Wordfence Intelligence Weekly WordPress Vulnerability Report (December 18, 2023 to December 31, 2023)


Over the last two weeks, 263 vulnerabilities were disclosed in 217 WordPress plugins and 3 WordPress themes and added to the Wordfence Intelligence Vulnerability Database, and 42 vulnerability researchers contributed to WordPress security last week. Review the vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, including the WordPress community, so that individuals and organizations alike can use that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and use, both personally and commercially, and why we publish this weekly vulnerability report.

Enterprises, hosting providers, and even individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Alternatively, they can use the Vulnerability Database API to retrieve a complete dump of our database of over 12,000 vulnerabilities, and then use the webhook integration to stay on top of newly added vulnerabilities and any updates made to the database in real time, all for free.

Click here to sign up for our mailing list to receive weekly vulnerability reports like this one, and important WordPress security reports, in your inbox the moment they are published.


New Firewall Rules Deployed Last Two Weeks

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

  • Directory Traversal via HTTP Headers

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30-day delay.


Total Unpatched & Patched Vulnerabilities Last Week

Patch Status Number of Vulnerabilities
Unpatched 43
Patched 220

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating Number of Vulnerabilities
Low Severity 1
Medium Severity 212
High Severity 30
Critical Severity 20

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) 77
Missing Authorization 51
Cross-Site Request Forgery (CSRF) 47
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) 30
Unrestricted Upload of File with Dangerous Type 9
Deserialization of Untrusted Data 7
Information Exposure Through Log Files 7
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) 5
Information Exposure 4
Protection Mechanism Failure 3
Authorization Bypass Through User-Controlled Key 3
Server-Side Request Forgery (SSRF) 2
URL Redirection to Untrusted Site (‘Open Redirect’) 2
Storage of Sensitive Data in a Mechanism without Access Control 2
Weak Password Recovery Mechanism for Forgotten Password 2
Improper Input Validation 2
Improper Privilege Management 1
Reliance on IP Address for Authentication 1
External Control of File Name or Path 1
Information Exposure Through Debug Information 1
Use of Less Trusted Source 1
Improper Authentication 1
Improper Authorization 1
Improper Access Control 1
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) 1
Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) 1

Researchers That Contributed to WordPress Security Last Week

Researcher Name Number of Vulnerabilities
Rafie Muhammad 61
Brandon James Roldan (tomorrowisnew) 24
Muhammad Daffa 23
Ngô Thiên An (ancorn_) 16
LVT-tholv2k 14
emad 11
Abdi Pranata 10
Joshua Chan 10
Nguyen Xuan Chien 9
Abu Hurayra (HurayraIIT) 9
Mika 6
Skalucy 6
Dave Jong 6
thiennv 5
resecured.io 5
Revan Arifio 5
Huynh Tien Si 3
wpdabh 3
Le Ngoc Anh 3
Dmitrii Ignatyev 3
DoYeon Park (p6rkdoye0n) 3
Hiroho Shimada 2
Kyle Sanchez 2
Hung -mov Nguyen 2
Webbernaut 2
Nguyen Anh Tien 2
Jeongwoo-Lee(Roronoa) 2
Elliot 1
István Márton (Wordfence Vulnerability Researcher) 1
Taihei Shimamine 1
Rein Daelman (trein) 1
Robert DeVore 1
Marc-Alexandre Montpas 1
Vladislav Pokrovsky (ΞX.MI) 1
Yuchen Ji 1
Fariq Fadillah Gusti Insani (fariqfgi) 1
Yudistira Arya 1
Lucio Sá 1
Francesco Carlucci 1
Benmalek Aymen (centaurus) 1
Nex Team 1
Françoa Taffarel 1


Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added to the Wordfence Intelligence leaderboard, along with a mention in our weekly vulnerability report.


WordPress Plugins with Reported Vulnerabilities Last Week

Software Name Software Slug
404 Solution 404-solution
AI Power: Complete AI Pack – Powered by GPT-4 gpt3-ai-content-generator
AMP for WP – Accelerated Mobile Pages accelerated-mobile-pages
ARI Stream Quiz – WordPress Quizzes Builder ari-stream-quiz
ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup armember-membership
Accredible Certificates & Open Badges accredible-certificates
Active Products Tables for WooCommerce. Professional products tables for WooCommerce store profit-products-tables-for-woocommerce
Add Any Extension to Pages add-any-extension-to-pages
Advanced Access Manager – Restricted Content, Users & Roles, Enhanced Security and More advanced-access-manager
Advanced Category Template advanced-category-template
Advanced Form Integration – Connect WooCommerce and Contact Form 7 to Google Sheets and other platforms advanced-form-integration
Affiliates Manager affiliates-manager
All-in-one Floating Contact Form, Call, Chat, and 50+ Social Icon Tabs – My Sticky Elements mystickyelements
Apollo13 Framework Extensions apollo13-framework-extensions
Appointment & Event Booking Calendar Plugin – Webba Booking webba-booking-lite
Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin simply-schedule-appointments
Author Box, Guest Author and Co-Authors for Your Posts – Molongui molongui-authorship
Auto Amazon Links – Amazon Associates Affiliate Plugin amazon-auto-links
Awesome Support – WordPress HelpDesk & Support Plugin awesome-support
BERTHA AI. Your AI co-pilot for WordPress and Chrome bertha-ai-free
Back Button Widget back-button-widget
Backup Migration backup-backup
Beaver Builder – WordPress Page Builder beaver-builder-lite-version
Block IPs for Gravity Forms gf-block-ips
Booking Calendar | Appointment Booking | BookIt bookit
Booking Manager booking-manager
Booking for Appointments and Events Calendar – Amelia ameliabooking
BookingPress – Appointment Booking Calendar Plugin and Online Scheduling Plugin bookingpress-appointment-booking
Booster Elite for WooCommerce booster-elite-for-woocommerce
Branda – White Label WordPress, Custom Login Page Customizer branda-white-labeling
Brave – Create Popup, Optins, Lead Generation, Survey, Sticky Elements & Interactive Content brave-popup-builder
BuddyPress buddypress
Build App Online build-app-online
BulkGate SMS Plugin for WooCommerce woosms-sms-module-for-woocommerce
Business Directory Plugin – Easy Listing Directories for WordPress business-directory-plugin
CBX Bookmark & Favorite cbxwpbookmark
CRM Perks Forms – WordPress Form Builder crm-perks-forms
CSS & JavaScript Toolbox css-javascript-toolbox
CURCY – Multi Currency for WooCommerce UNKNOWN-CVE-2023-50831-1
Calculated Fields Form calculated-fields-form
Checkout Mestres WP checkout-mestres-wp
Clockwork SMS Notfications mediaburst-email-to-sms
Clone wp-clone-by-wp-academy
Colibri Page Builder colibri-page-builder
Conversios – Google Analytics 4 (GA4), Meta Pixel & more Via Google Tag Manager For WooCommerce enhanced-e-commerce-for-woocommerce-store
Crowdsignal Dashboard – Polls, Surveys & more polldaddy
Currency Converter Widget – Exchange Rates currency-converter-widget
Custom 404 Pro custom-404-pro
Custom Post Carousels with Owl dd-post-carousel
Custom Twitter Feeds – A Tweets Widget or X Feed Widget custom-twitter-feeds
Customer Reviews for WooCommerce customer-reviews-woocommerce
Customize My Account for WooCommerce customize-my-account-for-woocommerce
Dan’s Embedder for Google Calendar dans-gcal
Database Cleaner: Clean, Optimize & Repair database-cleaner
Defender Security – Malware Scanner, Login Security & Firewall defender-security
Disable Json API, Login Lockdown, XMLRPC, Pingback, Stop User Enumeration Anti Hacker Scan antihacker
Doofinder WP & WooCommerce Search doofinder-for-woocommerce
Duplicator – WordPress Migration & Backup Plugin duplicator
Dynamic Content for Elementor dynamic-content-for-elementor
E2Pdf – Export To Pdf Tool for WordPress e2pdf
Easy Digital Downloads – Sell Digital Files (eCommerce Store & Payments Made Easy) easy-digital-downloads
Easy PayPal & Stripe Buy Now Button wp-ecommerce-paypal
Easy Video Player easy-video-player
Eazy Plugin Manager – Powerful Plugin Management Solution for WordPress plugins-on-steroids
Enable Media Replace enable-media-replace
EnvíaloSimple: Email Marketing y Newsletters envialosimple-email-marketing-y-newsletters-gratis
Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates essential-blocks
Event Monster – Event Management, Tickets Booking, Upcoming Event event-monster
Events Shortcodes For The Events Calendar template-events-calendar
Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin everest-backup
Everest Forms – Build Contact Forms, Surveys, Polls, Application Forms, and more with Ease! everest-forms
Export Media URLs export-media-urls
FOX – Currency Switcher Professional for WooCommerce woocommerce-currency-switcher
FastDup – Fastest WordPress Migration & Duplicator fastdup
Floating Button floating-button
Fluent Support – WordPress Helpdesk and Customer Support Ticket Plugin fluent-support
Form plugin for WordPress – Zoho Forms zoho-forms
Frontend Admin by DynamiApps acf-frontend-form-element
Funnel Builder for WordPress by FunnelKit – Customize WooCommerce Checkout Pages, Create Sales Funnels & Maximize Profits funnel-builder
FunnelKit Checkout woofunnels-aero-checkout
GEO my WordPress geo-my-wp
GeoDirectory – WordPress Business Directory Plugin, or Classified Directory geodirectory
Google Photos Gallery with Shortcodes google-picasa-albums-viewer
HT Mega – Absolute Addons For Elementor ht-mega-for-elementor
HTML Forms html-forms
HUSKY – Products Filter for WooCommerce Professional woocommerce-products-filter
Happy Addons for Elementor happy-elementor-addons
HashBar – WordPress Notification Bar hashbar-wp-notification-bar
Icegram Engage – WordPress Lead Generation, Popup Builder, CTA, Optins and Email List Building icegram
If-So Dynamic Content Personalization if-so
Image Optimizer, Resizer and CDN – Sirv sirv
Image Source Control Lite – Show Image Credits and Captions image-source-control-isc
Impreza – WordPress Website and WooCommerce Builder impreza
Inline Image Upload for BBPress image-upload-for-bbpress
Insert or Embed Articulate Content into WordPress insert-or-embed-articulate-content-into-wordpress
Integrate Google Drive – Browse, Upload, Download, Embed, Play, Share, Gallery, and Manage Your Google Drive Files Into Your WordPress Site integrate-google-drive
JS Help Desk – Best Help Desk & Support Plugin js-support-ticket
JSM file_get_contents() Shortcode wp-file-get-contents
JVM Gutenberg Rich Text Icons jvm-rich-text-icons
Job Manager & Career – Manage job board listings, and recruitments job-manager-career
LA-Studio Element Kit for Elementor lastudio-element-kit
Limit Login Attempts Reloaded limit-login-attempts-reloaded
Loan Repayment Calculator and Application Form quick-interest-slider
Local Delivery Drivers for WooCommerce local-delivery-drivers-for-woocommerce
Login Lockdown – Protect Login Form login-lockdown
Login as User or Customer login-as-customer-or-user
Logo Slider – Logo Showcase, Logo Carousel, Logo Gallery and Client Logo Presentation gs-logo-slider
MC4WP: Mailchimp for WordPress mailchimp-for-wp
MF Gig Calendar mf-gig-calendar
MStore API mstore-api
Mail logging – WP Mail Catcher wp-mail-catcher
Malware Scanner miniorange-malware-protection
Media File Renamer: Rename Files (Manual, Auto & AI) media-file-renamer
Menu Image, Icons made easy menu-image
Metform Elementor Contact Form Builder metform
Most And Least Read Posts Widget most-and-least-read-posts-widget
Multi Step Form multi-step-form
MultiVendorX Marketplace – WooCommetrce MultiVendor Marketplace Solution dc-woocommerce-multi-vendor
My Agile Privacy – The only GDPR solution for WordPress that you can truly trust myagileprivacy
NEX-Forms – Ultimate Form Builder – Contact forms and much more nex-forms-express-wp-form-builder
New User Approve new-user-approve
NitroPack – Cache & Speed Optimization for Core Web Vitals, Defer CSS & JavaScript, Lazy load Images nitropack
Page Generator page-generator
Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction paid-member-subscriptions
Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions paid-memberships-pro
Pay with Vipps for WooCommerce woo-vipps
Photo Gallery by 10Web – Mobile-Friendly Image Gallery photo-gallery
Piotnet Forms piotnetforms
Poll Maker – Best WordPress Poll Plugin poll-maker
Pre* Party Resource Hints pre-party-browser-hints
Product Catalog Simple post-type-x
Product Code for WooCommerce product-code-for-woocommerce
Product Feed Manager – WooCommerce to Google Shopping, Social Catalogs, and 170+ Popular Marketplaces best-woocommerce-feed
Product Filter by WBW woo-product-filter
Product Table by WBW woo-product-tables
Product Vendors woocommerce-product-vendors
ProfileGrid – User Profiles, Memberships, Groups and Communities profilegrid-user-profiles-groups-and-communities
Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress quiz-master-next
Rate my Post – WP Rating System rate-my-post
Recipe Maker For Your Food Blog from Zip Recipes zip-recipes
Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit wp-marketing-automations
RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login custom-registration-form-builder-with-submission-manager
Rencontre – Dating Site rencontre
Republish Old Posts republish-old-posts
Restaurant Reservations nd-restaurant-reservations
Rise Blocks – A Complete Gutenberg Page Builder rise-blocks
Schema & Structured Data for WP & AMP schema-and-structured-data-for-wp
Send Users Email send-users-email
Sensei LMS – Online Courses, Quizzes, & Learning sensei-lms
Seos Contact Form seos-contact-form
Simple Counter abwp-simple-counter
Simple Job Board simple-job-board
Simple Membership simple-membership
Simple Staff List simple-staff-list
Slider by Soliloquy – Responsive Image Slider for WordPress soliloquy-lite
Spam protection, Anti-Spam, FireWall by CleanTalk cleantalk-spam-protect
Split Test For Elementor split-test-for-elementor
Squirrly SEO – Advanced Pack squirrly-seo-pack
Sticky Chat Widget: WhatsApp, Messenger, Click to chat, SMS, Email, Messages, Call Button, Contact form and more Chat buttons sticky-chat-widget
Stock Ticker stock-ticker
Store Locator WordPress agile-store-locator
Strong Testimonials strong-testimonials
Stylish Price List – Price Table Builder & QR Code Restaurant Menu stylish-price-list
SureFeedback Client Site projecthuddle-child-site
TerraClassifieds – Simple Classifieds Plugin terraclassifieds
Theme per user theme-per-user
Themify Icons themify-icons
Thrive Automator thrive-automator
Ultimate Addons for Beaver Builder bb-ultimate-addon
Ultimate Addons for WPBakery Ultimate_VC_Addons
Ultimate Dashboard – Custom WordPress Dashboard ultimate-dashboard
Uncanny Automator – Automate everything with the #1 no-code automation and integration plugin uncanny-automator
User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds userfeedback-lite
Verge3D Publishing and E-Commerce verge3d
WP Adminify – WordPress Dashboard Customization | Custom Login | Admin Columns | Dashboard Widget | Media Library Folders adminify
WP Affiliate Disclosure wp-affiliate-disclosure
WP Chat App wp-whatsapp
WP Crowdfunding wp-crowdfunding
WP Edit Username wp-edit-username
WP Frontend Profile wp-front-end-profile
WP Go Maps (formerly WP Google Maps) wp-google-maps
WP Job Portal – A Complete Job Board wp-job-portal
WP MLM SOFTWARE PLUGIN wp-mlm
WP Mail Log wp-mail-log
WP Optin Wheel – Gamified Optin Email Marketing Tool for WordPress and WooCommerce wp-optin-wheel
WP Remote Site Search wp-remote-site-search
WP Review Slider wp-facebook-reviews
WP Shortcodes Plugin — Shortcodes Ultimate shortcodes-ultimate
WP Simple Booking Calendar wp-simple-booking-calendar
WP Stripe Checkout wp-stripe-checkout
WP Tabs – Responsive Tabs Plugin for WordPress wp-expand-tabs-free
WP User Profile Avatar wp-user-profile-avatar
WPC Product Bundles for WooCommerce woo-product-bundle
WPCS – WordPress Currency Switcher Professional currency-switcher
WS Form LITE – Drag & Drop Contact Form Builder for WordPress ws-form
Webinar Plugin: Create live/evergreen/automated/instant webinars, stream & Zoom Meetings | WebinarIgnition webinar-ignition
Welcart e-Commerce usc-e-shop
White Label – WordPress Custom Admin, Custom Login Page, and Custom Dashboard white-label
WooCommerce Easy Duplicate Product woo-easy-duplicate-product
WooCommerce Menu Extension woocommerce-menu-extension
WooCommerce PDF Invoice Builder, Create invoices, packing slips and more woo-pdf-invoice-builder
WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels print-invoices-packing-slip-labels-for-woocommerce
WooCommerce Per Product Shipping woocommerce-shipping-per-product
WooCommerce Ship to Multiple Addresses woocommerce-shipping-multiple-addresses
WooCommerce Stripe Payment Gateway woocommerce-gateway-stripe
WooCommerce Warranty Requests woocommerce-warranty
WooPayments – Fully Integrated Solution Built and Supported by Woo woocommerce-payments
Woocommerce Shipping Canada Post woocommerce-shipping-canada-post
WordPress Infinite Scroll – Ajax Load More ajax-load-more
WordPress.com Editing Toolkit full-site-editing
YITH WooCommerce Product Add-Ons yith-woocommerce-product-add-ons
ZeroBounce Email Verification & Validation zerobounce
eCommerce Product Catalog Plugin for WordPress ecommerce-product-catalog
iframe iframe
iframe Shortcode iframe-shortcode
uncode-core uncode-core
weForms – Easy Drag & Drop Contact Form Builder For WordPress weforms

WordPress Themes with Reported Vulnerabilities Last Week

Software Name Software Slug
BuddyBoss Theme buddyboss-theme
Divi Divi
TheGem thegem

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

BERTHA AI Plugin <= 1.11.10.7 – Unauthenticated Arbitrary File Upload

Affected Software: BERTHA AI. Your AI co-pilot for WordPress and Chrome
CVE ID: CVE-2023-51419
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1b4630f7-74db-46c4-bf86-f1ff64be3463

WebinarIgnition <= 3.05.0 – Missing Authorization to Unauthenticated Privilege Escalation


Piotnet Forms Plugin <= 1.0.25 – Unauthenticated Arbitrary File Upload

Affected Software: Piotnet Forms
CVE ID: CVE-2023-51412
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2f52298b-344b-4561-b1bf-93bea95a3e53

WP Clone <= 2.4.2 – Sensitive Information Exposure

Affected Software: Clone
CVE ID: CVE-2023-6750
CVSS Score: 9.8 (Critical)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/44a921e7-cce3-4347-968d-76dab243fcd6

Rencontre – Dating Site <= 3.10.1 – Unauthenticated Arbitrary File Upload

Affected Software: Rencontre – Dating Site
CVE ID: CVE-2023-51468
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/59be1fc7-2854-404d-8e9d-dd9bd26e6a2c

Login as User or Customer (User Switching) <= 3.8 – Authentication Bypass

Affected Software: Login as User or Customer
CVE ID: CVE-2023-51484
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5b07ea6a-511d-44ab-b0b7-5124702ad47d

Build App Online <= 1.0.19 – Account Takeover via Weak Password Reset Mechanism

Affected Software: Build App Online
CVE ID: CVE-2023-51478
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/743e40f6-dde3-4d8f-938e-b2a0dcdfb901

Frontend Admin by DynamiApps Plugin <= 3.18.3 – Unauthenticated Arbitrary File Upload

Affected Software: Frontend Admin by DynamiApps
CVE ID: CVE-2023-51411
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7815322d-a240-4855-b458-60caa3cec96c

JS Help Desk <= 2.8.1 – Unauthenticated SQL Injection via email and trackingid

Affected Software: JS Help Desk – Best Help Desk & Support Plugin
CVE ID: CVE-2023-50839
CVSS Score: 9.8 (Critical)
Researcher/s: Fariq Fadillah Gusti Insani (fariqfgi)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7a3e89cc-56cb-42d7-b4f6-bfc7ca0e03e6

Checkout Mestres WP <= 7.1.9.6 – Authentication Bypass via Password Reset

Affected Software: Checkout Mestres WP
CVE ID: CVE-2023-51472
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7ad16d1e-e778-4cb4-a15d-ddb906f27762

Checkout Mestres WP <= 7.1.9.6 – Missing Authorization to Unauthenticated Arbitrary Options Update

Affected Software: Checkout Mestres WP
CVE ID: CVE-2023-51471
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8a52bf70-667b-400f-8912-75fae20a3f5b

WP Frontend Profile <= 1.3.1 – Unauthenticated Privilege Escalation

Affected Software: WP Frontend Profile
CVE ID: CVE-2023-51483
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/91de6cf4-e5df-4130-bb96-92b89717a678

WP MLM Unilevel <= 4.0 – Unauthenticated Privilege Escalation

Affected Software: WP MLM SOFTWARE PLUGIN
CVE ID: CVE-2023-51476
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/abcc1ed6-1871-4e8c-9469-c44dbfca5a17

TerraClassifieds <= 2.0.3 – Unauthenticated Arbitrary File Upload

Affected Software: TerraClassifieds – Simple Classifieds Plugin
CVE ID: CVE-2023-51473
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b0399b60-6e40-4f35-985f-845a32f69d64

Rencontre – Dating Site <= 3.10.1 – Privilege Escalation

Affected Software: Rencontre – Dating Site
CVE ID: CVE-2023-51425
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b1278291-9fef-40f5-a432-d96f4bed31fe

WP MLM <= 4.0 – Unauthenticated Arbitrary File Upload

Affected Software: WP MLM SOFTWARE PLUGIN
CVE ID: CVE-2023-51475
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b3451ed9-9a9a-443f-b1ce-dcd07bd3e6ce

Theme per user <= 1.0.1 – Unauthenticated PHP Object Injection

Affected Software: Theme per user
CVE ID: CVE-2023-52181
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bc7e6844-23e2-4523-8261-21d4cba87db3

Active Products Tables for WooCommerce <= 1.0.6 – Unauthenticated PHP Object Injection

Affected Software: Active Products Tables for WooCommerce. Professional products tables for WooCommerce store
CVE ID: CVE-2023-51505
CVSS Score: 9.8 (Critical)
Researcher/s: LVT-tholv2k
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c5519d4e-84b5-4901-b55c-a0a919f4b6c9

Checkout Mestres WP <= 7.1.9.6 – Unauthenticated SQL Injection

Affected Software: Checkout Mestres WP
CVE ID: CVE-2023-51469
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e068573d-bc3e-48de-b4e7-6a0666086ac3

WebinarIgnition <= 3.05.0 – Unauthenticated SQL Injection


Recipe Maker For Your Food Blog from Zip Recipes <= 8.1.0 – Authenticated (Contributor+) SQL Injection

Affected Software: Recipe Maker For Your Food Blog from Zip Recipes
CVE ID: CVE-2023-52180
CVSS Score: 8.8 (High)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/01ab2ed8-ff2f-41ac-bbbd-d8878fd067d6

WP Mail Log Plugin <= 1.1.2 – Authenticated (Contributor+) Arbitrary File Upload

Affected Software: WP Mail Log
CVE ID: CVE-2023-51410
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0542f8bf-8fb1-4c47-89b7-106a6feacca1

Ultimate Addons for Beaver Builder <= 1.35.14 – Authenticated (Contributor+) Privilege Escalation

Affected Software: Ultimate Addons for Beaver Builder
CVE ID: CVE-2023-51398
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1b29048e-cf06-463c-82e0-f1d973e50232

ARI Stream Quiz <= 1.3.0 – Authenticated (Contributor+) PHP Object Injection

Affected Software: ARI Stream Quiz – WordPress Quizzes Builder
CVE ID: CVE-2023-52182
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/36ad7fe2-0dc9-427d-811b-8fb1fdb78579

TerraClassifieds <= 2.0.3 – Cross-Site Request Forgery

Affected Software: TerraClassifieds – Simple Classifieds Plugin
CVE ID: CVE-2023-51474
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4a6e5f89-ebc0-413a-a76e-3cf4339430ba

Verge3D <= 4.5.2 – Authenticated(Subscriber+) Arbitrary File Upload

Affected Software: Verge3D Publishing and E-Commerce
CVE ID: CVE-2023-51421
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/71dd864f-1975-4cee-be26-0cdb0d54be95

Rencontre – Dating Site <= 3.11.1 – Authenticated (Subscriber+) PHP Object Injection

Affected Software: Rencontre – Dating Site
CVE ID: CVE-2023-51470
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/722c35e5-4084-46a4-a3d4-c73f8e7a1882

MF Gig Calendar <= 1.2.1 – Authenticated (Contributor+) SQL Injection

Affected Software: MF Gig Calendar
CVE ID: CVE-2023-50842
CVSS Score: 8.8 (High)
Researcher/s: Abu Hurayra (HurayraIIT)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7d977636-a509-4f32-9ad3-762720fdb433

Job Manager & Career – Manage job board listings, and recruitments <= 1.4.4 – Cross-Site Request Forgery to PHP Object Injection

Affected Software: Job Manager & Career – Manage job board listings, and recruitments
CVE ID: CVE-2023-51545
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8558cd96-3b2a-4282-950b-6d9753698291

Booking Manager <= 2.1.5 – Authenticated (Contributor+) SQL Injection via Shortcode

Affected Software: Booking Manager
CVE ID: CVE-2023-50840
CVSS Score: 8.8 (High)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9829ec10-ad37-4345-b4d6-cd0429b2d8f7

JVM rich text icons <= 1.2.6 – Directory Traversal to Authenticated (Subscriber+) Arbitrary File Deletion

Affected Software: JVM Gutenberg Rich Text Icons
CVE ID: CVE-2023-51418
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a3e54f9b-db12-42ef-a0fa-2d40c0f7908c

Uncode Core <= 2.8.8 – Privilege Escalation

Affected Software: uncode-core
CVE ID: CVE-2023-51515
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bb5e6767-d0a9-4ac4-816f-6fb57b1e5f9b

Events Shortcodes & Templates For The Events Calendar <= 2.3.1 – Authenticated (Contributor+) SQL Injection via shortcode

Affected Software: Events Shortcodes For The Events Calendar
CVE ID: CVE-2023-52142
CVSS Score: 8.8 (High)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c1d9ee9f-d8d0-4a9d-b414-bc79c4255b4e

ARMember <= 4.0.10 – Authenticated (Subscriber+) Privilege Escalation


JVM rich text icons <= 1.2.3 – Authenticated (Subscriber+) Arbitrary File Upload

Affected Software: JVM Gutenberg Rich Text Icons
CVE ID: CVE-2023-51417
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ca064db0-2718-4521-9467-335b59208858

BookingPress <= 1.0.72 – Authenticated (Contributor+) SQL Injection


Build App Online <= 1.0.19 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update

Affected Software: Build App Online
CVE ID: CVE-2023-51479
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e3551218-e272-4c96-94fe-9db0aee0d4f4

Most And Least Read Posts Widget <= 2.5.16 – Authenticated (Contributor+) SQL Injection via Widget settings

Affected Software: Most And Least Read Posts Widget
CVE ID: CVE-2023-52133
CVSS Score: 8.8 (High)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e9fa55cc-c686-43e4-a028-dd2721d2db85

Uncode Core <= 2.8.8 – Authenticated (Subscriber+) Arbitrary File Deletion

Affected Software: uncode-core
CVE ID: CVE-2023-51500
CVSS Score: 8.1 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/74ab025d-4e76-46e5-b8f8-963eeea5b802

Backup Migration 1.0.8 – 1.3.9 – Remote File Inclusion via content-dir

Affected Software: Backup Migration
CVE ID: CVE-2023-6971
CVSS Score: 8.1 (High)
Researcher/s: Hiroho Shimada
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b380283c-0dbb-4d67-9f66-cb7c400c0427

Backup Migration <= 1.3.9 – Unauthenticated Path Traversal to Arbitrary File Deletion

Affected Software: Backup Migration
CVE ID: CVE-2023-6972
CVSS Score: 7.5 (High)
Researcher/s: Hiroho Shimada
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0a3ae696-f67d-4ed2-b307-d2f36b6f188c

Everest Backup <= 2.1.9 – Sensitive Information Exposure via Log File

Affected Software: Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin
CVE ID: CVE-2023-52185
CVSS Score: 7.5 (High)
Researcher/s: Joshua Chan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/31a54705-99e8-4e41-bf57-9365ab387228

WP Stripe Checkout <= 1.2.2.37 – Sensitive Information Exposure via Debug Log

Affected Software: WP Stripe Checkout
CVE ID: CVE-2023-52143
CVSS Score: 7.5 (High)
Researcher/s: Joshua Chan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3f244b8e-94ae-4d95-83a7-53b826e98656

WC Marketplace <= 4.0.23 – Missing Authorization via mvx_save_dashpages

Affected Software: MultiVendorX Marketplace – WooCommerce MultiVendor Marketplace Solution
CVE ID: CVE-2023-51355
CVSS Score: 7.5 (High)
Researcher/s: thiennv
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6cdc0096-8e21-4b82-b9d0-961f48907a09

WebinarIgnition <= 3.05.0 – Authenticated(Subscriber+) PHP Object Injection


Local Delivery Drivers for WooCommerce <= 1.9.0 – Missing Authorization to Driver Account Takeover

Affected Software: Local Delivery Drivers for WooCommerce
CVE ID: CVE-2023-51481
CVSS Score: 7.3 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/99f4f1dc-13a9-4fa0-bdb1-77a0d416c80f

Custom 404 Pro <= 3.10.0 – Unauthenticated Stored Cross-Site Scripting via logging

Affected Software: Custom 404 Pro
CVE ID: CVE-2023-51540
CVSS Score: 7.2 (High)
Researcher/s: Kyle Sanchez
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1106e7b2-eac7-459d-8eb3-fe84c76f3b67

WooCommerce PDF Invoices <= 4.2.1 – Authenticated(Shop Manager+) Arbitrary Options Update via JSON Import

Affected Software: WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels
CVE ID: CVE-2023-51546
CVSS Score: 7.2 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7927edf2-b092-4b56-83aa-038f99ea658e

Welcart e-Commerce <= 2.9.3 – Authenticated(Editor+) SQL Injection

Affected Software: Welcart e-Commerce
CVE ID: CVE-2023-50847
CVSS Score: 7.2 (High)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a328643a-ab12-427e-9bcd-2d40738afb61

Backup Migration <= 1.3.9 – Authenticated (Admin+) OS Command Injection via url

Affected Software: Backup Migration
CVE ID: CVE-2023-7002
CVSS Score: 7.2 (High)
Researcher/s: Françoa Taffarel
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cc49db10-988d-42bd-a9cf-9a86f4c79568

Clockwork SMS Notfications <= 3.0.4 – Authenticated(Administrator+) SQL Injection

Affected Software: Clockwork SMS Notfications
CVE ID: CVE-2023-50843
CVSS Score: 6.6 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/08fb51d6-30c1-4a48-b626-a8c6f203ac83

Media File Renamer <= 5.7.7 – Authenticated(Administrator+) Remote Code Execution

Affected Software: Media File Renamer: Rename Files (Manual, Auto & AI)
CVE ID: CVE-2023-50897
CVSS Score: 6.6 (Medium)
Researcher/s: Taihei Shimamine
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/32b2b8e9-aa49-4cc3-97b7-249695969461

E2Pdf <= 1.20.23 – Authenticated(Administrator+) SQL Injection

Affected Software: E2Pdf – Export To Pdf Tool for WordPress
CVE ID: CVE-2023-50849
CVSS Score: 6.6 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3f0ed355-b5c8-4143-b391-7436d67ba0de

404 Solution <= 2.34.0 – Authenticated(Administrator+) SQL Injection

Affected Software: 404 Solution
CVE ID: CVE-2023-50848
CVSS Score: 6.6 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/477d3d7a-6028-4dd3-b713-6098bfe32832

Mail logging – WP Mail Catcher <= 2.1.3 – Authenticated(Administrator+) SQL Injection

Affected Software: Mail logging – WP Mail Catcher
CVE ID: CVE-2023-50844
CVSS Score: 6.6 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/47aed582-efb6-4caf-a65b-57995907ecaa

WP Adminify <= 3.1.6 – Authenticated(Administrator+) SQL Injection


Page Generator <= 1.7.1 – Authenticated(Administrator+) SQL Injection

Affected Software: Page Generator
CVE ID: CVE-2023-52131
CVSS Score: 6.6 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/73ea7672-4e3f-4a26-a59e-043c2cd10a7a

Simply Schedule Appointments <= 1.6.5.27 – Authenticated(Administrator+) SQL Injection

Affected Software: Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin
CVE ID: CVE-2023-50851
CVSS Score: 6.6 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/775d4ba7-7198-493c-bae0-7f3f78741b90

Pre* Party Resource Hints <= 1.8.18 – Authenticated(Administrator+) SQL Injection

Affected Software: Pre* Party Resource Hints
CVE ID: CVE-2023-50855
CVSS Score: 6.6 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7c043945-d327-4f26-98b4-99ac5b4761f1

Login Lockdown – Protect Login Form <= 2.06 – Authenticated(Administrator+) SQL Injection

Affected Software: Login Lockdown – Protect Login Form
CVE ID: CVE-2023-50837
CVSS Score: 6.6 (Medium)
Researcher/s: LVT-tholv2k
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7c9d088c-e71a-4e73-a7e3-d99f3511e519

YITH WooCommerce Product Add-Ons <= 4.3.0 – Authenticated(Shop Manager+) PHP Object Injection

Affected Software: YITH WooCommerce Product Add-Ons
CVE ID: CVE-2023-49777
CVSS Score: 6.6 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7edd06d9-3897-4644-a77e-e58ab6d14c95

Fluent Support <= 1.7.6 – Authenticated(Administrator+) SQL Injection

Affected Software: Fluent Support – WordPress Helpdesk and Customer Support Ticket Plugin
CVE ID: CVE-2023-51547
CVSS Score: 6.6 (Medium)
Researcher/s: Yudistira Arya
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8909dafa-3383-405e-a264-f0770e6714a4

Automation By Autonami <= 2.6.1 – Authenticated(Administrator+) SQL Injection


Store Locator WordPress <= 1.4.14 – Authenticated(Administrator+) Directory Traversal to Arbitrary File Deletion

Affected Software: Store Locator WordPress
CVE ID: CVE-2023-50885
CVSS Score: 6.6 (Medium)
Researcher/s: Abu Hurayra (HurayraIIT)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8cb5c386-eee3-4e88-a827-766a4901f432

Squirrly SEO – Advanced Pack <= 2.3.8 – Authenticated(Administrator+) SQL Injection

Affected Software: Squirrly SEO – Advanced Pack
CVE ID: CVE-2023-50854
CVSS Score: 6.6 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8ce4204f-3ee3-4877-8e9d-123d01ae80f5

GEO my WordPress <= 4.0.2 – Authenticated(Administrator+) SQL Injection

Affected Software: GEO my WordPress
CVE ID: CVE-2023-52134
CVSS Score: 6.6 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/94f118c3-d470-43c4-a61a-1ec998694880

RegistrationMagic Plugin <= 5.2.4.5 – Authenticated(Administrator+) SQL Injection


WS Form LITE <= 1.9.170 – Authenticated(Administrator+) SQL Injection

Affected Software: WS Form LITE – Drag & Drop Contact Form Builder for WordPress
CVE ID: CVE-2023-52135
CVSS Score: 6.6 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a3171015-227d-420a-ba3a-e6e2dc17ba8c

GeoDirectory <= 2.3.28 – Authenticated(Administrator+) SQL Injection

Affected Software: GeoDirectory – WordPress Business Directory Plugin, or Classified Directory
CVE ID: CVE-2023-50845
CVSS Score: 6.6 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b3d48aca-3db5-4585-bd71-5548f3b36ea1

Funnel Builder for WordPress by FunnelKit <= 2.14.3 – Authenticated(Administrator+) SQL Injection


Advanced Form Integration <= 1.75.0 – Authenticated(Administrator+) SQL Injection


BookIt <= 2.4.3 – Authenticated(Administrator+) SQL Injection

Affected Software: Booking Calendar | Appointment Booking | BookIt
CVE ID: CVE-2023-50852
CVSS Score: 6.6 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d4e97c01-7e8a-41b7-90ad-029d8c5fd37c

EnvíaloSimple <= 2.1 – Unauthenticated PHP Object Injection

Affected Software: EnvíaloSimple: Email Marketing y Newsletters
CVE ID: CVE-2023-51414
CVSS Score: 6.5 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/13245eab-9a72-44d7-bbcd-a0d3e2879814

WooCommerce Stripe Payment Gateway <= 7.6.1 – Insecure Direct Object Reference via update_payment_intent_ajax

Affected Software: WooCommerce Stripe Payment Gateway
CVE ID: CVE-2023-51502
CVSS Score: 6.5 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6ee04e4d-4385-4854-9bfe-1b957ca13963

Affiliates Manager <= 2.9.31 – Cross-Site Request Forgery via multiple AJAX actions

Affected Software: Affiliates Manager
CVE ID: CVE-2023-52130
CVSS Score: 6.5 (Medium)
Researcher/s: Brandon James Roldan (tomorrowisnew)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/756b5e3e-46fa-483e-945a-86166e79d989

FunnelKit Checkout <= 3.10.3 – Unauthenticated Arbitrary Content Deletion

Affected Software: FunnelKit Checkout
CVE ID: CVE-2023-51672
CVSS Score: 6.5 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c9d07faf-cc88-4233-a552-55e3376a2fc4

Piotnet Forms <= 1.0.25 – Missing Authorization via multiple AJAX actions

Affected Software: Piotnet Forms
CVE ID: CVE-2023-51413
CVSS Score: 6.5 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f119c6c2-cd4e-415a-b717-2bfc90ed729e

weForms <= 1.6.18 – Missing Authorization via export_form_entries

Affected Software: weForms – Easy Drag & Drop Contact Form Builder For WordPress
CVE ID: CVE-2023-51524
CVSS Score: 6.5 (Medium)
Researcher/s: emad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f2b7258e-c594-415a-a872-d5b28397e40d

Sensei LMS <= 4.17.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Sensei LMS – Online Courses, Quizzes, & Learning
CVE ID: CVE-2023-50875
CVSS Score: 6.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/031995fb-48c4-4f56-8b64-d66a47b2fbe9

Schema & Structured Data for WP & AMP <= 1.23 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Schema & Structured Data for WP & AMP
CVE ID: CVE-2023-51677
CVSS Score: 6.4 (Medium)
Researcher/s: LVT-tholv2k
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0752b4f3-b9f0-4c39-8e4c-2db188600087

Product Code for WooCommerce <= 1.4.4 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Product Code for WooCommerce
CVE ID: CVE-2023-51669
CVSS Score: 6.4 (Medium)
Researcher/s: LVT-tholv2k
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0be84866-2a49-42da-b498-962fc1bcb811

Icegram <= 3.1.19 – Authenticated (Contributor+) Stored Cross-Site Scripting via Campaign Message


Insert or Embed Articulate Content into WordPress <= 4.3000000021 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Affected Software: Insert or Embed Articulate Content into WordPress
CVE ID: CVE-2023-50824
CVSS Score: 6.4 (Medium)
Researcher/s: LVT-tholv2k
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/128d3046-94a0-465c-9225-a3ce652f5282

WooCommerce Menu Extension <= 1.6.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: WooCommerce Menu Extension
CVE ID: CVE-2023-50834
CVSS Score: 6.4 (Medium)
Researcher/s: wpdabh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/173c8c8a-a015-4522-b957-1805f520a77d

Active Products Tables for WooCommerce <= 1.0.6 – Authenticated (Contributor+) Stored Cross-Site Scripting


WP Crowdfunding <= 2.1.6 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: WP Crowdfunding
CVE ID: CVE-2023-50859
CVSS Score: 6.4 (Medium)
Researcher/s: Abu Hurayra (HurayraIIT)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/294b5bd1-a7c8-4c06-b107-e80bf3b35da8

Pay with Vipps for WooCommerce <= 1.14.13 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Pay with Vipps for WooCommerce
CVE ID: CVE-2023-51485
CVSS Score: 6.4 (Medium)
Researcher/s: resecured.io
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2950a264-b60c-48ad-b8e0-6d0e1a230982

Colibri Page Builder <= 1.0.239 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Colibri Page Builder
CVE ID: CVE-2023-6988
CVSS Score: 6.4 (Medium)
Researcher/s: Hung -mov Nguyen
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/300b24af-10a1-45b9-87ec-7c98dc94e76b

Booking for Appointments and Events Calendar – Amelia <= 1.0.85 – Stored Cross-Site Scripting via Shortcode

Affected Software: Booking for Appointments and Events Calendar – Amelia
CVE ID: CVE-2023-50860
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/33398af8-7b7f-47e5-b95b-c9faa33d0c80

My Agile Privacy <= 2.1.7 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: My Agile Privacy – The only GDPR solution for WordPress that you can truly trust
CVE ID: CVE-2023-51404
CVSS Score: 6.4 (Medium)
Researcher/s: resecured.io
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/35c40c81-c7b4-4453-bd2f-7910fcb7f13e

WP Tabs <= 2.2.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: WP Tabs – Responsive Tabs Plugin for WordPress
CVE ID: CVE-2023-52124
CVSS Score: 6.4 (Medium)
Researcher/s: wpdabh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/433c8908-587e-4086-9d0c-c9b1819b26e8

Currency Converter Widget <= 3.0.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Affected Software: Currency Converter Widget – Exchange Rates
CVE ID: CVE-2023-50822
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/47f051dd-138c-4c71-8a92-150c9ffd3601

Colibri Page Builder <= 1.0.240 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Colibri Page Builder
CVE ID: CVE-2023-50833
CVSS Score: 6.4 (Medium)
Researcher/s: LVT-tholv2k
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/532d185c-4384-4b15-a104-42f8d2a1ca23

Zoho Forms <= 3.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Form plugin for WordPress – Zoho Forms
CVE ID: CVE-2023-50891
CVSS Score: 6.4 (Medium)
Researcher/s: Abu Hurayra (HurayraIIT)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/57e9b09c-adfb-4fc2-8d2b-41cfc1f73e22

Advanced Access Manager <= 6.9.15 – Authenticated (Contributor+) Stored Cross-Site Scripting


WP Affiliate Disclosure <= 1.2.7 – Authenticated (Contributor+) Stored Cross-Site Scripting via $id

Affected Software: WP Affiliate Disclosure
CVE ID: CVE-2023-52178
CVSS Score: 6.4 (Medium)
Researcher/s: resecured.io
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5e38ee27-30a4-45be-bab6-a3e65ada215f

Seos Contact Form <= 1.8.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Seos Contact Form
CVE ID: CVE-2023-50830
CVSS Score: 6.4 (Medium)
Researcher/s: DoYeon Park (p6rkdoye0n)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/62b2113a-70a2-4223-8c6c-6cd15057d72d

HashBar – WordPress Notification Bar <= 1.4.1 – Authenticated (Author+) Stored Cross-Site Scripting

Affected Software: HashBar – WordPress Notification Bar
CVE ID: CVE-2023-51372
CVSS Score: 6.4 (Medium)
Researcher/s: emad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6f3e4e53-3a4a-4b9d-845c-927a59e03488

WPCS – WordPress Currency Switcher Professional <= 1.2.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: WPCS – WordPress Currency Switcher Professional
CVE ID: CVE-2023-51506
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/72a06690-f40a-472b-b9d1-985a49b914b3

WP Remote Site Search <= 1.0.4 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: WP Remote Site Search
CVE ID: CVE-2023-51397
CVSS Score: 6.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/79d4e5a8-028a-488e-b419-77a0981a28a9

CURCY – Multi Currency for WooCommerce <= 2.2.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: CURCY – Multi Currency for WooCommerce
CVE ID: CVE-2023-50831
CVSS Score: 6.4 (Medium)
Researcher/s: LVT-tholv2k
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7b7dee9e-1272-4e70-926c-a73e2897968c

If-So Dynamic Content Personalization <= 1.6.3.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: If-So Dynamic Content Personalization
CVE ID: CVE-2023-51492
CVSS Score: 6.4 (Medium)
Researcher/s: Abu Hurayra (HurayraIIT)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8407b678-76c5-4232-b17e-8db05f9e7b12

Auto Amazon Links <= 5.3.6 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Auto Amazon Links – Amazon Associates Affiliate Plugin
CVE ID: CVE-2023-52175
CVSS Score: 6.4 (Medium)
Researcher/s: Nguyen Anh Tien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8b2a5938-232e-487c-b31b-f48e2b9acb65

Limit Login Attempts Reloaded <= 2.25.26 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Limit Login Attempts Reloaded
CVE ID: CVE-2023-6934
CVSS Score: 6.4 (Medium)
Researcher/s: Hung -mov Nguyen
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/906049c0-4710-47aa-bf44-cdf29032dc1f

Divi <= 4.23.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Divi
CVE ID: CVE-2023-6744
CVSS Score: 6.4 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/999475c5-5f17-47fa-a0d0-47cb5a8a0eb4

iframe Shortcode <= 2.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Affected Software: iframe Shortcode
CVE ID: CVE-2023-50825
CVSS Score: 6.4 (Medium)
Researcher/s: LVT-tholv2k
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a3c323d5-59bc-4ecc-8211-2104fd22639f

Restaurant Reservations <= 1.8 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Restaurant Reservations
CVE ID: CVE-2023-51403
CVSS Score: 6.4 (Medium)
Researcher/s: resecured.io
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a4fa8aa9-0af8-4202-b219-863bbef8d02c

CSS & JavaScript Toolbox <= 11.7 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Affected Software: CSS & JavaScript Toolbox
CVE ID: CVE-2023-50823
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ace85b25-251b-4549-8f6e-1a1494cbabb6

WordPress.com Editing Toolkit <= 3.78784 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: WordPress.com Editing Toolkit
CVE ID: CVE-2023-50879
CVSS Score: 6.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b54307fb-ecbc-4742-9deb-59dbb85b4a7c

BuddyPress <= 11.3.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: BuddyPress
CVE ID: CVE-2023-50880
CVSS Score: 6.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b824cab6-d340-487d-90ba-5b554db1da14

Stock Ticker <= 3.23.4 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Stock Ticker
CVE ID: CVE-2023-51541
CVSS Score: 6.4 (Medium)
Researcher/s: resecured.io
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b8e921f4-d889-490f-a817-53d132a56f83

Back Button Widget <= 1.6.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Back Button Widget
CVE ID: CVE-2023-51399
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bcd28bc3-f893-4eb7-946f-34a2e9c7ff27

Easy Video Player <= 1.2.2.10 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Easy Video Player
CVE ID: CVE-2023-51689
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bd28f7f0-ed52-45d0-8d97-5ff95d17eb26

AMP for WP – Accelerated Mobile Pages <= 1.0.92 – Authenticated (Contributor+) Cross-Site Scripting via Shortcode

Affected Software: AMP for WP – Accelerated Mobile Pages
CVE ID: CVE-2023-6782
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c1cae64e-caed-43c0-9a75-9aa4234946a0

WP User Profile Avatar <= 1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: WP User Profile Avatar
CVE ID: CVE-2023-52118
CVSS Score: 6.4 (Medium)
Researcher/s: Abu Hurayra (HurayraIIT)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c291aa80-f1cd-4933-b522-73ec115a3a68

Dan’s Embedder for Google Calendar <= 1.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Dan’s Embedder for Google Calendar
CVE ID: CVE-2023-51504
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cbca88e0-1563-43cb-adf4-4f89856a07d0

CBX Bookmark & Favorite <= 1.7.13 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: CBX Bookmark & Favorite
CVE ID: CVE-2023-51514
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cddda02e-c36f-4ed8-b3ac-6cb3f17c6ce2

Easy Digital Downloads <= 3.2.5 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Easy Digital Downloads – Sell Digital Files (eCommerce Store & Payments Made Easy)
CVE ID: CVE-2023-51684
CVSS Score: 6.4 (Medium)
Researcher/s: LVT-tholv2k
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d19a9c96-918f-4f19-82a9-badd5765cea3

WordPress Infinite Scroll – Ajax Load More <= 6.1.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: WordPress Infinite Scroll – Ajax Load More
CVE ID: CVE-2023-50874
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e3bcc0aa-281f-4c59-b3de-dde4277cc989

Themify Icons <= 2.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Themify Icons
CVE ID: CVE-2023-51693
CVSS Score: 6.4 (Medium)
Researcher/s: wpdabh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/efa156b7-ab18-414d-80a5-3a1c2a977b3b

Advanced Access Manager <= 6.9.18 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Advanced Access Manager – Restricted Content, Users & Roles, Enhanced Security and More
CVE ID: CVE-2023-51674
CVSS Score: 6.4 (Medium)
Researcher/s: LVT-tholv2k
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f1bf4f77-9539-4a9f-afec-f43f602c684f

Simple Membership <= 4.3.8 – Reflected Cross-Site Scripting

Affected Software: Simple Membership
CVE ID: CVE-2023-50376
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/18fe9769-3681-4a5e-866a-640b4cc76199

Simple Membership <= 4.3.8 – Reflected Cross-Site Scripting Vulnerability via environment_mode

Affected Software: Simple Membership
CVE ID: CVE-2023-6882
CVSS Score: 6.1 (Medium)
Researcher/s: Rein Daelman (trein)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/366165fe-93e5-49ab-b2e5-1de624f22286

WP Google Maps <= 9.0.27 – Unauthenticated Stored Cross-Site Scripting via REST API

Affected Software: WP Go Maps (formerly WP Google Maps)
CVE ID: CVE-2023-6627
CVSS Score: 6.1 (Medium)
Researcher/s: Marc-Alexandre Montpas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3a468814-ecb7-4414-9472-6c2aaa5f5c2c

New User Approve <= 2.5.1 – Cross-Site Request Forgery via admin_notices

Affected Software: New User Approve
CVE ID: CVE-2023-50902
CVSS Score: 6.1 (Medium)
Researcher/s: Vladislav Pokrovsky (ΞX.MI)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3abde27c-8234-4146-9e55-ea20b275ca48

HT Mega – Absolute Addons For Elementor <= 2.3.8 – Reflected Cross-Site Scripting

Affected Software: HT Mega – Absolute Addons For Elementor
CVE ID: CVE-2023-50901
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6745be2e-d151-452a-8e65-0db2409dd54d

Impreza <= 8.17.4 – Reflected Cross-Site Scripting

Affected Software: Impreza – WordPress Website and WooCommerce Builder
CVE ID: CVE-2023-50893
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7bd931a9-18ec-48fa-9382-d4c2d99258c5

TheGem <= 5.9.1 – Reflected Cross-Site Scripting

Affected Software: TheGem
CVE ID: CVE-2023-50892
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a243fbde-951b-43e0-a432-c92ae4b04c26

Crowdsignal Dashboard – Polls, Surveys & more <= 3.0.11 – Reflected Cross-Site Scripting

Affected Software: Crowdsignal Dashboard – Polls, Surveys & more
CVE ID: CVE-2023-51488
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a78da5c5-fb12-4fc9-8c51-6d9f6f7a4043

Google Photos Gallery with Shortcodes <= 4.0.2 – Reflected Cross-Site Scripting

Affected Software: Google Photos Gallery with Shortcodes
CVE ID: CVE-2023-51373
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c5ab6a1f-181c-4bc2-bcc3-e19f94fc5e46

Uncode Core <= 2.8.6 – Reflected Cross-Site Scripting

Affected Software: uncode-core
CVE ID: CVE-2023-51501
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d4efe60a-d8e3-4e51-95b2-246e30e90e89

HTML Forms <= 1.3.28 – Authenticated (Administrator+) Cross-Site Scripting

Affected Software: HTML Forms
CVE ID: CVE-2023-50836
CVSS Score: 5.5 (Medium)
Researcher/s: Huynh Tien Si
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2921ea67-e88a-489a-8c45-cfe458f29d2b

NEX-Forms – Ultimate Form Builder – Contact forms and much more <= 8.5.5 – Authenticated (Admin+) SQL Injection

Affected Software: NEX-Forms – Ultimate Form Builder – Contact forms and much more
CVE ID: CVE-2023-50838
CVSS Score: 5.5 (Medium)
Researcher/s: Abu Hurayra (HurayraIIT)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6b5964a7-410b-4fea-9de2-22ffda80c8e8

ZeroBounce Email Verification & Validation <= 1.0.11 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: ZeroBounce Email Verification & Validation
CVE ID: CVE-2023-51374
CVSS Score: 5.5 (Medium)
Researcher/s: DoYeon Park (p6rkdoye0n)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c7d215e9-e615-46ab-b0b8-b37f10cfae98

Stylish Price List <= 7.0.17 – Missing Authorization

Affected Software: Stylish Price List – Price Table Builder & QR Code Restaurant Menu
CVE ID: CVE-2023-51673
CVSS Score: 5.4 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0d9cea4e-b619-4935-bb7c-a64ddf52d480

JSM file_get_contents() Shortcode <= 2.7.0 – Authenticated (Contributor+) Server-Side Request Forgery via Shortcode

Affected Software: JSM file_get_contents() Shortcode
CVE ID: CVE-2023-6991
CVSS Score: 5.4 (Medium)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/191d5bcc-70d8-430b-9215-00ffdc04be87

Simple Staff List <= 2.2.4 – Missing Authorization via ajax_flush_rewrite_rules and staff_member_export

Affected Software: Simple Staff List
CVE ID: CVE-2023-51526
CVSS Score: 5.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3ef8bf84-768f-4ef1-8037-4e51ccc20c83
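Most of the "Missing Authorization" entries in this report (this one names the ajax_flush_rewrite_rules and staff_member_export actions) and most of the "Cross-Site Request Forgery" entries share one root cause: a wp_ajax_ or wp_ajax_nopriv_ handler that never calls current_user_can() to authorize the caller and never calls check_ajax_referer() or wp_verify_nonce() to defeat CSRF. The Python below is an added example, not code from any plugin listed here or from Wordfence: a regex lint that finds AJAX registrations in a PHP file, locates each callback's body and reports which of the two checks is absent. The PHP it scans is constructed with hypothetical demo_* names. It is a heuristic (brace counting, no real PHP parsing), so a check performed inside a wrapper function is reported as missing and must be confirmed by hand.

```python
import re
from typing import Dict, List, Optional

# Constructed plugin source with hypothetical demo_* names; not code from any plugin in this report.
SAMPLE_PLUGIN = r"""<?php
add_action( 'wp_ajax_demo_flush_rules', 'demo_flush_rules' );
add_action( 'wp_ajax_nopriv_demo_flush_rules', 'demo_flush_rules' );
add_action( 'wp_ajax_demo_export', 'demo_export' );
add_action( 'wp_ajax_demo_save_settings', 'demo_save_settings' );

function demo_flush_rules() {
    flush_rewrite_rules();            // no capability or nonce check: any visitor can trigger it
    wp_send_json_success();
}

function demo_export() {
    check_ajax_referer( 'demo_export', 'nonce' );   // nonce only: CSRF-safe, but any logged-in user can export
    echo wp_json_encode( get_posts( array( 'post_type' => 'demo_item' ) ) );
    wp_die();
}

function demo_save_settings() {
    check_ajax_referer( 'demo_settings', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    update_option( 'demo_settings', sanitize_text_field( wp_unslash( $_POST['value'] ) ) );
    wp_send_json_success();
}
"""

# add_action( 'wp_ajax_[nopriv_]<action>', '<fn>' | array( $this, '<method>' ) )
HOOK_RE = re.compile(
    r"""add_action\(\s*['"]wp_ajax_(?P<nopriv>nopriv_)?(?P<action>\w+)['"]\s*,\s*"""
    r"""(?:['"](?P<fn>\w+)['"]|array\(\s*\$this\s*,\s*['"](?P<method>\w+)['"]\s*\))""")
CAP_RE = re.compile(r"\bcurrent_user_can\s*\(")
NONCE_RE = re.compile(r"\b(?:check_ajax_referer|check_admin_referer|wp_verify_nonce)\s*\(")

def function_body(src: str, name: str) -> Optional[str]:
    """Body of `function name(...) { ... }` found by brace counting (ignores braces in strings/comments)."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", src)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(src) and depth > 0:
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[m.end():i - 1]

def audit_ajax_handlers(src: str) -> List[Dict]:
    """One finding per wp_ajax_* registration listing the checks its callback body lacks."""
    findings = []
    for m in HOOK_RE.finditer(src):
        callback = m["fn"] or m["method"]
        body = function_body(src, callback)
        finding = {"action": m["action"], "unauthenticated": m["nopriv"] is not None,
                   "callback": callback, "issues": []}
        if body is None:
            finding["issues"].append("callback not found in this file")
        else:
            if finding["unauthenticated"]:
                # a capability check is moot on a nopriv hook: the caller is not logged in
                finding["issues"].append("nopriv hook: reachable without login, confirm it is meant to be public")
            elif not CAP_RE.search(body):
                finding["issues"].append("no capability check (missing authorization)")
            if not NONCE_RE.search(body):
                finding["issues"].append("no nonce check (CSRF)")
        findings.append(finding)
    return findings
```

Run audit_ajax_handlers() over each PHP file of a plugin and treat every non-empty issues list as a lead to verify: demo_flush_rules is the "Missing Authorization" shape (anyone can fire a state change), demo_export has a nonce but no capability check (any subscriber can pull data), and only demo_save_settings passes. A nonce alone is never an authorization control: it proves the request came from a page the user loaded, not that the user may perform the action.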

ARI Stream Quiz <= 1.2.32 – Cross-Site Request Forgery

Affected Software: ARI Stream Quiz – WordPress Quizzes Builder
CVE ID: CVE-2023-51487
CVSS Score: 5.4 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/45180c8e-0625-4a21-b3a1-673abe52d78f

WP Shortcodes Plugin — Shortcodes Ultimate <= 7.0.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: WP Shortcodes Plugin — Shortcodes Ultimate
CVE ID: CVE-2023-6488
CVSS Score: 5.4 (Medium)
Researcher/s: Webbernaut
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/50a89ad1-a3d0-49e3-8d2e-4cb81ac115ba

Happy Addons for Elementor <= 3.9.1.1 – Server Side Request Forgery (SSRF)

Affected Software: Happy Addons for Elementor
CVE ID: CVE-2023-51676
CVSS Score: 5.4 (Medium)
Researcher/s: Yuchen Ji
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/64ae36a3-d102-4d51-b685-395283155101

Molongui <= 4.7.3 – Missing Authorization

Affected Software: Author Box, Guest Author and Co-Authors for Your Posts – Molongui
CVE ID: CVE-2023-50876
CVSS Score: 5.4 (Medium)
Researcher/s: Abu Hurayra (HurayraIIT)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6f01ecab-2dfe-45d2-9d9a-ba1e30c7d75f

FOX – Currency Switcher Professional for WooCommerce <= 1.4.1.6 – Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting

Affected Software: FOX – Currency Switcher Professional for WooCommerce
CVE ID: CVE-2023-6556
CVSS Score: 5.4 (Medium)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8cb37019-33f6-4f72-adfc-befbfbf69e47

Doofinder for WooCommerce <= 2.0.33 – Missing Authorization via multiple AJAX actions

Affected Software: Doofinder WP & WooCommerce Search
CVE ID: CVE-2023-51678
CVSS Score: 5.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ad50e216-f522-4294-a4dc-7f3bd52820b3

Business Directory Plugin <= 6.3.9 – Missing Authorization via dispatch

Affected Software: Business Directory Plugin – Easy Listing Directories for WordPress
CVE ID: CVE-2023-51516
CVSS Score: 5.4 (Medium)
Researcher/s: thiennv
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ea3c5188-4570-4958-8b2d-69048b10c5f9

Essential Blocks for Gutenberg <= 4.2.0 – Incorrect Authorization Checks

Affected Software: Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates
CVE ID: CVE-2023-51359
CVSS Score: 5.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/eca703ec-645c-4d12-ae57-75db14e08f3e

WooCommerce Warranty Requests <= 2.2.7 – Missing Authorization

Affected Software: WooCommerce Warranty Requests
CVE ID: CVE-2023-51496
CVSS Score: 5.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/03e96aea-30a2-4cd3-8967-52e1870cc293

Block IPs for Gravity Forms <= 1.0.1 – Cross-Site Request Forgery

Affected Software: Block IPs for Gravity Forms
CVE ID: CVE-2023-51358
CVSS Score: 5.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/19958187-7eb1-479e-bd36-d40974ae65ca

WP Optin Wheel <= 1.4.2 – Sensitive Information Exposure via Log File

Affected Software: WP Optin Wheel – Gamified Optin Email Marketing Tool for WordPress and WooCommerce
CVE ID: CVE-2023-51408
CVSS Score: 5.3 (Medium)
Researcher/s: Joshua Chan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2a83ade5-5e53-4d53-ada0-43d487e5e23f

Rate my Post – WP Rating System <= 3.4.2 – IP Address Spoofing

Affected Software: Rate my Post – WP Rating System
CVE ID: CVE-2023-51667
CVSS Score: 5.3 (Medium)
Researcher/s: Brandon James Roldan (tomorrowisnew)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2d24aa7e-bbf1-4a54-b53b-7a37e613e0e6
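Four entries in this report are IP spoofing (this one, RegistrationMagic, Branda and Malware Scanner). The usual cause is code that trusts a client-supplied header such as X-Forwarded-For (in PHP, $_SERVER['HTTP_X_FORWARDED_FOR']) over the socket peer address ($_SERVER['REMOTE_ADDR']), so a blocked, rate-limited or vote-limited visitor picks a fresh identity per request. The Python below is an added example, not code from any plugin listed here: the spoofable resolver beside one that only honours X-Forwarded-For when the peer is a known proxy and then walks the chain right to left. The trusted proxy range, the blocklist and the request headers are all constructed.

```python
import ipaddress
from typing import Dict, Iterable

# Assumption: the site sits behind reverse proxies in this range; anything else is a direct client.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]
BLOCKLIST = {"203.0.113.5"}   # constructed: the attacker's real address (documentation range)

def naive_client_ip(headers: Dict[str, str], remote_addr: str) -> str:
    """The spoofable pattern: prefer client-supplied headers over the socket peer address."""
    for name in ("X-Forwarded-For", "X-Real-IP", "Client-IP"):
        if headers.get(name):
            return headers[name].split(",")[0].strip()
    return remote_addr

def client_ip(headers: Dict[str, str], remote_addr: str, trusted: Iterable = TRUSTED_PROXIES) -> str:
    """Trust X-Forwarded-For only when the peer is one of our proxies, then read it right to left,
    skipping proxy addresses: the first hop we did not append ourselves is the client."""
    trusted = list(trusted)

    def is_proxy(addr) -> bool:
        return any(addr in net for net in trusted)

    if not is_proxy(ipaddress.ip_address(remote_addr)):
        return remote_addr                # direct connection: every header is attacker-controlled
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break                         # malformed chain: refuse to guess, fall back to the peer
        if not is_proxy(addr):
            return str(addr)
    return remote_addr                    # only proxies in the chain (or no header at all)

def is_blocked(headers: Dict[str, str], remote_addr: str, resolver=client_ip) -> bool:
    """Any control keyed on the client address (blocklist, rate limit, one-vote-per-IP)
    is only as strong as the resolver it uses."""
    return resolver(headers, remote_addr) in BLOCKLIST
```

With the naive resolver a blocked client connecting straight to the origin sends X-Forwarded-For: 198.51.100.9 and is no longer blocked; the hardened resolver ignores the header because 203.0.113.5 is not a proxy. Behind a real proxy the attacker can still prepend fake hops to the chain, which is why the walk starts from the right, at the hop the trusted proxy itself appended.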

Customer Reviews for WooCommerce <= 5.38.1 – Missing Authorization via CR_Manual

Affected Software: Customer Reviews for WooCommerce
CVE ID: CVE-2023-51692
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2e093d1f-9c5a-44f8-bc27-9c320e220358

Poll Maker <= 4.8.0 – Missing Authorization

Affected Software: Poll Maker – Best WordPress Poll Plugin
CVE ID: CVE-2023-50904
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/345097c7-8f0e-46ed-9a1d-7c8a4a589e3f

Paid Memberships Pro <= 2.12.5 – Missing Authorization via API

Affected Software: Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions
CVE ID: CVE-2023-6855
CVSS Score: 5.3 (Medium)
Researcher/s: Webbernaut
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/383c7837-e7b7-4608-9cdc-91b7dbc7f4e2

AI Power: Complete AI Pack – Powered by GPT-4 <= 1.8.1 – Missing Authorization to Sensitive Data Exposure

Affected Software: AI Power: Complete AI Pack – Powered by GPT-4
CVE ID: CVE-2023-51527
CVSS Score: 5.3 (Medium)
Researcher/s: Brandon James Roldan (tomorrowisnew)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3f95c288-7710-46aa-898b-a923afa7a4ab

Database Cleaner <= 0.9.8 – Sensitive Information Exposure via Log File

Affected Software: Database Cleaner: Clean, Optimize & Repair
CVE ID: CVE-2023-51508
CVSS Score: 5.3 (Medium)
Researcher/s: Joshua Chan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4031f857-9712-4f4a-93e8-0b01f9a9c32d

Beaver Builder – WordPress Page Builder <= 2.7.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Beaver Builder – WordPress Page Builder
CVE ID: CVE-2023-50889
CVSS Score: 5.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4a13c7a1-f904-41b1-ab7f-2df95c9b2880

RegistrationMagic <= 5.2.5.0 – IP Spoofing


MC4WP <= 4.9.9 – Missing Authorization via listen

Affected Software: MC4WP: Mailchimp for WordPress
CVE ID: CVE-2023-51682
CVSS Score: 5.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4f289527-3a89-4db9-887d-fb0980848734

Product Catalog Simple <= 1.7.6 – Sensitive Information Exposure via Product CSV

Affected Software: Product Catalog Simple
CVE ID: CVE-2023-51687
CVSS Score: 5.3 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4f4099b3-6c79-42c2-be41-4ad8d73cc2b8

Uncanny Automator <= 5.1.0.2 – Sensitive Information Exposure via Log File


LA-Studio Element Kit for Elementor <= 1.1.5 – Missing Authorization

Affected Software: LA-Studio Element Kit for Elementor
CVE ID: CVE-2023-50884
CVSS Score: 5.3 (Medium)
Researcher/s: thiennv
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/523f7a8a-d06d-4778-be14-d0b7ca32dab3

WooCommerce Canada Post Shipping <= 2.8.3 – Missing Authorization

Affected Software: Woocommerce Shipping Canada Post
CVE ID: CVE-2023-51498
CVSS Score: 5.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/549788e3-e31a-46a6-a2de-361747c98514

Branda <= 3.4.14 – IP Address Spoofing

Affected Software: Branda – White Label WordPress, Custom Login Page Customizer
CVE ID: CVE-2023-51542
CVSS Score: 5.3 (Medium)
Researcher/s: Brandon James Roldan (tomorrowisnew)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/552bc1cc-df98-4608-a50e-db1381ca8e0a

Send Users Email <= 1.4.3 – Sensitive Information Exposure via Error Logs

Affected Software: Send Users Email
CVE ID: CVE-2023-52126
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5d50e9bb-e357-42d3-b131-468511b8e98a

User Feedback <= 1.0.10 – Missing Authorization

Affected Software: User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds
CVE ID: CVE-2023-50887
CVSS Score: 5.3 (Medium)
Researcher/s: Revan Arifio
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/63c7bb29-c8b2-49ee-8ac4-1046b61b7e6a

WooPayments – Fully Integrated Solution Built and Supported by Woo <= 6.6.2 – Unauthenticated Insecure Direct Object Reference

Affected Software: WooPayments – Fully Integrated Solution Built and Supported by Woo
CVE ID: CVE-2023-51503
CVSS Score: 5.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/68f5bc13-b0b2-48b6-82ac-ff02367f4780

404 Solution <= 2.33.0 – Sensitive Information Exposure via Log File

Affected Software: 404 Solution
CVE ID: CVE-2023-52146
CVSS Score: 5.3 (Medium)
Researcher/s: Joshua Chan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/73643d45-9542-4372-a7a2-0a443819b8a2

WP User Profile Avatar <= 1.0.0 – Authenticated (Author+) Insecure Direct Object Reference to Avatar Deletion/Update

Affected Software: WP User Profile Avatar
CVE ID: CVE-2023-6384
CVSS Score: 5.3 (Medium)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/75c325a1-1a88-4b67-a5f8-6307627d8c6a

Awesome Support <= 6.1.5 – Missing Authorization via wpas_load_reply_history

Affected Software: Awesome Support – WordPress HelpDesk & Support Plugin
CVE ID: CVE-2023-51537
CVSS Score: 5.3 (Medium)
Researcher/s: Brandon James Roldan (tomorrowisnew)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7d713de0-40a4-4926-9942-e5e2bf7434c4

RegistrationMagic <= 5.2.5.0 – Form Submission Limit Bypass


Quiz And Survey Master <= 8.1.16 – Missing Authorization


Defender Security <= 4.1.0 – Sensitive Information Exposure via Log File

Affected Software: Defender Security – Malware Scanner, Login Security & Firewall
CVE ID: CVE-2023-51490
CVSS Score: 5.3 (Medium)
Researcher/s: Joshua Chan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/94c8979a-db2e-490f-b055-cdf19a48cf73

Metform Elementor Contact Form Builder <= 3.4.0 – Missing Authorization via submit

Affected Software: Metform Elementor Contact Form Builder
CVE ID: CVE-2023-50903
CVSS Score: 5.3 (Medium)
Researcher/s: Revan Arifio
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a6425d39-cc8b-4130-8f67-2d6de7954934

Affiliates Manager <= 2.9.30 – Sensitive Information Exposure via Log File

Affected Software: Affiliates Manager
CVE ID: CVE-2023-52148
CVSS Score: 5.3 (Medium)
Researcher/s: Joshua Chan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/abc3f352-8568-4649-bf3c-dd0ce0295589

Conversios.io <= 6.5.0 – Missing Authorization

Affected Software: Conversios – Google Analytics 4 (GA4), Meta Pixel & more Via Google Tag Manager For WooCommerce
CVE ID: CVE-2023-51357
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ae007dc0-9ac7-459d-bfe6-bcde87028b14

eCommerce Product Catalog <= 3.3.26 – Sensitive Information Exposure via CSV Files

Affected Software: eCommerce Product Catalog Plugin for WordPress
CVE ID: CVE-2023-51688
CVSS Score: 5.3 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b48b9170-4dd9-4004-a081-488cafbc7597

FastDup <= 2.1.7 – Sensitive Information Exposure via Log File

Affected Software: FastDup – Fastest WordPress Migration & Duplicator
CVE ID: CVE-2023-51406
CVSS Score: 5.3 (Medium)
Researcher/s: Joshua Chan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b8261317-462b-49c5-9526-20b695895e49

All-in-one Floating Contact Form – My Sticky Elements <= 2.1.3 – Missing Authorization


WooCommerce Warranty Requests <= 2.2.7 – Missing Authorization

Affected Software: WooCommerce Warranty Requests
CVE ID: CVE-2023-51495
CVSS Score: 5.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c8970d08-6c75-4dbb-ad24-6d9ba4c07530

Everest Forms <= 2.0.3 – Unauthorized Form Submission via Disabled Forms


BuddyBoss Theme <= 2.4.60 – Missing Authorization

Affected Software: BuddyBoss Theme
CVE ID: CVE-2023-51477
CVSS Score: 5.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ccbeb69e-6476-42a6-86ac-723947c70301

Easy Digital Downloads <= 3.1.5 – Missing Authorization

Affected Software: Easy Digital Downloads – Sell Digital Files (eCommerce Store & Payments Made Easy)
CVE ID: CVE-2023-40005
CVSS Score: 5.3 (Medium)
Researcher/s: Nguyen Anh Tien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/dbce48b2-aa7c-4c92-8df8-ee3a17336e97

Image Source Control <= 2.17.0 – Sensitive Information Exposure via Log File

Affected Software: Image Source Control Lite – Show Image Credits and Captions
CVE ID: CVE-2023-52187
CVSS Score: 5.3 (Medium)
Researcher/s: Joshua Chan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e3b3ce65-b226-4b93-ab0c-984f774454f7

WooCommerce Product Vendors <= 2.2.2 – Missing Authorization

Affected Software: Product Vendors
CVE ID: CVE-2023-52186
CVSS Score: 5.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e4457df6-81ca-4149-bcca-623cff2cbeef

Malware Scanner <= 4.7.1 – IP Spoofing

Affected Software: Malware Scanner
CVE ID: CVE-2023-52176
CVSS Score: 5.3 (Medium)
Researcher/s: Brandon James Roldan (tomorrowisnew)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fb19fd06-7b2c-41a1-a470-230da7ce944d

WooCommerce Product Vendors <= 2.2.1 – Missing Authorization

Affected Software: Product Vendors
CVE ID: CVE-2023-51494
CVSS Score: 5.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fcce0a92-520d-45ac-845e-a1635f763eed

iFrame <= 4.8 – Authenticated (Contributor+) Stored Cross-Site Scripting via srcdoc

Affected Software: iframe
CVE ID: CVE-2023-52125
CVSS Score: 5.0 (Medium)
Researcher/s: LVT-tholv2k
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/66f392d0-d5fb-4a8c-b972-becfac6cf6e7

Enable Media Replace <= 4.1.4 – Reflected Cross-Site Scripting

Affected Software: Enable Media Replace
CVE ID: CVE-2023-6737
CVSS Score: 4.7 (Medium)
Researcher/s: Nex Team
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c37d8218-6059-46f2-a5d9-d7c22486211e

Menu Image, Icons made easy <= 3.10 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings

Affected Software: Menu Image, Icons made easy
CVE ID: CVE-2023-50826
CVSS Score: 4.4 (Medium)
Researcher/s: emad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0ff001c2-95f9-42a2-b5a3-74937be41756

Ultimate Dashboard <= 3.7.11 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings

Affected Software: Ultimate Dashboard – Custom WordPress Dashboard
CVE ID: CVE-2023-50828
CVSS Score: 4.4 (Medium)
Researcher/s: emad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/10c1b000-537a-4009-a740-19666505989e

Accredible Certificates & Open Badges <= 1.4.8 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings

Affected Software: Accredible Certificates & Open Badges
CVE ID: CVE-2023-50827
CVSS Score: 4.4 (Medium)
Researcher/s: emad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1d5ac3df-ddaf-4c78-acd3-baddea42443f

Photo Gallery by 10Web <= 1.8.18 – Authenticated (Administrator+) Stored Cross-Site Scripting via Widget

Affected Software: Photo Gallery by 10Web – Mobile-Friendly Image Gallery
CVE ID: CVE-2023-6924
CVSS Score: 4.4 (Medium)
Researcher/s: István Márton
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/21b4d1a1-55fe-4241-820c-203991d724c4

Everest Forms <= 2.0.4.1 – Authenticated (Administrator+) Stored Cross-Site Scripting


WP Review Slider <= 12.7 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: WP Review Slider
CVE ID: CVE-2023-51685
CVSS Score: 4.4 (Medium)
Researcher/s: emad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/62233370-3b54-4d89-93e7-07afdae4a413

WP Chat App <= 3.4.4 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: WP Chat App
CVE ID: CVE-2023-51370
CVSS Score: 4.4 (Medium)
Researcher/s: emad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/73232bff-b11a-4580-8cde-5bf085ba749c

weForms – Easy Drag & Drop Contact Form Builder For WordPress <= 1.6.17 – Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: weForms – Easy Drag & Drop Contact Form Builder For WordPress
CVE ID: CVE-2023-50896
CVSS Score: 4.4 (Medium)
Researcher/s: emad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7c44efe0-bdc0-42e0-9bdd-cf25bff1d2d5

Brave Popup Builder <= 0.6.2 – Authenticated (Administrator+) Stored Cross-Site Scripting


Sticky Chat Widget <= 1.1.8 – Authenticated (Administrator+) Stored Cross-Site Scripting


Event Management Tickets Booking <= 1.3.2 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings

Affected Software: Event Monster – Event Management, Tickets Booking, Upcoming Event
CVE ID: CVE-2023-47525
CVSS Score: 4.4 (Medium)
Researcher/s: Jeongwoo-Lee (Roronoa)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8f4f2317-945e-4fd8-8a0b-981b88a8412c

Multi Step Form <= 1.7.13 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Multi Step Form
CVE ID: CVE-2023-50832
CVSS Score: 4.4 (Medium)
Researcher/s: Benmalek Aymen (centaurus)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a5e6b508-35ef-45da-bf17-c038d3b7ce52

Custom Post Carousels with Owl <= 1.4.6 – Authenticated (Editor+) Stored Cross-Site Scripting

Affected Software: Custom Post Carousels with Owl
CVE ID: CVE-2023-51493
CVSS Score: 4.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a89f795d-246d-4a3c-a7a7-5c9867d7a01e

CRM Perks Forms <= 1.1.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: CRM Perks Forms – WordPress Form Builder
CVE ID: CVE-2023-51536
CVSS Score: 4.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ca954d68-18a5-47e2-af56-261c7a55b017

Simple Counter <= 1.0.2 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings

Affected Software: Simple Counter
CVE ID: CVE-2023-50377
CVSS Score: 4.4 (Medium)
Researcher/s: Abu Hurayra (HurayraIIT)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cb4eb28a-3dd5-4d8d-bef0-53cee7285180

WP Edit Username <= 1.0.5 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings

Affected Software: WP Edit Username
CVE ID: CVE-2023-47527
CVSS Score: 4.4 (Medium)
Researcher/s: Jeongwoo-Lee (Roronoa)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f445de97-b6fd-4180-b63e-5b8da40dae6a

Loan Repayment Calculator and Application Form <= 2.9.3 – Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: Loan Repayment Calculator and Application Form
CVE ID: CVE-2023-50829
CVSS Score: 4.4 (Medium)
Researcher/s: DoYeon Park (p6rkdoye0n)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f8756fb7-ee15-4fc7-b5bd-b4f2e64f8e6f

WooCommerce Easy Duplicate Product <= 0.3.0.7 – Missing Authorization via wedp_duplicate_product_action

Affected Software: WooCommerce Easy Duplicate Product
CVE ID: CVE-2023-51523
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/02d11be0-2e2e-4c76-8a8e-f3f637b99809

EnvíaloSimple <= 2.1 – Cross-Site Request Forgery

Affected Software: EnvíaloSimple: Email Marketing y Newsletters
CVE ID: CVE-2023-51416
CVSS Score: 4.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0c533277-5cea-419f-93ec-e510c0fbd75d

Simple Job Board <= 2.10.6 – Cross-Site Request Forgery

Affected Software: Simple Job Board
CVE ID: CVE-2023-52122
CVSS Score: 4.3 (Medium)
Researcher/s: Brandon James Roldan (tomorrowisnew)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/100b6786-7cad-4d65-b457-9beb179e293a

Webba Booking <= 4.5.33 – Cross-Site Request Forgery

Affected Software: Appointment & Event Booking Calendar Plugin – Webba Booking
CVE ID: CVE-2023-51354
CVSS Score: 4.3 (Medium)
Researcher/s: Skalucy
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/12a195a0-f992-462d-9b4e-69e8a2975635

Spam protection, AntiSpam, FireWall by CleanTalk <= 6.20 – Cross-Site Request Forgery via apbct_settings__update_account_email

Affected Software: Spam protection, Anti-Spam, FireWall by CleanTalk
CVE ID: CVE-2023-51696
CVSS Score: 4.3 (Medium)
Researcher/s: Elliot
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/19dd6670-2813-4944-abcd-c26fb9b82092

Custom Twitter Feeds (Tweets Widget) <= 2.1.2 – Cross-Site Request Forgery

Affected Software: Custom Twitter Feeds – A Tweets Widget or X Feed Widget
CVE ID: CVE-2023-52136
CVSS Score: 4.3 (Medium)
Researcher/s: thiennv
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1ab56d29-7e35-4bc3-812e-d82890f60c8e

Republish Old Posts <= 1.21 – Cross-Site Request Forgery via rop_options_page

Affected Software: Republish Old Posts
CVE ID: CVE-2023-52145
CVSS Score: 4.3 (Medium)
Researcher/s: Skalucy
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1e1db52a-3966-4e04-b0ed-08bda9ba1ff6

Advanced Access Manager <= 6.9.18 – Authenticated (Author+) Open Redirect

Affected Software: Advanced Access Manager – Restricted Content, Users & Roles, Enhanced Security and More
CVE ID: CVE-2023-51675
CVSS Score: 4.3 (Medium)
Researcher/s: LVT-tholv2k
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1eb25ef3-28ea-4f8f-932a-e90ca1914e8d

Floating Button <= 6.0 – Cross-Site Request Forgery via process_bulk_action

Affected Software: Floating Button
CVE ID: CVE-2023-52149
CVSS Score: 4.3 (Medium)
Researcher/s: Skalucy
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/20151f80-c25f-482e-a2b0-34607dba9d1e

Rise Blocks – A Complete Gutenberg Page Builder <= 3.1 – Cross-Site Request Forgery

Affected Software: Rise Blocks – A Complete Gutenberg Page Builder
CVE ID: CVE-2023-51378
CVSS Score: 4.3 (Medium)
Researcher/s: emad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2b249842-c480-495a-8eec-6c7d0893ef1c

WP Simple Booking Calendar <= 2.0.8.4 – Cross-Site Request Forgery

Affected Software: WP Simple Booking Calendar
CVE ID: CVE-2023-51525
CVSS Score: 4.3 (Medium)
Researcher/s: Brandon James Roldan (tomorrowisnew)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2f72e5bb-e076-4379-8699-e399761c043f

Icegram <= 3.1.18 – Cross-Site Request Forgery via save_campaign_preview


White Label <= 2.9.0 – Cross-Site Request Forgery via white_label_reset_wl_admins


Ultimate Addons for Beaver Builder <= 1.35.13 – Authenticated (Contributor+) Directory Traversal to Arbitrary File Download

Affected Software: Ultimate Addons for Beaver Builder
CVE ID: CVE-2023-51401
CVSS Score: 4.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/38a5be0c-f905-4e27-b5c3-8c0606d71a61

HUSKY – Products Filter for WooCommerce (formerly WOOF) <= 1.3.4.3 – Cross-Site Request Forgery

Affected Software: HUSKY – Products Filter for WooCommerce Professional
CVE ID: CVE-2023-50861
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3d9179d2-2e90-4de7-8178-073a0ce5865b

Duplicator <= 1.5.7 – Cross-Site Request Forgery via views/tools/diagnostics/information.php

Affected Software: Duplicator – WordPress Migration & Backup Plugin
CVE ID: CVE-2023-51681
CVSS Score: 4.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/416da5d4-3d47-443b-a82c-c059c38f5218

Quiz And Survey Master <= 8.1.18 – Cross-Site Request Forgery


Thrive Automator <= 1.17 – Cross-Site Request Forgery

Affected Software: Thrive Automator
CVE ID: CVE-2023-51531
CVSS Score: 4.3 (Medium)
Researcher/s: Brandon James Roldan (tomorrowisnew)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4d5b1a3d-ce7f-4d5d-b72b-61024d5c5378

Spam protection, AntiSpam, FireWall by CleanTalk <= 6.20 – Cross-Site Request Forgery

Affected Software: Spam protection, Anti-Spam, FireWall by CleanTalk
CVE ID: CVE-2023-51535
CVSS Score: 4.3 (Medium)
Researcher/s: Brandon James Roldan (tomorrowisnew)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4eb4400d-d629-4c88-9ec5-06da9089f6d1

WPC Product Bundles for WooCommerce <= 7.3.1 – Cross-Site Request Forgery

Affected Software: WPC Product Bundles for WooCommerce
CVE ID: CVE-2023-52127
CVSS Score: 4.3 (Medium)
Researcher/s: Brandon James Roldan (tomorrowisnew)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5188dc72-a00d-4a07-b178-3f3ef26d7fc1

GPT3 AI Content Writer <= 1.8.12 – Cross-Site Request Forgery

Affected Software: AI Power: Complete AI Pack – Powered by GPT-4
CVE ID: CVE-2023-51528
CVSS Score: 4.3 (Medium)
Researcher/s: Brandon James Roldan (tomorrowisnew)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5511c5f4-b71c-484b-ab6f-2389a29809cd

Apollo13 Framework Extensions <= 1.9.1 – Cross-Site Request Forgery

Affected Software: Apollo13 Framework Extensions
CVE ID: CVE-2023-51539
CVSS Score: 4.3 (Medium)
Researcher/s: Brandon James Roldan (tomorrowisnew)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/575b51f4-fed4-4057-9e8b-762fda275ef3

WooCommerce Ship to Multiple Addresses <= 3.8.9 – Missing Authorization

Affected Software: WooCommerce Ship to Multiple Addresses
CVE ID: CVE-2023-51497
CVSS Score: 4.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/63ab255f-e061-447b-a2b6-21a85eed9d57

WooCommerce PDF Invoice Builder <= 1.2.101 – Cross-Site Request Forgery

Affected Software: WooCommerce PDF Invoice Builder, Create invoices, packing slips and more
CVE ID: CVE-2023-51486
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/652367a0-fca2-4313-8217-d8811ada0ab5

Paid Member Subscriptions <= 2.10.4 – Cross-Site Request Forgery via ajax_add_log_entry


HT Mega <= 2.3.3 – Cross-Site Request Forgery via Several Functions

Affected Software: HT Mega – Absolute Addons For Elementor
CVE ID: CVE-2023-51529
CVSS Score: 4.3 (Medium)
Researcher/s: Brandon James Roldan (tomorrowisnew)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6f26b04f-2a25-40a6-9b2c-27d9970acb8f

FunnelKit Checkout <= 3.10.3 – Authenticated (Subscriber+) Missing Authorization to Arbitrary Plugin Activation

Affected Software: FunnelKit Checkout
CVE ID: CVE-2023-51670
CVSS Score: 4.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6f789ff9-5d86-4911-8b2f-2a425393c61d

ProfileGrid <= 5.6.6 – Missing Authorization

Affected Software: ProfileGrid – User Profiles, Memberships, Groups and Communities
CVE ID: CVE-2023-52117
CVSS Score: 4.3 (Medium)
Researcher/s: emad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/71fb1cef-6e01-4bd7-b0bc-5d21295f119a

Dynamic Content for Elementor < 2.12.5 – Cross-Site Request Forgery

Affected Software: Dynamic Content for Elementor
CVE ID: CVE-2023-52150
CVSS Score: 4.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/77a85024-33ff-4056-89f6-991182d71b80

Product Filter by WBW <= 2.5.0 – Missing Authorization via getListForTbl

Affected Software: Product Filter by WBW
CVE ID: CVE-2023-50877
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/77acb885-1776-4a74-96d0-4edbf1a92917

Export Media URLs <= 1.0 – Cross-Site Request Forgery

Affected Software: Export Media URLs
CVE ID: CVE-2023-51510
CVSS Score: 4.3 (Medium)
Researcher/s: Skalucy
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7b121abf-3842-43ac-a3dc-bde6d5e0b263

Calculated Fields Form <= 1.2.28 – Authenticated (Contributor+) Open Redirect via Shortcode

Affected Software: Calculated Fields Form
CVE ID: CVE-2023-51517
CVSS Score: 4.3 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/85555a8f-5d23-458d-9166-d30f8f0551e0

Inline Image Upload for BBPress <= 1.1.18 – Cross-Site Request Forgery via hm_bbpui_admin_page

Affected Software: Inline Image Upload for BBPress
CVE ID: CVE-2023-51668
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/86bd6ae1-e74d-4aab-98e1-3c47cb484fe9

WooCommerce Shipping Per Product <= 2.5.4 – Missing Authorization

Affected Software: WooCommerce Per Product Shipping
CVE ID: CVE-2023-51499
CVSS Score: 4.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8b0504f3-f8df-4b37-bafa-5320920e9571

Easy PayPal Buy Now Button <= 1.8.1 – Cross-Site Request Forgery

Affected Software: Easy PayPal & Stripe Buy Now Button
CVE ID: CVE-2023-51683
CVSS Score: 4.3 (Medium)
Researcher/s: LVT-tholv2k
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8f6fd0bb-d37b-40b6-b84e-9b21aae891cc

BulkGate SMS Plugin for WooCommerce <= 3.0.2 – Missing Authorization via Multiple AJAX Actions

Affected Software: BulkGate SMS Plugin for WooCommerce
CVE ID: CVE-2023-51679
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/93e590f8-5f8d-4ee5-bcff-96bcb8daf4b7

FunnelKit Checkout <= 3.10.3 – Authenticated (Subscriber+) Missing Authorization to Settings Change

Affected Software: FunnelKit Checkout
CVE ID: CVE-2023-51671
CVSS Score: 4.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9603e394-b358-4599-8610-ef5737a39de0

Booster Elite for WooCommerce <= 7.1.2 – Authenticated (Subscriber+) Content Injection

Affected Software: Booster Elite for WooCommerce
CVE ID: CVE-2023-51511
CVSS Score: 4.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/995a086a-4795-4092-823c-b941445dc361

MStore API <= 4.10.1 – Cross-Site Request Forgery

Affected Software: MStore API
CVE ID: CVE-2023-50878
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9d32bda7-2d2d-4364-8ac9-e32950f889ed

Add Any Extension to Pages <= 1.4 – Cross-Site Request Forgery via aaetp_options_page

Affected Software: Add Any Extension to Pages
CVE ID: CVE-2023-50873
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9f49e727-cac4-4a46-b649-5ca48d5e2402

Sirv <= 7.1.2 – Missing Authorization via sirv_disconnect

Affected Software: Image Optimizer, Resizer and CDN – Sirv
CVE ID: CVE-2023-50898
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a4a67ec6-ee13-4532-8213-d17dbf5f2c55

Integrate Google Drive <= 1.3.3 – Missing Authorization via save_settings


Anti Hacker <= 4.34 – Cross-Site Request Forgery via antihacker_ajax_scan

Affected Software: Disable Json API, Login Lockdown, XMLRPC, Pingback, Stop User Enumeration Anti Hacker Scan
CVE ID: CVE-2023-50858
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a8ae5712-09a8-45a4-9f79-3e5b7786e652

NEX-Forms – Ultimate Form Builder <= 8.5.2 – Cross-Site Request Forgery


Split Test For Elementor <= 1.6.9 – Cross-Site Request Forgery

Affected Software: Split Test For Elementor
CVE ID: CVE-2023-51407
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/be23388e-9371-4ea0-974b-80f76de90012

GS Logo Slider <= 3.5.1 – Cross-Site Request Forgery


WP Job Portal <= 2.0.6 – Cross-Site Request Forgery

Affected Software: WP Job Portal – A Complete Job Board
CVE ID: CVE-2023-52184
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d0aa1fad-1ff4-4bc5-a584-99b528470990

ProjectHuddle Client Site <= 1.0.34 – Missing Authorization via ph_child_ajax_notice_handler

Affected Software: SureFeedback Client Site
CVE ID: CVE-2023-51376
CVSS Score: 4.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d484500f-c8c1-4278-8a38-82a7fd5674f9

Slider by Soliloquy <= 2.7.2 – Missing Authorization

Affected Software: Slider by Soliloquy – Responsive Image Slider for WordPress
CVE ID: CVE-2023-51519
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d6331b42-f15b-46c6-b8bd-7f65c28c4a12

Awesome Support <= 6.1.5 – Cross-Site Request Forgery

Affected Software: Awesome Support – WordPress HelpDesk & Support Plugin
CVE ID: CVE-2023-51538
CVSS Score: 4.3 (Medium)
Researcher/s: Brandon James Roldan (tomorrowisnew)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d69915e9-af9b-4c07-ac43-21c6e350c3c4

Advanced Category Template <= 0.1 – Cross-Site Request Forgery

Affected Software: Advanced Category Template
CVE ID: CVE-2023-50835
CVSS Score: 4.3 (Medium)
Researcher/s: Skalucy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/da09b158-3626-455b-b3bc-b1109d0fab2e

NitroPack <= 1.10.2 – Cross-Site Request Forgery

Affected Software: NitroPack – Cache & Speed Optimization for Core Web Vitals, Defer CSS & JavaScript, Lazy load Images
CVE ID: CVE-2023-52121
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/daa30370-0d11-45b7-8ca3-b2a3b9046127

Crowdsignal Dashboard – Polls, Surveys & more <= 3.0.11 – Cross-Site Request Forgery via update_rating

Affected Software: Crowdsignal Dashboard – Polls, Surveys & more
CVE ID: CVE-2023-51489
CVSS Score: 4.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e03390e5-5604-4b9d-ab1b-dac2b19270cd

Strong Testimonials <= 3.1.10 – Cross-Site Request Forgery

Affected Software: Strong Testimonials
CVE ID: CVE-2023-52123
CVSS Score: 4.3 (Medium)
Researcher/s: Brandon James Roldan (tomorrowisnew)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e0ccdc0d-7c38-4dd3-be39-2359d63b2b6c

Eazy Plugin Manager <= 4.1.2 – Missing Authorization via update_options

Affected Software: Eazy Plugin Manager – Powerful Plugin Management Solution for WordPress
CVE ID: CVE-2023-51482
CVSS Score: 4.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e214fadf-73fd-430f-8608-6630ce82b78c

Ultimate Addons for WPBakery <= 3.19.17 – Cross-Site Request Forgery

Affected Software: Ultimate Addons for WPBakery
CVE ID: CVE-2023-51402
CVSS Score: 4.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ece4eca1-9dc1-4f17-92e4-8b2e3e1a7306

Product Table by WBW <= 1.8.6 – Cross-Site Request Forgery via saveGroup

Affected Software: Product Table by WBW
CVE ID: CVE-2023-51512
CVSS Score: 4.3 (Medium)
Researcher/s: Skalucy
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/eff03dbc-1bb7-4a72-b57c-f1bde966c286

Customize My Account for WooCommerce <= 1.8.3 – Cross-Site Request Forgery via restore_my_account_tabs

Affected Software: Customize My Account for WooCommerce
CVE ID: CVE-2023-51369
CVSS Score: 4.3 (Medium)
Researcher/s: thiennv
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f79f9385-f8d1-44a0-9e53-7576a9453163

Product Feed Manager <= 7.3.15 – Authenticated (Admin+) Directory Traversal


As a reminder, Wordfence curates an industry-leading vulnerability database, Wordfence Intelligence, covering all known WordPress core, theme, and plugin vulnerabilities.

This database is continuously updated and maintained by Wordfence's highly credentialed and experienced vulnerability researchers through in-house vulnerability research, direct submissions from researchers via our CVE Request form, and monitoring of varying sources to capture all publicly available WordPress vulnerability information, adding additional context where we can.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (December 18, 2023 to December 31, 2023) appeared first on Wordfence.
