Nov 02, 2023 - 6:40 p.m.

Wordfence Intelligence Weekly WordPress Vulnerability Report (October 23, 2023 to October 29, 2023)

Chloe Chamberland
www.wordfence.com

Last week, 109 vulnerabilities disclosed in 102 WordPress plugins and no WordPress themes were added to the Wordfence Intelligence Vulnerability Database, and 37 vulnerability researchers contributed to WordPress security. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, including the WordPress community, so that individuals and organizations alike can use that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and use, both personally and commercially, and why we are running this weekly vulnerability report.

Enterprises, hosting providers, and even individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Alternatively, they can use the vulnerability database API to receive a complete dump of our database of over 12,000 vulnerabilities, and then use the webhook integration to stay on top of the newest vulnerabilities added in real time, as well as any updates made to the database, all for free.

Click here to sign up for our mailing list to receive weekly vulnerability reports like this one and important WordPress security reports in your inbox the moment they are published.


New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.


Total Unpatched & Patched Vulnerabilities Last Week

Patch Status | Number of Vulnerabilities
Unpatched | 59
Patched | 50

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating | Number of Vulnerabilities
Low Severity | 0
Medium Severity | 92
High Severity | 14
Critical Severity | 3

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE | Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 42
Missing Authorization | 24
Cross-Site Request Forgery (CSRF) | 22
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 7
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') | 3
URL Redirection to Untrusted Site ('Open Redirect') | 3
Deserialization of Untrusted Data | 2
Improper Authentication | 1
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | 1
Guessable CAPTCHA | 1
Improper Access Control | 1
Protection Mechanism Failure | 1
Authorization Bypass Through User-Controlled Key | 1

Researchers That Contributed to WordPress Security Last Week

Researcher Name | Number of Vulnerabilities
Lana Codes (Wordfence Vulnerability Researcher) | 25
Nguyen Xuan Chien | 10
Mika | 8
Abdi Pranata | 7
Skalucy | 3
Dmitrii Ignatyev | 3
qilin_99 | 3
Abu Hurayra | 2
Muhammad Daffa | 2
thiennv | 2
Jonas Höbenreich | 2
LEE SE HYOUNG | 2
Ala Arfaoui | 2
Francesco Carlucci | 2
Revan Arifio | 1
Le Ngoc Anh | 1
Rio Darmawan | 1
Enrico Marcolini | 1
Claudio Marchesini | 1
Florian Hauser | 1
emad | 1
Vaishnav Rajeevan | 1
Tien from VNPT-VCI | 1
Nithissh S | 1
Abhijith A | 1
Nicolas Surribas | 1
konagash | 1
Elliot | 1
GiongfNef | 1
TP Cyber Security | 1
Erwan LR | 1
Krzysztof Zając | 1
Emili Castells | 1
SeungYongLee | 1
NGÔ THIÊN AN | 1
Hamoud Al Helmani | 1
Jerome Bruandet | 1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added to the Wordfence Intelligence leaderboard, along with a mention in our weekly vulnerability report.


WordPress Plugins with Reported Vulnerabilities Last Week

Software Name | Software Slug
10Web Booster – Website speed optimization, Cache & Page Speed optimizer | tenweb-speed-optimizer
404 Solution | 404-solution
Accordion | accordions-wp
Admin and Site Enhancements (ASE) | admin-site-enhancements
Advanced Menu Widget | advanced-menu-widget
All-In-One Security (AIOS) – Security and Firewall | all-in-one-wp-security-and-firewall
Alter | alter
Animated Counters | animated-counters
Article analytics | article-analytics
Auto Excerpt everywhere | auto-excerpt-everywhere
Auto Limit Posts Reloaded | auto-limit-posts-reloaded
Autolinks Manager | daext-autolinks-manager
BSK PDF Manager | bsk-pdf-manager
Bellows Accordion Menu | bellows-accordion-menu
Bonus for Woo | bonus-for-woo
Booking calendar, Appointment Booking System | booking-calendar
Buzzsprout Podcasting | buzzsprout-podcasting
CallRail Phone Call Tracking | callrail-phone-call-tracking
Category SEO Meta Tags | category-seo-meta-tags
CloudNet360 | cloudnet-sync
Convertful – Your Ultimate On-Site Conversion Tool | convertful
Cookie Bar | cookie-bar
Current Menu Item for Custom Post Types | current-menu-item-for-custom-post-types
Custom Header Images | custom-header-images
Custom Login Page Temporary Users |
Custom My Account for Woocommerce | custom-my-account-for-woocommerce
DeepL API translation plugin | wpdeepl
Deeper Comments | deeper-comments
Delete Me | delete-me
DoLogin Security | dologin
EasyRecipe | easyrecipe
Export WP Page to Static HTML/CSS | export-wp-page-to-static-html
FLOWFACT WP Connector | flowfact-wp-connector
FareHarbor for WordPress | fareharbor
Fathom Analytics for WP | fathom-analytics
FeedFocal | feedfocal
GD Security Headers | gd-security-headers
Generate Dummy Posts | generate-dummy-posts
Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers | rafflepress
Google Maps made Simple | wp-gmappity-easy-google-maps
Grid Plus – Unlimited grid layout | grid-plus
Group Chat & Video Chat by AtomChat | atomchat
ICS Calendar | ics-calendar
ImageLinks Interactive Image Builder for WordPress | imagelinks-interactive-image-builder-lite
Interactive Image Map Plugin – Draw Attention | draw-attention
KD Coming Soon | kd-coming-soon
LiteSpeed Cache | litespeed-cache
Live Chat with Facebook Messenger | wp-facebook-messenger
Magic Embeds | wp-embed-facebook
Mail logging – WP Mail Catcher | wp-mail-catcher
Mediabay – Media Library Folders | mediabay-lite
Medialist | media-list
MomentoPress for Momento360 | cmyee-momentopress
My Shortcodes | my-shortcodes
Neon text | neon-text
News & Blog Designer Pack – WordPress Blog Plugin — (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post Ticker, Blog Post Masonry) | blog-designer-pack
Ni WooCommerce Sales Report | ni-woocommerce-sales-report
Original texts Yandex WebMaster | original-texts-yandex-webmaster
PHP to Page | php-to-page
Parcel Pro | woo-parcel-pro
Post Meta Data Manager | post-meta-data-manager
Pre-Orders for WooCommerce | pre-orders-for-woocommerce
Product Recommendation Quiz for eCommerce | product-recommendation-quiz-for-ecommerce
PubyDoc – Data Tables and Charts | pubydoc-data-tables-and-charts
Quill Forms The Best Typeform Alternative |
Related Products for WooCommerce | woo-related-products-refresh-on-reload
Remove Add to Cart WooCommerce | remove-add-to-cart-woocommerce
Reusable Text Blocks | reusable-text-blocks
SAHU TikTok Pixel for E-Commerce | sahu-tiktok-pixel
Seraphinite Accelerator | seraphinite-accelerator
Shortcode Menu | shortcode-menu
Simple Shortcodes | smpl-shortcodes
Simple User Listing | simple-user-listing
Slick Popup: Contact Form 7 Popup Plugin | slick-popup
Store Exporter for WooCommerce – Export Products, Export Orders, Export Subscriptions, and More | woocommerce-exporter
TK Google Fonts GDPR Compliant | tk-google-fonts
Thumbnail Slider With Lightbox | wp-responsive-slider-with-lightbox
Thumbnail carousel slider | wp-responsive-thumbnail-slider
User Avatar | user-avatar
VK Blocks | vk-blocks
VK Filter Search | vk-filter-search
Very Simple Google Maps | very-simple-google-maps
WCP OpenWeather | wcp-openweather
WDContactFormBuilder | contact-form-builder
WDSocialWidgets | spider-facebook
WP EXtra | wp-extra
WP Font Awesome | wp-font-awesome
WP Glossary | wp-glossary
WP Helper Premium | wp-helper-lite
WP Post Popup | wp-post-modal
WP Simple Galleries | wp-simple-galleries
WP Word Count | wp-word-count
WP iCal Availability | wp-ical-availability
WPPizza – A Restaurant Plugin | wppizza
Weather Atlas Widget | weather-atlas
WordPress CRM, Email & Marketing Automation for WordPress Award Winner — Groundhogg |
WordPress CTA – WordPress Call To Action, Sticky CTA, Floating Buttons, Floating Tab Plugin | easy-sticky-sidebar
WordPress Knowledge base & Documentation Plugin – WP Knowledgebase | wp-knowledgebase
WordPress Simple HTML Sitemap | wp-simple-html-sitemap
YITH WooCommerce Product Add-Ons | yith-woocommerce-product-add-ons
YOP Poll | yop-poll
kk Star Ratings | kk-star-ratings

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you'd like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

PHP to Page <= 0.3 - Authenticated (Subscriber+) Local File Inclusion to Remote Code Execution via Shortcode

Affected Software: PHP to Page
CVE ID: CVE-2023-5199
CVSS Score: 9.9 (Critical)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/83e5a0dc-fc51-4565-945f-190cf9175874


Article Analytics <= 1.0 - Unauthenticated SQL Injection

Affected Software: Article analytics
CVE ID: CVE-2023-5640
CVSS Score: 9.8 (Critical)
Researcher/s: Nicolas Surribas
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6abbdecd-782a-44a2-981a-ae6caa50dd6a


Thumbnail Slider With Lightbox <= 1.0 - Cross-Site Request Forgery to Arbitrary File Upload

Affected Software: Thumbnail Slider With Lightbox
CVE ID: CVE-2023-5820
CVSS Score: 9.6 (Critical)
Researcher/s: Ala Arfaoui
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e51e1cd2-6de9-4820-8bba-1c6b5053e2c1


WP Simple Galleries <= 1.34 - Authenticated (Contributor+) PHP Object Injection

Affected Software: WP Simple Galleries
CVE ID: CVE-2023-5583
CVSS Score: 8.8 (High)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0dc8f7cf-d8be-4229-b823-3bd9bc9f6eda


Google Maps made Simple <= 0.6 - Authenticated (Subscriber+) SQL Injection via Shortcode

Affected Software: Google Maps made Simple
CVE ID: CVE-2023-5315
CVSS Score: 8.8 (High)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/262db9aa-0db5-48cd-a85b-3e6302e88a42


WP EXtra <= 6.2 - Missing Authorization to .htaccess File Modification

Affected Software: WP EXtra
CVE ID: CVE-2023-5311
CVSS Score: 8.8 (High)
Researcher/s: GiongfNef
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/87e3dd5e-0d77-4d78-8171-0beaf9482699


Post Meta Data Manager <= 1.2.0 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation

Affected Software: Post Meta Data Manager
CVE ID: CVE-2023-5425
CVSS Score: 8.8 (High)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d7f4e710-99a2-49df-a513-725e1daaa18a


Deeper Comments <= 2.1.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update

Affected Software: Deeper Comments
CVE ID: CVE Unknown
CVSS Score: 8.8 (High)
Researcher/s: Jerome Bruandet
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f1cbe675-4c0f-430a-b2db-85ba8605d172


KD Coming Soon <= 1.7 - Unauthenticated PHP Object Injection via cetitle

Affected Software: KD Coming Soon
CVE ID: CVE-2023-46615
CVSS Score: 8.1 (High)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0f831d48-733a-4e79-8559-92b03b8d0356


News & Blog Designer Pack – WordPress Blog Plugin <= 3.4.1 - Unauthenticated Remote Code Execution via Local File Inclusion

Affected Software: News & Blog Designer Pack – WordPress Blog Plugin — (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post Ticker, Blog Post Masonry)
CVE ID: CVE-2023-5815
CVSS Score: 8.1 (High)
Researcher/s: Florian Hauser
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2f2bdf11-401a-48af-b1dc-aeeb40b9a384


Admin and Site Enhancements (ASE) <= 5.7.1 - Password Protection Mode Security Feature Bypass

Affected Software: Admin and Site Enhancements (ASE)
CVE ID: CVE-2023-46630
CVSS Score: 7.5 (High)
Researcher/s: Abu Hurayra
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0abad47f-a806-4cdd-a11f-015b997b5e86


Post Meta Data Manager <= 1.2.0 - Missing Authorization to User, Term, and Post Meta Deletion

Affected Software: Post Meta Data Manager
CVE ID: CVE-2023-5426
CVSS Score: 7.5 (High)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d6a7f882-4582-4b08-9597-329d140ad782


404 Solution <= 2.33.2 - Authenticated (Administrator+) SQL Injection via orderby

Affected Software: 404 Solution
CVE ID: CVE Unknown
CVSS Score: 7.2 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/14958861-305e-4a9b-b428-de204cd6781e


ImageLinks <= 1.5.4 - Authenticated (Admin+) SQL Injection

Affected Software: ImageLinks Interactive Image Builder for WordPress
CVE ID: CVE Unknown
CVSS Score: 7.2 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9f678700-f266-4740-a98d-19f8e9734563


GD Security Headers <= 1.7 - Authenticated (Admin+) SQL Injection

Affected Software: GD Security Headers
CVE ID: CVE Unknown
CVSS Score: 7.2 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b556bb3b-0fea-48a9-a893-3ad015559f3d


Booking Calendar WpDevArt <= 3.2.11 - Authenticated (Admin+) SQL Injection

Affected Software: Booking calendar, Appointment Booking System
CVE ID: CVE Unknown
CVSS Score: 7.2 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/caa39613-aaf3-4e47-8866-8fda1f7fc15b


Mail logging - WP Mail Catcher <= 2.1.3 - Authenticated (Admin+) SQL Injection

Affected Software: Mail logging – WP Mail Catcher
CVE ID: CVE Unknown
CVSS Score: 7.2 (High)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f3ebbf7f-61f2-403f-8131-8cedeb13c2d4


ICS Calendar <= 10.12.0.1 - Authenticated (Contributor+) Directory Traversal via _url_get_contents

Affected Software: ICS Calendar
CVE ID: CVE-2023-46784
CVSS Score: 6.5 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0f18a1c5-a0b7-49f9-acc1-5604304fd72f


WordPress CTA <= 1.5.6 - Missing Authorization via Multiple AJAX Actions

Affected Software: WordPress CTA – WordPress Call To Action, Sticky CTA, Floating Buttons, Floating Tab Plugin
CVE ID: CVE-2023-46644
CVSS Score: 6.5 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a65a1f25-04e5-4ca3-9b2d-1b78254a8871


DoLogin Security <= 3.7.1 - Missing Authorization via REST Endpoints

Affected Software: DoLogin Security
CVE ID: CVE-2023-46608
CVSS Score: 6.5 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/af93f4f5-4c6d-4178-b7f7-c66c341bde87


10Web Booster <= 2.24.14 - Unauthenticated Arbitrary Option Deletion

Affected Software: 10Web Booster – Website speed optimization, Cache & Page Speed optimizer
CVE ID: CVE Unknown
CVSS Score: 6.5 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e4d9c659-ec6a-43ca-b484-02afd06f3c13


Product Recommendation Quiz for eCommerce <= 2.1.0 - Missing Authorization in prq_set_token

Affected Software: Product Recommendation Quiz for eCommerce
CVE ID: CVE-2023-46631
CVSS Score: 6.5 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f10ae2b6-1580-418c-9cf7-e75ed71bb309


VK Filter Search <= 2.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: VK Filter Search
CVE ID: CVE-2023-5705
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/012946d4-82ce-48b9-9b9a-1fc49846dca6


VK Blocks <= 1.63.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Block

Affected Software: VK Blocks
CVE ID: CVE-2023-5706
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/05dd7c96-7880-44a8-a06f-037bc627fd8d


LiteSpeed Cache <= 5.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: LiteSpeed Cache
CVE ID: CVE-2023-4372
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/27026f0f-c85e-4409-9973-4b9cb8a90da5


Animated Counters <= 1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Animated Counters
CVE ID: CVE-2023-5774
CVSS Score: 6.4 (Medium)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/33c2756d-c300-479f-b3aa-8f22c3a70278


CallRail Phone Call Tracking <= 0.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: CallRail Phone Call Tracking
CVE ID: CVE-2023-5051
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/35def866-7460-4cad-8d86-7b9e4905cbe4


FareHarbor for WordPress <= 3.6.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: FareHarbor for WordPress
CVE ID: CVE-2023-5252
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/42ad6fef-4280-45db-a3e2-6d7522751fa7


Shortcode Menu <= 3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Shortcode Menu
CVE ID: CVE-2023-5565
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/438b9c13-4059-4671-ab4a-07a8cf6f6122


Medialist <= 1.3.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Affected Software: Medialist
CVE ID: CVE-2023-46640
CVSS Score: 6.4 (Medium)
Researcher/s: Tien from VNPT-VCI
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/45c7f8fb-3fd0-425f-89a1-8971f67d5755


Bellows Accordion Menu <= 1.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Bellows Accordion Menu
CVE ID: CVE-2023-5164
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/50283a4f-ea59-488a-bab0-dd6bc5718556


WP Font Awesome <= 1.7.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: WP Font Awesome
CVE ID: CVE-2023-5127
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/59ee0b56-c11f-4951-aac0-8344200e4484


Advanced Menu Widget <= 0.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Advanced Menu Widget
CVE ID: CVE-2023-5085
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5da2dac6-940c-419e-853f-6cfd5d53d427


BSK PDF Manager <= 3.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: BSK PDF Manager
CVE ID: CVE-2023-5110
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/60de55c6-e4fa-453e-84bd-309f2887e3cb


WDContactFormBuilder <= 1.0.72 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: WDContactFormBuilder
CVE ID: CVE-2023-5048
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7152253a-7bb8-4b5c-bffd-86e46df54b7e


Magic Embeds <= 3.0.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Magic Embeds
CVE ID: CVE-2023-4799
CVSS Score: 6.4 (Medium)
Researcher/s: Dmitrii Ignatyev
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/88ade7a7-da31-4752-b100-40dae81735b0


Simple Shortcodes <= 1.0.20 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Simple Shortcodes
CVE ID: CVE-2023-5566
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a153d6b2-e3fd-42db-90ba-d899a07d60c1


Grid Plus <= 1.3.2 - Authenticated (Subscriber+) Local File Inclusion via Shortcode

Affected Software: Grid Plus – Unlimited grid layout
CVE ID: CVE-2023-5250
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a6407792-2c76-4149-a9f9-d53002135bec


Giveaways and Contests by RafflePress <= 1.12.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers
CVE ID: CVE-2023-5049
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a6d663a9-3185-4c36-b9d1-878297965379


Accordion <= 2.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Accordion
CVE ID: CVE-2023-5666
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a8ada876-4a8b-494f-9132-d88a71b42c44


Related Products for WooCommerce <= 3.3.15 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Related Products for WooCommerce
CVE ID: CVE-2023-5234
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a98498b8-9397-42e9-9c99-a576975c9ac9


Live Chat with Facebook Messenger <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Live Chat with Facebook Messenger
CVE ID: CVE-2023-5740
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/aa32a790-242f-4142-9f4d-e1b2a07045bb


Buzzsprout Podcasting <= 1.8.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Buzzsprout Podcasting
CVE ID: CVE-2023-5335
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/be7f8b73-801d-46e8-81c1-8bb0bb576700


Weather Atlas Widget <= 1.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Weather Atlas Widget
CVE ID: CVE-2023-5163
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c2324caa-f804-4f76-9d08-8951fbee4669


MomentoPress for Momento360 <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: MomentoPress for Momento360
CVE ID: CVE-2023-46782
CVSS Score: 6.4 (Medium)
Researcher/s: NGÔ THIÊN AN
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e0fdee40-9d60-4657-9e2b-42d548dea1c0


Pre-Orders for WooCommerce <= 1.2.13 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Pre-Orders for WooCommerce
CVE ID: CVE-2023-46783
CVSS Score: 6.4 (Medium)
Researcher/s: Abu Hurayra
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/eb2776d8-1e2f-46fb-9d3b-693c8fa115b3


Neon text <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Neon text
CVE ID: CVE-2023-5817
CVSS Score: 6.4 (Medium)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f9998485-e272-48fc-b2f1-9e30158d0d16


Very Simple Google Maps <= 2.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Very Simple Google Maps
CVE ID: CVE-2023-5744
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fca7837c-ad24-44ce-b073-7df3f8bc4300


Draw Attention <= 2.0.15 - Improper Access Control via register_cpt

Affected Software: Interactive Image Map Plugin – Draw Attention
CVE ID: CVE-2023-46616
CVSS Score: 6.3 (Medium)
Researcher/s: thiennv
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5d635669-ee85-4fb5-8238-3edb3bbb8fb4


WP Simple HTML Sitemap <= 2.1 - Reflected Cross-Site Scripting via id

Affected Software: WordPress Simple HTML Sitemap
CVE ID: CVE-2023-46627
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/26e52072-9465-4b56-9794-f17861b7c70c


Bonus for Woo <= 5.8.2 - Reflected Cross-Site Scripting

Affected Software: Bonus for Woo
CVE ID: CVE-2023-5140
CVSS Score: 6.1 (Medium)
Researcher/s: Enrico Marcolini, Claudio Marchesini
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2b959b65-16ad-45f9-9ad9-dfc97bda571e


Download CloudNet360 <= 3.2.0 - Reflected Cross-Site Scripting

Affected Software: CloudNet360
CVE ID: CVE-2023-46643
CVSS Score: 6.1 (Medium)
Researcher/s: Nithissh S
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/54b88702-ec41-414b-87f1-1859b130a713


User Avatar <= 1.4.11 - Unauthenticated Cross-Site Scripting

Affected Software: User Avatar
CVE ID: CVE-2023-46621
CVSS Score: 6.1 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6903e37e-5251-47bb-8023-755821af4689


WooCommerce - Store Exporter <= 2.7.2 - Reflected Cross-Site Scripting via 'filter'

Affected Software: Store Exporter for WooCommerce – Export Products, Export Orders, Export Subscriptions, and More
CVE ID: CVE Unknown
CVSS Score: 6.1 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/947286b0-347f-47ab-885a-7805b50f0be8


Seraphinite Accelerator <= 2.20.28 - Reflected Cross-Site Scripting via 'rt'

Affected Software: Seraphinite Accelerator
CVE ID: CVE-2023-5609
CVSS Score: 6.1 (Medium)
Researcher/s: Krzysztof Zając
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9dc90b13-2f36-45bc-991c-f1927ae9253d


FLOWFACT WP Connector <= 2.1.7 - Reflected Cross-Site Scripting

Affected Software: FLOWFACT WP Connector
CVE ID: CVE-2023-46626
CVSS Score: 6.1 (Medium)
Researcher/s: Jonas Höbenreich
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b4b61b5b-e5e8-41d4-bf37-d9427a204ea6


Simple User Listing <= 1.9.2 - Reflected Cross-Site Scripting via as

Affected Software: Simple User Listing
CVE ID: CVE-2023-32298
CVSS Score: 6.1 (Medium)
Researcher/s: Emili Castells
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c7035903-d598-4db3-ba77-6e836229c5de


WPPizza <= 3.18.2 - Reflected Cross-Site Scripting

Affected Software: WPPizza – A Restaurant Plugin
CVE ID: CVE-2023-46622
CVSS Score: 6.1 (Medium)
Researcher/s: SeungYongLee
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ccfdb5f5-8417-44a3-a27c-157a9619c68b


Reusable Text Blocks <= 1.5.3 - Authenticated (Author+) Stored Cross-Site Scripting via Shortcode

Affected Software: Reusable Text Blocks
CVE ID: CVE-2023-5745
CVSS Score: 5.5 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0d627ee7-1175-4621-a477-1e9ec2d05eee


My Shortcodes <= 2.3 - Missing Authorization via Multiple AJAX Actions

Affected Software: My Shortcodes
CVE ID: CVE-2023-46632
CVSS Score: 5.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7a931496-f130-4910-9116-6c2c4df760f5


Quill Forms <= 3.3.0 - Cross-Site Request Forgery

Affected Software: Quill Forms | The Best Typeform Alternative | Create Conversational Multi Step Form, Survey, Quiz, Cost Estimation or Donation Form on WordPress
CVE ID: CVE-2023-46610
CVSS Score: 5.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8ea4617a-6211-4f8d-ab51-10ca509aaacf


Seraphinite Accelerator <= 2.20.28 - Arbitrary Redirect via 'redir'

Affected Software: Seraphinite Accelerator
CVE ID: CVE-2023-5610
CVSS Score: 5.4 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9d6dd532-008b-4ce9-beca-baf5b3678a0b


Spider Facebook <= 1.0.15 - Cross-Site Request Forgery

Affected Software: WDSocialWidgets
CVE ID: CVE-2023-46619
CVSS Score: 5.4 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a94accad-27c7-462b-b26f-0dde2036a7ba>


Quill Forms <= 3.3.0 - Missing Authorization

Affected Software: Quill Forms | The Best Typeform Alternative | Create Conversational Multi Step Form, Survey, Quiz, Cost Estimation or Donation Form on WordPress
CVE ID: CVE-2023-46610
CVSS Score: 5.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b6846688-5716-4b22-8a1d-b96b230b0742>


Grid Plus <= 1.3.2 - Missing Authorization to Authenticated (Subscriber+) Grid Layout Add/Update/Delete

Affected Software: Grid Plus – Unlimited grid layout
CVE ID: CVE-2023-5251
CVSS Score: 5.4 (Medium)
Researcher/s: Unknown
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d2d34c84-473c-49f8-b55c-c869b5479974>


Alter <= 1.0 - Cross-Site Request Forgery

Affected Software: Alter
CVE ID: CVE-2023-46780
CVSS Score: 5.4 (Medium)
Researcher/s: Skalucy
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e58a45c4-06cb-4b2b-97f2-a614fc230942>


kk Star Ratings <= 5.4.5 - Missing Authorization

Affected Software: kk Star Ratings
CVE ID: CVE-2023-46639
CVSS Score: 5.3 (Medium)
Researcher/s: Revan Arifio
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/1af442f7-b57c-47bd-9733-5e6bb5c89443>


AtomChat <= 1.1.4 - Missing Authorization via credits REST API Endpoint

Affected Software: Group Chat & Video Chat by AtomChat
CVE ID: CVE-2023-46606
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/21f917a4-efee-421b-98b1-a9b18c7527d2>


YOP Poll <= 6.5.28 - Reusable Captcha via validateImage

Affected Software: YOP Poll
CVE ID: CVE-2023-46611
CVSS Score: 5.3 (Medium)
Researcher/s: qilin_99
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/33f8f75d-c57e-456c-a48a-82fa668adb1c>


FeedFocal <= 1.2.1 - Missing Authorization via feedfocal_api_setup REST function

Affected Software: FeedFocal
CVE ID: CVE-2023-46609
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/489fe6ac-5437-44a2-93dc-00e75eefbc45>


Convertful – Your Ultimate On-Site Conversion Tool <= 2.5 - Missing Authorization via add_woo_coupon

Affected Software: Convertful – Your Ultimate On-Site Conversion Tool
CVE ID: CVE-2023-46605
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/4e8c311e-7cf2-4aaf-8059-30f872475ee5>


All In One WP Security <= 5.2.4 - Protection Bypass of Renamed Login Page via URL Encoding

Affected Software: All-In-One Security (AIOS) – Security and Firewall
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/63fc381e-ce72-4c90-bb35-daba520be40d>


Generate Dummy Posts <= 1.0.0 - Missing Authorization

Affected Software: Generate Dummy Posts
CVE ID: CVE-2023-46637
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6d797f36-f485-4049-83f0-01d0cb409a92>


YITH WooCommerce Product Add-Ons <= 4.2.0 - Missing Authorization

Affected Software: YITH WooCommerce Product Add-Ons
CVE ID: CVE-2023-46635
CVSS Score: 5.3 (Medium)
Researcher/s: Elliot
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7e95773c-b968-47b3-8ae7-9a8d3389666c>


Glossary <= 3.1.2 - Missing Authorization

Affected Software: WP Glossary
CVE ID: CVE-2023-46633
CVSS Score: 5.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/fca34e4e-3324-4942-854b-a4511f88af8b>


Delete Me <= 3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Delete Me
CVE ID: CVE-2023-5126
CVSS Score: 4.9 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7a5123a7-8eb4-481e-88fe-6310be37a077>


Parcel Pro <= 1.6.8 - Open Redirect via 'redirect'

Affected Software: Parcel Pro
CVE ID: CVE-2023-46624
CVSS Score: 4.7 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/95d4fbf6-e21a-48db-bfb3-32fc9116afa0>


SAHU TikTok Pixel for E-Commerce <= 1.2.2 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: SAHU TikTok Pixel for E-Commerce
CVE ID: CVE-2023-46642
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/28cddb4c-32a1-4ea9-936d-5ec7ffd84753>


PubyDoc <= 2.0.6 - Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: PubyDoc – Data Tables and Charts
CVE ID: CVE-2023-4970
CVSS Score: 4.4 (Medium)
Researcher/s: Vaishnav Rajeevan
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/3badf9b8-7558-4a46-9eb2-cd119a77c903>


Slick Popup: Contact Form 7 Popup Plugin <= 1.7.14 - Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: Slick Popup: Contact Form 7 Popup Plugin
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/54019f42-488d-484f-b34e-2b5bd5b0a1dd>


WP Post Popup <= 3.7.3 - Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: WP Post Popup
CVE ID: CVE-2023-4808
CVSS Score: 4.4 (Medium)
Researcher/s: Abhijith A
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5fe46da6-add5-42d4-a2db-7a8bada2968c>


Cookie Bar <= 2.0 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Cookie Bar
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/80afca9d-8f9c-412f-b2dd-f0078ec8173c>


Fathom Analytics <= 3.0.7 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Fathom Analytics for WP
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d3343d96-ca52-46a6-b464-cd2e5375d10f>


Groundhogg <= 2.7.11.10 - Authenticated (Administrator+) Stored Cross-Site Scripting via Task Data

Affected Software: WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg
CVE ID: CVE-2023-40681
CVSS Score: 4.4 (Medium)
Researcher/s: Hamoud Al Helmani
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/edafc213-a95f-483e-ac5f-d5b56817d046>


TK Google Fonts GDPR Compliant <= 2.2.11 - Missing Authorization to Font Deletion

Affected Software: TK Google Fonts GDPR Compliant
CVE ID: CVE-2023-5823
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/0bc772a6-95a1-4420-bd97-1778002e2168>


Custom Header Images <= 1.2.1 - Cross-Site Request Forgery

Affected Software: Custom Header Images
CVE ID: CVE-2023-46636
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/0beaa7ce-40aa-429e-80fd-d04e75489b92>


Autolinks Manager <= 1.10.04 - Cross-Site Request Forgery

Affected Software: Autolinks Manager
CVE ID: CVE-2023-46625
CVSS Score: 4.3 (Medium)
Researcher/s: Skalucy
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/2ec5d29e-43e2-4cd3-8164-94b01fab4d64>


Auto Excerpt everywhere <= 1.5 - Cross-Site Request Forgery

Affected Software: Auto Excerpt everywhere
CVE ID: CVE-2023-46776
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/32647c44-389a-4a6d-a32b-e19a35bc2aeb>


EasyRecipe <= 3.5.3251 - Cross-Site Request Forgery

Affected Software: EasyRecipe
CVE ID: CVE-2023-46779
CVSS Score: 4.3 (Medium)
Researcher/s: Skalucy
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/35906df7-5eaf-494a-8184-48e2ca22301e>


Mediabay <= 1.6 - Missing Authorization via AJAX actions

Affected Software: Mediabay – Media Library Folders
CVE ID: CVE-2023-46612
CVSS Score: 4.3 (Medium)
Researcher/s: emad
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/3a923f58-f6c7-47ee-87f6-27453b39d1cf>


Remove Add to Cart WooCommerce <= 1.4.4 - Cross-Site Request Forgery to Settings Modification

Affected Software: Remove Add to Cart WooCommerce
CVE ID: CVE-2023-46629
CVSS Score: 4.3 (Medium)
Researcher/s: qilin_99
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/4938c1be-2356-4a9c-9795-108a2d5a6cc7>


WP Word Count <= 3.2.4 - Missing Authorization via calculate_statistics

Affected Software: WP Word Count
CVE ID: CVE-2023-46628
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/55dfd822-9034-4982-bfe7-eb86119e1f07>


WP Helper Premium <= 4.5.1 - Cross-Site Request Forgery via whp_fields

Affected Software: WP Helper Premium
CVE ID: CVE-2023-46614
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/73e2c5bd-c81d-48ee-a5fc-346dd820d0a4>


TK Google Fonts GDPR Compliant <= 2.2.11 - Missing Authorization to Font Addition

Affected Software: TK Google Fonts GDPR Compliant
CVE ID: CVE-2023-5823
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7546b0b7-8081-4762-9e20-76dfb3c8a8a7>


Export WP Page to Static HTML/CSS <= 2.1.9 - Cross-Site Request Forgery via Multiple AJAX Actions

Affected Software: Export WP Page to Static HTML/CSS
CVE ID: CVE-2023-31077
CVSS Score: 4.3 (Medium)
Researcher/s: konagash
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7781e20b-c258-4bfd-9050-75a50a335628>


Ni WooCommerce Sales Report <= 3.7.2 - Missing Authorization via ajax_sales_order

Affected Software: Ni WooCommerce Sales Report
CVE ID: CVE-2023-32299
CVSS Score: 4.3 (Medium)
Researcher/s: Jonas Höbenreich
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7b509887-6d32-4e7f-bdff-fd4f6c76f6f2>


WP EXtra <= 6.2 - Missing Authorization to Arbitrary Email Sending

Affected Software: WP EXtra
CVE ID: CVE-2023-5314
CVSS Score: 4.3 (Medium)
Researcher/s: TP Cyber Security
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/93c10a58-c5f2-440b-a88e-5314143fdd90>


Original texts Yandex WebMaster <= 1.18 - Cross-Site Request Forgery

Affected Software: Original texts Yandex WebMaster
CVE ID: CVE-2023-46775
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a9c500fc-0d85-41b1-a2b8-9c8ba372a6e3>


WP Knowledgebase <= 1.3.4 - Cross-Site Request Forgery

Affected Software: WordPress Knowledge base & Documentation Plugin – WP Knowledgebase
CVE ID: CVE-2023-5802
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/aa5ee133-e38a-4dfe-975c-f194aa6e90b8>


Feather Login Page <= 1.1.3 - Cross-Site Request Forgery

Affected Software: Custom Login Page | Temporary Users | Rebrand Login | Login Captcha
CVE ID: CVE-2023-46777
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b1a85bc2-0b00-4635-86f6-26e96cc0616e>


DeepL Pro API translation <= 2.3.7.1 - Cross-Site Request Forgery via wpdeepl_prune_logs

Affected Software: DeepL API translation plugin
CVE ID: CVE-2023-46620
CVSS Score: 4.3 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b60cb1af-c9f3-4cea-9699-d66a52eb87eb>


Thumbnail carousel slider <= 1.0 - Cross-Site Request Forgery to Mass Slider Deletion

Affected Software: Thumbnail carousel slider
CVE ID: CVE-2023-5821
CVSS Score: 4.3 (Medium)
Researcher/s: Ala Arfaoui
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/bde75c5a-b0b7-4f26-91e9-dd4816e276c9>


WP iCal Availability <= 1.0.3 - Missing Authorization

Affected Software: WP iCal Availability
CVE ID: CVE-2023-46607
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c38ac30d-95dc-415e-8ea6-507ed87d34db>


Seraphinite Accelerator (Base, cache only) <= 2.20.31 - Cross-Site Request Forgery

Affected Software: Seraphinite Accelerator
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d2b32fdc-b73f-48e5-88bf-e836ec2f791f>


WCP OpenWeather <= 2.5.0 - Cross-Site Request Forgery

Affected Software: WCP OpenWeather
CVE ID: CVE-2023-46638
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d5b573e2-373f-41bc-8d9a-ea42e908ac4e>


Current Menu Item for Custom Post Types <= 1.5 - Cross-Site Request Forgery

Affected Software: Current Menu Item for Custom Post Types
CVE ID: CVE-2023-46781
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d75f1475-fa81-4eed-87da-0a0fa48ac082>


Category SEO Meta Tags <= 2.5 - Cross-Site Request Forgery via csmt_admin_options

Affected Software: Category SEO Meta Tags
CVE ID: CVE-2023-46618
CVSS Score: 4.3 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/de6048e7-75c6-44b1-bc68-e36dce936c78>


Custom My Account for Woocommerce <= 2.1 - Cross-Site Request Forgery

Affected Software: Custom My Account for Woocommerce
CVE ID: CVE-2023-46634
CVSS Score: 4.3 (Medium)
Researcher/s: qilin_99
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/fd00c5cc-1a28-4d94-815d-46219ce0e0e9>


Auto Limit Posts Reloaded <= 2.5 - Cross-Site Request Forgery

Affected Software: Auto Limit Posts Reloaded
CVE ID: CVE-2023-46778
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/fedf20b2-6c21-4c91-8f79-9cac334a1313>


As a reminder, Wordfence has curated an industry-leading vulnerability database covering all known WordPress core, theme, and plugin vulnerabilities, known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (October 23, 2023 to October 29, 2023) appeared first on Wordfence.
