Chloe ChamberlandWORDFENCE:573FC9A6646CCAE4578C4E9749DCFCD4Wordfence Intelligence Weekly WordPress Vulnerability Report (January 29, 2024 to February 4, 2024)
Did you know we're running a Bug Bounty Extravaganza again?
Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through February 29th, 2024 when you opt to have Wordfence handle responsible disclosure!
Last week, there were 122 vulnerabilities disclosed in 110 WordPress Plugins and no WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 52 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.
Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 12,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.
_Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published. _
New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
- SlimStat Analytics <= 5.1.3 - Authenticated (Subscriber+) Stored Cross-Site Scripting
- WAF-RULE-670 - data redacted while we work with the developer on a patch.
- WAF-RULE-671 - data redacted while we work with the developer on a patch.
- WAF-RULE-672 - data redacted while we work with the developer on a patch.
- WAF-RULE-674 - data redacted while we work with the developer on a patch.
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.
Total Unpatched & Patched Vulnerabilities Last Week
| Patch Status | Number of Vulnerabilities |
|---|---|
| Unpatched | 32 |
| Patched | 90 |
Total Vulnerabilities by CVSS Severity Last Week
| Severity Rating | Number of Vulnerabilities |
|---|---|
| Low Severity | 1 |
| Medium Severity | 104 |
| High Severity | 12 |
| Critical Severity | 5 |
Total Vulnerabilities by CWE Type Last Week
| Vulnerability Type by CWE | Number of Vulnerabilities |
|---|---|
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 34 |
| Missing Authorization | 29 |
| Cross-Site Request Forgery (CSRF) | 24 |
| Information Exposure | 9 |
| Deserialization of Untrusted Data | 5 |
| Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | 4 |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 3 |
| Improper Authorization | 3 |
| Improper Access Control | 3 |
| Unrestricted Upload of File with Dangerous Type | 2 |
| Authentication Bypass by Spoofing | 1 |
| Improper Input Validation | 1 |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | 1 |
| Server-Side Request Forgery (SSRF) | 1 |
| URL Redirection to Untrusted Site ('Open Redirect') | 1 |
| Client-Side Enforcement of Server-Side Security | 1 |
Researchers That Contributed to WordPress Security Last Week
| Researcher Name | Number of Vulnerabilities |
|---|---|
| Francesco Carlucci | 12 |
| Yudistira Arya | 8 |
| NgΓ΄ ThiΓͺn An (ancorn_) | 7 |
| Nguyen Xuan Chien | 7 |
| Abdi Pranata | 6 |
| Dmitrii Ignatyev | 5 |
| Mika | 5 |
| Lucio SΓ‘ | 4 |
| Abu Hurayra (HurayraIIT) | 4 |
| emad | 3 |
| Webbernaut | 3 |
| Karl Emil Nikka | 3 |
| Dhabaleshwar Das | 3 |
| Huynh Tien Si | 2 |
| resecured.io | 2 |
| Krzysztof ZajΔ c | 2 |
| Dave Jong | 2 |
| Muhammad Daffa | 2 |
| Akbar Kustirama | 2 |
| Revan Arifio | 1 |
| Joshua Martinelle | 1 |
| Dimas Maulana | 1 |
| IstvΓ‘n MΓ‘rton | |
| (Wordfence Vulnerability Researcher) | 1 |
| Yuhang Liu | 1 |
| Sean Murphy | 1 |
| Le Ngoc Anh | 1 |
| Skalucy | 1 |
| Bob Matyas | 1 |
| Steven Julian | 1 |
| wpdabh | 1 |
| Vulzap | 1 |
| stealthcopter | 1 |
| Nathaniel Oh (0x4n3) | 1 |
| Jeongwoo-Lee(Roronoa) | 1 |
| 0x9567b | 1 |
| Elliot | 1 |
| Friday | 1 |
| isacaya | 1 |
| LVT-tholv2k | 1 |
| thiennv | 1 |
| Joshua Chan | 1 |
| Faizal Abroni | 1 |
| Marc-Alexandre Montpas | 1 |
| Savphill | 1 |
| Sh | 1 |
| Richard Telleng (stueotue) | 1 |
| Debangshu Kundu | 1 |
| Arpeet Rathi | 1 |
| kauenavarro | 1 |
| Daniel Ruf | 1 |
| Rob Stevens | 1 |
| Rafie Muhammad | 1 |
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
|---|---|
| A no-code page builder for beautiful performance-based content | setka-editor |
| ACF Photo Gallery Field | navz-photo-gallery |
| ARMember β Membership Plugin, Content Restriction, Member Levels, User Profile & User signup | armember-membership |
| Accessibility | accessibility |
| Active Products Tables for WooCommerce. Professional products tables for WooCommerce store | profit-products-tables-for-woocommerce |
| Add Customer for WooCommerce | add-customer-for-woocommerce |
| Advanced iFrame | advanced-iframe |
| Affiliates Manager | affiliates-manager |
| Anonymous Restricted Content | anonymous-restricted-content |
| Auto Listings β Car Listings & Car Dealership Plugin for WordPress | auto-listings |
| BEAR β Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net | woo-bulk-editor |
| Beds24 Online Booking | beds24-online-booking |
| Biteship: Plugin Ongkos Kirim Kurir Instant, Reguler, Kargo | biteship |
| BizPrint β Print WooCommerce Order Receipts, Invoices, Labels & More. | print-google-cloud-print-gcp-woocommerce |
| Booking Calendar | Appointment Booking |
| CC BMI Calculator | cc-bmi-calculator |
| CP Media Player β Audio Player and Video Player | audio-and-video-player |
| Calculated Fields Form | calculated-fields-form |
| CalculatorPro Calculators | calculatorpro-calculators |
| Chartify β WordPress Chart Plugin | chart-builder |
| Cincopa video and media plug-in | video-playlist-and-gallery-plugin |
| Click To Tweet | click-to-tweet |
| Cookie Information | Free GDPR Consent Solution |
| Custom Order Numbers for WooCommerce | custom-order-numbers-for-woocommerce |
| Custom Order Status for WooCommerce | custom-order-statuses-woocommerce |
| Database for Contact Form 7, WPforms, Elementor forms | contact-form-entries |
| Debug | debug |
| Don't Muck My Markup | dont-muck-my-markup |
| ERE Recently Viewed β Essential Real Estate Add-On | ere-recently-viewed |
| Easy Digital Downloads β Sell Digital Files (eCommerce Store & Payments Made Easy) | easy-digital-downloads |
| Element Pack Elementor Addons (Header Footer, Free Template Library, Grid, Carousel, Table, Parallax Animation, Register Form, Twitter Grid) | bdthemes-element-pack-lite |
| Email Before Download | email-before-download |
| Essential Addons for Elementor β Best Elementor Templates, Widgets, Kits & WooCommerce Builders | essential-addons-for-elementor-lite |
| Event Manager and Tickets Selling Plugin for WooCommerce β WpEvently β WordPress Plugin | mage-eventpress |
| EventON Pro | eventon |
| EventPrime β Events Calendar, Bookings and Tickets | eventprime-event-calendar-management |
| FG Drupal to WordPress | fg-drupal-to-wp |
| FG Joomla to WordPress | fg-joomla-to-wordpress |
| FG PrestaShop to WooCommerce | fg-prestashop-to-woocommerce |
| Fatal Error Notify | fatal-error-notify |
| Feed Them Social β Page, Post, Video, and Photo Galleries | feed-them-social |
| Five Star Restaurant Reviews | good-reviews-wp |
| Form builder to get in touch with visitors, grow your email list and collect payments β Happyforms | happyforms |
| GDPR Data Request Form | gdpr-data-request-form |
| Happy Addons for Elementor | happy-elementor-addons |
| Heateor Social Login WordPress | heateor-social-login |
| Html5 Video Player | UNKNOWN-CVE-2023-6485-1 |
| Icons Font Loader | icons-font-loader |
| Instant Images β One Click Image Uploads from Unsplash, Openverse, Pixabay and Pexels | instant-images |
| JTRT Responsive Tables | jtrt-responsive-tables |
| JetBackup β WP Backup, Migrate & Restore | backup |
| Kikote β Location Picker at Checkout & Google Address AutoFill Plugin for WooCommerce | map-location-picker-at-checkout-for-woocommerce |
| Knowledge Base for Documentation, FAQs with AI Assistance | echo-knowledge-base |
| LearnDash LMS | sfwd-lms |
| Load More Anything | ajax-load-more-anything |
| MW WP Form | mw-wp-form |
| MapPress Maps for WordPress | mappress-google-maps-for-wordpress |
| Mighty Addons for Elementor | mighty-addons |
| MultiVendorX Marketplace β WooCommerce MultiVendor Marketplace Solution | dc-woocommerce-multi-vendor |
| NEX-Forms β Ultimate Form Builder β Contact forms and much more | nex-forms-express-wp-form-builder |
| Ninja Forms Contact Form β The Drag and Drop Form Builder for WordPress | ninja-forms |
| OWL Carousel β WordPress Owl Carousel Slider | lgx-owl-carousel |
| Orbit Fox by ThemeIsle | themeisle-companion |
| Order Delivery Date for WP e-Commerce | order-delivery-date |
| PDF Flipbook, 3D Flipbook β DearFlip | 3d-flipbook-dflip-lite |
| PT Sign Ups β Beautiful volunteer sign ups and management made easy | ptoffice-sign-ups |
| Page Builder: Pagelayer β Drag and Drop website builder | pagelayer |
| Page Restrict | pagerestrict |
| Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content β ProfilePress | wp-user-avatar |
| Persian Fonts | persian-fonts |
| PilotPress | pilotpress |
| Popup More Popups, Lightboxes, and more popup modules | popup-more |
| PopupAlly | popupally |
| Post Thumbnail Editor | post-thumbnail-editor |
| PowerPack Pro for Elementor | powerpack-elements |
| Premium Addons for Elementor | premium-addons-for-elementor |
| ProductX β WooCommerce Builder & Gutenberg WooCommerce Blocks | product-blocks |
| Professional Social Sharing Buttons, Icons & Related Posts β Shareaholic | shareaholic |
| PropertyHive | propertyhive |
| Quicksand Post Filter jQuery Plugin | quicksand-jquery-post-filter |
| RSS Aggregator by Feedzy β Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator | feedzy-rss-feeds |
| Relevanssi β A Better Search (Pro) | relevanssi-premium |
| Restrict Usernames Emails Characters | restrict-usernames-emails-characters |
| SEO Plugin by Squirrly SEO | squirrly-seo |
| SP Project & Document Manager | sp-client-document-manager |
| Scheduling Plugin β Online Booking for WordPress | calendar-booking |
| Scroll Triggered Box | dreamgrow-scroll-triggered-box |
| SiteOrigin Widgets Bundle | so-widgets-bundle |
| SlimStat Analytics | wp-slimstat |
| Starbox β the Author Box for Humans | starbox |
| Structured Content (JSON-LD) #wpsc | structured-content |
| TablePress β Tables in WordPress made easy | tablepress |
| The Plus Addons for Elementor | the-plus-addons-for-elementor-page-builder |
| Total Upkeep β WordPress Backup Plugin plus Restore & Migrate by BoldGrid | boldgrid-backup |
| Ultra Companion β Companion plugin for WPoperation Themes | ultra-companion |
| User Activity Tracking and Log | user-activity-tracking-and-log |
| UserPro - Community and User Profile WordPress Plugin | userpro |
| W3SPEEDSTER | w3speedster-wp |
| WOLF β WordPress Posts Bulk Editor and Manager Professional | bulk-editor |
| WP Dummy Content Generator | wp-dummy-content-generator |
| WP Hotel Booking | wp-hotel-booking |
| WP STAGING WordPress Backup Plugin β Migration Backup Restore | wp-staging |
| WP Visitor Statistics (Real Time Traffic) | wp-stats-manager |
| WP-CFM | wp-cfm |
| Website Builder by SeedProd β Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode | coming-soon |
| WooCommerce Box Office | woocommerce-box-office |
| WooCommerce Conversion Tracking | woocommerce-conversion-tracking |
| Woostify Sites Library | woostify-sites-library |
| WordPress Review & Structure Data Schema Plugin β Review Schema | review-schema |
| WordPress Toolbar | wordpress-toolbar |
Vulnerability Details
Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you shouldβve already been notified if your site was affected by any of these vulnerabilities. If you'd like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.
Knowledge Base for Documentation, FAQs with AI Assistance <= 11.30.2 - Unauthenticated PHP Object Injection in is_article_recently_viewed
Affected Software: Knowledge Base for Documentation, FAQs with AI Assistance CVE ID: CVE-2024-24842 CVSS Score: 9.8 (Critical) Researcher/s: NgΓ΄ ThiΓͺn An (ancorn_) Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/41cfe1d7-2fab-413c-80e5-40d77133d229>
ProductX β WooCommerce Builder & Gutenberg WooCommerce Blocks <= 3.1.4 - PHP Object Injection via wopb_wishlist and wopb_compare
Affected Software: ProductX β WooCommerce Builder & Gutenberg WooCommerce Blocks CVE ID: CVE-2024-23512 CVSS Score: 9.8 (Critical) Researcher/s: Yudistira Arya Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/470285d6-b309-409c-b2c3-8766a0cf9e98>
ERE Recently Viewed <= 1.3 - Unauthenticated PHP Object Injection
Affected Software: ERE Recently Viewed β Essential Real Estate Add-On CVE ID: CVE-2024-24797 CVSS Score: 9.8 (Critical) Researcher/s: Yudistira Arya Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7332fe2e-9bef-42b7-946e-4a2ee812ca26>
JetBackup <= 2.0.9.7 - Sensitive Information Exposure via Directory Listing
Affected Software: JetBackup β WP Backup, Migrate & Restore CVE ID: CVE-2023-7165 CVSS Score: 9.8 (Critical) Researcher/s: Dmitrii Ignatyev Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/fd978ac0-42f2-4746-9430-37458375b588>
Quicksand Post Filter jQuery Plugin <= 3.1.1 - Missing Authorization via quicksand_admin_ajax
Affected Software: Quicksand Post Filter jQuery Plugin CVE ID: CVE-2024-24850 CVSS Score: 9.1 (Critical) Researcher/s: Mika Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c6f3b765-396f-422f-864d-a48bee8c69cb>
Instant Images <= 6.1.0 - Authenticated (Author+) Arbitrary Options Update
Affected Software: Instant Images β One Click Image Uploads from Unsplash, Openverse, Pixabay and Pexels CVE ID: CVE-2024-0869 CVSS Score: 8.8 (High) Researcher/s: Sean Murphy Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/17941fbb-c5da-4f5c-a617-3792eb4ef395>
Cookie Information | Free GDPR Consent Solution <= 2.0.22 - Authenticated (Subscriber+) Arbitrary Options Update
Affected Software: Cookie Information | Free GDPR Consent Solution CVE ID: CVE-2023-6700 CVSS Score: 8.8 (High) Researcher/s: Lucio SΓ‘ Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/42a4ef37-c842-4925-b06a-3e6423337567>
Event Manager and Tickets Selling Plugin for WooCommerce β WpEvently <= 4.1.1 - Authenticated (Contributor+) PHP Object Injection in mep_event_meta_save
Affected Software: Event Manager and Tickets Selling Plugin for WooCommerce β WpEvently β WordPress Plugin CVE ID: CVE-2024-24796 CVSS Score: 8.8 (High) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/50812a8b-7d49-41fa-ba50-47d07a4b6caa>
SP Project & Document Manager <= 4.69 - Authenticated (Contributor+) SQL Injection via Shortcode
Affected Software: SP Project & Document Manager CVE ID: CVE-2024-24868 CVSS Score: 8.8 (High) Researcher/s: Yudistira Arya Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/fcdeba37-ba65-400d-9c07-36503a03e857>
MultiVendorX Marketplace <= 4.1.2 - Missing Authorization
Affected Software: MultiVendorX Marketplace β WooCommerce MultiVendor Marketplace Solution CVE ID: CVE-2024-24703 CVSS Score: 8.6 (High) Researcher/s: Le Ngoc Anh Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/26e07115-efee-4db5-ba24-25a063286e90>
TablePress <= 2.2.4 - Authenticated(Author+) Server Side Request Forgery(SSRF) via _get_import_files
Affected Software: TablePress β Tables in WordPress made easy CVE ID: CVE-2024-23825 CVSS Score: 8.5 (High) Researcher/s: isacaya Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/8de52b68-c273-4561-98b0-e51afd6cd47b>
Website Builder by SeedProd β Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode <= 6.15.21 - Missing Authorization via seedprod_lite_new_lpage
Affected Software: Website Builder by SeedProd β Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode CVE ID: CVE-2024-1072 CVSS Score: 8.2 (High) Researcher/s: Lucio SΓ‘ Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/78d7920b-3e20-43c7-a522-72bac824c2cb>
Woostify Sites Library
Affected Software: Woostify Sites Library CVE ID: CVE-2023-6279 CVSS Score: 8.1 (High) Researcher/s: Krzysztof ZajΔ c Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/977ab23a-06b2-4f54-a2c2-3be2316eaceb>
PropertyHive <= 2.0.5 - Unauthenticated PHP Object Injection via propertyhive_currency
Affected Software: PropertyHive CVE ID: CVE-2024-23513 CVSS Score: 8.1 (High) Researcher/s: Yudistira Arya Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d8ee82cf-916c-41e9-82d2-f25cc7a632ae>
Total Upkeep <= 1.15.8 - Improper Authorization to Unauthenticated Arbitrary File Download
Affected Software: Total Upkeep β WordPress Backup Plugin plus Restore & Migrate by BoldGrid CVE ID: CVE-2024-24869 CVSS Score: 7.5 (High) Researcher/s: Yudistira Arya Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/159e14fc-0512-421a-8bbe-d16c0b04ddf9>
PowerPack Pro for Elementor <= 2.10.6 - Missing Authorization to Settings Reset
Affected Software: PowerPack Pro for Elementor CVE ID: CVE-2024-24844 CVSS Score: 7.5 (High) Researcher/s: Dave Jong Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/883e1f3c-7e47-4522-ae8c-a9a6b4160be2>
Contact Form Entries <= 1.3.2 - Authenticated (Administrator+) Arbitrary File Upload
Affected Software: Database for Contact Form 7, WPforms, Elementor forms CVE ID: CVE-2024-1069 CVSS Score: 7.2 (High) Researcher/s: IstvΓ‘n MΓ‘rton Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/120313be-9f98-4448-9f5d-a77186a6ff08>
Icons Font Loader <= 1.1.4 - Authenticated(Administrator+) Arbitrary File Upload
Affected Software: Icons Font Loader CVE ID: CVE-2024-24714 CVSS Score: 6.6 (Medium) Researcher/s: Vulzap Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/37426991-7778-4dc4-8cae-2725584fb8b8>
HTML5 Video Player <= 2.5.24 - Unauthenticated SQL Injection via id
Affected Software: Html5 Video Player CVE ID: CVE-2024-1061 CVSS Score: 6.5 (Medium) Researcher/s: Joshua Martinelle Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/0abd2533-5cb3-4568-8ad2-f2852ab3a8db>
Quicksand Post Filter jQuery Plugin <= 3.1.1 - Cross-Site Request Forgery via renderAdmin
Affected Software: Quicksand Post Filter jQuery Plugin CVE ID: CVE-2024-24849 CVSS Score: 6.5 (Medium) Researcher/s: Mika Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/4dd63ea6-7821-42b8-9b52-e721a8b2382d>
Order Delivery Date for WP e-Commerce <= 1.2 - Unauthenticated Stored Cross-Site Scripting
Affected Software: Order Delivery Date for WP e-Commerce CVE ID: CVE-2024-0678 CVSS Score: 6.5 (Medium) Researcher/s: Krzysztof ZajΔ c Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/71fb90b6-a484-4a70-a9dc-795cbf2e275e>
WP Hotel Booking <= 2.0.9.2 - Improper Authorization on Multiple REST API Routes
Affected Software: WP Hotel Booking CVE ID: CVE Unknown CVSS Score: 6.5 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/86f15e94-6ca7-4eb2-8a38-b4add9251dab>
Starbox <= 3.4.8 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Profile Display Name and Social Settings
Affected Software: Starbox β the Author Box for Humans CVE ID: CVE-2024-0256 CVSS Score: 6.4 (Medium) Researcher/s: Lucio SΓ‘ Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/0eafe473-9177-47c4-aa1e-2350cb827447>
Heateor Social Login <= 1.1.30 - Authenticated(Contributor+) Stored Cross-Site Scripting via Shortcode
Affected Software: Heateor Social Login WordPress CVE ID: CVE-2024-24712 CVSS Score: 6.4 (Medium) Researcher/s: NgΓ΄ ThiΓͺn An (ancorn_) Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/1a3ebfba-7523-48a4-a315-4395be2cebef>
Advanced iFrame <= 2023.10 - Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: Advanced iFrame CVE ID: CVE-2023-7069 CVSS Score: 6.4 (Medium) Researcher/s: Webbernaut Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/2e32c51d-2d96-4545-956f-64f65c54b33b>
Five Star Restaurant Reviews <= 2.3.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Review URL
Affected Software: Five Star Restaurant Reviews CVE ID: CVE-2024-24838 CVSS Score: 6.4 (Medium) Researcher/s: Steven Julian Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/2fe44e46-dfbf-4286-889c-606280d62218>
SlimStat Analytics <= 5.1.3 - Authenticated (Subscriber+) Stored Cross-Site Scripting
Affected Software: SlimStat Analytics CVE ID: CVE-2024-1073 CVSS Score: 6.4 (Medium) Researcher/s: Lucio SΓ‘ Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/33cba63c-4629-48fd-850f-f68dad626a67>
Ultra Companion <= 1.1.9 - Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: Ultra Companion β Companion plugin for WPoperation Themes CVE ID: CVE-2024-24803 CVSS Score: 6.4 (Medium) Researcher/s: wpdabh Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/3639d0a6-6d9f-4f3e-bb25-85d4eb40b547>
OWL Carousel <= 1.4.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: OWL Carousel β WordPress Owl Carousel Slider CVE ID: CVE-2024-24801 CVSS Score: 6.4 (Medium) Researcher/s: resecured.io Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/511957c0-e4c3-4a50-b604-3b604d52d32f>
SiteOrigin Widgets Bundle <= 1.58.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: SiteOrigin Widgets Bundle CVE ID: CVE-2024-0961 CVSS Score: 6.4 (Medium) Researcher/s: Webbernaut Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6f7c164f-2f78-4857-94b9-077c2dea13df>
Scheduling Plugin β Online Booking for WordPress <= 3.5.10 - Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: Scheduling Plugin β Online Booking for WordPress CVE ID: CVE-2024-23517 CVSS Score: 6.4 (Medium) Researcher/s: NgΓ΄ ThiΓͺn An (ancorn_) Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/71a0aa95-f2a9-4537-a8d1-d78336e36125>
Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content β ProfilePress <= 4.14.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content β ProfilePress CVE ID: CVE-2024-1046 CVSS Score: 6.4 (Medium) Researcher/s: NgΓ΄ ThiΓͺn An (ancorn_) Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7911c774-3fb0-4d6c-a847-101e5ad8637a>
Click To Tweet <= 2.0.14 - Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: Click To Tweet CVE ID: CVE-2024-23514 CVSS Score: 6.4 (Medium) Researcher/s: NgΓ΄ ThiΓͺn An (ancorn_) Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7eee591c-2676-479c-ab15-96da10f51ae0>
Essential Addons for Elementor β Best Elementor Templates, Widgets, Kits & WooCommerce Builders <= 5.9.7 - Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: Essential Addons for Elementor β Best Elementor Templates, Widgets, Kits & WooCommerce Builders CVE ID: CVE-2024-0954 CVSS Score: 6.4 (Medium) Researcher/s: Webbernaut Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/875db71d-c799-40b9-95e1-74d53046b0a9>
Structured Content <= 1.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Classic Editor Shortcode
Affected Software: Structured Content (JSON-LD) #wpsc CVE ID: CVE-2024-24839 CVSS Score: 6.4 (Medium) Researcher/s: LVT-tholv2k Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a013106b-4e2a-4dd9-a0ab-7e6c91e715dd>
Auto Listings <= 2.6.5 - Authenticated(Contributor+) Stored Cross-Site Scripting via Shortcode
Affected Software: Auto Listings β Car Listings & Car Dealership Plugin for WordPress CVE ID: CVE-2024-24713 CVSS Score: 6.4 (Medium) Researcher/s: resecured.io Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b1a97776-03c7-403d-b803-023647b9d0f2>
Calculated Fields Form <= 1.2.52 - Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: Calculated Fields Form CVE ID: CVE-2024-0963 CVSS Score: 6.4 (Medium) Researcher/s: Richard Telleng (stueotue) Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d870ff8d-ea4b-4777-9892-0d9982182b9f>
The Plus Addons for Elementor <= 5.3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: The Plus Addons for Elementor CVE ID: CVE-2024-23511 CVSS Score: 6.4 (Medium) Researcher/s: Abu Hurayra (HurayraIIT) Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e66b5c12-3acb-41f7-ae5f-8a9130053e45>
CC BMI Calculator <= 2.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: CC BMI Calculator CVE ID: CVE-2024-23516 CVSS Score: 6.4 (Medium) Researcher/s: NgΓ΄ ThiΓͺn An (ancorn_) Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ed0e7717-d9ac-4333-8e79-fc030a410dab>
GDPR Data Request Form <= 1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: GDPR Data Request Form CVE ID: CVE-2024-24836 CVSS Score: 6.4 (Medium) Researcher/s: NgΓ΄ ThiΓͺn An (ancorn_) Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f0b8fd44-75af-4fb8-bcc1-94cb5fc9e4eb>
Premium Addons for Elementor <= 4.10.16 - Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: Premium Addons for Elementor CVE ID: CVE-2024-24831 CVSS Score: 6.4 (Medium) Researcher/s: Abu Hurayra (HurayraIIT) Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f7222c7e-939a-4666-9d01-f715d2827954>
MapPress <= 2.88.16 - Authenticated (Contributor+) Stored Cross-Site Scripting via Map Settings
Affected Software: MapPress Maps for WordPress CVE ID: CVE-2023-7225 CVSS Score: 6.4 (Medium) Researcher/s: Akbar Kustirama Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/fce76126-0cfd-464f-b644-45d4301e958d>
CalculatorPro Calculators <= 1.1.7 - Reflected Cross-Site Scripting via CP_preview_calc
Affected Software: CalculatorPro Calculators CVE ID: CVE-2024-24847 CVSS Score: 6.1 (Medium) Researcher/s: Dimas Maulana Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/0de79672-f0ba-42d3-a44a-01b93801d7de>
Mighty Addons for Elementor <= 1.9.3 - Reflected Cross-Site Scripting
Affected Software: Mighty Addons for Elementor CVE ID: CVE-2024-24846 CVSS Score: 6.1 (Medium) Researcher/s: Yudistira Arya Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/484d8d14-049d-4fd5-adb8-ad9942bba794>
Biteship <= 2.2.24 - Reflected Cross-Site Scripting via biteship_error and biteship_message
Affected Software: Biteship: Plugin Ongkos Kirim Kurir Instant, Reguler, Kargo CVE ID: CVE-2024-24866 CVSS Score: 6.1 (Medium) Researcher/s: thiennv Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a0247ba6-d193-4b7d-969d-0cd239c57faa>
PT Sign Ups <= 1.0.4 - Unauthenticated Stored Cross-Site Scripting
Affected Software: PT Sign Ups β Beautiful volunteer sign ups and management made easy CVE ID: CVE-2024-24848 CVSS Score: 6.1 (Medium) Researcher/s: Faizal Abroni Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b751191b-35a8-4331-ac3f-f6090221c65f>
EventON <= 4.4.0 - Reflected Cross-Site Scripting
Affected Software: EventON Pro CVE ID: CVE-2023-7200 CVSS Score: 6.1 (Medium) Researcher/s: kauenavarro Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e0d5b1a5-0078-402b-b834-8091bfc02dd5>
PowerPack Pro for Elementor < 2.10.8 - Cross-Site Request Forgery to Plugin Settings Modification and Cross-Site Scripting
Affected Software: PowerPack Pro for Elementor CVE ID: CVE-2024-24843 CVSS Score: 6.1 (Medium) Researcher/s: Dave Jong Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e68bbee2-1c1a-4751-988e-dde423f8aab3>
Ninja Forms Contact Form <= 3.7.1 - Unauthenticated Second Order SQL Injection
Affected Software: Ninja Forms Contact Form β The Drag and Drop Form Builder for WordPress CVE ID: CVE-2024-0685 CVSS Score: 5.9 (Medium) Researcher/s: stealthcopter Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/3cb73d5d-ca4a-4103-866d-f7bb369a8ce4>
Easy Digital Downloads <= 3.2.6 - Authenticated(Shop Manager+) Stored Cross-Site Scripting via variable pricing options
Affected Software: Easy Digital Downloads β Sell Digital Files (eCommerce Store & Payments Made Easy) CVE ID: CVE-2024-0659 CVSS Score: 5.5 (Medium) Researcher/s: emad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/1ec207cd-cae5-4950-bbc8-d28f108b4ae7>
BEAR <= 1.1.4 - Authenticated (Shop manager+) Stored Cross-Site Scripting via Plugin Options
Affected Software: BEAR β Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net CVE ID: CVE-2024-24834 CVSS Score: 5.5 (Medium) Researcher/s: Mika Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/32682598-ad1c-4aa1-bdf2-a7966a4d1dbe>
Scroll Triggered Box <= 2.3 - Authenticated (Editor+) Stored Cross-Site Scripting
Affected Software: Scroll Triggered Box CVE ID: CVE-2024-24865 CVSS Score: 5.5 (Medium) Researcher/s: Savphill Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b92c3d68-2e3e-4500-8da9-f89373126445>
MW WP Form <= 5.0.6 - Authenticated (Editor+) Stored Cross-Site Scripting
Affected Software: MW WP Form CVE ID: CVE-2024-24804 CVSS Score: 5.5 (Medium) Researcher/s: Huynh Tien Si Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f2126761-cbff-4d46-a6df-4566d15216d7>
Accessibility <= 1.0.6 - Cross-Site Request Forgery
Affected Software: Accessibility CVE ID: CVE-2024-24705 CVSS Score: 5.4 (Medium) Researcher/s: Nguyen Xuan Chien Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/432effd4-5c94-4ef9-bc19-b4eacd082264>
PilotPress <= 2.0.29 - Authenticated(Subscriber+) Missing Authorization via multiple AJAX functions
Affected Software: PilotPress CVE ID: CVE-2024-23524 CVSS Score: 5.4 (Medium) Researcher/s: Nguyen Xuan Chien Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6a8d121d-434d-4445-874f-d3cf6b6e7233>
WOLF β WordPress Posts Bulk Editor and Manager Professional <= 1.0.8.1 - Cross-Site Request Forgery
Affected Software: WOLF β WordPress Posts Bulk Editor and Manager Professional CVE ID: CVE-2024-0790 CVSS Score: 5.4 (Medium) Researcher/s: Francesco Carlucci Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6c48f94b-d193-429a-9383-628ae12bfdf3>
Load More Anything <= 3.3.3 - Missing Authorization to Plugin Settings Modification
Affected Software: Load More Anything CVE ID: CVE-2024-24704 CVSS Score: 5.4 (Medium) Researcher/s: Elliot Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/797554c9-7008-451a-8e8d-3242a207347e>
PDF Flipbook, 3D Flipbook β DearFlip <= 2.2.26 - Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: PDF Flipbook, 3D Flipbook β DearFlip CVE ID: CVE-2024-0895 CVSS Score: 5.4 (Medium) Researcher/s: Muhammad Daffa Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/92e37b28-1a17-417a-b40f-cb4bbe6ec759>
Happyforms <= 1.25.10 - Missing Authorization
Affected Software: Form builder to get in touch with visitors, grow your email list and collect payments β Happyforms CVE ID: CVE-2024-23521 CVSS Score: 5.3 (Medium) Researcher/s: Revan Arifio Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/0578c49e-f820-42dd-bd53-f4a281843e69>
User Activity Tracking and Log <= 4.1.3 - IP Spoofing
Affected Software: User Activity Tracking and Log CVE ID: CVE-2024-0970 CVSS Score: 5.3 (Medium) Researcher/s: Dmitrii Ignatyev Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/0e2268fc-5f29-4c69-9585-81240354ae77>
EventPrime <= 3.3.9 - Improper Input Validation via save_event_booking
Affected Software: EventPrime β Events Calendar, Bookings and Tickets CVE ID: CVE-2024-24832 CVSS Score: 5.3 (Medium) Researcher/s: Abdi Pranata Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/17cbcf67-f10d-41bc-acf7-98e5d99b50af>
NEX-Forms β Ultimate Form Builder β Contact forms and much more <= 8.5.6 - Missing Authorization via restore_records()
Affected Software: NEX-Forms β Ultimate Form Builder β Contact forms and much more CVE ID: CVE-2024-0907 CVSS Score: 5.3 (Medium) Researcher/s: Francesco Carlucci Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/26bd4058-ef00-48c8-8ab5-01535f0238a4>
WP Dummy Content Generator <= 3.1.2 - Missing Authorization
Affected Software: WP Dummy Content Generator CVE ID: CVE-2024-24805 CVSS Score: 5.3 (Medium) Researcher/s: Huynh Tien Si Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/3b44d23c-4872-491f-8a91-b0feb888ac54>
BEAR <= 1.1.4 - Missing Authorization via Several Functions
Affected Software: BEAR β Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net CVE ID: CVE-2024-24835 CVSS Score: 5.3 (Medium) Researcher/s: Mika Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/411b7889-c2c6-48cb-967d-091585705e17>
BizPrint <= 4.5.1 - Missing Authorization in showTemplatePreview
Affected Software: BizPrint β Print WooCommerce Order Receipts, Invoices, Labels & More. CVE ID: CVE Unknown CVSS Score: 5.3 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/4fc76e1c-546f-4ecd-bd3b-a6f21b2c65bf>
NEX-Forms β Ultimate Form Builder β Contact forms and much more <= 8.5.6 - Missing Authorization via set_starred()
Affected Software: NEX-Forms β Ultimate Form Builder β Contact forms and much more CVE ID: CVE-2024-1129 CVSS Score: 5.3 (Medium) Researcher/s: Francesco Carlucci Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/53db0f72-3353-42bb-ad75-4c5aa32d7939>
Relevanssi Pro < 2.25 - Unauthenticated Sensitive Information Exposure
Affected Software: Relevanssi β A Better Search (Pro) CVE ID: CVE Unknown CVSS Score: 5.3 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/550872c8-3663-48fa-ab3f-f90351f3e169>
Orbit Fox by ThemeIsle <= 2.10.28 - Missing Authorization
Affected Software: Orbit Fox by ThemeIsle CVE ID: CVE-2024-1047 CVSS Score: 5.3 (Medium) Researcher/s: Francesco Carlucci Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6147582f-578a-47ad-b16c-65c37896783d>
LearnDash LMS <= 4.10.1 - Sensitive Information Exposure via API
Affected Software: LearnDash LMS CVE ID: CVE-2024-1210 CVSS Score: 5.3 (Medium) Researcher/s: Karl Emil Nikka Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/61ca5ab6-5fe9-4313-9b0d-8736663d0e89>
LearnDash LMS <= 4.10.1 - Sensitive Information Exposure via assignments
Affected Software: LearnDash LMS CVE ID: CVE-2024-1209 CVSS Score: 5.3 (Medium) Researcher/s: Karl Emil Nikka Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7191955e-0db1-4ad1-878b-74f90ca59c91>
PropertyHive <= 2.0.6 - Missing Authorization via activate_pro_feature
Affected Software: PropertyHive CVE ID: CVE-2024-24718 CVSS Score: 5.3 (Medium) Researcher/s: Yudistira Arya Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/84d55f24-c4de-4574-b0cc-cc1b4935d281>
LearnDash LMS <= 4.10.2 - Sensitive Information Exposure via API
Affected Software: LearnDash LMS CVE ID: CVE-2024-1208 CVSS Score: 5.3 (Medium) Researcher/s: Karl Emil Nikka Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ae735117-e68b-448e-ad41-258d1be3aebc>
Post Thumbnail Editor <= 2.4.8 - Sensitive Information Exposure
Affected Software: Post Thumbnail Editor CVE ID: CVE-2024-24845 CVSS Score: 5.3 (Medium) Researcher/s: Joshua Chan Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b102af8f-2bc3-4548-9a90-d1280b058173>
UserPro <= 5.1.6 - Disabled Membership Registration Bypass
Affected Software: UserPro - Community and User Profile WordPress Plugin CVE ID: CVE-2024-0701 CVSS Score: 5.3 (Medium) Researcher/s: Rob Stevens Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ea070d9c-c04c-432f-a110-47b9eaa67614>
ARMember <= 4.0.24 - Improper Access Control to Sensitive Information Exposure via REST API
Affected Software: ARMember β Membership Plugin, Content Restriction, Member Levels, User Profile & User signup CVE ID: CVE-2024-0969 CVSS Score: 5.3 (Medium) Researcher/s: Francesco Carlucci Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ea4e6718-4e1e-44ce-8463-860f0d3d80f5>
NEX-Forms β Ultimate Form Builder β Contact forms and much more <= 8.5.6 - Missing Authorization via set_read()
Affected Software: NEX-Forms β Ultimate Form Builder β Contact forms and much more CVE ID: CVE-2024-1130 CVSS Score: 5.3 (Medium) Researcher/s: Francesco Carlucci Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f2c3b646-d865-4425-bc8f-00b3555a3d74>
WP Visitor Statistics (Real Time Traffic) <= 6.9.4 - Sensitive Information Exposure via Log File
Affected Software: WP Visitor Statistics (Real Time Traffic) CVE ID: CVE-2024-24867 CVSS Score: 5.3 (Medium) Researcher/s: Yudistira Arya Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f2d69d59-390d-4f3c-96ba-487707cac7a6>
Anonymous Restricted Content <= 1.6.2 - Protection Mechanism Bypass
Affected Software: Anonymous Restricted Content CVE ID: CVE-2024-0909 CVSS Score: 5.3 (Medium) Researcher/s: Francesco Carlucci Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f478ff7c-7193-4c59-a84f-c7cafff9b6c0>
Email Before Download <= 6.9.7 - Cross-Site Request Forgery
Affected Software: Email Before Download CVE ID: CVE-2024-23519 CVSS Score: 5.3 (Medium) Researcher/s: Mika Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/fa918a65-0021-4c32-9f6d-d978926c3ef3>
WP STAGING WordPress Backup Plugin < 3.2.0 - Sensitive Information Exposure via cache files
Affected Software: WP STAGING WordPress Backup Plugin β Migration Backup Restore CVE ID: CVE-2023-7204 CVSS Score: 5.3 (Medium) Researcher/s: Dmitrii Ignatyev Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/fe8816d8-1687-4a3c-9f2a-23f21d679cc5>
BookIt <=2.4.0 - Price Bypass
Affected Software: Booking Calendar | Appointment Booking | BookIt CVE ID: CVE-2024-24715 CVSS Score: 4.9 (Medium) Researcher/s: Debangshu Kundu, Arpeet Rathi Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d9938c7d-ef0d-45a2-900f-ac8bda9ce75a>
Popup More <= 2.2.4 - Authenticated (Admin+) Directory Traversal to Limited Local File Inclusion
Affected Software: Popup More Popups, Lightboxes, and more popup modules CVE ID: CVE-2024-0844 CVSS Score: 4.7 (Medium) Researcher/s: 0x9567b Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7894a19c-b873-4c5b-8c82-6656cc306ee2>
Restrict Usernames Emails Characters <= 3.1.3 - Authenticated(Administrator+) Stored Cross-Site Scripting
Affected Software: Restrict Usernames Emails Characters CVE ID: CVE-2023-6165 CVSS Score: 4.4 (Medium) Researcher/s: Yuhang Liu Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/12532f84-bc76-4968-a01f-f879ab41b901>
Persian Fonts <= 1.6 - Authenticated (Admin+) Stored Cross-Site Scripting
Affected Software: Persian Fonts CVE ID: CVE-2023-7167 CVSS Score: 4.4 (Medium) Researcher/s: Bob Matyas Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/2a427b26-4a0d-4351-8a8b-ec5da1345ebd>
Chartify <= 2.0.6 - Authenticated(Administrator+) Stored Cross-Site Scripting
Affected Software: Chartify β WordPress Chart Plugin CVE ID: CVE-2023-47526 CVSS Score: 4.4 (Medium) Researcher/s: Jeongwoo-Lee(Roronoa) Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/49d0315e-fcb2-4232-8797-0421cf5d3cd8>
SEO Plugin by Squirrly SEO <= 12.3.15 - Authenticated(Administrator+) Stored Cross-Site Scripting via plugin settings
Affected Software: SEO Plugin by Squirrly SEO CVE ID: CVE-2024-0597 CVSS Score: 4.4 (Medium) Researcher/s: Akbar Kustirama Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a61a8d8b-f22f-4a16-95f6-6cf52cf545ad>
Pagelayer <= 1.7.9 - Authenticated(Administrator+) Stored Cross-Site Scripting via Header/Footer code
Affected Software: Page Builder: Pagelayer β Drag and Drop website builder CVE ID: CVE-2023-5124 CVSS Score: 4.4 (Medium) Researcher/s: Marc-Alexandre Montpas Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b8bd08d0-5c78-40a8-abc1-de387908df9d>
Add Customer for WooCommerce <= 1.7 - Authenticated (Administrator+) Stored Cross-Site Scripting
Affected Software: Add Customer for WooCommerce CVE ID: CVE-2024-24841 CVSS Score: 4.4 (Medium) Researcher/s: Dhabaleshwar Das Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ba08695e-009e-434a-9db0-06aa1dd6d57a>
Beds24 Online Booking <= 2.0.23 - Authenticated(Administrator+) Stored Cross-Site Scripting
Affected Software: Beds24 Online Booking CVE ID: CVE-2024-24717 CVSS Score: 4.4 (Medium) Researcher/s: Dhabaleshwar Das Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ca5bc2af-394b-4fc1-b6c3-ed9ff0a5959a>
Fatal Error Notify <= 1.5.2 - Cross-Site Request Forgery to Test Error Email Sending
Affected Software: Fatal Error Notify CVE ID: CVE Unknown CVSS Score: 4.3 (Medium) Researcher/s: Dmitrii Ignatyev Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/08b75cac-7b1d-4bed-a1b7-bd1e872f2b4f>
Active Products Tables for WooCommerce. Professional products tables for WooCommerce store <= 1.0.6.1 - Missing Authorization
Affected Software: Active Products Tables for WooCommerce. Professional products tables for WooCommerce store CVE ID: CVE-2024-0797 CVSS Score: 4.3 (Medium) Researcher/s: Francesco Carlucci Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/0a94841f-b1dd-44f4-b7a1-65a9fdf7b18d>
WOLF β WordPress Posts Bulk Editor and Manager Professional <= 1.0.8.1 - Missing Authorization
Affected Software: WOLF β WordPress Posts Bulk Editor and Manager Professional CVE ID: CVE-2024-0791 CVSS Score: 4.3 (Medium) Researcher/s: Francesco Carlucci Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/13c66a8f-b35f-4943-8880-0799b0d150f7>
Element Pack Elementor Addons <= 5.4.11 - Missing Authorization via bdt_duplicate_as_draft
Affected Software: Element Pack Elementor Addons (Header Footer, Free Template Library, Grid, Carousel, Table, Parallax Animation, Register Form, Twitter Grid) CVE ID: CVE-2024-24840 CVSS Score: 4.3 (Medium) Researcher/s: Abu Hurayra (HurayraIIT) Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/164a1e09-e967-450c-8938-84c18ebf267d>
Happy Addons for Elementor <= 3.10.1 - Missing Authorization via add_row_actions
Affected Software: Happy Addons for Elementor CVE ID: CVE-2024-24833 CVSS Score: 4.3 (Medium) Researcher/s: Abu Hurayra (HurayraIIT) Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/1b25df18-dd9a-4b24-8187-283d5f3f334e>
Post Video Players <= 1.158 - Cross-Site Request Forgery via cincopa_mp_mt_options_page
Affected Software: Cincopa video and media plug-in CVE ID: CVE-2024-23515 CVSS Score: 4.3 (Medium) Researcher/s: Skalucy Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/285d2b85-cdd0-4447-8cdc-b641751e4a5f>
Affiliates Manager <= 2.9.34 - Cross-Site Request Forgery
Affected Software: Affiliates Manager CVE ID: CVE-2024-0859 CVSS Score: 4.3 (Medium) Researcher/s: Nathaniel Oh (0x4n3) Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/433a03c2-09fd-4ce6-843b-55ad09f4b4f7>
WooCommerce Conversion Tracking <= 2.0.11 - Missing Authorization via wcct_install_happy_addons
Affected Software: WooCommerce Conversion Tracking CVE ID: CVE-2024-24711 CVSS Score: 4.3 (Medium) Researcher/s: Abdi Pranata Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/4775ef21-01d6-4c5a-9e3e-f9b6e093fc7f>
BizPrint <= 4.5.1 - Cross-Site Request Forgery in Printer Management
Affected Software: BizPrint β Print WooCommerce Order Receipts, Invoices, Labels & More. CVE ID: CVE Unknown CVSS Score: 4.3 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/487a131e-4911-42d6-bfd7-fc697c89552d>
Fatal Error Notify <= 1.5.2 - Missing Authorization to Test Error Email Sending
Affected Software: Fatal Error Notify CVE ID: CVE-2023-7202 CVSS Score: 4.3 (Medium) Researcher/s: Dmitrii Ignatyev Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/50499cd6-0e27-494a-892c-5ca827d4433b>
Active Products Tables for WooCommerce. Professional products tables for WooCommerce store <= 1.0.6.1 - Cross-Site Request Forgery
Affected Software: Active Products Tables for WooCommerce. Professional products tables for WooCommerce store CVE ID: CVE-2024-0796 CVSS Score: 4.3 (Medium) Researcher/s: Francesco Carlucci Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5069fbc4-b3c4-4c0b-892c-2c83f35dc2fe>
Shareaholic <= 9.7.11 - Missing Authorization via accept_terms_of_service
Affected Software: Professional Social Sharing Buttons, Icons & Related Posts β Shareaholic CVE ID: CVE-2024-24709 CVSS Score: 4.3 (Medium) Researcher/s: Abdi Pranata Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5cde239c-20bf-41fa-b7d6-e21b14dcbc22>
Setka Editor <= 2.1.20 - Cross-Site Request Forgery via handleRequest
Affected Software: A no-code page builder for beautiful performance-based content CVE ID: CVE-2024-24701 CVSS Score: 4.3 (Medium) Researcher/s: emad Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7058306f-ec20-4722-aaa1-552a75945a1e>
Location Picker at Checkout for WooCommerce <= 1.8.9 - Missing Authorization via checkout_map_rules_order_ajax_handler
Affected Software: Kikote β Location Picker at Checkout & Google Address AutoFill Plugin for WooCommerce CVE ID: CVE-2024-24719 CVSS Score: 4.3 (Medium) Researcher/s: Dhabaleshwar Das Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7394be7e-9a1f-4c85-ac2d-cace39def330>
FG Drupal to WordPress <= 3.67.0 - Cross-Site Request Forgery via ajax_importer
Affected Software/s: FG Joomla to WordPress, FG PrestaShop to WooCommerce, FG Drupal to WordPress CVE ID: CVE-2024-24837 CVSS Score: 4.3 (Medium) Researcher/s: Friday Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7dc34ff1-1b7e-4974-907a-745911df5dc8>
Orbit Fox by ThemeIsle <= 2.10.29 - Cross-Site Request Forgery
Affected Software: Orbit Fox by ThemeIsle CVE ID: CVE-2024-1162 CVSS Score: 4.3 (Medium) Researcher/s: Francesco Carlucci Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/88f6a24f-f14a-4d0a-be5a-f8c84910b4fc>
JTRT Responsive Tables <= 4.1.9 - Cross-Site Request Forgery
Affected Software: JTRT Responsive Tables CVE ID: CVE-2024-24802 CVSS Score: 4.3 (Medium) Researcher/s: Nguyen Xuan Chien Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/89ca9214-145e-43c6-a642-7c371f635332>
Page Restrict <= 2.5.5 - Cross-Site Request Forgery via pr_admin_page
Affected Software: Page Restrict CVE ID: CVE-2024-24702 CVSS Score: 4.3 (Medium) Researcher/s: emad Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/956984d4-4f8b-4e20-8002-4e9809b3872c>
WP-CFM <= 1.7.8 - Cross-Site Request Forgery via multiple AJAX functions
Affected Software: WP-CFM CVE ID: CVE-2024-24706 CVSS Score: 4.3 (Medium) Researcher/s: Nguyen Xuan Chien Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/9790c592-1445-4f9d-987e-ae5ab49c4dcd>
RSS Aggregator by Feedzy β Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator <= 4.4.1 - Missing Authorization
Affected Software: RSS Aggregator by Feedzy β Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator CVE ID: CVE-2024-1092 CVSS Score: 4.3 (Medium) Researcher/s: Muhammad Daffa Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/98053141-fe97-4bd4-b820-b6cca3426109>
Custom Order Numbers for WooCommerce <= 1.6.0 - Cross-Site Request Forgery to Notice Dismissal
Affected Software: Custom Order Numbers for WooCommerce CVE ID: CVE Unknown CVSS Score: 4.3 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/981908d3-e1e7-4093-a2ee-69aa50127731>
PopupAlly <= 2.1.0 - Cross-Site Request Forgery via optin_submit_callback
Affected Software: PopupAlly CVE ID: CVE-2024-23520 CVSS Score: 4.3 (Medium) Researcher/s: Abdi Pranata Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a6bef410-8706-4440-b50f-08824ef754f6>
Debug <= 1.10 - Cross-Site Request Forgery
Affected Software: Debug CVE ID: CVE-2024-24798 CVSS Score: 4.3 (Medium) Researcher/s: Nguyen Xuan Chien Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/aa7276bb-6a9b-4cbd-8333-14c4dfac4108>
Custom Order Status for WooCommerce <= 2.3.0 - Cross-Site Request Forgery
Affected Software: Custom Order Status for WooCommerce CVE ID: CVE Unknown CVSS Score: 4.3 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ab2a4903-2c69-48da-bd4a-79b39b78806c>
WordPress Review & Structure Data Schema Plugin β Review Schema <= 2.1.14 - Missing Authorization to Arbitrary Review Update
Affected Software: WordPress Review & Structure Data Schema Plugin β Review Schema CVE ID: CVE-2024-0836 CVSS Score: 4.3 (Medium) Researcher/s: Francesco Carlucci Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b7039206-a25a-4aa0-87e2-be11dd1f12eb>
Starbox β the Author Box for Humans <= 3.4.7 - Insecure Direct Object Reference
Affected Software: Starbox β the Author Box for Humans CVE ID: CVE-2024-0366 CVSS Score: 4.3 (Medium) Researcher/s: Sh Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c47601b4-bf16-4f59-b5f3-584a8eac7c67>
CP Media Player <= 1.1.3 - Cross-Site Request Forgery to Player Deletion and Duplication
Affected Software: CP Media Player β Audio Player and Video Player CVE ID: CVE Unknown CVSS Score: 4.3 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ced380a5-04a6-40c1-a731-0d3b929e4428>
Don't Muck My Markup <= 1.8 - Cross-Site Request Forgery
Affected Software: Don't Muck My Markup CVE ID: CVE-2024-23510 CVSS Score: 4.3 (Medium) Researcher/s: Nguyen Xuan Chien Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d1390c22-3c8d-47f1-b225-1bcbc215832a>
W3SPEEDSTER <= 7.19 - Cross-Site Request Forgery via launch
Affected Software: W3SPEEDSTER CVE ID: CVE-2024-24708 CVSS Score: 4.3 (Medium) Researcher/s: Nguyen Xuan Chien Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e358355e-097c-4a6d-a21a-3d08098efff0>
WordPress Toolbar Plugin <= 2.2.6 - Open Redirect via wptbto
Affected Software: WordPress Toolbar CVE ID: CVE-2023-6389 CVSS Score: 4.3 (Medium) Researcher/s: Daniel Ruf Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e88a45e5-f882-419e-b0b0-612912666693>
ACF Photo Gallery Field <= 2.6 - Missing Authorization
Affected Software: ACF Photo Gallery Field CVE ID: CVE-2024-23518 CVSS Score: 4.3 (Medium) Researcher/s: Abdi Pranata Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f557ddf1-cee3-498c-87bc-fa81bf574591>
WooCommerce Box Office <= 1.2.2 - Missing Authorization
Affected Software: WooCommerce Box Office CVE ID: CVE-2024-24799 CVSS Score: 4.3 (Medium) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ff2097a9-fe7a-48f3-be9c-dc0caef74262>
Feed Them Social <= 4.2.0 - Cross-Site Request Forgery via review_nag_check
Affected Software: Feed Them Social β Page, Post, Video, and Photo Galleries CVE ID: CVE-2024-24710 CVSS Score: 3.5 (Low) Researcher/s: Abdi Pranata Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e86152a6-cd8d-4466-bcc5-830413500e12>
As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.
This database is continuously updated, maintained, and populated by Wordfenceβs highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
The post Wordfence Intelligence Weekly WordPress Vulnerability Report (January 29, 2024 to February 4, 2024) appeared first on Wordfence.
Related
9.5 High
AI Score
Confidence
High
0.012 Low
EPSS
Percentile
85.0%