May 11, 2023 - 1:16 p.m.

Wordfence Intelligence Weekly WordPress Vulnerability Report (May 1, 2023 to May 7, 2023)

Chloe Chamberland
www.wordfence.com
Tags: wordfence, wordpress, vulnerabilities, threat intelligence, firewall, severity, api, protection, researcher, cross-site scripting, sql injection, csrf


Last week, there were 58 vulnerabilities disclosed in 43 WordPress Plugins and 3 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 27 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface and vulnerability API are completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Click here to sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.


New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.


Total Unpatched & Patched Vulnerabilities Last Week

| Patch Status | Number of Vulnerabilities |
|---|---|
| Unpatched | 14 |
| Patched | 44 |

Total Vulnerabilities by CVSS Severity Last Week

| Severity Rating | Number of Vulnerabilities |
|---|---|
| Low Severity | 1 |
| Medium Severity | 48 |
| High Severity | 8 |
| Critical Severity | 1 |

Total Vulnerabilities by CWE Type Last Week

| Vulnerability Type by CWE | Number of Vulnerabilities |
|---|---|
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 31 |
| Missing Authorization | 9 |
| Cross-Site Request Forgery (CSRF) | 5 |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 3 |
| Server-Side Request Forgery (SSRF) | 2 |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | 2 |
| Improper Authentication | 1 |
| Information Exposure | 1 |
| Unverified Password Change | 1 |
| URL Redirection to Untrusted Site ('Open Redirect') | 1 |
| Deserialization of Untrusted Data | 1 |
| Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | 1 |

Researchers That Contributed to WordPress Security Last Week

| Researcher Name | Number of Vulnerabilities |
|---|---|
| Dave Jong | 7 |
| Lana Codes | 7 |
| yuyudhn | 4 |
| Le Ngoc Anh | 3 |
| Mika | 3 |
| Rafie Muhammad | 3 |
| Junsu Yeo | 2 |
| Erwan LR | 2 |
| LEE SE HYOUNG | 2 |
| Chien Vuong | 2 |
| deokhunKim | 2 |
| Alex Sanford | 2 |
| Fioravante Souza | 1 |
| Nguyen Xuan Chien | 1 |
| Ivan Kuzymchak | 1 |
| Yash Kanchhal | 1 |
| WPScanTeam | 1 |
| Sanjay Das | 1 |
| Marco Wotschka | 1 |
| Taurus Omar | 1 |
| Nguyen Anh Tien | 1 |
| Suprit S Pandurangi | 1 |
| Skalucy | 1 |
| Ramuel Gall | 1 |
| thiennv | 1 |
| Phd | 1 |
| Pablo Sanchez | 1 |

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.


WordPress Plugins with Reported Vulnerabilities Last Week

| Software Name | Software Slug |
|---|---|
| Add to Feedly | add-to-feedly |
| Advanced Custom Fields (ACF) | advanced-custom-fields |
| Advanced Custom Fields Pro | advanced-custom-fields-pro |
| Advanced Woo Search | advanced-woo-search |
| Albo Pretorio On line | albo-pretorio-on-line |
| AnyWhere Elementor | anywhere-elementor |
| CM Pop-Up banners for WordPress | cm-pop-up-banners |
| Community by PeepSo – Social Network, Membership, Registration, User Profiles | peepso-core |
| Contact Form 7 extension for Google Map fields | cf7-google-map |
| Cryptocurrency Payment & Donation Box – Accept Payments in any Cryptocurrency on your WP Site for Free | cryptocurrency-donation-box |
| Custom 404 Pro | custom-404-pro |
| DX Delete Attached Media | dx-delete-attached-media |
| Easy Appointments | easy-appointments |
| Easy Digital Downloads – Simple eCommerce for Selling Digital Files | easy-digital-downloads |
| FV Flowplayer Video Player | fv-wordpress-flowplayer |
| Fast & Effective Popups & Lead-Generation for WordPress – HollerBox | holler-box |
| Hostel | hostel |
| Image Optimizer by 10web – Image Optimizer and Compression plugin | image-optimizer-wd |
| Library Viewer | library-viewer |
| Login rebuilder | login-rebuilder |
| Loginizer | loginizer |
| Manager for Icomoon | manager-for-icomoon |
| Metform Elementor Contact Form Builder – Flexible and Design-Friendly Contact Form builder plugin for WordPress | metform |
| Multi Rating | multi-rating |
| Newsletter Popup | newsletter-popup |
| OSM – OpenStreetMap | osm |
| Otter – Gutenberg Blocks – Page Builder for Gutenberg Editor & FSE | otter-blocks |
| Participants Database | participants-database |
| Photo Gallery by Ays – Responsive Image Gallery | gallery-photo-gallery |
| Product Addons & Fields for WooCommerce | woocommerce-product-addon |
| Spiffy Calendar | spiffy-calendar |
| TK Google Fonts GDPR Compliant | tk-google-fonts |
| TP Education | tp-education |
| UserAgent-Spy | useragent-spy |
| WOLF – WordPress Posts Bulk Editor and Manager Professional | bulk-editor |
| WP Directory Kit | wpdirectorykit |
| WP Docs | wp-docs |
| WP EasyPay – Square for WordPress | wp-easy-pay |
| WP Fastest Cache | wp-fastest-cache |
| WP Job Portal – A Complete Job Board | wp-job-portal |
| WP-FormAssembly | formassembly-web-forms |
| WPO365 Mail Integration for Office 365 / Outlook | |
| WPPizza – A Restaurant Plugin | wppizza |

WordPress Themes with Reported Vulnerabilities Last Week

| Software Name | Software Slug |
|---|---|
| Editorialmag | editorialmag |
| JupiterX | jupiterx |
| TheGem | thegem |

Vulnerability Details

Easy Digital Downloads 3.1 - 3.1.1.4.1 - Unauthenticated Arbitrary Password Reset to Privilege Escalation

Affected Software: Easy Digital Downloads – Simple eCommerce for Selling Digital Files
CVE ID: CVE-2023-30869
CVSS Score: 9.8 (Critical)
Researcher/s: Nguyen Anh Tien
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/8e3e07c8-8fd0-4966-8276-aece794b75b2>


Otter - Gutenberg Blocks <= 2.2.5 - Authenticated (Author+) PHAR Deserialization

Affected Software: Otter – Gutenberg Blocks – Page Builder for Gutenberg Editor & FSE
CVE ID: CVE-2023-2288
CVSS Score: 8.8 (High)
Researcher/s: Alex Sanford
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f18be13a-1b16-40f8-85a7-bd77b49e243c>


CM Pop-Up banners <= 1.5.10 - Authenticated (Subscriber+) SQL Injection via getStatistics

Affected Software: CM Pop-Up banners for WordPress
CVE ID: CVE-2023-30750
CVSS Score: 8.8 (High)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ff29e160-993b-422c-b49b-a216db5a0765>


AnyWhere Elementor <= 1.2.7 - Sensitive Information Exposure

Affected Software: AnyWhere Elementor
CVE ID: CVE-2023-0443
CVSS Score: 8.6 (High)
Researcher/s: Sanjay Das
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5782439f-a546-45f6-aec7-e600442d3c41>


JupiterX Theme <= 3.0.0 - Authenticated Local File Inclusion via print_pane

Affected Software: JupiterX
CVE ID: CVE-2023-32110
CVSS Score: 8.1 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d5abb538-9e69-485e-9389-90a2422510ca>


TK Google Fonts GDPR Compliant <= 2.2.7 - Authorization Bypass

Affected Software: TK Google Fonts GDPR Compliant
CVE ID: CVE Unknown
CVSS Score: 7.3 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7c1e005f-c0f1-4dff-928b-18919f117048>


Newsletter Popup <= 1.2 - Unauthenticated Stored Cross-Site Scripting via 'nl_data'

Affected Software: Newsletter Popup
CVE ID: CVE-2023-0733
CVSS Score: 7.2 (High)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/2b5d64b8-c339-4bbc-b91e-4805428f7296>


Cryptocurrency Donation Box – Bitcoin & Crypto Donations <= 2.2.5 - Authenticated (Administrator+) SQL Injection

Affected Software: Cryptocurrency Payment & Donation Box – Accept Payments in any Cryptocurrency on your WP Site for Free
CVE ID: CVE-2023-32128
CVSS Score: 7.2 (High)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6c98430d-0881-4f45-b934-c393739ef71c>


Contact Form 7 extension for Google Map fields <= 1.8.3 - Stored Cross-Site Scripting

Affected Software: Contact Form 7 extension for Google Map fields
CVE ID: CVE Unknown
CVSS Score: 7.2 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/dd3fc3a4-ba32-4c05-bc93-ed7b86c426fa>


HollerBox <= 2.1.3 - Authenticated (edit_popups+) SQL Injection

Affected Software: Fast & Effective Popups & Lead-Generation for WordPress – HollerBox
CVE ID: CVE-2023-2111
CVSS Score: 6.6 (Medium)
Researcher/s: WPScanTeam
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/4970be62-9aad-4a5f-9dd3-4bf48bded022>


Metform Elementor Contact Form Builder <= 3.3.0 - Missing Authorization

Affected Software: Metform Elementor Contact Form Builder – Flexible and Design-Friendly Contact Form builder plugin for WordPress
CVE ID: CVE-2023-1843
CVSS Score: 6.5 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5db00eb6-3e05-42fa-bb84-2df4bcae3955>


WP Directory Kit <= 1.2.2 - Missing Authorization to Plugin Installation, Settings Change/Delete, Demo Import, Directory Kit Deletion via wdk_public_action

Affected Software: WP Directory Kit
CVE ID: CVE-2023-2280
CVSS Score: 6.5 (Medium)
Researcher/s: Ramuel Gall, Lana Codes
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/abb1a758-5c16-4841-b1c7-0705ab16b328>


WP Fastest Cache <= 1.1.4 - Authenticated(Administrator+) Blind Server Side Request Forgery via check_url

Affected Software: WP Fastest Cache
CVE ID: CVE-2023-1938
CVSS Score: 6.5 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b937940c-a3e0-49d3-b066-550b78351b54>


WOLF <= 1.0.6 - Authenticated (Subscriber+) Stored Cross-Site Scripting via wpbe_update_page_field

Affected Software: WOLF – WordPress Posts Bulk Editor and Manager Professional
CVE ID: CVE-2023-31218
CVSS Score: 6.4 (Medium)
Researcher/s: Junsu Yeo
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/2be16ee8-6bae-44d9-bde7-8e893293c3f9>


OSM - OpenStreetMap <= 6.1 - Authenticated(Contributor+) Stored Cross-Site Scripting via shortcode

Affected Software: OSM – OpenStreetMap
CVE ID: CVE-2022-4676
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6dac6353-9e70-482d-b54b-ffde661b212c>


Library Viewer <= 2.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Library Viewer
CVE ID: CVE-2023-32102
CVSS Score: 6.4 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/82c08769-2bb6-4c87-b198-f18216b3e744>


Manager for Icomoon <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Manager for Icomoon
CVE ID: CVE-2023-29387
CVSS Score: 6.4 (Medium)
Researcher/s: deokhunKim
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/8ef75bb4-febf-4009-a6b4-f0b40a4fc903>


TP Education <= 4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcodes

Affected Software: TP Education
CVE ID: CVE-2023-32103
CVSS Score: 6.4 (Medium)
Researcher/s: deokhunKim
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/bfba9979-44a2-4ad4-bb6a-f54f73b628d4>


TheGem < 5.8.1.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting

Affected Software: TheGem
CVE ID: CVE-2023-32237
CVSS Score: 6.4 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/fc4d4103-a19a-45a5-9059-23eb7f72c84b>


TheGem < 5.8.1.1 - Missing Authorization

Affected Software: TheGem
CVE ID: CVE-2023-32238
CVSS Score: 6.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/074e8e37-147d-47ea-93ed-652d7de7be9e>


TheGem < 5.8.1.1 - Improper Authentication

Affected Software: TheGem
CVE ID: CVE-2023-32238
CVSS Score: 6.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/3942bba9-3c3a-47bf-9a53-95376917d6bb>


Easy Appointments <= 3.11.9 - Cross-Site Request Forgery via multiple AJAX actions

Affected Software: Easy Appointments
CVE ID: CVE-2022-36424
CVSS Score: 6.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/461cec8c-77e4-4f20-8dff-c4f675dc235f>


Editorialmag <= 1.1.9 - Missing Authorization to Authenticated Plugin Activation

Affected Software: Editorialmag
CVE ID: CVE-2023-32129
CVSS Score: 6.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5fd470bb-d791-45dc-a743-6f03fc75f00c>


WPO365 | Mail Integration for Office 365 / Outlook <= 1.9.0 - reflected Cross-Site Scripting via error_description

Affected Software: WPO365 | Mail Integration for Office 365 / Outlook
CVE ID: CVE-2023-32119
CVSS Score: 6.1 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/1b3b4b45-5964-490a-991b-c9eb79c670e2>


WPPizza <= 3.17.1 - Reflected Cross-Site Scripting

Affected Software: WPPizza – A Restaurant Plugin
CVE ID: CVE-2023-32105
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/225ac126-7448-4faf-92c7-ee96831b272e>


Loginizer <= 1.7.8 - Reflected Cross-Site Scripting via 'limit_session[count]'

Affected Software: Loginizer
CVE ID: CVE-2023-2296
CVSS Score: 6.1 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/4e6ef932-975c-423b-b780-b38449eec577>


Custom 404 Pro <= 3.7.2 - Reflected Cross-Site Scripting via 's'

Affected Software: Custom 404 Pro
CVE ID: CVE-2023-2023
CVSS Score: 6.1 (Medium)
Researcher/s: Chien Vuong
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5e5bdc92-e682-4121-9ba5-167742f61138>


WP Docs <= 1.9.9 - Reflected Cross-Site Scripting

Affected Software: WP Docs
CVE ID: CVE-2023-32106
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7ac15c0d-74d3-4121-a63e-97dbbe594274>


FV Flowplayer Video Player <= 7.5.32.7212 - Reflected Cross-Site Scripting via id

Affected Software: FV Flowplayer Video Player
CVE ID: CVE-2023-30499
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/9b78834c-cb13-4698-aa19-65f8c6874c8f>


Albo Pretorio Online <= 4.6.3 - Reflected Cross-Site Scripting

Affected Software: Albo Pretorio On line
CVE ID: CVE-2023-32108
CVSS Score: 6.1 (Medium)
Researcher/s: thiennv
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b186c98e-6a8d-4675-aaaa-c6748319dec1>


Advanced Custom Fields PRO <= 6.1.5 - Reflected Cross-Site Scripting via 'post_status'

Affected Software: Advanced Custom Fields Pro
CVE ID: CVE-2023-30777
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/cfb9812b-3804-436b-b665-5e4e599b1bec>


PPOM for WooCommerce <= 32.0.6 - Reflected Cross-Site Scripting

Affected Software: Product Addons & Fields for WooCommerce
CVE ID: CVE-2023-2256
CVSS Score: 6.1 (Medium)
Researcher/s: Alex Sanford
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d223de07-6377-491f-8d2c-9c31aa814792>


Photo Gallery by Ays <= 5.1.3 - Reflected Cross-Site Scripting via ays_gpg_settings_tab

Affected Software: Photo Gallery by Ays – Responsive Image Gallery
CVE ID: CVE-2023-32107
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/db48a271-e649-4dbe-901b-aa55eba9123b>


Albo Pretorio Online <= 4.6.3 - Reflected Cross-Site Scripting

Affected Software: Albo Pretorio On line
CVE ID: CVE-2023-32109
CVSS Score: 6.1 (Medium)
Researcher/s: Phd
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e1a3ea4c-163f-406c-a819-92d3157fd93f>


Advanced Custom Fields <= 6.1.5 - Reflected Cross-Site Scripting via 'post_status'

Affected Software: Advanced Custom Fields (ACF)
CVE ID: CVE-2023-30777
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e7ae8dcd-00b6-4afc-85bb-6697820bb37c>


WP EasyPay <= 4.0.4 - Reflected Cross-Site Scripting

Affected Software: WP EasyPay – Square for WordPress
CVE ID: CVE-2023-1465
CVSS Score: 6.1 (Medium)
Researcher/s: Pablo Sanchez
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e8786f44-09b9-4281-b615-5df4b494a083>


TheGem < 5.8.1.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting

Affected Software: TheGem
CVE ID: CVE-2023-32237
CVSS Score: 5.4 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6134c76d-754b-4e54-aa4e-b791d9321b8e>


Participants Database <= 2.4.9 - Cross-Site Request Forgery via _process_general

Affected Software: Participants Database
CVE ID: CVE-2023-31235
CVSS Score: 5.4 (Medium)
Researcher/s: Skalucy
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a7ce9573-eda5-45c0-8775-966f2fbe9496>


Library Viewer <= 2.0.6 - Open Redirect via 'redirect_to'

Affected Software: Library Viewer
CVE ID: CVE-2023-32101
CVSS Score: 5.4 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b12a7e57-a45f-407a-9dd9-843a628d73ac>


Community by PeepSo <= 6.0.9.0 - Missing Authorization to Sensitive Information Exposure

Affected Software: Community by PeepSo – Social Network, Membership, Registration, User Profiles
CVE ID: CVE-2023-27630
CVSS Score: 5.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/3479e7a4-7719-4438-8bf5-bf9b9990f3f4>


WP Job Portal <= 1.1.9 - Missing Authorization to Settings Modification

Affected Software: WP Job Portal – A Complete Job Board
CVE ID: CVE-2022-41786
CVSS Score: 5.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5ce039db-b597-4bbf-8067-933a262ae1b6>


Multi Rating <= 5.0.6 - Missing Authorization to Arbitrary Ratings Value Change

Affected Software: Multi Rating
CVE ID: CVE-2023-32127
CVSS Score: 5.3 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f3d00464-557f-4177-87aa-f5340b796dbb>


WP-FormAssembly <= 2.0.8 - Limited Server Side Request Forgery via 'formassembly' shortcode

Affected Software: WP-FormAssembly
CVE ID: CVE Unknown
CVSS Score: 5 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/288853b8-7523-472e-8406-257ffb3bd5ea>


Spiffy Calendar <= 4.9.3 - Reflected Cross-Site Scripting via page parameter

Affected Software: Spiffy Calendar
CVE ID: CVE-2023-32122
CVSS Score: 4.7 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5adf03ff-5b87-4ed3-b7ec-b89bc814aba6>


Add to Feedly <= 1.2.11 - Authenticated(Administrator+) Stored Cross-Site Scripting via plugin settings

Affected Software: Add to Feedly
CVE ID: CVE-2023-2470
CVSS Score: 4.4 (Medium)
Researcher/s: Fioravante Souza
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/1496ce98-ee19-4f37-9ec7-eb0fafb5df19>


Advanced Woo Search <= 2.77 - Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: Advanced Woo Search
CVE ID: CVE-2023-2452
CVSS Score: 4.4 (Medium)
Researcher/s: Ivan Kuzymchak
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/4278e9d7-aa1e-47a5-b715-09dae5156303>


UserAgent-Spy <= 1.3.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

Affected Software: UserAgent-Spy
CVE ID: CVE-2023-2490
CVSS Score: 4.4 (Medium)
Researcher/s: Yash Kanchhal
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/434755f8-b2af-4f35-9af9-f0b9578718c8>


Multi Rating <= 5.0.6 - Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

Affected Software: Multi Rating
CVE ID: CVE-2023-32130
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6ca2311c-7b44-4dad-bea0-131776205319>


Login rebuilder <= 2.8.0 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Login rebuilder
CVE ID: CVE-2023-2223
CVSS Score: 4.4 (Medium)
Researcher/s: Taurus Omar
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7ae14765-ba85-4aba-83ae-41f7de2f2551>


PPOM for WooCommerce <= 32.0.5 - Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

Affected Software: Product Addons & Fields for WooCommerce
CVE ID: CVE-2023-1839
CVSS Score: 4.4 (Medium)
Researcher/s: Suprit S Pandurangi
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/8f105002-a19a-4376-af65-7e9416175174>


Participants Database <= 2.4.9 - Authenticated(Administrator+) Stored Cross-Site Scripting via plugin settings

Affected Software: Participants Database
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a52015fe-c4df-46a6-8f23-b33730797f4c>


Hostel <= 1.1.5.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via Manage Bookings

Affected Software: Hostel
CVE ID: CVE-2023-32120
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b4865576-9929-4ce2-a220-935f1f3e0485>


Newsletter Popup <= 1.2 - Cross-Site Request Forgery to Record Deletion

Affected Software: Newsletter Popup
CVE ID: CVE-2023-0766
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/274429f7-1cd1-49e4-a145-dce36bebb9c2>


DX Delete Attached Media <= 2.0.2 - Missing Authorization to Settings Update

Affected Software: DX Delete Attached Media
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7b78004e-caa5-4478-ba16-5f1a10e31541>


Multi Rating <= 5.0.6 - Cross-Site Request Forgery to Arbitrary Ratings Value Change

Affected Software: Multi Rating
CVE ID: CVE-2023-32125
CVSS Score: 4.3 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/80ad0b55-bd85-4240-ae54-f72d6b81ea7c>


WP Job Portal <= 1.1.9 - Cross-Site Request Forgery to Settings Modification

Affected Software: WP Job Portal – A Complete Job Board
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/98a2570c-c757-44ad-9981-af0bf2d3c341>


WOLF <= 1.0.6 - Cross-Site Request Forgery via wpbe_update_page_field

Affected Software: WOLF – WordPress Posts Bulk Editor and Manager Professional
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Junsu Yeo
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a39ca182-981b-4636-acd5-4c8a269858dd>


Image Optimizer by 10web <= 1.0.26 - Authenticated (Administrator+) Directory Traversal

Affected Software: Image Optimizer by 10web – Image Optimizer and Compression plugin
CVE ID: CVE-2023-2117
CVSS Score: 2.7 (Low)
Researcher/s: Chien Vuong
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/9f58a5eb-53cb-4a25-b693-bcd2b7a1cd00>


As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (May 1, 2023 to May 7, 2023) appeared first on Wordfence.
