Wordfence Intelligence Weekly WordPress Vulnerability Report (February 5, 2024 to February 11, 2024)


🎉 Did you know we’re running a Bug Bounty Extravaganza again?

Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through February 29th, 2024 when you opt to have Wordfence handle responsible disclosure!


Last week, 95 vulnerabilities disclosed in 65 WordPress plugins and 3 WordPress themes were added to the Wordfence Intelligence Vulnerability Database, and 33 vulnerability researchers contributed to WordPress security. Review the vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, including the WordPress community, so individuals and organizations alike can use that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and use, both personally and commercially, and why we are running this weekly vulnerability report.

Enterprises, hosting providers, and even individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Alternatively, they can use the vulnerability database API to receive a complete dump of our database of over 12,000 vulnerabilities, and then use the webhook integration to stay on top of the newest vulnerabilities added in real time, as well as any updates made to the database, all for free.

Click here to sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress security reports in your inbox the moment they are published.


New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

  • WAF-RULE-675 – data redacted while we work with the vendor on a patch.
  • WAF-RULE-676 – data redacted while we work with the vendor on a patch.

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30-day delay.


Total Unpatched & Patched Vulnerabilities Last Week

Patch Status | Number of Vulnerabilities
Unpatched | 13
Patched | 82

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating | Number of Vulnerabilities
Low Severity | 2
Medium Severity | 82
High Severity | 7
Critical Severity | 4

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE | Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 30
Cross-Site Request Forgery (CSRF) | 21
Missing Authorization | 18
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 5
Information Exposure | 3
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | 3
Deserialization of Untrusted Data | 2
Authorization Bypass Through User-Controlled Key | 2
Improper Access Control | 2
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 2
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) | 1
Uncontrolled Resource Consumption (‘Resource Exhaustion’) | 1
Server-Side Request Forgery (SSRF) | 1
Insecure Storage of Sensitive Information | 1
Incorrect Authorization | 1
Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’) | 1
Improper Authorization | 1

Researchers That Contributed to WordPress Security Last Week

Researcher Name | Number of Vulnerabilities
Francesco Carlucci | 24
Lucio Sá | 10
Dhabaleshwar Das | 7
Webbernaut | 6
Dimas Maulana | 3
Ngô Thiên An (ancorn_) | 3
Krzysztof Zając | 3
beluga | 2
Sh | 2
Rhynorater | 2
kodaichodai | 2
Kyle Sanchez | 2
Felipe Restrepo Rodriguez (pfelilpe) | 2
István Márton (Wordfence Vulnerability Researcher) | 2
Rafie Muhammad | 2
Sean Murphy | 2
stealthcopter | 2
hir0ot | 1
Dave Jong | 1
Le Ngoc Anh | 1
villu164 | 1
Colin Xu | 1
Christian Angel | 1
LVT-tholv2k | 1
wesley (wcraft) | 1
Dmitrii Ignatyev | 1
Abu Hurayra (HurayraIIT) | 1
Muhammad Hassham Nagori | 1
Abdi Pranata | 1
Skalucy | 1
Pham Ho Anh Dung | 1
Savphill | 1
Scott Kingsley Clark | 1


Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added to the Wordfence Intelligence leaderboard, along with a mention in our weekly vulnerability report.


WordPress Plugins with Reported Vulnerabilities Last Week

Software Name | Software Slug
3D Tag Cloud | cardoza-3d-tag-cloud
AMP for WP – Accelerated Mobile Pages | accelerated-mobile-pages
Admin Menu Editor | admin-menu-editor
Advanced Forms for ACF | advanced-forms
All 404 Pages Redirect to Homepage | all-404-pages-redirect-to-homepage
All-In-One Security (AIOS) – Security and Firewall | all-in-one-wp-security-and-firewall
Apollo13 Framework Extensions | apollo13-framework-extensions
Awesome Support – WordPress HelpDesk & Support Plugin | awesome-support
Backuply – Backup, Restore, Migrate and Clone | backuply
Basic Log Viewer | wpsimpletools-log-viewer
Before After Image Slider WP | before-after-image-slider
Buttons Shortcode and Widget | buttons-shortcode-and-widget
Contact Form 7 Connector | ari-cf7-connector
Content Cards | content-cards
Coupon Referral Program | coupon-referral-program
Custom Twitter Feeds – A Tweets Widget or X Feed Widget | custom-twitter-feeds
Customer Reviews for WooCommerce | customer-reviews-woocommerce
Elementor Addon Elements | addon-elements-for-elementor-page-builder
Elementor Addons by Livemesh | addons-for-elementor
Elementor Website Builder – More than Just a Page Builder | elementor
Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin | wp-event-solution
Honeypot for WP Comment | honeypot-for-wp-comment
ImageRecycle pdf & image compression | imagerecycle-pdf-image-compression
InfiniteWP Client | iwp-client
Insert PHP Code Snippet | insert-php-code-snippet
Internal Link Juicer: SEO Auto Linker for WordPress | internal-links
Link Library | link-library
Login Lockdown – Protect Login Form | login-lockdown
Matomo Analytics – Ethical Stats. Powerful Insights. | matomo
Meta Box – WordPress Custom Fields Framework | meta-box
Minimal Coming Soon – Coming Soon Page | minimal-coming-soon-maintenance-mode
My Calendar | my-calendar
NextMove Lite – Thank You Page for WooCommerce | woo-thank-you-page-nextmove-lite
PPWP – Password Protect Pages | password-protect-page
Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions | paid-memberships-pro
Passster – Password Protect Pages and Content | content-protector
Payment Forms for Paystack | payment-forms-for-paystack
Photos and Files Contest Gallery – Contact Form, Upload Form, Social Share and Voting Plugin for WordPress | contest-gallery
Podlove Podcast Publisher | podlove-podcasting-plugin-for-wordpress
Podlove Subscribe button | podlove-subscribe-button
Polls CP | cp-polls
Portugal CTT Tracking for WooCommerce | portugal-ctt-tracking-woocommerce
PowerPack Addons for Elementor (Free Widgets, Extensions and Templates) | powerpack-lite-for-elementor
Prime Slider – Addons For Elementor (Revolution of a slider, Hero Slider, Media Slider, Drag Drop Slider, Video Slider, Product Slider, Ecommerce Slider) | bdthemes-prime-slider-lite
Product Labels For Woocommerce (Sale Badges) | aco-product-labels-for-woocommerce
Quiz Maker | quiz-maker
RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator | feedzy-rss-feeds
RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging | wp-rss-aggregator
Royal Elementor Addons and Templates | royal-elementor-addons
Shariff Wrapper | shariff
Shield Security – Smart Bot Blocking & Intrusion Prevention Security | wp-simple-firewall
Simple Page Access Restriction | simple-page-access-restriction
Starbox – the Author Box for Humans | starbox
Themify Builder | themify-builder
Timeline Widget For Elementor (Elementor Timeline, Vertical & Horizontal Timeline) | timeline-widget-addon-for-elementor
VK Poster Group | vk-poster-group
WP 404 Auto Redirect to Similar Post | wp-404-auto-redirect-to-similar-post
WP Booking Calendar | booking
WP Club Manager – WordPress Sports Club Plugin | wp-club-manager
WP Contact Form | wp-contact-form
WP Recipe Maker | wp-recipe-maker
WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc | wp-sms
WP Shortcodes Plugin — Shortcodes Ultimate | shortcodes-ultimate
Wonder Slider Lite | wonderplugin-slider-lite
Woocommerce Vietnam Checkout | woo-vietnam-checkout

WordPress Themes with Reported Vulnerabilities Last Week

Software Name | Software Slug
Blocksy | blocksy
Royal Elementor Kit | royal-elementor-kit
brooklyn | brooklyn

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site with the scanner enabled, you should already have been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to use.

Shield Security – Smart Bot Blocking & Intrusion Prevention Security <= 18.5.9 – Unauthenticated Local File Inclusion

Affected Software: Shield Security – Smart Bot Blocking & Intrusion Prevention Security
CVE ID: CVE-2023-6989
CVSS Score: 9.8 (Critical)
Researcher/s: hir0ot
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/063826cc-7ff3-4869-9831-f6a4a4bbe74c

Coupon Referral Program <= 1.7.2 – Unauthenticated PHP Object Injection

Affected Software: Coupon Referral Program
CVE ID: CVE-2024-25100
CVSS Score: 9.8 (Critical)
Researcher/s: Dave Jong
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0e556ca2-1b83-4589-bff8-64323eb594e7

Booking Calendar <= 9.9 – Unauthenticated SQL Injection

Affected Software: WP Booking Calendar
CVE ID: CVE-2024-1207
CVSS Score: 9.8 (Critical)
Researcher/s: Muhammad Hassham Nagori
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7802ed1f-138c-4a3d-916c-80fb4f7699b2

Honeypot for WP Comment <= 2.2.3 – Directory Traversal to Unauthenticated Arbitrary File Deletion

Affected Software: Honeypot for WP Comment
CVE ID: CVE-2024-1350
CVSS Score: 9.1 (Critical)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b6b0bb48-eb61-4236-a03f-19d5d2084a75

Elementor <= 3.19.0 – Authenticated (Contributor+) Arbitrary File Deletion and PHAR Deserialization

Affected Software: Elementor Website Builder – More than Just a Page Builder
CVE ID: CVE-2024-24934
CVSS Score: 8.8 (High)
Researcher/s: Rhynorater
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4915b769-9499-40ac-835e-279e3a910558

Awesome Support – WordPress HelpDesk & Support Plugin <= 6.1.7 – Authenticated (Subscriber+) SQL Injection

Affected Software: Awesome Support – WordPress HelpDesk & Support Plugin
CVE ID: CVE-2024-0594
CVSS Score: 8.8 (High)
Researcher/s: Krzysztof Zając
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8494a0f6-7079-4fba-9901-76932b002c5a

WP Recipe Maker <= 9.1.2 – Missing Authorization to Authenticated (Subscriber+) SQL Injection

Affected Software: WP Recipe Maker
CVE ID: CVE-2024-1206
CVSS Score: 8.8 (High)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b10d8f8a-517f-4286-b501-0ca040529362

RSS Aggregator by Feedzy <= 4.4.2 – Authenticated (Contributor+) SQL Injection


Podlove Subscribe button <= 1.3.10 – Authenticated (Contributor+) SQL Injection

Affected Software: Podlove Subscribe button
CVE ID: CVE-2024-1118
CVSS Score: 8.8 (High)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f234f05f-e377-4e89-81e1-f47ff44eebc5

Backuply – Backup, Restore, Migrate and Clone <= 1.2.5 – Denial of Service

Affected Software: Backuply – Backup, Restore, Migrate and Clone
CVE ID: CVE-2024-0842
CVSS Score: 7.5 (High)
Researcher/s: villu164
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1f955d88-ab4c-4cf4-a23b-91119d412716

Brooklyn <= 4.9.7.6 – PHP Object Injection

Affected Software: brooklyn
CVE ID: CVE-2024-24926
CVSS Score: 7.5 (High)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5dd962a5-ec0e-415f-8efa-91e78bb80d16

NextMove Lite <= 2.17.0 – Missing Authorization to Authenticated (Subscriber+) Plugin Activation

Affected Software: NextMove Lite – Thank You Page for WooCommerce
CVE ID: CVE-2024-25092
CVSS Score: 6.5 (Medium)
Researcher/s: beluga
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0b04ab77-880b-423a-bba6-59822f0463bc

RSS Aggregator by Feedzy <= 4.4.2 – Missing Authorization to Arbitrary Page Creation and Publication


AMP for WP <= 1.0.93.1 – Authenticated (Contributor+) Arbitrary Post Deletion via amppb_remove_saved_layout_data

Affected Software: AMP for WP – Accelerated Mobile Pages
CVE ID: CVE-2024-1043
CVSS Score: 6.5 (Medium)
Researcher/s: Sean Murphy
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ffb70e82-355b-48f3-92d0-19659ed2550e

WP Shortcodes Plugin — Shortcodes Ultimate <= 7.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Affected Software: WP Shortcodes Plugin — Shortcodes Ultimate
CVE ID: CVE-2024-0792
CVSS Score: 6.4 (Medium)
Researcher/s: Webbernaut
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0d8c043c-e347-4dc8-8a72-943a7e6c4394

Starbox <= 3.4.8 – Authenticated (Subscriber+) Stored Cross-Site Scripting via Job Settings

Affected Software: Starbox – the Author Box for Humans
CVE ID: CVE-2023-6806
CVSS Score: 6.4 (Medium)
Researcher/s: Sh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1f413fc2-8543-4478-987d-d983581027bf

Royal Elementor Addons and Templates <= 1.3.87 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Royal Elementor Addons and Templates
CVE ID: CVE-2024-0442
CVSS Score: 6.4 (Medium)
Researcher/s: Webbernaut
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/256b4818-290b-4660-8e83-c18b068a8959

Meta Box – WordPress Custom Fields Framework <= 5.9.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Meta Box – WordPress Custom Fields Framework
CVE ID: CVE-2023-6526
CVSS Score: 6.4 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2a6bfc87-6135-4d49-baa2-e8e6291148dc

Apollo13 Framework Extensions <= 1.9.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Apollo13 Framework Extensions
CVE ID: CVE-2024-24880
CVSS Score: 6.4 (Medium)
Researcher/s: LVT-tholv2k
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/33386b7b-fae3-42a4-96d3-df3cdc342317

Content Cards <= 0.9.7 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Affected Software: Content Cards
CVE ID: CVE-2024-24928
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3e7d10ab-2525-407b-b814-ef7d884d5287

Elementor Website Builder – More than Just a Page Builder <= 3.18.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via get_image_alt

Affected Software: Elementor Website Builder – More than Just a Page Builder
CVE ID: CVE-2024-0506
CVSS Score: 6.4 (Medium)
Researcher/s: wesley (wcraft)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4473d3f6-e324-40f5-b92b-167f76b17332

Elementor Addon Elements <= 1.12.11 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Elementor Addon Elements
CVE ID: CVE-2024-0834
CVSS Score: 6.4 (Medium)
Researcher/s: Webbernaut
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6ebb5654-ba3e-4f18-8720-a6595a771964

Elementor Addons by Livemesh <= 8.3.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Elementor Addons by Livemesh
CVE ID: CVE-2024-1235
CVSS Score: 6.4 (Medium)
Researcher/s: Webbernaut
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/70bda4b7-e442-4956-b3cb-8df96043bcde

Payment Forms for Paystack <= 3.4.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Payment Forms for Paystack
CVE ID: CVE-2023-5665
CVSS Score: 6.4 (Medium)
Researcher/s: István Márton
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/98f80608-f24f-4019-a757-de71cba9902f

Before After Image Slider WP <= 2.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Affected Software: Before After Image Slider WP
CVE ID: CVE-2024-24931
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/af76e32b-ba7d-4eaa-97c8-ed6a25e8f387

My Calendar <= 3.4.23 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: My Calendar
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d039ba8f-0452-4c14-a655-7f6880c1f1b4

Buttons Shortcode and Widget <= 1.16 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Affected Software: Buttons Shortcode and Widget
CVE ID: CVE-2024-24930
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ea6e0856-ba3d-4fa1-ac90-45a51ff994ef

VK Poster Group <= 2.0.3 – Reflected Cross-Site Scripting via vkp_repost

Affected Software: VK Poster Group
CVE ID: CVE-2024-24932
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/14f030bd-8d8d-4152-817d-d72c9b7a0152

Matomo <= 4.15.3 – Reflected Cross-Site Scripting via idsite

Affected Software: Matomo Analytics – Ethical Stats. Powerful Insights.
CVE ID: CVE-2023-6923
CVSS Score: 6.1 (Medium)
Researcher/s: Felipe Restrepo Rodriguez (pfelilpe)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2e2d54eb-c176-49c4-a4fc-833e17189cad

WP SMS <= 6.5.2 – Reflected Cross-Site Scripting via ‘page’

Affected Software: WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc
CVE ID: CVE-2024-24881
CVSS Score: 6.1 (Medium)
Researcher/s: Dimas Maulana
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/31f7dc1e-2008-4672-85ba-56fa35f4f0e1

WP 404 Auto Redirect to Similar Post <= 1.0.3 – Reflected Cross-Site Scripting via request

Affected Software: WP 404 Auto Redirect to Similar Post
CVE ID: CVE-2024-0509
CVSS Score: 6.1 (Medium)
Researcher/s: kodaichodai
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6eef5549-3f89-4d6f-8c4e-6e4ee6082042

Wonder Slider Lite <= 13.9 – Reflected Cross-Site Scripting via ‘page’

Affected Software: Wonder Slider Lite
CVE ID: CVE-2024-24877
CVSS Score: 6.1 (Medium)
Researcher/s: Dimas Maulana
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/712d2d8b-2103-4262-807e-bb26cabb771c

Brooklyn <= 4.9.7.6 – Reflected Cross-Site Scripting

Affected Software: brooklyn
CVE ID: CVE-2024-24927
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/724d8382-cef3-4584-a255-c2ecc7c986b3

Link Library <= 7.5.13 – Reflected Cross-Site Scripting via ‘link_price’ and ‘link_tags’

Affected Software: Link Library
CVE ID: CVE-2024-24879
CVSS Score: 6.1 (Medium)
Researcher/s: beluga
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9d5f9d2e-6719-4ce7-bbdd-afaf437bd080

Portugal CTT Tracking for WooCommerce <= 2.1 – Reflected Cross-Site Scripting

Affected Software: Portugal CTT Tracking for WooCommerce
CVE ID: CVE-2024-24878
CVSS Score: 6.1 (Medium)
Researcher/s: stealthcopter
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a69e6ca8-efd6-4b89-ae63-b320f9936842

All-In-One Security (AIOS) – Security and Firewall <= 5.2.5 – Reflected Cross-Site Scripting

Affected Software: All-In-One Security (AIOS) – Security and Firewall
CVE ID: CVE-2024-1037
CVSS Score: 6.1 (Medium)
Researcher/s: stealthcopter
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b50772e5-5142-4f50-b5c0-6116a8821cba

Honeypot for WP Comment <= 2.2.3 – Reflected Cross-Site Scripting via page

Affected Software: Honeypot for WP Comment
CVE ID: CVE-2024-24933
CVSS Score: 6.1 (Medium)
Researcher/s: Dimas Maulana
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c1441e68-5c41-4c90-ba99-1656af87a29d

All 404 Pages Redirect to Homepage <= 1.9 – Unauthenticated Stored Cross-Site Scripting

Affected Software: All 404 Pages Redirect to Homepage
CVE ID: CVE-2024-24889
CVSS Score: 6.1 (Medium)
Researcher/s: Pham Ho Anh Dung
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/de5d5ffc-e76a-4ea9-be68-9ca5f847a363

InfiniteWP Client <= 1.12.3 – Unauthenticated Sensitive Information Exposure

Affected Software: InfiniteWP Client
CVE ID: CVE-2023-6565
CVSS Score: 5.9 (Medium)
Researcher/s: Christian Angel
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2fdc32a4-adf8-4174-924b-5d0b763d010c

PowerPack Addons for Elementor (Free Widgets, Extensions and Templates) <= 2.7.14 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: PowerPack Addons for Elementor (Free Widgets, Extensions and Templates)
CVE ID: CVE-2024-1055
CVSS Score: 5.4 (Medium)
Researcher/s: Webbernaut
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/036cf299-80c2-48a8-befc-02899ab96e3c

Basic Log Viewer <= 1.0.4 – Cross-Site Request Forgery via wpst_lw_viewer

Affected Software: Basic Log Viewer
CVE ID: CVE-2024-24935
CVSS Score: 5.4 (Medium)
Researcher/s: Dhabaleshwar Das
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/18acd104-a5a5-4811-9aea-abc227a1712c

Login Lockdown – Protect Login Form <= 2.08 – Missing Authorization

Affected Software: Login Lockdown – Protect Login Form
CVE ID: CVE-2024-1340
CVSS Score: 5.4 (Medium)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/34021007-b5d3-479b-a0d4-50e301f22c9c

3D Tag Cloud <= 3.8 – Cross-Site Request Forgery to Stored Cross-Site Scripting

Affected Software: 3D Tag Cloud
CVE ID: CVE-2022-41990
CVSS Score: 5.4 (Medium)
Researcher/s: István Márton
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4dfa825c-b0f7-4588-9bf8-cd186a5fc0ff

Prime Slider – Addons For Elementor <= 3.11.10 – Incorrect Authorization via bdt_duplicate_as_draft


Passster – Password Protect Pages and Content <= 4.2.6.2 – Missing Authorization to Sensitive Information Exposure

Affected Software: Passster – Password Protect Pages and Content
CVE ID: CVE-2024-0616
CVSS Score: 5.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/00b81467-8d00-4816-895a-89d67c541c17

Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin <= 3.3.50 – Missing Authorization to Unauthenticated Events Export

Affected Software: Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin
CVE ID: CVE-2024-1122
CVSS Score: 5.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0cbdf679-1657-4249-a433-8fe0cddd94be

CP Polls <= 1.0.71 – Unauthenticated Poll Limit Bypass

Affected Software: Polls CP
CVE ID: CVE-2024-24873
CVSS Score: 5.3 (Medium)
Researcher/s: Kyle Sanchez
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2c80de83-3996-4048-8aa3-3611b002fc01

Podlove Podcast Publisher <= 4.0.11 – Missing Authorization to Settings Import

Affected Software: Podlove Podcast Publisher
CVE ID: CVE-2024-1110
CVSS Score: 5.3 (Medium)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2c9cf461-572c-4be8-96e6-659acf3208f3

PPWP – Password Protect Pages <= 1.8.9 – Protection Mechanism Bypass

Affected Software: PPWP – Password Protect Pages
CVE ID: CVE-2024-0620
CVSS Score: 5.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/41299927-2ed9-4cbe-b2b0-f306dc0e4a58

Customer Reviews for WooCommerce <= 5.38.12 – Improper Authorization via submit_review

Affected Software: Customer Reviews for WooCommerce
CVE ID: CVE-2024-1044
CVSS Score: 5.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4420c334-1ea4-4549-b391-150702abc2f8

Quiz Maker <= 6.5.2.4 – Missing Authorization to Unauthenticated Quiz Data Retrieval

Affected Software: Quiz Maker
CVE ID: CVE-2024-1079
CVSS Score: 5.3 (Medium)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/602df370-cd5b-46dc-a653-6522aef0c62f

WP Club Manager – WordPress Sports Club Plugin <= 2.2.10 – Missing Authorization to Unauthenticated Event Permalink Update

Affected Software: WP Club Manager – WordPress Sports Club Plugin
CVE ID: CVE-2024-1177
CVSS Score: 5.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/64c2c8c2-58f5-4b7d-b226-39ba39e887d5

Advanced Forms for ACF <= 1.9.3.2 – Missing Authorization to Unauthenticated Form Settings Export

Affected Software: Advanced Forms for ACF
CVE ID: CVE-2024-1121
CVSS Score: 5.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7b33f2ee-3f20-4494-bdae-3f8cc3c6dc73

Podlove Podcast Publisher <= 4.0.11 – Missing Authorization to Unauthenticated Data Export

Affected Software: Podlove Podcast Publisher
CVE ID: CVE-2024-1109
CVSS Score: 5.3 (Medium)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a7b25b66-e9d1-448d-8367-cce4c0dec635

Royal Elementor Addons and Templates <= 1.3.87 – Missing Authorization via wpr_update_form_action_meta

Affected Software: Royal Elementor Addons and Templates
CVE ID: CVE-2024-0516
CVSS Score: 5.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d3457b87-c860-4cf2-ac3d-2c6521b629ea

Simple Page Access Restriction <= 1.0.21 – Improper Access Control to Sensitive Information Exposure via REST API

Affected Software: Simple Page Access Restriction
CVE ID: CVE-2024-0965
CVSS Score: 5.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d99dc270-1b28-4e76-9346-38b2b96be01c

Awesome Support – WordPress HelpDesk & Support Plugin <= 6.1.7 – Missing Authorization via editor_html()

Affected Software: Awesome Support – WordPress HelpDesk & Support Plugin
CVE ID: CVE-2024-0596
CVSS Score: 5.3 (Medium)
Researcher/s: Krzysztof Zając
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e4358e2a-b7f6-44b6-a38a-5b27cb15e1cd

CP Polls <= 1.0.71 – Unauthenticated Content Injection

Affected Software: Polls CP
CVE ID: CVE-2024-24874
CVSS Score: 5.3 (Medium)
Researcher/s: Kyle Sanchez
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f28d7659-9244-4da8-97e9-4539d7d874f7

Paid Memberships Pro <= 2.12.8 – Authenticated (Contributor+) User Meta Disclosure


Woocommerce Vietnam Checkout <= 2.0.7 – Authenticated (Shop manager+) Stored Cross-Site Scripting

Affected Software: Woocommerce Vietnam Checkout
CVE ID: CVE-2024-24885
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/02402620-89db-448d-9028-379856735a2a

Timeline Widget For Elementor (Elementor Timeline, Vertical & Horizontal Timeline) <= 1.5.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Timeline Widget For Elementor (Elementor Timeline, Vertical & Horizontal Timeline)
CVE ID: CVE-2024-0977
CVSS Score: 4.4 (Medium)
Researcher/s: Webbernaut
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/03073726-58d0-45b3-b7a6-7d12dbede919

Product Labels For Woocommerce <= 1.5.3 – Authenticated (Shop manager+) Stored Cross-Site Scripting

Affected Software: Product Labels For Woocommerce (Sale Badges)
CVE ID: CVE-2024-24886
CVSS Score: 4.4 (Medium)
Researcher/s: Dhabaleshwar Das
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/24226595-6ae7-44c2-a159-5b69808273fa

Internal Link Juicer <= 2.23.4 – Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: Internal Link Juicer: SEO Auto Linker for WordPress
CVE ID: CVE-2024-0657
CVSS Score: 4.4 (Medium)
Researcher/s: Sh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/41d39fe4-b114-4612-92f6-75d6597610f7

Shariff Wrapper <= 4.6.9 – Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: Shariff Wrapper
CVE ID: CVE-2024-1106
CVSS Score: 4.4 (Medium)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5ab9c383-14da-479d-9709-1ae154dae398

My Calendar <= 3.4.23 – Authenticated (Admin+) Stored Cross-Site Scripting via Events

Affected Software: My Calendar
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ad98db62-4253-4fd5-90b3-c28a563c7697

Insert PHP Code Snippet <= 1.3.4 – Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: Insert PHP Code Snippet
CVE ID: CVE-2024-0658
CVSS Score: 4.4 (Medium)
Researcher/s: Felipe Restrepo Rodriguez (pfelilpe)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c4a6b786-d0ef-41f6-b2bf-83307ec02b91

Blocksy <= 2.0.19 – Authenticated (Editor+) Stored Cross-Site Scripting

Affected Software: Blocksy
CVE ID: CVE-2024-24871
CVSS Score: 4.4 (Medium)
Researcher/s: Savphill
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e781e1aa-7fa2-4cea-913b-4aa582ec6a4f

ImageRecycle pdf & image compression <= 3.1.13 – Cross-Site Request Forgery to Settings Update in enableOptimization

Affected Software: ImageRecycle pdf & image compression
CVE ID: CVE-2024-1334
CVSS Score: 4.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0318ec4a-185a-405d-90f8-008ba373114b

All In One WP Security <= 5.2.6 – Cross-Site Request Forgery to IP Blocking

Affected Software: All-In-One Security (AIOS) – Security and Firewall
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/05991bf2-ee61-4bf7-89df-c2f66db7caec

ImageRecycle pdf & image compression <= 3.1.13 – Missing Authorization to Settings Update in enableOptimization

Affected Software: ImageRecycle pdf & image compression
CVE ID: CVE-2024-0983
CVSS Score: 4.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/175dd04d-ce06-45a0-8cfe-14498e2f9198

Custom Twitter Feeds – A Tweets Widget or X Feed Widget <= 2.2.1 – Cross-Site Request Forgery to Plugin Options Update

Affected Software: Custom Twitter Feeds – A Tweets Widget or X Feed Widget
CVE ID: CVE-2024-0379
CVSS Score: 4.3 (Medium)
Researcher/s: Rhynorater, kodaichodai
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/29e2ff11-053b-45cc-adf1-d276f1ee576e

ImageRecycle pdf & image compression <= 3.1.13 – Cross-Site Request Forgery to Plugin Data Removal in reinitialize

Affected Software: ImageRecycle pdf & image compression
CVE ID: CVE-2024-1339
CVSS Score: 4.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2d08e462-8297-477e-89da-47f26bd6beae

ImageRecycle pdf & image compression <= 3.1.13 – Missing Authorization to Plugin Data Removal in reinitialize

Affected Software: ImageRecycle pdf & image compression
CVE ID: CVE-2024-1091
CVSS Score: 4.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3cb8b08c-a028-48bd-acad-c00313fe06b8

Royal Elementor Addons and Templates <= 1.3.87 – Cross-Site Request Forgery via remove_from_wishlist

Affected Software: Royal Elementor Addons and Templates
CVE ID: CVE-2024-0513
CVSS Score: 4.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3d3516e7-cce4-4def-be38-d16be3110d59

Admin Menu Editor <= 1.12 – Cross-Site Request Forgery via ajax_hide_hint()

Affected Software: Admin Menu Editor
CVE ID: CVE-2024-24876
CVSS Score: 4.3 (Medium)
Researcher/s: Dhabaleshwar Das
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/53fa9be4-a2b3-458c-af6e-d3ada639a622

ImageRecycle pdf & image compression <= 3.1.13 – Cross-Site Request Forgery to Settings Update in stopOptimizeAll

Affected Software: ImageRecycle pdf & image compression
CVE ID: CVE-2024-1338
CVSS Score: 4.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5e3dd131-dbd8-431c-96f4-4ab2c3be4dbd

Royal Elementor Kit <= 1.0.116 – Missing Authorization to Arbitrary Transient Update

Affected Software: Royal Elementor Kit
CVE ID: CVE-2024-0835
CVSS Score: 4.3 (Medium)
Researcher/s: Sean Murphy
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/603b6c52-48eb-4e8c-a2c1-77b12a2b1a2c

Themify Builder <= 7.0.5 – Cross-Site Request Forgery

Affected Software: Themify Builder
CVE ID: CVE-2024-24872
CVSS Score: 4.3 (Medium)
Researcher/s: Dhabaleshwar Das
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6840c91f-a5d9-4940-8a08-d62acc5d43eb

Quiz Maker <= 6.5.2.4 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Quiz Creation & Modification

Affected Software: Quiz Maker
CVE ID: CVE-2024-1078
CVSS Score: 4.3 (Medium)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7ba2b270-5f02-4cd8-8a22-1723c3873d67

ImageRecycle pdf & image compression <= 3.1.13 – Missing Authorization to Settings Update in optimizeAllOn

Affected Software: ImageRecycle pdf & image compression
CVE ID: CVE-2024-1089
CVSS Score: 4.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8ff16906-2516-4b3c-8217-e3fb24924e27

Royal Elementor Addons and Templates <= 1.3.87 – Cross-Site Request Forgery via remove_from_compare

Affected Software: Royal Elementor Addons and Templates
CVE ID: CVE-2024-0515
CVSS Score: 4.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a4178271-c09e-4094-a616-5a00d28f39a3

Royal Elementor Addons and Templates <= 1.3.87 – Cross-Site Request Forgery via add_to_compare

Affected Software: Royal Elementor Addons and Templates
CVE ID: CVE-2024-0514
CVSS Score: 4.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b0955689-43a0-442c-974b-5db5e4171f6a

Royal Elementor Addons and Templates <= 1.3.87 – Cross-Site Request Forgery via add_to_wishlist

Affected Software: Royal Elementor Addons and Templates
CVE ID: CVE-2024-0512
CVSS Score: 4.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b2ff2954-f494-4cd7-9f29-ee0e8551e339

ImageRecycle pdf & image compression <= 3.1.13 – Cross-Site Request Forgery to Settings Update in disableOptimization

Affected Software: ImageRecycle pdf & image compression
CVE ID: CVE-2024-1335
CVSS Score: 4.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b3900e4f-4ae4-4026-89df-b63bd869a763

Contact Form 7 Connector <= 1.2.2 – Cross-Site Request Forgery

Affected Software: Contact Form 7 Connector
CVE ID: CVE-2024-24884
CVSS Score: 4.3 (Medium)
Researcher/s: Dhabaleshwar Das
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b74a5a4c-250a-46bc-bf08-2dd720de41ae

Awesome Support – WordPress HelpDesk & Support Plugin <= 6.1.7 – Missing Authorization via wpas_get_users()

Affected Software: Awesome Support – WordPress HelpDesk & Support Plugin
CVE ID: CVE-2024-0595
CVSS Score: 4.3 (Medium)
Researcher/s: Krzysztof Zając
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bfb77432-e58d-466e-a366-8b8d7f1b6982

WP Contact Form <= 1.6 – Cross-Site Request Forgery via wpcf_adminpage

Affected Software: WP Contact Form
CVE ID: CVE-2024-24929
CVSS Score: 4.3 (Medium)
Researcher/s: Skalucy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c5decbb3-05a0-403f-918a-9b516df85778

ImageRecycle pdf & image compression <= 3.1.13 – Cross-Site Request Forgery to Settings Update in optimizeAllOn

Affected Software: ImageRecycle pdf & image compression
CVE ID: CVE-2024-1336
CVSS Score: 4.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ca4cf299-9dee-4ebf-83f3-4c3471bd9fb0

ImageRecycle pdf & image compression <= 3.1.13 – Missing Authorization to Settings Update in disableOptimization

Affected Software: ImageRecycle pdf & image compression
CVE ID: CVE-2024-0984
CVSS Score: 4.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cc9dd55d-3c37-4f24-81a1-fdc8ca284566

Royal Elementor Addons and Templates <= 1.3.87 – Cross-Site Request Forgery via wpr_update_form_action_meta

Affected Software: Royal Elementor Addons and Templates
CVE ID: CVE-2024-0511
CVSS Score: 4.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/dc8bef03-51e0-4448-bddd-85300104e875

Contest Gallery <= 21.2.8.4 – Cross-Site Request Forgery
ImageRecycle pdf & image compression <= 3.1.13 – Missing Authorization to Settings Update in stopOptimizeAll

Affected Software: ImageRecycle pdf & image compression
CVE ID: CVE-2024-1090
CVSS Score: 4.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f3fae909-5564-4e0a-9114-edd0e45865e5

Link Library <= 7.5.13 – Cross-Site Request Forgery via action_admin_init

Affected Software: Link Library
CVE ID: CVE-2024-24875
CVSS Score: 4.3 (Medium)
Researcher/s: Dhabaleshwar Das
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fefe4499-8b03-4c07-b248-ae0ae5153b4f

WP RSS Aggregator <= 4.23.5 – Authenticated (Admin+) Server-Side Request Forgery via RSS Feed Source

Affected Software: RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging
CVE ID: CVE-2024-0628
CVSS Score: 3.8 (Low)
Researcher/s: Colin Xu
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2154383e-eabb-4964-8991-423dd68d5efb

Minimal Coming Soon – Coming Soon Page <= 2.37 – Unauthenticated Maintenance Mode Bypass

Affected Software: Minimal Coming Soon – Coming Soon Page
CVE ID: CVE-2024-1075
CVSS Score: 3.7 (Low)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/78203b98-15bc-4d8e-9278-c472b518be07

As a reminder, Wordfence has curated an industry-leading vulnerability database, Wordfence Intelligence, covering all known WordPress core, theme, and plugin vulnerabilities.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, through direct submissions from researchers using our CVE Request form, and by monitoring a variety of sources to capture all publicly available WordPress vulnerability information, adding additional context where we can.
