Wordfence Intelligence Weekly WordPress Vulnerability Report (May 29, 2023 to June 4, 2023)

2023-06-08 13:39:51
Chloe Chamberland
www.wordfence.com

Last week, 116 vulnerabilities disclosed in 88 WordPress plugins and 3 WordPress themes were added to the Wordfence Intelligence Vulnerability Database, and 35 vulnerability researchers contributed to WordPress security. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, including the WordPress community, so that individuals and organizations alike can use that data to make the internet more secure. That is why the Wordfence Intelligence user interface and vulnerability API are completely free to access and use, both personally and commercially, and why we publish this weekly vulnerability report.

_Sign up for our mailing list to receive weekly vulnerability reports like this one, along with important WordPress security reports, in your inbox the moment they are published._


New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive the same rules after a 30-day delay.


Total Unpatched & Patched Vulnerabilities Last Week

| Patch Status | Number of Vulnerabilities |
|---|---|
| Unpatched | 68 |
| Patched | 48 |

Total Vulnerabilities by CVSS Severity Last Week

| Severity Rating | Number of Vulnerabilities |
|---|---|
| Low Severity | 3 |
| Medium Severity | 93 |
| High Severity | 16 |
| Critical Severity | 4 |

Total Vulnerabilities by CWE Type Last Week

| Vulnerability Type by CWE | Number of Vulnerabilities |
|---|---|
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 36 |
| Cross-Site Request Forgery (CSRF) | 35 |
| Missing Authorization | 22 |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 6 |
| Improper Input Validation | 2 |
| Improper Authorization | 2 |
| Authorization Bypass Through User-Controlled Key | 2 |
| Authentication Bypass Using an Alternate Path or Channel | 2 |
| URL Redirection to Untrusted Site ('Open Redirect') | 1 |
| Improper Privilege Management | 1 |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') | 1 |
| Insufficient Verification of Data Authenticity | 1 |
| Server-Side Request Forgery (SSRF) | 1 |
| Use of Less Trusted Source | 1 |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | 1 |
| Deserialization of Untrusted Data | 1 |
| Improper Control of Generation of Code ('Code Injection') | 1 |

Researchers That Contributed to WordPress Security Last Week

| Researcher Name | Number of Vulnerabilities |
|---|---|
| Lana Codes (Wordfence Vulnerability Researcher) | 22 |
| Jonas Höbenreich | 13 |
| Mika | 7 |
| Rafie Muhammad | 7 |
| yuyudhn | 6 |
| LEE SE HYOUNG | 6 |
| thiennv | 6 |
| Alex Thomas (Wordfence Vulnerability Researcher) | 4 |
| Yuki Haruma | 3 |
| Ramuel Gall (Wordfence Vulnerability Researcher) | 2 |
| Dave Jong | 2 |
| Rafshanzani Suhada | 2 |
| Nguyen Xuan Chien | 2 |
| Rio Darmawan | 2 |
| Dongzhu Li | 2 |
| Emili Castells | 2 |
| Jerome Bruandet | 2 |
| Juampa Rodríguez | 1 |
| Le Hong Minh | 1 |
| Justiice | 1 |
| Skalucy | 1 |
| Elliot | 1 |
| 40826d | 1 |
| Francesco Carlucci | 1 |
| konagash | 1 |
| TomS | 1 |
| Hamed | 1 |
| Le Ngoc Anh | 1 |
| Miguel Neto | 1 |
| TaeEun Lee | 1 |
| Vinay Kumar | 1 |
| Marco Wotschka (Wordfence Vulnerability Researcher) | 1 |
| Taihei Shimamine | 1 |
| minhtuanact | 1 |
| Mateus Machado Tesser | 1 |

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your discoveries to us will also get your name added to the Wordfence Intelligence leaderboard, along with a mention in our weekly vulnerability report.


WordPress Plugins with Reported Vulnerabilities Last Week

| Software Name | Software Slug |
|---|---|
| Ajax Pagination and Infinite Scroll | malinky-ajax-pagination |
| B2BKing — Ultimate WooCommerce Wholesale and B2B Solution — Wholesale Order Form, Catalog Mode, Dynamic Pricing & More | b2bking-wholesale-for-woocommerce |
| BBS e-Popup | bbs-e-popup |
| Blog-in-Blog | blog-in-blog |
| Brizy – Page Builder | brizy |
| CRM Perks Forms – WordPress Form Builder | crm-perks-forms |
| CRM and Lead Management by vcita | crm-customer-relationship-management-by-vcita |
| Call Now Accessibility Button | accessibility-help-button |
| Call Now Icon Animate | call-now-icon-animate |
| Cart2Cart: Magento to WooCommerce Migration | cart2cart-magento-to-woocommerce-migration |
| Change WooCommerce Add To Cart Button Text | change-woocommerce-add-to-cart-button-text |
| Chilexpress woo oficial | chilexpress-oficial |
| Complianz – GDPR/CCPA Cookie Consent | complianz-gdpr |
| Conditional shipping & Advanced Flat rate shipping rates / Flexible shipping for WooCommerce shipping | advanced-free-flat-shipping-woocommerce |
| Constant Contact Forms | constant-contact-forms |
| Contact Form Builder by vcita | contact-form-with-a-meeting-scheduler-by-vcita |
| Contact Form and Calls To Action by vcita | lead-capturing-call-to-actions-by-vcita |
| Custom Login Page Temporary Users | |
| Directorist – WordPress Business Directory Plugin with Classified Ads Listings | directorist |
| Disable WordPress Update Notifications and auto-update Email Notifications | disable-update-notifications |
| Display post meta, term meta, comment meta, and user meta | display-metadata |
| Donation Platform for WooCommerce: Fundraising & Donation Management | wc-donation-platform |
| Download Monitor | download-monitor |
| Dynamic QR Code Generator | dynamic-qr-code-generator |
| Dynamic Visibility for Elementor | dynamic-visibility-for-elementor |
| Event Registration Calendar By vcita | event-registration-calendar-by-vcita |
| Extended Post Status | extended-post-status |
| Favorites | favorites |
| File Manager Advanced Shortcode WordPress | file-manager-advanced-shortcode |
| Floating Action Button | floating-action-button |
| Formidable Forms – Contact Form, Survey, Quiz, Calculator & Custom Form Builder | formidable |
| GDPR Cookie Consent Notice Box | cookie-consent-box |
| Google Fonts For WordPress | free-google-fonts |
| Gravityforms | gravityforms |
| Headless CMS | headless-cms |
| Interactive Image Map Plugin – Draw Attention | draw-attention |
| JS Job Manager | js-jobs |
| Jetpack – WP Security, Backup, Speed, & Growth | jetpack |
| Kanban Boards for WordPress | kanban |
| Kebo Twitter Feed | kebo-twitter-feed |
| LH Password Changer | lh-password-changer |
| LWS Hide Login | lws-hide-login |
| Login Configurator | login-configurator |
| Nested Pages | wp-nested-pages |
| Online Booking & Scheduling Calendar for WordPress by vcita | meeting-scheduler-by-vcita |
| Online Payments – Get Paid with PayPal, Square & Stripe | paypal-payment-button-by-vcita |
| Page Builder with Image Map by AZEXO | page-builder-by-azexo |
| Photo Gallery by 10Web – Mobile-Friendly Image Gallery | photo-gallery |
| Quick/Bulk Order Form for WooCommerce | woocommerce-bulk-order-form |
| ReviewX – Multi-criteria Rating & Reviews for WooCommerce | reviewx |
| Social Media Share Buttons & Social Sharing Icons | ultimate-social-media-icons |
| Social Share, Social Login and Social Comments Plugin – Super Socializer | super-socializer |
| SpamReferrerBlock | spamreferrerblock |
| TPG Redirect | tpg-redirect |
| TS Webfonts for さくらのレンタルサーバ | ts-webfonts-for-sakura |
| Telegram Bot & Channel | telegram-bot |
| Tutor LMS – eLearning and online course solution | tutor |
| Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin | ultimate-member |
| Uncanny Toolkit for LearnDash | uncanny-learndash-toolkit |
| Unite Gallery Lite | unite-gallery-lite |
| User Email Verification for WooCommerce | woo-confirmation-email |
| VK Blocks | vk-blocks |
| WOLF – WordPress Posts Bulk Editor and Manager Professional | bulk-editor |
| WP Directory Kit | wpdirectorykit |
| WP ERP Complete HR solution with recruitment & job listings | |
| WP Full Auto Tags Manager | wp-full-auto-tags-manager |
| WP Hide Post | wp-hide-post |
| WP Inventory Manager | wp-inventory-manager |
| WP Report Post | wp-report-post |
| WP User Switch | wp-user-switch |
| WP-Cache.com | wp-cachecom |
| WP-Cirrus | wp-cirrus |
| WPC Smart Wishlist for WooCommerce | woo-smart-wishlist |
| Web Directory Free | web-directory-free |
| WooCommerce Box Office | woocommerce-box-office |
| WooCommerce Checkout & Funnel Builder by CartFlows – Create High Converting Stores For WooCommerce | cartflows |
| Woocommerce Order address Print | woocommerce-order-address-print |
| WordPress CRM, Email & Marketing Automation for WordPress Award Winner — Groundhogg | |
| WordPress NextGen GalleryView | wordpress-nextgen-galleryview |
| WordPress Online Booking and Scheduling Plugin – Bookly | bookly-responsive-appointment-booking-tool |
| WordPress Social Login | wordpress-social-login |
| Wordapp | wordapp |
| Worthy – VG WORT Integration für WordPress | wp-worthy |
| Yandex Metrica Counter | counter-yandex-metrica |
| bbPress Toolkit | bbp-toolkit |
| bbp style pack | bbp-style-pack |
| premium-addons-pro | premium-addons-pro |
| wpForo Forum | wpforo |

WordPress Themes with Reported Vulnerabilities Last Week

| Software Name | Software Slug |
|---|---|
| HashOne | hashone |
| Viral | viral |
| Viral News | viral-news |

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities.
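If you do not run the Wordfence scanner, the same check can be done by hand from the advisory titles below, which state the affected range either as "<= version" or as "lo - hi". The following script is an added example and not Wordfence code: it parses those title forms, compares them against a site's installed plugins, and flags anything in range. Everything about its inputs is an assumption of mine rather than something this report states: the plugin inventory is taken to be the JSON that WP-CLI prints for `wp plugin list --format=json` (fields `name`, `status`, `update`, `version`, with `name` being the slug from the plugin table above), the embedded inventory is constructed sample data rather than a capture, and the version ordering is a simplified stand-in for PHP's `version_compare` that does not model alpha/beta/RC tags. The five advisories in it are transcribed from this report.

```python
"""Match affected-version ranges from advisory titles against installed plugins.

Added example, not Wordfence code.  Assumptions (mine, not the report's):
  * the plugin list is `wp plugin list --format=json` output (name/status/update/version);
  * versions are compared as dot/dash-separated numeric segments, missing segments = 0;
  * WP_PLUGIN_LIST_JSON below is constructed sample data, not a real capture.
"""
import json
import re
from typing import Dict, List, NamedTuple, Optional, Tuple


class Advisory(NamedTuple):
    slug: Optional[str]   # from the report's plugin table; None where the report gives none
    title: str            # advisory title as printed in the report
    patch_status: str     # "Patched" or "Unpatched", as printed


# Transcribed from this report.  Feather Login Page has no slug in the report's
# table, so it cannot be matched; it is kept to exercise the "lo - hi" title form.
ADVISORIES = [
    Advisory("tutor", "Tutor LMS <= 2.1.10 - Unauthenticated SQL Injection", "Patched"),
    Advisory("gravityforms", "Gravity Forms <= 2.7.3 - Unauthenticated PHP Object Injection", "Patched"),
    Advisory("directorist", "Directorist <= 7.5.4 - Authenticated (Subscriber+) Arbitrary User "
                            "Password Reset to Privilege Escalation", "Patched"),
    Advisory("wp-worthy", "Worthy – VG WORT Integration für WordPress <= 1.6.5-6497609 - "
                          "Cross-Site Request Forgery", "Unpatched"),
    Advisory(None, "Feather Login Page 1.0.7 - 1.1.1 - Cross-Site Request Forgery to "
                   "Privilege Escalation", "Unpatched"),
]

# Constructed sample in the shape of `wp plugin list --format=json`.
WP_PLUGIN_LIST_JSON = json.dumps([
    {"name": "tutor",        "status": "active",   "update": "available", "version": "2.1.9"},
    {"name": "gravityforms", "status": "active",   "update": "none",      "version": "2.7.4"},
    {"name": "directorist",  "status": "inactive", "update": "available", "version": "7.5.4"},
    {"name": "wp-worthy",    "status": "active",   "update": "none",      "version": "1.6.5"},
])

# Title forms used in the report: "<name> <= <max> - <desc>" and "<name> <lo> - <hi> - <desc>".
_TITLE_RE = re.compile(
    r"^(?P<name>.+?) (?:<= (?P<max>\d\S*)|(?P<lo>\d\S*) - (?P<hi>\d\S*)) - (?P<desc>.+)$"
)


def parse_range(title: str) -> Tuple[Optional[str], str]:
    """Return (lowest affected version or None, highest affected version) from a title."""
    m = _TITLE_RE.match(title)
    if not m:
        raise ValueError(f"unrecognised advisory title: {title!r}")
    if m.group("max") is not None:
        return None, m.group("max")
    return m.group("lo"), m.group("hi")


def compare_versions(a: str, b: str) -> int:
    """-1, 0 or 1 in the spirit of PHP's version_compare, for plain numeric versions.
    Numeric segments sort before non-numeric ones; missing trailing segments count as 0."""
    sa = [int(s) if s.isdigit() else s for s in re.split(r"[.\-]", a)]
    sb = [int(s) if s.isdigit() else s for s in re.split(r"[.\-]", b)]
    n = max(len(sa), len(sb))
    sa += [0] * (n - len(sa))
    sb += [0] * (n - len(sb))
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if isinstance(x, int) and isinstance(y, int):
            return -1 if x < y else 1
        if isinstance(x, int):
            return -1
        if isinstance(y, int):
            return 1
        return -1 if str(x) < str(y) else 1
    return 0


def is_affected(installed: str, lo: Optional[str], hi: str) -> bool:
    """True when lo <= installed <= hi; lo=None means the range has no lower bound."""
    if compare_versions(installed, hi) > 0:
        return False
    return lo is None or compare_versions(installed, lo) >= 0


def check_site(plugin_list_json: str, advisories: List[Advisory] = ADVISORIES) -> List[Dict[str, str]]:
    """One finding per advisory whose slug is installed in an affected version."""
    installed = {p["name"]: p["version"] for p in json.loads(plugin_list_json)}
    findings = []
    for adv in advisories:
        if adv.slug is None or adv.slug not in installed:
            continue
        lo, hi = parse_range(adv.title)
        if is_affected(installed[adv.slug], lo, hi):
            findings.append({"slug": adv.slug, "installed": installed[adv.slug],
                             "title": adv.title, "patch_status": adv.patch_status})
    return findings


if __name__ == "__main__":
    for f in check_site(WP_PLUGIN_LIST_JSON):
        action = "update" if f["patch_status"] == "Patched" else "no fix yet: deactivate or restrict"
        print(f"{f['slug']} {f['installed']}: {f['title']} [{action}]")
```

With the constructed inventory, Tutor LMS 2.1.9, Directorist 7.5.4 and Worthy 1.6.5 are reported as affected and Gravity Forms 2.7.4 is not. The "Patched" versus "Unpatched" status matters for what to do next: a patched advisory is fixed by updating, while an unpatched one leaves only deactivation or access restriction until the vendor ships a fix. Titles that combine two products in one line (the vcita Event Registration Calendar and Online Payments entries) are not in the form this parser accepts and would raise `ValueError`, which is deliberate: a silent miss is worse than a loud one here.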

Wordapp <= 1.5.0 - Authorization Bypass through Use of Insufficiently Unique Cryptographic Signature

Affected Software: Wordapp
CVE ID: CVE-2023-2987
CVSS Score: 9.8 (Critical)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/80440bfa-4a02-4441-bbdb-52d7dd065a9d>


Tutor LMS <= 2.1.10 - Unauthenticated SQL Injection

Affected Software: Tutor LMS – eLearning and online course solution
CVE ID: CVE-2023-25700
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/9dfee325-9001-4483-b3eb-846da0314529>


Gravity Forms <= 2.7.3 - Unauthenticated PHP Object Injection

Affected Software: Gravityforms
CVE ID: CVE-2023-28782
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/dc1e5fb7-92d0-4e7f-9b1b-15673e3b852a>


File Manager Advanced Shortcode WordPress <= 2.3.2 - Unauthenticated Arbitrary File Upload to Remote Code Execution via Shortcode

Affected Software: File Manager Advanced Shortcode WordPress
CVE ID: CVE-2023-2068
CVSS Score: 9.8 (Critical)
Researcher/s: Mateus Machado Tesser
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ea40d06e-672c-42db-9378-d382de5838d4>


Directorist <= 7.5.4 - Authenticated (Subscriber+) Arbitrary User Password Reset to Privilege Escalation

Affected Software: Directorist – WordPress Business Directory Plugin with Classified Ads Listings
CVE ID: CVE-2023-1888
CVSS Score: 8.8 (High)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/01943559-e05b-4dca-b322-d880b2729ee7>


Feather Login Page 1.0.7 - 1.1.1 - Cross-Site Request Forgery to Privilege Escalation

Affected Software: Custom Login Page | Temporary Users | Rebrand Login | Login Captcha
CVE ID: CVE-2023-2549
CVSS Score: 8.8 (High)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/12560b8e-9c47-4f7f-ac9c-d86f17914ba3>


Tutor LMS <= 2.2.0 - Authenticated (Student+) SQL Injection

Affected Software: Tutor LMS – eLearning and online course solution
CVE ID: CVE-2023-25800
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/2a64b1ff-0d3f-42fa-bab2-4f31bb8f0476>


ReviewX <= 1.6.13 - Arbitrary Usermeta Update to Authenticated (Subscriber+) Privilege Escalation

Affected Software: ReviewX – Multi-criteria Rating & Reviews for WooCommerce
CVE ID: CVE-2023-2833
CVSS Score: 8.8 (High)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/70e1d701-2cff-4793-9e4c-5b16a4038e8d>


Tutor LMS <= 2.1.10 - Authenticated (Tutor Instructor+) SQL Injection

Affected Software: Tutor LMS – eLearning and online course solution
CVE ID: CVE-2023-25990
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7d623512-ee99-4a73-a752-ecbb6ad96b63>


wpForo Forum <= 2.1.7 - Authenticated (Subscriber+) Local File Include, Server-Side Request Forgery, and PHAR Deserialization via file_get_contents

Affected Software: wpForo Forum
CVE ID: CVE-2023-2249
CVSS Score: 8.8 (High)
Researcher/s: Hamed
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/800fa098-b29f-4979-b7bd-b1186a4dafcb>


Web Directory Free <= 1.6.7 - Authenticated (Contributor+) SQL Injection via post_id

Affected Software: Web Directory Free
CVE ID: CVE-2023-2201
CVSS Score: 8.8 (High)
Researcher/s: Marco Wotschka
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d831fa81-4714-4757-b75d-0a8f5edda910>


WP User Switch <= 1.0.2 - Authenticated (Subscriber+) Authentication Bypass via Cookie

Affected Software: WP User Switch
CVE ID: CVE-2023-2546
CVSS Score: 8.8 (High)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e89d912d-fa7a-4fb1-8872-95fa861c21ca>


Feather Login Page 1.0.7 - 1.1.1 - Missing Authorization to Authentication Bypass and Privilege Escalation

Affected Software: Custom Login Page | Temporary Users | Rebrand Login | Login Captcha
CVE ID: CVE-2023-2545
CVSS Score: 8.1 (High)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b2ab2178-7438-43ef-961e-b54d0d230f4a>


User Email Verification for WooCommerce <= 3.5.0 - Authentication Bypass

Affected Software: User Email Verification for WooCommerce
CVE ID: CVE-2023-2781
CVSS Score: 8.1 (High)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f1e31357-7fbc-414b-a4f4-53fa5f2fc715>


bbPress Toolkit <= 1.0.12 - Cross-Site Scripting

Affected Software: bbPress Toolkit
CVE ID: CVE-2023-34032
CVSS Score: 7.2 (High)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/11305d35-07d6-4c61-a0c7-035671229f07>


Online Booking & Scheduling Calendar for WordPress by vcita <= 4.2.10 - Unauthenticated Stored Cross-Site Scripting

Affected Software: Online Booking & Scheduling Calendar for WordPress by vcita
CVE ID: CVE-2023-2298
CVSS Score: 7.2 (High)
Researcher/s: Jonas Höbenreich
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7e6a0bf9-4767-4d4c-9a1e-adcb3c7719d9>


WP Report Post <= 2.1.2 - Authenticated (Editor+) SQL Injection

Affected Software: WP Report Post
CVE ID: CVE-2023-34168
CVSS Score: 7.2 (High)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/8dae13e5-cee7-4392-af71-7d466ba6f6c4>


Groundhogg <= 2.7.10.3 - Authenticated (Administrator+) SQL Injection

Affected Software: WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg
CVE ID: CVE-2023-34179
CVSS Score: 7.2 (High)
Researcher/s: Rafshanzani Suhada
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b4f2554d-c047-4be2-a4e6-2ae51f077376>


Blog-in-Blog <= 1.1.1 - Authenticated (Editor+) Local File Inclusion via Shortcode

Affected Software: Blog-in-Blog
CVE ID: CVE-2023-2435
CVSS Score: 7.2 (High)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d53161ad-cc5f-4433-b288-a8095cdfd7db>


Cart2Cart: Magento to WooCommerce Migration <= 2.0.0 - Missing Authorization via setToken

Affected Software: Cart2Cart: Magento to WooCommerce Migration
CVE ID: CVE-2023-34379
CVSS Score: 7.1 (High)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5d9ab83f-6d0b-4fe4-a121-87b09dcc0953>


Headless CMS <= 2.0.3 - Missing Authorization

Affected Software: Headless CMS
CVE ID: CVE-2023-34186
CVSS Score: 6.5 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/2d1414f5-e705-4fd4-847b-b46d2d20943b>


Jetpack <= 12.1 - Authenticated (Author+) Arbitrary File Manipulation

Affected Software: Jetpack – WP Security, Backup, Speed, & Growth
CVE ID: CVE-2023-2996
CVSS Score: 6.5 (Medium)
Researcher/s: Miguel Neto
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/9dfca4cb-71dc-4b2d-bcf3-0ca9f88f88df>


B2BKing <= 4.6.00 - Missing Authorization to Authenticated (Subscriber+) Price Modification

Affected Software: B2BKing — Ultimate WooCommerce Wholesale and B2B Solution — Wholesale Order Form, Catalog Mode, Dynamic Pricing & More
CVE ID: CVE-2023-3125
CVSS Score: 6.5 (Medium)
Researcher/s: Jerome Bruandet
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b3f2c4c3-73d6-4b3b-8eb3-c494f52dc183>


Directorist <= 7.5.4 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Post Deletion in listing_task

Affected Software: Directorist – WordPress Business Directory Plugin with Classified Ads Listings
CVE ID: CVE-2023-1889
CVSS Score: 6.5 (Medium)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b47edd57-cac7-463f-88cc-8922f1b34612>


Uncanny Toolkit for LearnDash <= 3.6.4.3 - Missing Authorization via review-banner-visibility REST route

Affected Software: Uncanny Toolkit for LearnDash
CVE ID: CVE-2023-34019
CVSS Score: 6.5 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/cdaa7450-3b51-470d-8903-52fd1d4215a2>


Formidable Forms <= 6.3 - Authenticated (Subscriber+) Arbitrary Plugin Installation and Activation

Affected Software: Formidable Forms – Contact Form, Survey, Quiz, Calculator & Custom Form Builder
CVE ID: CVE Unknown
CVSS Score: 6.5 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d9f060bd-029a-462e-b308-8366e82be383>


Contact Form Builder by vcita <= 4.9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Contact Form Builder by vcita
CVE ID: CVE-2023-2300
CVSS Score: 6.4 (Medium)
Researcher/s: Jonas Höbenreich
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/12ce97ba-8053-481f-bcd7-05d5e8292adb>


Event Registration Calendar By vcita <= 1.3.1 & Online Payments – Get Paid with PayPal, Square & Stripe <= 3.9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software/s: Event Registration Calendar By vcita, Online Payments – Get Paid with PayPal, Square & Stripe
CVE ID: CVE-2023-2406
CVSS Score: 6.4 (Medium)
Researcher/s: Jonas Höbenreich
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/1ab05954-9999-43ff-8e3c-a987e2da1956>


Page Builder by AZEXO <= 1.27.133 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Page Builder with Image Map by AZEXO
CVE ID: CVE-2023-3051
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/24486605-9324-4f19-9ca3-340d006432db>


WooCommerce Box Office <= 1.1.50 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: WooCommerce Box Office
CVE ID: CVE-2023-34004
CVSS Score: 6.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/3ebd05d5-a65d-49df-a865-882e9d17fc0f>


Contact Form and Calls To Action by vcita <= 2.6.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Contact Form and Calls To Action by vcita
CVE ID: CVE-2023-2302
CVSS Score: 6.4 (Medium)
Researcher/s: Jonas Höbenreich
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/4dfc237a-9157-4da9-ba8f-9daf2ba4f20b>


Favorites <= 2.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Favorites
CVE ID: CVE-2023-2304
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5bd03cd0-34f0-491c-8247-79656eba32a8>


Display post meta, term meta, comment meta, and user meta <= 0.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Display post meta, term meta, comment meta, and user meta
CVE ID: CVE-2023-1661
CVSS Score: 6.4 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6f90c0d8-ede6-4f24-870f-19e888238e93>


CRM and Lead Management by vcita <= 2.6.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: CRM and Lead Management by vcita
CVE ID: CVE-2023-2404
CVSS Score: 6.4 (Medium)
Researcher/s: Jonas Höbenreich
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e26ccd06-22e0-4d91-a53a-df6ead8a8e3b>


Page Builder by AZEXO <= 1.27.133 - Cross-Site Request Forgery to Post Creation/Modification/Deletion

Affected Software: Page Builder with Image Map by AZEXO
CVE ID: CVE-2023-3052
CVSS Score: 6.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a4e26035-ce4e-4b4b-aa3c-cd86b29b199a>


Chilexpress woo oficial <= 1.2.9 - Reflected Cross-Site Scripting

Affected Software: Chilexpress woo oficial
CVE ID: CVE-2023-34176
CVSS Score: 6.1 (Medium)
Researcher/s: Le Hong Minh
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/0999a738-9fae-4043-99eb-ff222a7608fa>


CRM and Lead Management by vcita <= 2.6.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Affected Software: CRM and Lead Management by vcita
CVE ID: CVE-2023-2405
CVSS Score: 6.1 (Medium)
Researcher/s: Jonas Höbenreich
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/0f75c6bf-1b93-49d5-b5fb-e59b4e67432f>


Event Registration Calendar By vcita <= 1.3.1 & Online Payments – Get Paid with PayPal, Square & Stripe <= 3.9.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Affected Software/s: Event Registration Calendar By vcita, Online Payments – Get Paid with PayPal, Square & Stripe
CVE ID: CVE-2023-2407
CVSS Score: 6.1 (Medium)
Researcher/s: Jonas Höbenreich
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/207b40fa-2062-48d6-990b-f05cbbf8fb8e>


Contact Form and Calls To Action by vcita <= 2.6.4 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Affected Software: Contact Form Builder by vcita
CVE ID: CVE-2023-2303
CVSS Score: 6.1 (Medium)
Researcher/s: Jonas Höbenreich
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/2345c972-9fd4-4709-8bde-315ab54f60e2>


Woocommerce Order address Print <= 3.2 - Reflected Cross-Site Scripting

Affected Software: Woocommerce Order address Print
CVE ID: CVE-2023-34184
CVSS Score: 6.1 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/2bbf4e86-308c-43f3-a54c-e1c6ee21260e>


Page Builder by AZEXO <= 1.27.133 - Cross-Site Request Forgery to Stored Cross-Site Scripting via azh_save

Affected Software: Page Builder with Image Map by AZEXO
CVE ID: CVE-2023-3055
CVSS Score: 6.1 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/2efeffa2-b21a-4aa1-93b0-51c775758ab1>


bbp style pack <= 5.5.5 - Reflected Cross-Site Scripting

Affected Software: bbp style pack
CVE ID: CVE-2023-33997
CVSS Score: 6.1 (Medium)
Researcher/s: thiennv
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/49e82146-e8ad-4bc5-94a7-a4ae694b7039>


Contact Form Builder by vcita <= 4.9.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Affected Software: Contact Form Builder by vcita
CVE ID: CVE-2023-2301
CVSS Score: 6.1 (Medium)
Researcher/s: Jonas Höbenreich
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/61c39f5f-3b17-4e4d-824e-241159a73400>


Social Share, Social Login and Social Comments <= 7.13.51 - Reflected Cross-Site Scripting

Affected Software: Social Share, Social Login and Social Comments Plugin – Super Socializer
CVE ID: CVE-2023-2779
CVSS Score: 6.1 (Medium)
Researcher/s: 40826d
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6257739a-cd7c-4797-882a-016a01fe84b4>


Dynamic QR Code Generator <= 0.0.5 - Reflected Cross-Site Scripting

Affected Software: Dynamic QR Code Generator
CVE ID: CVE-2023-34022
CVSS Score: 6.1 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/65f30cd4-1d47-4ebe-a6de-acdb3a813c9c>


WP Directory Kit <= 1.2.3 - Reflected Cross-Site Scripting via 'search'

Affected Software: WP Directory Kit
CVE ID: CVE-2023-2835
CVSS Score: 6.1 (Medium)
Researcher/s: Dongzhu Li
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/847f1c00-0e8f-4d38-84af-fe959e2efe5c>


BBS e-Popup <= 2.4.5 - Reflected Cross-Site Scripting

Affected Software: BBS e-Popup
CVE ID: CVE-2023-34174
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/8f715947-e379-4a05-9ab8-5d9e94ffc136>


Premium Addons PRO <= 2.8.24 - Reflected Cross-Site Scripting

Affected Software: premium-addons-pro
CVE ID: CVE-2023-34012
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/9445a54c-06b9-400a-a8ae-a58f1b968196>


Google Fonts For WordPress <= 3.0.0 - Reflected Cross-Site Scripting

Affected Software: Google Fonts For WordPress
CVE ID: CVE-2023-34180
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/94712f92-5045-420b-9d6d-59a4c031e998>


Login Configurator <= 2.1 - Reflected Cross-Site Scripting

Affected Software: Login Configurator
CVE ID: CVE-2023-34175
CVSS Score: 6.1 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b89a1265-6e26-498c-a2b4-da12d38463c9>


WP ERP <= 1.12.3 - Reflected Cross-Site Scripting

Affected Software: WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting
CVE ID: CVE-2023-34008
CVSS Score: 6.1 (Medium)
Researcher/s: minhtuanact
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e5863e9b-3f98-41ea-97ed-26563493cffd>


Blog-in-Blog <= 1.1.1 - Authenticated (Editor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Blog-in-Blog
CVE ID: CVE-2023-2436
CVSS Score: 5.5 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5c6a88c3-18b7-470f-8014-373ead66dcfa>


Quick/Bulk Order Form for WooCommerce <= 3.5.7 - Authenticated (Shop manager+) Stored Cross-Site Scripting

Affected Software: Quick/Bulk Order Form for WooCommerce
CVE ID: CVE-2023-34170
CVSS Score: 5.5 (Medium)
Researcher/s: Emili Castells
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/898af9aa-72c4-46a6-afc2-76dd17672fbc>


Download Monitor <= 4.8.1 - Authenticated (Admin+) Server-Side Request Forgery

Affected Software: Download Monitor
CVE ID: CVE-2023-31219
CVSS Score: 5.5 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a03f0780-796c-41a3-8f06-04f76e0da2da>


JS Job Manager <= 2.0.0 - Cross-Site Request Forgery via multiple functions

Affected Software: JS Job Manager
CVE ID: CVE-2023-31087
CVSS Score: 5.4 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/0131921b-6f60-4da1-b5d9-d44a33d35cae>


Groundhogg <= 2.7.10.3 - Cross-Site Request Forgery

Affected Software: WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg
CVE ID: CVE-2023-34178
CVSS Score: 5.4 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/22506d45-40db-47c4-91b2-ab4f49703bf9>


Online Booking & Scheduling Calendar for WordPress by vcita <= 4.2.10 - Missing Authorization to Settings Update and Media Upload

Affected Software: Online Booking & Scheduling Calendar for WordPress by vcita
CVE ID: CVE-2023-2414
CVSS Score: 5.4 (Medium)
Researcher/s: Jonas Höbenreich
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/3c99aab5-a995-44ae-bc14-09f73e6b22c5>


Dynamic Visibility for Elementor <= 5.0.5 - Missing Authorization to Authenticated (Subscriber+) Post Visibility Modification

Affected Software: Dynamic Visibility for Elementor
CVE ID: CVE Unknown
CVSS Score: 5.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/4e704333-ad88-42c9-b632-babc9d54cb13>


Feather Login Page 1.0.7 - 1.1.1 - Missing Authorization to Non-Arbitrary User Deletion

Affected Software: Custom Login Page | Temporary Users | Rebrand Login | Login Captcha
CVE ID: CVE-2023-2547
CVSS Score: 5.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5d58a6a4-de2c-485f-a8b0-7a7d144fbf3c>


Online Booking & Scheduling Calendar for WordPress by vcita <= 4.2.10 - Missing Authorization to Account Logout

Affected Software: Online Booking & Scheduling Calendar for WordPress by vcita
CVE ID: CVE-2023-2415
CVSS Score: 5.4 (Medium)
Researcher/s: Jonas Höbenreich
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/731cbeed-d4aa-448f-878a-8c51a3da4e18>


Worthy – VG WORT Integration für WordPress <= 1.6.5-6497609 - Cross-Site Request Forgery

Affected Software: Worthy – VG WORT Integration für WordPress CVE ID: CVE-2023-24417 CVSS Score: 5.4 (Medium) Researcher/s: yuyudhn Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7717cd0f-6aac-4cb0-b27e-2517d5d7ecd9>


Extended Post Status <= 1.0.19 - Missing Authorization via wp_insert_post_data

Affected Software: Extended Post Status CVE ID: CVE-2023-32094 CVSS Score: 5.4 (Medium) Researcher/s: TaeEun Lee Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b6369b41-d93f-4959-8fad-be69ef724b24>


Change WooCommerce Add To Cart Button Text <= 1.3 - Missing Authorization via rexvs_settings_submit

Affected Software: Change WooCommerce Add To Cart Button Text CVE ID: CVE-2023-34376 CVSS Score: 5.4 (Medium) Researcher/s: Lana Codes Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d47f5d90-dc7d-4500-a6e6-e585e4a5c11b>


Page Builder by AZEXO <= 1.27.133 - Missing Authorization to Post Creation

Affected Software: Page Builder with Image Map by AZEXO CVE ID: CVE-2023-3053 CVSS Score: 5.4 (Medium) Researcher/s: Lana Codes Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/dd56cb73-1c40-44b1-b713-c0291832d988>


WordPress Social Login <= 3.0.4 - Reflected Cross-Site Scripting

Affected Software: WordPress Social Login CVE ID: CVE-2023-34023 CVSS Score: 5.4 (Medium) Researcher/s: Nguyen Xuan Chien Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e8b03deb-4134-4dde-8545-a14977a47209>


Online Booking & Scheduling Calendar for WordPress by vcita <= 4.2.10 - Cross-Site Request Forgery to Account Logout

Affected Software: Online Booking & Scheduling Calendar for WordPress by vcita CVE ID: CVE-2023-2416 CVSS Score: 5.4 (Medium) Researcher/s: Jonas Höbenreich Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f434585c-8533-4788-b0bc-5650390c29a8>


Online Booking & Scheduling Calendar for WordPress by vcita <= 4.2.10 - Missing Authorization on REST-API

Affected Software: Online Booking & Scheduling Calendar for WordPress by vcita CVE ID: CVE-2023-2299 CVSS Score: 5.3 (Medium) Researcher/s: Jonas Höbenreich Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/4855627a-de56-49ee-b0b0-01b9735d8557>


WooCommerce Box Office <= 1.1.51 - Missing Authorization

Affected Software: WooCommerce Box Office CVE ID: CVE-2023-34003 CVSS Score: 5.3 (Medium) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/8872eca8-4812-4f5f-b775-cbfab90ba2ca>


Call Now Accessibility Button <= 1.1 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Call Now Accessibility Button CVE ID: CVE-2023-28933 CVSS Score: 4.4 (Medium) Researcher/s: Juampa Rodríguez Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/04df6505-46c1-4e66-a363-4ccebacb5e42>


Yandex Metrica Counter <= 1.4.3 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Yandex Metrica Counter CVE ID: CVE-2023-34173 CVSS Score: 4.4 (Medium) Researcher/s: yuyudhn Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/173661aa-6895-41d6-8869-6abfd2eadf31>


Unite Gallery Lite <= 1.7.60 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Unite Gallery Lite CVE ID: CVE-2023-34183 CVSS Score: 4.4 (Medium) Researcher/s: yuyudhn Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/577d8986-edc5-445f-80cf-7a7f2cca9749>


Download SpamReferrerBlock <= 2.22 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: SpamReferrerBlock CVE ID: CVE-2023-34372 CVSS Score: 4.4 (Medium) Researcher/s: LEE SE HYOUNG Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/692e995d-cdfc-4ab8-8a8a-5423eb7f8d15>


Telegram Bot & Channel <= 3.6.2 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Telegram Bot & Channel CVE ID: CVE-2023-34006 CVSS Score: 4.4 (Medium) Researcher/s: yuyudhn Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6eb099c3-f6f6-4d9c-a9c7-fa1b81ce082e>


Kanban Boards for WordPress <= 2.5.20 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Kanban Boards for WordPress CVE ID: CVE-2023-34368 CVSS Score: 4.4 (Medium) Researcher/s: TomS Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7fe3e55e-7286-4d12-b24f-fce69248a446>


Call Now Icon Animate <= 0.1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Call Now Icon Animate CVE ID: CVE-2023-34187 CVSS Score: 4.4 (Medium) Researcher/s: Rio Darmawan Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/82f5e976-2564-4f8b-96d5-cfac9945737c>


WordPress Social Login <= 3.0.4 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: WordPress Social Login CVE ID: CVE-2023-34172 CVSS Score: 4.4 (Medium) Researcher/s: yuyudhn Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/bc2c3bdb-65b9-4e0b-899f-bd08077bc8ba>


Bulk Order Form for WooCommerce <= 3.5.7 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Quick/Bulk Order Form for WooCommerce CVE ID: CVE Unknown CVSS Score: 4.4 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d549fcd5-6808-4d7d-bf1f-df8cfa458744>


CRM Perks Forms <= 1.1.1 - Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: CRM Perks Forms – WordPress Form Builder CVE ID: CVE-2023-2836 CVSS Score: 4.4 (Medium) Researcher/s: Dongzhu Li Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/de11636b-a051-4e76-bc26-ed76f66fe0df>


GDPR Cookie Consent Notice Box <= 1.1.6 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: GDPR Cookie Consent Notice Box CVE ID: CVE-2023-32294 CVSS Score: 4.4 (Medium) Researcher/s: Emili Castells Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f44b8e21-4bfd-487f-96f1-d264d335f54f>


TS Webfonts for さくらのレンタルサーバ <= 3.1.0 - Cross-Site Request Forgery

Affected Software: TS Webfonts for さくらのレンタルサーバ CVE ID: CVE-2023-34169 CVSS Score: 4.3 (Medium) Researcher/s: yuyudhn Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/025d576b-7342-4863-ac30-f1ff0205d638>


NextGen GalleryView <= 0.5.5 - Cross-Site Request Forgery

Affected Software: WordPress NextGen GalleryView CVE ID: CVE-2023-34185 CVSS Score: 4.3 (Medium) Researcher/s: LEE SE HYOUNG Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/052ea3af-96d8-4e83-b4e7-3db30b556d0d>


WP Report Post <= 2.1.2 - Cross-Site Request Forgery

Affected Software: WP Report Post CVE ID: CVE-2023-34171 CVSS Score: 4.3 (Medium) Researcher/s: Mika Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/09e28b72-55c6-4f2f-b689-a8989945651b>


Ajax Pagination and Infinite Scroll <= 2.0.1 - Cross-Site Request Forgery

Affected Software: Ajax Pagination and Infinite Scroll CVE ID: CVE-2023-34033 CVSS Score: 4.3 (Medium) Researcher/s: Justiice Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/0bc7f5dd-a1eb-442d-9913-e391208e7f26>


VK Blocks <= 1.57.0.5 - Authenticated(Contributor+) Settings Update

Affected Software: VK Blocks CVE ID: CVE-2023-0583 CVSS Score: 4.3 (Medium) Researcher/s: Ramuel Gall Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/12a94f5b-bc30-4a65-b397-54488c836ec3>


Floating Action Button <= 1.2.1 - Cross-Site Request Forgery

Affected Software: Floating Action Button CVE ID: CVE-2023-31088 CVSS Score: 4.3 (Medium) Researcher/s: Yuki Haruma Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/14bf654e-c4f1-4267-811e-6d796c14834a>


Photo Gallery <= 1.8.15 - Missing Authorization

Affected Software: Photo Gallery by 10Web – Mobile-Friendly Image Gallery CVE ID: CVE Unknown CVSS Score: 4.3 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/1534f67d-cf3f-4185-9aa6-01ae5dee4f26>


Multiple Themes (Various Versions) - Missing Authorization to Arbitrary Plugin Activation

Affected Software/s: Viral News, HashOne, Viral CVE ID: CVE-2023-33923 CVSS Score: 4.3 (Medium) Researcher/s: Dave Jong Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/154a838c-f8bb-4568-b066-a78264c75eea>


Draw Attention <= 2.0.11 - Missing Authorization to Arbitrary Post Featured Image Modification

Affected Software: Interactive Image Map Plugin – Draw Attention CVE ID: CVE-2023-2764 CVSS Score: 4.3 (Medium) Researcher/s: Alex Thomas Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/18530601-a294-448c-a1b2-c3995f9042ac>


LH Password Changer <= 1.55 - Cross-Site Request Forgery

Affected Software: LH Password Changer CVE ID: CVE-2023-34182 CVSS Score: 4.3 (Medium) Researcher/s: Mika Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/19d08a16-51c1-4255-b0e0-01307e1783ca>


Social Media & Share Icons <= 2.8.1 - Missing Authorization via handle_installation

Affected Software: Social Media Share Buttons & Social Sharing Icons CVE ID: CVE-2023-34009 CVSS Score: 4.3 (Medium) Researcher/s: Lana Codes Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/1bfb5d34-738d-4842-be93-9668fceb3334>


Advanced Flat rate shipping Woocommerce <= 1.6.4.4 - Cross-Site Request Forgery via enableDisable and deletePost

Affected Software: Conditional shipping & Advanced Flat rate shipping rates / Flexible shipping for WooCommerce shipping CVE ID: CVE-2023-34015 CVSS Score: 4.3 (Medium) Researcher/s: Skalucy Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/27b14c6e-44fe-4acb-8058-613f65b6baa4>


Donation Platform for WooCommerce: Fundraising & Donation Management <= 1.2.9 - Cross-Site Request Forgery to Survey Submission

Affected Software: Donation Platform for WooCommerce: Fundraising & Donation Management CVE ID: CVE Unknown CVSS Score: 4.3 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/3c8602ed-6c0d-4357-93e6-bab1ab38ffb2>


WP Hide Post <= 2.0.10 - Cross-Site Request Forgery via save_bulk_edit_data

Affected Software: WP Hide Post CVE ID: CVE-2023-34378 CVSS Score: 4.3 (Medium) Researcher/s: Lana Codes Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/3c957f3f-fb98-49ff-b317-93b1accd0d47>


WP Full Auto Tags Manager <= 2.2 - Cross-Site Request Forgery

Affected Software: WP Full Auto Tags Manager CVE ID: CVE-2023-34024 CVSS Score: 4.3 (Medium) Researcher/s: Elliot Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5bf209b8-7c12-4fc3-af7f-4fd25777caab>


WPC Smart Wishlist for WooCommerce <= 4.6.7 - Cross-Site Request Forgery via wishlist_add and wishlist_remove

Affected Software: WPC Smart Wishlist for WooCommerce CVE ID: CVE-2023-34386 CVSS Score: 4.3 (Medium) Researcher/s: Lana Codes Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/655fc91d-5920-4214-8ef1-8191e2683f9d>


Disable WordPress Update Notifications <= 2.3.3 - Cross-Site Request Forgery

Affected Software: Disable WordPress Update Notifications and auto-update Email Notifications CVE ID: CVE-2023-34029 CVSS Score: 4.3 (Medium) Researcher/s: Rio Darmawan Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/658ba848-fbfe-4cee-b997-77bc4cae53dc>


Uncanny Toolkit for LearnDash <= 3.6.4.3 - Open Redirect

Affected Software: Uncanny Toolkit for LearnDash CVE ID: CVE-2023-34020 CVSS Score: 4.3 (Medium) Researcher/s: Mika Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/66e5a569-1dd5-40e9-8356-d7c82c8e30ed>


WP-Cirrus <= 0.6.11 - Cross-Site Request Forgery

Affected Software: WP-Cirrus CVE ID: CVE-2023-34181 CVSS Score: 4.3 (Medium) Researcher/s: LEE SE HYOUNG Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/710aa0fd-34e2-4f0e-b354-0722d9692410>


LWS Hide Login <= 2.1.5 - Cross-Site Request Forgery

Affected Software: LWS Hide Login CVE ID: CVE-2023-34025 CVSS Score: 4.3 (Medium) Researcher/s: konagash Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7678b80f-3184-4979-b1f4-25cd75836010>


Constant Contact Forms <= 1.14.0 - Missing Authorization via constant_contact_optin_ajax_handler

Affected Software: Constant Contact Forms CVE ID: CVE-2023-34387 CVSS Score: 4.3 (Medium) Researcher/s: Lana Codes Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/85b6262c-2576-4177-a683-44464dba0978>


bbPress Toolkit <= 1.0.12 - Cross-Site Request Forgery

Affected Software: bbPress Toolkit CVE ID: CVE-2023-34031 CVSS Score: 4.3 (Medium) Researcher/s: thiennv Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/8a9b2ec2-edbe-45c5-bd36-45a6101356d1>


WP Inventory Manager <= 2.1.0.13 - Cross-Site Request Forgery via delete_item

Affected Software: WP Inventory Manager CVE ID: CVE-2023-34002 CVSS Score: 4.3 (Medium) Researcher/s: Mika Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/95986a4d-94fb-4afe-ba1e-382d6f4c550f>


Ultimate Member <= 2.6.0 - Cross-Site Request Forgery to Form Duplication

Affected Software: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin CVE ID: CVE Unknown CVSS Score: 4.3 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/97ced4ed-915b-4234-b59d-75db983f90e8>


WOLF <= 1.0.7 - Cross-Site Request Forgery via create_profile

Affected Software: WOLF – WordPress Posts Bulk Editor and Manager Professional CVE ID: CVE-2023-34028 CVSS Score: 4.3 (Medium) Researcher/s: thiennv Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/98dffc17-ac45-4ccd-ae57-96b36bd02be3>


Complianz | GDPR/CCPA Cookie Consent <= 6.4.5 - Cross-Site Request Forgery

Affected Software: Complianz – GDPR/CCPA Cookie Consent CVE ID: CVE Unknown CVSS Score: 4.3 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a92d5176-4cf0-4a31-9dcc-a2dc3259d29b>


VK Blocks <= 1.57.0.5 - Authenticated(Contributor+) Settings Update

Affected Software: VK Blocks CVE ID: CVE-2023-0584 CVSS Score: 4.3 (Medium) Researcher/s: Ramuel Gall Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b90b7f6c-df7f-48a5-b283-cf5facbd71e5>


B2BKing <= 4.6.00 - Missing Authorization to Authenticated(Subscriber+) Information Disclosure

Affected Software: B2BKing — Ultimate WooCommerce Wholesale and B2B Solution — Wholesale Order Form, Catalog Mode, Dynamic Pricing & More CVE ID: CVE-2023-3126 CVSS Score: 4.3 (Medium) Researcher/s: Jerome Bruandet Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d2e3ac14-1421-49f0-9c60-7f7d5c9d7654>


Multiple Themes (Various Versions) - Cross-Site Request Forgery to Arbitrary Plugin Activation

Affected Software/s: Viral News, HashOne, Viral CVE ID: CVE-2023-33923 CVSS Score: 4.3 (Medium) Researcher/s: Dave Jong Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d3543a39-ad88-40be-93b8-36ec638db4bd>


Kebo Twitter Feed <= 1.5.12 - Cross-Site Request Forgery via kebo_twitter_menu_render

Affected Software: Kebo Twitter Feed CVE ID: CVE-2023-34384 CVSS Score: 4.3 (Medium) Researcher/s: Lana Codes Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d56aaa20-f40c-4f99-bc38-0b14fa39a175>


SpamReferrerBlock <= 2.22 - Cross-Site Request Forgery

Affected Software: SpamReferrerBlock CVE ID: CVE-2023-34371 CVSS Score: 4.3 (Medium) Researcher/s: LEE SE HYOUNG Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d70e9d4e-2137-411b-bc01-28388a7b2519>


TPG Redirect <= 1.0.6 - Cross-Site Request Forgery

Affected Software: TPG Redirect CVE ID: CVE-2023-32093 CVSS Score: 4.3 (Medium) Researcher/s: Taihei Shimamine Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d92b9c21-067b-41c3-a385-a65faa8dd0ae>


WP-Cache.com <= 1.1.1 - Cross-Site Request Forgery

Affected Software: WP-Cache.com CVE ID: CVE-2023-34177 CVSS Score: 4.3 (Medium) Researcher/s: LEE SE HYOUNG Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e9a28625-19e4-4696-bb51-7115368120d3>


Bookly <= 21.7 - Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: WordPress Online Booking and Scheduling Plugin – Bookly CVE ID: CVE-2023-1159 CVSS Score: 4 (Medium) Researcher/s: Vinay Kumar Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d4cdf774-c93b-4b94-85ba-aa56bf401873>


Nested Pages <= 3.2.3 - Missing Authorization to Authenticated (Editor+) Plugin Settings Reset

Affected Software: Nested Pages CVE ID: CVE-2023-2434 CVSS Score: 3.8 (Low) Researcher/s: Lana Codes Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/8c3e61e9-3610-41b5-9820-28012dc657fd>


Brizy Page Builder <= 2.4.18 - IP Address Spoofing to Protection Mechanism Bypass

Affected Software: Brizy – Page Builder CVE ID: CVE-2023-2897 CVSS Score: 3.7 (Low) Researcher/s: Alex Thomas Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ae342dd9-2f5f-4356-8fb4-9a3e5f4f8316>


CartFlows <= 1.11.11 - Insecure Direct Object Reference to Arbitrary Post Deletion

Affected Software: WooCommerce Checkout & Funnel Builder by CartFlows – Create High Converting Stores For WooCommerce CVE ID: CVE Unknown CVSS Score: 2.7 (Low) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b9002f6e-4345-4908-9cb8-9841a2458eb7>


As a reminder, Wordfence has curated an industry-leading vulnerability database, known as Wordfence Intelligence, covering all known WordPress core, theme, and plugin vulnerabilities.

This database is continuously updated, maintained, and populated by Wordfence's highly credentialed and experienced vulnerability researchers through in-house vulnerability research, through vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring various sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
