Chloe ChamberlandWORDFENCE:69E1EB7BBDFD3ED9F7C42091B3887F36Wordfence Intelligence Weekly WordPress Vulnerability Report (May 22, 2023 to May 28, 2023)
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.022 Low
EPSS
Percentile
87.8%
Last week, there were 90 vulnerabilities disclosed in 77 WordPress Plugins and no WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 29 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface and vulnerability API are completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.
_Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published. _
New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
- Unlimited Elements For Elementor (Free Widgets, Addons, Templates) <= 1.5.60 - Arbitrary File Upload in File Manager
- ReviewX <= 1.6.13 - Arbitrary Usermeta Update to Authenticated (Subscriber+) Privilege Escalation
- WAF-RULE-600 - Data redacted while we work with the developer to ensure the vulnerability gets patched.
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.
Total Unpatched & Patched Vulnerabilities Last Week
| Patch Status | Number of Vulnerabilities |
|---|---|
| Unpatched | 26 |
| Patched | 64 |
Total Vulnerabilities by CVSS Severity Last Week
| Severity Rating | Number of Vulnerabilities |
|---|---|
| Low Severity | 1 |
| Medium Severity | 67 |
| High Severity | 16 |
| Critical Severity | 6 |
Total Vulnerabilities by CWE Type Last Week
| Vulnerability Type by CWE | Number of Vulnerabilities |
|---|---|
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 35 |
| Cross-Site Request Forgery (CSRF) | 23 |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 11 |
| Missing Authorization | 6 |
| Unrestricted Upload of File with Dangerous Type | 3 |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | 2 |
| Deserialization of Untrusted Data | 2 |
| Authentication Bypass Using an Alternate Path or Channel | 2 |
| Authorization Bypass Through User-Controlled Key | 1 |
| Information Exposure | 1 |
| Improper Authorization | 1 |
| Creation of Emergent Resource | 1 |
| Client-Side Enforcement of Server-Side Security | 1 |
| Guessable CAPTCHA | 1 |
Researchers That Contributed to WordPress Security Last Week
| Researcher Name | Number of Vulnerabilities |
|---|---|
| Rafie Muhammad | 16 |
| Lana Codes | |
| (Wordfence Vulnerability Researcher) | 11 |
| Alex Thomas | |
| (Wordfence Vulnerability Researcher) | 6 |
| Rio Darmawan | 4 |
| Mika | 4 |
| yuyudhn | 3 |
| LEE SE HYOUNG | 3 |
| Marco Wotschka | |
| (Wordfence Vulnerability Researcher) | 3 |
| thiennv | 3 |
| Nguyen Xuan Chien | 3 |
| Chien Vuong | 2 |
| Hao Huynh | 2 |
| Skalucy | 2 |
| Erwan LR | 2 |
| Cat | 2 |
| Le Ngoc Anh | 2 |
| dc11 | 2 |
| WON JOON HWANG | 2 |
| Muhammad Daffa | 2 |
| Nguyen Anh Tien | 1 |
| Bob Matyas | 1 |
| Marco Frison | 1 |
| My Le | 1 |
| Nithissh S | 1 |
| Emili Castells | 1 |
| Yuki Haruma | 1 |
| NGO VAN TU | 1 |
| Abdi Pranata | 1 |
| MyungJu Kim | 1 |
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
|---|---|
| AI ChatBot | chatbot |
| Abandoned Cart Lite for WooCommerce | woocommerce-abandoned-cart |
| BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net | woo-bulk-editor |
| Bubble Menu – circle floating menu | bubble-menu |
| Button Generator – easily Button Builder | button-generation |
| Calculator Builder | calculator-builder |
| Conditional Menus | conditional-menus |
| Contact Form Entries – Contact Form 7, WPforms and more | contact-form-entries |
| Counter Box – WordPress plugin for countdown, timer, counter | counter-box |
| Custom Post Type Generator | custom-post-type-generator |
| Custom Twitter Feeds (Tweets Widget) | custom-twitter-feeds |
| Download Theme | download-theme |
| Duplicator Pro | duplicator-pro |
| Easy Admin Menu | easy-admin-menu |
| Easy Captcha | easy-captcha |
| Easy Google Maps | google-maps-easy |
| Elementor Website Builder – More than Just a Page Builder | elementor |
| EventPrime – Modern Events Calendar, Bookings and Tickets | eventprime-event-calendar-management |
| File Renaming on Upload | file-renaming-on-upload |
| Flickr Justified Gallery | flickr-justified-gallery |
| Float menu – awesome floating side menu | float-menu |
| Floating button | profit-button |
| Front End Users | front-end-only-users |
| Go Pricing - WordPress Responsive Pricing Tables | go_pricing |
| Google Map Shortcode | google-map-shortcode |
| Herd Effects – fake notifications and social proof plugin | mwp-herd-effect |
| IP Metaboxes | ip-metaboxes |
| Integration for Contact Form 7 and Zoho CRM, Bigin | cf7-zoho |
| JetFormBuilder — Dynamic Blocks Form Builder | jetformbuilder |
| LearnDash WordPress Plugin | sfwd-lms |
| Leyka | leyka |
| MStore API | mstore-api |
| MailChimp Subscribe Form, Optin Builder, PopUp Builder, Form Builder | mailchimp-subscribe-sm |
| Multiple Page Generator Plugin – MPG | multiple-pages-generator-by-porthas |
| Novelist | novelist |
| OAuth Single Sign On – SSO (OAuth Client) | miniorange-login-with-eve-online-google-facebook |
| Popup Box – new WordPress popup plugin | popup-box |
| Product Gallery Slider for WooCommerce | woo-product-gallery-slider |
| Product Vendors | woocommerce-product-vendors |
| QuBot – Chatbot Builder with Templates | qubotchat |
| QueryWall: Plug'n Play Firewall | querywall |
| Recently Viewed Products | recently-viewed-products |
| Responsive Tabs For WPBakery Page Builder (formerly Visual Composer) | responsive-tabs-for-wpbakery |
| SIS Handball | sis-handball |
| SKU Label Changer For WooCommerce | woo-sku-label-changer |
| Shopping Cart & eCommerce Store | wp-easycart |
| Side Menu Lite – add sticky fixed buttons | side-menu-lite |
| SlideOnline | slideonline |
| Slider Revolution | revslider |
| Sticky Buttons – floating buttons builder | sticky-buttons |
| SupportCandy – Helpdesk & Support Ticket System | supportcandy |
| This Day In History | this-day-in-history |
| Tutor LMS – eLearning and online course solution | tutor |
| UTM Tracker | utm-tracker |
| Uncanny Automator – Automate everything with the #1 no-code Automation tool for WordPress | uncanny-automator |
| Unite Gallery Lite | unite-gallery-lite |
| Unlimited Elements For Elementor (Free Widgets, Addons, Templates) | unlimited-elements-for-elementor |
| Upload Resume | resume-upload-form |
| User Activity Log | user-activity-log |
| Video Contest WordPress Plugin | video-contest |
| WIP Custom Login | wip-custom-login |
| WP Coder – add custom html, css and js code | wp-coder |
| WP Tiles | wp-tiles |
| WP-Hijri | wp-hijri |
| WP-Matomo Integration (WP-Piwik) | wp-piwik |
| WS Form LITE – Drag & Drop Contact Form Builder for WordPress | ws-form |
| WooCommerce Product Categories Selection Widget | woocommerce-product-category-selection-widget |
| WooCommerce Shipping & Tax | woocommerce-services |
| WordPress Backup & Migration | wp-migration-duplicator |
| WordPress File Upload | wp-file-upload |
| WordPress File Upload Pro | wordpress-file-upload-pro |
| Wow Skype Buttons | mwp-skype |
| Yoast SEO: Local | wpseo-local |
| YouTube Playlist Player | youtube-playlist-player |
| seo-by-rank-math-pro | seo-by-rank-math-pro |
| woocommerce-follow-up-emails | woocommerce-follow-up-emails |
| woocommerce-warranty | woocommerce-warranty |
Vulnerability Details
Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should've already been notified if your site was affected by any of these vulnerabilities.
Unlimited Elements For Elementor (Free Widgets, Addons, Templates) <= 1.5.60 - Arbitrary File Upload in File Manager
Affected Software: Unlimited Elements For Elementor (Free Widgets, Addons, Templates) CVE ID: CVE-2023-31090 CVSS Score: 9.9 (Critical) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/9a09102c-391e-4057-b883-3d2eef1671ce>
WooCommerce Follow-Up Emails <= 4.9.40 - Authenticated Arbitrary File Upload in Template Editing
Affected Software: woocommerce-follow-up-emails CVE ID: CVE-2023-33318 CVSS Score: 9.9 (Critical) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a169934d-17ce-4d34-be00-c5ac0b488066>
Leyka <= 3.30 - Privilege Escalation via Admin Password Reset
Affected Software: Leyka CVE ID: CVE-2023-33327 CVSS Score: 9.8 (Critical) Researcher/s: Nguyen Anh Tien Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/0152bcc9-6d24-4475-848d-71fe88aa7e2a>
Recently Viewed Products <= 1.0.0 - Unauthenticated PHP Object Injection
Affected Software: Recently Viewed Products CVE ID: CVE-2023-34027 CVSS Score: 9.8 (Critical) Researcher/s: Mika Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/46f31a60-0a0e-449d-a10a-3cafd0492a9c>
MStore API <= 3.9.1 - Authentication Bypass
Affected Software: MStore API CVE ID: CVE-2023-2734 CVSS Score: 9.8 (Critical) Researcher/s: Lana Codes Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5881d16c-84e8-4610-8233-cfa5a94fe3f9>
MStore API <= 3.9.2 - Authentication Bypass
Affected Software: MStore API CVE ID: CVE-2023-2732 CVSS Score: 9.8 (Critical) Researcher/s: Lana Codes Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f00761a7-fe24-49a3-b3e3-a471e05815c1>
LearnDash LMS <= 4.5.3 - Authenticated (Contributor+) SQL Injection
Affected Software: LearnDash WordPress Plugin CVE ID: CVE-2023-28777 CVSS Score: 8.8 (High) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/40a57493-b99b-4e71-8603-e668c6283a5a>
Contact Form Entries <= 1.3.0 - Authenticated (Contributor+) SQL Injection via shortcode
Affected Software: Contact Form Entries – Contact Form 7, WPforms and more CVE ID: CVE-2023-31212 CVSS Score: 8.8 (High) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/4b475ada-3b31-40a3-9a81-5a7b1a1e190a>
OAuth Single Sign On – SSO (OAuth Client) <= 6.23.3 - Missing Authorization
Affected Software: OAuth Single Sign On – SSO (OAuth Client) CVE ID: CVE-2022-34155 CVSS Score: 8.8 (High) Researcher/s: Lana Codes Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5d166a77-d57b-4827-96ca-b8eb423861f0>
SupportCandy <= 3.1.6 - Authenticated (Subscriber+) SQL Injection
Affected Software: SupportCandy – Helpdesk & Support Ticket System CVE ID: CVE-2023-2719 CVSS Score: 8.8 (High) Researcher/s: dc11 Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c1d2b6bd-a75a-4a07-b2f0-8ec206d41211>
Go Pricing - WordPress Responsive Pricing Tables <= 3.3.19 - Authenticated (Subscriber+) PHP Object Injection
Affected Software: Go Pricing - WordPress Responsive Pricing Tables CVE ID: CVE-2023-2500 CVSS Score: 8.8 (High) Researcher/s: Lana Codes Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f7686b11-97a8-4f09-bbfa-d77120cc35b7>
Easy Captcha <= 1.0 - Missing Authorization via easy_captcha_update_settings
Affected Software: Easy Captcha CVE ID: CVE-2023-33324 CVSS Score: 7.5 (High) Researcher/s: Skalucy Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/8efe2ccf-33cb-4db3-bc3d-ead826adb7d0>
Integration for Contact Form 7 and Zoho CRM, Bigin <= 1.2.3 - Authenticated (Admin+) SQL Injection
Affected Software: Integration for Contact Form 7 and Zoho CRM, Bigin CVE ID: CVE-2023-2527 CVSS Score: 7.2 (High) Researcher/s: Chien Vuong Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/0b4e6dae-f38c-4f5b-ae1d-cf998946c675>
QueryWall <= 1.1.1 - Authenticated (Administrator+) SQL Injection
Affected Software: QueryWall: Plug'n Play Firewall CVE ID: CVE-2023-2492 CVSS Score: 7.2 (High) Researcher/s: Chien Vuong Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/306c98ad-0d42-4ad5-b82a-bf4579865aa9>
Slider Revolution <= 6.6.12 - Authenticated (Administrator+) Arbitrary File Upload
Affected Software: Slider Revolution CVE ID: CVE-2023-2359 CVSS Score: 7.2 (High) Researcher/s: Marco Frison Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/4fa00dae-c51d-4586-81da-b568cd6d8124>
SupportCandy <= 3.1.6 - Authenticated (Admin+) SQL Injection
Affected Software: SupportCandy – Helpdesk & Support Ticket System CVE ID: CVE-2023-2805 CVSS Score: 7.2 (High) Researcher/s: dc11 Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/75f01eb4-5d53-441d-9bee-e97857dadaf9>
SIS Handball <= 1.0.45 - Authenticated (Administrator+) SQL Injection via 'orderby'
Affected Software: SIS Handball CVE ID: CVE-2023-33924 CVSS Score: 7.2 (High) Researcher/s: Mika Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/cabdc9db-2d1c-4390-a4b7-65648ef9f16a>
Multiple Page Generator Plugin – MPG <= 3.3.19 - Authenticated (Administrator+) SQL Injection in projects_list and total_projects
Affected Software: Multiple Page Generator Plugin – MPG CVE ID: CVE-2023-33927 CVSS Score: 7.2 (High) Researcher/s: LEE SE HYOUNG Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d18d800b-647f-4706-9ec1-a8ea4e643965>
WooCommerce Follow-Up Emails <= 4.9.50 - Authenticated (Follow-up emails manager+) SQL Injection
Affected Software: woocommerce-follow-up-emails CVE ID: CVE-2023-33330 CVSS Score: 7.2 (High) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/dc5276e2-e9de-4409-bbe0-4d0b37244367>
WooCommerce Product Vendors <= 2.1.76 - Authenticated (Vendor admin+) SQL Injection
Affected Software: Product Vendors CVE ID: CVE-2023-33331 CVSS Score: 7.2 (High) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ed8f8984-bea6-44aa-9bde-5b40b455767f>
WooCommerce Warranty Requests <= 2.1.6 - Reflected Cross-Site Scripting
Affected Software: woocommerce-warranty CVE ID: CVE-2023-33317 CVSS Score: 7.1 (High) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/1665fda6-005d-42ba-883d-2e3ad7abe0ba>
Go Pricing - WordPress Responsive Pricing Tables <= 3.3.19 - Improper Authorization to Arbitrary File Upload
Affected Software: Go Pricing - WordPress Responsive Pricing Tables CVE ID: CVE-2023-2496 CVSS Score: 7.1 (High) Researcher/s: Lana Codes Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/477c6fa2-16a8-4461-b4d4-d087e13e3ca7>
User Activity Log <= 1.6.1 - Authenticated(Administrator+) SQL Injection via txtsearch
Affected Software: User Activity Log CVE ID: CVE Unknown CVSS Score: 6.6 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/17a787da-5630-42ec-b5b0-47435db765a7>
WIP Custom Login <= 1.2.9 - Cross-Site Request Forgery via save_option
Affected Software: WIP Custom Login CVE ID: CVE-2023-33313 CVSS Score: 6.5 (Medium) Researcher/s: LEE SE HYOUNG Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/15b93e63-5ef2-4fb1-8c6b-28fcfab8e34d>
BEAR <= 1.1.3.1 - Cross-Site Request Forgery via Multiple Functions
Affected Software: BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net CVE ID: CVE-2023-33314 CVSS Score: 6.5 (Medium) Researcher/s: Nguyen Xuan Chien Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a7e3818c-883f-4633-a460-a8c0446edffc>
WP EasyCart <= 5.4.8 - Cross-Site Request Forgery via process_bulk_delete_product
Affected Software: Shopping Cart & eCommerce Store CVE ID: CVE-2023-2892 CVSS Score: 6.5 (Medium) Researcher/s: Alex Thomas Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b36e94e4-b1e8-4803-9377-c4d710b029de>
WP EasyCart <= 5.4.8 - Cross-Site Request Forgery via process_delete_product
Affected Software: Shopping Cart & eCommerce Store CVE ID: CVE-2023-2891 CVSS Score: 6.5 (Medium) Researcher/s: Alex Thomas Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/bcca7ade-8b35-4ba1-a8b4-b1e815b025e3>
Go Pricing - WordPress Responsive Pricing Tables <= 3.3.19 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Affected Software: Go Pricing - WordPress Responsive Pricing Tables CVE ID: CVE-2023-2498 CVSS Score: 6.4 (Medium) Researcher/s: Lana Codes Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/1c3d4c96-63a7-4f3b-a9ac-095be241f840>
Google Map Shortcode <= 3.1.2 - Authenticated(Contributor+) Stored Cross-Site Scripting via shortcode
Affected Software: Google Map Shortcode CVE ID: CVE-2023-2899 CVSS Score: 6.4 (Medium) Researcher/s: Lana Codes Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/2f6656e2-35f5-41d8-a330-7904c296ba29>
Contact Form Entries <= 1.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via vx-entries shortcode
Affected Software: Contact Form Entries – Contact Form 7, WPforms and more CVE ID: CVE-2023-33311 CVSS Score: 6.4 (Medium) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/51986a76-933b-4c25-af79-d0c3f9e1d513>
SlideOnline <= 1.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: SlideOnline CVE ID: CVE-2023-0489 CVSS Score: 6.4 (Medium) Researcher/s: Lana Codes Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/778e2191-d764-44a1-9f52-9698e9183fd2>
Yoast SEO: Local <= 14.9 - Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: Yoast SEO: Local CVE ID: CVE-2023-28785 CVSS Score: 6.4 (Medium) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/cb6457ea-6353-4a69-ad72-cd5acd47ed8c>
Responsive Tabs For WPBakery Page Builder <= 1.1 - Authenticated(Contributor+) Stored Cross-Site Scripting via shortcode
Affected Software: Responsive Tabs For WPBakery Page Builder (formerly Visual Composer) CVE ID: CVE-2023-0368 CVSS Score: 6.4 (Medium) Researcher/s: Lana Codes Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d1c3ddae-046a-4080-ac2b-90fb89fbff7b>
Duplicator Pro <= 4.5.11 - Reflected Cross-Site Scripting
Affected Software: Duplicator Pro CVE ID: CVE-2023-33309 CVSS Score: 6.1 (Medium) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/1426bebe-d3c4-4f83-9b50-fae8c2373209>
EventPrime <= 2.8.6 - Reflected Cross-Site Scripting
Affected Software: EventPrime – Modern Events Calendar, Bookings and Tickets CVE ID: CVE-2023-33326 CVSS Score: 6.1 (Medium) Researcher/s: yuyudhn Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/22479c6a-83ea-4c09-b192-4384ffbdcbf7>
WooCommerce Follow-Up Emails <= 4.9.40 - Reflected Cross-Site Scripting
Affected Software: woocommerce-follow-up-emails CVE ID: CVE-2023-33319 CVSS Score: 6.1 (Medium) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/4487391e-baa4-4320-a23d-b52a42e2de90>
This Day In History <= 3.10.1 - Reflected Cross-Site Scripting
Affected Software: This Day In History CVE ID: CVE-2023-34026 CVSS Score: 6.1 (Medium) Researcher/s: LEE SE HYOUNG Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/4b88a8a9-d3e1-4c21-a4e8-d9afa34d7a2e>
Conditional Menus <= 1.2.0 - Reflected Cross-Site Scripting
Affected Software: Conditional Menus CVE ID: CVE-2023-2654 CVSS Score: 6.1 (Medium) Researcher/s: Erwan LR Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/57d3506c-8db8-4e1b-9587-7f2bdb632890>
WP-Hijri <= 1.5.1 - Reflected Cross-Site Scripting
Affected Software: WP-Hijri CVE ID: CVE-2023-33320 CVSS Score: 6.1 (Medium) Researcher/s: Le Ngoc Anh Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/67aaf9fa-e92b-42f2-94ac-f27c5d073002>
Multiple Wow-Company Plugins (Various Versions) – Reflected Cross-Site Scripting via 'page' parameter
Affected Software/s: Herd Effects – fake notifications and social proof plugin, Popup Box – new WordPress popup plugin, Wow Skype Buttons, Float menu – awesome floating side menu, Side Menu Lite – add sticky fixed buttons, Floating button, Sticky Buttons – floating buttons builder, Counter Box – WordPress plugin for countdown, timer, counter, Bubble Menu – circle floating menu, Calculator Builder, WP Coder – add custom html, css and js code, Button Generator – easily Button Builder CVE ID: CVE-2023-2362 CVSS Score: 6.1 (Medium) Researcher/s: Erwan LR Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/8a95af34-559c-4644-9941-7bd1551aba33>
WooCommerce Product Categories Selection Widget <= 2.0 - Reflected Cross-Site Scripting
Affected Software: WooCommerce Product Categories Selection Widget CVE ID: CVE-2023-33925 CVSS Score: 6.1 (Medium) Researcher/s: Nguyen Xuan Chien Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/8f68c70b-9fde-43a6-8a7c-00938aa0e109>
WooCommerce Product Vendors <= 2.1.76 - Reflected Cross-Site Scripting
Affected Software: Product Vendors CVE ID: CVE-2023-33332 CVSS Score: 6.1 (Medium) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a93c0dd4-8341-438d-8730-470e9a230d97>
Rank Math SEO PRO <= 3.0.35 - Reflected Cross-Site Scripting
Affected Software: seo-by-rank-math-pro CVE ID: CVE-2023-32800 CVSS Score: 6.1 (Medium) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b4ec9001-c4aa-4db3-b7d7-29afa243f78a>
Leyka <= 3.30 - Reflected Cross-Site Scripting
Affected Software: Leyka CVE ID: CVE-2023-33325 CVSS Score: 6.1 (Medium) Researcher/s: thiennv Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/baf54eb2-0b29-4718-a994-f722cefd7317>
Easy Captcha <= 1.0 - Reflected Cross-Site Scripting
Affected Software: Easy Captcha CVE ID: CVE-2023-33312 CVSS Score: 6.1 (Medium) Researcher/s: Le Ngoc Anh Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/cd73cf64-289d-4401-bef7-9a4398a85055>
Front End Users <= 3.2.25 - Unauthenticated Cross-Site Scripting
Affected Software: Front End Users CVE ID: CVE-2023-33322 CVSS Score: 6.1 (Medium) Researcher/s: thiennv Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e076e054-6a0b-4c08-b0cc-bd3a5b0751e5>
IP Metaboxes <= 2.1.1 - Reflected Cross-Site Scripting
Affected Software: IP Metaboxes CVE ID: CVE-2023-30753 CVSS Score: 6.1 (Medium) Researcher/s: WON JOON HWANG Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f611d609-97c5-4b77-9657-c8d9d10e786a>
WooCommerce Shipping & Tax <= 2.2.4 - Stored Cross-Site Scripting
Affected Software: WooCommerce Shipping & Tax CVE ID: CVE Unknown CVSS Score: 5.5 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/57156ebc-2858-4295-ba08-57bcab6db229>
Easy Google Maps <= 1.11.7 - Cross-Site Request Forgery via AJAX action
Affected Software: Easy Google Maps CVE ID: CVE-2023-2526 CVSS Score: 5.4 (Medium) Researcher/s: Marco Wotschka Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/4ea4ca00-185b-4f5d-9c5c-f81ba4edad05>
Elementor <= 3.13.2 Authenticated(Contributor+) Arbitrary Post Type Creation via save_item
Affected Software: Elementor Website Builder – More than Just a Page Builder CVE ID: CVE-2023-33922 CVSS Score: 5.4 (Medium) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/525cb51c-23f1-446f-a247-0f69ec5029d8>
IP Metaboxes <= 2.1.1 - Unauthenticated Stored Cross-Site Scripting
Affected Software: IP Metaboxes CVE ID: CVE-2023-30745 CVSS Score: 5.4 (Medium) Researcher/s: WON JOON HWANG Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/9163861b-735b-4007-97f7-8f9095d93ec9>
Uncanny Automator <= 4.14 - Cross-Site Request Forgery via update_automator_connect
Affected Software: Uncanny Automator – Automate everything with the #1 no-code Automation tool for WordPress CVE ID: CVE Unknown CVSS Score: 5.4 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/bd0d8661-4725-41dd-88ce-8e94e285d5b8>
Tutor LMS <= 2.1.10 - Missing Authorization via multiple AJAX actions
Affected Software: Tutor LMS – eLearning and online course solution CVE ID: CVE-2023-25799 CVSS Score: 5.4 (Medium) Researcher/s: Rafie Muhammad Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/bf16617d-cec2-4943-bd20-7ade31878714>
Easy Google Maps <= 1.11.7 - Cross-Site Request Forgery
Affected Software: Easy Google Maps CVE ID: CVE-2023-33926 CVSS Score: 5.4 (Medium) Researcher/s: Nguyen Xuan Chien Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ee52c6c0-c69e-46c4-9e4b-94aa69c00737>
EventPrime <= 2.8.6 - Sensitive Information Exposure
Affected Software: EventPrime – Modern Events Calendar, Bookings and Tickets CVE ID: CVE-2023-33321 CVSS Score: 5.3 (Medium) Researcher/s: yuyudhn Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/1fdd0a4c-ce47-44bc-b9a5-a8f2af12da85>
Download Theme <= 1.0.9 - Cross-Site Request Forgery via dtwap_download()
Affected Software: Download Theme CVE ID: CVE-2022-38062 CVSS Score: 5.3 (Medium) Researcher/s: Lana Codes Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/50ca7cf8-bb47-42ea-badc-8bfe0328cbb0>
SKU Label Changer For WooCommerce <= 3.0 - Missing Authorization
Affected Software: SKU Label Changer For WooCommerce CVE ID: CVE-2023-29174 CVSS Score: 5.3 (Medium) Researcher/s: Yuki Haruma Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/793594f7-6325-4561-ad74-a08aebc20c53>
Button Generator – easily Button Builder <= 2.3.5 - Cross-Site Request Forgery
Affected Software: Button Generator – easily Button Builder CVE ID: CVE-2023-25443 CVSS Score: 5.3 (Medium) Researcher/s: Rio Darmawan Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/af803612-96ae-41ee-8ad3-8f9319b147e8>
WS Form LITE <= 1.9.117 - CAPTCHA Bypass
Affected Software: WS Form LITE – Drag & Drop Contact Form Builder for WordPress CVE ID: CVE Unknown CVSS Score: 5.3 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d99f81ea-1e74-4b67-a6c5-3dbc7865a68a>
Upload Resume <= 1.2.0 - Captcha Bypass via resume_upload_form
Affected Software: Upload Resume CVE ID: CVE-2023-2751 CVSS Score: 5.3 (Medium) Researcher/s: MyungJu Kim Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/fc0acff9-6852-4ecb-84f9-98a15dd30fc6>
Unite Gallery Lite <= 1.7.59 - Authenticated(Administrator+) Local File Inclusion via 'view' parameter
Affected Software: Unite Gallery Lite CVE ID: CVE-2023-33310 CVSS Score: 5 (Medium) Researcher/s: yuyudhn Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/0c2925c1-f5c6-45b9-bc61-96f325c0372f>
WordPress File Upload / WordPress File Upload Pro <= 4.19.1 - Authenticated (Administrator+) Path Traversal
Affected Software/s: WordPress File Upload, WordPress File Upload Pro CVE ID: CVE-2023-2688 CVSS Score: 4.9 (Medium) Researcher/s: Marco Wotschka Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/abd6eeac-0a7e-4762-809f-593cd85f303d>
Go Pricing - WordPress Responsive Pricing Tables <= 3.3.19 - Missing Authorization to Limited Privilege Granting
Affected Software: Go Pricing - WordPress Responsive Pricing Tables CVE ID: CVE-2023-2494 CVSS Score: 4.6 (Medium) Researcher/s: Lana Codes Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5779914a-a168-4835-8aea-e0ab2b3be4f6>
AI ChatBot <= 4.5.4 - Authenticated (Administrator+) Stored Cross-Site Scripting
Affected Software: AI ChatBot CVE ID: CVE-2023-2811 CVSS Score: 4.4 (Medium) Researcher/s: Hao Huynh Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/114bd025-74c5-40a2-82e8-5947497fc836>
WordPress File Upload / WordPress File Upload Pro <= 4.19.1 - Authenticated (Administrator+) Stored Cross-Site Scripting
Affected Software/s: WordPress File Upload, WordPress File Upload Pro CVE ID: CVE-2023-2767 CVSS Score: 4.4 (Medium) Researcher/s: Marco Wotschka Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/23334d94-e5b8-4c88-8765-02ad19e17248>
Custom Post Type Generator <= 2.4.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Affected Software: Custom Post Type Generator CVE ID: CVE-2023-33329 CVSS Score: 4.4 (Medium) Researcher/s: thiennv Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/23a2b1ac-2183-48ae-8376-fb950fe83fd9>
QuBotChat <= 1.1.5 - Authenticated(Administrator+) Stored Cross-Site Scripting
Affected Software: QuBot – Chatbot Builder with Templates CVE ID: CVE-2023-2401 CVSS Score: 4.4 (Medium) Researcher/s: Bob Matyas Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/45f98c00-0bfd-405e-a6b3-581841d803de>
File Renaming on Upload <= 2.5.1 - Authenticated (Admin+) Stored Cross-Site Scripting
Affected Software: File Renaming on Upload CVE ID: CVE-2023-2684 CVSS Score: 4.4 (Medium) Researcher/s: Hao Huynh, My Le Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/550c3f56-d188-4be1-82cd-db076c09cf61>
WP-Piwik <= 1.0.27 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Display Name
Affected Software: WP-Matomo Integration (WP-Piwik) CVE ID: CVE-2023-33211 CVSS Score: 4.4 (Medium) Researcher/s: Nithissh S Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/68a520bb-261a-43f0-993d-de208035afe5>
Novelist <= 1.2.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via Book Information Fields
Affected Software: Novelist CVE ID: CVE-2023-32958 CVSS Score: 4.4 (Medium) Researcher/s: Emili Castells Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6b8f64ed-abf8-4a8b-b32f-75afeaccea5c>
Video Contest WordPress Plugin <= 3.2 - Authenticated (Administrator+) Stored Cross-Site Scripting
Affected Software: Video Contest WordPress Plugin CVE ID: CVE-2022-45827 CVSS Score: 4.4 (Medium) Researcher/s: Cat Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/86079059-11c7-4545-b254-6bf524367b46>
MailChimp Subscribe Forms <= 4.0.9.1 - Authenticated (Administrator+) Stored Cross-Site Scripting
Affected Software: MailChimp Subscribe Form, Optin Builder, PopUp Builder, Form Builder CVE ID: CVE-2023-33328 CVSS Score: 4.4 (Medium) Researcher/s: Rio Darmawan Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/86f6e8b8-ebfd-4d9f-a285-9d0aa2e961ff>
AI ChatBot <= 4.5.5 - Authenticated (Administrator+) Stored Cross-Site Scripting
Affected Software: AI ChatBot CVE ID: CVE-2023-2811 CVSS Score: 4.4 (Medium) Researcher/s: NGO VAN TU Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/9df97805-b425-49b1-86c1-e66213dacd2b>
Easy Admin Menu <= 1.3 - Authenticated (Administrator+) Stored Cross-Site Scripting
Affected Software: Easy Admin Menu CVE ID: CVE-2023-33929 CVSS Score: 4.4 (Medium) Researcher/s: Rio Darmawan Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/fefab999-12e0-4866-a5a2-60f8faa64f89>
WP EasyCart <= 5.4.8 - Cross-Site Request Forgery via process_bulk_activate_product
Affected Software: Shopping Cart & eCommerce Store CVE ID: CVE-2023-2895 CVSS Score: 4.3 (Medium) Researcher/s: Alex Thomas Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/02fd8469-cd99-42dc-9a28-c0ea08512bb0>
WP EasyCart <= 5.4.8 - Cross-Site Request Forgery via process_duplicate_product
Affected Software: Shopping Cart & eCommerce Store CVE ID: CVE-2023-2896 CVSS Score: 4.3 (Medium) Researcher/s: Alex Thomas Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/041830b8-f059-46f5-961b-3ba908d161f9>
WP EasyCart <= 5.4.8 - Cross-Site Request Forgery via process_deactivate_product
Affected Software: Shopping Cart & eCommerce Store CVE ID: CVE-2023-2893 CVSS Score: 4.3 (Medium) Researcher/s: Alex Thomas Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/1268604c-08eb-4d86-8e97-9cdaa3e19c1f>
YouTube Playlist Player <= 4.6.4 - Cross-Site Request Forgery in ytpp_settings
Affected Software: YouTube Playlist Player CVE ID: CVE-2023-33931 CVSS Score: 4.3 (Medium) Researcher/s: Skalucy Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/39aed7e9-05c6-4251-b489-de7a33ed2c2e>
WooCommerce Follow-Up Emails <= 4.9.40 - Cross-Site Request Forgery
Affected Software: woocommerce-follow-up-emails CVE ID: CVE-2023-33316 CVSS Score: 4.3 (Medium) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/4fee61cd-7359-4193-8cf2-86e0527a8ef1>
WP Tiles <= 1.1.2 - Cross-Site Request Forgery
Affected Software: WP Tiles CVE ID: CVE-2023-25482 CVSS Score: 4.3 (Medium) Researcher/s: Mika Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/52876909-3d2a-480d-9c47-39e96d088ff3>
Video Contest WordPress Plugin <= 3.2 - Cross-Site Request Forgery
Affected Software: Video Contest WordPress Plugin CVE ID: CVE-2022-45823 CVSS Score: 4.3 (Medium) Researcher/s: Cat Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/597fe53e-769e-4edd-b0b9-2bd2cff50da6>
Flickr Justified Gallery <= 3.5 - Cross-Site Request Forgery via fjgwpp_settings()
Affected Software: Flickr Justified Gallery CVE ID: CVE-2023-25473 CVSS Score: 4.3 (Medium) Researcher/s: Mika Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/76a1d39e-8d69-4507-b75c-d376a2122d15>
Abandoned Cart Lite for WooCommerce <= 5.14.1 - Cross-Site Request Forgery via delete_expired_used_coupon_code
Affected Software: Abandoned Cart Lite for WooCommerce CVE ID: CVE Unknown CVSS Score: 4.3 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a1e51a99-f5d4-47d4-bead-00ca1f5f72c2>
Custom Twitter Feeds (Tweets Widget) <= 1.8.4 - Cross-Site Request Forgery
Affected Software: Custom Twitter Feeds (Tweets Widget) CVE ID: CVE-2022-33974 CVSS Score: 4.3 (Medium) Researcher/s: Muhammad Daffa Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a5a5f8c2-3fd6-4d31-a3b5-60bdb8c18491>
WP EasyCart <= 5.4.8 - Cross-Site Request Forgery via process_bulk_deactivate_product
Affected Software: Shopping Cart & eCommerce Store CVE ID: CVE-2023-2894 CVSS Score: 4.3 (Medium) Researcher/s: Alex Thomas Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a68b8df9-9b50-4617-9308-76a2a9036d7a>
WordPress Backup & Migration <= 1.4.0 - Missing Authorization via wt_delete_schedule
Affected Software: WordPress Backup & Migration CVE ID: CVE-2023-33928 CVSS Score: 4.3 (Medium) Researcher/s: Abdi Pranata Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ce978334-42e1-4334-a2d1-c3966339e4fc>
Product Gallery Slider for WooCommerce <= 2.2.8 - Cross-Site Request Forgery
Affected Software: Product Gallery Slider for WooCommerce CVE ID: CVE-2022-45372 CVSS Score: 4.3 (Medium) Researcher/s: Muhammad Daffa Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/df911497-8504-424e-8717-42d0bb6c90f1>
Abandoned Cart Lite for WooCommerce <= 5.14.1 - Cross-Site Request Forgery via ts_reset_tracking_setting
Affected Software: Abandoned Cart Lite for WooCommerce CVE ID: CVE Unknown CVSS Score: 4.3 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e743e656-2dd9-43ed-a190-b03af7c75c54>
JetFormBuilder <= 3.0.6 - Cross-Site Request Fogery via 'do_admin_action'
Affected Software: JetFormBuilder — Dynamic Blocks Form Builder CVE ID: CVE-2023-33212 CVSS Score: 4.3 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f37c4b2c-6f41-46b5-8427-b1883b39322e>
UTM Tracker <= 1.3.1 - Authenticated (Administrator+) Stored Cross-Site Scripting
Affected Software: UTM Tracker CVE ID: CVE-2023-23822 CVSS Score: 3.3 (Low) Researcher/s: Rio Darmawan Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/077ec165-edd3-4c2c-b1ea-01ca5b80f779>
As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.
This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
The post Wordfence Intelligence Weekly WordPress Vulnerability Report (May 22, 2023 to May 28, 2023) appeared first on Wordfence.
Related
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.022 Low
EPSS
Percentile
87.8%