Wordfence Intelligence Weekly WordPress Vulnerability Report (Apr 10, 2023 to Apr 16, 2023)

2023-04-20 12:50:38
Chloe Chamberland
www.wordfence.com
Last week, there were 69 vulnerabilities disclosed in 60 WordPress plugins and 4 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 32 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface and vulnerability API are completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

_Click here to sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published._


New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real time to our Premium, Care, and Response customers last week:

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30-day delay.


Total Unpatched & Patched Vulnerabilities Last Week

| Patch Status | Number of Vulnerabilities |
|---|---|
| Unpatched | 30 |
| Patched | 39 |

Total Vulnerabilities by CVSS Severity Last Week

| Severity Rating | Number of Vulnerabilities |
|---|---|
| Low Severity | 0 |
| Medium Severity | 60 |
| High Severity | 6 |
| Critical Severity | 3 |

Total Vulnerabilities by CWE Type Last Week

| Vulnerability Type by CWE | Number of Vulnerabilities |
|---|---|
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 31 |
| Cross-Site Request Forgery (CSRF) | 16 |
| Missing Authorization | 10 |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 5 |
| Authorization Bypass Through User-Controlled Key | 2 |
| Improper Privilege Management | 1 |
| Information Exposure | 1 |
| Authentication Bypass Using an Alternate Path or Channel | 1 |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') | 1 |
| Improper Neutralization of Formula Elements in a CSV File | 1 |

Researchers That Contributed to WordPress Security Last Week

| Researcher Name | Number of Vulnerabilities |
|---|---|
| Mika | 4 |
| Lana Codes | 4 |
| yuyudhn | 3 |
| Erwan LR | 3 |
| Dave Jong | 3 |
| Shreya Pohekar | 3 |
| Rio Darmawan | 2 |
| Maurice Fielenbach | 2 |
| Alex Thomas | 2 |
| Prasanna V Balaji | 2 |
| Muhammad Daffa | 2 |
| Pavak Tiwari | 2 |
| Cat | 2 |
| Ivy | 2 |
| Abdi Pranata | 2 |
| Rafie Muhammad | 2 |
| Mahesh Nagabhairava | 1 |
| TEAM WEBoB of BoB 11th | 1 |
| Skalucy | 1 |
| Marc-Alexandre Montpas | 1 |
| Fariq Fadillah Gusti Insani | 1 |
| qilin_99 | 1 |
| dc11 | 1 |
| Pavitra Tiwari | 1 |
| Johan Kragt | 1 |
| Sajjad Shariati | 1 |
| Justiice | 1 |
| Yuki Haruma | 1 |
| LOURCODE | 1 |
| Ramuel Gall | 1 |
| Padavishree | 1 |
| Ameen Alkurdy | 1 |

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.


WordPress Plugins with Reported Vulnerabilities Last Week

| Software Name | Software Slug |
|---|---|
| AFFILIATE Solution | affiliate-solution |
| AI ChatBot | chatbot |
| AdFoxly – Ad Manager, AdSense Ads & Ads.txt | adfoxly |
| Affiliate Links Lite | affiliate-links |
| Article Directory Redux | article-directory-redux |
| Best WordPress Gallery Plugin – FooGallery | foogallery |
| Better Search – Relevant search results for WordPress | better-search |
| Blocksy Companion | blocksy-companion |
| Booqable Rental Plugin | booqable-rental-reservations |
| Cloud Manager | cloud-manager |
| CoSchedule | coschedule-by-todaymade |
| Contact Form to DB by BestWebSoft – Messages Database Plugin For WordPress | contact-form-to-db |
| Coupon Affiliates – WooCommerce Affiliate Plugin | woo-coupon-usage |
| Custom Order Numbers for WooCommerce | custom-order-numbers-for-woocommerce |
| Cyr to Lat enhanced | cyr3lat |
| Database Collation Fix | database-collation-fix |
| Download Manager Pro | download-manager |
| Easy Appointments | easy-appointments |
| ElasticPress | elasticpress |
| Electric Studio Client Login | electric-studio-client-login |
| Enable Accessibility | enable-accessibility |
| External Videos | external-videos |
| Fantastic Content Protector Free | fantastic-content-protector-free |
| Featured Post Creative | featured-post-creative |
| Forminator – Contact Form, Payment Form & Custom Form Builder | forminator |
| Kaya QR Code Generator | kaya-qr-code-generator |
| Landing Page Builder – Free Landing Page Templates | ultimate-landing-page |
| Limit Login Attempts | limit-login-attempts |
| Motor Racing League | motor-racing-league |
| Neshan Maps | neshan-maps |
| Newsletters | newsletters-lite |
| Optima Express + MarketBoost IDX Plugin | optima-express |
| Paytm – Donation Plugin | paytm-donation |
| Pickup Delivery | |
| PowerPress Podcasting plugin by Blubrry | powerpress |
| Pretty Links – Affiliate Links, Link Branding, Link Tracking & Marketing Plugin | pretty-link |
| Product Catalog Feed by PixelYourSite | product-catalog-feed |
| Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress | quiz-master-next |
| Restricted Site Access | restricted-site-access |
| ReviewX – Multi-criteria Rating & Reviews for WooCommerce | reviewx |
| Ruby Help Desk | ruby-help-desk |
| ShiftController Employee Shift Scheduling | shiftcontroller |
| Shortcodes by Angie Makes | wc-shortcodes |
| Simple PopUp | simple-popup |
| Stamped.io Product Reviews & UGC for WooCommerce | stampedio-product-reviews |
| Stock Exporter for WooCommerce | stock-exporter-for-woocommerce |
| SupportCandy – Helpdesk & Support Ticket System | supportcandy |
| Ultimate Noindex Nofollow Tool II | ultimate-noindex-nofollow-tool-ii |
| User registration & user profile – UserPlus | userplus |
| Vimeotheque / Vimeo | codeflavors-vimeo-video-post-lite |
| WP EasyPay – Square for WordPress | wp-easy-pay |
| WP Inventory Manager | wp-inventory-manager |
| WP Reroute Email | wp-reroute-email |
| WP Roles at Registration | wp-roles-at-registration |
| Watu Quiz | watu |
| WooCommerce Wishlist by MC + (Free Elementor & Email Marketing Automation) | smart-wishlist-for-more-convert |
| ZM Ajax Login & Register | zm-ajax-login-register |
| a3 Portfolio | a3-portfolio |
| hiWeb Migration Simple | hiweb-migration-simple |
| tencentcloud-cos | tencentcloud-cos |

WordPress Themes with Reported Vulnerabilities Last Week

| Software Name | Software Slug |
|---|---|
| Betheme | betheme |
| Blogger Buzz | blogger-buzz |
| Educenter | educenter |
| Square | square |

Vulnerability Details

SupportCandy <= 3.1.4 - Unauthenticated SQL Injection via parse_user_filters

Affected Software: SupportCandy – Helpdesk & Support Ticket System
CVE ID: CVE-2023-1730
CVSS Score: 9.8 (Critical)
Researcher/s: dc11
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5ca1c55a-cd4e-429a-ab74-dd1bad1a65f5>


ZM Ajax Login & Register <= 2.0.2 - Authentication Bypass

Affected Software: ZM Ajax Login & Register
CVE ID: CVE-2023-2027
CVSS Score: 9.8 (Critical)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b10d01ec-54ef-456b-9410-ed013343a962>


Quiz and Survey Master <= 8.1.4 - Unauthenticated SQL Injection

Affected Software: Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress
CVE ID: CVE-2023-28787
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b29dcd7a-a0bc-4983-85ba-6ebf2c405ceb>


Cyr to Lat <= 3.5 - Authenticated SQL Injection

Affected Software: Cyr to Lat enhanced
CVE ID: CVE-2022-4290
CVSS Score: 8.8 (High)
Researcher/s: Ramuel Gall
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c9c29130-1b42-4edd-ad62-6f635e03ae31>


webpack JS package <= 5.75.0 - Sandbox Bypass

Affected Software/s: Restricted Site Access, ElasticPress
CVE ID: CVE-2023-28154
CVSS Score: 8.3 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/1cda31a4-4c79-4567-a527-6510c31d2843>


WP Reroute Email <= 1.4.6 - Authenticated (Administrator+) SQL Injection

Affected Software: WP Reroute Email
CVE ID: CVE-2023-27605
CVSS Score: 7.2 (High)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/395a8ca6-78b8-43f2-8e8c-896702b5da0d>


Paytm Payment Donation <= 2.1 - Reflected Cross-Site Scripting

Affected Software: Paytm – Donation Plugin
CVE ID: CVE-2023-28535
CVSS Score: 7.2 (High)
Researcher/s: qilin_99
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/534e6f80-b162-4a4b-a979-72ed63a8b0dc>


Landing Page Builder – Free Landing Page Templates <= 3.1.9.8 - Local File Inclusion

Affected Software: Landing Page Builder – Free Landing Page Templates
CVE ID: CVE-2023-24379
CVSS Score: 7.2 (High)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c40bf215-81c1-423a-9d41-9a231dfc8053>


Neshan Maps <= 1.1.4 - Authenticated (Administrator+) SQL Injection

Affected Software: Neshan Maps
CVE ID: CVE-2022-47426
CVSS Score: 7.2 (High)
Researcher/s: Unknown
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ee7eb754-27f0-47b0-a82f-4781cfbb0fa6>


Stamped.io Product Reviews & UGC for WooCommerce <= 2.3.2 - Missing Authorization

Affected Software: Stamped.io Product Reviews & UGC for WooCommerce
CVE ID: CVE-2023-30479
CVSS Score: 6.5 (Medium)
Researcher/s: Fariq Fadillah Gusti Insani
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/490061dc-11f7-48f2-bc9a-974bedf16621>


ReviewX <= 1.6.6 - Unauthenticated CSV Injection

Affected Software: ReviewX – Multi-criteria Rating & Reviews for WooCommerce
CVE ID: CVE-2022-46809
CVSS Score: 6.5 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/cc465757-4295-4a75-90f6-92c4be4e8944>


Limit Login Attempts <= 1.7.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting

Affected Software: Limit Login Attempts
CVE ID: CVE-2023-1861
CVSS Score: 6.4 (Medium)
Researcher/s: Marc-Alexandre Montpas
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/3334fc78-48c5-4cfa-ac83-5690fdbf590a>


Affiliate Links Lite <= 2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Affiliate Links Lite
CVE ID: CVE-2023-22696
CVSS Score: 6.4 (Medium)
Researcher/s: Justiice
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/9511d8f1-ab96-4695-aa8c-16a3482a6de4>


a3 Portfolio <= 3.1.0 - Authenticated (Author+) Stored Cross-Site Scripting

Affected Software: a3 Portfolio
CVE ID: CVE-2023-29097
CVSS Score: 6.4 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/9a190909-4b0f-4a44-8371-d79f64d323c2>


Kaya QR Code Generator <= 1.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via url parameter

Affected Software: Kaya QR Code Generator
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ad8b5fd2-ba92-4afa-9b4a-a95936b9a18d>


Product Catalog Feed by PixelYourSite <= 2.1.0 - Reflected Cross-Site Scripting via 'page'

Affected Software: Product Catalog Feed by PixelYourSite
CVE ID: CVE-2023-1805
CVSS Score: 6.1 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/18d33d68-9719-4e74-a594-bc4add38ceee>


Contact Form to DB <= 1.7.0 - Multiple Cross-Site Scripting

Affected Software: Contact Form to DB by BestWebSoft – Messages Database Plugin For WordPress
CVE ID: CVE Unknown
CVSS Score: 6.1 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/19b21013-136a-41b0-a667-39f23ccedf2e>


Watu Quiz <= 3.3.9.2 - Reflected Cross-Site Scripting via 'question'

Affected Software: Watu Quiz
CVE ID: CVE-2023-30483
CVSS Score: 6.1 (Medium)
Researcher/s: Skalucy
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/1d24dbdf-8fb0-41c3-8c35-e0d65c6b96f5>


WP Inventory Manager <= 2.1.0.11 - Reflected Cross-Site Scripting via 'message'

Affected Software: WP Inventory Manager
CVE ID: CVE-2023-1806
CVSS Score: 6.1 (Medium)
Researcher/s: Maurice Fielenbach
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/363ece80-1fa6-4019-84c9-e0a65f02625d>


AdFoxly – Ad Manager, AdSense Ads & Ads.txt <= 1.8.4 - Unauthenticated Cross-Site Scripting

Affected Software: AdFoxly – Ad Manager, AdSense Ads & Ads.txt
CVE ID: CVE-2023-30754
CVSS Score: 6.1 (Medium)
Researcher/s: Prasanna V Balaji
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/4d13ae87-f632-4eb0-bc71-5132ba6a9b13>


Cloud Manager <= 1.0 - Reflected Cross-Site Scripting

Affected Software: Cloud Manager
CVE ID: CVE-2023-0421
CVSS Score: 6.1 (Medium)
Researcher/s: Shreya Pohekar
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5d896366-a85d-49c9-9509-3f7454712474>


Coupon Affiliates <= 5.4.5 - Reflected Cross-Site Scripting via 'page'

Affected Software: Coupon Affiliates – WooCommerce Affiliate Plugin
CVE ID: CVE-2023-30475
CVSS Score: 6.1 (Medium)
Researcher/s: Ivy
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6c6fc6be-7e9a-40cb-b9cd-bb71d4f487f7>


Vimeotheque <= 2.2.1 - Reflected Cross-Site Scripting via 'view' and 'page'

Affected Software: Vimeotheque / Vimeo
CVE ID: CVE-2023-30498
CVSS Score: 6.1 (Medium)
Researcher/s: Ivy
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/72256ac2-72a7-4c3c-a892-1f1795671c5d>


FooGallery <= 2.2.35 - Reflected Cross-Site Scripting

Affected Software: Best WordPress Gallery Plugin – FooGallery
CVE ID: CVE-2023-29439
CVSS Score: 6.1 (Medium)
Researcher/s: LOURCODE
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a7181056-d2ee-4c0f-b9a8-fdb7ad042a6b>


UserPlus <= 2.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Affected Software: User registration & user profile – UserPlus
CVE ID: CVE-2023-0824
CVSS Score: 6.1 (Medium)
Researcher/s: Shreya Pohekar
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/acd0349b-7864-4e4e-84ba-6f0ec5b585f3>


ShiftController Employee Shift Scheduling <= 4.9.25 - Reflected Cross-Site Scripting via Query String

Affected Software: ShiftController Employee Shift Scheduling
CVE ID: CVE-2023-1978
CVSS Score: 6.1 (Medium)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b5c61212-e68e-4198-b078-18121576b767>


hiWeb Migration Simple <= 2.0.0.1 - Reflected Cross-Site Scripting

Affected Software: hiWeb Migration Simple
CVE ID: CVE-2023-0769
CVSS Score: 6.1 (Medium)
Researcher/s: Shreya Pohekar
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b9aacc69-aa46-4cdb-a301-c0bf2836d441>


Betheme <= 26.7.5 - Reflected Cross-Site Scripting

Affected Software: Betheme
CVE ID: CVE-2023-29101
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c14b948f-129d-4223-b3ee-0bef1f9fc703>


Product Catalog Feed by PixelYourSite <= 2.1.0 - Reflected Cross-Site Scripting via 'edit'

Affected Software: Product Catalog Feed by PixelYourSite
CVE ID: CVE-2023-1804
CVSS Score: 6.1 (Medium)
Researcher/s: Maurice Fielenbach
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d82d1dd2-b5b5-490a-92e5-1a4d4ab0085d>


Booqable Rental Plugin <= 2.4.12 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Booqable Rental Plugin
CVE ID: CVE-2023-30746
CVSS Score: 5.5 (Medium)
Researcher/s: TEAM WEBoB of BoB 11th
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/16f183a6-b8db-461e-b17d-2faa528ff0ff>


Newsletters <= 4.8.8 - Cross-Site Request Forgery

Affected Software: Newsletters
CVE ID: CVE-2023-30478
CVSS Score: 5.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/0cd6474f-72e1-4ec2-a056-3c05a0dfa173>


PowerPress <= 10.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: PowerPress Podcasting plugin by Blubrry
CVE ID: CVE-2023-1917
CVSS Score: 5.4 (Medium)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/44583cb7-bc32-4e62-8431-f5f1f6baeff2>


Custom Order Numbers for WooCommerce <= 1.4.0 - Cross-Site Request Forgery

Affected Software: Custom Order Numbers for WooCommerce
CVE ID: CVE-2022-45367
CVSS Score: 5.4 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7d19800a-bff3-414f-a809-0159f49d263a>


Featured Post Creative <= 1.2.7 - Missing Authorization via wpfp_update_featured_post

Affected Software: Featured Post Creative
CVE ID: CVE-2023-30488
CVSS Score: 5.3 (Medium)
Researcher/s: Cat
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/61585a02-fe7b-4a54-959f-346e4e0d6658>


Blogger Buzz <= 1.2.1 - Missing Authorization via activate_plugin

Affected Software: Blogger Buzz
CVE ID: CVE-2023-30476
CVSS Score: 5.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/823dce74-2688-4573-b0c8-353f1789ea48>


Download Manager Pro <= 6.2.9 - Unauthenticated Information Disclosure

Affected Software: Download Manager Pro
CVE ID: CVE-2023-1809
CVSS Score: 5.3 (Medium)
Researcher/s: Johan Kragt
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/88d80702-a987-4b12-a003-2fa564fda409>


Fantastic Content Protector Free <= 2.6 - Missing Authorization via update_setting_fantastic_content_protector

Affected Software: Fantastic Content Protector Free
CVE ID: CVE-2023-25048
CVSS Score: 5.3 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b93f8036-4a89-45e6-b86f-9d57e1662a35>


Shortcodes by Angie Makes <= 3.46 - Missing Authorization

Affected Software: Shortcodes by Angie Makes
CVE ID: CVE-2023-23725
CVSS Score: 5.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e20feb23-f78e-42e7-8922-e7cf37dbdcb1>


Optima Express + MarketBoost IDX Plugin <= 7.3.0 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Optima Express + MarketBoost IDX Plugin
CVE ID: CVE-2023-30749
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/059e262b-ee63-4f8b-82ab-c12bcf70f879>


External Videos <= 1.2 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: External Videos
CVE ID: CVE-2023-30752
CVSS Score: 4.4 (Medium)
Researcher/s: Mahesh Nagabhairava
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/168e8512-d551-47f9-bc2b-c458180a6d13>


Simple Popup Images <= 1.8.6 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Simple PopUp
CVE ID: CVE-2023-24406
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/18c0ecc5-b3e2-4ac0-b901-dae397e2d57c>


WP Roles at Registration <= 0.23 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: WP Roles at Registration
CVE ID: CVE-2023-27609
CVSS Score: 4.4 (Medium)
Researcher/s: Pavak Tiwari
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5a4eeb77-7a8b-489f-8ded-bbe09e881758>


Article Directory Redux <= 1.0.2 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Article Directory Redux
CVE ID: CVE-2023-30751
CVSS Score: 4.4 (Medium)
Researcher/s: Pavitra Tiwari
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/63c681e5-3110-4790-a075-4996fa1f2129>


Motor Racing League <= 1.9.9 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Motor Racing League
CVE ID: CVE-2023-27614
CVSS Score: 4.4 (Medium)
Researcher/s: Pavak Tiwari
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/8876ecc4-1a50-43ac-9c8d-354f6de4abdd>


Pickup | Delivery | Dine-in date time <= 1.0.9 - Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: Pickup | Delivery | Dine-in date time
CVE ID: CVE-2023-0894
CVSS Score: 4.4 (Medium)
Researcher/s: Sajjad Shariati
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/936803ab-93d5-4808-8758-6b8f7c01b3c2>


Easy Appointments <= 3.11.0 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Easy Appointments
CVE ID: CVE-2023-30748
CVSS Score: 4.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/bfe8d13b-f387-4c82-ba9f-efadda18c882>


AI ChatBot <= 4.4.9 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: AI ChatBot
CVE ID: CVE-2023-1649
CVSS Score: 4.4 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/cdb3fbaa-4d33-4754-848b-77e902ea4a85>


Electric Studio Client Login <= 0.8.1 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Electric Studio Client Login
CVE ID: CVE-2023-27425
CVSS Score: 4.4 (Medium)
Researcher/s: Padavishree
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e797c0ca-f348-4d9c-815e-0c1756686690>


AFFILIATE Solution <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: AFFILIATE Solution
CVE ID: CVE-2023-30477
CVSS Score: 4.4 (Medium)
Researcher/s: Prasanna V Balaji
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ef778a1d-d4ce-47fd-932b-9e86b38e2681>


tencentcloud-cos <= 1.0.7 - Cross-Site Request Forgery

Affected Software: tencentcloud-cos
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/0be21ac7-4f61-44fc-9ffc-ab65faa549f6>


Forminator <= 1.22.1 - Missing Authorization on 'load_hcaptcha_preview' AJAX function

Affected Software: Forminator – Contact Form, Payment Form & Custom Form Builder
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/2ef15cb1-b320-42d9-a2fd-afff2ec8a93b>


Database Collation Fix <= 1.2.7 - Cross-Site Request Forgery via admin_page

Affected Software: Database Collation Fix
CVE ID: CVE-2023-23997
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/31612b4b-a75f-4fa4-831b-43f62a8d5fad>


Featured Post Creative <= 1.2.7 - Cross-Site Request Forgery via wpfp_update_featured_post

Affected Software: Featured Post Creative
CVE ID: CVE-2023-30488
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/33a47156-ee93-4b59-9f73-56be5c9e3b00>


Educenter <= 1.5.1 - Missing Authorization via activate_plugin

Affected Software: Educenter
CVE ID: CVE-2023-30480
CVSS Score: 4.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/344ad959-038a-46d1-b515-ae3473af8209>


Shortlinks by Pretty Links <= 3.4.0 - Cross-Site Request Forgery via route

Affected Software: Pretty Links – Affiliate Links, Link Branding, Link Tracking & Marketing Plugin
CVE ID: CVE-2022-47149
CVSS Score: 4.3 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5304da48-5d42-47ce-b1b1-dc04b8fa9dff>


Stock Exporter for WooCommerce <= 1.1.0 - Cross-Site Request Forgery

Affected Software: Stock Exporter for WooCommerce
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6c4a9092-fd49-42fe-a84d-a9f7fe708122>


Forminator <= 1.22.1 - Missing Authorization on 'load_recaptcha_preview' AJAX function

Affected Software: Forminator – Contact Form, Payment Form & Custom Form Builder
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/718e54f5-f040-42d6-958d-255d905615d5>


Ultimate Noindex Nofollow Tool II <= 1.3.3 - Cross-Site Request Forgery

Affected Software: Ultimate Noindex Nofollow Tool II
CVE ID: CVE-2023-30474
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7761fe7c-e7f5-4bab-8820-42e6fcabcb2f>


Stamped.io Product Reviews & UGC for WooCommerce <= 2.3.2 - Cross-Site Request Forgery

Affected Software: Stamped.io Product Reviews & UGC for WooCommerce
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7a8c4232-2e1e-4c99-83d5-d70f7ca1c879>


MC Woocommerce Wishlist <= 1.5.4 - Cross-Site Request Forgery

Affected Software: WooCommerce Wishlist by MC + (Free Elementor & Email Marketing Automation)
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7c7f6ef2-6c50-4739-8844-0db7d9ffe7f7>


WP Reroute Email <= 1.4.6 - Cross-Site Request Forgery

Affected Software: WP Reroute Email
CVE ID: CVE-2023-27606
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/9c3a047f-be12-4308-a4a5-fbbbc37f674d>


Enable Accessibility <= 1.4 - Cross-Site Request Forgery

Affected Software: Enable Accessibility
CVE ID: CVE-2023-30484
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b0b8c4c3-eba2-4c20-b790-48eceeba898e>


CoSchedule <= 3.3.8 - Cross-Site Request Forgery

Affected Software: CoSchedule
CVE ID: CVE-2022-47165
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ca55a7a0-da31-4d3f-845b-80f89ffbadf5>


Forminator <= 1.22.1 - Missing Authorization on 'hubspot_support_request' AJAX function

Affected Software: Forminator – Contact Form, Payment Form & Custom Form Builder
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d0cb4434-94c5-42a9-bd86-869058dcbf67>


Blocksy Companion <= 1.8.81 - Authenticated (Subscriber+) Sensitive Information Exposure via blocksy_posts shortcode

Affected Software: Blocksy Companion
CVE ID: CVE-2023-1911
CVSS Score: 4.3 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d31aad1c-89d4-4f71-bfed-a795f7a4f209>


Square <= 2.0.0 - Missing Authorization via activate_plugin

Affected Software: Square
CVE ID: CVE-2023-30486
CVSS Score: 4.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d3ca4c3c-2b20-42d4-8dcf-77f4d52c25a3>


Better Search <= 3.1.0 - Cross-Site Request Forgery

Affected Software: Better Search – Relevant search results for WordPress
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d7a02502-bc3c-4fd1-b6db-7b3c476c141f>


WP EasyPay <= 4.0.4 - Cross-Site Request Forgery

Affected Software: WP EasyPay – Square for WordPress
CVE ID: CVE-2022-47177
CVSS Score: 4.3 (Medium)
Researcher/s: Cat
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e2c1606e-b6b6-4f7d-8473-1015677ded7c>


Ruby Help Desk <= 1.3.3 - Missing Authorization to Arbitrary Ticket Modification

Affected Software: Ruby Help Desk
CVE ID: CVE-2023-1125
CVSS Score: 4.3 (Medium)
Researcher/s: Ameen Alkurdy
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/fd741e2d-5478-4b9a-83ab-7ccafdc5d12f>


_As a reminder, Wordfence has curated an industry-leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities, known as Wordfence Intelligence._

_This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can._

_Click here to sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published._
