
Wordfence Intelligence Weekly WordPress Vulnerability Report (Apr 17, 2023 to Apr 23, 2023)

2023-04-27 12:16:14
Chloe Chamberland
www.wordfence.com

CVSS3: 9.8 High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK | Attack Complexity: LOW | Privileges Required: NONE | User Interaction: NONE | Scope: UNCHANGED | Confidentiality Impact: HIGH | Integrity Impact: HIGH | Availability Impact: HIGH

CVSS2: 7.5 High
AV:N/AC:L/Au:N/C:P/I:P/A:P
Access Vector: NETWORK | Access Complexity: LOW | Authentication: NONE | Confidentiality Impact: PARTIAL | Integrity Impact: PARTIAL | Availability Impact: PARTIAL

EPSS: 0.002 Low (Percentile 53.2%)

Last week, 152 vulnerabilities disclosed in 134 WordPress plugins and 0 WordPress themes were added to the Wordfence Intelligence Vulnerability Database, and 41 vulnerability researchers contributed to WordPress security. More of last week's vulnerabilities are unpatched than patched, so it is more important than ever to review the vulnerabilities in this report now, confirm that your site is not affected, and make the appropriate adjustments if it is.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, including the WordPress community, so that individuals and organizations alike can use that data to make the internet more secure. That is why the Wordfence Intelligence user interface and vulnerability API are completely free to access and use, both personally and commercially, and why we are running this weekly vulnerability report.

Click here to sign up for our mailing list to receive weekly vulnerability reports like this one and important WordPress security reports in your inbox the moment they are published.


Total Unpatched & Patched Vulnerabilities Last Week

Patch Status | Number of Vulnerabilities
Unpatched | 81
Patched | 71

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating | Number of Vulnerabilities
Low Severity | 0
Medium Severity | 134
High Severity | 16
Critical Severity | 2

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE | Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 93
Cross-Site Request Forgery (CSRF) | 30
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 11
Missing Authorization | 10
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | 2
Deserialization of Untrusted Data | 2
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') | 1
Information Exposure | 1
Improper Access Control | 1
URL Redirection to Untrusted Site ('Open Redirect') | 1

Researchers That Contributed to WordPress Security Last Week

Researcher Name | Number of Vulnerabilities
Lana Codes | 30
Marco Wotschka | 11
Yuki Haruma | 9
yuyudhn | 7
Muhammad Daffa | 6
LEE SE HYOUNG | 6
Rio Darmawan | 6
Sajjad Shariati | 6
Shreya Pohekar | 5
minhtuanact | 5
Justiice | 4
Ramuel Gall | 4
TEAM WEBoB of BoB 11th | 3
Mika | 3
Ivan Kuzymchak | 3
Le Ngoc Anh | 3
Erwan LR | 3
Cat | 3
WPScanTeam | 2
Lokesh Dachepalli | 2
Nguyen Xuan Chien | 2
Joshua Martinelle | 1
Rafie Muhammad | 1
Rafshanzani Suhada | 1
Nguyen Huu Do | 1
Ryo Sato | 1
Skalucy | 1
Shezad Master | 1
zhangyunpei | 1
Yeting Li VARAS@IIE | 1
Ameen Alkurdy | 1
Nithissh S | 1
Chien Vuong | 1
thiennv | 1
Alexander Schmid | 1
cydave | 1
easyBug | 1
Daniel Ruf | 1
Alex Thomas | 1
deokhunKim | 1
Lucio Sá | 1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added to the Wordfence Intelligence leaderboard, along with a mention in our weekly vulnerability report.


WordPress Plugins with Reported Vulnerabilities Last Week

Software Name | Software Slug
AI ChatBot | chatbot
ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup | armember-membership
Accessibility Suite by Online ADA | online-accessibility
Accordion & FAQ – Helpie WordPress Frequently Asked Questions plugin | helpie-faq
Active Directory Integration / LDAP Integration | ldap-login-for-intranet-sites
ActiveCampaign – Forms, Site Tracking, Live Chat | activecampaign-subscription-forms
Ad Inserter – Ad Manager & AdSense Ads | ad-inserter
Album Gallery – WordPress Gallery | new-album-gallery
ApexChat | apexchat
Avirato hotels online booking engine | avirato-calendar
BBSpoiler | bbspoiler
BadgeOS | badgeos
Best Travel Booking WordPress Plugin, Tour Booking System, Trip Booking WordPress Plugin – Yatra | yatra
Bitcoin / AltCoin Payment Gateway for WooCommerce & Multivendor store / shop | woo-altcoin-payment-gateway
BizLibrary | bizlibrary
Booking calendar, Appointment Booking System | booking-calendar
Button Builder – Buttons X | buttons-x
CMP – Coming Soon & Maintenance Plugin by NiteoThemes | cmp-coming-soon-maintenance
CMS Tree Page View | cms-tree-page-view
Cab Grid | cab-grid
Captcha Them All | captcha-them-all
Category Specific RSS feed Subscription | category-specific-rss-feed-menu
Church Admin | church-admin
Clock In Portal- Staff & Attendance Management | clock-in-portal
Contact Form to DB by BestWebSoft – Messages Database Plugin For WordPress | contact-form-to-db
Continuous announcement scroller | continuous-announcement-scroller
Custom Post Type List Shortcode | custom-post-type-list-shortcode
Customer Support Software, Live Chat, & Marketing Automation | formilla-chat-and-marketing
Dave's WordPress Live Search | daves-wordpress-live-search
Donation Forms by Charitable – Donations Plugin & Fundraising Platform for WordPress | charitable
EZP Maintenance Mode | easy-pie-maintenance-mode
Easy Ad Manager | easy-ad-manager
Easy Slider Revolution | easy-slider-revolution
Ebook Store | ebook-store
Email posts to subscribers | email-posts-to-subscribers
Enable/Disable Auto Login when Register | auto-login-when-resister
Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates | essential-blocks
File Gallery | file-gallery
Flyzoo Chat | flyzoo
Form Block | form-block
FormCraft – Contact Form Builder for WordPress | formcraft-form-builder
Formilla Edge Targeted Messaging Platform for Sales and Marketing | formilla-edge
Freshdesk (official) | freshdesk-support
GDPR Compliance & Cookie Consent | gdpr-compliance-cookie-consent
Gallery Metabox | gallery-metabox
Google Analytics Top Content Widget | google-analytics-top-posts-widget
Gps Plotter | gps-plotter
Help Desk WP | helpdeskwp
Image Optimizer by 10web – Image Optimizer and Compression plugin | image-optimizer-wd
Japanized For WooCommerce | woocommerce-for-japan
Jetpack CRM – Clients, Leads, Invoices, Billing, Email Marketing, & Automation | zero-bs-crm
Kaya QR Code Generator | kaya-qr-code-generator
Kiwiz - Certification de facturation - Woocommerce | woocommerce-gateway-certification-de-facture-et-gestion-de-pdf-kiwiz
Kodex Posts likes | kodex-posts-likes
LIQUID SPEECH BALLOON | liquid-speech-balloon
Layer Slider | slider-slideshow
LearnPress Export Import – WordPress extension for LearnPress | learnpress-import-export
Live Chat by Formilla – Real-time Chat & Chatbots Plugin | formilla-live-chat
Locatoraid Store Locator | locatoraid
Login Page Styler Custom Login |
Mail Subscribe List | mail-subscribe-list
Mega Addons For WPBakery Page Builder | mega-addons-for-visual-composer
Membership Database | member-database
Modal Dialog | modal-dialog
Motors – Car Dealer, Classifieds & Listing | motors-car-dealership-classified-listings
NEX-Forms – Ultimate Form Builder – Contact forms and much more | nex-forms-express-wp-form-builder
Ninja Tables – Best Data Table Plugin for WordPress | ninja-tables
OoohBoi Steroids for Elementor | ooohboi-steroids-for-elementor
Panorama – WordPress Project Management Plugin | project-panorama-lite
Post Shortcode | post-shortcode
PowerPress Podcasting plugin by Blubrry | powerpress
Pretty Url | pretty-url
Product Slider For WooCommerce Lite | product-slider-for-woocommerce-lite
PropertyHive | propertyhive
Query Wrangler | query-wrangler
RapidExpCart | rapidexpcart
Redirect After Login | redirect-after-login
Reservation.Studio widget | reservation-studio-widget
Responsive Filterable Portfolio | responsive-filterable-portfolio
ReviewX – Multi-criteria Rating & Reviews for WooCommerce | reviewx
Robokassa payment gateway for Woocommerce | robokassa
Semalt Blocker | semalt
ShopEngine – Elementor WooCommerce Builder Addons, Variation Swatches, Wishlist, Products Compare – All in One Solution | shopengine
Shortcode IMDB | shortcode-imdb
Simple Share Buttons Adder | simple-share-buttons-adder
Simple Tooltips | simple-tooltips
SiteAlert – Uptime, Speed, and Security Monitoring for WordPress | my-wp-health-check
Sloth Logo Customizer | sloth-logo-customizer
Smart WooCommerce Search | smart-woocommerce-search
Social Share Boost | social-share-boost
SparkPost | sparkpost
Stock Exporter for WooCommerce | stock-exporter-for-woocommerce
Stream | stream
Subscribers – Free Web Push Notifications | subscribers-com
Tablesome – Data table & Workflow Automation ( Contact Form Entries, Email Log, OpenAI / ChatGPT ) | tablesome
TaxoPress is the WordPress Tag, Category, and Taxonomy Manager | simple-tags
The School Management – Education & Learning Management | school-management-system
Themify Portfolio Post | themify-portfolio-post
Thumbnail carousel slider | wp-responsive-thumbnail-slider
Uji Popup | uji-popup
Ultimate Carousel For Elementor | ultimate-carousel-for-elementor
Ultimate Carousel For WPBakery Page Builder | ultimate-carousel-for-visual-composer
Update Image Tag Alt Attribute | update-alt-attribute
Verified Reviews (Avis Vérifiés) | netreviews
Video Grid | video-grid
Video List Manager | video-list-manager
Visual CSS Style Editor | yellow-pencil-visual-theme-customizer
WCP Contact Form | wcp-contact-form
WP Cerber Security, Anti-spam & Malware Scan | wp-cerber
WP Custom Author URL | wp-custom-author-url
WP Docs | wp-docs
WP Links Page | wp-links-page
WP Login Box | wp-login-box
WP Original Media Path | wp-original-media-path
WP Popups – WordPress Popup builder | wp-popups-lite
WP Responsive Tabs horizontal vertical and accordion Tabs | responsive-horizontal-vertical-and-accordion-tabs
WP-FormAssembly | formassembly-web-forms
WP-dTree | wp-dtree-30
WPJAM Basic | wpjam-basic
White Label Branding for Elementor Page Builder | white-label-branding-elementor
WooCommerce Easy Duplicate Product | woo-easy-duplicate-product
WooCommerce Order Status Change Notifier | woocommerce-order-status-change-notifier
Woocommerce Email Report | wooemailreport
Woocommerce Products Designer by ORION – online product customizer for t-shirts, print cards, phone cases Lettering & Decals | woocommerce-products-designer
WordPress Header Builder Plugin – Pearl | pearl-header-builder
Wp-D3 | wp-d3
YARPP – Yet Another Related Posts Plugin | yet-another-related-posts-plugin
YML for Yandex Market | yml-for-yandex-market
YourChannel: Everything you want in a YouTube plugin. | yourchannel
Zendesk Support for WordPress | zendesk
eRocket | erocket
f(x) TOC | fx-toc
miniOrange's Google Authenticator – WordPress Two Factor Authentication (2FA , Two Factor, OTP SMS and Email) Passwordless login |
vSlider Multi Image Slider for WordPress | vslider

Vulnerability Details

Email posts to subscribers <= 6.2 - Unauthenticated SQL Injection

Affected Software: Email posts to subscribers
CVE ID: CVE-2022-46818
CVSS Score: 9.8 (Critical)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/51f73041-927d-42da-92cc-14242a397356


Bitcoin / AltCoin Payment Gateway for WooCommerce <= 1.7.1 - Unauthenticated SQL Injection

Affected Software: Bitcoin / AltCoin Payment Gateway for WooCommerce & Multivendor store / shop
CVE ID: CVE-2022-4118
CVSS Score: 9.8 (Critical)
Researcher/s: cydave
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a4e1315b-31e5-428c-9a48-6185b4eeb2fc


ReviewX – Multi-criteria Rating & Reviews for WooCommerce <= 1.6.8 - Authenticated (Subscriber+) SQL Injection

Affected Software: ReviewX – Multi-criteria Rating & Reviews for WooCommerce
CVE ID: CVE-2023-26325
CVSS Score: 8.8 (High)
Researcher/s: Joshua Martinelle
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/072092ef-17bc-4b8b-bf8b-bd69a761c56a


YARPP <= 5.30.2 - Authenticated (Subscriber+) Local File Inclusion

Affected Software: YARPP – Yet Another Related Posts Plugin
CVE ID: CVE-2022-45374
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1091862b-784b-496f-a951-6784544cb51b


Accessibility Suite by Online ADA <= 4.11 - Authenticated (Subscriber+) SQL Injection

Affected Software: Accessibility Suite by Online ADA
CVE ID: CVE-2022-47420
CVSS Score: 8.8 (High)
Researcher/s: minhtuanact
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/71c21af1-a007-4535-98ea-a6f25142bcf6


Avirato hotels online booking engine <= 5.0.5 - Authenticated (Subscriber+) SQL Injection

Affected Software: Avirato hotels online booking engine
CVE ID: CVE-2023-0768
CVSS Score: 8.8 (High)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b62fb1a8-d62d-4d1f-bcce-a081432b9e61


Contact Form to DB by BestWebSoft <= 1.7.0 - Authenticated (Contributor+) SQL Injection via cntctfrmtdb_department

Affected Software: Contact Form to DB by BestWebSoft – Messages Database Plugin For WordPress
CVE ID: CVE-2023-29096
CVSS Score: 8.8 (High)
Researcher/s: easyBug
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ba317acb-d45c-42c0-b5fb-b163bcd59340


Kiwiz - Certification de facturation - Woocommerce <= 2.1.3 - Unauthenticated Arbitrary File Download

Affected Software: Kiwiz - Certification de facturation - Woocommerce
CVE ID: CVE-2023-2180
CVSS Score: 7.5 (High)
Researcher/s: WPScanTeam
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/603f0c9d-6964-4911-b4a5-bdad24a1a8dd


miniOrange's Google Authenticator <= 5.6.5 - Missing Authorization to Plugin Settings Change

Affected Software: miniOrange's Google Authenticator – WordPress Two Factor Authentication (2FA , Two Factor, OTP SMS and Email) | Passwordless login
CVE ID: CVE-2022-4943
CVSS Score: 7.5 (High)
Researcher/s: Ramuel Gall
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7267ede1-7745-47cc-ac0d-4362140b4c23


Jetpack CRM <= 5.3.1 - Cross-Site Request Forgery and PHAR Deserialization

Affected Software: Jetpack CRM – Clients, Leads, Invoices, Billing, Email Marketing, & Automation
CVE ID: CVE-2022-3342
CVSS Score: 7.5 (High)
Researcher/s: Ramuel Gall
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/98ab264f-b210-41d0-bb6f-b4f31d933f80


The School Management – Education & Learning Management <= 4.1 - Authenticated (Administrator+) SQL Injection

Affected Software: The School Management – Education & Learning Management
CVE ID: CVE-2022-47430
CVSS Score: 7.2 (High)
Researcher/s: minhtuanact
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1268bdb9-7f80-4fdc-a95a-d51b0ab83e17


Ad Inserter <= 2.7.25 - Authenticated (Admin+) PHP Object Injection

Affected Software: Ad Inserter – Ad Manager & AdSense Ads
CVE ID: CVE-2023-1549
CVSS Score: 7.2 (High)
Researcher/s: Nguyen Huu Do
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1c94028c-a774-45ac-817d-ad9b966a3b51


Shortcode IMDB <= 6.0.8 - Authenticated (Administrator+) SQL Injection

Affected Software: Shortcode IMDB
CVE ID: CVE-2022-47432
CVSS Score: 7.2 (High)
Researcher/s: minhtuanact
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3ae6bf2e-b39a-4bb3-9203-22ff4c23ddf4


WP Cerber Security <= 9.1 - Unauthenticated Stored Cross-Site Scripting

Affected Software: WP Cerber Security, Anti-spam & Malware Scan
CVE ID: CVE-2022-4712
CVSS Score: 7.2 (High)
Researcher/s: Ramuel Gall
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6cd9cbba-10b0-4fb0-ad49-4593a307a615


Video List Manager <= 1.7 - Authenticated (Admin+) SQL Injection

Affected Software: Video List Manager
CVE ID: CVE-2023-1408
CVSS Score: 7.2 (High)
Researcher/s: zhangyunpei, Yeting Li VARAS@IIE
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8b2d42ab-46c1-4c3e-b99a-1cdcade1b5bb


Help Desk WP <= 1.2.0 - Authenticated (Editor+) Stored Cross-Site Scripting

Affected Software: Help Desk WP
CVE ID: CVE-2023-1019
CVSS Score: 7.2 (High)
Researcher/s: Ameen Alkurdy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8ec5173b-7b0d-4887-8c13-f48137aa8593


Booking calendar, Appointment Booking System <= 3.2.6 - Authenticated (Administrator+) SQL Injection via *_selected

Affected Software: Booking calendar, Appointment Booking System
CVE ID: CVE-2022-47428
CVSS Score: 7.2 (High)
Researcher/s: thiennv
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9c44b6e5-7fb2-402e-8c8c-79d811ff0e9a


NEX-Forms <= 8.3.3 - Authenticated (Administrator+) SQL Injection

Affected Software: NEX-Forms – Ultimate Form Builder – Contact forms and much more
CVE ID: CVE-2023-2114
CVSS Score: 7.2 (High)
Researcher/s: Alexander Schmid
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9d19be8b-3e0b-4d74-97e0-f17132d2d34c


Ebook Store <= 5.775 - Missing Authorization via ebook_store_export_orders

Affected Software: Ebook Store
CVE ID: CVE-2023-22701
CVSS Score: 6.5 (Medium)
Researcher/s: yuyudhn
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d4b17cce-bb52-4125-8c85-6da15517275f


f(x) TOC <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: f(x) TOC
CVE ID: CVE-2023-0490
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/09479df1-ff7e-4df8-9aea-8c7622ecea4e


Easy Slider Revolution <= 1.0.0 - Authenticated (Author+) Stored Cross-Site Scripting via esrcpt_slider_allow_iframes_filter

Affected Software: Easy Slider Revolution
CVE ID: CVE-2023-28622
CVSS Score: 6.4 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/14a20f9c-cf5a-4d57-b723-ad29a12c8881


Button Builder – Buttons X <= 0.8.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Button Builder – Buttons X
CVE ID: CVE-2023-23867
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1aea8fe3-7c75-4d3a-847a-ce0d1f9700f1


Uji Popup <= 1.4.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via uji_popup_code shortcode

Affected Software: Uji Popup
CVE ID: CVE-2023-23641
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1e81208c-771f-409e-b665-b07def0ca774


WPJAM Basic <= 6.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: WPJAM Basic
CVE ID: CVE-2023-23709
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2a5ccc0b-a80a-41df-991c-5c356eb10512


ActiveCampaign – Forms, Site Tracking, Live Chat <= 8.1.11 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: ActiveCampaign – Forms, Site Tracking, Live Chat
CVE ID: CVE-2023-0233
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/47e25cfa-fedf-413a-bfe7-18a1de429bc3


Mail Subscribe List <= 2.1.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via smlsubform shortcode

Affected Software: Mail Subscribe List
CVE ID: CVE-2023-23657
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/55b39859-b8a0-418b-ae7a-cd42d6e0bf00


BBSpoiler <= 2.01 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: BBSpoiler
CVE ID: CVE-2023-23873
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/789497b1-36cf-4de2-bca0-52c0c2a08f72


Product Slider For WooCommerce Lite <= 1.1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Meta Keys

Affected Software: Product Slider For WooCommerce Lite
CVE ID: CVE-2023-0537
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8159ee7c-69ac-4422-ba8b-664f1fee8e07


Wp-D3 <= 2.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Wp-D3
CVE ID: CVE-2023-0536
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/89409461-c87e-4882-bf53-cc789e459b4f


Social Share Boost <= 4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via ssboost shortcode

Affected Software: Social Share Boost
CVE ID: CVE-2023-23688
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9290532f-58d7-4e7d-9fa0-89c7f82b0466


WP Links Page <= 4.9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: WP Links Page
CVE ID: CVE-2023-22720
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9ef3297d-8686-44aa-ac73-793b644be3f2


WP-FormAssembly <= 2.0.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: WP-FormAssembly
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a3b164e0-de2e-40d5-935e-31f5bebd87cf


Mega Addons For WPBakery Page Builder <= 4.2.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Mega Addons For WPBakery Page Builder
CVE ID: CVE-2023-0268
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a443b20e-1686-4519-890d-e6f1838fb05c


WP Popups – WordPress Popup builder <= 2.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: WP Popups – WordPress Popup builder
CVE ID: CVE-2023-1905
CVSS Score: 6.4 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a9747cda-735c-4087-8c4d-9c445c6d1596


Ultimate Carousel For Elementor <= 2.1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Ultimate Carousel For Elementor
CVE ID: CVE-2023-0280
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b0e35280-0c2a-4fe1-bfbe-3321338ff1a5


Custom Post Type List Shortcode <= 1.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Custom Post Type List Shortcode
CVE ID: CVE-2023-0542
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b702f507-475a-4d45-8bb1-635f5f377c88


File Gallery <= 1.8.5.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via file_gallery_shortcode

Affected Software: File Gallery
CVE ID: CVE-2023-23676
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c11be4ba-1bed-4234-b475-468394b7be90


Ultimate Carousel For WPBakery Page Builder <= 2.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Ultimate Carousel For WPBakery Page Builder
CVE ID: CVE-2023-0267
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c97fc289-1ee3-4401-a57e-b4c8d998259e


FormCraft <= 1.2.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via fcb shortcode

Affected Software: FormCraft – Contact Form Builder for WordPress
CVE ID: CVE-2023-22717
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cf17a817-6f61-43d5-9da2-58fbbef458d9


Post Shortcode <= 2.0.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Post Shortcode
CVE ID: CVE-2023-0526
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f3e1d66d-34cf-491c-8a07-0f9efd3c9669


Kaya QR Code Generator <= 1.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via qrCode attribute

Affected Software: Kaya QR Code Generator
CVE ID: CVE-2023-30784
CVSS Score: 6.4 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f4f0bb58-d904-4bf4-9e15-4ee6289c2df4


vSlider Multi Image Slider <= 4.1.2 - Cross-Site Request Forgery

Affected Software: vSlider Multi Image Slider for WordPress
CVE ID: CVE-2023-22672
CVSS Score: 6.3 (Medium)
Researcher/s: minhtuanact
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/14376064-13c4-4874-afea-395af2a1933d


WP Docs <= 1.9.8 - Missing Authorization via multiple AJAX actions

Affected Software: WP Docs
CVE ID: CVE-2023-30873
CVSS Score: 6.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/45a870f4-7ad1-447b-81ea-5d9e9b67b1bb


Membership Database <= 1.0 - Reflected Cross-Site Scripting

Affected Software: Membership Database
CVE ID: CVE-2023-0514
CVSS Score: 6.1 (Medium)
Researcher/s: Shreya Pohekar
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/07ede585-c0d2-4643-9c36-7b5da5f721bd


CMS Tree Page View <= 1.6.7 - Reflected Cross-Site Scripting

Affected Software: CMS Tree Page View
CVE ID: CVE-2023-30868
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/19796773-3d5f-458d-aab1-743b6835c71b


Church Admin <= 3.7.5 - Reflected Cross-Site Scripting

Affected Software: Church Admin
CVE ID: CVE-2023-30782
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2204017a-0363-4f2f-909a-e0826463477c


Update Image Tag Alt Attribute <= 2.4.5 - Reflected Cross-Site Scripting

Affected Software: Update Image Tag Alt Attribute
CVE ID: CVE-2023-27455
CVSS Score: 6.1 (Medium)
Researcher/s: Skalucy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/25b13322-d305-45db-8ac7-20762398dc21


Charitable <= 1.7.0.10 - Reflected Cross-Site Scripting

Affected Software: Donation Forms by Charitable – Donations Plugin & Fundraising Platform for WordPress
CVE ID: CVE-2022-47441
CVSS Score: 6.1 (Medium)
Researcher/s: TEAM WEBoB of BoB 11th
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2b3b9576-7c7d-4665-92d5-03aa292cdbbe


WCP Contact Form <= 3.1.0 - Reflected Cross-Site Scripting via tab parameter

Affected Software: WCP Contact Form
CVE ID: CVE-2023-22703
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/33fd4542-0a46-4779-be02-d713dcbc8f96


Google Analytics Top Content Widget <= 1.5.5 - Reflected Cross-Site Scripting

Affected Software: Google Analytics Top Content Widget
CVE ID: CVE-2015-10101
CVSS Score: 6.1 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4522480a-dfbf-4ff4-93c2-68b8cc15367c


RapidExpCart <= 1.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Affected Software: RapidExpCart
CVE ID: CVE-2023-0520
CVSS Score: 6.1 (Medium)
Researcher/s: Shreya Pohekar
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/52fde632-f3a4-48d5-8c2c-c42b9d20dcb7


ChatBot <= 4.4.4 - Unauthenticated Stored Cross-Site Scripting via Cross-Site Request Forgery

Affected Software: AI ChatBot
CVE ID: CVE-2023-1011
CVSS Score: 6.1 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/56fad8de-6646-4305-83a9-0ed443c3aa7d


WooCommerce Easy Duplicate Product <= 0.3.0.0 - Reflected Cross-Site Scripting via wedp_duplicated

Affected Software: WooCommerce Easy Duplicate Product
CVE ID: CVE-2023-30747
CVSS Score: 6.1 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8b06d68e-153d-4cee-94d5-cbeac7468665


Tablesome <= 1.0.8 - Reflected Cross-Site Scripting

Affected Software: Tablesome – Data table & Workflow Automation ( Contact Form Entries, Email Log, OpenAI / ChatGPT )
CVE ID: CVE Unknown
CVSS Score: 6.1 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8d769308-6273-4ed2-b64a-d9f065de4cce


YellowPencil Visual CSS Style Editor <= 7.5.8 - Reflected Cross-Site Scripting via liveLink

Affected Software: Visual CSS Style Editor
CVE ID: CVE-2022-33961
CVSS Score: 6.1 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/967ff273-33f3-4580-928a-7764583429aa


Sloth Logo Customizer <= 2.0.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Affected Software: Sloth Logo Customizer
CVE ID: CVE-2023-0603
CVSS Score: 6.1 (Medium)
Researcher/s: Nithissh S
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/974f14e8-1a59-4ba5-8806-b4d8b135315e


Modal Dialog <= 3.5.14 - Reflected Cross-Site Scripting

Affected Software: Modal Dialog
CVE ID: CVE-2023-31071
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/99140d47-88bb-48a1-863a-93a558541800


Thumbnail carousel slider <= 1.1.9 - Reflected Cross-Site Scripting

Affected Software: Thumbnail carousel slider
CVE ID: CVE-2023-1915
CVSS Score: 6.1 (Medium)
Researcher/s: Chien Vuong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/99711f41-d21b-4725-acc8-9542283daf12


Yml for Yandex Market <= 3.10.7 - Reflected Cross-Site Scripting

Affected Software: YML for Yandex Market
CVE ID: CVE-2023-30473
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a823a21e-78b5-4186-bb67-88799509970d>


Woocommerce Email Report <= 2.4 - Unauthenticated Cross-Site Scripting

Affected Software: Woocommerce Email Report
CVE ID: CVE-2023-27627
CVSS Score: 6.1 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/abdbee50-b8c3-4254-a828-37629a798c92>


Stock Exporter for WooCommerce <= 1.1.0 - Reflected Cross-Site Scripting

Affected Software: Stock Exporter for WooCommerce
CVE ID: CVE-2023-30871
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b65184e6-8072-4dd7-8291-c92817e55beb>


Query Wrangler <= 1.5.51 - Reflected Cross-Site Scripting via page parameter

Affected Software: Query Wrangler
CVE ID: CVE-2023-30779
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c79d781e-4c11-43e9-8c5f-aa89e8fbf635>


Video Grid <= 1.21 - Reflected Cross-Site Scripting

Affected Software: Video Grid
CVE ID: CVE-2023-30785
CVSS Score: 6.1 (Medium)
Researcher/s: yuyudhn
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c92e166d-2ede-4280-a875-d30c0cf6f467>


RapidExpCart <= 1.0 - Authenticated (Level 8/Administrator+) Stored Cross-Site Scripting

Affected Software: RapidExpCart
CVE ID: CVE-2023-0520
CVSS Score: 6.1 (Medium)
Researcher/s: Shreya Pohekar
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/cc1e480c-577a-467a-8297-747512286a39>


Video Grid <= 1.21 - Reflected Cross-Site Scripting

Affected Software: Video Grid
CVE ID: CVE Unknown
CVSS Score: 6.1 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/db5247ad-dbbf-4d8e-92f5-3a673b97d080>


Responsive Filterable Portfolio <= 1.0.19 - Reflected Cross-Site Scripting

Affected Software: Responsive Filterable Portfolio
CVE ID: CVE-2023-2119
CVSS Score: 6.1 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e67dfe0f-ac1c-4a78-bfc9-0cfd6c3040d4>


Japanized For WooCommerce <= 2.5.6 - Reflected Cross-Site Scripting

Affected Software: Japanized For WooCommerce
CVE ID: CVE-2023-0948
CVSS Score: 6.1 (Medium)
Researcher/s: Erwan LR
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ea7d643c-3388-469f-b4a9-5c68341e2af0>


PropertyHive <= 1.5.48 - Reflected Cross-Site Scripting via date_post_id

Affected Software: PropertyHive
CVE ID: CVE-2023-22706
CVSS Score: 6.1 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ea82e978-a653-4ae3-94aa-bc77b94a176c>


Thumbnail carousel slider <= 1.1.9 - Reflected Cross-Site Scripting

Affected Software: Thumbnail carousel slider
CVE ID: CVE-2023-2120
CVSS Score: 6.1 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f4bf4e12-5cbb-45bc-938e-62163baaa15d>


ARMember <= 4.0 - Reflected Cross-Site Scripting

Affected Software: ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup
CVE ID: CVE-2022-47140
CVSS Score: 6.1 (Medium)
Researcher/s: TEAM WEBoB of BoB 11th
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/fd22babc-f1a9-4f50-9756-fe692105dca3>


WP Responsive Tabs horizontal vertical and accordion Tabs <= 1.1.15 - Reflected Cross-Site Scripting

Affected Software: WP Responsive Tabs horizontal vertical and accordion Tabs
CVE ID: CVE-2023-2184
CVSS Score: 6.1 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/fe54c37f-1421-48aa-b502-045847d13ae3>


Themify Portfolio Post <= 1.2.2 - Authenticated (Editor+) Stored Cross-Site Scripting

Affected Software: Themify Portfolio Post
CVE ID: CVE-2022-32970
CVSS Score: 5.5 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/0f3c3629-b7a9-4f83-a821-64119ed662ce>


TaxoPress <= 3.6.4 - Authenticated (Editor+) Stored Cross-Site Scripting

Affected Software: TaxoPress is the WordPress Tag, Category, and Taxonomy Manager
CVE ID: CVE-2023-2168
CVSS Score: 5.5 (Medium)
Researcher/s: Ivan Kuzymchak
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/1c051bfd-2754-4faf-8062-91752555166c>


TaxoPress <= 3.6.4 - Authenticated (Editor+) Stored Cross-Site Scripting

Affected Software: TaxoPress is the WordPress Tag, Category, and Taxonomy Manager
CVE ID: CVE-2023-2169
CVSS Score: 5.5 (Medium)
Researcher/s: Ivan Kuzymchak
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/52574d99-1ffe-4152-bf13-9cdd11d7300a>


YourChannel <= 1.2.5 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: YourChannel: Everything you want in a YouTube plugin.
CVE ID: CVE-2023-1869
CVSS Score: 5.5 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a81d5615-0b96-4d89-a525-7e80a10a9317>


TaxoPress <= 3.6.4 - Authenticated (Editor+) Stored Cross-Site Scripting

Affected Software: TaxoPress is the WordPress Tag, Category, and Taxonomy Manager
CVE ID: CVE-2023-2170
CVSS Score: 5.5 (Medium)
Researcher/s: Ivan Kuzymchak
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e98ed932-4e4c-4127-ae72-500e2a34f371>


Motors – Car Dealer & Classified Ads <= 1.4.4 - Cross-Site Request Forgery via Multiple Functions

Affected Software: Motors – Car Dealer, Classifieds & Listing
CVE ID: CVE-2022-38716
CVSS Score: 5.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/0ca9e920-3c7a-4991-8c24-2e55c4f4767c>


LearnPress - Export/Import Courses <= 4.0.2 - Reflected Cross-Site Scripting

Affected Software: LearnPress Export Import – WordPress extension for LearnPress
CVE ID: CVE-2023-30487
CVSS Score: 5.4 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/1322e229-5e0b-4c3d-ae96-e211a2831842>


PowerPress <= 10.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: PowerPress Podcasting plugin by Blubrry
CVE ID: CVE-2023-30778
CVSS Score: 5.4 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/1c40c28f-554f-42d0-9f6d-a899d8f61519>


Smart WooCommerce Search <= 2.5.0 - Missing Authorization

Affected Software: Smart WooCommerce Search
CVE ID: CVE-2023-30783
CVSS Score: 5.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/59931266-766f-42d2-bcde-04d694a444b0>


ShopEngine <= 4.1.1 - Cross-Site Request Forgery

Affected Software: ShopEngine – Elementor WooCommerce Builder Addons, Variation Swatches, Wishlist, Products Compare – All in One Solution
CVE ID: CVE-2022-45371
CVSS Score: 5.4 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/94abb34a-4451-4f41-ba23-d2a723e5a2e7>


Freshdesk (official) <= 1.7 - Open Redirect

Affected Software: Freshdesk (official)
CVE ID: CVE-2015-10102
CVSS Score: 5.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d6f20fc3-41e5-4220-ac8b-54eb11719f07>


Locatoraid Store Locator <= 3.9.14 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Locatoraid Store Locator
CVE ID: CVE-2023-2031
CVSS Score: 5.4 (Medium)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/dba0a90b-f13c-4914-b6b7-278227ffc122>


Active Directory Integration / LDAP Integration <= 4.1.0 - Unauthenticated Information Disclosure

Affected Software: Active Directory Integration / LDAP Integration
CVE ID: CVE-2023-0812
CVSS Score: 5.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/2568018b-29f3-4261-ae0d-658ca9d96846>


CMP – Coming Soon & Maintenance <= 4.1.7 - Maintenance Mode Bypass

Affected Software: CMP – Coming Soon & Maintenance Plugin by NiteoThemes
CVE ID: CVE-2023-2159
CVSS Score: 5.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/af955f69-b18c-446e-b05e-6a57a5f16dfa>


Helpie FAQ <= 1.9.6 - Reflected Cross-Site Scripting

Affected Software: Accordion & FAQ – Helpie WordPress Frequently Asked Questions plugin
CVE ID: CVE Unknown
CVSS Score: 4.7 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f389f4bf-ffff-4862-b4e2-4465ca0556ef>


Formilla Live Chat <= 1.3.0 - Authenticated (Administrator+) Cross-Site Scripting via 'FormillaID'

Affected Software: Live Chat by Formilla – Real-time Chat & Chatbots Plugin
CVE ID: CVE-2023-23727
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/044e110d-2435-41b8-8aec-917c329b944c>


Dave's WordPress Live Search <= 4.8.1 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Dave's WordPress Live Search
CVE ID: CVE-2023-30876
CVSS Score: 4.4 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/046ecbe5-4b2f-40d3-8585-4d4230ba33f0>


Yatra <= 2.1.13 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Best Travel Booking WordPress Plugin, Tour Booking System, Trip Booking WordPress Plugin – Yatra
CVE ID: CVE-2022-47436
CVSS Score: 4.4 (Medium)
Researcher/s: TEAM WEBoB of BoB 11th
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/07372843-f7d3-4ae4-96b4-ef3f475504ff>


Ebook Store <= 5.775 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Ebook Store
CVE ID: CVE-2023-22690
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/097f6887-e15f-4e35-ab12-1115630e13cc>


WP Original Media Path <= 2.4.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

Affected Software: WP Original Media Path
CVE ID: CVE-2023-23674
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/277eb517-c949-41e9-becf-af056fd32f35>


Verified Reviews (Avis Vérifiés) <= 2.3.13 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Verified Reviews (Avis Vérifiés)
CVE ID: CVE-2023-23720
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/3044dbfc-e12d-47e0-a297-67ff0510eded>


Login Page Styler <= 6.2 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Login Page Styler | Custom Login | Custom WP Admin Login Page | Admin Security | Admin Protection | Login Page Customizer | Admin Login | Login Security | Login Redirect | Theme Login | Login Menu | Login Form | Admin Dashboard | Change Login Logo | Login
CVE ID: CVE-2022-46861
CVSS Score: 4.4 (Medium)
Researcher/s: Justiice
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/4d70cd0a-5c30-4a9b-81e8-e465d1e8f2b0>


WP Custom Author URL <= 1.0.4 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: WP Custom Author URL
CVE ID: CVE-2023-1614
CVSS Score: 4.4 (Medium)
Researcher/s: Shreya Pohekar
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/4f3a57ce-eead-4631-93da-ba1a0a33ec2d>


Formilla Edge <= 1.0 - Authenticated (Administrator+) Cross-Site Scripting via 'FormillaPluginID'

Affected Software: Formilla Edge Targeted Messaging Platform for Sales and Marketing
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/59f7a1b2-f718-40e7-8030-b9212edf71b7>


Captcha Them All <= 1.3.3 - Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: Captcha Them All
CVE ID: CVE-2023-30786
CVSS Score: 4.4 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5e2c83b6-3444-4cd1-82ec-567937c563b9>


WP Login Box <= 2.0.2 - Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: WP Login Box
CVE ID: CVE-2023-0544
CVSS Score: 4.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/66c58d4c-8c36-40af-827d-0e86f2110e3c>


Subscribers – Free Web Push Notifications <= 1.5.3 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Subscribers – Free Web Push Notifications
CVE ID: CVE-2023-22684
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/66e78219-b3fd-40e9-a58c-8e27ef3c5e4a>


Pretty Url <= 1.5.4 - Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: Pretty Url
CVE ID: CVE-2023-2009
CVSS Score: 4.4 (Medium)
Researcher/s: Shezad Master
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6f54fb59-03c1-45e9-a498-1fa1409c4466>


Flyzoo Chat <= 2.3.3 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Flyzoo Chat
CVE ID: CVE-2022-46817
CVSS Score: 4.4 (Medium)
Researcher/s: Justiice
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/74ea8f1e-d6ff-4a32-b8bf-5d4c8e69433e>


Robokassa payment gateway for Woocommerce <= 1.4.5 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Robokassa payment gateway for Woocommerce
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/75824b96-8674-4340-9e56-b0cb0f52503d>


White Label Branding for Elementor Page Builder <= 1.0.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

Affected Software: White Label Branding for Elementor Page Builder
CVE ID: CVE-2023-23683
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/8e187b71-860e-4404-bbe2-193c6ecfd485>


Category Specific RSS feed Subscription <= v2.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

Affected Software: Category Specific RSS feed Subscription
CVE ID: CVE-2023-22685
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/9ac9c146-5065-46fc-b2ae-20b820a8016b>


Formilla Chat and Marketing Automation <= 1.0 - Authenticated (Administrator+) Cross-Site Scripting via 'FormillaToolsID'

Affected Software: Customer Support Software, Live Chat, & Marketing Automation
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a5436d14-cbb5-420f-9f3a-698ce59c1e1e>


Semalt Blocker <= 1.1.3 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Semalt Blocker
CVE ID: CVE-2023-23794
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a658d150-bcd5-4334-b07a-e09b3995169d>


SparkPost <= 3.2.5 - Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

Affected Software: SparkPost
CVE ID: CVE-2023-23654
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ab86ddc9-9b43-4949-b150-7b944bc40558>


EZP Maintenance Mode <= 1.0.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

Affected Software: EZP Maintenance Mode
CVE ID: CVE-2023-23682
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ac1239c9-72a6-44d8-911f-70a528c66c62>


Redirect After Login <= 0.1.9 - Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

Affected Software: Redirect After Login
CVE ID: CVE-2023-27624
CVSS Score: 4.4 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ad1a79f3-274f-4a33-a752-669c09c2d47d>


GPS Plotter <= 5.1.4 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Gps Plotter
CVE ID: CVE-2023-30874
CVSS Score: 4.4 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ca449d15-b05e-4341-99b0-472a14cab8f4>


WP-dTree <= 4.4.5 - Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

Affected Software: WP-dTree
CVE ID: CVE-2022-47423
CVSS Score: 4.4 (Medium)
Researcher/s: Justiice
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/cde92185-d63a-47b3-a17e-3f2b2b20270c>


Panorama – WordPress Project Management Plugin <= 1.5 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Panorama – WordPress Project Management Plugin
CVE ID: CVE-2023-23810
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d131115b-e2c9-42c6-9262-a19272944652>


Continuous announcement scroller <= 13.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

Affected Software: Continuous announcement scroller
CVE ID: CVE-2022-46819
CVSS Score: 4.4 (Medium)
Researcher/s: Justiice
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d88eb628-09c9-451c-b5ae-f26a93514447>


ApexChat <= 1.3.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

Affected Software: ApexChat
CVE ID: CVE-2023-28414
CVSS Score: 4.4 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/dbe8d164-85c7-444d-80ad-4d03151b939b>


Simple Tooltips <= 2.1.4 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Simple Tooltips
CVE ID: CVE-2023-25958
CVSS Score: 4.4 (Medium)
Researcher/s: deokhunKim
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/dc7e4235-5f40-48c2-8474-cf57af5e35bd>


Cab Grid <= 1.5.15 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Cab Grid
CVE ID: CVE-2023-28533
CVSS Score: 4.4 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e09c629b-9908-4548-b828-9e6140ff5670>


Image Optimizer WD <= 1.0.26 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Image Optimizer by 10web – Image Optimizer and Compression plugin
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e5eea72d-f10b-460b-be00-bb5b1c4a1a62>


BizLibrary <= 1.1 - Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: BizLibrary
CVE ID: CVE-2023-0892
CVSS Score: 4.4 (Medium)
Researcher/s: Shreya Pohekar
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ee7513d9-e76c-4da4-919b-ba376f0c4022>


Easy Ad Manager <= 1.0.0 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Easy Ad Manager
CVE ID: CVE-2023-25460
CVSS Score: 4.4 (Medium)
Researcher/s: Lokesh Dachepalli
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f7750f70-e79c-45fb-b792-ba6a4da59964>


eRocket <= 1.2.4 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: eRocket
CVE ID: CVE-2023-28174
CVSS Score: 4.4 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/fb9b8f3a-6f49-455d-99c6-cdf5671af49d>


Ninja Tables <= 4.3.4 - Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

Affected Software: Ninja Tables – Best Data Table Plugin for WordPress
CVE ID: CVE-2022-47137
CVSS Score: 4.4 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/fc296c70-358e-4908-be49-5ffae83aca9b>


GDPR Compliance & Cookie Consent <= 1.2 - Cross-Site Request Forgery

Affected Software: GDPR Compliance & Cookie Consent
CVE ID: CVE-2022-45815
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/052b345a-7b71-4de5-9bf8-8b81cc1b4e77>


Image Optimizer by 10web <= 1.0.25 - Directory Traversal to Information Exposure

Affected Software: Image Optimizer by 10web – Image Optimizer and Compression plugin
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/0b4a0dff-1054-4f50-8ff5-e3cc2b45d77b>


Essential Blocks <= 4.0.6 - Missing Authorization via get

Affected Software: Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates
CVE ID: CVE-2023-2084
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/0be8c668-0f1c-4f83-8a71-49c8bb9b67ae>


Album Gallery – WordPress Gallery <= 1.4.9 - Cross-Site Request Forgery via album-gallery-column-settings.php

Affected Software: Album Gallery – WordPress Gallery
CVE ID: CVE-2023-23646
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/0f3df75e-cf2f-4076-b5ff-b8540408044a>


Layer Slider <= 1.1.9.6 - Cross-Site Request Forgery via save_slide_ajax

Affected Software: Layer Slider
CVE ID: CVE-2023-23671
CVSS Score: 4.3 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/1ad366f1-2369-4fb2-aeda-301c85cf6801>


Enable/Disable Auto Login when Register <= 1.1.0 - Cross-Site Request Forgery

Affected Software: Enable/Disable Auto Login when Register
CVE ID: CVE-2023-0522
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/1fa45fa7-b1da-42f0-945b-2a6b0db5ba91>


Zendesk Support for WordPress <= 1.8.4 - Cross-Site Request Forgery

Affected Software: Zendesk Support for WordPress
CVE ID: CVE-2023-23716
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/212b7da7-bd3e-42df-8b50-a3eb472cf440>


LIQUID SPEECH BALLOON <= 1.1.8 - Cross-Site Request Forgery to Settings Update

Affected Software: LIQUID SPEECH BALLOON
CVE ID: CVE-2023-27889
CVSS Score: 4.3 (Medium)
Researcher/s: Ryo Sato
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/23980e13-b632-43ec-938e-8171884cb87b>


Ninja Tables <= 4.3.4 - Cross-Site Request Forgery

Affected Software: Ninja Tables – Best Data Table Plugin for WordPress
CVE ID: CVE-2022-47136
CVSS Score: 4.3 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/338158b5-bbda-4cd8-b4ea-97a3926a0989>


Clock In Portal <= 2.1 - Cross-Site Request Forgery To Staff Deletion

Affected Software: Clock In Portal- Staff & Attendance Management
CVE ID: CVE-2023-0761
CVSS Score: 4.3 (Medium)
Researcher/s: Sajjad Shariati
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/51ce7b71-0a19-48ef-8748-3848742c542b>


Clock In Portal <= 2.1 - Cross-Site Request Forgery to Holidays Deletion

Affected Software: Clock In Portal- Staff & Attendance Management
CVE ID: CVE-2023-0763
CVSS Score: 4.3 (Medium)
Researcher/s: Sajjad Shariati
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5c852fa1-698b-4e72-b781-095e2a98df81>


WP Docs <= 1.9.8 - Cross-Site Request Forgery to folder management

Affected Software: WP Docs
CVE ID: CVE-2023-30873
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6003b1bf-b176-4ca9-9de2-58133259e0f6>


Pearl <= 1.3.4 - Cross-Site Request Forgery via stm_hb_save_settings

Affected Software: WordPress Header Builder Plugin – Pearl
CVE ID: CVE-2022-38356
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6058da9e-8ca3-4966-bb10-e5da526e8c7e>


WooCommerce Order Status Change Notifier <= 1.1.0 - Authenticated (Subscriber+) Arbitrary Order Status Update

Affected Software: WooCommerce Order Status Change Notifier
CVE ID: CVE-2023-2179
CVSS Score: 4.3 (Medium)
Researcher/s: WPScanTeam
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/66bc83f5-0f6c-425f-a560-e79e777b76ca>


Woocommerce Product Designer <= 4.3.3 - Cross-Site Request Forgery

Affected Software: Woocommerce Products Designer by ORION – online product customizer for t-shirts, print cards, phone cases Lettering & Decals
CVE ID: CVE-2022-46856
CVSS Score: 4.3 (Medium)
Researcher/s: Cat
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/70d168a4-a659-4354-889e-7907215351a2>


Kodex Posts likes <= 2.4.3 - Cross-Site Request Forgery

Affected Software: Kodex Posts likes
CVE ID: CVE-2022-46814
CVSS Score: 4.3 (Medium)
Researcher/s: minhtuanact
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/77d56f61-7e45-405e-878d-fa3d53acede0>


Reservation.Studio widget <= 1.0.9 - Cross-Site Request Forgery via plugin settings

Affected Software: Reservation.Studio widget
CVE ID: CVE-2023-25468
CVSS Score: 4.3 (Medium)
Researcher/s: Lokesh Dachepalli
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/783e5794-0d74-4b7a-a1cd-2b834a50c50c>


BadgeOS <= 3.7.1.6 - Cross-Site Request Forgery

Affected Software: BadgeOS
CVE ID: CVE-2022-41987
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7bb1be6d-5af9-4b58-a641-05a913548fe7>


Essential Blocks <= 4.0.6 - Missing Authorization via template_count

Affected Software: Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates
CVE ID: CVE-2023-2086
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/9efc782a-ec61-4741-81fd-a263a2739e16>


Gallery Metabox <= 1.5 - Cross-Site Request Forgery via gallery_remove

Affected Software: Gallery Metabox
CVE ID: CVE-2022-47134
CVSS Score: 4.3 (Medium)
Researcher/s: Cat
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/9f8b1103-71b2-421e-bcbe-f2716b59e367>


Essential Blocks <= 4.0.6 - Missing Authorization via templates

Affected Software: Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates
CVE ID: CVE-2023-2085
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ad2c1ab6-5c78-4317-b5e7-c86e2eebeb4f>


SiteAlert (Formerly WP Health) <= 1.9.7 - Cross-Site Request Forgery

Affected Software: SiteAlert – Uptime, Speed, and Security Monitoring for WordPress
CVE ID: CVE-2022-46857
CVSS Score: 4.3 (Medium)
Researcher/s: Cat
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c1870c6e-23b6-4f3b-adba-72633d62dfd0>


OoohBoi Steroids for Elementor <= 2.1.4 - Missing Authorization leading to Authenticated (Subscriber+) Image Upload

Affected Software: OoohBoi Steroids for Elementor
CVE ID: CVE-2023-1169
CVSS Score: 4.3 (Medium)
Researcher/s: Ramuel Gall
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c56ed896-9267-49e6-a207-fe5362fe18cd>


Clock In Portal <= 2.1 - Cross-Site Request Forgery To Designation Deletion

Affected Software: Clock In Portal- Staff & Attendance Management
CVE ID: CVE-2023-0762
CVSS Score: 4.3 (Medium)
Researcher/s: Sajjad Shariati
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c6b17e90-42df-47ed-9e92-f5f1b990f921>


Form Block <= 1.0.1 - Cross-Site Request Forgery

Affected Software: Form Block
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Daniel Ruf
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/cb18d6d8-28e5-4125-9209-a71403f678f0>


Clock In Portal <= 2.1 - Cross-Site Request Forgery to Designation Deletion

Affected Software: Clock In Portal- Staff & Attendance Management
CVE ID: CVE-2023-0762
CVSS Score: 4.3 (Medium)
Researcher/s: Sajjad Shariati
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/cc97109c-187f-43b7-b5ed-5afeec5ea8fd>


Essential Blocks <= 4.0.6 - Cross-Site Request Forgery via save

Affected Software: Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates
CVE ID: CVE-2023-2087
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d38d41c7-8786-4145-9591-3e24eff3b79c>


Clock In Portal <= 2.1 - Cross-Site Request Forgery to Staff Deletion

Affected Software: Clock In Portal- Staff & Attendance Management CVE ID: CVE-2023-0761 CVSS Score: 4.3 (Medium) Researcher/s: Sajjad Shariati Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d8ec03c6-6ea9-4017-915a-e10b757d98ff>


Clock In Portal <= 2.1 - Cross-Site Request Forgery to Holiday Deletion

Affected Software: Clock In Portal- Staff & Attendance Management CVE ID: CVE-2023-0763 CVSS Score: 4.3 (Medium) Researcher/s: Sajjad Shariati Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ddc0261d-56ed-47a6-a0b2-0ab5f9dee815>


Simple Share Buttons Adder <= 8.4.6 - Cross-Site Request Forgery

Affected Software: Simple Share Buttons Adder CVE ID: CVE-2022-47178 CVSS Score: 4.3 (Medium) Researcher/s: Muhammad Daffa Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e57bfae5-4cc0-4d97-9431-4c8ebb2f0882>


Stream <= 3.9.2 - Cross-Site Request Forgery

Affected Software: Stream CVE ID: CVE-2022-43490 CVSS Score: 4.3 (Medium) Researcher/s: Lucio Sá Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e7203b5c-5753-453c-8fc2-26fcebdeea5b>


Essential Blocks <= 4.0.6 - Missing Authorization via save

Affected Software: Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates CVE ID: CVE-2023-2083 CVSS Score: 4.3 (Medium) Researcher/s: Marco Wotschka Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f8bf0933-1c97-4374-b323-c55b91fe4d27>


As a reminder, Wordfence has curated an industry-leading vulnerability database, known as Wordfence Intelligence, covering all known WordPress core, theme, and plugin vulnerabilities.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (Apr 17, 2023 to Apr 23, 2023) appeared first on Wordfence.