Chloe Chamberland
April 20, 2023

Wordfence Intelligence Weekly WordPress Vulnerability Report (Apr 10, 2023 to Apr 16, 2023)

Last week, there were 69 vulnerabilities disclosed in 60 WordPress plugins and 4 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 32 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface and vulnerability API are completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status Number of Vulnerabilities
Unpatched 30
Patched 39

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating Number of Vulnerabilities
Low Severity 0
Medium Severity 60
High Severity 6
Critical Severity 3

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) 31
Cross-Site Request Forgery (CSRF) 16
Missing Authorization 10
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) 5
Authorization Bypass Through User-Controlled Key 2
Improper Privilege Management 1
Information Exposure 1
Authentication Bypass Using an Alternate Path or Channel 1
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) 1
Improper Neutralization of Formula Elements in a CSV File 1

Researchers That Contributed to WordPress Security Last Week

Researcher Name Number of Vulnerabilities
Mika 4
Lana Codes 4
yuyudhn 3
Erwan LR 3
Dave Jong 3
Shreya Pohekar 3
Rio Darmawan 2
Maurice Fielenbach 2
Alex Thomas 2
Prasanna V Balaji 2
Muhammad Daffa 2
Pavak Tiwari 2
Cat 2
Ivy 2
Abdi Pranata 2
Rafie Muhammad 2
Mahesh Nagabhairava 1
TEAM WEBoB of BoB 11th 1
Skalucy 1
Marc-Alexandre Montpas 1
Fariq Fadillah Gusti Insani 1
qilin_99 1
dc11 1
Pavitra Tiwari 1
Johan Kragt 1
Sajjad Shariati 1
Justiice 1
Yuki Haruma 1
LOURCODE 1
Ramuel Gall 1
Padavishree 1
Ameen Alkurdy 1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name Software Slug
AFFILIATE Solution affiliate-solution
AI ChatBot chatbot
AdFoxly – Ad Manager, AdSense Ads & Ads.txt adfoxly
Affiliate Links Lite affiliate-links
Article Directory Redux article-directory-redux
Best WordPress Gallery Plugin – FooGallery foogallery
Better Search – Relevant search results for WordPress better-search
Blocksy Companion blocksy-companion
Booqable Rental Plugin booqable-rental-reservations
Cloud Manager cloud-manager
CoSchedule coschedule-by-todaymade
Contact Form to DB by BestWebSoft – Messages Database Plugin For WordPress contact-form-to-db
Coupon Affiliates – WooCommerce Affiliate Plugin woo-coupon-usage
Custom Order Numbers for WooCommerce custom-order-numbers-for-woocommerce
Cyr to Lat enhanced cyr3lat
Database Collation Fix database-collation-fix
Download Manager Pro download-manager
Easy Appointments easy-appointments
ElasticPress elasticpress
Electric Studio Client Login electric-studio-client-login
Enable Accessibility enable-accessibility
External Videos external-videos
Fantastic Content Protector Free fantastic-content-protector-free
Featured Post Creative featured-post-creative
Forminator – Contact Form, Payment Form & Custom Form Builder forminator
Kaya QR Code Generator kaya-qr-code-generator
Landing Page Builder – Free Landing Page Templates ultimate-landing-page
Limit Login Attempts limit-login-attempts
Motor Racing League motor-racing-league
Neshan Maps neshan-maps
Newsletters newsletters-lite
Optima Express + MarketBoost IDX Plugin optima-express
Paytm – Donation Plugin paytm-donation
Pickup | Delivery | Dine-in date time restaurant-pickup-delivery-dine-in
PowerPress Podcasting plugin by Blubrry powerpress
Pretty Links – Affiliate Links, Link Branding, Link Tracking & Marketing Plugin pretty-link
Product Catalog Feed by PixelYourSite product-catalog-feed
Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress quiz-master-next
Restricted Site Access restricted-site-access
ReviewX – Multi-criteria Rating & Reviews for WooCommerce reviewx
Ruby Help Desk ruby-help-desk
ShiftController Employee Shift Scheduling shiftcontroller
Shortcodes by Angie Makes wc-shortcodes
Simple PopUp simple-popup
Stamped.io Product Reviews & UGC for WooCommerce stampedio-product-reviews
Stock Exporter for WooCommerce stock-exporter-for-woocommerce
SupportCandy – Helpdesk & Support Ticket System supportcandy
Ultimate Noindex Nofollow Tool II ultimate-noindex-nofollow-tool-ii
User registration & user profile – UserPlus userplus
Vimeotheque / Vimeo codeflavors-vimeo-video-post-lite
WP EasyPay – Square for WordPress wp-easy-pay
WP Inventory Manager wp-inventory-manager
WP Reroute Email wp-reroute-email
WP Roles at Registration wp-roles-at-registration
Watu Quiz watu
WooCommerce Wishlist by MC + (Free Elementor & Email Marketing Automation) smart-wishlist-for-more-convert
ZM Ajax Login & Register zm-ajax-login-register
a3 Portfolio a3-portfolio
hiWeb Migration Simple hiweb-migration-simple
tencentcloud-cos tencentcloud-cos

WordPress Themes with Reported Vulnerabilities Last Week

Software Name Software Slug
Betheme betheme
Blogger Buzz blogger-buzz
Educenter educenter
Square square

Vulnerability Details

SupportCandy <= 3.1.4 – Unauthenticated SQL Injection via parse_user_filters

Affected Software: SupportCandy – Helpdesk & Support Ticket System
CVE ID: CVE-2023-1730
CVSS Score: 9.8 (Critical)
Researcher/s: dc11
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5ca1c55a-cd4e-429a-ab74-dd1bad1a65f5

ZM Ajax Login & Register <= 2.0.2 – Authentication Bypass

Affected Software: ZM Ajax Login & Register
CVE ID: CVE-2023-2027
CVSS Score: 9.8 (Critical)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b10d01ec-54ef-456b-9410-ed013343a962

Quiz and Survey Master <= 8.1.4 – Unauthenticated SQL Injection

Affected Software: Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress
CVE ID: CVE-2023-28787
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b29dcd7a-a0bc-4983-85ba-6ebf2c405ceb

Cyr to Lat <= 3.5 – Authenticated SQL Injection

Affected Software: Cyr to Lat enhanced
CVE ID: CVE-2022-4290
CVSS Score: 8.8 (High)
Researcher/s: Ramuel Gall
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c9c29130-1b42-4edd-ad62-6f635e03ae31

webpack JS package <= 5.75.0 – Sandbox Bypass

Affected Software/s: Restricted Site Access, ElasticPress
CVE ID: CVE-2023-28154
CVSS Score: 8.3 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1cda31a4-4c79-4567-a527-6510c31d2843

WP Reroute Email <= 1.4.6 – Authenticated (Administrator+) SQL Injection

Affected Software: WP Reroute Email
CVE ID: CVE-2023-27605
CVSS Score: 7.2 (High)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/395a8ca6-78b8-43f2-8e8c-896702b5da0d

Paytm Payment Donation <= 2.1 – Reflected Cross-Site Scripting

Affected Software: Paytm – Donation Plugin
CVE ID: CVE-2023-28535
CVSS Score: 7.2 (High)
Researcher/s: qilin_99
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/534e6f80-b162-4a4b-a979-72ed63a8b0dc

Landing Page Builder – Free Landing Page Templates <= 3.1.9.8 – Local File Inclusion

Affected Software: Landing Page Builder – Free Landing Page Templates
CVE ID: CVE-2023-24379
CVSS Score: 7.2 (High)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c40bf215-81c1-423a-9d41-9a231dfc8053

Neshan Maps <= 1.1.4 – Authenticated (Administrator+) SQL Injection

Affected Software: Neshan Maps
CVE ID: CVE-2022-47426
CVSS Score: 7.2 (High)
Researcher/s: Unknown
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ee7eb754-27f0-47b0-a82f-4781cfbb0fa6

Stamped.io Product Reviews & UGC for WooCommerce <= 2.3.2 – Missing Authorization

Affected Software: Stamped.io Product Reviews & UGC for WooCommerce
CVE ID: CVE-2023-30479
CVSS Score: 6.5 (Medium)
Researcher/s: Fariq Fadillah Gusti Insani
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/490061dc-11f7-48f2-bc9a-974bedf16621

ReviewX <= 1.6.6 – Unauthenticated CSV Injection

Affected Software: ReviewX – Multi-criteria Rating & Reviews for WooCommerce
CVE ID: CVE-2022-46809
CVSS Score: 6.5 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cc465757-4295-4a75-90f6-92c4be4e8944

Limit Login Attempts <= 1.7.1 – Authenticated(Subscriber+) Stored Cross-Site Scripting

Affected Software: Limit Login Attempts
CVE ID: CVE-2023-1861
CVSS Score: 6.4 (Medium)
Researcher/s: Marc-Alexandre Montpas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3334fc78-48c5-4cfa-ac83-5690fdbf590a

Affiliate Links Lite <= 2.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Affiliate Links Lite
CVE ID: CVE-2023-22696
CVSS Score: 6.4 (Medium)
Researcher/s: Justiice
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9511d8f1-ab96-4695-aa8c-16a3482a6de4

a3 Portfolio <= 3.1.0 – Authenticated (Author+) Stored Cross-Site Scripting

Affected Software: a3 Portfolio
CVE ID: CVE-2023-29097
CVSS Score: 6.4 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9a190909-4b0f-4a44-8371-d79f64d323c2

Kaya QR Code Generator <= 1.5.2 – Authenticated(Contributor+) Stored Cross-Site Scripting via url parameter

Affected Software: Kaya QR Code Generator
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ad8b5fd2-ba92-4afa-9b4a-a95936b9a18d

Product Catalog Feed by PixelYourSite <= 2.1.0 – Reflected Cross-Site Scripting via 'page'

Affected Software: Product Catalog Feed by PixelYourSite
CVE ID: CVE-2023-1805
CVSS Score: 6.1 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/18d33d68-9719-4e74-a594-bc4add38ceee

Contact Form to DB <= 1.7.0 – Multiple Cross-Site Scripting

Affected Software: Contact Form to DB by BestWebSoft – Messages Database Plugin For WordPress
CVE ID: CVE Unknown
CVSS Score: 6.1 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/19b21013-136a-41b0-a667-39f23ccedf2e

Watu Quiz <= 3.3.9.2 – Reflected Cross-Site Scripting via 'question'

Affected Software: Watu Quiz
CVE ID: CVE-2023-30483
CVSS Score: 6.1 (Medium)
Researcher/s: Skalucy
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1d24dbdf-8fb0-41c3-8c35-e0d65c6b96f5

WP Inventory Manager <= 2.1.0.11 – Reflected Cross-Site Scripting via 'message'

Affected Software: WP Inventory Manager
CVE ID: CVE-2023-1806
CVSS Score: 6.1 (Medium)
Researcher/s: Maurice Fielenbach
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/363ece80-1fa6-4019-84c9-e0a65f02625d

AdFoxly – Ad Manager, AdSense Ads & Ads.txt <= 1.8.4 – Unauthenticated Cross-Site Scripting

Affected Software: AdFoxly – Ad Manager, AdSense Ads & Ads.txt
CVE ID: CVE-2023-30754
CVSS Score: 6.1 (Medium)
Researcher/s: Prasanna V Balaji
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4d13ae87-f632-4eb0-bc71-5132ba6a9b13

Cloud Manager <= 1.0 – Reflected Cross-Site Scripting

Affected Software: Cloud Manager
CVE ID: CVE-2023-0421
CVSS Score: 6.1 (Medium)
Researcher/s: Shreya Pohekar
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5d896366-a85d-49c9-9509-3f7454712474

Coupon Affiliates <= 5.4.5 – Reflected Cross-Site Scripting via 'page'

Affected Software: Coupon Affiliates – WooCommerce Affiliate Plugin
CVE ID: CVE-2023-30475
CVSS Score: 6.1 (Medium)
Researcher/s: Ivy
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6c6fc6be-7e9a-40cb-b9cd-bb71d4f487f7

Vimeotheque <= 2.2.1 – Reflected Cross-Site Scripting via 'view' and 'page'

Affected Software: Vimeotheque / Vimeo
CVE ID: CVE-2023-30498
CVSS Score: 6.1 (Medium)
Researcher/s: Ivy
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/72256ac2-72a7-4c3c-a892-1f1795671c5d

FooGallery <= 2.2.35 – Reflected Cross-Site Scripting

Affected Software: Best WordPress Gallery Plugin – FooGallery
CVE ID: CVE-2023-29439
CVSS Score: 6.1 (Medium)
Researcher/s: LOURCODE
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a7181056-d2ee-4c0f-b9a8-fdb7ad042a6b

UserPlus <= 2.0 – Cross-Site Request Forgery to Stored Cross-Site Scripting

Affected Software: User registration & user profile – UserPlus
CVE ID: CVE-2023-0824
CVSS Score: 6.1 (Medium)
Researcher/s: Shreya Pohekar
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/acd0349b-7864-4e4e-84ba-6f0ec5b585f3

ShiftController Employee Shift Scheduling <= 4.9.25 – Reflected Cross-Site Scripting via Query String

Affected Software: ShiftController Employee Shift Scheduling
CVE ID: CVE-2023-1978
CVSS Score: 6.1 (Medium)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b5c61212-e68e-4198-b078-18121576b767

hiWeb Migration Simple <= 2.0.0.1 – Reflected Cross-Site Scripting

Affected Software: hiWeb Migration Simple
CVE ID: CVE-2023-0769
CVSS Score: 6.1 (Medium)
Researcher/s: Shreya Pohekar
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b9aacc69-aa46-4cdb-a301-c0bf2836d441

Betheme <= 26.7.5 – Reflected Cross-Site Scripting

Affected Software: Betheme
CVE ID: CVE-2023-29101
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c14b948f-129d-4223-b3ee-0bef1f9fc703

Product Catalog Feed by PixelYourSite <= 2.1.0 – Reflected Cross-Site Scripting via 'edit'

Affected Software: Product Catalog Feed by PixelYourSite
CVE ID: CVE-2023-1804
CVSS Score: 6.1 (Medium)
Researcher/s: Maurice Fielenbach
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d82d1dd2-b5b5-490a-92e5-1a4d4ab0085d

Booqable Rental Plugin <= 2.4.12 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Booqable Rental Plugin
CVE ID: CVE-2023-30746
CVSS Score: 5.5 (Medium)
Researcher/s: TEAM WEBoB of BoB 11th
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/16f183a6-b8db-461e-b17d-2faa528ff0ff

Newsletters <= 4.8.8 – Cross-Site Request Forgery

Affected Software: Newsletters
CVE ID: CVE-2023-30478
CVSS Score: 5.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0cd6474f-72e1-4ec2-a056-3c05a0dfa173

PowerPress <= 10.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: PowerPress Podcasting plugin by Blubrry
CVE ID: CVE-2023-1917
CVSS Score: 5.4 (Medium)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/44583cb7-bc32-4e62-8431-f5f1f6baeff2

Custom Order Numbers for WooCommerce <= 1.4.0 – Cross-Site Request Forgery

Affected Software: Custom Order Numbers for WooCommerce
CVE ID: CVE-2022-45367
CVSS Score: 5.4 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7d19800a-bff3-414f-a809-0159f49d263a

Featured Post Creative <= 1.2.7 – Missing Authorization via wpfp_update_featured_post

Affected Software: Featured Post Creative
CVE ID: CVE-2023-30488
CVSS Score: 5.3 (Medium)
Researcher/s: Cat
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/61585a02-fe7b-4a54-959f-346e4e0d6658

Blogger Buzz <= 1.2.1 – Missing Authorization via activate_plugin

Affected Software: Blogger Buzz
CVE ID: CVE-2023-30476
CVSS Score: 5.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/823dce74-2688-4573-b0c8-353f1789ea48

Download Manager Pro <= 6.2.9 – Unauthenticated Information Disclosure

Affected Software: Download Manager Pro
CVE ID: CVE-2023-1809
CVSS Score: 5.3 (Medium)
Researcher/s: Johan Kragt
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/88d80702-a987-4b12-a003-2fa564fda409

Fantastic Content Protector Free <= 2.6 – Missing Authorization via update_setting_fantastic_content_protector

Affected Software: Fantastic Content Protector Free
CVE ID: CVE-2023-25048
CVSS Score: 5.3 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b93f8036-4a89-45e6-b86f-9d57e1662a35

Shortcodes by Angie Makes <= 3.46 – Missing Authorization

Affected Software: Shortcodes by Angie Makes
CVE ID: CVE-2023-23725
CVSS Score: 5.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e20feb23-f78e-42e7-8922-e7cf37dbdcb1

Optima Express + MarketBoost IDX Plugin <= 7.3.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Optima Express + MarketBoost IDX Plugin
CVE ID: CVE-2023-30749
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/059e262b-ee63-4f8b-82ab-c12bcf70f879

External Videos <= 1.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: External Videos
CVE ID: CVE-2023-30752
CVSS Score: 4.4 (Medium)
Researcher/s: Mahesh Nagabhairava
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/168e8512-d551-47f9-bc2b-c458180a6d13

Simple Popup Images <= 1.8.6 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Simple PopUp
CVE ID: CVE-2023-24406
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/18c0ecc5-b3e2-4ac0-b901-dae397e2d57c

WP Roles at Registration <= 0.23 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: WP Roles at Registration
CVE ID: CVE-2023-27609
CVSS Score: 4.4 (Medium)
Researcher/s: Pavak Tiwari
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5a4eeb77-7a8b-489f-8ded-bbe09e881758

Article Directory Redux <= 1.0.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Article Directory Redux
CVE ID: CVE-2023-30751
CVSS Score: 4.4 (Medium)
Researcher/s: Pavitra Tiwari
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/63c681e5-3110-4790-a075-4996fa1f2129

Motor Racing League <= 1.9.9 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Motor Racing League
CVE ID: CVE-2023-27614
CVSS Score: 4.4 (Medium)
Researcher/s: Pavak Tiwari
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8876ecc4-1a50-43ac-9c8d-354f6de4abdd

Pickup | Delivery | Dine-in date time <= 1.0.9 – Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: Pickup | Delivery | Dine-in date time
CVE ID: CVE-2023-0894
CVSS Score: 4.4 (Medium)
Researcher/s: Sajjad Shariati
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/936803ab-93d5-4808-8758-6b8f7c01b3c2

Easy Appointments <= 3.11.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Easy Appointments
CVE ID: CVE-2023-30748
CVSS Score: 4.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bfe8d13b-f387-4c82-ba9f-efadda18c882

AI ChatBot <= 4.4.9 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: AI ChatBot
CVE ID: CVE-2023-1649
CVSS Score: 4.4 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cdb3fbaa-4d33-4754-848b-77e902ea4a85

Electric Studio Client Login <= 0.8.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Electric Studio Client Login
CVE ID: CVE-2023-27425
CVSS Score: 4.4 (Medium)
Researcher/s: Padavishree
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e797c0ca-f348-4d9c-815e-0c1756686690

AFFILIATE Solution <= 1.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: AFFILIATE Solution
CVE ID: CVE-2023-30477
CVSS Score: 4.4 (Medium)
Researcher/s: Prasanna V Balaji
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ef778a1d-d4ce-47fd-932b-9e86b38e2681

tencentcloud-cos <= 1.0.7 – Cross-Site Request Forgery

Affected Software: tencentcloud-cos
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0be21ac7-4f61-44fc-9ffc-ab65faa549f6

Forminator <= 1.22.1 – Missing Authorization on 'load_hcaptcha_preview' AJAX function

Affected Software: Forminator – Contact Form, Payment Form & Custom Form Builder
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2ef15cb1-b320-42d9-a2fd-afff2ec8a93b

Database Collation Fix <= 1.2.7 – Cross-Site Request Forgery via admin_page

Affected Software: Database Collation Fix
CVE ID: CVE-2023-23997
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/31612b4b-a75f-4fa4-831b-43f62a8d5fad

Featured Post Creative <= 1.2.7 – Cross-Site Request Forgery via wpfp_update_featured_post

Affected Software: Featured Post Creative
CVE ID: CVE-2023-30488
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/33a47156-ee93-4b59-9f73-56be5c9e3b00

Educenter <= 1.5.1 – Missing Authorization via activate_plugin

Affected Software: Educenter
CVE ID: CVE-2023-30480
CVSS Score: 4.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/344ad959-038a-46d1-b515-ae3473af8209

Shortlinks by Pretty Links <= 3.4.0 – Cross-Site Request Forgery via route

Affected Software: Pretty Links – Affiliate Links, Link Branding, Link Tracking & Marketing Plugin
CVE ID: CVE-2022-47149
CVSS Score: 4.3 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5304da48-5d42-47ce-b1b1-dc04b8fa9dff

Stock Exporter for WooCommerce <= 1.1.0 – Cross-Site Request Forgery

Affected Software: Stock Exporter for WooCommerce
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6c4a9092-fd49-42fe-a84d-a9f7fe708122

Forminator <= 1.22.1 – Missing Authorization on 'load_recaptcha_preview' AJAX function

Affected Software: Forminator – Contact Form, Payment Form & Custom Form Builder
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/718e54f5-f040-42d6-958d-255d905615d5

Ultimate Noindex Nofollow Tool II <= 1.3.3 – Cross-Site Request Forgery

Affected Software: Ultimate Noindex Nofollow Tool II
CVE ID: CVE-2023-30474
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7761fe7c-e7f5-4bab-8820-42e6fcabcb2f

Stamped.io Product Reviews & UGC for WooCommerce <= 2.3.2 – Cross-Site Request Forgery

Affected Software: Stamped.io Product Reviews & UGC for WooCommerce
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7a8c4232-2e1e-4c99-83d5-d70f7ca1c879

MC Woocommerce Wishlist <= 1.5.4 – Cross-Site Request Forgery

Affected Software: WooCommerce Wishlist by MC + (Free Elementor & Email Marketing Automation)
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7c7f6ef2-6c50-4739-8844-0db7d9ffe7f7

WP Reroute Email <= 1.4.6 – Cross-Site Request Forgery

Affected Software: WP Reroute Email
CVE ID: CVE-2023-27606
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9c3a047f-be12-4308-a4a5-fbbbc37f674d

Enable Accessibility <= 1.4 – Cross-Site Request Forgery

Affected Software: Enable Accessibility
CVE ID: CVE-2023-30484
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b0b8c4c3-eba2-4c20-b790-48eceeba898e

CoSchedule <= 3.3.8 – Cross-Site Request Forgery

Affected Software: CoSchedule
CVE ID: CVE-2022-47165
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ca55a7a0-da31-4d3f-845b-80f89ffbadf5

Forminator <= 1.22.1 – Missing Authorization on 'hubspot_support_request' AJAX function

Affected Software: Forminator – Contact Form, Payment Form & Custom Form Builder
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d0cb4434-94c5-42a9-bd86-869058dcbf67

Blocksy Companion <= 1.8.81 – Authenticated(Subscriber+) Sensitive Information Exposure via blocksy_posts shortcode

Affected Software: Blocksy Companion
CVE ID: CVE-2023-1911
CVSS Score: 4.3 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d31aad1c-89d4-4f71-bfed-a795f7a4f209

Square <= 2.0.0 – Missing Authorization via activate_plugin

Affected Software: Square
CVE ID: CVE-2023-30486
CVSS Score: 4.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d3ca4c3c-2b20-42d4-8dcf-77f4d52c25a3

Better Search <= 3.1.0 – Cross-Site Request Forgery

Affected Software: Better Search – Relevant search results for WordPress
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d7a02502-bc3c-4fd1-b6db-7b3c476c141f

WP EasyPay <= 4.0.4 – Cross-Site Request Forgery

Affected Software: WP EasyPay – Square for WordPress
CVE ID: CVE-2022-47177
CVSS Score: 4.3 (Medium)
Researcher/s: Cat
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e2c1606e-b6b6-4f7d-8473-1015677ded7c

Ruby Help Desk <= 1.3.3 – Missing Authorization to Arbitrary Ticket Modification

Affected Software: Ruby Help Desk
CVE ID: CVE-2023-1125
CVSS Score: 4.3 (Medium)
Researcher/s: Ameen Alkurdy
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fd741e2d-5478-4b9a-83ab-7ccafdc5d12f

As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

Did you enjoy this post? Share it!

LinkedIn 

Comments

No Comments

Breaking WordPress Security Research in your inbox as it happens.

Example of a news story

This site uses cookies in accordance with our Privacy Policy.