Wordfence Intelligence Weekly WordPress Vulnerability Report (November 27, 2023 to December 3, 2023)

Wordfence just launched its bug bounty program. Through December 20th 2023, all researchers will earn 6.25x our normal bounty rates when Wordfence handles responsible disclosure for our Holiday Bug Extravaganza! Register as a researcher and submit your vulnerabilities today!

Last week, there were 124 vulnerabilities disclosed in 123 WordPress Plugins and 2 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 39 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 12,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following in real-time to our Premium, Care, and Response customers last week:

wp-autoload.php backdoor – while we typically write firewall rules for vulnerabilities, we wrote a firewall rule to block successful exploitation of this piece of malware we wrote about here.
Backup Migration <= 1.3.6 – Unauthenticated Arbitrary File Download to Sensitive Information Exposure

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status	Number of Vulnerabilities
Unpatched	66
Patched	58

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating	Number of Vulnerabilities
Low Severity	0
Medium Severity	113
High Severity	10
Critical Severity	1

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE	Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)	53
Missing Authorization	24
Cross-Site Request Forgery (CSRF)	21
Information Exposure	7
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)	4
Unrestricted Upload of File with Dangerous Type	3
Server-Side Request Forgery (SSRF)	2
Incorrect Authorization	1
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’)	1
Authorization Bypass Through User-Controlled Key	1
Guessable CAPTCHA	1
Use of Less Trusted Source	1
Protection Mechanism Failure	1
Improper Access Control	1
Improper Authorization	1
Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’)	1
Reliance on Untrusted Inputs in a Security Decision	1

Researchers That Contributed to WordPress Security Last Week

Researcher Name	Number of Vulnerabilities
Rafie Muhammad	9
Abdi Pranata	8
emad	7
Mika	7
DoYeon Park (p6rkdoye0n)	6
Ngô Thiên An (ancorn_)	6
Joshua Chan	5
Le Ngoc Anh	4
LEE SE HYOUNG	4
qilin_99	4
LVT-tholv2k	4
Rafshanzani Suhada	3
Vladislav Pokrovsky (ΞX.MI)	3
Abu Hurayra (HurayraIIT)	3
Skalucy	3
resecured.io	2
Revan Arifio	2
Francesco Carlucci	2
yuyudhn	2
István Márton (Wordfence Vulnerability Researcher)	2
thiennv	2
Elliot	2
SeungYongLee	2
Phd	2
Abdullah Hussam	1
Sebastian Neef	1
Yudistira Arya	1
Nguyen Xuan Chien	1
Brandon James Roldan (tomorrowisnew)	1
Alex Thomas (Wordfence Vulnerability Researcher)	1
Shahzaib Ali Khan	1
Dmitrii Ignatyev	1
Bob Matyas	1
Krzysztof Zając	1
Truoc Phan	1
Dave Jong	1
Nguyen Anh Tien	1
Yuchen Ji	1
Arvandy	1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name	Software Slug
12 Step Meeting List	12-step-meeting-list
360 Javascript Viewer	360deg-javascript-viewer
AMP for WP – Accelerated Mobile Pages	accelerated-mobile-pages
Abandoned Cart Lite for WooCommerce	woocommerce-abandoned-cart
AdFoxly – Ad Manager, AdSense Ads & Ads.txt	adfoxly
Add to Cart Text Changer and Customize Button, Add Custom Icon	woo-add-to-cart-text-change
Ads by datafeedr.com	ads-by-datafeedrcom
Affiliate Booster – Pros & Cons, Notice, and CTA Blocks for Affiliates	affiliatebooster-blocks
Antispam Bee	antispam-bee
Aparat	aparat
Aruba HiSpeed Cache	aruba-hispeed-cache
Author Box, Guest Author and Co-Authors for Your Posts – Molongui	molongui-authorship
Automatic Youtube Video Posts Plugin	automatic-youtube-video-posts
BSK Forms Blacklist	bsk-gravityforms-blacklist
Backup Migration	backup-backup
Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss	bp-better-messages
BigCommerce For WordPress	bigcommerce
BookingPress – Appointment Booking Calendar Plugin and Online Scheduling Plugin	bookingpress-appointment-booking
BrainCert – HTML5 Virtual Classroom	html5-virtual-classroom
Bravo Translate	bravo-translate
Button Generator – easily Button Builder	button-generation
CF7 Google Sheets Connector	cf7-google-sheets-connector
Campaign Monitor for WordPress	forms-for-campaign-monitor
Chartify – WordPress Chart Plugin	chart-builder
Chat Bubble – Floating Chat with Contact Chat Icons, Messages, Telegram, Email, SMS, Call me back	chat-bubble
Client Dash	client-dash
Coming soon and Maintenance mode	coming-soon-page
CommentLuv	commentluv
Contact Form 7	contact-form-7
Contact Form – Custom Builder, Payment Form, and More	powr-pack
Credit Tracker	credit-tracker
Crypto Converter Widget	crypto-converter-widget
Currency Converter Calculator	currency-converter-calculator
Database for CF7	database-for-cf7
Debug Log Manager	debug-log-manager
Delete Post Revisions In WordPress	delete-post-revisions-on-single-click
Doofinder WP & WooCommerce Search	doofinder-for-woocommerce
Ecwid Ecommerce Shopping Cart	ecwid-shopping-cart
Email Address Encoder	email-address-encoder
Enhanced Text Widget	enhanced-text-widget
Event post	event-post
Evergreen Content Poster – Auto Post and Schedule Your Best Content to Social Media	evergreen-content-poster
Export WP Page to Static HTML/CSS	export-wp-page-to-static-html
File Gallery	file-gallery
Form builder to get in touch with visitors, grow your email list and collect payments — Happyforms	happyforms
Forms by CaptainForm – Form Builder for WordPress	captainform
Formzu WP	formzu-wp
GDPR Cookie Consent by Supsystic	gdpr-compliance-by-supsystic
Gift Up Gift Cards for WordPress and WooCommerce	gift-up
GoDaddy Email Marketing	godaddy-email-marketing-sign-up-forms
Guest Author	guest-author
HDW Player Plugin (Video Player & Video Gallery)	hdw-player-video-player-video-gallery
HUSKY – Products Filter for WooCommerce Professional	woocommerce-products-filter
Hubbub Lite (formerly Grow Social)	social-pug
IdeaPush	ideapush
Importify – Dropshipping WooCommerce Plugin for Aliexpress, Amazon, Etsy, Alibaba, Walmart & More	importify
Innovs HR – Complete Human Resource Management System for Your Business	innovs-hr-manager
JetBlocks for Elementor	jet-blocks
JetBlog for Elementor	jet-blog
JetCompareWishlist for Elementor	jet-compare-wishlist
JetElements	jet-elements
JetEngine	jet-engine
JetFormBuilder — Dynamic Blocks Form Builder	jetformbuilder
JetMenu for Elementor	jet-menu
JetPopup	jet-popup
JetProductGallery	jet-woo-product-gallery
JetReviews for Elementor	jet-reviews
JetSearch	jet-search
JetSmartFilters for Elementor	jet-smart-filters
JetTabs for Elementor	jet-tabs
JetThemeCore for Elementor	jet-theme-core
JetTricks for Elementor	jet-tricks
JetWooBuilder for Elementor	jet-woo-builder
KP Fastest Tawk.to Chat	kp-fastest-tawk-to-chat
LadiApp: Landing Page, PopupX, Marketing Automation, Affiliate Marketing…	ladipage
List all posts by Authors, nested Categories and Titles	list-all-posts-by-authors-nested-categories-and-titles
MSync	msync
Media File Renamer: Rename Files (Manual, Auto & AI)	media-file-renamer
MkRapel Regiones y Ciudades de Chile para WC	wc-ciudades-y-regiones-de-chile
Mollie Payments for WooCommerce	mollie-payments-for-woocommerce
Multiple Post Passwords	multiple-post-passwords
MyTube PlayList	mytube
Nested Pages	wp-nested-pages
NextScripts: Social Networks Auto-Poster	social-networks-auto-poster-facebook-twitter-g
Ocean Extra	ocean-extra
Page Builder: Pagelayer – Drag and Drop website builder	pagelayer
Parallax Slider Block	parallax-slider-block
Participants Database	participants-database
Perfect Images (Manage Image Sizes, Thumbnails, Replace, Retina)	wp-retina-2x
PowerPack Pro for Elementor	powerpack-elements
Prevent Landscape Rotation	prevent-landscape-rotation
Product Size Chart For WooCommerce	product-size-chart-for-woo
Qode Essential Addons	qode-essential-addons
Quotes for WooCommerce	quotes-for-woocommerce
Razorpay for WooCommerce	woo-razorpay
RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login	custom-registration-form-builder-with-submission-manager
Related Post	related-post
Responsive Lightbox & Gallery	responsive-lightbox
SchedulePress – Best Editorial Calendar, Missed Schedule & Auto Social Share	wp-scheduled-posts
Seraphinite Accelerator	seraphinite-accelerator
Sign In Scheduling Online Appointment Booking System	10to8-online-booking
Simple Long Form	simple-long-form
Site Offline Or Coming Soon Or Maintenance Mode	site-offline
SiteOrigin Widgets Bundle	so-widgets-bundle
Social Share Buttons & Analytics Plugin – GetSocial.io	wp-share-buttons-analytics-by-getsocial
SoundCloud Shortcode	soundcloud-shortcode
SpeedyCache – Cache, Optimization, Performance	speedycache
Spiffy Calendar	spiffy-calendar
Swift Performance Lite	swift-performance-lite
Track Geolocation Of Users Using Contact Form 7	track-geolocation-of-users-using-contact-form-7
UPS, Mondial Relay & Chronopost for WooCommerce – WCMultiShipping	wc-multishipping
WP Catalogue	wp-catalogue
WP CleanFix	wp-cleanfix
WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce	wp-event-manager
WP Forms Puzzle Captcha	wp-forms-puzzle-captcha
WP Pocket URLs	wp-pocket-urls
WP Shortcodes Plugin — Shortcodes Ultimate	shortcodes-ultimate
WordPress Brute Force Protection – Stop Brute Force Attacks	guardgiant
YASR – Yet Another Star Rating Plugin for WordPress	yet-another-stars-rating
affiliate-toolkit – WordPress Affiliate Plugin	affiliate-toolkit-starter
canvasio3D Light	canvasio3d-light
teachPress	teachpress
which template file	which-template-file

WordPress Themes with Reported Vulnerabilities Last Week

Software Name	Software Slug
adifier	adifier
restricted-site-access	restricted-site-access

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

HUSKY – Products Filter for WooCommerce (formerly WOOF) <= 1.3.4.2 – Unauthenticated SQL Injection via search terms

Affected Software: HUSKY – Products Filter for WooCommerce Professional
CVE ID: CVE-2023-40010
CVSS Score: 9.8 (Critical)
Researcher/s: Nguyen Anh Tien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b905b8ec-d13d-4455-9c5f-61aaa09d75ba

JetEngine <= 3.2.4 – Authenticated (Contributor+) Privilege Escalation

Affected Software: JetEngine
CVE ID: CVE-2023-48757
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ad66015d-7831-4590-9583-3abf7ca43c3b

CommentLuv <= 3.0.4 – Server Side Request Forgery via do_click

Affected Software: CommentLuv
CVE ID: CVE-2023-49159
CVSS Score: 8.2 (High)
Researcher/s: Yuchen Ji
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/eeef2a59-47a1-4d8d-b815-8c74cc608e6c

Backup Migration <= 1.3.6 – Unauthenticated Arbitrary File Download to Sensitive Information Exposure

Affected Software: Backup Migration
CVE ID: CVE-2023-6266
CVSS Score: 7.5 (High)
Researcher/s: Rafshanzani Suhada
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/08801f53-3c57-41a3-a637-4b52637cc612

CF7 Google Sheets Connector <= 5.0.5 – Unauthenticated Sensitive Information Exposure via Debug Log

Affected Software: CF7 Google Sheets Connector
CVE ID: CVE-2023-44989
CVSS Score: 7.5 (High)
Researcher/s: Joshua Chan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fad510b7-85f4-4cae-aaf0-eb68a32cf1b4

Multiple Plugins by Crocoblock <= (Various Versions) – Missing Authorization to Unauthenticated Unauthorized Action

Affected Software/s: JetTabs for Elementor, JetBlog for Elementor, JetThemeCore for Elementor, JetCompareWishlist for Elementor, JetElements, JetWooBuilder for Elementor, JetReviews for Elementor, JetTricks for Elementor, JetMenu for Elementor, JetBlocks for Elementor, JetProductGallery, JetSmartFilters for Elementor
CVE ID: CVE-2023-48760
CVSS Score: 7.3 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7addc83b-cde5-4f91-b286-70db6f384a9f

MSync <= 1.0.0 – Authenticated (Administrator+) SQL Injection

Affected Software: MSync
CVE ID: CVE-2023-49166
CVSS Score: 7.2 (High)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1f37ed0e-3e03-4f00-9967-16047beab1cf

Mollie Payments for WooCommerce <= 7.3.11 – Authenticated (Shop Manager+) Arbitrary File Upload

Affected Software: Mollie Payments for WooCommerce
CVE ID: CVE-2023-6090
CVSS Score: 7.2 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5d350095-125a-4445-89c1-bce437e4098c

BookingPress <= 1.0.76 – Authenticated (Administrator+) Arbitrary File Upload

Affected Software: BookingPress – Appointment Booking Calendar Plugin and Online Scheduling Plugin
CVE ID: CVE-2023-6219
CVSS Score: 7.2 (High)
Researcher/s: István Márton
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/710b8e4e-01de-4e99-8cf2-31abc2419b29

JetEngine <= 3.2.4 – Missing Authorization

Affected Software: JetEngine
CVE ID: CVE-2023-48758
CVSS Score: 7.1 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3f2c97f4-0a6e-4693-a6c8-bd81ca76988c

WP Cleanfix <= 5.5.0 – Missing Authorization via register

Affected Software: WP CleanFix
CVE ID: CVE-2023-48775
CVSS Score: 7.1 (High)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/57896fa8-9360-41e8-a60e-8b95d01c25ac

WordPress Brute Force Protection – Stop Brute Force Attacks <= 2.2.5 – Authenticated (Administrator+) SQL Injection via orderby

Affected Software: WordPress Brute Force Protection – Stop Brute Force Attacks
CVE ID: CVE-2023-48764
CVSS Score: 6.6 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0d3f7676-5ab0-4fe0-a0be-786f4cf84056

Contact Form 7 <= 5.8.3 – Authenticated (Editor+) Arbitrary File Upload

Affected Software: Contact Form 7
CVE ID: CVE-2023-6449
CVSS Score: 6.6 (Medium)
Researcher/s: István Márton
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5d7fb020-6acb-445e-a46b-bdb5aaf8f2b6

Bravo Translate <= 1.2 – Authenticated (Administrator+) SQL Injection

Affected Software: Bravo Translate
CVE ID: CVE-2023-49161
CVSS Score: 6.6 (Medium)
Researcher/s: Arvandy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f256518c-9a3e-4e6e-8d49-d309e397c14d

Chat Bubble <= 2.3 – Cross-Site Request Forgery via cbb_submit_settings_data

Affected Software: Chat Bubble – Floating Chat with Contact Chat Icons, Messages, Telegram, Email, SMS, Call me back
CVE ID: CVE-2023-48769
CVSS Score: 6.5 (Medium)
Researcher/s: Vladislav Pokrovsky (ΞX.MI)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/206261fa-58b6-4407-b8e1-2315836b6c88

Prevent Landscape Rotation <= 2.0 – Cross-Site Request Forgery via adminpage.php

Affected Software: Prevent Landscape Rotation
CVE ID: CVE-2023-48772
CVSS Score: 6.5 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4235f279-0975-4814-b156-b45b011e3ce6

Database for CF7 <= 1.2.4 – Missing Authorization via wpcf7db_delete AJAX action

Affected Software: Database for CF7
CVE ID: CVE-2023-49167
CVSS Score: 6.5 (Medium)
Researcher/s: Vladislav Pokrovsky (ΞX.MI)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4fcaab95-7940-45f9-a3c2-c3b0dc540b61

MkRapel Regiones y Ciudades de Chile para WC <= 4.3.0 – Cross-Site Request Forgery via multiple functions

Affected Software: MkRapel Regiones y Ciudades de Chile para WC
CVE ID: CVE-2023-48781
CVSS Score: 6.5 (Medium)
Researcher/s: qilin_99
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/70bac5e0-8182-426c-94da-e6832af8c487

Product Size Chart For WooCommerce <= 1.1.5 – Cross-Site Request Forgery via get_save_option

Affected Software: Product Size Chart For WooCommerce
CVE ID: CVE-2023-48778
CVSS Score: 6.5 (Medium)
Researcher/s: qilin_99
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7e15f804-f5a9-4e29-8aeb-4ba2b116dc46

Guest Author <= 2.3 – Authenticated Stored Cross-Site Scripting

Affected Software: Guest Author
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0b7d7b64-8194-4b81-83f5-1f3b23109455

Powr Pack <= 2.1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Affected Software: Contact Form – Custom Builder, Payment Form, and More
CVE ID: CVE-2023-45609
CVSS Score: 6.4 (Medium)
Researcher/s: resecured.io
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0e67ce3b-144f-4ce1-b658-47d865312c6a

Responsive Lightbox <= 2.4.5 – Authenticated (Author+) Stored Cross-Site Scripting via name

Affected Software: Responsive Lightbox & Gallery
CVE ID: CVE-2023-49174
CVSS Score: 6.4 (Medium)
Researcher/s: emad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4b60c1e2-5a4b-4a7a-8224-f1afd3888e08

12 Step Meeting List <= 3.14.24 – Authenticated (Contributor+) Server-Side Request Forgery

Affected Software: 12 Step Meeting List
CVE ID: CVE-2023-46641
CVSS Score: 6.4 (Medium)
Researcher/s: Shahzaib Ali Khan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4d6e9cb0-6b90-4a5b-8626-0b3f378fbc92

WP Shortcodes Plugin — Shortcodes Ultimate <= 5.13.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: WP Shortcodes Plugin — Shortcodes Ultimate
CVE ID: CVE-2023-6225
CVSS Score: 6.4 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/558e36f6-4678-46a2-8154-42770fbb5574

WP Catalogue <= 1.7.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Affected Software: WP Catalogue
CVE ID: CVE-2023-48780
CVSS Score: 6.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5684d4b7-8a3e-47ee-9d7b-195cb5db9a66

Ads by datafeedr.com <= 1.2.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Ads by datafeedr.com
CVE ID: CVE-2023-49169
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/61c71bbf-ddae-4f35-ac8d-9753fb3fb67f

Event post <= 5.8.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Affected Software: Event post
CVE ID: CVE-2023-49179
CVSS Score: 6.4 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6a92b96b-ecbc-4414-8e42-04b5c3a02131

Formzu WP <= 1.6.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via id

Affected Software: Formzu WP
CVE ID: CVE-2023-49160
CVSS Score: 6.4 (Medium)
Researcher/s: resecured.io
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7ee73abf-0ab8-48ab-bd94-18ed66f877fd

Accelerated Mobile Pages <= 1.0.88.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Affected Software: AMP for WP – Accelerated Mobile Pages
CVE ID: CVE-2023-48321
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/983e8ec0-fec4-4420-8ef6-6bf43881f5f1

Currency Converter Calculator <= 1.3.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Affected Software: Currency Converter Calculator
CVE ID: CVE-2023-49149
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9a423266-89e1-422d-b1e3-6368051eb2fe

10to8 Online Appointment Booking System <= 1.0.9 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Affected Software: Sign In Scheduling Online Appointment Booking System
CVE ID: CVE-2023-49173
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9fbb5ed0-ed76-44fe-88c4-eb05ad87e510

BP Better Messages <= 2.4.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Affected Software: Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss
CVE ID: CVE-2023-49168
CVSS Score: 6.4 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a4ccc7f8-c8e0-457a-b437-2a23530a9df4

Email Address Encoder 1.0.22 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Email Address Encoder
CVE ID: CVE-2023-48765
CVSS Score: 6.4 (Medium)
Researcher/s: LVT-tholv2k
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ab5b7dc4-113d-4f58-956e-2a9284e1e25e

Parallax Slider Block <= 1.2.4 – Authenticated (Author+) Stored Cross-Site Scripting

Affected Software: Parallax Slider Block
CVE ID: CVE-2023-49184
CVSS Score: 6.4 (Medium)
Researcher/s: emad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ae3974e6-cba1-4976-a6af-9e60557cfde8

Credit Tracker <= 1.1.17 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Credit Tracker
CVE ID: CVE-2023-49152
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b611f3ba-ac36-49fc-a75f-10003c5ca955

Crypto Converter Widget <= 1.8.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Crypto Converter

Widget
CVE ID: CVE-2023-49150
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d621869c-31f7-4243-9815-f6d1bbe469e2

Aparat <= 1.7.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Aparat
CVE ID: CVE-2023-48770
CVSS Score: 6.4 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e6d14dd6-ff1c-475b-8cff-efc7736124b4

Spiffy Calendar <= 4.9.5 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Spiffy Calendar
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f433edb4-a8df-4548-a401-0089b605bbe5

Multiple Plugins by Crocoblock <= (Various Versions) – Missing Authorization

Affected Software/s: JetSearch, JetTabs for Elementor, JetBlog for Elementor, JetThemeCore for Elementor, JetCompareWishlist for Elementor, JetElements, JetPopup, JetWooBuilder for Elementor, JetReviews for Elementor, JetEngine, JetTricks for Elementor, JetMenu for Elementor, JetBlocks for Elementor, JetProductGallery, JetSmartFilters for Elementor
CVE ID: CVE-2023-48761
CVSS Score: 6.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/893500ba-cc16-4429-bbe1-725aa65589c9

File Gallery <= 1.8.5.4 – Reflected Cross-Site Scripting via post_id

Affected Software: File Gallery
CVE ID: CVE-2023-48771
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0b51caf3-eff4-491f-b354-7d8939548a64

affiliate-toolkit – WordPress Affiliate Plugin <= 3.4.3 – Reflected Cross-Site Scripting via keyword

Affected Software: affiliate-toolkit – WordPress Affiliate Plugin
CVE ID: CVE-2023-46086
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0f45738b-fff6-438e-8870-508c622c1752

NextScripts <= 4.4.2 – Reflected Cross-Site Scripting via code

Affected Software: NextScripts: Social Networks Auto-Poster
CVE ID: CVE-2023-49183
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/15f00b65-8304-4132-a2cf-8145444ecfb1

Adifier (Premium Theme) < 3.1.4 – Reflected Cross-Site Scripting

Affected Software: adifier
CVE ID: CVE-2023-49187
CVSS Score: 6.1 (Medium)
Researcher/s: Vladislav Pokrovsky (ΞX.MI)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2250d512-dfe0-47d3-a61f-4e501d105f30

JetBlocks For Elementor <= 1.3.8 – Reflected Cross Site Scripting

Affected Software: JetBlocks for Elementor
CVE ID: CVE-2023-48756
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2614ca26-6efc-49f5-8cee-5b078721acc1

WP Forms Puzzle Captcha <= 4.1 – Cross-Site Request Forgery to Cross-Site Scripting

Affected Software: WP Forms Puzzle Captcha
CVE ID: CVE-2023-48278
CVSS Score: 6.1 (Medium)
Researcher/s: qilin_99
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2f34854a-5ca1-48a3-81d5-80f80f3a85fc

PowerPack Pro for Elementor <= 2.9.23 – Reflected Cross-Site Scripting

Affected Software: PowerPack Pro for Elementor
CVE ID: CVE-2023-49739
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2feabc97-0463-4e50-91a8-234445ca2504

MyTube PlayList <= 2.0.3 – Reflected Cross-Site Scripting via addplaylistid

Affected Software: MyTube PlayList
CVE ID: CVE-2023-48767
CVSS Score: 6.1 (Medium)
Researcher/s: Abu Hurayra (HurayraIIT)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/523cfed4-0422-40f3-8d81-d7862bcb1792

Seraphinite Accelerator <= 2.20.28 – Reflected Cross-Site Scripting via rt

Affected Software: Seraphinite Accelerator
CVE ID: CVE-2023-49740
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/53356d15-8db0-4015-addf-9bf66446e81f

List all posts by Authors, nested Categories and Title <= 2.7.10 – Cross-Site Scripting

Affected Software: List all posts by Authors, nested Categories and Titles
CVE ID: CVE-2023-49182
CVSS Score: 6.1 (Medium)
Researcher/s: Skalucy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6b84df5b-ff93-43b3-b9e4-cf963cf2af10

BrainCert – HTML5 Virtual Classroom <= 1.30 – Reflected Cross-Site Scripting

Affected Software: BrainCert – HTML5 Virtual Classroom
CVE ID: CVE-2023-49172
CVSS Score: 6.1 (Medium)
Researcher/s: Abu Hurayra (HurayraIIT)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/76b3b5b7-fefe-44fb-a30e-c55226d4aaea

HDW Player Plugin (Video Player & Video Gallery) <= 5.0 – Cross-Site Scripting

Affected Software: HDW Player Plugin (Video Player & Video Gallery)
CVE ID: CVE-2023-49178
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/778aa2be-ffcb-4d28-9efe-c29c8d5391bd

Forms by CaptainForm <= 2.5.3 – Reflected Cross-Site Scripting via REQUEST_URI

Affected Software: Forms by CaptainForm – Form Builder for WordPress
CVE ID: CVE-2023-49170
CVSS Score: 6.1 (Medium)
Researcher/s: Abu Hurayra (HurayraIIT)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7f690ea9-b773-49d4-9fa4-2a8bb7593d62

WP Pocket URLs <= 1.0.2 – Reflected Cross-Site Scripting

Affected Software: WP Pocket URLs
CVE ID: CVE-2023-49176
CVSS Score: 6.1 (Medium)
Researcher/s: SeungYongLee
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8a22873f-6f09-4183-92c5-a84e0d378920

Campaign Monitor for WordPress <= 2.8.12 – Reflected Cross-Site Scripting

Affected Software: Campaign Monitor for WordPress
CVE ID: CVE-2023-38474
CVSS Score: 6.1 (Medium)
Researcher/s: Phd
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a4d7cab5-1641-4ed3-92c7-ad7594dcb74b

which template file <= 4.9.0 – Unauthenticated Cross-Site Scripting

Affected Software: which template file
CVE ID: CVE-2023-49177
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/be3208c8-aceb-4ac9-91e1-d5de5a85f74d

Doofinder for WooCommerce <= 2.1.4 – Reflected Cross-Site Scripting

Affected Software: Doofinder WP & WooCommerce Search
CVE ID: CVE-2023-49185
CVSS Score: 6.1 (Medium)
Researcher/s: Phd
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e46a2031-e304-43fb-85bf-ec9abf0b2f90

Innovs HR <= 1.0.3.4 – Reflected Cross-Site Scripting

Affected Software: Innovs HR – Complete Human Resource Management System for Your Business
CVE ID: CVE-2023-49171
CVSS Score: 6.1 (Medium)
Researcher/s: SeungYongLee
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f43b5c02-fb10-48f1-9457-f67c5008fe5b

Happyforms <= 1.25.9 – Reflected Cross-Site Scripting

Affected Software: Form builder to get in touch with visitors, grow your email list and collect payments — Happyforms
CVE ID: CVE-2023-48752
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ff986a66-93f7-4926-8818-7af745c0166c

SiteOrigin Widgets Bundle < 1.51.0 – Authenticated (Admin+) Local File Inclusion

Affected Software: SiteOrigin Widgets Bundle
CVE ID: CVE-2023-6295
CVSS Score: 5.9 (Medium)
Researcher/s: Sebastian Neef
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1dbdc673-b0ee-4d1d-8cd9-603056f41cda

Automatic Youtube Video Posts Plugin <= 5.2.2 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings

Affected Software: Automatic Youtube Video Posts Plugin
CVE ID: CVE-2023-49180
CVSS Score: 5.5 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6a595b3c-2b21-43fe-8d4e-6721f4541c9b

Client Dash <= 2.2.1 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings

Affected Software: Client Dash
CVE ID: CVE-2023-49165
CVSS Score: 5.5 (Medium)
Researcher/s: emad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7f8839cf-9e48-4981-8a0d-bb0c06cdf441

WP Event Manager <= 3.1.39 – Authenticated (Editor+) Stored Cross-Site Scripting

Affected Software: WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce
CVE ID: CVE-2023-49181
CVSS Score: 5.5 (Medium)
Researcher/s: emad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f25b2a4b-d863-4f24-ae67-4c8e41602c6f

Download canvasio3D Light <= 2.4.6 – Missing Authorization

Affected Software: canvasio3D Light
CVE ID: CVE-2023-48776
CVSS Score: 5.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/11795557-74c0-469a-9751-adc759f9214b

Export WP Page to Static HTML/CSS <= 2.1.9 – Missing Authorization via Multiple AJAX Actions

Affected Software: Export WP Page to Static HTML/CSS
CVE ID: CVE-2023-6369
CVSS Score: 5.4 (Medium)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/47cb48aa-b556-4f25-ac68-ff0a812972c1

Abandoned Cart Lite for WooCommerce <= 5.16.1 – Missing Authorization via multiple AJAX functions

Affected Software: Abandoned Cart Lite for WooCommerce
CVE ID: CVE-2023-41671
CVSS Score: 5.4 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/51cfe955-f854-4f88-a009-93f92ae13d86

Chronopost & Mondial relay pour WooCommerce – WCMultiShipping <= 2.3.7 – Incorrect Authorization

Affected Software: UPS, Mondial Relay & Chronopost for WooCommerce – WCMultiShipping
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/16a3469d-6264-4ed7-b6ae-fdd7a80c8ca5

Abandoned Cart Lite for WooCommerce <= 5.16.1 – Cross-Site Request Forgery

Affected Software: Abandoned Cart Lite for WooCommerce
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1ce1316b-674a-4436-968f-9ffca4e8f726

Social Pug <= 1.20.3 – Missing Authorization via multiple admin_init actions

Affected Software: Hubbub Lite (formerly Grow Social)
CVE ID: CVE-2023-49193
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/22b17fcb-0c97-462d-b67c-6da2919478d5

Enhanced Text Widget <= 1.6.2 – Missing Authorization via etw_hide_admin_notification_callback

Affected Software: Enhanced Text Widget
CVE ID: CVE-2023-49192
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/25122475-fc2c-4a8c-90d3-f4a85fb3a8cc

360 Javascript Viewer <= 1.7.11 – Missing Authorization

Affected Software: 360 Javascript Viewer
CVE ID: CVE-2023-48779
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/25a8169d-1057-4cf2-9048-fb85f62d6ead

Yet Another Stars Rating <= 3.4.3 – Missing Authorization via init

Affected Software: YASR – Yet Another Star Rating Plugin for WordPress
CVE ID: CVE-2023-39305
CVSS Score: 5.3 (Medium)
Researcher/s: Revan Arifio
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/395b016f-018c-458d-a585-34f3de3eae5c

PageLayer <= 1.7.7 – Cross-Site Request Forgery via pagelayer_load_plugin

Affected Software: Page Builder: Pagelayer – Drag and Drop website builder
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3a0c8ecc-f0a1-41fa-a5f7-2d65d610efc0

Participants Database <= 2.5.5 – Missing Authorization

Affected Software: Participants Database
CVE ID: CVE-2023-48751
CVSS Score: 5.3 (Medium)
Researcher/s: Yudistira Arya
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3cd2b2ba-c4ec-4799-91b4-b38c462baee4

WP Retina 2x <= 6.4.5 – Sensitive Information Exposure

Affected Software: Perfect Images (Manage Image Sizes, Thumbnails, Replace, Retina)
CVE ID: CVE-2023-44982
CVSS Score: 5.3 (Medium)
Researcher/s: Joshua Chan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/52c2aae5-17c2-45eb-b55f-bb27555fb1f7

WP Forms Puzzle Captcha <= 4.1 – Captcha Bypass

Affected Software: WP Forms Puzzle Captcha
CVE ID: CVE-2023-48276
CVSS Score: 5.3 (Medium)
Researcher/s: qilin_99
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/58502e48-c1cf-4b94-954c-71046256c917

Media File Renamer <= 5.6.9 – Sensitive Information Exposure via Log File

Affected Software: Media File Renamer: Rename Files (Manual, Auto & AI)
CVE ID: CVE-2023-44991
CVSS Score: 5.3 (Medium)
Researcher/s: Joshua Chan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/71e55161-f5ad-44e5-8a61-ce48c05e6dba

Aruba HiSpeed Cache <= 2.0.6 – Sensitive Information Exposure via Log File

Affected Software: Aruba HiSpeed Cache
CVE ID: CVE-2023-44983
CVSS Score: 5.3 (Medium)
Researcher/s: Joshua Chan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7391dd8c-0170-48c6-8451-9e7a00e268d0

Button Generator – easily Button Builder <= 2.3.8 – Missing Authorization

Affected Software: Button Generator – easily Button Builder
CVE ID: CVE-2023-49154
CVSS Score: 5.3 (Medium)
Researcher/s: Elliot
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/73dd286e-5338-42d2-9928-1e14150ccf56

Restricted Site Access <= 7.4.1 – IP Spoofing to Protection Mechanism Bypass

Affected Software: restricted-site-access
CVE ID: CVE-2023-48753
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/804169d3-a53a-42ba-821d-e9647ac075c4

Importify <= 1.0.4 – Unauthenticated Sensitive Information Exposure

Affected Software: Importify – Dropshipping WooCommerce Plugin for Aliexpress, Amazon, Etsy, Alibaba, Walmart & More
CVE ID: CVE-2023-49194
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/830ff660-0265-46e5-8d16-ecd03cdf9f52

Swift Performance Lite <= 2.3.6.14 – Missing Authorization to Unauthenticated Settings Export

Affected Software: Swift Performance Lite
CVE ID: CVE-2023-6289
CVSS Score: 5.3 (Medium)
Researcher/s: Krzysztof Zając
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8321f68f-da2d-4382-979d-54008de2cae7

Gift Up 2.21.3 – Cross-Site Request Forgery via consume_post

Affected Software: Gift Up Gift Cards for WordPress and WooCommerce
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/95abec2d-a03a-4b07-8890-18568650c41f

teachPress <= 9.0.4 – Cross-Site Request Forgery

Affected Software: teachPress
CVE ID: CVE-2023-48755
CVSS Score: 5.3 (Medium)
Researcher/s: LVT-tholv2k
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9956e04c-ff59-40c0-a8ab-3e2ed2c52d7f

Coming soon and Maintenance mode <= 3.7.3 – IP Address Spoofing via get_real_ip

Affected Software: Coming soon and Maintenance mode
CVE ID: CVE-2023-49741
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9fd9c076-d36c-4cda-b636-aa65195956d2

JetElements For Elementor <= 2.6.13 – Missing Authorization to Unauthenticated Arbitrary Attachment Download

Affected Software: JetElements
CVE ID: CVE-2023-48759
CVSS Score: 5.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d199e597-64ed-4dcc-a153-b5c8e4e9e93d

BigCommerce <= 5.0.6 – Unauthenticated Sensitive Information Exposure

Affected Software: BigCommerce For WordPress
CVE ID: CVE-2023-49162
CVSS Score: 5.3 (Medium)
Researcher/s: Joshua Chan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e3a7e0b6-dc6d-4e3a-bb05-12d6ace330df

JetFormBuilder <= 3.1.4 – Unauthenticated Content Injection

Affected Software: JetFormBuilder — Dynamic Blocks Form Builder
CVE ID: CVE-2023-48763
CVSS Score: 5.3 (Medium)
Researcher/s: Revan Arifio
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f0343861-a376-43ea-826e-277c2a5ea635

Antispam Bee <= 2.11.3 – IP Address Spoofing via get_client_ip

Affected Software: Antispam Bee
CVE ID: CVE-2023-41134
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fb102891-b4a8-4089-b70c-43866ad85b7b

KP Fastest Tawk.to Chat <= 1.1.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: KP Fastest Tawk.to Chat
CVE ID: CVE-2023-49175
CVSS Score: 4.4 (Medium)
Researcher/s: emad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/02ddfc75-8a9e-4a8e-8339-52348a963c69

GDPR Cookie Consent by Supsystic <= 2.1.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: GDPR Cookie Consent by Supsystic
CVE ID: CVE-2023-49191
CVSS Score: 4.4 (Medium)
Researcher/s: DoYeon Park (p6rkdoye0n)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/158a63c1-1b2e-4fbf-ac86-43471ba8ebc2

Molongui <= 4.6.19 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Author Box, Guest Author and Co-Authors for Your Posts – Molongui
CVE ID: CVE-2023-39921
CVSS Score: 4.4 (Medium)
Researcher/s: Abdullah Hussam
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/16130c5d-9865-4953-b078-0b448722e36d

Chart Builder <= 1.9.6 – Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: Chartify – WordPress Chart Plugin
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/18cbf346-91a3-4856-930e-7753eb1470d9

SoundCloud Shortcode <= 3.1.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: SoundCloud Shortcode
CVE ID: CVE-2023-34018
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5084afcc-b6fc-4d89-9ad7-c4ea3e4dae82

Social Share Buttons & Analytics Plugin – GetSocial.io <= 4.3.12 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Social Share Buttons & Analytics Plugin – GetSocial.io
CVE ID: CVE-2023-49189
CVSS Score: 4.4 (Medium)
Researcher/s: DoYeon Park (p6rkdoye0n)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/513124f6-ea14-46ca-94c5-f9fa15b19d8c

Simple Long Form <= 2.2.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Simple Long Form
CVE ID: CVE-2023-41136
CVSS Score: 4.4 (Medium)
Researcher/s: DoYeon Park (p6rkdoye0n)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/68c22e71-c704-44c1-86e6-856f6244393d

Track Geolocation Of Users Using Contact Form 7 <= 1.4 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Track Geolocation Of Users Using Contact Form 7
CVE ID: CVE-2023-49188
CVSS Score: 4.4 (Medium)
Researcher/s: DoYeon Park (p6rkdoye0n)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/724d8f79-f683-4b06-841d-a9104c87f3c6

BSK Forms Blacklist <= 3.6.3 – Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: BSK Forms Blacklist
CVE ID: CVE-2023-5980
CVSS Score: 4.4 (Medium)
Researcher/s: Bob Matyas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8283a502-6fb8-43ff-8f46-8afbfdbb22f7

Multiple Post Passwords <= 1.1.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Multiple Post Passwords
CVE ID: CVE-2023-49157
CVSS Score: 4.4 (Medium)
Researcher/s: DoYeon Park (p6rkdoye0n)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8f220293-9789-4824-b736-ead014c45366

Site Offline <= 1.5.6 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Site Offline Or Coming Soon Or Maintenance Mode
CVE ID: CVE-2023-49190
CVSS Score: 4.4 (Medium)
Researcher/s: emad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/96f30a22-f218-48e7-9796-b9f1d5becc2c

Evergreen Content Poster <= 1.3.6.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Evergreen Content Poster – Auto Post and Schedule Your Best Content to Social Media
CVE ID: CVE-2023-41127
CVSS Score: 4.4 (Medium)
Researcher/s: DoYeon Park (p6rkdoye0n)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d7b67c83-7fb7-4bac-a8eb-7fc318f2ff50

Nested Pages <= 3.2.6 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Nested Pages
CVE ID: CVE-2023-49195
CVSS Score: 4.4 (Medium)
Researcher/s: emad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ec9029a3-be05-469a-a8e2-20987a4a4ad9

Multiple Plugins by Crocoblock <= (Various Versions) – Cross-Site Request Forgery

Affected Software/s: JetSearch, JetTabs for Elementor, JetBlog for Elementor, JetThemeCore for Elementor, JetCompareWishlist for Elementor, JetElements, JetPopup, JetWooBuilder for Elementor, JetReviews for Elementor, JetEngine, JetTricks for Elementor, JetMenu for Elementor, JetBlocks for Elementor, JetProductGallery, JetSmartFilters for Elementor
CVE ID: CVE-2023-48762
CVSS Score: 4.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1c85e5e0-d8ee-46d3-99b1-df6c6744f020

teachPress <= 9.0.5 – Cross-Site Request Forgery via delete_database()

Affected Software: teachPress
CVE ID: CVE-2023-49163
CVSS Score: 4.3 (Medium)
Researcher/s: LVT-tholv2k
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3544357f-97c9-49cb-a48d-74b60480111d

Qode Essential Addons <= 1.5.2 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation/Activation

Affected Software: Qode Essential Addons
CVE ID: CVE-2023-47840
CVSS Score: 4.3 (Medium)
Researcher/s: Brandon James Roldan (tomorrowisnew)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/443c59b9-275d-4d17-a870-9ae013c1a5c1

WP Shortcodes Plugin — Shortcodes Ultimate <= 5.13.3 – Insecure Direct Object Reference to Information Disclosure

Affected Software: WP Shortcodes Plugin — Shortcodes Ultimate
CVE ID: CVE-2023-6226
CVSS Score: 4.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4d936a48-b300-4a41-8d28-ba34cb3c5cb7

IdeaPush <= 8.53 – Missing Authorization

Affected Software: IdeaPush
CVE ID: CVE-2023-48774
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5811fc63-da34-43cb-ae33-a34a8795bb72

Quotes for WooCommerce <= 2.0.1 – Missing Authorization

Affected Software: Quotes for WooCommerce
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5f7a5d4b-8ba2-45d8-92d4-3c66a81fb4f8

Quotes for WooCommerce <= 2.0.1 – Cross-Site Request Forgery

RegistrationMagic <= 5.2.2.6 – Cross-Site Request Forgery

Affected Software: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login
CVE ID: CVE-2023-47645
CVSS Score: 4.3 (Medium)
Researcher/s: thiennv
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7dcde10d-4eb7-42fe-926e-05e56affc521

Debug Log Manager <= 2.2.0 – Cross-Site Request Forgery

Affected Software: Debug Log Manager
CVE ID: CVE-2023-5772
CVSS Score: 4.3 (Medium)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7e539549-1125-4b0e-aa3c-c8844041c23a

LadiApp <= 4.3 – Missing Authorization

Affected Software: LadiApp: Landing Page, PopupX, Marketing Automation, Affiliate Marketing…
CVE ID: CVE-2023-49158
CVSS Score: 4.3 (Medium)
Researcher/s: Truoc Phan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8f88ff96-5bd7-448d-a030-e75fd268bff6

Ocean Extra <= 2.2.2 – Cross-Site Request Forgery to Arbitrary Plugin Activation

Affected Software: Ocean Extra
CVE ID: CVE-2023-49164
CVSS Score: 4.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ac111175-2059-41dc-afa2-a659da3adaca

SpeedyCache <= 1.1.2 – Missing Authorization via speedycache_create_test_cache

Affected Software: SpeedyCache – Cache, Optimization, Performance
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ac7c0dde-5299-4938-beed-eb2fe227a812

Button Generator – easily Button Builder <= 2.3.8 – Cross-Site Request Forgery

Affected Software: Button Generator – easily Button Builder
CVE ID: CVE-2023-49155
CVSS Score: 4.3 (Medium)
Researcher/s: Elliot
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b73467de-fb0c-45e3-b3ae-5158b261907b

Add to Cart Text Changer and Customize Button, Add Custom Icon <= 2.0 – Cross-Site Request Forgery via wactc_text_form

Affected Software: Add to Cart Text Changer and Customize Button, Add Custom Icon
CVE ID: CVE-2023-49153
CVSS Score: 4.3 (Medium)
Researcher/s: Skalucy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c4470c03-64fc-46d9-b224-de5a3149c3d5

GoDaddy Email Marketing <= 1.4.3 – Missing Authorization

Affected Software: GoDaddy Email Marketing
CVE ID: CVE-2023-49156
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c8d9d19e-a080-40e9-8a71-01888393f618

SchedulePress <= 5.0.4 – Insufficient Authorization to Authenticated (Contributor+) Arbitrary Post Modifications

Affected Software: SchedulePress – Best Editorial Calendar, Missed Schedule & Auto Social Share
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cd2c9b28-d5b5-4930-a441-f889ee2778cd

Ecwid Ecommerce Shopping Cart <= 6.12.4 – Cross-Site Request Forgery

Affected Software: Ecwid Ecommerce Shopping Cart
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/db5d6cc9-24d7-42bf-905e-4c3764c659ed

AdFoxly – Ad Manager, AdSense Ads & Ads.txt <= 1.8.5 – Cross-Site Request Forgery

Affected Software: AdFoxly – Ad Manager, AdSense Ads & Ads.txt
CVE ID: CVE-2023-46617
CVSS Score: 4.3 (Medium)
Researcher/s: LVT-tholv2k
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e46513d2-65d0-4215-99a7-051603ec4569

Affiliate Booster – Pros & Cons, Notice, and CTA Blocks for Affiliates <= 3.0.4 – Cross-Site Request Forgery via process_bulk_action

Affected Software: Affiliate Booster – Pros & Cons, Notice, and CTA Blocks for Affiliates
CVE ID: CVE-2023-49148
CVSS Score: 4.3 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e4b9eeb9-7ce4-446d-8ac0-af9cea0c893a

Razorpay for WooCommerce <= 4.5.6 – Cross-Site Request Forgery

Affected Software: Razorpay for WooCommerce
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e6a2b2f6-c648-4755-be24-92c7f287813e

Delete Post Revisions In WordPress <= 4.6 – Cross-Site Request Forgery

Affected Software: Delete Post Revisions In WordPress
CVE ID: CVE-2023-48754
CVSS Score: 4.3 (Medium)
Researcher/s: Skalucy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f1946a48-c1d6-4ca9-909f-0d4b78c25c36

Razorpay for WooCommerce <= 4.5.6 – Missing Authorization

As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (November 27, 2023 to December 3, 2023) appeared first on Wordfence.