Wordfence Intelligence Weekly WordPress Vulnerability Report (May 8, 2023 to May 14, 2023)

Chloe Chamberland, www.wordfence.com, May 18, 2023 - 12:45 p.m.

Last week, there were 139 vulnerabilities disclosed in 105 WordPress Plugins and 2 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 47 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, including the WordPress community, so that individuals and organizations alike can use that data to make the internet more secure. That is why the Wordfence Intelligence user interface and vulnerability API are completely free to access and use, both personally and commercially, and why we publish this weekly vulnerability report.

Click here to sign up for our mailing list to receive weekly vulnerability reports like this one and important WordPress security reports in your inbox the moment they are published.


New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30-day delay.


Total Unpatched & Patched Vulnerabilities Last Week

| Patch Status | Number of Vulnerabilities |
| --- | --- |
| Unpatched | 47 |
| Patched | 92 |

Total Vulnerabilities by CVSS Severity Last Week

| Severity Rating | Number of Vulnerabilities |
| --- | --- |
| Low Severity | 2 |
| Medium Severity | 119 |
| High Severity | 13 |
| Critical Severity | 5 |

Total Vulnerabilities by CWE Type Last Week

| Vulnerability Type by CWE | Number of Vulnerabilities |
| --- | --- |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 64 |
| Cross-Site Request Forgery (CSRF) | 31 |
| Missing Authorization | 23 |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 8 |
| Deserialization of Untrusted Data | 2 |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | 2 |
| URL Redirection to Untrusted Site ('Open Redirect') | 2 |
| Use of Less Trusted Source | 1 |
| Incorrect Authorization | 1 |
| Unrestricted Upload of File with Dangerous Type | 1 |
| Improper Authorization | 1 |
| Authorization Bypass Through User-Controlled Key | 1 |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') | 1 |
| Unverified Password Change | 1 |

Researchers That Contributed to WordPress Security Last Week

| Researcher Name | Number of Vulnerabilities |
| --- | --- |
| Lana Codes (Wordfence Vulnerability Researcher) | 14 |
| Rafie Muhammad | 12 |
| minhtuanact | 7 |
| thiennv | 6 |
| Dave Jong | 5 |
| Mika | 5 |
| apple502j | 4 |
| Rio Darmawan | 4 |
| Abdi Pranata | 4 |
| yuyudhn | 4 |
| Marco Wotschka (Wordfence Vulnerability Researcher) | 4 |
| Taihei Shimamine | 4 |
| Alex Thomas (Wordfence Vulnerability Researcher) | 4 |
| Pavak Tiwari | 3 |
| Lokesh Dachepalli | 3 |
| Darius Sveikauskas | 2 |
| OZ1NG (TOOR, LISA) | 2 |
| Justiice | 2 |
| konagash | 2 |
| Jonas Höbenreich | 2 |
| Yash Kanchhal | 2 |
| Nguyen Xuan Chien | 2 |
| Chloe Chamberland (Wordfence Vulnerability Researcher) | 2 |
| Yuki Haruma | 1 |
| Taurus Omar | 1 |
| Nguyen Anh Tien | 1 |
| Ilyase Dehy | 1 |
| Aymane Mazguiti | 1 |
| Emili Castells | 1 |
| LEE SE HYOUNG | 1 |
| rezaduty | 1 |
| Le Ngoc Anh | 1 |
| Monkey Wrench Inc. | 1 |
| deokhunKim | 1 |
| Simone Onofri | 1 |
| Donato Onofri | 1 |
| Skalucy | 1 |
| Badromance 1337 | 1 |
| Johan Kragt | 1 |
| Felipe Restrepo Rodriguez | 1 |
| WPScanTeam | 1 |
| Erwan LR | 1 |
| Mahesh Nagabhairava | 1 |
| rSolutions Security Team | 1 |
| easyBug | 1 |
| Shuya Ota | 1 |
| TEAM WEBoB of BoB 11th | 1 |

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added to the Wordfence Intelligence leaderboard, along with a mention in our weekly vulnerability report.


WordPress Plugins with Reported Vulnerabilities Last Week

| Software Name | Software Slug |
| --- | --- |
| 10Web Social Post Feed | wd-facebook-feed |
| Active Directory Integration / LDAP Integration | ldap-login-for-intranet-sites |
| Add Posts to Pages | add-posts-to-pages |
| Announcement & Notification Banner – Bulletin | bulletin-announcements |
| Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection | stopbadbots |
| Block Referer Spam | block-referer-spam |
| Booking Ultra Pro Appointments Booking Calendar Plugin | booking-ultra-pro |
| Brands for WooCommerce | brands-for-woocommerce |
| Button | button |
| CALL ME NOW | lokalyze-call-now |
| CM On Demand Search And Replace | cm-on-demand-search-and-replace |
| Column-Matic | column-matic |
| Community by PeepSo – Social Network, Membership, Registration, User Profiles | peepso-core |
| Complianz – GDPR/CCPA Cookie Consent | complianz-gdpr |
| Custom Base Terms | custom-base-terms |
| Custom Field Suite | custom-field-suite |
| DBargain | d-bargain |
| DevBuddy Twitter Feed | devbuddy-twitter-feed |
| Directorist – WordPress Business Directory Plugin with Classified Ads Listings | directorist |
| Don8 | don8 |
| Donations Made Easy – Smart Donations | smart-donations |
| Download Manager | download-manager |
| Download Monitor | download-monitor |
| Dyslexiefont Free | dyslexiefont |
| Easy Form by AYS | easy-form |
| Easy Hide Login | easy-hide-login |
| Elementor Website Builder | elementor |
| Essential Addons for Elementor | essential-addons-for-elementor-lite |
| ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) | google-analytics-dashboard-for-wp |
| Featured Image Pro Post Grid | featured-image-pro |
| Forget About Shortcode Buttons | forget-about-shortcode-buttons |
| Free WordPress Lead Generation Opt in, Free Popups, Generated Lead Email Popup, Exit-Intent Popup – NotifyVisitors | notifyvisitors-lead-form |
| Frontend Post WordPress Plugin – AccessPress Anonymous Post | accesspress-anonymous-post |
| GTmetrix for WordPress | gtmetrix-for-wordpress |
| Get your number | get-your-number |
| GiveWP – Donation Plugin and Fundraising Platform | give |
| Google Site Verification plugin using Meta Tag | google-site-verification-using-meta-tag |
| Hide My WP Ghost – Security Plugin | hide-my-wp |
| Hostel | hostel |
| Hyphenator | hyphenator |
| Injection Guard | injection-guard |
| LetterPress – E-Mail campaigns, marketing and newsletter Plugin for WordPress | letterpress |
| Link Whisper Free | link-whisper |
| Locatoraid Store Locator | locatoraid |
| MW WP Form | mw-wp-form |
| MailChimp Subscribe Form, Optin Builder, PopUp Builder, Form Builder | mailchimp-subscribe-sm |
| Manager for Icomoon | manager-for-icomoon |
| MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy) | google-analytics-for-wordpress |
| My WP Customize Admin/Frontend | my-wp |
| Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue | mailin |
| Order Your Posts Manually | order-your-posts-manually |
| Owl Carousel | owl-carousel |
| Pinterest RSS Widget | pinterest-rss-widget |
| Portfolio Gallery – Responsive Image Gallery | gallery-portfolio |
| Post Form – Registration Form – Profile Form for User Profiles and Content Forms for User Submissions | buddyforms |
| Post Snippets – Custom WordPress Code Snippets Customizer | post-snippets |
| Post State Tags | post-state-tags |
| Pricing Table Builder – AP Pricing Tables Lite | ap-pricing-tables-lite |
| Pro Mime Types | pro-mime-types |
| Product page shipping calculator for WooCommerce | product-page-shipping-calculator-for-woocommerce |
| QuBot – Chatbot Builder with Templates | qubotchat |
| Quick Page/Post Redirect Plugin | quick-pagepost-redirect-plugin |
| Radio Station by netmix® – Manage and play your Show Schedule in WordPress! | radio-station |
| RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login | custom-registration-form-builder-with-submission-manager |
| Restaurant Menu – Food Ordering System – Table Reservation | menu-ordering-reservations |
| SALERT – Fake Sales Notification WooCommerce | salert |
| SEO by 10Web | seo-by-10web |
| ShortPixel Adaptive Images – WebP, AVIF, CDN, Image Optimization | shortpixel-adaptive-images |
| Simple Calendar – Google Calendar Plugin | google-calendar-events |
| Slimstat Analytics | wp-slimstat |
| Snow Monkey Forms | snow-monkey-forms |
| SoundCloud Is Gold | soundcloud-is-gold |
| Sunny Search | fast-search-powered-by-solr |
| Team Circle Image Slider With Lightbox | circle-image-slider-with-lightbox |
| Ultimate Addons for Contact Form 7 | ultimate-addons-for-contact-form-7 |
| VK All in One Expansion Unit | vk-all-in-one-expansion-unit |
| VK Blocks | vk-blocks |
| VK Blocks Pro | vk-blocks-pro |
| WCP Contact Form | wcp-contact-form |
| WP Abstracts | wp-abstracts-manuscripts-manager |
| WP All Backup | wp-all-backup |
| WP Category Post List Widget | wp-category-posts-list |
| WP Chinese Conversion | wp-chinese-conversion |
| WP Multi Store Locator | wp-multi-store-locator |
| WP Reactions Lite | wp-reactions-lite |
| WP Register Profile With Shortcode | wp-register-profile-with-shortcode |
| WP Replicate Post | wp-replicate-post |
| WP Responsive Tabs horizontal vertical and accordion Tabs | responsive-horizontal-vertical-and-accordion-tabs |
| WP-Chatbot for Messenger | wp-chatbot |
| WPCS – WordPress Currency Switcher Professional | currency-switcher |
| Web Stories for WordPress | UNKNOWN-CVE-2023-1979-1 |
| Whydonate – FREE Donate button – Crowdfunding – Fundraising | wp-whydonate |
| Wise Chat | wise-chat |
| Woo Custom Emails | woo-custom-emails |
| Woodmart Core | woodmart-core |
| WordPress Online Booking and Scheduling Plugin – Bookly | bookly-responsive-appointment-booking-tool |
| YITH WooCommerce Gift Cards Premium | yith-woocommerce-gift-cards-premium |
| Yoast SEO Premium | wordpress-seo-premium |
| Yoast SEO: Local | wpseo-local |
| Zero Spam for WordPress | zero-spam |
| eBecas | ebecas |
| iframe popup | iframe-popup |
| itemprop WP for SERP/SEO Rich snippets | itempropwp |
| weebotLite | weebotlite |
| wordpress vertical image slider plugin | wp-vertical-image-slider |

WordPress Themes with Reported Vulnerabilities Last Week

| Software Name | Software Slug |
| --- | --- |
| Divi | Divi |
| Woodmart | woodmart |

Vulnerability Details

Woodmart Core <= 1.0.36 - Missing Authorization to Privilege Escalation

Affected Software: Woodmart Core
CVE ID: CVE-2023-32244
CVSS Score: 9.8 (Critical)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/60f043e9-7947-4fff-a9a8-94a1f421db7c>


Manager for Icomoon <= 2.0 - Unauthenticated Arbitrary File Upload via 'upload'

Affected Software: Manager for Icomoon
CVE ID: CVE-2023-29386
CVSS Score: 9.8 (Critical)
Researcher/s: deokhunKim
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/854ab1f3-5f7c-40a4-85a5-db4e20dc72cc>


Essential Addons for Elementor <= 5.7.1 - Unauthenticated Arbitrary Password Reset to Privilege Escalation

Affected Software: Essential Addons for Elementor
CVE ID: CVE-2023-32243
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e988d042-147c-4782-b728-71f5a50cecd8>


Woodmart Core <= 1.0.36 - PHP Object Injection

Affected Software: Woodmart Core
CVE ID: CVE-2023-32242
CVSS Score: 9.8 (Critical)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ef79e5a8-8bac-42b3-a064-6eea597701c9>


Ultimate Addons for Contact Form 7 <= 3.1.23 - Unauthenticated SQL Injection via form_id

Affected Software: Ultimate Addons for Contact Form 7
CVE ID: CVE-2022-47586
CVSS Score: 9.8 (Critical)
Researcher/s: minhtuanact
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f10e5eef-1ccf-4f98-b0e9-5ed05b3881a6>


WP Replicate Post <= 4.0.2 - Authenticated (Contributor+) SQL Injection

Affected Software: WP Replicate Post
CVE ID: CVE-2023-2237
CVSS Score: 8.8 (High)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/916e6f8b-cb29-4062-9a05-0337cfdb382a>


Bookly <= 21.7.1 - Arbitrary File Deletion

Affected Software: WordPress Online Booking and Scheduling Plugin – Bookly
CVE ID: CVE-2023-26526
CVSS Score: 8.1 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5a7609bf-5b20-440c-9984-eeb26962ada8>


Booking Ultra Pro <= 1.1.4 - Unauthenticated Stored Cross-Site Scripting

Affected Software: Booking Ultra Pro Appointments Booking Calendar Plugin
CVE ID: CVE-2023-32511
CVSS Score: 7.2 (High)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/01370a71-2611-4826-b08b-485839ca606a>


Zero Spam for WordPress <= 5.4.4 - Authenticated (Administrator+) SQL Injection

Affected Software: Zero Spam for WordPress
CVE ID: CVE Unknown
CVSS Score: 7.2 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/03d8b8e7-5702-42d4-8cd9-ae3ff1a74a7e>


Active Directory Integration / LDAP Integration <= 4.1.4 - Authenticated (Administrator+) SQL Injection

Affected Software: Active Directory Integration / LDAP Integration
CVE ID: CVE-2023-2484
CVSS Score: 7.2 (High)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/3eedc57b-79cc-4569-b6d6-676a22aa1e06>


Slimstat Analytics <= 5.0.4 - Authenticated (Administrator+) SQL Injection

Affected Software: Slimstat Analytics
CVE ID: CVE-2022-45373
CVSS Score: 7.2 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6334b02e-ffab-49f9-969b-d015c2babc29>


Order Your Posts Manually <= 2.2.5 - Authenticated (Administrator+) SQL Injection via 'sortdata'

Affected Software: Order Your Posts Manually
CVE ID: CVE-2023-32508
CVSS Score: 7.2 (High)
Researcher/s: minhtuanact
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/66da0ad7-18a3-42b9-b59a-5927c6bc836b>


AP Pricing Tables Lite <= 1.1.6 - Authenticated (Admin+) SQL Injection

Affected Software: Pricing Table Builder – AP Pricing Tables Lite
CVE ID: CVE-2023-0900
CVSS Score: 7.2 (High)
Researcher/s: Simone Onofri, Donato Onofri
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/869e57f8-7524-497a-8d24-bb9f2ee3898b>


WP Chinese Conversion <= 1.1.16 - Unauthenticated Stored Cross-Site Scripting

Affected Software: WP Chinese Conversion
CVE ID: CVE-2023-32518
CVSS Score: 7.2 (High)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/95c47c7b-df83-43ee-9091-136b6622e88c>


Zero Spam <= 5.4.4 - Authenticated (Administrator+) SQL Injection

Affected Software: Zero Spam for WordPress
CVE ID: CVE-2023-32121
CVSS Score: 7.2 (High)
Researcher/s: OZ1NG (TOOR, LISA)
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d7576dd9-198b-49a7-950e-fc301e4bc5f8>


QuBotChat <= 1.1.5 - Unauthenticated Stored Cross-Site Scripting

Affected Software: QuBot – Chatbot Builder with Templates
CVE ID: CVE Unknown
CVSS Score: 7.2 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/dd27aeb9-4257-4b15-8f14-8a8c89522c32>


Directorist <= 7.5.3 - Authenticated (Administrator+) Local File Inclusion

Affected Software: Directorist – WordPress Business Directory Plugin with Classified Ads Listings
CVE ID: CVE-2023-2252
CVSS Score: 7.2 (High)
Researcher/s: rSolutions Security Team
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e571ded0-ea7a-40ec-b90b-c5009b463d87>


Booking Ultra Pro <= 1.1.4 - Unauthenticated Stored Cross-Site Scripting

Affected Software: Booking Ultra Pro Appointments Booking Calendar Plugin
CVE ID: CVE-2023-32236
CVSS Score: 7.2 (High)
Researcher/s: TEAM WEBoB of BoB 11th
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/fd8fb3e9-34eb-4b37-9a7e-00309a1ca81d>


GiveWP <= 2.25.3 - Authenticated (Admin+) PHP Object Injection

Affected Software: GiveWP – Donation Plugin and Fundraising Platform
CVE ID: CVE-2023-32513
CVSS Score: 6.6 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7fa8c406-e64d-4093-a102-436ecfb7dd76>


RegistrationMagic <= 5.2.0.5 - Authenticated (Admin+) Insecure Direct Object Reference to Arbitrary User Password Change

Affected Software: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login
CVE ID: CVE-2023-2548
CVSS Score: 6.6 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/bfbc406b-49af-419e-adeb-0510794b7e3f>


YITH WooCommerce Gift Cards Premium <= 3.23.1 - Missing Authorization

Affected Software: YITH WooCommerce Gift Cards Premium
CVE ID: CVE-2022-44633
CVSS Score: 6.5 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/1e77760b-4e61-462c-9245-0e40f161d565>


Portfolio Gallery – Responsive Image Gallery <= 1.4.5 - Missing Authorization to Arbitrary Gallery Deletion

Affected Software: Portfolio Gallery – Responsive Image Gallery
CVE ID: CVE-2023-32585
CVSS Score: 6.5 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/2a4e66e0-85a6-4e9f-8ed7-b7ee8e75aae6>


Hide My WP Ghost – Security Plugin <= 5.0.18 - IP Address Spoofing to Protection Mechanism Bypass

Affected Software: Hide My WP Ghost – Security Plugin
CVE ID: CVE-2022-4537
CVSS Score: 6.5 (Medium)
Researcher/s: rezaduty
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/4cf89f94-587a-4fed-a6e4-3876b7dbc9ba>


Pro Mime Types - Manage file media types <= 1.0.7 - Cross-Site Request Forgery via pmt_settings_section_callback_tab_1

Affected Software: Pro Mime Types
CVE ID: CVE Unknown
CVSS Score: 6.5 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f68ac2b8-33dc-4cc2-b0f3-8777450e39f9>


VK Blocks <= 1.53.0.1 - Stored (Contributor+) Cross-Site Scripting in Post

Affected Software/s: VK Blocks Pro, VK Blocks
CVE ID: CVE-2023-27925
CVSS Score: 6.4 (Medium)
Researcher/s: apple502j
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/03d05c74-da50-4175-86f5-f39a89dbffd4>


Add Posts to Pages <= 1.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Add Posts to Pages
CVE ID: CVE-2023-23826
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/139b081d-17b1-4e1f-9d22-cf3f9de123f5>


WP Category Post List Widget <= 2.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Affected Software: WP Category Post List Widget
CVE ID: CVE-2023-23828
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/15d61530-5ef9-4dce-8ace-6d8cc07c7b5e>


VK All in One Expansion Unit <= 9.88.1.0 - Stored (Contributor+) Cross-Site Scripting in CTA Post

Affected Software: VK All in One Expansion Unit
CVE ID: CVE-2023-28367
CVSS Score: 6.4 (Medium)
Researcher/s: apple502j
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/1da39f3d-512c-49e0-89cb-672783e5ca4e>


Pinterest RSS Widget <= 2.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Pinterest RSS Widget
CVE ID: CVE-2023-23877
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/1ec186b0-72f0-4017-ad24-1c82247a23ec>


Post, Registration and Profile Form Builder – FrontEnd Editor BuddyForms – Easy WordPress Forms <= 2.8.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Post Form – Registration Form – Profile Form for User Profiles and Content Forms for User Submissions
CVE ID: CVE-2023-25981
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/20793de1-468f-4b9d-8e1f-b05dc204c0fb>


VK All in One Expansion Unit <= 9.88.1.0 - Stored (Contributor+) Cross-Site Scripting in Profile Setting

Affected Software: VK All in One Expansion Unit
CVE ID: CVE-2023-27926
CVSS Score: 6.4 (Medium)
Researcher/s: apple502j
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/40c5dd26-6063-4ab2-a370-464e84d806b7>


SALERT <= 1.2.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting

Affected Software: SALERT – Fake Sales Notification WooCommerce
CVE ID: CVE-2023-32118
CVSS Score: 6.4 (Medium)
Researcher/s: Jonas Höbenreich
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6748841a-0984-4840-90ba-0eeff8564198>


ExactMetrics <= 7.14.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin)
CVE ID: CVE-2023-23880
CVSS Score: 6.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/687c86af-915e-4028-910e-ab83bcd86a1a>


Brands for WooCommerce <= 3.7.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Brands for WooCommerce
CVE ID: CVE-2023-23667
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6b6dc426-7066-46fb-886a-0bf005829abf>


Owl Carousel <= 0.5.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Affected Software: Owl Carousel
CVE ID: CVE-2023-23829
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/92bcdbd9-1f41-4990-9bea-587fb0e7355a>


Download Manager <= 3.2.70 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Download Manager
CVE ID: CVE-2023-2305
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a66bc196-e5f8-46b4-a81c-c888eb64021c>


WP Multi Store Locator <= 2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: WP Multi Store Locator
CVE ID: CVE-2023-0152
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b9da31ff-4173-4aee-a3a6-8eebaa0d71ab>


WPCS – WordPress Currency Switcher Professional <= 1.1.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: WPCS – WordPress Currency Switcher Professional
CVE ID: CVE-2023-2558
CVSS Score: 6.4 (Medium)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/be054481-89b4-47d8-ad06-8622edea367f>


Divi <= 4.20.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Divi
CVE ID: CVE-2023-29099
CVSS Score: 6.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c01cbc25-bdf7-4525-8c7b-194bd0aeb32b>


Google Analytics by Monster Insights <= 8.14.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy)
CVE ID: CVE-2023-23999
CVSS Score: 6.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c87a80ad-27bf-404d-8adf-9acc91354515>


VK Blocks <= 1.53.0.1 - Stored (Contributor+) Cross-Site Scripting in Tag Edit

Affected Software/s: VK Blocks Pro, VK Blocks
CVE ID: CVE-2023-27923
CVSS Score: 6.4 (Medium)
Researcher/s: apple502j
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e01f5bd8-de0f-48aa-8007-61a0ebd0ebf3>


Locatoraid Store Locator <= 3.9.18 - Authenticated (Subscriber+) Stored Cross-Site Scripting

Affected Software: Locatoraid Store Locator
CVE ID: CVE-2023-32576
CVSS Score: 6.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e40cba5c-455c-44ba-bba2-c825697b837a>


WoodMart <= 7.2.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting

Affected Software: Woodmart
CVE ID: CVE-2023-32239
CVSS Score: 6.4 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f9a60c4e-a524-4a99-858a-14787f37d60c>


Announcement & Notification Banner – Bulletin <= 3.7.0 - Cross-Site Request Forgery

Affected Software: Announcement & Notification Banner – Bulletin
CVE ID: CVE-2023-2067
CVSS Score: 6.3 (Medium)
Researcher/s: Chloe Chamberland
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b808450f-0ebf-4c49-a9e3-f1c1f2b1f632>


Announcement & Notification Banner – Bulletin <= 3.6.0 - Missing Authorization Checks

Affected Software: Announcement & Notification Banner – Bulletin
CVE ID: CVE-2023-2066
CVSS Score: 6.3 (Medium)
Researcher/s: Chloe Chamberland
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d242a466-0611-4e64-8145-29f64100e62b>


Complianz - GDPR/CCPA Cookie Consent <= 6.4.4 - Cross-Site Request Forgery via ajax_script_save

Affected Software: Complianz – GDPR/CCPA Cookie Consent
CVE ID: CVE Unknown
CVSS Score: 6.1 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/1034f0f4-52e4-4f4c-81fc-51b4720f306a>


Featured Image Pro Post Grid <= 5.14 - Reflected Cross-Site Scripting via page

Affected Software: Featured Image Pro Post Grid
CVE ID: CVE-2023-32598
CVSS Score: 6.1 (Medium)
Researcher/s: OZ1NG (TOOR, LISA)
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/1efb9215-542b-46a1-b358-f3d27339a920>


Team Circle Image Slider With Lightbox <= 1.0.17 - Reflected Cross-Site Scripting

Affected Software: Team Circle Image Slider With Lightbox
CVE ID: CVE-2023-2604
CVSS Score: 6.1 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/2627ac2b-25a8-480d-ac83-ee0ca323b3a1>


Radio Station <= 2.4.0.9 - Reflected Cross-Site Scripting

Affected Software: Radio Station by netmix® – Manage and play your Show Schedule in WordPress!
CVE ID: CVE-2023-32499
CVSS Score: 6.1 (Medium)
Researcher/s: minhtuanact
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/36b2992d-4d1b-456d-94a0-54794ba59435>


WP Abstracts <= 2.6.1 - Reflected Cross-Site Scripting

Affected Software: WP Abstracts
CVE ID: CVE-2023-29385
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/495df695-864e-4a77-bcd1-d1845c55a6c9>


wordpress vertical image slider plugin <= 1.2.16 - Reflected Cross-Site Scripting

Affected Software: wordpress vertical image slider plugin
CVE ID: CVE-2023-24413
CVSS Score: 6.1 (Medium)
Researcher/s: yuyudhn
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/59c40a86-ea1c-4015-ac47-2b7b91cc3519>


Menu - Ordering - Reservations <= 2.3.6 - Reflected Cross-Site Scripting via 'redirect'

Affected Software: Restaurant Menu – Food Ordering System – Table Reservation
CVE ID: CVE-2023-32516
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/640f0b06-9af2-4b79-8f87-97f93b2c51c0>


Donations Made Easy – Smart Donations <= 4.0.12 - Reflected Cross-Site Scripting

Affected Software: Donations Made Easy – Smart Donations
CVE ID: CVE-2023-32603
CVSS Score: 6.1 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7cce2f9f-5f47-4e10-a846-0aab4bcad616>


Slimstat Analytics <= 5.0.4 - Reflected Cross-Site Scripting

Affected Software: Slimstat Analytics
CVE ID: CVE-2022-45366
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/875c6474-5bf3-4556-b529-299cd2f65afe>


Order Your Posts Manually <= 2.2.5 - Reflected Cross-Site Scripting via '_user_request'

Affected Software: Order Your Posts Manually
CVE ID: CVE-2023-32510
CVSS Score: 6.1 (Medium)
Researcher/s: minhtuanact
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/8d98a961-bef3-4bce-b493-410eee688bc6>


Complianz - GDPR/CCPA Cookie Consent <= 6.4.4 - Cross-Site Request Forgery via ajax_script_add

Affected Software: Complianz – GDPR/CCPA Cookie Consent
CVE ID: CVE Unknown
CVSS Score: 6.1 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/9ef8f39e-6e5d-4ef6-a81d-0b2be3506ec1>


MailChimp Subscribe Forms <= 4.0.9.1 - Open Redirect

Affected Software: MailChimp Subscribe Form, Optin Builder, PopUp Builder, Form Builder
CVE ID: CVE-2023-32517
CVSS Score: 6.1 (Medium)
Researcher/s: minhtuanact
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/aba1ca3a-a937-400b-b175-2ca4e67a107d>


GTmetrix for WordPress <= 0.4.6 - Reflected Cross-Site Scripting via 'report_id' and 'event_id'

Affected Software: GTmetrix for WordPress
CVE ID: CVE-2023-32503
CVSS Score: 6.1 (Medium)
Researcher/s: thiennv
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/abe50539-f6a9-476a-a408-4f94f7f31fcc>


Yoast SEO: Local <= 14.8 - Reflected Cross-Site Scripting

Affected Software: Yoast SEO: Local
CVE ID: CVE-2023-32300
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b239185f-c368-4768-8f6a-ef9bc593929d>


Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue <= 3.1.60 - Reflected Cross-Site Scripting via 'lang'

Affected Software: Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue
CVE ID: CVE Unknown
CVSS Score: 6.1 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b6ad08fb-d029-4f84-818c-911ae2d97f33>


10Web Social Post Feed <= 1.2.8 - Reflected Cross-Site Scripting

Affected Software: 10Web Social Post Feed CVE ID: CVE-2023-2503 CVSS Score: 6.1 (Medium) Researcher/s: Erwan LR Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/db959eaf-300c-4ecd-ac15-216a17ec5a50&gt;


WP Responsive Tabs horizontal vertical and accordion Tabs <= 1.1.15 - Reflected Cross-Site Scripting

Affected Software: WP Responsive Tabs horizontal vertical and accordion Tabs CVE ID: CVE-2023-24409 CVSS Score: 6.1 (Medium) Researcher/s: yuyudhn Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/de331d1d-b2f8-4cc6-a998-779595eca70c&gt;


Post State Tags <= 2.0.6 - Cross-Site Request Forgery to Settings Reset

Affected Software: Post State Tags CVE ID: CVE-2023-32588 CVSS Score: 5.4 (Medium) Researcher/s: Mika Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/2a938325-45f5-455b-b2b7-e19e6e22cd0c&gt;


WP-Chatbot for Messenger <= 4.7 - Missing Authorization

Affected Software: WP-Chatbot for Messenger CVE ID: CVE-2023-32581 CVSS Score: 5.4 (Medium) Researcher/s: Lana Codes Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/432df51f-2855-4bf2-8be1-77a893e3aa29&gt;


Hyphenator <= 5.1.5 - Cross-Site Request Forgery to Settings Update

Affected Software: Hyphenator CVE ID: CVE-2023-32594 CVSS Score: 5.4 (Medium) Researcher/s: Mika Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6b87f741-4115-4ded-8dff-dc36cfdf1df1&gt;


ShortPixel Adaptive Images <= 3.7.1 - Cross-Site Request Forgery via shortpixel_ai_handle_page_action

Affected Software: ShortPixel Adaptive Images – WebP, AVIF, CDN, Image Optimization CVE ID: CVE-2023-32512 CVSS Score: 5.4 (Medium) Researcher/s: konagash Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/94ed918c-8f6f-4e1f-ab1d-e16632831951&gt;


Elementor <= 3.13.1 - Missing Authorization to Settings Update

Affected Software: Elementor Website Builder CVE ID: CVE Unknown CVSS Score: 5.4 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b66e2537-f187-4237-b248-f8a361f9cb00&gt;


Complianz - GDPR/CCPA Cookie Consent <= 6.4.4 - Cross-Site Request Forgery via ajax_delete_snapshot

Affected Software: Complianz – GDPR/CCPA Cookie Consent CVE ID: CVE Unknown CVSS Score: 5.4 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c1c106e8-9642-4294-90fd-6838cc551b90&gt;


Order Your Posts Manually <= 2.2.5 - Reflected Cross-Site Scripting via 'cat_id'

Affected Software: Order Your Posts Manually CVE ID: CVE-2023-32509 CVSS Score: 5.4 (Medium) Researcher/s: minhtuanact Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d5688bb7-cd2d-42c6-b8cf-d908448ccfc1&gt;


Download Monitor <= 4.7.60 - Sensitive Information Exposure via REST API

Affected Software: Download Monitor CVE ID: CVE-2022-45354 CVSS Score: 5.4 (Medium) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ddf67d69-f362-4380-a396-300c7edbd9f3&gt;


WP All Backup <= 2.4.3 - Cross-Site Request Forgery to Backup Storage Modification

Affected Software: WP All Backup CVE ID: CVE-2023-32583 CVSS Score: 5.4 (Medium) Researcher/s: Mika Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e087817e-9edb-4c93-96c6-e8d8e99d4d9b&gt;


WCP Contact Form <= 3.1.0 - Missing Authorization

Affected Software: WCP Contact Form CVE ID: CVE-2023-32519 CVSS Score: 5.4 (Medium) Researcher/s: thiennv Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f9844b47-427a-4f2f-9f42-00adcbcf133c&gt;


WCP Contact Form <= 3.1.0 - Missing Authorization via downloadCsv

Affected Software: WCP Contact Form CVE ID: CVE-2023-32520 CVSS Score: 5.3 (Medium) Researcher/s: thiennv Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/17a4bd5c-0cd3-46e4-b6ee-edf87f0e92ca&gt;


Link Whisper Free <= 0.6.3 - Missing Authorization via init()

Affected Software: Link Whisper Free CVE ID: CVE-2023-32506 CVSS Score: 5.3 (Medium) Researcher/s: Nguyen Anh Tien Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/29b09367-6a27-4024-a71c-233aaee6c310&gt;


Woo Custom Emails <= 2.2 - Missing Authorization to Unauthenticated Settings Change

Affected Software: Woo Custom Emails CVE ID: CVE-2023-32507 CVSS Score: 5.3 (Medium) Researcher/s: minhtuanact Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7ee1660e-10c0-447b-8562-c3af07997f56&gt;


Snow Monkey Forms <= 5.0.6 - Directory Traversal via 'view' REST endpoint

Affected Software: Snow Monkey Forms CVE ID: CVE-2023-28413 CVSS Score: 5.3 (Medium) Researcher/s: Monkey Wrench Inc. Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/83d935fc-7d7b-4c25-97f8-d3fe35307c7a>


Injection Guard <= 1.2.1 - Missing Authorization to Whitelist Update

Affected Software: Injection Guard CVE ID: CVE Unknown CVSS Score: 5.3 (Medium) Researcher/s: Darius Sveikauskas Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a9c41797-b256-47de-a783-18df36dd2234>


Yoast SEO Premium <= 20.4 - Missing Authorization to Zapier Key Reset

Affected Software: Yoast SEO Premium CVE ID: CVE-2023-28775 CVSS Score: 5.3 (Medium) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c54770f1-1409-4208-a4ab-0ff3dbc3835d>


MW WP Form <= 4.4.2 - Directory Traversal via _file_upload

Affected Software: MW WP Form CVE ID: CVE-2023-28409 CVSS Score: 5.3 (Medium) Researcher/s: Shuya Ota Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f7adeee0-30ff-4759-b42e-1ac2dea5a8a4>


WP Register Profile With Shortcode <= 3.5.7 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: WP Register Profile With Shortcode CVE ID: CVE-2023-23818 CVSS Score: 4.4 (Medium) Researcher/s: Rio Darmawan Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/0c20f87e-3670-444c-aa8a-28988dfe2fd9>


Post Snippets <= 4.0.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'snippet_content'

Affected Software: Post Snippets – Custom WordPress Code Snippets Customizer CVE ID: CVE-2023-25459 CVSS Score: 4.4 (Medium) Researcher/s: Abdi Pranata Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/0d10f5cd-d449-46f1-a347-f45a1db65999>


SEO By 10Web <= 1.2.6 - Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: SEO by 10Web CVE ID: CVE-2023-2224 CVSS Score: 4.4 (Medium) Researcher/s: Taurus Omar Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/1a850176-973c-49aa-a420-e379223b6dc3>


iframe popup <= 3.3 - Authenticated (Administrator+) Stored Cross-Site Scripting via settings

Affected Software: iframe popup CVE ID: CVE-2023-24394 CVSS Score: 4.4 (Medium) Researcher/s: yuyudhn Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/1d2c6f19-025e-4c17-b5d9-4bbddbaf66d1>


Get Your Number <= 1.1.3 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Get your number CVE ID: CVE-2023-2634 CVSS Score: 4.4 (Medium) Researcher/s: Ilyase Dehy, Aymane Mazguiti Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/2fb9dc9f-1ba5-4a2c-bead-3c3a6deb61b1>


eBecas <= 3.1.3 - Authenticated (Administrator+) Stored Cross-Site Scripting via settings

Affected Software: eBecas CVE ID: CVE-2023-32584 CVSS Score: 4.4 (Medium) Researcher/s: Pavak Tiwari Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/33770bfd-c481-4e18-838b-89a5fb5b15f0>


Product page shipping calculator for WooCommerce <= 1.3.25 - Authenticated (Administrator+) Stored Cross-Site Scripting via admin settings

Affected Software: Product page shipping calculator for WooCommerce CVE ID: CVE-2023-32575 CVSS Score: 4.4 (Medium) Researcher/s: Emili Castells Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/3663b35d-13ac-4d65-80bd-5800ed74f759>


StopBadBots <= 7.31 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection CVE ID: CVE-2023-32496 CVSS Score: 4.4 (Medium) Researcher/s: Taihei Shimamine Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/38e536a5-b538-498c-b19d-adda36f76164>


itemprop WP for SERP/SEO Rich snippets <= 3.5.201706131 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: itemprop WP for SERP/SEO Rich snippets CVE ID: CVE-2023-23819 CVSS Score: 4.4 (Medium) Researcher/s: Rio Darmawan Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5975a107-8083-4f9e-b2b2-8c6ae1ac8f39>


weebotLite <= 1.0.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via settings

Affected Software: weebotLite CVE ID: CVE-2023-32596 CVSS Score: 4.4 (Medium) Researcher/s: Lokesh Dachepalli Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/66518929-d5e7-4b4d-a04c-a96ad0df308c>


My WP Customize Admin/Frontend <= 1.21.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

Affected Software: My WP Customize Admin/Frontend CVE ID: CVE Unknown CVSS Score: 4.4 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6a830fb8-de5f-40c7-bb6c-464ed916b440>


Easy Hide Login <= 1.0.7 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Easy Hide Login CVE ID: CVE-2023-32505 CVSS Score: 4.4 (Medium) Researcher/s: Rio Darmawan Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/745cf98c-ad3a-4ec9-9ee8-ae817d5d7358>


Easy Form by AYS <= 1.2.0 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Easy Form by AYS CVE ID: CVE-2023-32498 CVSS Score: 4.4 (Medium) Researcher/s: Taihei Shimamine Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/765b09ef-dd6d-4c4e-a381-7bb0dc8d6652>


DevBuddy Twitter Feed <= 4.0.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via settings

Affected Software: DevBuddy Twitter Feed CVE ID: CVE-2023-32577 CVSS Score: 4.4 (Medium) Researcher/s: Rio Darmawan Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/92a20a1f-6403-4561-acd8-5b076fe2999f>


Button <= 1.1.20 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Button CVE ID: CVE-2023-23871 CVSS Score: 4.4 (Medium) Researcher/s: yuyudhn Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/9905517f-236c-4e98-8026-8d54bf64c7c9>


Custom Field Suite <= 2.6.2.1 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Custom Field Suite CVE ID: CVE-2023-32515 CVSS Score: 4.4 (Medium) Researcher/s: Taihei Shimamine Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/9a15946b-c4df-43e8-9e1d-7a8367cfda6b>


Column-Matic <= 1.3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Column-Matic CVE ID: CVE-2023-32578 CVSS Score: 4.4 (Medium) Researcher/s: Mika Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/9dc640c8-3740-4770-b729-fb45ecec2b45>


Don8 <= 0.4 - Authenticated (Administrator+) Stored Cross-Site Scripting via settings

Affected Software: Don8 CVE ID: CVE-2023-32582 CVSS Score: 4.4 (Medium) Researcher/s: Yash Kanchhal Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a9b2b094-9a2d-4c73-be5f-b2a6f3da9233>


Sunny Search <= 1.0.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via settings

Affected Software: Sunny Search CVE ID: CVE-2023-32595 CVSS Score: 4.4 (Medium) Researcher/s: Lokesh Dachepalli Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b977e3f8-46e7-4294-ab5c-e42e81c900e0>


Hostel <= 1.1.5.1 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Hostel CVE ID: CVE-2023-0545 CVSS Score: 4.4 (Medium) Researcher/s: Felipe Restrepo Rodriguez Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/bb98b2ee-5c51-453f-9e55-52027237e732>


Quick Page/Post Redirect <= 5.2.3 - Authenticated (Administrator+) Stored Cross-Site Scripting via settings

Affected Software: Quick Page/Post Redirect Plugin CVE ID: CVE-2023-25063 CVSS Score: 4.4 (Medium) Researcher/s: Justiice Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/be841d6b-e3b6-46d2-aba8-fee20c21e933>


LetterPress <= 1.1.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via settings

Affected Software: LetterPress – E-Mail campaigns, marketing and newsletter Plugin for WordPress CVE ID: CVE-2023-27415 CVSS Score: 4.4 (Medium) Researcher/s: Pavak Tiwari Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d3f9e624-c176-403c-a3c5-7bd11027ebe5>


NotifyVisitors <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via settings

Affected Software: Free WordPress Lead Generation Opt in, Free Popups, Generated Lead Email Popup, Exit-Intent Popup – NotifyVisitors CVE ID: CVE-2023-27426 CVSS Score: 4.4 (Medium) Researcher/s: Pavak Tiwari Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/dad9b612-5575-4e64-a1b3-52a2cf3f05a7>


DBargain <= 3.0.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via settings

Affected Software: DBargain CVE ID: CVE-2023-32591 CVSS Score: 4.4 (Medium) Researcher/s: Mahesh Nagabhairava Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e3ab817c-3677-4251-adaf-f340bf4c5336>


Custom Base Terms <= 1.0.2.3 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'base'

Affected Software: Custom Base Terms CVE ID: CVE Unknown CVSS Score: 4.4 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e6292935-a67e-4b59-9b3c-0b71365193b7>


CALL ME NOW <= 3.0 - Cross-Site Request Forgery

Affected Software: CALL ME NOW CVE ID: CVE-2023-32602 CVSS Score: 4.3 (Medium) Researcher/s: Yuki Haruma Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/05828bdc-74aa-4477-9178-f8cc6a34da42>


Complianz - GDPR/CCPA Cookie Consent <= 6.4.4 - Cross-Site Request Forgery via maybe_install_suggested_plugins

Affected Software: Complianz – GDPR/CCPA Cookie Consent CVE ID: CVE Unknown CVSS Score: 4.3 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/07300429-c445-4d2a-90aa-5072a17f8113>


WoodMart <= 7.2.1 - Missing Authorization

Affected Software: Woodmart CVE ID: CVE-2023-32240 CVSS Score: 4.3 (Medium) Researcher/s: Dave Jong Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/0e0e0c15-caf6-4166-a365-a2a73cd9ebc4>


Soundcloud Is Gold <= 2.5.1 - Missing Authorization to Soundcloud User Add

Affected Software: SoundCloud Is Gold CVE ID: CVE-2023-32586 CVSS Score: 4.3 (Medium) Researcher/s: Lana Codes Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/14b2fa77-dc51-47b4-913a-9129f95ba766>


Injection Guard <= 1.2.1 - Cross-Site Request Forgery to Whitelist Update

Affected Software: Injection Guard CVE ID: CVE Unknown CVSS Score: 4.3 (Medium) Researcher/s: Darius Sveikauskas Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/1a6bc58f-9cf3-4d3f-a10e-0ccde0b890a3>


Forget About Shortcode Buttons <= 2.1.2 - Missing Authorization via fasc_buttons

Affected Software: Forget About Shortcode Buttons CVE ID: CVE-2023-32579 CVSS Score: 4.3 (Medium) Researcher/s: Lana Codes Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/212dd123-42d4-4dd2-a2e2-bf0c43e805bf>


Simple Calendar <= 3.1.43 - Cross-Site Request Forgery to Transient Cache Clearing

Affected Software: Simple Calendar – Google Calendar Plugin CVE ID: CVE Unknown CVSS Score: 4.3 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/248b74d3-5228-473d-a79a-743566898606>


Wise Chat <= 3.1.3 - Cross-Site Request Forgery

Affected Software: Wise Chat CVE ID: CVE-2023-32504 CVSS Score: 4.3 (Medium) Researcher/s: Justiice Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/2a9ed6f2-3def-420c-b6d5-6343fcd7b147>


Easy Hide Login <= 1.0.8 - Cross-Site Request Forgery

Affected Software: Easy Hide Login CVE ID: CVE-2023-31075 CVSS Score: 4.3 (Medium) Researcher/s: konagash Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/42fff63c-62ec-466e-9a05-60d76f80039e>


Injection Guard <= 1.2.1 - Cross-Site Request Forgery via ig_update

Affected Software: Injection Guard CVE ID: CVE Unknown CVSS Score: 4.3 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/4a5c4bef-f871-4e6b-9b6e-85079f1233a2>


WP Reactions Lite <= 1.3.8 - Cross-Site Request Forgery via AJAX action

Affected Software: WP Reactions Lite CVE ID: CVE-2023-32587 CVSS Score: 4.3 (Medium) Researcher/s: Lana Codes Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/558b4b31-fd4f-4265-bddc-baf484d48fc5>


Injection Guard <= 1.2.1 - Missing Authorization via ig_update

Affected Software: Injection Guard CVE ID: CVE-2023-32574 CVSS Score: 4.3 (Medium) Researcher/s: Abdi Pranata Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5c6a9cfc-0b30-456e-bac5-4ad79cd08dce>


Web Stories for WordPress <= 1.31.0 - Insufficient Authorization

Affected Software: Web Stories for WordPress CVE ID: CVE-2023-1979 CVSS Score: 4.3 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/63f2e02c-baa4-446c-bf1c-96ce099ad02e>


Complianz - GDPR/CCPA Cookie Consent <= 6.4.4 - Cross-Site Request Forgery via ajax_create_pages

Affected Software: Complianz – GDPR/CCPA Cookie Consent CVE ID: CVE Unknown CVSS Score: 4.3 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/74f92bd4-c752-4620-b506-d7588ff2e586>


Yoast SEO: Local <= 14.8 - Cross-Site Request Forgery

Affected Software: Yoast SEO: Local CVE ID: CVE-2023-28780 CVSS Score: 4.3 (Medium) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7d536acc-b297-4acd-97e2-87eae2e2b95a>


Community by PeepSo <= 6.0.9.0 - Cross-Site Request Forgery to Field Duplication

Affected Software: Community by PeepSo – Social Network, Membership, Registration, User Profiles CVE ID: CVE-2023-32092 CVSS Score: 4.3 (Medium) Researcher/s: Skalucy Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/8a8ac15a-9f9b-4bb8-81a4-1fdd11670a07>


Complianz - GDPR/CCPA Cookie Consent <= 6.4.4 - Cross-Site Request Forgery via ajax_edit_item

Affected Software: Complianz – GDPR/CCPA Cookie Consent CVE ID: CVE Unknown CVSS Score: 4.3 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/8edaf5ce-6a26-44cc-b4d8-e3b0ccfa9c11>


Sunny Search <= 1.0.2 - Cross-Site Request Forgery to Settings Update

Affected Software: Sunny Search CVE ID: CVE-2023-32592 CVSS Score: 4.3 (Medium) Researcher/s: Lokesh Dachepalli Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/9f1902e7-66e9-417f-97ba-4db766cf29f1>


Booking Ultra Pro <= 1.1.4 - Missing Authorization via save_fields_settings

Affected Software: Booking Ultra Pro Appointments Booking Calendar Plugin CVE ID: CVE-2023-32601 CVSS Score: 4.3 (Medium) Researcher/s: Badromance 1337 Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b1c0f8f3-22fe-4139-93bb-0e9bacf9dafb>


Download Manager <= 3.2.70 - Insufficient Authorization to Information Disclosure

Affected Software: Download Manager CVE ID: CVE-2023-1524 CVSS Score: 4.3 (Medium) Researcher/s: Johan Kragt Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b48bc632-c825-48e0-8766-3ac59e5b87c6>


Pro Mime Types <= 1.0.7 - Cross-Site Request Forgery

Affected Software: Pro Mime Types CVE ID: CVE-2023-32502 CVSS Score: 4.3 (Medium) Researcher/s: Nguyen Xuan Chien Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b7db3d45-2b96-4ba4-b258-08ee5e0b947b>


WPCS – WordPress Currency Switcher Professional <= 1.1.9 - Missing Authorization to Arbitrary Custom Drop-Down Currency Switcher Deletion

Affected Software: WPCS – WordPress Currency Switcher Professional CVE ID: CVE-2023-2556 CVSS Score: 4.3 (Medium) Researcher/s: Alex Thomas Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/bc44c95e-9ca0-46d0-8315-72612ef3f855>


SALERT <= 1.2.1 - Missing Authorization via salert_save_settings_with_ajax()

Affected Software: SALERT – Fake Sales Notification WooCommerce CVE ID: CVE-2023-32126 CVSS Score: 4.3 (Medium) Researcher/s: Jonas Höbenreich Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c9e45ae8-e5b5-460b-80f8-de562ae7c56a>


AccessPress Anonymous Post <= 2.8.4 - Authenticated (Contributor+) Arbitrary Redirect

Affected Software: Frontend Post WordPress Plugin – AccessPress Anonymous Post CVE ID: CVE-2022-4946 CVSS Score: 4.3 (Medium) Researcher/s: WPScanTeam Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/cc727156-28dc-4b0a-b777-52a1bbc72f79>


WPCS – WordPress Currency Switcher Professional <= 1.1.9 - Missing Authorization to Arbitrary Custom Drop-Down Currency Switcher Editing

Affected Software: WPCS – WordPress Currency Switcher Professional CVE ID: CVE-2023-2557 CVSS Score: 4.3 (Medium) Researcher/s: Alex Thomas Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d4c79242-5c89-40c0-abcc-c112f7a64a74>


Complianz - GDPR/CCPA Cookie Consent <= 6.4.4 - Cross-Site Request Forgery via run_sync

Affected Software: Complianz – GDPR/CCPA Cookie Consent CVE ID: CVE Unknown CVSS Score: 4.3 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d5c704f9-4fcb-455e-a1c7-f48d47b12dec>


Dyslexiefont Free <= 1.0.0 - Cross-Site Request Forgery

Affected Software: Dyslexiefont Free CVE ID: CVE-2023-32589 CVSS Score: 4.3 (Medium) Researcher/s: Yash Kanchhal Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d75f6c80-ffbf-47a5-9180-5153b705cb28>


WPCS – WordPress Currency Switcher Professional <= 1.1.9 - Missing Authorization to Custom Drop-Down Currency Switcher Creation

Affected Software: WPCS – WordPress Currency Switcher Professional CVE ID: CVE-2023-2555 CVSS Score: 4.3 (Medium) Researcher/s: Alex Thomas Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/dd6b5d6d-5f5b-4b38-a25a-02cc1c041d37>


Complianz - GDPR/CCPA Cookie Consent <= 6.4.4 - Cross-Site Request Forgery via cmplz_duplicate_cookiebanner

Affected Software: Complianz – GDPR/CCPA Cookie Consent CVE ID: CVE Unknown CVSS Score: 4.3 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e7b81559-93a2-4e50-b213-0e22eea8a219>


Whydonate – FREE Donate button <= 3.12.13 - Cross-Site Request Forgery

Affected Software: Whydonate – FREE Donate button – Crowdfunding – Fundraising CVE ID: CVE-2023-29238 CVSS Score: 4.3 (Medium) Researcher/s: easyBug Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ec1461a9-4504-4e60-9e38-a7257666e699>


Google Site Verification plugin using Meta Tag <= 1.2 - Cross-Site Request Forgery

Affected Software: Google Site Verification plugin using Meta Tag CVE ID: CVE-2023-32514 CVSS Score: 4.3 (Medium) Researcher/s: Mika Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ecfdd114-b7bb-45bf-84df-a92f10b2fd81>


Complianz - GDPR/CCPA Cookie Consent <= 6.4.4 - Cross-Site Request Forgery via cmplz_delete_cookiebanner

Affected Software: Complianz – GDPR/CCPA Cookie Consent CVE ID: CVE Unknown CVSS Score: 4.3 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f55af49e-82c8-462b-8c0b-a25e966a27af>


CM On Demand Search And Replace <= 1.3.0 - Cross-Site Request Forgery

Affected Software: CM On Demand Search And Replace CVE ID: CVE-2023-28749 CVSS Score: 4.3 (Medium) Researcher/s: Abdi Pranata Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/fde1157b-5b99-4e9c-9c51-ebaa0eddfd73>


Block Referer Spam <= 1.1.9.4 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Block Referer Spam CVE ID: CVE-2023-32497 CVSS Score: 3.3 (Low) Researcher/s: Taihei Shimamine Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/fd97fba9-513b-46e1-9613-2f64c4272f34>


Active Directory Integration / LDAP Integration <= 4.1.4 - Cross-Site Request Forgery to SQL Injection

Affected Software: Active Directory Integration / LDAP Integration CVE ID: CVE-2023-2599 CVSS Score: 3.1 (Low) Researcher/s: Marco Wotschka Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/74089b16-76fa-4654-9007-3f0c2e894894>


As a reminder, Wordfence has curated an industry-leading vulnerability database of all known WordPress core, theme, and plugin vulnerabilities, known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence's highly credentialed and experienced vulnerability researchers through in-house vulnerability research, through submissions made directly to us by vulnerability researchers using our CVE Request form, and by monitoring a variety of sources to capture all publicly available WordPress vulnerability information, adding additional context where we can.

Click here to sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (May 8, 2023 to May 14, 2023) appeared first on Wordfence.
