Wordfence Intelligence Weekly WordPress Vulnerability Report (January 1, 2023 to January 7, 2023)

🎉Wordfence just launched its bug bounty program. For the first 6 months, all awarded bounties receive a 10% bonus. View the announcement to learn more now!

Last week, there were 85 vulnerabilities disclosed in 74 WordPress Plugins and 2 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 39 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 12,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.


New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.


Total Unpatched & Patched Vulnerabilities Last Week

Patch Status Number of Vulnerabilities
Unpatched 33
Patched 52

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating Number of Vulnerabilities
Low Severity 1
Medium Severity 67
High Severity 13
Critical Severity 4

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) 27
Missing Authorization 18
Cross-Site Request Forgery (CSRF) 13
Deserialization of Untrusted Data 7
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) 5
Authorization Bypass Through User-Controlled Key 3
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) 3
Improper Input Validation 2
Information Exposure 2
Argument Injection or Modification 1
Use of Less Trusted Source 1
Improper Access Control 1
Storing Passwords in a Recoverable Format 1
Path Traversal: ‘../filedir’ 1

Researchers That Contributed to WordPress Security Last Week

Researcher Name Number of Vulnerabilities
Rafie Muhammad 11
Ngô Thiên An (ancorn_) 9
Lucio Sá 6
Dave Jong 5
Webbernaut 4
Daniel Ruf 4
Francesco Carlucci 4
Ulyses Saicha 3
Le Ngoc Anh 3
Krzysztof Zając 3
hir0ot 2
Nex Team 2
Mika 2
Abu Hurayra (HurayraIIT) 2
Abdi Pranata 2
Colin Xu 2
Kang SeoHee 1
Huynh Tien Si 1
xEHLE 1
Bob Matyas 1
lttn 1
Akbar Kustirama 1
Joshua Chan 1
drop 1
emad 1
Matan Berson (matanber) 1
Sean Murphy 1
Pedro Cuco (illex) 1
Friday 1
Angelo Delicato 1
Dimas Maulana 1
Arvandy 1
István Márton 1
Rafshanzani Suhada 1
Debangshu Kundu 1
Arpeet Rathi 1
Dhabaleshwar Das 1
Dmitrii Ignatyev 1
Nguyen Xuan Chien 1

 

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.


WordPress Plugins with Reported Vulnerabilities Last Week

Software Name Software Slug
3D FlipBook – PDF Flipbook WordPress interactive-3d-flipbook-powered-physics-engine
ActivityPub activitypub
Ads Invalid Click Protection ads-invalid-click-protection
Ajax Search Lite ajax-search-lite
Autotitle for WordPress autotitle-for-wordpress
Booster Elite for WooCommerce booster-elite-for-woocommerce
Booster Plus for WooCommerce booster-plus-for-woocommerce
CPT Bootstrap Carousel cpt-bootstrap-carousel
Complianz – GDPR/CCPA Cookie Consent complianz-gdpr
Constant Contact Forms constant-contact-forms
Contact Form, Survey & Popup Form Plugin for WordPress – ARForms Form Builder arforms-form-builder
Coupon Referral Program coupon-referral-program
Depicter Slider – Responsive Image Slider, Video Slider & Post Slider depicter
Easy SVG Allow easy-svg-image-allow
Easy Social Feed – Social Photos Gallery – Post Feed – Like Box easy-facebook-likebox
EmbedPress – Embed PDF, YouTube, Google Docs, Vimeo, Wistia Videos, Audios, Maps & Any Documents in Gutenberg & Elementor embedpress
Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders essential-addons-for-elementor-lite
Floating Notification Bar, Sticky Menu on Scroll, Announcement Banner, and Sticky Header for Any Theme – My Sticky Bar (formerly myStickymenu) mystickymenu
FooGallery Premium foogallery-premium
Gecka Terms Thumbnails gecka-terms-thumbnails
HTML5 MP3 Player with Folder Feedburner Playlist Free html5-mp3-player-with-mp3-folder-feedburner-playlist
HTML5 MP3 Player with Playlist Free html5-mp3-player-with-playlist
HTML5 SoundCloud Player with Playlist Free html5-soundcloud-player-with-playlist
Happy Addons for Elementor happy-elementor-addons
Happy Addons for Elementor Pro happy-elementor-addons-pro
Hostinger hostinger
Icegram Engage – WordPress Lead Generation, Popup Builder, CTA, Optins and Email List Building icegram
Ideal Interactive Map ideal-interactive-map
Infogram – Add charts, maps and infographics infogram
JS & CSS Script Optimizer js-css-script-optimizer
Keap Official Opt-in Forms infusionsoft-official-opt-in-forms
Laybuy Payment Extension for WooCommerce laybuy-gateway-for-woocommerce
LearnPress – WordPress LMS Plugin learnpress
LightStart – Maintenance Mode, Coming Soon and Landing Page Builder wp-maintenance-mode
MapPress Maps for WordPress mappress-google-maps-for-wordpress
Mapster WP Maps mapster-wp-maps
MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy) google-analytics-for-wordpress
OMGF | GDPR/DSGVO Compliant, Faster Google Fonts. Easy. host-webfonts-local
Orbit Fox by ThemeIsle themeisle-companion
Oxygen Builder oxygenbuilder
POST SMTP – The #1 WordPress SMTP Plugin with Advanced Email Logging and Delivery Failure Notifications post-smtp
Page Builder: Live Composer live-composer-page-builder
Page Builder: Pagelayer – Drag and Drop website builder pagelayer
Posts to Page posts-to-page
PowerPack Addons for Elementor (Free Widgets, Extensions and Templates) powerpack-lite-for-elementor
Private Google Calendars private-google-calendars
Product Delivery Date for WooCommerce – Lite product-delivery-date-for-woocommerce-lite
Product Expiry for WooCommerce product-expiry-for-woocommerce
Quiz Maker quiz-maker
RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator feedzy-rss-feeds
Randomize randomize
Rate Star Review – AJAX Reviews for Content, with Star Ratings rate-star-review
Site Notes site-notes
TJ Shortcodes theme-junkie-shortcodes
Tagbox – UGC Galleries, Social Media Widgets, User Reviews & Analytics taggbox-widget
User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor profile-builder
Void Contact Form 7 Widget For Elementor Page Builder cf7-widget-elementor
WP 2FA – Two-factor authentication for WordPress wp-2fa
WP Compress – Image Optimizer [All-In-One] wp-compress-image-optimizer
WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting erp
WP Job Manager wp-job-manager
WP Plugin Lister wp-plugin-lister
WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc wp-sms
WP SOCIAL BOOKMARK MENU wp-social-bookmark-menu
WP Ultimate Review wp-ultimate-review
WP-Members Membership Plugin wp-members
WooCommerce woocommerce
WooCommerce Conversion Tracking woocommerce-conversion-tracking
WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels print-invoices-packing-slip-labels-for-woocommerce
Woocommerce Tranzila Payment Gateway woo-tranzila-gateway
WordPress Users wordpress-users
cformsII cforms2
oEmbed Gist oembed-gist
pTypeConverter ptypeconverter

WordPress Themes with Reported Vulnerabilities Last Week

Software Name Software Slug
Meris meris
Weaver Xtreme weaver-xtreme

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

WooCommerce Tranzila Gateway <= 1.0.8 – Unauthenticated PHP Object Injection

Affected Software: Woocommerce Tranzila Payment Gateway
CVE ID: CVE-2023-52218
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3ed30ebb-cb06-428c-a60e-676f36e75fa9

LearnPress <= 4.2.5.7 – Unauthenticated SQL Injection via order_by

Affected Software: LearnPress – WordPress LMS Plugin
CVE ID: CVE-2023-6567
CVSS Score: 9.8 (Critical)
Researcher/s: hir0ot
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6ab578cd-3a0b-43d3-aaa7-0a01f431a4e2

Taggbox <= 3.1 – Unauthenticated PHP Object Injection

Affected Software: Tagbox – UGC Galleries, Social Media Widgets, User Reviews & Analytics
CVE ID: CVE-2023-52225
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cae6e8b9-a8a9-41d3-83e8-d833515a0244

WP Compress – Image Optimizer [All-In-One] <= 6.10.33 – Unauthenticated Directory Traversal via css

Affected Software: WP Compress – Image Optimizer [All-In-One]
CVE ID: CVE-2023-6699
CVSS Score: 9.1 (Critical)
Researcher/s: Krzysztof Zając
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/defb87dd-bf5f-411f-b948-699337d05d44

Gecka Terms Thumbnails <= 1.1 – Authenticated (Subscriber+) PHP Object Injection

Affected Software: Gecka Terms Thumbnails
CVE ID: CVE-2023-52219
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/07abe182-370f-4241-9631-387a7930f2f6

HTML5 SoundCloud Player <= 2.8.0 – Authenticated (Author+) PHP Object Injection

Affected Software: HTML5 SoundCloud Player with Playlist Free
CVE ID: CVE-2023-52205
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/229235de-03c6-4560-b0ea-ab21fde256be

Page Builder: Live Composer <= 1.5.25 – Authenticated (Author+) PHP Object Injection

Affected Software: Page Builder: Live Composer
CVE ID: CVE-2023-52206
CVSS Score: 8.8 (High)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2a0f9f80-e338-4afd-9a4b-e421865c8b0b

HTML5 MP3 Player with Playlist Free <= 3.0.0 – Authenticated (Author+) PHP Object Injecton

Affected Software: HTML5 MP3 Player with Playlist Free
CVE ID: CVE-2023-52207
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2eac991e-fc34-456c-a9a6-d30fde39fd42

Randomize <= 1.4.3 – Authenticated (Contributor+) SQL Injection

Affected Software: Randomize
CVE ID: CVE-2023-52204
CVSS Score: 8.8 (High)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7b971ae0-624d-416e-b2f2-92ce44e96418

HTML5 MP3 Player with Folder Feedburner <= 2.8.0 – Authenticated (Author+) PHP Object Injection

Affected Software: HTML5 MP3 Player with Folder Feedburner Playlist Free
CVE ID: CVE-2023-52202
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8b7321e8-153c-4586-8114-65583e06573e

OMGF | GDPR/DSGVO Compliant, Faster Google Fonts. Easy. <= 5.7.9 – Missing Authorization to Unauthenticated Directory Deletion and Cross-Site Scripting

Affected Software: OMGF | GDPR/DSGVO Compliant, Faster Google Fonts. Easy.
CVE ID: CVE-2023-6600
CVSS Score: 8.6 (High)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4e835b97-c066-4e8f-b99f-1a930105af0c

LearnPress <= 4.2.5.7 – Command Injection

Affected Software: LearnPress – WordPress LMS Plugin
CVE ID: CVE-2023-6634
CVSS Score: 8.1 (High)
Researcher/s: hir0ot
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/21291ed7-cdc0-4698-9ec4-8417160845ed

Hostinger <= 1.9.7 – Missing Authorization to Maintenance Mode Activation

Affected Software: Hostinger
CVE ID: CVE-2023-6751
CVSS Score: 7.3 (High)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d89cf759-5e5f-43e2-90a9-a8e554653ee1

ARForms <= 1.5.8 – Unauthenticated Stored Cross-Site Scripting via arf_http_referrer_url

Affected Software: Contact Form, Survey & Popup Form Plugin for WordPress – ARForms Form Builder
CVE ID: CVE-2023-6828
CVSS Score: 7.2 (High)
Researcher/s: drop
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6e349cae-a996-4a32-807a-a98ebcb01edd

POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress <= 2.8.7 – Unauthenticated Stored Cross-Site Scripting via device


WP ERP <= 1.12.8 – Authenticated (Accounting manager+) SQL Injection

Affected Software: WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting
CVE ID: CVE-2024-21747
CVSS Score: 7.2 (High)
Researcher/s: Arvandy
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b7d85921-9d70-4812-9c5f-11ee1d0821be

pTypeConverter <= 0.2.8.1 – Authenticated (Editor+) SQL Injection

Affected Software: pTypeConverter
CVE ID: CVE-2023-52201
CVSS Score: 7.2 (High)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d3c26454-a91d-4141-9b31-5c902c5e8eec

WP-Members Membership Plugin <= 3.4.8 – Missing Authorization to Sensitive Information Exposure

Affected Software: WP-Members Membership Plugin
CVE ID: CVE-2023-6733
CVSS Score: 6.5 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/46c61f38-553e-43b2-a666-b160db40e66d

Coupon Referral Program <= 1.7.2 – Sensitive Information Disclosure

Affected Software: Coupon Referral Program
CVE ID: CVE-2023-52190
CVSS Score: 6.5 (Medium)
Researcher/s: Dave Jong
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6015e204-1e07-4c75-ad22-969045934468

Ideal Interactive Map <= 1.2.4 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Ideal Interactive Map
CVE ID: CVE-2023-52189
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/019c5e06-1345-4c8e-abb9-dc0ea5d55ef5

Page Builder: Live Composer <= 1.5.23 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Page Builder: Live Composer
CVE ID: CVE-2023-52193
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/09631637-55e2-4e1e-9dcb-bba205be5f43

Easy SVG Allow <= 1.0 – Authenticated (Author+) Stored Cross-Site Scripting via SVG

Affected Software: Easy SVG Allow
CVE ID: CVE-2023-7089
CVSS Score: 6.4 (Medium)
Researcher/s: Bob Matyas
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1a766b5b-e21e-4009-86d9-7f0a5c91ed51

Orbit Fox Companion <= 2.10.26 – Authenticated (Contributor+) Stored Cross-Site Scripting via custom fields

Affected Software: Orbit Fox by ThemeIsle
CVE ID: CVE-2023-6781
CVSS Score: 6.4 (Medium)
Researcher/s: Nex Team
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/23e39019-c322-4027-84f2-faabd9ca4983

MapPress Maps for WordPress <= 2.88.13 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: MapPress Maps for WordPress
CVE ID: CVE-2023-6524
CVSS Score: 6.4 (Medium)
Researcher/s: Akbar Kustirama
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/28a8f025-c2ab-4a5f-a99e-a2d19b14a190

Posts to Page <= 1.7 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Posts to Page
CVE ID: CVE-2023-52195
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2e5fdaae-3ef2-477e-b79b-0b6e415edb40

Laybuy Payment Extension for WooCommerce <= 5.3.9 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Laybuy Payment Extension for WooCommerce
CVE ID: CVE-2024-21745
CVSS Score: 6.4 (Medium)
Researcher/s: Abu Hurayra (HurayraIIT)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4c91caaa-9bdd-4170-98f1-0d686d3ffcba

3D Flipbook <= 1.15.2 – Authenticated (Contributor+) Cross-Site Scripting via Ready Function

Affected Software: 3D FlipBook – PDF Flipbook WordPress
CVE ID: CVE-2023-6776
CVSS Score: 6.4 (Medium)
Researcher/s: Webbernaut
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/500fd8aa-9ad1-41ee-bbeb-cda9c80c4fcb

Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders <= 5.9.2 – Authenticated (Contributor+) Stored Cross-Site Scripting


Infogram <= 1.6.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Infogram – Add charts, maps and infographics
CVE ID: CVE-2023-52191
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/72e1482c-0f55-4f43-8590-d4f2758f0eea

Keap Official Opt-in Forms <= 1.0.11 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Keap Official Opt-in Forms
CVE ID: CVE-2023-52192
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9a0f1006-8015-4e67-9b03-16d3ad3c0e77

RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator <= 4.3.2 – Authenticated (Author+) Stored Cross-Site Scripting


EmbedPress – Embed PDF, YouTube, Google Docs, Vimeo, Wistia Videos, Audios, Maps & Any Documents in Gutenberg & Elementor <= 3.9.5 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode


Mapster WP Maps <= 1.2.38 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Mapster WP Maps
CVE ID: CVE-2024-21744
CVSS Score: 6.4 (Medium)
Researcher/s: Abu Hurayra (HurayraIIT)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d38ee896-8cdd-45c5-b393-bdcb7baa7bd3

FooGallery Premium <= 2.3.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: FooGallery Premium
CVE ID: CVE-2023-6747
CVSS Score: 6.4 (Medium)
Researcher/s: Webbernaut, Debangshu Kundu, Arpeet Rathi
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/dce8ac32-cab8-4e05-bf6f-cc348d0c9472

Private Google Calendars <= 20231125 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Private Google Calendars
CVE ID: CVE-2023-52198
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e276cc49-2da1-4e2f-bb64-28ffe6ec9acf

Oxygen Builder <= 4.8 – Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Field

Affected Software: Oxygen Builder
CVE ID: CVE-2023-6938
CVSS Score: 6.4 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ee069cb3-370e-48ea-aa35-c30fe83c2498

TJ Shortcodes 0.1.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: TJ Shortcodes
CVE ID: CVE-2023-6530
CVSS Score: 6.4 (Medium)
Researcher/s: Dmitrii Ignatyev
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f88ef4cf-3f22-40e0-b651-59cb40f148fd

oEmbed Gist <= 4.9.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: oEmbed Gist
CVE ID: CVE-2023-52194
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fed0e3bc-1401-410a-805d-1ea3e423024b

Rate Star Review <= 1.5.1 – Reflected Cross-Site Scripting

Affected Software: Rate Star Review – AJAX Reviews for Content, with Star Ratings
CVE ID: CVE-2023-52213
CVSS Score: 6.1 (Medium)
Researcher/s: Kang SeoHee
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/025a13e6-5f0a-49ca-bd63-44e4095072bd

Autotitle for WordPress <= 1.0.3 – Cross-Site Request Forgery to Settings Update and Stored Cross-Site Scripting

Affected Software: Autotitle for WordPress
CVE ID: CVE-2023-6946
CVSS Score: 6.1 (Medium)
Researcher/s: Daniel Ruf
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/062d906d-5a6e-4180-a2f2-18411334b9a1

Happy Addons for Elementor <= 3.9.1.1 – Reflected Cross-Site Scripting

Affected Software/s: Happy Addons for Elementor Pro, Happy Addons for Elementor
CVE ID: CVE-2023-6632
CVSS Score: 6.1 (Medium)
Researcher/s: xEHLE
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/06ef69f0-34d3-4389-8a81-a4d9922f1468

Ajax Search Lite <= 4.11.4 – Reflected Cross-Site Scripting

Affected Software: Ajax Search Lite
CVE ID: CVE-2024-21752
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/19418da4-bef4-4cbc-901c-f2aeee39b3cf

WP Plugin Lister <= 2.1.0 – Cross-Site Request Forgery to Settings Update and Stored Cross-Site Scripting

Affected Software: WP Plugin Lister
CVE ID: CVE-2023-6503
CVSS Score: 6.1 (Medium)
Researcher/s: Daniel Ruf
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3b819e88-111a-4611-ae23-87ac7a878b4a

POST SMTP Mailer <= 2.8.6 – Reflected Cross-Site Scripting via msg


Meris <= 1.1.2 – Reflected Cross-Site Scripting

Affected Software: Meris
CVE ID: CVE-2023-7194
CVSS Score: 6.1 (Medium)
Researcher/s: Angelo Delicato
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a627f10a-1463-4e4b-98a9-2008fa76e25a

CPT Bootstrap Carousel <= 1.12 – Reflected Cross-Site Scripting

Affected Software: CPT Bootstrap Carousel
CVE ID: CVE-2023-52196
CVSS Score: 6.1 (Medium)
Researcher/s: Dimas Maulana
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a78321b7-b62b-40ab-a15d-037ebd905d8b

WP SMS <= 6.5 – Authenticated (Admin+) SQL Injection to Reflected Cross-Site Scripting


Weaver Xtreme <= 6.3.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Weaver Xtreme
CVE ID: CVE-2023-6990
CVSS Score: 5.4 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bc7384d7-c2fd-4d63-9b80-bb5bde9a23d5

RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator <= 4.3.2 – Missing Authorization


Product Expiry for WooCommerce <= 2.5 – Missing Authorization to Authenticated (Subscriber+) Plugin Settings Update

Affected Software: Product Expiry for WooCommerce
CVE ID: CVE-2024-0201
CVSS Score: 5.4 (Medium)
Researcher/s: István Márton
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c4006612-770a-482f-a8c2-e62f607914a9

PageLayer <= 1.7.8 – Authenticated(Contributor+) Stored Cross-Site Scripting via meta fields

Affected Software: Page Builder: Pagelayer – Drag and Drop website builder
CVE ID: CVE-2023-6738
CVSS Score: 5.4 (Medium)
Researcher/s: Nex Team
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d14c8890-482c-4d43-a68f-0d04c4feca8f

Constant Contact Forms <= 2.4.2 – Information Disclosure via Log Files

Affected Software: Constant Contact Forms
CVE ID: CVE-2023-52208
CVSS Score: 5.3 (Medium)
Researcher/s: Joshua Chan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2990b307-2b07-4daf-917b-d9587253cbeb

Wp Ultimate Review <= 2.2.5 – IP Spoofing

Affected Software: WP Ultimate Review
CVE ID: CVE-2024-21746
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/31418a45-7dae-4cd4-8f85-0498a285ef6d

ActivityPub <= 1.0.5 – Missing Authorization

Affected Software: ActivityPub
CVE ID: CVE-2023-52199
CVSS Score: 5.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3666a841-711d-4ecf-bb77-f2db4d5817ea

Product Delivery Date for WooCommerce – Lite <= 2.7.0 – Missing Authorization

Affected Software: Product Delivery Date for WooCommerce – Lite
CVE ID: CVE-2023-52210
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4a32ae77-3d4e-4fd4-a43a-7d1a52dcfa77

WP Job Manager <= 2.0.0 – Missing Authorization

Affected Software: WP Job Manager
CVE ID: CVE-2023-52211
CVSS Score: 5.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8b1af76a-3836-4527-9ea6-8bffa173a84e

PowerPack Addons for Elementor (Free Widgets, Extensions and Templates) <= 2.7.13 – Cross-Site Request Forgery

Affected Software: PowerPack Addons for Elementor (Free Widgets, Extensions and Templates)
CVE ID: CVE-2023-6984
CVSS Score: 5.3 (Medium)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fe2cfc96-63f4-4e4b-bf49-6031594a4805

Complianz | GDPR/CCPA Cookie Consent <= 6.5.5 – Authenticated(Administrator+) Stored Cross-site Scripting via settings

Affected Software: Complianz – GDPR/CCPA Cookie Consent
CVE ID: CVE-2023-6498
CVSS Score: 4.4 (Medium)
Researcher/s: Webbernaut
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/01c1458d-3e38-4dbf-bb65-80465ea6d0ad

CformsII <= 15.0.5 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: cformsII
CVE ID: CVE-2023-52203
CVSS Score: 4.4 (Medium)
Researcher/s: emad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/72800e9b-8e2c-4725-9a87-a9b187ad5967

Ads Invalid Click Protection <= 1.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Ads Invalid Click Protection
CVE ID: CVE-2023-52197
CVSS Score: 4.4 (Medium)
Researcher/s: Dhabaleshwar Das
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f0fa8050-6318-4528-8dd4-a3ca5467cfaa

Icegram <= 3.1.20 – Missing Authorization


WP 2FA – Two-factor authentication for WordPress <= 2.5.0 – Cross-Site Request Forgery

Affected Software: WP 2FA – Two-factor authentication for WordPress
CVE ID: CVE-2023-6520
CVSS Score: 4.3 (Medium)
Researcher/s: Ulyses Saicha
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0af451be-2477-453c-a230-7f3fb804398b

WP Social Bookmark Menu <= 1.2 – Cross-Site Request Forgery to Settings Update

Affected Software: WP SOCIAL BOOKMARK MENU
CVE ID: CVE-2023-7074
CVSS Score: 4.3 (Medium)
Researcher/s: Daniel Ruf
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/120a75c5-4fff-4a77-b376-d6968853b40e

LearnPress <= 4.2.5.7 – Insecure Direct Object Reference to Information Disclosure

Affected Software: LearnPress – WordPress LMS Plugin
CVE ID: CVE-2023-6223
CVSS Score: 4.3 (Medium)
Researcher/s: lttn
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/215d5d9e-dabb-462d-8c51-952f8c497b78

Booster Plus for WooCommerce < 7.1.2 – Missing Authorization to Order Information Disclosure

Affected Software: Booster Plus for WooCommerce
CVE ID: CVE-2023-52231
CVSS Score: 4.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/38a90190-569f-46d8-bef4-fe28caf5e2fc

WordPress Users <= 1.4 – Cross-Site Request Forgery to Settings Update

Affected Software: WordPress Users
CVE ID: CVE-2023-6390
CVSS Score: 4.3 (Medium)
Researcher/s: Daniel Ruf
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3c1a7bda-29c5-4b4b-bbd8-71187609892e

Easy Social Feed <= 6.5.2 – Missing Authorization to Settings Modification

Affected Software: Easy Social Feed – Social Photos Gallery – Post Feed – Like Box
CVE ID: CVE-2023-6883
CVSS Score: 4.3 (Medium)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3deee9b5-2e36-447d-a492-e22e3dc6a5ab

Quiz Maker <= 6.5.1.1 – Missing Authorization

Affected Software: Quiz Maker
CVE ID: CVE-2024-21743
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4e62f27b-c6b0-48ed-bfd7-a1893552eb3e

WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels <= 4.3.0 – Missing Authorization to Order Export

Affected Software: WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels
CVE ID: CVE-2023-7068
CVSS Score: 4.3 (Medium)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5abc282d-68c9-423c-a15c-d4d3f7035661

WP Job Manager <= 2.0.0 – Cross-Site Request Forgery

Affected Software: WP Job Manager
CVE ID: CVE-2023-52212
CVSS Score: 4.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/69430e1a-db2f-4715-84aa-5a1dfd712180

Google Analytics by Monster Insights <= 8.21.0 – Missing Authorization

Affected Software: MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy)
CVE ID: CVE-2023-52220
CVSS Score: 4.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/81099cdc-bce6-4ee6-b819-c3925acf96a8

Site Notes <= 2.0.0 – Cross-Site Request Forgery to Admin Note Deletion

Affected Software: Site Notes
CVE ID: CVE-2023-6633
CVSS Score: 4.3 (Medium)
Researcher/s: Pedro Cuco (illex)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/89cbe41d-3765-4061-8ef6-b63556a5677c

Void Contact Form 7 Widget For Elementor Page Builder <= 2.3 – Missing Authorization

Affected Software: Void Contact Form 7 Widget For Elementor Page Builder
CVE ID: CVE-2023-52214
CVSS Score: 4.3 (Medium)
Researcher/s: Friday
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/93784c84-93b3-4f43-84a0-5aeed3ba9cfd

WP SMS <= 6.5 – Cross-Site Request Forgery to Subscriber Deletion


LightStart – Maintenance Mode, Coming Soon and Landing Page Builder <= 2.6.8 – Missing Authorization

Affected Software: LightStart – Maintenance Mode, Coming Soon and Landing Page Builder
CVE ID: CVE-2023-7019
CVSS Score: 4.3 (Medium)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b57d3d1d-dcdb-4f11-82d8-183778baa075

WooCommerce Conversion Tracking <= 2.0.11 – Missing Authorization

Affected Software: WooCommerce Conversion Tracking
CVE ID: CVE-2023-52217
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bf798142-4daf-41f5-8416-701d03476520

Depicter Slider – Responsive Image Slider, Video Slider & Post Slider <= 2.0.6 – Cross-Site Request Forgery via save

Affected Software: Depicter Slider – Responsive Image Slider, Video Slider & Post Slider
CVE ID: CVE-2023-6493
CVSS Score: 4.3 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c9c907ea-3ab4-4674-8945-ade4f6ff2679

WP 2FA <= 2.5.0 – Insecure Direct Object Reference to Arbitrary Email Sending

Affected Software: WP 2FA – Two-factor authentication for WordPress
CVE ID: CVE-2023-6506
CVSS Score: 4.3 (Medium)
Researcher/s: Ulyses Saicha
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/caff9be6-4161-47a0-ba47-6c8fc0c4ab40

Booster Plus for WooCommerce < 7.1.3 – Missing Authorization to Arbitrary Options Disclosure

Affected Software: Booster Plus for WooCommerce
CVE ID: CVE-2023-52230
CVSS Score: 4.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/dd0a4212-fe04-4c3b-9d78-b1a0bf97e274

Booster Plus for WooCommerce < 7.1.2 – Missing Authorization to Arbitrary Page/Post Deletion

Affected Software: Booster Plus for WooCommerce
CVE ID: CVE-2023-52232
CVSS Score: 4.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/df65af54-ce55-4c50-8a62-5541a1879ad4

WooCommerce <= 8.2.2 – Cross-Site Request Forgery

Affected Software: WooCommerce
CVE ID: CVE-2023-52222
CVSS Score: 4.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/eb8517bc-f45f-40a1-ae80-ed227c8b32d7

Booster Elite for WooCommerce < 7.1.2 – Missing Authorization to Order Information Disclosure

Affected Software: Booster Elite for WooCommerce
CVE ID: CVE-2023-52234
CVSS Score: 4.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f4afcb16-9c97-483f-be48-31b5156bcca3

Profile Builder <= 3.10.7 – Insecure Direct Object Reference to Sensitive Information Exposure via user_meta Shortcode


JS & CSS Script Optimizer <= 0.3.3 – Cross-Site Request Forgery

Affected Software: JS & CSS Script Optimizer
CVE ID: CVE-2023-52216
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fb863896-5a5a-4c65-b2a5-0901de7961f2

My Sticky Bar <= 2.6.6 – Cross-Site Request Forgery to Sensitive Information Exposure


As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (January 1, 2023 to January 7, 2023) appeared first on Wordfence.

More great articles

Wordfence Intelligence Weekly WordPress Vulnerability Report (July 10, 2023 to July 16, 2023)

Note: We accidentally sent out an email for this report with last weeks subject line. Due to the subject line…

Read Story

Record Breaking $153,000+ Already Invested into the Security of the WordPress Ecosystem by Wordfence – More to Come!

Did you know we’re running a Bug Bounty Extravaganza again? Earn over 6x our usual bounty rates, up to $10,000,…

Read Story

Easily Exploitable Critical Vulnerabilities Patched in ProfilePress Plugin

On May 27, 2021, the Wordfence Threat Intelligence team initiated the responsible disclosure process for several vulnerabilities that were discovered…

Read Story

Emergency WordPress Help

One of our techs will get back to you within minutes.