Wordfence Intelligence Weekly WordPress Vulnerability Report (May 8, 2023 to May 14, 2023)

Last week, there were 139 vulnerabilities disclosed in 105 WordPress Plugins and 2 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 47 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface and vulnerability API are completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.


New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.


Total Unpatched & Patched Vulnerabilities Last Week

Patch Status Number of Vulnerabilities
Unpatched 47
Patched 92

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating Number of Vulnerabilities
Low Severity 2
Medium Severity 119
High Severity 13
Critical Severity 5

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) 64
Cross-Site Request Forgery (CSRF) 31
Missing Authorization 23
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) 8
Deserialization of Untrusted Data 2
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) 2
URL Redirection to Untrusted Site (‘Open Redirect’) 2
Use of Less Trusted Source 1
Incorrect Authorization 1
Unrestricted Upload of File with Dangerous Type 1
Improper Authorization 1
Authorization Bypass Through User-Controlled Key 1
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) 1
Unverified Password Change 1

Researchers That Contributed to WordPress Security Last Week

Researcher Name Number of Vulnerabilities
Lana Codes
Wordfence Vulnerability Researcher
14
Rafie Muhammad 12
minhtuanact 7
thiennv 6
Dave Jong 5
Mika 5
apple502j 4
Rio Darmawan 4
Abdi Pranata 4
yuyudhn 4
Marco Wotschka
Wordfence Vulnerability Researcher
4
Taihei Shimamine 4
Alex Thomas
Wordfence Vulnerability Researcher
4
Pavak Tiwari 3
Lokesh Dachepalli 3
Darius Sveikauskas 2
OZ1NG (TOOR, LISA) 2
Justiice 2
konagash 2
Jonas Höbenreich 2
Yash Kanchhal 2
Nguyen Xuan Chien 2
Chloe Chamberland 
Wordfence Vulnerability Researcher
2
Yuki Haruma 1
Taurus Omar 1
Nguyen Anh Tien 1
Ilyase Dehy 1
Aymane Mazguiti 1
Emili Castells 1
LEE SE HYOUNG 1
rezaduty 1
Le Ngoc Anh 1
Monkey Wrench Inc. 1
deokhunKim 1
Simone Onofri 1
Donato Onofri 1
Skalucy 1
Badromance 1337 1
Johan Kragt 1
Felipe Restrepo Rodriguez 1
WPScanTeam 1
Erwan LR 1
Mahesh Nagabhairava 1
rSolutions Security Team 1
easyBug 1
Shuya Ota 1
TEAM WEBoB of BoB 11th 1

 

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.


WordPress Plugins with Reported Vulnerabilities Last Week

Software Name Software Slug
10Web Social Post Feed wd-facebook-feed
Active Directory Integration / LDAP Integration ldap-login-for-intranet-sites
Add Posts to Pages add-posts-to-pages
Announcement & Notification Banner – Bulletin bulletin-announcements
Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection stopbadbots
Block Referer Spam block-referer-spam
Booking Ultra Pro Appointments Booking Calendar Plugin booking-ultra-pro
Brands for WooCommerce brands-for-woocommerce
Button button
CALL ME NOW lokalyze-call-now
CM On Demand Search And Replace cm-on-demand-search-and-replace
Column-Matic column-matic
Community by PeepSo – Social Network, Membership, Registration, User Profiles peepso-core
Complianz – GDPR/CCPA Cookie Consent complianz-gdpr
Custom Base Terms custom-base-terms
Custom Field Suite custom-field-suite
DBargain d-bargain
DevBuddy Twitter Feed devbuddy-twitter-feed
Directorist – WordPress Business Directory Plugin with Classified Ads Listings directorist
Don8 don8
Donations Made Easy – Smart Donations smart-donations
Download Manager download-manager
Download Monitor download-monitor
Dyslexiefont Free dyslexiefont
Easy Form by AYS easy-form
Easy Hide Login easy-hide-login
Elementor Website Builder elementor
Essential Addons for Elementor essential-addons-for-elementor-lite
ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) google-analytics-dashboard-for-wp
Featured Image Pro Post Grid featured-image-pro
Forget About Shortcode Buttons forget-about-shortcode-buttons
Free WordPress Lead Generation Opt in, Free Popups, Generated Lead Email Popup, Exit-Intent Popup – NotifyVisitors notifyvisitors-lead-form
Frontend Post WordPress Plugin – AccessPress Anonymous Post accesspress-anonymous-post
GTmetrix for WordPress gtmetrix-for-wordpress
Get your number get-your-number
GiveWP – Donation Plugin and Fundraising Platform give
Google Site Verification plugin using Meta Tag google-site-verification-using-meta-tag
Hide My WP Ghost – Security Plugin hide-my-wp
Hostel hostel
Hyphenator hyphenator
Injection Guard injection-guard
LetterPress – E-Mail campaigns, marketing and newsletter Plugin for WordPress letterpress
Link Whisper Free link-whisper
Locatoraid Store Locator locatoraid
MW WP Form mw-wp-form
MailChimp Subscribe Form, Optin Builder, PopUp Builder, Form Builder mailchimp-subscribe-sm
Manager for Icomoon manager-for-icomoon
MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy) google-analytics-for-wordpress
My WP Customize Admin/Frontend my-wp
Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue mailin
Order Your Posts Manually order-your-posts-manually
Owl Carousel owl-carousel
Pinterest RSS Widget pinterest-rss-widget
Portfolio Gallery – Responsive Image Gallery gallery-portfolio
Post Form – Registration Form – Profile Form for User Profiles and Content Forms for User Submissions buddyforms
Post Snippets – Custom WordPress Code Snippets Customizer post-snippets
Post State Tags post-state-tags
Pricing Table Builder – AP Pricing Tables Lite ap-pricing-tables-lite
Pro Mime Types pro-mime-types
Product page shipping calculator for WooCommerce product-page-shipping-calculator-for-woocommerce
QuBot – Chatbot Builder with Templates qubotchat
Quick Page/Post Redirect Plugin quick-pagepost-redirect-plugin
Radio Station by netmix® – Manage and play your Show Schedule in WordPress! radio-station
RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login custom-registration-form-builder-with-submission-manager
Restaurant Menu – Food Ordering System – Table Reservation menu-ordering-reservations
SALERT – Fake Sales Notification WooCommerce salert
SEO by 10Web seo-by-10web
ShortPixel Adaptive Images – WebP, AVIF, CDN, Image Optimization shortpixel-adaptive-images
Simple Calendar – Google Calendar Plugin google-calendar-events
Slimstat Analytics wp-slimstat
Snow Monkey Forms snow-monkey-forms
SoundCloud Is Gold soundcloud-is-gold
Sunny Search fast-search-powered-by-solr
Team Circle Image Slider With Lightbox circle-image-slider-with-lightbox
Ultimate Addons for Contact Form 7 ultimate-addons-for-contact-form-7
VK All in One Expansion Unit vk-all-in-one-expansion-unit
VK Blocks vk-blocks
VK Blocks Pro vk-blocks-pro
WCP Contact Form wcp-contact-form
WP Abstracts wp-abstracts-manuscripts-manager
WP All Backup wp-all-backup
WP Category Post List Widget wp-category-posts-list
WP Chinese Conversion wp-chinese-conversion
WP Multi Store Locator wp-multi-store-locator
WP Reactions Lite wp-reactions-lite
WP Register Profile With Shortcode wp-register-profile-with-shortcode
WP Replicate Post wp-replicate-post
WP Responsive Tabs horizontal vertical and accordion Tabs responsive-horizontal-vertical-and-accordion-tabs
WP-Chatbot for Messenger wp-chatbot
WPCS – WordPress Currency Switcher Professional currency-switcher
Web Stories for WordPress UNKNOWN-CVE-2023-1979-1
Whydonate – FREE Donate button – Crowdfunding – Fundraising wp-whydonate
Wise Chat wise-chat
Woo Custom Emails woo-custom-emails
Woodmart Core woodmart-core
WordPress Online Booking and Scheduling Plugin – Bookly bookly-responsive-appointment-booking-tool
YITH WooCommerce Gift Cards Premium yith-woocommerce-gift-cards-premium
Yoast SEO Premium wordpress-seo-premium
Yoast SEO: Local wpseo-local
Zero Spam for WordPress zero-spam
eBecas ebecas
iframe popup iframe-popup
itemprop WP for SERP/SEO Rich snippets itempropwp
weebotLite weebotlite
wordpress vertical image slider plugin wp-vertical-image-slider

WordPress Themes with Reported Vulnerabilities Last Week

Software Name Software Slug
Divi Divi
Woodmart woodmart

Vulnerability Details

Woodmart Core <= 1.0.36 – Missing Authorization to Privilege Escalation

Affected Software: Woodmart Core
CVE ID: CVE-2023-32244
CVSS Score: 9.8 (Critical)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/60f043e9-7947-4fff-a9a8-94a1f421db7c

Manager for Icomoon <= 2.0 – Unauthenticated Arbitrary File Upload via ‘upload’

Affected Software: Manager for Icomoon
CVE ID: CVE-2023-29386
CVSS Score: 9.8 (Critical)
Researcher/s: deokhunKim
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/854ab1f3-5f7c-40a4-85a5-db4e20dc72cc

Essential Addons for Elementor <= 5.7.1 – Unauthenticated Arbitrary Password Reset to Privilege Escalation

Affected Software: Essential Addons for Elementor
CVE ID: CVE-2023-32243
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e988d042-147c-4782-b728-71f5a50cecd8

Woodmart Core <= 1.0.36 – PHP Object Injection

Affected Software: Woodmart Core
CVE ID: CVE-2023-32242
CVSS Score: 9.8 (Critical)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ef79e5a8-8bac-42b3-a064-6eea597701c9

Ultimate Addons for Contact Form 7 <= 3.1.23 – Unauthenticated SQL Injection via form_id

Affected Software: Ultimate Addons for Contact Form 7
CVE ID: CVE-2022-47586
CVSS Score: 9.8 (Critical)
Researcher/s: minhtuanact
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f10e5eef-1ccf-4f98-b0e9-5ed05b3881a6

WP Replicate Post <= 4.0.2 – Authenticated (Contributor+) SQL Injection

Affected Software: WP Replicate Post
CVE ID: CVE-2023-2237
CVSS Score: 8.8 (High)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/916e6f8b-cb29-4062-9a05-0337cfdb382a

Bookly <= 21.7.1 – Arbitrary File Deletion

Affected Software: WordPress Online Booking and Scheduling Plugin – Bookly
CVE ID: CVE-2023-26526
CVSS Score: 8.1 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5a7609bf-5b20-440c-9984-eeb26962ada8

Booking Ultra Pro <= 1.1.4 – Unauthenticated Stored Cross-Site Scripting

Affected Software: Booking Ultra Pro Appointments Booking Calendar Plugin
CVE ID: CVE-2023-32511
CVSS Score: 7.2 (High)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/01370a71-2611-4826-b08b-485839ca606a

Zero Spam for WordPress <= 5.4.4 – Authenticated(Administrator+) SQL Injection

Affected Software: Zero Spam for WordPress
CVE ID: CVE Unknown
CVSS Score: 7.2 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/03d8b8e7-5702-42d4-8cd9-ae3ff1a74a7e

Active Directory Integration / LDAP Integration <= 4.1.4 – Authenticated (Administrator+) SQL Injection

Affected Software: Active Directory Integration / LDAP Integration
CVE ID: CVE-2023-2484
CVSS Score: 7.2 (High)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3eedc57b-79cc-4569-b6d6-676a22aa1e06

Slimstat Analytics <= 5.0.4 – Authenticated (Administrator+) SQL Injection

Affected Software: Slimstat Analytics
CVE ID: CVE-2022-45373
CVSS Score: 7.2 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6334b02e-ffab-49f9-969b-d015c2babc29

Order Your Posts Manually <= 2.2.5 – Authenticated (Administrator+) SQL Injection via ‘sortdata’

Affected Software: Order Your Posts Manually
CVE ID: CVE-2023-32508
CVSS Score: 7.2 (High)
Researcher/s: minhtuanact
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/66da0ad7-18a3-42b9-b59a-5927c6bc836b

AP Pricing Tables Lite <= 1.1.6 – Authenticated (Admin+) SQL Injection

Affected Software: Pricing Table Builder – AP Pricing Tables Lite
CVE ID: CVE-2023-0900
CVSS Score: 7.2 (High)
Researcher/s: Simone Onofri, Donato Onofri
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/869e57f8-7524-497a-8d24-bb9f2ee3898b

WP Chinese Conversion <= 1.1.16 – Unauthenticated Stored Cross-Site Scripting

Affected Software: WP Chinese Conversion
CVE ID: CVE-2023-32518
CVSS Score: 7.2 (High)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/95c47c7b-df83-43ee-9091-136b6622e88c

Zero Spam <= 5.4.4 – Authenticated (Administrator+) SQL Injection

Affected Software: Zero Spam for WordPress
CVE ID: CVE-2023-32121
CVSS Score: 7.2 (High)
Researcher/s: OZ1NG (TOOR, LISA)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d7576dd9-198b-49a7-950e-fc301e4bc5f8

QuBotChat <= 1.1.5 – Unauthenticated Stored Cross-Site Scripting

Affected Software: QuBot – Chatbot Builder with Templates
CVE ID: CVE Unknown
CVSS Score: 7.2 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/dd27aeb9-4257-4b15-8f14-8a8c89522c32

Directorist <= 7.5.3 – Authenticated (Administrator+) Local File Inclusion


Booking Ultra Pro <= 1.1.4 – Unauthenticated Stored Cross-Site Scripting

Affected Software: Booking Ultra Pro Appointments Booking Calendar Plugin
CVE ID: CVE-2023-32236
CVSS Score: 7.2 (High)
Researcher/s: TEAM WEBoB of BoB 11th
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fd8fb3e9-34eb-4b37-9a7e-00309a1ca81d

GiveWP <= 2.25.3 – Authenticated (Admin+) PHP Object Injection

Affected Software: GiveWP – Donation Plugin and Fundraising Platform
CVE ID: CVE-2023-32513
CVSS Score: 6.6 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7fa8c406-e64d-4093-a102-436ecfb7dd76

RegistrationMagic <= 5.2.0.5 – Authenticated (Admin+) Insecure Direct Object Reference to Arbitrary User Password Change


YITH WooCommerce Gift Cards Premium <= 3.23.1 – Missing Authorization

Affected Software: YITH WooCommerce Gift Cards Premium
CVE ID: CVE-2022-44633
CVSS Score: 6.5 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1e77760b-4e61-462c-9245-0e40f161d565

Portfolio Gallery – Responsive Image Gallery <= 1.4.5 – Missing Authorization to Arbitrary Gallery Deletion

Affected Software: Portfolio Gallery – Responsive Image Gallery
CVE ID: CVE-2023-32585
CVSS Score: 6.5 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2a4e66e0-85a6-4e9f-8ed7-b7ee8e75aae6

Hide My WP Ghost – Security Plugin <= 5.0.18 – IP Address Spoofing to Protection Mechanism Bypass

Affected Software: Hide My WP Ghost – Security Plugin
CVE ID: CVE-2022-4537
CVSS Score: 6.5 (Medium)
Researcher/s: rezaduty
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4cf89f94-587a-4fed-a6e4-3876b7dbc9ba

Pro Mime Types – Manage file media types <= 1.0.7 – Cross-Site Request Forgery via pmt_settings_section_callback_tab_1

Affected Software: Pro Mime Types
CVE ID: CVE Unknown
CVSS Score: 6.5 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f68ac2b8-33dc-4cc2-b0f3-8777450e39f9

VK Blocks <= 1.53.0.1 – Stored (Contributor+) Cross-Site Scripting in Post

Affected Software/s: VK Blocks Pro, VK Blocks
CVE ID: CVE-2023-27925
CVSS Score: 6.4 (Medium)
Researcher/s: apple502j
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/03d05c74-da50-4175-86f5-f39a89dbffd4

Add Posts to Pages <= 1.4.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Add Posts to Pages
CVE ID: CVE-2023-23826
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/139b081d-17b1-4e1f-9d22-cf3f9de123f5

WP Category Post List Widget <= 2.0.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Affected Software: WP Category Post List Widget
CVE ID: CVE-2023-23828
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/15d61530-5ef9-4dce-8ace-6d8cc07c7b5e

VK All in One Expansion Unit <= 9.88.1.0 – Stored (Contributor+) Cross-Site Scripting in CTA Post

Affected Software: VK All in One Expansion Unit
CVE ID: CVE-2023-28367
CVSS Score: 6.4 (Medium)
Researcher/s: apple502j
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1da39f3d-512c-49e0-89cb-672783e5ca4e

Pinterest RSS Widget <= 2.3.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Pinterest RSS Widget
CVE ID: CVE-2023-23877
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1ec186b0-72f0-4017-ad24-1c82247a23ec

Post, Registration and Profile Form Builder – FrontEnd Editor BuddyForms – Easy WordPress Forms <= 2.8.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode


VK All in One Expansion Unit <= 9.88.1.0 – Stored (Contributor+) Cross-Site Scripting in Profile Setting

Affected Software: VK All in One Expansion Unit
CVE ID: CVE-2023-27926
CVSS Score: 6.4 (Medium)
Researcher/s: apple502j
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/40c5dd26-6063-4ab2-a370-464e84d806b7

SALERT <= 1.2.1 – Authenticated (Subscriber+) Stored Cross-Site Scripting

Affected Software: SALERT – Fake Sales Notification WooCommerce
CVE ID: CVE-2023-32118
CVSS Score: 6.4 (Medium)
Researcher/s: Jonas Höbenreich
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6748841a-0984-4840-90ba-0eeff8564198

ExactMetrics <= 7.14.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin)
CVE ID: CVE-2023-23880
CVSS Score: 6.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/687c86af-915e-4028-910e-ab83bcd86a1a

Brands for WooCommerce <= 3.7.0.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Brands for WooCommerce
CVE ID: CVE-2023-23667
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6b6dc426-7066-46fb-886a-0bf005829abf

Owl Carousel <= 0.5.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Affected Software: Owl Carousel
CVE ID: CVE-2023-23829
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/92bcdbd9-1f41-4990-9bea-587fb0e7355a

Download Manager <= 3.2.70 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Download Manager
CVE ID: CVE-2023-2305
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a66bc196-e5f8-46b4-a81c-c888eb64021c

WP Multi Store Locator <= 2.4 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: WP Multi Store Locator
CVE ID: CVE-2023-0152
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b9da31ff-4173-4aee-a3a6-8eebaa0d71ab

WPCS – WordPress Currency Switcher Professional <= 1.1.9 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: WPCS – WordPress Currency Switcher Professional
CVE ID: CVE-2023-2558
CVSS Score: 6.4 (Medium)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/be054481-89b4-47d8-ad06-8622edea367f

Divi <= 4.20.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Divi
CVE ID: CVE-2023-29099
CVSS Score: 6.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c01cbc25-bdf7-4525-8c7b-194bd0aeb32b

Google Analytics by Monster Insights <= 8.14.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy)
CVE ID: CVE-2023-23999
CVSS Score: 6.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c87a80ad-27bf-404d-8adf-9acc91354515

VK Blocks <= 1.53.0.1 – Stored (Contributor+) Cross-Site Scripting in Tag Edit

Affected Software/s: VK Blocks Pro, VK Blocks
CVE ID: CVE-2023-27923
CVSS Score: 6.4 (Medium)
Researcher/s: apple502j
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e01f5bd8-de0f-48aa-8007-61a0ebd0ebf3

Locatoraid Store Locator <= 3.9.18 – Authenticated (Subscriber+) Stored Cross-Site Scripting

Affected Software: Locatoraid Store Locator
CVE ID: CVE-2023-32576
CVSS Score: 6.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e40cba5c-455c-44ba-bba2-c825697b837a

WoodMart <= 7.2.1 – Authenticated (Subscriber+) Stored Cross-Site Scripting

Affected Software: Woodmart
CVE ID: CVE-2023-32239
CVSS Score: 6.4 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f9a60c4e-a524-4a99-858a-14787f37d60c

Announcement & Notification Banner – Bulletin <= 3.7.0 – Cross-Site Request Forgery

Affected Software: Announcement & Notification Banner – Bulletin
CVE ID: CVE-2023-2067
CVSS Score: 6.3 (Medium)
Researcher/s: Chloe Chamberland
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b808450f-0ebf-4c49-a9e3-f1c1f2b1f632

Announcement & Notification Banner – Bulletin <= 3.6.0 – Missing Authorization Checks

Affected Software: Announcement & Notification Banner – Bulletin
CVE ID: CVE-2023-2066
CVSS Score: 6.3 (Medium)
Researcher/s: Chloe Chamberland
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d242a466-0611-4e64-8145-29f64100e62b

Complianz – GDPR/CCPA Cookie Consent <= 6.4.4 – Cross-Site Request Forgery via ajax_script_save

Affected Software: Complianz – GDPR/CCPA Cookie Consent
CVE ID: CVE Unknown
CVSS Score: 6.1 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1034f0f4-52e4-4f4c-81fc-51b4720f306a

Featured Image Pro Post Grid <= 5.14 – Reflected Cross-Site Scripting via page

Affected Software: Featured Image Pro Post Grid
CVE ID: CVE-2023-32598
CVSS Score: 6.1 (Medium)
Researcher/s: OZ1NG (TOOR, LISA)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1efb9215-542b-46a1-b358-f3d27339a920

Team Circle Image Slider With Lightbox <= 1.0.17 – Reflected Cross-Site Scripting

Affected Software: Team Circle Image Slider With Lightbox
CVE ID: CVE-2023-2604
CVSS Score: 6.1 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2627ac2b-25a8-480d-ac83-ee0ca323b3a1

Radio Station <= 2.4.0.9 – Reflected Cross-Site Scripting

Affected Software: Radio Station by netmix® – Manage and play your Show Schedule in WordPress!
CVE ID: CVE-2023-32499
CVSS Score: 6.1 (Medium)
Researcher/s: minhtuanact
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/36b2992d-4d1b-456d-94a0-54794ba59435

WP Abstracts <= 2.6.1 – Reflected Cross-Site Scripting

Affected Software: WP Abstracts
CVE ID: CVE-2023-29385
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/495df695-864e-4a77-bcd1-d1845c55a6c9

wordpress vertical image slider plugin <= 1.2.16 – Reflected Cross-Site Scripting

Affected Software: wordpress vertical image slider plugin
CVE ID: CVE-2023-24413
CVSS Score: 6.1 (Medium)
Researcher/s: yuyudhn
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/59c40a86-ea1c-4015-ac47-2b7b91cc3519

Menu – Ordering – Reservations <= 2.3.6 – Reflected Cross-Site Scripting via ‘redirect’

Affected Software: Restaurant Menu – Food Ordering System – Table Reservation
CVE ID: CVE-2023-32516
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/640f0b06-9af2-4b79-8f87-97f93b2c51c0

Donations Made Easy – Smart Donations <= 4.0.12 – Reflected Cross-Site Scripting

Affected Software: Donations Made Easy – Smart Donations
CVE ID: CVE-2023-32603
CVSS Score: 6.1 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7cce2f9f-5f47-4e10-a846-0aab4bcad616

Slimstat Analytics <= 5.0.4 – Reflected Cross-Site Scripting

Affected Software: Slimstat Analytics
CVE ID: CVE-2022-45366
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/875c6474-5bf3-4556-b529-299cd2f65afe

Order Your Posts Manually <= 2.2.5 – Reflected Cross-Site Scripting via ‘_user_request’

Affected Software: Order Your Posts Manually
CVE ID: CVE-2023-32510
CVSS Score: 6.1 (Medium)
Researcher/s: minhtuanact
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8d98a961-bef3-4bce-b493-410eee688bc6

Complianz – GDPR/CCPA Cookie Consent <= 6.4.4 – Cross-Site Request Forgery via ajax_script_add

Affected Software: Complianz – GDPR/CCPA Cookie Consent
CVE ID: CVE Unknown
CVSS Score: 6.1 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9ef8f39e-6e5d-4ef6-a81d-0b2be3506ec1

MailChimp Subscribe Forms <= 4.0.9.1 – Open Redirect

Affected Software: MailChimp Subscribe Form, Optin Builder, PopUp Builder, Form Builder
CVE ID: CVE-2023-32517
CVSS Score: 6.1 (Medium)
Researcher/s: minhtuanact
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/aba1ca3a-a937-400b-b175-2ca4e67a107d

GTmetrix for WordPress <= 0.4.6 – Reflected Cross-Site Scripting via ‘report_id’ and ‘event_id’

Affected Software: GTmetrix for WordPress
CVE ID: CVE-2023-32503
CVSS Score: 6.1 (Medium)
Researcher/s: thiennv
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/abe50539-f6a9-476a-a408-4f94f7f31fcc

Yoast SEO: Local <= 14.8 – Reflected Cross-Site Scripting

Affected Software: Yoast SEO: Local
CVE ID: CVE-2023-32300
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b239185f-c368-4768-8f6a-ef9bc593929d

Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue <= 3.1.60 – Reflected Cross-Site Scripting via ‘lang’

Affected Software: Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue
CVE ID: CVE Unknown
CVSS Score: 6.1 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b6ad08fb-d029-4f84-818c-911ae2d97f33

10Web Social Post Feed <= 1.2.8 – Reflected Cross-Site Scripting

Affected Software: 10Web Social Post Feed
CVE ID: CVE-2023-2503
CVSS Score: 6.1 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/db959eaf-300c-4ecd-ac15-216a17ec5a50

WP Responsive Tabs horizontal vertical and accordion Tabs <= 1.1.15 – Reflected Cross-Site Scripting

Affected Software: WP Responsive Tabs horizontal vertical and accordion Tabs
CVE ID: CVE-2023-24409
CVSS Score: 6.1 (Medium)
Researcher/s: yuyudhn
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/de331d1d-b2f8-4cc6-a998-779595eca70c

Post State Tags <= 2.0.6 – Cross-Site Request Forgery to Settings Reset

Affected Software: Post State Tags
CVE ID: CVE-2023-32588
CVSS Score: 5.4 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2a938325-45f5-455b-b2b7-e19e6e22cd0c

WP-Chatbot for Messenger <= 4.7 – Missing Authorization

Affected Software: WP-Chatbot for Messenger
CVE ID: CVE-2023-32581
CVSS Score: 5.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/432df51f-2855-4bf2-8be1-77a893e3aa29

Hyphenator <= 5.1.5 – Cross-Site Request Forgery to Settings Update

Affected Software: Hyphenator
CVE ID: CVE-2023-32594
CVSS Score: 5.4 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6b87f741-4115-4ded-8dff-dc36cfdf1df1

ShortPixel Adaptive Images <= 3.7.1 – Cross-Site Request Forgery via shortpixel_ai_handle_page_action

Affected Software: ShortPixel Adaptive Images – WebP, AVIF, CDN, Image Optimization
CVE ID: CVE-2023-32512
CVSS Score: 5.4 (Medium)
Researcher/s: konagash
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/94ed918c-8f6f-4e1f-ab1d-e16632831951

Elementor <= 3.13.1 – Missing Authorization to Settings Update

Affected Software: Elementor Website Builder
CVE ID: CVE Unknown
CVSS Score: 5.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b66e2537-f187-4237-b248-f8a361f9cb00

Complianz – GDPR/CCPA Cookie Consent <= 6.4.4 – Cross-Site Request Forgery via ajax_delete_snapshot

Affected Software: Complianz – GDPR/CCPA Cookie Consent
CVE ID: CVE Unknown
CVSS Score: 5.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c1c106e8-9642-4294-90fd-6838cc551b90

Order Your Posts Manually <= 2.2.5 – Reflected Cross-Site Scripting via ‘cat_id’

Affected Software: Order Your Posts Manually
CVE ID: CVE-2023-32509
CVSS Score: 5.4 (Medium)
Researcher/s: minhtuanact
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d5688bb7-cd2d-42c6-b8cf-d908448ccfc1

Download Monitor <= 4.7.60 – Sensitive Information Exposure via REST API

Affected Software: Download Monitor
CVE ID: CVE-2022-45354
CVSS Score: 5.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ddf67d69-f362-4380-a396-300c7edbd9f3

WP All Backup <= 2.4.3 – Cross-Site Request Forgery to Backup Storage Modification

Affected Software: WP All Backup
CVE ID: CVE-2023-32583
CVSS Score: 5.4 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e087817e-9edb-4c93-96c6-e8d8e99d4d9b

WCP Contact Form <= 3.1.0 – Missing Authorization

Affected Software: WCP Contact Form
CVE ID: CVE-2023-32519
CVSS Score: 5.4 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f9844b47-427a-4f2f-9f42-00adcbcf133c

WCP Contact Form <= 3.1.0 – Missing Authorization via downloadCsv

Affected Software: WCP Contact Form
CVE ID: CVE-2023-32520
CVSS Score: 5.3 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/17a4bd5c-0cd3-46e4-b6ee-edf87f0e92ca

Link Whisper Free <= 0.6.3 – Missing Authorization via init()

Affected Software: Link Whisper Free
CVE ID: CVE-2023-32506
CVSS Score: 5.3 (Medium)
Researcher/s: Nguyen Anh Tien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/29b09367-6a27-4024-a71c-233aaee6c310

Woo Custom Emails <= 2.2 – Missing Authorization to Unauthenticated Settings Change

Affected Software: Woo Custom Emails
CVE ID: CVE-2023-32507
CVSS Score: 5.3 (Medium)
Researcher/s: minhtuanact
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7ee1660e-10c0-447b-8562-c3af07997f56

Snow Monkey Forms <= 5.0.6 – Directory Traversal via ‘view’ REST endpiont

Affected Software: Snow Monkey Forms
CVE ID: CVE-2023-28413
CVSS Score: 5.3 (Medium)
Researcher/s: Monkey Wrench Inc.
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/83d935fc-7d7b-4c25-97f8-d3fe35307c7a

Injection Guard <= 1.2.1 – Missing Authorization to Whitelist Update

Affected Software: Injection Guard
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Darius Sveikauskas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a9c41797-b256-47de-a783-18df36dd2234

Yoast SEO Premium <= 20.4 – Missing Authorization to Zapier Key Reset

Affected Software: Yoast SEO Premium
CVE ID: CVE-2023-28775
CVSS Score: 5.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c54770f1-1409-4208-a4ab-0ff3dbc3835d

MW WP Form <= 4.4.2 – Directory Traversal via _file_upload

Affected Software: MW WP Form
CVE ID: CVE-2023-28409
CVSS Score: 5.3 (Medium)
Researcher/s: Shuya Ota
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f7adeee0-30ff-4759-b42e-1ac2dea5a8a4

WP Register Profile With Shortcode <= 3.5.7 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: WP Register Profile With Shortcode
CVE ID: CVE-2023-23818
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0c20f87e-3670-444c-aa8a-28988dfe2fd9

Post Snippets <= 4.0.2 – Authenticated (Administrator+) Stored Cross-Site Scripting via ‘snippet_content’

Affected Software: Post Snippets – Custom WordPress Code Snippets Customizer
CVE ID: CVE-2023-25459
CVSS Score: 4.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0d10f5cd-d449-46f1-a347-f45a1db65999

SEO By 10Web <= 1.2.6 – Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: SEO by 10Web
CVE ID: CVE-2023-2224
CVSS Score: 4.4 (Medium)
Researcher/s: Taurus Omar
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1a850176-973c-49aa-a420-e379223b6dc3

iframe popup <= 3.3 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings

Affected Software: iframe popup
CVE ID: CVE-2023-24394
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1d2c6f19-025e-4c17-b5d9-4bbddbaf66d1

Get Your Number <= 1.1.3 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Get your number
CVE ID: CVE-2023-2634
CVSS Score: 4.4 (Medium)
Researcher/s: Ilyase Dehy, Aymane Mazguiti
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2fb9dc9f-1ba5-4a2c-bead-3c3a6deb61b1

eBecas <= 3.1.3 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings

Affected Software: eBecas
CVE ID: CVE-2023-32584
CVSS Score: 4.4 (Medium)
Researcher/s: Pavak Tiwari
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/33770bfd-c481-4e18-838b-89a5fb5b15f0

Product page shipping calculator for WooCommerce <= 1.3.25 – Authenticated (Administrator+) Stored Cross-Site Scripting via admin settings

Affected Software: Product page shipping calculator for WooCommerce
CVE ID: CVE-2023-32575
CVSS Score: 4.4 (Medium)
Researcher/s: Emili Castells
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3663b35d-13ac-4d65-80bd-5800ed74f759

StopBadBots <= 7.31 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection
CVE ID: CVE-2023-32496
CVSS Score: 4.4 (Medium)
Researcher/s: Taihei Shimamine
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/38e536a5-b538-498c-b19d-adda36f76164

itemprop WP for SERP/SEO Rich snippets <= 3.5.201706131 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: itemprop WP for SERP/SEO Rich snippets
CVE ID: CVE-2023-23819
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5975a107-8083-4f9e-b2b2-8c6ae1ac8f39

weebotLite <= 1.0.0 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings

Affected Software: weebotLite
CVE ID: CVE-2023-32596
CVSS Score: 4.4 (Medium)
Researcher/s: Lokesh Dachepalli
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/66518929-d5e7-4b4d-a04c-a96ad0df308c

My WP Customize Admin/Frontend <= 1.21.0 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

Affected Software: My WP Customize Admin/Frontend
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6a830fb8-de5f-40c7-bb6c-464ed916b440

Easy Hide Login <= 1.0.7 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Easy Hide Login
CVE ID: CVE-2023-32505
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/745cf98c-ad3a-4ec9-9ee8-ae817d5d7358

Easy Form by AYS <= 1.2.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Easy Form by AYS
CVE ID: CVE-2023-32498
CVSS Score: 4.4 (Medium)
Researcher/s: Taihei Shimamine
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/765b09ef-dd6d-4c4e-a381-7bb0dc8d6652

DevBuddy Twitter Feed <= 4.0.0 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings

Affected Software: DevBuddy Twitter Feed
CVE ID: CVE-2023-32577
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/92a20a1f-6403-4561-acd8-5b076fe2999f

Button <= 1.1.20 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Button
CVE ID: CVE-2023-23871
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9905517f-236c-4e98-8026-8d54bf64c7c9

Custom Field Suite <= 2.6.2.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Custom Field Suite
CVE ID: CVE-2023-32515
CVSS Score: 4.4 (Medium)
Researcher/s: Taihei Shimamine
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9a15946b-c4df-43e8-9e1d-7a8367cfda6b

Column-Matic <= 1.3.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Column-Matic
CVE ID: CVE-2023-32578
CVSS Score: 4.4 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9dc640c8-3740-4770-b729-fb45ecec2b45

Don8 <= 0.4 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings

Affected Software: Don8
CVE ID: CVE-2023-32582
CVSS Score: 4.4 (Medium)
Researcher/s: Yash Kanchhal
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a9b2b094-9a2d-4c73-be5f-b2a6f3da9233

Sunny Search <= 1.0.2 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings

Affected Software: Sunny Search
CVE ID: CVE-2023-32595
CVSS Score: 4.4 (Medium)
Researcher/s: Lokesh Dachepalli
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b977e3f8-46e7-4294-ab5c-e42e81c900e0

Hostel <= 1.1.5.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Hostel
CVE ID: CVE-2023-0545
CVSS Score: 4.4 (Medium)
Researcher/s: Felipe Restrepo Rodriguez
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bb98b2ee-5c51-453f-9e55-52027237e732

Quick Page/Post Redirect <= 5.2.3 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings

Affected Software: Quick Page/Post Redirect Plugin
CVE ID: CVE-2023-25063
CVSS Score: 4.4 (Medium)
Researcher/s: Justiice
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/be841d6b-e3b6-46d2-aba8-fee20c21e933

LetterPress <= 1.1.2 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings

Affected Software: LetterPress – E-Mail campaigns, marketing and newsletter Plugin for WordPress
CVE ID: CVE-2023-27415
CVSS Score: 4.4 (Medium)
Researcher/s: Pavak Tiwari
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d3f9e624-c176-403c-a3c5-7bd11027ebe5

NotifyVisitors <= 1.0 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings


DBargain <= 3.0.0 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings

Affected Software: DBargain
CVE ID: CVE-2023-32591
CVSS Score: 4.4 (Medium)
Researcher/s: Mahesh Nagabhairava
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e3ab817c-3677-4251-adaf-f340bf4c5336

Custom Base Terms <= 1.0.2.3 – Authenticated (Administrator+) Stored Cross-Site Scripting via ‘base’

Affected Software: Custom Base Terms
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e6292935-a67e-4b59-9b3c-0b71365193b7

CALL ME NOW <= 3.0 – Cross-Site Request Forgery

Affected Software: CALL ME NOW
CVE ID: CVE-2023-32602
CVSS Score: 4.3 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/05828bdc-74aa-4477-9178-f8cc6a34da42

Complianz – GDPR/CCPA Cookie Consent <= 6.4.4 – Cross-Site Request Forgery via maybe_install_suggested_plugins

Affected Software: Complianz – GDPR/CCPA Cookie Consent
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/07300429-c445-4d2a-90aa-5072a17f8113

WoodMart <= 7.2.1 – Missing Authorization

Affected Software: Woodmart
CVE ID: CVE-2023-32240
CVSS Score: 4.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0e0e0c15-caf6-4166-a365-a2a73cd9ebc4

Soundcloud Is Gold <= 2.5.1 – Missing Authorization to Soundcloud User Add

Affected Software: SoundCloud Is Gold
CVE ID: CVE-2023-32586
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/14b2fa77-dc51-47b4-913a-9129f95ba766

Injection Guard <= 1.2.1 – Cross-Site Request Forgery to Whitelist Update

Affected Software: Injection Guard
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Darius Sveikauskas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1a6bc58f-9cf3-4d3f-a10e-0ccde0b890a3

Forget About Shortcode Buttons <= 2.1.2 – Missing Authorization via fasc_buttons

Affected Software: Forget About Shortcode Buttons
CVE ID: CVE-2023-32579
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/212dd123-42d4-4dd2-a2e2-bf0c43e805bf

Simple Calendar <= 3.1.43 – Cross-Site Request Forgery to Transient Cache Clearing

Affected Software: Simple Calendar – Google Calendar Plugin
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/248b74d3-5228-473d-a79a-743566898606

Wise Chat <= 3.1.3 – Cross-Site Request Forgery

Affected Software: Wise Chat
CVE ID: CVE-2023-32504
CVSS Score: 4.3 (Medium)
Researcher/s: Justiice
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2a9ed6f2-3def-420c-b6d5-6343fcd7b147

Easy Hide Login <= 1.0.8 – Cross-Site Request Forgery

Affected Software: Easy Hide Login
CVE ID: CVE-2023-31075
CVSS Score: 4.3 (Medium)
Researcher/s: konagash
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/42fff63c-62ec-466e-9a05-60d76f80039e

Injection Guard <= 1.2.1 – Cross-Site Request Forgery via ig_update

Affected Software: Injection Guard
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4a5c4bef-f871-4e6b-9b6e-85079f1233a2

WP Reactions Lite <= 1.3.8 – Cross-Site Request Forgery via AJAX action

Affected Software: WP Reactions Lite
CVE ID: CVE-2023-32587
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/558b4b31-fd4f-4265-bddc-baf484d48fc5

Injection Guard <= 1.2.1 – Missing Authorization via ig_update

Affected Software: Injection Guard
CVE ID: CVE-2023-32574
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5c6a9cfc-0b30-456e-bac5-4ad79cd08dce

Web Stories for WordPress <= 1.31.0 – Insufficient Authorization

Affected Software: Web Stories for WordPress
CVE ID: CVE-2023-1979
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/63f2e02c-baa4-446c-bf1c-96ce099ad02e

Complianz – GDPR/CCPA Cookie Consent <= 6.4.4 – Cross-Site Request Forgery via ajax_create_pages

Affected Software: Complianz – GDPR/CCPA Cookie Consent
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/74f92bd4-c752-4620-b506-d7588ff2e586

Yoast SEO: Local <= 14.8 – Cross-Site Request Forgery

Affected Software: Yoast SEO: Local
CVE ID: CVE-2023-28780
CVSS Score: 4.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7d536acc-b297-4acd-97e2-87eae2e2b95a

Community by PeepSo <= 6.0.9.0 – Cross-Site Request Forgery to Field Duplication

Affected Software: Community by PeepSo – Social Network, Membership, Registration, User Profiles
CVE ID: CVE-2023-32092
CVSS Score: 4.3 (Medium)
Researcher/s: Skalucy
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8a8ac15a-9f9b-4bb8-81a4-1fdd11670a07

Complianz – GDPR/CCPA Cookie Consent <= 6.4.4 – Cross-Site Request Forgery via ajax_edit_item

Affected Software: Complianz – GDPR/CCPA Cookie Consent
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8edaf5ce-6a26-44cc-b4d8-e3b0ccfa9c11

Sunny Search <= 1.0.2 – Cross-Site Request Forgery to Settings Update

Affected Software: Sunny Search
CVE ID: CVE-2023-32592
CVSS Score: 4.3 (Medium)
Researcher/s: Lokesh Dachepalli
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9f1902e7-66e9-417f-97ba-4db766cf29f1

Booking Ultra Pro <= 1.1.4 – Missing Authorization via save_fields_settings

Affected Software: Booking Ultra Pro Appointments Booking Calendar Plugin
CVE ID: CVE-2023-32601
CVSS Score: 4.3 (Medium)
Researcher/s: Badromance 1337
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b1c0f8f3-22fe-4139-93bb-0e9bacf9dafb

Download Manager <= 3.2.70 – Insufficient Authorization to Information Disclosure

Affected Software: Download Manager
CVE ID: CVE-2023-1524
CVSS Score: 4.3 (Medium)
Researcher/s: Johan Kragt
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b48bc632-c825-48e0-8766-3ac59e5b87c6

Pro Mime Types <= 1.0.7 – Cross-Site Request Forgery

Affected Software: Pro Mime Types
CVE ID: CVE-2023-32502
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b7db3d45-2b96-4ba4-b258-08ee5e0b947b

WPCS – WordPress Currency Switcher Professional <= 1.1.9 – Missing Authorization to Arbitrary Custom Drop-Down Currency Switcher Deletion

Affected Software: WPCS – WordPress Currency Switcher Professional
CVE ID: CVE-2023-2556
CVSS Score: 4.3 (Medium)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bc44c95e-9ca0-46d0-8315-72612ef3f855

SALERT <= 1.2.1 – Missing Authorization via salert_save_settings_with_ajax()

Affected Software: SALERT – Fake Sales Notification WooCommerce
CVE ID: CVE-2023-32126
CVSS Score: 4.3 (Medium)
Researcher/s: Jonas Höbenreich
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c9e45ae8-e5b5-460b-80f8-de562ae7c56a

AccessPress Anonymous Post <= 2.8.4 – Authenticated (Contributor+) Arbitrary Redirect

Affected Software: Frontend Post WordPress Plugin – AccessPress Anonymous Post
CVE ID: CVE-2022-4946
CVSS Score: 4.3 (Medium)
Researcher/s: WPScanTeam
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cc727156-28dc-4b0a-b777-52a1bbc72f79

WPCS – WordPress Currency Switcher Professional <= 1.1.9 – Missing Authorization to Arbitrary Custom Drop-Down Currency Switcher Editing

Affected Software: WPCS – WordPress Currency Switcher Professional
CVE ID: CVE-2023-2557
CVSS Score: 4.3 (Medium)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d4c79242-5c89-40c0-abcc-c112f7a64a74

Complianz – GDPR/CCPA Cookie Consent <= 6.4.4 – Cross-Site Request Forgery via run_sync

Affected Software: Complianz – GDPR/CCPA Cookie Consent
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d5c704f9-4fcb-455e-a1c7-f48d47b12dec

Dyslexiefont Free <= 1.0.0 – Cross-Site Request Forgery

Affected Software: Dyslexiefont Free
CVE ID: CVE-2023-32589
CVSS Score: 4.3 (Medium)
Researcher/s: Yash Kanchhal
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d75f6c80-ffbf-47a5-9180-5153b705cb28

WPCS – WordPress Currency Switcher Professional <= 1.1.9 – Missing Authorization to Custom Drop-Down Currency Switcher Creation

Affected Software: WPCS – WordPress Currency Switcher Professional
CVE ID: CVE-2023-2555
CVSS Score: 4.3 (Medium)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/dd6b5d6d-5f5b-4b38-a25a-02cc1c041d37

Complianz – GDPR/CCPA Cookie Consent <= 6.4.4 – Cross-Site Request Forgery via cmplz_duplicate_cookiebanner

Affected Software: Complianz – GDPR/CCPA Cookie Consent
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e7b81559-93a2-4e50-b213-0e22eea8a219

Whydonate – FREE Donate button <= 3.12.13 – Cross-Site Request Forgery

Affected Software: Whydonate – FREE Donate button – Crowdfunding – Fundraising
CVE ID: CVE-2023-29238
CVSS Score: 4.3 (Medium)
Researcher/s: easyBug
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ec1461a9-4504-4e60-9e38-a7257666e699

Google Site Verification plugin using Meta Tag <= 1.2 – Cross-Site Request Forgery

Affected Software: Google Site Verification plugin using Meta Tag
CVE ID: CVE-2023-32514
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ecfdd114-b7bb-45bf-84df-a92f10b2fd81

Complianz – GDPR/CCPA Cookie Consent <= 6.4.4 – Cross-Site Request Forgery via cmplz_delete_cookiebanner

Affected Software: Complianz – GDPR/CCPA Cookie Consent
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f55af49e-82c8-462b-8c0b-a25e966a27af

CM On Demand Search And Replace <= 1.3.0 – Cross-Site Request Forgery

Affected Software: CM On Demand Search And Replace
CVE ID: CVE-2023-28749
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fde1157b-5b99-4e9c-9c51-ebaa0eddfd73

Block Referer Spam <= 1.1.9.4 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Block Referer Spam
CVE ID: CVE-2023-32497
CVSS Score: 3.3 (Low)
Researcher/s: Taihei Shimamine
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fd97fba9-513b-46e1-9613-2f64c4272f34

Active Directory Integration / LDAP Integration <= 4.1.4 – Cross-Site Request Forgery to SQL Injection

Affected Software: Active Directory Integration / LDAP Integration
CVE ID: CVE-2023-2599
CVSS Score: 3.1 (Low)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/74089b16-76fa-4654-9007-3f0c2e894894

As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

Did you enjoy this post? Share it!

Comments

No Comments