Wordfence Intelligence Weekly WordPress Vulnerability Report (Mar 20, 2023 to Mar 26, 2023)

Last week, there were 80 vulnerabilities disclosed in 69 WordPress Plugins and 1 WordPress theme that have been added to the Wordfence Intelligence Vulnerability Database, and there were 31 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface and vulnerability API are completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.



New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.


Total Unpatched & Patched Vulnerabilities Last Week

| Patch Status | Number of Vulnerabilities |
| --- | --- |
| Unpatched | 27 |
| Patched | 53 |

Total Vulnerabilities by CVSS Severity Last Week

| Severity Rating | Number of Vulnerabilities |
| --- | --- |
| Low Severity | 0 |
| Medium Severity | 70 |
| High Severity | 9 |
| Critical Severity | 1 |

Total Vulnerabilities by CWE Type Last Week

| Vulnerability Type by CWE | Number of Vulnerabilities |
| --- | --- |
| Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 39 |
| Cross-Site Request Forgery (CSRF) | 18 |
| Missing Authorization | 10 |
| Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 4 |
| Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 3 |
| Improper Neutralization of Formula Elements in a CSV File | 2 |
| Authentication Bypass Using an Alternate Path or Channel | 1 |
| Deserialization of Untrusted Data | 1 |
| Information Exposure | 1 |
| Unrestricted Upload of File with Dangerous Type | 1 |

Researchers That Contributed to WordPress Security Last Week

| Researcher Name | Number of Vulnerabilities |
| --- | --- |
| Lana Codes | 10 |
| Mika | 7 |
| yuyudhn | 6 |
| Joshua Martinelle | 5 |
| Erwan LR | 4 |
| Yuki Haruma | 3 |
| Cat | 3 |
| Varun | 2 |
| Rafshanzani Suhada | 2 |
| Rio Darmawan | 2 |
| thiennv | 2 |
| Shreya Pohekar | 2 |
| minhtuanact | 2 |
| Vaibhav Rajput | 1 |
| Abdi Pranata | 1 |
| Nguyen Anh Tien | 1 |
| Michael Mazzolini | 1 |
| Fariq Fadillah Gusti Insani | 1 |
| Rafie Muhammad | 1 |
| Flaviu Popescu | 1 |
| rSolutions Security Team | 1 |
| ipatelsumit | 1 |
| Nithissh S | 1 |
| Bartłomiej Marek | 1 |
| NeginNrb | 1 |
| Pavitra Tiwari | 1 |
| Muhammad Daffa | 1 |
| Cyxow | 1 |
| Dave Jong | 1 |
| R3zk0n | 1 |
| Karol Mazurek | 1 |

 

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.


WordPress Plugins with Reported Vulnerabilities Last Week

| Software Name | Software Slug |
| --- | --- |
| Advance WordPress Search Plugin | th-advance-product-search |
| All-In-One Security (AIOS) – Security and Firewall | all-in-one-wp-security-and-firewall |
| BigContact Contact Page | bigcontact |
| Branded Social Images – Open Graph Images with logo and extra text layer | branded-social-images |
| CBX Currency Converter | cbcurrencyconverter |
| Contact Form Email | contact-form-to-email |
| Contact Form Plugin – Fastest Contact Form Builder Plugin for WordPress by Fluent Forms | fluentform |
| ConvertBox Auto Embed WordPress plugin | convertbox-auto-embed |
| Custom Field Template | custom-field-template |
| Cyberus Key | cyberus-key |
| Disqus Conditional Load | disqus-conditional-load |
| Easy Table of Contents | easy-table-of-contents |
| Enhanced Plugin Admin | enhanced-plugin-admin |
| Event Manager and Tickets Selling Plugin for WooCommerce | mage-eventpress |
| Events Made Easy | events-made-easy |
| Export Users Data Distinct | export-users-data-distinct |
| Floating Cart and Menu Cart for WooCommerce | th-all-in-one-woo-cart |
| Gallery by BestWebSoft – Customizable Image and Photo Galleries for WordPress | gallery-plugin |
| GamiPress – Youtube integration | gamipress-youtube-integration |
| GiveWP – Donation Plugin and Fundraising Platform | give |
| Google XML Sitemap for Mobile | google-mobile-sitemap |
| Hummingbird – Optimize Speed, Enable Cache, Minify CSS & Defer Critical JS | hummingbird-performance |
| I Recommend This | i-recommend-this |
| If Menu – Visibility control for Menus | if-menu |
| InPost Gallery | inpost-gallery |
| JS Job Manager | js-jobs |
| JetEngine | jet-engine |
| Kanban Boards for WordPress | kanban |
| Klaviyo | klaviyo |
| Lazy Social Comments | lazy-facebook-comments |
| MDTF – Meta Data and Taxonomies Filter | wp-meta-data-filter-and-taxonomy-filter |
| Open Graphite | open-graphite |
| Owl Carousel | owl-carousel |
| Pagination by BestWebSoft – Customizable WordPress Content Splitter and Navigation Plugin | pagination |
| Photo Gallery by 10Web – Mobile-Friendly Image Gallery | photo-gallery |
| Pricing Tables For WPBakery Page Builder (formerly Visual Composer) | pricing-tables-for-wpbakery-page-builder |
| Product Feed PRO for WooCommerce | woo-product-feed-pro |
| Safe SVG | safe-svg |
| Scheduled Announcements Widget | scheduled-announcements-widget |
| Simple Custom Author Profiles | simple-custom-author-profiles |
| Simple Giveaways – Grow your business, email lists and traffic with contests | giveasap |
| Simple Mobile URL Redirect | simple-mobile-url-redirect |
| Slider, Gallery, and Carousel by MetaSlider – Responsive WordPress Slideshows | ml-slider |
| Stock Sync for WooCommerce | stock-sync-for-woocommerce |
| Store Locator WordPress | agile-store-locator |
| Stylish Cost Calculator | stylish-cost-calculator-premium |
| Team Member – Team with Slider | team-showcase-supreme |
| Thank You Page Customizer for WooCommerce – Increase Your Sales | woo-thank-you-page-customizer |
| Time Sheets | time-sheets |
| TreePress – Easy Family Trees & Ancestor Profiles | treepress |
| User Registration – Custom Registration Form, Login Form And User Profile For WordPress | user-registration |
| Userlike – WordPress Live Chat plugin | userlike |
| Variation Swatches for WooCommerce | th-variation-swatches |
| Vertical scroll recent post | vertical-scroll-recent-post |
| VigilanTor | vigilantor |
| W4 Post List | w4-post-list |
| WP Content Filter – Censor All Offensive Content From Your Site | wp-content-filter |
| WP Popup Banners | wp-popup-banners |
| WP VR – 360 Panorama and Virtual Tour Builder For WordPress | wpvr |
| Waiting: One-click countdowns | waiting |
| Wbcom Designs – BuddyPress Activity Social Share | bp-activity-social-share |
| Weather Station | live-weather-station |
| WooCommerce JazzCash Gateway Plugin | jazzcash-woocommerce-gateway |
| WooCommerce Payments – Fully Integrated Solution Built and Supported by Woo | woocommerce-payments |
| WordPress Amazon S3 Plugin | wp-s3 |
| WordPress CRM, Email & Marketing Automation for WordPress \| Award Winner — Groundhogg | groundhogg |
| WordPress Pinterest Plugin – Make a Popup, User Profile, Masonry and Gallery Layout | gs-pinterest-portfolio |
| amr users | amr-users |
| eRoom – Zoom Meetings & Webinars | eroom-zoom-meetings-webinar |

WordPress Themes with Reported Vulnerabilities Last Week

| Software Name | Software Slug |
| --- | --- |
| Resoto | resoto |

Vulnerability Details

WooCommerce Payments 4.8.0 – 5.6.1 Authentication Bypass and Privilege Escalation

Affected Software: WooCommerce Payments – Fully Integrated Solution Built and Supported by Woo
CVE ID: CVE Unknown
CVSS Score: 9.8 (Critical)
Researcher/s: Michael Mazzolini
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/41cf57ff-421d-4db2-894f-17f2c4d4b9ed

Waiting: One-click countdowns <= 0.6.2 – Authenticated (Subscriber+) SQL Injection via ‘pbc_down[meta][id]’

Affected Software: Waiting: One-click countdowns
CVE ID: CVE-2023-28659
CVSS Score: 8.8 (High)
Researcher/s: Joshua Martinelle
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/17d12a35-35a1-4f7b-aa03-33ddafe17f5b

WP Popup Banners <= 1.2.5 – Authenticated (Subscriber+) SQL Injection via ‘value’

Affected Software: WP Popup Banners
CVE ID: CVE-2023-28661
CVSS Score: 8.8 (High)
Researcher/s: Joshua Martinelle
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/aa64d6b4-5673-4d88-b5c7-d3441eaa0706

Events Made Easy <= 2.3.14 – Authenticated (Subscriber+) SQL Injection via ‘search_name’

Affected Software: Events Made Easy
CVE ID: CVE-2023-28660
CVSS Score: 8.8 (High)
Researcher/s: Joshua Martinelle
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d2550461-2546-4dc4-85ff-decf2fca3f10

Crocoblock JetEngine <= 3.1.3 – Authenticated (Author+) Arbitrary File Upload to Remote Code Execution

Affected Software: JetEngine
CVE ID: CVE-2023-1406
CVSS Score: 8.8 (High)
Researcher/s: R3zk0n
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d7e7247f-869a-4cf0-ae03-0b36ecbc1b7e

Pricing Tables For WPBakery Page Builder (formerly Visual Composer) <= 2.0 – Authenticated (Subscriber+) Local File Inclusion via Shortcode

Affected Software: Pricing Tables For WPBakery Page Builder (formerly Visual Composer)
CVE ID: CVE-2023-1274
CVSS Score: 8.1 (High)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3475c8fe-17fa-4d8e-bffd-a33e59f6e03b

User Registration <= 2.3.2.1 – PHP Object Injection

Affected Software: User Registration – Custom Registration Form, Login Form And User Profile For WordPress
CVE ID: CVE-2023-27459
CVSS Score: 7.5 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5835fed0-5b9d-47b5-82ae-f0f19830ae2a

Stylish Cost Calculator < 7.9.0 – Unauthenticated Stored Cross-Site Scripting

Affected Software: Stylish Cost Calculator
CVE ID: CVE-2023-0983
CVSS Score: 7.2 (High)
Researcher/s: Flaviu Popescu
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5b7cc660-b430-4b0f-b2d1-68ba458de8a9

Groundhogg <= 2.7.9.3 – Authenticated (Administrator+) SQL Injection

Affected Software: WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg
CVE ID: CVE-2023-1425
CVSS Score: 7.2 (High)
Researcher/s: rSolutions Security Team
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/76c468cb-8ad6-4b62-8de5-dc8efd4b8e61

SVG Sanitizer library <= 0.15.4 – Cross-Site Scripting Bypass

Affected Software: Safe SVG
CVE ID: CVE-2023-28426
CVSS Score: 7.2 (High)
Researcher/s: Cyxow
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ca73de6d-2d47-4d7c-a917-0f99fed8c27d

JS Job Manager <= 2.0.0 – Missing Authorization

Affected Software: JS Job Manager
CVE ID: CVE-2023-28689
CVSS Score: 6.5 (Medium)
Researcher/s: Fariq Fadillah Gusti Insani
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/55604ee9-7343-472c-9a29-035d18b266ab

TH Advance WordPress Search <= 1.1.4 – Missing Authorization via settings_init

Affected Software: Advance WordPress Search Plugin
CVE ID: CVE-2023-25969
CVSS Score: 6.5 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/826a3fa2-ee41-4960-becb-0df8813a964a

FluentForms <= 4.3.24 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Contact Form Plugin – Fastest Contact Form Builder Plugin for WordPress by Fluent Forms
CVE ID: CVE-2023-0546
CVSS Score: 6.4 (Medium)
Researcher/s: Vaibhav Rajput
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0b79a851-1212-4a9c-89fe-b5f2d50ec18c

Vertical scroll recent post <= 14.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcodes

Affected Software: Vertical scroll recent post
CVE ID: CVE-2023-23862
CVSS Score: 6.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1a0e93cb-4311-4b38-8eb4-17152e1f3475

WordPress Pinterest Plugin <= 1.6.1 – Stored (Contributor+) Cross-Site Scripting via Shortcode

Affected Software: WordPress Pinterest Plugin – Make a Popup, User Profile, Masonry and Gallery Layout
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/20daf751-176d-48f2-ac68-480fda89cee1

Team Member <= 4.4 – Authenticated (Editor+) Stored Cross-Site Scripting via new_style_name

Affected Software: Team Member – Team with Slider
CVE ID: CVE-2023-23647
CVSS Score: 6.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/353d22c5-dee1-485f-ae66-e9c7afe3ad8e

W4 Post List <= 2.4.5 – Authenticated (Contributor+) Stored Cross-Site Scripting via Block Options

Affected Software: W4 Post List
CVE ID: CVE-2023-0374
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/64ed8547-0dc1-4f0a-8b0b-27ce20b8bbd6

Scheduled Announcements Widget <= 0.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Scheduled Announcements Widget
CVE ID: CVE-2023-0363
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/755ae574-9df3-44d1-a14b-16887f234510

GamiPress – Youtube integration <= 1.0.7 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: GamiPress – Youtube integration
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bb74a917-2dfb-4229-a72a-9c3d1f9a6324

Pricing Tables For WPBakery Page Builder (formerly Visual Composer) <= 2.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Pricing Tables For WPBakery Page Builder (formerly Visual Composer)
CVE ID: CVE-2023-0367
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c04a0f82-97f6-44ff-999d-08a8c106f889

ConvertBox Auto Embed WordPress plugin <= 1.0.19 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: ConvertBox Auto Embed WordPress plugin
CVE ID: CVE-2023-23664
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c8a4e9b8-9794-48b7-8c53-cfad37ed530c

Slider, Gallery, and Carousel by MetaSlider <= 3.29.0 – Reflected Cross-Site Scripting

Affected Software: Slider, Gallery, and Carousel by MetaSlider – Responsive WordPress Slideshows
CVE ID: CVE-2023-1473
CVSS Score: 6.1 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/290233f0-a5dd-4c69-8039-7392268daf40

InPost Gallery <= 2.1.4.1 – Reflected Cross-Site Scripting via ‘imgurl’

Affected Software: InPost Gallery
CVE ID: CVE-2023-28666
CVSS Score: 6.1 (Medium)
Researcher/s: Joshua Martinelle
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/69fd66db-5693-4976-96c0-60dbfeccd14f

MDTF – Meta Data and Taxonomies Filter <= 1.3.0.1 – Reflected Cross-Site Scripting via ‘tax_name’

Affected Software: MDTF – Meta Data and Taxonomies Filter
CVE ID: CVE-2023-28664
CVSS Score: 6.1 (Medium)
Researcher/s: Joshua Martinelle
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6edb6604-9da8-421e-933b-bac02b179bd0

WP VR <= 8.2.8 – Reflected Cross-Site Scripting

Affected Software: WP VR – 360 Panorama and Virtual Tour Builder For WordPress
CVE ID: CVE-2023-1413
CVSS Score: 6.1 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6fbde737-0730-49a4-a84e-a9c5e0e32af5

W4 Post List <= 2.4.5 – Reflected Cross-Site Scripting

Affected Software: W4 Post List
CVE ID: CVE-2023-1373
CVSS Score: 6.1 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9d6a7230-07c7-43f3-a844-77d2bb19545d

WordPress Amazon S3 Plugin <= 1.5 – Reflected Cross-Site Scripting

Affected Software: WordPress Amazon S3 Plugin
CVE ID: CVE-2023-0423
CVSS Score: 6.1 (Medium)
Researcher/s: Shreya Pohekar
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ab779713-7004-47f6-af16-2db2c7c1013b

WooCommerce JazzCash Gateway Plugin <= 2.0 – Unauthenticated Cross-Site Scripting

Affected Software: WooCommerce JazzCash Gateway Plugin
CVE ID: CVE-2022-46822
CVSS Score: 6.1 (Medium)
Researcher/s: minhtuanact
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e6809f7f-4495-4185-b439-820010afc305

Open Graphite <= 1.6.0 – Reflected Cross-Site Scripting via topic parameter

Affected Software: Open Graphite
CVE ID: CVE-2022-47439
CVSS Score: 6.1 (Medium)
Researcher/s: minhtuanact
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fd368b2c-ef40-453b-aeef-ad88d847c29b

Export Users Data Distinct <= 1.3 – Authenticated (Subscriber+) CSV Injection

Affected Software: Export Users Data Distinct
CVE ID: CVE-2022-46804
CVSS Score: 5.8 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/03a1724c-8fea-4e9f-a4a1-9de236e1f15a

amr users <= 4.59.4 – Authenticated (Subscriber+) CSV Injection

Affected Software: amr users
CVE ID: CVE-2022-45348
CVSS Score: 5.8 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/879e7695-3a61-4e65-b102-fcdc63fac688

Simple Giveaways <= 2.45.0 – Authenticated (Editor+) Stored Cross-Site Scripting via Form, Prize, and Sharing Method Fields

Affected Software: Simple Giveaways – Grow your business, email lists and traffic with contests
CVE ID: CVE-2023-1122
CVSS Score: 5.5 (Medium)
Researcher/s: Varun
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/240691c4-35c5-40e1-b1ab-a500ffcdac73

Wbcom Designs – BuddyPress Activity Social Share <= 3.5.0 – Cross-Site Request Forgery

Affected Software: Wbcom Designs – BuddyPress Activity Social Share
CVE ID: CVE-2023-28694
CVSS Score: 5.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1c8152c5-7d72-48a1-9140-8b0341c86023

TH Variation Swatches <= 1.2.7 – Cross-Site Request Forgery via delete_settings

Affected Software: Variation Swatches for WooCommerce
CVE ID: CVE-2023-28688
CVSS Score: 5.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6e98fb74-46f2-4a6a-8012-e2824bd77070

CBX Currency Converter <= 3.0.3 – Cross-Site Request Forgery leading to Plugin Settings Leakage/Changes

Affected Software: CBX Currency Converter
CVE ID: CVE-2023-28747
CVSS Score: 5.4 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/711d2c4d-700d-4d6e-911f-99abf86eff32

Enhanced Plugin Admin <= 1.16 – Cross-Site Request Forgery via epa_options_page

Affected Software: Enhanced Plugin Admin
CVE ID: CVE-2023-28618
CVSS Score: 5.4 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9b5bc030-7739-4eb4-b85d-99e5d0f2643a

Easy Table of Contents <= 2.0.45.2 – Missing Authorization via eztoc_reset_options_to_default

Affected Software: Easy Table of Contents
CVE ID: CVE-2023-25469
CVSS Score: 5.4 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ff937860-c4e0-4172-9f0f-d66578fa7203

TH Side Cart and Menu Cart for Woocommerce <= 1.1.1 – Missing Authorization

Affected Software: Floating Cart and Menu Cart for WooCommerce
CVE ID: CVE-2023-25969
CVSS Score: 5.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1c0d18d3-8758-41ae-b104-dac69eee4ac9

Branded Social Images <= 1.1.0 – Missing Authorization leading to Unauthenticated Plugin Settings Updates

Affected Software: Branded Social Images – Open Graph Images with logo and extra text layer
CVE ID: CVE-2023-28536
CVSS Score: 5.3 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2cbc0b70-c8a4-4924-a67f-cea81ab19cdc

Owl Carousel <= 0.5.3 – Missing Authorization via save_paramter.php

Affected Software: Owl Carousel
CVE ID: CVE-2022-44578
CVSS Score: 5.3 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/37aaf109-e04f-40d7-8303-a581b0b09d24

If Menu <= 0.16.3 – Missing Authorization to Admin Settings Modification

Affected Software: If Menu – Visibility control for Menus
CVE ID: CVE-2022-41698
CVSS Score: 5.3 (Medium)
Researcher/s: Nguyen Anh Tien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3b5fc0ac-7a33-48da-8b0f-566b9eb0f17f

eRoom – Zoom Meetings & Webinar <= 1.4.6 – Missing Authorization via add_feedback

Affected Software: eRoom – Zoom Meetings & Webinars
CVE ID: CVE-2022-43472
CVSS Score: 5.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5e0767a8-9e82-4ce4-9df9-19b458dc5ce0

GiveWP <= 2.25.2 – Cross-Site Request Forgery via give_ajax_delete_payment_note

Affected Software: GiveWP – Donation Plugin and Fundraising Platform
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a2dc1a04-5503-412b-92e7-ed86910abd92

GiveWP <= 2.25.2 – Cross-Site Request Forgery via give_ajax_store_payment_note

Affected Software: GiveWP – Donation Plugin and Fundraising Platform
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d09a0b62-6556-4be5-a6f2-0cb0edcced3b

Hummingbird <= 3.4.1 – Unauthenticated Path Traversal

Affected Software: Hummingbird – Optimize Speed, Enable Cache, Minify CSS & Defer Critical JS
CVE ID: CVE-2023-1478
CVSS Score: 5.3 (Medium)
Researcher/s: Karol Mazurek
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d9b8e6dc-a9ac-4afb-ad47-4f51032bb1f4

Resoto <= 1.0.8 – Missing Authorization leading to Authenticated (Subscriber+) Arbitrary Plugin Activation

Affected Software: Resoto
CVE ID: CVE-2023-28619
CVSS Score: 5 (Medium)
Researcher/s: Dave Jong
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cb5c5e82-d6e5-4237-958f-12fc4698e77e

Photo Gallery by 10Web <= 1.8.14 – Authenticated (Administrator+) Directory Traversal

Affected Software: Photo Gallery by 10Web – Mobile-Friendly Image Gallery
CVE ID: CVE Unknown
CVSS Score: 4.9 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a0f55f3e-9a9a-42a7-91b5-0d515519d545

Kanban Boards for WordPress <= 2.5.20 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Kanban Boards for WordPress
CVE ID: CVE-2023-23884
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/071b5c32-b6ac-402a-af74-6ecd05279d93

Userlike <= 2.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Userlike – WordPress Live Chat plugin
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/14c94d47-c911-4874-a897-58f4c0800329

Store Locator WordPress <= 1.4.9 – Authenticated (Editor+) Stored Cross-Site Scripting via ‘category_name’, ‘description’, ‘description_2’ parameters

Affected Software: Store Locator WordPress
CVE ID: CVE-2023-27618
CVSS Score: 4.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1dad9de0-5e43-4dfd-a56c-5e9efff35c0a

Klaviyo <= 3.0.9 – Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: Klaviyo
CVE ID: CVE-2023-0874
CVSS Score: 4.4 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/294de862-716c-4e17-a1cf-cade53207013

VigilanTor <= 1.3.10 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: VigilanTor
CVE ID: CVE-2023-28695
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2ea71d63-27ce-4f24-b3ef-de38e6f25e0d

Gallery by BestWebSoft – Customizable Image and Photo Galleries for WordPress <= 4.6.9 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Gallery by BestWebSoft – Customizable Image and Photo Galleries for WordPress
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3adf6b20-110f-4057-9fab-5248e9c18555

Lazy Social Comments <= 2.0.4 – Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Options

Affected Software: Lazy Social Comments
CVE ID: CVE-2023-23733
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/43f2c020-a531-4e25-948e-372bc7af3bab

Disqus Conditional Load <= 11.0.6 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

Affected Software: Disqus Conditional Load
CVE ID: CVE-2023-23732
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/762190dc-cd19-4bc1-8204-9219881d95e9

Simple Giveaways <= 2.45.0 – Authenticated (Admin+) Stored Cross-Site Scripting via Settings

Affected Software: Simple Giveaways – Grow your business, email lists and traffic with contests
CVE ID: CVE-2023-1120
CVSS Score: 4.4 (Medium)
Researcher/s: ipatelsumit
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/86991143-d4e7-4114-b219-0deedd084858

Simple Giveaways <= 2.45.0 – Authenticated (Admin+) Stored Cross-Site Scripting via form fields

Affected Software: Simple Giveaways – Grow your business, email lists and traffic with contests
CVE ID: CVE-2023-1121
CVSS Score: 4.4 (Medium)
Researcher/s: Varun
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/91552a9b-d46b-4a75-b096-8f28bdd9fb56

WP Content Filter – Censor All Offensive Content From Your Site <= 3.0.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: WP Content Filter – Censor All Offensive Content From Your Site
CVE ID: CVE-2023-23883
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/95ffefff-80e1-4f5a-8939-47a00f75493d

Simple Custom Author Profiles <= 1.0.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Simple Custom Author Profiles
CVE ID: CVE-2023-24372
CVSS Score: 4.4 (Medium)
Researcher/s: Nithissh S
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/986d16d5-f1f4-4ed9-9978-0f12ee22a543

All-In-One Security (AIOS) <= 5.1.4 – Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: All-In-One Security (AIOS) – Security and Firewall
CVE ID: CVE-2023-0157
CVSS Score: 4.4 (Medium)
Researcher/s: Bartłomiej Marek
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a3ae55ad-b192-4dde-8a7c-3a4fd71d3475

Pagination by BestWebSoft < 1.2.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Pagination by BestWebSoft – Customizable WordPress Content Splitter and Navigation Plugin
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a4572874-afd4-4e46-8a28-76a0a6cc8acb

Cyberus Key <= 1.0 – Authenticated (Administrator+) Stored Cross-Site Scripting via ‘uid’ in ‘cyberkey_settings’ Plugin Setting

Affected Software: Cyberus Key
CVE ID: CVE-2023-28620
CVSS Score: 4.4 (Medium)
Researcher/s: Pavitra Tiwari
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bf5e5eaf-b42d-49b9-8f55-6025e64748c9

Event Manager for WooCommerce <= 3.8.6 – Authenticated (Administrator+) Stored Cross-Site Scripting via ‘mep_get_option’ function

Affected Software: Event Manager and Tickets Selling Plugin for WooCommerce
CVE ID: CVE-2023-28422
CVSS Score: 4.4 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c2f4c1de-7eeb-45c4-bbff-ec85f2cda5aa

Time Sheets <= 1.29.2 – Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: Time Sheets
CVE ID: CVE-2023-0893
CVSS Score: 4.4 (Medium)
Researcher/s: Shreya Pohekar
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e7e25e64-4504-4aad-aeb6-d58b5c36a4bd

Cyberus Key <= 1.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Cyberus Key
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f3944b2d-c431-4a53-b4e2-740480e746d6

TreePress – Easy Family Trees & Ancestor Profiles <= 2.0.22 – Authenticated (Administrator+) Stored Cross-Site Scripting via ‘post_title’ parameter

Affected Software: TreePress – Easy Family Trees & Ancestor Profiles
CVE ID: CVE-2023-23863
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fbef8738-d639-48a5-98b7-abf9a7e9fec1

TH Side Cart and Menu Cart for Woocommerce <= 1.1.1 – Cross-Site Request Forgery

Affected Software: Floating Cart and Menu Cart for WooCommerce
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/18f04566-3a63-41f3-aa9b-766304d56499

W4 Post List <= 2.4.5 – Information Disclosure via post_excerpt

Affected Software: W4 Post List
CVE ID: CVE-2023-1371
CVSS Score: 4.3 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5ac7408d-8ec7-415b-bf52-024182888cb4

GiveWP <= 2.25.2 – Cross-Site Request Forgery

Affected Software: GiveWP – Donation Plugin and Fundraising Platform
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5ea02dd5-d837-471c-aa6a-264ffcedd55d

I Recommend This <= 3.8.3 – Cross-Site Request Forgery

Affected Software: I Recommend This
CVE ID: CVE-2023-28696
CVSS Score: 4.3 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a0ee9b26-4e7f-475f-b42b-5af40b78cbca

BigContact <= 1.5.8 – Cross-Site Request Forgery leading to Plugin Settings Updates

Affected Software: BigContact Contact Page
CVE ID: CVE-2023-22694
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b0403adb-08c4-4697-a7d9-50e39d46cd43

Download Weather Station <= 3.8.11 – Cross-Site Request Forgery

Affected Software: Weather Station
CVE ID: CVE-2023-25478
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b1e1db3f-1ebc-4f16-b2d8-8bce9c51b3db

Google XML Sitemap for Mobile <= 1.6.1 – Cross-Site Request Forgery via mobile_sitemap_generate

Affected Software: Google XML Sitemap for Mobile
CVE ID: CVE-2023-23869
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b2b0c5f9-b734-41e6-8ecb-4cf3d891ddb7

Custom Field Template <= 2.5.8 – Cross-Site Request Forgery via Plugin Options Update

Affected Software: Custom Field Template
CVE ID: CVE-2023-22695
CVSS Score: 4.3 (Medium)
Researcher/s: NeginNrb
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b55853e1-2f20-417f-b07e-eda758eaed32

Stock Sync for WooCommerce <= 2.3.2 – Missing Authorization

Affected Software: Stock Sync for WooCommerce
CVE ID: CVE-2022-46807
CVSS Score: 4.3 (Medium)
Researcher/s: Cat
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b8faa34a-17fd-4a2e-b8bf-ed40fc7a88d9

Simple Mobile URL Redirect <= 1.7.2 – Cross-Site Request Forgery leading to Mobile Redirect Updates

Affected Software: Simple Mobile URL Redirect
CVE ID: CVE-2023-23897
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/be8dcff9-1626-4919-b297-c423891f3d02

Product Feed PRO for WooCommerce <= 12.4.0 – Cross-Site Request Forgery via update_project

Affected Software: Product Feed PRO for WooCommerce
CVE ID: CVE-2022-46793
CVSS Score: 4.3 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c5b0939a-1699-483c-9a4f-7978155e6ad1

Contact Form Email <= 1.3.31 – Cross-Site Request Forgery to Feedback Submission

Affected Software: Contact Form Email
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ce6ea115-941e-482f-a2a4-95293ff10a69

Stock Sync for WooCommerce <= 2.3.2 – Cross-Site Request Forgery

Affected Software: Stock Sync for WooCommerce
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Cat
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cf13732b-7c24-443a-bae9-d8cf70b5cb33

Thank You Page Customizer for WooCommerce – Increase Your Sales <= 1.0.13 – Cross-Site Request Forgery via send_email

Affected Software: Thank You Page Customizer for WooCommerce – Increase Your Sales
CVE ID: CVE-2022-46812
CVSS Score: 4.3 (Medium)
Researcher/s: Cat
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ecd504ad-8812-46ec-be18-e98d05982312

As a reminder, Wordfence has curated an industry-leading vulnerability database, known as Wordfence Intelligence, that covers all known WordPress core, theme, and plugin vulnerabilities.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers. It draws on in-house vulnerability research, on submissions that vulnerability researchers send directly to us using our CVE Request form, and on monitoring of various sources to capture all publicly available WordPress vulnerability information, with additional context added where we can.

4 Comments
  • Even though I am not a programmer, I really enjoy reading the reports (even though I don't understand some of it). I appreciate the seriousness Wordfence takes with security. I like the full disclosure and the giving credit to the researchers who helped. Makes me feel confident that my four small websites are protected by WF. Thanks for your hard work. Carla

    • You're very welcome, Carla. Thank you for trusting us to help keep your WordPress Sites Secure!

  • Yes, I totally agree with what Carla has said. Good work team.

  • Chloe, you guys are keeping the plugin developers on their toes. Paid plugins need to have accountability and Wordfence is doing just that. Good Job!