Wordfence Intelligence Weekly WordPress Vulnerability Report (Apr 17, 2023 to Apr 23, 2023)

Last week, there were 152 vulnerabilities disclosed in 134 WordPress Plugins and 0 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 41 Vulnerability Researchers that contributed to WordPress Security last week. There were more unpatched vulnerabilities than patched last week, so it’s more important than ever to review those vulnerabilities in this report now to ensure your site is not affected and make the appropriate adjustments if your site is.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface and vulnerability API are completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.


Total Unpatched & Patched Vulnerabilities Last Week

Patch Status Number of Vulnerabilities
Unpatched 81
Patched 71

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating Number of Vulnerabilities
Low Severity 0
Medium Severity 134
High Severity 16
Critical Severity 2

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) 93
Cross-Site Request Forgery (CSRF) 30
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) 11
Missing Authorization 10
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) 2
Deserialization of Untrusted Data 2
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) 1
Information Exposure 1
Improper Access Control 1
URL Redirection to Untrusted Site (‘Open Redirect’) 1

Researchers That Contributed to WordPress Security Last Week

Researcher Name Number of Vulnerabilities
Lana Codes 30
Marco Wotschka 11
Yuki Haruma 9
yuyudhn 7
Muhammad Daffa 6
LEE SE HYOUNG 6
Rio Darmawan 6
Sajjad Shariati 6
Shreya Pohekar 5
minhtuanact 5
Justiice 4
Ramuel Gall 4
TEAM WEBoB of BoB 11th 3
Mika 3
Ivan Kuzymchak 3
Le Ngoc Anh 3
Erwan LR 3
Cat 3
WPScanTeam 2
Lokesh Dachepalli 2
Nguyen Xuan Chien 2
Joshua Martinelle 1
Rafie Muhammad 1
Rafshanzani Suhada 1
Nguyen Huu Do 1
Ryo Sato 1
Skalucy 1
Shezad Master 1
zhangyunpei 1
Yeting Li VARAS@IIE 1
Ameen Alkurdy 1
Nithissh S 1
Chien Vuong 1
thiennv 1
Alexander Schmid 1
cydave 1
easyBug 1
Daniel Ruf 1
Alex Thomas 1
deokhunKim 1
Lucio Sá 1

 

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.


WordPress Plugins with Reported Vulnerabilities Last Week

Software Name Software Slug
AI ChatBot chatbot
ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup armember-membership
Accessibility Suite by Online ADA online-accessibility
Accordion & FAQ – Helpie WordPress Frequently Asked Questions plugin helpie-faq
Active Directory Integration / LDAP Integration ldap-login-for-intranet-sites
ActiveCampaign – Forms, Site Tracking, Live Chat activecampaign-subscription-forms
Ad Inserter – Ad Manager & AdSense Ads ad-inserter
Album Gallery – WordPress Gallery new-album-gallery
ApexChat apexchat
Avirato hotels online booking engine avirato-calendar
BBSpoiler bbspoiler
BadgeOS badgeos
Best Travel Booking WordPress Plugin, Tour Booking System, Trip Booking WordPress Plugin – Yatra yatra
Bitcoin / AltCoin Payment Gateway for WooCommerce & Multivendor store / shop woo-altcoin-payment-gateway
BizLibrary bizlibrary
Booking calendar, Appointment Booking System booking-calendar
Button Builder – Buttons X buttons-x
CMP – Coming Soon & Maintenance Plugin by NiteoThemes cmp-coming-soon-maintenance
CMS Tree Page View cms-tree-page-view
Cab Grid cab-grid
Captcha Them All captcha-them-all
Category Specific RSS feed Subscription category-specific-rss-feed-menu
Church Admin church-admin
Clock In Portal- Staff & Attendance Management clock-in-portal
Contact Form to DB by BestWebSoft – Messages Database Plugin For WordPress contact-form-to-db
Continuous announcement scroller continuous-announcement-scroller
Custom Post Type List Shortcode custom-post-type-list-shortcode
Customer Support Software, Live Chat, & Marketing Automation formilla-chat-and-marketing
Dave’s WordPress Live Search daves-wordpress-live-search
Donation Forms by Charitable – Donations Plugin & Fundraising Platform for WordPress charitable
EZP Maintenance Mode easy-pie-maintenance-mode
Easy Ad Manager easy-ad-manager
Easy Slider Revolution easy-slider-revolution
Ebook Store ebook-store
Email posts to subscribers email-posts-to-subscribers
Enable/Disable Auto Login when Register auto-login-when-resister
Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates essential-blocks
File Gallery file-gallery
Flyzoo Chat flyzoo
Form Block form-block
FormCraft – Contact Form Builder for WordPress formcraft-form-builder
Formilla Edge Targeted Messaging Platform for Sales and Marketing formilla-edge
Freshdesk (official) freshdesk-support
GDPR Compliance & Cookie Consent gdpr-compliance-cookie-consent
Gallery Metabox gallery-metabox
Google Analytics Top Content Widget google-analytics-top-posts-widget
Gps Plotter gps-plotter
Help Desk WP helpdeskwp
Image Optimizer by 10web – Image Optimizer and Compression plugin image-optimizer-wd
Japanized For WooCommerce woocommerce-for-japan
Jetpack CRM – Clients, Leads, Invoices, Billing, Email Marketing, & Automation zero-bs-crm
Kaya QR Code Generator kaya-qr-code-generator
Kiwiz – Certification de facturation – Woocommerce woocommerce-gateway-certification-de-facture-et-gestion-de-pdf-kiwiz
Kodex Posts likes kodex-posts-likes
LIQUID SPEECH BALLOON liquid-speech-balloon
Layer Slider slider-slideshow
LearnPress Export Import – WordPress extension for LearnPress learnpress-import-export
Live Chat by Formilla – Real-time Chat & Chatbots Plugin formilla-live-chat
Locatoraid Store Locator locatoraid
Login Page Styler | Custom Login | Custom WP Admin Login Page | Admin Security | Admin Protection | Login Page Customizer | Admin Login | Login Security | Login Redirect | Theme Login | Login Menu | Login Form | Admin Dashboard | Change Login Logo | Login login-page-styler
Mail Subscribe List mail-subscribe-list
Mega Addons For WPBakery Page Builder mega-addons-for-visual-composer
Membership Database member-database
Modal Dialog modal-dialog
Motors – Car Dealer, Classifieds & Listing motors-car-dealership-classified-listings
NEX-Forms – Ultimate Form Builder – Contact forms and much more nex-forms-express-wp-form-builder
Ninja Tables – Best Data Table Plugin for WordPress ninja-tables
OoohBoi Steroids for Elementor ooohboi-steroids-for-elementor
Panorama – WordPress Project Management Plugin project-panorama-lite
Post Shortcode post-shortcode
PowerPress Podcasting plugin by Blubrry powerpress
Pretty Url pretty-url
Product Slider For WooCommerce Lite product-slider-for-woocommerce-lite
PropertyHive propertyhive
Query Wrangler query-wrangler
RapidExpCart rapidexpcart
Redirect After Login redirect-after-login
Reservation.Studio widget reservation-studio-widget
Responsive Filterable Portfolio responsive-filterable-portfolio
ReviewX – Multi-criteria Rating & Reviews for WooCommerce reviewx
Robokassa payment gateway for Woocommerce robokassa
Semalt Blocker semalt
ShopEngine – Elementor WooCommerce Builder Addons, Variation Swatches, Wishlist, Products Compare – All in One Solution shopengine
Shortcode IMDB shortcode-imdb
Simple Share Buttons Adder simple-share-buttons-adder
Simple Tooltips simple-tooltips
SiteAlert – Uptime, Speed, and Security Monitoring for WordPress my-wp-health-check
Sloth Logo Customizer sloth-logo-customizer
Smart WooCommerce Search smart-woocommerce-search
Social Share Boost social-share-boost
SparkPost sparkpost
Stock Exporter for WooCommerce stock-exporter-for-woocommerce
Stream stream
Subscribers – Free Web Push Notifications subscribers-com
Tablesome – Data table & Workflow Automation ( Contact Form Entries, Email Log, OpenAI / ChatGPT ) tablesome
TaxoPress is the WordPress Tag, Category, and Taxonomy Manager simple-tags
The School Management – Education & Learning Management school-management-system
Themify Portfolio Post themify-portfolio-post
Thumbnail carousel slider wp-responsive-thumbnail-slider
Uji Popup uji-popup
Ultimate Carousel For Elementor ultimate-carousel-for-elementor
Ultimate Carousel For WPBakery Page Builder ultimate-carousel-for-visual-composer
Update Image Tag Alt Attribute update-alt-attribute
Verified Reviews (Avis Vérifiés) netreviews
Video Grid video-grid
Video List Manager video-list-manager
Visual CSS Style Editor yellow-pencil-visual-theme-customizer
WCP Contact Form wcp-contact-form
WP Cerber Security, Anti-spam & Malware Scan wp-cerber
WP Custom Author URL wp-custom-author-url
WP Docs wp-docs
WP Links Page wp-links-page
WP Login Box wp-login-box
WP Original Media Path wp-original-media-path
WP Popups – WordPress Popup builder wp-popups-lite
WP Responsive Tabs horizontal vertical and accordion Tabs responsive-horizontal-vertical-and-accordion-tabs
WP-FormAssembly formassembly-web-forms
WP-dTree wp-dtree-30
WPJAM Basic wpjam-basic
White Label Branding for Elementor Page Builder white-label-branding-elementor
WooCommerce Easy Duplicate Product woo-easy-duplicate-product
WooCommerce Order Status Change Notifier woocommerce-order-status-change-notifier
Woocommerce Email Report wooemailreport
Woocommerce Products Designer by ORION – online product customizer for t-shirts, print cards, phone cases Lettering & Decals woocommerce-products-designer
WordPress Header Builder Plugin – Pearl pearl-header-builder
Wp-D3 wp-d3
YARPP – Yet Another Related Posts Plugin yet-another-related-posts-plugin
YML for Yandex Market yml-for-yandex-market
YourChannel: Everything you want in a YouTube plugin. yourchannel
Zendesk Support for WordPress zendesk
eRocket erocket
f(x) TOC fx-toc
miniOrange’s Google Authenticator – WordPress Two Factor Authentication (2FA , Two Factor, OTP SMS and Email) | Passwordless login miniorange-2-factor-authentication
vSlider Multi Image Slider for WordPress vslider

Vulnerability Details

Email posts to subscribers <= 6.2 – Unauthenticated SQL Injection

Affected Software: Email posts to subscribers
CVE ID: CVE-2022-46818
CVSS Score: 9.8 (Critical)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/51f73041-927d-42da-92cc-14242a397356

Bitcoin / AltCoin Payment Gateway for WooCommerce <= 1.7.1 – Unauthenticated SQL Injection

Affected Software: Bitcoin / AltCoin Payment Gateway for WooCommerce & Multivendor store / shop
CVE ID: CVE-2022-4118
CVSS Score: 9.8 (Critical)
Researcher/s: cydave
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a4e1315b-31e5-428c-9a48-6185b4eeb2fc

ReviewX – Multi-criteria Rating & Reviews for WooCommerce <= 1.6.8 – Authenticated (Subscriber+) SQL Injection

Affected Software: ReviewX – Multi-criteria Rating & Reviews for WooCommerce
CVE ID: CVE-2023-26325
CVSS Score: 8.8 (High)
Researcher/s: Joshua Martinelle
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/072092ef-17bc-4b8b-bf8b-bd69a761c56a

YARPP <= 5.30.2 – Authenticated (Subscriber+) Local File Inclusion

Affected Software: YARPP – Yet Another Related Posts Plugin
CVE ID: CVE-2022-45374
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1091862b-784b-496f-a951-6784544cb51b

Accessibility Suite by Online ADA <= 4.11 – Authenticated (Subscriber+) SQL Injection

Affected Software: Accessibility Suite by Online ADA
CVE ID: CVE-2022-47420
CVSS Score: 8.8 (High)
Researcher/s: minhtuanact
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/71c21af1-a007-4535-98ea-a6f25142bcf6

Avirato hotels online booking engine <= 5.0.5 – Authenticated (Subscriber+) SQL Injection

Affected Software: Avirato hotels online booking engine
CVE ID: CVE-2023-0768
CVSS Score: 8.8 (High)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b62fb1a8-d62d-4d1f-bcce-a081432b9e61

Contact Form to DB by BestWebSoft <= 1.7.0 – Authenticated (Contributor+) SQL Injection via cntctfrmtdb_department

Affected Software: Contact Form to DB by BestWebSoft – Messages Database Plugin For WordPress
CVE ID: CVE-2023-29096
CVSS Score: 8.8 (High)
Researcher/s: easyBug
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ba317acb-d45c-42c0-b5fb-b163bcd59340

Kiwiz – Certification de facturation – Woocommerce <= 2.1.3 – Unauthenticated Arbitrary File Download

Affected Software: Kiwiz – Certification de facturation – Woocommerce
CVE ID: CVE-2023-2180
CVSS Score: 7.5 (High)
Researcher/s: WPScanTeam
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/603f0c9d-6964-4911-b4a5-bdad24a1a8dd

miniOrange’s Google Authenticator <= 5.6.5 – Missing Authorization to Plugin Settings Change

Affected Software: miniOrange’s Google Authenticator – WordPress Two Factor Authentication (2FA , Two Factor, OTP SMS and Email) | Passwordless login
CVE ID: CVE-2022-4943
CVSS Score: 7.5 (High)
Researcher/s: Ramuel Gall
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7267ede1-7745-47cc-ac0d-4362140b4c23

Jetpack CRM <= 5.3.1 – Cross-Site Request Forgery and PHAR Deserialization

Affected Software: Jetpack CRM – Clients, Leads, Invoices, Billing, Email Marketing, & Automation
CVE ID: CVE-2022-3342
CVSS Score: 7.5 (High)
Researcher/s: Ramuel Gall
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/98ab264f-b210-41d0-bb6f-b4f31d933f80

The School Management – Education & Learning Management <= 4.1 – Authenticated (Administrator+) SQL Injection

Affected Software: The School Management – Education & Learning Management
CVE ID: CVE-2022-47430
CVSS Score: 7.2 (High)
Researcher/s: minhtuanact
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1268bdb9-7f80-4fdc-a95a-d51b0ab83e17

Ad Inserter <= 2.7.25 – Authenticated (Admin+) PHP Object Injection

Affected Software: Ad Inserter – Ad Manager & AdSense Ads
CVE ID: CVE-2023-1549
CVSS Score: 7.2 (High)
Researcher/s: Nguyen Huu Do
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1c94028c-a774-45ac-817d-ad9b966a3b51

Shortcode IMDB <= 6.0.8 – Authenticated (Administrator+) SQL Injection

Affected Software: Shortcode IMDB
CVE ID: CVE-2022-47432
CVSS Score: 7.2 (High)
Researcher/s: minhtuanact
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3ae6bf2e-b39a-4bb3-9203-22ff4c23ddf4

WP Cerber Security <= 9.1 – Unauthenticated Stored Cross-Site Scripting

Affected Software: WP Cerber Security, Anti-spam & Malware Scan
CVE ID: CVE-2022-4712
CVSS Score: 7.2 (High)
Researcher/s: Ramuel Gall
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6cd9cbba-10b0-4fb0-ad49-4593a307a615

Video List Manager <= 1.7 – Authenticated (Admin+) SQL Injection

Affected Software: Video List Manager
CVE ID: CVE-2023-1408
CVSS Score: 7.2 (High)
Researcher/s: zhangyunpei, Yeting Li VARAS@IIE
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8b2d42ab-46c1-4c3e-b99a-1cdcade1b5bb

Help Desk WP <= 1.2.0 – Authenticated (Editor+) Stored Cross-Site Scripting

Affected Software: Help Desk WP
CVE ID: CVE-2023-1019
CVSS Score: 7.2 (High)
Researcher/s: Ameen Alkurdy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8ec5173b-7b0d-4887-8c13-f48137aa8593

Booking calendar, Appointment Booking System <= 3.2.6 – Authenticated (Administrator+) SQL Injection via *_selected

Affected Software: Booking calendar, Appointment Booking System
CVE ID: CVE-2022-47428
CVSS Score: 7.2 (High)
Researcher/s: thiennv
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9c44b6e5-7fb2-402e-8c8c-79d811ff0e9a

NEX-Forms <= 8.3.3 – Authenticated (Administrator+) SQL Injection

Affected Software: NEX-Forms – Ultimate Form Builder – Contact forms and much more
CVE ID: CVE-2023-2114
CVSS Score: 7.2 (High)
Researcher/s: Alexander Schmid
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9d19be8b-3e0b-4d74-97e0-f17132d2d34c

Ebook Store <= 5.775 – Missing Authorization via ebook_store_export_orders

Affected Software: Ebook Store
CVE ID: CVE-2023-22701
CVSS Score: 6.5 (Medium)
Researcher/s: yuyudhn
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d4b17cce-bb52-4125-8c85-6da15517275f

f(x) TOC <= 1.1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: f(x) TOC
CVE ID: CVE-2023-0490
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/09479df1-ff7e-4df8-9aea-8c7622ecea4e

Easy Slider Revolution <= 1.0.0 – Authenticated (Author+) Stored Cross-Site Scripting via esrcpt_slider_allow_iframes_filter

Affected Software: Easy Slider Revolution
CVE ID: CVE-2023-28622
CVSS Score: 6.4 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/14a20f9c-cf5a-4d57-b723-ad29a12c8881

Button Builder – Buttons X <= 0.8.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Button Builder – Buttons X
CVE ID: CVE-2023-23867
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1aea8fe3-7c75-4d3a-847a-ce0d1f9700f1

Uji Popup <= 1.4.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via uji_popup_code shortcode

Affected Software: Uji Popup
CVE ID: CVE-2023-23641
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1e81208c-771f-409e-b665-b07def0ca774

WPJAM Basic <= 6.2.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: WPJAM Basic
CVE ID: CVE-2023-23709
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2a5ccc0b-a80a-41df-991c-5c356eb10512

ActiveCampaign – Forms, Site Tracking, Live Chat <= 8.1.11 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: ActiveCampaign – Forms, Site Tracking, Live Chat
CVE ID: CVE-2023-0233
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/47e25cfa-fedf-413a-bfe7-18a1de429bc3

Mail Subscribe List <= 2.1.9 – Authenticated (Contributor+) Stored Cross-Site Scripting via smlsubform shortcode

Affected Software: Mail Subscribe List
CVE ID: CVE-2023-23657
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/55b39859-b8a0-418b-ae7a-cd42d6e0bf00

BBSpoiler <= 2.01 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: BBSpoiler
CVE ID: CVE-2023-23873
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/789497b1-36cf-4de2-bca0-52c0c2a08f72

Product Slider For WooCommerce Lite <= 1.1.7 – Authenticated(Contributor+) Stored Cross-Site Scripting via Meta Keys

Affected Software: Product Slider For WooCommerce Lite
CVE ID: CVE-2023-0537
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8159ee7c-69ac-4422-ba8b-664f1fee8e07

Wp-D3 <= 2.4.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Wp-D3
CVE ID: CVE-2023-0536
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/89409461-c87e-4882-bf53-cc789e459b4f

Social Share Boost <= 4.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via ssboost shortcode

Affected Software: Social Share Boost
CVE ID: CVE-2023-23688
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9290532f-58d7-4e7d-9fa0-89c7f82b0466

WP Links Page <= 4.9.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: WP Links Page
CVE ID: CVE-2023-22720
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9ef3297d-8686-44aa-ac73-793b644be3f2

WP-FormAssembly <= 2.0.7 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: WP-FormAssembly
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a3b164e0-de2e-40d5-935e-31f5bebd87cf

Mega Addons For WPBakery Page Builder <= 4.2.7 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Mega Addons For WPBakery Page Builder
CVE ID: CVE-2023-0268
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a443b20e-1686-4519-890d-e6f1838fb05c

WP Popups – WordPress Popup builder <= 2.5.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: WP Popups – WordPress Popup builder
CVE ID: CVE-2023-1905
CVSS Score: 6.4 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a9747cda-735c-4087-8c4d-9c445c6d1596

Ultimate Carousel For Elementor <= 2.1.7 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Ultimate Carousel For Elementor
CVE ID: CVE-2023-0280
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b0e35280-0c2a-4fe1-bfbe-3321338ff1a5

Custom Post Type List Shortcode <= 1.4.4 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Custom Post Type List Shortcode
CVE ID: CVE-2023-0542
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b702f507-475a-4d45-8bb1-635f5f377c88

File Gallery <= 1.8.5.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via file_gallery_shortcode

Affected Software: File Gallery
CVE ID: CVE-2023-23676
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c11be4ba-1bed-4234-b475-468394b7be90

Ultimate Carousel For WPBakery Page Builder <= 2.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Ultimate Carousel For WPBakery Page Builder
CVE ID: CVE-2023-0267
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c97fc289-1ee3-4401-a57e-b4c8d998259e

FormCraft <= 1.2.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via fcb shortcode

Affected Software: FormCraft – Contact Form Builder for WordPress
CVE ID: CVE-2023-22717
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cf17a817-6f61-43d5-9da2-58fbbef458d9

Post Shortcode <= 2.0.9 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Post Shortcode
CVE ID: CVE-2023-0526
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f3e1d66d-34cf-491c-8a07-0f9efd3c9669

Kaya QR Code Generator <= 1.5.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via qrCode attribute

Affected Software: Kaya QR Code Generator
CVE ID: CVE-2023-30784
CVSS Score: 6.4 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f4f0bb58-d904-4bf4-9e15-4ee6289c2df4

vSlider Multi Image Slider <= 4.1.2 – Cross-Site Request Forgery

Affected Software: vSlider Multi Image Slider for WordPress
CVE ID: CVE-2023-22672
CVSS Score: 6.3 (Medium)
Researcher/s: minhtuanact
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/14376064-13c4-4874-afea-395af2a1933d

WP Docs <= 1.9.8 – Missing Authorization via multiple AJAX actions

Affected Software: WP Docs
CVE ID: CVE-2023-30873
CVSS Score: 6.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/45a870f4-7ad1-447b-81ea-5d9e9b67b1bb

Membership Database <= 1.0 – Reflected Cross-Site Scripting

Affected Software: Membership Database
CVE ID: CVE-2023-0514
CVSS Score: 6.1 (Medium)
Researcher/s: Shreya Pohekar
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/07ede585-c0d2-4643-9c36-7b5da5f721bd

CMS Tree Page View <= 1.6.7 – Reflected Cross-Site Scripting

Affected Software: CMS Tree Page View
CVE ID: CVE-2023-30868
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/19796773-3d5f-458d-aab1-743b6835c71b

Church Admin <= 3.7.5 – Reflected Cross-Site Scripting

Affected Software: Church Admin
CVE ID: CVE-2023-30782
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2204017a-0363-4f2f-909a-e0826463477c

Update Image Tag Alt Attribute <= 2.4.5 – Reflected Cross-Site Scripting

Affected Software: Update Image Tag Alt Attribute
CVE ID: CVE-2023-27455
CVSS Score: 6.1 (Medium)
Researcher/s: Skalucy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/25b13322-d305-45db-8ac7-20762398dc21

Charitable <= 1.7.0.10 – Reflected Cross-Site Scripting

Affected Software: Donation Forms by Charitable – Donations Plugin & Fundraising Platform for WordPress
CVE ID: CVE-2022-47441
CVSS Score: 6.1 (Medium)
Researcher/s: TEAM WEBoB of BoB 11th
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2b3b9576-7c7d-4665-92d5-03aa292cdbbe

WCP Contact Form <= 3.1.0 – Reflected Cross-Site Scripting via tab parameter

Affected Software: WCP Contact Form
CVE ID: CVE-2023-22703
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/33fd4542-0a46-4779-be02-d713dcbc8f96

Google Analytics Top Content Widget <= 1.5.5 – Reflected Cross-Site Scripting

Affected Software: Google Analytics Top Content Widget
CVE ID: CVE-2015-10101
CVSS Score: 6.1 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4522480a-dfbf-4ff4-93c2-68b8cc15367c

RapidExpCart <= 1.0 – Cross-Site Request Forgery to Stored Cross-Site Scripting

Affected Software: RapidExpCart
CVE ID: CVE-2023-0520
CVSS Score: 6.1 (Medium)
Researcher/s: Shreya Pohekar
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/52fde632-f3a4-48d5-8c2c-c42b9d20dcb7

ChatBot <= 4.4.4 – Unauthenticated Stored Cross-Site Scripting via Cross-Site Request Forgery

Affected Software: AI ChatBot
CVE ID: CVE-2023-1011
CVSS Score: 6.1 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/56fad8de-6646-4305-83a9-0ed443c3aa7d

WooCommerce Easy Duplicate Product <= 0.3.0.0 – Reflected Cross-Site Scripting via wedp_duplicated

Affected Software: WooCommerce Easy Duplicate Product
CVE ID: CVE-2023-30747
CVSS Score: 6.1 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8b06d68e-153d-4cee-94d5-cbeac7468665

Tablesome <= 1.0.8 – Reflected Cross-Site Scripting

Affected Software: Tablesome – Data table & Workflow Automation ( Contact Form Entries, Email Log, OpenAI / ChatGPT )
CVE ID: CVE Unknown
CVSS Score: 6.1 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8d769308-6273-4ed2-b64a-d9f065de4cce

YellowPencil Visual CSS Style Editor <= 7.5.8 – Reflected Cross-Site Scripting liveLink

Affected Software: Visual CSS Style Editor
CVE ID: CVE-2022-33961
CVSS Score: 6.1 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/967ff273-33f3-4580-928a-7764583429aa

Sloth Logo Customizer <= 2.0.2 – Cross-Site Request Forgery to Stored Cross-Site Scripting

Affected Software: Sloth Logo Customizer
CVE ID: CVE-2023-0603
CVSS Score: 6.1 (Medium)
Researcher/s: Nithissh S
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/974f14e8-1a59-4ba5-8806-b4d8b135315e

Modal Dialog <= 3.5.14 – Reflected Cross-Site Scripting

Affected Software: Modal Dialog
CVE ID: CVE-2023-31071
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/99140d47-88bb-48a1-863a-93a558541800

Thumbnail carousel slider <= 1.1.9 – Reflected Cross-Site Scripting

Affected Software: Thumbnail carousel slider
CVE ID: CVE-2023-1915
CVSS Score: 6.1 (Medium)
Researcher/s: Chien Vuong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/99711f41-d21b-4725-acc8-9542283daf12

Yml for Yandex Market <= 3.10.7 – Reflected Cross-Site Scripting

Affected Software: YML for Yandex Market
CVE ID: CVE-2023-30473
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a823a21e-78b5-4186-bb67-88799509970d

Woocommerce Email Report <= 2.4 – Unauthenticated Cross-Site Scripting

Affected Software: Woocommerce Email Report
CVE ID: CVE-2023-27627
CVSS Score: 6.1 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/abdbee50-b8c3-4254-a828-37629a798c92

Stock Exporter for WooCommerce <= 1.1.0 – Reflected Cross-Site Scripting

Affected Software: Stock Exporter for WooCommerce
CVE ID: CVE-2023-30871
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b65184e6-8072-4dd7-8291-c92817e55beb

Query Wrangler <= 1.5.51 – Reflected Cross-Site Scripting via page parameter

Affected Software: Query Wrangler
CVE ID: CVE-2023-30779
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c79d781e-4c11-43e9-8c5f-aa89e8fbf635

Video Grid <= 1.21 – Reflected Cross-Site Scripting

Affected Software: Video Grid
CVE ID: CVE-2023-30785
CVSS Score: 6.1 (Medium)
Researcher/s: yuyudhn
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c92e166d-2ede-4280-a875-d30c0cf6f467

RapidExpCart <= 1.0 – Authenticated (Level 8/Administrator+) Stored Cross-Site Scripting

Affected Software: RapidExpCart
CVE ID: CVE-2023-0520
CVSS Score: 6.1 (Medium)
Researcher/s: Shreya Pohekar
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cc1e480c-577a-467a-8297-747512286a39

Video Grid <= 1.21 – Reflected Cross-Site Scripting

Affected Software: Video Grid
CVE ID: CVE Unknown
CVSS Score: 6.1 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/db5247ad-dbbf-4d8e-92f5-3a673b97d080

Responsive Filterable Portfolio <= 1.0.19 – Reflected Cross-Site Scripting

Affected Software: Responsive Filterable Portfolio
CVE ID: CVE-2023-2119
CVSS Score: 6.1 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e67dfe0f-ac1c-4a78-bfc9-0cfd6c3040d4

Japanized For WooCommerce <= 2.5.6 – Reflected Cross-Site Scripting

Affected Software: Japanized For WooCommerce
CVE ID: CVE-2023-0948
CVSS Score: 6.1 (Medium)
Researcher/s: Erwan LR
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ea7d643c-3388-469f-b4a9-5c68341e2af0

PropertyHive <= 1.5.48 – Reflected Cross-Site Scripting via date_post_id

Affected Software: PropertyHive
CVE ID: CVE-2023-22706
CVSS Score: 6.1 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ea82e978-a653-4ae3-94aa-bc77b94a176c

Thumbnail carousel slider <= 1.1.9 – Reflected Cross-Site Scripting

Affected Software: Thumbnail carousel slider
CVE ID: CVE-2023-2120
CVSS Score: 6.1 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f4bf4e12-5cbb-45bc-938e-62163baaa15d

ARMember <= 4.0 – Reflected Cross-Site Scripting

Affected Software: ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup
CVE ID: CVE-2022-47140
CVSS Score: 6.1 (Medium)
Researcher/s: TEAM WEBoB of BoB 11th
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fd22babc-f1a9-4f50-9756-fe692105dca3

WP Responsive Tabs horizontal vertical and accordion Tabs <= 1.1.15 – Reflected Cross-Site Scripting

Affected Software: WP Responsive Tabs horizontal vertical and accordion Tabs
CVE ID: CVE-2023-2184
CVSS Score: 6.1 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fe54c37f-1421-48aa-b502-045847d13ae3

Themify Portfolio Post <= 1.2.2 – Authenticated (Editor+) Stored Cross-Site Scripting

Affected Software: Themify Portfolio Post
CVE ID: CVE-2022-32970
CVSS Score: 5.5 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0f3c3629-b7a9-4f83-a821-64119ed662ce

TaxoPress <= 3.6.4 – Authenticated (Editor+) Stored Cross-Site Scripting

Affected Software: TaxoPress is the WordPress Tag, Category, and Taxonomy Manager
CVE ID: CVE-2023-2168
CVSS Score: 5.5 (Medium)
Researcher/s: Ivan Kuzymchak
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1c051bfd-2754-4faf-8062-91752555166c

TaxoPress <= 3.6.4 – Authenticated (Editor+) Stored Cross-Site Scripting

Affected Software: TaxoPress is the WordPress Tag, Category, and Taxonomy Manager
CVE ID: CVE-2023-2169
CVSS Score: 5.5 (Medium)
Researcher/s: Ivan Kuzymchak
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/52574d99-1ffe-4152-bf13-9cdd11d7300a

YourChannel <= 1.2.5 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: YourChannel: Everything you want in a YouTube plugin.
CVE ID: CVE-2023-1869
CVSS Score: 5.5 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a81d5615-0b96-4d89-a525-7e80a10a9317

TaxoPress <= 3.6.4 – Authenticated (Editor+) Stored Cross-Site Scripting

Affected Software: TaxoPress is the WordPress Tag, Category, and Taxonomy Manager
CVE ID: CVE-2023-2170
CVSS Score: 5.5 (Medium)
Researcher/s: Ivan Kuzymchak
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e98ed932-4e4c-4127-ae72-500e2a34f371

Motors – Car Dealer & Classified Ads <= 1.4.4 – Cross-Site Request Forgery via Multiple Functions

Affected Software: Motors – Car Dealer, Classifieds & Listing
CVE ID: CVE-2022-38716
CVSS Score: 5.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0ca9e920-3c7a-4991-8c24-2e55c4f4767c

LearnPress – Export/Import Courses <= 4.0.2 – Reflected Cross-Site Scripting

Affected Software: LearnPress Export Import – WordPress extension for LearnPress
CVE ID: CVE-2023-30487
CVSS Score: 5.4 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1322e229-5e0b-4c3d-ae96-e211a2831842

PowerPress <= 10.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: PowerPress Podcasting plugin by Blubrry
CVE ID: CVE-2023-30778
CVSS Score: 5.4 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1c40c28f-554f-42d0-9f6d-a899d8f61519

Smart WooCommerce Search <= 2.5.0 – Missing Authorization

Affected Software: Smart WooCommerce Search
CVE ID: CVE-2023-30783
CVSS Score: 5.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/59931266-766f-42d2-bcde-04d694a444b0

ShopEngine <= 4.1.1 – Cross-Site Request Forgery

Affected Software: ShopEngine – Elementor WooCommerce Builder Addons, Variation Swatches, Wishlist, Products Compare – All in One Solution
CVE ID: CVE-2022-45371
CVSS Score: 5.4 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/94abb34a-4451-4f41-ba23-d2a723e5a2e7

Freshdesk (official) <= 1.7 – Open Redirect

Affected Software: Freshdesk (official)
CVE ID: CVE-2015-10102
CVSS Score: 5.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d6f20fc3-41e5-4220-ac8b-54eb11719f07

Locatoraid Store Locator <= 3.9.14 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Locatoraid Store Locator
CVE ID: CVE-2023-2031
CVSS Score: 5.4 (Medium)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/dba0a90b-f13c-4914-b6b7-278227ffc122

Active Directory Integration / LDAP Integration <= 4.1.0 – Unauthenticated Information Disclosure

Affected Software: Active Directory Integration / LDAP Integration
CVE ID: CVE-2023-0812
CVSS Score: 5.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2568018b-29f3-4261-ae0d-658ca9d96846

CMP – Coming Soon & Maintenance <= 4.1.7 – Maintenance Mode Bypass

Affected Software: CMP – Coming Soon & Maintenance Plugin by NiteoThemes
CVE ID: CVE-2023-2159
CVSS Score: 5.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/af955f69-b18c-446e-b05e-6a57a5f16dfa

Helpie FAQ <= 1.9.6 – Reflected Cross-Site Scripting

Affected Software: Accordion & FAQ – Helpie WordPress Frequently Asked Questions plugin
CVE ID: CVE Unknown
CVSS Score: 4.7 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f389f4bf-ffff-4862-b4e2-4465ca0556ef

Formilla Live Chat <= 1.3.0 – Authenticated (Administrator+) Cross-Site Scripting via ‘FormillaID’

Affected Software: Live Chat by Formilla – Real-time Chat & Chatbots Plugin
CVE ID: CVE-2023-23727
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/044e110d-2435-41b8-8aec-917c329b944c

Dave’s WordPress Live Search <= 4.8.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Dave’s WordPress Live Search
CVE ID: CVE-2023-30876
CVSS Score: 4.4 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/046ecbe5-4b2f-40d3-8585-4d4230ba33f0

Yatra <= 2.1.13 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Best Travel Booking WordPress Plugin, Tour Booking System, Trip Booking WordPress Plugin – Yatra
CVE ID: CVE-2022-47436
CVSS Score: 4.4 (Medium)
Researcher/s: TEAM WEBoB of BoB 11th
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/07372843-f7d3-4ae4-96b4-ef3f475504ff

Ebook Store <= 5.775 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Ebook Store
CVE ID: CVE-2023-22690
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/097f6887-e15f-4e35-ab12-1115630e13cc

WP Original Media Path <= 2.4.0 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

Affected Software: WP Original Media Path
CVE ID: CVE-2023-23674
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/277eb517-c949-41e9-becf-af056fd32f35

Verified Reviews (Avis Vérifiés) <= 2.3.13 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Verified Reviews (Avis Vérifiés)
CVE ID: CVE-2023-23720
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3044dbfc-e12d-47e0-a297-67ff0510eded

Login Page Styler <= 6.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Login Page Styler | Custom Login | Custom WP Admin Login Page | Admin Security | Admin Protection | Login Page Customizer | Admin Login | Login Security | Login Redirect | Theme Login | Login Menu | Login Form | Admin Dashboard | Change Login Logo | Login
CVE ID: CVE-2022-46861
CVSS Score: 4.4 (Medium)
Researcher/s: Justiice
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4d70cd0a-5c30-4a9b-81e8-e465d1e8f2b0

WP Custom Author URL <= 1.0.4 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: WP Custom Author URL
CVE ID: CVE-2023-1614
CVSS Score: 4.4 (Medium)
Researcher/s: Shreya Pohekar
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4f3a57ce-eead-4631-93da-ba1a0a33ec2d

Formilla Edge <= 1.0 – Authenticated (Administrator+) Cross-Site Scripting via ‘FormillaPluginID’

Affected Software: Formilla Edge Targeted Messaging Platform for Sales and Marketing
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/59f7a1b2-f718-40e7-8030-b9212edf71b7

Captcha Them All <= 1.3.3 – Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: Captcha Them All
CVE ID: CVE-2023-30786
CVSS Score: 4.4 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5e2c83b6-3444-4cd1-82ec-567937c563b9

WP Login Box <= 2.0.2 – Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: WP Login Box
CVE ID: CVE-2023-0544
CVSS Score: 4.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/66c58d4c-8c36-40af-827d-0e86f2110e3c

Subscribers – Free Web Push Notifications <= 1.5.3 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Subscribers – Free Web Push Notifications
CVE ID: CVE-2023-22684
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/66e78219-b3fd-40e9-a58c-8e27ef3c5e4a

Pretty Url <= 1.5.4 – Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: Pretty Url
CVE ID: CVE-2023-2009
CVSS Score: 4.4 (Medium)
Researcher/s: Shezad Master
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6f54fb59-03c1-45e9-a498-1fa1409c4466

Flyzoo Chat <= 2.3.3 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Flyzoo Chat
CVE ID: CVE-2022-46817
CVSS Score: 4.4 (Medium)
Researcher/s: Justiice
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/74ea8f1e-d6ff-4a32-b8bf-5d4c8e69433e

Robokassa payment gateway for Woocommerce <= 1.4.5 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Robokassa payment gateway for Woocommerce
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/75824b96-8674-4340-9e56-b0cb0f52503d

White Label Branding for Elementor Page Builder <= 1.0.2 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

Affected Software: White Label Branding for Elementor Page Builder
CVE ID: CVE-2023-23683
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8e187b71-860e-4404-bbe2-193c6ecfd485

Category Specific RSS feed Subscription <= v2.2 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

Affected Software: Category Specific RSS feed Subscription
CVE ID: CVE-2023-22685
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9ac9c146-5065-46fc-b2ae-20b820a8016b

Formilla Chat and Marketing Automation <= 1.0 – Authenticated (Administrator+) Cross-Site Scripting via ‘FormillaToolsID’

Affected Software: Customer Support Software, Live Chat, & Marketing Automation
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a5436d14-cbb5-420f-9f3a-698ce59c1e1e

Semalt Blocker <= 1.1.3 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Semalt Blocker
CVE ID: CVE-2023-23794
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a658d150-bcd5-4334-b07a-e09b3995169d

SparkPost <= 3.2.5 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

Affected Software: SparkPost
CVE ID: CVE-2023-23654
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ab86ddc9-9b43-4949-b150-7b944bc40558

EZP Maintenance Mode <= 1.0.1 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

Affected Software: EZP Maintenance Mode
CVE ID: CVE-2023-23682
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ac1239c9-72a6-44d8-911f-70a528c66c62

Redirect After Login <= 0.1.9 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

Affected Software: Redirect After Login
CVE ID: CVE-2023-27624
CVSS Score: 4.4 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ad1a79f3-274f-4a33-a752-669c09c2d47d

GPS Plotter <= 5.1.4 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Gps Plotter
CVE ID: CVE-2023-30874
CVSS Score: 4.4 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ca449d15-b05e-4341-99b0-472a14cab8f4

WP-dTree <= 4.4.5 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

Affected Software: WP-dTree
CVE ID: CVE-2022-47423
CVSS Score: 4.4 (Medium)
Researcher/s: Justiice
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cde92185-d63a-47b3-a17e-3f2b2b20270c

Panorama – WordPress Project Management Plugin <= 1.5 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Panorama – WordPress Project Management Plugin
CVE ID: CVE-2023-23810
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d131115b-e2c9-42c6-9262-a19272944652

Continuous announcement scroller <= 13.0 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

Affected Software: Continuous announcement scroller
CVE ID: CVE-2022-46819
CVSS Score: 4.4 (Medium)
Researcher/s: Justiice
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d88eb628-09c9-451c-b5ae-f26a93514447

ApexChat <= 1.3.1 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

Affected Software: ApexChat
CVE ID: CVE-2023-28414
CVSS Score: 4.4 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/dbe8d164-85c7-444d-80ad-4d03151b939b

Simple Tooltips <= 2.1.4 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Simple Tooltips
CVE ID: CVE-2023-25958
CVSS Score: 4.4 (Medium)
Researcher/s: deokhunKim
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/dc7e4235-5f40-48c2-8474-cf57af5e35bd

Cab Grid <= 1.5.15 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Cab Grid
CVE ID: CVE-2023-28533
CVSS Score: 4.4 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e09c629b-9908-4548-b828-9e6140ff5670

Image Optimizer WD <= 1.0.26 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Image Optimizer by 10web – Image Optimizer and Compression plugin
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e5eea72d-f10b-460b-be00-bb5b1c4a1a62

BizLibrary <= 1.1 – Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: BizLibrary
CVE ID: CVE-2023-0892
CVSS Score: 4.4 (Medium)
Researcher/s: Shreya Pohekar
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ee7513d9-e76c-4da4-919b-ba376f0c4022

Easy Ad Manager <= 1.0.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Easy Ad Manager
CVE ID: CVE-2023-25460
CVSS Score: 4.4 (Medium)
Researcher/s: Lokesh Dachepalli
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f7750f70-e79c-45fb-b792-ba6a4da59964

eRocket <= 1.2.4 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: eRocket
CVE ID: CVE-2023-28174
CVSS Score: 4.4 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fb9b8f3a-6f49-455d-99c6-cdf5671af49d

Ninja Tables <= 4.3.4 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

Affected Software: Ninja Tables – Best Data Table Plugin for WordPress
CVE ID: CVE-2022-47137
CVSS Score: 4.4 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fc296c70-358e-4908-be49-5ffae83aca9b

GDPR Compliance & Cookie Consent <= 1.2 – Cross-Site Request Forgery

Affected Software: GDPR Compliance & Cookie Consent
CVE ID: CVE-2022-45815
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/052b345a-7b71-4de5-9bf8-8b81cc1b4e77

Image Optimizer by 10web <= 1.0.25 – Directory Traversal to Information Exposure

Affected Software: Image Optimizer by 10web – Image Optimizer and Compression plugin
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0b4a0dff-1054-4f50-8ff5-e3cc2b45d77b

Essential Blocks <= 4.0.6 – Missing Authorization via get

Affected Software: Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates
CVE ID: CVE-2023-2084
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0be8c668-0f1c-4f83-8a71-49c8bb9b67ae

Album Gallery – WordPress Gallery <= 1.4.9 – Cross-Site Request Forgery via album-gallery-column-settings.php

Affected Software: Album Gallery – WordPress Gallery
CVE ID: CVE-2023-23646
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0f3df75e-cf2f-4076-b5ff-b8540408044a

Layer Slider <= 1.1.9.6 – Cross-Site Request Forgery via save_slide_ajax

Affected Software: Layer Slider
CVE ID: CVE-2023-23671
CVSS Score: 4.3 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1ad366f1-2369-4fb2-aeda-301c85cf6801

Enable/Disable Auto Login when Register <= 1.1.0 Cross-Site Request Forgery

Affected Software: Enable/Disable Auto Login when Register
CVE ID: CVE-2023-0522
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1fa45fa7-b1da-42f0-945b-2a6b0db5ba91

Zendesk Support for WordPress <= 1.8.4 – Cross-Site Request Forgery

Affected Software: Zendesk Support for WordPress
CVE ID: CVE-2023-23716
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/212b7da7-bd3e-42df-8b50-a3eb472cf440

LIQUID SPEECH BALLOON <= 1.1.8 – Cross-Site Request Forgery to Settings Update

Affected Software: LIQUID SPEECH BALLOON
CVE ID: CVE-2023-27889
CVSS Score: 4.3 (Medium)
Researcher/s: Ryo Sato
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/23980e13-b632-43ec-938e-8171884cb87b

Ninja Tables <= 4.3.4 – Cross-Site Request Forgery

Affected Software: Ninja Tables – Best Data Table Plugin for WordPress
CVE ID: CVE-2022-47136
CVSS Score: 4.3 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/338158b5-bbda-4cd8-b4ea-97a3926a0989

Clock In Portal <= 2.1 – Cross-Site Request Forgery To Staff Deletion

Affected Software: Clock In Portal- Staff & Attendance Management
CVE ID: CVE-2023-0761
CVSS Score: 4.3 (Medium)
Researcher/s: Sajjad Shariati
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/51ce7b71-0a19-48ef-8748-3848742c542b

Clock In Portal <= 2.1 – Cross-Site Request Forgery to Holidays Deletion

Affected Software: Clock In Portal- Staff & Attendance Management
CVE ID: CVE-2023-0763
CVSS Score: 4.3 (Medium)
Researcher/s: Sajjad Shariati
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5c852fa1-698b-4e72-b781-095e2a98df81

WP Docs <= 1.9.8 – Cross-Site Request Forgery to folder management

Affected Software: WP Docs
CVE ID: CVE-2023-30873
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6003b1bf-b176-4ca9-9de2-58133259e0f6

Pearl <= 1.3.4 – Cross-Site Request Forgery via stm_hb_save_settings

Affected Software: WordPress Header Builder Plugin – Pearl
CVE ID: CVE-2022-38356
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6058da9e-8ca3-4966-bb10-e5da526e8c7e

WooCommerce Order Status Change Notifier <= 1.1.0 – Authenticated (Subscriber+) Arbitrary Order Status Update

Affected Software: WooCommerce Order Status Change Notifier
CVE ID: CVE-2023-2179
CVSS Score: 4.3 (Medium)
Researcher/s: WPScanTeam
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/66bc83f5-0f6c-425f-a560-e79e777b76ca

Woocommerce Product Designer <= 4.3.3 – Cross-Site Request Forgery

Affected Software: Woocommerce Products Designer by ORION – online product customizer for t-shirts, print cards, phone cases Lettering & Decals
CVE ID: CVE-2022-46856
CVSS Score: 4.3 (Medium)
Researcher/s: Cat
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/70d168a4-a659-4354-889e-7907215351a2

Kodex Posts likes <= 2.4.3 – Cross-Site Request Forgery

Affected Software: Kodex Posts likes
CVE ID: CVE-2022-46814
CVSS Score: 4.3 (Medium)
Researcher/s: minhtuanact
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/77d56f61-7e45-405e-878d-fa3d53acede0

Reservation.Studio widget <= 1.0.9 – Cross-Site Request Forgery via plugin settings

Affected Software: Reservation.Studio widget
CVE ID: CVE-2023-25468
CVSS Score: 4.3 (Medium)
Researcher/s: Lokesh Dachepalli
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/783e5794-0d74-4b7a-a1cd-2b834a50c50c

BadgeOS <= 3.7.1.6 – Cross-Site Request Forgery

Affected Software: BadgeOS
CVE ID: CVE-2022-41987
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7bb1be6d-5af9-4b58-a641-05a913548fe7

Essential Blocks <= 4.0.6 – Missing Authorization via template_count

Affected Software: Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates
CVE ID: CVE-2023-2086
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9efc782a-ec61-4741-81fd-a263a2739e16

Gallery Metabox <= 1.5 – Cross-Site Request Forgery via gallery_remove

Affected Software: Gallery Metabox
CVE ID: CVE-2022-47134
CVSS Score: 4.3 (Medium)
Researcher/s: Cat
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9f8b1103-71b2-421e-bcbe-f2716b59e367

Essential Blocks <= 4.0.6 – Missing Authorization via templates

Affected Software: Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates
CVE ID: CVE-2023-2085
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ad2c1ab6-5c78-4317-b5e7-c86e2eebeb4f

SiteAlert (Formerly WP Health) <= 1.9.7 – Cross-Site Request Forgery

Affected Software: SiteAlert – Uptime, Speed, and Security Monitoring for WordPress
CVE ID: CVE-2022-46857
CVSS Score: 4.3 (Medium)
Researcher/s: Cat
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c1870c6e-23b6-4f3b-adba-72633d62dfd0

OoohBoi Steroids for Elementor <= 2.1.4 – Missing Authorization leading to Authenticated (Subscriber+) Image Upload

Affected Software: OoohBoi Steroids for Elementor
CVE ID: CVE-2023-1169
CVSS Score: 4.3 (Medium)
Researcher/s: Ramuel Gall
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c56ed896-9267-49e6-a207-fe5362fe18cd

Clock In Portal <= 2.1 – Cross-Site Request Forgery To Designation Deletion

Affected Software: Clock In Portal- Staff & Attendance Management
CVE ID: CVE-2023-0762
CVSS Score: 4.3 (Medium)
Researcher/s: Sajjad Shariati
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c6b17e90-42df-47ed-9e92-f5f1b990f921

Form Block <= 1.0.1 – Cross-Site Request Forgery

Affected Software: Form Block
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Daniel Ruf
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cb18d6d8-28e5-4125-9209-a71403f678f0

Clock In Portal <= 2.1 – Cross-Site Request Forgery to Designation Deletion

Affected Software: Clock In Portal- Staff & Attendance Management
CVE ID: CVE-2023-0762
CVSS Score: 4.3 (Medium)
Researcher/s: Sajjad Shariati
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cc97109c-187f-43b7-b5ed-5afeec5ea8fd

Essential Blocks <= 4.0.6 – Cross-Site Request Forgery via save

Affected Software: Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates
CVE ID: CVE-2023-2087
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d38d41c7-8786-4145-9591-3e24eff3b79c

Clock In Portal <= 2.1 – Cross-Site Request Forgery to Staff Deletion

Affected Software: Clock In Portal- Staff & Attendance Management
CVE ID: CVE-2023-0761
CVSS Score: 4.3 (Medium)
Researcher/s: Sajjad Shariati
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d8ec03c6-6ea9-4017-915a-e10b757d98ff

Clock In Portal <= 2.1 – Cross-Site Request Forgery To Holiday Deletion

Affected Software: Clock In Portal- Staff & Attendance Management
CVE ID: CVE-2023-0763
CVSS Score: 4.3 (Medium)
Researcher/s: Sajjad Shariati
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ddc0261d-56ed-47a6-a0b2-0ab5f9dee815

Simple Share Buttons Adder <= 8.4.6 – Cross-Site Request Forgery

Affected Software: Simple Share Buttons Adder
CVE ID: CVE-2022-47178
CVSS Score: 4.3 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e57bfae5-4cc0-4d97-9431-4c8ebb2f0882

Stream <= 3.9.2 – Cross-Site Request Forgery

Affected Software: Stream
CVE ID: CVE-2022-43490
CVSS Score: 4.3 (Medium)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e7203b5c-5753-453c-8fc2-26fcebdeea5b

Essential Blocks <= 4.0.6 – Missing Authorization via save

Affected Software: Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates
CVE ID: CVE-2023-2083
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f8bf0933-1c97-4374-b323-c55b91fe4d27

As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

Did you enjoy this post? Share it!

Comments

No Comments