Chloe ChamberlandWORDFENCE:74B96F08D3DC8C3C19CD5F4C790DE23DWordfence Intelligence Weekly WordPress Vulnerability Report (May 15, 2023 to May 21, 2023)
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.001 Low
EPSS
Percentile
49.8%
Last week, there were 82 vulnerabilities disclosed in 59 WordPress Plugins and 11 WordPress themes, along with 6 in WordPress Core, that have been added to the Wordfence Intelligence Vulnerability Database, and there were 26 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface and vulnerability API are completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.
_Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published. _
New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
- MStore API <= 3.9.2 - Multiple Authentication Bypass
- WCFM Membership – WooCommerce Memberships for Multivendor Marketplace <= 2.10.7 - Unauthenticated Insecure Direct Object Reference to Arbitrary User Password Change
- TheGem < 5.8.1.1 - Missing Authorization
- BP Social Connect <= 1.5 - Authentication Bypass
- WAF-RULE-595 - Data redacted while we work with the developer to ensure this vulnerability gets patched.
- WAF-RULE-596 - Data redacted while we work with the developer to ensure this vulnerability gets patched.
- Woodmart Core <= 1.0.36 - Authentication Bypass to Privilege Escalation
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.
Total Unpatched & Patched Vulnerabilities Last Week
| Patch Status | Number of Vulnerabilities |
|---|---|
| Unpatched | 15 |
| Patched | 67 |
Total Vulnerabilities by CVSS Severity Last Week
| Severity Rating | Number of Vulnerabilities |
|---|---|
| Low Severity | 3 |
| Medium Severity | 68 |
| High Severity | 8 |
| Critical Severity | 3 |
Total Vulnerabilities by CWE Type Last Week
| Vulnerability Type by CWE | Number of Vulnerabilities |
|---|---|
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 35 |
| Cross-Site Request Forgery (CSRF) | 17 |
| Missing Authorization | 15 |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 3 |
| Authentication Bypass Using an Alternate Path or Channel | 3 |
| Authorization Bypass Through User-Controlled Key | 2 |
| Acceptance of Extraneous Untrusted Data With Trusted Data | 2 |
| Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | 1 |
| Server-Side Request Forgery (SSRF) | 1 |
| Improper Authentication | 1 |
| Deserialization of Untrusted Data | 1 |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | 1 |
Researchers That Contributed to WordPress Security Last Week
| Researcher Name | Number of Vulnerabilities |
|---|---|
| Rafie Muhammad | 16 |
| Lana Codes | |
| (Wordfence Vulnerability Researcher) | 12 |
| Marco Wotschka | |
| (Wordfence Vulnerability Researcher) | 10 |
| Erwan LR | 6 |
| Mika | 4 |
| Dave Jong | 3 |
| Emili Castells | 2 |
| Liam Gladdy | 2 |
| Prasanna V Balaji | 2 |
| LEE SE HYOUNG | 2 |
| yuyudhn | 2 |
| Le Ngoc Anh | 1 |
| John Blackbourn | 1 |
| LOURCODE | 1 |
| Jonas Höbenreich | 1 |
| Rio Darmawan | 1 |
| WPScanTeam | 1 |
| Muhammad Daffa | 1 |
| Nguyen Xuan Chien | 1 |
| konagash | 1 |
| thiennv | 1 |
| Jakub Zoczek | 1 |
| Nithissh S | 1 |
| Ramuel Gall | |
| (Wordfence Vulnerability Researcher) | 1 |
| Matt Rusnak | |
| (Wordfence Vulnerability Researcher) | 1 |
| Pavitra Tiwari | 1 |
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
|---|---|
| AI Engine: ChatGPT Chatbot, Content Generator, GPT 3 & 4, Ultra-Customizable | ai-engine |
| AutomateWoo | automatewoo |
| BP Social Connect | bp-social-connect |
| Baidu Tongji generator | baidu-tongji-generator |
| Contact Form by Supsystic | contact-form-by-supsystic |
| ConvertKit – Email Marketing, Newsletter, Subscribers and Landing Pages | convertkit |
| Cookie Monster | cookiemonster |
| Custom 404 Pro | custom-404-pro |
| Customize WordPress Emails and Alerts – Better Notifications for WP | bnfw |
| Drop Shadow Boxes | drop-shadow-boxes |
| Easing Slider | easing-slider |
| Easy Forms for Mailchimp | yikes-inc-easy-mailchimp-extender |
| Essential Addons for Elementor Pro | essential-addons-elementor |
| File Away | file-away |
| Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button – Chaty | chaty |
| Jazz Popups | jazz-popups |
| MStore API | mstore-api |
| Multiple Page Generator Plugin – MPG | multiple-pages-generator-by-porthas |
| OTP Login Woocommerce & Gravity Forms | mobile-login-woocommerce |
| Performance Lab | performance-lab |
| Photo Gallery by Ays – Responsive Image Gallery | gallery-photo-gallery |
| PixelYourSite Pro – Your smart PIXEL (TAG) Manager | pixelyoursite-pro |
| PixelYourSite – Your smart PIXEL (TAG) Manager | pixelyoursite |
| Predictive Search | predictive-search |
| Predictive Search for WooCommerce | woocommerce-predictive-search |
| Quiz Maker | quiz-maker |
| RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login | custom-registration-form-builder-with-submission-manager |
| Ricerca – advanced search | ricerca-smart-search |
| SEO Change Monitor – Track Website Changes | seo-change-monitor |
| Scripts n Styles | scripts-n-styles |
| Simple Page Ordering | simple-page-ordering |
| Smart App Banner | smart-app-banner |
| Stop Referrer Spam | stop-referrer-spam |
| Stop Spammers Security | Block Spam Users, Comments, Forms |
| Survey Maker – Best WordPress Survey Plugin | survey-maker |
| Ultimate Dashboard – Custom WordPress Dashboard | ultimate-dashboard |
| UpdraftPlus WordPress Backup Plugin | updraftplus |
| Video Gallery | video-slider-with-thumbnails |
| WP Activity Log | wp-security-audit-log |
| WP Activity Log Premium | wp-security-audit-log-premium |
| WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc | wp-sms |
| WP htaccess Control | wp-htaccess-control |
| Waiting: One-click countdowns | waiting |
| WeSecur Security – Antivirus, Malware Scanner and Protection for your WordPress | wesecur-security |
| WishSuite – Wishlist for WooCommerce | wishsuite |
| WooCommerce Bookings | woocommerce-bookings |
| WooCommerce Brands | woocommerce-brands |
| WooCommerce Composite Products | woocommerce-composite-products |
| WooCommerce Pre-Orders | woocommerce-pre-orders |
| WooCommerce Product Add-ons | woocommerce-product-addons |
| WooCommerce Ship to Multiple Addresses | woocommerce-shipping-multiple-addresses |
| WooDiscuz – WooCommerce Comments | woodiscuz-woocommerce-comments |
| WordPress | wordpress |
| WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg |
| Zotpress | zotpress |
| nuajik | nuajik-cdn |
| reCAPTCHA and Cloudflare Turnstile For All Pages, to Block Spam and Hackers Attack, Block Visitors from China | recaptcha-for-all |
| video carousel slider with lightbox | wp-responsive-video-gallery-with-lightbox |
| woocommerce-product-recommendations | woocommerce-product-recommendations |
WordPress Themes with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
|---|---|
| Appzend | appzend |
| BuzzStore | buzzstore |
| Craft Blog | [craft-blog](<https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-themes/Craft Blog>) |
| Fitness Park | [fitness-park](<https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-themes/Fitness Park>) |
| Kathmag | kathmag |
| Kingcabs | kingcabs |
| Medical Heed | [medical-heed](<https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-themes/Medical Heed>) |
| MetroStore | metrostore |
| Online eStore | [online-estore](<https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-themes/Online eStore>) |
| SparkleStore | sparklestore |
| SpiderMag | spidermag |
Vulnerability Details
BP Social Connect <= 1.5 - Authentication Bypass
Affected Software: BP Social Connect CVE ID: CVE-2023-2704 CVSS Score: 9.8 (Critical) Researcher/s: Lana Codes Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/44c96df2-530a-4ebe-b722-c606a7b135f9>
RegistrationMagic <= 5.2.1.0 - Authentication Bypass
Affected Software: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login CVE ID: CVE-2023-2499 CVSS Score: 9.8 (Critical) Researcher/s: Lana Codes Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/87ec5542-b6e7-4b18-a3ec-c258e749d32e>
MStore API <= 3.9.0 - Authentication Bypass
Affected Software: MStore API CVE ID: CVE-2023-2733 CVSS Score: 9.8 (Critical) Researcher/s: Lana Codes Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c726d8f0-7f2a-414b-9d73-a053921074d9>
SEO Change Monitor <= 1.2 - Authenticated (Subscriber+) SQL Injection
Affected Software: SEO Change Monitor – Track Website Changes CVE ID: CVE-2023-33209 CVSS Score: 8.8 (High) Researcher/s: Nithissh S Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c4f19302-70a5-4132-b841-fba1dd86a0d3>
OTP Login Woocommerce & Gravity Forms <= 2.2 - Authentication Bypass to Privilege Escalation
Affected Software: OTP Login Woocommerce & Gravity Forms CVE ID: CVE-2023-2706 CVSS Score: 8.1 (High) Researcher/s: Lana Codes Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b1b7b653-496f-467a-9513-4be1891f38ae>
Groundhogg <= 2.7.9.8 - Cross-Site Request Forgery to Privilege Escalation
Affected Software: WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg CVE ID: CVE-2023-2736 CVSS Score: 7.5 (High) Researcher/s: Lana Codes Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/9bf472f1-5980-48ee-aa10-aad19b6f2456>
Waiting: One-click countdowns <= 0.6.2 - Missing Authorization Checks leading to Authenticated (Subscriber+) Stored Cross-Site Scripting
Affected Software: Waiting: One-click countdowns CVE ID: CVE-2023-2757 CVSS Score: 7.4 (High) Researcher/s: Lana Codes Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/38cc5a39-6ec3-4ce9-b9ad-d4ca5dafe9a7>
Essential Addons for Elementor Pro <= 5.4.8 - Unauthenticated Server-Side Request Forgery
Affected Software: Essential Addons for Elementor Pro CVE ID: CVE-2023-32245 CVSS Score: 7.3 (High) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b1a193b7-21e5-4f57-aaa6-e55c79f8e957>
Multiple Page Generator Plugin <= 3.3.17 - Authenticated (Administrator+) SQL Injection
Affected Software: Multiple Page Generator Plugin – MPG CVE ID: CVE-2023-2607 CVSS Score: 7.2 (High) Researcher/s: Marco Wotschka Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/1575f0ad-0a77-4047-844c-48db4c8b4e91>
WooCommerce Pre-Orders <= 1.9.0 - Unauthenticated Cross-Site Scripting
Affected Software: WooCommerce Pre-Orders CVE ID: CVE-2023-32802 CVSS Score: 7.2 (High) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b93f66ac-5c9b-483a-a7ad-0a404d3935e0>
WooCommerce Product Add-ons <= 6.1.3 - Authenticated (Shop Manager+) PHP Object Injection
Affected Software: WooCommerce Product Add-ons CVE ID: CVE-2023-32795 CVSS Score: 7.2 (High) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d77666b5-956d-420b-93ed-a15cdbfcced7>
Predictive Search <= 1.2.2 - Missing Authorization
Affected Software: Predictive Search CVE ID: CVE Unknown CVSS Score: 6.5 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/340e98bf-6484-4634-b2f8-e02f14de67de>
WordPress Core < 6.2.2 - Shortcode Execution in User Generated Content
Affected Software: WordPress CVE ID: CVE Unknown CVSS Score: 6.5 (Medium) Researcher/s: Liam Gladdy Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/4e3a6fe2-6292-44ff-8925-a4aeb77c2a7f>
WordPress Core < 6.2.1 - Shortcode Execution in User Generated Content
Affected Software: WordPress CVE ID: CVE Unknown CVSS Score: 6.5 (Medium) Researcher/s: Liam Gladdy Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6300c8c2-f539-46b2-9ee0-80bebbe4cad3>
Predictive Search <= 1.2.2 - Missing Authorization
Affected Software: Predictive Search CVE ID: CVE Unknown CVSS Score: 6.5 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ca481a37-8c45-499c-bf68-3af6795af827>
Predictive Search <= 1.2.2 - Missing Authorization
Affected Software: Predictive Search CVE ID: CVE Unknown CVSS Score: 6.5 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d396e90b-c113-4534-8ce3-27bea3bd7296>
File Away <= 3.9.9.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Affected Software: File Away CVE ID: CVE-2023-0431 CVSS Score: 6.4 (Medium) Researcher/s: Lana Codes Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5f78dd75-d853-4b16-843e-e0c9c55a103c>
Drop Shadow Boxes <= 1.7.10 - Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: Drop Shadow Boxes CVE ID: CVE Unknown CVSS Score: 6.4 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6f2b4ac7-f888-408b-a77a-bd73ac8e967d>
WordPress Core < 6.2.1 - Insufficient Sanitization of Block Attributes
Affected Software: WordPress CVE ID: CVE Unknown CVSS Score: 6.4 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/834c92ba-8b48-4ae3-9073-085e8f559762>
WooCommerce Brands <= 1.6.45 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Affected Software: WooCommerce Brands CVE ID: CVE-2023-32746 CVSS Score: 6.4 (Medium) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/accdcff0-f361-4632-b0b7-e55975adeebb>
WordPress Core < 6.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Embed Discovery
Affected Software: WordPress CVE ID: CVE Unknown CVSS Score: 6.4 (Medium) Researcher/s: Jakub Zoczek Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/bba3eeeb-5e7e-4ec3-9db0-02c44585647a>
WooCommerce Pre-Orders <= 2.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: WooCommerce Pre-Orders CVE ID: CVE-2023-32793 CVSS Score: 6.4 (Medium) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c3915c2f-400d-433d-bbc8-4d88258123dc>
WP SMS <= 6.1.4 - Reflected Cross-Site Scripting via 'delete_mobile'
Affected Software: WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc CVE ID: CVE-2023-32742 CVSS Score: 6.1 (Medium) Researcher/s: Le Ngoc Anh Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/04970416-06db-4339-ac22-34fde5a48f2a>
Survey Maker <= 3.4.6 - Reflected Cross-Site Scripting via 'page' parameter
Affected Software: Survey Maker – Best WordPress Survey Plugin CVE ID: CVE-2023-2572 CVSS Score: 6.1 (Medium) Researcher/s: Erwan LR Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/15b57809-6062-48ca-8572-26032928cd16>
WooCommerce Composite Products <= 8.7.5 - Reflected Cross-Site Scripting
Affected Software: WooCommerce Composite Products CVE ID: CVE-2023-32801 CVSS Score: 6.1 (Medium) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/1d45bd32-d693-40e6-9b30-9e0b91eb4660>
Chaty <= 3.0.9 - Reflected Cross-Site Scripting
Affected Software: Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button – Chaty CVE ID: CVE-2023-25019 CVSS Score: 6.1 (Medium) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/36741b46-57ac-402e-bfb1-8424c7e70598>
Easy Forms for Mailchimp <= 6.8.8 - Unauthenticated Cross-Site Scripting
Affected Software: Easy Forms for Mailchimp CVE ID: CVE-2023-23900 CVSS Score: 6.1 (Medium) Researcher/s: Rafie Muhammad Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/4afb25d5-dce1-4a7a-8afe-0fc2a384b945>
UpdraftPlus <= 1.23.3 - Cross-Site Request Forgery to Cross-Site Scripting via action_authenticate_storage
Affected Software: UpdraftPlus WordPress Backup Plugin CVE ID: CVE-2023-32960 CVSS Score: 6.1 (Medium) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/597f06ac-f9c7-4dcb-bb72-15ed7e9d8ac6>
Custom 404 Pro <= 3.8.1 - Reflected Cross-Site Scripting via 'page'
Affected Software: Custom 404 Pro CVE ID: CVE-2023-32740 CVSS Score: 6.1 (Medium) Researcher/s: LEE SE HYOUNG Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7d90dad3-d7ef-4060-8328-fd551cee92e2>
Stop Spammers Security <= 2022.6 - Reflected Cross-Site Scripting
Affected Software: Stop Spammers Security | Block Spam Users, Comments, Forms CVE ID: CVE-2023-2489 CVSS Score: 6.1 (Medium) Researcher/s: Erwan LR Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/889cb1d5-7f5c-4904-9b5f-cc8a505eb65c>
Video Gallery <= 1.0.10 - Reflected Cross-Site Scripting
Affected Software: Video Gallery CVE ID: CVE-2023-2708 CVSS Score: 6.1 (Medium) Researcher/s: Marco Wotschka, yuyudhn Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/8cfbad9f-61ba-4216-9078-c1e7e809899a>
Jazz Popups <= 1.8.7 - Reflected Cross-Site Scripting via 'wpjazzpopup_switchonoff'
Affected Software: Jazz Popups CVE ID: CVE-2023-32965 CVSS Score: 6.1 (Medium) Researcher/s: thiennv Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ba8c5db5-48d4-4ce1-84b9-5743c7444a3a>
Photo Gallery by Ays <= 5.1.6 - Reflected Cross-Site Scripting
Affected Software: Photo Gallery by Ays – Responsive Image Gallery CVE ID: CVE-2023-2568 CVSS Score: 6.1 (Medium) Researcher/s: Erwan LR Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ca62b54e-dde6-440f-bed9-db320179269e>
ConvertKit <= 2.2.0 - Reflected Cross-Site Scripting
Affected Software: ConvertKit – Email Marketing, Newsletter, Subscribers and Landing Pages CVE ID: CVE-2023-2337 CVSS Score: 6.1 (Medium) Researcher/s: Erwan LR Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/cf3a16b6-7256-4fad-b3f2-d1d9d833f45e>
video carousel slider with lightbox <= 1.0.22 - Reflected Cross-Site Scripting
Affected Software: video carousel slider with lightbox CVE ID: CVE-2023-2710 CVSS Score: 6.1 (Medium) Researcher/s: Marco Wotschka, yuyudhn Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e88bb3a8-de24-46fb-a3e4-9ca3fdd4cca7>
Quiz Maker <= 6.4.2.6 - Reflected Cross-Site Scripting
Affected Software: Quiz Maker CVE ID: CVE-2023-2571 CVSS Score: 6.1 (Medium) Researcher/s: Erwan LR Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f70d0bea-3ac2-4235-92a2-09458b85bddd>
Essential Addons for Elementor Pro <= 5.4.8 - Reflected Cross-Site Scripting
Affected Software: Essential Addons for Elementor Pro CVE ID: CVE-2023-32241 CVSS Score: 6.1 (Medium) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f8f86293-a32f-49a6-8c8c-d37354ab040a>
AutomateWoo <= 5.7.1 - Authenticated (Shop manager+) SQL Injection
Affected Software: AutomateWoo CVE ID: CVE-2023-32743 CVSS Score: 5.5 (Medium) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/9202cb4d-7fd4-444d-ab44-8f6d9e68d869>
Contact Form by Supsystic <= 1.7.24 - Cross-Site Request Forgery via AJAX action
Affected Software: Contact Form by Supsystic CVE ID: CVE-2023-2528 CVSS Score: 5.4 (Medium) Researcher/s: Marco Wotschka Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/1c387b07-baf6-4c62-943e-4bd121160ceb>
Groundhogg <= 2.7.9.8 - Missing Authorization to Non-Arbitrary File Upload
Affected Software: WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg CVE ID: CVE-2023-2716 CVSS Score: 5.4 (Medium) Researcher/s: Lana Codes Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/3c5bde0e-3138-4995-92ae-6deaf6b7be5b>
Zotpress <= 7.3.3 - Reflected Cross-Site Scripting
Affected Software: Zotpress CVE ID: CVE-2023-32961 CVSS Score: 5.4 (Medium) Researcher/s: LOURCODE Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/617dcc0e-e212-4da0-8918-e55e6b3895fa>
Simple Page Ordering <= 2.5.0 - Missing Authorization to Information Disclosure
Affected Software: Simple Page Ordering CVE ID: CVE-2023-32798 CVSS Score: 5.4 (Medium) Researcher/s: Mika Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/77d8d29b-b730-46be-a354-7abfa83ac664>
Stop Referrer Spam <= 1.3.0 - Cross-Site Request Forgery via processParameters
Affected Software: Stop Referrer Spam CVE ID: CVE-2023-33207 CVSS Score: 5.4 (Medium) Researcher/s: Mika Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a5deac61-031f-452a-a478-d5d0c7953817>
Groundhogg <= 2.7.9.8 - Cross-Site Request Forgery to Disable All Plugins
Affected Software: WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg CVE ID: CVE-2023-2717 CVSS Score: 5.4 (Medium) Researcher/s: Lana Codes Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/af73240c-b711-4e91-9998-5f7e6a9a4fb9>
WordPress Core < 6.2.1 - Directory Traversal
Affected Software: WordPress CVE ID: CVE-2023-2745 CVSS Score: 5.4 (Medium) Researcher/s: Ramuel Gall, Matt Rusnak Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/edcf46b6-368e-49c0-b2c3-99bf6e2d358f>
Smart App Banner <= 1.1.2 - Cross-Site Request Forgery via wsl_smart_app_banner_options
Affected Software: Smart App Banner CVE ID: CVE Unknown CVSS Score: 5.4 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f71453d9-8bbf-4546-b69f-e86cc41da9bd>
Multiple sparklewpthemes Themes (Various versions) - Cross-Site Request Forgery to Arbitrary Plugin Activation
Affected Software/s: Kathmag, Online eStore, SpiderMag, Medical Heed, Appzend, BuzzStore, Craft Blog, Fitness Park, Kingcabs, MetroStore, SparkleStore CVE ID: CVE-2023-32959 CVSS Score: 5.3 (Medium) Researcher/s: Dave Jong Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/62e30cef-ce5d-4450-989e-f08f09b7638f>
WooCommerce Predictive Search <= 5.8.0 - Missing Authorization via multiple AJAX actions
Affected Software: Predictive Search for WooCommerce CVE ID: CVE-2023-32963 CVSS Score: 5.3 (Medium) Researcher/s: Mika Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7ea2726a-a601-45ac-9f20-c34b82edf441>
Easing Slider <= 3.0.8 - Missing Authorization to Unauthenticated Settings Reset
Affected Software: Easing Slider CVE ID: CVE-2023-30490 CVSS Score: 5.3 (Medium) Researcher/s: Dave Jong Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/9e04a2f8-5071-4c85-b4f8-cb914ee509b5>
Multiple sparklewpthemes Themes (Various versions) - Missing Authorization to Arbitrary Plugin Activation
Affected Software/s: Kathmag, Online eStore, SpiderMag, Medical Heed, Appzend, BuzzStore, Craft Blog, Fitness Park, Kingcabs, MetroStore, SparkleStore CVE ID: CVE-2023-32959 CVSS Score: 5.3 (Medium) Researcher/s: Dave Jong Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c37bfdeb-2d0c-4ace-94cc-b85c16985994>
WooCommerce Predictive Search <= 5.8.0 - Cross-Site Request Forgery via multiple AJAX actions
Affected Software: Predictive Search for WooCommerce CVE ID: CVE-2023-32963 CVSS Score: 5.3 (Medium) Researcher/s: Mika Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/dc428f4b-fe82-419a-aee3-38f0bb582506>
Groundhogg <= 2.7.9.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Affected Software: WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg CVE ID: CVE-2023-2735 CVSS Score: 4.9 (Medium) Researcher/s: Lana Codes Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/4938206e-2ea4-47ed-a307-87cf67dd74a4>
WooDiscuz – WooCommerce Comments <= 2.2.9 - Authenticated (Administrator+) Stored Cross-Site Scripting
Affected Software: WooDiscuz – WooCommerce Comments CVE ID: CVE-2023-33216 CVSS Score: 4.4 (Medium) Researcher/s: Emili Castells Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/01bd8a24-5580-4b16-94b3-c231d5fe7a01>
Chaty <= 3.0.9 - Authenticated (Admin+) Stored Cross-Site Scripting
Affected Software: Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button – Chaty CVE ID: CVE Unknown CVSS Score: 4.4 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/3baa0543-cdfb-4699-97ca-eaa83c2494a1>
Cookie Monster <= 1.51 - Authenticated (Administrator+) Stored Cross-Site Scripting
Affected Software: Cookie Monster CVE ID: CVE-2023-33208 CVSS Score: 4.4 (Medium) Researcher/s: Prasanna V Balaji Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/4f040075-83a0-4c9a-8d93-99aa36606b31>
PixelYourSite <= 9.3.6 and PixelYourSite Pro <= 9.6.1 - Authenticated (Administrator+) Stored Cross-Site Scripting
Affected Software/s: PixelYourSite Pro – Your smart PIXEL (TAG) Manager, PixelYourSite – Your smart PIXEL (TAG) Manager CVE ID: CVE-2023-2584 CVSS Score: 4.4 (Medium) Researcher/s: Marco Wotschka Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5ebf1e83-50b8-4f56-ba76-10100375edda>
WP htaccess Control <= 3.5.1 - Authenticated (Administrator+) Stored Cross-Site Scripting
Affected Software: WP htaccess Control CVE ID: CVE-2023-25462 CVSS Score: 4.4 (Medium) Researcher/s: Rio Darmawan Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6741b770-79d3-4797-8f8f-4ca83fde4705>
AI Engine: ChatGPT Chatbot, Content Generator, GPT 3 & 4, Ultra-Customizable <= 1.6.82 - Authenticated (Admin+) Stored Cross-Site Scripting
Affected Software: AI Engine: ChatGPT Chatbot, Content Generator, GPT 3 & 4, Ultra-Customizable CVE ID: CVE Unknown CVSS Score: 4.4 (Medium) Researcher/s: WPScanTeam Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6d8f59b0-da92-43aa-990d-5271aa40d6b4>
WishSuite <= 1.3.4 - Authenticated (Administrator+) Stored Cross-Site Scripting
Affected Software: WishSuite – Wishlist for WooCommerce CVE ID: CVE-2023-32962 CVSS Score: 4.4 (Medium) Researcher/s: Emili Castells Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b515782a-d7ec-41a6-92f8-91823f2c0dcf>
Stop Spammers Security <= 2022.6 - Authenticated (Admin+) Stored Cross-Site Scripting
Affected Software: Stop Spammers Security | Block Spam Users, Comments, Forms CVE ID: CVE-2023-2489 CVSS Score: 4.4 (Medium) Researcher/s: Erwan LR Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c83df43e-286d-4695-9c37-bee2870fd3b5>
WeSecur Security <= 1.2.1 - Authenticated (Administrator+) Stored Cross-Site Scripting
Affected Software: WeSecur Security – Antivirus, Malware Scanner and Protection for your WordPress CVE ID: CVE-2023-24390 CVSS Score: 4.4 (Medium) Researcher/s: Prasanna V Balaji Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d732ea2d-c763-4735-b541-6c5fd5167cb4>
Ultimate Dashboard <= 3.7.5 - Authenticated(Administrator+) Stored Cross-Site Scripting via plugin settings
Affected Software: Ultimate Dashboard – Custom WordPress Dashboard CVE ID: CVE Unknown CVSS Score: 4.4 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e5103e60-771f-46cf-b432-21d131e30bcc>
nuajik CDN <= 0.1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting
Affected Software: nuajik CVE ID: CVE-2023-33210 CVSS Score: 4.4 (Medium) Researcher/s: Pavitra Tiwari Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/fcf09793-1277-41a0-9ce4-b85b13721729>
WordPress Core < 6.2.1 - Cross-Site Request Forgery
Affected Software: WordPress CVE ID: CVE Unknown CVSS Score: 4.3 (Medium) Researcher/s: John Blackbourn Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/0da1cc3b-5d6b-4ca0-9d8a-31c63ab5b9c9>
WooCommerce Ship to Multiple Addresses <= 3.8.3 - Insecure Direct Object Reference
Affected Software: WooCommerce Ship to Multiple Addresses CVE ID: CVE-2023-32799 CVSS Score: 4.3 (Medium) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/163328e9-2918-4bc0-8bbc-90d7e992754d>
Groundhogg <= 2.7.9.8 - Missing Authorization to Admin Account and Ticket Creation
Affected Software: WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg CVE ID: CVE-2023-2715 CVSS Score: 4.3 (Medium) Researcher/s: Lana Codes Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/24747507-8f24-499e-a257-d379dc171e18>
Groundhogg <= 2.7.9.8 - Missing Authorization to Update License
Affected Software: WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg CVE ID: CVE-2023-2714 CVSS Score: 4.3 (Medium) Researcher/s: Lana Codes Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/29700844-b41d-4f10-90a7-06c8574d8d2a>
WooCommerce Bookings <= 1.15.78 - Insecure Direct Object Reference
Affected Software: WooCommerce Bookings CVE ID: CVE-2023-32747 CVSS Score: 4.3 (Medium) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/2b365fb8-7a93-4306-b2b1-ce47dc19457a>
Ricerca smart and advanced search <= 1.0.15 - Cross-Site Request Forgery
Affected Software: Ricerca – advanced search CVE ID: CVE Unknown CVSS Score: 4.3 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/2fefcc8c-3864-4764-86e7-678d8604fd67>
WP Activity Log Premium <= 4.5.0 - Cross-Site Request Forgery via ajax_switch_db
Affected Software: WP Activity Log Premium CVE ID: CVE-2023-2285 CVSS Score: 4.3 (Medium) Researcher/s: Marco Wotschka Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/4c659f6d-e02b-42ab-ba02-eb9b00602ad4>
AutomateWoo <= 5.7.1 - Cross-Site Request Forgery
Affected Software: AutomateWoo CVE ID: CVE-2023-32745 CVSS Score: 4.3 (Medium) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/540de1b8-eb1f-4f9d-b45c-d3d5f11b642d>
reCAPTCHA for all <= 1.22 - Missing Authorization via recaptcha_for_all_image_select
Affected Software: reCAPTCHA and Cloudflare Turnstile For All Pages, to Block Spam and Hackers Attack, Block Visitors from China CVE ID: CVE-2023-32599 CVSS Score: 4.3 (Medium) Researcher/s: Jonas Höbenreich Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/66585943-cb70-4296-af66-5b786d1bafb9>
WP Activity Log Premium <= 4.5.0 - Missing Authorization via ajax_switch_db
Affected Software: WP Activity Log Premium CVE ID: CVE-2023-2284 CVSS Score: 4.3 (Medium) Researcher/s: Marco Wotschka Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6e29fd6b-462a-42be-9a2a-b6717b20a937>
Performance Lab <= 2.2.0 - Cross-Site Request Forgery via dismiss-wp-pointer
Affected Software: Performance Lab CVE ID: CVE-2022-47174 CVSS Score: 4.3 (Medium) Researcher/s: Muhammad Daffa Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6f1e3586-99f7-4cac-bbb2-1a6406c4f8a4>
Better Notifications for WP <= 1.9.2 - Cross-Site Request Forgery via handle_actions
Affected Software: Customize WordPress Emails and Alerts – Better Notifications for WP CVE ID: CVE-2023-32964 CVSS Score: 4.3 (Medium) Researcher/s: Nguyen Xuan Chien Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7ddabda2-1e27-4b87-b643-b0166112a890>
WooCommerce Product Recommendations < 2.3.0 - Cross-Site Request Forgery
Affected Software: woocommerce-product-recommendations CVE ID: CVE-2023-32744 CVSS Score: 4.3 (Medium) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/826fe5a8-3290-4f70-b9bb-8bd4aec3634c>
WooCommerce Product Add-ons <= 6.1.3 - Cross-Site Request Forgery
Affected Software: WooCommerce Product Add-ons CVE ID: CVE-2023-32794 CVSS Score: 4.3 (Medium) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b5bd3852-c1a5-4d7d-b4fb-59911fba4873>
WP Activity Log <= 4.5.0 - Cross-Site Request Forgery via ajax_run_cleanup
Affected Software/s: WP Activity Log, WP Activity Log Premium CVE ID: CVE-2023-2286 CVSS Score: 4.3 (Medium) Researcher/s: Marco Wotschka Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e2008e0b-32c6-46fb-93b9-2b0004f478e8>
WP Activity Log <= 4.5.0 - Missing Capabilities Check to User Enumeration
Affected Software/s: WP Activity Log, WP Activity Log Premium CVE ID: CVE-2023-2261 CVSS Score: 4.3 (Medium) Researcher/s: Marco Wotschka Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f51f0919-498e-4f86-a933-1b7f2c4a10a4>
Scripts n Styles <= 3.5.2 - Authenticated (Administrator+) Stored Cross-Site Scripting
Affected Software: Scripts n Styles CVE ID: CVE-2023-31236 CVSS Score: 3.3 (Low) Researcher/s: konagash Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a86d8f97-54dc-4c6b-92c0-05a8625cc073>
Baidu Tongji generator <= 1.0.2 - Authenticated (Administrator+) Stored Cross-Site Scripting
Affected Software: Baidu Tongji generator CVE ID: CVE-2023-31233 CVSS Score: 3.3 (Low) Researcher/s: LEE SE HYOUNG Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e2b9b6f4-6ee7-498d-9693-a5ae5f7f4719>
Multiple Page Generator Plugin <= 3.3.17 - Cross-Site Request Forgery to SQL Injection
Affected Software: Multiple Page Generator Plugin – MPG CVE ID: CVE-2023-2608 CVSS Score: 3.1 (Low) Researcher/s: Marco Wotschka Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d900584c-0f58-4abc-92ff-841f898d02fc>
As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.
This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
The post Wordfence Intelligence Weekly WordPress Vulnerability Report (May 15, 2023 to May 21, 2023) appeared first on Wordfence.
Related
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.001 Low
EPSS
Percentile
49.8%