Wordfence Intelligence Weekly WordPress Vulnerability Report (November 6, 2023 to November 12, 2023)

🎉Wordfence just launched its bug bounty program. Over the next 6 months, all awarded bounties receive a 10% bonus. View the announcement to learn more now!

Please note there was a minor error in the heading of the email, and this report only runs from November 6th to November 12th.

Last week, there were 135 vulnerabilities disclosed in 119 WordPress Plugins and no WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 40 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Enterprises, Hosting Providers, and even Indivudals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 12,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status	Number of Vulnerabilities
Unpatched	99
Patched	36

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating	Number of Vulnerabilities
Low Severity	1
Medium Severity	124
High Severity	9
Critical Severity	1

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE	Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)	70
Cross-Site Request Forgery (CSRF)	29
Missing Authorization	21
Information Exposure	5
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)	4
Improper Authorization	2
Deserialization of Untrusted Data	1
URL Redirection to Untrusted Site (‘Open Redirect’)	1
Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’)	1
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)	1

Researchers That Contributed to WordPress Security Last Week

Researcher Name	Number of Vulnerabilities
István Márton (Wordfence Vulnerability Researcher)	20
LEE SE HYOUNG (hackintoanetwork)	11
Abdi Pranata	10
Emili Castells	9
Le Ngoc Anh	8
Rafie Muhammad	7
Mika	7
thiennv	7
Nguyen Xuan Chien	4
yuyudhn	4
Skalucy	3
minhtuanact	3
Elliot	3
Krzysztof Zając	3
Dmitrii Ignatyev	3
Ala Arfaoui	2
Enrico Marcolini	2
Claudio Marchesini (Dottormarc)	2
Joshua Chan	2
Huynh Tien Si	1
Robert DeVore	1
Jeongwoo-Lee	1
BuShiYue	1
Nithissh S	1
lttn	1
Robin Wood	1
Fariq Fadillah Gusti Insani	1
Abu Hurayra (HurayraIIT)	1
Vaishnav Rajeevan	1
Luqman Hakim Y	1
DoYeon Park (p6rkdoye0n)	1
Brandon Roldan	1
qilin_99	1
Erwan LR	1
SeungYongLee	1
Taihei Shimamine	1
Nguyen Anh Tien	1
Nicolas Decayeux	1
Rafshanzani Suhada	1
Alex Thomas (Wordfence Vulnerability Researcher)	1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name	Software Slug
ANAC XML Bandi di Gara	avcp
ANAC XML Viewer	anac-xml-viewer
ARI Stream Quiz – WordPress Quizzes Builder	ari-stream-quiz
Actueel Financieel Nieuws – Denk Internet Solutions	denk-internet-solutions
Add Local Avatar	add-local-avatar
Additional Order Filters for WooCommerce	additional-order-filters-for-woocommerce
Advanced iFrame	advanced-iframe
Amazonify	amazonify
Animator – Scroll Triggered Animations	scroll-triggered-animations
Arigato Autoresponder and Newsletter	bft-autoresponder
Auto Affiliate Links	wp-auto-affiliate-links
Auto Tag Creator	auto-tag-creator
BZScore – Live Score	bzscore-live-score
BadgeOS	badgeos
Best Restaurant Menu by PriceListo	best-restaurant-menu-by-pricelisto
Bitly’s WordPress Plugin	wp-bitly
Brizy – Page Builder	brizy
CBX Map for Google Map & OpenStreetMap	cbxgooglemap
Category Post List Widget	category-post-list-widget
Checkout Field Manager (Checkout Manager) for WooCommerce	woocommerce-checkout-manager
Cloud Templates & Patterns collection	templates-patterns-collection
CoCart – Decoupling WooCommerce Made Easy	cart-rest-api-for-woocommerce
Code Snippets	code-snippets
CodeBard’s Patron Button and Widgets for Patreon	patron-button-and-widgets-by-codebard
Contact Form – Custom Builder, Payment Form, and More	powr-pack
Countdown and CountUp, WooCommerce Sales Timer	countdown-wpdevart-extended
Custom post types, Custom Fields & more	custom-post-types
Direct Checkout – Quick View – Buy Now For WooCommerce	quick-view-and-buy-now-for-woocommerce
Donations Made Easy – Smart Donations	smart-donations
Dragfy Addons for Elementor	dragfy-addons-for-elementor
Droit Dark Mode	droit-dark-mode
Easy Social Icons	easy-social-icons
EasyRotator for WordPress – Slider Plugin	easyrotator-for-wordpress
EazyDocs – Most Powerful Knowledge base, wiki, Documentation Builder Plugin (easy docs, knowledgebase)	eazydocs
Ecwid Ecommerce Shopping Cart	ecwid-shopping-cart
Edit WooCommerce Templates	woo-edit-templates
Elementor Website Builder – More than Just a Page Builder	elementor
Email Marketing for WooCommerce by Omnisend	omnisend-connect
Essential Grid Portfolio – Photo Gallery	essential-grid
Extra Product Options for WooCommerce	extra-product-options-for-woocommerce
Featured Image Caption	featured-image-caption
Flo Forms – Easy Drag & Drop Form Builder	flo-forms
Forms for Mailchimp by Optin Cat – Grow Your MailChimp List	mailchimp-wp
Foyer – Digital Signage for WordPress	foyer
Front End PM	front-end-pm
Garden Gnome Package	garden-gnome-package
Image Hover Effects – WordPress Plugin	image-hover-effects
ImageMapper	imagemapper
Integrate Google Drive – Browse, Upload, Download, Embed, Play, Share, Gallery, and Manage Your Google Drive Files Into Your WordPress Site	integrate-google-drive
Japanized For WooCommerce	woocommerce-for-japan
Job Manager & Career – Manage job board listings, and recruitments	job-manager-career
Korea SNS	korea-sns
Lava Directory Manager	lava-directory-manager
LearnPress – WordPress LMS Plugin	learnpress
Live Gold Price & Silver Price Charts Widgets	gold-price-chart-widget
Martins Free & Easy SEO BackLink Link Building Network – Improve Rankings & Traffic	martins-link-network
Membership Plugin – Restrict Content	restrict-content
Mmm Simple File List	mmm-file-list
NitroPack – Cache & Speed Optimization for Core Web Vitals, Defer CSS & JavaScript, Lazy load Images	nitropack
OneClick Chat to Order	oneclick-whatsapp-order
Patreon WordPress	patreon-connect
Photo Feed	photo-feed
Pinyin Slugs	so-pinyin-slugs
Plainview Protect Passwords	plainview-protect-passwords
Plugin Name: Device Theme Switcher	device-theme-switcher
Podlove Web Player	podlove-web-player
Post Pay Counter	post-pay-counter
Preloader Matrix	matrix-pre-loader
Product Catalog Simple	post-type-x
Product Enquiry for WooCommerce	gm-woocommerce-quote-popup
Product Visibility by Country for WooCommerce	product-visibility-by-country-for-woocommerce
Products, Order & Customers Export for WooCommerce	export-woocommerce
ProfileGrid – User Profiles, Memberships, Groups and Communities	profilegrid-user-profiles-groups-and-communities
Q2W3 Post Order	q2w3-post-order
QR Code Tag	qr-code-tag
Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress	quiz-master-next
Recently viewed and most viewed products	recently-viewed-and-most-viewed-products
Redirect 404 Error Page to Homepage or Custom Page with Logs	redirect-404-error-page-to-homepage-or-custom-page
Rename Media Files	rename-media-files
Responsive Column Widgets	responsive-column-widgets
Responsive Pricing Table	dk-pricr-responsive-pricing-table
Restrict Categories	restrict-categories
SEO by 10Web	seo-by-10web
Seers \| GDPR & CCPA Cookie Consent & Compliance	seers-cookie-consent-banner-privacy-policy
SendPress Newsletters	sendpress
Simple Like Page Plugin	simple-facebook-plugin
Social Feed \| All social media in one place	add-facebook
Social Sharing Plugin – Social Warfare	social-warfare
Solid Central – Site Management, Backups, Security, and Reporting	ithemes-sync
Sponsors	wp-sponsors
Star CloudPRNT for WooCommerce	star-cloudprnt-for-woocommerce
TWB Woocommerce Reviews	twb-woocommerce-reviews
Team Members Showcase	dazzlersoft-teams
Telephone Number Linker	telephone-number-linker
Ultimate Addons for Contact Form 7	ultimate-addons-for-contact-form-7
Under Construction / Maintenance Mode from Acurax	coming-soon-maintenance-mode-from-acurax
UpdraftPlus: WordPress Backup & Migration Plugin	updraftplus
User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor	profile-builder
UserHeat Plugin	userheat
Visitor Traffic Real Time Statistics	visitors-traffic-real-time-statistics
Visual Website Collaboration, Feedback & Project Management – Atarim	atarim-visual-collaboration
WD WidgetTwitter	widget-twitter
WP Crowdfunding	wp-crowdfunding
WP Discord Invite	wp-discord-invite
WP Edit Username	wp-edit-username
WP Full Stripe Free	wp-full-stripe-free
WP Links Page	wp-links-page
WP MapIt	wp-mapit
WPDBSpringClean	wpdbspringclean
Web Push Notifications – Webpushr	webpushr-web-push-notifications
Who Hit The Page – Hit Counter	who-hit-the-page-hit-counter
Woo Custom and Sequential Order Number	woo-custom-and-sequential-order-number
WooCommerce Product Enquiry	woo-product-enquiry
WooCommerce Product Table Lite	wc-product-table-lite
WordPress Backup & Migration	wp-migration-duplicator
Youtube SpeedLoad	youtube-speedload
Ziteboard Online Whiteboard	ziteboard-online-whiteboard
masterslider	masterslider
코드엠샵 마이사이트 – MSHOP MY SITE	mshop-mysite

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

Master Slider Pro <= 3.6.5 – Unauthenticated PHP Object Injection

Affected Software: masterslider
CVE ID: CVE-2023-47507
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/66749606-e76f-41fb-bcf1-c06681de2ee3

WD WidgetTwitter <= 1.0.9 – Authenticated (Contributor+) SQL Injection via Shortcode

Affected Software: WD WidgetTwitter
CVE ID: CVE-2023-5709
CVSS Score: 8.8 (High)
Researcher/s: István Márton
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/86cdbfec-b1af-48ec-ae70-f97768694e44

Rename Media Files <= 1.0.1 – Authenticated (Contributor+) Remote Code Execution

Affected Software: Rename Media Files
CVE ID: CVE-2023-32095
CVSS Score: 8.8 (High)
Researcher/s: Taihei Shimamine
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c22c2c17-c9c5-46eb-877a-a49ccf1a74ef

Mmm Simple File List <= 2.3 – Authenticated (Subscriber+) Directory Traversal

Affected Software: Mmm Simple File List
CVE ID: CVE-2023-4297
CVSS Score: 8.8 (High)
Researcher/s: Dmitrii Ignatyev
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f33a13dc-ebff-4033-9b8d-10076b1c2d0d

Brizy <= 2.4.29 – Cross-Site Scripting

Affected Software: Brizy – Page Builder
CVE ID: CVE Unknown
CVSS Score: 7.2 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/546cd218-3f6d-4e8f-83d5-e9aceb6f33ed

Who Hit The Page – Hit Counter <= 1.4.14.3 – Authenticated (Administrator+) SQL Injection

Affected Software: Who Hit The Page – Hit Counter
CVE ID: CVE-2023-47558
CVSS Score: 7.2 (High)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/54c94de4-59b4-4f0b-85db-2074a41d04f8

Redirect 404 Error Page to Homepage or Custom Page with Logs <= 1.8.7 – Authenticated (Administrator+) SQL Injection

Affected Software: Redirect 404 Error Page to Homepage or Custom Page with Logs
CVE ID: CVE-2023-47530
CVSS Score: 7.2 (High)
Researcher/s: Fariq Fadillah Gusti Insani
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/59ec4bbd-5192-45f8-8cfc-d43858b46901

Webpushr <= 4.34.0 – Missing Authorization to Unauthenticated Stored Cross-Site Scripting

Affected Software: Web Push Notifications – Webpushr
CVE ID: CVE-2023-5620
CVSS Score: 7.2 (High)
Researcher/s: Krzysztof Zając
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7e092d67-ab81-4366-824c-cfb240ba3042

Master Slider Pro <= 3.6.5 – Authenticated (Editor+) SQL Injection

Affected Software: masterslider
CVE ID: CVE-2023-47506
CVSS Score: 7.2 (High)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a69a5249-f9ab-4489-a032-33dd482fdc96

Profile Builder <= 3.10.3 – Cross-Site Request Forgery via pms-cross-promotion.php

Affected Software: User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor
CVE ID: CVE-2023-47669
CVSS Score: 7.1 (High)
Researcher/s: Brandon Roldan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b0b2bdb3-713c-47c6-8907-ac0f86038dc2

EazyDocs <= 2.3.3 – Missing Authorization via doc_one_page and edit_doc_one_page

Affected Software: EazyDocs – Most Powerful Knowledge base, wiki, Documentation Builder Plugin (easy docs, knowledgebase)
CVE ID: CVE-2023-47648
CVSS Score: 6.5 (Medium)
Researcher/s: Skalucy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0ec64507-b77e-4685-978f-7408fe8db5ee

Japanized For WooCommerce <= 2.6.4 – Missing Authorization

Affected Software: Japanized For WooCommerce
CVE ID: CVE-2023-47698
CVSS Score: 6.5 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0fc675e8-8ba1-40b0-829e-7a48d5eb586d

Podlove Web Player <= 5.7.1 – Missing Authorization

Affected Software: Podlove Web Player
CVE ID: CVE-2023-47691
CVSS Score: 6.5 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7fd8a952-d723-45a2-9027-12e3d99f715b

Elementor Website Builder <= 3.16.4 – Missing Authorization to Arbitrary Attachment Read

Affected Software: Elementor Website Builder – More than Just a Page Builder
CVE ID: CVE-2023-47504
CVSS Score: 6.5 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c873c76a-144e-4945-8fa2-c9ffe0e3c061

WooCommerce Checkout Manager <= 7.3.0 – Missing Authorization

Affected Software: Checkout Field Manager (Checkout Manager) for WooCommerce
CVE ID: CVE-2023-47681
CVSS Score: 6.5 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fffd7d50-6563-4652-8fae-3fe698125c59

Telephone Number Linker <= 1.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Telephone Number Linker
CVE ID: CVE-2023-5743
CVSS Score: 6.4 (Medium)
Researcher/s: István Márton
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/06424d9f-0064-4101-b819-688489a18eee

Featured Image Caption <= 0.8.10 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Featured Image Caption
CVE ID: CVE-2023-5669
CVSS Score: 6.4 (Medium)
Researcher/s: István Márton
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0c43a88c-6374-414f-97ae-26ba15d75cdc

ANAC XML Bandi di Gara <= 7.5 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Affected Software: ANAC XML Bandi di Gara
CVE ID: CVE-2023-47242
CVSS Score: 6.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/101945f6-d709-4c99-8c80-def9dd2fa636

EasyRotator for WordPress <= 1.0.14 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: EasyRotator for WordPress – Slider Plugin
CVE ID: CVE-2023-5742
CVSS Score: 6.4 (Medium)
Researcher/s: István Márton
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3041e28e-d965-4672-ab10-8b1f3d874f19

Bitly’s WordPress Plugin <= 2.7.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Bitly’s WordPress Plugin
CVE ID: CVE-2023-5577
CVSS Score: 6.4 (Medium)
Researcher/s: István Márton
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/31522e54-f260-46d0-8d57-2d46af7d3450

BZScore – Live Score <= 1.03 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Affected Software: BZScore – Live Score
CVE ID: CVE-2023-47654
CVSS Score: 6.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/438a94c4-a7f2-4c08-960b-e18c19196169

Sponsors <= 3.5.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Sponsors
CVE ID: CVE-2023-5662
CVSS Score: 6.4 (Medium)
Researcher/s: István Márton
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4af04219-26c5-401d-94ef-11d2321f98bf

WP MapIt <= 2.7.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: WP MapIt
CVE ID: CVE-2023-5658
CVSS Score: 6.4 (Medium)
Researcher/s: István Márton
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7ef6f598-e1a7-4036-9485-1aad0416349a

Social Feed <= 1.5.4.6 – Authenticated (Author+) Stored Cross-Site Scripting via Shortcode

Affected Software: Social Feed | All social media in one place
CVE ID: CVE-2023-5661
CVSS Score: 6.4 (Medium)
Researcher/s: István Márton
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8b145772-624e-4af0-9156-03c483bf8381

Garden Gnome Package <= 2.2.8 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Garden Gnome Package
CVE ID: CVE-2023-5664
CVSS Score: 6.4 (Medium)
Researcher/s: István Márton
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8c7385c7-47de-4511-b474-7415c3977aa8

Social Sharing Plugin – Social Warfare <= 4.4.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Social Sharing Plugin – Social Warfare
CVE ID: CVE-2023-4842
CVSS Score: 6.4 (Medium)
Researcher/s: István Márton
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8f5b9aff-0833-4887-ae59-df5bc88c7f91

Donations Made Easy – Smart Donations <= 4.0.12 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Donations Made Easy – Smart Donations
CVE ID: CVE-2023-47550
CVSS Score: 6.4 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/92aae1f6-e624-4619-8195-ee3c443a31fc

WordPress Backup & Migration <= 1.4.4 – Authenticated (Subscriber+) Stored Cross-Site Scripting

Affected Software: WordPress Backup & Migration
CVE ID: CVE-2023-5738
CVSS Score: 6.4 (Medium)
Researcher/s: Krzysztof Zając
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/93de1604-2494-4c51-a93d-b01bf7ed4c07

ImageMapper <= 1.2.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: ImageMapper
CVE ID: CVE-2023-5507
CVSS Score: 6.4 (Medium)
Researcher/s: István Márton
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a6e687e9-6ffe-4457-8d57-3c03f657eb74

CBX Map for Google Map & OpenStreetMap <= 1.1.11 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Affected Software: CBX Map for Google Map & OpenStreetMap
CVE ID: CVE-2023-47240
CVSS Score: 6.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/aa5505b7-2d9e-4a03-9655-75d004f53259

Elementor Website Builder <= 3.16.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via get_inline_svg()

Affected Software: Elementor Website Builder – More than Just a Page Builder
CVE ID: CVE-2023-47505
CVSS Score: 6.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b44ef21f-464e-487a-ba5a-fe889e4c488c

QR Code Tag <= 1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: QR Code Tag
CVE ID: CVE-2023-5567
CVSS Score: 6.4 (Medium)
Researcher/s: István Márton
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/be004002-a3ac-46e9-b0c1-258f05f97b2a

Mmm Simple File List <= 2.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Mmm Simple File List
CVE ID: CVE-2023-4514
CVSS Score: 6.4 (Medium)
Researcher/s: Erwan LR
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c064227f-6332-40c8-9e96-337c608da832

POWR <= 2.1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Contact Form – Custom Builder, Payment Form, and More
CVE ID: CVE-2023-5741
CVSS Score: 6.4 (Medium)
Researcher/s: István Márton
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c2967eae-82bb-4556-a21a-c5bb6b905c62

SendPress Newsletters <= 1.22.3.31 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: SendPress Newsletters
CVE ID: CVE-2023-5660
CVSS Score: 6.4 (Medium)
Researcher/s: István Márton
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cbce42a0-29a7-40df-973c-1fe7338f6c94

Lava Directory Manager <= 1.1.34 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Affected Software: Lava Directory Manager
CVE ID: CVE-2023-47659
CVSS Score: 6.4 (Medium)
Researcher/s: Emili Castells
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e3d21ebb-52de-4b25-b9e9-5d6f3284cf94

Advanced iFrame <= 2023.8 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Advanced iFrame
CVE ID: CVE-2023-4775
CVSS Score: 6.4 (Medium)
Researcher/s: István Márton
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e9944443-2e71-45c4-8a19-d76863cf66df

Ziteboard Online Whiteboard <= 2.9.9 – Authenticated (Contributor+) Stored Cross-Site Scripting via ziteboard Shortcode

Affected Software: Ziteboard Online Whiteboard
CVE ID: CVE-2023-5076
CVSS Score: 6.4 (Medium)
Researcher/s: István Márton, Alex Thomas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f5608f50-e17a-471f-b644-dceb64d82f0c

Simple Like Page Plugin <= 1.5.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Simple Like Page Plugin
CVE ID: CVE-2023-4888
CVSS Score: 6.4 (Medium)
Researcher/s: István Márton
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f81df26f-4390-4626-8539-367a52f8a027

NitroPack <= 1.9.2 – Missing Authorization via multiple AJAX functions

Affected Software: NitroPack – Cache & Speed Optimization for Core Web Vitals, Defer CSS & JavaScript, Lazy load Images
CVE ID: CVE Unknown
CVSS Score: 6.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fb6f4b0b-25b8-4dcd-b002-293ce8ab307e

Category Post List Widget <= 2.0 – Unauthenticated Stored Cross-Site Scripting via custom_css

Affected Software: Category Post List Widget
CVE ID: CVE-2023-47516
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG (hackintoanetwork)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0182ca6c-23f8-4212-bfd8-cb898e98b37b

Essential Grid <= 3.1.0 – Reflected Cross-Site Scripting

Affected Software: Essential Grid Portfolio – Photo Gallery
CVE ID: CVE-2023-47684
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/02eadae8-7aa6-42f5-b807-9ed82332fa72

Category Post List Widget <= 2.0 – Cross-Site Request Forgery via get_cplw_settings

SendPress Newsletters <= 1.23.11.6 – Reflected Cross-Site Scripting

Affected Software: SendPress Newsletters
CVE ID: CVE-2023-47517
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2cd6e69b-f927-4cea-a838-5c73f52233a2

Edit WooCommerce Templates <= 1.1.1 – Unauthenticated Cross-Site Scripting

Affected Software: Edit WooCommerce Templates
CVE ID: CVE-2023-47509
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG (hackintoanetwork)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/34f7ab72-a4e3-4264-b6d3-530dd255dc87

Under Construction / Maintenance Mode from Acurax <= 2.6 – Unauthenticated Cross-Site Scripting

Affected Software: Under Construction / Maintenance Mode from Acurax
CVE ID: CVE-2023-39926
CVSS Score: 6.1 (Medium)
Researcher/s: Robert DeVore
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/359b8977-6d0d-4856-8d72-17091a420f67

EazyDocs <= 2.3.3 – Unauthenticated Stored Cross-Site Scripting via edit_doc_one_page

Affected Software: EazyDocs – Most Powerful Knowledge base, wiki, Documentation Builder Plugin (easy docs, knowledgebase)
CVE ID: CVE-2023-47549
CVSS Score: 6.1 (Medium)
Researcher/s: minhtuanact
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/38145ad1-f441-40a4-9e92-6837cfeba656

Restrict Categories <= 2.6.4 – Reflected Cross-Site Scripting via rc-search

Affected Software: Restrict Categories
CVE ID: CVE-2023-47518
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/45671cab-f719-4ee6-af81-7c19b37b8d91

Post Pay Counter <= 2.789 – Reflected Cross-Site Scripting

Affected Software: Post Pay Counter
CVE ID: CVE-2023-47673
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG (hackintoanetwork)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4a9fce6d-d5c2-4ab7-87ea-8dd6e4d92e07

Atarim <= 3.12 – Unauthenticated Cross-Site Scripting

Affected Software: Visual Website Collaboration, Feedback & Project Management – Atarim
CVE ID: CVE-2023-47544
CVSS Score: 6.1 (Medium)
Researcher/s: lttn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4f5919eb-ac74-4926-9ede-e651bb4463b2

Product Enquiry for WooCommerce <= 3.0 – Unauthenticated Stored Cross-Site Scripting via name

Affected Software: Product Enquiry for WooCommerce
CVE ID: CVE-2023-47512
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG (hackintoanetwork)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6840add4-62db-4b99-b48b-0b51aa2451b8

Martins Free & Easy SEO BackLink Link Building Network <= 1.2.29 – Reflected Cross-Site Scripting via _wpnonce

Affected Software: Martins Free & Easy SEO BackLink Link Building Network – Improve Rankings & Traffic
CVE ID: CVE-2023-5641
CVSS Score: 6.1 (Medium)
Researcher/s: Enrico Marcolini, Claudio Marchesini (Dottormarc)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/773b5a79-017a-4e16-b563-3aa2939fa179

WP Crowdfunding <= 2.1.6 – Reflected Cross-Site Scripting via postid

Affected Software: WP Crowdfunding
CVE ID: CVE-2023-47532
CVSS Score: 6.1 (Medium)
Researcher/s: Abu Hurayra (HurayraIIT)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7f13a432-e37d-4183-85ff-e2a04b40cda8

LearnPress <= 4.2.5.3 – Reflected Cross-Site Scripting via add_internal_scripts_to_head

Affected Software: LearnPress – WordPress LMS Plugin
CVE ID: CVE Unknown
CVSS Score: 6.1 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/81fd3ac1-91af-4cfa-ac4e-712beb4236c0

Photo Feed <= 2.2.1 – Reflected Cross-Site Scripting via pf-gid

Affected Software: Photo Feed
CVE ID: CVE-2023-47522
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8a36b98b-7197-434e-88ac-6fcfa34d6abb

Auto Affiliate Links <= 6.4.2.4 – Cross-Site Request Forgery to Stored Cross-Site Scripting

Affected Software: Auto Affiliate Links
CVE ID: CVE-2023-47652
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG (hackintoanetwork)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8c84ffd3-e000-4d67-9789-e439e7c128e8

CodeBard’s Patron Button and Widgets for Patreon <= 2.1.9 – Reflected Cross-Site Scripting via cb_p6_tab

Affected Software: CodeBard’s Patron Button and Widgets for Patreon
CVE ID: CVE-2023-47524
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/96649aa6-f3ba-4e9e-9fa5-a5fbd52c3836

Master Slider Pro <= 3.6.5 – Reflected Cross-Site Scripting

Affected Software: masterslider
CVE ID: CVE-2023-47508
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9f77755a-9b28-4e31-8a01-42e96b5698bf

Star CloudPRNT for WooCommerce <= 2.0.3 – Unauthenticated Cross-Site Scripting

Affected Software: Star CloudPRNT for WooCommerce
CVE ID: CVE-2023-47514
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9f850644-4923-46c1-90f6-d29088c9cb1a

WPDBSpringClean <= 1.6 – Reflected Cross-Site Scripting

Affected Software: WPDBSpringClean
CVE ID: CVE-2023-47510
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG (hackintoanetwork)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a6627f96-63d6-4f22-9eb7-fb42e748ae38

Q2W3 Post Order <= 1.2.8 – Reflected Cross-Site Scripting

Affected Software: Q2W3 Post Order
CVE ID: CVE-2023-47521
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/affc9dff-75a1-4cb3-8465-55254db6441b

Seo By 10Web <= 1.2.9 – Reflected Cross-Site Scripting

Affected Software: SEO by 10Web
CVE ID: CVE-2023-34375
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b4533554-52e4-44b4-9230-b6e3feb2e4a1

Plainview Protect Passwords <= 1.4 – Reflected Cross-Site Scripting

Affected Software: Plainview Protect Passwords
CVE ID: CVE-2023-47665
CVSS Score: 6.1 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b63d8238-267f-4a40-9af0-37ae8b9ba26b

Additional Order Filters for WooCommerce <= 1.10 – Reflected Cross-Site Scripting

Affected Software: Additional Order Filters for WooCommerce
CVE ID: CVE-2023-47690
CVSS Score: 6.1 (Medium)
Researcher/s: qilin_99
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/baa8b5ce-7ef8-4ca8-9957-2c3469f55dda

ImageMapper <= 1.2.6 – Cross-Site Request Forgery to Stored Cross-Site Scripting via imgmap_save_area_title

Affected Software: ImageMapper
CVE ID: CVE-2023-5532
CVSS Score: 6.1 (Medium)
Researcher/s: István Márton
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bbb67f02-87e8-4ca3-8a9d-6663a700ab5b

Responsive Column Widgets <= 1.2.7 – Reflected Cross-Site Scripting via tab

Affected Software: Responsive Column Widgets
CVE ID: CVE-2023-47520
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d749c24c-0ed9-423b-872a-4771e9d8a2eb

Products, Order & Customers Export for WooCommerce <= 2.0.7 – Reflected Cross-Site Scripting via date parameters

Affected Software: Products, Order & Customers Export for WooCommerce
CVE ID: CVE-2023-47547
CVSS Score: 6.1 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/eac8685b-8ed9-432d-8912-b66bd62c950f

Extra Product Options for WooCommerce <= 3.0.3 – Authenticated (Shop manager+) Stored Cross-Site Scripting via plugin settings

Affected Software: Extra Product Options for WooCommerce
CVE ID: CVE-2023-47658
CVSS Score: 5.5 (Medium)
Researcher/s: Emili Castells
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/393a856e-dc13-4fb6-8ff3-5880631953c4

Actueel Financieel Nieuws – Denk Internet Solutions <= 5.1.0 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

Affected Software: Actueel Financieel Nieuws – Denk Internet Solutions
CVE ID: CVE-2023-6107
CVSS Score: 5.5 (Medium)
Researcher/s: Nithissh S
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4e0ad29a-b7a0-407e-8fb0-0917b8671afb

Direct Checkout – Quick View – Buy Now For WooCommerce <= 1.5.8 – Authenticated (Shop manager+) Stored Cross-Site Scripting via Custom CSS Code

Affected Software: Direct Checkout – Quick View – Buy Now For WooCommerce
CVE ID: CVE-2023-47657
CVSS Score: 5.5 (Medium)
Researcher/s: Emili Castells
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/514aa001-24c8-4624-8e25-f17b8454354c

Responsive Pricing Table < 5.1.8 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

Affected Software: Responsive Pricing Table
CVE ID: CVE-2023-4810
CVSS Score: 5.5 (Medium)
Researcher/s: Vaishnav Rajeevan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7fb7dd8f-6258-46e1-9cc5-87ec73d5736c

Forms for Mailchimp by Optin Cat <= 2.5.4 – Authenticated (Editor+) Stored Cross-Site Scripting

Affected Software: Forms for Mailchimp by Optin Cat – Grow Your MailChimp List
CVE ID: CVE-2023-47545
CVSS Score: 5.5 (Medium)
Researcher/s: DoYeon Park (p6rkdoye0n)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a7d5edee-04fb-41e0-be5e-ca3681956d2d

Countdown and CountUp, WooCommerce Sales Timer <= 1.8.2 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

Affected Software: Countdown and CountUp, WooCommerce Sales Timer
CVE ID: CVE-2023-47533
CVSS Score: 5.5 (Medium)
Researcher/s: SeungYongLee
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c1ec113c-d11f-4b0b-8d4a-46d37687b3b2

Live Gold Price & Silver Price Charts Widgets <= 2.4 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

Affected Software: Live Gold Price & Silver Price Charts Widgets
CVE ID: CVE-2023-47662
CVSS Score: 5.5 (Medium)
Researcher/s: Emili Castells
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c53ebf2f-44ab-4d0f-ac3d-c08806c07343

ANAC XML Bandi di Gara <= 7.5 – Authenticated (Editor+) Stored Cross-Site Scripting

Affected Software: ANAC XML Bandi di Gara
CVE ID: CVE-2023-47656
CVSS Score: 5.5 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cb610baa-093d-4a41-8e28-c65fdb0e32aa

Add Local Avatar <= 12.1 – Cross-Site Request Forgery via manage_avatar_cache

Affected Software: Add Local Avatar
CVE ID: CVE-2023-47650
CVSS Score: 5.4 (Medium)
Researcher/s: LEE SE HYOUNG (hackintoanetwork)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/241da621-b892-4263-8409-a40ac5a1ade3

Code Snippets <= 3.5.0 – Cross-Site Request Forgery via load

Affected Software: Code Snippets
CVE ID: CVE-2023-47666
CVSS Score: 5.4 (Medium)
Researcher/s: Huynh Tien Si
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/28aae3d4-c4c4-4cda-9f4b-7f2ea58629aa

ImageMapper <= 1.2.6 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Page/Post Deletion via imgmap_delete_area_ajax

Affected Software: ImageMapper
CVE ID: CVE-2023-5506
CVSS Score: 5.4 (Medium)
Researcher/s: István Márton
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/31dff395-c3ce-4ebe-8d38-5243fc4510d6

Solid Central <= 3.0.0 – Stored Cross-Site Scripting via packages

Affected Software: Solid Central – Site Management, Backups, Security, and Reporting
CVE ID: CVE Unknown
CVSS Score: 5.4 (Medium)
Researcher/s: Robin Wood
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/55234307-9d51-4fe8-bc22-78d32a5fed11

Quiz And Survey Master <= 8.1.18 – Multiple Cross-Site Request Forgery

Affected Software: Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress
CVE ID: CVE Unknown
CVSS Score: 5.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/91c5a83a-679c-405b-973d-a2255d2bced2

WP Discord Invite < 2.5.1 – Cross-Site Request Forgery to Settings Update

Affected Software: WP Discord Invite
CVE ID: CVE-2023-5006
CVSS Score: 5.4 (Medium)
Researcher/s: Enrico Marcolini, Claudio Marchesini (Dottormarc)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d92bfa61-7ae2-427a-8f3a-82709471735b

UpdraftPlus <= 1.23.10 – Cross-Site Request Forgery to Google Drive Storage Update

Affected Software: UpdraftPlus: WordPress Backup & Migration Plugin
CVE ID: CVE-2023-5982
CVSS Score: 5.4 (Medium)
Researcher/s: Nicolas Decayeux
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e1be11c5-0a44-4816-b6bf-d330cb51dbf3

Ecwid Ecommerce Shopping Cart <= 6.12.3 – Missing Authorization on multiple functions

Affected Software: Ecwid Ecommerce Shopping Cart
CVE ID: CVE Unknown
CVSS Score: 5.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f3d5bc99-2b55-4e19-8304-e56f3d4a2f1a

Ultimate Addons for Contact Form 7 <= 3.2.6 – Missing Authorization

Affected Software: Ultimate Addons for Contact Form 7
CVE ID: CVE-2023-47693
CVSS Score: 5.3 (Medium)
Researcher/s: minhtuanact
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/73720e67-79e5-4b4c-8720-e28ad718b2b3

Front End PM < 11.4.3 – Sensitive Information Exposure via Directory Listing

Affected Software: Front End PM
CVE ID: CVE-2023-4930
CVSS Score: 5.3 (Medium)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8250c277-200a-4808-98ae-ede169aad3fd

CoCart – Headless ecommerce <= 3.9.0 – Missing Authorization

Affected Software: CoCart – Decoupling WooCommerce Made Easy
CVE ID: CVE-2023-47241
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/98e8e09c-f2fe-40ab-b1ce-62a1627b6b65

Restrict Content <= 3.2.7 – Information Exposure via legacy log file

Affected Software: Membership Plugin – Restrict Content
CVE ID: CVE-2023-47668
CVSS Score: 5.3 (Medium)
Researcher/s: Joshua Chan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ad2d5070-ddc6-4478-abe5-776e197a4507

Cloud Templates & Patterns collection <= 1.2.2 – Sensitive Information Exposure via Log File

Affected Software: Cloud Templates & Patterns collection
CVE ID: CVE-2023-47529
CVSS Score: 5.3 (Medium)
Researcher/s: Joshua Chan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c59baad8-b888-4475-8371-645811a6b569

Email Marketing for WooCommerce by Omnisend <= 1.13.8 – Sensitive Information Exposure

Affected Software: Email Marketing for WooCommerce by Omnisend
CVE ID: CVE-2023-47244
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cc2cd74d-b828-4524-b33d-c806bfd970b9

Seers <= 8.0.6 – Missing Authorization via multiple AJAX actions

Affected Software: Seers | GDPR & CCPA Cookie Consent & Compliance
CVE ID: CVE-2023-47515
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d300288e-f100-4c02-ba65-d728e3b1522e

Animator <= 3.0.9 – Missing Authorization to Plugin Settings Update

Affected Software: Animator – Scroll Triggered Animations
CVE ID: CVE-2023-47689
CVSS Score: 5.3 (Medium)
Researcher/s: Elliot
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f8457aeb-867b-4185-8271-a5452b7c5365

WooCommerce Product Enquiry <= 2.3.4 – Unauthenticated Self-Based Cross-Site Scripting

Affected Software: WooCommerce Product Enquiry
CVE ID: CVE-2023-32796
CVSS Score: 4.7 (Medium)
Researcher/s: Emili Castells
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/97c68df7-69fd-4817-9473-3d3e1fd6d348

Integrate Google Drive <= 1.3.1 – Open Redirect via state

Affected Software: Integrate Google Drive – Browse, Upload, Download, Embed, Play, Share, Gallery, and Manage Your Google Drive Files Into Your WordPress Site
CVE ID: CVE-2023-47548
CVSS Score: 4.7 (Medium)
Researcher/s: minhtuanact
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bccceb2d-2087-4ee6-8118-eb3fb53654dc

Amazonify <= 0.8.1 – Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: Amazonify
CVE ID: CVE-2023-5819
CVSS Score: 4.4 (Medium)
Researcher/s: Ala Arfaoui
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/41adfb58-d79f-40a3-8a7e-f3f08f64659f

WP Edit Username <= 1.0.5 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: WP Edit Username
CVE ID: CVE-2023-47528
CVSS Score: 4.4 (Medium)
Researcher/s: Jeongwoo-Lee
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/47461b7b-e986-4048-88aa-175242305795

Pinyin Slugs <= 2.3.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Pinyin Slugs
CVE ID: CVE-2023-47511
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/65e76681-80e0-40aa-a68b-87cb0c42b4f8

OneClick Chat to Order <= 1.0.4.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: OneClick Chat to Order
CVE ID: CVE-2023-47546
CVSS Score: 4.4 (Medium)
Researcher/s: Luqman Hakim Y
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/94f338c2-95c9-4ce8-8579-0b2b66547aa0

ANAC XML Viewer <= 1.7 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: ANAC XML Viewer
CVE ID: CVE-2023-47245
CVSS Score: 4.4 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9af963ed-8bc5-4b5e-bacd-30a2ef429ce8

Team Members Showcase <= 1.3.4 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Team Members Showcase
CVE ID: CVE-2023-32957
CVSS Score: 4.4 (Medium)
Researcher/s: Emili Castells
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ad88c661-601c-411f-9495-2c3b8a568c6b

Product Visibility by Country for WooCommerce <= 1.4.9 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Product Visibility by Country for WooCommerce
CVE ID: CVE-2023-47660
CVSS Score: 4.4 (Medium)
Researcher/s: Emili Castells
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e56b11a1-dd40-461b-9624-b60367c0c727

Custom post types <= 4.0.12 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Custom post types, Custom Fields & more
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/eb94520e-a99d-4e34-b174-e01898de0978

TWB Woocommerce Reviews <= 1.7.5 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: TWB Woocommerce Reviews
CVE ID: CVE-2023-47653
CVSS Score: 4.4 (Medium)
Researcher/s: Emili Castells
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f85df8f1-9283-48d0-8f19-88a4a839d501

Flo Forms <= 1.0.41 – Missing Authorization via flo_send_test_email

Affected Software: Flo Forms – Easy Drag & Drop Form Builder
CVE ID: CVE-2023-47692
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/04401d7e-996d-4b46-b391-bfb0b065900b

Arigato Autoresponder and Newsletter <= 2.7.2.2 – Cross-Site Request Forgery

Affected Software: Arigato Autoresponder and Newsletter
CVE ID: CVE-2023-47686
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1bf798b5-2a5c-42d9-a4b3-d3ed056e1fdb

Best Restaurant Menu by PriceListo <= 1.3.1 – Cross-Site Request Forgery via menu_page

Affected Software: Best Restaurant Menu by PriceListo
CVE ID: CVE-2023-47649
CVSS Score: 4.3 (Medium)
Researcher/s: Skalucy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1c24f881-52bc-4210-9037-bcdd1e4aa895

Amazonify <= 0.8.1 – Cross-Site Request Forgery to Amazon Tracking ID Update

Affected Software: Amazonify
CVE ID: CVE-2023-5818
CVSS Score: 4.3 (Medium)
Researcher/s: Ala Arfaoui
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/33f3c466-bdeb-402f-bf34-bc703f35e1e2

ANAC XML Bandi di Gara <= 7.5 – Cross-Site Request Forgery via settings.php

Affected Software: ANAC XML Bandi di Gara
CVE ID: CVE-2023-47655
CVSS Score: 4.3 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/36cf102b-bff1-4516-9a76-030ddc98c207

WooCommerce Product Table Lite <= 2.6.2 – Cross-Site Request Forgery

Affected Software: WooCommerce Product Table Lite
CVE ID: CVE-2023-47519
CVSS Score: 4.3 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4528f805-bbf3-4a0f-a06f-879c6e607bfa

Patreon WordPress <= 1.8.6 – Cross-Site Request Forgery

Affected Software: Patreon WordPress
CVE ID: CVE-2023-41129
CVSS Score: 4.3 (Medium)
Researcher/s: BuShiYue
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/481121b2-4ea9-489e-b582-ec8bbf87c902

Product Catalog Simple <= 1.7.5 – Cross-Site Request Forgery via ic_system_status

Affected Software: Product Catalog Simple
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4a134509-8dc0-41ac-9b5c-5b173a1e3c68

BadgeOS <= 3.7.1.6 – Missing Authorization

Affected Software: BadgeOS
CVE ID: CVE-2023-47647
CVSS Score: 4.3 (Medium)
Researcher/s: Elliot
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/515e62ba-c3b8-42d0-95e3-be347b8851a5

Korea SNS <= 1.6.3 – Cross-Site Request Forgery via kon_tergos_options

Affected Software: Korea SNS
CVE ID: CVE-2023-47670
CVSS Score: 4.3 (Medium)
Researcher/s: LEE SE HYOUNG (hackintoanetwork)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/51d07d2a-74e6-499e-8d66-90893faedeaf

Woo Custom and Sequential Order Number <= 2.6.0 – Cross-Site Request Forgery

Affected Software: Woo Custom and Sequential Order Number
CVE ID: CVE-2023-47687
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/67279c70-c416-4d18-9951-470773b9221a

WP Links Page <= 4.9.4 – Cross-Site Request Forgery via wplf_ajax_update_screenshots

Affected Software: WP Links Page
CVE ID: CVE-2023-47651
CVSS Score: 4.3 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6fa70ddc-9a5c-4001-967a-5aad789c862c

Dragfy Addons for Elementor <= 1.0.2 – Missing Authorization via save_settings

Affected Software: Dragfy Addons for Elementor
CVE ID: CVE-2023-47661
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7caaaaef-075b-44f6-8809-a02d5f034f26

WordPress Backup & Migration <= 1.4.3 – Missing Authorization to Settings Update

Affected Software: WordPress Backup & Migration
CVE ID: CVE-2023-5737
CVSS Score: 4.3 (Medium)
Researcher/s: Krzysztof Zając
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7de132d5-51c9-464c-b687-8e367dd8d846

Donations Made Easy – Smart Donations <= 4.0.12 – Cross-Site Request Forgery

Affected Software: Donations Made Easy – Smart Donations
CVE ID: CVE-2023-47551
CVSS Score: 4.3 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7f5d3973-5bbb-4c85-9790-e12f3fc14f30

Foyer <= 1.7.5 – Content Injection via Improper Access Control

Affected Software: Foyer – Digital Signage for WordPress
CVE ID: CVE-2023-47663
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/97344674-15df-45e6-9906-f21a9920a6e1

Preloader Matrix <= 2.0.1 – Cross-Site Request Forgery

Affected Software: Preloader Matrix
CVE ID: CVE-2023-47685
CVSS Score: 4.3 (Medium)
Researcher/s: Skalucy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/97548879-f015-4adc-8a84-535d210ae0de

Youtube SpeedLoad <= 0.6.3 – Cross-Site Request Forgery

Affected Software: Youtube SpeedLoad
CVE ID: CVE-2023-47688
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9d11c022-9938-4a9e-be16-db986fdfa1c8

Plugin Name: Device Theme Switcher <= 3.0.2 – Cross-Site Request Forgery

Affected Software: Plugin Name: Device Theme Switcher
CVE ID: CVE-2023-47556
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9d64d711-f2d9-4447-9ac1-80c5ea51c23e

ImageMapper <= 1.2.6 – Cross-Site Request Forgery to Plugin Settings Change via ajax

Affected Software: ImageMapper
CVE ID: CVE-2023-5975
CVSS Score: 4.3 (Medium)
Researcher/s: István Márton
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a128018b-f19b-4b18-a53c-cf1310d3d0e7

WP Full Stripe Free <= 1.6.1 – Cross-Site Request Forgery

Affected Software: WP Full Stripe Free
CVE ID: CVE-2023-47667
CVSS Score: 4.3 (Medium)
Researcher/s: LEE SE HYOUNG (hackintoanetwork)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a4f7211b-0ff0-406e-9a0a-2dd7b1314d6d

MSHOP MY SITE <= 1.1.6 – Missing Authorization via update_settings

Affected Software: 코드엠샵 마이사이트 – MSHOP MY SITE
CVE ID: CVE-2023-47243
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bc2cbf43-3e8a-4364-9355-6d6587204c1c

Plainview Protect Passwords <= 1.4 – Cross-Site Request Forgery

Affected Software: Plainview Protect Passwords
CVE ID: CVE-2023-47664
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bc59b997-a8e2-4c75-aa5f-36cc5a66326e

UserHeat Plugin <= 1.1.6 – Cross-Site Request Forgery

Affected Software: UserHeat Plugin
CVE ID: CVE-2023-47553
CVSS Score: 4.3 (Medium)
Researcher/s: LEE SE HYOUNG (hackintoanetwork)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c03b5670-9f7e-4001-ba90-197559b794a1

Easy Social Icons <= 3.2.4 – Missing Authorization via cnss_save_ajax_order

Affected Software: Easy Social Icons
CVE ID: CVE-2023-33998
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Anh Tien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c3bdc0c4-34fb-43cc-ba2b-340347bca146

Auto Tag Creator <= 1.0.2 – Missing Authorization via tag_save_settings_callback

Affected Software: Auto Tag Creator
CVE ID: CVE-2023-47523
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d4b6d2c6-d157-4c4c-b6e1-557b8353c742

Droit Dark Mode <= 1.1.2 – Cross-Site Request Forgery

Affected Software: Droit Dark Mode
CVE ID: CVE-2023-47531
CVSS Score: 4.3 (Medium)
Researcher/s: Elliot
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e3afaa85-9eb5-4cc4-883a-11d42504a8e1

Visitors Traffic Real Time Statistics <= 7.2 – Missing Authorization via multiple AJAX actions

Affected Software: Visitor Traffic Real Time Statistics
CVE ID: CVE-2023-47557
CVSS Score: 4.3 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f4aac424-abf3-4d6c-a0a4-a95e2cf89864

ProfileGrid <= 5.6.6 – Cross-Site Request Forgery

Affected Software: ProfileGrid – User Profiles, Memberships, Groups and Communities
CVE ID: CVE-2023-47644
CVSS Score: 4.3 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f58efd6c-58f2-464b-8aaf-f4f5c4c52f09

ARI Stream Quiz <= 1.3.0 – Authenticated(Contributor+) Content Injection

Affected Software: ARI Stream Quiz – WordPress Quizzes Builder
CVE ID: CVE-2023-47513
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fa6fc22e-0d30-4c4b-8c8d-13f04ed1aa7c

Image Hover Effects <= 5.5 – Cross-Site Request Forgery

Affected Software: Image Hover Effects – WordPress Plugin
CVE ID: CVE-2023-47552
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fb947f1f-8cce-448d-9c86-1d3c01a4637d

Job Manager & Career <= 1.4.3 – Sensitive Information Exposure

Affected Software: Job Manager & Career – Manage job board listings, and recruitments
CVE ID: CVE-2023-5906
CVSS Score: 3.7 (Low)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c66bc0b1-c157-4c05-ae9d-0927863c6b95

As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

Wordfence Intelligence Weekly WordPress Vulnerability Report (November 6, 2023 to November 12, 2023)

Total Unpatched & Patched Vulnerabilities Last Week

Total Vulnerabilities by CVSS Severity Last Week

Total Vulnerabilities by CWE Type Last Week

Researchers That Contributed to WordPress Security Last Week

WordPress Plugins with Reported Vulnerabilities Last Week

Vulnerability Details

Comments

Breaking WordPress Security Research in your inbox as it happens.

Cookie Options

Strictly Necessary

Performance/Analytical

Targeting