Wordfence Intelligence Weekly WordPress Vulnerability Report (July 24, 2023 to July 30, 2023)

2023-08-03 13:39:02
Chloe Chamberland
www.wordfence.com
Last week, 64 vulnerabilities disclosed in 66 WordPress plugins and 3 WordPress themes were added to the Wordfence Intelligence Vulnerability Database, and 32 vulnerability researchers contributed to WordPress security. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, including the WordPress community, so that individuals and organizations alike can use that data to make the internet more secure. That is why the Wordfence Intelligence user interface and vulnerability API are completely free to access and use, both personally and commercially, and why we are running this weekly vulnerability report.

Click here to sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.


New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real time to our Premium, Care, and Response customers last week:

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30-day delay.


Total Unpatched & Patched Vulnerabilities Last Week

Patch Status | Number of Vulnerabilities
Unpatched    | 34
Patched      | 30

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating   | Number of Vulnerabilities
Low Severity      | 2
Medium Severity   | 54
High Severity     | 6
Critical Severity | 2

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE | Number of Vulnerabilities
Missing Authorization | 18
Cross-Site Request Forgery (CSRF) | 18
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 16
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 3
Server-Side Request Forgery (SSRF) | 2
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') | 1
Authorization Bypass Through User-Controlled Key | 1
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') | 1
Improper Authorization | 1
Protection Mechanism Failure | 1
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') | 1
Use of Hard-coded Cryptographic Key | 1
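The two largest rows in that table, Missing Authorization (18) and Cross-Site Request Forgery (18), almost always describe the same code shape in a WordPress plugin: an admin-ajax.php (or admin-post.php) handler that changes state, such as a plugin setting, a notice-dismissal flag or a cloned menu, without checking who is calling and whether that caller actually intended the request. The PHP below is an added illustration written for this report, not code from any plugin listed here; the `example_` prefix, the option name and the AJAX action names are invented, and the `example-settings` script handle is assumed to be enqueued elsewhere. It shows the vulnerable handler beside a hardened one.

```php
<?php
// Added example for this report; not code from any plugin listed above.
// The "example_" prefix, option name, action names and script handle are invented.

// ---- Vulnerable shape: Missing Authorization (CWE-862) plus CSRF (CWE-352) ----
// Registered for logged-in (wp_ajax_) AND anonymous (wp_ajax_nopriv_) callers,
// with no capability check and no nonce check. Any visitor who can reach
// /wp-admin/admin-ajax.php?action=example_save_settings can change the option,
// and a logged-in administrator can be made to submit it from a third-party page.
add_action( 'wp_ajax_example_save_settings',        'example_save_settings_vulnerable' );
add_action( 'wp_ajax_nopriv_example_save_settings', 'example_save_settings_vulnerable' );

function example_save_settings_vulnerable() {
    $value = isset( $_POST['tracking_id'] ) ? $_POST['tracking_id'] : '';
    update_option( 'example_tracking_id', $value ); // raw input stored, echoed elsewhere
    wp_send_json_success();
}

// ---- Hardened shape ----
// 1. No wp_ajax_nopriv_ registration, so unauthenticated requests never reach the handler.
// 2. check_ajax_referer() validates a nonce created with
//    wp_create_nonce( 'example_save_settings' ) and sent back as the "nonce" field;
//    on failure it calls wp_die( -1, 403 ), so nothing below it runs for a forged request.
// 3. current_user_can() answers the separate question of whether this user may change
//    settings. A valid nonce only proves the request was issued by this site to this
//    user; it says nothing about what the user is allowed to do.
// 4. Input is sanitized before storage and escaped before output.
add_action( 'wp_ajax_example_save_settings_v2', 'example_save_settings_hardened' );

function example_save_settings_hardened() {
    check_ajax_referer( 'example_save_settings', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    $value = sanitize_text_field( wp_unslash( $_POST['tracking_id'] ?? '' ) );
    update_option( 'example_tracking_id', $value );
    wp_send_json_success( array( 'tracking_id' => esc_html( $value ) ) );
}

// The nonce is handed to the settings page script, which posts it back as "nonce".
// 'example-settings' is assumed to be a script handle enqueued elsewhere in the plugin.
function example_settings_script_data() {
    wp_localize_script(
        'example-settings',
        'exampleSettings',
        array(
            'ajaxUrl' => admin_url( 'admin-ajax.php' ),
            'nonce'   => wp_create_nonce( 'example_save_settings' ),
        )
    );
}
add_action( 'admin_enqueue_scripts', 'example_settings_script_data' );
```

The two checks are not interchangeable: a handler with a nonce but no capability check is still Missing Authorization (any logged-in subscriber who can load a page that exposes the nonce can call it), and a handler with a capability check but no nonce is still CSRF (an administrator can be made to trigger it from another site). When reviewing a plugin, grep for `wp_ajax_nopriv_` registrations and for handlers that reach `update_option()`, `wp_delete_post()`, `update_user_meta()` or `$wpdb` without both `current_user_can()` and `check_ajax_referer()` (or `wp_verify_nonce()`) on the path to them.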

Researchers That Contributed to WordPress Security Last Week

Researcher Name | Number of Vulnerabilities
Abdi Pranata | 7
Mika | 7
Rafie Muhammad | 5
Skalucy | 3
Lana Codes (Wordfence Vulnerability Researcher) | 3
longxi | 3
Nguyen Xuan Chien | 2
yuyudhn | 2
Dipak Panchal | 2
Chloe Chamberland (Wordfence Vulnerability Researcher) | 2
Junsu Yeo | 1
Cat | 1
TaeEun Lee | 1
Emili Castells | 1
Truoc Phan | 1
konagash | 1
Dmitriy | 1
Christiaan Swiers | 1
Stephen | 1
Muhammad Daffa | 1
LOURCODE | 1
Bob Matyas | 1
Yuchen Ji | 1
Phd | 1
Muhamad Arsyad | 1
Marco Wotschka (Wordfence Vulnerability Researcher) | 1
Jonas Höbenreich | 1
Marc-Alexandre Montpas | 1
Rio Darmawan | 1
PetiteMais | 1
LEE SE HYOUNG | 1
thiennv | 1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added to the Wordfence Intelligence leaderboard, along with a mention in our weekly vulnerability report.


WordPress Plugins with Reported Vulnerabilities Last Week

Software Name | Software Slug
ACF Photo Gallery Field | navz-photo-gallery
AGP Font Awesome Collection | agp-font-awesome-collection
APIExperts Square for WooCommerce | woosquare
Assistant – Every Day Productivity Apps | assistant
Author Box for Authors, Co-Authors, Multiple Authors and Guest Authors – Molongui | molongui-authorship
Backup Migration | backup-backup
Banner Management For WooCommerce | banner-management-for-woocommerce
Blog2Social: Social Media Auto Post & Scheduler | blog2social
Booster Elementor Addons | booster-for-elementor
Change WP Admin Login | change-wp-admin-login
Chat Button: WhatsApp Chat, Facebook Messenger, Telegram Chat, WeChat, Line Chat, Discord Chat for Customer Support Chat with floating Chat Widget | bit-assist
Church Admin | church-admin
Clone | wp-clone-by-wp-academy
CodeBard's Patron Button and Widgets for Patreon | patron-button-and-widgets-by-codebard
Contact Form Builder by Bit Form – Easiest Contact Form, Payment Form, Order Form, Calculator Form Builder Plugin for WordPress | bit-form
Custom Field For WP Job Manager | custom-field-for-wp-job-manager
Custom Field Template | custom-field-template
Discussion Board – WordPress Forum Plugin | wp-discussion-board
Donations Made Easy – Smart Donations | smart-donations
Duplicate Post | copy-delete-posts
Enhanced Text Widget | enhanced-text-widget
Fraud Prevention For Woocommerce | woo-blocker-lite-prevent-fake-orders-and-blacklist-fraud-customers
Google Map Shortcode | google-map-shortcode
HTTP Auth | http-auth
InstaWP Connect – 1-click WP Staging & Migration (beta) | instawp-connect
Instant CSS | instant-css
LWS Affiliation | lws-affiliation
Local Development | local-development
Meks Smart Social Widget | meks-smart-social-widget
Mobile Address Bar Changer | mobile-address-bar-changer
MultiParcels Shipping For WooCommerce | multiparcels-shipping-for-woocommerce
Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress | ninja-forms
Optimize Database after Deleting Revisions | rvg-optimize-database
Perelink Pro | perelink
Pop-up | pop-up-pop-up
Post to Google My Business (Google Business Profile) | post-to-google-my-business
QR code MeCard/vCard generator | wp-qrcode-me-v-card
Quasar form free – Contact Form Builder for WordPress | quasar-form
RSS Redirect & Feedburner Alternative | feedburner-alternative-and-rss-redirect
Redirection | redirect-redirection
Remove Duplicate Posts | remove-duplicate-posts
SSL Mixed Content Fix | http-https-remover
Saphali Woocommerce Lite | saphali-woocommerce-lite
Schema Pro | wp-schema-pro
Simple Author Box | simple-author-box
Simple Googlebot Visit | simple-googlebot-visit
Simple Wp Sitemap | simple-wp-sitemap
Slider Carousel – Responsive Image Slider | slider-images
Social Media Share Buttons & Social Sharing Icons | ultimate-social-media-icons
Social Share Icons & Social Share Buttons | ultimate-social-media-plus
Taboola | taboola
The Events Calendar | the-events-calendar
Ultimate Posts Widget | ultimate-posts-widget
Update Theme and Plugins from Zip File | update-theme-and-plugins-from-zip-file
User Activity Log | user-activity-log
User Email Verification for WooCommerce | woo-confirmation-email
Video Conferencing with Zoom | video-conferencing-with-zoom-api
WP Clone Menu | clone-menu
WP Quick Post Duplicator | wp-quick-post-duplicator
WPS Limit Login | wps-limit-login
Web Accessibility By accessiBe | accessibe
WordPress Database Administrator | wp-database-admin
cartflows-pro | cartflows-pro
tagDiv Composer | td-composer
wp tell a friend popup form | wp-tell-a-friend-popup-form
wpml-string-translation | wpml-string-translation

WordPress Themes with Reported Vulnerabilities Last Week

Software Name | Software Slug
nsc | nsc
winters | winters
yourjourney | yourjourney

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities.

InstaWP Connect <= 0.0.9.18 - Missing Authorization to Unauthenticated Post/Taxonomy/User Add/Change/Delete, Customizer Setting Change, Plugin Installation/Activation/Deactivation via events_receiver

Affected Software: InstaWP Connect – 1-click WP Staging & Migration (beta)
CVE ID: CVE-2023-3956
CVSS Score: 9.8 (Critical)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/48e7acf2-61d4-4762-8657-0701910ce69b


LWS Affiliation <= 2.2.6 - Unauthenticated Remote/Local File Inclusion

Affected Software: LWS Affiliation
CVE ID: CVE-2023-32297
CVSS Score: 9.8 (Critical)
Researcher/s: Marco Wotschka, Jonas Höbenreich
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a7b1871d-9d26-4bdc-bd20-0535143902d4


Quasar form <= 6.1 - Authenticated (Subscriber+) SQL Injection via 'id'

Affected Software: Quasar form free – Contact Form Builder for WordPress
CVE ID: CVE-2023-35910
CVSS Score: 8.8 (High)
Researcher/s: Emili Castells
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/150021d3-71bb-41c0-bb1c-5843e94ec0b6


User Activity Log <= 1.6.4 - Unauthenticated SQL Injection

Affected Software: User Activity Log
CVE ID: CVE-2023-3435
CVSS Score: 7.5 (High)
Researcher/s: Marc-Alexandre Montpas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b4ca985e-cae1-4e26-ad2d-413724cfd45d


WordPress Database Administrator <= 1.0.3 - Authenticated (Administrator+) SQL Injection

Affected Software: WordPress Database Administrator
CVE ID: CVE-2023-3211
CVSS Score: 7.2 (High)
Researcher/s: Christiaan Swiers
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2c314acf-d5bb-433a-8e2d-4ca333944bb6


WPML String Translation <= 3.2.5 - Authenticated (Administrator+) SQL Injection via 'context'

Affected Software: wpml-string-translation
CVE ID: CVE Unknown
CVSS Score: 7.2 (High)
Researcher/s: Stephen
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2e8f224c-cd22-4926-be24-9da2f22afa50


MultiParcels Shipping For WooCommerce <= 1.15.4 - Unauthenticated Stored Cross-Site Scripting

Affected Software: MultiParcels Shipping For WooCommerce
CVE ID: CVE Unknown
CVSS Score: 7.2 (High)
Researcher/s: Unknown
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c5ce2d08-6e01-4a7c-a2d5-ba98639107a8


Molongui <= 4.6.19 - Unauthenticated Stored Cross-Site Scripting

Affected Software: Author Box for Authors, Co-Authors, Multiple Authors and Guest Authors – Molongui
CVE ID: CVE-2023-39164
CVSS Score: 7.2 (High)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cff04656-5930-4324-9ddf-43a2166cdf04


Booster Elementor Addons <= 1.4.9 - Missing Authorization

Affected Software: Booster Elementor Addons
CVE ID: CVE-2023-38480
CVSS Score: 6.5 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/60ee9cfc-016d-45ee-b3f4-da999d093776


Ninja Forms <= 3.6.25 - Reflected Cross-Site Scripting via 'data'

Affected Software: Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress
CVE ID: CVE-2023-37979
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1460dc44-dd64-4fd6-952b-1f5d4285bfa4


tagDiv Composer <= 4.1 - Cross-Site Request Forgery to Cross-Site Scripting

Affected Software: tagDiv Composer
CVE ID: CVE-2023-39166
CVSS Score: 6.1 (Medium)
Researcher/s: Truoc Phan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/199d3a1f-bfde-4081-bb68-ebb6f9d360b2


User Email Verification for WooCommerce <= 3.5.0 - Reflected Cross-Site Scripting

Affected Software: User Email Verification for WooCommerce
CVE ID: CVE-2023-39162
CVSS Score: 6.1 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/282ef0bb-4db5-4b07-9aad-b128e8fdb915


CodeBard's Patron Button and Widgets for Patreon <= 2.1.8 - Reflected Cross-Site Scripting via 'site_account'

Affected Software: CodeBard's Patron Button and Widgets for Patreon
CVE ID: CVE-2023-30491
CVSS Score: 6.1 (Medium)
Researcher/s: LOURCODE
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/46f5d1fa-dba7-4882-be29-39dc281d7278


nsc <= 1.0 - Prototype Pollution to Reflected Cross-Site Scripting

Affected Software: nsc
CVE ID: CVE-2023-3965
CVSS Score: 6.1 (Medium)
Researcher/s: longxi
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5909513d-8877-40ff-bee9-d565141b7ed2


Winters <= 1.4.3 - Prototype Pollution to Reflected Cross-Site Scripting

Affected Software: winters
CVE ID: CVE-2023-3962
CVSS Score: 6.1 (Medium)
Researcher/s: longxi
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6f8b75a1-f0f2-445b-a1c7-1628916470d3


Custom Field Template <= 2.5.9 - Reflected Cross-Site Scripting

Affected Software: Custom Field Template
CVE ID: CVE-2023-38392
CVSS Score: 6.1 (Medium)
Researcher/s: Phd
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/752a07c4-ae88-4152-b449-68228a54604a


Blog2Social: Social Media Auto Post & Scheduler <= 7.2.0 - Reflected Cross-Site Scripting

Affected Software: Blog2Social: Social Media Auto Post & Scheduler
CVE ID: CVE Unknown
CVSS Score: 6.1 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a00147db-2ca5-4290-ae13-27be6119b751


AGP Font Awesome Collection <= 3.2.4 - Reflected Cross-Site Scripting

Affected Software: AGP Font Awesome Collection
CVE ID: CVE-2023-30481
CVSS Score: 6.1 (Medium)
Researcher/s: Skalucy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b4df1fc3-ea7e-4f41-a5f0-d3928f8add70


Your Journey <= 1.9.8 - Prototype Pollution to Reflected Cross-Site Scripting

Affected Software: yourjourney
CVE ID: CVE-2023-3933
CVSS Score: 6.1 (Medium)
Researcher/s: longxi
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c738e051-ad1c-4115-94d3-127dd5dff935


Church Admin <= 3.7.56 - Server-Side Request Forgery via church_admin_import_csv

Affected Software: Church Admin
CVE ID: CVE-2023-38515
CVSS Score: 5.5 (Medium)
Researcher/s: Yuchen Ji
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6ff53647-572f-419f-ad39-965658a10263


Assistant <= 1.4.3 - Authenticated (Editor+) Server-Side Request Forgery

Affected Software: Assistant – Every Day Productivity Apps
CVE ID: CVE Unknown
CVSS Score: 5.5 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9d5ed6cf-ae12-4da5-809f-6a8c61eeb4f6


WP Quick Post Duplicator <= 1.0 - Missing Authorization

Affected Software: WP Quick Post Duplicator
CVE ID: CVE-2023-31214
CVSS Score: 5.4 (Medium)
Researcher/s: TaeEun Lee
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/12a576ee-f8a9-4740-b87b-091a46970d53


Discussion Board <= 2.4.8 - Authenticated (Subscriber+) Content Injection

Affected Software: Discussion Board – WordPress Forum Plugin
CVE ID: CVE-2023-39161
CVSS Score: 5.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2e9d7776-aa96-47c8-9e31-5484ab65bc66


wp tell a friend popup form <= 7.1 - Cross-Site Request Forgery via 'TellAFriend_admin'

Affected Software: wp tell a friend popup form
CVE ID: CVE-2023-25463
CVSS Score: 5.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2f760821-98d4-4154-a4ae-861283f991f8


HTTP Auth <= 0.3.2 - Cross-Site Request Forgery

Affected Software: HTTP Auth
CVE ID: CVE-2023-27435
CVSS Score: 5.4 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/43357daa-4dce-4851-b41b-48d3ffb8a387


Schema Pro <= 2.7.8 - Authenticated (Contributor+) Missing Authorization

Affected Software: Schema Pro
CVE ID: CVE-2023-36683
CVSS Score: 5.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/645ab4b9-e421-4610-b99b-960a7fbb7779


Saphali Woocommerce Lite <= 1.8.13 - Cross-Site Request Forgery via 'woocommerce_saphali_page_s_l'

Affected Software: Saphali Woocommerce Lite
CVE ID: CVE-2023-25788
CVSS Score: 5.4 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c58d9011-a082-48ca-b702-ef5563af2c66


WP Clone Menu <= 1.0.1 - Missing Authorization to Menu Clone

Affected Software: WP Clone Menu
CVE ID: CVE-2023-38395
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0bbbefce-4451-410d-bc19-f489318dda4a


APIExperts Square for WooCommerce <= 4.2.8 - Missing Authorization

Affected Software: APIExperts Square for WooCommerce
CVE ID: CVE-2022-47182
CVSS Score: 5.3 (Medium)
Researcher/s: Cat
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0e1193b1-6e5a-4ecc-ae97-1a3129ad330e


Ninja Forms <= 3.6.25 - Missing Authorization to Contributor+ Form Submission Export

Affected Software: Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress
CVE ID: CVE-2023-38386
CVSS Score: 5.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6551eea6-1059-4caa-876c-3d08083130f6


Change WP Admin Login <= 1.1.3 - Protection Mechanism Failure to Login Page Disclosure

Affected Software: Change WP Admin Login
CVE ID: CVE-2023-3604
CVSS Score: 5.3 (Medium)
Researcher/s: Muhamad Arsyad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9410b5b8-1bb2-42d7-8d4d-721131d392e3


Instant CSS <= 1.1.4 - Missing Authorization via AJAX Actions

Affected Software: Instant CSS
CVE ID: CVE-2023-38483
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b82a9ae8-ff82-40bf-a5d4-5175daab9146


Slider Carousel – Responsive Image Slider <= 1.5.0 - Missing Authorization

Affected Software: Slider Carousel – Responsive Image Slider
CVE ID: CVE-2023-25457
CVSS Score: 5.3 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c32f1c6a-cf65-419e-bfcd-48ac8e3735bc


Meks Smart Social Widget <= 1.6 - Missing Authorization to Notice Dismissal

Affected Software: Meks Smart Social Widget
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/eaabaadf-7881-4c4f-8987-fbba8318a458


Custom Field For WP Job Manager <= 1.1 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Custom Field For WP Job Manager
CVE ID: CVE-2023-3328
CVSS Score: 4.4 (Medium)
Researcher/s: Bob Matyas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4f504434-2de9-4d2e-848d-6c7fc0880672


Contact Form Builder by Bit Form <= 2.1.0 - Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: Contact Form Builder by Bit Form – Easiest Contact Form, Payment Form, Order Form, Calculator Form Builder Plugin for WordPress
CVE ID: CVE-2023-3645
CVSS Score: 4.4 (Medium)
Researcher/s: Dipak Panchal
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9cb6384a-f9dc-454c-be39-c2c681e57d36


Web Accessibility By accessiBe <= 1.15 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Web Accessibility By accessiBe
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9d79ce22-33ef-4dfb-a842-591cd7cedc94


wp tell a friend popup form <= 7.1 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: wp tell a friend popup form
CVE ID: CVE-2023-25465
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ec860ad9-7054-4ed2-a8f2-6589e4db36cd


Bit Assist <= 1.1.8 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Chat Button: WhatsApp Chat, Facebook Messenger, Telegram Chat, WeChat, Line Chat, Discord Chat for Customer Support Chat with floating Chat Widget
CVE ID: CVE-2023-3667
CVSS Score: 4.4 (Medium)
Researcher/s: Dipak Panchal
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fb88e629-6811-4651-99b9-7394e4a787b6


Remove Duplicate Posts <= 1.3.4 - Missing Authorization to Post Deletion

Affected Software: Remove Duplicate Posts
CVE ID: CVE-2023-29237
CVSS Score: 4.3 (Medium)
Researcher/s: Junsu Yeo
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/02dcf609-e8ef-4ff5-a61e-6c513af04ca2


Donations Made Easy – Smart Donations <= 4.0.12 - Missing Authorization

Affected Software: Donations Made Easy – Smart Donations
CVE ID: CVE-2023-38475
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0efebdcb-c3fb-435a-8687-6abdd5f9334b


Woocommerce Category Banner Management <= 2.4.1 - Cross-Site Request Forgery

Affected Software: Banner Management For WooCommerce
CVE ID: CVE-2023-39158
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/223a6c35-712a-458c-8708-6981c9041fe1


Simple Author Box <= 2.51 - Authenticated (Contributor+) Insecure Direct Object Reference to Arbitrary User Sensitive Information Exposure

Affected Software: Simple Author Box
CVE ID: CVE-2023-3601
CVSS Score: 4.3 (Medium)
Researcher/s: Dmitriy
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2a1b7e37-1e30-473c-aadc-176de729e619


Mobile Address Bar Changer <= 3.0 - Cross-Site Request Forgery to Settings Update

Affected Software: Mobile Address Bar Changer
CVE ID: CVE-2023-38390
CVSS Score: 4.3 (Medium)
Researcher/s: Skalucy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2f1b0b50-663f-40ff-803e-a20d7c7ea980


Meks Smart Social Widget <= 1.6 - Cross-Site Request Forgery via meks_remove_notification

Affected Software: Meks Smart Social Widget
CVE ID: CVE-2023-25989
CVSS Score: 4.3 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3d0efe1d-69ad-483c-b200-38873f88433b


Simple Wp Sitemap <= 1.2.1 - Cross-Site Request Forgery

Affected Software: Simple Wp Sitemap
CVE ID: CVE-2023-24380
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3e3dc509-73c3-4869-b520-6f5c1d691184


Optimize Database after Deleting Revisions <= 5.0.110 - Cross-Site Request Forgery via 'odb_start_manually'

Affected Software: Optimize Database after Deleting Revisions
CVE ID: CVE-2023-25980
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5d01548e-91bf-44db-83dc-10c7d5962f9b


Perelink Pro <= 2.1.4 - Cross-Site Request Forgery to Settings Update

Affected Software: Perelink Pro
CVE ID: CVE-2023-37990
CVSS Score: 4.3 (Medium)
Researcher/s: Skalucy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/65b9fea3-323a-4123-ad83-3d713eb5552f


ACF Photo Gallery Field <= 1.9 - Authenticated (Subscriber+) Arbitrary Usermeta Update

Affected Software: ACF Photo Gallery Field
CVE ID: CVE-2023-3957
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/689511e0-1355-4fcb-8a72-d819abc8e9a3


QR code MeCard/vCard generator <= 1.6.0 - Missing Authorization via wqm_make_url_permanent

Affected Software: QR code MeCard/vCard generator
CVE ID: CVE-2023-38477
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8896fa5a-1642-4fcd-8fff-1e5828c28523


Taboola <= 2.0.1 - Cross-Site Request Forgery to Plugin Settings Update

Affected Software: Taboola
CVE ID: CVE-2023-38398
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ab015cb4-0b1e-40ff-ab9b-6c03eed3142f


Inisev Plugins (Various Versions) - Cross-Site Request Forgery on handle_installation function

Affected Software/s: SSL Mixed Content Fix, Duplicate Post, Social Share Icons & Social Share Buttons, Ultimate Posts Widget, Backup Migration, Pop-up, Redirection, Clone, Social Media Share Buttons & Social Sharing Icons, RSS Redirect & Feedburner Alternative, Enhanced Text Widget
CVE ID: CVE-2023-3977
CVSS Score: 4.3 (Medium)
Researcher/s: Chloe Chamberland
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ab7c8926-c762-49b1-bc97-4b7a2f4f97fc


Simple Googlebot Visit <= 1.2.4 - Missing Authorization to Settings Update

Affected Software: Simple Googlebot Visit
CVE ID: CVE-2023-38479
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b1e7bb04-28b4-407c-910b-e37a7e26682e


Post to Google My Business <= 3.1.14 - Cross-Site Request Forgery to Dismiss Notification

Affected Software: Post to Google My Business (Google Business Profile)
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/baa8e48f-769a-4f48-bc47-d55c179d1ca1


The Events Calendar <= 6.1.2.2 - Missing Authorization

Affected Software: The Events Calendar
CVE ID: CVE-2023-35777
CVSS Score: 4.3 (Medium)
Researcher/s: PetiteMais
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c513e674-c027-4335-8ba3-b19696a1ce9b


Inisev Plugins (Various Versions) - Missing Authorization on handle_installation function

Affected Software/s: SSL Mixed Content Fix, Duplicate Post, Social Share Icons & Social Share Buttons, Ultimate Posts Widget, Backup Migration, Pop-up, Redirection, Clone, Social Media Share Buttons & Social Sharing Icons, RSS Redirect & Feedburner Alternative, Enhanced Text Widget
CVE ID: CVE-2023-0958
CVSS Score: 4.3 (Medium)
Researcher/s: Chloe Chamberland
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cf7bdd0e-f3b3-4be5-8a30-2c6d9cb783a3


CartFlows Pro <= 1.11.12 - Cross-Site Request Forgery

Affected Software: cartflows-pro
CVE ID: CVE-2023-36685
CVSS Score: 4.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d0631ec9-fb72-4573-a41b-9b6b01aeaae9


Ninja Forms <= 3.6.25 - Missing Authorization to Form Submission Export

Affected Software: Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress
CVE ID: CVE-2023-38393
CVSS Score: 4.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d7befdf6-07d7-42c9-876a-abb8f8f9c3df


Google Map Shortcode <= 3.1.2 - Cross-Site Request Forgery to Plugin Setting Update

Affected Software: Google Map Shortcode
CVE ID: CVE-2023-38396
CVSS Score: 4.3 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e3f05af5-35f5-4813-b8a3-bb90709af677


Update Theme and Plugins from Zip File <= 2.0.0 - Cross-Site Request Forgery

Affected Software: Update Theme and Plugins from Zip File
CVE ID: CVE-2023-25489
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e59293a6-cc61-4913-9ed0-13fa16299705


Woocommerce Blocker Lite <= 2.1.4.1 - Cross-Site Request Forgery

Affected Software: Fraud Prevention For Woocommerce
CVE ID: CVE-2023-39159
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f4f84b2a-2674-42a1-9db1-d9c1f3db2376


Local Development <= 2.8.2 - Cross-Site Request Forgery to Settings Update

Affected Software: Local Development
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f962a3ef-205d-42e2-acf1-45eabfdba3ee


WPS Limit Login <= 1.5.6 - Race Condition

Affected Software: WPS Limit Login
CVE ID: CVE-2023-39160
CVSS Score: 3.7 (Low)
Researcher/s: konagash
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/298b31e4-739e-424e-918f-77092148a6bb


Video Conferencing with Zoom <= 4.2.1 - Sensitive Information Exposure

Affected Software: Video Conferencing with Zoom
CVE ID: CVE-2023-3947
CVSS Score: 3.7 (Low)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ba2515d9-ced0-4b49-87c4-04c8391c2608


As a reminder, Wordfence has curated an industry-leading vulnerability database of all known WordPress core, theme, and plugin vulnerabilities, known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence's highly credentialed and experienced vulnerability researchers through in-house vulnerability research, through vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring various sources to capture all publicly available WordPress vulnerability information, adding additional context where we can.


The post Wordfence Intelligence Weekly WordPress Vulnerability Report (July 24, 2023 to July 30, 2023) appeared first on Wordfence.