Wordfence Intelligence Weekly WordPress Vulnerability Report (November 6, 2023 to November 12, 2023)

Chloe Chamberland
Nov 16, 2023, 7:16 p.m.
www.wordfence.com

🎉Wordfence just launched its bug bounty program. Over the next 6 months, all awarded bounties receive a 10% bonus. View the announcement to learn more now!

Please note there was a minor error in the heading of the email, and this report only runs from November 6th to November 12th.

Last week, 135 vulnerabilities disclosed in 119 WordPress plugins and no WordPress themes were added to the Wordfence Intelligence Vulnerability Database, and 40 vulnerability researchers contributed to WordPress security. Review the vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, including the WordPress community, so that individuals and organizations alike can use that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and use, both personally and commercially, and why we publish this weekly vulnerability report.

Enterprises, hosting providers, and even individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Alternatively, use the Vulnerability Database API to receive a complete dump of our database of over 12,000 vulnerabilities, and then use the webhook integration to stay on top of the newest vulnerabilities added in real time, as well as any updates made to the database, all for free.

Click here to sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress security reports in your inbox the moment they are published.


Total Unpatched & Patched Vulnerabilities Last Week

Patch Status Number of Vulnerabilities
Unpatched 99
Patched 36

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating Number of Vulnerabilities
Low Severity 1
Medium Severity 124
High Severity 9
Critical Severity 1

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') 70
Cross-Site Request Forgery (CSRF) 29
Missing Authorization 21
Information Exposure 5
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') 4
Improper Authorization 2
Deserialization of Untrusted Data 1
URL Redirection to Untrusted Site ('Open Redirect') 1
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') 1
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') 1

Researchers That Contributed to WordPress Security Last Week

Researcher Name Number of Vulnerabilities
István Márton (Wordfence Vulnerability Researcher) 20
LEE SE HYOUNG (hackintoanetwork) 11
Abdi Pranata 10
Emili Castells 9
Le Ngoc Anh 8
Rafie Muhammad 7
Mika 7
thiennv 7
Nguyen Xuan Chien 4
yuyudhn 4
Skalucy 3
minhtuanact 3
Elliot 3
Krzysztof Zając 3
Dmitrii Ignatyev 3
Ala Arfaoui 2
Enrico Marcolini 2
Claudio Marchesini (Dottormarc) 2
Joshua Chan 2
Huynh Tien Si 1
Robert DeVore 1
Jeongwoo-Lee 1
BuShiYue 1
Nithissh S 1
lttn 1
Robin Wood 1
Fariq Fadillah Gusti Insani 1
Abu Hurayra (HurayraIIT) 1
Vaishnav Rajeevan 1
Luqman Hakim Y 1
DoYeon Park (p6rkdoye0n) 1
Brandon Roldan 1
qilin_99 1
Erwan LR 1
SeungYongLee 1
Taihei Shimamine 1
Nguyen Anh Tien 1
Nicolas Decayeux 1
Rafshanzani Suhada 1
Alex Thomas (Wordfence Vulnerability Researcher) 1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added to the Wordfence Intelligence leaderboard, along with a mention in our weekly vulnerability report.


WordPress Plugins with Reported Vulnerabilities Last Week

Software Name Software Slug
ANAC XML Bandi di Gara avcp
ANAC XML Viewer anac-xml-viewer
ARI Stream Quiz – WordPress Quizzes Builder ari-stream-quiz
Actueel Financieel Nieuws – Denk Internet Solutions denk-internet-solutions
Add Local Avatar add-local-avatar
Additional Order Filters for WooCommerce additional-order-filters-for-woocommerce
Advanced iFrame advanced-iframe
Amazonify amazonify
Animator – Scroll Triggered Animations scroll-triggered-animations
Arigato Autoresponder and Newsletter bft-autoresponder
Auto Affiliate Links wp-auto-affiliate-links
Auto Tag Creator auto-tag-creator
BZScore – Live Score bzscore-live-score
BadgeOS badgeos
Best Restaurant Menu by PriceListo best-restaurant-menu-by-pricelisto
Bitly's WordPress Plugin wp-bitly
Brizy – Page Builder brizy
CBX Map for Google Map & OpenStreetMap cbxgooglemap
Category Post List Widget category-post-list-widget
Checkout Field Manager (Checkout Manager) for WooCommerce woocommerce-checkout-manager
Cloud Templates & Patterns collection templates-patterns-collection
CoCart – Decoupling WooCommerce Made Easy cart-rest-api-for-woocommerce
Code Snippets code-snippets
CodeBard's Patron Button and Widgets for Patreon patron-button-and-widgets-by-codebard
Contact Form – Custom Builder, Payment Form, and More powr-pack
Countdown and CountUp, WooCommerce Sales Timer countdown-wpdevart-extended
Custom post types, Custom Fields & more custom-post-types
Direct Checkout – Quick View – Buy Now For WooCommerce quick-view-and-buy-now-for-woocommerce
Donations Made Easy – Smart Donations smart-donations
Dragfy Addons for Elementor dragfy-addons-for-elementor
Droit Dark Mode droit-dark-mode
Easy Social Icons easy-social-icons
EasyRotator for WordPress – Slider Plugin easyrotator-for-wordpress
EazyDocs – Most Powerful Knowledge base, wiki, Documentation Builder Plugin (easy docs, knowledgebase) eazydocs
Ecwid Ecommerce Shopping Cart ecwid-shopping-cart
Edit WooCommerce Templates woo-edit-templates
Elementor Website Builder – More than Just a Page Builder elementor
Email Marketing for WooCommerce by Omnisend omnisend-connect
Essential Grid Portfolio – Photo Gallery essential-grid
Extra Product Options for WooCommerce extra-product-options-for-woocommerce
Featured Image Caption featured-image-caption
Flo Forms – Easy Drag & Drop Form Builder flo-forms
Forms for Mailchimp by Optin Cat – Grow Your MailChimp List mailchimp-wp
Foyer – Digital Signage for WordPress foyer
Front End PM front-end-pm
Garden Gnome Package garden-gnome-package
Image Hover Effects – WordPress Plugin image-hover-effects
ImageMapper imagemapper
Integrate Google Drive – Browse, Upload, Download, Embed, Play, Share, Gallery, and Manage Your Google Drive Files Into Your WordPress Site integrate-google-drive
Japanized For WooCommerce woocommerce-for-japan
Job Manager & Career – Manage job board listings, and recruitments job-manager-career
Korea SNS korea-sns
Lava Directory Manager lava-directory-manager
LearnPress – WordPress LMS Plugin learnpress
Live Gold Price & Silver Price Charts Widgets gold-price-chart-widget
Martins Free & Easy SEO BackLink Link Building Network – Improve Rankings & Traffic martins-link-network
Membership Plugin – Restrict Content restrict-content
Mmm Simple File List mmm-file-list
NitroPack – Cache & Speed Optimization for Core Web Vitals, Defer CSS & JavaScript, Lazy load Images nitropack
OneClick Chat to Order oneclick-whatsapp-order
Patreon WordPress patreon-connect
Photo Feed photo-feed
Pinyin Slugs so-pinyin-slugs
Plainview Protect Passwords plainview-protect-passwords
Plugin Name: Device Theme Switcher device-theme-switcher
Podlove Web Player podlove-web-player
Post Pay Counter post-pay-counter
Preloader Matrix matrix-pre-loader
Product Catalog Simple post-type-x
Product Enquiry for WooCommerce gm-woocommerce-quote-popup
Product Visibility by Country for WooCommerce product-visibility-by-country-for-woocommerce
Products, Order & Customers Export for WooCommerce export-woocommerce
ProfileGrid – User Profiles, Memberships, Groups and Communities profilegrid-user-profiles-groups-and-communities
Q2W3 Post Order q2w3-post-order
QR Code Tag qr-code-tag
Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress quiz-master-next
Recently viewed and most viewed products recently-viewed-and-most-viewed-products
Redirect 404 Error Page to Homepage or Custom Page with Logs redirect-404-error-page-to-homepage-or-custom-page
Rename Media Files rename-media-files
Responsive Column Widgets responsive-column-widgets
Responsive Pricing Table dk-pricr-responsive-pricing-table
Restrict Categories restrict-categories
SEO by 10Web seo-by-10web
Seers GDPR & CCPA Cookie Consent & Compliance
SendPress Newsletters sendpress
Simple Like Page Plugin simple-facebook-plugin
Social Feed All social media in one place
Social Sharing Plugin – Social Warfare social-warfare
Solid Central – Site Management, Backups, Security, and Reporting ithemes-sync
Sponsors wp-sponsors
Star CloudPRNT for WooCommerce star-cloudprnt-for-woocommerce
TWB Woocommerce Reviews twb-woocommerce-reviews
Team Members Showcase dazzlersoft-teams
Telephone Number Linker telephone-number-linker
Ultimate Addons for Contact Form 7 ultimate-addons-for-contact-form-7
Under Construction / Maintenance Mode from Acurax coming-soon-maintenance-mode-from-acurax
UpdraftPlus: WordPress Backup & Migration Plugin updraftplus
User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor profile-builder
UserHeat Plugin userheat
Visitor Traffic Real Time Statistics visitors-traffic-real-time-statistics
Visual Website Collaboration, Feedback & Project Management – Atarim atarim-visual-collaboration
WD WidgetTwitter widget-twitter
WP Crowdfunding wp-crowdfunding
WP Discord Invite wp-discord-invite
WP Edit Username wp-edit-username
WP Full Stripe Free wp-full-stripe-free
WP Links Page wp-links-page
WP MapIt wp-mapit
WPDBSpringClean wpdbspringclean
Web Push Notifications – Webpushr webpushr-web-push-notifications
Who Hit The Page – Hit Counter who-hit-the-page-hit-counter
Woo Custom and Sequential Order Number woo-custom-and-sequential-order-number
WooCommerce Product Enquiry woo-product-enquiry
WooCommerce Product Table Lite wc-product-table-lite
WordPress Backup & Migration wp-migration-duplicator
Youtube SpeedLoad youtube-speedload
Ziteboard Online Whiteboard ziteboard-online-whiteboard
masterslider masterslider
코드엠샵 마이사이트 – MSHOP MY SITE mshop-mysite

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you'd like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.
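For readers who want to run the same check by hand, the following Python is an added example (not Wordfence code and not the Wordfence CLI): it parses entries written in the exact title/detail format this report uses, resolves software names to slugs through the "Software Name Software Slug" table, and flags installed plugins whose version falls inside an affected range. The report excerpt and slug rows are copied from this page; the installed versions in the inventory are made up.

```python
"""Match a WordPress plugin inventory against entries in this report's format."""
import re
from typing import NamedTuple

# A report entry is a title line "Name <= max_version - Title" followed by one
# "Affected Software: ... Vulnerability Details: <url>" line.
TITLE_RE = re.compile(r"^(?P<name>.+?) <= (?P<max_version>\S+) - (?P<title>.+)$")
DETAIL_RE = re.compile(
    r"^Affected Software: (?P<software>.+?) "
    r"CVE ID: (?P<cve>.+?) "
    r"CVSS Score: (?P<cvss>[\d.]+) \((?P<severity>\w+)\) "
    r"Researcher/s: (?P<researchers>.+?) "
    r"Patch Status: (?P<patch>Patched|Unpatched) "
    r"Vulnerability Details: <(?P<url>[^>]+)>$"
)


class Entry(NamedTuple):
    software: str
    max_version: str
    title: str
    cve: str
    cvss: float
    severity: str
    patch_status: str
    url: str


def parse_entries(report_text: str) -> list[Entry]:
    """Pair each title line with the detail line that follows it."""
    entries, pending = [], None
    for line in (l.strip() for l in report_text.splitlines()):
        if not line:
            continue
        t = TITLE_RE.match(line)
        if t:
            pending = t
            continue
        d = DETAIL_RE.match(line)
        if d and pending:
            entries.append(Entry(
                software=d["software"], max_version=pending["max_version"],
                title=pending["title"], cve=d["cve"], cvss=float(d["cvss"]),
                severity=d["severity"], patch_status=d["patch"], url=d["url"]))
            pending = None
    return entries


def parse_slug_table(table_text: str) -> dict[str, str]:
    """Rows are 'Software Name slug'; the slug is always the last token."""
    slugs = {}
    for row in table_text.strip().splitlines()[1:]:  # skip the header row
        name, slug = row.rstrip().rsplit(None, 1)
        slugs[name] = slug
    return slugs


def version_key(version: str) -> tuple[int, ...]:
    """Numeric dotted-version key (a simplification of PHP's version_compare,
    which WordPress uses); non-numeric segments count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def version_le(installed: str, max_affected: str) -> bool:
    """True when installed <= max_affected, padding shorter versions with zeros."""
    a, b = version_key(installed), version_key(max_affected)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) <= b + (0,) * (width - len(b))


def find_affected(entries, slugs, inventory):
    """Return (slug, Entry) for each installed plugin inside an affected range."""
    hits = []
    for e in entries:
        slug = slugs.get(e.software, e.software)  # some names are already slugs
        installed = inventory.get(slug)
        if installed is not None and version_le(installed, e.max_version):
            hits.append((slug, e))
    return hits


# Constructed excerpt: three entries copied verbatim from this report.
REPORT_EXCERPT = """
Master Slider Pro <= 3.6.5 - Unauthenticated PHP Object Injection

Affected Software: masterslider CVE ID: CVE-2023-47507 CVSS Score: 9.8 (Critical) Researcher/s: Rafie Muhammad Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/66749606-e76f-41fb-bcf1-c06681de2ee3>

Elementor Website Builder <= 3.16.4 - Missing Authorization to Arbitrary Attachment Read

Affected Software: Elementor Website Builder – More than Just a Page Builder CVE ID: CVE-2023-47504 CVSS Score: 6.5 (Medium) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c873c76a-144e-4945-8fa2-c9ffe0e3c061>

Mmm Simple File List <= 2.3 - Authenticated (Subscriber+) Directory Traversal

Affected Software: Mmm Simple File List CVE ID: CVE-2023-4297 CVSS Score: 8.8 (High) Researcher/s: Dmitrii Ignatyev Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f33a13dc-ebff-4033-9b8d-10076b1c2d0d>
"""

# Rows copied from the "Software Name Software Slug" table in this report.
SLUG_TABLE = """
Software Name Software Slug
Elementor Website Builder – More than Just a Page Builder elementor
Mmm Simple File List mmm-file-list
masterslider masterslider
"""

# Constructed inventory (slug -> installed version); the versions are made up.
INVENTORY = {"elementor": "3.16.5", "mmm-file-list": "2.3", "masterslider": "3.6.2"}


def affected_report():
    """Run the constructed inventory against the constructed report excerpt."""
    return find_affected(parse_entries(REPORT_EXCERPT), parse_slug_table(SLUG_TABLE), INVENTORY)


if __name__ == "__main__":
    for slug, e in affected_report():
        print(f"{slug} {INVENTORY[slug]} <= {e.max_version}: {e.cve} "
              f"CVSS {e.cvss} ({e.severity}), {e.patch_status}: {e.title}")
```

With the inventory above the Elementor install is one version past the affected range and is not flagged, while masterslider and mmm-file-list are reported with their CVE, CVSS and patch status.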

Master Slider Pro <= 3.6.5 - Unauthenticated PHP Object Injection

Affected Software: masterslider CVE ID: CVE-2023-47507 CVSS Score: 9.8 (Critical) Researcher/s: Rafie Muhammad Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/66749606-e76f-41fb-bcf1-c06681de2ee3>


WD WidgetTwitter <= 1.0.9 - Authenticated (Contributor+) SQL Injection via Shortcode

Affected Software: WD WidgetTwitter CVE ID: CVE-2023-5709 CVSS Score: 8.8 (High) Researcher/s: István Márton Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/86cdbfec-b1af-48ec-ae70-f97768694e44>


Rename Media Files <= 1.0.1 - Authenticated (Contributor+) Remote Code Execution

Affected Software: Rename Media Files CVE ID: CVE-2023-32095 CVSS Score: 8.8 (High) Researcher/s: Taihei Shimamine Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c22c2c17-c9c5-46eb-877a-a49ccf1a74ef>


Mmm Simple File List <= 2.3 - Authenticated (Subscriber+) Directory Traversal

Affected Software: Mmm Simple File List CVE ID: CVE-2023-4297 CVSS Score: 8.8 (High) Researcher/s: Dmitrii Ignatyev Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f33a13dc-ebff-4033-9b8d-10076b1c2d0d>


Brizy <= 2.4.29 - Cross-Site Scripting

Affected Software: Brizy – Page Builder CVE ID: CVE Unknown CVSS Score: 7.2 (High) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/546cd218-3f6d-4e8f-83d5-e9aceb6f33ed>


Who Hit The Page – Hit Counter <= 1.4.14.3 - Authenticated (Administrator+) SQL Injection

Affected Software: Who Hit The Page – Hit Counter CVE ID: CVE-2023-47558 CVSS Score: 7.2 (High) Researcher/s: thiennv Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/54c94de4-59b4-4f0b-85db-2074a41d04f8>


Redirect 404 Error Page to Homepage or Custom Page with Logs <= 1.8.7 - Authenticated (Administrator+) SQL Injection

Affected Software: Redirect 404 Error Page to Homepage or Custom Page with Logs CVE ID: CVE-2023-47530 CVSS Score: 7.2 (High) Researcher/s: Fariq Fadillah Gusti Insani Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/59ec4bbd-5192-45f8-8cfc-d43858b46901>


Webpushr <= 4.34.0 - Missing Authorization to Unauthenticated Stored Cross-Site Scripting

Affected Software: Web Push Notifications – Webpushr CVE ID: CVE-2023-5620 CVSS Score: 7.2 (High) Researcher/s: Krzysztof Zając Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7e092d67-ab81-4366-824c-cfb240ba3042>


Master Slider Pro <= 3.6.5 - Authenticated (Editor+) SQL Injection

Affected Software: masterslider CVE ID: CVE-2023-47506 CVSS Score: 7.2 (High) Researcher/s: Rafie Muhammad Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a69a5249-f9ab-4489-a032-33dd482fdc96>


Profile Builder <= 3.10.3 - Cross-Site Request Forgery via pms-cross-promotion.php

Affected Software: User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor CVE ID: CVE-2023-47669 CVSS Score: 7.1 (High) Researcher/s: Brandon Roldan Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b0b2bdb3-713c-47c6-8907-ac0f86038dc2>


EazyDocs <= 2.3.3 - Missing Authorization via doc_one_page and edit_doc_one_page

Affected Software: EazyDocs – Most Powerful Knowledge base, wiki, Documentation Builder Plugin (easy docs, knowledgebase) CVE ID: CVE-2023-47648 CVSS Score: 6.5 (Medium) Researcher/s: Skalucy Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/0ec64507-b77e-4685-978f-7408fe8db5ee>


Japanized For WooCommerce <= 2.6.4 - Missing Authorization

Affected Software: Japanized For WooCommerce CVE ID: CVE-2023-47698 CVSS Score: 6.5 (Medium) Researcher/s: Mika Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/0fc675e8-8ba1-40b0-829e-7a48d5eb586d>


Podlove Web Player <= 5.7.1 - Missing Authorization

Affected Software: Podlove Web Player CVE ID: CVE-2023-47691 CVSS Score: 6.5 (Medium) Researcher/s: Mika Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7fd8a952-d723-45a2-9027-12e3d99f715b>


Elementor Website Builder <= 3.16.4 - Missing Authorization to Arbitrary Attachment Read

Affected Software: Elementor Website Builder – More than Just a Page Builder CVE ID: CVE-2023-47504 CVSS Score: 6.5 (Medium) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c873c76a-144e-4945-8fa2-c9ffe0e3c061>


WooCommerce Checkout Manager <= 7.3.0 - Missing Authorization

Affected Software: Checkout Field Manager (Checkout Manager) for WooCommerce CVE ID: CVE-2023-47681 CVSS Score: 6.5 (Medium) Researcher/s: Rafie Muhammad Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/fffd7d50-6563-4652-8fae-3fe698125c59>


Telephone Number Linker <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Telephone Number Linker CVE ID: CVE-2023-5743 CVSS Score: 6.4 (Medium) Researcher/s: István Márton Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/06424d9f-0064-4101-b819-688489a18eee>


Featured Image Caption <= 0.8.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Featured Image Caption CVE ID: CVE-2023-5669 CVSS Score: 6.4 (Medium) Researcher/s: István Márton Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/0c43a88c-6374-414f-97ae-26ba15d75cdc>


ANAC XML Bandi di Gara <= 7.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Affected Software: ANAC XML Bandi di Gara CVE ID: CVE-2023-47242 CVSS Score: 6.4 (Medium) Researcher/s: Abdi Pranata Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/101945f6-d709-4c99-8c80-def9dd2fa636>


EasyRotator for WordPress <= 1.0.14 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: EasyRotator for WordPress – Slider Plugin CVE ID: CVE-2023-5742 CVSS Score: 6.4 (Medium) Researcher/s: István Márton Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/3041e28e-d965-4672-ab10-8b1f3d874f19>


Bitly's WordPress Plugin <= 2.7.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Bitly's WordPress Plugin CVE ID: CVE-2023-5577 CVSS Score: 6.4 (Medium) Researcher/s: István Márton Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/31522e54-f260-46d0-8d57-2d46af7d3450>


BZScore – Live Score <= 1.03 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Affected Software: BZScore – Live Score CVE ID: CVE-2023-47654 CVSS Score: 6.4 (Medium) Researcher/s: yuyudhn Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/438a94c4-a7f2-4c08-960b-e18c19196169>


Sponsors <= 3.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Sponsors CVE ID: CVE-2023-5662 CVSS Score: 6.4 (Medium) Researcher/s: István Márton Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/4af04219-26c5-401d-94ef-11d2321f98bf>


WP MapIt <= 2.7.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: WP MapIt CVE ID: CVE-2023-5658 CVSS Score: 6.4 (Medium) Researcher/s: István Márton Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7ef6f598-e1a7-4036-9485-1aad0416349a>


Social Feed <= 1.5.4.6 - Authenticated (Author+) Stored Cross-Site Scripting via Shortcode

Affected Software: Social Feed | All social media in one place CVE ID: CVE-2023-5661 CVSS Score: 6.4 (Medium) Researcher/s: István Márton Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/8b145772-624e-4af0-9156-03c483bf8381>


Garden Gnome Package <= 2.2.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Garden Gnome Package CVE ID: CVE-2023-5664 CVSS Score: 6.4 (Medium) Researcher/s: István Márton Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/8c7385c7-47de-4511-b474-7415c3977aa8>


Social Sharing Plugin - Social Warfare <= 4.4.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Social Sharing Plugin – Social Warfare CVE ID: CVE-2023-4842 CVSS Score: 6.4 (Medium) Researcher/s: István Márton Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/8f5b9aff-0833-4887-ae59-df5bc88c7f91>


Donations Made Easy – Smart Donations <= 4.0.12 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Donations Made Easy – Smart Donations CVE ID: CVE-2023-47550 CVSS Score: 6.4 (Medium) Researcher/s: thiennv Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/92aae1f6-e624-4619-8195-ee3c443a31fc>


WordPress Backup & Migration <= 1.4.4 - Authenticated (Subscriber+) Stored Cross-Site Scripting

Affected Software: WordPress Backup & Migration CVE ID: CVE-2023-5738 CVSS Score: 6.4 (Medium) Researcher/s: Krzysztof Zając Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/93de1604-2494-4c51-a93d-b01bf7ed4c07>


ImageMapper <= 1.2.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: ImageMapper CVE ID: CVE-2023-5507 CVSS Score: 6.4 (Medium) Researcher/s: István Márton Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a6e687e9-6ffe-4457-8d57-3c03f657eb74>


CBX Map for Google Map & OpenStreetMap <= 1.1.11 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Affected Software: CBX Map for Google Map & OpenStreetMap CVE ID: CVE-2023-47240 CVSS Score: 6.4 (Medium) Researcher/s: Abdi Pranata Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/aa5505b7-2d9e-4a03-9655-75d004f53259>


Elementor Website Builder <= 3.16.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via get_inline_svg()

Affected Software: Elementor Website Builder – More than Just a Page Builder CVE ID: CVE-2023-47505 CVSS Score: 6.4 (Medium) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b44ef21f-464e-487a-ba5a-fe889e4c488c>


QR Code Tag <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: QR Code Tag CVE ID: CVE-2023-5567 CVSS Score: 6.4 (Medium) Researcher/s: István Márton Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/be004002-a3ac-46e9-b0c1-258f05f97b2a>


Mmm Simple File List <= 2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Mmm Simple File List CVE ID: CVE-2023-4514 CVSS Score: 6.4 (Medium) Researcher/s: Erwan LR Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c064227f-6332-40c8-9e96-337c608da832>


POWR <= 2.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Contact Form – Custom Builder, Payment Form, and More CVE ID: CVE-2023-5741 CVSS Score: 6.4 (Medium) Researcher/s: István Márton Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c2967eae-82bb-4556-a21a-c5bb6b905c62>


SendPress Newsletters <= 1.22.3.31 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: SendPress Newsletters CVE ID: CVE-2023-5660 CVSS Score: 6.4 (Medium) Researcher/s: István Márton Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/cbce42a0-29a7-40df-973c-1fe7338f6c94>


Lava Directory Manager <= 1.1.34 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Affected Software: Lava Directory Manager CVE ID: CVE-2023-47659 CVSS Score: 6.4 (Medium) Researcher/s: Emili Castells Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e3d21ebb-52de-4b25-b9e9-5d6f3284cf94>


Advanced iFrame <= 2023.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Advanced iFrame CVE ID: CVE-2023-4775 CVSS Score: 6.4 (Medium) Researcher/s: István Márton Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e9944443-2e71-45c4-8a19-d76863cf66df>


Ziteboard Online Whiteboard <= 2.9.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via ziteboard Shortcode

Affected Software: Ziteboard Online Whiteboard CVE ID: CVE-2023-5076 CVSS Score: 6.4 (Medium) Researcher/s: István Márton, Alex Thomas Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f5608f50-e17a-471f-b644-dceb64d82f0c>


Simple Like Page Plugin <= 1.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Simple Like Page Plugin CVE ID: CVE-2023-4888 CVSS Score: 6.4 (Medium) Researcher/s: István Márton Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f81df26f-4390-4626-8539-367a52f8a027>


NitroPack <= 1.9.2 - Missing Authorization via multiple AJAX functions

Affected Software: NitroPack – Cache & Speed Optimization for Core Web Vitals, Defer CSS & JavaScript, Lazy load Images CVE ID: CVE Unknown CVSS Score: 6.3 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/fb6f4b0b-25b8-4dcd-b002-293ce8ab307e>


Category Post List Widget <= 2.0 - Unauthenticated Stored Cross-Site Scripting via custom_css

Affected Software: Category Post List Widget CVE ID: CVE-2023-47516 CVSS Score: 6.1 (Medium) Researcher/s: LEE SE HYOUNG (hackintoanetwork) Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/0182ca6c-23f8-4212-bfd8-cb898e98b37b>


Essential Grid <= 3.1.0 - Reflected Cross-Site Scripting

Affected Software: Essential Grid Portfolio – Photo Gallery CVE ID: CVE-2023-47684 CVSS Score: 6.1 (Medium) Researcher/s: Rafie Muhammad Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/02eadae8-7aa6-42f5-b807-9ed82332fa72>


Category Post List Widget <= 2.0 - Cross-Site Request Forgery via get_cplw_settings

Affected Software: Category Post List Widget CVE ID: CVE-2023-47516 CVSS Score: 6.1 (Medium) Researcher/s: LEE SE HYOUNG (hackintoanetwork) Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/04ffc248-2b5c-4c64-8bfd-361a8ff6a8af>


SendPress Newsletters <= 1.23.11.6 - Reflected Cross-Site Scripting

Affected Software: SendPress Newsletters CVE ID: CVE-2023-47517 CVSS Score: 6.1 (Medium) Researcher/s: Le Ngoc Anh Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/2cd6e69b-f927-4cea-a838-5c73f52233a2>


Edit WooCommerce Templates <= 1.1.1 - Unauthenticated Cross-Site Scripting

Affected Software: Edit WooCommerce Templates CVE ID: CVE-2023-47509 CVSS Score: 6.1 (Medium) Researcher/s: LEE SE HYOUNG (hackintoanetwork) Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/34f7ab72-a4e3-4264-b6d3-530dd255dc87>


Under Construction / Maintenance Mode from Acurax <= 2.6 - Unauthenticated Cross-Site Scripting

Affected Software: Under Construction / Maintenance Mode from Acurax CVE ID: CVE-2023-39926 CVSS Score: 6.1 (Medium) Researcher/s: Robert DeVore Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/359b8977-6d0d-4856-8d72-17091a420f67>


EazyDocs <= 2.3.3 - Unauthenticated Stored Cross-Site Scripting via edit_doc_one_page

Affected Software: EazyDocs – Most Powerful Knowledge base, wiki, Documentation Builder Plugin (easy docs, knowledgebase) CVE ID: CVE-2023-47549 CVSS Score: 6.1 (Medium) Researcher/s: minhtuanact Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/38145ad1-f441-40a4-9e92-6837cfeba656>


Restrict Categories <= 2.6.4 - Reflected Cross-Site Scripting via rc-search

Affected Software: Restrict Categories CVE ID: CVE-2023-47518 CVSS Score: 6.1 (Medium) Researcher/s: Le Ngoc Anh Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/45671cab-f719-4ee6-af81-7c19b37b8d91>


Post Pay Counter <= 2.789 - Reflected Cross-Site Scripting

Affected Software: Post Pay Counter CVE ID: CVE-2023-47673 CVSS Score: 6.1 (Medium) Researcher/s: LEE SE HYOUNG (hackintoanetwork) Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/4a9fce6d-d5c2-4ab7-87ea-8dd6e4d92e07>


Atarim <= 3.12 - Unauthenticated Cross-Site Scripting

Affected Software: Visual Website Collaboration, Feedback & Project Management – Atarim CVE ID: CVE-2023-47544 CVSS Score: 6.1 (Medium) Researcher/s: lttn Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/4f5919eb-ac74-4926-9ede-e651bb4463b2>


Product Enquiry for WooCommerce <= 3.0 - Unauthenticated Stored Cross-Site Scripting via name

Affected Software: Product Enquiry for WooCommerce CVE ID: CVE-2023-47512 CVSS Score: 6.1 (Medium) Researcher/s: LEE SE HYOUNG (hackintoanetwork) Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6840add4-62db-4b99-b48b-0b51aa2451b8>


Martins Free & Easy SEO BackLink Link Building Network <= 1.2.29 - Reflected Cross-Site Scripting via _wpnonce

Affected Software: Martins Free & Easy SEO BackLink Link Building Network – Improve Rankings & Traffic CVE ID: CVE-2023-5641 CVSS Score: 6.1 (Medium) Researcher/s: Enrico Marcolini, Claudio Marchesini (Dottormarc) Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/773b5a79-017a-4e16-b563-3aa2939fa179>


WP Crowdfunding <= 2.1.6 - Reflected Cross-Site Scripting via postid

Affected Software: WP Crowdfunding CVE ID: CVE-2023-47532 CVSS Score: 6.1 (Medium) Researcher/s: Abu Hurayra (HurayraIIT) Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7f13a432-e37d-4183-85ff-e2a04b40cda8>


LearnPress <= 4.2.5.3 - Reflected Cross-Site Scripting via add_internal_scripts_to_head

Affected Software: LearnPress – WordPress LMS Plugin CVE ID: CVE Unknown CVSS Score: 6.1 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/81fd3ac1-91af-4cfa-ac4e-712beb4236c0>


Photo Feed <= 2.2.1 - Reflected Cross-Site Scripting via pf-gid

Affected Software: Photo Feed CVE ID: CVE-2023-47522 CVSS Score: 6.1 (Medium) Researcher/s: Le Ngoc Anh Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/8a36b98b-7197-434e-88ac-6fcfa34d6abb>


Auto Affiliate Links <= 6.4.2.4 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Affected Software: Auto Affiliate Links CVE ID: CVE-2023-47652 CVSS Score: 6.1 (Medium) Researcher/s: LEE SE HYOUNG (hackintoanetwork) Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/8c84ffd3-e000-4d67-9789-e439e7c128e8>


CodeBard's Patron Button and Widgets for Patreon <= 2.1.9 - Reflected Cross-Site Scripting via cb_p6_tab

Affected Software: CodeBard's Patron Button and Widgets for Patreon CVE ID: CVE-2023-47524 CVSS Score: 6.1 (Medium) Researcher/s: Le Ngoc Anh Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/96649aa6-f3ba-4e9e-9fa5-a5fbd52c3836>


Master Slider Pro <= 3.6.5 - Reflected Cross-Site Scripting

Affected Software: masterslider
CVE ID: CVE-2023-47508
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/9f77755a-9b28-4e31-8a01-42e96b5698bf>


Star CloudPRNT for WooCommerce <= 2.0.3 - Unauthenticated Cross-Site Scripting

Affected Software: Star CloudPRNT for WooCommerce
CVE ID: CVE-2023-47514
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/9f850644-4923-46c1-90f6-d29088c9cb1a>


WPDBSpringClean <= 1.6 - Reflected Cross-Site Scripting

Affected Software: WPDBSpringClean
CVE ID: CVE-2023-47510
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG (hackintoanetwork)
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a6627f96-63d6-4f22-9eb7-fb42e748ae38>


Q2W3 Post Order <= 1.2.8 - Reflected Cross-Site Scripting

Affected Software: Q2W3 Post Order
CVE ID: CVE-2023-47521
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/affc9dff-75a1-4cb3-8465-55254db6441b>


Seo By 10Web <= 1.2.9 - Reflected Cross-Site Scripting

Affected Software: SEO by 10Web
CVE ID: CVE-2023-34375
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b4533554-52e4-44b4-9230-b6e3feb2e4a1>


Plainview Protect Passwords <= 1.4 - Reflected Cross-Site Scripting

Affected Software: Plainview Protect Passwords
CVE ID: CVE-2023-47665
CVSS Score: 6.1 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b63d8238-267f-4a40-9af0-37ae8b9ba26b>


Additional Order Filters for WooCommerce <= 1.10 - Reflected Cross-Site Scripting

Affected Software: Additional Order Filters for WooCommerce
CVE ID: CVE-2023-47690
CVSS Score: 6.1 (Medium)
Researcher/s: qilin_99
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/baa8b5ce-7ef8-4ca8-9957-2c3469f55dda>


ImageMapper <= 1.2.6 - Cross-Site Request Forgery to Stored Cross-Site Scripting via imgmap_save_area_title

Affected Software: ImageMapper
CVE ID: CVE-2023-5532
CVSS Score: 6.1 (Medium)
Researcher/s: István Márton
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/bbb67f02-87e8-4ca3-8a9d-6663a700ab5b>


Responsive Column Widgets <= 1.2.7 - Reflected Cross-Site Scripting via tab

Affected Software: Responsive Column Widgets
CVE ID: CVE-2023-47520
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d749c24c-0ed9-423b-872a-4771e9d8a2eb>


Products, Order & Customers Export for WooCommerce <= 2.0.7 - Reflected Cross-Site Scripting via date parameters

Affected Software: Products, Order & Customers Export for WooCommerce
CVE ID: CVE-2023-47547
CVSS Score: 6.1 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/eac8685b-8ed9-432d-8912-b66bd62c950f>


Extra Product Options for WooCommerce <= 3.0.3 - Authenticated (Shop manager+) Stored Cross-Site Scripting via plugin settings

Affected Software: Extra Product Options for WooCommerce
CVE ID: CVE-2023-47658
CVSS Score: 5.5 (Medium)
Researcher/s: Emili Castells
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/393a856e-dc13-4fb6-8ff3-5880631953c4>


Actueel Financieel Nieuws – Denk Internet Solutions <= 5.1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

Affected Software: Actueel Financieel Nieuws – Denk Internet Solutions
CVE ID: CVE-2023-6107
CVSS Score: 5.5 (Medium)
Researcher/s: Nithissh S
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/4e0ad29a-b7a0-407e-8fb0-0917b8671afb>


Direct Checkout – Quick View – Buy Now For WooCommerce <= 1.5.8 - Authenticated (Shop manager+) Stored Cross-Site Scripting via Custom CSS Code

Affected Software: Direct Checkout – Quick View – Buy Now For WooCommerce
CVE ID: CVE-2023-47657
CVSS Score: 5.5 (Medium)
Researcher/s: Emili Castells
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/514aa001-24c8-4624-8e25-f17b8454354c>


Recently viewed and most viewed products <= 1.1.1 - Authenticated (Shop Manager+) Stored Cross-Site Scripting

Affected Software: Recently viewed and most viewed products
CVE ID: CVE-2023-47646
CVSS Score: 5.5 (Medium)
Researcher/s: Emili Castells
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/61ec0e78-b367-438f-929d-94e055c83477>


Responsive Pricing Table < 5.1.8 - Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

Affected Software: Responsive Pricing Table
CVE ID: CVE-2023-4810
CVSS Score: 5.5 (Medium)
Researcher/s: Vaishnav Rajeevan
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7fb7dd8f-6258-46e1-9cc5-87ec73d5736c>


Forms for Mailchimp by Optin Cat <= 2.5.4 - Authenticated (Editor+) Stored Cross-Site Scripting

Affected Software: Forms for Mailchimp by Optin Cat – Grow Your MailChimp List
CVE ID: CVE-2023-47545
CVSS Score: 5.5 (Medium)
Researcher/s: DoYeon Park (p6rkdoye0n)
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a7d5edee-04fb-41e0-be5e-ca3681956d2d>


Countdown and CountUp, WooCommerce Sales Timer <= 1.8.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

Affected Software: Countdown and CountUp, WooCommerce Sales Timer
CVE ID: CVE-2023-47533
CVSS Score: 5.5 (Medium)
Researcher/s: SeungYongLee
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c1ec113c-d11f-4b0b-8d4a-46d37687b3b2>


Live Gold Price & Silver Price Charts Widgets <= 2.4 - Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

Affected Software: Live Gold Price & Silver Price Charts Widgets
CVE ID: CVE-2023-47662
CVSS Score: 5.5 (Medium)
Researcher/s: Emili Castells
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c53ebf2f-44ab-4d0f-ac3d-c08806c07343>


ANAC XML Bandi di Gara <= 7.5 - Authenticated (Editor+) Stored Cross-Site Scripting

Affected Software: ANAC XML Bandi di Gara
CVE ID: CVE-2023-47656
CVSS Score: 5.5 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/cb610baa-093d-4a41-8e28-c65fdb0e32aa>


Add Local Avatar <= 12.1 - Cross-Site Request Forgery via manage_avatar_cache

Affected Software: Add Local Avatar
CVE ID: CVE-2023-47650
CVSS Score: 5.4 (Medium)
Researcher/s: LEE SE HYOUNG (hackintoanetwork)
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/241da621-b892-4263-8409-a40ac5a1ade3>


Code Snippets <= 3.5.0 - Cross-Site Request Forgery via load

Affected Software: Code Snippets
CVE ID: CVE-2023-47666
CVSS Score: 5.4 (Medium)
Researcher/s: Huynh Tien Si
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/28aae3d4-c4c4-4cda-9f4b-7f2ea58629aa>


ImageMapper <= 1.2.6 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Page/Post Deletion via imgmap_delete_area_ajax

Affected Software: ImageMapper
CVE ID: CVE-2023-5506
CVSS Score: 5.4 (Medium)
Researcher/s: István Márton
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/31dff395-c3ce-4ebe-8d38-5243fc4510d6>


Solid Central <= 3.0.0 - Stored Cross-Site Scripting via packages

Affected Software: Solid Central – Site Management, Backups, Security, and Reporting
CVE ID: CVE Unknown
CVSS Score: 5.4 (Medium)
Researcher/s: Robin Wood
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/55234307-9d51-4fe8-bc22-78d32a5fed11>


Quiz And Survey Master <= 8.1.18 - Multiple Cross-Site Request Forgery

Affected Software: Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress
CVE ID: CVE Unknown
CVSS Score: 5.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/91c5a83a-679c-405b-973d-a2255d2bced2>


WP Discord Invite < 2.5.1 - Cross-Site Request Forgery to Settings Update

Affected Software: WP Discord Invite
CVE ID: CVE-2023-5006
CVSS Score: 5.4 (Medium)
Researcher/s: Enrico Marcolini, Claudio Marchesini (Dottormarc)
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d92bfa61-7ae2-427a-8f3a-82709471735b>


UpdraftPlus <= 1.23.10 - Cross-Site Request Forgery to Google Drive Storage Update

Affected Software: UpdraftPlus: WordPress Backup & Migration Plugin
CVE ID: CVE-2023-5982
CVSS Score: 5.4 (Medium)
Researcher/s: Nicolas Decayeux
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e1be11c5-0a44-4816-b6bf-d330cb51dbf3>


Ecwid Ecommerce Shopping Cart <= 6.12.3 - Missing Authorization on multiple functions

Affected Software: Ecwid Ecommerce Shopping Cart
CVE ID: CVE Unknown
CVSS Score: 5.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f3d5bc99-2b55-4e19-8304-e56f3d4a2f1a>


Ultimate Addons for Contact Form 7 <= 3.2.6 - Missing Authorization

Affected Software: Ultimate Addons for Contact Form 7
CVE ID: CVE-2023-47693
CVSS Score: 5.3 (Medium)
Researcher/s: minhtuanact
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/73720e67-79e5-4b4c-8720-e28ad718b2b3>


Front End PM < 11.4.3 - Sensitive Information Exposure via Directory Listing

Affected Software: Front End PM
CVE ID: CVE-2023-4930
CVSS Score: 5.3 (Medium)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/8250c277-200a-4808-98ae-ede169aad3fd>


CoCart – Headless ecommerce <= 3.9.0 - Missing Authorization

Affected Software: CoCart – Decoupling WooCommerce Made Easy
CVE ID: CVE-2023-47241
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/98e8e09c-f2fe-40ab-b1ce-62a1627b6b65>


Restrict Content <= 3.2.7 - Information Exposure via legacy log file

Affected Software: Membership Plugin – Restrict Content
CVE ID: CVE-2023-47668
CVSS Score: 5.3 (Medium)
Researcher/s: Joshua Chan
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ad2d5070-ddc6-4478-abe5-776e197a4507>


Cloud Templates & Patterns collection <= 1.2.2 - Sensitive Information Exposure via Log File

Affected Software: Cloud Templates & Patterns collection
CVE ID: CVE-2023-47529
CVSS Score: 5.3 (Medium)
Researcher/s: Joshua Chan
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c59baad8-b888-4475-8371-645811a6b569>


Email Marketing for WooCommerce by Omnisend <= 1.13.8 - Sensitive Information Exposure

Affected Software: Email Marketing for WooCommerce by Omnisend
CVE ID: CVE-2023-47244
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/cc2cd74d-b828-4524-b33d-c806bfd970b9>


Seers <= 8.0.6 - Missing Authorization via multiple AJAX actions

Affected Software: Seers | GDPR & CCPA Cookie Consent & Compliance
CVE ID: CVE-2023-47515
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d300288e-f100-4c02-ba65-d728e3b1522e>


Animator <= 3.0.9 - Missing Authorization to Plugin Settings Update

Affected Software: Animator – Scroll Triggered Animations
CVE ID: CVE-2023-47689
CVSS Score: 5.3 (Medium)
Researcher/s: Elliot
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f8457aeb-867b-4185-8271-a5452b7c5365>


WooCommerce Product Enquiry <= 2.3.4 - Unauthenticated Self-Based Cross-Site Scripting

Affected Software: WooCommerce Product Enquiry
CVE ID: CVE-2023-32796
CVSS Score: 4.7 (Medium)
Researcher/s: Emili Castells
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/97c68df7-69fd-4817-9473-3d3e1fd6d348>


Integrate Google Drive <= 1.3.1 - Open Redirect via state

Affected Software: Integrate Google Drive – Browse, Upload, Download, Embed, Play, Share, Gallery, and Manage Your Google Drive Files Into Your WordPress Site
CVE ID: CVE-2023-47548
CVSS Score: 4.7 (Medium)
Researcher/s: minhtuanact
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/bccceb2d-2087-4ee6-8118-eb3fb53654dc>


Amazonify <= 0.8.1 - Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: Amazonify
CVE ID: CVE-2023-5819
CVSS Score: 4.4 (Medium)
Researcher/s: Ala Arfaoui
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/41adfb58-d79f-40a3-8a7e-f3f08f64659f>


WP Edit Username <= 1.0.5 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: WP Edit Username
CVE ID: CVE-2023-47528
CVSS Score: 4.4 (Medium)
Researcher/s: Jeongwoo-Lee
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/47461b7b-e986-4048-88aa-175242305795>


Pinyin Slugs <= 2.3.0 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Pinyin Slugs
CVE ID: CVE-2023-47511
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/65e76681-80e0-40aa-a68b-87cb0c42b4f8>


OneClick Chat to Order <= 1.0.4.2 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: OneClick Chat to Order
CVE ID: CVE-2023-47546
CVSS Score: 4.4 (Medium)
Researcher/s: Luqman Hakim Y
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/94f338c2-95c9-4ce8-8579-0b2b66547aa0>


ANAC XML Viewer <= 1.7 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: ANAC XML Viewer
CVE ID: CVE-2023-47245
CVSS Score: 4.4 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/9af963ed-8bc5-4b5e-bacd-30a2ef429ce8>


Team Members Showcase <= 1.3.4 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Team Members Showcase
CVE ID: CVE-2023-32957
CVSS Score: 4.4 (Medium)
Researcher/s: Emili Castells
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ad88c661-601c-411f-9495-2c3b8a568c6b>


Product Visibility by Country for WooCommerce <= 1.4.9 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Product Visibility by Country for WooCommerce
CVE ID: CVE-2023-47660
CVSS Score: 4.4 (Medium)
Researcher/s: Emili Castells
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e56b11a1-dd40-461b-9624-b60367c0c727>


Custom post types <= 4.0.12 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Custom post types, Custom Fields & more
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/eb94520e-a99d-4e34-b174-e01898de0978>


TWB Woocommerce Reviews <= 1.7.5 - Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: TWB Woocommerce Reviews
CVE ID: CVE-2023-47653
CVSS Score: 4.4 (Medium)
Researcher/s: Emili Castells
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f85df8f1-9283-48d0-8f19-88a4a839d501>


Flo Forms <= 1.0.41 - Missing Authorization via flo_send_test_email

Affected Software: Flo Forms – Easy Drag & Drop Form Builder
CVE ID: CVE-2023-47692
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/04401d7e-996d-4b46-b391-bfb0b065900b>


Arigato Autoresponder and Newsletter <= 2.7.2.2 - Cross-Site Request Forgery

Affected Software: Arigato Autoresponder and Newsletter
CVE ID: CVE-2023-47686
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/1bf798b5-2a5c-42d9-a4b3-d3ed056e1fdb>


Best Restaurant Menu by PriceListo <= 1.3.1 - Cross-Site Request Forgery via menu_page

Affected Software: Best Restaurant Menu by PriceListo
CVE ID: CVE-2023-47649
CVSS Score: 4.3 (Medium)
Researcher/s: Skalucy
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/1c24f881-52bc-4210-9037-bcdd1e4aa895>


Amazonify <= 0.8.1 - Cross-Site Request Forgery to Amazon Tracking ID Update

Affected Software: Amazonify
CVE ID: CVE-2023-5818
CVSS Score: 4.3 (Medium)
Researcher/s: Ala Arfaoui
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/33f3c466-bdeb-402f-bf34-bc703f35e1e2>


ANAC XML Bandi di Gara <= 7.5 - Cross-Site Request Forgery via settings.php

Affected Software: ANAC XML Bandi di Gara
CVE ID: CVE-2023-47655
CVSS Score: 4.3 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/36cf102b-bff1-4516-9a76-030ddc98c207>


WooCommerce Product Table Lite <= 2.6.2 - Cross-Site Request Forgery

Affected Software: WooCommerce Product Table Lite
CVE ID: CVE-2023-47519
CVSS Score: 4.3 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/4528f805-bbf3-4a0f-a06f-879c6e607bfa>


Patreon WordPress <= 1.8.6 - Cross-Site Request Forgery

Affected Software: Patreon WordPress
CVE ID: CVE-2023-41129
CVSS Score: 4.3 (Medium)
Researcher/s: BuShiYue
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/481121b2-4ea9-489e-b582-ec8bbf87c902>


Product Catalog Simple <= 1.7.5 - Cross-Site Request Forgery via ic_system_status

Affected Software: Product Catalog Simple
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/4a134509-8dc0-41ac-9b5c-5b173a1e3c68>


BadgeOS <= 3.7.1.6 - Missing Authorization

Affected Software: BadgeOS
CVE ID: CVE-2023-47647
CVSS Score: 4.3 (Medium)
Researcher/s: Elliot
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/515e62ba-c3b8-42d0-95e3-be347b8851a5>


Korea SNS <= 1.6.3 - Cross-Site Request Forgery via kon_tergos_options

Affected Software: Korea SNS
CVE ID: CVE-2023-47670
CVSS Score: 4.3 (Medium)
Researcher/s: LEE SE HYOUNG (hackintoanetwork)
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/51d07d2a-74e6-499e-8d66-90893faedeaf>


Woo Custom and Sequential Order Number <= 2.6.0 - Cross-Site Request Forgery

Affected Software: Woo Custom and Sequential Order Number
CVE ID: CVE-2023-47687
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/67279c70-c416-4d18-9951-470773b9221a>


WP Links Page <= 4.9.4 - Cross-Site Request Forgery via wplf_ajax_update_screenshots

Affected Software: WP Links Page
CVE ID: CVE-2023-47651
CVSS Score: 4.3 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6fa70ddc-9a5c-4001-967a-5aad789c862c>


Dragfy Addons for Elementor <= 1.0.2 - Missing Authorization via save_settings

Affected Software: Dragfy Addons for Elementor
CVE ID: CVE-2023-47661
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7caaaaef-075b-44f6-8809-a02d5f034f26>


WordPress Backup & Migration <= 1.4.3 - Missing Authorization to Settings Update

Affected Software: WordPress Backup & Migration
CVE ID: CVE-2023-5737
CVSS Score: 4.3 (Medium)
Researcher/s: Krzysztof Zając
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7de132d5-51c9-464c-b687-8e367dd8d846>


Donations Made Easy – Smart Donations <= 4.0.12 - Cross-Site Request Forgery

Affected Software: Donations Made Easy – Smart Donations
CVE ID: CVE-2023-47551
CVSS Score: 4.3 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7f5d3973-5bbb-4c85-9790-e12f3fc14f30>


Foyer <= 1.7.5 - Content Injection via Improper Access Control

Affected Software: Foyer – Digital Signage for WordPress
CVE ID: CVE-2023-47663
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/97344674-15df-45e6-9906-f21a9920a6e1>


Preloader Matrix <= 2.0.1 - Cross-Site Request Forgery

Affected Software: Preloader Matrix
CVE ID: CVE-2023-47685
CVSS Score: 4.3 (Medium)
Researcher/s: Skalucy
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/97548879-f015-4adc-8a84-535d210ae0de>


Youtube SpeedLoad <= 0.6.3 - Cross-Site Request Forgery

Affected Software: Youtube SpeedLoad
CVE ID: CVE-2023-47688
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/9d11c022-9938-4a9e-be16-db986fdfa1c8>


Plugin Name: Device Theme Switcher <= 3.0.2 - Cross-Site Request Forgery

Affected Software: Plugin Name: Device Theme Switcher
CVE ID: CVE-2023-47556
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/9d64d711-f2d9-4447-9ac1-80c5ea51c23e>


ImageMapper <= 1.2.6 - Cross-Site Request Forgery to Plugin Settings Change via ajax

Affected Software: ImageMapper
CVE ID: CVE-2023-5975
CVSS Score: 4.3 (Medium)
Researcher/s: István Márton
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a128018b-f19b-4b18-a53c-cf1310d3d0e7>


WP Full Stripe Free <= 1.6.1 - Cross-Site Request Forgery

Affected Software: WP Full Stripe Free
CVE ID: CVE-2023-47667
CVSS Score: 4.3 (Medium)
Researcher/s: LEE SE HYOUNG (hackintoanetwork)
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a4f7211b-0ff0-406e-9a0a-2dd7b1314d6d>


MSHOP MY SITE <= 1.1.6 - Missing Authorization via update_settings

Affected Software: 코드엠샵 마이사이트 – MSHOP MY SITE
CVE ID: CVE-2023-47243
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/bc2cbf43-3e8a-4364-9355-6d6587204c1c>


Plainview Protect Passwords <= 1.4 - Cross-Site Request Forgery

Affected Software: Plainview Protect Passwords
CVE ID: CVE-2023-47664
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/bc59b997-a8e2-4c75-aa5f-36cc5a66326e>


UserHeat Plugin <= 1.1.6 - Cross-Site Request Forgery

Affected Software: UserHeat Plugin
CVE ID: CVE-2023-47553
CVSS Score: 4.3 (Medium)
Researcher/s: LEE SE HYOUNG (hackintoanetwork)
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c03b5670-9f7e-4001-ba90-197559b794a1>


Easy Social Icons <= 3.2.4 - Missing Authorization via cnss_save_ajax_order

Affected Software: Easy Social Icons
CVE ID: CVE-2023-33998
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Anh Tien
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c3bdc0c4-34fb-43cc-ba2b-340347bca146>


Auto Tag Creator <= 1.0.2 - Missing Authorization via tag_save_settings_callback

Affected Software: Auto Tag Creator
CVE ID: CVE-2023-47523
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/d4b6d2c6-d157-4c4c-b6e1-557b8353c742>


Droit Dark Mode <= 1.1.2 - Cross-Site Request Forgery

Affected Software: Droit Dark Mode
CVE ID: CVE-2023-47531
CVSS Score: 4.3 (Medium)
Researcher/s: Elliot
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e3afaa85-9eb5-4cc4-883a-11d42504a8e1>


Visitors Traffic Real Time Statistics <= 7.2 - Missing Authorization via multiple AJAX actions

Affected Software: Visitor Traffic Real Time Statistics
CVE ID: CVE-2023-47557
CVSS Score: 4.3 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f4aac424-abf3-4d6c-a0a4-a95e2cf89864>


ProfileGrid <= 5.6.6 - Cross-Site Request Forgery

Affected Software: ProfileGrid – User Profiles, Memberships, Groups and Communities
CVE ID: CVE-2023-47644
CVSS Score: 4.3 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f58efd6c-58f2-464b-8aaf-f4f5c4c52f09>


ARI Stream Quiz <= 1.3.0 - Authenticated (Contributor+) Content Injection

Affected Software: ARI Stream Quiz – WordPress Quizzes Builder
CVE ID: CVE-2023-47513
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/fa6fc22e-0d30-4c4b-8c8d-13f04ed1aa7c>


Image Hover Effects <= 5.5 - Cross-Site Request Forgery

Affected Software: Image Hover Effects – WordPress Plugin
CVE ID: CVE-2023-47552
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/fb947f1f-8cce-448d-9c86-1d3c01a4637d>


Job Manager & Career <= 1.4.3 - Sensitive Information Exposure

Affected Software: Job Manager & Career – Manage job board listings, and recruitments
CVE ID: CVE-2023-5906
CVSS Score: 3.7 (Low)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c66bc0b1-c157-4c05-ae9d-0927863c6b95>


As a reminder, Wordfence has curated an industry-leading vulnerability database, known as Wordfence Intelligence, covering all known WordPress core, theme, and plugin vulnerabilities.

This database is continuously updated, maintained, and populated by Wordfence's highly credentialed and experienced vulnerability researchers through in-house vulnerability research, through vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring various sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign up for our mailing list to receive weekly vulnerability reports like this one and important WordPress security reports in your inbox the moment they are published.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (November 6, 2023 to November 12, 2023) appeared first on Wordfence.
