CVSS v3.1 base score: 7.5 High

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | NONE |
Integrity Impact | HIGH |
Availability Impact | NONE |

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS v2 base score: 5.8 Medium

Metric | Value |
---|---|
Access Vector | NETWORK |
Access Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | PARTIAL |
Availability Impact | NONE |

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N

EPSS: 0.001 (Low), percentile 40.1%
Last week, 43 vulnerabilities in 38 WordPress plugins and no WordPress themes were added to the Wordfence Intelligence Vulnerability Database, and 23 vulnerability researchers contributed to WordPress security. Review the vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, including the WordPress community, so that individuals and organizations alike can use that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API and webhook notifications are completely free to access and use, both personally and commercially, and why we publish this weekly vulnerability report.
_Click here to sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress security reports in your inbox the moment they are published._
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence receive this enhanced protection after a 30-day delay.
Patch Status | Number of Vulnerabilities |
---|---|
Unpatched | 17 |
Patched | 26 |

Severity Rating | Number of Vulnerabilities |
---|---|
Low Severity | 0 |
Medium Severity | 35 |
High Severity | 6 |
Critical Severity | 2 |

Vulnerability Type by CWE | Number of Vulnerabilities |
---|---|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 16 |
Missing Authorization | 13 |
Cross-Site Request Forgery (CSRF) | 8 |
Unrestricted Upload of File with Dangerous Type | 2 |
Reliance on Untrusted Inputs in a Security Decision | 1 |
Authentication Bypass Using an Alternate Path or Channel | 1 |
Use of Less Trusted Source | 1 |
Improper Privilege Management | 1 |

Researcher Name | Number of Vulnerabilities |
---|---|
Rafshanzani Suhada | 6 |
Abdi Pranata | 3 |
Rio Darmawan | 3 |
Rafie Muhammad | 3 |
Mahesh Nagabhairava | 2 |
Nguyen Xuan Chien | 2 |
yuyuddn | 1 |
Bob Matyas | 1 |
Carlos David Garrido León | 1 |
Skalucy | 1 |
Nithissh S | 1 |
Animesh Gaurav | 1 |
Muhammad Daffa | 1 |
konagash | 1 |
Dipak Panchal | 1 |
Bartłomiej Marek | 1 |
Tomasz Swiadek | 1 |
An Dang | 1 |
Erwan LR | 1 |
Mika | 1 |
Lana Codes (Wordfence Vulnerability Researcher) | 1 |
Dmitrii Ignatyev | 1 |
Revan Arifio | 1 |
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.
Software Name | Software Slug |
---|---|
Category Slider for WooCommerce | woo-category-slider-grid |
Collapse-O-Matic | jquery-collapse-o-matic |
Cookies by JM | cookies-by-jm |
DX-auto-save-images | dx-auto-save-images |
DoLogin Security | dologin |
ElementsKit Elementor addons | elementskit-lite |
FTP Access | ftp-access |
FV Flowplayer Video Player | fv-wordpress-flowplayer |
Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager | folders |
Herd Effects – fake notifications and social proof plugin | mwp-herd-effect |
Hide My WP Ghost – Security Plugin | hide-my-wp |
Jupiter X Core | jupiterx-core |
Landing Page Builder – Lead Page – Optin Page – Squeeze Page – WordPress Landing Pages | page-builder-add |
Leyka | leyka |
Lock User Account | lock-user-account |
Master Addons for Elementor | master-addons |
MasterStudy LMS WordPress Plugin – for Online Courses and Education | masterstudy-lms-learning-management-system |
Min Max Control – Min Max Quantity & Step Control for WooCommerce | woo-min-max-quantity-step-control-single |
Post and Page Builder by BoldGrid – Visual Drag and Drop Editor | post-and-page-builder |
Posts Like Dislike | posts-like-dislike |
Premmerce User Roles | premmerce-user-roles |
Push Notification for Post and BuddyPress | push-notification-for-post-and-buddypress |
ReviewX – Multi-criteria Rating & Reviews for WooCommerce | reviewx |
Royal Elementor Addons and Templates | royal-elementor-addons |
Save as Image plugin by Pdfcrowd | save-as-image-by-pdfcrowd |
Save as PDF plugin by Pdfcrowd | save-as-pdf-by-pdfcrowd |
Secure Admin IP | secure-admin-ip |
Simple URLs – Link Cloaking, Product Displays, and Affiliate Link Management | simple-urls |
Slimstat Analytics | wp-slimstat |
Sticky Social Media Icons | sticky-social-media-icons |
Translate WordPress with GTranslate | gtranslate |
URL Shortify – Simple, Powerful and Easy URL Shortener Plugin For WordPress | url-shortify |
Vertical marquee plugin | vertical-marquee-plugin |
Void Elementor Post Grid Addon for Elementor Page builder | void-elementor-post-grid-addon-for-elementor-page-builder |
WP Adminify – WordPress Dashboard Customization \| Custom Login \| Admin Columns \| Dashboard Widget \| Media Library Folders | |
WP VK-付费内容插件(付费阅读/资料/工具软件资源管理) | wp-vk |
gAppointments - Appointment booking addon for Gravity Forms | gAppointments |
iThemes Sync | ithemes-sync |
Please note that if you run the Wordfence plugin on your WordPress site with the scanner enabled, you should already have been notified if your site was affected by any of these vulnerabilities.

Affected Software | CVE ID | CVSS Score | Researcher/s | Patch Status | Vulnerability Details |
---|---|---|---|---|---|
Jupiter X Core | CVE-2023-38388 | 9.8 (Critical) | Rafie Muhammad | Patched | <https://wordfence.com/threat-intel/vulnerabilities/id/980a9237-7dea-4058-a850-b849457b4fef> |
Jupiter X Core | CVE-2023-38389 | 9.8 (Critical) | Rafie Muhammad | Patched | <https://wordfence.com/threat-intel/vulnerabilities/id/b894473b-b2ed-475b-892e-603db609f88a> |
Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager | CVE Unknown | 8.8 (High) | Unknown | Patched | <https://wordfence.com/threat-intel/vulnerabilities/id/35afef52-350c-4b61-b9c0-3ae2572f81fb> |
Premmerce User Roles | CVE-2023-41130 | 8.3 (High) | Nguyen Xuan Chien | Patched | <https://wordfence.com/threat-intel/vulnerabilities/id/f53cd4a3-a6db-42c2-b4d8-218071c4bcd4> |
Master Addons for Elementor | CVE-2023-40679 | 7.3 (High) | Rafshanzani Suhada | Unpatched | <https://wordfence.com/threat-intel/vulnerabilities/id/6150c355-1046-483e-aa8b-463c3752021d> |
MasterStudy LMS WordPress Plugin – for Online Courses and Education | CVE-2023-4278 | 7.3 (High) | Revan Arifio | Patched | <https://wordfence.com/threat-intel/vulnerabilities/id/df00c8bc-8acd-4197-86fe-b88cb47d52c3> |
Simple URLs – Link Cloaking, Product Displays, and Affiliate Link Management | CVE-2023-40667 | 7.2 (High) | Rafshanzani Suhada | Unpatched | <https://wordfence.com/threat-intel/vulnerabilities/id/54c38be0-ffe7-4fa4-b5c9-cb717c11aed5> |
URL Shortify – Simple, Powerful and Easy URL Shortener Plugin For WordPress | CVE-2023-4294 | 7.2 (High) | Bartłomiej Marek, Tomasz Swiadek | Patched | <https://wordfence.com/threat-intel/vulnerabilities/id/7b452283-9f0d-469b-b1b8-4bd253f9ea1d> |
Collapse-O-Matic | CVE-2023-40669 | 6.4 (Medium) | Rafshanzani Suhada | Unpatched | <https://wordfence.com/threat-intel/vulnerabilities/id/aa85abba-e13f-42cd-8f13-432ed375fb37> |
Simple URLs – Link Cloaking, Product Displays, and Affiliate Link Management | CVE-2023-40674 | 6.4 (Medium) | Rafshanzani Suhada | Unpatched | <https://wordfence.com/threat-intel/vulnerabilities/id/f8147f63-91a5-457c-8259-8e4ddf5c67e4> |
FTP Access | CVE-2023-3510 | 6.1 (Medium) | Bob Matyas | Unpatched | <https://wordfence.com/threat-intel/vulnerabilities/id/0a1e0d55-2894-450b-afaf-134a13512403> |
gAppointments - Appointment booking addon for Gravity Forms | CVE-2023-2705 | 6.1 (Medium) | Carlos David Garrido León | Patched | <https://wordfence.com/threat-intel/vulnerabilities/id/19983f79-b439-4bb0-8f29-8312f1ff9791> |
Min Max Control – Min Max Quantity & Step Control for WooCommerce | CVE-2023-4270 | 6.1 (Medium) | Animesh Gaurav | Patched | <https://wordfence.com/threat-intel/vulnerabilities/id/4240fcda-c61d-4888-8837-5012e5ba1f26> |
ElementsKit Elementor addons | CVE-2023-39993 | 5.4 (Medium) | Rafie Muhammad | Patched | <https://wordfence.com/threat-intel/vulnerabilities/id/5ff589ec-756d-4183-8bb8-61dae9be7c5d> |
FV Flowplayer Video Player | CVE-2023-4520 | 5.4 (Medium) | Lana Codes | Patched | <https://wordfence.com/threat-intel/vulnerabilities/id/c55ca7d4-6bc0-49c9-8ce0-50fff8775a76> |
Void Elementor Post Grid Addon for Elementor Page builder | CVE Unknown | 5.3 (Medium) | Unknown | Patched | <https://wordfence.com/threat-intel/vulnerabilities/id/1b847857-5dc9-4793-b9d6-759f27377fe3> |
Push Notification for Post and BuddyPress | CVE Unknown | 5.3 (Medium) | Unknown | Patched | <https://wordfence.com/threat-intel/vulnerabilities/id/228a3c72-fbb0-48bc-8066-6ca954a14421> |
Hide My WP Ghost – Security Plugin | CVE-2023-34001 | 5.3 (Medium) | konagash | Patched | <https://wordfence.com/threat-intel/vulnerabilities/id/5618db77-fe74-4982-92b3-cec554640bde> |
Posts Like Dislike | CVE Unknown | 5.3 (Medium) | Unknown | Unpatched | <https://wordfence.com/threat-intel/vulnerabilities/id/8babc42a-c45c-423f-bd09-da7afb947691> |
Secure Admin IP | CVE-2023-41133 | 5.3 (Medium) | Mika | Unpatched | <https://wordfence.com/threat-intel/vulnerabilities/id/a0f38af7-7753-4dbe-a4fd-e9a01785dd13> |
DoLogin Security | CVE Unknown | 5.3 (Medium) | Unknown | Patched | <https://wordfence.com/threat-intel/vulnerabilities/id/def06edd-ea4f-4b49-9902-b179d40e4133> |
Vertical marquee plugin | CVE-2023-40677 | 4.4 (Medium) | yuyuddn | Unpatched | <https://wordfence.com/threat-intel/vulnerabilities/id/06c86c87-840c-4ca6-9582-98254194eb1b> |
Cookies by JM | CVE-2023-40604 | 4.4 (Medium) | Nithissh S | Unpatched | <https://wordfence.com/threat-intel/vulnerabilities/id/3aa2a693-831b-44e7-b158-99fecf6506be> |
Slimstat Analytics | CVE-2023-40676 | 4.4 (Medium) | Rio Darmawan | Patched | <https://wordfence.com/threat-intel/vulnerabilities/id/3c14a863-2aed-4f65-a0e3-eb73e485ce85> |
Save as PDF plugin by Pdfcrowd | CVE-2023-40668 | 4.4 (Medium) | Mahesh Nagabhairava | Patched | <https://wordfence.com/threat-intel/vulnerabilities/id/52056177-8604-48b9-ab50-d0dc1e13a3d5> |
Translate WordPress with GTranslate | CVE Unknown | 4.4 (Medium) | Unknown | Unpatched | <https://wordfence.com/threat-intel/vulnerabilities/id/5e24be91-6a58-42c3-84dd-4090da55b720> |
WP Adminify – WordPress Dashboard Customization \| Custom Login \| Admin Columns \| Dashboard Widget \| Media Library Folders | CVE-2023-4060 | 4.4 (Medium) | Dipak Panchal | Patched | <https://wordfence.com/threat-intel/vulnerabilities/id/6ac72136-7911-4980-92b0-9bf18bed2201> |
Save as Image plugin by Pdfcrowd | CVE-2023-40665 | 4.4 (Medium) | Mahesh Nagabhairava | Patched | <https://wordfence.com/threat-intel/vulnerabilities/id/74b284b7-ec0a-42c1-82e5-0c8cb422c0c5> |
Leyka | CVE-2023-2995 | 4.4 (Medium) | An Dang | Patched | <https://wordfence.com/threat-intel/vulnerabilities/id/95210ed8-4606-44fa-b823-b33e1d4a4ce0> |
Landing Page Builder – Lead Page – Optin Page – Squeeze Page – WordPress Landing Pages | CVE-2023-40675 | 4.4 (Medium) | Rio Darmawan | Unpatched | <https://wordfence.com/threat-intel/vulnerabilities/id/c2e83cb5-3c10-45dc-b37e-4d47ebc6853d> |
WP VK-付费内容插件(付费阅读/资料/工具软件资源管理) | CVE Unknown | 4.3 (Medium) | Unknown | Patched | <https://wordfence.com/threat-intel/vulnerabilities/id/0c6bc786-341a-4ab6-b86e-d21bb3dbf298> |
iThemes Sync | CVE-2023-40001 | 4.3 (Medium) | Abdi Pranata | Patched | <https://wordfence.com/threat-intel/vulnerabilities/id/0f9229f2-e7dd-43c9-9c15-9b76c13e895b> |
Simple URLs – Link Cloaking, Product Displays, and Affiliate Link Management | CVE-2023-40678 | 4.3 (Medium) | Rafshanzani Suhada | Unpatched | <https://wordfence.com/threat-intel/vulnerabilities/id/118e1a8c-a638-4571-9ce9-cf2cba4b9b06> |
DX-auto-save-images | CVE-2023-40671 | 4.3 (Medium) | Skalucy | Unpatched | <https://wordfence.com/threat-intel/vulnerabilities/id/2f2fb51b-984c-4b82-98d4-9a681a1855a7> |
Royal Elementor Addons and Templates | CVE-2022-47175 | 4.3 (Medium) | Muhammad Daffa | Unpatched | <https://wordfence.com/threat-intel/vulnerabilities/id/4809d513-69e8-4572-9549-9dba9f40cb80> |
Sticky Social Media Icons | CVE-2023-40672 | 4.3 (Medium) | Nguyen Xuan Chien | Unpatched | <https://wordfence.com/threat-intel/vulnerabilities/id/58cfb328-40d0-4bea-a707-d5d6c1ce364a> |
ReviewX – Multi-criteria Rating & Reviews for WooCommerce | CVE-2023-40670 | 4.3 (Medium) | Abdi Pranata | Patched | <https://wordfence.com/threat-intel/vulnerabilities/id/9a9f4fb7-92f5-4136-9ca3-cf7bf5c0b717> |
Herd Effects – fake notifications and social proof plugin | CVE-2023-4318 | 4.3 (Medium) | Erwan LR | Patched | <https://wordfence.com/threat-intel/vulnerabilities/id/9fd15c0b-cd3b-45e7-8379-b0e64e64d6b1> |
Category Slider for WooCommerce | CVE-2023-41132 | 4.3 (Medium) | Abdi Pranata | Patched | <https://wordfence.com/threat-intel/vulnerabilities/id/ab1bd64b-8575-4ab4-bca5-8d5ce6f476d1> |
Simple URLs – Link Cloaking, Product Displays, and Affiliate Link Management | CVE Unknown | 4.3 (Medium) | Unknown | Unpatched | <https://wordfence.com/threat-intel/vulnerabilities/id/bf101b60-f12e-4326-8e39-96d6415a218d> |
Post and Page Builder by BoldGrid – Visual Drag and Drop Editor | CVE-2023-25480 | 4.3 (Medium) | Rio Darmawan | Patched | <https://wordfence.com/threat-intel/vulnerabilities/id/bf801042-5cd5-424f-a25a-858302285170> |
Slimstat Analytics | CVE-2023-33994 | 4.3 (Medium) | Rafshanzani Suhada | Patched | <https://wordfence.com/threat-intel/vulnerabilities/id/cbb8501e-7e8b-4ed6-8792-c685a69de982> |
Lock User Account | CVE-2023-4307 | 4.3 (Medium) | Dmitrii Ignatyev | Unpatched | <https://wordfence.com/threat-intel/vulnerabilities/id/d06f265c-c1c1-4316-9526-3392f6ee31da> |

As a reminder, Wordfence curates an industry-leading vulnerability database, Wordfence Intelligence, covering all known WordPress core, theme, and plugin vulnerabilities.
This database is continuously updated, maintained, and populated by Wordfence's highly credentialed and experienced vulnerability researchers through in-house vulnerability research, through vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring various sources to capture all publicly available WordPress vulnerability information, adding additional context where we can.
Click here to sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress security reports in your inbox the moment they are published.
The post Wordfence Intelligence Weekly WordPress Vulnerability Report (August 21, 2023 to August 27, 2023) appeared first on Wordfence.