Wordfence Intelligence Weekly WordPress Vulnerability Report (January 8, 2024 to January 14, 2024)

Chloe Chamberland, www.wordfence.com, 2024-01-18 14:52:18
AI Score: 9.2 (High), confidence: High. EPSS: 0.033 (Low), percentile: 91.3%.

🎉Wordfence just launched its bug bounty program. For the first 6 months, all awarded bounties receive a 10% bonus. View the announcement to learn more now!

Last week, 67 vulnerabilities disclosed in 60 WordPress plugins and no WordPress themes were added to the Wordfence Intelligence Vulnerability Database, and 29 vulnerability researchers contributed to WordPress security. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, including the WordPress community, so that individuals and organizations alike can use that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and use, both personally and commercially, and why we are running this weekly vulnerability report.

Enterprises, hosting providers, and even individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Alternatively, use the vulnerability database API to receive a complete dump of our database of over 12,000 vulnerabilities, then use the webhook integration to stay on top of the newest vulnerabilities added in real time, as well as any updates made to the database, all for free.
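As an added example (not Wordfence's own code, and not a reproduction of the real API's JSON schema), the script below shows the core of such a regular scan: it takes the installed plugins' slugs and versions, parses affected-version constraints in the notation this report uses ("<= 1.5.1", "< 8.4.0"), and compares versions so that "2.0" equals "2.0.0" and "2.0.23" sorts below "2.1". The feed entries are constructed by hand from entries in this report; in practice you would populate them from the vulnerability API dump and the webhook updates, whose field names are not reproduced here and are assumed to map onto the Vuln shape below.

```python
"""Check installed WordPress plugins against a vulnerability feed.

Added example, not Wordfence's code. FEED is constructed by hand from entries
in this report; the real Wordfence Intelligence API's JSON field names are not
reproduced here (assumption: you map its slug, affected-version constraint and
patched flag into the Vuln shape below).
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    slug: str          # plugin directory name, as in the "Software Slug" column
    title: str
    constraint: str    # affected range in the report's notation: "<= 1.5.1", "< 8.4.0"
    cvss: float
    patched: bool


# Constructed from this report's entries (slug, affected range, CVSS, patch status).
FEED = [
    Vuln("ai-engine", "CVE-2023-51409 Unauthenticated Arbitrary File Upload via rest_upload",
         "<= 1.9.98", 9.8, True),
    Vuln("post-smtp", "CVE-2023-6875 Authorization Bypass via type connect-app API",
         "<= 2.8.7", 9.8, True),
    Vuln("woocommerce", "Reflected Cross-Site Scripting", "< 8.4.0", 6.1, True),
    Vuln("beds24-online-booking", "CVE-2023-52228 Stored Cross-Site Scripting",
         "<= 2.0.23", 6.4, False),
    Vuln("wps-hide-login", "CVE-2023-49748 Hidden Login Page Location Disclosure",
         "<= 1.9.11", 3.7, False),
]

# Constructed inventory: slug -> installed version, as read from each plugin's
# "Version:" header (assumption: versions are plain dotted numerics).
INSTALLED = {
    "ai-engine": "1.9.98",
    "post-smtp": "2.8.8",
    "woocommerce": "8.4.0",
    "beds24-online-booking": "2.1",
    "wps-hide-login": "1.9.11",
    "contact-form-7": "5.8.6",
}

_CONSTRAINT = re.compile(r"^\s*(<=|<)\s*([0-9][0-9.]*)\s*$")


def version_key(version: str) -> tuple:
    """Turn a dotted version into a comparable tuple.

    Trailing zero components are dropped so "2.0" == "2.0.0"; Python's tuple
    ordering then gives (2,) < (2, 0, 23) < (2, 1), which is how plugin
    versions are meant to compare.
    """
    parts = [int(p) for p in re.findall(r"\d+", version)]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_affected(installed: str, constraint: str) -> bool:
    """True when `installed` lies inside the affected range `constraint`."""
    m = _CONSTRAINT.match(constraint)
    if not m:
        raise ValueError(f"unsupported constraint: {constraint!r}")
    op, bound = m.groups()
    inst, lim = version_key(installed), version_key(bound)
    return inst <= lim if op == "<=" else inst < lim


def scan(installed: dict, feed: list, min_cvss: float = 0.0) -> list:
    """Return one finding per matching (installed plugin, feed entry), highest CVSS first."""
    findings = []
    for v in feed:
        version = installed.get(v.slug)
        if version is None or v.cvss < min_cvss:
            continue
        if is_affected(version, v.constraint):
            findings.append({
                "slug": v.slug, "installed": version, "title": v.title,
                "affected": v.constraint, "cvss": v.cvss, "patched": v.patched,
            })
    return sorted(findings, key=lambda f: -f["cvss"])


if __name__ == "__main__":
    for f in scan(INSTALLED, FEED):
        fix = "update available" if f["patched"] else "UNPATCHED: consider disabling"
        print(f'{f["cvss"]:>4} {f["slug"]} {f["installed"]} ({f["affected"]}) {f["title"]} [{fix}]')
```

Run against the constructed inventory, the scan reports ai-engine 1.9.98 (patched upstream, so an update fixes it) and wps-hide-login 1.9.11 (unpatched at report time); post-smtp 2.8.8, WooCommerce 8.4.0 and Beds24 2.1 are outside their affected ranges. The `min_cvss` threshold is what you would tune to page on critical findings only while logging the rest.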

Click here to sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress security reports in your inbox the moment they are published.


New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

  • Stored Cross-Site Scripting via Block
  • WAF-RULE-666 - This is for an undisclosed vulnerability that we are working with the vendor on getting patched.
  • WAF-RULE-665 - This is for an undisclosed vulnerability that we are working with the vendor on getting patched.

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.


Total Unpatched & Patched Vulnerabilities Last Week

Patch Status | Number of Vulnerabilities
Unpatched | 12
Patched | 55

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating | Number of Vulnerabilities
Low Severity | 1
Medium Severity | 54
High Severity | 7
Critical Severity | 5

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE | Number of Vulnerabilities
Cross-Site Request Forgery (CSRF) | 20
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 19
Missing Authorization | 8
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 4
Unrestricted Upload of File with Dangerous Type | 4
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | 3
Information Exposure | 2
Information Exposure Through Debug Information | 1
Exposure of Private Information ('Privacy Violation') | 1
Use of Less Trusted Source | 1
Protection Mechanism Failure | 1
Server-Side Request Forgery (SSRF) | 1
Authorization Bypass Through User-Controlled Key | 1
Improper Access Control | 1

Researchers That Contributed to WordPress Security Last Week

Researcher Name | Number of Vulnerabilities
Francesco Carlucci | 5
Rafie Muhammad | 4
Dave Jong | 3
Daniel Ruf | 2
Nex Team | 2
drop | 2
Artem Guzhva (hexcat) | 2
Ngô Thiên An (ancorn_) | 2
Abdi Pranata | 2
Brandon James Roldan (tomorrowisnew) | 2
Webbernaut | 2
Dateoljo of BoB 12th | 1
Lucio Sá | 1
LVT-tholv2k | 1
Le Ngoc Anh | 1
Huynh Tien Si | 1
Mika | 1
Joshua Chan | 1
Abu Hurayra (HurayraIIT) | 1
Akbar Kustirama | 1
Yudistira Arya | 1
Naveen Muthusamy | 1
thiennv | 1
Yuchen Ji | 1
Dmitrii Ignatyev | 1
Rafshanzani Suhada | 1
Ulyses Saicha | 1
Elliot | 1
Nicolas Decayeux | 1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.


WordPress Plugins with Reported Vulnerabilities Last Week

Software Name | Software Slug
AI Engine: Chatbots, Generators, Assistants, GPT 4 and more! | ai-engine
ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup | armember-membership
Advanced Flamingo | advanced-flamingo
Advanced Woo Search | advanced-woo-search
Auto Affiliate Links | wp-auto-affiliate-links
Beds24 Online Booking | beds24-online-booking
Constant Contact Forms by MailMunch | constant-contact-forms-by-mailmunch
Contact Form 7 Connector | ari-cf7-connector
Contact Form 7 Extension For Mailchimp | contact-form-7-mailchimp-extension
Contact Form 7 – Dynamic Text Extension | contact-form-7-dynamic-text-extension
Customer Reviews for WooCommerce | customer-reviews-woocommerce
Download Monitor | download-monitor
Droit Elementor Addons – Widgets, Blocks, Templates Library For Elementor Builder | droit-elementor-addons
ElementsKit Elementor addons | elementskit-lite
Email Encoder – Protect Email Addresses and Phone Numbers | email-encoder-bundle
Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates | essential-blocks
EventON | eventon-lite
EventON Pro | eventon
Football Pool | football-pool
Formidable Forms – Contact Form, Survey, Quiz, Payment, Calculator Form & Custom Form Builder | formidable
GD Rating System | gd-rating-system
Gallery Plugin for WordPress – Envira Photo Gallery | envira-gallery-lite
Happy Addons for Elementor | happy-elementor-addons
Index Now | mihdan-index-now
InstaWP Connect – 1-click WP Staging & Migration | instawp-connect
List category posts | list-category-posts
MailerLite – WooCommerce integration | woo-mailerlite
Metform Elementor Contact Form Builder | metform
Newsletter – Send awesome emails from WordPress | newsletter
OneClick Chat to Order | oneclick-whatsapp-order
Order Export & Order Import for WooCommerce | order-import-export-for-woocommerce
PDF Invoices & Packing Slips for WooCommerce | woocommerce-pdf-invoices-packing-slips
POST SMTP – The #1 WordPress SMTP Plugin with Advanced Email Logging and Delivery Failure Notifications | post-smtp
Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions | paid-memberships-pro
Photos and Files Contest Gallery – Contact Form, Upload Form, Social Share and Voting Plugin for WordPress | contest-gallery
Plugin for Google Reviews | widget-google-reviews
Products, Order & Customers Export for WooCommerce | export-woocommerce
Profile Builder Pro | profile-builder-pro
RabbitLoader | rabbit-loader
Schema & Structured Data for WP & AMP | schema-and-structured-data-for-wp
Seraphinite Accelerator | seraphinite-accelerator
Seraphinite Alternative Slugs Manager | seraphinite-old-slugs-mgr
Shortcodes Finder | shortcodes-finder
Simple Inventory Management – just scan barcode to manage products and orders. For WooCommerce | barcode-scanner-lite-pos-to-manage-products-inventory-and-orders
Swift SMTP (formerly Welcome Email Editor) | welcome-email-editor
TNC PDF viewer | pdf-viewer-by-themencode
The Events Calendar | the-events-calendar
Voting Record | voting-record
WP Register Profile With Shortcode | wp-register-profile-with-shortcode
WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc | wp-sms
WP Spell Check | wp-spell-check
WP Testimonials | testimonial-widgets
WPS Hide Login | wps-hide-login
WooCommerce | woocommerce
Woocommerce Vietnam Checkout | woo-vietnam-checkout
Word Replacer Pro | word-replacer-ultra
WordPress Button Plugin MaxButtons | maxbuttons
WordPress Live Chat Plugin for Elementor – LiveChat | livechat-elementor
WordPress Live Chat Plugin for WooCommerce – LiveChat | livechat-woocommerce
WordPress Manutenção | wp-manutencao

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you'd like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

Barcode Scanner with Inventory & Order Manager <= 1.5.1 - Unauthenticated Arbitrary File Upload via uploadFile

Affected Software: Simple Inventory Management – just scan barcode to manage products and orders. For WooCommerce
CVE ID: CVE-2023-52221
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/34439db4-1b66-4ccb-bf84-fddef6bc1f88


Customer Reviews for WooCommerce <= 5.38.9 - Authenticated (Author+) Arbitrary File Upload

Affected Software: Customer Reviews for WooCommerce
CVE ID: CVE-2023-6979
CVSS Score: 9.8 (Critical)
Researcher/s: Artem Guzhva (hexcat)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4af801db-44a6-4cd3-bd1a-3125490c8c48


AI Engine: ChatGPT Chatbot <= 1.9.98 - Unauthenticated Arbitrary File Upload via rest_upload

Affected Software: AI Engine: Chatbots, Generators, Assistants, GPT 4 and more!
CVE ID: CVE-2023-51409
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a3fc4bac-9be0-4a1c-b4bb-4384d80e22f7


Barcode Scanner with Inventory & Order Manager <= 1.5.1 - Unauthenticated SQL Injection via userToken

Affected Software: Simple Inventory Management – just scan barcode to manage products and orders. For WooCommerce
CVE ID: CVE-2023-52215
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ba18bd0c-ba6c-4f98-ac29-660a79affa6c


POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress <= 2.8.7 - Authorization Bypass via type connect-app API

Affected Software: POST SMTP – The #1 WordPress SMTP Plugin with Advanced Email Logging and Delivery Failure Notifications
CVE ID: CVE-2023-6875
CVSS Score: 9.8 (Critical)
Researcher/s: Ulyses Saicha
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e675d64c-cbb8-4f24-9b6f-2597a97b49af


WP Testimonials <= 1.4.4 - Authenticated (Contributor+) SQL Injection

Affected Software: WP Testimonials
CVE ID: CVE Unknown
CVSS Score: 8.8 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4da18aad-3c82-4bc6-8dad-523643c12d5b


WP Register Profile With Shortcode <= 3.5.9 - Cross-Site Request Forgery to User Password Reset

Affected Software: WP Register Profile With Shortcode
CVE ID: CVE-2023-5448
CVSS Score: 8.8 (High)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ca564941-4780-4da2-b937-c9bd45966d81


Profile Builder Pro <= 3.10.0 - Cross-Site Request Forgery

Affected Software: Profile Builder Pro
CVE ID: CVE-2024-22140
CVSS Score: 8.8 (High)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f4c8932b-ede8-4f17-9612-5493c1130170


Download Monitor <= 4.9.4 - Authenticated (Admin+) SQL Injection

Affected Software: Download Monitor
CVE ID: CVE Unknown
CVSS Score: 7.2 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/105ae6be-2cb7-4ab2-8e4c-5d3ff84c5b9f


Order Export & Order Import for WooCommerce <= 2.4.3 - Authenticated (Shop Manager+) Arbitrary File Upload via upload_import_file

Affected Software: Order Export & Order Import for WooCommerce
CVE ID: CVE-2024-22135
CVSS Score: 7.2 (High)
Researcher/s: Dateoljo of BoB 12th
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/15ce2e54-ca5a-4dbc-9795-6e989e85b330


PDF Invoices & Packing Slips for WooCommerce <= 3.7.5 - Authenticated (Shop Manager+) SQL Injection

Affected Software: PDF Invoices & Packing Slips for WooCommerce
CVE ID: CVE-2024-22147
CVSS Score: 7.2 (High)
Researcher/s: Yudistira Arya
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a92e307d-b3c0-441a-abac-580a60dd44cf


Index Now <= 2.6.3 - Cross-Site Request Forgery via reset_form

Affected Software: Index Now
CVE ID: CVE-2024-0428
CVSS Score: 7.1 (High)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c7641d52-e930-4143-9180-2903d018da91


EventON - WordPress Virtual Event Calendar Plugin Pro <= 4.5.4 & Free <= 2.2.7 - Missing Authorization to Arbitrary Post Meta Update via evo_eventpost_update_meta

Affected Software/s: EventON, EventON Pro
CVE ID: CVE-2023-6158
CVSS Score: 6.5 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/19f94c4f-145b-4058-aabd-06525fce3cea


List category posts <= 0.89.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: List category posts
CVE ID: CVE-2023-6994
CVSS Score: 6.5 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/611871cc-737f-44e3-baf5-dbaa8bd8eb81


EventON - WordPress Virtual Event Calendar Plugin <= 4.5.4 (Pro) & <= 2.2.8 (Free) - Cross-Site Request Forgery via save_virtual_event_settings

Affected Software/s: EventON, EventON Pro
CVE ID: CVE-2023-6244
CVSS Score: 6.5 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6fcc3a82-f116-446e-9e5f-4f074e20403b


Profile Builder Pro <= 3.10.0 - Authenticated (Subscriber+) Time-Based One-Time Password Sensitive Information Exposure

Affected Software: Profile Builder Pro
CVE ID: CVE-2024-22141
CVSS Score: 6.5 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a388b406-1640-443d-9656-6a87588ce201


Word Replacer Pro <= 1.0 - Missing Authorization

Affected Software: Word Replacer Pro
CVE ID: CVE-2023-52229
CVSS Score: 6.5 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bd31e8b0-6089-4521-a80f-e65e61ad062f


GD Rating System <= 3.5.0 - Unauthenticated Stored Cross-Site Scripting via IP

Affected Software: GD Rating System
CVE ID: CVE Unknown
CVSS Score: 6.5 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c0b3662d-e369-4978-aa7a-debbb3ee37e4


EventON - WordPress Virtual Event Calendar Plugin Pro <= 4.5.4 & Free <= 2.2.7 - Cross-Site Request Forgery via evo_eventpost_update_meta

Affected Software/s: EventON, EventON Pro
CVE ID: CVE-2023-6242
CVSS Score: 6.5 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c8e9a333-a6b7-4b5e-93c1-b95566e5d6fb


Formidable Forms <= 6.7 - HTML Injection

Affected Software: Formidable Forms – Contact Form, Survey, Quiz, Payment, Calculator Form & Custom Form Builder
CVE ID: CVE-2023-6830
CVSS Score: 6.5 (Medium)
Researcher/s: drop
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ff294b0f-97fe-4d27-bf93-f5bbb57ac1f6


Happy Elementor Addons <= 3.10.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Happy Addons for Elementor
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1453815d-4e28-41ec-9aa4-4fd2899c619a


Voting Record <= 2.0 - Authenticated (Subscriber+) Stored Cross-Site Scripting

Affected Software: Voting Record
CVE ID: CVE-2023-7084
CVSS Score: 6.4 (Medium)
Researcher/s: Daniel Ruf
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/286c3e26-07a8-4fca-9fdc-98e62ae88b67


OneClick Chat to Order <= 1.0.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: OneClick Chat to Order
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3e4aaf2e-a0c6-47d2-9eb8-d65952a74424


Beds24 Online Booking <= 2.0.23 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Beds24 Online Booking
CVE ID: CVE-2023-52228
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6fc2b2a5-00b0-424e-8678-c6b5cd76baec


TNC PDF viewer <= 2.8.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: TNC PDF viewer
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7a5f29ce-e266-4f52-af63-159253e7987c


Constant Contact Forms by MailMunch <= 2.0.11 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Constant Contact Forms by MailMunch
CVE ID: CVE-2024-22137
CVSS Score: 6.4 (Medium)
Researcher/s: Abu Hurayra (HurayraIIT)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a84bd9c8-97bd-4572-8bfa-5191d98c9523


Plugin for Google Reviews <= 3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Affected Software: Plugin for Google Reviews
CVE ID: CVE-2023-6884
CVSS Score: 6.4 (Medium)
Researcher/s: Akbar Kustirama
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a8971d54-b54e-4e62-9db2-fa87d2564599


WP SMS <= 6.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c9141ad3-86cf-47ae-be99-d78f0337f2ca


Email Encoder – Protect Email Addresses and Phone Numbers <= 2.1.9 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Email Encoder – Protect Email Addresses and Phone Numbers
CVE ID: CVE-2023-7070
CVSS Score: 6.4 (Medium)
Researcher/s: Webbernaut
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f5afe6ea-93b8-4782-8593-76468e370a45


Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates <= 4.4.6 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates
CVE ID: CVE-2023-7071
CVSS Score: 6.4 (Medium)
Researcher/s: Webbernaut
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f969cb24-734f-46e5-a74d-fddf8e61e096


Football pool <= 2.11.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Football Pool
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ff150706-5fbf-4881-976b-89fdaf637fb1


ARMember <= 4.0.22 - Cross-Site Request Forgery

Affected Software: ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup
CVE ID: CVE-2023-52200
CVSS Score: 6.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/88907f28-7b1d-4a5a-b846-67dfd21d6488


WooCommerce < 8.4.0 - Reflected Cross-Site Scripting

Affected Software: WooCommerce
CVE ID: CVE Unknown
CVSS Score: 6.1 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/43810a17-89b4-44f5-887e-1ad0989ea5b4


Profile Builder Pro <= 3.10.0 - Reflected Cross-Site Scripting

Affected Software: Profile Builder Pro
CVE ID: CVE-2024-22142
CVSS Score: 6.1 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/578d8ca7-7042-493d-92b4-63241b4bdfca


Shortcodes Finder <= 1.5.4 - Reflected Cross-Site Scripting

Affected Software: Shortcodes Finder
CVE ID: CVE-2024-21750
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8eb77a53-4aea-46c3-8eea-a16f728dfa23


Advanced Woo Search <= 2.96 - Reflected Cross-Site Scripting

Affected Software: Advanced Woo Search
CVE ID: CVE-2024-0251
CVSS Score: 6.1 (Medium)
Researcher/s: Artem Guzhva (hexcat)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/91358e40-e64f-4e8e-b5a3-7d2133db5fe9


Voting Record <= 2.0 - Cross-Site Request Forgery to Settings Update and Cross-Site Scripting

Affected Software: Voting Record
CVE ID: CVE-2023-7083
CVSS Score: 6.1 (Medium)
Researcher/s: Daniel Ruf
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f93aa003-5b8b-4836-af65-80df2f9fbdb6


Auto Affiliate Links <= 6.4.2.7 - Cross-Site Request Forgery

Affected Software: Auto Affiliate Links
CVE ID: CVE Unknown
CVSS Score: 5.8 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d89918e1-b525-4d32-9b11-5e014eb02c16


Metform Elementor Contact Form Builder <= 3.8.1 - Cross-Site Request Forgery

Affected Software: Metform Elementor Contact Form Builder
CVE ID: CVE-2023-6788
CVSS Score: 5.4 (Medium)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/30fd2425-ee48-4777-91c1-03906d63793a


Schema & Structured Data for WP & AMP <= 1.25 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Schema & Structured Data for WP & AMP
CVE ID: CVE-2024-22146
CVSS Score: 5.4 (Medium)
Researcher/s: LVT-tholv2k
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5ca21247-c443-4808-8397-790669453bfc


RabbitLoader <= 2.19.13 - Missing Authorization via multiple AJAX actions

Affected Software: RabbitLoader
CVE ID: CVE-2024-21751
CVSS Score: 5.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/958118ec-437e-45c8-a0f0-6aaf54e60d04


MailerLite – WooCommerce integration <= 2.0.8 - Cross-Site Request Forgery via Multiple AJAX Functions

Affected Software: MailerLite – WooCommerce integration
CVE ID: CVE-2023-52223
CVSS Score: 5.4 (Medium)
Researcher/s: Brandon James Roldan (tomorrowisnew)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9ea7ccb0-c0fb-4ef3-8041-9bf5abe36e3f


Contact Form 7 Extension For Mailchimp <= 0.5.70 - Authenticated (Subscriber+) Server-Side Request Forgery

Affected Software: Contact Form 7 Extension For Mailchimp
CVE ID: CVE-2024-22134
CVSS Score: 5.4 (Medium)
Researcher/s: Yuchen Ji
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bed25977-040e-4427-b1e3-e9be9733b31f


Paid Memberships Pro <= 2.12.6 - Information Exposure in Debug Logs

Affected Software: Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/852b1895-3bed-4c2f-912c-c136b38a09bb


Seraphinite Accelerator <= 2.20.45 - Unauthenticated Sensitive Information Exposure via Log File

Affected Software: Seraphinite Accelerator
CVE ID: CVE-2024-22138
CVSS Score: 5.3 (Medium)
Researcher/s: Joshua Chan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a5991df2-1aab-4d07-9e30-1257aa9ec884


WordPress Manutenção <= 1.0.6 - IP Spoofing to Maintenance Mode Bypass

Affected Software: WordPress Manutenção
CVE ID: CVE-2024-22139
CVSS Score: 5.3 (Medium)
Researcher/s: Brandon James Roldan (tomorrowisnew)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a6664039-554b-43bf-8925-00c1e62e28f5


The Events Calendar <= 6.2.8.2 - Unauthenticated Sensitive Information Exposure

Affected Software: The Events Calendar
CVE ID: CVE-2023-6557
CVSS Score: 5.3 (Medium)
Researcher/s: Nicolas Decayeux
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fc40196e-c0f3-4bc6-ac4b-b866902def61


ElementsKit Lite <= 3.0.3 - Unauthenticated Sensitive Information Exposure

Affected Software: ElementsKit Elementor addons
CVE ID: CVE-2023-6582
CVSS Score: 5.3 (Medium)
Researcher/s: Nex Team
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ff4ae5c8-d164-4c2f-9bf3-83934c22cf4c


Newsletter <= 8.0.6 - Cross-Site Request Forgery

Affected Software: Newsletter – Send awesome emails from WordPress
CVE ID: CVE Unknown
CVSS Score: 4.7 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5c24ee66-7b57-4e4c-bbb5-0451fc24ce4b


Contest Gallery <= 21.2.8.4 - Cross-Site Request Forgery

Affected Software: Photos and Files Contest Gallery – Contact Form, Upload Form, Social Share and Voting Plugin for WordPress
CVE ID: CVE Unknown
CVSS Score: 4.7 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f2b5213d-fdc5-4c98-9a05-15d83bd7308f


Formidable Forms <= 6.7 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Formidable Forms – Contact Form, Survey, Quiz, Payment, Calculator Form & Custom Form Builder
CVE ID: CVE-2023-6842
CVSS Score: 4.4 (Medium)
Researcher/s: drop
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/47e402c3-e06c-4ac9-8c60-5666cb1101ce


Woocommerce Vietnam Checkout <= 2.0.8 - Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: Woocommerce Vietnam Checkout
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5344499d-c183-4164-a52c-0dca7873f63d


WordPress Button Plugin MaxButtons <= 9.7.4 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: WordPress Button Plugin MaxButtons
CVE ID: CVE-2023-6594
CVSS Score: 4.4 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cfe2cabd-98f6-4ebc-8a02-e6951202aa88


Swift SMTP <= 5.0.6 - Cross-Site Request Forgery

Affected Software: Swift SMTP (formerly Welcome Email Editor)
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1b9ed184-814d-46cb-979c-908bc9359fae


LiveChat Elementor <= 1.0.13 - Cross-Site Request Forgery

Affected Software: WordPress Live Chat Plugin for Elementor – LiveChat
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/32c2a25d-e660-4700-8df3-b043cf6aa78a


Envira Gallery Lite <= 1.8.7.2 - Missing Authorization to Gallery Modification via envira_gallery_insert_images

Affected Software: Gallery Plugin for WordPress – Envira Photo Gallery
CVE ID: CVE-2023-6742
CVSS Score: 4.3 (Medium)
Researcher/s: Nex Team
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/40655278-6915-4a76-ac2d-bb161d3cee92


InstaWP Connect <= 0.1.0.8 - Cross-Site Request Forgery via create_file_db_manager

Affected Software: InstaWP Connect – 1-click WP Staging & Migration
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5954c35a-7d0a-4bc5-9cad-3223e7be56eb


Seraphinite Alternative Slugs Manager <= 1.3 - Cross-Site Request Forgery

Affected Software: Seraphinite Alternative Slugs Manager
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/66377ee2-cc87-4cfe-a4e4-cef4459bf2ec


MailerLite – WooCommerce integration <= 2.0.8 - Missing Authorization via Multiple Functions

Affected Software: MailerLite – WooCommerce integration
CVE ID: CVE-2023-52227
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/757690b0-6c59-4e74-aad2-f5fde9f7a2fb


LiveChat WooCommerce <= 2.2.16 - Cross-Site Request Forgery

Affected Software: WordPress Live Chat Plugin for WooCommerce – LiveChat
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/872f13bc-e6d0-4307-b2c9-b55a44df1016


Advanced Flamingo <= 1.0 - Cross-Site Request Forgery

Affected Software: Advanced Flamingo
CVE ID: CVE-2023-52226
CVSS Score: 4.3 (Medium)
Researcher/s: Huynh Tien Si
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9ce8ad5f-05e8-4279-915a-1c94559d4e56


WP Spell Check <= 9.17 - Cross-Site Request Forgery

Affected Software: WP Spell Check
CVE ID: CVE-2024-22143
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9eef053c-16a1-4624-8393-08e78b221d4f


Contact Form 7 – Dynamic Text Extension <= 4.1.0 - Insecure Direct Object Reference

Affected Software: Contact Form 7 – Dynamic Text Extension
CVE ID: CVE-2023-6630
CVSS Score: 4.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a3f1d836-da32-414f-9f2b-d485c44b2486


Contact Form 7 Connector <= 1.2.2 - Cross-Site Request Forgery

Affected Software: Contact Form 7 Connector
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b437020c-31a3-413e-a1da-b4781da34f10


Products & Order Export for WooCommerce <= 2.0.7 - Missing Authorization

Affected Software: Products, Order & Customers Export for WooCommerce
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/da1f68a5-8ca7-4744-9b73-09e767072885


Droit Elementor Addons <= 3.1.5 - Cross-Site Request Forgery

Affected Software: Droit Elementor Addons – Widgets, Blocks, Templates Library For Elementor Builder
CVE ID: CVE-2024-22136
CVSS Score: 4.3 (Medium)
Researcher/s: Elliot
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e7b49fd1-2d1e-4083-bc1d-010a9c8f4c2f


WPS Hide Login <= 1.9.11 - Hidden Login Page Location Disclosure

Affected Software: WPS Hide Login
CVE ID: CVE-2023-49748
CVSS Score: 3.7 (Low)
Researcher/s: Naveen Muthusamy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bb81e90f-8da4-483c-9bc1-18b6c016df5e


As a reminder, Wordfence has curated an industry-leading vulnerability database, Wordfence Intelligence, covering all known WordPress core, theme, and plugin vulnerabilities.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, through vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring various sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.
