Wordfence Intelligence Weekly WordPress Vulnerability Report (January 1, 2024 to January 7, 2024)

Chloe Chamberland, www.wordfence.com
Published: Jan 11, 2024 - 4:24 p.m.

CVSS3: 9.8 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
AI Score: 10 High (Confidence: High)
CVSS2: 7.5 High (AV:N/AC:L/Au:N/C:P/I:P/A:P)
EPSS: 0.28 Low (Percentile: 96.8%)

🎉Wordfence just launched its bug bounty program. For the first 6 months, all awarded bounties receive a 10% bonus. View the announcement to learn more now!

Last week, there were 85 vulnerabilities disclosed in 74 WordPress Plugins and 2 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 39 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Alternatively, they can use the Vulnerability Database API to receive a complete dump of our database of over 12,000 vulnerabilities, and then use the webhook integration to stay on top of the newest vulnerabilities added in real time, as well as any updates made to the database, all for free.

_Click here to sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published._


New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.


Total Unpatched & Patched Vulnerabilities Last Week

| Patch Status | Number of Vulnerabilities |
| --- | --- |
| Unpatched | 33 |
| Patched | 52 |

Total Vulnerabilities by CVSS Severity Last Week

| Severity Rating | Number of Vulnerabilities |
| --- | --- |
| Low Severity | 1 |
| Medium Severity | 67 |
| High Severity | 13 |
| Critical Severity | 4 |

Total Vulnerabilities by CWE Type Last Week

| Vulnerability Type by CWE | Number of Vulnerabilities |
| --- | --- |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 27 |
| Missing Authorization | 18 |
| Cross-Site Request Forgery (CSRF) | 13 |
| Deserialization of Untrusted Data | 7 |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 5 |
| Authorization Bypass Through User-Controlled Key | 3 |
| Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | 3 |
| Improper Input Validation | 2 |
| Information Exposure | 2 |
| Argument Injection or Modification | 1 |
| Use of Less Trusted Source | 1 |
| Improper Access Control | 1 |
| Storing Passwords in a Recoverable Format | 1 |
| Path Traversal: '../filedir' | 1 |

Researchers That Contributed to WordPress Security Last Week

| Researcher Name | Number of Vulnerabilities |
| --- | --- |
| Rafie Muhammad | 11 |
| Ngô Thiên An (ancorn_) | 9 |
| Lucio Sá | 6 |
| Dave Jong | 5 |
| Webbernaut | 4 |
| Daniel Ruf | 4 |
| Francesco Carlucci | 4 |
| Ulyses Saicha | 3 |
| Le Ngoc Anh | 3 |
| Krzysztof Zając | 3 |
| hir0ot | 2 |
| Nex Team | 2 |
| Mika | 2 |
| Abu Hurayra (HurayraIIT) | 2 |
| Abdi Pranata | 2 |
| Colin Xu | 2 |
| Kang SeoHee | 1 |
| Huynh Tien Si | 1 |
| xEHLE | 1 |
| Bob Matyas | 1 |
| lttn | 1 |
| Akbar Kustirama | 1 |
| Joshua Chan | 1 |
| drop | 1 |
| emad | 1 |
| Matan Berson (matanber) | 1 |
| Sean Murphy | 1 |
| Pedro Cuco (illex) | 1 |
| Friday | 1 |
| Angelo Delicato | 1 |
| Dimas Maulana | 1 |
| Arvandy | 1 |
| István Márton | 1 |
| Rafshanzani Suhada | 1 |
| Debangshu Kundu | 1 |
| Arpeet Rathi | 1 |
| Dhabaleshwar Das | 1 |
| Dmitrii Ignatyev | 1 |
| Nguyen Xuan Chien | 1 |

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.


WordPress Plugins with Reported Vulnerabilities Last Week

| Software Name | Software Slug |
| --- | --- |
| 3D FlipBook – PDF Flipbook WordPress | interactive-3d-flipbook-powered-physics-engine |
| ActivityPub | activitypub |
| Ads Invalid Click Protection | ads-invalid-click-protection |
| Ajax Search Lite | ajax-search-lite |
| Autotitle for WordPress | autotitle-for-wordpress |
| Booster Elite for WooCommerce | booster-elite-for-woocommerce |
| Booster Plus for WooCommerce | booster-plus-for-woocommerce |
| CPT Bootstrap Carousel | cpt-bootstrap-carousel |
| Complianz – GDPR/CCPA Cookie Consent | complianz-gdpr |
| Constant Contact Forms | constant-contact-forms |
| Contact Form, Survey & Popup Form Plugin for WordPress – ARForms Form Builder | arforms-form-builder |
| Coupon Referral Program | coupon-referral-program |
| Depicter Slider – Responsive Image Slider, Video Slider & Post Slider | depicter |
| Easy SVG Allow | easy-svg-image-allow |
| Easy Social Feed – Social Photos Gallery – Post Feed – Like Box | easy-facebook-likebox |
| EmbedPress – Embed PDF, YouTube, Google Docs, Vimeo, Wistia Videos, Audios, Maps & Any Documents in Gutenberg & Elementor | embedpress |
| Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders | essential-addons-for-elementor-lite |
| Floating Notification Bar, Sticky Menu on Scroll, Announcement Banner, and Sticky Header for Any Theme – My Sticky Bar (formerly myStickymenu) | mystickymenu |
| FooGallery Premium | foogallery-premium |
| Gecka Terms Thumbnails | gecka-terms-thumbnails |
| HTML5 MP3 Player with Folder Feedburner Playlist Free | html5-mp3-player-with-mp3-folder-feedburner-playlist |
| HTML5 MP3 Player with Playlist Free | html5-mp3-player-with-playlist |
| HTML5 SoundCloud Player with Playlist Free | html5-soundcloud-player-with-playlist |
| Happy Addons for Elementor | happy-elementor-addons |
| Happy Addons for Elementor Pro | happy-elementor-addons-pro |
| Hostinger | hostinger |
| Icegram Engage – WordPress Lead Generation, Popup Builder, CTA, Optins and Email List Building | icegram |
| Ideal Interactive Map | ideal-interactive-map |
| Infogram – Add charts, maps and infographics | infogram |
| JS & CSS Script Optimizer | js-css-script-optimizer |
| Keap Official Opt-in Forms | infusionsoft-official-opt-in-forms |
| Laybuy Payment Extension for WooCommerce | laybuy-gateway-for-woocommerce |
| LearnPress – WordPress LMS Plugin | learnpress |
| LightStart – Maintenance Mode, Coming Soon and Landing Page Builder | wp-maintenance-mode |
| MapPress Maps for WordPress | mappress-google-maps-for-wordpress |
| Mapster WP Maps | mapster-wp-maps |
| MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy) | google-analytics-for-wordpress |
| OMGF \| GDPR/DSGVO Compliant, Faster Google Fonts. Easy. | |
| Orbit Fox by ThemeIsle | themeisle-companion |
| Oxygen Builder | oxygenbuilder |
| POST SMTP – The #1 WordPress SMTP Plugin with Advanced Email Logging and Delivery Failure Notifications | post-smtp |
| Page Builder: Live Composer | live-composer-page-builder |
| Page Builder: Pagelayer – Drag and Drop website builder | pagelayer |
| Posts to Page | posts-to-page |
| PowerPack Addons for Elementor (Free Widgets, Extensions and Templates) | powerpack-lite-for-elementor |
| Private Google Calendars | private-google-calendars |
| Product Delivery Date for WooCommerce – Lite | product-delivery-date-for-woocommerce-lite |
| Product Expiry for WooCommerce | product-expiry-for-woocommerce |
| Quiz Maker | quiz-maker |
| RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator | feedzy-rss-feeds |
| Randomize | randomize |
| Rate Star Review – AJAX Reviews for Content, with Star Ratings | rate-star-review |
| Site Notes | site-notes |
| TJ Shortcodes | theme-junkie-shortcodes |
| Tagbox – UGC Galleries, Social Media Widgets, User Reviews & Analytics | taggbox-widget |
| User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor | profile-builder |
| Void Contact Form 7 Widget For Elementor Page Builder | cf7-widget-elementor |
| WP 2FA – Two-factor authentication for WordPress | wp-2fa |
| WP Compress – Image Optimizer [All-In-One] | wp-compress-image-optimizer |
| WP ERP \| Complete HR solution with recruitment & job listings | |
| WP Job Manager | wp-job-manager |
| WP Plugin Lister | wp-plugin-lister |
| WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc | wp-sms |
| WP SOCIAL BOOKMARK MENU | wp-social-bookmark-menu |
| WP Ultimate Review | wp-ultimate-review |
| WP-Members Membership Plugin | wp-members |
| WooCommerce | woocommerce |
| WooCommerce Conversion Tracking | woocommerce-conversion-tracking |
| WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels | print-invoices-packing-slip-labels-for-woocommerce |
| Woocommerce Tranzila Payment Gateway | woo-tranzila-gateway |
| WordPress Users | wordpress-users |
| cformsII | cforms2 |
| oEmbed Gist | oembed-gist |
| pTypeConverter | ptypeconverter |

WordPress Themes with Reported Vulnerabilities Last Week

| Software Name | Software Slug |
| --- | --- |
| Meris | meris |
| Weaver Xtreme | weaver-xtreme |

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you'd like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

WooCommerce Tranzila Gateway <= 1.0.8 - Unauthenticated PHP Object Injection

Affected Software: Woocommerce Tranzila Payment Gateway
CVE ID: CVE-2023-52218
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/3ed30ebb-cb06-428c-a60e-676f36e75fa9>


LearnPress <= 4.2.5.7 - Unauthenticated SQL Injection via order_by

Affected Software: LearnPress – WordPress LMS Plugin
CVE ID: CVE-2023-6567
CVSS Score: 9.8 (Critical)
Researcher/s: hir0ot
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6ab578cd-3a0b-43d3-aaa7-0a01f431a4e2>


Taggbox <= 3.1 - Unauthenticated PHP Object Injection

Affected Software: Tagbox – UGC Galleries, Social Media Widgets, User Reviews & Analytics
CVE ID: CVE-2023-52225
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/cae6e8b9-a8a9-41d3-83e8-d833515a0244>


WP Compress – Image Optimizer [All-In-One] <= 6.10.33 - Unauthenticated Directory Traversal via css

Affected Software: WP Compress – Image Optimizer [All-In-One]
CVE ID: CVE-2023-6699
CVSS Score: 9.1 (Critical)
Researcher/s: Krzysztof Zając
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/defb87dd-bf5f-411f-b948-699337d05d44>


Gecka Terms Thumbnails <= 1.1 - Authenticated (Subscriber+) PHP Object Injection

Affected Software: Gecka Terms Thumbnails
CVE ID: CVE-2023-52219
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/07abe182-370f-4241-9631-387a7930f2f6>


HTML5 SoundCloud Player <= 2.8.0 - Authenticated (Author+) PHP Object Injection

Affected Software: HTML5 SoundCloud Player with Playlist Free
CVE ID: CVE-2023-52205
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/229235de-03c6-4560-b0ea-ab21fde256be>


Page Builder: Live Composer <= 1.5.25 - Authenticated (Author+) PHP Object Injection

Affected Software: Page Builder: Live Composer
CVE ID: CVE-2023-52206
CVSS Score: 8.8 (High)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/2a0f9f80-e338-4afd-9a4b-e421865c8b0b>


HTML5 MP3 Player with Playlist Free <= 3.0.0 - Authenticated (Author+) PHP Object Injection

Affected Software: HTML5 MP3 Player with Playlist Free
CVE ID: CVE-2023-52207
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/2eac991e-fc34-456c-a9a6-d30fde39fd42>


Randomize <= 1.4.3 - Authenticated (Contributor+) SQL Injection

Affected Software: Randomize
CVE ID: CVE-2023-52204
CVSS Score: 8.8 (High)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7b971ae0-624d-416e-b2f2-92ce44e96418>


HTML5 MP3 Player with Folder Feedburner <= 2.8.0 - Authenticated (Author+) PHP Object Injection

Affected Software: HTML5 MP3 Player with Folder Feedburner Playlist Free
CVE ID: CVE-2023-52202
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/8b7321e8-153c-4586-8114-65583e06573e>


OMGF | GDPR/DSGVO Compliant, Faster Google Fonts. Easy. <= 5.7.9 - Missing Authorization to Unauthenticated Directory Deletion and Cross-Site Scripting

Affected Software: OMGF | GDPR/DSGVO Compliant, Faster Google Fonts. Easy.
CVE ID: CVE-2023-6600
CVSS Score: 8.6 (High)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/4e835b97-c066-4e8f-b99f-1a930105af0c>


LearnPress <= 4.2.5.7 - Command Injection

Affected Software: LearnPress – WordPress LMS Plugin
CVE ID: CVE-2023-6634
CVSS Score: 8.1 (High)
Researcher/s: hir0ot
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/21291ed7-cdc0-4698-9ec4-8417160845ed>


Hostinger <= 1.9.7 - Missing Authorization to Maintenance Mode Activation

Affected Software: Hostinger
CVE ID: CVE-2023-6751
CVSS Score: 7.3 (High)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d89cf759-5e5f-43e2-90a9-a8e554653ee1>


ARForms <= 1.5.8 - Unauthenticated Stored Cross-Site Scripting via arf_http_referrer_url

Affected Software: Contact Form, Survey & Popup Form Plugin for WordPress – ARForms Form Builder
CVE ID: CVE-2023-6828
CVSS Score: 7.2 (High)
Researcher/s: drop
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6e349cae-a996-4a32-807a-a98ebcb01edd>


POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress <= 2.8.7 - Unauthenticated Stored Cross-Site Scripting via device

Affected Software: POST SMTP – The #1 WordPress SMTP Plugin with Advanced Email Logging and Delivery Failure Notifications
CVE ID: CVE-2023-7027
CVSS Score: 7.2 (High)
Researcher/s: Sean Murphy
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7e8911a3-ce0f-420c-bf2a-1c2929d01cef>


WP ERP <= 1.12.8 - Authenticated (Accounting manager+) SQL Injection

Affected Software: WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting
CVE ID: CVE-2024-21747
CVSS Score: 7.2 (High)
Researcher/s: Arvandy
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b7d85921-9d70-4812-9c5f-11ee1d0821be>


pTypeConverter <= 0.2.8.1 - Authenticated (Editor+) SQL Injection

Affected Software: pTypeConverter
CVE ID: CVE-2023-52201
CVSS Score: 7.2 (High)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d3c26454-a91d-4141-9b31-5c902c5e8eec>


WP-Members Membership Plugin <= 3.4.8 - Missing Authorization to Sensitive Information Exposure

Affected Software: WP-Members Membership Plugin
CVE ID: CVE-2023-6733
CVSS Score: 6.5 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/46c61f38-553e-43b2-a666-b160db40e66d>


Coupon Referral Program <= 1.7.2 - Sensitive Information Disclosure

Affected Software: Coupon Referral Program
CVE ID: CVE-2023-52190
CVSS Score: 6.5 (Medium)
Researcher/s: Dave Jong
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6015e204-1e07-4c75-ad22-969045934468>


Ideal Interactive Map <= 1.2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Ideal Interactive Map
CVE ID: CVE-2023-52189
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/019c5e06-1345-4c8e-abb9-dc0ea5d55ef5>


Page Builder: Live Composer <= 1.5.23 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Page Builder: Live Composer
CVE ID: CVE-2023-52193
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/09631637-55e2-4e1e-9dcb-bba205be5f43>


Easy SVG Allow <= 1.0 - Authenticated (Author+) Stored Cross-Site Scripting via SVG

Affected Software: Easy SVG Allow
CVE ID: CVE-2023-7089
CVSS Score: 6.4 (Medium)
Researcher/s: Bob Matyas
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/1a766b5b-e21e-4009-86d9-7f0a5c91ed51>


Orbit Fox Companion <= 2.10.26 - Authenticated (Contributor+) Stored Cross-Site Scripting via custom fields

Affected Software: Orbit Fox by ThemeIsle
CVE ID: CVE-2023-6781
CVSS Score: 6.4 (Medium)
Researcher/s: Nex Team
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/23e39019-c322-4027-84f2-faabd9ca4983>


MapPress Maps for WordPress <= 2.88.13 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: MapPress Maps for WordPress
CVE ID: CVE-2023-6524
CVSS Score: 6.4 (Medium)
Researcher/s: Akbar Kustirama
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/28a8f025-c2ab-4a5f-a99e-a2d19b14a190>


Posts to Page <= 1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Posts to Page
CVE ID: CVE-2023-52195
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/2e5fdaae-3ef2-477e-b79b-0b6e415edb40>


Laybuy Payment Extension for WooCommerce <= 5.3.9 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Laybuy Payment Extension for WooCommerce
CVE ID: CVE-2024-21745
CVSS Score: 6.4 (Medium)
Researcher/s: Abu Hurayra (HurayraIIT)
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/4c91caaa-9bdd-4170-98f1-0d686d3ffcba>


3D Flipbook <= 1.15.2 - Authenticated (Contributor+) Cross-Site Scripting via Ready Function

Affected Software: 3D FlipBook – PDF Flipbook WordPress
CVE ID: CVE-2023-6776
CVSS Score: 6.4 (Medium)
Researcher/s: Webbernaut
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/500fd8aa-9ad1-41ee-bbeb-cda9c80c4fcb>


Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders <= 5.9.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders
CVE ID: CVE-2023-7044
CVSS Score: 6.4 (Medium)
Researcher/s: Webbernaut
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6e770e98-3c13-4e37-b51b-4c39bce2cb42>


Infogram <= 1.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Infogram – Add charts, maps and infographics
CVE ID: CVE-2023-52191
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/72e1482c-0f55-4f43-8590-d4f2758f0eea>


Keap Official Opt-in Forms <= 1.0.11 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Keap Official Opt-in Forms
CVE ID: CVE-2023-52192
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/9a0f1006-8015-4e67-9b03-16d3ad3c0e77>


RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator <= 4.3.2 - Authenticated (Author+) Stored Cross-Site Scripting

Affected Software: RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator
CVE ID: CVE-2023-6801
CVSS Score: 6.4 (Medium)
Researcher/s: Colin Xu
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a713d897-c549-4e0d-9cb3-7002ef2b127f>


EmbedPress – Embed PDF, YouTube, Google Docs, Vimeo, Wistia Videos, Audios, Maps & Any Documents in Gutenberg & Elementor <= 3.9.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: EmbedPress – Embed PDF, YouTube, Google Docs, Vimeo, Wistia Videos, Audios, Maps & Any Documents in Gutenberg & Elementor
CVE ID: CVE-2023-6986
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ceae0115-268c-401b-876b-3477d10c10e6>


Mapster WP Maps <= 1.2.38 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Mapster WP Maps
CVE ID: CVE-2024-21744
CVSS Score: 6.4 (Medium)
Researcher/s: Abu Hurayra (HurayraIIT)
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d38ee896-8cdd-45c5-b393-bdcb7baa7bd3>


FooGallery Premium <= 2.3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: FooGallery Premium
CVE ID: CVE-2023-6747
CVSS Score: 6.4 (Medium)
Researcher/s: Webbernaut, Debangshu Kundu, Arpeet Rathi
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/dce8ac32-cab8-4e05-bf6f-cc348d0c9472>


Private Google Calendars <= 20231125 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Private Google Calendars
CVE ID: CVE-2023-52198
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e276cc49-2da1-4e2f-bb64-28ffe6ec9acf>


Oxygen Builder <= 4.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Field

Affected Software: Oxygen Builder
CVE ID: CVE-2023-6938
CVSS Score: 6.4 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ee069cb3-370e-48ea-aa35-c30fe83c2498>


TJ Shortcodes 0.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: TJ Shortcodes
CVE ID: CVE-2023-6530
CVSS Score: 6.4 (Medium)
Researcher/s: Dmitrii Ignatyev
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f88ef4cf-3f22-40e0-b651-59cb40f148fd>


oEmbed Gist <= 4.9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: oEmbed Gist
CVE ID: CVE-2023-52194
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/fed0e3bc-1401-410a-805d-1ea3e423024b>


Rate Star Review <= 1.5.1 - Reflected Cross-Site Scripting

Affected Software: Rate Star Review – AJAX Reviews for Content, with Star Ratings
CVE ID: CVE-2023-52213
CVSS Score: 6.1 (Medium)
Researcher/s: Kang SeoHee
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/025a13e6-5f0a-49ca-bd63-44e4095072bd>


Autotitle for WordPress <= 1.0.3 - Cross-Site Request Forgery to Settings Update and Stored Cross-Site Scripting

Affected Software: Autotitle for WordPress
CVE ID: CVE-2023-6946
CVSS Score: 6.1 (Medium)
Researcher/s: Daniel Ruf
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/062d906d-5a6e-4180-a2f2-18411334b9a1>


Happy Addons for Elementor <= 3.9.1.1 - Reflected Cross-Site Scripting

Affected Software/s: Happy Addons for Elementor Pro, Happy Addons for Elementor
CVE ID: CVE-2023-6632
CVSS Score: 6.1 (Medium)
Researcher/s: xEHLE
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/06ef69f0-34d3-4389-8a81-a4d9922f1468>


Ajax Search Lite <= 4.11.4 - Reflected Cross-Site Scripting

Affected Software: Ajax Search Lite
CVE ID: CVE-2024-21752
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/19418da4-bef4-4cbc-901c-f2aeee39b3cf>


WP Plugin Lister <= 2.1.0 - Cross-Site Request Forgery to Settings Update and Stored Cross-Site Scripting

Affected Software: WP Plugin Lister
CVE ID: CVE-2023-6503
CVSS Score: 6.1 (Medium)
Researcher/s: Daniel Ruf
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/3b819e88-111a-4611-ae23-87ac7a878b4a>


POST SMTP Mailer <= 2.8.6 - Reflected Cross-Site Scripting via msg

Affected Software: POST SMTP – The #1 WordPress SMTP Plugin with Advanced Email Logging and Delivery Failure Notifications
CVE ID: CVE-2023-6629
CVSS Score: 6.1 (Medium)
Researcher/s: Matan Berson (matanber)
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7681f984-d488-4da7-afe1-988e5ad012f2>


Meris <= 1.1.2 - Reflected Cross-Site Scripting

Affected Software: Meris
CVE ID: CVE-2023-7194
CVSS Score: 6.1 (Medium)
Researcher/s: Angelo Delicato
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a627f10a-1463-4e4b-98a9-2008fa76e25a>


CPT Bootstrap Carousel <= 1.12 - Reflected Cross-Site Scripting

Affected Software: CPT Bootstrap Carousel
CVE ID: CVE-2023-52196
CVSS Score: 6.1 (Medium)
Researcher/s: Dimas Maulana
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a78321b7-b62b-40ab-a15d-037ebd905d8b>


WP SMS <= 6.5 - Authenticated (Admin+) SQL Injection to Reflected Cross-Site Scripting

Affected Software: WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc
CVE ID: CVE-2023-6981
CVSS Score: 6.1 (Medium)
Researcher/s: Krzysztof Zając
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b8f53053-5150-4fba-b8d6-3d6c9df32c69>


Weaver Xtreme <= 6.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Weaver Xtreme
CVE ID: CVE-2023-6990
CVSS Score: 5.4 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/bc7384d7-c2fd-4d63-9b80-bb5bde9a23d5>


RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator <= 4.3.2 - Missing Authorization

Affected Software: RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator
CVE ID: CVE-2023-6798
CVSS Score: 5.4 (Medium)
Researcher/s: Colin Xu
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c2cdf4e5-0a40-42ca-b5ac-78511fdd2b77>


Product Expiry for WooCommerce <= 2.5 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Update

Affected Software: Product Expiry for WooCommerce
CVE ID: CVE-2024-0201
CVSS Score: 5.4 (Medium)
Researcher/s: István Márton
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c4006612-770a-482f-a8c2-e62f607914a9>


PageLayer <= 1.7.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via meta fields

Affected Software: Page Builder: Pagelayer – Drag and Drop website builder
CVE ID: CVE-2023-6738
CVSS Score: 5.4 (Medium)
Researcher/s: Nex Team
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d14c8890-482c-4d43-a68f-0d04c4feca8f>


Constant Contact Forms <= 2.4.2 - Information Disclosure via Log Files

Affected Software: Constant Contact Forms
CVE ID: CVE-2023-52208
CVSS Score: 5.3 (Medium)
Researcher/s: Joshua Chan
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/2990b307-2b07-4daf-917b-d9587253cbeb>


WP Ultimate Review <= 2.2.5 - IP Spoofing

Affected Software: WP Ultimate Review
CVE ID: CVE-2024-21746
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/31418a45-7dae-4cd4-8f85-0498a285ef6d>


ActivityPub <= 1.0.5 - Missing Authorization

Affected Software: ActivityPub
CVE ID: CVE-2023-52199
CVSS Score: 5.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/3666a841-711d-4ecf-bb77-f2db4d5817ea>


Product Delivery Date for WooCommerce – Lite <= 2.7.0 - Missing Authorization

Affected Software: Product Delivery Date for WooCommerce – Lite
CVE ID: CVE-2023-52210
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/4a32ae77-3d4e-4fd4-a43a-7d1a52dcfa77>


WP Job Manager <= 2.0.0 - Missing Authorization

Affected Software: WP Job Manager
CVE ID: CVE-2023-52211
CVSS Score: 5.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/8b1af76a-3836-4527-9ea6-8bffa173a84e>


PowerPack Addons for Elementor (Free Widgets, Extensions and Templates) <= 2.7.13 - Cross-Site Request Forgery

Affected Software: PowerPack Addons for Elementor (Free Widgets, Extensions and Templates)
CVE ID: CVE-2023-6984
CVSS Score: 5.3 (Medium)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/fe2cfc96-63f4-4e4b-bf49-6031594a4805>


Complianz | GDPR/CCPA Cookie Consent <= 6.5.5 - Authenticated (Administrator+) Stored Cross-Site Scripting via settings

Affected Software: Complianz – GDPR/CCPA Cookie Consent
CVE ID: CVE-2023-6498
CVSS Score: 4.4 (Medium)
Researcher/s: Webbernaut
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/01c1458d-3e38-4dbf-bb65-80465ea6d0ad>


CformsII <= 15.0.5 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: cformsII
CVE ID: CVE-2023-52203
CVSS Score: 4.4 (Medium)
Researcher/s: emad
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/72800e9b-8e2c-4725-9a87-a9b187ad5967>


Ads Invalid Click Protection <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Ads Invalid Click Protection
CVE ID: CVE-2023-52197
CVSS Score: 4.4 (Medium)
Researcher/s: Dhabaleshwar Das
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f0fa8050-6318-4528-8dd4-a3ca5467cfaa>


Icegram <= 3.1.20 - Missing Authorization

Affected Software: Icegram Engage – WordPress Lead Generation, Popup Builder, CTA, Optins and Email List Building
CVE ID: CVE-2024-21748
CVSS Score: 4.3 (Medium)
Researcher/s: Huynh Tien Si
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/059f526f-6769-4092-92b0-2ef6248963ee>


WP 2FA – Two-factor authentication for WordPress <= 2.5.0 - Cross-Site Request Forgery

Affected Software: WP 2FA – Two-factor authentication for WordPress
CVE ID: CVE-2023-6520
CVSS Score: 4.3 (Medium)
Researcher/s: Ulyses Saicha
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/0af451be-2477-453c-a230-7f3fb804398b>


WP Social Bookmark Menu <= 1.2 - Cross-Site Request Forgery to Settings Update

Affected Software: WP SOCIAL BOOKMARK MENU
CVE ID: CVE-2023-7074
CVSS Score: 4.3 (Medium)
Researcher/s: Daniel Ruf
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/120a75c5-4fff-4a77-b376-d6968853b40e>


LearnPress <= 4.2.5.7 - Insecure Direct Object Reference to Information Disclosure

Affected Software: LearnPress – WordPress LMS Plugin
CVE ID: CVE-2023-6223
CVSS Score: 4.3 (Medium)
Researcher/s: lttn
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/215d5d9e-dabb-462d-8c51-952f8c497b78>


Booster Plus for WooCommerce < 7.1.2 - Missing Authorization to Order Information Disclosure

Affected Software: Booster Plus for WooCommerce
CVE ID: CVE-2023-52231
CVSS Score: 4.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/38a90190-569f-46d8-bef4-fe28caf5e2fc>


WordPress Users <= 1.4 - Cross-Site Request Forgery to Settings Update

Affected Software: WordPress Users
CVE ID: CVE-2023-6390
CVSS Score: 4.3 (Medium)
Researcher/s: Daniel Ruf
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/3c1a7bda-29c5-4b4b-bbd8-71187609892e>


Easy Social Feed <= 6.5.2 - Missing Authorization to Settings Modification

Affected Software: Easy Social Feed – Social Photos Gallery – Post Feed – Like Box
CVE ID: CVE-2023-6883
CVSS Score: 4.3 (Medium)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/3deee9b5-2e36-447d-a492-e22e3dc6a5ab>


Quiz Maker <= 6.5.1.1 - Missing Authorization

Affected Software: Quiz Maker
CVE ID: CVE-2024-21743
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/4e62f27b-c6b0-48ed-bfd7-a1893552eb3e>


WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels <= 4.3.0 - Missing Authorization to Order Export

Affected Software: WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels
CVE ID: CVE-2023-7068
CVSS Score: 4.3 (Medium)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5abc282d-68c9-423c-a15c-d4d3f7035661>


WP Job Manager <= 2.0.0 - Cross-Site Request Forgery

Affected Software: WP Job Manager
CVE ID: CVE-2023-52212
CVSS Score: 4.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/69430e1a-db2f-4715-84aa-5a1dfd712180>


Google Analytics by Monster Insights <= 8.21.0 - Missing Authorization

Affected Software: MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy)
CVE ID: CVE-2023-52220
CVSS Score: 4.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/81099cdc-bce6-4ee6-b819-c3925acf96a8>


Site Notes <= 2.0.0 - Cross-Site Request Forgery to Admin Note Deletion

Affected Software: Site Notes
CVE ID: CVE-2023-6633
CVSS Score: 4.3 (Medium)
Researcher/s: Pedro Cuco (illex)
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/89cbe41d-3765-4061-8ef6-b63556a5677c>


Void Contact Form 7 Widget For Elementor Page Builder <= 2.3 - Missing Authorization

Affected Software: Void Contact Form 7 Widget For Elementor Page Builder
CVE ID: CVE-2023-52214
CVSS Score: 4.3 (Medium)
Researcher/s: Friday
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/93784c84-93b3-4f43-84a0-5aeed3ba9cfd>


WP SMS <= 6.5 - Cross-Site Request Forgery to Subscriber Deletion

Affected Software: WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc
CVE ID: CVE-2023-6980
CVSS Score: 4.3 (Medium)
Researcher/s: Krzysztof Zając
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/94ad6b51-ff8d-48d5-9a70-1781d13990a5>


LightStart – Maintenance Mode, Coming Soon and Landing Page Builder <= 2.6.8 - Missing Authorization

Affected Software: LightStart – Maintenance Mode, Coming Soon and Landing Page Builder
CVE ID: CVE-2023-7019
CVSS Score: 4.3 (Medium)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b57d3d1d-dcdb-4f11-82d8-183778baa075>


WooCommerce Conversion Tracking <= 2.0.11 - Missing Authorization

Affected Software: WooCommerce Conversion Tracking
CVE ID: CVE-2023-52217
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/bf798142-4daf-41f5-8416-701d03476520>


Depicter Slider – Responsive Image Slider, Video Slider & Post Slider <= 2.0.6 - Cross-Site Request Forgery via save

Affected Software: Depicter Slider – Responsive Image Slider, Video Slider & Post Slider
CVE ID: CVE-2023-6493
CVSS Score: 4.3 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c9c907ea-3ab4-4674-8945-ade4f6ff2679>


WP 2FA <= 2.5.0 - Insecure Direct Object Reference to Arbitrary Email Sending

Affected Software: WP 2FA – Two-factor authentication for WordPress
CVE ID: CVE-2023-6506
CVSS Score: 4.3 (Medium)
Researcher/s: Ulyses Saicha
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/caff9be6-4161-47a0-ba47-6c8fc0c4ab40>


Booster Plus for WooCommerce < 7.1.3 - Missing Authorization to Arbitrary Options Disclosure

Affected Software: Booster Plus for WooCommerce
CVE ID: CVE-2023-52230
CVSS Score: 4.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/dd0a4212-fe04-4c3b-9d78-b1a0bf97e274>


Booster Plus for WooCommerce < 7.1.2 - Missing Authorization to Arbitrary Page/Post Deletion

Affected Software: Booster Plus for WooCommerce
CVE ID: CVE-2023-52232
CVSS Score: 4.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/df65af54-ce55-4c50-8a62-5541a1879ad4>


WooCommerce <= 8.2.2 - Cross-Site Request Forgery

Affected Software: WooCommerce
CVE ID: CVE-2023-52222
CVSS Score: 4.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/eb8517bc-f45f-40a1-ae80-ed227c8b32d7>


Booster Elite for WooCommerce < 7.1.2 - Missing Authorization to Order Information Disclosure

Affected Software: Booster Elite for WooCommerce
CVE ID: CVE-2023-52234
CVSS Score: 4.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f4afcb16-9c97-483f-be48-31b5156bcca3>


Profile Builder <= 3.10.7 - Insecure Direct Object Reference to Sensitive Information Exposure via user_meta Shortcode

Affected Software: User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor
CVE ID: CVE-2023-6504
CVSS Score: 4.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f515ccf8-7231-4728-b155-c47049087d42>


JS & CSS Script Optimizer <= 0.3.3 - Cross-Site Request Forgery

Affected Software: JS & CSS Script Optimizer
CVE ID: CVE-2023-52216
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/fb863896-5a5a-4c65-b2a5-0901de7961f2>


My Sticky Bar <= 2.6.6 - Cross-Site Request Forgery to Sensitive Information Exposure

Affected Software: Floating Notification Bar, Sticky Menu on Scroll, Announcement Banner, and Sticky Header for Any Theme – My Sticky Bar (formerly myStickymenu)
CVE ID: CVE-2023-7048
CVSS Score: 3.1 (Low)
Researcher/s: Ulyses Saicha
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/be0ab40f-cff7-48bd-8dae-cc50af047151>


As a reminder, Wordfence has curated an industry-leading vulnerability database, Wordfence Intelligence, covering all known WordPress core, theme, and plugin vulnerabilities.

This database is continuously updated, maintained, and populated by Wordfence's highly credentialed and experienced vulnerability researchers. It draws on three sources: in-house vulnerability research, vulnerability researchers submitting directly to us through our CVE Request form, and monitoring of a wide range of sources to capture all publicly available WordPress vulnerability information, with additional context added where we can.

Click here to sign up for our mailing list to receive weekly vulnerability reports like this one and important WordPress security reports in your inbox the moment they are published.
