Source: wordfence | Author: Chloe Chamberland | ID: WORDFENCE:9DE520911CA1E486094DD12FBF6BA033 | Published: Aug 31, 2023 - 12:57 p.m.

Wordfence Intelligence Weekly WordPress Vulnerability Report (August 21, 2023 to August 27, 2023)

2023-08-31 12:57:25
Chloe Chamberland
www.wordfence.com
Tags: wordfence intelligence, weekly report, wordpress security, vulnerability database, vulnerability researchers, threat intelligence, firewall rules, unpatched vulnerabilities, patched vulnerabilities, cvss severity, cwe type, researcher contributions

CVSS3: 7.5 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
Attack Vector: NETWORK | Attack Complexity: LOW | Privileges Required: NONE | User Interaction: NONE | Scope: UNCHANGED | Confidentiality Impact: NONE | Integrity Impact: HIGH | Availability Impact: NONE

CVSS2: 5.8 Medium (AV:N/AC:M/Au:N/C:P/I:P/A:N)
Access Vector: NETWORK | Access Complexity: MEDIUM | Authentication: NONE | Confidentiality Impact: PARTIAL | Integrity Impact: PARTIAL | Availability Impact: NONE

EPSS: 0.001 Low | Percentile: 40.1%

Last week, 43 vulnerabilities disclosed in 38 WordPress plugins and no WordPress themes were added to the Wordfence Intelligence Vulnerability Database, and 23 vulnerability researchers contributed to WordPress security. Review the vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, including the WordPress community, so that individuals and organizations alike can use that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API and webhook notifications are completely free to access and use, both personally and commercially, and why we run this weekly vulnerability report.

Click here to sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress security reports in your inbox the moment they are published.


New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30-day delay.


Total Unpatched & Patched Vulnerabilities Last Week

| Patch Status | Number of Vulnerabilities |
|---|---|
| Unpatched | 17 |
| Patched | 26 |

Total Vulnerabilities by CVSS Severity Last Week

| Severity Rating | Number of Vulnerabilities |
|---|---|
| Low Severity | 0 |
| Medium Severity | 35 |
| High Severity | 6 |
| Critical Severity | 2 |

Total Vulnerabilities by CWE Type Last Week

| Vulnerability Type by CWE | Number of Vulnerabilities |
|---|---|
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 16 |
| Missing Authorization | 13 |
| Cross-Site Request Forgery (CSRF) | 8 |
| Unrestricted Upload of File with Dangerous Type | 2 |
| Reliance on Untrusted Inputs in a Security Decision | 1 |
| Authentication Bypass Using an Alternate Path or Channel | 1 |
| Use of Less Trusted Source | 1 |
| Improper Privilege Management | 1 |

Researchers That Contributed to WordPress Security Last Week

| Researcher Name | Number of Vulnerabilities |
|---|---|
| Rafshanzani Suhada | 6 |
| Abdi Pranata | 3 |
| Rio Darmawan | 3 |
| Rafie Muhammad | 3 |
| Mahesh Nagabhairava | 2 |
| Nguyen Xuan Chien | 2 |
| yuyuddn | 1 |
| Bob Matyas | 1 |
| Carlos David Garrido León | 1 |
| Skalucy | 1 |
| Nithissh S | 1 |
| Animesh Gaurav | 1 |
| Muhammad Daffa | 1 |
| konagash | 1 |
| Dipak Panchal | 1 |
| Bartłomiej Marek | 1 |
| Tomasz Swiadek | 1 |
| An Dang | 1 |
| Erwan LR | 1 |
| Mika | 1 |
| Lana Codes (Wordfence Vulnerability Researcher) | 1 |
| Dmitrii Ignatyev | 1 |
| Revan Arifio | 1 |

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added to the Wordfence Intelligence leaderboard, along with a mention in our weekly vulnerability report.


WordPress Plugins with Reported Vulnerabilities Last Week

| Software Name | Software Slug |
|---|---|
| Category Slider for WooCommerce | woo-category-slider-grid |
| Collapse-O-Matic | jquery-collapse-o-matic |
| Cookies by JM | cookies-by-jm |
| DX-auto-save-images | dx-auto-save-images |
| DoLogin Security | dologin |
| ElementsKit Elementor addons | elementskit-lite |
| FTP Access | ftp-access |
| FV Flowplayer Video Player | fv-wordpress-flowplayer |
| Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager | folders |
| Herd Effects – fake notifications and social proof plugin | mwp-herd-effect |
| Hide My WP Ghost – Security Plugin | hide-my-wp |
| Jupiter X Core | jupiterx-core |
| Landing Page Builder – Lead Page – Optin Page – Squeeze Page – WordPress Landing Pages | page-builder-add |
| Leyka | leyka |
| Lock User Account | lock-user-account |
| Master Addons for Elementor | master-addons |
| MasterStudy LMS WordPress Plugin – for Online Courses and Education | masterstudy-lms-learning-management-system |
| Min Max Control – Min Max Quantity & Step Control for WooCommerce | woo-min-max-quantity-step-control-single |
| Post and Page Builder by BoldGrid – Visual Drag and Drop Editor | post-and-page-builder |
| Posts Like Dislike | posts-like-dislike |
| Premmerce User Roles | premmerce-user-roles |
| Push Notification for Post and BuddyPress | push-notification-for-post-and-buddypress |
| ReviewX – Multi-criteria Rating & Reviews for WooCommerce | reviewx |
| Royal Elementor Addons and Templates | royal-elementor-addons |
| Save as Image plugin by Pdfcrowd | save-as-image-by-pdfcrowd |
| Save as PDF plugin by Pdfcrowd | save-as-pdf-by-pdfcrowd |
| Secure Admin IP | secure-admin-ip |
| Simple URLs – Link Cloaking, Product Displays, and Affiliate Link Management | simple-urls |
| Slimstat Analytics | wp-slimstat |
| Sticky Social Media Icons | sticky-social-media-icons |
| Translate WordPress with GTranslate | gtranslate |
| URL Shortify – Simple, Powerful and Easy URL Shortener Plugin For WordPress | url-shortify |
| Vertical marquee plugin | vertical-marquee-plugin |
| Void Elementor Post Grid Addon for Elementor Page builder | void-elementor-post-grid-addon-for-elementor-page-builder |
| WP Adminify – WordPress Dashboard Customization Custom Login | |
| WP VK-付费内容插件(付费阅读/资料/工具软件资源管理) | wp-vk |
| gAppointments - Appointment booking addon for Gravity Forms | gAppointments |
| iThemes Sync | ithemes-sync |

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site with the scanner enabled, you should already have been notified if your site was affected by any of these vulnerabilities.

JupiterX Core <= 3.3.5 - Unauthenticated Arbitrary File Upload

Affected Software: Jupiter X Core
CVE ID: CVE-2023-38388
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/980a9237-7dea-4058-a850-b849457b4fef


JupiterX Core <= 3.3.8 - Unauthenticated Privilege Escalation

Affected Software: Jupiter X Core
CVE ID: CVE-2023-38389
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b894473b-b2ed-475b-892e-603db609f88a


Folders <= 2.9.2 - Authenticated (Author+) Arbitrary File Upload

Affected Software: Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager
CVE ID: CVE Unknown
CVSS Score: 8.8 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/35afef52-350c-4b61-b9c0-3ae2572f81fb


Premmerce User Roles <= 1.0.12 - Missing Authorization via role management functions

Affected Software: Premmerce User Roles
CVE ID: CVE-2023-41130
CVSS Score: 8.3 (High)
Researcher/s: Nguyen Xuan Chien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f53cd4a3-a6db-42c2-b4d8-218071c4bcd4


Master Addons for Elementor <= 2.0.3 - Missing Authorization

Affected Software: Master Addons for Elementor
CVE ID: CVE-2023-40679
CVSS Score: 7.3 (High)
Researcher/s: Rafshanzani Suhada
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6150c355-1046-483e-aa8b-463c3752021d


MasterStudy LMS <= 3.0.17 - Privilege Escalation

Affected Software: MasterStudy LMS WordPress Plugin – for Online Courses and Education
CVE ID: CVE-2023-4278
CVSS Score: 7.3 (High)
Researcher/s: Revan Arifio
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/df00c8bc-8acd-4197-86fe-b88cb47d52c3


Simple URLs <= 117 - Unauthenticated Cross-Site Scripting

Affected Software: Simple URLs – Link Cloaking, Product Displays, and Affiliate Link Management
CVE ID: CVE-2023-40667
CVSS Score: 7.2 (High)
Researcher/s: Rafshanzani Suhada
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/54c38be0-ffe7-4fa4-b5c9-cb717c11aed5


URL Shortify <= 1.7.5 - Unauthenticated Stored Cross-Site Scripting via Referrer Header

Affected Software: URL Shortify – Simple, Powerful and Easy URL Shortener Plugin For WordPress
CVE ID: CVE-2023-4294
CVSS Score: 7.2 (High)
Researcher/s: Bartłomiej Marek, Tomasz Swiadek
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7b452283-9f0d-469b-b1b8-4bd253f9ea1d


Collapse-O-Matic <= 1.8.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Collapse-O-Matic
CVE ID: CVE-2023-40669
CVSS Score: 6.4 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/aa85abba-e13f-42cd-8f13-432ed375fb37


Simple URLs <= 117 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Simple URLs – Link Cloaking, Product Displays, and Affiliate Link Management
CVE ID: CVE-2023-40674
CVSS Score: 6.4 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f8147f63-91a5-457c-8259-8e4ddf5c67e4


FTP Access <= 1.0 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting

Affected Software: FTP Access
CVE ID: CVE-2023-3510
CVSS Score: 6.1 (Medium)
Researcher/s: Bob Matyas
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0a1e0d55-2894-450b-afaf-134a13512403


gAppointments - Appointment booking addon for Gravity Forms <= 1.9.7 - Reflected Cross-Site Scripting

Affected Software: gAppointments - Appointment booking addon for Gravity Forms
CVE ID: CVE-2023-2705
CVSS Score: 6.1 (Medium)
Researcher/s: Carlos David Garrido León
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/19983f79-b439-4bb0-8f29-8312f1ff9791


Min Max Control <= 4.5 - Reflected Cross-Site Scripting

Affected Software: Min Max Control – Min Max Quantity & Step Control for WooCommerce
CVE ID: CVE-2023-4270
CVSS Score: 6.1 (Medium)
Researcher/s: Animesh Gaurav
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4240fcda-c61d-4888-8837-5012e5ba1f26


ElementsKit Elementor addons <= 2.9.1 - Missing Authorization

Affected Software: ElementsKit Elementor addons
CVE ID: CVE-2023-39993
CVSS Score: 5.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5ff589ec-756d-4183-8bb8-61dae9be7c5d


FV Flowplayer Video Player <= 7.5.37.7212 - Insufficient Input Validation to Unauthenticated Stored Cross-Site Scripting and Arbitrary Usermeta Update

Affected Software: FV Flowplayer Video Player
CVE ID: CVE-2023-4520
CVSS Score: 5.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c55ca7d4-6bc0-49c9-8ce0-50fff8775a76


Void Elementor Post Grid Addon for Elementor Page builder <= 2.1.10 - Missing Authorization to Review Notice Dismissal

Affected Software: Void Elementor Post Grid Addon for Elementor Page builder
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1b847857-5dc9-4793-b9d6-759f27377fe3


Push Notification for Post and BuddyPress <= 1.63 - Missing Authorization to Unauthenticated Admin Notice Dismissal

Affected Software: Push Notification for Post and BuddyPress
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/228a3c72-fbb0-48bc-8066-6ca954a14421


Hide My WP Ghost <= 5.0.25 - CAPTCHA Bypass in brute_math_authenticate

Affected Software: Hide My WP Ghost – Security Plugin
CVE ID: CVE-2023-34001
CVSS Score: 5.3 (Medium)
Researcher/s: konagash
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5618db77-fe74-4982-92b3-cec554640bde


Posts Like Dislike <= 1.1.1 - Missing Authorization to Authenticated (Subscriber+) Plugin Setting Reset

Affected Software: Posts Like Dislike
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Unknown
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8babc42a-c45c-423f-bd09-da7afb947691


Secure Admin IP <= 2.0 - Missing Authorization via 'saveSettings'

Affected Software: Secure Admin IP
CVE ID: CVE-2023-41133
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a0f38af7-7753-4dbe-a4fd-e9a01785dd13


DoLogin Security <= 3.6 - IP Address Spoofing

Affected Software: DoLogin Security
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/def06edd-ea4f-4b49-9902-b179d40e4133


Vertical Marquee Plugin <= 7.1 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Vertical marquee plugin
CVE ID: CVE-2023-40677
CVSS Score: 4.4 (Medium)
Researcher/s: yuyuddn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/06c86c87-840c-4ca6-9582-98254194eb1b


Cookies by JM <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Cookies by JM
CVE ID: CVE-2023-40604
CVSS Score: 4.4 (Medium)
Researcher/s: Nithissh S
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3aa2a693-831b-44e7-b158-99fecf6506be


Slimstat Analytics <= 5.0.8 - Authenticated (Administrator+) Stored Cross-Site Scripting via settings

Affected Software: Slimstat Analytics
CVE ID: CVE-2023-40676
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3c14a863-2aed-4f65-a0e3-eb73e485ce85


Save as PDF plugin by Pdfcrowd <= 2.16.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via admin settings

Affected Software: Save as PDF plugin by Pdfcrowd
CVE ID: CVE-2023-40668
CVSS Score: 4.4 (Medium)
Researcher/s: Mahesh Nagabhairava
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/52056177-8604-48b9-ab50-d0dc1e13a3d5


GTranslate <= 3.0.3 - Authenticated (Administrator+) Cross-Site Scripting via Multiple Parameters

Affected Software: Translate WordPress with GTranslate
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5e24be91-6a58-42c3-84dd-4090da55b720


WP Adminify <= 3.1.5 - Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: WP Adminify – WordPress Dashboard Customization | Custom Login | Admin Columns | Dashboard Widget | Media Library Folders
CVE ID: CVE-2023-4060
CVSS Score: 4.4 (Medium)
Researcher/s: Dipak Panchal
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6ac72136-7911-4980-92b0-9bf18bed2201


Save as Image plugin by Pdfcrowd <= 2.16.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via settings

Affected Software: Save as Image plugin by Pdfcrowd
CVE ID: CVE-2023-40665
CVSS Score: 4.4 (Medium)
Researcher/s: Mahesh Nagabhairava
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/74b284b7-ec0a-42c1-82e5-0c8cb422c0c5


Leyka <= 3.30.3 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Leyka
CVE ID: CVE-2023-2995
CVSS Score: 4.4 (Medium)
Researcher/s: An Dang
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/95210ed8-4606-44fa-b823-b33e1d4a4ce0


Landing Page Builder <= 1.5.1.1 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Landing Page Builder – Lead Page – Optin Page – Squeeze Page – WordPress Landing Pages
CVE ID: CVE-2023-40675
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c2e83cb5-3c10-45dc-b37e-4d47ebc6853d


WP VK-付费内容插件 <= 1.3.3 - Cross-Site Request Forgery via AJions

Affected Software: WP VK-付费内容插件(付费阅读/资料/工具软件资源管理)
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0c6bc786-341a-4ab6-b86e-d21bb3dbf298


iThemes Sync <= 2.1.13 - Cross-Site Request Forgery and Missing Authorization via 'hide_authenticate_notice'

Affected Software: iThemes Sync
CVE ID: CVE-2023-40001
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0f9229f2-e7dd-43c9-9c15-9b76c13e895b


Simple URLs <= 117 - Missing Authorization via AJAX actions

Affected Software: Simple URLs – Link Cloaking, Product Displays, and Affiliate Link Management
CVE ID: CVE-2023-40678
CVSS Score: 4.3 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/118e1a8c-a638-4571-9ce9-cf2cba4b9b06


DX-auto-save-images <= 1.4.0 - Cross-Site Request Forgery

Affected Software: DX-auto-save-images
CVE ID: CVE-2023-40671
CVSS Score: 4.3 (Medium)
Researcher/s: Skalucy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2f2fb51b-984c-4b82-98d4-9a681a1855a7


Royal Elementor Addons <= 1.3.75 - Cross-Site Request Forgery

Affected Software: Royal Elementor Addons and Templates
CVE ID: CVE-2022-47175
CVSS Score: 4.3 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4809d513-69e8-4572-9549-9dba9f40cb80


Sticky Social Media Icons <= 2.0 - Missing Authorization via ajax_request_handle

Affected Software: Sticky Social Media Icons
CVE ID: CVE-2023-40672
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/58cfb328-40d0-4bea-a707-d5d6c1ce364a


ReviewX <= 1.6.17 - Missing Authorization in rx_coupon_from_submit

Affected Software: ReviewX – Multi-criteria Rating & Reviews for WooCommerce
CVE ID: CVE-2023-40670
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9a9f4fb7-92f5-4136-9ca3-cf7bf5c0b717


Herd Effects <= 5.2.3 - Cross-Site Request Forgery to Effect Deletion

Affected Software: Herd Effects – fake notifications and social proof plugin
CVE ID: CVE-2023-4318
CVSS Score: 4.3 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9fd15c0b-cd3b-45e7-8379-b0e64e64d6b1


Category Slider for WooCommerce <= 1.4.15 - Missing Authorization via notice dismissal functionality

Affected Software: Category Slider for WooCommerce
CVE ID: CVE-2023-41132
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ab1bd64b-8575-4ab4-bca5-8d5ce6f476d1


Simple URLs <= 117 - Cross-Site Request Forgery via AJAX actions

Affected Software: Simple URLs – Link Cloaking, Product Displays, and Affiliate Link Management
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bf101b60-f12e-4326-8e39-96d6415a218d


Post and Page Builder by BoldGrid – Visual Drag and Drop Editor <= 1.24.1 - Cross-Site Request Forgery via submitDefaultEditor

Affected Software: Post and Page Builder by BoldGrid – Visual Drag and Drop Editor
CVE ID: CVE-2023-25480
CVSS Score: 4.3 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bf801042-5cd5-424f-a25a-858302285170


Slimstat Analytics <= 5.0.5.1 - Missing Authorization via delete_pageview

Affected Software: Slimstat Analytics
CVE ID: CVE-2023-33994
CVSS Score: 4.3 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cbb8501e-7e8b-4ed6-8792-c685a69de982


Lock User Account <= 1.0.3 - Cross-Site Request Forgery to Account Lock/Unlock

Affected Software: Lock User Account
CVE ID: CVE-2023-4307
CVSS Score: 4.3 (Medium)
Researcher/s: Dmitrii Ignatyev
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d06f265c-c1c1-4316-9526-3392f6ee31da


As a reminder, Wordfence has curated an industry-leading vulnerability database, known as Wordfence Intelligence, covering all known WordPress core, theme, and plugin vulnerabilities.

This database is continuously updated, maintained, and populated by Wordfence's highly credentialed and experienced vulnerability researchers through in-house vulnerability research, through vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring various sources to capture all publicly available WordPress vulnerability information and add additional context where we can.

Click here to sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress security reports in your inbox the moment they are published.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (August 21, 2023 to August 27, 2023) appeared first on Wordfence.
