Wordfence (Chloe Chamberland) WORDFENCE:D520B5D6F109875514762F017E8207D2

Wordfence Intelligence Weekly WordPress Vulnerability Report (June 12, 2023 to June 18, 2023)

2023-06-22 13:11:25
Chloe Chamberland
www.wordfence.com

CVSS3: 8.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS2: 6.8 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

EPSS: 0.003 Low
Percentile: 66.9%

Last week, 60 vulnerabilities disclosed in 52 WordPress plugins and no WordPress themes were added to the Wordfence Intelligence Vulnerability Database, and 25 vulnerability researchers contributed to WordPress security. Review the vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, including the WordPress community, so that individuals and organizations alike can use that data to make the internet more secure. That is why the Wordfence Intelligence user interface and vulnerability API are completely free to access and use, both personally and commercially, and why we publish this weekly vulnerability report.

_Click here to sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published._


Total Unpatched & Patched Vulnerabilities Last Week

| Patch Status | Number of Vulnerabilities |
|---|---|
| Unpatched | 20 |
| Patched | 40 |

Total Vulnerabilities by CVSS Severity Last Week

| Severity Rating | Number of Vulnerabilities |
|---|---|
| Low Severity | 1 |
| Medium Severity | 53 |
| High Severity | 6 |
| Critical Severity | 0 |

Total Vulnerabilities by CWE Type Last Week

| Vulnerability Type by CWE | Number of Vulnerabilities |
|---|---|
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 26 |
| Cross-Site Request Forgery (CSRF) | 21 |
| Missing Authorization | 8 |
| Information Exposure | 1 |
| Authorization Bypass Through User-Controlled Key | 1 |
| Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') | 1 |
| Unrestricted Upload of File with Dangerous Type | 1 |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 1 |

Researchers That Contributed to WordPress Security Last Week

| Researcher Name | Number of Vulnerabilities |
|---|---|
| Truoc Phan | 6 |
| LEE SE HYOUNG | 5 |
| Erwan LR | 5 |
| Marco Wotschka (Wordfence Vulnerability Researcher) | 4 |
| Abdi Pranata | 3 |
| Mika | 3 |
| Lana Codes (Wordfence Vulnerability Researcher) | 3 |
| yuyudhn | 3 |
| Nguyen Xuan Chien | 3 |
| Rafshanzani Suhada | 2 |
| konagash | 2 |
| NeginNrb | 2 |
| Rafie Muhammad | 2 |
| A. S. M. Muhiminul Hasan | 1 |
| Theodoros Malachias | 1 |
| Rio Darmawan | 1 |
| Le Ngoc Anh | 1 |
| emad | 1 |
| Alex Thomas (Wordfence Vulnerability Researcher) | 1 |
| Daniel Ruf | 1 |
| Amirmohammad vakili | 1 |
| thiennv | 1 |
| Chloe Chamberland (Wordfence Vulnerability Researcher) | 1 |
| Phd | 1 |
| killr00t | 1 |

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.


WordPress Plugins with Reported Vulnerabilities Last Week

| Software Name | Software Slug |
|---|---|
| ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup | armember-membership |
| All Bootstrap Blocks | all-bootstrap-blocks |
| Booking and Rental Manager for Bike \| Car \| Resort \| Appointment \| Dress and all Kinds of Equipment | |
| CF7 Google Sheets Connector | cf7-google-sheets-connector |
| CF7 Google Sheets Connector Pro | cf7-google-sheets-connector-pro |
| CHP Ads Block Detector | chp-ads-block-detector |
| Church Admin | church-admin |
| Constant Contact Forms | constant-contact-forms |
| Contact Form by WD – responsive drag & drop contact form builder tool | contact-form-maker |
| Elementor Forms Google Sheet Connector | gsheetconnector-for-elementor-forms |
| Elementor Forms Google Sheet Connector Pro | gsheetconnector-for-elementor-forms-pro |
| Flo Forms – Easy Drag & Drop Form Builder | flo-forms |
| Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder | form-maker |
| Forminator – Contact Form, Payment Form & Custom Form Builder | forminator |
| Galleria | galleria |
| Google Map Shortcode | google-map-shortcode |
| Guest posting / Frontend Posting wordpress plugin – WP Front User Submit / Front Editor | front-editor |
| LWS Cleaner | lws-cleaner |
| LWS Tools | lws-tools |
| Login Configurator | login-configurator |
| MStore API | mstore-api |
| MasterStudy LMS WordPress Plugin – for Online Courses and Education | masterstudy-lms-learning-management-system |
| ND Shortcodes | nd-shortcodes |
| Ninja Forms Google Sheet Connector | gsheetconnector-ninja-forms |
| Ninja Forms Google Sheet Connector Pro | gsheetconnector-ninja-forms-pro |
| Password Protected | password-protected |
| Protect WP Admin | protect-wp-admin |
| Recent Posts Slider | recent-posts-slider |
| Recipe Maker For Your Food Blog from Zip Recipes | zip-recipes |
| Securimage-WP | securimage-wp |
| Seed Fonts | seed-fonts |
| Sermon'e – Sermons Online | UNKNOWN-CVE-2023-35776-1 |
| Stock Manager for WooCommerce | woocommerce-stock-manager |
| Template Debugger | quick-edit-template-link |
| Tutor LMS – eLearning and online course solution | tutor |
| Unlimited Elements For Elementor (Free Widgets, Addons, Templates) | unlimited-elements-for-elementor |
| WP Affiliate Links | wp-affiliate-links |
| WP Backup Manager | wp-backup-manager |
| WP Directory Kit | wpdirectorykit |
| WP Matterport Shortcode | shortcode-gallery-for-matterport-showcase |
| WP PDF Generator | wp-pdf-generator |
| WPForms Google Sheet Connector | gsheetconnector-wpforms |
| WPForms Google Sheet Connector Pro | gsheetconnector-wpforms-pro |
| Who Hit The Page – Hit Counter | who-hit-the-page-hit-counter |
| WooCommerce Stripe Payment Gateway | woocommerce-gateway-stripe |
| WordPress Contact Forms by Cimatti | contact-forms |
| WordPress NextGen GalleryView | wordpress-nextgen-galleryview |
| YaySMTP – Simple WP SMTP Mail | yaysmtp |
| Zephyr Project Manager | zephyr-project-manager |
| breadcrumb simple | breadcrumb-simple |
| myCred – Points, Rewards, Gamification, Ranks, Badges & Loyalty Plugin | mycred |
| 胖鼠采集(Fat Rat Collect) 微信知乎简书腾讯新闻列表分页采集, 还有自动采集、自动发布、自动标签、等多项功能。开源插件 | fat-rat-collect |

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities.

Unlimited Elements For Elementor (Free Widgets, Addons, Templates) <= 1.5.66 - Authenticated (Contributor+) Arbitrary File Upload

Affected Software: Unlimited Elements For Elementor (Free Widgets, Addons, Templates)
CVE ID: CVE-2023-3295
CVSS Score: 8.8 (High)
Researcher/s: Chloe Chamberland, Rafie Muhammad
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ce1ac711-6026-49ef-b66b-2cc199697942>

Tutor LMS <= 2.2.0 - Missing Authorization via REST API

Affected Software: Tutor LMS – eLearning and online course solution
CVE ID: CVE-2023-3133
CVSS Score: 7.5 (High)
Researcher/s: A. S. M. Muhiminul Hasan
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/1d6c9765-6936-4b22-835e-e899f62c14c9>

WooCommerce Stripe Payment Gateway <= 7.4.0 - Unauthenticated Insecure Direct Object Reference to Sensitive Information Disclosure

Affected Software: WooCommerce Stripe Payment Gateway
CVE ID: CVE-2023-34000
CVSS Score: 7.5 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/70971072-d743-466b-affe-d7f79d5712aa>

Ninja Forms Google Sheet Connector <= 1.2.6 - Reflected Cross-Site Scripting

Affected Software/s: Ninja Forms Google Sheet Connector, Ninja Forms Google Sheet Connector Pro
CVE ID: CVE-2023-2333
CVSS Score: 7.2 (High)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/559a92e0-609e-415f-aab3-649a185eb431>

YaySMTP <= 2.4.5 - Unauthenticated Stored Cross-Site Scripting via Email

Affected Software: YaySMTP – Simple WP SMTP Mail
CVE ID: CVE-2023-3093
CVSS Score: 7.2 (High)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/68e6ec3a-c5fd-4f63-a9a0-2c9ddfb96e2e>

Who Hit The Page – Hit Counter <= 1.4.14.3 - Unauthenticated Cross-Site Scripting

Affected Software: Who Hit The Page – Hit Counter
CVE ID: CVE-2023-25466
CVSS Score: 7.2 (High)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/714d7811-0425-4833-a7b2-a408799181e4>

Contact Form Maker <= 1.13.23 - Authenticated (Administrator+) SQL Injection

Affected Software: Contact Form by WD – responsive drag & drop contact form builder tool
CVE ID: CVE-2023-2655
CVSS Score: 6.6 (Medium)
Researcher/s: killr00t
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/fb56c071-d7b9-40e0-8cc5-2dd48c93b8cf>

All Bootstrap Blocks <= 1.3.6 - Cross-Site Request Forgery to Plugin Settings Reset

Affected Software: All Bootstrap Blocks
CVE ID: CVE-2023-35047
CVSS Score: 6.5 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/4a7a15ab-4f13-4eb1-aeb5-143230308871>

WP Directory Kit <= 1.2.3 - Missing Authorization to Plugin Settings Change/Delete, Demo Import, Directory Kit Deletion via wdk_admin_action

Affected Software: WP Directory Kit
CVE ID: CVE-2023-2351
CVSS Score: 6.5 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/50c5154c-1573-4c2b-85a1-a89bdb22dc7d>

MStore API <= 3.9.5 - Missing Authorization

Affected Software: MStore API
CVE ID: CVE Unknown
CVSS Score: 6.5 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7a747542-0601-4fa5-a97c-c72d1347013b>

Sermon'e <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Sermon'e – Sermons Online
CVE ID: CVE-2023-35776
CVSS Score: 6.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/08b5f399-018c-4e0b-aefc-55463d4ac48d>

MasterStudy LMS <= 3.0.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: MasterStudy LMS WordPress Plugin – for Online Courses and Education
CVE ID: CVE-2023-35090
CVSS Score: 6.4 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/174e2bf3-2531-4a53-ade6-3df7e976ed29>

ND Shortcodes <= 6.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: ND Shortcodes
CVE ID: CVE-2022-4623
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5d92687e-cdf2-4dd2-b984-eaf9f0a56625>

WP Matterport Shortcode <= 2.1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: WP Matterport Shortcode
CVE ID: CVE-2023-35094
CVSS Score: 6.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7b76ce38-d9ee-4998-ba3b-9f21158ce18a>

ND Shortcodes <= 6.9 - Authenticated (Subscriber+) Local File Inclusion

Affected Software: ND Shortcodes
CVE ID: CVE-2023-1273
CVSS Score: 6.4 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/9b9bd42f-cb24-483a-ae91-add4378067d9>

Front User Submit | Front Editor <= 3.7.0 - Authenticated (Subscriber+) Stored Cross-Site Scripting

Affected Software: Guest posting / Frontend Posting wordpress plugin – WP Front User Submit / Front Editor
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f34722fb-e852-4194-b839-7d885d212fc9>

NextGen GalleryView <= 0.5.5 - Reflected Cross-Site Scripting

Affected Software: WordPress NextGen GalleryView
CVE ID: CVE-2023-35098
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/043ed446-3af3-4d90-8da7-b1fe73e06bba>

CF7 Google Sheets Connector <= 5.0.1 - Reflected Cross-Site Scripting via 'code'

Affected Software/s: CF7 Google Sheets Connector Pro, CF7 Google Sheets Connector
CVE ID: CVE-2023-2320
CVSS Score: 6.1 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/1c6b2c4b-5ea5-471d-9114-d2b469b6c59b>

Elementor Forms Google Sheet Connector <= 1.0.6 - Reflected Cross-Site Scripting via 'code'

Affected Software/s: Elementor Forms Google Sheet Connector Pro, Elementor Forms Google Sheet Connector
CVE ID: CVE-2023-2324
CVSS Score: 6.1 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/3ac577f4-2e61-4b72-881e-6fbbfd268f7b>

WP Backup Manager <= 1.13.1 - Reflected Cross-Site Scripting

Affected Software: WP Backup Manager
CVE ID: CVE-2023-35775
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5ee3416b-d6df-4f8b-834b-4e78516c00ba>

WPForms Google Sheet Connector <= 3.4.5 - Reflected Cross-Site Scripting

Affected Software/s: WPForms Google Sheet Connector Pro, WPForms Google Sheet Connector
CVE ID: CVE-2023-2321
CVSS Score: 6.1 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/75067f95-48b6-4c1d-8d8b-2601185b1f81>

Recent Posts Slider <= 1.1 - Reflected Cross-Site Scripting

Affected Software: Recent Posts Slider
CVE ID: CVE-2023-35043
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/8bbc6aa7-0625-4689-8afe-d7399009ee53>

WP Affiliate Links <= 0.1.1 - Reflected Cross-Site Scripting

Affected Software: WP Affiliate Links
CVE ID: CVE-2023-35097
CVSS Score: 6.1 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ba4638be-29d3-4638-84d3-6a9d540bfa33>

Google Map Shortcode <= 3.1.2 - Reflected Cross-Site Scripting

Affected Software: Google Map Shortcode
CVE ID: CVE-2023-35772
CVSS Score: 6.1 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/cbd4983f-bf92-45c3-95a6-6f5e39bca228>

Church Admin <= 3.7.29 - Reflected Cross-Site Scripting

Affected Software: Church Admin
CVE ID: CVE-2023-34021
CVSS Score: 6.1 (Medium)
Researcher/s: Phd
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e85efdc1-cffc-411a-a2f7-6fa1132e2910>

LWS Tools <= 2.4.1 - Cross-Site Request Forgery

Affected Software: LWS Tools
CVE ID: CVE-2023-35774
CVSS Score: 5.4 (Medium)
Researcher/s: konagash
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/315dbb77-d872-4cc4-bb4c-9d4763a6ff8f>

LWS Cleaner <= 2.3.0 - Cross-Site Request Forgery

Affected Software: LWS Cleaner
CVE ID: CVE-2023-35781
CVSS Score: 5.4 (Medium)
Researcher/s: konagash
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b89c51fe-c056-4d85-a6e3-6678ed93b9d8>

Fat Rat Collect <= 2.6.1 - Missing Authorization

Affected Software: 胖鼠采集(Fat Rat Collect) 微信知乎简书腾讯新闻列表分页采集, 还有开源插件
CVE ID: CVE-2023-35045
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/279cebb5-4be4-485a-92c7-e0bcc961f93e>

Protect WP Admin <= 3.8 - Unauthenticated Information Disclosure to Protection Bypass

Affected Software: Protect WP Admin
CVE ID: CVE-2023-3139
CVSS Score: 5.3 (Medium)
Researcher/s: Daniel Ruf
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7012b34d-8d65-4575-9965-417739206b5f>

Forminator <= 1.23.3 - Race Condition to Multiple Poll Voting

Affected Software: Forminator – Contact Form, Payment Form & Custom Form Builder
CVE ID: CVE-2023-2010
CVSS Score: 5.3 (Medium)
Researcher/s: Amirmohammad vakili
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a40cb2da-dc13-4e20-9602-a4e6c2eade43>

CHP Ads Block Detector <= 3.9.4 - Authenticated (Subscriber+) Stored Cross-Site Scripting

Affected Software: CHP Ads Block Detector
CVE ID: CVE-2023-2354
CVSS Score: 4.9 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6f8514c9-0e11-4e26-ba0b-1d08a990b56c>

Seed Fonts 2.3.1 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Seed Fonts
CVE ID: CVE-2023-35779
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/57953bab-7430-4841-b073-7db7964e6a65>

ARMember <= 4.0.2 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup
CVE ID: CVE-2023-33323
CVSS Score: 4.4 (Medium)
Researcher/s: emad
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/668d4bd3-adde-4347-9169-67c3c96e1743>

Booking and Rental Manager <= 1.2.1 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Booking and Rental Manager for Bike | Car | Resort | Appointment | Dress and all Kinds of Equipment
CVE ID: CVE-2023-35048
CVSS Score: 4.4 (Medium)
Researcher/s: NeginNrb
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6e7c629f-e9c6-4254-ba37-46de5206d77d>

Login Configurator <= 2.1 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Login Configurator
CVE ID: CVE-2023-34369
CVSS Score: 4.4 (Medium)
Researcher/s: NeginNrb
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/74d3606f-bd62-4844-ac17-8e47feddab92>

Password Protected <= 2.6.2 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Password Protected
CVE ID: CVE-2023-32580
CVSS Score: 4.4 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/79c296b1-e385-404d-96c0-a98f10b89f08>

Flo Forms <= 1.0.40 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Flo Forms – Easy Drag & Drop Form Builder
CVE ID: CVE-2023-35095
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/bdd35d61-0777-4e64-8a51-55fe928e75ba>

Recent Posts Slider <= 1.1 - Cross-Site Request Forgery

Affected Software: Recent Posts Slider
CVE ID: CVE-2023-35778
CVSS Score: 4.3 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/0cf9c390-81d7-45d4-a6df-22b16235d11b>

MStore API <= 3.9.6 - Cross-Site Request Forgery to Product Limit Update

Affected Software: MStore API
CVE ID: CVE-2023-3203
CVSS Score: 4.3 (Medium)
Researcher/s: Truoc Phan
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/1aed51a2-9fd4-43bb-b72d-ae8e51ee6e87>

Zephyr Project Manager <= 3.3.93 - Cross-Site Request Forgery

Affected Software: Zephyr Project Manager
CVE ID: CVE-2023-34373
CVSS Score: 4.3 (Medium)
Researcher/s: Theodoros Malachias
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/236387f0-b58e-4ef1-b370-a0703a7902eb>

WP PDF Generator <= 1.2.2 - Cross-Site Request Forgery to PDF Settings Update

Affected Software: WP PDF Generator
CVE ID: CVE-2023-35038
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/28a4c868-a24d-4fd8-ae0e-d5c0bf3a7436>

Securimage-WP <= 3.6.16 - Cross-Site Request Forgery

Affected Software: Securimage-WP
CVE ID: CVE-2023-35044
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/36f41de5-50d5-47ca-bbd0-eca3b756a0cd>

MasterStudy LMS <= 3.0.7 - Missing Authorization to Course Category Creation

Affected Software: MasterStudy LMS WordPress Plugin – for Online Courses and Education
CVE ID: CVE-2023-35093
CVSS Score: 4.3 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/417ae2f2-e245-49bb-8b77-0eabf6095459>

CHP Ads Block Detector <= 3.9.4 - Missing Authorization to Plugin Settings Update

Affected Software: CHP Ads Block Detector
CVE ID: CVE-2023-2353
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/4eca64d7-6e33-4b8e-af37-a3e8bbf2b76f>

Zip Recipes <= 8.0.7 - Cross-Site Request Forgery

Affected Software: Recipe Maker For Your Food Blog from Zip Recipes
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/727a0649-082f-46d0-8d6f-de53ee7fb18e>

MStore API <= 3.9.6 - Cross-Site Request Forgery to Order Message Update

Affected Software: MStore API
CVE ID: CVE-2023-3200
CVSS Score: 4.3 (Medium)
Researcher/s: Truoc Phan
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/78f3c503-e255-44d2-8432-48dc2c5f553d>

Form Maker <= 1.15.16 - Missing Authorization in check_score

Affected Software: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7f0eac1e-4988-4b73-bf13-c959b0dc11e2>

Template Debugger <= 3.1.2 - Cross-Site Request Forgery

Affected Software: Template Debugger
CVE ID: CVE-2023-35773
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/8da0fed9-4b88-4b68-b317-124fe678cfa4>

Stock Manager for WooCommerce <= 2.10.0 - Cross-Site Request Forgery

Affected Software: Stock Manager for WooCommerce
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/99984fff-94e3-46fb-8241-88fcda556054>

myCred <= 2.5 - Cross-Site Request Forgery

Affected Software: myCred – Points, Rewards, Gamification, Ranks, Badges & Loyalty Plugin
CVE ID: CVE-2023-35096
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a3936c4b-2326-41dc-b7d6-a8cf43752ddb>

MStore API <= 3.9.6 - Cross-Site Request Forgery to Order Title Update

Affected Software: MStore API
CVE ID: CVE-2023-3199
CVSS Score: 4.3 (Medium)
Researcher/s: Truoc Phan
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a604df5d-92b3-4df8-a7ef-00f0ee95cf0f>

Constant Contact Forms <= 2.0.2 - Missing Authorization via constant_contact_privacy_ajax_handler

Affected Software: Constant Contact Forms
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b8a26695-4793-418b-9a23-6709fe79ea4f>

MStore API <= 3.9.6 - Cross-Site Request Forgery to Order Status Update

Affected Software: MStore API
CVE ID: CVE-2023-3198
CVSS Score: 4.3 (Medium)
Researcher/s: Truoc Phan
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c5f30190-4576-4c2b-b069-72501538733b>

MStore API <= 3.9.6 - Cross-Site Request Forgery to Order Title Update

Affected Software: MStore API
CVE ID: CVE-2023-3201
CVSS Score: 4.3 (Medium)
Researcher/s: Truoc Phan
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/cb5cb1a5-30d2-434f-90f9-d37aecfbe158>

MStore API <= 3.9.6 - Cross-Site Request Forgery to Firebase Server Key Update

Affected Software: MStore API
CVE ID: CVE-2023-3202
CVSS Score: 4.3 (Medium)
Researcher/s: Truoc Phan
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d2b3612e-3c91-469b-98ef-fdb03b0ee9d9>

CHP Ads Block Detector <= 3.9.4 - Cross-Site Request Forgery via chp_abd_action

Affected Software: CHP Ads Block Detector
CVE ID: CVE-2023-2352
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e5a9cced-0e5e-4b6e-8291-0a862c9f9523>

Galleria <= 1.0.3 - Cross-Site Request Forgery via showOptionsPage

Affected Software: Galleria
CVE ID: CVE-2023-35780
CVSS Score: 4.3 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ea85fa9a-78ea-4017-b72e-49db7eafa11e>

Recipe Maker For Your Food Blog from Zip Recipes <= 8.0.7 - Cross-Site Request Forgery

Affected Software: Recipe Maker For Your Food Blog from Zip Recipes
CVE ID: CVE-2023-35089
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ebd1483a-949d-4edb-9b86-007879d2d207>

WordPress Contact Forms by Cimatti <= 1.5.7 - Cross-Site Request Forgery via _accua_forms_form_edit_action

Affected Software: WordPress Contact Forms by Cimatti
CVE ID: CVE-2023-2563
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f80a1f13-c1b9-4259-8d96-71a3cbcaf4ca>

breadcrumb simple <= 1.3 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: breadcrumb simple
CVE ID: CVE-2023-35092
CVSS Score: 3.3 (Low)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/598e38d7-b5a9-43c1-b908-dab8bbe24115>


As a reminder, Wordfence has curated an industry-leading vulnerability database, known as Wordfence Intelligence, covering all known WordPress core, theme, and plugin vulnerabilities.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (June 12, 2023 to June 18, 2023) appeared first on Wordfence.
