Chloe Chamberland, Wordfence (WORDFENCE:B2BBFA00DF86BF8E854E701CB8C57F1F)
Jan 05, 2024 - 1:20 p.m.

Wordfence Intelligence Weekly WordPress Vulnerability Report (December 18, 2023 to December 31, 2023)

www.wordfence.com
Tags: wordfence, wordpress, vulnerabilities, plugins, themes, researchers, api, cli scanner, webhooks, firewall, directory traversal

CVSS3: 9.8 High (aggregator rating; 9.8 is Critical on the CVSS v3.1 qualitative scale)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network | Attack Complexity: Low | Privileges Required: None | User Interaction: None | Scope: Unchanged | Confidentiality Impact: High | Integrity Impact: High | Availability Impact: High

AI Score: 10 High (Confidence: High)

CVSS2: 7.5 High
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Access Vector: Network | Access Complexity: Low | Authentication: None | Confidentiality Impact: Partial | Integrity Impact: Partial | Availability Impact: Partial

EPSS: 0.005 Low (Percentile: 74.6%)

🎉Wordfence just launched its bug bounty program. For the first 6 months, all awarded bounties receive a 10% bonus. View the announcement to learn more now!

Over the last two weeks, 263 vulnerabilities were disclosed in 217 WordPress plugins and 3 WordPress themes and added to the Wordfence Intelligence Vulnerability Database, and 42 vulnerability researchers contributed to WordPress security over that period. Review the vulnerabilities in this report to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone in the WordPress community and beyond, so individuals and organizations alike can use that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and use, both personally and commercially, and why we are running this weekly vulnerability report.

Enterprises, hosting providers, and individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Alternatively, use the vulnerability database API to pull a complete dump of the database of over 12,000 vulnerabilities, then use the webhook integration to receive new vulnerabilities and updates to existing records as they are added, all for free.
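The heart of either approach is the same check: take the feed, take the slug and version of every installed plugin, and decide whether each version falls inside an affected range. The Python below is an added example written for this report (it is not the Wordfence CLI scanner or the API client). The feed shape it assumes (records keyed by vulnerability UUID, each with title, cve_id, cvss.score and a software list carrying slug, patched flag and affected_versions ranges) is a simplified model of the feed and the field names should be verified against the live feed before use; the sample records are constructed from entries in this report and the sample inventory is made up. Version ordering follows PHP's version_compare(), which is what WordPress itself uses, so pre-release suffixes and multi-digit components compare the way the site would see them.

```python
# Added example (not Wordfence's code): match installed plugin versions against
# a vulnerability feed. ASSUMPTION: feed shape and field names below are a
# simplified model of the Wordfence Intelligence feed. Sample data constructed.
import re
from dataclasses import dataclass

# Ordering of non-numeric version parts as in PHP's version_compare(): unknown
# strings rank lowest (-1), plain numbers rank as "#" (4), so
# "1.0.0" > "1.0.0-rc1" but "1.0.0" < "1.0.0pl1".
_SPECIAL = {"dev": 0, "alpha": 1, "a": 1, "beta": 2, "b": 2, "rc": 3,
            "#": 4, "pl": 5, "p": 5}
_TOKEN = re.compile(r"\d+|[A-Za-z]+")


def _rank(tok: str) -> int:
    return 4 if tok.isdigit() else _SPECIAL.get(tok.lower(), -1)


def version_compare(a: str, b: str) -> int:
    """Close approximation of PHP version_compare(): returns -1, 0 or 1."""
    ta, tb = _TOKEN.findall(a), _TOKEN.findall(b)
    for x, y in zip(ta, tb):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)          # numeric parts compare as integers (10 > 9)
        else:
            xi, yi = _rank(x), _rank(y)      # otherwise by special-form rank
        if xi != yi:
            return 1 if xi > yi else -1
    if len(ta) == len(tb):
        return 0
    # One side has extra parts: PHP compares "#" against the first extra part, so a
    # trailing number or "pl" makes the longer version greater, dev/alpha/beta/rc smaller.
    longer, sign = (ta, 1) if len(ta) > len(tb) else (tb, -1)
    return sign if _rank(longer[min(len(ta), len(tb))]) >= 4 else -sign


@dataclass(frozen=True)
class VersionRange:
    """One affected range; "*" on either end means unbounded."""
    from_version: str = "*"
    from_inclusive: bool = True
    to_version: str = "*"
    to_inclusive: bool = True

    def contains(self, version: str) -> bool:
        if self.from_version != "*":
            c = version_compare(version, self.from_version)
            if c < 0 or (c == 0 and not self.from_inclusive):
                return False
        if self.to_version != "*":
            c = version_compare(version, self.to_version)
            if c > 0 or (c == 0 and not self.to_inclusive):
                return False
        return True


def _record(title, cve, score, slug, patched, max_affected):
    """Build one feed record in the assumed shape: a plugin with an unbounded lower end."""
    return {"title": title, "cve_id": cve, "cvss": {"score": score},
            "software": [{"type": "plugin", "slug": slug, "patched": patched,
                          "affected_versions": {f"* - {max_affected}": {
                              "from_version": "*", "from_inclusive": True,
                              "to_version": max_affected, "to_inclusive": True}}}]}


# Constructed sample feed; UUIDs, titles, CVEs and bounds are taken from this report.
SAMPLE_FEED = {
    "1b4630f7-74db-46c4-bf86-f1ff64be3463": _record(
        "BERTHA AI Plugin <= 1.11.10.7 - Unauthenticated Arbitrary File Upload",
        "CVE-2023-51419", 9.8, "bertha-ai-free", True, "1.11.10.7"),
    "2f52298b-344b-4561-b1bf-93bea95a3e53": _record(
        "Piotnet Forms Plugin <= 1.0.25 - Unauthenticated Arbitrary File Upload",
        "CVE-2023-51412", 9.8, "piotnetforms", False, "1.0.25"),
    "44a921e7-cce3-4347-968d-76dab243fcd6": _record(
        "WP Clone <= 2.4.2 - Sensitive Information Exposure",
        "CVE-2023-6750", 9.8, "wp-clone-by-wp-academy", True, "2.4.2"),
    "01ab2ed8-ff2f-41ac-bbbd-d8878fd067d6": _record(
        "Recipe Maker For Your Food Blog from Zip Recipes <= 8.1.0 - Authenticated (Contributor+) SQL Injection",
        "CVE-2023-52180", 8.8, "zip-recipes", True, "8.1.0"),
}

# Constructed inventory, slug -> installed version (what `wp plugin list --format=json` reports).
SAMPLE_INSTALLED = {
    "bertha-ai-free": "1.11.10.7",       # exactly at the inclusive upper bound
    "piotnetforms": "1.0.10",            # 10 > 9 numerically, still <= 1.0.25
    "wp-clone-by-wp-academy": "2.4.3",   # above the affected range
    "zip-recipes": "8.1.0-rc1",          # pre-release of the last affected version
    "akismet": "5.3",                    # not in the feed at all
}


def find_affected(feed, installed):
    """One finding per (installed plugin, vulnerability) whose version is in an affected range, highest CVSS first."""
    findings = []
    for vuln_id, rec in feed.items():
        for sw in rec["software"]:
            slug = sw.get("slug")
            if sw.get("type") != "plugin" or slug not in installed:
                continue
            version = installed[slug]
            for label, rng in sw.get("affected_versions", {}).items():
                if VersionRange(**rng).contains(version):
                    findings.append({"id": vuln_id, "cve": rec.get("cve_id"),
                                     "cvss": rec["cvss"]["score"], "slug": slug,
                                     "installed": version, "range": label,
                                     "patched": sw.get("patched", False), "title": rec["title"]})
                    break
    findings.sort(key=lambda f: f["cvss"], reverse=True)
    return findings


if __name__ == "__main__":
    for f in find_affected(SAMPLE_FEED, SAMPLE_INSTALLED):
        fix = "update available" if f["patched"] else "NO PATCH - consider disabling"
        print(f'{f["cvss"]:>4}  {f["cve"]:<15} {f["slug"]} {f["installed"]} ({f["range"]}): {fix}')
```

Two things to note when adapting this to a real inventory: the patched flag only tells you a fix exists, not which version carries it, so act on the range rather than on the flag; and a plugin installed from outside the wordpress.org directory may carry a slug that does not match the feed, in which case a negative result means "not matched", not "not affected".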

Click here to sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress security reports in your inbox the moment they are published.


New Firewall Rules Deployed Last Two Weeks

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers over the last two weeks:

  • Directory Traversal via HTTP Headers

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.
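Sites on the free tier wait 30 days for that rule, so a stop-gap check at the edge is worth having. The Python below is an added, illustrative example written for this report; it is not the Wordfence rule, and the report does not say which plugin or which header that rule targets. It percent-decodes each header value repeatedly (to catch double encoding), normalises backslashes, and flags a value only when a whole ".." path segment or a NUL byte survives decoding. The X-Template header name and all sample requests are constructed.

```python
# Added example (not the Wordfence firewall rule): flag request headers that
# carry a directory-traversal sequence after decoding. The header name
# X-Template and the sample requests are constructed for this example.
import re
from urllib.parse import unquote

# A ".." that forms a whole path segment: "../", "/../", "/.." or a bare "..".
# Matching whole segments avoids false positives on "wait..." while still
# catching "..\" (backslashes are normalised to "/" before matching).
_TRAVERSAL = re.compile(r"(?:^|/)\.\.(?:/|$)")


def decode_layers(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, so %252e%252e%252f
    (double-encoded ../) is caught as well as %2e%2e%2f. Bounded so a
    pathological input cannot keep the loop busy."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(value: str) -> bool:
    """True if the decoded value contains a parent-directory segment or a NUL byte."""
    normalised = decode_layers(value).replace("\\", "/")
    return "\x00" in normalised or _TRAVERSAL.search(normalised) is not None


def inspect_headers(headers: dict) -> list:
    """(header name, decoded value) for every header carrying a traversal sequence."""
    return [(name, decode_layers(value))
            for name, value in headers.items() if has_traversal(value)]


# Constructed sample requests (headers only). Requests 2-5 are hostile.
SAMPLE_REQUESTS = [
    {"Host": "example.test", "User-Agent": "Mozilla/5.0", "X-Forwarded-For": "203.0.113.7"},
    {"Host": "example.test", "Referer": "https://example.test/wp-admin/", "Accept-Language": "en-US,en;q=0.9"},
    {"Host": "example.test", "X-Template": "../../wp-config.php"},            # plain
    {"Host": "example.test", "X-Template": "..%2F..%2Fwp-config.php"},        # encoded slash
    {"Host": "example.test", "X-Template": "%252e%252e%252fwp-config.php"},   # double-encoded
    {"Host": "example.test", "X-Template": "..\\..\\wp-config.php"},          # backslashes
    {"Host": "example.test", "X-Template": "theme/header.php"},               # benign relative path
]


def scan_requests(requests: list) -> list:
    """Indices of the requests that have at least one flagged header."""
    return [i for i, hdrs in enumerate(requests) if inspect_headers(hdrs)]


if __name__ == "__main__":
    for i in scan_requests(SAMPLE_REQUESTS):
        for name, value in inspect_headers(SAMPLE_REQUESTS[i]):
            print(f"request {i}: {name}: {value!r}")
```

Treat a hit as a signal to log and block, not as proof of exploitation: the plugin is the thing that is vulnerable, and the durable fix is for it to resolve the path it builds (for example with realpath()) and refuse anything that lands outside its intended base directory. Applying the check to every header rather than a known-bad one costs little and is the safer default when, as here, the exact header the vulnerable code reads is not published.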


Total Unpatched & Patched Vulnerabilities Last Two Weeks

Patch Status Number of Vulnerabilities
Unpatched 43
Patched 220

Total Vulnerabilities by CVSS Severity Last Two Weeks

Severity Rating Number of Vulnerabilities
Low Severity 1
Medium Severity 212
High Severity 30
Critical Severity 20

Total Vulnerabilities by CWE Type Last Two Weeks

Vulnerability Type by CWE Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') 77
Missing Authorization 51
Cross-Site Request Forgery (CSRF) 47
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') 30
Unrestricted Upload of File with Dangerous Type 9
Deserialization of Untrusted Data 7
Information Exposure Through Log Files 7
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') 5
Information Exposure 4
Protection Mechanism Failure 3
Authorization Bypass Through User-Controlled Key 3
Server-Side Request Forgery (SSRF) 2
URL Redirection to Untrusted Site ('Open Redirect') 2
Storage of Sensitive Data in a Mechanism without Access Control 2
Weak Password Recovery Mechanism for Forgotten Password 2
Improper Input Validation 2
Improper Privilege Management 1
Reliance on IP Address for Authentication 1
External Control of File Name or Path 1
Information Exposure Through Debug Information 1
Use of Less Trusted Source 1
Improper Authentication 1
Improper Authorization 1
Improper Access Control 1
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') 1
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') 1

Researchers That Contributed to WordPress Security Last Two Weeks

Researcher Name Number of Vulnerabilities
Rafie Muhammad 61
Brandon James Roldan (tomorrowisnew) 24
Muhammad Daffa 23
Ngô Thiên An (ancorn_) 16
LVT-tholv2k 14
emad 11
Abdi Pranata 10
Joshua Chan 10
Nguyen Xuan Chien 9
Abu Hurayra (HurayraIIT) 9
Mika 6
Skalucy 6
Dave Jong 6
thiennv 5
resecured.io 5
Revan Arifio 5
Huynh Tien Si 3
wpdabh 3
Le Ngoc Anh 3
Dmitrii Ignatyev 3
DoYeon Park (p6rkdoye0n) 3
Hiroho Shimada 2
Kyle Sanchez 2
Hung -mov Nguyen 2
Webbernaut 2
Nguyen Anh Tien 2
Jeongwoo-Lee(Roronoa) 2
Elliot 1
István Márton (Wordfence Vulnerability Researcher) 1
Taihei Shimamine 1
Rein Daelman (trein) 1
Robert DeVore 1
Marc-Alexandre Montpas 1
Vladislav Pokrovsky (ΞX.MI) 1
Yuchen Ji 1
Fariq Fadillah Gusti Insani (fariqfgi) 1
Yudistira Arya 1
Lucio Sá 1
Francesco Carlucci 1
Benmalek Aymen (centaurus) 1
Nex Team 1
Françoa Taffarel 1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.


WordPress Plugins with Reported Vulnerabilities Last Two Weeks

Software Name Software Slug
404 Solution 404-solution
AI Power: Complete AI Pack – Powered by GPT-4 gpt3-ai-content-generator
AMP for WP – Accelerated Mobile Pages accelerated-mobile-pages
ARI Stream Quiz – WordPress Quizzes Builder ari-stream-quiz
ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup armember-membership
Accredible Certificates & Open Badges accredible-certificates
Active Products Tables for WooCommerce. Professional products tables for WooCommerce store profit-products-tables-for-woocommerce
Add Any Extension to Pages add-any-extension-to-pages
Advanced Access Manager – Restricted Content, Users & Roles, Enhanced Security and More advanced-access-manager
Advanced Category Template advanced-category-template
Advanced Form Integration – Connect WooCommerce and Contact Form 7 to Google Sheets and other platforms advanced-form-integration
Affiliates Manager affiliates-manager
All-in-one Floating Contact Form, Call, Chat, and 50+ Social Icon Tabs – My Sticky Elements mystickyelements
Apollo13 Framework Extensions apollo13-framework-extensions
Appointment & Event Booking Calendar Plugin – Webba Booking webba-booking-lite
Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin simply-schedule-appointments
Author Box, Guest Author and Co-Authors for Your Posts – Molongui molongui-authorship
Auto Amazon Links – Amazon Associates Affiliate Plugin amazon-auto-links
Awesome Support – WordPress HelpDesk & Support Plugin awesome-support
BERTHA AI. Your AI co-pilot for WordPress and Chrome bertha-ai-free
Back Button Widget back-button-widget
Backup Migration backup-backup
Beaver Builder – WordPress Page Builder beaver-builder-lite-version
Block IPs for Gravity Forms gf-block-ips
Booking Calendar Appointment Booking
Booking Manager booking-manager
Booking for Appointments and Events Calendar – Amelia ameliabooking
BookingPress – Appointment Booking Calendar Plugin and Online Scheduling Plugin bookingpress-appointment-booking
Booster Elite for WooCommerce booster-elite-for-woocommerce
Branda – White Label WordPress, Custom Login Page Customizer branda-white-labeling
Brave – Create Popup, Optins, Lead Generation, Survey, Sticky Elements & Interactive Content brave-popup-builder
BuddyPress buddypress
Build App Online build-app-online
BulkGate SMS Plugin for WooCommerce woosms-sms-module-for-woocommerce
Business Directory Plugin – Easy Listing Directories for WordPress business-directory-plugin
CBX Bookmark & Favorite cbxwpbookmark
CRM Perks Forms – WordPress Form Builder crm-perks-forms
CSS & JavaScript Toolbox css-javascript-toolbox
CURCY – Multi Currency for WooCommerce UNKNOWN-CVE-2023-50831-1
Calculated Fields Form calculated-fields-form
Checkout Mestres WP checkout-mestres-wp
Clockwork SMS Notfications mediaburst-email-to-sms
Clone wp-clone-by-wp-academy
Colibri Page Builder colibri-page-builder
Conversios – Google Analytics 4 (GA4), Meta Pixel & more Via Google Tag Manager For WooCommerce enhanced-e-commerce-for-woocommerce-store
Crowdsignal Dashboard – Polls, Surveys & more polldaddy
Currency Converter Widget – Exchange Rates currency-converter-widget
Custom 404 Pro custom-404-pro
Custom Post Carousels with Owl dd-post-carousel
Custom Twitter Feeds – A Tweets Widget or X Feed Widget custom-twitter-feeds
Customer Reviews for WooCommerce customer-reviews-woocommerce
Customize My Account for WooCommerce customize-my-account-for-woocommerce
Dan's Embedder for Google Calendar dans-gcal
Database Cleaner: Clean, Optimize & Repair database-cleaner
Defender Security – Malware Scanner, Login Security & Firewall defender-security
Disable Json API, Login Lockdown, XMLRPC, Pingback, Stop User Enumeration Anti Hacker Scan antihacker
Doofinder WP & WooCommerce Search doofinder-for-woocommerce
Duplicator – WordPress Migration & Backup Plugin duplicator
Dynamic Content for Elementor dynamic-content-for-elementor
E2Pdf – Export To Pdf Tool for WordPress e2pdf
Easy Digital Downloads – Sell Digital Files (eCommerce Store & Payments Made Easy) easy-digital-downloads
Easy PayPal & Stripe Buy Now Button wp-ecommerce-paypal
Easy Video Player easy-video-player
Eazy Plugin Manager – Powerful Plugin Management Solution for WordPress plugins-on-steroids
Enable Media Replace enable-media-replace
EnvíaloSimple: Email Marketing y Newsletters envialosimple-email-marketing-y-newsletters-gratis
Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates essential-blocks
Event Monster – Event Management, Tickets Booking, Upcoming Event event-monster
Events Shortcodes For The Events Calendar template-events-calendar
Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin everest-backup
Everest Forms – Build Contact Forms, Surveys, Polls, Application Forms, and more with Ease! everest-forms
Export Media URLs export-media-urls
FOX – Currency Switcher Professional for WooCommerce woocommerce-currency-switcher
FastDup – Fastest WordPress Migration & Duplicator fastdup
Floating Button floating-button
Fluent Support – WordPress Helpdesk and Customer Support Ticket Plugin fluent-support
Form plugin for WordPress – Zoho Forms zoho-forms
Frontend Admin by DynamiApps acf-frontend-form-element
Funnel Builder for WordPress by FunnelKit – Customize WooCommerce Checkout Pages, Create Sales Funnels & Maximize Profits funnel-builder
FunnelKit Checkout woofunnels-aero-checkout
GEO my WordPress geo-my-wp
GeoDirectory – WordPress Business Directory Plugin, or Classified Directory geodirectory
Google Photos Gallery with Shortcodes google-picasa-albums-viewer
HT Mega – Absolute Addons For Elementor ht-mega-for-elementor
HTML Forms html-forms
HUSKY – Products Filter for WooCommerce Professional woocommerce-products-filter
Happy Addons for Elementor happy-elementor-addons
HashBar – WordPress Notification Bar hashbar-wp-notification-bar
Icegram Engage – WordPress Lead Generation, Popup Builder, CTA, Optins and Email List Building icegram
If-So Dynamic Content Personalization if-so
Image Optimizer, Resizer and CDN – Sirv sirv
Image Source Control Lite – Show Image Credits and Captions image-source-control-isc
Impreza – WordPress Website and WooCommerce Builder impreza
Inline Image Upload for BBPress image-upload-for-bbpress
Insert or Embed Articulate Content into WordPress insert-or-embed-articulate-content-into-wordpress
Integrate Google Drive – Browse, Upload, Download, Embed, Play, Share, Gallery, and Manage Your Google Drive Files Into Your WordPress Site integrate-google-drive
JS Help Desk – Best Help Desk & Support Plugin js-support-ticket
JSM file_get_contents() Shortcode wp-file-get-contents
JVM Gutenberg Rich Text Icons jvm-rich-text-icons
Job Manager & Career – Manage job board listings, and recruitments job-manager-career
LA-Studio Element Kit for Elementor lastudio-element-kit
Limit Login Attempts Reloaded limit-login-attempts-reloaded
Loan Repayment Calculator and Application Form quick-interest-slider
Local Delivery Drivers for WooCommerce local-delivery-drivers-for-woocommerce
Login Lockdown – Protect Login Form login-lockdown
Login as User or Customer login-as-customer-or-user
Logo Slider – Logo Showcase, Logo Carousel, Logo Gallery and Client Logo Presentation gs-logo-slider
MC4WP: Mailchimp for WordPress mailchimp-for-wp
MF Gig Calendar mf-gig-calendar
MStore API mstore-api
Mail logging – WP Mail Catcher wp-mail-catcher
Malware Scanner miniorange-malware-protection
Media File Renamer: Rename Files (Manual, Auto & AI) media-file-renamer
Menu Image, Icons made easy menu-image
Metform Elementor Contact Form Builder metform
Most And Least Read Posts Widget most-and-least-read-posts-widget
Multi Step Form multi-step-form
MultiVendorX Marketplace – WooCommetrce MultiVendor Marketplace Solution dc-woocommerce-multi-vendor
My Agile Privacy – The only GDPR solution for WordPress that you can truly trust myagileprivacy
NEX-Forms – Ultimate Form Builder – Contact forms and much more nex-forms-express-wp-form-builder
New User Approve new-user-approve
NitroPack – Cache & Speed Optimization for Core Web Vitals, Defer CSS & JavaScript, Lazy load Images nitropack
Page Generator page-generator
Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction paid-member-subscriptions
Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions paid-memberships-pro
Pay with Vipps for WooCommerce woo-vipps
Photo Gallery by 10Web – Mobile-Friendly Image Gallery photo-gallery
Piotnet Forms piotnetforms
Poll Maker – Best WordPress Poll Plugin poll-maker
Pre* Party Resource Hints pre-party-browser-hints
Product Catalog Simple post-type-x
Product Code for WooCommerce product-code-for-woocommerce
Product Feed Manager – WooCommerce to Google Shopping, Social Catalogs, and 170+ Popular Marketplaces best-woocommerce-feed
Product Filter by WBW woo-product-filter
Product Table by WBW woo-product-tables
Product Vendors woocommerce-product-vendors
ProfileGrid – User Profiles, Memberships, Groups and Communities profilegrid-user-profiles-groups-and-communities
Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress quiz-master-next
Rate my Post – WP Rating System rate-my-post
Recipe Maker For Your Food Blog from Zip Recipes zip-recipes
Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit wp-marketing-automations
RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login custom-registration-form-builder-with-submission-manager
Rencontre – Dating Site rencontre
Republish Old Posts republish-old-posts
Restaurant Reservations nd-restaurant-reservations
Rise Blocks – A Complete Gutenberg Page Builder rise-blocks
Schema & Structured Data for WP & AMP schema-and-structured-data-for-wp
Send Users Email send-users-email
Sensei LMS – Online Courses, Quizzes, & Learning sensei-lms
Seos Contact Form seos-contact-form
Simple Counter abwp-simple-counter
Simple Job Board simple-job-board
Simple Membership simple-membership
Simple Staff List simple-staff-list
Slider by Soliloquy – Responsive Image Slider for WordPress soliloquy-lite
Spam protection, Anti-Spam, FireWall by CleanTalk cleantalk-spam-protect
Split Test For Elementor split-test-for-elementor
Squirrly SEO - Advanced Pack squirrly-seo-pack
Sticky Chat Widget: WhatsApp, Messenger, Click to chat, SMS, Email, Messages, Call Button, Contact form and more Chat buttons sticky-chat-widget
Stock Ticker stock-ticker
Store Locator WordPress agile-store-locator
Strong Testimonials strong-testimonials
Stylish Price List – Price Table Builder & QR Code Restaurant Menu stylish-price-list
SureFeedback Client Site projecthuddle-child-site
TerraClassifieds – Simple Classifieds Plugin terraclassifieds
Theme per user theme-per-user
Themify Icons themify-icons
Thrive Automator thrive-automator
Ultimate Addons for Beaver Builder bb-ultimate-addon
Ultimate Addons for WPBakery Ultimate_VC_Addons
Ultimate Dashboard – Custom WordPress Dashboard ultimate-dashboard
Uncanny Automator – Automate everything with the #1 no-code automation and integration plugin uncanny-automator
User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds userfeedback-lite
Verge3D Publishing and E-Commerce verge3d
WP Adminify – WordPress Dashboard Customization Custom Login
WP Affiliate Disclosure wp-affiliate-disclosure
WP Chat App wp-whatsapp
WP Crowdfunding wp-crowdfunding
WP Edit Username wp-edit-username
WP Frontend Profile wp-front-end-profile
WP Go Maps (formerly WP Google Maps) wp-google-maps
WP Job Portal – A Complete Job Board wp-job-portal
WP MLM SOFTWARE PLUGIN wp-mlm
WP Mail Log wp-mail-log
WP Optin Wheel – Gamified Optin Email Marketing Tool for WordPress and WooCommerce wp-optin-wheel
WP Remote Site Search wp-remote-site-search
WP Review Slider wp-facebook-reviews
WP Shortcodes Plugin — Shortcodes Ultimate shortcodes-ultimate
WP Simple Booking Calendar wp-simple-booking-calendar
WP Stripe Checkout wp-stripe-checkout
WP Tabs – Responsive Tabs Plugin for WordPress wp-expand-tabs-free
WP User Profile Avatar wp-user-profile-avatar
WPC Product Bundles for WooCommerce woo-product-bundle
WPCS – WordPress Currency Switcher Professional currency-switcher
WS Form LITE – Drag & Drop Contact Form Builder for WordPress ws-form
Webinar Plugin: Create live/evergreen/automated/instant webinars, stream & Zoom Meetings WebinarIgnition
Welcart e-Commerce usc-e-shop
White Label – WordPress Custom Admin, Custom Login Page, and Custom Dashboard white-label
WooCommerce Easy Duplicate Product woo-easy-duplicate-product
WooCommerce Menu Extension woocommerce-menu-extension
WooCommerce PDF Invoice Builder, Create invoices, packing slips and more woo-pdf-invoice-builder
WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels print-invoices-packing-slip-labels-for-woocommerce
WooCommerce Per Product Shipping woocommerce-shipping-per-product
WooCommerce Ship to Multiple Addresses woocommerce-shipping-multiple-addresses
WooCommerce Stripe Payment Gateway woocommerce-gateway-stripe
WooCommerce Warranty Requests woocommerce-warranty
WooPayments – Fully Integrated Solution Built and Supported by Woo woocommerce-payments
Woocommerce Shipping Canada Post woocommerce-shipping-canada-post
WordPress Infinite Scroll – Ajax Load More ajax-load-more
WordPress.com Editing Toolkit full-site-editing
YITH WooCommerce Product Add-Ons yith-woocommerce-product-add-ons
ZeroBounce Email Verification & Validation zerobounce
eCommerce Product Catalog Plugin for WordPress ecommerce-product-catalog
iframe iframe
iframe Shortcode iframe-shortcode
uncode-core uncode-core
weForms – Easy Drag & Drop Contact Form Builder For WordPress weforms

WordPress Themes with Reported Vulnerabilities Last Two Weeks

Software Name Software Slug
BuddyBoss Theme buddyboss-theme
Divi Divi
TheGem thegem

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you'd like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

BERTHA AI Plugin <= 1.11.10.7 - Unauthenticated Arbitrary File Upload

Affected Software: BERTHA AI. Your AI co-pilot for WordPress and Chrome CVE ID: CVE-2023-51419 CVSS Score: 9.8 (Critical) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/1b4630f7-74db-46c4-bf86-f1ff64be3463&gt;


WebinarIgnition <= 3.05.0 - Missing Authorization to Unauthenticated Privilege Escalation

Affected Software: Webinar Plugin: Create live/evergreen/automated/instant webinars, stream & Zoom Meetings | WebinarIgnition CVE ID: CVE-2023-51424 CVSS Score: 9.8 (Critical) Researcher/s: Rafie Muhammad Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/24517dc6-4995-48ee-9b02-5c7c29d359f6&gt;


Piotnet Forms Plugin <= 1.0.25 - Unauthenticated Arbitrary File Upload

Affected Software: Piotnet Forms CVE ID: CVE-2023-51412 CVSS Score: 9.8 (Critical) Researcher/s: Rafie Muhammad Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/2f52298b-344b-4561-b1bf-93bea95a3e53&gt;


WP Clone <= 2.4.2 - Sensitive Information Exposure

Affected Software: Clone CVE ID: CVE-2023-6750 CVSS Score: 9.8 (Critical) Researcher/s: Dmitrii Ignatyev Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/44a921e7-cce3-4347-968d-76dab243fcd6&gt;


Rencontre – Dating Site <= 3.10.1 - Unauthenticated Arbitrary File Upload

Affected Software: Rencontre – Dating Site CVE ID: CVE-2023-51468 CVSS Score: 9.8 (Critical) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/59be1fc7-2854-404d-8e9d-dd9bd26e6a2c&gt;


Login as User or Customer (User Switching) <= 3.8 - Authentication Bypass

Affected Software: Login as User or Customer CVE ID: CVE-2023-51484 CVSS Score: 9.8 (Critical) Researcher/s: Rafie Muhammad Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5b07ea6a-511d-44ab-b0b7-5124702ad47d&gt;


Build App Online <= 1.0.19 - Account Takeover via Weak Password Reset Mechanism

Affected Software: Build App Online CVE ID: CVE-2023-51478 CVSS Score: 9.8 (Critical) Researcher/s: Rafie Muhammad Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/743e40f6-dde3-4d8f-938e-b2a0dcdfb901&gt;


Frontend Admin by DynamiApps Plugin <= 3.18.3 - Unauthenticated Arbitrary File Upload

Affected Software: Frontend Admin by DynamiApps CVE ID: CVE-2023-51411 CVSS Score: 9.8 (Critical) Researcher/s: Rafie Muhammad Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7815322d-a240-4855-b458-60caa3cec96c&gt;


JS Help Desk <= 2.8.1 - Unauthenticated SQL Injection via email and trackingid

Affected Software: JS Help Desk – Best Help Desk & Support Plugin CVE ID: CVE-2023-50839 CVSS Score: 9.8 (Critical) Researcher/s: Fariq Fadillah Gusti Insani (fariqfgi) Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7a3e89cc-56cb-42d7-b4f6-bfc7ca0e03e6&gt;


Checkout Mestres WP <= 7.1.9.6 - Authentication Bypass via Password Reset

Affected Software: Checkout Mestres WP CVE ID: CVE-2023-51472 CVSS Score: 9.8 (Critical) Researcher/s: Rafie Muhammad Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7ad16d1e-e778-4cb4-a15d-ddb906f27762&gt;


Checkout Mestres WP <= 7.1.9.6 - Missing Authorization to Unauthenticated Arbitrary Options Update

Affected Software: Checkout Mestres WP CVE ID: CVE-2023-51471 CVSS Score: 9.8 (Critical) Researcher/s: Rafie Muhammad Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/8a52bf70-667b-400f-8912-75fae20a3f5b&gt;


WP Frontend Profile <= 1.3.1 - Unauthenticated Privilege Escalation

Affected Software: WP Frontend Profile CVE ID: CVE-2023-51483 CVSS Score: 9.8 (Critical) Researcher/s: Rafie Muhammad Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/91de6cf4-e5df-4130-bb96-92b89717a678&gt;


WP MLM Unilevel <= 4.0 - Unauthenticated Privilege Escalation

Affected Software: WP MLM SOFTWARE PLUGIN CVE ID: CVE-2023-51476 CVSS Score: 9.8 (Critical) Researcher/s: Rafie Muhammad Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/abcc1ed6-1871-4e8c-9469-c44dbfca5a17&gt;


TerraClassifieds <= 2.0.3 Unauthenticated Arbitrary File Upload

Affected Software: TerraClassifieds – Simple Classifieds Plugin CVE ID: CVE-2023-51473 CVSS Score: 9.8 (Critical) Researcher/s: Rafie Muhammad Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b0399b60-6e40-4f35-985f-845a32f69d64&gt;


Rencontre – Dating Site <= 3.10.1 - Privilege Escalation

Affected Software: Rencontre – Dating Site CVE ID: CVE-2023-51425 CVSS Score: 9.8 (Critical) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b1278291-9fef-40f5-a432-d96f4bed31fe&gt;


WP MLM <= 4.0 - Unauthenticated Arbitrary File Upload

Affected Software: WP MLM SOFTWARE PLUGIN CVE ID: CVE-2023-51475 CVSS Score: 9.8 (Critical) Researcher/s: Rafie Muhammad Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b3451ed9-9a9a-443f-b1ce-dcd07bd3e6ce&gt;


Theme per user <= 1.0.1 - Unauthenticated PHP Object Injection

Affected Software: Theme per user CVE ID: CVE-2023-52181 CVSS Score: 9.8 (Critical) Researcher/s: Rafie Muhammad Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/bc7e6844-23e2-4523-8261-21d4cba87db3&gt;


Active Products Tables for WooCommerce <= 1.0.6 - Unauthenticated PHP Object Injection

Affected Software: Active Products Tables for WooCommerce. Professional products tables for WooCommerce store CVE ID: CVE-2023-51505 CVSS Score: 9.8 (Critical) Researcher/s: LVT-tholv2k Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c5519d4e-84b5-4901-b55c-a0a919f4b6c9&gt;


Checkout Mestres WP <= 7.1.9.6 - Unauthenticated SQL Injection

Affected Software: Checkout Mestres WP CVE ID: CVE-2023-51469 CVSS Score: 9.8 (Critical) Researcher/s: Rafie Muhammad Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e068573d-bc3e-48de-b4e7-6a0666086ac3&gt;


WebinarIgnition <= 3.05.0 - Unauthenticated SQL Injection

Affected Software: Webinar Plugin: Create live/evergreen/automated/instant webinars, stream & Zoom Meetings | WebinarIgnition CVE ID: CVE-2023-51423 CVSS Score: 9.8 (Critical) Researcher/s: Rafie Muhammad Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f4ea6044-bf7b-469d-89ec-a9b89ef5715e&gt;


Recipe Maker For Your Food Blog from Zip Recipes <= 8.1.0 - Authenticated(Contributor+) SQL Injection

Affected Software: Recipe Maker For Your Food Blog from Zip Recipes CVE ID: CVE-2023-52180 CVSS Score: 8.8 (High) Researcher/s: Muhammad Daffa Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/01ab2ed8-ff2f-41ac-bbbd-d8878fd067d6&gt;


WP Mail Log Plugin <= 1.1.2 - Authenticated(Contributor+) Arbitrary File Upload

Affected Software: WP Mail Log CVE ID: CVE-2023-51410 CVSS Score: 8.8 (High) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/0542f8bf-8fb1-4c47-89b7-106a6feacca1&gt;


Ultimate Addons for Beaver Builder <= 1.35.14 - Authenticated(Contributor+) Privilege Escalation

Affected Software: Ultimate Addons for Beaver Builder CVE ID: CVE-2023-51398 CVSS Score: 8.8 (High) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/1b29048e-cf06-463c-82e0-f1d973e50232&gt;


ARI Stream Quiz <= 1.3.0 - Authenticated (Contributor+) PHP Object Injection

Affected Software: ARI Stream Quiz – WordPress Quizzes Builder CVE ID: CVE-2023-52182 CVSS Score: 8.8 (High) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/36ad7fe2-0dc9-427d-811b-8fb1fdb78579&gt;


TerraClassifieds <= 2.0.3 - Cross-Site Request Forgery

Affected Software: TerraClassifieds – Simple Classifieds Plugin CVE ID: CVE-2023-51474 CVSS Score: 8.8 (High) Researcher/s: Rafie Muhammad Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/4a6e5f89-ebc0-413a-a76e-3cf4339430ba&gt;


Verge3D <= 4.5.2 - Authenticated(Subscriber+) Arbitrary File Upload

Affected Software: Verge3D Publishing and E-Commerce CVE ID: CVE-2023-51421 CVSS Score: 8.8 (High) Researcher/s: Rafie Muhammad Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/71dd864f-1975-4cee-be26-0cdb0d54be95&gt;


Rencontre – Dating Site <= 3.11.1 - Authenticated (Subscriber+) PHP Object Injection

Affected Software: Rencontre – Dating Site CVE ID: CVE-2023-51470 CVSS Score: 8.8 (High) Researcher/s: Rafie Muhammad Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/722c35e5-4084-46a4-a3d4-c73f8e7a1882&gt;


MF Gig Calendar <=1.2.1 - Authenticated(Contributor+) SQL Injection

Affected Software: MF Gig Calendar CVE ID: CVE-2023-50842 CVSS Score: 8.8 (High) Researcher/s: Abu Hurayra (HurayraIIT) Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7d977636-a509-4f32-9ad3-762720fdb433&gt;


Job Manager & Career – Manage job board listings, and recruitments <= 1.4.4 - Cross-Site Request Forgery to PHP Object Injection

Affected Software: Job Manager & Career – Manage job board listings, and recruitments CVE ID: CVE-2023-51545 CVSS Score: 8.8 (High) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/8558cd96-3b2a-4282-950b-6d9753698291&gt;


Booking Manager <= 2.1.5 - Authenticated(Contributor+) SQL Injection via Shortcode

Affected Software: Booking Manager CVE ID: CVE-2023-50840 CVSS Score: 8.8 (High) Researcher/s: Ngô Thiên An (ancorn_) Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/9829ec10-ad37-4345-b4d6-cd0429b2d8f7&gt;


JVM rich text icons <= 1.2.6 - Directory Traversal to Authenticated(Subscriber+) Arbitrary File Deletion

Affected Software: JVM Gutenberg Rich Text Icons CVE ID: CVE-2023-51418 CVSS Score: 8.8 (High) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a3e54f9b-db12-42ef-a0fa-2d40c0f7908c&gt;


Uncode Core <= 2.8.8 - Privilege Escalation

Affected Software: uncode-core CVE ID: CVE-2023-51515 CVSS Score: 8.8 (High) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/bb5e6767-d0a9-4ac4-816f-6fb57b1e5f9b&gt;


Events Shortcodes & Templates For The Events Calendar <= 2.3.1 - Authenticated (Contributor+) SQL Injection via shortcode

Affected Software: Events Shortcodes For The Events Calendar
CVE ID: CVE-2023-52142
CVSS Score: 8.8 (High)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c1d9ee9f-d8d0-4a9d-b414-bc79c4255b4e>


ARMember <= 4.0.10 - Authenticated(Subscriber+) Privilege Escalation

Affected Software: ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup
CVE ID: CVE-2023-51356
CVSS Score: 8.8 (High)
Researcher/s: Revan Arifio
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c681d1ac-a5d0-43f2-a1e4-0684cd56a3b8>


JVM rich text icons <= 1.2.3 - Authenticated(Subscriber+) Arbitrary File Upload

Affected Software: JVM Gutenberg Rich Text Icons
CVE ID: CVE-2023-51417
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ca064db0-2718-4521-9467-335b59208858>


BookingPress <= 1.0.72 - Authenticated (Contributor+) SQL Injection

Affected Software: BookingPress – Appointment Booking Calendar Plugin and Online Scheduling Plugin
CVE ID: CVE-2023-50841
CVSS Score: 8.8 (High)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e1a3cc98-3bee-4d52-a4bf-2a1a284b9311>


Build App Online <= 1.0.19 - Missing Authorization Authenticated(Subscriber+) Arbitrary Options Update

Affected Software: Build App Online
CVE ID: CVE-2023-51479
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e3551218-e272-4c96-94fe-9db0aee0d4f4>


Most And Least Read Posts Widget <=2.5.16 - Authenticated(Contributor+) SQL Injection via Widget settings

Affected Software: Most And Least Read Posts Widget
CVE ID: CVE-2023-52133
CVSS Score: 8.8 (High)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e9fa55cc-c686-43e4-a028-dd2721d2db85>


Uncode Core <= 2.8.8 - Authenticated (Subscriber+) Arbitrary File Deletion

Affected Software: uncode-core
CVE ID: CVE-2023-51500
CVSS Score: 8.1 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/74ab025d-4e76-46e5-b8f8-963eeea5b802>


Backup Migration 1.0.8 - 1.3.9 - Remote File Inclusion via content-dir

Affected Software: Backup Migration
CVE ID: CVE-2023-6971
CVSS Score: 8.1 (High)
Researcher/s: Hiroho Shimada
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b380283c-0dbb-4d67-9f66-cb7c400c0427>


Backup Migration <= 1.3.9 - Unauthenticated Path Traversal to Arbitrary File Deletion

Affected Software: Backup Migration
CVE ID: CVE-2023-6972
CVSS Score: 7.5 (High)
Researcher/s: Hiroho Shimada
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/0a3ae696-f67d-4ed2-b307-d2f36b6f188c>


Everest Backup <= 2.1.9 - Sensitive Information Exposure via Log File

Affected Software: Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin
CVE ID: CVE-2023-52185
CVSS Score: 7.5 (High)
Researcher/s: Joshua Chan
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/31a54705-99e8-4e41-bf57-9365ab387228>


WP Stripe Checkout <= 1.2.2.37 - Sensitive Information Exposure via Debug Log

Affected Software: WP Stripe Checkout
CVE ID: CVE-2023-52143
CVSS Score: 7.5 (High)
Researcher/s: Joshua Chan
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/3f244b8e-94ae-4d95-83a7-53b826e98656>


WC Marketplace <= 4.0.23 - Missing Authorization via mvx_save_dashpages

Affected Software: MultiVendorX Marketplace – WooCommetrce MultiVendor Marketplace Solution
CVE ID: CVE-2023-51355
CVSS Score: 7.5 (High)
Researcher/s: thiennv
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6cdc0096-8e21-4b82-b9d0-961f48907a09>


WebinarIgnition <= 3.05.0 - Authenticated(Subscriber+) PHP Object Injection

Affected Software: Webinar Plugin: Create live/evergreen/automated/instant webinars, stream & Zoom Meetings | WebinarIgnition
CVE ID: CVE-2023-51422
CVSS Score: 7.5 (High)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/aa4244d3-a611-416d-8159-2f6a8cf61b30>


Local Delivery Drivers for WooCommerce <= 1.9.0 - Missing Authorization to Driver Account Takeover

Affected Software: Local Delivery Drivers for WooCommerce
CVE ID: CVE-2023-51481
CVSS Score: 7.3 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/99f4f1dc-13a9-4fa0-bdb1-77a0d416c80f>


Custom 404 Pro <= 3.10.0 - Unauthenticated Stored Cross-Site Scripting via logging

Affected Software: Custom 404 Pro
CVE ID: CVE-2023-51540
CVSS Score: 7.2 (High)
Researcher/s: Kyle Sanchez
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/1106e7b2-eac7-459d-8eb3-fe84c76f3b67>


WooCommerce PDF Invoices <= 4.2.1 - Authenticated(Shop Manager+) Arbitrary Options Update via JSON Import

Affected Software: WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels
CVE ID: CVE-2023-51546
CVSS Score: 7.2 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7927edf2-b092-4b56-83aa-038f99ea658e>


Welcart e-Commerce <= 2.9.3 - Authenticated(Editor+) SQL Injection

Affected Software: Welcart e-Commerce
CVE ID: CVE-2023-50847
CVSS Score: 7.2 (High)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a328643a-ab12-427e-9bcd-2d40738afb61>


Backup Migration <= 1.3.9 - Authenticated (Admin+) OS Command Injection via url

Affected Software: Backup Migration
CVE ID: CVE-2023-7002
CVSS Score: 7.2 (High)
Researcher/s: Françoa Taffarel
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/cc49db10-988d-42bd-a9cf-9a86f4c79568>


Clockwork SMS Notfications <= 3.0.4 - Authenticated(Administrator+) SQL Injection

Affected Software: Clockwork SMS Notfications
CVE ID: CVE-2023-50843
CVSS Score: 6.6 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/08fb51d6-30c1-4a48-b626-a8c6f203ac83>


Media File Renamer <= 5.7.7 - Authenticated(Administrator+) Remote Code Execution

Affected Software: Media File Renamer: Rename Files (Manual, Auto & AI)
CVE ID: CVE-2023-50897
CVSS Score: 6.6 (Medium)
Researcher/s: Taihei Shimamine
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/32b2b8e9-aa49-4cc3-97b7-249695969461>


E2Pdf <= 1.20.23 - Authenticated(Administrator+) SQL Injection

Affected Software: E2Pdf – Export To Pdf Tool for WordPress
CVE ID: CVE-2023-50849
CVSS Score: 6.6 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/3f0ed355-b5c8-4143-b391-7436d67ba0de>


404 Solution <= 2.34.0 - Authenticated(Administrator+) SQL Injection

Affected Software: 404 Solution
CVE ID: CVE-2023-50848
CVSS Score: 6.6 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/477d3d7a-6028-4dd3-b713-6098bfe32832>


Mail logging – WP Mail Catcher <= 2.1.3 - Authenticated(Administrator+) SQL Injection

Affected Software: Mail logging – WP Mail Catcher
CVE ID: CVE-2023-50844
CVSS Score: 6.6 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/47aed582-efb6-4caf-a65b-57995907ecaa>


WP Adminify <= 3.1.6 - Authenticated(Administrator+) SQL Injection

Affected Software: WP Adminify – WordPress Dashboard Customization | Custom Login | Admin Columns | Dashboard Widget | Media Library Folders
CVE ID: CVE-2023-52132
CVSS Score: 6.6 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/555dce5e-9868-464a-9cb4-67644cc6a61c>


Page Generator <= 1.7.1 - Authenticated(Administrator+) SQL Injection

Affected Software: Page Generator
CVE ID: CVE-2023-52131
CVSS Score: 6.6 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/73ea7672-4e3f-4a26-a59e-043c2cd10a7a>


Simply Schedule Appointments <= 1.6.5.27 - Authenticated(Administrator+) SQL Injection

Affected Software: Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin
CVE ID: CVE-2023-50851
CVSS Score: 6.6 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/775d4ba7-7198-493c-bae0-7f3f78741b90>


Pre* Party Resource Hints <= 1.8.18 - Authenticated(Administrator+) SQL Injection

Affected Software: Pre* Party Resource Hints
CVE ID: CVE-2023-50855
CVSS Score: 6.6 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7c043945-d327-4f26-98b4-99ac5b4761f1>


Login Lockdown – Protect Login Form <= 2.06 - Authenticated(Administrator+) SQL Injection

Affected Software: Login Lockdown – Protect Login Form
CVE ID: CVE-2023-50837
CVSS Score: 6.6 (Medium)
Researcher/s: LVT-tholv2k
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7c9d088c-e71a-4e73-a7e3-d99f3511e519>


YITH WooCommerce Product Add-Ons <= 4.3.0 - Authenticated(Shop Manager+) PHP Object Injection

Affected Software: YITH WooCommerce Product Add-Ons
CVE ID: CVE-2023-49777
CVSS Score: 6.6 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7edd06d9-3897-4644-a77e-e58ab6d14c95>


Fluent Support <= 1.7.6 - Authenticated(Administrator+) SQL Injection

Affected Software: Fluent Support – WordPress Helpdesk and Customer Support Ticket Plugin
CVE ID: CVE-2023-51547
CVSS Score: 6.6 (Medium)
Researcher/s: Yudistira Arya
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/8909dafa-3383-405e-a264-f0770e6714a4>


Automation By Autonami <= 2.6.1 - Authenticated(Administrator+) SQL Injection

Affected Software: Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit
CVE ID: CVE-2023-50857
CVSS Score: 6.6 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/8af44af4-ea56-4686-ad35-5bcdd98ba2cc>


Store Locator WordPress <= 1.4.14 - Authenticated(Administrator+) Directory Traversal to Arbitrary File Deletion

Affected Software: Store Locator WordPress
CVE ID: CVE-2023-50885
CVSS Score: 6.6 (Medium)
Researcher/s: Abu Hurayra (HurayraIIT)
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/8cb5c386-eee3-4e88-a827-766a4901f432>


Squirrly SEO - Advanced Pack <= 2.3.8 - Authenticated(Administrator+) SQL Injection

Affected Software: Squirrly SEO - Advanced Pack
CVE ID: CVE-2023-50854
CVSS Score: 6.6 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/8ce4204f-3ee3-4877-8e9d-123d01ae80f5>


GEO my WordPress <= 4.0.2 - Authenticated(Administrator+) SQL Injection

Affected Software: GEO my WordPress
CVE ID: CVE-2023-52134
CVSS Score: 6.6 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/94f118c3-d470-43c4-a61a-1ec998694880>


RegistrationMagic Plugin <= 5.2.4.5 - Authenticated(Administrator+) SQL Injection

Affected Software: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login
CVE ID: CVE-2023-50846
CVSS Score: 6.6 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/9b378df7-b182-4a56-a7fa-3228c06f960f>


WS Form LITE <= 1.9.170 - Authenticated(Administrator+) SQL Injection

Affected Software: WS Form LITE – Drag & Drop Contact Form Builder for WordPress
CVE ID: CVE-2023-52135
CVSS Score: 6.6 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a3171015-227d-420a-ba3a-e6e2dc17ba8c>


GeoDirectory <= 2.3.28 - Authenticated(Administrator+) SQL Injection

Affected Software: GeoDirectory – WordPress Business Directory Plugin, or Classified Directory
CVE ID: CVE-2023-50845
CVSS Score: 6.6 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b3d48aca-3db5-4585-bd71-5548f3b36ea1>


Funnel Builder for WordPress by FunnelKit <= 2.14.3 - Authenticated(Administrator+) SQL Injection

Affected Software: Funnel Builder for WordPress by FunnelKit – Customize WooCommerce Checkout Pages, Create Sales Funnels & Maximize Profits
CVE ID: CVE-2023-50856
CVSS Score: 6.6 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/bf172a41-31dc-4864-9385-53decdc70aeb>


Advanced Form Integration <= 1.75.0 - Authenticated(Administrator+) SQL Injection

Affected Software: Advanced Form Integration – Connect WooCommerce and Contact Form 7 to Google Sheets and other platforms
CVE ID: CVE-2023-50853
CVSS Score: 6.6 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c5782b71-3234-4e53-9b26-225472f604c5>


BookIt <= 2.4.3 - Authenticated(Administrator+) SQL Injection

Affected Software: Booking Calendar | Appointment Booking | BookIt
CVE ID: CVE-2023-50852
CVSS Score: 6.6 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d4e97c01-7e8a-41b7-90ad-029d8c5fd37c>


EnvíaloSimple <= 2.1 - Unauthenticated PHP Object Injection

Affected Software: EnvíaloSimple: Email Marketing y Newsletters
CVE ID: CVE-2023-51414
CVSS Score: 6.5 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/13245eab-9a72-44d7-bbcd-a0d3e2879814>


WooCommerce Stripe Payment Gateway <= 7.6.1 - Insecure Direct Object Reference via update_payment_intent_ajax

Affected Software: WooCommerce Stripe Payment Gateway
CVE ID: CVE-2023-51502
CVSS Score: 6.5 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6ee04e4d-4385-4854-9bfe-1b957ca13963>


Affiliates Manager <= 2.9.31 - Cross-Site Request Forgery via multiple AJAX actions

Affected Software: Affiliates Manager
CVE ID: CVE-2023-52130
CVSS Score: 6.5 (Medium)
Researcher/s: Brandon James Roldan (tomorrowisnew)
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/756b5e3e-46fa-483e-945a-86166e79d989>


FunnelKit Checkout <= 3.10.3 - Unauthenticated Arbitrary Content Deletion

Affected Software: FunnelKit Checkout
CVE ID: CVE-2023-51672
CVSS Score: 6.5 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c9d07faf-cc88-4233-a552-55e3376a2fc4>


Piotnet Forms <= 1.0.25 - Missing Authorization via multiple AJAX actions

Affected Software: Piotnet Forms
CVE ID: CVE-2023-51413
CVSS Score: 6.5 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f119c6c2-cd4e-415a-b717-2bfc90ed729e>


weForms <= 1.6.18 - Missing Authorization via export_form_entries

Affected Software: weForms – Easy Drag & Drop Contact Form Builder For WordPress
CVE ID: CVE-2023-51524
CVSS Score: 6.5 (Medium)
Researcher/s: emad
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f2b7258e-c594-415a-a872-d5b28397e40d>


Sensei LMS <= 4.17.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Sensei LMS – Online Courses, Quizzes, & Learning
CVE ID: CVE-2023-50875
CVSS Score: 6.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/031995fb-48c4-4f56-8b64-d66a47b2fbe9>


Schema & Structured Data for WP & AMP <= 1.23 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Schema & Structured Data for WP & AMP
CVE ID: CVE-2023-51677
CVSS Score: 6.4 (Medium)
Researcher/s: LVT-tholv2k
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/0752b4f3-b9f0-4c39-8e4c-2db188600087>


Product Code for WooCommerce <= 1.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Product Code for WooCommerce
CVE ID: CVE-2023-51669
CVSS Score: 6.4 (Medium)
Researcher/s: LVT-tholv2k
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/0be84866-2a49-42da-b498-962fc1bcb811>


Icegram <= 3.1.19 - Authenticated (Contributor+) Stored Cross-Site Scripting via Campaign Message

Affected Software: Icegram Engage – WordPress Lead Generation, Popup Builder, CTA, Optins and Email List Building
CVE ID: CVE-2023-51532
CVSS Score: 6.4 (Medium)
Researcher/s: Huynh Tien Si
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/0feeca6b-b611-44d3-90a6-569e4d2ccf5a>


Insert or Embed Articulate Content into WordPress <= 4.3000000021 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Affected Software: Insert or Embed Articulate Content into WordPress
CVE ID: CVE-2023-50824
CVSS Score: 6.4 (Medium)
Researcher/s: LVT-tholv2k
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/128d3046-94a0-465c-9225-a3ce652f5282>


WooCommerce Menu Extension <= 1.6.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: WooCommerce Menu Extension
CVE ID: CVE-2023-50834
CVSS Score: 6.4 (Medium)
Researcher/s: wpdabh
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/173c8c8a-a015-4522-b957-1805f520a77d>


Active Products Tables for WooCommerce <= 1.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Active Products Tables for WooCommerce. Professional products tables for WooCommerce store
CVE ID: CVE-2023-51480
CVSS Score: 6.4 (Medium)
Researcher/s: LVT-tholv2k
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/1f18147d-60e6-447d-a6f5-6ad7b633e62c>


WP Crowdfunding <= 2.1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: WP Crowdfunding
CVE ID: CVE-2023-50859
CVSS Score: 6.4 (Medium)
Researcher/s: Abu Hurayra (HurayraIIT)
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/294b5bd1-a7c8-4c06-b107-e80bf3b35da8>


Pay with Vipps for WooCommerce <= 1.14.13 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Pay with Vipps for WooCommerce
CVE ID: CVE-2023-51485
CVSS Score: 6.4 (Medium)
Researcher/s: resecured.io
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/2950a264-b60c-48ad-b8e0-6d0e1a230982>


Colibri Page Builder <= 1.0.239 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Colibri Page Builder
CVE ID: CVE-2023-6988
CVSS Score: 6.4 (Medium)
Researcher/s: Hung -mov Nguyen
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/300b24af-10a1-45b9-87ec-7c98dc94e76b>


Booking for Appointments and Events Calendar – Amelia <= 1.0.85 - Stored Cross-Site Scripting via Shortcode

Affected Software: Booking for Appointments and Events Calendar – Amelia
CVE ID: CVE-2023-50860
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/33398af8-7b7f-47e5-b95b-c9faa33d0c80>


My Agile Privacy <= 2.1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: My Agile Privacy – The only GDPR solution for WordPress that you can truly trust
CVE ID: CVE-2023-51404
CVSS Score: 6.4 (Medium)
Researcher/s: resecured.io
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/35c40c81-c7b4-4453-bd2f-7910fcb7f13e>


WP Tabs <= 2.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: WP Tabs – Responsive Tabs Plugin for WordPress
CVE ID: CVE-2023-52124
CVSS Score: 6.4 (Medium)
Researcher/s: wpdabh
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/433c8908-587e-4086-9d0c-c9b1819b26e8>


Currency Converter Widget <= 3.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Affected Software: Currency Converter Widget – Exchange Rates
CVE ID: CVE-2023-50822
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/47f051dd-138c-4c71-8a92-150c9ffd3601>


Colibri Page Builder <= 1.0.240 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Colibri Page Builder
CVE ID: CVE-2023-50833
CVSS Score: 6.4 (Medium)
Researcher/s: LVT-tholv2k
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/532d185c-4384-4b15-a104-42f8d2a1ca23>


Zoho Forms <= 3.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Form plugin for WordPress – Zoho Forms
CVE ID: CVE-2023-50891
CVSS Score: 6.4 (Medium)
Researcher/s: Abu Hurayra (HurayraIIT)
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/57e9b09c-adfb-4fc2-8d2b-41cfc1f73e22>


Advanced Access Manager <= 6.9.15 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Advanced Access Manager – Restricted Content, Users & Roles, Enhanced Security and More
CVE ID: CVE-2023-50881
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5c50b451-519c-4da8-93ce-b84e594e6775>


WP Affiliate Disclosure <= 1.2.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via $id

Affected Software: WP Affiliate Disclosure
CVE ID: CVE-2023-52178
CVSS Score: 6.4 (Medium)
Researcher/s: resecured.io
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5e38ee27-30a4-45be-bab6-a3e65ada215f>


Seos Contact Form <= 1.8.0 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Seos Contact Form
CVE ID: CVE-2023-50830
CVSS Score: 6.4 (Medium)
Researcher/s: DoYeon Park (p6rkdoye0n)
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/62b2113a-70a2-4223-8c6c-6cd15057d72d>


HashBar – WordPress Notification Bar <= 1.4.1 - Authenticated (Author+) Stored Cross-Site Scripting

Affected Software: HashBar – WordPress Notification Bar
CVE ID: CVE-2023-51372
CVSS Score: 6.4 (Medium)
Researcher/s: emad
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6f3e4e53-3a4a-4b9d-845c-927a59e03488>


WPCS – WordPress Currency Switcher Professional <= 1.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: WPCS – WordPress Currency Switcher Professional
CVE ID: CVE-2023-51506
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/72a06690-f40a-472b-b9d1-985a49b914b3>


WP Remote Site Search <= 1.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: WP Remote Site Search
CVE ID: CVE-2023-51397
CVSS Score: 6.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/79d4e5a8-028a-488e-b419-77a0981a28a9>


CURCY – Multi Currency for WooCommerce <= 2.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: CURCY – Multi Currency for WooCommerce
CVE ID: CVE-2023-50831
CVSS Score: 6.4 (Medium)
Researcher/s: LVT-tholv2k
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7b7dee9e-1272-4e70-926c-a73e2897968c>


If-So Dynamic Content Personalization <= 1.6.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: If-So Dynamic Content Personalization
CVE ID: CVE-2023-51492
CVSS Score: 6.4 (Medium)
Researcher/s: Abu Hurayra (HurayraIIT)
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/8407b678-76c5-4232-b17e-8db05f9e7b12>


Auto Amazon Links <= 5.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Auto Amazon Links – Amazon Associates Affiliate Plugin
CVE ID: CVE-2023-52175
CVSS Score: 6.4 (Medium)
Researcher/s: Nguyen Anh Tien
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/8b2a5938-232e-487c-b31b-f48e2b9acb65>


Limit Login Attempts Reloaded <= 2.25.26 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Limit Login Attempts Reloaded
CVE ID: CVE-2023-6934
CVSS Score: 6.4 (Medium)
Researcher/s: Hung -mov Nguyen
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/906049c0-4710-47aa-bf44-cdf29032dc1f>


Divi <= 4.23.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Divi
CVE ID: CVE-2023-6744
CVSS Score: 6.4 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/999475c5-5f17-47fa-a0d0-47cb5a8a0eb4>


iframe Shortcode <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Affected Software: iframe Shortcode
CVE ID: CVE-2023-50825
CVSS Score: 6.4 (Medium)
Researcher/s: LVT-tholv2k
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a3c323d5-59bc-4ecc-8211-2104fd22639f>


Restaurant Reservations <= 1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Restaurant Reservations
CVE ID: CVE-2023-51403
CVSS Score: 6.4 (Medium)
Researcher/s: resecured.io
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a4fa8aa9-0af8-4202-b219-863bbef8d02c>


CSS & JavaScript Toolbox <= 11.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Affected Software: CSS & JavaScript Toolbox
CVE ID: CVE-2023-50823
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ace85b25-251b-4549-8f6e-1a1494cbabb6>


WordPress.com Editing Toolkit <= 3.78784 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: WordPress.com Editing Toolkit
CVE ID: CVE-2023-50879
CVSS Score: 6.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b54307fb-ecbc-4742-9deb-59dbb85b4a7c>


BuddyPress <= 11.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: BuddyPress
CVE ID: CVE-2023-50880
CVSS Score: 6.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b824cab6-d340-487d-90ba-5b554db1da14>


Stock Ticker <= 3.23.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Stock Ticker
CVE ID: CVE-2023-51541
CVSS Score: 6.4 (Medium)
Researcher/s: resecured.io
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b8e921f4-d889-490f-a817-53d132a56f83>


Back Button Widget <= 1.6.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Back Button Widget
CVE ID: CVE-2023-51399
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/bcd28bc3-f893-4eb7-946f-34a2e9c7ff27>


Easy Video Player <= 1.2.2.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Easy Video Player
CVE ID: CVE-2023-51689
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/bd28f7f0-ed52-45d0-8d97-5ff95d17eb26>


AMP for WP – Accelerated Mobile Pages <= 1.0.92 - Authenticated (Contributor+) Cross-Site Scripting via Shortcode

Affected Software: AMP for WP – Accelerated Mobile Pages
CVE ID: CVE-2023-6782
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c1cae64e-caed-43c0-9a75-9aa4234946a0>


WP User Profile Avatar <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: WP User Profile Avatar
CVE ID: CVE-2023-52118
CVSS Score: 6.4 (Medium)
Researcher/s: Abu Hurayra (HurayraIIT)
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c291aa80-f1cd-4933-b522-73ec115a3a68>


Dan's Embedder for Google Calendar <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Dan's Embedder for Google Calendar
CVE ID: CVE-2023-51504
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/cbca88e0-1563-43cb-adf4-4f89856a07d0>


CBX Bookmark & Favorite <= 1.7.13 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: CBX Bookmark & Favorite
CVE ID: CVE-2023-51514
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/cddda02e-c36f-4ed8-b3ac-6cb3f17c6ce2>


Easy Digital Downloads <= 3.2.5 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Easy Digital Downloads – Sell Digital Files (eCommerce Store & Payments Made Easy)
CVE ID: CVE-2023-51684
CVSS Score: 6.4 (Medium)
Researcher/s: LVT-tholv2k
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d19a9c96-918f-4f19-82a9-badd5765cea3>


WordPress Infinite Scroll – Ajax Load More <= 6.1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: WordPress Infinite Scroll – Ajax Load More
CVE ID: CVE-2023-50874
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e3bcc0aa-281f-4c59-b3de-dde4277cc989>


Themify Icons <= 2.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Themify Icons
CVE ID: CVE-2023-51693
CVSS Score: 6.4 (Medium)
Researcher/s: wpdabh
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/efa156b7-ab18-414d-80a5-3a1c2a977b3b>


Advanced Access Manager <= 6.9.18 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Advanced Access Manager – Restricted Content, Users & Roles, Enhanced Security and More
CVE ID: CVE-2023-51674
CVSS Score: 6.4 (Medium)
Researcher/s: LVT-tholv2k
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f1bf4f77-9539-4a9f-afec-f43f602c684f>


Simple Membership <= 4.3.8 - Reflected Cross-Site Scripting

Affected Software: Simple Membership
CVE ID: CVE-2023-50376
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/18fe9769-3681-4a5e-866a-640b4cc76199>


Simple Membership <= 4.3.8 - Reflected Cross-Site Scripting Vulnerability via environment_mode

Affected Software: Simple Membership
CVE ID: CVE-2023-6882
CVSS Score: 6.1 (Medium)
Researcher/s: Rein Daelman (trein)
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/366165fe-93e5-49ab-b2e5-1de624f22286>


WP Google Maps <= 9.0.27 - Unauthenticated Stored Cross-Site Scripting via REST API

Affected Software: WP Go Maps (formerly WP Google Maps)
CVE ID: CVE-2023-6627
CVSS Score: 6.1 (Medium)
Researcher/s: Marc-Alexandre Montpas
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/3a468814-ecb7-4414-9472-6c2aaa5f5c2c>


New User Approve <= 2.5.1 - Cross-Site Request Forgery via admin_notices

Affected Software: New User Approve
CVE ID: CVE-2023-50902
CVSS Score: 6.1 (Medium)
Researcher/s: Vladislav Pokrovsky (ΞX.MI)
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/3abde27c-8234-4146-9e55-ea20b275ca48>


HT Mega – Absolute Addons For Elementor <= 2.3.8 - Reflected Cross-Site Scripting

Affected Software: HT Mega – Absolute Addons For Elementor
CVE ID: CVE-2023-50901
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6745be2e-d151-452a-8e65-0db2409dd54d>


Impreza <= 8.17.4 - Reflected Cross-Site Scripting

Affected Software: Impreza – WordPress Website and WooCommerce Builder
CVE ID: CVE-2023-50893
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7bd931a9-18ec-48fa-9382-d4c2d99258c5>


TheGem <= 5.9.1 - Reflected Cross-Site Scripting

Affected Software: TheGem
CVE ID: CVE-2023-50892
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a243fbde-951b-43e0-a432-c92ae4b04c26>


Crowdsignal Dashboard – Polls, Surveys & more <= 3.0.11 - Reflected Cross-Site Scripting

Affected Software: Crowdsignal Dashboard – Polls, Surveys & more
CVE ID: CVE-2023-51488
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a78da5c5-fb12-4fc9-8c51-6d9f6f7a4043>


Google Photos Gallery with Shortcodes <= 4.0.2 - Reflected Cross-Site Scripting

Affected Software: Google Photos Gallery with Shortcodes
CVE ID: CVE-2023-51373
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c5ab6a1f-181c-4bc2-bcc3-e19f94fc5e46>


Uncode Core <= 2.8.6 - Reflected Cross-Site Scripting

Affected Software: uncode-core
CVE ID: CVE-2023-51501
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d4efe60a-d8e3-4e51-95b2-246e30e90e89>


HTML Forms <= 1.3.28 - Authenticated (Administrator+) Cross-Site Scripting

Affected Software: HTML Forms
CVE ID: CVE-2023-50836
CVSS Score: 5.5 (Medium)
Researcher/s: Huynh Tien Si
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/2921ea67-e88a-489a-8c45-cfe458f29d2b>


NEX-Forms – Ultimate Form Builder – Contact forms and much more <= 8.5.5 - Authenticated (Admin+) SQL Injection

Affected Software: NEX-Forms – Ultimate Form Builder – Contact forms and much more
CVE ID: CVE-2023-50838
CVSS Score: 5.5 (Medium)
Researcher/s: Abu Hurayra (HurayraIIT)
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6b5964a7-410b-4fea-9de2-22ffda80c8e8>


ZeroBounce Email Verification & Validation <= 1.0.11 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: ZeroBounce Email Verification & Validation
CVE ID: CVE-2023-51374
CVSS Score: 5.5 (Medium)
Researcher/s: DoYeon Park (p6rkdoye0n)
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c7d215e9-e615-46ab-b0b8-b37f10cfae98>


Stylish Price List <= 7.0.17 - Missing Authorization

Affected Software: Stylish Price List – Price Table Builder & QR Code Restaurant Menu
CVE ID: CVE-2023-51673
CVSS Score: 5.4 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/0d9cea4e-b619-4935-bb7c-a64ddf52d480>


JSM file_get_contents() Shortcode <= 2.7.0 - Authenticated (Contributor+) Server-Side Request Forgery via Shortcode

Affected Software: JSM file_get_contents() Shortcode
CVE ID: CVE-2023-6991
CVSS Score: 5.4 (Medium)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/191d5bcc-70d8-430b-9215-00ffdc04be87>


Simple Staff List <= 2.2.4 - Missing Authorization via ajax_flush_rewrite_rules and staff_member_export

Affected Software: Simple Staff List
CVE ID: CVE-2023-51526
CVSS Score: 5.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/3ef8bf84-768f-4ef1-8037-4e51ccc20c83>


ARI Stream Quiz <= 1.2.32 - Cross-Site Request Forgery

Affected Software: ARI Stream Quiz – WordPress Quizzes Builder
CVE ID: CVE-2023-51487
CVSS Score: 5.4 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/45180c8e-0625-4a21-b3a1-673abe52d78f>


WP Shortcodes Plugin — Shortcodes Ultimate <= 7.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: WP Shortcodes Plugin — Shortcodes Ultimate
CVE ID: CVE-2023-6488
CVSS Score: 5.4 (Medium)
Researcher/s: Webbernaut
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/50a89ad1-a3d0-49e3-8d2e-4cb81ac115ba>


Happy Addons for Elementor <= 3.9.1.1 - Server Side Request Forgery (SSRF)

Affected Software: Happy Addons for Elementor
CVE ID: CVE-2023-51676
CVSS Score: 5.4 (Medium)
Researcher/s: Yuchen Ji
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/64ae36a3-d102-4d51-b685-395283155101>


Molongui <= 4.7.3 - Missing Authorization

Affected Software: Author Box, Guest Author and Co-Authors for Your Posts – Molongui
CVE ID: CVE-2023-50876
CVSS Score: 5.4 (Medium)
Researcher/s: Abu Hurayra (HurayraIIT)
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6f01ecab-2dfe-45d2-9d9a-ba1e30c7d75f>


FOX – Currency Switcher Professional for WooCommerce <= 1.4.1.6 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting

Affected Software: FOX – Currency Switcher Professional for WooCommerce
CVE ID: CVE-2023-6556
CVSS Score: 5.4 (Medium)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/8cb37019-33f6-4f72-adfc-befbfbf69e47>


Doofinder for WooCommerce <= 2.0.33 - Missing Authorization via multiple AJAX actions

Affected Software: Doofinder WP & WooCommerce Search
CVE ID: CVE-2023-51678
CVSS Score: 5.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ad50e216-f522-4294-a4dc-7f3bd52820b3>


Business Directory Plugin <= 6.3.9 - Missing Authorization via dispatch

Affected Software: Business Directory Plugin – Easy Listing Directories for WordPress
CVE ID: CVE-2023-51516
CVSS Score: 5.4 (Medium)
Researcher/s: thiennv
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ea3c5188-4570-4958-8b2d-69048b10c5f9>


Essential Blocks for Gutenberg <= 4.2.0 - Incorrect Authorization Checks

Affected Software: Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates
CVE ID: CVE-2023-51359
CVSS Score: 5.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/eca703ec-645c-4d12-ae57-75db14e08f3e>


WooCommerce Warranty Requests <= 2.2.7 - Missing Authorization

Affected Software: WooCommerce Warranty Requests
CVE ID: CVE-2023-51496
CVSS Score: 5.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/03e96aea-30a2-4cd3-8967-52e1870cc293>


Block IPs for Gravity Forms <= 1.0.1 - Cross-Site Request Forgery

Affected Software: Block IPs for Gravity Forms
CVE ID: CVE-2023-51358
CVSS Score: 5.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/19958187-7eb1-479e-bd36-d40974ae65ca>


WP Optin Wheel <= 1.4.2 - Sensitive Information Exposure via Log File

Affected Software: WP Optin Wheel – Gamified Optin Email Marketing Tool for WordPress and WooCommerce
CVE ID: CVE-2023-51408
CVSS Score: 5.3 (Medium)
Researcher/s: Joshua Chan
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/2a83ade5-5e53-4d53-ada0-43d487e5e23f>


Rate my Post – WP Rating System <= 3.4.2 - IP Address Spoofing

Affected Software: Rate my Post – WP Rating System
CVE ID: CVE-2023-51667
CVSS Score: 5.3 (Medium)
Researcher/s: Brandon James Roldan (tomorrowisnew)
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/2d24aa7e-bbf1-4a54-b53b-7a37e613e0e6>


Customer Reviews for WooCommerce <= 5.38.1 - Missing Authorization via CR_Manual

Affected Software: Customer Reviews for WooCommerce
CVE ID: CVE-2023-51692
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/2e093d1f-9c5a-44f8-bc27-9c320e220358>


Poll Maker <= 4.8.0 - Missing Authorization

Affected Software: Poll Maker – Best WordPress Poll Plugin
CVE ID: CVE-2023-50904
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/345097c7-8f0e-46ed-9a1d-7c8a4a589e3f>


Paid Memberships Pro <= 2.12.5 - Missing Authorization via API

Affected Software: Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions
CVE ID: CVE-2023-6855
CVSS Score: 5.3 (Medium)
Researcher/s: Webbernaut
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/383c7837-e7b7-4608-9cdc-91b7dbc7f4e2>


AI Power: Complete AI Pack – Powered by GPT-4 <= 1.8.1 - Missing Authorization to Sensitive Data Exposure

Affected Software: AI Power: Complete AI Pack – Powered by GPT-4
CVE ID: CVE-2023-51527
CVSS Score: 5.3 (Medium)
Researcher/s: Brandon James Roldan (tomorrowisnew)
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/3f95c288-7710-46aa-898b-a923afa7a4ab>


Database Cleaner <= 0.9.8 - Sensitive Information Exposure via Log File

Affected Software: Database Cleaner: Clean, Optimize & Repair
CVE ID: CVE-2023-51508
CVSS Score: 5.3 (Medium)
Researcher/s: Joshua Chan
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/4031f857-9712-4f4a-93e8-0b01f9a9c32d>


Beaver Builder – WordPress Page Builder <= 2.7.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Beaver Builder – WordPress Page Builder
CVE ID: CVE-2023-50889
CVSS Score: 5.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/4a13c7a1-f904-41b1-ab7f-2df95c9b2880>


RegistrationMagic <= 5.2.5.0 - IP Spoofing

Affected Software: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login
CVE ID: CVE-2023-51543
CVSS Score: 5.3 (Medium)
Researcher/s: Brandon James Roldan (tomorrowisnew)
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/4b37b57c-4a11-4971-b38f-12c70d71b76b>


MC4WP <= 4.9.9 - Missing Authorization via listen

Affected Software: MC4WP: Mailchimp for WordPress
CVE ID: CVE-2023-51682
CVSS Score: 5.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/4f289527-3a89-4db9-887d-fb0980848734>


Product Catalog Simple <= 1.7.6 - Sensitive Information Exposure via Product CSV

Affected Software: Product Catalog Simple
CVE ID: CVE-2023-51687
CVSS Score: 5.3 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/4f4099b3-6c79-42c2-be41-4ad8d73cc2b8>


Uncanny Automator <= 5.1.0.2 - Sensitive Information Exposure via Log File

Affected Software: Uncanny Automator – Automate everything with the #1 no-code automation and integration plugin
CVE ID: CVE-2023-52151
CVSS Score: 5.3 (Medium)
Researcher/s: Joshua Chan
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5098e74a-9a99-48b3-9f44-b780bfdeb24e>


LA-Studio Element Kit for Elementor <= 1.1.5 - Missing Authorization

Affected Software: LA-Studio Element Kit for Elementor
CVE ID: CVE-2023-50884
CVSS Score: 5.3 (Medium)
Researcher/s: thiennv
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/523f7a8a-d06d-4778-be14-d0b7ca32dab3>


WooCommerce Canada Post Shipping <= 2.8.3 - Missing Authorization

Affected Software: Woocommerce Shipping Canada Post
CVE ID: CVE-2023-51498
CVSS Score: 5.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/549788e3-e31a-46a6-a2de-361747c98514>


Branda <= 3.4.14 - IP Address Spoofing

Affected Software: Branda – White Label WordPress, Custom Login Page Customizer
CVE ID: CVE-2023-51542
CVSS Score: 5.3 (Medium)
Researcher/s: Brandon James Roldan (tomorrowisnew)
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/552bc1cc-df98-4608-a50e-db1381ca8e0a>


Send Users Email <= 1.4.3 - Sensitive Information Exposure via Error Logs

Affected Software: Send Users Email
CVE ID: CVE-2023-52126
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5d50e9bb-e357-42d3-b131-468511b8e98a>


User Feedback <= 1.0.10 - Missing Authorization

Affected Software: User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds
CVE ID: CVE-2023-50887
CVSS Score: 5.3 (Medium)
Researcher/s: Revan Arifio
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/63c7bb29-c8b2-49ee-8ac4-1046b61b7e6a>


WooPayments – Fully Integrated Solution Built and Supported by Woo <= 6.6.2 - Unauthenticated Insecure Direct Object Reference

Affected Software: WooPayments – Fully Integrated Solution Built and Supported by Woo
CVE ID: CVE-2023-51503
CVSS Score: 5.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/68f5bc13-b0b2-48b6-82ac-ff02367f4780>


404 Solution <= 2.33.0 - Sensitive Information Exposure via Log File

Affected Software: 404 Solution
CVE ID: CVE-2023-52146
CVSS Score: 5.3 (Medium)
Researcher/s: Joshua Chan
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/73643d45-9542-4372-a7a2-0a443819b8a2>


WP User Profile Avatar <= 1.0.0 - Authenticated (Author+) Insecure Direct Object Reference to Avatar Deletion/Update

Affected Software: WP User Profile Avatar
CVE ID: CVE-2023-6384
CVSS Score: 5.3 (Medium)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/75c325a1-1a88-4b67-a5f8-6307627d8c6a>


Awesome Support <= 6.1.5 - Missing Authorization via wpas_load_reply_history

Affected Software: Awesome Support – WordPress HelpDesk & Support Plugin
CVE ID: CVE-2023-51537
CVSS Score: 5.3 (Medium)
Researcher/s: Brandon James Roldan (tomorrowisnew)
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7d713de0-40a4-4926-9942-e5e2bf7434c4>


RegistrationMagic <= 5.2.5.0 - Form Submission Limit Bypass

Affected Software: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login
CVE ID: CVE-2023-51544
CVSS Score: 5.3 (Medium)
Researcher/s: Kyle Sanchez
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/86ebb3d1-5fd1-48cb-95b7-f82014323f01>


Quiz And Survey Master <= 8.1.16 - Missing Authorization

Affected Software: Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress
CVE ID: CVE-2023-51507
CVSS Score: 5.3 (Medium)
Researcher/s: Brandon James Roldan (tomorrowisnew)
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/89ee5d27-9123-4fd2-94f8-4395db5663ec>


Defender Security <= 4.1.0 - Sensitive Information Exposure via Log File

Affected Software: Defender Security – Malware Scanner, Login Security & Firewall
CVE ID: CVE-2023-51490
CVSS Score: 5.3 (Medium)
Researcher/s: Joshua Chan
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/94c8979a-db2e-490f-b055-cdf19a48cf73>


Metform Elementor Contact Form Builder <= 3.4.0 - Missing Authorization via submit

Affected Software: Metform Elementor Contact Form Builder
CVE ID: CVE-2023-50903
CVSS Score: 5.3 (Medium)
Researcher/s: Revan Arifio
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a6425d39-cc8b-4130-8f67-2d6de7954934>


Affiliates Manager <= 2.9.30 - Sensitive Information Exposure via Log File

Affected Software: Affiliates Manager
CVE ID: CVE-2023-52148
CVSS Score: 5.3 (Medium)
Researcher/s: Joshua Chan
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/abc3f352-8568-4649-bf3c-dd0ce0295589>


Conversios.io <= 6.5.0 - Missing Authorization

Affected Software: Conversios – Google Analytics 4 (GA4), Meta Pixel & more Via Google Tag Manager For WooCommerce
CVE ID: CVE-2023-51357
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ae007dc0-9ac7-459d-bfe6-bcde87028b14>


eCommerce Product Catalog <= 3.3.26 - Sensitive Information Exposure via CSV Files

Affected Software: eCommerce Product Catalog Plugin for WordPress
CVE ID: CVE-2023-51688
CVSS Score: 5.3 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b48b9170-4dd9-4004-a081-488cafbc7597>


FastDup <= 2.1.7 - Sensitive Information Exposure via Log File

Affected Software: FastDup – Fastest WordPress Migration & Duplicator
CVE ID: CVE-2023-51406
CVSS Score: 5.3 (Medium)
Researcher/s: Joshua Chan
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b8261317-462b-49c5-9526-20b695895e49>


All-in-one Floating Contact Form – My Sticky Elements <= 2.1.3 - Missing Authorization

Affected Software: All-in-one Floating Contact Form, Call, Chat, and 50+ Social Icon Tabs – My Sticky Elements
CVE ID: CVE-2023-51362
CVSS Score: 5.3 (Medium)
Researcher/s: Revan Arifio
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c4098a47-986c-4b2c-b27a-18ff81da0f58>


WooCommerce Warranty Requests <= 2.2.7 - Missing Authorization

Affected Software: WooCommerce Warranty Requests
CVE ID: CVE-2023-51495
CVSS Score: 5.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c8970d08-6c75-4dbb-ad24-6d9ba4c07530>


Everest Forms <= 2.0.3 - Unauthorized Form Submission via Disabled Forms

Affected Software: Everest Forms – Build Contact Forms, Surveys, Polls, Application Forms, and more with Ease!
CVE ID: CVE-2023-51377
CVSS Score: 5.3 (Medium)
Researcher/s: Revan Arifio
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/cc3d49c5-3054-4e1f-b571-6591a0b31d69>


BuddyBoss Theme <= 2.4.60 - Missing Authorization

Affected Software: BuddyBoss Theme
CVE ID: CVE-2023-51477
CVSS Score: 5.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ccbeb69e-6476-42a6-86ac-723947c70301>


Easy Digital Downloads <= 3.1.5 - Missing Authorization

Affected Software: Easy Digital Downloads – Sell Digital Files (eCommerce Store & Payments Made Easy)
CVE ID: CVE-2023-40005
CVSS Score: 5.3 (Medium)
Researcher/s: Nguyen Anh Tien
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/dbce48b2-aa7c-4c92-8df8-ee3a17336e97>


Image Source Control <= 2.17.0 - Sensitive Information Exposure via Log File

Affected Software: Image Source Control Lite – Show Image Credits and Captions
CVE ID: CVE-2023-52187
CVSS Score: 5.3 (Medium)
Researcher/s: Joshua Chan
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e3b3ce65-b226-4b93-ab0c-984f774454f7>


WooCommerce Product Vendors <= 2.2.2 - Missing Authorization

Affected Software: Product Vendors
CVE ID: CVE-2023-52186
CVSS Score: 5.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e4457df6-81ca-4149-bcca-623cff2cbeef>


Malware Scanner <= 4.7.1 - IP Spoofing

Affected Software: Malware Scanner
CVE ID: CVE-2023-52176
CVSS Score: 5.3 (Medium)
Researcher/s: Brandon James Roldan (tomorrowisnew)
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/fb19fd06-7b2c-41a1-a470-230da7ce944d>


WooCommerce Product Vendors <= 2.2.1 - Missing Authorization

Affected Software: Product Vendors
CVE ID: CVE-2023-51494
CVSS Score: 5.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/fcce0a92-520d-45ac-845e-a1635f763eed>


iFrame <= 4.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via srcdoc

Affected Software: iframe
CVE ID: CVE-2023-52125
CVSS Score: 5.0 (Medium)
Researcher/s: LVT-tholv2k
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/66f392d0-d5fb-4a8c-b972-becfac6cf6e7>


Enable Media Replace <= 4.1.4 - Reflected Cross-Site Scripting

Affected Software: Enable Media Replace
CVE ID: CVE-2023-6737
CVSS Score: 4.7 (Medium)
Researcher/s: Nex Team
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c37d8218-6059-46f2-a5d9-d7c22486211e>


Menu Image, Icons made easy <= 3.10 - Authenticated (Administrator+) Stored Cross-Site Scripting via settings

Affected Software: Menu Image, Icons made easy
CVE ID: CVE-2023-50826
CVSS Score: 4.4 (Medium)
Researcher/s: emad
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/0ff001c2-95f9-42a2-b5a3-74937be41756>


Ultimate Dashboard <= 3.7.11 - Authenticated (Administrator+) Stored Cross-Site Scripting via settings

Affected Software: Ultimate Dashboard – Custom WordPress Dashboard
CVE ID: CVE-2023-50828
CVSS Score: 4.4 (Medium)
Researcher/s: emad
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/10c1b000-537a-4009-a740-19666505989e>


Accredible Certificates & Open Badges <= 1.4.8 - Authenticated (Administrator+) Stored Cross-Site Scripting via settings

Affected Software: Accredible Certificates & Open Badges
CVE ID: CVE-2023-50827
CVSS Score: 4.4 (Medium)
Researcher/s: emad
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/1d5ac3df-ddaf-4c78-acd3-baddea42443f>


Photo Gallery by 10Web <= 1.8.18 - Authenticated (Administrator+) Stored Cross-Site Scripting via Widget

Affected Software: Photo Gallery by 10Web – Mobile-Friendly Image Gallery
CVE ID: CVE-2023-6924
CVSS Score: 4.4 (Medium)
Researcher/s: István Márton
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/21b4d1a1-55fe-4241-820c-203991d724c4>


Everest Forms <= 2.0.4.1 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Everest Forms – Build Contact Forms, Surveys, Polls, Application Forms, and more with Ease!
CVE ID: CVE-2023-51695
CVSS Score: 4.4 (Medium)
Researcher/s: Robert DeVore
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/381ec612-2086-4925-98cd-652a6c2ac081>


WP Review Slider <= 12.7 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: WP Review Slider
CVE ID: CVE-2023-51685
CVSS Score: 4.4 (Medium)
Researcher/s: emad
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/62233370-3b54-4d89-93e7-07afdae4a413>


WP Chat App <= 3.4.4 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: WP Chat App
CVE ID: CVE-2023-51370
CVSS Score: 4.4 (Medium)
Researcher/s: emad
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/73232bff-b11a-4580-8cde-5bf085ba749c>


weForms – Easy Drag & Drop Contact Form Builder For WordPress <= 1.6.17 - Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: weForms – Easy Drag & Drop Contact Form Builder For WordPress
CVE ID: CVE-2023-50896
CVSS Score: 4.4 (Medium)
Researcher/s: emad
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7c44efe0-bdc0-42e0-9bdd-cf25bff1d2d5>


Brave Popup Builder <= 0.6.2 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Brave – Create Popup, Optins, Lead Generation, Survey, Sticky Elements & Interactive Content
CVE ID: CVE-2023-51534
CVSS Score: 4.4 (Medium)
Researcher/s: Huynh Tien Si
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/88cf21c3-52d7-472f-8f55-8e1a5819f133>


Sticky Chat Widget <= 1.1.8 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Sticky Chat Widget: WhatsApp, Messenger, Click to chat, SMS, Email, Messages, Call Button, Contact form and more Chat buttons
CVE ID: CVE-2023-51361
CVSS Score: 4.4 (Medium)
Researcher/s: emad
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/892fe839-57ca-45bc-aa9b-f1bf87994a77>


Event Management Tickets Booking <= 1.3.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via settings

Affected Software: Event Monster – Event Management, Tickets Booking, Upcoming Event
CVE ID: CVE-2023-47525
CVSS Score: 4.4 (Medium)
Researcher/s: Jeongwoo-Lee (Roronoa)
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/8f4f2317-945e-4fd8-8a0b-981b88a8412c>


Multi Step Form <= 1.7.13 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Multi Step Form
CVE ID: CVE-2023-50832
CVSS Score: 4.4 (Medium)
Researcher/s: Benmalek Aymen (centaurus)
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a5e6b508-35ef-45da-bf17-c038d3b7ce52>


Custom Post Carousels with Owl <= 1.4.6 - Authenticated (Editor+) Stored Cross-Site Scripting

Affected Software: Custom Post Carousels with Owl
CVE ID: CVE-2023-51493
CVSS Score: 4.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a89f795d-246d-4a3c-a7a7-5c9867d7a01e>


CRM Perks Forms <= 1.1.2 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: CRM Perks Forms – WordPress Form Builder
CVE ID: CVE-2023-51536
CVSS Score: 4.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ca954d68-18a5-47e2-af56-261c7a55b017>


Simple Counter <= 1.0.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via settings

Affected Software: Simple Counter
CVE ID: CVE-2023-50377
CVSS Score: 4.4 (Medium)
Researcher/s: Abu Hurayra (HurayraIIT)
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/cb4eb28a-3dd5-4d8d-bef0-53cee7285180>


WP Edit Username <= 1.0.5 - Authenticated (Administrator+) Stored Cross-Site Scripting via settings

Affected Software: WP Edit Username
CVE ID: CVE-2023-47527
CVSS Score: 4.4 (Medium)
Researcher/s: Jeongwoo-Lee (Roronoa)
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f445de97-b6fd-4180-b63e-5b8da40dae6a>


Loan Repayment Calculator and Application Form <= 2.9.3 - Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: Loan Repayment Calculator and Application Form
CVE ID: CVE-2023-50829
CVSS Score: 4.4 (Medium)
Researcher/s: DoYeon Park (p6rkdoye0n)
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f8756fb7-ee15-4fc7-b5bd-b4f2e64f8e6f>


WooCommerce Easy Duplicate Product <= 0.3.0.7 - Missing Authorization via wedp_duplicate_product_action

Affected Software: WooCommerce Easy Duplicate Product
CVE ID: CVE-2023-51523
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/02d11be0-2e2e-4c76-8a8e-f3f637b99809>


EnvíaloSimple <= 2.1 - Cross-Site Request Forgery

Affected Software: EnvíaloSimple: Email Marketing y Newsletters
CVE ID: CVE-2023-51416
CVSS Score: 4.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/0c533277-5cea-419f-93ec-e510c0fbd75d>


Simple Job Board <= 2.10.6 - Cross-Site Request Forgery

Affected Software: Simple Job Board CVE ID: CVE-2023-52122 CVSS Score: 4.3 (Medium) Researcher/s: Brandon James Roldan (tomorrowisnew) Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/100b6786-7cad-4d65-b457-9beb179e293a&gt;


Webba Booking <= 4.5.33 - Cross-Site Request Forgery

Affected Software: Appointment & Event Booking Calendar Plugin – Webba Booking CVE ID: CVE-2023-51354 CVSS Score: 4.3 (Medium) Researcher/s: Skalucy Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/12a195a0-f992-462d-9b4e-69e8a2975635&gt;


Spam protection, AntiSpam, FireWall by CleanTalk <= 6.20 - Cross-Site Request Forgery via apbct_settings__update_account_email

Affected Software: Spam protection, Anti-Spam, FireWall by CleanTalk CVE ID: CVE-2023-51696 CVSS Score: 4.3 (Medium) Researcher/s: Elliot Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/19dd6670-2813-4944-abcd-c26fb9b82092&gt;


Custom Twitter Feeds (Tweets Widget) <= 2.1.2 - Cross-Site Request Forgery

Affected Software: Custom Twitter Feeds – A Tweets Widget or X Feed Widget CVE ID: CVE-2023-52136 CVSS Score: 4.3 (Medium) Researcher/s: thiennv Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/1ab56d29-7e35-4bc3-812e-d82890f60c8e&gt;


Republish Old Posts <= 1.21 - Cross-Site Request Forgery via rop_options_page

Affected Software: Republish Old Posts CVE ID: CVE-2023-52145 CVSS Score: 4.3 (Medium) Researcher/s: Skalucy Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/1e1db52a-3966-4e04-b0ed-08bda9ba1ff6&gt;


Advanced Access Manager <= 6.9.18 - Authenticated (Author+) Open Redirect

Affected Software: Advanced Access Manager – Restricted Content, Users & Roles, Enhanced Security and More CVE ID: CVE-2023-51675 CVSS Score: 4.3 (Medium) Researcher/s: LVT-tholv2k Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/1eb25ef3-28ea-4f8f-932a-e90ca1914e8d&gt;


Floating Button <= 6.0 - Cross-Site Request Forgery via process_bulk_action

Affected Software: Floating Button CVE ID: CVE-2023-52149 CVSS Score: 4.3 (Medium) Researcher/s: Skalucy Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/20151f80-c25f-482e-a2b0-34607dba9d1e&gt;


Rise Blocks – A Complete Gutenberg Page Builder <= 3.1 - Cross-Site Request Forgery

Affected Software: Rise Blocks – A Complete Gutenberg Page Builder CVE ID: CVE-2023-51378 CVSS Score: 4.3 (Medium) Researcher/s: emad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/2b249842-c480-495a-8eec-6c7d0893ef1c&gt;


WP Simple Booking Calendar <= 2.0.8.4 - Cross-Site Request Forgery

Affected Software: WP Simple Booking Calendar CVE ID: CVE-2023-51525 CVSS Score: 4.3 (Medium) Researcher/s: Brandon James Roldan (tomorrowisnew) Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/2f72e5bb-e076-4379-8699-e399761c043f&gt;


Icegram <= 3.1.18 - Cross-Site Request Forgery via save_campaign_preview

Affected Software: Icegram Engage – WordPress Lead Generation, Popup Builder, CTA, Optins and Email List Building CVE ID: CVE-2023-52119 CVSS Score: 4.3 (Medium) Researcher/s: Brandon James Roldan (tomorrowisnew) Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/3000b140-2e38-463d-9128-b486293e3cf6&gt;


White Label <= 2.9.0 - Cross-Site Request Forgery via white_label_reset_wl_admins

Affected Software: White Label – WordPress Custom Admin, Custom Login Page, and Custom Dashboard CVE ID: CVE-2023-52128 CVSS Score: 4.3 (Medium) Researcher/s: Brandon James Roldan (tomorrowisnew) Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/383da457-b930-470c-a68a-db3e87af7a80&gt;


Ultimate Addons for Beaver Builder <= 1.35.13 - Authenticated(Contributor+) Directory Traversal to Arbitrary File Download

Affected Software: Ultimate Addons for Beaver Builder CVE ID: CVE-2023-51401 CVSS Score: 4.3 (Medium) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/38a5be0c-f905-4e27-b5c3-8c0606d71a61&gt;


HUSKY – Products Filter for WooCommerce (formerly WOOF) <= 1.3.4.3 - Cross-Site Request Forgery

Affected Software: HUSKY – Products Filter for WooCommerce Professional CVE ID: CVE-2023-50861 CVSS Score: 4.3 (Medium) Researcher/s: Mika Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/3d9179d2-2e90-4de7-8178-073a0ce5865b&gt;


Duplicator <= 1.5.7 - Cross-Site Request Forgery via views/tools/diagnostics/information.php

Affected Software: Duplicator – WordPress Migration & Backup Plugin CVE ID: CVE-2023-51681 CVSS Score: 4.3 (Medium) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/416da5d4-3d47-443b-a82c-c059c38f5218&gt;


Quiz And Survey Master <= 8.1.18 - Cross-Site Request Forgery

Affected Software: Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress CVE ID: CVE-2023-51521 CVSS Score: 4.3 (Medium) Researcher/s: Brandon James Roldan (tomorrowisnew) Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/4cfdbf80-3733-4d5c-9bc6-01e543ee08b1&gt;


Thrive Automator <= 1.17 - Cross-Site Request Forgery

Affected Software: Thrive Automator CVE ID: CVE-2023-51531 CVSS Score: 4.3 (Medium) Researcher/s: Brandon James Roldan (tomorrowisnew) Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/4d5b1a3d-ce7f-4d5d-b72b-61024d5c5378&gt;


Spam protection, AntiSpam, FireWall by CleanTalk <= 6.20 - Cross-Site Request Forgery

Affected Software: Spam protection, Anti-Spam, FireWall by CleanTalk CVE ID: CVE-2023-51535 CVSS Score: 4.3 (Medium) Researcher/s: Brandon James Roldan (tomorrowisnew) Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/4eb4400d-d629-4c88-9ec5-06da9089f6d1&gt;


WPC Product Bundles for WooCommerce <= 7.3.1 - Cross-Site Request Forgery

Affected Software: WPC Product Bundles for WooCommerce CVE ID: CVE-2023-52127 CVSS Score: 4.3 (Medium) Researcher/s: Brandon James Roldan (tomorrowisnew) Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5188dc72-a00d-4a07-b178-3f3ef26d7fc1&gt;


GPT3 AI Content Writer <= 1.8.12 - Cross-Site Request Forgery

Affected Software: AI Power: Complete AI Pack – Powered by GPT-4 CVE ID: CVE-2023-51528 CVSS Score: 4.3 (Medium) Researcher/s: Brandon James Roldan (tomorrowisnew) Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5511c5f4-b71c-484b-ab6f-2389a29809cd&gt;


Apollo13 Framework Extensions <= 1.9.1 - Cross-Site Request Forgery

Affected Software: Apollo13 Framework Extensions CVE ID: CVE-2023-51539 CVSS Score: 4.3 (Medium) Researcher/s: Brandon James Roldan (tomorrowisnew) Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/575b51f4-fed4-4057-9e8b-762fda275ef3&gt;


WooCommerce Ship to Multiple Addresses <= 3.8.9 - Missing Authorization

Affected Software: WooCommerce Ship to Multiple Addresses CVE ID: CVE-2023-51497 CVSS Score: 4.3 (Medium) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/63ab255f-e061-447b-a2b6-21a85eed9d57&gt;


WooCommerce PDF Invoice Builder <= 1.2.101 - Cross-Site Request Forgery

Affected Software: WooCommerce PDF Invoice Builder, Create invoices, packing slips and more CVE ID: CVE-2023-51486 CVSS Score: 4.3 (Medium) Researcher/s: Nguyen Xuan Chien Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/652367a0-fca2-4313-8217-d8811ada0ab5&gt;


Paid Member Subscriptions <= 2.10.4 - Cross-Site Request Forgery via ajax_add_log_entry

Affected Software: Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction CVE ID: CVE-2023-51522 CVSS Score: 4.3 (Medium) Researcher/s: Brandon James Roldan (tomorrowisnew) Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/69ab17fc-8290-4230-8c44-25d12009c08a&gt;


HT Mega <= 2.3.3 - Cross-Site Request Forgery via Several Functions

Affected Software: HT Mega – Absolute Addons For Elementor CVE ID: CVE-2023-51529 CVSS Score: 4.3 (Medium) Researcher/s: Brandon James Roldan (tomorrowisnew) Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6f26b04f-2a25-40a6-9b2c-27d9970acb8f&gt;


FunnelKit Checkout <= 3.10.3 - Authenticated(Subscriber+) Missing Authorization to Arbitrary Plugin Activation

Affected Software: FunnelKit Checkout CVE ID: CVE-2023-51670 CVSS Score: 4.3 (Medium) Researcher/s: Dave Jong Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6f789ff9-5d86-4911-8b2f-2a425393c61d&gt;


ProfileGrid <= 5.6.6 - Missing Authorization

Affected Software: ProfileGrid – User Profiles, Memberships, Groups and Communities CVE ID: CVE-2023-52117 CVSS Score: 4.3 (Medium) Researcher/s: emad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/71fb1cef-6e01-4bd7-b0bc-5d21295f119a&gt;


Dynamic Content for Elementor < 2.12.5 - Cross-Site Request Forgery

Affected Software: Dynamic Content for Elementor CVE ID: CVE-2023-52150 CVSS Score: 4.3 (Medium) Researcher/s: Dave Jong Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/77a85024-33ff-4056-89f6-991182d71b80&gt;


Product Filter by WBW <= 2.5.0 - Missing Authorization via getListForTbl

Affected Software: Product Filter by WBW CVE ID: CVE-2023-50877 CVSS Score: 4.3 (Medium) Researcher/s: Abdi Pranata Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/77acb885-1776-4a74-96d0-4edbf1a92917&gt;


Export Media URLs <= 1.0 - Cross-Site Request Forgery

Affected Software: Export Media URLs CVE ID: CVE-2023-51510 CVSS Score: 4.3 (Medium) Researcher/s: Skalucy Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7b121abf-3842-43ac-a3dc-bde6d5e0b263&gt;


Calculated Fields Form <= 1.2.28 - Authenticated (Contributor+) Open Redirect via Shortcode

Affected Software: Calculated Fields Form CVE ID: CVE-2023-51517 CVSS Score: 4.3 (Medium) Researcher/s: Ngô Thiên An (ancorn_) Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/85555a8f-5d23-458d-9166-d30f8f0551e0&gt;


Inline Image Upload for BBPress <= 1.1.18 - Cross-Site Request Forgery via hm_bbpui_admin_page

Affected Software: Inline Image Upload for BBPress CVE ID: CVE-2023-51668 CVSS Score: 4.3 (Medium) Researcher/s: Nguyen Xuan Chien Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/86bd6ae1-e74d-4aab-98e1-3c47cb484fe9&gt;


WooCommerce Shipping Per Product <= 2.5.4 - Missing Authorization

Affected Software: WooCommerce Per Product Shipping CVE ID: CVE-2023-51499 CVSS Score: 4.3 (Medium) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/8b0504f3-f8df-4b37-bafa-5320920e9571&gt;


Easy PayPal Buy Now Button <= 1.8.1 - Cross-Site Request Forgery

Affected Software: Easy PayPal & Stripe Buy Now Button CVE ID: CVE-2023-51683 CVSS Score: 4.3 (Medium) Researcher/s: LVT-tholv2k Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/8f6fd0bb-d37b-40b6-b84e-9b21aae891cc&gt;


BulkGate SMS Plugin for WooCommerce <= 3.0.2 - Missing Authorization via Multiple AJAX Actions

Affected Software: BulkGate SMS Plugin for WooCommerce CVE ID: CVE-2023-51679 CVSS Score: 4.3 (Medium) Researcher/s: Abdi Pranata Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/93e590f8-5f8d-4ee5-bcff-96bcb8daf4b7&gt;


FunnelKit Checkout <= 3.10.3 - Authenticated(Subscriber+) Missing Authorization to Settings Change

Affected Software: FunnelKit Checkout CVE ID: CVE-2023-51671 CVSS Score: 4.3 (Medium) Researcher/s: Dave Jong Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/9603e394-b358-4599-8610-ef5737a39de0&gt;


Booster Elite for WooCommerce <= 7.1.2 - Authenticated(Subscriber+) Content Injection

Affected Software: Booster Elite for WooCommerce CVE ID: CVE-2023-51511 CVSS Score: 4.3 (Medium) Researcher/s: Dave Jong Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/995a086a-4795-4092-823c-b941445dc361&gt;


MStore API <= 4.10.1 - Cross-Site Request Forgery

Affected Software: MStore API CVE ID: CVE-2023-50878 CVSS Score: 4.3 (Medium) Researcher/s: Mika Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/9d32bda7-2d2d-4364-8ac9-e32950f889ed&gt;


Add Any Extension to Pages <= 1.4 - Cross-Site Request Forgery via aaetp_options_page

Affected Software: Add Any Extension to Pages CVE ID: CVE-2023-50873 CVSS Score: 4.3 (Medium) Researcher/s: Nguyen Xuan Chien Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/9f49e727-cac4-4a46-b649-5ca48d5e2402&gt;


Sirv <= 7.1.2 - Missing Authorization via sirv_disconnect

Affected Software: Image Optimizer, Resizer and CDN – Sirv CVE ID: CVE-2023-50898 CVSS Score: 4.3 (Medium) Researcher/s: Abdi Pranata Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a4a67ec6-ee13-4532-8213-d17dbf5f2c55&gt;


Integrate Google Drive <= 1.3.3 - Missing Authorization via save_settings

Affected Software: Integrate Google Drive – Browse, Upload, Download, Embed, Play, Share, Gallery, and Manage Your Google Drive Files Into Your WordPress Site CVE ID: CVE-2023-52177 CVSS Score: 4.3 (Medium) Researcher/s: Nguyen Xuan Chien Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a4c8d390-145a-4926-99e9-b386dfe5e6ac&gt;


Anti Hacker <= 4.34 - Cross-Site Request Forgery via antihacker_ajax_scan

Affected Software: Disable Json API, Login Lockdown, XMLRPC, Pingback, Stop User Enumeration Anti Hacker Scan CVE ID: CVE-2023-50858 CVSS Score: 4.3 (Medium) Researcher/s: Mika Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a8ae5712-09a8-45a4-9f79-3e5b7786e652&gt;


NEX-Forms – Ultimate Form Builder <= 8.5.2 - Cross-Site Request Forgery

Affected Software: NEX-Forms – Ultimate Form Builder – Contact forms and much more CVE ID: CVE-2023-52120 CVSS Score: 4.3 (Medium) Researcher/s: Brandon James Roldan (tomorrowisnew) Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a9b45e9b-57a6-4bfd-b9e4-d07780370f02&gt;


Split Test For Elementor <= 1.6.9 - Cross-Site Request Forgery

Affected Software: Split Test For Elementor CVE ID: CVE-2023-51407 CVSS Score: 4.3 (Medium) Researcher/s: Nguyen Xuan Chien Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/be23388e-9371-4ea0-974b-80f76de90012&gt;


GS Logo Slider <= 3.5.1 - Cross-Site Request Forgery

Affected Software: Logo Slider – Logo Showcase, Logo Carousel, Logo Gallery and Client Logo Presentation CVE ID: CVE-2023-51530 CVSS Score: 4.3 (Medium) Researcher/s: Brandon James Roldan (tomorrowisnew) Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c89a8001-ab50-466c-aa51-62c0ff5f86dc&gt;


WP Job Portal <= 2.0.6 - Cross-Site Request Forgery

Affected Software: WP Job Portal – A Complete Job Board CVE ID: CVE-2023-52184 CVSS Score: 4.3 (Medium) Researcher/s: Nguyen Xuan Chien Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d0aa1fad-1ff4-4bc5-a584-99b528470990&gt;


ProjectHuddle Client Site <= 1.0.34 - Missing Authorization via ph_child_ajax_notice_handler

Affected Software: SureFeedback Client Site CVE ID: CVE-2023-51376 CVSS Score: 4.3 (Medium) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d484500f-c8c1-4278-8a38-82a7fd5674f9&gt;


Slider by Soliloquy <= 2.7.2 - Missing Authorization

Affected Software: Slider by Soliloquy – Responsive Image Slider for WordPress CVE ID: CVE-2023-51519 CVSS Score: 4.3 (Medium) Researcher/s: Abdi Pranata Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d6331b42-f15b-46c6-b8bd-7f65c28c4a12&gt;


Awesome Support <= 6.1.5 - Cross-Site Request Forgery

Affected Software: Awesome Support – WordPress HelpDesk & Support Plugin CVE ID: CVE-2023-51538 CVSS Score: 4.3 (Medium) Researcher/s: Brandon James Roldan (tomorrowisnew) Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d69915e9-af9b-4c07-ac43-21c6e350c3c4&gt;


Advanced Category Template <= 0.1 - Cross-Site Request Forgery

Affected Software: Advanced Category Template CVE ID: CVE-2023-50835 CVSS Score: 4.3 (Medium) Researcher/s: Skalucy Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/da09b158-3626-455b-b3bc-b1109d0fab2e&gt;


NitroPack <= 1.10.2 - Cross-Site Request Forgery

Affected Software: NitroPack – Cache & Speed Optimization for Core Web Vitals, Defer CSS & JavaScript, Lazy load Images CVE ID: CVE-2023-52121 CVSS Score: 4.3 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/daa30370-0d11-45b7-8ca3-b2a3b9046127&gt;


Crowdsignal Dashboard – Polls, Surveys & more <= 3.0.11 - Cross-Site Request Forgery via update_rating

Affected Software: Crowdsignal Dashboard – Polls, Surveys & more CVE ID: CVE-2023-51489 CVSS Score: 4.3 (Medium) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e03390e5-5604-4b9d-ab1b-dac2b19270cd&gt;


Strong Testimonials <= 3.1.10 - Cross-Site Request Forgery

Affected Software: Strong Testimonials CVE ID: CVE-2023-52123 CVSS Score: 4.3 (Medium) Researcher/s: Brandon James Roldan (tomorrowisnew) Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e0ccdc0d-7c38-4dd3-be39-2359d63b2b6c&gt;


Eazy Plugin Manager <= 4.1.2 - Missing Authorization via update_options

Affected Software: Eazy Plugin Manager – Powerful Plugin Management Solution for WordPress CVE ID: CVE-2023-51482 CVSS Score: 4.3 (Medium) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e214fadf-73fd-430f-8608-6630ce82b78c&gt;


Ultimate Addons for WPBakery <= 3.19.17 - Cross-Site Request Forgery

Affected Software: Ultimate Addons for WPBakery CVE ID: CVE-2023-51402 CVSS Score: 4.3 (Medium) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ece4eca1-9dc1-4f17-92e4-8b2e3e1a7306&gt;


Product Table by WBW <= 1.8.6 - Cross-Site Request Forgery via saveGroup

Affected Software: Product Table by WBW CVE ID: CVE-2023-51512 CVSS Score: 4.3 (Medium) Researcher/s: Skalucy Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/eff03dbc-1bb7-4a72-b57c-f1bde966c286&gt;


Customize My Account for WooCommerce <= 1.8.3 - Cross-Site Request Forgery via restore_my_account_tabs

Affected Software: Customize My Account for WooCommerce CVE ID: CVE-2023-51369 CVSS Score: 4.3 (Medium) Researcher/s: thiennv Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f79f9385-f8d1-44a0-9e53-7576a9453163&gt;


Product Feed Manager <= 7.3.15 - Authenticated (Admin+) Directory Traversal

Affected Software: Product Feed Manager – WooCommerce to Google Shopping, Social Catalogs, and 170+ Popular Marketplaces CVE ID: CVE-2023-52144 CVSS Score: 2.7 (Low) Researcher/s: Muhammad Daffa Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7a20b65a-6d3a-41fc-80c5-94cce0459a6b&gt;
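Most of the entries above fall into three classes with one common root cause in WordPress plugin code: an admin-ajax action handler that changes state without verifying a nonce (Cross-Site Request Forgery), without checking the caller's capability (Missing Authorization, reachable by Subscriber+ where the action is registered for any logged-in user), or that stores a setting and later echoes it unescaped (Stored Cross-Site Scripting via settings). The snippet below is an added illustration written for this report, not code from any plugin listed here; the plugin prefix `acme_`, the action names and the option key are hypothetical. It puts the vulnerable handler shape beside a hardened one so the three fixes can be checked against each other.

```php
<?php
/**
 * Added example for a hypothetical plugin ("acme-widget"): the admin-ajax
 * handler pattern behind the CSRF, Missing Authorization and Stored XSS via
 * settings entries in this report. Not code from any plugin named above.
 */

// --- Vulnerable shape -------------------------------------------------------
// Registered under wp_ajax_ (logged-in users only), but it never checks a
// nonce, so any page a logged-in administrator visits can submit this request
// from a hidden form (CSRF); it never checks a capability, so a Subscriber can
// call it directly (Missing Authorization); and it stores the raw POST value,
// which acme_render_title_vulnerable() echoes unescaped (Stored XSS).
function acme_save_settings_vulnerable() {
    update_option( 'acme_widget_title', $_POST['title'] );
    wp_send_json_success();
}
add_action( 'wp_ajax_acme_save_settings_vulnerable', 'acme_save_settings_vulnerable' );

function acme_render_title_vulnerable() {
    echo '<h2>' . get_option( 'acme_widget_title', '' ) . '</h2>';
}

// --- Hardened shape ---------------------------------------------------------
function acme_save_settings() {
    // CSRF: the request must carry a nonce bound to this action. On failure
    // check_ajax_referer() ends the request before any state changes.
    check_ajax_referer( 'acme_save_settings', 'nonce' );

    // Authorization: a valid nonce proves intent, not privilege. Require the
    // capability the change actually needs; Subscribers do not hold it.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // Sanitize before storing; wp_unslash() undoes WordPress' magic-quote slashing.
    $title = isset( $_POST['title'] ) ? sanitize_text_field( wp_unslash( $_POST['title'] ) ) : '';
    update_option( 'acme_widget_title', $title );
    wp_send_json_success( array( 'title' => $title ) );
}
add_action( 'wp_ajax_acme_save_settings', 'acme_save_settings' );

// Escape on output regardless of what was stored. The Administrator+ stored XSS
// entries above are rated low because admins normally hold unfiltered_html, but
// on multisite, or with DISALLOW_UNFILTERED_HTML set, they do not, and a CSRF'd
// admin is still the victim, not the attacker.
function acme_render_title() {
    echo '<h2>' . esc_html( get_option( 'acme_widget_title', '' ) ) . '</h2>';
}

// The client must send the nonce; create it server-side when enqueueing the
// admin script so the value is tied to the logged-in user's session.
function acme_enqueue_admin_script() {
    wp_enqueue_script( 'acme-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'acme-admin', 'acmeAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'acme_save_settings' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'acme_enqueue_admin_script' );
```

The two checks are independent and both are needed: a handler with only `check_ajax_referer()` still lets any logged-in user who can obtain a nonce (for instance from a page that localizes it for all roles) perform the action, which is the Missing Authorization class; a handler with only `current_user_can()` still performs the action when an administrator's browser is tricked into submitting it, which is the CSRF class. When triaging a plugin against this list, search its `wp_ajax_` and `admin_post_` registrations and confirm each state-changing callback does both before touching options, posts or files.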


As a reminder, Wordfence has curated an industry-leading vulnerability database, Wordfence Intelligence, covering all known WordPress core, theme, and plugin vulnerabilities.

This database is continuously updated and maintained by Wordfence's experienced vulnerability researchers through in-house vulnerability research, direct submissions from researchers via our CVE Request form, and monitoring of public sources to capture all publicly available WordPress vulnerability information, with additional context added where we can.

Click here to sign up for our mailing list to receive weekly vulnerability reports like this one, and important WordPress security reports, in your inbox the moment they are published.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (December 18, 2023 to December 31, 2023) appeared first on Wordfence.
