Note: We accidentally sent out an email for this report with last week's subject line. Due to the subject line not being very different week to week for this report, we opted to just leave it as is and not send a follow-up email. We apologize for this error on our part!
Last week, there were 69 vulnerabilities disclosed in 68 WordPress Plugins and 1 WordPress theme that have been added to the Wordfence Intelligence Vulnerability Database, and there were 29 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface and vulnerability API are completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.
Click here to sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
- WAF-RULE-618 – Information redacted while we work with the developer to ensure this gets patched.
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30-day delay.
Total Unpatched & Patched Vulnerabilities Last Week
Patch Status | Number of Vulnerabilities |
Unpatched | 16 |
Patched | 53 |
Total Vulnerabilities by CVSS Severity Last Week
Severity Rating | Number of Vulnerabilities |
Low Severity | 0 |
Medium Severity | 52 |
High Severity | 17 |
Critical Severity | 0 |
Total Vulnerabilities by CWE Type Last Week
Vulnerability Type by CWE | Number of Vulnerabilities |
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 25 |
Cross-Site Request Forgery (CSRF) | 14 |
Missing Authorization | 14 |
Server-Side Request Forgery (SSRF) | 3 |
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 3 |
Information Exposure | 3 |
Authorization Bypass Through User-Controlled Key | 2 |
Unprotected Storage of Credentials | 1 |
Incorrect Authorization | 1 |
Use of Less Trusted Source | 1 |
URL Redirection to Untrusted Site (‘Open Redirect’) | 1 |
Incorrect Privilege Assignment | 1 |
Researchers That Contributed to WordPress Security Last Week
Researcher Name | Number of Vulnerabilities |
Rafie Muhammad | 8 |
Mika | 6 |
Lana Codes (Wordfence Vulnerability Researcher) | 5 |
LEE SE HYOUNG | 3 |
Erwan LR | 3 |
Phd | 3 |
Alex Thomas (Wordfence Vulnerability Researcher) | 3 |
Abdi Pranata | 3 |
Yuki Haruma | 2 |
emad | 2 |
Nguyen Xuan Chien | 2 |
Le Hong Minh | 2 |
Dave Jong | 2 |
Andreas Damen | 1 |
yuyudhn | 1 |
Fariq Fadillah Gusti Insani | 1 |
Nithissh S | 1 |
Ullash Raj | 1 |
Emili Castells | 1 |
Rafshanzani Suhada | 1 |
Bob Matyas | 1 |
Ravi Dharmawan | 1 |
Paul Goodchild | 1 |
Skalucy | 1 |
Cat | 1 |
WPScanTeam | 1 |
Kindaichi Hiro | 1 |
Shreya Pohekar | 1 |
Rio Darmawan | 1 |
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
Software Name | Software Slug |
ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup | armember-membership |
All-In-One Security (AIOS) – Security and Firewall | all-in-one-wp-security-and-firewall |
Art Direction | art-direction |
Authors List | authors-list |
BookingPress – Appointment Booking Calendar Plugin and Online Scheduling Plugin | bookingpress-appointment-booking |
BuddyPress Builder for Elementor – BuddyBuilder | stax-buddy-builder |
Buy Me a Coffee – Button and Widget Plugin | buymeacoffee |
Checkout with Zelle on Woocommerce | wc-zelle |
Coming Soon Chop Chop | cc-coming-soon |
Contact Form Plugin – Fastest Contact Form Builder Plugin for WordPress by Fluent Forms | fluentform |
Custom Field For WP Job Manager | custom-field-for-wp-job-manager |
Custom Fields for WooCommerce | addify-custom-fields-for-woocommerce |
Custom Registration Forms Builder for WooCommerce | addify-custom-registration-forms-builder |
DirectoryPress – Business Directory And Classified Ad Listing | directorypress |
Dovetail | dovetail |
Drag & Drop Sales Funnel Builder for WordPress – WPFunnels | wpfunnels |
Export and Import Users and Customers | users-customers-import-export-for-wp-woocommerce |
Falang multilanguage for WordPress | falang |
Forminator – Contact Form, Payment Form & Custom Form Builder | forminator |
Grid Kit Premium | grid-kit-premium |
HTTP Headers | http-headers |
IP2Location Country Blocker | ip2location-country-blocker |
Image Watermark for WooCommerce | addify-image-watermark-for-woocommerce |
Integrate Google Drive – Browse, Upload, Download, Embed, Play, Share, Gallery, and Manage Your Google Drive Files Into Your WordPress Site | integrate-google-drive |
Integration for Contact Form 7 and Salesforce | cf7-salesforce |
JetFormBuilder — Dynamic Blocks Form Builder | jetformbuilder |
KB Support – WordPress Help Desk | kb-support |
MF Gig Calendar | mf-gig-calendar |
Mail Control – Email Customizer, SMTP Deliverability, logging, open and click Tracking | mail-control |
MailArchiver | mailarchiver |
Media Library Assistant | media-library-assistant |
OptiMonk: Popups, Personalization & A/B Testing | exit-intent-popups-by-optimonk |
POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress | post-smtp |
Premium Addons Pro for Elementor | premium-addons-pro |
Price Calculator for WooCommerce | addify-price-calculator-for-woocommerce |
Product Dynamic Pricing and Discounts for WooCommerce | addify-product-dynamic-pricing-and-discounts |
Radio Forge Muses Player with Skins | radio-forge |
Replace Word | replace-word |
School Management System – WPSchoolPress | wpschoolpress |
Short URL | shorten-url |
Shortcode IMDB | shortcode-imdb |
Social Media Icons Widget | spoontalk-social-media-icons-widget |
Social Share, Social Login and Social Comments Plugin – Super Socializer | super-socializer |
Spectra – WordPress Gutenberg Blocks | ultimate-addons-for-gutenberg |
Terms descriptions | terms-descriptions |
Twittee Text Tweet | twittee-text-tweet |
User Activity Log | user-activity-log |
Variation Images Gallery for WooCommerce | woo-product-variation-gallery |
Variation Swatches for WooCommerce | woo-product-variation-swatches |
WP Default Feature Image | wp-default-feature-image |
WP Social AutoConnect | wp-fb-autoconnect |
WP Testimonials | testimonial-widgets |
WPAdmin AWS CDN | aws-cdn-by-wpadmin |
WooCommerce Abandoned Cart Recovery | addify-abandoned-cart-recovery |
WooCommerce Advanced Free Gifts | addify-free-gifts-woocommerce |
WooCommerce Checkout Field Manager | addify-checkout-fields-manager |
WooCommerce Custom Order Number | addify-custom-order-number |
WooCommerce Gift Registry | addify-gift-registry-for-woocommerce |
WooCommerce GoCardless Gateway | woocommerce-gateway-gocardless |
WooCommerce Order Approval | addify-order-approval-woocommerce |
WooCommerce Order Tracking | addify-order-tracking-for-woocommerce |
WooCommerce Pre-Orders | woocommerce-pre-orders |
WooCommerce Product Labels and Stickers | addify-product-labels-and-stickers |
WooCommerce Product Stock Alert | woocommerce-product-stock-alert |
WooCommerce Ship to Multiple Addresses | woocommerce-shipping-multiple-addresses |
WooCommerce Warranty Requests | woocommerce-warranty |
Zippy | zippy |
cartflows-pro | cartflows-pro |
WordPress Themes with Reported Vulnerabilities Last Week
Software Name | Software Slug |
RealHomes | realhomes |
Vulnerability Details
Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities.
JetFormBuilder <= 3.0.8 – Authenticated (Author+) Privilege Escalation
CVE ID: CVE-2023-37866
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e9d58191-769c-4632-a086-4dbce9bfb6ad
Spectra <= 2.6.6 – Authenticated (Contributor+) Server-Side Request Forgery in import_wpforms
CVE ID: CVE-2023-36679
CVSS Score: 8.5 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5886128e-e72f-4d84-8c17-1ed4a0fcc17e
User Activity Log <= 1.6.2 – Unauthenticated SQL Injection via username
CVE ID: CVE Unknown
CVSS Score: 8.1 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8483196e-f476-41e5-a988-bcd8a9952a64
Checkout with Zelle on Woocommerce <= 3.1 – Missing Authorization
CVE ID: CVE-2023-37969
CVSS Score: 7.3 (High)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2ad5544a-6694-41e4-940f-fa96daf4b41d
Integrate Google Drive <= 1.1.99 – Missing Authorization via REST API Endpoints
CVE ID: CVE-2023-32117
CVSS Score: 7.3 (High)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6fe8b2c8-3bb1-463a-a64c-15d7bcc29985
Buy Me a Coffee – Button and Widget Plugin <= 3.7 – Missing Authorization
CVE ID: CVE-2023-2078
CVSS Score: 7.3 (High)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c1c218c6-1599-4dc9-846f-e0ef74821488
RealHomes <= 4.0.2 – Missing Authorization
CVE ID: CVE-2023-37885
CVSS Score: 7.3 (High)
Researcher/s: Dave Jong
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d918b6ae-a72c-48dc-885b-19be49d578dc
DirectoryPress <= 3.6.2 – Missing Authorization
CVE ID: CVE-2023-37967
CVSS Score: 7.3 (High)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f75f83bf-3c86-44e9-b535-cd721061ee93
Export and Import Users and Customers <= 2.4.1 – Missing Authorization to Authenticated (Shop Manager) Arbitrary User Password Change
CVE ID: CVE-2023-3459
CVSS Score: 7.2 (High)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/47337214-9cc3-4b12-bb71-9acbab3649b7
User Activity Log <= 1.6.2 – Authenticated (Administrator+) SQL Injection
CVE ID: CVE-2023-37966
CVSS Score: 7.2 (High)
Researcher/s: LEE SE HYOUNG
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/64be6e85-00c9-49f5-9ee2-08dbe434a848
Post SMTP <= 2.5.7 – Unauthenticated Stored Cross-Site Scripting via Email
CVE ID: CVE-2023-3082
CVSS Score: 7.2 (High)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6ecd0fa6-4fdb-4780-9560-0bb126800685
Mail Control <= 0.2.8 – Unauthenticated Stored Cross-Site Scripting via Email Subject
CVE ID: CVE-2023-3158
CVSS Score: 7.2 (High)
Researcher/s: Alex Thomas
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/77537eb8-1c84-4702-aba1-727b0de1c3e1
FluentForm <= 4.3.25 – Authenticated (Administrator+) SQL Injection
CVE ID: CVE-2023-24410
CVSS Score: 7.2 (High)
Researcher/s: Ravi Dharmawan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/954e7509-3ebf-429a-8c65-9825ea190d53
Radio Forge Muses Player with Skins <= 2.5 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-37976
CVSS Score: 7.2 (High)
Researcher/s: Le Hong Minh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ad20ddd2-33d0-4d49-bca0-ea2a829da6c8
MailArchiver <= 2.10.1 – Unauthenticated Stored Cross-Site Scripting via Email Subject
CVE ID: CVE-2023-3136
CVSS Score: 7.2 (High)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ce330cae-c2f8-42f3-822b-ca24bf46e433
Buy Me a Coffee – Button and Widget Plugin <= 3.7 – Cross-Site Request Forgery
CVE ID: CVE-2023-2079
CVSS Score: 7.1 (High)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6309258e-e4fc-4edf-a771-2d82a9a85a5c
Integration for Contact Form 7 and Salesforce <= 1.3.3 – Open Redirect
CVE ID: CVE-2023-37982
CVSS Score: 7.1 (High)
Researcher/s: Le Hong Minh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e64a688c-c150-4b10-81ef-bbe7f6dd1b8e
Zippy <= 1.6.2 – Missing Authorization via adminInit
CVE ID: CVE-2023-34381
CVSS Score: 6.5 (Medium)
Researcher/s: Emili Castells
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6ffb078c-2a92-4682-aaa9-c519e28e7e18
Download IP2Location Country Blocker <= 2.29.1 – Bypass via IP Spoofing
CVE ID: CVE-2023-37865
CVSS Score: 6.5 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/814fd060-8781-46ad-86e6-e2b75a7fffc0
WooCommerce GoCardless Gateway <= 2.5.6 – Unauthenticated Insecure Direct Object Reference
CVE ID: CVE-2023-37871
CVSS Score: 6.5 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/aa174135-d7aa-44f1-8924-44313fc70a75
Art Direction <= 0.2.4 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-37983
CVSS Score: 6.4 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/31a145d5-3c0c-436f-a1ee-afff14ef2140
Super Socializer <= 7.13.53 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/755454cc-b1a8-4a38-9e73-c47a6ef562a2
MF Gig Calendar <= 1.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via event_title and event_time
CVE ID: CVE-2023-37970
CVSS Score: 6.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/93029d39-adaa-4cf6-9081-28c9e84ec2e5
Spectra <= 2.6.6 – Authenticated (Contributor+) Server-Side Request Forgery in template_importer
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b139260b-7741-4e35-b23f-896f23719739
Buy Me a Coffee – Button and Widget Plugin <= 3.6 – Authenticated (Subscriber+) Stored Cross-Site Scripting
CVE ID: CVE-2023-2082
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ed9f8948-085b-4ac5-befd-c70085aa23cd
WooCommerce Warranty Requests <= 2.1.9 – Missing Authorization
CVE ID: CVE-2023-37870
CVSS Score: 6.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/59b09f36-79e8-4f14-b970-a7994d193782
WooCommerce Ship to Multiple Addresses <= 3.8.5 – Missing Authorization
CVE ID: CVE-2023-37872
CVSS Score: 6.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8b32c517-ef6b-4cc9-8316-6289676d8222
RealHomes <= 4.0.2 – Missing Authorization
CVE ID: CVE-2023-37886
CVSS Score: 6.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d3ee6004-03d1-4216-b22e-0aadc1f4d9de
Forminator <= 1.24.1 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-3134
CVSS Score: 6.1 (Medium)
Researcher/s: Andreas Damen
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/00272fe2-52aa-4183-8b57-6b51ad57c657
Shortcode IMDB <= 6.0.8 – Cross-Site Request Forgery
CVE ID: CVE-2023-37892
CVSS Score: 6.1 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/088e0d77-06bf-4420-88fb-2c6f8051ece5
Authors List <= 2.0.2 – Reflected Cross-Site Scripting via al_id
CVE ID: CVE-2023-37981
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/09f590ad-c99a-4577-a709-98c88d3acc87
Grid Kit Premium < 2.2.0 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-3292
CVSS Score: 6.1 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5b3029c6-3a0f-4c83-8faf-f74d03852278
WPFunnels <= 2.7.16 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-37977
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5c1464ab-217e-4c66-94f8-49376755dba7
Media Library Assistant <= 3.07 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-34010
CVSS Score: 6.1 (Medium)
Researcher/s: Phd
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/639009f6-9877-45a9-b9f3-7256bc6f3360
Variation Swatches for WooCommerce <= 2.3.7 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-37975
CVSS Score: 6.1 (Medium)
Researcher/s: Phd
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/72a0df23-38cd-4926-9099-8eb652e05a15
CartFlows Pro <= 1.11.11 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-36686
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/85ba90ae-8144-42f0-90db-e7f2638fec47
Coming Soon Chop Chop <= 2.2.4 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-37893
CVSS Score: 6.1 (Medium)
Researcher/s: Phd
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8ae4ffe1-ecb6-4bde-8ac4-baeea82a0299
Variation Images Gallery for WooCommerce <= 2.3.3 – Reflected Cross-Site Scripting via style
CVE ID: CVE-2023-37894
CVSS Score: 6.1 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/aaf7107c-1e9f-4020-aed3-a6a687a0cf6c
Terms Descriptions <= 3.4.4 – Reflected Cross-Site Scripting via term_search
CVE ID: CVE-2023-28779
CVSS Score: 6.1 (Medium)
Researcher/s: Kindaichi Hiro
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d6a44d36-43e6-4785-b2bc-0b4b98d847e7
Twittee Text Tweet <= 1.0.8 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-0602
CVSS Score: 6.1 (Medium)
Researcher/s: Shreya Pohekar
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e16d8d28-e1e5-46ab-a64c-1da07747559e
All In One WP Security 5.1.9 – Plaintext Storage of Credentials
CVE ID: CVE Unknown
CVSS Score: 5.9 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/02066dcd-1f2f-4ed3-b1f4-7ea8711918e8
HTTP Headers <= 1.18.11 – Server-Side Request Forgery
CVE ID: CVE-2023-37978
CVSS Score: 5.5 (Medium)
Researcher/s: emad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/69971673-e317-452c-8c54-97de006a214f
WooCommerce Product Stock Alert <= 2.0.1 – Missing Authorization via API
CVE ID: CVE-2023-37971
CVSS Score: 5.4 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/09bdfade-85d0-4922-a83a-3e213adfa4ed
WPSchoolPress <= 2.2.3 – Missing Authorization
CVE ID: CVE-2023-37887
CVSS Score: 5.4 (Medium)
Researcher/s: Fariq Fadillah Gusti Insani
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1410d37a-fa8d-41e1-bed7-1c1436b52a83
WPFunnels <= 2.7.15 – Insecure Direct Object Reference
CVE ID: CVE Unknown
CVSS Score: 5.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/50b26952-bf59-4236-93b4-6b4928609c15
KB Support <= 1.5.88 – Missing Authorization to Sensitive Data Exposure
CVE ID: CVE-2023-37890
CVSS Score: 5.4 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7b24fe1d-1b21-4f8f-b66e-6df3bfc0e180
Falang multilanguage <= 1.3.39 – Cross-Site Request Forgery via add_language
CVE ID: CVE-2023-37968
CVSS Score: 5.4 (Medium)
Researcher/s: Skalucy
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ac10b30d-1fe3-46f4-a4fc-fa2acd7f9db4
Premium Addons PRO <= 2.9.0 – Missing Authorization
CVE ID: CVE-2023-37869
CVSS Score: 5.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/df6e5aee-e79d-4c3f-a0c4-47436ae7c1da
WP-FB-AutoConnect <= 4.6.1 – Cross-Site Request Forgery via jfb_admin_page
CVE ID: CVE-2023-37974
CVSS Score: 5.4 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/eab1fe39-dda2-49c9-9c76-c1127626a85c
WooCommerce Product Stock Alert <= 2.0.1 – Information Disclosure
CVE ID: CVE-2023-37972
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/91e1a199-f062-4555-ae7b-ed8732686303
BookingPress <= 1.0.64 – Unauthenticated Sensitive Information Exposure
CVE ID: CVE-2023-36507
CVSS Score: 5.3 (Medium)
Researcher/s: Paul Goodchild
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a720ad0e-6194-4df4-951e-e818518e79b5
Premium Addons PRO <= 2.9.0 – Sensitive Information Exposure
CVE ID: CVE-2023-37868
CVSS Score: 5.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f1fa1999-685c-4b68-927d-617abf9143d7
WP Default Feature Image <= 1.0.1.1 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-25488
CVSS Score: 4.4 (Medium)
Researcher/s: Nithissh S
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/380024dc-ed2a-4a7b-b5f8-47879ad2d659
Dovetail <= 1.2.13 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-25984
CVSS Score: 4.4 (Medium)
Researcher/s: Ullash Raj
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/52983bf6-908a-4287-b89e-cd09b4c48efe
Short URL <= 1.6.4 – Authenticated (Admin+) Stored Cross-Site Scripting
CVE ID: CVE-2023-3130
CVSS Score: 4.4 (Medium)
Researcher/s: Bob Matyas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/814fcd67-9788-4392-8910-7a2bc8782fd8
WooCommerce Ship to Multiple Addresses <= 3.8.5 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-37873
CVSS Score: 4.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b0ac43ba-cc49-4688-9efa-585551f3c40c
Custom Field For WP Job Manager <= 1.1 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-37980
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e651766b-705d-415d-90bc-8b4f4418222c
HTTP Headers <= 1.18.11 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-37874
CVSS Score: 4.4 (Medium)
Researcher/s: emad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fed4dd54-7a7e-483b-a623-3cf3392572b8
WooCommerce Pre-Orders <= 2.0.2 – Cross-Site Request Forgery to Order Cancellation
CVE ID: CVE-2023-3507
CVSS Score: 4.3 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/14e6e06c-edc0-44ef-ba07-50fcfc4fd7b1
BuddyBuilder – BuddyPress Builder for Elementor <= 1.7.3 – Cross-Site Request Forgery
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/23924342-3b1d-4360-bd87-104091283e35
WP Testimonials <= 1.4.2 – Cross-Site Request Forgery to Widget Deletion
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3ff59aa5-a2f2-4fe1-a0b6-d9b07b0fdb1a
KB Support <= 1.5.88 – Missing Authorization to Authenticated (Subscriber+) User Data Retrieval
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/55bb3620-c182-46c4-bc22-8526cf410cdb
Replace Word <= 2.1 – Cross-Site Request Forgery
CVE ID: CVE-2023-37973
CVSS Score: 4.3 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/75ddf732-ddb2-47ba-884a-477fcc6595b4
WPAdmin AWS CDN <= 2.0.13 – Cross-Site Request Forgery
CVE ID: CVE-2023-37889
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7b039c23-51d4-422a-a57b-59abaeca682c
Social Media Icons Widget <= 1.6 – Cross-Site Request Forgery
CVE ID: CVE-2023-25036
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8bb5abff-d762-459a-b96c-5cbbb9f5a22e
ARMember <= 4.0.5 – Cross-Site Request Forgery
CVE ID: CVE-2022-47424
CVSS Score: 4.3 (Medium)
Researcher/s: Cat
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ae865f91-4c2a-4a6b-84a8-bd45c1febdb1
Exit Popups & Onsite Retargeting by OptiMonk <= 2.0.4 – Cross-Site Request Forgery
CVE ID: CVE-2023-37891
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bfa8328b-5932-4396-b0ef-e16a7ec3b365
Multiple Addify Plugins <= (Various Versions) – Cross-Site Request Forgery
CVE ID: CVE-2022-4888
CVSS Score: 4.3 (Medium)
Researcher/s: WPScanTeam
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c8065d25-2ded-4021-a53d-204242db0915
WooCommerce Pre-Orders <= 2.0.2 – Cross-Site Request Forgery
CVE ID: CVE-2023-3508
CVSS Score: 4.3 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d1436ca4-933b-426a-987d-c5cbbc29353b
As a reminder, Wordfence has curated an industry-leading vulnerability database, known as Wordfence Intelligence, containing all known WordPress core, theme, and plugin vulnerabilities.
This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.
The post Wordfence Intelligence Weekly WordPress Vulnerability Report (July 10, 2023 to July 16, 2023) appeared first on Wordfence.