Wordfence Intelligence Weekly WordPress Vulnerability Report (January 22, 2024 to January 28, 2024)


🎉 Did you know we’re running a Bug Bounty Extravaganza again?

Earn over 6x our usual bounty rates, up to $10,000,  for all vulnerabilities submitted through February 29th, 2024 when you opt to have Wordfence handle responsible disclosure!


Last week, there were 52 vulnerabilities disclosed in 42 WordPress Plugins and no WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 26 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 12,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.


Total Unpatched & Patched Vulnerabilities Last Week

Patch Status Number of Vulnerabilities
Unpatched 15
Patched 37

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating Number of Vulnerabilities
Low Severity 0
Medium Severity 46
High Severity 5
Critical Severity 1

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) 25
Cross-Site Request Forgery (CSRF) 8
Missing Authorization 5
Improper Access Control 5
Deserialization of Untrusted Data 2
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) 2
Use of Insufficiently Random Values 1
Improper Control of Generation of Code (‘Code Injection’) 1
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) 1
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) 1
Inappropriate Source Code Style or Formatting 1

Researchers That Contributed to WordPress Security Last Week

Researcher Name Number of Vulnerabilities
Bob Matyas 8
Webbernaut 6
Francesco Carlucci 6
Krzysztof Zając 5
Daniel Ruf 4
Sh 2
Majed Refaea 2
Yuki Haruma 1
Tobias Weißhaar (kun_19) 1
Le Ngoc Anh 1
Byeongjun Jo 1
Pedro Cuco (Illex) 1
Bence Szalai 1
arpeetrathi 1
stealthcopter 1
Sam Pizzey (mopman) 1
Colin Xu 1
Ahmed Algohary 1
Akbar Kustirama 1
kodaichodai 1
Dipak Panchal (th3.d1p4k) 1
Nex Team 1
drop 1
Ma Long 1
SudoBash 1
Richard Telleng (stueotue) 1

 

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.


WordPress Plugins with Reported Vulnerabilities Last Week

Software Name Software Slug
(Simply) Guest Author Name guest-author-name
10Web AI Assistant – AI content writing assistant ai-assistant-by-10web
AMP for WP – Accelerated Mobile Pages accelerated-mobile-pages
Add SVG Support for Media Uploader | inventivo add-svg-support-for-media-uploader-inventivo
Advanced Database Cleaner advanced-database-cleaner
Advanced Schedule Posts advanced-schedule-posts
Allow SVG allow-svg
Backuply – Backup, Restore, Migrate and Clone backuply
Better Follow Button for Jetpack better-follow-button-for-jetpack
Better Search Replace better-search-replace
Category Discount Woocommerce woo-product-category-discount
Content Views – Post Grid, Slider, Accordion (Gutenberg Blocks and Shortcode) content-views-query-and-display-post-page
Elementor Addons by Livemesh addons-for-elementor
Exclusive Addons for Elementor exclusive-addons-for-elementor
File Manager wp-file-manager
File Manager Pro wp-file-manager-pro
Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder form-maker
Formidable Forms – Contact Form, Survey, Quiz, Payment, Calculator Form & Custom Form Builder formidable
InstaWP Connect – 1-click WP Staging & Migration instawp-connect
Mang Board WP mangboard
Marketing Twitter Bot wordpress-twitterbot
Meks Smart Social Widget meks-smart-social-widget
PDF Generator For Fluent Forms – The Contact Form Plugin fluentforms-pdf
PDF Poster – PDF Embedder Plugin for WordPress pdf-poster
Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions paid-memberships-pro
SVG Uploads Support svg-uploads-support
Sticky Buttons – floating buttons builder sticky-buttons
Ultimate Noindex Nofollow Tool ultimate-noindex-nofollow-tool
Views for WPForms – Display & Edit WPForms Entries on your site frontend views-for-wpforms-lite
WP Customer Area customer-area
WP Dashboard Notes wp-dashboard-notes
WP Go Maps (formerly WP Google Maps) wp-google-maps
WP RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging wp-rss-aggregator
WP-Reply Notify wp-reply-notify
WPFront Notification Bar wpfront-notification-bar
WebSub (FKA. PubSubHubbub) pubsubhubbub
WolfNet IDX for WordPress wolfnet-idx-for-wordpress
WordPress Button Plugin MaxButtons maxbuttons
WordPress Simple Shopping Cart wordpress-simple-paypal-shopping-cart
aBitGone CommentSafe abitgone-commentsafe
coreActivity: Activity Logging plugin for WordPress coreactivity
illi Link Party! link-party

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

Better Search Replace <= 1.4.4 – Unauthenticated PHP Object Injection

Affected Software: Better Search Replace
CVE ID: CVE-2023-6933
CVSS Score: 9.8 (Critical)
Researcher/s: Sam Pizzey (mopman)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/895f2db1-a2ed-4a17-a4f6-cd13ee8f84af

File Manager Pro <= 8.3.4 – Authenticated (Subscriber+) Arbitrary File Upload

Affected Software: File Manager Pro
CVE ID: CVE-2023-6846
CVSS Score: 8.8 (High)
Researcher/s: Tobias Weißhaar (kun_19)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1e8e0257-a745-495f-a103-c032b95209fc

InstaWP Connect <= 0.1.0.9 – Authenticated (Subscriber+) SQL Injection

Affected Software: InstaWP Connect – 1-click WP Staging & Migration
CVE ID: CVE-2024-23507
CVSS Score: 8.8 (High)
Researcher/s: Majed Refaea
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/578cf704-e84d-469f-bf26-e60268506a78

File Manager <= 7.2.1 – Sensitive Information Exposure via Backup Filenames

Affected Software: File Manager
CVE ID: CVE-2024-0761
CVSS Score: 8.1 (High)
Researcher/s: Yuki Haruma
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1928f8e4-8bbe-4a3f-8284-aa12ca2f5176

illi Link Party! <= 1.0 – Unauthenticated Stored Cross-Site Scripting

Affected Software: illi Link Party!
CVE ID: CVE-2023-7228
CVSS Score: 7.2 (High)
Researcher/s: Bob Matyas
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9df6d75b-a141-41a8-b965-6be7acee582d

coreActivity <= 1.8 – Unauthenticated Stored Cross-Site Scripting

Affected Software: coreActivity: Activity Logging plugin for WordPress
CVE ID: CVE-2024-0852
CVSS Score: 7.2 (High)
Researcher/s: Ahmed Algohary
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a2432a0a-d262-4460-bd2d-2cb200d51f6f

Advanced Database Cleaner <= 3.1.3 – Authenticated(Administrator+) PHP Object Injection via process_bulk_action

Affected Software: Advanced Database Cleaner
CVE ID: CVE-2024-0668
CVSS Score: 6.6 (Medium)
Researcher/s: Richard Telleng (stueotue)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e0b8c24b-3e51-4637-9d8e-da065077d082

10Web AI Assistant – AI content writing assistant <= 1.0.18 – Missing Authorization to Arbitrary Plugin Installation

Affected Software: 10Web AI Assistant – AI content writing assistant
CVE ID: CVE-2023-6985
CVSS Score: 6.5 (Medium)
Researcher/s: Krzysztof Zając
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/229245a5-468d-47b9-8f26-d23d593e91da

Backuply – Backup, Restore, Migrate and Clone <= 1.2.3 – Authenticated (Administrator+) Directory Traversal

Affected Software: Backuply – Backup, Restore, Migrate and Clone
CVE ID: CVE-2024-0697
CVSS Score: 6.5 (Medium)
Researcher/s: Bence Szalai
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/70effa22-fbf6-44cb-9d1b-8625969c10ac

Elementor Addons by Livemesh <= 8.3.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Elementor Addons by Livemesh
CVE ID: CVE-2024-0448
CVSS Score: 6.4 (Medium)
Researcher/s: Webbernaut
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/058d1aa0-2ef6-49a4-b978-43a91c8e55f3

(Simply) Guest Author Name <= 4.34 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: (Simply) Guest Author Name
CVE ID: CVE-2024-0254
CVSS Score: 6.4 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0e9e2864-6624-497f-8bec-df8360ed3f4a

Add SVG Support for Media Uploader | inventivo <= 1.0.5 – Authenticated (Author+) Stored Cross-Site Scripting via SVG

Affected Software: Add SVG Support for Media Uploader | inventivo
CVE ID: CVE-2023-7088
CVSS Score: 6.4 (Medium)
Researcher/s: Bob Matyas
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6ca2d1d4-fcf8-4943-b9c5-9560968ae2d8

Exclusive Addons for Elementor <= 2.6.8 – Authenticated (Contributor+) Stored Cross-Site Scripting via Link Anything

Affected Software: Exclusive Addons for Elementor
CVE ID: CVE-2024-0824
CVSS Score: 6.4 (Medium)
Researcher/s: Webbernaut
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/925b0a86-ed23-471c-84e2-ae78a01b1876

SVG Uploads Support <= 2.1.1 – Authenticated (Author+) Stored Cross-Site Scripting via SVG

Affected Software: SVG Uploads Support
CVE ID: CVE-2023-7086
CVSS Score: 6.4 (Medium)
Researcher/s: Bob Matyas
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ad95f0b2-4d96-4f62-b495-050a89539177

WordPress Button Plugin MaxButtons <= 9.7.6 – Authenticated(Contributor+) Stored Cross-Site Scripting via shortcode

Affected Software: WordPress Button Plugin MaxButtons
CVE ID: CVE-2023-7029
CVSS Score: 6.4 (Medium)
Researcher/s: Webbernaut
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bca0e8a0-d837-42d8-a9d3-35e0c820eb43

Allow SVG <= 1.1 – Authenticated (Author+) Stored Cross-Site Scripting via SVG

Affected Software: Allow SVG
CVE ID: CVE-2023-6541
CVSS Score: 6.4 (Medium)
Researcher/s: Bob Matyas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ee725cff-959d-4078-9c2e-2d52bb904ca0

aBitGone CommentSafe <= 1.0.0 – Cross-Site Request Forgery to Settings Update and Cross-Site Request Forgery

Affected Software: aBitGone CommentSafe
CVE ID: CVE-2023-7174
CVSS Score: 6.1 (Medium)
Researcher/s: Daniel Ruf
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2375027c-9619-40fc-811d-7f4ba02bee53

PDF Poster – PDF Embedder Plugin for WordPress <= 2.1.17 – Reflected Cross-Site Scripting

Affected Software: PDF Poster – PDF Embedder Plugin for WordPress
CVE ID: CVE-2024-23508
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/341516d3-b785-4daf-98de-76f4f94b8c96

Ultimate Noindex Nofollow Tool <= 1.1.2 – Cross-Site Request Forgery to Settings Update

Affected Software: Ultimate Noindex Nofollow Tool
CVE ID: CVE-2023-7196
CVSS Score: 6.1 (Medium)
Researcher/s: Daniel Ruf
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3d7ca3ff-eae4-425f-8340-9d9b4952ce4a

Advanced Schedule Posts <= 2.1.8 – Reflected Cross-Site Scripting

Affected Software: Advanced Schedule Posts
CVE ID: CVE-2024-0249
CVSS Score: 6.1 (Medium)
Researcher/s: Krzysztof Zając
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/47122866-8e40-42bc-84ed-60fc81247320

WP Customer Area <= 8.2.2 – Reflected Cross-Site Scripting

Affected Software: WP Customer Area
CVE ID: CVE-2024-0665
CVSS Score: 6.1 (Medium)
Researcher/s: Krzysztof Zając
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/567d62ec-e868-45e2-b07a-8cc661d7c5e1

Accelerated Mobile Pages <= 1.0.92.1 – Reflected Cross-Site Scripting

Affected Software: AMP for WP – Accelerated Mobile Pages
CVE ID: CVE-2024-0587
CVSS Score: 6.1 (Medium)
Researcher/s: stealthcopter
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/85ca96a6-7992-424b-8b88-9a0751925223

WP Go Maps (formerly WP Google Maps) <= 9.0.28 – Reflected Cross-Site Scripting

Affected Software: WP Go Maps (formerly WP Google Maps)
CVE ID: CVE-2023-6697
CVSS Score: 6.1 (Medium)
Researcher/s: Nex Team
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b3c3115b-8921-429d-b517-b946edab1cd5

Formidable Forms <= 6.7.2 – Cross-Site Request Forgery to Stored Cross-Site Scripting

Affected Software: Formidable Forms – Contact Form, Survey, Quiz, Payment, Calculator Form & Custom Form Builder
CVE ID: CVE-2024-0660
CVSS Score: 6.1 (Medium)
Researcher/s: Webbernaut
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b983d22b-6cd2-4450-99e2-88bb149091fe

Marketing Twitter Bot <= 1.11 – Cross-Site Request Forgery to Settings Update and Cross-Site Scripting

Affected Software: Marketing Twitter Bot
CVE ID: CVE-2023-7197
CVSS Score: 6.1 (Medium)
Researcher/s: Daniel Ruf
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e2795202-64e6-488b-a0e1-da2923f6f791

Exclusive Addons for Elementor <= 2.6.8 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Exclusive Addons for Elementor
CVE ID: CVE-2024-0823
CVSS Score: 5.4 (Medium)
Researcher/s: Webbernaut
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2c5cdc3f-eaa6-4d0b-9e75-5483c723e15a

Form-Maker (twb_form-maker) <= 1.15.21 – Cross-Site Request Forgery to Limited Code Execution via Execute

Affected Software: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder
CVE ID: CVE-2024-0667
CVSS Score: 5.4 (Medium)
Researcher/s: SudoBash
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d55c832b-f558-4e8a-8301-33dd38d39ef1

illi Link Party! <= 1.0 – Missing Authorization to Unauthenticated Arbitrary Link Deletion

Affected Software: illi Link Party!
CVE ID: CVE-2023-7231
CVSS Score: 5.3 (Medium)
Researcher/s: Bob Matyas
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3d68293a-b98b-41e0-9f79-ccd2c0108e82

Category Discount Woocommerce <= 4.12 – Missing Authorization via wpcd_save_discount()

Affected Software: Category Discount Woocommerce
CVE ID: CVE-2024-0617
CVSS Score: 5.3 (Medium)
Researcher/s: Krzysztof Zając
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/996b44bb-d1e0-4f82-b8ee-a98b0ae994f9

Paid Memberships Pro <= 2.12.7 – Cross-Site Request Forgery to Level Orders Update

Affected Software: Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions
CVE ID: CVE-2024-0624
CVSS Score: 5.3 (Medium)
Researcher/s: kodaichodai
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ae68d083-b6e2-409b-8c91-d4eb7e62dba9

Category Discount Woocommerce <= 4.11 – Cross-Site Request Forgery via wpcd_save_discount()

Affected Software: Category Discount Woocommerce
CVE ID: CVE-2024-0617
CVSS Score: 5.3 (Medium)
Researcher/s: Krzysztof Zając
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f04dee5b-d16f-4ef0-88a4-1567e2287bd5

PDF Generator For Fluent Forms <= 1.1.7 – Cross-Site Scripting

Affected Software: PDF Generator For Fluent Forms – The Contact Form Plugin
CVE ID: CVE-2023-6953
CVSS Score: 4.9 (Medium)
Researcher/s: drop
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b6675c48-43d4-4394-a4a3-f753bdaa5c4e

WPFront Notification Bar <= 3.3.2 – Authenticated (Admin+) Stored Cross-Site Scripting via wpfront-notification-bar-options[custom_class]

Affected Software: WPFront Notification Bar
CVE ID: CVE-2024-0625
CVSS Score: 4.4 (Medium)
Researcher/s: Sh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/19a5a9f3-637c-42af-9775-5651a14cf516

Mang Board WP <= 1.7.7 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Mang Board WP
CVE ID: CVE-2024-22306
CVSS Score: 4.4 (Medium)
Researcher/s: Byeongjun Jo
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4d8cfcdc-6258-4629-a3b4-d65e44ac82f1

Meks Smart Social Widget <= 1.6.3 – Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: Meks Smart Social Widget
CVE ID: CVE-2024-0664
CVSS Score: 4.4 (Medium)
Researcher/s: arpeetrathi
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/722aae99-fcfb-4234-9245-5db57aaa03c5

WP RSS Aggregator <= 4.23.4 – Authenticated (Admin+) Stored Cross-Site Scripting via RSS Feed Source

Affected Software: WP RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging
CVE ID: CVE-2024-0630
CVSS Score: 4.4 (Medium)
Researcher/s: Colin Xu
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/93cb3b29-b1a0-4d40-a057-1b41f3b181f2

Content Views <= 3.6.2 – Authenticated(Administrator+) Stored Cross-Site Scripting via settings

Affected Software: Content Views – Post Grid, Slider, Accordion (Gutenberg Blocks and Shortcode)
CVE ID: CVE-2024-0612
CVSS Score: 4.4 (Medium)
Researcher/s: Akbar Kustirama
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/aa4377a8-bcf4-45ba-824b-3505bd8e8c61

WordPress Simple Shopping Cart <= 4.7.1 – Authenticated(Administrator+) Stored Cross-Site Scripting

Affected Software: WordPress Simple Shopping Cart
CVE ID: CVE-2023-6497
CVSS Score: 4.4 (Medium)
Researcher/s: Webbernaut
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ac6201a1-7ca9-461b-b9ad-16407120dfae

Sticky Buttons <= 3.2.2 – Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: Sticky Buttons – floating buttons builder
CVE ID: CVE-2024-0703
CVSS Score: 4.4 (Medium)
Researcher/s: Dipak Panchal (th3.d1p4k)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b3c070be-e955-4076-9878-0b1044766397

WolfNet IDX for WordPress <= 1.19.1 – Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: WolfNet IDX for WordPress
CVE ID: CVE-2023-6783
CVSS Score: 4.4 (Medium)
Researcher/s: Ma Long
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c226ca9a-8a2e-4e56-a039-96c31526a379

illi Link Party! <= 1.0 – Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: illi Link Party!
CVE ID: CVE-2023-7230
CVSS Score: 4.4 (Medium)
Researcher/s: Bob Matyas
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cbf193ef-e172-4fe3-9bff-b5cbac9adb54

WebSub (FKA. PubSubHubbub) <= 3.1.4 – Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: WebSub (FKA. PubSubHubbub)
CVE ID: CVE-2024-0688
CVSS Score: 4.4 (Medium)
Researcher/s: Sh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f07b166b-3436-4797-a2df-096ff7c27a09

Better Follow Button for Jetpack <= 8.0 – Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: Better Follow Button for Jetpack
CVE ID: CVE-2023-7168
CVSS Score: 4.4 (Medium)
Researcher/s: Bob Matyas
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fec06875-f6b4-4e57-917f-e80ece3744e1

Views for WPForms <= 3.2.2 – Missing Authorization via get_form_fields

Affected Software: Views for WPForms – Display & Edit WPForms Entries on your site frontend
CVE ID: CVE-2024-0372
CVSS Score: 4.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2ab58add-ab81-4c84-b773-7daf382492b0

Views for WPForms <= 3.2.2 – Cross-Site Request Forgery via create_view

Affected Software: Views for WPForms – Display & Edit WPForms Entries on your site frontend
CVE ID: CVE-2024-0374
CVSS Score: 4.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/34c0c676-37f9-49f2-ad50-2d70831fda53

Views for WPForms <= 3.2.2 – Missing Authorization via save_view

Affected Software: Views for WPForms – Display & Edit WPForms Entries on your site frontend
CVE ID: CVE-2024-0370
CVSS Score: 4.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3c4c8113-4c46-4179-9c7f-9d5d4337254d

WP Dashboard Notes <= 1.0.10 – Missing Authorization to Arbitrary Private Notes Update

Affected Software: WP Dashboard Notes
CVE ID: CVE-2023-7239
CVSS Score: 4.3 (Medium)
Researcher/s: Pedro Cuco (Illex)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/64a36778-c17c-44ee-8b09-c221d27184f8

WP-Reply Notify <= 1.1 – Cross-Site Request Forgery to Settings Update

Affected Software: WP-Reply Notify
CVE ID: CVE-2023-7195
CVSS Score: 4.3 (Medium)
Researcher/s: Daniel Ruf
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/837e596e-a4a7-4fcf-a761-aed35a789770

InstaWP Connect <= 0.1.0.9 – Missing Authorization to Sensitive Information Dislcosure

Affected Software: InstaWP Connect – 1-click WP Staging & Migration
CVE ID: CVE-2024-23506
CVSS Score: 4.3 (Medium)
Researcher/s: Majed Refaea
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9a184384-9162-4509-957b-d97dd4089856

Views for WPForms <= 3.2.2 – Missing Authorization via create_view

Affected Software: Views for WPForms – Display & Edit WPForms Entries on your site frontend
CVE ID: CVE-2024-0371
CVSS Score: 4.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a9565693-fd0b-4412-944c-81b3cd79492e

illi Link Party! <= 1.0 – Cross-Site Request Forgery to Settings Update

Affected Software: illi Link Party!
CVE ID: CVE-2023-7229
CVSS Score: 4.3 (Medium)
Researcher/s: Bob Matyas
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/acd6b604-45dd-4688-a9b9-fabb12c418e2

Views for WPForms <= 3.2.2 – Cross-Site Request Forgery via save_view

Affected Software: Views for WPForms – Display & Edit WPForms Entries on your site frontend
CVE ID: CVE-2024-0373
CVSS Score: 4.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e2273c53-bc8a-45c7-914d-a3b934c2cb18

As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

Did you enjoy this post? Share it!

Comments

No Comments