Matyas Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/814fcd67-9788-4392-8910-7a2bc8782fd8>
WooCommerce Ship to Multiple Addresses <= 3.8.5 - Reflected Cross-Site Scripting
Affected Software: WooCommerce Ship to Multiple Addresses CVE ID: CVE-2023-37873 CVSS Score: 4.4 (Medium) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b0ac43ba-cc49-4688-9efa-585551f3c40c>
Custom Field For WP Job Manager <= 1.1 - Authenticated (Administrator+) Stored Cross-Site Scripting
Affected Software: Custom Field For WP Job Manager CVE ID: CVE-2023-37980 CVSS Score: 4.4 (Medium) Researcher/s: Rio Darmawan Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e651766b-705d-415d-90bc-8b4f4418222c>
HTTP Headers <= 1.18.11 - Authenticated (Administrator+) Stored Cross-Site Scripting
Affected Software: HTTP Headers CVE ID: CVE-2023-37874 CVSS Score: 4.4 (Medium) Researcher/s: emad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/fed4dd54-7a7e-483b-a623-3cf3392572b8>
WooCommerce Pre-Orders <= 2.0.2 - Cross-Site Request Forgery to Order Cancellation
Affected Software: WooCommerce Pre-Orders CVE ID: CVE-2023-3507 CVSS Score: 4.3 (Medium) Researcher/s: Erwan LR Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/14e6e06c-edc0-44ef-ba07-50fcfc4fd7b1>
BuddyBuilder - BuddyPress Builder for Elementor <= 1.7.3 - Cross-Site Request Forgery
Affected Software: BuddyPress Builder for Elementor – BuddyBuilder CVE ID: CVE Unknown CVSS Score: 4.3 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/23924342-3b1d-4360-bd87-104091283e35>
WP Testimonials <= 1.4.2 - Cross-Site Request Forgery to Widget Deletion
Affected Software: WP Testimonials CVE ID: CVE Unknown CVSS Score: 4.3 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/3ff59aa5-a2f2-4fe1-a0b6-d9b07b0fdb1a>
KB Support <= 1.5.88 - Missing Authorization to Authenticated (Subscriber+) User Data Retrieval
Affected Software: KB Support – WordPress Help Desk CVE ID: CVE Unknown CVSS Score: 4.3 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/55bb3620-c182-46c4-bc22-8526cf410cdb>
Replace Word <= 2.1 - Cross-Site Request Forgery
Affected Software: Replace Word CVE ID: CVE-2023-37973 CVSS Score: 4.3 (Medium) Researcher/s: Yuki Haruma Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/75ddf732-ddb2-47ba-884a-477fcc6595b4>
WPAdmin AWS CDN <= 2.0.13 - Cross-Site Request Forgery
Affected Software: WPAdmin AWS CDN CVE ID: CVE-2023-37889 CVSS Score: 4.3 (Medium) Researcher/s: Mika Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7b039c23-51d4-422a-a57b-59abaeca682c>
Social Media Icons Widget <= 1.6 - Cross-Site Request Forgery
Affected Software: Social Media Icons Widget CVE ID: CVE-2023-25036 CVSS Score: 4.3 (Medium) Researcher/s: Mika Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/8bb5abff-d762-459a-b96c-5cbbb9f5a22e>
ARMember <= 4.0.5 - Cross-Site Request Forgery
Affected Software: ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup CVE ID: CVE-2022-47424 CVSS Score: 4.3 (Medium) Researcher/s: Cat Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ae865f91-4c2a-4a6b-84a8-bd45c1febdb1>
Exit Popups & Onsite Retargeting by OptiMonk <= 2.0.4 - Cross-Site Request Forgery
Affected Software: OptiMonk: Popups, Personalization & A/B Testing CVE ID: CVE-2023-37891 CVSS Score: 4.3 (Medium) Researcher/s: Lana Codes Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/bfa8328b-5932-4396-b0ef-e16a7ec3b365>
Multiple Addify Plugins <= (Various Versions) - Cross-Site Request Forgery
Affected Software/s: Custom Registration Forms Builder for WooCommerce, Custom Fields for WooCommerce, WooCommerce Product Labels and Stickets, Product Dynamic Pricing and Discounts for WooCommerce, WooCommerce Abandoned Cart Recovery, WooCommerce Checkout Field Manager, WooCommerce Order Tracking, WooCommerce Advanced Free Gifts, Image Watermark for WooCommerce, WooCommerce Gift Registry, WooCommerce Order Approval, Price Calculator for WooCommerce, WooCommerce Custom Order Number CVE ID: CVE-2022-4888 CVSS Score: 4.3 (Medium) Researcher/s: WPScanTeam Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c8065d25-2ded-4021-a53d-204242db0915>
WooCommerce Pre-Orders <= 2.0.2 - Cross-Site Request Forgery
Affected Software: WooCommerce Pre-Orders CVE ID: CVE-2023-3508 CVSS Score: 4.3 (Medium) Researcher/s: Erwan LR Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d1436ca4-933b-426a-987d-c5cbbc29353b>
As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.
This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
The post Wordfence Intelligence Weekly WordPress Vulnerability Report (July 10, 2023 to July 16, 2023) appeared first on Wordfence.
Related
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.001 Low
EPSS
Percentile
37.1%