Wordfence Intelligence Weekly WordPress Vulnerability Report (Apr 24, 2023 to Apr 30, 2023)

2023-05-04 12:54:16
Ram Gall
www.wordfence.com
EPSS: 0.049 (Low), percentile 92.8%

Last week, 77 vulnerabilities disclosed in 68 WordPress plugins and 3 WordPress themes were added to the Wordfence Intelligence Vulnerability Database, and 32 vulnerability researchers contributed to WordPress security. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface and vulnerability API are completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

_Click here to sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published._


Total Unpatched & Patched Vulnerabilities Last Week

| Patch Status | Number of Vulnerabilities |
|---|---|
| Unpatched | 40 |
| Patched | 37 |

Total Vulnerabilities by CVSS Severity Last Week

| Severity Rating | Number of Vulnerabilities |
|---|---|
| Low Severity | 0 |
| Medium Severity | 65 |
| High Severity | 10 |
| Critical Severity | 2 |

Total Vulnerabilities by CWE Type Last Week

| Vulnerability Type by CWE | Number of Vulnerabilities |
|---|---|
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 44 |
| Cross-Site Request Forgery (CSRF) | 9 |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 8 |
| Missing Authorization | 7 |
| URL Redirection to Untrusted Site ('Open Redirect') | 3 |
| Deserialization of Untrusted Data | 2 |
| Server-Side Request Forgery (SSRF) | 2 |
| Improper Neutralization of Formula Elements in a CSV File | 1 |
| Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') | 1 |

Researchers That Contributed to WordPress Security Last Week

| Researcher Name | Number of Vulnerabilities |
|---|---|
| Lana Codes | 7 |
| Mika | 6 |
| Yuki Haruma | 5 |
| qilin_99 | 4 |
| Pavitra Tiwari | 4 |
| Erwan LR | 4 |
| Justiice | 3 |
| minhtuanact | 3 |
| László Radnai | 3 |
| Shreya Pohekar | 3 |
| thiennv | 3 |
| Nguyen Xuan Chien | 2 |
| Ramuel Gall | 2 |
| Abdi Pranata | 2 |
| Marco Wotschka | 2 |
| Ivy | 2 |
| Le Ngoc Anh | 2 |
| Nguyen Xuan Hoa | 1 |
| LEE SE HYOUNG | 1 |
| rezaduty | 1 |
| TomS | 1 |
| Pavak Tiwari | 1 |
| daniloalbuqrque | 1 |
| yuyudhn | 1 |
| Taurus Omar | 1 |
| qerogram | 1 |
| Felipe Restrepo Rodriguez | 1 |
| deokhunKim | 1 |
| Phạm Ngọc Khánh | 1 |
| Lucio Sá | 1 |
| Nguyen Duy Quoc Khanh | 1 |
| Trần Quốc Trường An | 1 |

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.


WordPress Plugins with Reported Vulnerabilities Last Week

| Software Name | Software Slug |
|---|---|
| AJAX Thumbnail Rebuild | ajax-thumbnail-rebuild |
| Advanced Category Template | advanced-category-template |
| Advanced Youtube Channel Pagination | advanced-youtube-channel-pagination |
| Arconix Shortcodes | arconix-shortcodes |
| Autoptimize | autoptimize |
| BSK Forms Blacklist | bsk-gravityforms-blacklist |
| Bit File Manager – 100% free file manager for WordPress | file-manager |
| Booking Manager | booking-manager |
| CM On Demand Search And Replace | cm-on-demand-search-and-replace |
| CRM Memberships | crm-memberships |
| Chronosly Events Calendar | chronosly-events-calendar |
| ClickFunnels | clickfunnels |
| Custom 404 Pro | custom-404-pro |
| Customizer Export/Import | customizer-export-import |
| Decon WP SMS | decon-wp-sms |
| Depicter Slider – Responsive Image Slider, Video Slider & Post Slider | depicter |
| Display custom fields in the frontend – Post and User Profile Fields | shortcode-to-display-post-and-user-data |
| Dynamically Register Sidebars | dynamically-register-sidebars |
| Easy Bet | easy-bet |
| Elementor Website Builder | elementor |
| Emails & Newsletters with Jackmail | jackmail-newsletters |
| Extensions for Leaflet Map | extensions-leaflet-map |
| Forms Ada – Form Builder | forms-ada-form-builder |
| HTTP Headers | http-headers |
| Image Optimizer by 10web – Image Optimizer and Compression plugin | image-optimizer-wd |
| Inactive User Deleter | inactive-user-deleter |
| Integration for Contact Form 7 HubSpot | cf7-hubspot |
| Ko-fi Button | ko-fi-button |
| Logo Scheduler – Great for holidays, events, and more | logo-scheduler-great-for-holidays-events-and-more |
| Maintenance Switch | maintenance-switch |
| Mass Email To users | mass-email-to-users |
| NS Coupon To Become Customer | ns-coupon-to-become-customer |
| Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress | ninja-forms |
| Orbit Fox by ThemeIsle | themeisle-companion |
| Photo Gallery Slideshow & Masonry Tiled Gallery | wp-responsive-photo-gallery |
| Plugins List | plugins-list |
| Progress Bar | progress-bar |
| Push Notifications for WordPress by PushAssist | push-notification-for-wp-by-pushassist |
| REST API TO MiniProgram | rest-api-to-miniprogram |
| Rating-Widget: Star Review System | rating-widget |
| Recipe Maker For Your Food Blog from Zip Recipes | zip-recipes |
| SEO ALert | seo-alert |
| Shield Security – Smart Bot Blocking & Intrusion Prevention | wp-simple-firewall |
| Simple Giveaways – Grow your business, email lists and traffic with contests | giveasap |
| Stock Sync for WooCommerce | stock-sync-for-woocommerce |
| Stream | stream |
| Thumbnail Slider With Lightbox | wp-responsive-slider-with-lightbox |
| Thumbs Rating | thumbs-rating |
| Tiempo.com | tiempocom |
| Tippy | tippy |
| URL Params | url-params |
| Ultimate Addons for Contact Form 7 | ultimate-addons-for-contact-form-7 |
| Updraft | updraft |
| User IP and Location | user-ip-and-location |
| Video XML Sitemap Generator | video-xml-sitemap-generator |
| WP BrowserUpdate | wp-browser-update |
| WP Directory Kit | wpdirectorykit |
| WP Inventory Manager | wp-inventory-manager |
| WP Page Numbers | wp-page-numbers |
| WP Search Analytics | search-analytics |
| WP Visitor Statistics (Real Time Traffic) | wp-stats-manager |
| WP-CORS | wp-cors |
| WooCommerce Multivendor Marketplace – REST API | wcfm-marketplace-rest-api |
| Woocommerce Tip/Donation | woo-tipdonation |
| XML for Google Merchant Center | xml-for-google-merchant-center |
| YARPP – Yet Another Related Posts Plugin | yet-another-related-posts-plugin |
| Zephyr Project Manager | zephyr-project-manager |
| wordpress vertical image slider plugin | wp-vertical-image-slider |

WordPress Themes with Reported Vulnerabilities Last Week

| Software Name | Software Slug |
|---|---|
| Arya Multipurpose | [arya-multipurpose](https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-themes/Arya%20Multipurpose) |
| Mocho Blog | [mocho-blog](https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-themes/Mocho%20Blog) |
| Viable Blog | [viable-blog](https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-themes/Viable%20Blog) |

Vulnerability Details

Custom 404 Pro <= 3.7.2 - Unauthenticated SQL Injection

Affected Software: Custom 404 Pro
CVE ID: CVE Unknown
CVSS Score: 9.8 (Critical)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d22fb2e8-bb61-49bc-9fab-8f7c58339a69>


WP Visitor Statistics (Real Time Traffic) <= 6.8.1 - Unauthenticated SQL Injection

Affected Software: WP Visitor Statistics (Real Time Traffic)
CVE ID: CVE-2023-0600
CVSS Score: 9.8 (Critical)
Researcher/s: Trần Quốc Trường An
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f8e511ec-93d3-45f3-98ee-ffa7a79bf74e>


Ultimate Addons for Contact Form 7 <= 3.1.23 - Authenticated (Subscriber+) SQL Injection via id

Affected Software: Ultimate Addons for Contact Form 7
CVE ID: CVE-2023-30495
CVSS Score: 8.8 (High)
Researcher/s: Ivy
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5db5c5e0-f2ba-4082-b3eb-33cc0ce418e8>


Easy Bet <= 1.0.2 - Authenticated (Contributor+) SQL Injection

Affected Software: Easy Bet
CVE ID: CVE-2023-31092
CVSS Score: 8.8 (High)
Researcher/s: Yuki Haruma
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a833fe01-caf5-434a-82f9-8d3ac755a66f>


YARPP - Yet Another Related Posts Plugin <= 5.30.2 - Authenticated (Subscriber+) SQL Injection via Shortcode

Affected Software: YARPP – Yet Another Related Posts Plugin
CVE ID: CVE-2023-0579
CVSS Score: 8.8 (High)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/bda2f3f6-b036-4feb-bb38-1d4eaf965c24>


Thumbnail Slider With Lightbox <= 1.0.17

Affected Software: Thumbnail Slider With Lightbox
CVE ID: CVE Unknown
CVSS Score: 8.2 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/33b92a86-bb3e-4307-b2cb-7dfde56505cc>


Orbit Fox by ThemeIsle <= 2.10.23 - Authenticated (Author+) Server-Side Request Forgery via URL

Affected Software: Orbit Fox by ThemeIsle
CVE ID: CVE Unknown
CVSS Score: 7.4 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/4c30b925-47ca-4e14-a418-d9524648db2a>


Shield Security <= 17.0.17 - Unauthenticated Stored Cross-Site Scripting

Affected Software: Shield Security – Smart Bot Blocking & Intrusion Prevention
CVE ID: CVE-2023-0992
CVSS Score: 7.2 (High)
Researcher/s: Ramuel Gall
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/162dff28-94ea-4a47-a6cb-a13317cf1a04>


Bit File Manager <= 5.2.7 - Authenticated (Admin+) PHP Object Injection

Affected Software: Bit File Manager – 100% free file manager for WordPress
CVE ID: CVE-2022-47599
CVSS Score: 7.2 (High)
Researcher/s: rezaduty
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/24458c37-ebcc-471b-9044-78f24667f7a6>


BSK Forms Blacklist <= 3.6.2 - Authenticated (Administrator+) SQL Injection via 'order' and 'orderby'

Affected Software: BSK Forms Blacklist
CVE ID: CVE-2023-30872
CVSS Score: 7.2 (High)
Researcher/s: TomS
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/4550681f-d115-4451-9839-7862b84714fe>


Customizer Export/Import <= 0.9.5 - Authenticated (Administrator+) PHP Object Injection

Affected Software: Customizer Export/Import
CVE ID: CVE-2023-1347
CVSS Score: 7.2 (High)
Researcher/s: Nguyen Duy Quoc Khanh
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/dd7312ec-9654-4ddc-aec6-71c7e684fac0>


Inactive User Deleter <= 1.58 - Cross-Site Request Forgery via multiple functions

Affected Software: Inactive User Deleter
CVE ID: CVE-2023-27424
CVSS Score: 7.1 (High)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/2f3c706f-fcce-4bcb-9773-ced011bf6407>


HTTP Headers <= 1.18.9 - Authenticated (Administrator+) SQL Injection

Affected Software: HTTP Headers
CVE ID: CVE-2023-1207
CVSS Score: 6.6 (Medium)
Researcher/s: qerogram
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/8ea6b79c-2a09-4a6e-9b4b-a81f96e3bc12>


Elementor <= 3.12.1 - Authenticated (Administrator+) SQL Injection via 'replace_urls'

Affected Software: Elementor Website Builder
CVE ID: CVE Unknown
CVSS Score: 6.6 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a7bd173c-dc61-4cc6-b42f-311acf728080>


Display custom fields in the frontend – Post and User Profile Fields <= 1.2.0 - Missing Authorization via vg_display_data shortcode

Affected Software: Display custom fields in the frontend – Post and User Profile Fields
CVE ID: CVE-2023-31073
CVSS Score: 6.5 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/cdf3b629-c1a2-4fdd-b7fc-d3550bd30857>


ClickFunnels <= 3.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: ClickFunnels
CVE ID: CVE-2022-4782
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/3daa3a7d-bb92-41c7-92ad-71f6ff0bb50a>


Rating Widget <= 3.1.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcodes

Affected Software: Rating-Widget: Star Review System
CVE ID: CVE-2023-23831
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/53577cf4-af87-41a2-9424-56a584b78cf3>


Arconix Shortcodes <= 2.1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Affected Software: Arconix Shortcodes
CVE ID: CVE-2023-23703
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7575e290-ad31-4c1b-9a89-eaa8b3eda6d1>


Progress Bar <= 2.1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via wppb shortcode

Affected Software: Progress Bar
CVE ID: CVE-2023-23699
CVSS Score: 6.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/790bd89d-3913-4b43-9b00-7d4de5c4227d>


REST API TO MiniProgram <= 4.6.1 - Authenticated (Subscriber+) Media Attachment Deletion

Affected Software: REST API TO MiniProgram
CVE ID: CVE-2023-0551
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/941cf3f8-20a0-4d41-8fce-1554653d98da>


URL Params <= 2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: URL Params
CVE ID: CVE-2023-0274
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/98e22884-f7d6-47df-9b1b-9232c48e3685>


User IP and Location <= 2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: User IP and Location
CVE ID: CVE-2023-30780
CVSS Score: 6.4 (Medium)
Researcher/s: deokhunKim
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c557fc55-3c0d-43ff-8575-32f669299b39>


Tippy <= 6.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via tippy shortcode

Affected Software: Tippy
CVE ID: CVE-2023-31079
CVSS Score: 6.4 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e6460406-da83-4dad-97a5-fe961f0c46fc>


Plugins List <= 2.5 - Authenticated (Author+) Stored Cross-Site Scripting via replace_plugin_list_tags

Affected Software: Plugins List
CVE ID: CVE-2023-31232
CVSS Score: 6.4 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e9d42cc5-c213-454b-b05a-a57705e5c7e4>


Booking Manager <= 2.0.28 - Authenticated (Subscriber+) Server-Side Request Forgery

Affected Software: Booking Manager
CVE ID: CVE-2023-1977
CVSS Score: 6.3 (Medium)
Researcher/s: Shreya Pohekar
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a9ee709d-6590-4c07-9788-6150733c1691>


Updraft <= 0.6.1 - Reflected Cross-Site Scripting via 'backup_timestamp'

Affected Software: Updraft
CVE ID: CVE-2023-26530
CVSS Score: 6.1 (Medium)
Researcher/s: Nguyen Xuan Hoa
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/02bfc849-0f36-4647-9290-eddbacdb419b>


WP BrowserUpdate <= 4.5 - Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: WP BrowserUpdate
CVE ID: CVE-2023-28690
CVSS Score: 6.1 (Medium)
Researcher/s: qilin_99
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/0d3fa716-6f11-428c-b2da-2bb768a92fe0>


Mass Email To users <= 1.1.4 - Unauthenticated Reflected Cross-Site Scripting via 'entrant'

Affected Software: Mass Email To users
CVE ID: CVE-2022-47600
CVSS Score: 6.1 (Medium)
Researcher/s: minhtuanact
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/0f218010-8429-4a8a-b7f6-e45945a2a1ba>


XML for Google Merchant Center <= 3.0.1 - Reflected Cross-Site Scripting via page parameter

Affected Software: XML for Google Merchant Center
CVE ID: CVE-2023-30877
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/16bd14a1-e69b-4b7d-8c0e-a294e120d2a6>


Viable blog <= 1.1.4 - Cross-Site Scripting

Affected Software: Viable Blog
CVE ID: CVE-2023-27419
CVSS Score: 6.1 (Medium)
Researcher/s: László Radnai
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/262b5326-a5e6-4063-a345-59dedd14c3c2>


Arya Multipurpose <= 1.0.5 - Unauthenticated Cross-Site Scripting

Affected Software: Arya Multipurpose
CVE ID: CVE-2023-27420
CVSS Score: 6.1 (Medium)
Researcher/s: László Radnai
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/3d5c4bf6-36f7-4e6d-a012-95594e3d93f8>


Photo Gallery Slideshow & Masonry Tiled Gallery <= 1.0.13 - Reflected Cross-Site Scripting

Affected Software: Photo Gallery Slideshow & Masonry Tiled Gallery
CVE ID: CVE-2023-2402
CVSS Score: 6.1 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/51a1c2de-56be-4487-874a-a916e8a6992a>


Forms Ada <= 1.0 - Reflected Cross-Site Scripting via 'p' parameter

Affected Software: Forms Ada – Form Builder
CVE ID: CVE-2023-27613
CVSS Score: 6.1 (Medium)
Researcher/s: Pavak Tiwari
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/54e330e7-d305-4254-a9e9-4d7f2c54c51c>


WP Inventory Manager <= 2.1.0.12 - Reflected Cross-Site Scripting via 'message'

Affected Software: WP Inventory Manager
CVE ID: CVE-2023-2123
CVSS Score: 6.1 (Medium)
Researcher/s: daniloalbuqrque
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5b168045-9b68-43a7-89ce-d00a88bf8acd>


Logo Scheduler <= 1.2.0 - Reflected Cross-Site Scripting via page parameter

Affected Software: Logo Scheduler – Great for holidays, events, and more
CVE ID: CVE-2023-30875
CVSS Score: 6.1 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5d853fbd-c615-4142-9ba9-9eef54d721da>


Tiempo.com <= 0.1.2 - Reflected Cross-Site Scripting

Affected Software: Tiempo.com
CVE ID: CVE-2023-2272
CVSS Score: 6.1 (Medium)
Researcher/s: Erwan LR
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7a5e3d82-4722-47ff-b66f-448cb2851c1f>


Extensions for Leaflet Map <= 3.4.1 - Reflected Cross-Site Scripting

Affected Software: Extensions for Leaflet Map
CVE ID: CVE-2023-31074
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/8e332a52-071c-4725-99db-3cc10ee50230>


Maintenance Switch <= 1.5.2 - Reflected Cross-Site Scripting

Affected Software: Maintenance Switch
CVE ID: CVE-2022-47590
CVSS Score: 6.1 (Medium)
Researcher/s: minhtuanact
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a81d3b09-b8dd-4697-ab43-c863e8d1e1d5>


Stock Sync for WooCommerce <= 2.4.0 - Reflected Cross-Site Scripting via page parameter

Affected Software: Stock Sync for WooCommerce
CVE ID: CVE-2023-31094
CVSS Score: 6.1 (Medium)
Researcher/s: Ivy
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/adcaf2db-2026-46bb-8fbc-0400d7c1e296>


wordpress vertical image slider plugin <= 1.2.16 - Reflected Cross-Site Scripting

Affected Software: wordpress vertical image slider plugin
CVE ID: CVE-2023-2289
CVSS Score: 6.1 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c9983364-9b52-4acc-91d4-b352c6d24d52>


Ninja Forms Contact Form <= 3.6.21 - Reflected Cross-Site Scripting via 'title'

Affected Software: Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress
CVE ID: CVE-2023-1835
CVSS Score: 6.1 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/cf4e9b41-20e8-4dba-a51c-6e8f09232ffb>


Image Optimizer WD <= 1.0.26 - Reflected Cross-Site Scripting

Affected Software: Image Optimizer by 10web – Image Optimizer and Compression plugin
CVE ID: CVE-2023-2122
CVSS Score: 6.1 (Medium)
Researcher/s: Phạm Ngọc Khánh
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d50d8d51-3bb4-4556-95e3-06812a31d0d6>


Zip Recipes <= 8.0.6 - Reflected Cross-Site Scripting via 's' parameter

Affected Software: Recipe Maker For Your Food Blog from Zip Recipes
CVE ID: CVE-2023-31076
CVSS Score: 6.1 (Medium)
Researcher/s: thiennv
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/dd7d3afd-6648-4ffb-85a9-cd5a6096963e>


Advanced Category Template <= 0.1 - Stored Cross-Site Scripting via Cross-Site Request Forgery in _form.php

Affected Software: Advanced Category Template
CVE ID: CVE-2023-31072
CVSS Score: 6.1 (Medium)
Researcher/s: minhtuanact
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e18ae7a9-7761-432f-a983-16ff1131c1e8>


Mocho Blog <= 1.0.4 - Cross-Site Scripting

Affected Software: Mocho Blog
CVE ID: CVE-2023-27412
CVSS Score: 6.1 (Medium)
Researcher/s: László Radnai
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f10fd22e-a25b-4f16-ad65-a995559908e9>


Push Notifications for WordPress by PushAssist <= 3.0.8 - Reflected Cross-Site Scripting

Affected Software: Push Notifications for WordPress by PushAssist
CVE ID: CVE-2023-0644
CVSS Score: 6.1 (Medium)
Researcher/s: Shreya Pohekar
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f4454376-7c18-4f0e-a192-80212a59d94b>


Emails & Newsletters with Jackmail <= 1.2.22 - Authenticated (Subscriber+) CSV Injection

Affected Software: Emails & Newsletters with Jackmail
CVE ID: CVE-2022-46821
CVSS Score: 6 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/084a209f-c67b-4df9-9f4b-c537ea065a50>


Advanced Youtube Channel Pagination <= 1.0 - Cross-Site Request Forgery

Affected Software: Advanced Youtube Channel Pagination
CVE ID: CVE-2023-28693
CVSS Score: 5.5 (Medium)
Researcher/s: qilin_99
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5d858f96-7363-4098-af2d-f6f96fc80071>


Advanced Youtube Channel Pagination <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Advanced Youtube Channel Pagination
CVE ID: CVE-2023-28693
CVSS Score: 5.5 (Medium)
Researcher/s: qilin_99
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/91898465-55fa-417c-8f00-ffe118232516>


Woocommerce Tip/Donation <= 1.2 - Authenticated (Shop manager+) Stored Cross-Site Scripting via plugin settings

Affected Software: Woocommerce Tip/Donation
CVE ID: CVE-2023-28783
CVSS Score: 5.5 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/9ec83425-c756-450e-ac46-c897ad72714c>


WP Directory Kit <= 1.1.9 - Open Redirect

Affected Software: WP Directory Kit
CVE ID: CVE-2023-31229
CVSS Score: 5.4 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/0f01ee24-544b-45cb-9cf3-7db8263d8e54>


Tiempo.com <= 0.1.2 - Cross-Site Request Forgery to Shortcode Deletion

Affected Software: Tiempo.com
CVE ID: CVE-2023-2271
CVSS Score: 5.4 (Medium)
Researcher/s: Erwan LR
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/3dacef70-a881-400e-b9f7-c0a815cf624a>


Tiempo.com <= 0.1.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Affected Software: Tiempo.com
CVE ID: CVE-2023-0058
CVSS Score: 5.4 (Medium)
Researcher/s: Shreya Pohekar
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/62ac2725-0071-4a7d-8561-256e6a232de3>


Simple Giveaways <= 2.45.1 - Cross-Site Request Forgery

Affected Software: Simple Giveaways – Grow your business, email lists and traffic with contests
CVE ID: CVE-2023-31086
CVSS Score: 5.4 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/8390ab61-197a-4eb7-a589-47bf46a0e123>


WP Directory Kit <= 1.2.1 - Cross-Site Request Forgery to Plugin Settings Change/Delete, Demo Import, Directory Kit Modification/Deletion via admin_page_display

Affected Software: WP Directory Kit
CVE ID: CVE-2023-2279
CVSS Score: 5.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/8a7a6da3-d67c-42b3-8826-7e7fc9b938b4>


Zephyr Project Manager <= 3.3.9 - Open Redirect

Affected Software: Zephyr Project Manager
CVE ID: CVE-2023-31237
CVSS Score: 5.4 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/9af929a3-6e17-40c7-9fce-1ce0eb72bc7b>


Thumbs Rating <= 4.1.0 - Race Condition

Affected Software: Thumbs Rating
CVE ID: CVE-2022-45809
CVSS Score: 5.3 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/cb1105fc-ed12-4a82-9cc4-4b45aa34cdc5>


CRM Memberships <= 1.6 - Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

Affected Software: CRM Memberships
CVE ID: CVE-2023-27427
CVSS Score: 4.4 (Medium)
Researcher/s: Pavitra Tiwari
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/07c3c8d9-64c9-4d16-9a35-8477b358123f>


CM On Demand Search And Replace <= 1.3.0 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: CM On Demand Search And Replace
CVE ID: CVE-2023-31228
CVSS Score: 4.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/3be9ffb4-5614-4a5f-bc2a-38ad626f8e3e>


Dynamically Register Sidebars <= 1.0.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

Affected Software: Dynamically Register Sidebars
CVE ID: CVE-2023-31091
CVSS Score: 4.4 (Medium)
Researcher/s: Pavitra Tiwari
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/4e6b39da-26d4-4615-b6c7-68909bdf0a61>


WP-CORS <= 0.2.1 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: WP-CORS
CVE ID: CVE-2022-47606
CVSS Score: 4.4 (Medium)
Researcher/s: Justiice
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6d571dcc-74a4-4380-8961-890f10443b80>


NS Coupon to Become Customer <= 1.2.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

Affected Software: NS Coupon To Become Customer
CVE ID: CVE-2023-27422
CVSS Score: 4.4 (Medium)
Researcher/s: Pavitra Tiwari
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/70e227a5-fc33-4ff2-a843-ef9484707ae7>


SEO ALert <= 1.5.9 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: SEO ALert
CVE ID: CVE-2023-2225
CVSS Score: 4.4 (Medium)
Researcher/s: Taurus Omar
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/8a19b102-e097-46b3-9804-71edb91b3daa>


WP Search Analytics <= 1.4.5 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: WP Search Analytics
CVE ID: CVE-2022-47587
CVSS Score: 4.4 (Medium)
Researcher/s: Justiice
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/914d6f7a-053a-4555-9cbc-98bd0789bcd9>


Ko-fi Button <= 1.3.2 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Ko-fi Button
CVE ID: CVE-2023-2254
CVSS Score: 4.4 (Medium)
Researcher/s: Felipe Restrepo Rodriguez
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/aa13426a-2d4e-4268-bc0d-e496bc9e6f33>


Autoptimize <= 3.1.6 - Authenticated (Admin+) Stored Cross-Site Scripting via Critical CSS Rules

Affected Software: Autoptimize
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d16a3da0-9539-4555-8dfc-65cb4f4d7b4d>


Decon WP SMS <= 1.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

Affected Software: Decon WP SMS
CVE ID: CVE-2023-27416
CVSS Score: 4.4 (Medium)
Researcher/s: Pavitra Tiwari
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d3bd7b0e-aae3-4ac9-b092-3101da441e1e>


AJAX Thumbnail Rebuild <= 1.13 - Missing Authorization

Affected Software: AJAX Thumbnail Rebuild
CVE ID: CVE-2022-47604
CVSS Score: 4.3 (Medium)
Researcher/s: Justiice
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/039d2a35-fbd9-467b-ae98-2d47ff03fb2e>


WP BrowserUpdate <= 4.4.1 - Cross-Site Request Forgery via wpbu_administration

Affected Software: WP BrowserUpdate
CVE ID: CVE-2023-31078
CVSS Score: 4.3 (Medium)
Researcher/s: qilin_99
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/050ca18d-7596-4094-b24a-752857f5e478>


WP Page Numbers <= 0.5 - Cross-Site Request Forgery via wp_page_numbers_settings

Affected Software: WP Page Numbers
CVE ID: CVE-2023-27623
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/44a2e2f3-1902-43c5-8e3c-4174cb1ffa63>


Chronosly Events Calendar <= 2.6.2 - Cross-Site Request Forgery via plugin_settings_page

Affected Software: Chronosly Events Calendar
CVE ID: CVE-2023-31093
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/57580c2c-c3de-44a3-b586-f7092c06dc6b>


Shield Security <= 17.0.17 - Missing Authorization

Affected Software: Shield Security – Smart Bot Blocking & Intrusion Prevention
CVE ID: CVE-2023-0993
CVSS Score: 4.3 (Medium)
Researcher/s: Ramuel Gall
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/674461ad-9b61-48c4-af2a-5dfcaeb38215>


Video XML Sitemap Generator <= 1.0.0 - Cross-Site Request Forgery via video_sitemap_generate

Affected Software: Video XML Sitemap Generator
CVE ID: CVE-2023-31089
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/9e11e1b5-dbba-4920-a65c-210600878861>


Integration for Contact Form 7 HubSpot <= 1.2.8 - Open Redirect via state parameter

Affected Software: Integration for Contact Form 7 HubSpot
CVE ID: CVE-2023-31095
CVSS Score: 4.3 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a60a9981-c945-4438-a844-f7942b86c4c0>


WooCommerce Multivendor Marketplace – REST API <= 1.5.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Order/Order Note Disclosure, Order Note Addition via REST API

Affected Software: WooCommerce Multivendor Marketplace – REST API
CVE ID: CVE-2023-2275
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b0520601-7e5c-412d-a8da-df1bf8ce28df>


Stream <= 3.9.2 - Missing Authorization via load_alerts_settings

Affected Software: Stream
CVE ID: CVE-2022-43450
CVSS Score: 4.3 (Medium)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d58e4317-8ad5-40d5-98b8-f8f07ab37e1f>


Depicter Slider <= 1.9.0 - Missing Authorization

Affected Software: Depicter Slider – Responsive Image Slider, Video Slider & Post Slider
CVE ID: CVE-2022-47176
CVSS Score: 4.3 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ed79e382-acb4-4348-9bc6-b44ec0d75fb5>


As a reminder, Wordfence has curated an industry-leading vulnerability database of all known WordPress core, theme, and plugin vulnerabilities, known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (Apr 24, 2023 to Apr 30, 2023) appeared first on Wordfence.
