Wordfence Intelligence Weekly WordPress Vulnerability Report (October 9, 2023 to October 15, 2023)

Last week, there were 103 vulnerabilities disclosed in 85 WordPress Plugins and no WordPress themes, with 7 of those being in WordPress Core, that have been added to the Wordfence Intelligence Vulnerability Database, and there were 46 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API and webhook integration are completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Individuals and Enterprises can use the vulnerability Database API to receive a complete dump of our database of over 12,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.


New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.


Total Unpatched & Patched Vulnerabilities Last Week

Patch Status Number of Vulnerabilities
Unpatched 52
Patched 51

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating Number of Vulnerabilities
Low Severity 0
Medium Severity 91
High Severity 5
Critical Severity 7

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) 46
Cross-Site Request Forgery (CSRF) 26
Missing Authorization 9
Information Exposure 6
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) 4
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) 3
Unrestricted Upload of File with Dangerous Type 2
Improper Control of Generation of Code (‘Code Injection’) 1
Improper Input Validation 1
Guessable CAPTCHA 1
URL Redirection to Untrusted Site (‘Open Redirect’) 1
Improper Preservation of Consistency Between Independent Representations of Shared State 1
External Control of File Name or Path 1
Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’) 1

Researchers That Contributed to WordPress Security Last Week

Researcher Name Number of Vulnerabilities
Mika 11
Rio Darmawan 8
thiennv 8
Marco Wotschka
(Wordfence Vulnerability Researcher)
7
Abdi Pranata 6
Rafie Muhammad 5
Lana Codes
(Wordfence Vulnerability Researcher)
5
minhtuanact 4
LEE SE HYOUNG 3
Satoo Nakano 2
DoYeon Park 2
Skalucy 2
yuyudhn 2
Phd 2
Lokesh Dachepalli 2
Prasanna V Balaji 2
Le Ngoc Anh 2
Elliot 2
Ala Arfaoui 1
Nguyen Xuan Chien 1
James Golovich 1
WhiteCyberSec 1
Karolis Narvilas 1
Marc-Alexandre Montpas 1
Francesco Marano 1
qilin_99 1
Nano 1
Vladislav Pokrovsky 1
Chloe Chamberland
(Wordfence Vulnerability Researcher)
1
Edourard L 1
Revan Arifio 1
Jb Audras 1
Jonas Höbenreich 1
SeungYongLee 1
Enrico Marcolini 1
Claudio Marchesini 1
mascara7784 1
Fioravante Souza 1
Jorge Costa 1
s5s 1
raouf_maklouf 1
Bob Matyas 1
Rafshanzani Suhada 1
Bae Song Hyun 1
Nguyen Anh Tien 1
Emili Castells 1

 

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.


WordPress Plugins with Reported Vulnerabilities Last Week

Software Name Software Slug
AGP Font Awesome Collection agp-font-awesome-collection
AI ChatBot chatbot
AMP WP – Google AMP For WordPress amp-wp
Accessibility Suite by Online ADA online-accessibility
Add to Calendar Button add-to-calendar-button
Amministrazione Trasparente amministrazione-trasparente
ApplyOnline – Application Form Builder and Manager apply-online
BuddyPress Global Search buddypress-global-search
CITS Support svg, webp Media and TTF,OTF File Upload cits-support-svg-webp-media-upload
CPT Shortcode Generator cpt-shortcode
Campaign Monitor Forms by Optin Cat campaign-monitor-wp
Caret Country Access Limit caret-country-access-limit
Comments Ratings comments-ratings
Comments – wpDiscuz wpdiscuz
Constant Contact Forms by MailMunch constant-contact-forms-by-mailmunch
Contact Form Generator : Creative form builder for WordPress contact-form-generator
Contact Form With Captcha contact-form-with-captcha
Copy or Move Comments copy-or-move-comments
Donation Forms by Charitable – Donations Plugin & Fundraising Platform for WordPress charitable
Easy Testimonial Slider and Form easy-testimonial-rotator
Ebook Store ebook-store
Embed Calendly embed-calendly-scheduling
Etsy Shop etsy-shop
Eupago Gateway For Woocommerce eupago-gateway-for-woocommerce
EventPrime – Events Calendar, Bookings and Tickets eventprime-event-calendar-management
Fast WP Speed fast-wp-speed
Fattura24 fattura24
Feed Statistics wordpress-feed-statistics
Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder form-maker
GEO my WordPress geo-my-wp
Gallery – Image and Video Gallery with Thumbnails gallery-album
Get Custom Field Values get-custom-field-values
Gutenberg gutenberg
HTML5 Maps html5-maps
History Log by click5 history-log-by-click5
IMPress Listings wp-listings
Icegram Express – Email Marketing, Newsletters and Automation for WordPress & WooCommerce email-subscribers
Image Regenerate & Select Crop image-regenerate-select-crop
Lazy Load for Videos lazy-load-for-videos
LeadSquared Suite leadsquared-suite
Libsyn Publisher Hub libsyn-podcasting
Login Screen Manager login-screen-manager
MailChimp Forms by MailMunch mailchimp-forms-by-mailmunch
Master Addons for Elementor master-addons
Migration, Backup, Staging – WPvivid wpvivid-backuprestore
Newsletter & Bulk Email Sender – Email Newsletter Plugin for WordPress newsletter-bulk-email
Next Page next-page
Nexter Extension nexter-extension
PDF Block pdf-block
Peter’s Custom Anti-Spam peters-custom-anti-spam-image
PixFields pixfields
Poll Maker – Best WordPress Poll Plugin poll-maker
Post Gallery simple-post-gallery
Print, PDF, Email by PrintFriendly printfriendly
Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WPLegalPages wplegalpages
Proofreading proofreading
QR Twitter Widget qr-twitter-widget
Remote Content Shortcode remote-content-shortcode
Responsive Column Widgets responsive-column-widgets
Responsive Tabs responsive-tabs
Royal Elementor Addons and Templates royal-elementor-addons
RumbleTalk Live Group Chat – HTML5 rumbletalk-chat-a-chat-with-themes
Scroll post excerpt scroll-post-excerpt
Sendle Shipping Plugin official-sendle-shipping-method
Simple File List simple-file-list
Simple Tweet simple-tweet
Simple URLs – Link Cloaking, Product Displays, and Affiliate Link Management simple-urls
Slick Contact Forms slick-contact-forms
Snap Pixel snap-pixel
Sort SearchResult By Title sort-searchresult-by-title
SpiderVPlayer player
Taggbox – UGC Galleries, Social Media Widgets, User Reviews & Analytics taggbox-widget
Thumbnail Slider With Lightbox wp-responsive-slider-with-lightbox
Tweeple tweeple
Ultimate Taxonomy Manager ultimate-taxonomy-manager
User Submitted Posts – Enable Users to Submit Posts from the Front End user-submitted-posts
Video Playlist For YouTube video-playlist-for-youtube
WP Attachments wp-attachments
WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting erp
WP GoToWebinar wp-gotowebinar
WP Lightbox 2 wp-lightbox-2
WP Open Street Map wp-open-street-map
WP ULike – Most Advanced WordPress Marketing Toolkit wp-ulike
WordPress Backup & Migration wp-migration-duplicator
which template file which-template-file

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

Accessibility Suite by Online ADA <= 4.11 – Authenticated (Subscriber+) SQL Injection

Affected Software: Accessibility Suite by Online ADA
CVE ID: CVE-2023-45830
CVSS Score: 9.8 (Critical)
Researcher/s: minhtuanact
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/10590944-e08e-4980-846d-7a88880b2dcd

AI ChatBot <= 4.8.9 – Unauthenticated SQL Injection via qc_wpbo_search_response

Affected Software: AI ChatBot
CVE ID: CVE-2023-5204
CVSS Score: 9.8 (Critical)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5ad12146-200b-48e5-82de-7572541edcc4

Royal Elementor Addons and Templates <= 1.3.78 – Unauthenticated Arbitrary File Upload

Affected Software: Royal Elementor Addons and Templates
CVE ID: CVE-2023-5360
CVSS Score: 9.8 (Critical)
Researcher/s: Fioravante Souza
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a9d95af5-96da-4259-98c6-e2c4c574a896

User Submitted Posts <= 20230902 – Unauthenticated Arbitrary File Upload

Affected Software: User Submitted Posts – Enable Users to Submit Posts from the Front End
CVE ID: CVE-2023-45603
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/babbe506-3abd-462a-b5b8-5979696eb6e6

AI ChatBot <= 4.8.9 – Authenticated (Subscriber+) Directory Traversal to Arbitrary File Write via qcld_openai_upload_pagetraining_file

Affected Software: AI ChatBot
CVE ID: CVE-2023-5241
CVSS Score: 9.6 (Critical)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/25199281-5286-4d75-8d27-26ce215e0993

AI ChatBot <= 4.8.9 – Authenticated (Subscriber+) Arbitrary File Deletion via qcld_openai_delete_training_file

Affected Software: AI ChatBot
CVE ID: CVE-2023-5212
CVSS Score: 9.6 (Critical)
Researcher/s: Marco Wotschka, Chloe Chamberland
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5b3f4ccb-fcc6-42ec-8e9e-03d69ae7acf2

Icegram Express <= 5.6.23 – Authenticated (Administrator+) Directory Traversal to Arbitrary File Read


Contact Form Generator <= 2.6.0 – Authenticated (Contributor+) SQL Injection

Affected Software: Contact Form Generator : Creative form builder for WordPress
CVE ID: CVE-2023-35911
CVSS Score: 8.8 (High)
Researcher/s: Emili Castells
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fa586468-d6ff-46a3-97f3-e2e1d365e5b1

Migration, Backup, Staging – WPvivid <= 0.9.91 – Google Drive Client Secret Exposure

Affected Software: Migration, Backup, Staging – WPvivid
CVE ID: CVE-2023-5576
CVSS Score: 8 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4658109d-295c-4a1b-b219-ca1f4664ff1d

RumbleTalk Live Group Chat <= 6.1.9 – Missing Authorization via handleRequest

Affected Software: RumbleTalk Live Group Chat – HTML5
CVE ID: CVE-2023-45828
CVSS Score: 7.6 (High)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d9d6e168-a768-4062-9ef1-0be9d6c65c51

Nexter Extension <= 2.0.3 – Authenticated(Editor+) Remote Code Execution via metabox

Affected Software: Nexter Extension
CVE ID: CVE-2023-45751
CVSS Score: 7.2 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/188c4417-962a-4b28-b215-1c567b39ba7a

Campaign Monitor Forms <= 2.5.5 – Missing Authorization to Authenticated(Subscriber+) Options Update via ajax_dismiss_notice

Affected Software: Campaign Monitor Forms by Optin Cat
CVE ID: CVE-2023-5098
CVSS Score: 7.1 (High)
Researcher/s: Francesco Marano
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3f11416c-c981-4c85-822c-497ecfaa842d

History Log by click5 <= 1.0.12 – Authenticated(Administrator+) Time-Based Blind SQL Injection

Affected Software: History Log by click5
CVE ID: CVE-2023-5082
CVSS Score: 6.6 (Medium)
Researcher/s: Karolis Narvilas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2881e144-a109-4034-afe8-2f72efd70360

IMPress Listings <= 2.6.2 – Missing Authorization

Affected Software: IMPress Listings
CVE ID: CVE-2023-45633
CVSS Score: 6.5 (Medium)
Researcher/s: Nguyen Anh Tien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f426c32e-a376-4447-b83f-409a8eb0c499

Slick Contact Forms <= 1.3.7 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Slick Contact Forms
CVE ID: CVE-2023-5468
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/22c63226-2bc6-40be-a5d1-1bd169fc78b8

PDF Block <= 1.1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: PDF Block
CVE ID: CVE-2023-45646
CVSS Score: 6.4 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3a1d8adf-c49c-4d88-83c7-4515b0ab1f35

QR Twitter Widget <= 0.2.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Affected Software: QR Twitter Widget
CVE ID: CVE-2023-45628
CVSS Score: 6.4 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5b16df88-7d9f-4ee2-90ab-6da50c69148e

Add to Calendar Button <= 1.5.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Add to Calendar Button
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/60ba7f68-1fe1-4349-a3eb-11a63ae11e38

WordPress Core 5.9-6.3.1 – Authenticated(Contributor+) Stored Cross-Site Scripting via Navigation Attributes

Affected Software/s: WordPress, Gutenberg
CVE ID: CVE-2023-38000
CVSS Score: 6.4 (Medium)
Researcher/s: Rafie Muhammad, Edourard L
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/66b1f597-f357-4525-8c67-e0be3a07bcfa

Get Custom Field Values <= 4.0.1 – Authenticated(Contributor+) Stored Cross-Site Scripting via Custom Meta Widget

Affected Software: Get Custom Field Values
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Satoo Nakano
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/66e55302-f889-4054-817f-aadbdd3c88de

Newsletter & Bulk Email Sender <= 2.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Newsletter & Bulk Email Sender – Email Newsletter Plugin for WordPress
CVE ID: CVE-2023-45829
CVSS Score: 6.4 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a7c19095-3c21-440f-aa28-0117aea29d97

GEO my WordPress <= 4.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: GEO my WordPress
CVE ID: CVE-2023-5467
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a96ac71f-3dae-40eb-9268-d56688a5aa64

Master Addons for Elementor <= 2.0.3 – Authenticated(Contributor+) Stored Cross-Site Scripting

Affected Software: Master Addons for Elementor
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/abb7def7-df32-4901-b8ea-068ff1af664b

WordPress Core 6.3 – 6.3.1 – Authenticated(Contributor+) Cross-Site Scripting via Footnotes Block

Affected Software: WordPress
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Jorge Costa
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/af77d642-d383-48f2-a59a-3a9c738cd47f

CITS Support svg, webp Media and TTF,OTF File Upload <= 2.1.0 – Authenticated(Author+) Stored Cross-Site Scripting via SVG Upload

Affected Software: CITS Support svg, webp Media and TTF,OTF File Upload
CVE ID: CVE-2023-5458
CVSS Score: 6.4 (Medium)
Researcher/s: Bob Matyas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c7d3edf5-245f-42f2-9add-e87de6839ed1

Embed Calendly <= 3.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Embed Calendly
CVE ID: CVE-2023-4995
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d1bf83df-7a1f-4572-9c8d-1013750d51d7

WP ULike <= 4.6.8 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Affected Software: WP ULike – Most Advanced WordPress Marketing Toolkit
CVE ID: CVE-2023-45640
CVSS Score: 6.4 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d2f777b6-5872-4196-81fb-82a9b6aaef2e

Charitable <= 1.7.0.13 – Authenticated(Contributor+) Stored Cross-Site Scripting

Affected Software: Donation Forms by Charitable – Donations Plugin & Fundraising Platform for WordPress
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/dbaedb36-6710-48ab-8bb5-e6065fa8df51

Etsy Shop <= 3.0.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Etsy Shop
CVE ID: CVE-2023-5470
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e4696f7a-8b87-4376-b4c9-596eca30b38c

Remote Content Shortcode <= 1.5 – Authenticated(Contributor+) Local File Inclusion via shortcode

Affected Software: Remote Content Shortcode
CVE ID: CVE-2023-45652
CVSS Score: 6.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d1568e8d-9ea5-4673-a657-03e89cfb6000

Ultimate Taxonomy Manager <= 2.0 – Unauthenticated Cross-Site Scripting

Affected Software: Ultimate Taxonomy Manager
CVE ID: CVE-2023-45837
CVSS Score: 6.1 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/06f56834-e1e9-4a02-988a-df4c563182c4

EventPrime <= 3.1.5 – Reflected Cross-Site Scripting via ‘event_id’

Affected Software: EventPrime – Events Calendar, Bookings and Tickets
CVE ID: CVE-2023-45637
CVSS Score: 6.1 (Medium)
Researcher/s: Phd
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/399848fd-e9f6-40e4-bfeb-08f53eb511c6

Libsyn Publisher Hub <= 1.4.4 – Unauthenticated Cross-Site Scripting

Affected Software: Libsyn Publisher Hub
CVE ID: CVE-2023-45835
CVSS Score: 6.1 (Medium)
Researcher/s: minhtuanact
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/56b3d629-014c-47b3-9726-4086e544011b

ApplyOnline – Application Form Builder and Manager <= 2.5.2 – Reflected Cross-Site Scripting

Affected Software: ApplyOnline – Application Form Builder and Manager
CVE ID: CVE-2023-45756
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6c704356-e5f7-4b91-a162-647717cbbb7b

Copy Or Move Comments <= 5.0.4 – Reflected Cross-Site Scripting

Affected Software: Copy or Move Comments
CVE ID: CVE-2023-45634
CVSS Score: 6.1 (Medium)
Researcher/s: minhtuanact
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8a7bf74b-1dc7-4159-a874-29694fe5895e

Peter’s Custom Anti-Spam <= 3.2.2 – Reflected Cross-Site Scripting

Affected Software: Peter’s Custom Anti-Spam
CVE ID: CVE-2023-45759
CVSS Score: 6.1 (Medium)
Researcher/s: SeungYongLee
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8cea7f17-743a-4dce-bd86-5713ff6d8520

Sendle Shipping <= 5.13 – Reflected Cross-Site Scripting

Affected Software: Sendle Shipping Plugin
CVE ID: CVE-2023-45761
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8e227e25-3dd9-47fd-bba8-e076f7f92d56

Nexter Extension <= 2.0.3 – Reflected Cross-Site Scripting via post and post_id

Affected Software: Nexter Extension
CVE ID: CVE-2023-45750
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8f4dc917-028c-451a-9b32-26ef2c488850

Video Player <= 1.5.22 – Reflected Cross-Site Scripting

Affected Software: SpiderVPlayer
CVE ID: CVE-2023-45632
CVSS Score: 6.1 (Medium)
Researcher/s: Elliot
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/93d78063-238d-40c0-92c9-6870d85d29f7

Fattura24 <= 6.2.7 – Reflected Cross-Site Scripting via ‘id’

Affected Software: Fattura24
CVE ID: CVE-2023-5211
CVSS Score: 6.1 (Medium)
Researcher/s: Enrico Marcolini, Claudio Marchesini
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a19bff99-b680-40a6-8a5c-7a0233b293ac

WordPress Core 5.6 – 6.3.1 – Reflected Cross-Site Scripting via Application Password Requests

Affected Software: WordPress
CVE ID: CVE Unknown
CVSS Score: 6.1 (Medium)
Researcher/s: mascara7784
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a5368894-3277-47d0-8fad-adfb8df4fa93

Fast WP Speed <= 1.0.0 – Reflected Cross-Site Scripting

Affected Software: Fast WP Speed
CVE ID: CVE-2023-45770
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cd5a3d4b-6e8b-4abe-9f38-58accada2f57

Ebook Store <= 5.785 – Reflected Cross-Site Scripting

Affected Software: Ebook Store
CVE ID: CVE-2023-45602
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e36eed5b-f76d-451e-a0f8-fd4b91bcf9f1

Proofreading <= 1.0.11 – Reflected Cross-Site Scripting

Affected Software: Proofreading
CVE ID: CVE-2023-45772
CVSS Score: 6.1 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e76e4c4c-3f84-46b0-b305-2513714a8525

Tweeple <= 0.9.5 – Reflected Cross-Site Scripting via id

Affected Software: Tweeple
CVE ID: CVE-2023-30781
CVSS Score: 6.1 (Medium)
Researcher/s: Elliot
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f9b1c96c-ab87-43a8-a3ac-17fea337b690

Responsive Image Gallery, Gallery Album <= 2.0.3 – Unauthenticated Cross-Site Scripting

Affected Software: Gallery – Image and Video Gallery with Thumbnails
CVE ID: CVE-2023-45630
CVSS Score: 6.1 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fa9e4635-43f8-4f3c-b62c-628e74028f7e

Get Custom Field Values <= 4.0.1 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin widget

Affected Software: Get Custom Field Values
CVE ID: CVE-2023-45604
CVSS Score: 5.5 (Medium)
Researcher/s: Satoo Nakano
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1e0fd85a-2164-4b83-822e-845662591a78

WP Lightbox 2 <= 3.0.6.5 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

Affected Software: WP Lightbox 2
CVE ID: CVE-2023-45747
CVSS Score: 5.5 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5ef104ae-b67c-4669-adeb-e5397561c0ae

WPLegalPages <= 2.9.2 – Authenticated (Author+) Stored Cross-Site Scripting via Shortcode

Affected Software: Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WPLegalPages
CVE ID: CVE-2023-4968
CVSS Score: 5.5 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/68d7b5d0-c777-4ff9-bdef-a7762cfbdf1a

Simple Tweet <= 1.4.0.2 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

Affected Software: Simple Tweet
CVE ID: CVE-2023-45767
CVSS Score: 5.5 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/de568a71-f51d-4948-839c-48e51d165a64

WordPress Core < 6.3.2 – Authenticated (Subscriber+) Arbitrary Shortcode Execution via parse-media-shortcode

Affected Software: WordPress
CVE ID: CVE Unknown
CVSS Score: 5.4 (Medium)
Researcher/s: James Golovich, WhiteCyberSec
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1fc3f65e-5fbe-403b-b7cd-dde16a7e5778

Simple URLs <= 120 – Cross-Site Request Forgery via Multiple AJAX Actions

Affected Software: Simple URLs – Link Cloaking, Product Displays, and Affiliate Link Management
CVE ID: CVE-2023-45606
CVSS Score: 5.4 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/41d03524-7a53-40cd-a3d5-dafea4fc9a33

wpDiscuz <= 7.6.3 – Missing Authorization via AJAX actions

Affected Software: Comments – wpDiscuz
CVE ID: CVE-2023-45760
CVSS Score: 5.4 (Medium)
Researcher/s: Vladislav Pokrovsky
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4e8ad3c1-549b-4401-8cf4-a8b7f81fbc11

Responsive Image Gallery, Gallery Album <= 2.0.3 – Cross-Site Request Forgery

Affected Software: Gallery – Image and Video Gallery with Thumbnails
CVE ID: CVE-2023-45629
CVSS Score: 5.4 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/66efc65e-48d3-4ef9-a369-51448e47686a

WordPress Backup & Migration <= 1.4.1 – Missing Authorization to Settings and Schedule Modification

Affected Software: WordPress Backup & Migration
CVE ID: CVE-2023-45636
CVSS Score: 5.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/adfc5084-ed33-4600-bd34-d3516f1a1b96

Responsive Image Gallery, Gallery Album <= 2.0.3 – Missing Authorization via Multiple AJAX Actions

Affected Software: Gallery – Image and Video Gallery with Thumbnails
CVE ID: CVE-2023-45631
CVSS Score: 5.4 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cb08cf02-4766-4093-9306-3b4581f54f77

MailChimp Forms by MailMunch <= 3.1.4 – Cross-Site Request Forgery via multiple AJAX actions

Affected Software: MailChimp Forms by MailMunch
CVE ID: CVE-2023-45748
CVSS Score: 5.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f4f96877-406b-4ec0-ac6b-ee1ffdb436e5

Contact Form With Captcha <= 1.6.8 – Cross-Site Request Forgery

Affected Software: Contact Form With Captcha
CVE ID: CVE-2023-45771
CVSS Score: 5.4 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f618a350-e089-40f7-b731-7ffb9ece30b3

Image Regenerate & Select Crop 7.2.5 – Sensitive Information Exposure

Affected Software: Image Regenerate & Select Crop
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/307bfd18-840a-4cb4-86e6-33dc28e5514e

WordPress Core 4.7.0 – 6.3.1 – Sensitive Information Exposure via User Search REST Endpoint

Affected Software: WordPress
CVE ID: CVE-2023-5561
CVSS Score: 5.3 (Medium)
Researcher/s: Marc-Alexandre Montpas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/38b63167-e1a6-4279-97cf-900df0651f20

Form Maker <= 1.15.20 – Captcha Bypass

Affected Software: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/46525a06-f3a4-4c78-ba32-4b937e1dbac6

Poll Maker <= 4.7.1 – Missing Authorization

Affected Software: Poll Maker – Best WordPress Poll Plugin
CVE ID: CVE-2023-45766
CVSS Score: 5.3 (Medium)
Researcher/s: Revan Arifio
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6a27fcc6-b1ac-4649-892b-7e0dee3f0d08

Libsyn Publisher Hub <= 1.4.4 – Sensitive Information Exposure

Affected Software: Libsyn Publisher Hub
CVE ID: CVE-2023-45834
CVSS Score: 5.3 (Medium)
Researcher/s: minhtuanact
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8bccefbe-2d20-40a7-b24f-d867d80250e3

AI ChatBot <= 4.8.9 – Missing Authorization on AJAX actions

Affected Software: AI ChatBot
CVE ID: CVE-2023-5533
CVSS Score: 5.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a9db002f-ff41-493a-87b1-5f0b4b07cfc2

WordPress Core 4.7.0-6.3.1 – Denial of Service via Cache Poisoning

Affected Software: WordPress
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: s5s, raouf_maklouf
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bdc84664-2a04-4cc6-ac3f-48bfd432691f

AI ChatBot <= 4.8.9 – Unauthenticated Sensitive Information Exposure via qcld_wb_chatbot_check_user

Affected Software: AI ChatBot
CVE ID: CVE-2023-5254
CVSS Score: 5.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d897daf8-5320-4546-9a63-1d34a15b2a58

Responsive Column Widgets <= 1.2.7 – Open Redirect via responsive_column_widgets_link

Affected Software: Responsive Column Widgets
CVE ID: CVE-2023-45762
CVSS Score: 4.7 (Medium)
Researcher/s: Phd
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a092266b-bd7f-424d-b8c4-d79e4811e6c9

Easy Testimonial Slider and Form <= 1.0.18 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings

Affected Software: Easy Testimonial Slider and Form
CVE ID: CVE-2023-45754
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/01da1829-e3f4-4246-ae3d-72377c4b232e

Amministrazione Trasparente <= 8.0.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Amministrazione Trasparente
CVE ID: CVE-2023-45758
CVSS Score: 4.4 (Medium)
Researcher/s: DoYeon Park
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1ef02ecc-6a7b-4782-a891-a1d66d770c81

CPT Shortcode Generator <= 1.0 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings

Affected Software: CPT Shortcode Generator
CVE ID: CVE-2023-45644
CVSS Score: 4.4 (Medium)
Researcher/s: Lokesh Dachepalli
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4782d4ea-3d79-40d2-850d-1a7583267616

Login Screen Manager <= 3.5.2 – Authenticated(Admin+) Stored Cross-Site Scripting

Affected Software: Login Screen Manager
CVE ID: CVE-2023-5243
CVSS Score: 4.4 (Medium)
Researcher/s: Nano
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4d6c37ec-4a17-41b8-a29e-2a9adb382cea

Scroll post excerpt <= 8.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Scroll post excerpt
CVE ID: CVE-2023-45764
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6da00adc-8fc0-4d8f-9ff3-8c21223199f4

Next Page <= 1.5.2 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings

Affected Software: Next Page
CVE ID: CVE-2023-45768
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c592887c-718c-46d7-8dc3-d337711471ee

Print, PDF, Email by PrintFriendly <= 5.5.1 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings

Affected Software: Print, PDF, Email by PrintFriendly
CVE ID: CVE-2023-25032
CVSS Score: 4.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e0403a76-86ce-4772-bc0b-22b183f0f684

WP GoToWebinar <= 14.45 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings

Affected Software: WP GoToWebinar
CVE ID: CVE-2023-45832
CVSS Score: 4.4 (Medium)
Researcher/s: DoYeon Park
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e40f07b5-9e6e-430b-86fc-3bb863a51b01

Simple File List <= 6.1.9 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings

Affected Software: Simple File List
CVE ID: CVE-2023-39924
CVSS Score: 4.4 (Medium)
Researcher/s: Bae Song Hyun
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e61b6e54-b330-41a5-b13f-ba11c10d8bfe

LeadSquared Suite <= 0.7.4 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings

Affected Software: LeadSquared Suite
CVE ID: CVE-2023-45833
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ef1aafc2-e47b-49da-8a4e-9111209308c2

BuddyPress Global Search <= 1.2.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: BuddyPress Global Search
CVE ID: CVE-2023-45755
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f78cc71a-db22-4f5f-9231-52c66561df02

WP ERP <= 1.12.6 – Missing Authorization via admin notice dismissal


Thumbnail Slider With Lightbox <= 1.0 – Cross-Site Request Forgery

Affected Software: Thumbnail Slider With Lightbox
CVE ID: CVE-2023-5531
CVSS Score: 4.3 (Medium)
Researcher/s: Ala Arfaoui
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/055b7ed5-268a-485e-ac7d-8082dc9fb2ad

Post Gallery <= 2.3.12 – Cross-Site Request Forgery

Affected Software: Post Gallery
CVE ID: CVE-2023-45752
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0ac31c39-abbc-427f-aba3-d9ec3b51c4d2

WP Open Street Map <= 1.25 – Cross-Site Request Forgery via wp_openstreetmaps

Affected Software: WP Open Street Map
CVE ID: CVE-2023-45645
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1aa0fd9d-6c9f-4110-92a0-064fa4b9b589

Eupago Gateway For Woocommerce <= 3.1.9 – Cross-Site Request Forgery via eupago_page_content

Affected Software: Eupago Gateway For Woocommerce
CVE ID: CVE-2023-45638
CVSS Score: 4.3 (Medium)
Researcher/s: Skalucy
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1f1dcec6-1fcf-40e8-a15b-647b7161b6b5

which template file <= 4.8.0 – Cross-Site Request Forgery

Affected Software: which template file
CVE ID: CVE-2023-45753
CVSS Score: 4.3 (Medium)
Researcher/s: yuyudhn
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/279314a4-2d70-4036-ae9a-27bb694b03db

Constant Contact Forms by MailMunch <= 2.0.10 – Cross-Site Request Forgery

Affected Software: Constant Contact Forms by MailMunch
CVE ID: CVE-2023-45647
CVSS Score: 4.3 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2f8dcbd2-af51-4cc9-9962-53fe644985e1

Sort SearchResult By Title <= 10.0 – Cross-Site Request Forgery via settings_page

Affected Software: Sort SearchResult By Title
CVE ID: CVE-2023-45639
CVSS Score: 4.3 (Medium)
Researcher/s: Skalucy
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4147e973-5a17-41d8-b8d9-5e43a23c9bc9

AMP WP <= 1.5.15 – Cross-Site Request Forgery via multiple settings pages

Affected Software: AMP WP – Google AMP For WordPress
CVE ID: CVE-2023-45831
CVSS Score: 4.3 (Medium)
Researcher/s: qilin_99
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/44dd7b3f-5892-43e1-acf1-61f66db0b4a3

XYDAC Ultimate Taxonomy Manager <= 2.0 – Cross-Site Request Forgery

Affected Software: Ultimate Taxonomy Manager
CVE ID: CVE-2023-45836
CVSS Score: 4.3 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4baf39fd-4191-47eb-9b37-cdf290d6345b

HTML5 Maps <= 1.7.1.4 – Cross-Site Request Forgery

Affected Software: HTML5 Maps
CVE ID: CVE-2023-45650
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/502bc68d-778a-47df-a5c2-6bd0b4f130cc

CPT Shortcode Generator <= 1.0 – Cross-Site Request Forgery

Affected Software: CPT Shortcode Generator
CVE ID: CVE-2023-45643
CVSS Score: 4.3 (Medium)
Researcher/s: Lokesh Dachepalli
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6125a8e6-4c87-4136-ba39-c3a089948733

Snap Pixel <= 1.5.7 – Cross-Site Request Forgery

Affected Software: Snap Pixel
CVE ID: CVE-2023-45642
CVSS Score: 4.3 (Medium)
Researcher/s: Prasanna V Balaji
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6150fd60-069f-4ba6-8f0c-773039eaaec6

WordPress Core <= 6.3.1 – Authenticated(Contributor+) Sensitive Information Exposure via Comments on Protected Posts

Affected Software: WordPress
CVE ID: CVE-2023-39999
CVSS Score: 4.3 (Medium)
Researcher/s: Rafie Muhammad, Jb Audras
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6bea6a77-79e8-4d3a-bd3e-2bb3d20b6fe9

Comments Ratings <= 1.1.7 – Cross-Site Request Forgery

Affected Software: Comments Ratings
CVE ID: CVE-2023-45654
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8035484b-dc2f-4d54-802b-b09bd88a8bf6

AI ChatBot <= 4.8.9 – Cross-Site Request Forgery on AJAX actions

Affected Software: AI ChatBot
CVE ID: CVE-2023-5534
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/846bd929-45cd-4e91-b232-ae16dd2b12a0

Taggbox <= 2.9 – Cross-Site Request Forgery

Affected Software: Taggbox – UGC Galleries, Social Media Widgets, User Reviews & Analytics
CVE ID: CVE-2023-33214
CVSS Score: 4.3 (Medium)
Researcher/s: Jonas Höbenreich
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8a27253d-bfc1-40b5-9da4-d16cc403ad41

Caret Country Access Limit <= 1.0.2 – Cross-Site Request Forgery

Affected Software: Caret Country Access Limit
CVE ID: CVE-2023-45641
CVSS Score: 4.3 (Medium)
Researcher/s: Prasanna V Balaji
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9f8c5853-6e21-4a70-a547-e3f0f4b1d7d0

Lazy Load for Videos <= 2.18.2 – Cross-Site Request Forgery

Affected Software: Lazy Load for Videos
CVE ID: CVE-2023-45656
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a467ad30-8271-421c-8af4-8165fd60c03e

AGP Font Awesome Collection <= 3.2.4 – Cross-Site Request Forgery

Affected Software: AGP Font Awesome Collection
CVE ID: CVE-2023-45749
CVSS Score: 4.3 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/abcb2e9f-a6f1-40c3-b419-e2f65ec5dd41

PixFields <= 0.7.0 – Cross-Site Request Forgery

Affected Software: PixFields
CVE ID: CVE-2023-45655
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d3c6fb8b-9df8-4cf5-b9e6-702852bb1977

Video Playlist For YouTube <= 6.0 – Cross-Site Request Forgery

Affected Software: Video Playlist For YouTube
CVE ID: CVE-2023-45653
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d72c8140-90f1-49f5-bc42-925e29ecc0b1

Responsive Tabs < 4.0.6 – Authenticated (Contributor+) Content Injection

Affected Software: Responsive Tabs
CVE ID: CVE-2023-45635
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d9af12ac-68ef-4c65-aecb-82ce7b927340

WP Attachments <= 5.0.6 – Cross-Site Request Forgery

Affected Software: WP Attachments
CVE ID: CVE-2023-45651
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f23b144e-4380-4099-89b5-816c8c2f710f

Feed Statistics <= 4.1 – Cross-Site Request Forgery via init

Affected Software: Feed Statistics
CVE ID: CVE-2023-45605
CVSS Score: 4.3 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f5740c07-28b3-40ce-997e-e4ec76348cf4

As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (October 9, 2023 to October 15, 2023) appeared first on Wordfence.

More great articles

20,000 WordPress Sites Affected by Privilege Escalation Vulnerability in WCFM – WooCommerce Frontend Manager WordPress Plugin

📢 Did you know Wordfence runs a Bug Bounty Program for all WordPress plugins and themes at no cost to…

Read Story

Wordfence Intelligence Weekly WordPress Vulnerability Report (September 2, 2024 to September 8, 2024)

Did you know Wordfence runs a Bug Bounty Program for all WordPress plugins and themes at no cost to vendors?…

Read Story

28,000 WordPress Sites Affected by Arbitrary File Read and Deletion Vulnerability in WPLMS WordPress Theme

🦸 👻 Calling all superheroes and haunters! Introducing the Cybersecurity Month Spooktacular Haunt and the WordPress Superhero Challenge for the…

Read Story

Emergency WordPress Help

One of our techs will get back to you within minutes.