Source: wordfence
Author: Chloe Chamberland
ID: WORDFENCE:C9F3B985B14F9658F8BFC9D1BD8EE17C
Published: Sep 28, 2023 - 1:18 p.m.

Wordfence Intelligence Weekly WordPress Vulnerability Report (September 18, 2023 to September 24, 2023)


EPSS: 0.001 (Low), Percentile: 39.9%

Last week, there were 42 vulnerabilities disclosed in 37 WordPress Plugins and no WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 10 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API and webhook integration are completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Individuals and Enterprises can use the vulnerability Database API to receive a complete dump of our database of over 11,800 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

_Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published._


New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.


Total Unpatched & Patched Vulnerabilities Last Week

| Patch Status | Number of Vulnerabilities |
| --- | --- |
| Unpatched | 5 |
| Patched | 37 |

Total Vulnerabilities by CVSS Severity Last Week

| Severity Rating | Number of Vulnerabilities |
| --- | --- |
| Low Severity | 0 |
| Medium Severity | 37 |
| High Severity | 5 |
| Critical Severity | 0 |

Total Vulnerabilities by CWE Type Last Week

| Vulnerability Type by CWE | Number of Vulnerabilities |
| --- | --- |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 21 |
| Cross-Site Request Forgery (CSRF) | 8 |
| Missing Authorization | 6 |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 2 |
| Improper Neutralization of Formula Elements in a CSV File | 1 |
| Information Exposure | 1 |
| Deserialization of Untrusted Data | 1 |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | 1 |
| Authorization Bypass Through User-Controlled Key | 1 |

Researchers That Contributed to WordPress Security Last Week

| Researcher Name | Number of Vulnerabilities |
| --- | --- |
| Lana Codes (Wordfence Vulnerability Researcher) | 11 |
| Marco Wotschka (Wordfence Vulnerability Researcher) | 3 |
| Ivan Kuzymchak (Wordfence Vulnerability Researcher) | 3 |
| Do Xuan Trung | 1 |
| Skalucy | 1 |
| Zeyad Alshahrani | 1 |
| Etharus | 1 |
| JackYu | 1 |
| Malek Althubiany | 1 |
| Nguyen Xuan Chien | 1 |

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.


WordPress Plugins with Reported Vulnerabilities Last Week

| Software Name | Software Slug |
| --- | --- |
| Ad Inserter – Ad Manager & AdSense Ads | ad-inserter |
| Anchor Episodes Index (Spotify for Podcasters) | anchor-episodes-index |
| Astra Bulk Edit | astra-bulk-edit |
| Brands for WooCommerce | brands-for-woocommerce |
| Chat Button: WhatsApp, Facebook Messenger Chat, Telegram Chat, WeChat, Line Chat, Discord Chat for Customer Support Chat with floating Chat Widget | bit-assist |
| Checkfront Online Booking System | checkfront-wp-booking |
| Comment Blacklist Updater | comment-blacklist-updater |
| Comments – wpDiscuz | wpdiscuz |
| Connect Matomo (WP-Matomo, WP-Piwik) | wp-piwik |
| Contact Form by FormGet – Best Form Builder Plugin for WordPress | formget-contact-form |
| Copy Anything to Clipboard | copy-the-code |
| DoFollow Case by Case | dofollow-case-by-case |
| Drag and Drop Multiple File Upload for WooCommerce | drag-and-drop-multiple-file-upload-for-woocommerce |
| Easy Registration Forms | easy-registration-forms |
| Inactive Logout | inactive-logout |
| Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free | funnelforms-free |
| Leaflet Map | leaflet-map |
| Legal Pages – Privacy Policy, Terms & Conditions, GDPR, CCPA, and Cookie Notice Generator | legal-pages |
| Media Library Assistant | media-library-assistant |
| Memberlite Shortcodes | memberlite-shortcodes |
| Migration, Backup, Staging – WPvivid | wpvivid-backuprestore |
| Payment gateway per Product for WooCommerce | woocommerce-product-payments |
| Pop ups, WordPress Exit Intent Popup, Email Pop Up, Lightbox Pop Up, Spin the Wheel, Contact Form Builder – Poptin | poptin |
| Pre-Publish Checklist | pre-publish-checklist |
| School Management System – WPSchoolPress | wpschoolpress |
| Simple Cloudflare Turnstile – CAPTCHA Alternative | simple-cloudflare-turnstile |
| Statify – Extended Evaluation | extended-evaluation-for-statify |
| Super Store Finder | superstorefinder-wp |
| Table of Contents Plus | table-of-contents-plus |
| WP Discord Invite | wp-discord-invite |
| WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce | wp-event-manager |
| WP Mailto Links – Protect Email Addresses | wp-mailto-links |
| Weaver Xtreme Theme Support | weaverx-theme-support |
| Website Builder by SeedProd — Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode | coming-soon |
| Widget Responsive for Youtube | youtube-widget-responsive |
| WordPress Charts | wp-charts |
| iPanorama 360 – WordPress Virtual Tour Builder | ipanorama-360-virtual-tour-builder-lite |

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you'd like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

wpDiscuz <= 7.6.5 - Unauthenticated SQL Injection

Affected Software: Comments – wpDiscuz
CVE ID: CVE Unknown
CVSS Score: 8.8 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/9dd1e52c-83b7-4b3e-a791-a2c0ccd856bc>


Migration, Backup, Staging – WPvivid <= 0.9.89 - Authenticated (Administrator+) Arbitrary Directory Deletion via Path Traversal

Affected Software: Migration, Backup, Staging – WPvivid
CVE ID: CVE-2023-4274
CVSS Score: 8.7 (High)
Researcher/s: Ivan Kuzymchak
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5d94f38f-4b52-4b0d-800c-a6fca40bda3c>


iPanorama 360 – WordPress Virtual Tour Builder <= 1.7.3 - Authenticated (Admin+) SQL injection

Affected Software: iPanorama 360 – WordPress Virtual Tour Builder
CVE ID: CVE Unknown
CVSS Score: 7.2 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/00687370-8374-44cc-8fd1-53b462acd061>


Weaver Xtreme Theme Support <= 6.3.0 - Authenticated (Administrator+) PHP Object Injection via Imported File

Affected Software: Weaver Xtreme Theme Support
CVE ID: CVE-2023-4971
CVSS Score: 7.2 (High)
Researcher/s: Do Xuan Trung
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/572689c6-d7d6-46c3-9e96-b9185337e8ce>


Drag and Drop Multiple File Upload for WooCommerce <= 1.1.0 - Unauthenticated Stored Cross-Site Scripting

Affected Software: Drag and Drop Multiple File Upload for WooCommerce
CVE ID: CVE-2023-4821
CVSS Score: 7.2 (High)
Researcher/s: Zeyad Alshahrani
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/abc8ee11-c149-4a2b-a388-7bd234c2cc64>


Funnelforms Free <= 3.3.9 - Unauthenticated Stored Cross-Site Scripting

Affected Software: Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free
CVE ID: CVE-2023-4950
CVSS Score: 6.5 (Medium)
Researcher/s: Malek Althubiany
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ebcbf872-1420-4a57-a4b4-8a52ba74e0a1>


WordPress Charts <= 0.7.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: WordPress Charts
CVE ID: CVE-2023-5062
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/2de2d2c5-1373-45b6-93a0-575713226669>


Leaflet Map <= 3.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Leaflet Map
CVE ID: CVE-2023-5050
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/3084c9ab-00aa-4b8e-aa46-bd70b335ec77>


Widget Responsive for Youtube <= 1.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Widget Responsive for Youtube
CVE ID: CVE-2023-5063
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/72daa533-8b17-420c-9b51-b5f72da2726c>


Poptin <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Pop ups, WordPress Exit Intent Popup, Email Pop Up, Lightbox Pop Up, Spin the Wheel, Contact Form Builder – Poptin
CVE ID: CVE-2023-4961
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/778af777-4c98-45cd-9704-1bdc96054aa7>


Simple Cloudflare Turnstile <= 1.23.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Simple Cloudflare Turnstile – CAPTCHA Alternative
CVE ID: CVE-2023-5135
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/91f6c9d3-641d-42f7-bf11-e3c3a44eeb76>


Memberlite Shortcodes <= 1.3.8 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Memberlite Shortcodes
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/935054c3-8541-4ff3-a035-7ee8afe53f72>


Anchor Episodes Index (Spotify for Podcasters) <= 2.1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Anchor Episodes Index (Spotify for Podcasters)
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/96defcb7-6af1-4fb8-9fa0-231c6776bbc1>


Media Library Assistant <= 3.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Media Library Assistant
CVE ID: CVE-2023-4716
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c5f6ae5d-7854-44c7-9fb8-efaa6e850d59>


Copy Anything to Clipboard <= 2.6.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Copy Anything to Clipboard
CVE ID: CVE-2023-5086
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e834a211-ccc8-4a30-a15d-879ba34184e9>


WP Mailto Links – Protect Email Addresses <= 3.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: WP Mailto Links – Protect Email Addresses
CVE ID: CVE-2023-5109
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ec882062-0059-47ca-a007-3347e7adb70b>


WP-Matomo Integration (WP-Piwik) <= 1.0.28 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Connect Matomo (WP-Matomo, WP-Piwik)
CVE ID: CVE-2023-4774
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/faa4f041-4740-4ebb-afb3-10019ce571be>


Contact Form by FormGet <= 5.5.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Contact Form by FormGet – Best Form Builder Plugin for WordPress
CVE ID: CVE-2023-5125
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/fdd73289-f292-4903-951e-6a89049d39a7>


WPSchoolPress <= 2.2.4 - Cross-Site Request Forgery

Affected Software: School Management System – WPSchoolPress
CVE ID: CVE Unknown
CVSS Score: 6.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/1a2fb050-1a7c-45cc-86c7-02331d47f780>


Payment gateway per Product for WooCommerce <= 3.2.7 - Reflected Cross-Site Scripting

Affected Software: Payment gateway per Product for WooCommerce
CVE ID: CVE Unknown
CVSS Score: 6.1 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/597786ce-58eb-4e96-a80e-bad3e75787fa>


WP Discord Invite <= 2.4.1 - Reflected Cross-Site Scripting via webhook

Affected Software: WP Discord Invite
CVE ID: CVE Unknown
CVSS Score: 6.1 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a961d30e-f2cb-458d-8f1a-18f6e769efbc>


Super Store Finder <= 6.9.2 - Unauthenticated Email Creation/Sending

Affected Software: Super Store Finder
CVE ID: CVE-2023-5054
CVSS Score: 5.8 (Medium)
Researcher/s: Etharus
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d31d0553-9378-4c7e-a258-12562aa6b388>


Statify – Extended Evaluation <= 2.6.3 - Authenticated (Admin+) CSV Injection

Affected Software: Statify – Extended Evaluation
CVE ID: CVE Unknown
CVSS Score: 5.5 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/35027df9-ae55-453f-bb42-4b2664d66293>


Comment Blacklist Updater <= 1.1.0 - Cross-Site Request Forgery via update_blacklist_manual

Affected Software: Comment Blacklist Updater
CVE ID: CVE Unknown
CVSS Score: 5.4 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/fc7bab78-4ebb-4be9-8891-1ac0e3ed0af3>


Ad Inserter <= 2.7.30 - Unauthenticated Sensitive Information Exposure via ai_ajax

Affected Software: Ad Inserter – Ad Manager & AdSense Ads
CVE ID: CVE-2023-4645
CVSS Score: 5.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/57b3eef3-e165-45ac-89d7-2a2a6529b310>


Pre-Publish Checklist <= 1.1.1 - Insecure Direct Object Reference to Arbitrary Post '_ppc_meta_key' Update

Affected Software: Pre-Publish Checklist
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/8e00a06c-9623-48e0-b212-20a2f1e7e640>


Inactive Logout <= 3.2.2 - Missing Authorization

Affected Software: Inactive Logout
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c583ef34-ddec-4d6c-9685-ef4bce5e785e>


Ad Inserter <= 2.7.30 - Unauthenticated Sensitive Information Exposure via ai-debug-processing-fe

Affected Software: Ad Inserter – Ad Manager & AdSense Ads
CVE ID: CVE-2023-4668
CVSS Score: 5.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ce457c98-c55b-4b71-a80b-393eceb9effd>


Table of Contents Plus <= 2302 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Table of Contents Plus
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/05206a31-033e-49b9-9b66-5a6165782643>


Migration, Backup, Staging – WPvivid <= 0.9.89 - Authenticated Stored Cross-Site Scripting

Affected Software: Migration, Backup, Staging – WPvivid
CVE ID: CVE-2023-5120
CVSS Score: 4.4 (Medium)
Researcher/s: Ivan Kuzymchak
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/320f4260-20c2-4f27-91ba-d2488b417f62>


Bit Assist <= 1.1.9 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Chat Button: WhatsApp, Facebook Messenger Chat, Telegram Chat, WeChat, Line Chat, Discord Chat for Customer Support Chat with floating Chat Widget
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/77a923d5-b73e-45cf-9617-09b4d5c8bb5a>


Migration, Backup, Staging – WPvivid <= 0.9.89 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Migration, Backup, Staging – WPvivid
CVE ID: CVE-2023-5121
CVSS Score: 4.4 (Medium)
Researcher/s: Ivan Kuzymchak
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/cdcac5f9-a744-4853-8a80-ed38fec81dbb>


WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce <= 3.1.37.1 - Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce
CVE ID: CVE-2023-4423
CVSS Score: 4.4 (Medium)
Researcher/s: JackYu
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/dd9d22b0-a84a-4bf2-b8b4-89bae2970f29>


Astra Bulk Edit <= 1.2.7 - Missing Authorization

Affected Software: Astra Bulk Edit
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/2548d5b0-1f1a-4847-a5ea-e3bb6f7a5013>


Website Builder by SeedProd <= 6.15.13.1 - Cross-Site Request Forgery to Settings Update

Affected Software: Website Builder by SeedProd — Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode
CVE ID: CVE-2023-4975
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/2cb5370f-14aa-445d-bda3-62a0dd068fc5>


Easy Registration Forms <= 2.1.1 - Authenticated (Subscriber+) Information Disclosure via Shortcode

Affected Software: Easy Registration Forms
CVE ID: CVE-2023-5134
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/562fe11f-36a0-4f23-9eed-50ada7ab2961>


DoFollow Case by Case <= 3.4.1 Cross-Site Request Forgery via getEmail and getUrl

Affected Software: DoFollow Case by Case
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Skalucy
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/60c63be2-dd17-4224-ba96-ba30ed0b25ce>


Brands for WooCommerce <= 3.8.2.2 - Cross-Site Request Forgery

Affected Software: Brands for WooCommerce
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/996dc1d7-12f8-467d-bf48-a7a82f1c0a41>


Legal Pages <= 1.3.7 - Missing Authorization on 'deleteLegalTemplate'

Affected Software: Legal Pages – Privacy Policy, Terms & Conditions, GDPR, CCPA, and Cookie Notice Generator
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b3f87bd6-b432-4bf8-9046-8d66b45f6a85>


Inactive Logout <= 3.2.2 - Cross-Site Request Forgery

Affected Software: Inactive Logout
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d9189eb3-be7f-42e1-92cc-b48af5615eb9>


Brands for WooCommerce <= 3.8.2.2 - Missing Authorization to Unauthenticated Order Manipulation and Information Retrieval

Affected Software: Brands for WooCommerce
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f7afbe2b-72a8-40da-bc94-ff2a1b9569b4>


Checkfront Online Booking System <= 3.6 - Cross-Site Request Forgery

Affected Software: Checkfront Online Booking System
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/fc5a8506-b191-4ab3-9c59-4f1150be6a38>


As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (September 18, 2023 to September 24, 2023) appeared first on Wordfence.
