Wordfence Intelligence Weekly WordPress Vulnerability Report (July 3, 2023 to July 9, 2023)

Published: 2023-07-13 16:59:37
Author: Chloe Chamberland
Source: www.wordfence.com

CVSS3: 9.9 High
Attack Vector: NETWORK | Attack Complexity: LOW | Privileges Required: LOW | User Interaction: NONE | Scope: CHANGED | Confidentiality Impact: HIGH | Integrity Impact: HIGH | Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CVSS2: 6.8 Medium
Access Vector: NETWORK | Access Complexity: MEDIUM | Authentication: NONE | Confidentiality Impact: PARTIAL | Integrity Impact: PARTIAL | Availability Impact: PARTIAL
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

EPSS: 0.006 Low (Percentile: 75.6%)

Last week, 61 vulnerabilities disclosed in 54 WordPress plugins and 1 WordPress theme were added to the Wordfence Intelligence Vulnerability Database, and 28 vulnerability researchers contributed to WordPress security. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, including the WordPress community, so that individuals and organizations alike can use that data to make the internet more secure. That is why the Wordfence Intelligence user interface and vulnerability API are completely free to access and use, both personally and commercially, and why we publish this weekly vulnerability report.

Click here to sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.


New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real time to our Premium, Care, and Response customers last week:

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30-day delay.


Total Unpatched & Patched Vulnerabilities Last Week

| Patch Status | Number of Vulnerabilities |
| --- | --- |
| Unpatched | 29 |
| Patched | 32 |

Total Vulnerabilities by CVSS Severity Last Week

| Severity Rating | Number of Vulnerabilities |
| --- | --- |
| Low Severity | 0 |
| Medium Severity | 49 |
| High Severity | 8 |
| Critical Severity | 4 |

Total Vulnerabilities by CWE Type Last Week

| Vulnerability Type by CWE | Number of Vulnerabilities |
| --- | --- |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 24 |
| Cross-Site Request Forgery (CSRF) | 14 |
| Missing Authorization | 14 |
| Authorization Bypass Through User-Controlled Key | 4 |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 2 |
| Information Exposure | 1 |
| Uncontrolled Resource Consumption ('Resource Exhaustion') | 1 |
| Unrestricted Upload of File with Dangerous Type | 1 |

Researchers That Contributed to WordPress Security Last Week

| Researcher Name | Number of Vulnerabilities |
| --- | --- |
| Alex Thomas (Wordfence Vulnerability Researcher) | 9 |
| LEE SE HYOUNG | 6 |
| Abdi Pranata | 6 |
| Lana Codes (Wordfence Vulnerability Researcher) | 3 |
| Rafie Muhammad | 3 |
| yuyudhn | 3 |
| Rio Darmawan | 2 |
| Muhammad Daffa | 2 |
| Elliot | 1 |
| Rafael B. | 1 |
| Bob Matyas | 1 |
| Kijam López | 1 |
| easyBug | 1 |
| Alex Sanford | 1 |
| Dipak Panchal | 1 |
| Yassir Sbai Fahim | 1 |
| Rafi Priatna Kasbiantoro | 1 |
| Pavitra Tiwari | 1 |
| Nguyen Anh Tien | 1 |
| Nithissh S | 1 |
| Friday | 1 |
| Dave Jong | 1 |
| PetiteMais | 1 |
| Yuki Haruma | 1 |
| Le Ngoc Anh | 1 |
| thiennv | 1 |
| TaeEun Lee | 1 |
| Paolo Elia | 1 |

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added to the Wordfence Intelligence leaderboard, along with being mentioned in our weekly vulnerability report.


WordPress Plugins with Reported Vulnerabilities Last Week

| Software Name | Software Slug |
| --- | --- |
| ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup | armember-membership |
| All-in-one Floating Contact Form, Call, Chat, and 50+ Social Icon Tabs – My Sticky Elements | mystickyelements |
| Animated Number Counters | animated-number-counters |
| Auto Location for WP Job Manager via Google | auto-location-for-wp-job-manager |
| BadgeOS | badgeos |
| Baidu Tongji generator | baidu-tongji-generator |
| Booking Package | booking-package |
| Bulk edit image alt tag, caption & description – WordPress Media Library Helper by Codexin | media-library-helper |
| Classified Listing – Classified ads & Business Directory Plugin | classified-listing |
| Coming Soon Page – Responsive Coming Soon & Maintenance Mode | responsive-coming-soon-page |
| Cryptocurrency Widgets – Price Ticker & Coins List | cryptocurrency-price-ticker-widget |
| FluentSMTP – WP Mail SMTP, Amazon SES, SendGrid, MailGun and Any SMTP Connector Plugin | fluent-smtp |
| Getnet Argentina para Woocommerce | integrar-getnet-con-woo |
| Gift Cards (Gift Vouchers and Packages) (WooCommerce Supported) | gift-voucher |
| HT Mega – Absolute Addons For Elementor | ht-mega-for-elementor |
| Header Footer Code Manager | header-footer-code-manager |
| Image Regenerate & Select Crop | image-regenerate-select-crop |
| Image Social Feed Plugin | add-instagram |
| Kingkong Board | kingkong-board |
| LMS by Masteriyo – WordPress Learning Management System, eLearning Platform, Online Education System & Online Course Builder | learning-management-system |
| LearnPress – WordPress LMS Plugin | learnpress |
| Livestream Notice | livestream-notice |
| Menubar | menubar |
| Mobile Call Now & Map Buttons | mobile-call-now-map-buttons |
| Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress | ninja-forms |
| Product Category Tree | product-category-tree |
| Querlo Chatbot | querlo-chatbots |
| RSVPMaker | rsvpmaker |
| Reservation.Studio widget | reservation-studio-widget |
| SMTP Mail | smtp-mail |
| Secondary Title | secondary-title |
| ShopLentor – WooCommerce Builder for Elementor & Gutenberg +10 Modules – All in One Solution (formerly WooLentor) | woolentor-addons |
| Simple Giveaways – Grow your business, email lists and traffic with contests | giveasap |
| Simple Light Weight Social Share (Tweet, Like, Share and Linkedin) | only-tweet-like-share-and-google-1 |
| Simple Site Verify | simple-site-verify |
| Social Share Boost | social-share-boost |
| SrbTransLatin – Serbian Latinisation | srbtranslatin |
| Sublanguage | sublanguage |
| User Registration – Custom Registration Form, Login Form And User Profile For WordPress | user-registration |
| Video Gallery – YouTube Playlist, Channel Gallery by YotuWP | yotuwp-easy-youtube-embed |
| Visibility Logic for Elementor | visibility-logic-elementor |
| Visual Website Collaboration, Feedback & Project Management – Atarim | atarim-visual-collaboration |
| WP Content Copy Protection & No Right Click | wp-content-copy-protector |
| WP Dummy Content Generator | wp-dummy-content-generator |
| WP Full Stripe Free | wp-full-stripe-free |
| WP Mail Log | wp-mail-log |
| WP RSS Images | wp-rss-images |
| WP Reroute Email | wp-reroute-email |
| WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc | wp-sms |
| WP-Cirrus | wp-cirrus |
| WP-Optimize – Cache, Clean, Compress. | wp-optimize |
| WordPress Mobile Pack – Mobile Plugin for Progressive Web Apps & Hybrid Mobile Apps | wordpress-mobile-pack |
| oAuth Twitter Feed for Developers | oauth-twitter-feed-for-developers |
| wpForo Forum | wpforo |

WordPress Themes with Reported Vulnerabilities Last Week

| Software Name | Software Slug |
| --- | --- |
| WPLMS Learning Management System for WordPress, WordPress LMS | wplms |

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities.

User Registration <= 3.0.2 - Authenticated (Subscriber+) Arbitrary File Upload

Affected Software: User Registration – Custom Registration Form, Login Form And User Profile For WordPress
CVE ID: CVE-2023-3342
CVSS Score: 9.9 (Critical)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a979e885-f7dd-4616-a881-64f3d97c309d>


HT Mega – Absolute Addons for Elementor <= 2.2.0 - Missing Authorization to Privilege Escalation

Affected Software: HT Mega – Absolute Addons For Elementor
CVE ID: CVE Unknown
CVSS Score: 9.8 (Critical)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/46f3cc62-c2d8-45af-bb92-c2040789cbc0>


Booking Package <= 1.5.98 - Authorization Bypass to Arbitrary Password Reset

Affected Software: Booking Package
CVE ID: CVE-2023-37389
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/65166432-a877-4070-94c1-cdaf7e5d7586>


Atarim - Client Interface <= 3.9.1 - Missing Authorization via AJAX actions

Affected Software: Visual Website Collaboration, Feedback & Project Management – Atarim
CVE ID: CVE Unknown
CVSS Score: 9.1 (Critical)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/15f3a6e1-6126-4825-b2b1-e40dc5694f43>


Getnet Argentina para Woocommerce 0.0.1 - 0.0.4 - Authorization Bypass via webhook

Affected Software: Getnet Argentina para Woocommerce
CVE ID: CVE-2023-3525
CVSS Score: 7.5 (High)
Researcher/s: Kijam López
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/245e9117-ca63-458e-a094-60a759f5ec19>


LearnPress <= 4.2.3 - Missing Authorization to Information Exposure

Affected Software: LearnPress – WordPress LMS Plugin
CVE ID: CVE-2023-36515
CVSS Score: 7.3 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ea136a60-aa42-4577-88b6-a49c79098954>


WP Reroute Email <= 1.4.9 - Unauthenticated Stored Cross-Site Scripting via Email Subject

Affected Software: WP Reroute Email
CVE ID: CVE-2023-3168
CVSS Score: 7.2 (High)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/4a0e962b-b6a0-4179-91d0-5ede508a9895>


RSVPMaker <= 10.5.4 - Authenticated (Administrator+) SQL Injection via 'resend'

Affected Software: RSVPMaker
CVE ID: CVE-2023-29095
CVSS Score: 7.2 (High)
Researcher/s: Rafi Priatna Kasbiantoro
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6709f9b0-0915-4361-9fb0-1f2696e26c2f>


WP Mail Log <= 1.1.1 - Unauthenticated Stored Cross-Site Scripting via Email

Affected Software: WP Mail Log
CVE ID: CVE-2023-3088
CVSS Score: 7.2 (High)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/86ee1acb-6f0c-40e6-80a0-fc93b61c1602>


SMTP Mail <= 1.2.16 - Unauthenticated Stored Cross-Site Scripting via Email Subject

Affected Software: SMTP Mail
CVE ID: CVE-2023-3092
CVSS Score: 7.2 (High)
Researcher/s: Alex Thomas
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/8ae734d1-0cd4-4ff5-8448-828b0fb64f70>


Coming Soon <= 1.5.8 - Authenticated (Administrator+) SQL Injection

Affected Software: Coming Soon Page – Responsive Coming Soon & Maintenance Mode
CVE ID: CVE-2022-46849
CVSS Score: 7.2 (High)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/9a371489-031e-483e-9fde-3901b55710c6>


FluentSMTP <= 2.2.4 - Unauthenticated Stored Cross-Site Scripting via Email Subject

Affected Software: FluentSMTP – WP Mail SMTP, Amazon SES, SendGrid, MailGun and Any SMTP Connector Plugin
CVE ID: CVE-2023-3087
CVSS Score: 7.2 (High)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/fa47a794-e5ce-491d-a10b-c7c5718aa853>


ARMember <= 4.0.5 - Cross-Site Request Forgery

Affected Software: ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup
CVE ID: CVE-2023-3011
CVSS Score: 6.5 (Medium)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/42f5f29b-2d83-4b15-82aa-0598f8a2317b>


Masteriyo - LMS for WordPress <= 1.6.7 - Sensitive Information Exposure

Affected Software: LMS by Masteriyo – WordPress Learning Management System, eLearning Platform, Online Education System & Online Course Builder
CVE ID: CVE-2023-3345
CVSS Score: 6.5 (Medium)
Researcher/s: Yassir Sbai Fahim
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5e8933b8-1e09-4cd7-8206-711cc0716dba>


Simple Giveaways <= 2.46.0 - Missing Authorization

Affected Software: Simple Giveaways – Grow your business, email lists and traffic with contests
CVE ID: CVE-2023-23893
CVSS Score: 6.5 (Medium)
Researcher/s: Nguyen Anh Tien
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/721f8943-5d59-41ee-935e-999dff2e590d>


BadgeOS <= 3.7.1.6 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Post Deletion

Affected Software: BadgeOS
CVE ID: CVE-2023-2173
CVSS Score: 6.5 (Medium)
Researcher/s: Alex Thomas
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ebb9e37c-9e8b-429b-b4ef-cd875351852c>


Querlo Chatbot <= 1.2.4 - Authenticated (Subscriber+) Stored Cross-Site Scripting

Affected Software: Querlo Chatbot
CVE ID: CVE-2023-3418
CVSS Score: 6.4 (Medium)
Researcher/s: Rafael B.
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/157ea849-7947-4d0d-9ecf-7705f9039c8d>


Secondary Title <= 2.0.9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Secondary Title
CVE ID: CVE-2023-28773
CVSS Score: 6.4 (Medium)
Researcher/s: TaeEun Lee
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f5ab7d3e-b0c8-4e30-942b-23d91daff2ac>


WPLMS < 4.900 - Cross-Site Request Forgery

Affected Software: WPLMS Learning Management System for WordPress, WordPress LMS
CVE ID: CVE-2023-36690
CVSS Score: 6.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/9071acdf-8d40-4e8b-8d1f-be2cabf3d66e>


Kingkong Board <= 2.1.0.2 - Missing Authorization

Affected Software: Kingkong Board
CVE ID: CVE-2023-36694
CVSS Score: 6.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d7b33199-d254-4d0c-88d0-ad2f7515d747>


wpForo Forum <= 2.1.8 - Reflected Cross-Site Scripting via 'wpforo_debug'

Affected Software: wpForo Forum
CVE ID: CVE-2023-2309
CVSS Score: 6.1 (Medium)
Researcher/s: Alex Sanford
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/35b6a26a-d7c1-4538-87f3-fcb1095797a3>


WP-Optimize <= 3.2.12 & SrbTransLatin <= 2.4 - Stored/Reflected Cross-Site Scripting via Third Party Library

Affected Software/s: SrbTransLatin – Serbian Latinisation, WP-Optimize – Cache, Clean, Compress.
CVE ID: CVE-2023-1119
CVSS Score: 6.1 (Medium)
Researcher/s: Paolo Elia
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/fdb822e8-583e-4437-a735-b116aa8886e2>


Animated Number Counters <= 1.6 - Authenticated (Editor+) Stored Cross-Site Scripting

Affected Software: Animated Number Counters
CVE ID: CVE-2023-24393
CVSS Score: 5.5 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e87ea6b5-4288-4ebb-8a29-e0a179e6b584>


WordPress Mobile Pack <= 3.4.1 - Cross-Site Request Forgery

Affected Software: WordPress Mobile Pack – Mobile Plugin for Progressive Web Apps & Hybrid Mobile Apps
CVE ID: CVE-2023-37391
CVSS Score: 5.4 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/1f545c20-5be1-42bc-9268-640590ee4bf2>


LearnPress <= 4.2.3 - Missing Authorization

Affected Software: LearnPress – WordPress LMS Plugin
CVE ID: CVE Unknown
CVSS Score: 5.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/389277fd-e47e-42df-9305-61ceedbcfb29>


Sublanguage <= 2.9 - Missing Authorization

Affected Software: Sublanguage
CVE ID: CVE-2023-36695
CVSS Score: 5.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/50726c57-8d42-4143-9e75-d30513d8d0e2>


Header Footer Code Manager <= 1.1.34 - Cross-Site Request Forgery via process_bulk_action

Affected Software: Header Footer Code Manager
CVE ID: CVE Unknown
CVSS Score: 5.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/60493635-b1b0-4e76-8f73-16c223d7b4d7>


BadgeOS <= 3.7.1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: BadgeOS
CVE ID: CVE-2023-2171
CVSS Score: 5.4 (Medium)
Researcher/s: Alex Thomas
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/74a280e1-e4b6-4bd9-882b-d9f185332d61>


Menubar <= 5.8.2 - Cross-Site Request Forgery in wpm-admin.php

Affected Software: Menubar
CVE ID: CVE-2023-36687
CVSS Score: 5.4 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/be10894d-2a86-4f07-8119-e6eac8c9c950>


Image Regenerate & Select Crop <= 7.1.0 - Missing Authorization

Affected Software: Image Regenerate & Select Crop
CVE ID: CVE-2023-36680
CVSS Score: 5.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/cb7335c0-b6ed-43bb-91b7-870093d14cb8>


LearnPress <= 4.2.3 - Missing Authorization

Affected Software: LearnPress – WordPress LMS Plugin
CVE ID: CVE-2023-36516
CVSS Score: 5.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e91e864a-20f6-48a2-ab9f-d20836207383>


Product Category Tree <= 2.5 - Missing Authorization

Affected Software: Product Category Tree
CVE ID: CVE-2023-29173
CVSS Score: 5.3 (Medium)
Researcher/s: Friday
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/88840d66-1644-4af0-b811-41f0e9fe2c0c>


Ninja Forms <= 3.6.25 - Denial of Service via Large Form Submissions

Affected Software: Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress
CVE ID: CVE-2023-35909
CVSS Score: 5.3 (Medium)
Researcher/s: PetiteMais
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/952a3e52-4e23-4bc4-92d3-e15ae2f3d28b>


Cryptocurrency Widgets – Price Ticker & Coins List <= 2.6.2 - Missing Authorization

Affected Software: Cryptocurrency Widgets – Price Ticker & Coins List
CVE ID: CVE-2023-36681
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/dec2855c-71a8-46b2-819a-d85cd11a1a24>


WP Dummy Content Generator <= 2.3.0 - Missing Authorization

Affected Software: WP Dummy Content Generator
CVE ID: CVE-2023-37394
CVSS Score: 5.3 (Medium)
Researcher/s: thiennv
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f4dad030-41e4-4d67-8650-8d268c44d352>


Auto Location for WP Job Manager via Google <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Auto Location for WP Job Manager via Google
CVE ID: CVE-2023-3344
CVSS Score: 4.4 (Medium)
Researcher/s: Bob Matyas
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/19a70aa0-7075-4922-8feb-25b7fbe9da42>


WP Full Stripe Free <= 1.6.1 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: WP Full Stripe Free
CVE ID: CVE-2023-28934
CVSS Score: 4.4 (Medium)
Researcher/s: easyBug
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/2afbc0a4-32ad-4fc4-9b10-5c06784f72f3>


Social Share Boost <= 4.4 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Social Share Boost
CVE ID: CVE-2023-25044
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/41d09e93-8503-41e8-85d3-8550dc8f85bd>


WP-Cirrus <= 0.6.11 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: WP-Cirrus
CVE ID: CVE-2023-36692
CVSS Score: 4.4 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/4cab3c9c-39c6-4279-9573-858b0592c3fa>


All-in-one Floating Contact Form <= 2.1.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

Affected Software: All-in-one Floating Contact Form, Call, Chat, and 50+ Social Icon Tabs – My Sticky Elements
CVE ID: CVE-2023-3248
CVSS Score: 4.4 (Medium)
Researcher/s: Dipak Panchal
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/52538617-a1d1-40ed-8321-e39d06869398>


Livestream Notice <= 1.2.0 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Livestream Notice
CVE ID: CVE-2023-27621
CVSS Score: 4.4 (Medium)
Researcher/s: Pavitra Tiwari
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/69d957d3-a0d5-44ec-a9b0-8c9b41175379>


Reservation.Studio widget <= 1.0.9 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Reservation.Studio widget
CVE ID: CVE-2023-24397
CVSS Score: 4.4 (Medium)
Researcher/s: Nithissh S
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7caa4c73-cf57-4f99-8bc6-6fd02308a58f>


Video Gallery <= 1.3.12 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Video Gallery – YouTube Playlist, Channel Gallery by YotuWP
CVE ID: CVE-2023-25477
CVSS Score: 4.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/93b5bc57-3bfa-4477-a9d4-f0563008cf94>


WP Content Copy Protection & No Right Click <= 3.5.5 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: WP Content Copy Protection & No Right Click
CVE ID: CVE-2023-36678
CVSS Score: 4.4 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/9589d44b-55c3-45b4-84bb-c86143de3f95>


Simple Light Weight Social Share (Tweet, Like, Share and Linkedin) <= 2.0 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Simple Light Weight Social Share (Tweet, Like, Share and Linkedin)
CVE ID: CVE-2023-37388
CVSS Score: 4.4 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/98780ecc-fb45-4392-955d-ddecf9f7fca1>


Mobile Call Now & Map Buttons <= 1.5.0 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Mobile Call Now & Map Buttons
CVE ID: CVE-2023-24401
CVSS Score: 4.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a10ee756-1b71-4232-817c-1ba6ead7f0f0>


Simple Site Verify <= 1.0.7 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Simple Site Verify
CVE ID: CVE-2023-36688
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b1ea7e04-d3b3-43fa-be9a-a2d5ac3e34c3>


Image Social Feed Plugin <= 1.7.6 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Image Social Feed Plugin
CVE ID: CVE-2023-24412
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/bcaa19b0-2d55-4a0c-98e7-9a38488dd922>


oAuth Twitter Feed for Developers <= 2.3.0 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: oAuth Twitter Feed for Developers
CVE ID: CVE-2023-25042
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/fa3819b1-8e7c-4e97-bac5-96d73d935845>


Gift Cards (Gift Vouchers and Packages) <= 4.3.5 - Cross-Site Request Forgery in new_voucher_template.php

Affected Software: Gift Cards (Gift Vouchers and Packages) (WooCommerce Supported)
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/0007d830-2e68-4c2f-8fac-f4363bc2d73d>


WP Dummy Content Generator <= 2.3.0 - Cross-Site Request Forgery

Affected Software: WP Dummy Content Generator
CVE ID: CVE-2023-37392
CVSS Score: 4.3 (Medium)
Researcher/s: Elliot
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/0576737d-8330-4a80-af70-4f0eab6657ed>


Classified Listing <= 2.4.5 - Cross-Site Request Forgery via rtcl_ajax_thumbnail_delete

Affected Software: Classified Listing – Classified ads & Business Directory Plugin
CVE ID: CVE-2023-37387
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/2352dce7-5302-4892-9ae2-bf814f029af4>


WooLentor <= 2.6.2 - Cross-Site Request Forgery via process_data

Affected Software: ShopLentor – WooCommerce Builder for Elementor & Gutenberg +10 Modules – All in One Solution (formerly WooLentor)
CVE ID: CVE-2022-47172
CVSS Score: 4.3 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5c068079-0857-4116-8edb-1bc2fea3c6b7>


BadgeOS <= 3.7.1.6 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Post Title Overwrite

Affected Software: BadgeOS
CVE ID: CVE-2023-2172
CVSS Score: 4.3 (Medium)
Researcher/s: Alex Thomas
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5dae8e82-e252-48d9-ae1f-62acfcd17e2b>


BadgeOS <= 3.7.1.6 - Missing Authorization in delete_badgeos_log_entries

Affected Software: BadgeOS
CVE ID: CVE-2023-2174
CVSS Score: 4.3 (Medium)
Researcher/s: Alex Thomas
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/64e0adbc-c524-4f9d-9741-ce69edf888f7>


Visibility Logic for Elementor <= 2.3.4 - Missing Authorization via admin_post 'toggle_option'

Affected Software: Visibility Logic for Elementor
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/72c04de6-78d2-4a45-834a-01ed879b528f>


WP SMS <= 6.1.5 - Cross-Site Request Forgery

Affected Software: WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/747afa58-182a-4fb3-bfe3-f15db0b1d85a>


Baidu Tongji generator <= 1.0.2 - Cross-Site Request Forgery

Affected Software: Baidu Tongji generator
CVE ID: CVE-2023-31230
CVSS Score: 4.3 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/8438ea46-9ac1-4ef5-a436-e438c35a4321>


WP RSS Images <= 1.1 - Cross-Site Request Forgery

Affected Software: WP RSS Images
CVE ID: CVE-2023-36693
CVSS Score: 4.3 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/adb70798-2ef9-4384-bcca-8862afa044ed>


Visibility Logic for Elementor <= 2.3.4 - Cross-Site Request Forgery via toggle_option

Affected Software: Visibility Logic for Elementor
CVE ID: CVE-2022-47169
CVSS Score: 4.3 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/bb8aca3a-e4f7-41d6-9ea9-d189817c2c04>


Media Library Helper by Codexin <= 1.2.0 - Cross-Site Request Forgery via rate_the_plugin_action

Affected Software: Bulk edit image alt tag, caption & description – WordPress Media Library Helper by Codexin
CVE ID: CVE-2023-37386
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/dc2356b2-e153-4e80-bfac-c25c15cdc259>


As a reminder, Wordfence has curated an industry-leading vulnerability database, known as Wordfence Intelligence, covering all known WordPress core, theme, and plugin vulnerabilities.

This database is continuously updated, maintained, and populated by Wordfence's highly credentialed and experienced vulnerability researchers through in-house vulnerability research, through submissions made directly to us by vulnerability researchers using our CVE Request form, and by monitoring a variety of sources to capture all publicly available WordPress vulnerability information, adding additional context where we can.

Click here to sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (July 3, 2023 to July 9, 2023) appeared first on Wordfence.
