Nov 30, 2023 - 3:31 p.m.

Wordfence Intelligence Weekly WordPress Vulnerability Report (November 20, 2023 to November 26, 2023)

Chloe Chamberland
www.wordfence.com
🎉Wordfence just launched its bug bounty program. For the first 6 months, all awarded bounties receive a 10% bonus. View the announcement to learn more now!

Last week, 115 vulnerabilities disclosed in 87 WordPress plugins and 1 WordPress theme were added to the Wordfence Intelligence Vulnerability Database, and 39 vulnerability researchers contributed to WordPress security. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Enterprises, hosting providers, and even individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Alternatively, they can use the Vulnerability Database API to receive a complete dump of our database of over 12,000 vulnerabilities, and then use the webhook integration to stay on top of the newest vulnerabilities added in real time, as well as any updates made to the database, all for free.

_Click here to sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress security reports in your inbox the moment they are published._


Total Unpatched & Patched Vulnerabilities Last Week

| Patch Status | Number of Vulnerabilities |
|---|---|
| Unpatched | 39 |
| Patched | 76 |

Total Vulnerabilities by CVSS Severity Last Week

| Severity Rating | Number of Vulnerabilities |
|---|---|
| Low Severity | 3 |
| Medium Severity | 90 |
| High Severity | 18 |
| Critical Severity | 4 |

Total Vulnerabilities by CWE Type Last Week

| Vulnerability Type by CWE | Number of Vulnerabilities |
|---|---|
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 33 |
| Cross-Site Request Forgery (CSRF) | 26 |
| Missing Authorization | 21 |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 7 |
| Unrestricted Upload of File with Dangerous Type | 5 |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | 4 |
| Information Exposure | 3 |
| Protection Mechanism Failure | 2 |
| Improper Authorization | 2 |
| Guessable CAPTCHA | 2 |
| Improper Privilege Management | 1 |
| Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') | 1 |
| Improper Control of Generation of Code ('Code Injection') | 1 |
| Authorization Bypass Through User-Controlled Key | 1 |
| Exposure of Sensitive Data Through Data Queries | 1 |
| Authentication Bypass Using an Alternate Path or Channel | 1 |
| URL Redirection to Untrusted Site ('Open Redirect') | 1 |
| Unverified Password Change | 1 |
| Incorrect Privilege Assignment | 1 |
| Use of Less Trusted Source | 1 |

Researchers That Contributed to WordPress Security Last Week

| Researcher Name | Number of Vulnerabilities |
|---|---|
| István Márton (Wordfence Vulnerability Researcher) | 14 |
| Rafie Muhammad | 10 |
| Nguyen Xuan Chien | 9 |
| Abdi Pranata | 7 |
| Dave Jong | 6 |
| Mika | 4 |
| Dmitrii Ignatyev | 4 |
| Dimas Maulana | 3 |
| Joshua Chan | 3 |
| Jesse McNeil | 3 |
| thiennv | 3 |
| Ngô Thiên An (ancorn_) | 2 |
| Donato Di Pasquale | 2 |
| Francesco Marano | 2 |
| Dateoljo of BoB 12th | 2 |
| Abu Hurayra (HurayraIIT) | 2 |
| Arvandy | 2 |
| qilin_99 | 2 |
| Skalucy | 2 |
| lttn | 1 |
| Joost Grunwald | 1 |
| Bob Matyas | 1 |
| SeungYongLee | 1 |
| Tien fromVNPT-VCI | 1 |
| DoYeon Park (p6rkdoye0n) | 1 |
| Le Ngoc Anh | 1 |
| Vladislav Pokrovsky (ΞX.MI) | 1 |
| Song Hyun Bae | 1 |
| resecured.io | 1 |
| Naveen Muthusamy | 1 |
| Luqman Hakim Y | 1 |
| minhtuanact | 1 |
| Muhammad Daffa | 1 |
| Myungju Kim | 1 |
| Francesco Carlucci | 1 |
| Huynh Tien Si | 1 |
| Marco Wotschka (Wordfence Vulnerability Researcher) | 1 |
| Phd | 1 |
| Alex Sanford | 1 |

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.


WordPress Plugins with Reported Vulnerabilities Last Week

| Software Name | Software Slug |
|---|---|
| AI ChatBot | chatbot |
| ARI Stream Quiz – WordPress Quizzes Builder | ari-stream-quiz |
| Abandoned Cart Lite for WooCommerce | woocommerce-abandoned-cart |
| Accept Stripe Payments | stripe-payments |
| Analytify – Google Analytics Dashboard For WordPress (GA4 analytics made easy) | wp-analytify |
| Auto Affiliate Links | wp-auto-affiliate-links |
| Autocomplete Location field Contact Form 7 | autocomplete-location-field-contact-form-7 |
| Availability Calendar | availability-calendar |
| Awesome Support – WordPress HelpDesk & Support Plugin | awesome-support |
| BackWPup – WordPress Backup Plugin | backwpup |
| BlossomThemes Email Newsletter | blossomthemes-email-newsletter |
| Booster for WooCommerce | woocommerce-jetpack |
| Bootstrap Shortcodes Ultimate | bs-shortcode-ultimate |
| Broken Link Checker for YouTube | broken-link-checker-for-youtube |
| Bulk Comment Remove | bulk-comment-remove |
| Captcha Code | captcha-code-authentication |
| CataBlog | catablog |
| Chatbot for WordPress ⚡ | collectchat |
| Community by PeepSo – Social Network, Membership, Registration, User Profiles | peepso-core |
| Consensu.io Conformidade e Consentimento de Cookies para LGPD | |
| Contact Form Email | contact-form-to-email |
| Contact Form to Any API | contact-form-to-any-api |
| Debug Log Manager | debug-log-manager |
| Display Custom Post | display-custom-post |
| Drop Shadow Boxes | drop-shadow-boxes |
| Easy Social Feed – Social Photos Gallery – Post Feed – Like Box | easy-facebook-likebox |
| Easy Social Icons | easy-social-icons |
| EventPrime – Events Calendar, Bookings and Tickets | eventprime-event-calendar-management |
| Events Manager | events-manager |
| Export any WordPress data to XML/CSV | wp-all-export |
| Fast Custom Social Share by CodeBard | fast-custom-social-share-by-codebard |
| File Manager – 100% Free & Open Source File Manager Plugin for WordPress | Bit File Manager |
| Floating Action Button | floating-action-button |
| Frontier Post | frontier-post |
| Grab & Save | save-grab |
| HUSKY – Products Filter for WooCommerce Professional | woocommerce-products-filter |
| Hide login page, Hide wp admin – stop attack on login page | hide-login-page |
| Import Spreadsheets from Microsoft Excel | import-spreadsheets-from-microsoft-excel |
| Landing Page Builder – Lead Page – Optin Page – Squeeze Page – WordPress Landing Pages | page-builder-add |
| League Table | league-table-lite |
| License Manager for WooCommerce | license-manager-for-woocommerce |
| Link Whisper Free | link-whisper |
| Login Lockdown – Protect Login Form | login-lockdown |
| Mail Bank – #1 Mail SMTP Plugin for WordPress | wp-mail-bank |
| Maspik – Spam Blacklist | contact-forms-anti-spam |
| MyBookTable Bookstore by Stormhill Media | mybooktable |
| Parallax Image | parallax-image |
| Parcel Pro | woo-parcel-pro |
| PayTR Taksit Tablosu – WooCommerce | paytr-taksit-tablosu-woocommerce |
| Perfmatters | perfmatters |
| Porto Theme - Functionality | porto-functionality |
| Post Meta Data Manager | post-meta-data-manager |
| Preloader for Website | preloader-for-website |
| Quttera Web Malware Scanner | quttera-web-malware-scanner |
| Salon booking system | salon-booking-system |
| Seraphinite Post .DOCX Source | seraphinite-post-docx-source |
| Simple Testimonials Showcase | simple-testimonials-showcase |
| Simply Exclude | simply-exclude |
| SpiderVPlayer | player |
| Super Progressive Web Apps | super-progressive-web-apps |
| Tainacan | tainacan |
| Taxonomy filter | taxonomy-filter |
| Team Members – A WordPress Team Plugin with Gallery, Grid, Carousel, Slider, Table, List, and More | gs-team-members |
| TextMe SMS | textme-sms-integration |
| The Events Calendar | the-events-calendar |
| Theme Editor | theme-editor |
| Theme My Login 2fa | tml-2fa |
| TriPay Payment Gateway | tripay-payment-gateway |
| UPS, Mondial Relay & Chronopost for WooCommerce – WCMultiShipping | wc-multishipping |
| UserPro - Community and User Profile WordPress Plugin | userpro |
| Video PopUp | video-popup |
| WC Vendors – WooCommerce Multi-Vendor, WooCommerce Marketplace, Product Vendors | wc-vendors |
| WCFM Marketplace – Best Multivendor Marketplace for WooCommerce | wc-multivendor-marketplace |
| WP ALL Export Pro | wp-all-export-pro |
| WP Child Theme Generator | wp-child-theme-generator |
| WP Githuber MD – WordPress Markdown Editor | wp-githuber-md |
| WP Mail Log | wp-mail-log |
| WP Roadmap – Product Feedback Board | wp-roadmap |
| Widgets for Google Reviews | wp-reviews-plugin-for-google |
| WordPress Gallery Plugin – NextGEN Gallery | nextgen-gallery |
| WordPress Job Board and Recruitment Plugin – JobWP | jobwp |
| WordPress Pinterest Plugin – Make a Popup, User Profile, Masonry and Gallery Layout | gs-pinterest-portfolio |
| Yoast SEO | wordpress-seo |
| eDoc Employee Job Application – Best WordPress Job Manager for Employees | edoc-employee-application |
| myCred – Points, Rewards, Gamification, Ranks, Badges & Loyalty Plugin | mycred |
| salient-core | salient-core |
| wpForo Forum | wpforo |

WordPress Themes with Reported Vulnerabilities Last Week

| Software Name | Software Slug |
|---|---|
| Enfold - Responsive Multi-Purpose Theme | [enfold](<https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-themes/Enfold - Responsive Multi-Purpose Theme>) |

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site with the scanner enabled, you should already have been notified if your site was affected by any of these vulnerabilities. If you'd like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to use.

UserPro <= 5.1.1 - Authentication Bypass to Administrator

Affected Software: UserPro - Community and User Profile WordPress Plugin
CVE ID: CVE-2023-2437
CVSS Score: 9.8 (Critical)
Researcher/s: István Márton
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b3cf9f38-c20e-40dc-a7a1-65b0c6ba7925>


UserPro <= 5.1.1 - Insecure Password Reset Mechanism

Affected Software: UserPro - Community and User Profile WordPress Plugin
CVE ID: CVE-2023-2449
CVSS Score: 9.8 (Critical)
Researcher/s: István Márton
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/de9be7bc-4f8a-4393-8ebb-1b1f141b7585>


Porto Theme - Functionality <= 2.11.1 - Unauthenticated SQL Injection

Affected Software: Porto Theme - Functionality
CVE ID: CVE-2023-48738
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/fabc7ad3-1d20-493f-aacb-1832d33d8e14>


WP Child Theme Generator <= 1.0.8 - Authenticated (Administrator+) Arbitrary File Upload

Affected Software: WP Child Theme Generator
CVE ID: CVE-2023-47873
CVSS Score: 9.1 (Critical)
Researcher/s: Dateoljo of BoB 12th
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/49fcd2cb-d880-4152-a736-33fd90f07083>


UserPro <= 5.1.1 - Cross-Site Request Forgery to Privilege Escalation

Affected Software: UserPro - Community and User Profile WordPress Plugin
CVE ID: CVE-2023-2440
CVSS Score: 8.8 (High)
Researcher/s: István Márton
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/73600498-f55c-4b8e-a625-4f292e58e0ee>


WP Githuber MD <= 1.16.2 - Authenticated (Author+) Arbitrary File Upload

Affected Software: WP Githuber MD – WordPress Markdown Editor
CVE ID: CVE-2023-47846
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a6fda35d-8b82-4a7a-8db6-21dc38a841f4>


Export any WordPress data to XML/CSV < 1.4.1 & WP ALL Export Pro < 1.8.6 - Cross-Site Request Forgery to Remote Code Execution

Affected Software/s: WP ALL Export Pro, Export any WordPress data to XML/CSV
CVE ID: CVE-2023-5882
CVSS Score: 8.8 (High)
Researcher/s: Donato Di Pasquale, Francesco Marano
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b70e8bce-1793-40f0-bdb1-100cf5f431e9>


Link Whisper Free <= 0.6.5 - Authenticated (Contributor+) SQL Injection

Affected Software: Link Whisper Free
CVE ID: CVE-2023-47852
CVSS Score: 8.8 (High)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c5e26a56-bba0-4204-bcb7-c5ec123a9b2d>


UserPro <= 5.1.4 - Authenticated (Subscriber+) Privilege Escalation

Affected Software: UserPro - Community and User Profile WordPress Plugin
CVE ID: CVE-2023-6009
CVSS Score: 8.8 (High)
Researcher/s: István Márton
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e8bed9c0-dae3-405e-a946-5f28a3c30851>


UserPro <= 5.1.0 - Cross-Site Request Forgery to PHP Object Injection

Affected Software: UserPro - Community and User Profile WordPress Plugin
CVE ID: CVE-2023-2497
CVSS Score: 8.8 (High)
Researcher/s: István Márton
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/fbb601ce-a884-4894-af13-dab14885c7eb>


Export any WordPress data to XML/CSV < 1.4.1 & WP ALL Export Pro < 1.8.6 - Cross-Site Request Forgery to PHAR Deserialization

Affected Software/s: WP ALL Export Pro, Export any WordPress data to XML/CSV
CVE ID: CVE-2023-5886
CVSS Score: 8.8 (High)
Researcher/s: Alex Sanford
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/fdc18341-135b-4522-a9db-510e4c4d9704>


BackWPup <= 4.0.1 - Authenticated (Administrator+) Directory Traversal

Affected Software: BackWPup – WordPress Backup Plugin
CVE ID: CVE-2023-5504
CVSS Score: 8.7 (High)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e830fe1e-1171-46da-8ee7-0a6654153f18>


WordPress Job Board and Recruitment Plugin – JobWP <= 2.1 - Sensitive Information Exposure

Affected Software: WordPress Job Board and Recruitment Plugin – JobWP
CVE ID: CVE-2023-48288
CVSS Score: 7.5 (High)
Researcher/s: Myungju Kim
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c73dbc40-ba54-4836-9bb1-a35f95d5a077>


UserPro <= 5.1.1 - Missing Authorization via multiple functions

Affected Software: UserPro - Community and User Profile WordPress Plugin
CVE ID: CVE-2023-6007
CVSS Score: 7.3 (High)
Researcher/s: István Márton
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6c4f8798-c0f9-4d05-808e-375864a0ad95>


License Manager for WooCommerce <= 2.2.10 - Authenticated (Administrator+) SQL Injection

Affected Software: License Manager for WooCommerce
CVE ID: CVE-2023-48742
CVSS Score: 7.2 (High)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/09597618-8695-4631-8c3b-4e7580d58c86>


Login Lockdown <= 2.06 - Authenticated (Administrator+) SQL Injection

Affected Software: Login Lockdown – Protect Login Form
CVE ID: CVE Unknown
CVSS Score: 7.2 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/09773141-883b-40e3-bd20-d3115c02e023>


WP Mail Log <= 1.1.2 - Authenticated (Editor+) SQL Injection via id

Affected Software: WP Mail Log
CVE ID: CVE Unknown
CVSS Score: 7.2 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/099cc754-6a56-498f-848a-a242733e7fb0>


Salon booking system < 8.7 - Authenticated (Editor+) Privilege Escalation

Affected Software: Salon booking system
CVE ID: CVE-2023-48319
CVSS Score: 7.2 (High)
Researcher/s: lttn
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/0cac7f96-eb64-427d-9a95-b8bf1c675af0>


CataBlog <= 1.7.0 - Authenticated (Editor+) Arbitrary File Upload

Affected Software: CataBlog
CVE ID: CVE-2023-47842
CVSS Score: 7.2 (High)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/18d1ba80-ddf6-4076-bc78-78647b964bcf>


WC Vendors Marketplace <= 2.4.7 - Authenticated (Shop manager+) SQL Injection via search dates

Affected Software: WC Vendors – WooCommerce Multi-Vendor, WooCommerce Marketplace, Product Vendors
CVE ID: CVE-2023-48327
CVSS Score: 7.2 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/64f879af-aa8f-4edf-8369-ca032603d529>


Theme Editor <= 2.7.1 - Authenticated (Administrator+) Arbitrary File Upload

Affected Software: Theme Editor
CVE ID: CVE-2023-6091
CVSS Score: 7.2 (High)
Researcher/s: Dateoljo of BoB 12th
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a6ede290-a6c4-4c13-872b-60c9601d39db>


ChatBot <= 4.7.8 - Authenticated (Administrator+) SQL Injection

Affected Software: AI ChatBot
CVE ID: CVE-2023-48741
CVSS Score: 7.2 (High)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/db1bb11d-4752-42d0-b538-2d2a4c827226>


Quttera Web Malware Scanner <= 3.4.1.48 - Authenticated (Administrator+) Directory Traversal via ShowFile

Affected Software: Quttera Web Malware Scanner
CVE ID: CVE-2023-6222
CVSS Score: 6.8 (Medium)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a9992d0d-7c6e-4184-8f48-1515d50cc028>


Widgets for Google Reviews <= 11.0.2 - Authenticated (Editor+) Arbitrary File Upload

Affected Software: Widgets for Google Reviews
CVE ID: CVE-2023-48275
CVSS Score: 6.6 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/504c0132-530b-4184-b19a-97e68df79b48>


UserPro <= 5.1.1 - Sensitive Information Disclosure via Shortcode

Affected Software: UserPro - Community and User Profile WordPress Plugin
CVE ID: CVE-2023-2446
CVSS Score: 6.5 (Medium)
Researcher/s: István Márton
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/4072ba5f-6385-4fa3-85b6-89dac7b60a92>


UserPro <= 5.1.4 - Missing Authorization to Arbitrary Shortcode Execution via userpro_shortcode_template

Affected Software: UserPro - Community and User Profile WordPress Plugin
CVE ID: CVE-2023-2448
CVSS Score: 6.5 (Medium)
Researcher/s: István Márton
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7cbe9175-4a6f-4eb6-8d31-9a9fda9b4f40>


CataBlog <= 1.7.0 - Authenticated (Editor+) Arbitrary File Deletion

Affected Software: CataBlog
CVE ID: CVE-2023-47843
CVSS Score: 6.5 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/8794854d-e931-4a85-b767-2ab81bfcb780>


Contact Form to Any API <= 1.1.6 - Missing Authorization via delete_cf7_records()

Affected Software: Contact Form to Any API
CVE ID: CVE-2023-47871
CVSS Score: 6.5 (Medium)
Researcher/s: Arvandy
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d4a7c647-4c57-499a-8e46-ca273985bd6d>


Display Custom Post <= 2.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Display Custom Post
CVE ID: CVE-2023-48317
CVSS Score: 6.4 (Medium)
Researcher/s: Tien fromVNPT-VCI
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/18531eed-3150-424c-970c-5975afe7546a>


Bootstrap Shortcodes Ultimate <= 4.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Bootstrap Shortcodes Ultimate
CVE ID: CVE-2023-47851
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/2e93efec-371c-4050-b24b-e5e978059549>


Salient Core <= 2.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: salient-core
CVE ID: CVE-2023-48749
CVSS Score: 6.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/316ffb37-47fe-47c4-8a81-5794fa12ce33>


Export any WordPress data to XML/CSV < 1.4.1 & WP ALL Export Pro < 1.8.6 - Authenticated (Admin+) Remote Code Execution

Affected Software/s: WP ALL Export Pro, Export any WordPress data to XML/CSV
CVE ID: CVE-2023-4724
CVSS Score: 6.4 (Medium)
Researcher/s: Donato Di Pasquale, Francesco Marano
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/43f976ee-cba7-4f5d-b9c6-a6f66c0011d2>


EventPrime – Modern Events Calendar, Bookings and Tickets <= 3.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: EventPrime – Events Calendar, Bookings and Tickets
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5124be64-6679-4dc5-8117-55c73ae91489>


Parallax Image <= 1.7.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Parallax Image
CVE ID: CVE-2023-47854
CVSS Score: 6.4 (Medium)
Researcher/s: resecured.io
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/55cd02d1-7b06-427b-840b-3ced73ad4a74>


wpForo Forum <= 2.2.3 - Authenticated (Subscriber+) Stored Cross-Site Scripting

Affected Software: wpForo Forum
CVE ID: CVE-2023-47872
CVSS Score: 6.4 (Medium)
Researcher/s: Jesse McNeil
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5607a60e-a04a-4d28-bb04-bdacf8e97c56>


Video PopUp <= 1.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Video PopUp
CVE ID: CVE-2023-4962
CVSS Score: 6.4 (Medium)
Researcher/s: István Márton
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/670ea03e-2f76-48a4-9f40-bc4cfd987a89>


Community by PeepSo <= 6.2.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Community by PeepSo – Social Network, Membership, Registration, User Profiles
CVE ID: CVE-2023-47850
CVSS Score: 6.4 (Medium)
Researcher/s: Abu Hurayra (HurayraIIT)
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/826e7e0a-79b1-4828-8eeb-159ef3cc2c65>


Easy Social Icons <= 3.2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Affected Software: Easy Social Icons
CVE ID: CVE-2023-48336
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ab888ee1-bdc2-4b8b-9b16-a7d146f123df>


Drop Shadow Boxes <= 1.7.13 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Drop Shadow Boxes
CVE ID: CVE-2023-5469
CVSS Score: 6.4 (Medium)
Researcher/s: István Márton
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c0b3911c-a960-4f28-b289-389b26282741>


GS Team Members <= 2.2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Team Members – A WordPress Team Plugin with Gallery, Grid, Carousel, Slider, Table, List, and More
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c146f89c-5df3-4aaf-b880-0ce6016dfb6d>


myCred <= 2.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: myCred – Points, Rewards, Gamification, Ranks, Badges & Loyalty Plugin
CVE ID: CVE-2023-47853
CVSS Score: 6.4 (Medium)
Researcher/s: Abu Hurayra (HurayraIIT)
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c4067e03-427c-4b03-a250-0354572ae361>


Perfmatters < 2.2.0 - Authenticated (Subscriber+) Stored Cross-Site Scripting

Affected Software: Perfmatters
CVE ID: CVE-2023-47877
CVSS Score: 6.4 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/cc4a7efd-f4f4-44a7-bd55-a6ae3a1d3521>


Import Spreadsheets from Microsoft Excel <= 10.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Import Spreadsheets from Microsoft Excel
CVE ID: CVE-2023-48289
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d337e39c-3a3d-4465-bc40-77f0b27aeab2>


WCFM Marketplace <= 3.6.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: WCFM Marketplace – Best Multivendor Marketplace for WooCommerce
CVE ID: CVE-2023-4960
CVSS Score: 6.4 (Medium)
Researcher/s: István Márton
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f99e9f01-cc98-4af5-bb95-f56f6a550e96>


UserPro <= 5.1.1 - Cross-Site Request Forgery via multiple functions

Affected Software: UserPro - Community and User Profile WordPress Plugin
CVE ID: CVE-2023-6008
CVSS Score: 6.3 (Medium)
Researcher/s: István Márton
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ed6e2b9e-3d70-4c07-a779-45164816b89c>


UserPro <= 5.1.1 - Cross-Site Request Forgery to Sensitive Information Exposure

Affected Software: UserPro - Community and User Profile WordPress Plugin
CVE ID: CVE-2023-2447
CVSS Score: 6.1 (Medium)
Researcher/s: István Márton
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/0372efe4-b5be-4601-be43-5c12332ea1a5>


Enfold <= 5.6.4 - Reflected Cross-Site Scripting

Affected Software: Enfold - Responsive Multi-Purpose Theme
CVE ID: CVE-2023-38400
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/100b700f-8812-48be-8a04-28f60a57b35f>


Grab & Save <= 1.0.4 - Reflected Cross-Site Scripting

Affected Software: Grab & Save
CVE ID: CVE-2023-47844
CVSS Score: 6.1 (Medium)
Researcher/s: Dimas Maulana
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/2baab094-5ece-41a2-821a-b594a2c2327e>


Simply Exclude <= 2.0.6.6 - Reflected Cross-Site Scripting

Affected Software: Simply Exclude
CVE ID: CVE-2023-48743
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/2f9a3883-9755-4de8-9d60-113238b3c0ac>


Perfmatters <= 2.1.6 - Reflected Cross-Site Scripting

Affected Software: Perfmatters
CVE ID: CVE-2023-47876
CVSS Score: 6.1 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/612fb73f-e488-453f-a2a4-32969f91122b>


UserPro <= 5.1.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting via userpro_save_userdata

Affected Software: UserPro - Community and User Profile WordPress Plugin
CVE ID: CVE-2023-2438
CVSS Score: 6.1 (Medium)
Researcher/s: István Márton
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7d30adc5-27a5-4549-84fc-b930f27f03e5>


Tainacan <= 0.20.4 - Reflected Cross-Site Scripting

Affected Software: Tainacan
CVE ID: CVE-2023-47848
CVSS Score: 6.1 (Medium)
Researcher/s: Dimas Maulana
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7f192811-378b-422d-8086-9a957b464bb7>


Events Manager <= 6.4.5 - Reflected Cross-Site Scripting

Affected Software: Events Manager
CVE ID: CVE-2023-48326
CVSS Score: 6.1 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/9053cf91-0af1-44f8-9fdf-7ecbd457545b>


Salient Core <= 2.0.2 - Reflected Cross-Site Scripting

Affected Software: salient-core
CVE ID: CVE-2023-48748
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b1ae1b28-ea9e-4446-8b03-b5a8eaac1042>


eDoc Employee Job Application <= 1.13 - Reflected Cross-Site Scripting

Affected Software: eDoc Employee Job Application – Best WordPress Job Manager for Employees
CVE ID: CVE-2023-48322
CVSS Score: 6.1 (Medium)
Researcher/s: Unknown
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/cbfbd7c2-7a46-4292-9173-f90298a7fcc4>


Maspik – Spam blacklist <= 0.9.2 - Unauthenticated Stored Cross-Site Scripting via efas_add_to_log

Affected Software: Maspik – Spam Blacklist
CVE ID: CVE-2023-48272
CVSS Score: 6.1 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e8db52ce-fbc3-4fe1-b9b4-cb2ce7d88a67>


Community by PeepSo <= 6.2.6.0 - Reflected Cross-Site Scripting

Affected Software: Community by PeepSo – Social Network, Membership, Registration, User Profiles
CVE ID: CVE-2023-48746
CVSS Score: 6.1 (Medium)
Researcher/s: Phd
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/fda1be79-ba45-4e8f-bfc3-355f9cdbad82>


Yoast SEO <= 21.0 - Authenticated (Seo Manager+) Stored Cross-Site Scripting

Affected Software: Yoast SEO
CVE ID: CVE-2023-40680
CVSS Score: 5.5 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/385a82ff-50ad-4787-845b-fb5f639f6466>


Theme My Login 2FA < 1.2 - 2FA Bypass via Brute Force

Affected Software: Theme My Login 2fa
CVE ID: CVE-2023-6272
CVSS Score: 5.4 (Medium)
Researcher/s: Joost Grunwald
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/1398e296-9b20-4f8e-85f2-896888abc67e>


Porto Theme - Functionality <= 2.11.1 - Missing Authorization

Affected Software: Porto Theme - Functionality
CVE ID: CVE-2023-48739
CVSS Score: 5.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/0e1300be-07e3-44b6-9ced-a16825274d22>


BlossomThemes Email Newsletter <= 2.2.4 - Missing Authorization

Affected Software: BlossomThemes Email Newsletter
CVE ID: CVE-2023-47849
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/1e98b763-29b9-435d-a436-d4df64234b4d>


Quttera Web Malware Scanner <= 3.4.1.48 - Sensitive Data Exposure

Affected Software: Quttera Web Malware Scanner
CVE ID: CVE-2023-6065
CVSS Score: 5.3 (Medium)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/2163af55-1ea4-4c60-b9f0-baf99297c6bc>


Accept Stripe Payments <= 2.0.79 - Unauthenticated Content Injection

Affected Software: Accept Stripe Payments
CVE ID: CVE-2023-48285
CVSS Score: 5.3 (Medium)
Researcher/s: Joshua Chan
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/2f499d5e-eb27-4611-af27-ac9fd6a9f044>


Accept Stripe Payments <= 2.0.79 - Insecure Direct Object Reference

Affected Software: Accept Stripe Payments
CVE ID: CVE-2023-48286
CVSS Score: 5.3 (Medium)
Researcher/s: Joshua Chan
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/44d14692-d90a-45f9-afb4-0666ce4b3397>


Preloader for Website <= 1.2.2 - Missing Authorization via plwao_register_settings()

Affected Software: Preloader for Website
CVE ID: CVE-2023-48273
CVSS Score: 5.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5cfc38c0-f940-4c4d-ba7b-0d772146ea2d>


Hide login page <= 1.1.7 - Login Page Disclosure

Affected Software: Hide login page, Hide wp admin – stop attack on login page
CVE ID: CVE-2023-48335
CVSS Score: 5.3 (Medium)
Researcher/s: Naveen Muthusamy
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6d3cff57-ea8a-4082-bc05-d62b9d92f0e6>


The Events Calendar <= 6.2.8 - Information Disclosure

Affected Software: The Events Calendar
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/8291fd89-aea1-4f7b-abd8-dee8438c3ed5>


PayTR Taksit Tablosu <= 1.3.1 - Missing Authorization

Affected Software: PayTR Taksit Tablosu – WooCommerce
CVE ID: CVE-2023-47847
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/8bfefe86-b25e-4ffe-9beb-28dc22a99d62>


Perfmatters <= 2.1.6 - Missing Authorization

Affected Software: Perfmatters
CVE ID: CVE-2023-47874
CVSS Score: 5.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b078e446-61e7-4ce1-b9a9-480ccc388c72>


Captcha Code <= 2.8 - Captcha Bypass

Affected Software: Captcha Code
CVE ID: CVE-2023-48745
CVSS Score: 5.3 (Medium)
Researcher/s: qilin_99
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b1dd3845-a88d-41aa-acf4-66fd1a6819ff>


Contact Form Email <= 1.3.41 - Captcha Bypass

Affected Software: Contact Form Email
CVE ID: CVE-2023-48318
CVSS Score: 5.3 (Medium)
Researcher/s: qilin_99
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b637ebfd-c273-428b-985c-6f5b6a03f263>


Super Progressive Web Apps <= 2.2.21 - Missing Authorization

Affected Software: Super Progressive Web Apps
CVE ID: CVE-2023-48277
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d36e869a-5bd4-4f59-8e28-01fa586024c5>


Maspik – Spam blacklist <= 0.10.1 - Bypass

Affected Software: Maspik – Spam Blacklist
CVE ID: CVE-2023-48271
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f3a8273e-2439-4138-941e-379d130e0c74>


Consensu.io <= 1.0.2 - Missing Authorization via update_config_db()

Affected Software: Consensu.io | Conformidade e Consentimento de Cookies para LGPD
CVE ID: CVE-2023-48280
CVSS Score: 5.3 (Medium)
Researcher/s: Skalucy
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/fc1963cc-7e9e-4998-8338-c3e83b70d441>


Autocomplete Location field Contact Form 7 <= 2.0 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Autocomplete Location field Contact Form 7
CVE ID: CVE-2023-5005
CVSS Score: 4.4 (Medium)
Researcher/s: Bob Matyas
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/13fd7509-6d61-4eb0-9f85-cc40e074b819>


Video Player <= 1.5.22 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: SpiderVPlayer
CVE ID: CVE-2023-48320
CVSS Score: 4.4 (Medium)
Researcher/s: SeungYongLee
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/1627ec2a-f91d-4ed7-acb8-a3fb63b45731>


WP Roadmap <= 1.0.8 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: WP Roadmap – Product Feedback Board
CVE ID: CVE-2023-41128
CVSS Score: 4.4 (Medium)
Researcher/s: DoYeon Park (p6rkdoye0n)
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/24fc2554-375a-4216-91bf-41921cc4b436>


Fast Custom Social Share by CodeBard <= 1.1.1 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Fast Custom Social Share by CodeBard
CVE ID: CVE-2023-48329
CVSS Score: 4.4 (Medium)
Researcher/s: Song Hyun Bae
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/3eece451-65a3-4c9d-a8eb-05f6f3e2d1d5>


TriPay Payment Gateway <= 3.2.7 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: TriPay Payment Gateway
CVE ID: CVE-2023-48737
CVSS Score: 4.4 (Medium)
Researcher/s: Luqman Hakim Y
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/946add6f-4cd5-4c55-9399-a782140f217c>


Chatbot for WordPress <= 2.3.9 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Chatbot for WordPress ⚡
CVE ID: CVE-2023-5691
CVSS Score: 4.4 (Medium)
Researcher/s: Huynh Tien Si
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/dfd67329-11b1-4f00-a422-bb4833a3181d>


Booster for WooCommerce <= 7.1.2 - Missing Authorization to Product Creation/Modification

Affected Software: Booster for WooCommerce
CVE ID: CVE-2023-48747
CVSS Score: 4.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/00ec2f57-48ee-49ea-ae8f-e7b24bf4535c>


MyBookTable Bookstore <= 3.3.3 - Cross-Site Request Forgery

Affected Software: MyBookTable Bookstore by Stormhill Media
CVE ID: CVE-2023-48331
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/02b336ce-be41-4343-9817-0437bd2685c2>


Auto Affiliate Links <= 6.4.2.5 - Cross-Site Request Forgery

Affected Software: Auto Affiliate Links
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/17453fa5-af14-477b-9b3d-b245511ad8ce>


Frontier Post <= 6.1 - Cross-Site Request Forgery

Affected Software: Frontier Post
CVE ID: CVE-2023-6137
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/24ef5844-93d6-4ba3-bd0a-b8837bbd7baf>


Mail Bank - #1 Mail SMTP Plugin for WordPress <= 4.0.14 - Missing Authorization

Affected Software: Mail Bank – #1 Mail SMTP Plugin for WordPress
CVE ID: CVE-2023-48332
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/31a3a3c1-be0e-46d5-9fa3-563febc5569b>


NextGEN Gallery <= 3.37 - Cross-Site Request Forgery

Affected Software: WordPress Gallery Plugin – NextGEN Gallery
CVE ID: CVE-2023-48328
CVSS Score: 4.3 (Medium)
Researcher/s: Vladislav Pokrovsky (ΞX.MI)
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/3354b925-2e4a-4ee5-b436-2c1a502b1725>


Debug Log Manager <= 2.2.1 - Missing Authorization

Affected Software: Debug Log Manager
CVE ID: CVE-2023-6136
CVSS Score: 4.3 (Medium)
Researcher/s: Dmitrii Ignatyev, Joshua Chan
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/33a54cae-0fa3-4c25-bf81-8423f5e01e84>


wpForo Forum <= 2.2.5 - Cross-Site Request Forgery via logout()

Affected Software: wpForo Forum
CVE ID: CVE-2023-47870
CVSS Score: 4.3 (Medium)
Researcher/s: Jesse McNeil
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/3bce40ee-c378-4a44-9c5d-d83151975309>


GS Pins for Pinterest Lite <= 1.8.0 - Missing Authorization via _update_shortcode

Affected Software: WordPress Pinterest Plugin – Make a Popup, User Profile, Masonry and Gallery Layout
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/3f81003b-8214-4fa3-960f-81b166623de9>


Bulk Comment Remove <= 2 - Cross-Site Request Forgery via brc_admin()

Affected Software: Bulk Comment Remove
CVE ID: CVE-2023-48330
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/42303b60-cbb5-4176-94f9-b2ed29f59cc8>


Floating Action Button <= 1.2.1 - Cross-Site Request Forgery

Affected Software: Floating Action Button
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/42b2d840-4e8b-4027-ab3b-78b17c9ed9aa>


Availability Calendar <= 1.2.6 - Cross-Site Request Forgery via add_availability_calendar_create_admin_page()

Affected Software: Availability Calendar
CVE ID: CVE-2023-48744
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/4b13388b-19f9-4f5c-9599-efd6ccf978c8>


WCMultiShipping <= 2.3.5 - Missing Authorization to Log Export

Affected Software: UPS, Mondial Relay & Chronopost for WooCommerce – WCMultiShipping
CVE ID: CVE-2023-48274
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/4b19657c-3e95-42cf-8d1a-64fa50b3b82b>


Awesome Support <= 6.1.4 - Missing Authorization via wpas_edit_reply_ajax()

Affected Software: Awesome Support – WordPress HelpDesk & Support Plugin
CVE ID: CVE-2023-48324
CVSS Score: 4.3 (Medium)
Researcher/s: thiennv
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/4dec91d7-19cf-480d-871c-427cd1e691a6>


Awesome Support <= 6.1.4 - Cross-Site Request Forgery via wpas_edit_reply_ajax()

Affected Software: Awesome Support – WordPress HelpDesk & Support Plugin
CVE ID: CVE-2023-48323
CVSS Score: 4.3 (Medium)
Researcher/s: thiennv
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/579b887a-4140-4e12-9a9a-ba52d212b8a2>


wpForo Forum <= 2.2.5 - Missing Authorization

Affected Software: wpForo Forum
CVE ID: CVE-2023-47869
CVSS Score: 4.3 (Medium)
Researcher/s: Jesse McNeil
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/71078aaf-9803-4b46-bc94-dbcb43745629>


Grab & Save <= 1.0.4 - Cross-Site Request Forgery

Affected Software: Grab & Save
CVE ID: CVE-2023-47845
CVSS Score: 4.3 (Medium)
Researcher/s: Dimas Maulana
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7cd4b1da-faee-4c4e-b323-e77c4c033149>


Perfmatters <= 2.1.6 - Cross-Site Request Forgery

Affected Software: Perfmatters
CVE ID: CVE-2023-47875
CVSS Score: 4.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/95f5b4df-5214-4f36-8dd5-a1a816fbc3db>


Broken Link Checker for YouTube <= 1.3 - Cross-Site Request Forgery via plugin_settings_page()

Affected Software: Broken Link Checker for YouTube
CVE ID: CVE-2023-48281
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/9993d84e-7337-4eda-af3c-039b6d8c8fe6>


TextMe SMS <= 1.15.20 - Missing Authorization via tetxme_update_option_page()

Affected Software: TextMe SMS
CVE ID: CVE-2023-48287
CVSS Score: 4.3 (Medium)
Researcher/s: Arvandy
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/9fb4ad52-a0b2-4645-bf0d-132b4ce8a0a1>


Easy Social Feed <= 6.5.1 - Missing Authorization via hide_free_sidebar()

Affected Software: Easy Social Feed – Social Photos Gallery – Post Feed – Like Box
CVE ID: CVE-2023-48740
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a4ffb3ef-9d77-463f-92c4-4bc799ac16aa>


Simple Testimonials Showcase <= 1.1.5 - Cross-Site Request Forgery

Affected Software: Simple Testimonials Showcase
CVE ID: CVE-2023-48283
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b6008237-e4a8-4757-ae14-ac20c6f1b0af>


ARI Stream Quiz <= 1.2.32 - Cross-Site Request Forgery

Affected Software: ARI Stream Quiz – WordPress Quizzes Builder
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b758c8a7-6220-4b54-af88-7933a530b5ba>


Landing Page Builder <= 1.5.1.5 - Open Redirect

Affected Software: Landing Page Builder – Lead Page – Optin Page – Squeeze Page – WordPress Landing Pages
CVE ID: CVE-2023-48325
CVSS Score: 4.3 (Medium)
Researcher/s: minhtuanact
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c1a4d8a3-5553-4b1c-b0f8-d6a372de3692>


HUSKY – Products Filter for WooCommerce (formerly WOOF) <= 1.3.4.2 - Missing Authorization via woof_meta_get_keys()

Affected Software: HUSKY – Products Filter for WooCommerce Professional
CVE ID: CVE-2023-40334
CVSS Score: 4.3 (Medium)
Researcher/s: thiennv
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d00edaf1-2a97-4000-afd9-432ca8fa3df4>


Post Meta Data Manager <= 1.2.1 - Cross-Site Request Forgery to Post, Term, and User Meta Deletion

Affected Software: Post Meta Data Manager
CVE ID: CVE-2023-5776
CVSS Score: 4.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d49b8c44-4dad-4990-a8a8-116b424a7dfa>


Analytify Dashboard <= 5.1.1 - Cross-Site Request Forgery

Affected Software: Analytify – Google Analytics Dashboard For WordPress (GA4 analytics made easy)
CVE ID: CVE-2023-47841
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d7362f3f-c5d9-4ba0-b9c3-282c58861e2f>


Booster for WooCommerce <= 7.1.1 - Missing Authorization to Authenticated (Subscriber+) Order Information Disclosure

Affected Software: Booster for WooCommerce
CVE ID: CVE-2023-48333
CVSS Score: 4.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d94661c1-2d70-4943-9452-b51a76116ebb>


WooCommerce Parcel Pro <= 1.6.11 - Cross-Site Request Forgery

Affected Software: Parcel Pro
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/dbf54852-f3fe-4c9e-9348-44a73f9a8131>


Seraphinite Post .DOCX Source <= 2.16.6 - Cross-Site Request Forgery

Affected Software: Seraphinite Post .DOCX Source
CVE ID: CVE-2023-48279
CVSS Score: 4.3 (Medium)
Researcher/s: Skalucy
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/dfcc2ab2-504d-4151-9435-618e317ce95c>


Taxonomy filter <= 2.2.9 - Cross-Site Request Forgery via taxonomy_filter_save_main_settings()

Affected Software: Taxonomy filter
CVE ID: CVE-2023-48282
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e74ff260-48af-4fc2-80d8-1ff2403f8f33>


League Table <= 1.13 - Cross-Site Request Forgery

Affected Software: League Table
CVE ID: CVE-2023-48334
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ef7ec175-cee5-4559-909d-ee689158d67c>


Abandoned Cart Lite for WooCommerce <= 5.16.0 - Improper Authorization via wcal_preview_emails

Affected Software: Abandoned Cart Lite for WooCommerce
CVE ID: CVE Unknown
CVSS Score: 3.7 (Low)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/4edbfeee-b668-4a85-a030-c15d6583dc82>


Abandoned Cart Lite for WooCommerce <= 5.16.0 - Improper Authorization via wcal_delete_expired_used_coupon_code

Affected Software: Abandoned Cart Lite for WooCommerce
CVE ID: CVE Unknown
CVSS Score: 3.1 (Low)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/52d1f9a3-243e-4e2c-a752-f40b6d275121>


File Manager <= 6.3 - Authenticated (Admin+) Arbitrary OS File Access via Path Traversal

Affected Software: File Manager – 100% Free & Open Source File Manager Plugin for WordPress | Bit File Manager
CVE ID: CVE-2023-5907
CVSS Score: 2.2 (Low)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/640b1800-3b59-4b06-a803-08cb76d62d99>


As a reminder, Wordfence has curated an industry-leading vulnerability database, known as Wordfence Intelligence, covering all known WordPress core, theme, and plugin vulnerabilities.

This database is continuously updated, maintained, and populated by Wordfence's highly credentialed and experienced vulnerability researchers through in-house vulnerability research, through vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring various sources to capture all publicly available WordPress vulnerability information, adding additional context where we can.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (November 20, 2023 to November 26, 2023) appeared first on Wordfence.
