Ram GallWORDFENCE:F7027F99D0A687FC30564B2086094AE1Wordfence Intelligence Weekly WordPress Vulnerability Report (Mar 13, 2023 to Mar 19, 2023)
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Last week, there were 92 vulnerabilities disclosed in 76 WordPress Plugins and 7 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 34 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface and vulnerability API are completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.
_Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published. _
New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
- UpdraftPlus 1.22.14 to 1.23.2 and UpdraftPlus (Premium) 2.22.14 to 2.23.2 - Privilege Escalation via updraft_central_ajax_handler
- WAF-RULE-565 - Data redacted while we work with the developer to ensure the vulnerability protected by this WAF rule gets patched.
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.
Total Unpatched & Patched Vulnerabilities Last Week
| Patch Status | Number of Vulnerabilities |
|---|---|
| Unpatched | 44 |
| Patched | 48 |
Total Vulnerabilities by CVSS Severity Last Week
| Severity Rating | Number of Vulnerabilities |
|---|---|
| Low Severity | 0 |
| Medium Severity | 80 |
| High Severity | 11 |
| Critical Severity | 1 |
Total Vulnerabilities by CWE Type Last Week
| Vulnerability Type by CWE | Number of Vulnerabilities |
|---|---|
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 37 |
| Cross-Site Request Forgery (CSRF) | 34 |
| Missing Authorization | 13 |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 3 |
| Information Exposure | 3 |
| Server-Side Request Forgery (SSRF) | 1 |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') | 1 |
Researchers That Contributed to WordPress Security Last Week
| Researcher Name | Number of Vulnerabilities |
|---|---|
| Lana Codes | 10 |
| Rio Darmawan | 7 |
| Dave Jong | 6 |
| rezaduty | 5 |
| Mika | 4 |
| minhtuanact | 3 |
| Rafie Muhammad | 3 |
| yuyudhn | 3 |
| Rafshanzani Suhada | 3 |
| Nithissh S | 3 |
| Aman Rawat | 2 |
| Marco Wotschka | 2 |
| Cat | 2 |
| TEAM WEBoB of BoB 11th | 2 |
| Prasanna V Balaji | 2 |
| Daniel Kelley | 2 |
| Ayoub Safa | 2 |
| Muhammad Daffa | 2 |
| FearZzZz | 1 |
| Bhuvanesh Jayaprakash | 1 |
| Erwan LR | 1 |
| Etan Imanol Castro Aldrete | 1 |
| Dimas Aprilianto | 1 |
| dc11 | 1 |
| Shreya Pohekar | 1 |
| Justiice | 1 |
| Nguyen Anh Tien | 1 |
| Vinay Kumar | 1 |
| Abdi Pranata | 1 |
| Brandon James Roldan | 1 |
| Pavak Tiwari | 1 |
| n0paew | 1 |
| Fariq Fadillah Gusti Insani | 1 |
| Le Ngoc Anh | 1 |
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
|---|---|
| Admin side data storage for Contact Form 7 | admin-side-data-storage-for-contact-form-7 |
| Auto Rename Media On Upload | auto-rename-media-on-upload |
| Backup Bank: WordPress Backup Plugin | wp-backup-bank |
| Be POPIA Compliant | be-popia-compliant |
| Branda – White Label WordPress, Custom Login Page Customizer | branda-white-labeling |
| Bulk Resize Media | bulk-resize-media |
| CF7 Invisible reCAPTCHA | cf7-invisible-recaptcha |
| CMS Press | cms-press |
| Calendar Event Multi View | cp-multi-view-calendar |
| Chronoforms | chronoforms |
| Contact Form 7 Redirect & Thank You Page | cf7-redirect-thank-you-page |
| Contact Form 7 – PayPal & Stripe Add-on | contact-form-7-paypal-add-on |
| Contact Form Email | contact-form-to-email |
| Custom Options Plus | custom-options-plus |
| Customify – Intuitive Website Styling | customify |
| Data Tables Generator by Supsystic | data-tables-generator-by-supsystic |
| Drag and Drop Multiple File Upload PRO - Contact Form 7 Standard | drag-n-drop-upload-cf7-pro |
| Dynamics 365 Integration | integration-dynamics |
| Easy Event calendar | easy-event-calendar |
| Ecwid Ecommerce Shopping Cart | ecwid-shopping-cart |
| Embed Any Document – Embed PDF, Word, PowerPoint and Excel Files | embed-any-document |
| Event Manager and Tickets Selling Plugin for WooCommerce | mage-eventpress |
| Exxp | exxp-wp |
| Fluid Checkout for WooCommerce – Lite | fluid-checkout |
| Force First and Last Name as Display Name | force-first-last |
| Google XML Sitemap for Images | google-image-sitemap |
| Google XML Sitemap for Videos | xml-sitemaps-for-videos |
| HT Feed | ht-instagram |
| Hotel Booking Lite | motopress-hotel-booking-lite |
| Import External Images | import-external-images |
| Klaviyo | klaviyo |
| LOGIN AND REGISTRATION ATTEMPTS LIMIT | login-attempts-limit-wp |
| Modern Events Calendar Lite | modern-events-calendar-lite |
| Modern Footnotes | modern-footnotes |
| Open RDW kenteken voertuiginformatie | open-rdw-kenteken-voertuiginformatie |
| PB SEO Friendly Images | pb-seo-friendly-images |
| PhonePe Payment Solutions | phonepe-payment-solutions |
| Photo Gallery, Images, Slider in Rbs Image Gallery | robo-gallery |
| Popup Maker – Popup for opt-ins, lead gen, & more | popup-maker |
| Print Invoice & Delivery Notes for WooCommerce | woocommerce-delivery-notes |
| RapidLoad Power-Up for Autoptimize | unusedcss |
| Redirection | redirect-redirection |
| Return and Warranty Management System for WooCommerce | wc-return-warrranty |
| Reusable Blocks Extended | reusable-blocks-extended |
| SEO Plugin by Squirrly SEO | squirrly-seo |
| SMTP2GO – Email Made Easy | smtp2go |
| Shopping Cart & eCommerce Store | wp-easycart |
| Site Reviews | site-reviews |
| Slide Anything – Responsive Content / HTML Slider and Carousel | slide-anything |
| Slideshow Gallery LITE | slideshow-gallery |
| Solidres – Hotel booking plugin for WordPress | solidres |
| Store Locator for WordPress with Google Maps – LotsOfLocales | store-locator |
| Surbma | GDPR Proof Cookie Consent & Notice Bar |
| Tags Cloud Manager | tags-cloud-manager |
| UpdraftPlus WordPress Backup Plugin | updraftplus |
| User Role by BestWebSoft – Add and Customize Roles and Capabilities in WordPress | user-role |
| WH Testimonials | wh-testimonials |
| WP Basic Elements | wp-basic-elements |
| WP Express Checkout (Accept PayPal Payments Easily) | wp-express-checkout |
| WP Job Portal – A Complete Job Board | wp-job-portal |
| WP Popup Banners | wp-popup-banners |
| WP Shortcode by MyThemeShop | wp-shortcode |
| WP Simple Events | wp-simple-events |
| WSB Brands | wsb-brands |
| Website Monetization by MageNet | website-monetization-by-magenet |
| WooCommerce Weight Based Shipping | weight-based-shipping-for-woocommerce |
| WordPress Console | wordpress-console |
| WordPress Email Marketing Plugin – WP Email Capture | wp-email-capture |
| WordPress Mortgage Calculator Estatik | estatik-mortgage-calculator |
| WordPress Online Booking and Scheduling Plugin – Bookly | bookly-responsive-appointment-booking-tool |
| WordPress Plugin for Google Maps – WP MAPS | wp-google-map-plugin |
| WordPress Simple Shopping Cart | wordpress-simple-paypal-shopping-cart |
| WordPress WP-Advanced-Search | wp-advanced-search |
| Yandex.News Feed by Teplitsa | yandexnews-feed-by-teplitsa |
| eCommerce Product Catalog Plugin for WordPress | ecommerce-product-catalog |
| wpml | wpml |
WordPress Themes with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
|---|---|
| Brilliance | brilliance |
| Chankhe | chankhe |
| Mediciti Lite | mediciti-lite |
| NewsMag | newsmag |
| Real Estate Directory | real-estate-directory |
| Regina Lite | regina-lite |
| intrepidity | intrepidity |
Vulnerability Details
Be POPIA Compliant <= 1.2.0 - Unauthenticated SQL Injection
Affected Software: Be POPIA Compliant CVE ID: CVE-2022-47445 CVSS Score: 9.8 (Critical) Researcher/s: TEAM WEBoB of BoB 11th Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/eecd1497-c94e-4f67-8cc5-72afffe9fae2>
Intrepidity <= 1.5.1 - Cross-Site Request Forgery via mytheme_add_admin
Affected Software: intrepidity CVE ID: CVE-2023-27634 CVSS Score: 8.8 (High) Researcher/s: Dave Jong Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/01cc613a-d0b5-4c8f-8961-8f8aaf63b8ac>
UpdraftPlus 1.22.14 to 1.23.2 and UpdraftPlus (Premium) 2.22.14 to 2.23.2 - Privilege Escalation via updraft_central_ajax_handler
Affected Software: UpdraftPlus WordPress Backup Plugin CVE ID: CVE Unknown CVSS Score: 8.8 (High) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/2e329432-c404-4312-969b-42cac345637d>
WP Popup Banners <= 1.2.5 - Authenticated (Subscriber+) SQL Injection
Affected Software: WP Popup Banners CVE ID: CVE-2023-1471 CVSS Score: 8.8 (High) Researcher/s: Etan Imanol Castro Aldrete Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/8281cb20-73d3-4ab5-910e-d353b2a5cbd8>
User Role by BestWebSoft <= 1.6.6 - Cross-Site Request Forgery to Privilege Escalation
Affected Software: User Role by BestWebSoft – Add and Customize Roles and Capabilities in WordPress CVE ID: CVE-2023-0820 CVSS Score: 8.8 (High) Researcher/s: dc11 Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/8b4bc525-a21f-46f2-895a-c8474f72eb92>
WordPress Email Marketing Plugin – WP Email Capture <= 3.10 - Missing Authorization to Email Capture List Download
Affected Software: WordPress Email Marketing Plugin – WP Email Capture CVE ID: CVE Unknown CVSS Score: 8.2 (High) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a41d78b9-9bdb-48dd-b3ec-2559e79fa251>
Admin side data storage for Contact Form 7 <= 1.1.1 - Unauthenticated Stored Cross-Site Scripting
Affected Software: Admin side data storage for Contact Form 7 CVE ID: CVE-2023-24420 CVSS Score: 7.2 (High) Researcher/s: Bhuvanesh Jayaprakash Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/172b2191-6595-47dd-bf2d-97dc3d17e5ca>
Tags Cloud Manager <= 1.0.0 - Unauthenticated Stored Cross-Site Scripting
Affected Software: Tags Cloud Manager CVE ID: CVE-2023-28166 CVSS Score: 7.2 (High) Researcher/s: Nithissh S Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6ad70391-7ea0-49c0-ac5c-ecf7ddb3c948>
Shopping Cart & eCommerce Store <= 5.4.2 - Authenticated (Admin+) Local File Inclusion via import_file_url
Affected Software: Shopping Cart & eCommerce Store CVE ID: CVE-2023-1124 CVSS Score: 7.2 (High) Researcher/s: Shreya Pohekar Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/936e753b-b3e9-43c9-8686-c610faa8b20e>
WH Testimonials <= 3.0.0 - Unauthenticated Stored Cross-Site Scripting
Affected Software: WH Testimonials CVE ID: CVE-2023-1372 CVSS Score: 7.2 (High) Researcher/s: Daniel Kelley Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b6fe5f1a-787e-4662-915f-c6f04961e194>
Bookly <= 21.5 - Unauthenticated Stored Cross-Site Scripting via Name
Affected Software: WordPress Online Booking and Scheduling Plugin – Bookly CVE ID: CVE-2023-1172 CVSS Score: 7.2 (High) Researcher/s: Vinay Kumar Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c3efbd9d-e2b5-4915-a964-29a49c7fba86>
Return and Warranty Management System for WooCommerce <= 1.2.3 - Unauthenticated Stored Cross-Site Scripting
Affected Software: Return and Warranty Management System for WooCommerce CVE ID: CVE-2023-22710 CVSS Score: 7.2 (High) Researcher/s: Le Ngoc Anh Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/fa1e6527-d874-4003-b36b-5769c2950864>
Slideshow Gallery LITE <= 1.7.6 - Authenticated(Admin+) SQL Injection
Affected Software: Slideshow Gallery LITE CVE ID: CVE-2023-28491 CVSS Score: 6.5 (Medium) Researcher/s: minhtuanact Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/61b07604-b206-4f13-b25f-7a6d54236eb1>
Exxp <= 2.6.8 - Authenticated (Subscriber+) Stored Cross-Site Scripting
Affected Software: Exxp CVE ID: CVE-2022-45812 CVSS Score: 6.4 (Medium) Researcher/s: Aman Rawat Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/0de75f3f-1e6b-42ea-9f08-54c32e37b4c7>
Slide Anything <= 2.4.7 - Authenticated (Author+) Stored Cross-Site Scripting
Affected Software: Slide Anything – Responsive Content / HTML Slider and Carousel CVE ID: CVE-2023-28499 CVSS Score: 6.4 (Medium) Researcher/s: FearZzZz Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/130b069d-d224-44af-b2b4-26be7e081f6b>
Surbma | GDPR Proof Cookie Consent & Notice Bar <= 17.5.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: Surbma | GDPR Proof Cookie Consent & Notice Bar CVE ID: CVE-2023-23894 CVSS Score: 6.4 (Medium) Researcher/s: yuyudhn Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/48b9f3e3-b7fd-4d7c-8f8b-b11ed977aa92>
Robo Gallery <= 3.2.12 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcodes
Affected Software: Photo Gallery, Images, Slider in Rbs Image Gallery CVE ID: CVE-2023-27620 CVSS Score: 6.4 (Medium) Researcher/s: Rafshanzani Suhada Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/4e0424f8-f60f-49c3-9969-a88c830dc0e2>
Ecwid Shopping Cart <= 6.11.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Affected Software: Ecwid Ecommerce Shopping Cart CVE ID: CVE-2023-24408 CVSS Score: 6.4 (Medium) Researcher/s: Lana Codes Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c8c530e2-ce42-40f3-82ab-1df9089a5407>
Embed Any Document – Embed PDF, Word, PowerPoint and Excel Files <= 2.7.1 - Authenticated (Author+) Stored Cross-Site Scripting via SVG files
Affected Software: Embed Any Document – Embed PDF, Word, PowerPoint and Excel Files CVE ID: CVE-2023-23707 CVSS Score: 6.4 (Medium) Researcher/s: n0paew Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/eebe37bf-2983-47c0-afd8-0aa3e7982196>
WP Job Portal <= 1.1.9 - Authenticated (Subscriber+) Stored Cross-Site Scripting
Affected Software: WP Job Portal – A Complete Job Board CVE ID: CVE-2023-28534 CVSS Score: 6.4 (Medium) Researcher/s: Fariq Fadillah Gusti Insani Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f11ea6b2-1225-42a5-aa7b-260315d0bec5>
RapidLoad Power-Up for Autoptimize <= 1.7.1 - Cross-Site Request Forgery
Affected Software: RapidLoad Power-Up for Autoptimize CVE ID: CVE-2023-1472 CVSS Score: 6.3 (Medium) Researcher/s: Marco Wotschka Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/8f9ee168-82b1-4d13-a84e-379f16dcb283>
SEO Plugin by Squirrly SEO <= 12.1.20 - Missing Authorization
Affected Software: SEO Plugin by Squirrly SEO CVE ID: CVE-2022-44626 CVSS Score: 6.3 (Medium) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/9251afbb-1a6d-40c6-b62e-a8866742f669>
Data Tables Generator by Supsystic <= 1.10.25 - Missing Authorization
Affected Software: Data Tables Generator by Supsystic CVE ID: CVE-2023-25043 CVSS Score: 6.3 (Medium) Researcher/s: Rafshanzani Suhada Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ae98e3bd-f663-4609-92ed-ed0431047d85>
Open RDW kenteken voertuiginformatie <= 2.0.14 - Reflected Cross-Site Scripting via open_data_rdw_kenteken
Affected Software: Open RDW kenteken voertuiginformatie CVE ID: CVE-2022-47431 CVSS Score: 6.1 (Medium) Researcher/s: minhtuanact Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/1fa87357-09c0-4e99-8ceb-41a7987c4a57>
Solidres <= 0.9.4 - Reflected Cross-Site Scripting
Affected Software: Solidres – Hotel booking plugin for WordPress CVE ID: CVE-2023-1377 CVSS Score: 6.1 (Medium) Researcher/s: Erwan LR Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/36d9e9cd-7885-4127-b62c-ee0b3aad8846>
SEO Plugin by Squirrly SEO <= 12.1.20 - Reflected Cross-Site Scripting via 'page' and 'tab'
Affected Software: SEO Plugin by Squirrly SEO CVE ID: CVE-2022-45065 CVSS Score: 6.1 (Medium) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/3edce64d-13c2-454a-b5da-0454453f69cb>
WordPress Mortgage Calculator Estatik <= 2.0.7 - Reflected Cross-Site Scripting
Affected Software: WordPress Mortgage Calculator Estatik CVE ID: CVE-2023-28490 CVSS Score: 6.1 (Medium) Researcher/s: minhtuanact Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5ce9dd21-3c89-4ddd-9022-f1edf1224e2d>
Drag and Drop Multiple File Upload PRO - Contact Form 7 Standard <= 2.11.0 - Reflected Cross-Site Scripting
Affected Software: Drag and Drop Multiple File Upload PRO - Contact Form 7 Standard CVE ID: CVE Unknown CVSS Score: 6.1 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/60ae8b8f-bc65-40df-b6ae-4ec8e328dbe5>
WPML <= 4.6.1 - Cross-Site Scripting
Affected Software: wpml CVE ID: CVE Unknown CVSS Score: 6.1 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b5639c00-f34c-45e3-8ff1-dfde7856a80e>
Brilliance <= 1.3.1 - Reflected Cross-Site Scripting
Affected Software: Brilliance CVE ID: CVE-2023-28171 CVSS Score: 6.1 (Medium) Researcher/s: Dave Jong Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e5726c70-c2c7-45b9-bd03-38cf1320646a>
Mediciti Lite <= 1.3.0 - Reflected Cross-Site Scripting
Affected Software: Mediciti Lite CVE ID: CVE-2023-28418 CVSS Score: 6.1 (Medium) Researcher/s: Dave Jong Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ec2825b2-c8df-40fd-b44d-a840be66446f>
Dynamics 365 Integration <= 1.3.12 - Missing Authorization via wp_ajax_wpcrm_log & wp_ajax_wpcrm_log_verbosity
Affected Software: Dynamics 365 Integration CVE ID: CVE-2023-28417 CVSS Score: 5.4 (Medium) Researcher/s: Lana Codes Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/1671e437-09f0-46bc-87ef-3a5712c3dc98>
Force First and Last Name as Display Name <= 1.2 - Cross-Site Request Forgery
Affected Software: Force First and Last Name as Display Name CVE ID: CVE-2023-28419 CVSS Score: 5.4 (Medium) Researcher/s: Mika Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/27d579d5-a4d2-45f7-a7bb-8f384d851d7a>
WP Google Map Plugin <= 4.4.2 - Cross-Site Request Forgery via delete()
Affected Software: WordPress Plugin for Google Maps – WP MAPS CVE ID: CVE-2023-28172 CVSS Score: 5.4 (Medium) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/71f58781-3fb3-4eba-8e5a-f98f006f4607>
Redirect Redirection <= 1.1.4 - Cross-Site Request Forgery to Plugin De-Installation
Affected Software: Redirection CVE ID: CVE Unknown CVSS Score: 5.4 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7d500729-3b1a-4ece-81de-4c1f9afbf798>
Regina Lite <= 2.0.7 - Reflected Cross-Site Scripting
Affected Software: Regina Lite CVE ID: CVE-2023-27619 CVSS Score: 5.4 (Medium) Researcher/s: Dave Jong Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7dcd3452-a340-44e5-b292-347dc69ab863>
WooCommerce Weight Based Shipping <= 5.4.1 - Cross-Site Request Forgery leading to Plugin Settings Changes
Affected Software: WooCommerce Weight Based Shipping CVE ID: CVE-2022-46794 CVSS Score: 5.4 (Medium) Researcher/s: Muhammad Daffa Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b5086b8d-6c74-4970-9937-5ddc5b528495>
Site Reviews <= 6.5.1 - Missing Authorization
Affected Software: Site Reviews CVE ID: CVE-2023-27625 CVSS Score: 5.4 (Medium) Researcher/s: Rafshanzani Suhada Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d94f6cdd-8232-4e0c-b510-0e755c280b58>
Newsmag <= 2.4.4 - Reflected Cross-Site Scripting
Affected Software: NewsMag CVE ID: CVE-2023-28493 CVSS Score: 5.4 (Medium) Researcher/s: Brandon James Roldan Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/debe6f54-0f56-4bc9-a0cd-4f2caa1ed9e3>
WordPress Email Marketing Plugin – WP Email Capture <= 3.10 - Information Exposure via wp_email_capture_options_process
Affected Software: WordPress Email Marketing Plugin – WP Email Capture CVE ID: CVE-2023-28421 CVSS Score: 5.3 (Medium) Researcher/s: Nguyen Anh Tien Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b4570948-1625-44b3-8af6-73765d9710ee>
Popup Maker <= 1.17.1 - Sensitive Data Exposure via debug log file
Affected Software: Popup Maker – Popup for opt-ins, lead gen, & more CVE ID: CVE-2022-47597 CVSS Score: 5.3 (Medium) Researcher/s: rezaduty Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d0240b35-72d0-4943-84cd-5d1574609b36>
Backup Bank: WordPress Backup Plugin <= 4.0.28 - Missing Authorization via post_user_feedback_backup_bank
Affected Software: Backup Bank: WordPress Backup Plugin CVE ID: CVE-2023-28165 CVSS Score: 5.3 (Medium) Researcher/s: Lana Codes Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e5ab6dcd-ef22-4fea-9e35-9358ede3ff5d>
WP Simple Shopping Cart <= 4.6.3 - Information Disclosure
Affected Software: WordPress Simple Shopping Cart CVE ID: CVE-2023-1431 CVSS Score: 5.3 (Medium) Researcher/s: Ayoub Safa Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ea4453bc-557b-4abf-85c6-4aecfd8f4012>
WordPress Console <= 0.3.9 - Missing Authorization via reload.php
Affected Software: WordPress Console CVE ID: CVE-2023-28168 CVSS Score: 5.3 (Medium) Researcher/s: Prasanna V Balaji Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/fd3cd605-6292-4a04-9aee-f4b9a8127e8e>
PhonePe Payment Solutions <= 1.0.15 - Authenticated (Subscriber+) Server-Side Request Forgery
Affected Software: PhonePe Payment Solutions CVE ID: CVE-2022-45835 CVSS Score: 5 (Medium) Researcher/s: Aman Rawat Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/8f24f7e2-2516-4f4d-955f-f3f6001cbce7>
Auto Rename Media On Upload <= 1.0.5 - Authenticated (Administrator+) Stored Cross-Site Scripting
Affected Software: Auto Rename Media On Upload CVE ID: CVE Unknown CVSS Score: 4.4 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/25a566ed-9ed6-4c72-9728-49a0edfb5ba5>
eCommerce Product Catalog plugin for WordPress <= 3.3.8 - Authenticated (Administrator+) Stored Cross-Site Scripting
Affected Software: eCommerce Product Catalog Plugin for WordPress CVE ID: CVE-2023-1470 CVSS Score: 4.4 (Medium) Researcher/s: Marco Wotschka Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/26b7438e-438b-41eb-9458-2fba8ab1964d>
WP Simple Events <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting
Affected Software: WP Simple Events CVE ID: CVE-2023-24376 CVSS Score: 4.4 (Medium) Researcher/s: Nithissh S Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/53de68ad-76a6-4043-8369-7679c1c5c1cd>
Easy Event calendar <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting
Affected Software: Easy Event calendar CVE ID: CVE-2023-28169 CVSS Score: 4.4 (Medium) Researcher/s: Nithissh S Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/57dda8e6-54d1-41db-a54d-4a5d635e23b7>
Yandex.News Feed by Teplitsa <= 1.12.5 - Authenticated (Administrator+) Stored Cross-Site Scripting
Affected Software: Yandex.News Feed by Teplitsa CVE ID: CVE-2023-25052 CVSS Score: 4.4 (Medium) Researcher/s: yuyudhn Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/756810c0-d805-4391-a67b-19b40597d219>
SMTP2GO <= 1.4.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via admin settings
Affected Software: SMTP2GO – Email Made Easy CVE ID: CVE-2023-28496 CVSS Score: 4.4 (Medium) Researcher/s: Rio Darmawan Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7cc618c8-63a9-4321-ad18-ee5277a5f5e0>
WSB Brands <= 1.1.8 - Authenticated (Administrator+) Stored Cross-Site Scripting via $logo
Affected Software: WSB Brands CVE ID: CVE-2022-47437 CVSS Score: 4.4 (Medium) Researcher/s: TEAM WEBoB of BoB 11th Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/89321887-0116-47fb-b65b-008c9fb01b62>
PB SEO Friendly Images <= 4.0.5 - Authenticated (Administrator+) Stored Cross-Site Scripting
Affected Software: PB SEO Friendly Images CVE ID: CVE-2022-47434 CVSS Score: 4.4 (Medium) Researcher/s: Dimas Aprilianto Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/89fc8407-3d1f-4b1b-9b4c-13c0da928231>
CMS Press <= 0.2.3 - Authenticated (Administrator+) Stored Cross-Site Scripting
Affected Software: CMS Press CVE ID: CVE-2023-25452 CVSS Score: 4.4 (Medium) Researcher/s: Prasanna V Balaji Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/905cb57b-70ec-4324-ae66-9c06d1737939>
Modern Footnotes <= 1.4.15 - Authenticated (Administrator+) Stored Cross-Site Scripting
Affected Software: Modern Footnotes CVE ID: CVE-2023-28423 CVSS Score: 4.4 (Medium) Researcher/s: Rio Darmawan Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/94b98842-8c75-4623-8cc9-ad3dc0916a18>
Solidres <= 0.9.4 - Authenticated (Admin+) Stored Cross-Site Scripting
Affected Software: Solidres – Hotel booking plugin for WordPress CVE ID: CVE-2023-1374 CVSS Score: 4.4 (Medium) Researcher/s: Daniel Kelley Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b13ee51b-9f23-428f-9cef-4a9b9b06b0c4>
WP Express Checkout <= 2.2.8 - Authenticated (Admin+) Stored Cross-Site Scripting via pec_coupon
Affected Software: WP Express Checkout (Accept PayPal Payments Easily) CVE ID: CVE-2023-1469 CVSS Score: 4.4 (Medium) Researcher/s: Ayoub Safa Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b35ee801-f04d-4b22-8238-053b02a6ee0c>
Branda – White Label WordPress <= 3.4.8.1 - Authenticated (Administrator+) Stored Cross-Site Scripting
Affected Software: Branda – White Label WordPress, Custom Login Page Customizer CVE ID: CVE Unknown CVSS Score: 4.4 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c3508b46-6920-48b9-9acb-620ea34e07e2>
Klaviyo <= 3.0.7 - Authenticated (Administrator+) Stored Cross-Site Scripting
Affected Software: Klaviyo CVE ID: CVE-2023-25456 CVSS Score: 4.4 (Medium) Researcher/s: Abdi Pranata Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d2b66f27-e4d2-4f6e-be96-b7f967a30885>
Modern Events Calendar lite <= 5.16.2 - Authenticated (Admin+) Stored Cross-Site Scripting
Affected Software: Modern Events Calendar Lite CVE ID: CVE-2023-1400 CVSS Score: 4.4 (Medium) Researcher/s: Pavak Tiwari Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e7465ca4-21e8-4935-b294-e7378b2b01a7>
Slideshow Gallery LITE <= 1.7.6 - Cross-Site Request Forgery via admin_galleries
Affected Software: Slideshow Gallery LITE CVE ID: CVE-2023-28497 CVSS Score: 4.3 (Medium) Researcher/s: Rio Darmawan Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/0a598274-3c67-4751-94d6-49abed38422c>
Google XML Sitemap for Images <= 2.1.3 - Cross-Site Request Forgery via image_sitemap_generate
Affected Software: Google XML Sitemap for Images CVE ID: CVE-2023-28173 CVSS Score: 4.3 (Medium) Researcher/s: Rio Darmawan Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/1165c68d-3da4-45f3-b054-4904e54d18ac>
Slideshow Gallery LITE <= 1.7.6 - Cross-Site Request Forgery via admin_slides
Affected Software: Slideshow Gallery LITE CVE ID: CVE-2023-28497 CVSS Score: 4.3 (Medium) Researcher/s: Rio Darmawan Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/164ec659-e1a6-4267-b6e9-4e37a402e503>
Real Estate Directory <= 1.0.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Activation
Affected Software: Real Estate Directory CVE ID: CVE-2023-28532 CVSS Score: 4.3 (Medium) Researcher/s: Dave Jong Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/17031e21-e697-4e01-8848-c3957f5dac7f>
LOGIN AND REGISTRATION ATTEMPTS LIMIT <= 2.1 - Cross-Site Request Forgery
Affected Software: LOGIN AND REGISTRATION ATTEMPTS LIMIT CVE ID: CVE-2022-47138 CVSS Score: 4.3 (Medium) Researcher/s: rezaduty Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/257052f4-2b0a-4604-befd-651dc338b3d5>
Chronoforms <= 7.0.9 - Cross-Site Request Forgery
Affected Software: Chronoforms CVE ID: CVE-2022-47135 CVSS Score: 4.3 (Medium) Researcher/s: rezaduty Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/2c02b9b2-b41e-4a30-b69a-9cdae86dd7a7>
Real Estate Directory <= 1.0.5 - Cross-Site Request Forgery via rdm_activate_plugin
Affected Software: Real Estate Directory CVE ID: CVE-2023-28532 CVSS Score: 4.3 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/39a50c49-5c24-4ae7-8f77-4f3d98270f8f>
CP Multi View Event Calendar <= 1.4.10 - Missing Authentication leading to Authenticated (Subscriber+) Private Form Submission
Affected Software: Calendar Event Multi View CVE ID: CVE-2023-28492 CVSS Score: 4.3 (Medium) Researcher/s: Lana Codes Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/49ebff14-ce09-4607-8246-50ae028957f6>
Customify <= 2.10.4 - Cross-Site Request Forgery to Settings Update
Affected Software: Customify – Intuitive Website Styling CVE ID: CVE-2023-27633 CVSS Score: 4.3 (Medium) Researcher/s: Mika Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/4b1c0ee5-5329-411c-8030-14bec586d74d>
Fluid Checkout for WooCommerce – Lite <= 2.3.1 - Cross-Site Request Forgery via dismiss_notice
Affected Software: Fluid Checkout for WooCommerce – Lite CVE ID: CVE Unknown CVSS Score: 4.3 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5c8caf17-7844-4f26-b989-d29593b3ffda>
Website Monetization by MageNet <= 1.0.29.1 - Cross-Site Request Forgery via admin_magenet_settings
Affected Software: Website Monetization by MageNet CVE ID: CVE-2023-22673 CVSS Score: 4.3 (Medium) Researcher/s: Mika Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5f1f3562-f869-4442-b77f-c06c5683c1b2>
Bulk Resize Media <= 1.1 - Cross-Site Request Forgery via bulk_resize_resize_image
Affected Software: Bulk Resize Media CVE ID: CVE-2022-46865 CVSS Score: 4.3 (Medium) Researcher/s: Cat Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/605fbfb9-85d8-43ff-a738-ad1a8a9584c3>
Import External Images <= 1.4 - Cross-Site Request Forgery via [placeholder]
Affected Software: Import External Images CVE ID: CVE-2022-46866 CVSS Score: 4.3 (Medium) Researcher/s: Cat Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6785be1c-85d4-48f1-be15-275c71284b3e>
Reusable Blocks Extended <= 0.9 - Cross-Site Request Forgery via reblex_reusable_screen_block_pattern_registration
Affected Software: Reusable Blocks Extended CVE ID: CVE-2023-27611 CVSS Score: 4.3 (Medium) Researcher/s: Rio Darmawan Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/67c2cac8-c3cf-46d1-a592-229081bc31e1>
WP Shortcode by MyThemeShop <= 1.4.16 - Cross-Site Request Forgery
Affected Software: WP Shortcode by MyThemeShop CVE ID: CVE-2023-28495 CVSS Score: 4.3 (Medium) Researcher/s: Lana Codes Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/763fec04-72c5-4910-af97-f58b5b69a02e>
WP Basic Elements <= 5.2.15 - Cross-Site Request Forgery via wpbe_save_settings
Affected Software: WP Basic Elements CVE ID: CVE-2022-47139 CVSS Score: 4.3 (Medium) Researcher/s: rezaduty Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/78e79423-7b69-4d85-a939-96eb5385624c>
Dynamics 365 Integration <= 1.3.12 - Cross-Site Request Forgery via wp_ajax_wpcrm_log
Affected Software: Dynamics 365 Integration CVE ID: CVE Unknown CVSS Score: 4.3 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7945110e-2a9d-4e0e-b0e8-77c16694993b>
Hotel Booking Lite <= 4.6.0 - Cross-Site Request Forgery to Settings Update
Affected Software: Hotel Booking Lite CVE ID: CVE-2023-28498 CVSS Score: 4.3 (Medium) Researcher/s: yuyudhn Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7a874287-c648-4807-8387-b0b47187651e>
CF7 Invisible reCAPTCHA <= 1.3.3 - Cross-Site Request Forgery via vsz_cf7_invisible_recaptcha_page
Affected Software: CF7 Invisible reCAPTCHA CVE ID: CVE-2023-28167 CVSS Score: 4.3 (Medium) Researcher/s: Rio Darmawan Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/8fa1048e-bdcd-41d1-a7c4-196731a60843>
HT Feed <= 1.2.7 - Cross-Site Request Forgery leading to Limited Plugin Activation
Affected Software: HT Feed CVE ID: CVE-2023-23804 CVSS Score: 4.3 (Medium) Researcher/s: Lana Codes Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/95723482-a6c5-4e95-a88d-c50a88108715>
Contact Form Email <= 1.3.31 - Missing Authorization to Feedback Submission
Affected Software: Contact Form Email CVE ID: CVE-2023-28494 CVSS Score: 4.3 (Medium) Researcher/s: Lana Codes Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/9596c243-4099-420a-aa2a-381b6299f927>
Custom Options Plus <= 1.8.1 - Cross-Site Request Forgery via custom_options_plus_adm
Affected Software: Custom Options Plus CVE ID: CVE-2023-28420 CVSS Score: 4.3 (Medium) Researcher/s: Justiice Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/97c8858a-f05d-4159-b914-4e6ae9bf0d79>
Store Locator <= 3.98.7 - Cross-Site Request Forgery to Settings Update
Affected Software: Store Locator for WordPress with Google Maps – LotsOfLocales CVE ID: CVE Unknown CVSS Score: 4.3 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/98ae3315-8361-43bb-be2c-1564f4df8d5b>
Dynamics 365 Integration <= 1.3.12 - Cross-Site Request Forgery via wp_ajax_wpcrm_log_verbosity
Affected Software: Dynamics 365 Integration CVE ID: CVE Unknown CVSS Score: 4.3 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/98e0d103-2369-4c6a-93ae-6be2a1770bae>
Contact Form 7 Redirect & Thank You Page <= 1.0.3 - Cross-Site Request Forgery via cf7rl_admin_table
Affected Software: Contact Form 7 Redirect & Thank You Page CVE ID: CVE-2023-24395 CVSS Score: 4.3 (Medium) Researcher/s: Lana Codes Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/99f831f2-fb96-4dc8-ba3d-6015fbc7e2e1>
WP-Advanced-Search <= 3.3.8 - Cross-Site Request Forgery leading to Plugin Settings Updates
Affected Software: WordPress WP-Advanced-Search CVE ID: CVE-2022-47447 CVSS Score: 4.3 (Medium) Researcher/s: rezaduty Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a2ba21cd-d8f3-402a-b067-1758937d9eb4>
Event Manager for WooCommerce <= 3.7.7 - Cross-Site Request Forgery leading to Uninstall Form Submission
Affected Software: Event Manager and Tickets Selling Plugin for WooCommerce CVE ID: CVE-2022-47164 CVSS Score: 4.3 (Medium) Researcher/s: Lana Codes Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/af59eb6d-1ffa-4593-9bfc-f910d907f6e0>
Contact Form 7 – PayPal & Stripe Add-on <= 1.9.3 - Cross-Site Request Forgery
Affected Software: Contact Form 7 – PayPal & Stripe Add-on CVE ID: CVE-2023-24405 CVSS Score: 4.3 (Medium) Researcher/s: Lana Codes Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c0c13b83-6885-46db-bf33-0b2b63ff06db>
WP Basic Elements <= 5.2.15 - Missing Authorization to Plugin Settings Update via wpbe_save_settings
Affected Software: WP Basic Elements CVE ID: CVE Unknown CVSS Score: 4.3 (Medium) Researcher/s: Unknown Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d6516fc0-4ef8-423b-9cdb-a275996fd98b>
Print Invoice & Delivery Notes for WooCommerce <= 4.7.2 - Cross-Site Request Forgery via ts_reset_tracking_setting
Affected Software: Print Invoice & Delivery Notes for WooCommerce CVE ID: CVE-2022-46795 CVSS Score: 4.3 (Medium) Researcher/s: Muhammad Daffa Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d811782e-3b59-4a46-9a2e-f24ef3dfbd4a>
Chankhe <= 1.0.5 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Activation
Affected Software: Chankhe CVE ID: CVE-2023-28416 CVSS Score: 4.3 (Medium) Researcher/s: Dave Jong Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/efa4b67c-1bb8-413a-8cb8-039168b0b586>
Google XML Sitemap for Videos <= 2.6.1 - Cross-Site Request Forgery via video_sitemap_generate
Affected Software: Google XML Sitemap for Videos CVE ID: CVE-2023-25055 CVSS Score: 4.3 (Medium) Researcher/s: Mika Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/feb4f3dc-9abf-4ee3-834e-e5516652d810>
As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.
This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
The post Wordfence Intelligence Weekly WordPress Vulnerability Report (Mar 13, 2023 to Mar 19, 2023) appeared first on Wordfence.
Related
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H