
Wordfence Intelligence Weekly WordPress Vulnerability Report (Mar 20, 2023 to Mar 26, 2023)

2023-03-30 13:23:16
Chloe Chamberland
www.wordfence.com

CVSS3: 9.8 (High)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None; Scope: Unchanged; Confidentiality Impact: High; Integrity Impact: High; Availability Impact: High
EPSS: 0.002 (Low), percentile 49.9%

Last week, 80 vulnerabilities disclosed in 69 WordPress plugins and 1 WordPress theme were added to the Wordfence Intelligence Vulnerability Database, and 31 vulnerability researchers contributed to WordPress security. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, including the WordPress community, so individuals and organizations alike can use that data to make the internet more secure. That is why the Wordfence Intelligence user interface and vulnerability API are completely free to access and use, both personally and commercially, and why we are running this weekly vulnerability report.

_Click here to sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published._


New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.


Total Unpatched & Patched Vulnerabilities Last Week

| Patch Status | Number of Vulnerabilities |
| --- | --- |
| Unpatched | 27 |
| Patched | 53 |

Total Vulnerabilities by CVSS Severity Last Week

| Severity Rating | Number of Vulnerabilities |
| --- | --- |
| Low Severity | 0 |
| Medium Severity | 70 |
| High Severity | 9 |
| Critical Severity | 1 |

Total Vulnerabilities by CWE Type Last Week

| Vulnerability Type by CWE | Number of Vulnerabilities |
| --- | --- |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 39 |
| Cross-Site Request Forgery (CSRF) | 18 |
| Missing Authorization | 10 |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 4 |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | 3 |
| Improper Neutralization of Formula Elements in a CSV File | 2 |
| Authentication Bypass Using an Alternate Path or Channel | 1 |
| Deserialization of Untrusted Data | 1 |
| Information Exposure | 1 |
| Unrestricted Upload of File with Dangerous Type | 1 |

Researchers That Contributed to WordPress Security Last Week

| Researcher Name | Number of Vulnerabilities |
| --- | --- |
| Lana Codes | 10 |
| Mika | 7 |
| yuyudhn | 6 |
| Joshua Martinelle | 5 |
| Erwan LR | 4 |
| Yuki Haruma | 3 |
| Cat | 3 |
| Varun | 2 |
| Rafshanzani Suhada | 2 |
| Rio Darmawan | 2 |
| thiennv | 2 |
| Shreya Pohekar | 2 |
| minhtuanact | 2 |
| Vaibhav Rajput | 1 |
| Abdi Pranata | 1 |
| Nguyen Anh Tien | 1 |
| Michael Mazzolini | 1 |
| Fariq Fadillah Gusti Insani | 1 |
| Rafie Muhammad | 1 |
| Flaviu Popescu | 1 |
| rSolutions Security Team | 1 |
| ipatelsumit | 1 |
| Nithissh S | 1 |
| Bartłomiej Marek | 1 |
| NeginNrb | 1 |
| Pavitra Tiwari | 1 |
| Muhammad Daffa | 1 |
| Cyxow | 1 |
| Dave Jong | 1 |
| R3zk0n | 1 |
| Karol Mazurek | 1 |

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added to the Wordfence Intelligence leaderboard, along with a mention in our weekly vulnerability report.


WordPress Plugins with Reported Vulnerabilities Last Week

| Software Name | Software Slug |
| --- | --- |
| Advance WordPress Search Plugin | th-advance-product-search |
| All-In-One Security (AIOS) – Security and Firewall | all-in-one-wp-security-and-firewall |
| BigContact Contact Page | bigcontact |
| Branded Social Images – Open Graph Images with logo and extra text layer | branded-social-images |
| CBX Currency Converter | cbcurrencyconverter |
| Contact Form Email | contact-form-to-email |
| Contact Form Plugin – Fastest Contact Form Builder Plugin for WordPress by Fluent Forms | fluentform |
| ConvertBox Auto Embed WordPress plugin | convertbox-auto-embed |
| Custom Field Template | custom-field-template |
| Cyberus Key | cyberus-key |
| Disqus Conditional Load | disqus-conditional-load |
| Easy Table of Contents | easy-table-of-contents |
| Enhanced Plugin Admin | enhanced-plugin-admin |
| Event Manager and Tickets Selling Plugin for WooCommerce | mage-eventpress |
| Events Made Easy | events-made-easy |
| Export Users Data Distinct | export-users-data-distinct |
| Floating Cart and Menu Cart for WooCommerce | th-all-in-one-woo-cart |
| Gallery by BestWebSoft – Customizable Image and Photo Galleries for WordPress | gallery-plugin |
| GamiPress – Youtube integration | gamipress-youtube-integration |
| GiveWP – Donation Plugin and Fundraising Platform | give |
| Google XML Sitemap for Mobile | google-mobile-sitemap |
| Hummingbird – Optimize Speed, Enable Cache, Minify CSS & Defer Critical JS | hummingbird-performance |
| I Recommend This | i-recommend-this |
| If Menu – Visibility control for Menus | if-menu |
| InPost Gallery | inpost-gallery |
| JS Job Manager | js-jobs |
| JetEngine | jet-engine |
| Kanban Boards for WordPress | kanban |
| Klaviyo | klaviyo |
| Lazy Social Comments | lazy-facebook-comments |
| MDTF – Meta Data and Taxonomies Filter | wp-meta-data-filter-and-taxonomy-filter |
| Open Graphite | open-graphite |
| Owl Carousel | owl-carousel |
| Pagination by BestWebSoft – Customizable WordPress Content Splitter and Navigation Plugin | pagination |
| Photo Gallery by 10Web – Mobile-Friendly Image Gallery | photo-gallery |
| Pricing Tables For WPBakery Page Builder (formerly Visual Composer) | pricing-tables-for-wpbakery-page-builder |
| Product Feed PRO for WooCommerce | woo-product-feed-pro |
| Safe SVG | safe-svg |
| Scheduled Announcements Widget | scheduled-announcements-widget |
| Simple Custom Author Profiles | simple-custom-author-profiles |
| Simple Giveaways – Grow your business, email lists and traffic with contests | giveasap |
| Simple Mobile URL Redirect | simple-mobile-url-redirect |
| Slider, Gallery, and Carousel by MetaSlider – Responsive WordPress Slideshows | ml-slider |
| Stock Sync for WooCommerce | stock-sync-for-woocommerce |
| Store Locator WordPress | agile-store-locator |
| Stylish Cost Calculator | stylish-cost-calculator-premium |
| Team Member – Team with Slider | team-showcase-supreme |
| Thank You Page Customizer for WooCommerce – Increase Your Sales | woo-thank-you-page-customizer |
| Time Sheets | time-sheets |
| TreePress – Easy Family Trees & Ancestor Profiles | treepress |
| User Registration – Custom Registration Form, Login Form And User Profile For WordPress | user-registration |
| Userlike – WordPress Live Chat plugin | userlike |
| Variation Swatches for WooCommerce | th-variation-swatches |
| Vertical scroll recent post | vertical-scroll-recent-post |
| VigilanTor | vigilantor |
| W4 Post List | w4-post-list |
| WP Content Filter – Censor All Offensive Content From Your Site | wp-content-filter |
| WP Popup Banners | wp-popup-banners |
| WP VR – 360 Panorama and Virtual Tour Builder For WordPress | wpvr |
| Waiting: One-click countdowns | waiting |
| Wbcom Designs – BuddyPress Activity Social Share | bp-activity-social-share |
| Weather Station | live-weather-station |
| WooCommerce JazzCash Gateway Plugin | jazzcash-woocommerce-gateway |
| WooCommerce Payments – Fully Integrated Solution Built and Supported by Woo | woocommerce-payments |
| WordPress Amazon S3 Plugin | wp-s3 |
| WordPress CRM, Email & Marketing Automation for WordPress Award Winner — Groundhogg | |
| WordPress Pinterest Plugin – Make a Popup, User Profile, Masonry and Gallery Layout | gs-pinterest-portfolio |
| amr users | amr-users |
| eRoom – Zoom Meetings & Webinars | eroom-zoom-meetings-webinar |

WordPress Themes with Reported Vulnerabilities Last Week

| Software Name | Software Slug |
| --- | --- |
| Resoto | resoto |

Vulnerability Details

WooCommerce Payments 4.8.0 - 5.6.1 Authentication Bypass and Privilege Escalation

Affected Software: WooCommerce Payments – Fully Integrated Solution Built and Supported by Woo
CVE ID: CVE Unknown
CVSS Score: 9.8 (Critical)
Researcher/s: Michael Mazzolini
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/41cf57ff-421d-4db2-894f-17f2c4d4b9ed>


Waiting: One-click countdowns <= 0.6.2 - Authenticated (Subscriber+) SQL Injection via 'pbc_down[meta][id]'

Affected Software: Waiting: One-click countdowns
CVE ID: CVE-2023-28659
CVSS Score: 8.8 (High)
Researcher/s: Joshua Martinelle
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/17d12a35-35a1-4f7b-aa03-33ddafe17f5b>


WP Popup Banners <= 1.2.5 - Authenticated (Subscriber+) SQL Injection via 'value'

Affected Software: WP Popup Banners
CVE ID: CVE-2023-28661
CVSS Score: 8.8 (High)
Researcher/s: Joshua Martinelle
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/aa64d6b4-5673-4d88-b5c7-d3441eaa0706>


Events Made Easy <= 2.3.14 - Authenticated (Subscriber+) SQL Injection via 'search_name'

Affected Software: Events Made Easy
CVE ID: CVE-2023-28660
CVSS Score: 8.8 (High)
Researcher/s: Joshua Martinelle
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d2550461-2546-4dc4-85ff-decf2fca3f10>


Crocoblock JetEngine <= 3.1.3 - Authenticated (Author+) Arbitrary File Upload to Remote Code Execution

Affected Software: JetEngine
CVE ID: CVE-2023-1406
CVSS Score: 8.8 (High)
Researcher/s: R3zk0n
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d7e7247f-869a-4cf0-ae03-0b36ecbc1b7e>


Pricing Tables For WPBakery Page Builder (formerly Visual Composer) <= 2.0 - Authenticated (Subscriber+) Local File Inclusion via Shortcode

Affected Software: Pricing Tables For WPBakery Page Builder (formerly Visual Composer)
CVE ID: CVE-2023-1274
CVSS Score: 8.1 (High)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/3475c8fe-17fa-4d8e-bffd-a33e59f6e03b>


User Registration <= 2.3.2.1 - PHP Object Injection

Affected Software: User Registration – Custom Registration Form, Login Form And User Profile For WordPress
CVE ID: CVE-2023-27459
CVSS Score: 7.5 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5835fed0-5b9d-47b5-82ae-f0f19830ae2a>


Stylish Cost Calculator < 7.9.0 - Unauthenticated Stored Cross-Site Scripting

Affected Software: Stylish Cost Calculator
CVE ID: CVE-2023-0983
CVSS Score: 7.2 (High)
Researcher/s: Flaviu Popescu
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5b7cc660-b430-4b0f-b2d1-68ba458de8a9>


Groundhogg <= 2.7.9.3 - Authenticated (Administrator+) SQL Injection

Affected Software: WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg
CVE ID: CVE-2023-1425
CVSS Score: 7.2 (High)
Researcher/s: rSolutions Security Team
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/76c468cb-8ad6-4b62-8de5-dc8efd4b8e61>


SVG Sanitizer library <= 0.15.4 - Cross-Site Scripting Bypass

Affected Software: Safe SVG
CVE ID: CVE-2023-28426
CVSS Score: 7.2 (High)
Researcher/s: Cyxow
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ca73de6d-2d47-4d7c-a917-0f99fed8c27d>


JS Job Manager <= 2.0.0 - Missing Authorization

Affected Software: JS Job Manager
CVE ID: CVE-2023-28689
CVSS Score: 6.5 (Medium)
Researcher/s: Fariq Fadillah Gusti Insani
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/55604ee9-7343-472c-9a29-035d18b266ab>


TH Advance WordPress Search <= 1.1.4 - Missing Authorization via settings_init

Affected Software: Advance WordPress Search Plugin
CVE ID: CVE-2023-25969
CVSS Score: 6.5 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/826a3fa2-ee41-4960-becb-0df8813a964a>


FluentForms <= 4.3.24 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Contact Form Plugin – Fastest Contact Form Builder Plugin for WordPress by Fluent Forms
CVE ID: CVE-2023-0546
CVSS Score: 6.4 (Medium)
Researcher/s: Vaibhav Rajput
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/0b79a851-1212-4a9c-89fe-b5f2d50ec18c>


Vertical scroll recent post <= 14.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcodes

Affected Software: Vertical scroll recent post
CVE ID: CVE-2023-23862
CVSS Score: 6.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/1a0e93cb-4311-4b38-8eb4-17152e1f3475>


WordPress Pinterest Plugin <= 1.6.1 - Stored (Contributor+) Cross-Site Scripting via Shortcode

Affected Software: WordPress Pinterest Plugin – Make a Popup, User Profile, Masonry and Gallery Layout
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/20daf751-176d-48f2-ac68-480fda89cee1>


Team Member <= 4.4 - Authenticated (Editor+) Stored Cross-Site Scripting via new_style_name

Affected Software: Team Member – Team with Slider
CVE ID: CVE-2023-23647
CVSS Score: 6.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/353d22c5-dee1-485f-ae66-e9c7afe3ad8e>


W4 Post List <= 2.4.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Block Options

Affected Software: W4 Post List
CVE ID: CVE-2023-0374
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/64ed8547-0dc1-4f0a-8b0b-27ce20b8bbd6>


Scheduled Announcements Widget <= 0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Scheduled Announcements Widget
CVE ID: CVE-2023-0363
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/755ae574-9df3-44d1-a14b-16887f234510>


GamiPress – Youtube integration <= 1.0.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: GamiPress – Youtube integration
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/bb74a917-2dfb-4229-a72a-9c3d1f9a6324>


Pricing Tables For WPBakery Page Builder (formerly Visual Composer) <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Pricing Tables For WPBakery Page Builder (formerly Visual Composer)
CVE ID: CVE-2023-0367
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c04a0f82-97f6-44ff-999d-08a8c106f889>


ConvertBox Auto Embed WordPress plugin <= 1.0.19 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: ConvertBox Auto Embed WordPress plugin
CVE ID: CVE-2023-23664
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c8a4e9b8-9794-48b7-8c53-cfad37ed530c>


Slider, Gallery, and Carousel by MetaSlider <= 3.29.0 - Reflected Cross-Site Scripting

Affected Software: Slider, Gallery, and Carousel by MetaSlider – Responsive WordPress Slideshows
CVE ID: CVE-2023-1473
CVSS Score: 6.1 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/290233f0-a5dd-4c69-8039-7392268daf40>


InPost Gallery <= 2.1.4.1 - Reflected Cross-Site Scripting via 'imgurl'

Affected Software: InPost Gallery
CVE ID: CVE-2023-28666
CVSS Score: 6.1 (Medium)
Researcher/s: Joshua Martinelle
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/69fd66db-5693-4976-96c0-60dbfeccd14f>


MDTF – Meta Data and Taxonomies Filter <= 1.3.0.1 - Reflected Cross-Site Scripting via 'tax_name'

Affected Software: MDTF – Meta Data and Taxonomies Filter
CVE ID: CVE-2023-28664
CVSS Score: 6.1 (Medium)
Researcher/s: Joshua Martinelle
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6edb6604-9da8-421e-933b-bac02b179bd0>


WP VR <= 8.2.8 - Reflected Cross-Site Scripting

Affected Software: WP VR – 360 Panorama and Virtual Tour Builder For WordPress
CVE ID: CVE-2023-1413
CVSS Score: 6.1 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6fbde737-0730-49a4-a84e-a9c5e0e32af5>


W4 Post List <= 2.4.5 - Reflected Cross-Site Scripting

Affected Software: W4 Post List
CVE ID: CVE-2023-1373
CVSS Score: 6.1 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/9d6a7230-07c7-43f3-a844-77d2bb19545d>


WordPress Amazon S3 Plugin <= 1.5 - Reflected Cross-Site Scripting

Affected Software: WordPress Amazon S3 Plugin
CVE ID: CVE-2023-0423
CVSS Score: 6.1 (Medium)
Researcher/s: Shreya Pohekar
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ab779713-7004-47f6-af16-2db2c7c1013b>


WooCommerce JazzCash Gateway Plugin <= 2.0 - Unauthenticated Cross-Site Scripting

Affected Software: WooCommerce JazzCash Gateway Plugin
CVE ID: CVE-2022-46822
CVSS Score: 6.1 (Medium)
Researcher/s: minhtuanact
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e6809f7f-4495-4185-b439-820010afc305>


Open Graphite <= 1.6.0 - Reflected Cross-Site Scripting via topic parameter

Affected Software: Open Graphite
CVE ID: CVE-2022-47439
CVSS Score: 6.1 (Medium)
Researcher/s: minhtuanact
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/fd368b2c-ef40-453b-aeef-ad88d847c29b>


Export Users Data Distinct <= 1.3 - Authenticated (Subscriber+) CSV Injection

Affected Software: Export Users Data Distinct
CVE ID: CVE-2022-46804
CVSS Score: 5.8 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/03a1724c-8fea-4e9f-a4a1-9de236e1f15a>


amr users <= 4.59.4 - Authenticated (Subscriber+) CSV Injection

Affected Software: amr users
CVE ID: CVE-2022-45348
CVSS Score: 5.8 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/879e7695-3a61-4e65-b102-fcdc63fac688>


Simple Giveaways <= 2.45.0 - Authenticated (Editor+) Stored Cross-Site Scripting via Form, Prize, and Sharing Method Fields

Affected Software: Simple Giveaways – Grow your business, email lists and traffic with contests
CVE ID: CVE-2023-1122
CVSS Score: 5.5 (Medium)
Researcher/s: Varun
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/240691c4-35c5-40e1-b1ab-a500ffcdac73>


Wbcom Designs – BuddyPress Activity Social Share <= 3.5.0 - Cross-Site Request Forgery

Affected Software: Wbcom Designs – BuddyPress Activity Social Share
CVE ID: CVE-2023-28694
CVSS Score: 5.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/1c8152c5-7d72-48a1-9140-8b0341c86023>


TH Variation Swatches <= 1.2.7 - Cross-Site Request Forgery via delete_settings

Affected Software: Variation Swatches for WooCommerce
CVE ID: CVE-2023-28688
CVSS Score: 5.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6e98fb74-46f2-4a6a-8012-e2824bd77070>


CBX Currency Converter <= 3.0.3 - Cross-Site Request Forgery leading to Plugin Settings Leakage/Changes

Affected Software: CBX Currency Converter
CVE ID: CVE-2023-28747
CVSS Score: 5.4 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/711d2c4d-700d-4d6e-911f-99abf86eff32>


Enhanced Plugin Admin <= 1.16 - Cross-Site Request Forgery via epa_options_page

Affected Software: Enhanced Plugin Admin
CVE ID: CVE-2023-28618
CVSS Score: 5.4 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/9b5bc030-7739-4eb4-b85d-99e5d0f2643a>


Easy Table of Contents <= 2.0.45.2 - Missing Authorization via eztoc_reset_options_to_default

Affected Software: Easy Table of Contents
CVE ID: CVE-2023-25469
CVSS Score: 5.4 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ff937860-c4e0-4172-9f0f-d66578fa7203>


TH Side Cart and Menu Cart for Woocommerce <= 1.1.1 - Missing Authorization

Affected Software: Floating Cart and Menu Cart for WooCommerce
CVE ID: CVE-2023-25969
CVSS Score: 5.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/1c0d18d3-8758-41ae-b104-dac69eee4ac9>


Branded Social Images <= 1.1.0 - Missing Authorization leading to Unauthenticated Plugin Settings Updates

Affected Software: Branded Social Images – Open Graph Images with logo and extra text layer
CVE ID: CVE-2023-28536
CVSS Score: 5.3 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/2cbc0b70-c8a4-4924-a67f-cea81ab19cdc>


Owl Carousel <= 0.5.3 - Missing Authorization via save_paramter.php

Affected Software: Owl Carousel
CVE ID: CVE-2022-44578
CVSS Score: 5.3 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/37aaf109-e04f-40d7-8303-a581b0b09d24>


If Menu <= 0.16.3 - Missing Authorization to Admin Settings Modification

Affected Software: If Menu – Visibility control for Menus
CVE ID: CVE-2022-41698
CVSS Score: 5.3 (Medium)
Researcher/s: Nguyen Anh Tien
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/3b5fc0ac-7a33-48da-8b0f-566b9eb0f17f>


eRoom – Zoom Meetings & Webinar <= 1.4.6 - Missing Authorization via add_feedback

Affected Software: eRoom – Zoom Meetings & Webinars
CVE ID: CVE-2022-43472
CVSS Score: 5.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5e0767a8-9e82-4ce4-9df9-19b458dc5ce0>


GiveWP <= 2.25.2 - Cross-Site Request Forgery via give_ajax_delete_payment_note

Affected Software: GiveWP – Donation Plugin and Fundraising Platform
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a2dc1a04-5503-412b-92e7-ed86910abd92>


GiveWP <= 2.25.2 - Cross-Site Request Forgery via give_ajax_store_payment_note

Affected Software: GiveWP – Donation Plugin and Fundraising Platform
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d09a0b62-6556-4be5-a6f2-0cb0edcced3b>


Hummingbird <= 3.4.1 - Unauthenticated Path Traversal

Affected Software: Hummingbird – Optimize Speed, Enable Cache, Minify CSS & Defer Critical JS
CVE ID: CVE-2023-1478
CVSS Score: 5.3 (Medium)
Researcher/s: Karol Mazurek
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d9b8e6dc-a9ac-4afb-ad47-4f51032bb1f4>


Resoto <= 1.0.8 - Missing Authorization leading to Authenticated (Subscriber+) Arbitrary Plugin Activation

Affected Software: Resoto
CVE ID: CVE-2023-28619
CVSS Score: 5 (Medium)
Researcher/s: Dave Jong
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/cb5c5e82-d6e5-4237-958f-12fc4698e77e>


Photo Gallery by 10Web <= 1.8.14 - Authenticated (Administrator+) Directory Traversal

Affected Software: Photo Gallery by 10Web – Mobile-Friendly Image Gallery
CVE ID: CVE Unknown
CVSS Score: 4.9 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a0f55f3e-9a9a-42a7-91b5-0d515519d545>


Kanban Boards for WordPress <= 2.5.20 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Kanban Boards for WordPress
CVE ID: CVE-2023-23884
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/071b5c32-b6ac-402a-af74-6ecd05279d93>


Userlike <= 2.2 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Userlike – WordPress Live Chat plugin
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/14c94d47-c911-4874-a897-58f4c0800329>


Store Locator WordPress <= 1.4.9 - Authenticated (Editor+) Stored Cross-Site Scripting via 'category_name', 'description', 'description_2' parameters

Affected Software: Store Locator WordPress
CVE ID: CVE-2023-27618
CVSS Score: 4.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/1dad9de0-5e43-4dfd-a56c-5e9efff35c0a>


Klaviyo <= 3.0.9 - Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: Klaviyo
CVE ID: CVE-2023-0874
CVSS Score: 4.4 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/294de862-716c-4e17-a1cf-cade53207013>


VigilanTor <= 1.3.10 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: VigilanTor
CVE ID: CVE-2023-28695
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/2ea71d63-27ce-4f24-b3ef-de38e6f25e0d>


Gallery by BestWebSoft – Customizable Image and Photo Galleries for WordPress <= 4.6.9 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Gallery by BestWebSoft – Customizable Image and Photo Galleries for WordPress
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/3adf6b20-110f-4057-9fab-5248e9c18555>


Lazy Social Comments <= 2.0.4 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Options

Affected Software: Lazy Social Comments
CVE ID: CVE-2023-23733
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/43f2c020-a531-4e25-948e-372bc7af3bab>


Disqus Conditional Load <= 11.0.6 - Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

Affected Software: Disqus Conditional Load
CVE ID: CVE-2023-23732
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/762190dc-cd19-4bc1-8204-9219881d95e9>


Simple Giveaways <= 2.45.0 - Authenticated (Admin+) Stored Cross-Site Scripting via Settings

Affected Software: Simple Giveaways – Grow your business, email lists and traffic with contests
CVE ID: CVE-2023-1120
CVSS Score: 4.4 (Medium)
Researcher/s: ipatelsumit
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/86991143-d4e7-4114-b219-0deedd084858>


Simple Giveaways <= 2.45.0 - Authenticated (Admin+) Stored Cross-Site Scripting via form fields

Affected Software: Simple Giveaways – Grow your business, email lists and traffic with contests
CVE ID: CVE-2023-1121
CVSS Score: 4.4 (Medium)
Researcher/s: Varun
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/91552a9b-d46b-4a75-b096-8f28bdd9fb56>


WP Content Filter – Censor All Offensive Content From Your Site <= 3.0.1 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: WP Content Filter – Censor All Offensive Content From Your Site
CVE ID: CVE-2023-23883
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/95ffefff-80e1-4f5a-8939-47a00f75493d>


Simple Custom Author Profiles <= 1.0.0 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Simple Custom Author Profiles
CVE ID: CVE-2023-24372
CVSS Score: 4.4 (Medium)
Researcher/s: Nithissh S
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/986d16d5-f1f4-4ed9-9978-0f12ee22a543>


All-In-One Security (AIOS) <= 5.1.4 - Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: All-In-One Security (AIOS) – Security and Firewall
CVE ID: CVE-2023-0157
CVSS Score: 4.4 (Medium)
Researcher/s: Bartłomiej Marek
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a3ae55ad-b192-4dde-8a7c-3a4fd71d3475>


Pagination by BestWebSoft < 1.2.2 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Pagination by BestWebSoft – Customizable WordPress Content Splitter and Navigation Plugin CVE ID: CVE Unknown CVSS Score: 4.4 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a4572874-afd4-4e46-8a28-76a0a6cc8acb&gt;


Cyberus Key <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'uid' in 'cyberkey_settings' Plugin Setting

Affected Software: Cyberus Key CVE ID: CVE-2023-28620 CVSS Score: 4.4 (Medium) Researcher/s: Pavitra Tiwari Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/bf5e5eaf-b42d-49b9-8f55-6025e64748c9&gt;


Event Manager for WooCommerce <= 3.8.6 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'mep_get_option' function

Affected Software: Event Manager and Tickets Selling Plugin for WooCommerce CVE ID: CVE-2023-28422 CVSS Score: 4.4 (Medium) Researcher/s: Yuki Haruma Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c2f4c1de-7eeb-45c4-bbff-ec85f2cda5aa&gt;


Time Sheets <= 1.29.2 - Authenticated(Admin+) Stored Cross-Site Scripting

Affected Software: Time Sheets CVE ID: CVE-2023-0893 CVSS Score: 4.4 (Medium) Researcher/s: Shreya Pohekar Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e7e25e64-4504-4aad-aeb6-d58b5c36a4bd&gt;


Cyberus Key <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Cyberus Key CVE ID: CVE Unknown CVSS Score: 4.4 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f3944b2d-c431-4a53-b4e2-740480e746d6&gt;


TreePress – Easy Family Trees & Ancestor Profiles <= 2.0.22 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'post_title' parameter

Affected Software: TreePress – Easy Family Trees & Ancestor Profiles CVE ID: CVE-2023-23863 CVSS Score: 4.4 (Medium) Researcher/s: yuyudhn Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/fbef8738-d639-48a5-98b7-abf9a7e9fec1>


TH Side Cart and Menu Cart for Woocommerce <= 1.1.1 - Cross-Site Request Forgery

Affected Software: Floating Cart and Menu Cart for WooCommerce CVE ID: CVE Unknown CVSS Score: 4.3 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/18f04566-3a63-41f3-aa9b-766304d56499>


W4 Post List <= 2.4.5 - Information Disclosure via post_excerpt

Affected Software: W4 Post List CVE ID: CVE-2023-1371 CVSS Score: 4.3 (Medium) Researcher/s: Erwan LR Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5ac7408d-8ec7-415b-bf52-024182888cb4>


GiveWP <= 2.25.2 - Cross-Site Request Forgery

Affected Software: GiveWP – Donation Plugin and Fundraising Platform CVE ID: CVE Unknown CVSS Score: 4.3 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5ea02dd5-d837-471c-aa6a-264ffcedd55d>


I Recommend This <= 3.8.3 - Cross-Site Request Forgery

Affected Software: I Recommend This CVE ID: CVE-2023-28696 CVSS Score: 4.3 (Medium) Researcher/s: thiennv Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a0ee9b26-4e7f-475f-b42b-5af40b78cbca>


BigContact <= 1.5.8 - Cross-Site Request Forgery leading to Plugin Settings Updates

Affected Software: BigContact Contact Page CVE ID: CVE-2023-22694 CVSS Score: 4.3 (Medium) Researcher/s: Mika Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b0403adb-08c4-4697-a7d9-50e39d46cd43>


Download Weather Station <= 3.8.11 - Cross-Site Request Forgery

Affected Software: Weather Station CVE ID: CVE-2023-25478 CVSS Score: 4.3 (Medium) Researcher/s: Mika Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b1e1db3f-1ebc-4f16-b2d8-8bce9c51b3db>


Google XML Sitemap for Mobile <= 1.6.1 - Cross-Site Request Forgery via mobile_sitemap_generate

Affected Software: Google XML Sitemap for Mobile CVE ID: CVE-2023-23869 CVSS Score: 4.3 (Medium) Researcher/s: Mika Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b2b0c5f9-b734-41e6-8ecb-4cf3d891ddb7>


Custom Field Template <= 2.5.8 - Cross-Site Request Forgery via Plugin Options Update

Affected Software: Custom Field Template CVE ID: CVE-2023-22695 CVSS Score: 4.3 (Medium) Researcher/s: NeginNrb Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b55853e1-2f20-417f-b07e-eda758eaed32>


Stock Sync for WooCommerce <= 2.3.2 - Missing Authorization

Affected Software: Stock Sync for WooCommerce CVE ID: CVE-2022-46807 CVSS Score: 4.3 (Medium) Researcher/s: Cat Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b8faa34a-17fd-4a2e-b8bf-ed40fc7a88d9>


Simple Mobile URL Redirect <= 1.7.2 - Cross-Site Request Forgery leading to Mobile Redirect Updates

Affected Software: Simple Mobile URL Redirect CVE ID: CVE-2023-23897 CVSS Score: 4.3 (Medium) Researcher/s: Mika Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/be8dcff9-1626-4919-b297-c423891f3d02>


Product Feed PRO for WooCommerce <= 12.4.0 - Cross-Site Request Forgery via update_project

Affected Software: Product Feed PRO for WooCommerce CVE ID: CVE-2022-46793 CVSS Score: 4.3 (Medium) Researcher/s: Muhammad Daffa Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c5b0939a-1699-483c-9a4f-7978155e6ad1>


Contact Form Email <= 1.3.31 - Cross-Site Request Forgery to Feedback Submission

Affected Software: Contact Form Email CVE ID: CVE Unknown CVSS Score: 4.3 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ce6ea115-941e-482f-a2a4-95293ff10a69>


Stock Sync for WooCommerce <= 2.3.2 - Cross-Site Request Forgery

Affected Software: Stock Sync for WooCommerce CVE ID: CVE Unknown CVSS Score: 4.3 (Medium) Researcher/s: Cat Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/cf13732b-7c24-443a-bae9-d8cf70b5cb33>


Thank You Page Customizer for WooCommerce – Increase Your Sales <= 1.0.13 - Cross-Site Request Forgery via send_email

Affected Software: Thank You Page Customizer for WooCommerce – Increase Your Sales CVE ID: CVE-2022-46812 CVSS Score: 4.3 (Medium) Researcher/s: Cat Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ecd504ad-8812-46ec-be18-e98d05982312>


As a reminder, Wordfence has curated an industry-leading vulnerability database, Wordfence Intelligence, covering all known WordPress core, theme, and plugin vulnerabilities.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, through vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring a variety of sources to capture all publicly available WordPress vulnerability information, adding additional context where we can.

Click here to sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (Mar 20, 2023 to Mar 26, 2023) appeared first on Wordfence.