Wordfence Intelligence Weekly WordPress Vulnerability Report (June 26, 2023 to July 2, 2023)

Ram Gall, www.wordfence.com, 2023-07-06 12:58:56

CVSS v3.1 base score: 9.8 (Critical)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None; Scope: Unchanged; Confidentiality Impact: High; Integrity Impact: High; Availability Impact: High

CVSS v2 base score: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Access Vector: Network; Access Complexity: Low; Authentication: None; Confidentiality Impact: Partial; Integrity Impact: Partial; Availability Impact: Partial

EPSS: 0.158 (percentile 95.2%)

Last week, 66 vulnerabilities disclosed in 56 WordPress plugins and 1 WordPress theme were added to the Wordfence Intelligence Vulnerability Database, and 34 vulnerability researchers contributed to WordPress security. Review the vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, including the WordPress community, so that individuals and organizations alike can use that data to make the internet more secure. That is why the Wordfence Intelligence user interface and vulnerability API are completely free to access and use, both personally and commercially, and why we publish this weekly vulnerability report.
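Every entry in this report identifies the affected software by its slug and by a maximum affected version (the "<= x.y.z" in each title), which is what a site owner needs to answer "is my site affected?" without reading all 66 entries. The Python below is an added example, not Wordfence code: it matches entries in the report's title format against a plugin inventory. The inventory sample is constructed to mirror the fields of `wp plugin list --format=json`, the four report entries are copied from the details section of this report, and the version comparison follows PHP's version_compare() rules (the ones WordPress itself uses for update checks), so that "4.7" is correctly treated as older than "4.67" rather than compared as a decimal number. Function names are this example's own.

```python
"""Match this report's "<= version" entries against a site's installed plugins.

Added example, not Wordfence code. INSTALLED_JSON is constructed to mirror the
shape of `wp plugin list --format=json`; REPORT_ENTRIES are copied from the
details section of this report.
"""
import json
import re

# PHP version_compare() ranks these special strings; plain numbers sit in the '#' slot.
SPECIAL_RANK = {"dev": 0, "alpha": 1, "a": 1, "beta": 2, "b": 2,
                "RC": 3, "rc": 3, "#": 4, "pl": 5, "p": 5}


def _parts(version):
    # Canonicalise like PHP: -_+ become dots and a dot is inserted at every
    # digit/letter boundary, so "1.9.9.0" -> [1,9,9,0] and "2.0RC1" -> [2,0,RC,1].
    v = re.sub(r"[-_+]", ".", version)
    v = re.sub(r"(\d)([A-Za-z])", r"\1.\2", v)
    v = re.sub(r"([A-Za-z])(\d)", r"\1.\2", v)
    return [p for p in v.split(".") if p]


def _key(part):
    if part.isdigit():
        return (SPECIAL_RANK["#"], int(part))
    return (SPECIAL_RANK.get(part, -1), 0)   # unknown strings rank below "dev"


def version_compare(a, b):
    """-1, 0 or 1 with PHP version_compare() semantics (what WordPress uses for updates)."""
    pa, pb = _parts(a), _parts(b)
    # A missing component ranks just below a number but above RC/beta/alpha/dev,
    # so "1.0" < "1.0.0" and "1.0" > "1.0RC1", as in PHP.
    missing = (SPECIAL_RANK["#"], -1)
    for i in range(max(len(pa), len(pb))):
        ka = _key(pa[i]) if i < len(pa) else missing
        kb = _key(pb[i]) if i < len(pb) else missing
        if ka != kb:
            return -1 if ka < kb else 1
    return 0


TITLE_RE = re.compile(r"^(?P<name>.+?)\s*<=\s*(?P<max>[0-9A-Za-z._+\-]+)\s+-\s+(?P<issue>.+)$")


def parse_entry(title):
    """Split 'Name <= max - Issue' (the report's title format) into its three parts."""
    m = TITLE_RE.match(title)
    if not m:
        raise ValueError(f"unrecognised title format: {title!r}")
    return m.group("name"), m.group("max"), m.group("issue")


def affected_plugins(installed_json, report_entries):
    """Return (slug, installed_version, issue, patch_status) for every installed
    plugin whose version falls within an entry's affected range. Inactive plugins
    are deliberately not skipped: their files stay on disk."""
    installed = {p["name"]: p["version"] for p in json.loads(installed_json)}
    hits = []
    for slug, title, patch_status in report_entries:
        _, max_affected, issue = parse_entry(title)
        if slug in installed and version_compare(installed[slug], max_affected) <= 0:
            hits.append((slug, installed[slug], issue, patch_status))
    return hits


# Constructed inventory (same field names as `wp plugin list --format=json`).
INSTALLED_JSON = """[
  {"name": "ultimate-member", "status": "active", "update": "available", "version": "2.6.6"},
  {"name": "sp-client-document-manager", "status": "active", "update": "none", "version": "4.7"},
  {"name": "wpjobboard", "status": "inactive", "update": "none", "version": "5.9.0"},
  {"name": "post-smtp", "status": "active", "update": "none", "version": "2.5.7"},
  {"name": "akismet", "status": "active", "update": "none", "version": "5.1"}
]"""

# (slug, report title, patch status) copied from this report.
REPORT_ENTRIES = [
    ("ultimate-member",
     "Ultimate Member <= 2.6.6 - Privilege Escalation via Arbitrary User Meta Updates", "Patched"),
    ("sp-client-document-manager",
     "SP Project & Document Manager <= 4.67 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary User Password Change", "Patched"),
    ("wpjobboard", "WPJobBoard <= 5.9.0 - Unauthenticated SQL Injection", "Unpatched"),
    ("post-smtp", "POST SMTP Mailer <= 2.5.6 - Cross-Site Request Forgery to Account Compromise", "Patched"),
]

if __name__ == "__main__":
    for slug, ver, issue, status in affected_plugins(INSTALLED_JSON, REPORT_ENTRIES):
        print(f"{slug} {ver}: {issue} [{status}]")
```

With the sample inventory the checker flags three plugins: Ultimate Member at exactly the boundary version, SP Project & Document Manager at 4.7 (older than 4.67 once versions are compared component by component), and WPJobBoard, which is inactive but still present. The WPJobBoard hit carries "Unpatched", which is the important distinction in this report: a patched entry is closed by updating, an unpatched one has no fixed version to update to and the plugin should be removed or otherwise mitigated.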

_Click here to sign up for our mailing list to receive weekly vulnerability reports like this one, and important WordPress security reports, in your inbox the moment they are published._


New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30-day delay.


Total Unpatched & Patched Vulnerabilities Last Week

| Patch Status | Number of Vulnerabilities |
|---|---|
| Unpatched | 26 |
| Patched | 40 |

Total Vulnerabilities by CVSS Severity Last Week

| Severity Rating | Number of Vulnerabilities |
|---|---|
| Low Severity | 0 |
| Medium Severity | 52 |
| High Severity | 9 |
| Critical Severity | 5 |

Total Vulnerabilities by CWE Type Last Week

| Vulnerability Type by CWE | Number of Vulnerabilities |
|---|---|
| Cross-Site Request Forgery (CSRF) | 22 |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 17 |
| Missing Authorization | 8 |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 4 |
| Authorization Bypass Through User-Controlled Key | 3 |
| Authentication Bypass Using an Alternate Path or Channel | 2 |
| Information Exposure | 2 |
| Server-Side Request Forgery (SSRF) | 2 |
| Improper Neutralization of Formula Elements in a CSV File | 2 |
| Improper Privilege Management | 1 |
| Incorrect Privilege Assignment | 1 |
| Use of Hard-coded Cryptographic Key | 1 |
| Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') | 1 |

Researchers That Contributed to WordPress Security Last Week

| Researcher Name | Number of Vulnerabilities |
|---|---|
| Lana Codes (Wordfence Vulnerability Researcher) | 6 |
| Cat | 5 |
| Erwan LR | 4 |
| Rafie Muhammad | 4 |
| Rafshanzani Suhada | 3 |
| Dave Jong | 2 |
| Marco Wotschka (Wordfence Vulnerability Researcher) | 2 |
| Dipak Panchal | 1 |
| NeginNrb | 1 |
| emad | 1 |
| Ravi Dharmawan | 1 |
| Justiice | 1 |
| Marc-Alexandre Montpas | 1 |
| Lukas Kinneberg | 1 |
| Kenichiro Ito | 1 |
| coogee86 | 1 |
| Muhammad Daffa | 1 |
| Mika | 1 |
| Elliot | 1 |
| Chris Shultz | 1 |
| Le Ngoc Anh | 1 |
| Hoang Van Hiep | 1 |
| FearZzZz | 1 |
| Felipe Restrepo Rodriguez | 1 |
| Edison Poveda | 1 |
| yuyudhn | 1 |
| Etan Imanol Castro Aldrete | 1 |
| Abdi Pranata | 1 |
| qilin_99 | 1 |
| Taurus Omar | 1 |
| Luca Greeb | 1 |
| Andreas Krüger | 1 |
| Abu Hurayra | 1 |
| Rafael B. | 1 |

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.


WordPress Plugins with Reported Vulnerabilities Last Week

| Software Name | Software Slug |
|---|---|
| AN_GradeBook | an-gradebook |
| ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup | armember-membership |
| Active Directory Integration / LDAP Integration | ldap-login-for-intranet-sites |
| ApplyOnline – Application Form Builder and Manager | apply-online |
| Autochat Automatic Conversation | auyautochat-for-wp |
| AutomateWoo | automatewoo |
| Booked - Appointment Booking for WordPress | booked |
| Caldera Forms Google Sheets Connector | gsheetconnector-caldera-forms |
| Catalyst Connect Zoho CRM Client Portal | catalyst-connect-client-portal |
| Duplicate Post Page Menu & Custom Post Type | duplicate-post-page-menu-custom-post-type |
| Easy Accordion FAQ and Knowledge Base Software for WordPress | knowledge-center |
| Editorial Calendar | editorial-calendar |
| Email download link | email-download-link |
| EmbedPress – Embed PDF, YouTube, Google Docs, Vimeo, Wistia Videos, Audios, Maps & Any Documents in Gutenberg & Elementor | embedpress |
| Enhanced Text Widget | enhanced-text-widget |
| Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button – Chaty | chaty |
| Form Builder \| Create Responsive Contact Forms | |
| Guest posting / Frontend Posting wordpress plugin – WP Front User Submit / Front Editor | front-editor |
| Image Map Pro – Drag-and-drop Builder for Interactive Images – Lite | image-map-pro-lite |
| Image Regenerate & Select Crop | image-regenerate-select-crop |
| Layer Slider | slider-slideshow |
| LearnDash LMS | sfwd-lms |
| LiquidPoll – Advanced Polls for Creators and Brands | wp-poll |
| Login Configurator | login-configurator |
| Login/Signup Popup ( Inline Form + Woocommerce ) | easy-login-woocommerce |
| My Content Management | my-content-management |
| NEX-Forms – Ultimate Form Builder – Contact forms and much more | nex-forms-express-wp-form-builder |
| NOO Timetable | noo-timetable |
| POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress | post-smtp |
| Poll Maker – Best WordPress Poll Plugin | poll-maker |
| Post Hit Counter | post-hit-counter |
| Post to CSV by BestWebSoft | post-to-csv |
| Quiz Expert – Easy Quiz Maker, Exam and Test Manager | quiz-expert |
| Request a Quote | request-a-quote |
| SP Project & Document Manager | sp-client-document-manager |
| SW Product Bundles | sw-product-bundles |
| Salon booking system | salon-booking-system |
| Short URL | shorten-url |
| Subscribe2 – Form, Email Subscribers & Newsletters | subscribe2 |
| TrustProfile and reviews for WordPress | trustprofile |
| Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin | ultimate-member |
| WP Abstracts | wp-abstracts-manuscripts-manager |
| WP Job Board | wpjobboard |
| WP Post Author – The Ideal Author Box for WordPress Posts, Co-Authors and Guest Authors with Author Login and Registration Form Builder | wp-post-author |
| WP Social AutoConnect | wp-fb-autoconnect |
| WPFactory Helper | wpcodefactory-helper |
| WPGraphQL | wp-graphql |
| Waitlist Woocommerce ( Back in stock notifier ) | waitlist-woocommerce |
| Web3 – Crypto wallet Login & NFT token gating | web3-authentication |
| WebwinkelKeur: Webshop keurmerk & reviews for WordPress | webwinkelkeur |
| WooCommerce Google Sheet Connector | wc-gsheetconnector |
| WooCommerce Pre-Orders | woocommerce-pre-orders |
| WooCommerce Ship to Multiple Addresses | woocommerce-shipping-multiple-addresses |
| Woocommerce Order Barcodes | woocommerce-order-barcodes |
| WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) | miniorange-login-openid |
| houzez-crm | houzez-crm |

WordPress Themes with Reported Vulnerabilities Last Week

| Software Name | Software Slug |
|---|---|
| The7 — Website and eCommerce Builder for WordPress | dt-the7 |

Vulnerability Details

WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) <= 7.6.4 - Authentication Bypass
Affected Software: WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn)
CVE ID: CVE-2023-2982
CVSS Score: 9.8 (Critical)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/08ca186a-2486-4a58-9c53-03e9eba13e66

WP Post Author <= 3.2.3 - Privilege Escalation
Affected Software: WP Post Author – The Ideal Author Box for WordPress Posts, Co-Authors and Guest Authors with Author Login and Registration Form Builder
CVE ID: CVE Unknown
CVSS Score: 9.8 (Critical)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/155e3de1-e115-4683-bb4d-a0c5667dc3d3

Ultimate Member <= 2.6.6 - Privilege Escalation via Arbitrary User Meta Updates
Affected Software: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
CVE ID: CVE-2023-3460
CVSS Score: 9.8 (Critical)
Researcher/s: Marc-Alexandre Montpas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4b0e763e-f03e-41fb-8c6c-4de5d3acae00

WPJobBoard <= 5.9.0 - Unauthenticated SQL Injection
Affected Software: WP Job Board
CVE ID: CVE-2023-36525
CVSS Score: 9.8 (Critical)
Researcher/s: FearZzZz
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8cd1d385-001c-4c84-9a80-553315336a63

Web3 – Crypto wallet Login & NFT token gating <= 2.6.0 - Authentication Bypass
Affected Software: Web3 – Crypto wallet Login & NFT token gating
CVE ID: CVE-2023-3249
CVSS Score: 9.8 (Critical)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e30b62de-7280-4c29-b882-dfa83e65966b

LearnDash LMS <= 4.6.0 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary User Password Change
Affected Software: LearnDash LMS
CVE ID: CVE-2023-3105
CVSS Score: 8.8 (High)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2318b3e1-268d-45fa-83bf-c6e88f1b9013

Houzez CRM <= 1.3.3 - Authenticated (Subscriber+) SQL Injection
Affected Software: houzez-crm
CVE ID: CVE-2023-36529
CVSS Score: 8.8 (High)
Researcher/s: Dave Jong
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/54c14f04-32ec-4d05-b47b-3ff5e70c4daf

AN_GradeBook <= 5.0.1 - Authenticated (Subscriber+) SQL Injection
Affected Software: AN_GradeBook
CVE ID: CVE-2023-2636
CVSS Score: 8.8 (High)
Researcher/s: Lukas Kinneberg
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/60d59753-5b6b-4f3e-8faf-8053750ae05d

SP Project & Document Manager <= 4.67 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary User Password Change
Affected Software: SP Project & Document Manager
CVE ID: CVE-2023-3063
CVSS Score: 8.8 (High)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6dc2e720-85d9-42d9-94ef-eb172425993d

Short URL <= 1.6.4 - Authenticated (Subscriber+) SQL Injection
Affected Software: Short URL
CVE ID: CVE-2022-46860
CVSS Score: 8.8 (High)
Researcher/s: Le Ngoc Anh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/86908097-a5b2-427a-85c9-fbe29b519883

Form Builder <= 1.9.9.0 - Unauthenticated CSV Injection
Affected Software: Form Builder | Create Responsive Contact Forms
CVE ID: CVE-2023-23796
CVSS Score: 8.3 (High)
Researcher/s: Rafshanzani Suhada
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/432807d0-64d8-49b1-a4ab-33aa8fbc5189

Active Directory Integration / LDAP Integration <= 4.1.5 - Authenticated (Subscriber+) LDAP Injection
Affected Software: Active Directory Integration / LDAP Integration
CVE ID: CVE-2023-3447
CVSS Score: 7.6 (High)
Researcher/s: Luca Greeb, Andreas Krüger
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cd7553e8-e43d-4740-b2ee-e3d8dc351e53

Post to CSV by BestWebSoft <= 1.4.0 - Authenticated (Author+) CSV Injection
Affected Software: Post to CSV by BestWebSoft
CVE ID: CVE-2023-36527
CVSS Score: 7.4 (High)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/74f0af24-e4d9-4b89-b91e-c6ec3e3918e7

Autochat Automatic Conversation <= 1.1.7 - Unauthenticated Stored Cross-Site Scripting
Affected Software: Autochat Automatic Conversation
CVE ID: CVE-2023-3041
CVSS Score: 7.2 (High)
Researcher/s: Rafael B.
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e9ad533d-4ec0-42a0-99fc-75fc59498c94

Email download link <= 3.7 - Unauthenticated Sensitive Information Exposure
Affected Software: Email download link
CVE ID: CVE-2023-36523
CVSS Score: 6.5 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/29d6df4e-eaf6-42ec-8cd9-7cf86908f4ef

POST SMTP Mailer <= 2.5.6 - Cross-Site Request Forgery to Account Compromise
Affected Software: POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress
CVE ID: CVE-2023-3179
CVSS Score: 6.5 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6ca16602-52e6-4d14-99a5-ca4e26b9f377

Booked <= 2.4 - Unauthenticated Sensitive Information Exposure
Affected Software: Booked - Appointment Booking for WordPress
CVE ID: CVE-2022-36399
CVSS Score: 6.5 (Medium)
Researcher/s: coogee86
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6f917973-e207-4ba3-b61b-e562e884fe0f

Image Regenerate & Select Crop <= 7.1.0 - Missing Authorization on multiple AJAX actions
Affected Software: Image Regenerate & Select Crop
CVE ID: CVE Unknown
CVSS Score: 6.5 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b0eb165f-c979-4318-8362-ca47500ed845

AutomateWoo <= 5.7.5 - Missing Authorization
Affected Software: AutomateWoo
CVE ID: CVE-2023-36512
CVSS Score: 6.5 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cb51383f-03c8-4e81-bfed-40fd9f5c4d20

Image Regenerate & Select Crop <= 7.1.0 - Cross-Site Request Forgery on multiple AJAX actions
Affected Software: Image Regenerate & Select Crop
CVE ID: CVE Unknown
CVSS Score: 6.5 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e8596412-53d5-45ed-998a-49799bd269d0

Front User Submit | Front Editor <= 3.8.4 - Authenticated (Subscriber+) Stored Cross-Site Scripting
Affected Software: Guest posting / Frontend Posting wordpress plugin – WP Front User Submit / Front Editor
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5bc03b4a-f7ec-4827-b914-0560b9268b6f

NOO Timetable <= 2.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: NOO Timetable
CVE ID: CVE-2022-45821
CVSS Score: 6.4 (Medium)
Researcher/s: Cat
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5fab1ae8-2aa4-452a-a594-64088c92b5c3

Image Map Pro – Drag-and-drop Builder for Interactive Images – Lite <= 1.0.0 - Missing Authorization to Stored Cross-Site Scripting
Affected Software: Image Map Pro – Drag-and-drop Builder for Interactive Images – Lite
CVE ID: CVE-2023-3412
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b58403df-af09-4d74-88e6-140e3f2f291b

Layer Slider <= 1.1.9.7 - Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: Layer Slider
CVE ID: CVE-2023-23798
CVSS Score: 6.4 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f5ac3714-27f1-4258-a1ab-12b969b31793

Image Map Pro – Drag-and-drop Builder for Interactive Images – Lite <= 1.0.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Affected Software: Image Map Pro – Drag-and-drop Builder for Interactive Images – Lite
CVE ID: CVE-2023-3411
CVSS Score: 6.1 (Medium)
Researcher/s: Kenichiro Ito
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/63e108f4-5d9d-4bcf-aef9-aa856f4241ea

WPFactory Helper <= 1.5.2 - Reflected Cross-Site Scripting via item_slug
Affected Software: WPFactory Helper
CVE ID: CVE Unknown
CVSS Score: 6.1 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7c77259a-cdf3-4fa0-b468-9e98645293fe

WooCommerce Pre-Orders <= 2.0.1 - Reflected Cross-Site Scripting
Affected Software: WooCommerce Pre-Orders
CVE ID: CVE Unknown
CVSS Score: 6.1 (Medium)
Researcher/s: Chris Shultz
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7f73d0a6-2eae-4d85-96ce-db5902bd6e3a

Login Configurator <= 2.1 - Reflected Cross-Site Scripting
Affected Software: Login Configurator
CVE ID: CVE-2023-1893
CVSS Score: 6.1 (Medium)
Researcher/s: Taurus Omar
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cb148264-c75e-4e73-95d7-3a06cdd8990e

WPGraphQL <= 1.14.5 - Authenticated (Editor+) Server-Side Request Forgery
Affected Software: WPGraphQL
CVE ID: CVE-2023-23684
CVSS Score: 5.5 (Medium)
Researcher/s: Ravi Dharmawan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/38efd6d6-b931-41a7-b55d-b98cdeef4145

Waitlist Woocommerce ( Back in stock notifier ) <= 2.5.2 - Cross-Site Request Forgery via reset_settings
Affected Software: Waitlist Woocommerce ( Back in stock notifier )
CVE ID: CVE Unknown
CVSS Score: 5.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/69cc2fd1-b576-49f6-8afc-54f00058de8c

Editorial Calendar <= 3.7.12 - Authenticated (Contributor+) Insecure Direct Object Reference
Affected Software: Editorial Calendar
CVE ID: CVE-2023-36520
CVSS Score: 5.4 (Medium)
Researcher/s: Elliot
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7f01ad95-7a51-408c-917f-4350dbeabb2b

Salon Booking System <= 8.4.6 - Cross-Site Request Forgery to Admin Role Change to Customer, User Meta Update via save_customer
Affected Software: Salon booking system
CVE ID: CVE-2023-3427
CVSS Score: 5.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/93875f19-d9b9-4e33-bba9-afc75cf26bf2

EmbedPress <= 3.7.3 - Sensitive Information Exposure
Affected Software: EmbedPress – Embed PDF, YouTube, Google Docs, Vimeo, Wistia Videos, Audios, Maps & Any Documents in Gutenberg & Elementor
CVE ID: CVE-2023-3371
CVSS Score: 5.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c1033b4d-82a0-4484-aebf-f35d6a2a9a13

NEX-Forms - Ultimate Form Builder <= 8.4.3 - Authenticated Stored Cross-Site Scripting via Form Name
Affected Software: NEX-Forms – Ultimate Form Builder – Contact forms and much more
CVE ID: CVE-2023-0439
CVSS Score: 4.8 (Medium)
Researcher/s: Felipe Restrepo Rodriguez, Edison Poveda
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a333d5b4-cedf-40ac-8da9-f4965d2a397a

Poll Maker <= 4.6.2 - Authenticated (Admin+) Server-Side Request Forgery
Affected Software: Poll Maker – Best WordPress Poll Plugin
CVE ID: CVE-2023-34013
CVSS Score: 4.7 (Medium)
Researcher/s: Abu Hurayra
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e55ba61d-6fd0-4269-8ee9-3b8645d52e1d

Floating Chat Widget - Chaty <= 3.1.1 - Authenticated (Administrator+) Stored Cross-Site Scripting
Affected Software: Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button – Chaty
CVE ID: CVE-2023-3245
CVSS Score: 4.4 (Medium)
Researcher/s: Dipak Panchal
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0a158653-f80c-48a3-840e-20ee7e85925a

SP Project & Document Manager <= 4.67 - Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Affected Software: SP Project & Document Manager
CVE ID: CVE-2023-36530
CVSS Score: 4.4 (Medium)
Researcher/s: emad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/37eb77ed-0b2e-46ea-806d-8041742eab5d

Knowledge Center <= 2.7 - Authenticated (Admin+) Cross-Site Scripting
Affected Software: Easy Accordion FAQ and Knowledge Base Software for WordPress
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6309c706-f84a-4997-9a9b-1bd8cf8f711a

Catalyst Connect Zoho CRM Client Portal <= 2.0.0 - Authenticated (Administrator+) Stored Cross-Site Scripting
Affected Software: Catalyst Connect Zoho CRM Client Portal
CVE ID: CVE-2022-44629
CVSS Score: 4.4 (Medium)
Researcher/s: Hoang Van Hiep
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/88cea535-1042-4011-aee9-684d7661e193

My Content Management <= 1.7.6 - Authenticated (Administrator+) Stored Cross-Site Scripting
Affected Software: My Content Management
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9fc18fee-5813-4134-8c4d-44710665857a

ApplyOnline – Application Form Builder and Manager <= 2.5 - Authenticated (Administrator+) Stored Cross-Site Scripting
Affected Software: ApplyOnline – Application Form Builder and Manager
CVE ID: CVE-2023-24391
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a5dbcc22-ab2e-4114-a7d7-bac01a5c5b3f

Short URL <= 1.6.4 - Authenticated (Admin+) Stored Cross-Site Scripting
Affected Software: Short URL
CVE ID: CVE-2023-1602
CVSS Score: 4.4 (Medium)
Researcher/s: Etan Imanol Castro Aldrete
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a5f29f35-da79-4389-a0a5-a1be0b0b8996

ARMember <= 4.0.4 - Authenticated (Administrator+) Stored Cross-Site Scripting
Affected Software: ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup
CVE ID: CVE-2022-47421
CVSS Score: 4.4 (Medium)
Researcher/s: Cat
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fa2ed43b-cd8f-4d09-8576-d215c835a684

NOO Timetable <= 2.1.3 - Cross-Site Request Forgery
Affected Software: NOO Timetable
CVE ID: CVE-2022-45828
CVSS Score: 4.3 (Medium)
Researcher/s: Cat
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/13046019-f390-48ae-bf08-53293c41f178

Waitlist Woocommerce ( Back in stock notifier ) <= 2.5.2 - Cross-Site Request Forgery to Settings Reset
Affected Software: Waitlist Woocommerce ( Back in stock notifier )
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/20910787-b99d-475e-acc9-cc2bb669aa56

TrustProfile <= 3.24 - Cross-Site Request Forgery
Affected Software: TrustProfile and reviews for WordPress
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/296f15eb-0782-4351-a2c5-c8ef6f005352

Quiz Expert – Easy Quiz Maker, Exam and Test Manager <= 1.5.0 - Cross-Site Request Forgery
Affected Software: Quiz Expert – Easy Quiz Maker, Exam and Test Manager
CVE ID: CVE-2023-36522
CVSS Score: 4.3 (Medium)
Researcher/s: NeginNrb
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/32ee3eb8-18b7-47da-b4f9-cb252ffabc71

Login/Signup Popup <= 2.3 - Cross-Site Request Forgery to Settings Reset
Affected Software: Login/Signup Popup ( Inline Form + Woocommerce )
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3fa62b8f-1c2f-4bc9-9f2a-8b9765c2d30d

Post Hit Counter <= 1.3.2 - Missing Authorization
Affected Software: Post Hit Counter
CVE ID: CVE-2023-36518
CVSS Score: 4.3 (Medium)
Researcher/s: Cat
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4049f8fb-ad81-4f09-97b3-39ac6a9275d6

Duplicate Post Page Menu & Custom Post Type <= 2.3.1 - Missing Authorization
Affected Software: Duplicate Post Page Menu & Custom Post Type
CVE ID: CVE-2023-36526
CVSS Score: 4.3 (Medium)
Researcher/s: Justiice
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/44e84fd9-bc83-4780-ab7a-8898a8c5c78a

The7 <= 11.6.0 - Cross-Site Request Forgery
Affected Software: The7 — Website and eCommerce Builder for WordPress
CVE ID: CVE-2023-32123
CVSS Score: 4.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4f481478-5dc9-4b11-ba3e-1942882a9f43

WP Social AutoConnect <= 4.6.1 - Cross-Site Request Forgery via jfb_admin_page
Affected Software: WP Social AutoConnect
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/50f69182-66c0-4d3a-aabe-015b72937f3e

Enhanced Text Widget <= 1.5.7 - Missing Authorization
Affected Software: Enhanced Text Widget
CVE ID: CVE-2023-23823
CVSS Score: 4.3 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7487f72c-9852-4651-a848-239d4882bbf8

Subscribe2 <= 10.40 - Cross-Site Request Forgery
Affected Software: Subscribe2 – Form, Email Subscribers & Newsletters
CVE ID: CVE-2023-3407
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/92b4d800-2895-4f7b-8b3b-ee6df75a7908

Request a Quote <= 2.3.10 - Cross-Site Request Forgery
Affected Software: Request a Quote
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9854d09a-2fab-46e6-9fc1-ff6d68df2662

WebwinkelKeur <= 3.24 - Cross-Site Request Forgery
Affected Software: WebwinkelKeur: Webshop keurmerk & reviews for WordPress
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a077e95f-7912-4b94-89f3-54f37adfcd8e

AutomateWoo <= 5.7.5 - Cross-Site Request Forgery
Affected Software: AutomateWoo
CVE ID: CVE-2023-36513
CVSS Score: 4.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a33c8a80-e11e-403d-9eb0-e1c5b59204b0

LiquidPoll – Advanced Polls for Creators and Brands <= 3.3.68 - Missing Authorization via activate_addon
Affected Software: LiquidPoll – Advanced Polls for Creators and Brands
CVE ID: CVE-2023-36531
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/aa154536-9f9f-48c3-96c7-4091991e4f6c

SW Product Bundles <= 2.0.15 - Missing Authorization
Affected Software: SW Product Bundles
CVE ID: CVE-2023-36519
CVSS Score: 4.3 (Medium)
Researcher/s: Cat
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b0ceff94-e312-41da-acec-15d550aba792

POST SMTP Mailer <= 2.5.6 - Cross-Site Request Forgery to Arbitrary Log Deletion
Affected Software: POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress
CVE ID: CVE-2023-3178
CVSS Score: 4.3 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b1af4be1-a9d6-4f44-91b3-22cf3130cc34

Caldera Forms Google Sheets Connector <= 1.2 - Cross-Site Request Forgery
Affected Software: Caldera Forms Google Sheets Connector
CVE ID: CVE-2023-2330
CVSS Score: 4.3 (Medium)
Researcher/s: Erwan LR
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b5ec03e9-06bb-4677-b480-4ebdb33acd08

WooCommerce Ship to Multiple Addresses <= 3.8.5 - Cross-Site Request Forgery
Affected Software: WooCommerce Ship to Multiple Addresses
CVE ID: CVE-2023-36514
CVSS Score: 4.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bda44801-6599-459d-a70c-164f563bf158

Subscribe2 <= 10.40 - Missing Authorization
Affected Software: Subscribe2 – Form, Email Subscribers & Newsletters
CVE ID: CVE-2023-1844
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c34ce601-5cf9-433f-bc9d-5c705eba6b08

WP Abstracts <= 2.6.2 - Cross-Site Request Forgery
Affected Software: WP Abstracts
CVE ID: CVE-2023-36517
CVSS Score: 4.3 (Medium)
Researcher/s: qilin_99
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c5b74908-65ed-4b6f-856f-e95cfd64f998

WooCommerce Order Barcodes <= 1.6.4 - Cross-Site Request Forgery
Affected Software: Woocommerce Order Barcodes
CVE ID: CVE-2023-36511
CVSS Score: 4.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cefa38d0-7da1-48dd-98d7-fe2f36e19d7c

WooCommerce Google Sheet Connector <= 1.3.4 - Cross-Site Request Forgery
Affected Software: WooCommerce Google Sheet Connector
CVE ID: CVE-2023-2329
CVSS Score: 4.3 (Medium)
Researcher/s: Erwan LR
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e30e64e7-5de9-4eb3-914f-457daa6f3fe5


As a reminder, Wordfence maintains Wordfence Intelligence, an industry-leading vulnerability database covering all known WordPress core, theme, and plugin vulnerabilities.

The database is continuously updated and maintained by Wordfence's experienced vulnerability researchers. It is populated through in-house vulnerability research, through direct submissions from researchers via our CVE Request form, and by monitoring a range of sources to capture all publicly available WordPress vulnerability information, with additional context added where we can.

Click here to sign up for our mailing list to receive weekly vulnerability reports like this one, and important WordPress security reports, in your inbox the moment they are published.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (June 26, 2023 to July 2, 2023) appeared first on Wordfence.
