Wordfence just launched its bug bounty program. For the first 6 months, all awarded bounties receive a 10% bonus. View the announcement to learn more now!
Last week, there were 85 vulnerabilities disclosed in 74 WordPress Plugins and 2 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 39 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.
Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 12,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
- POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress <= 2.8.6 – Authorization Bypass via type connect-app API
- Astra Pro <= 4.3.1 – Authenticated(Contributor+) Remote Code Execution via Metabox
- Generic Object Injection
- Generic XSS in Custom Meta
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.
Total Unpatched & Patched Vulnerabilities Last Week
Patch Status | Number of Vulnerabilities |
Unpatched | 33 |
Patched | 52 |
Total Vulnerabilities by CVSS Severity Last Week
Severity Rating | Number of Vulnerabilities |
Low Severity | 1 |
Medium Severity | 67 |
High Severity | 13 |
Critical Severity | 4 |
Total Vulnerabilities by CWE Type Last Week
Vulnerability Type by CWE | Number of Vulnerabilities |
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 27 |
Missing Authorization | 18 |
Cross-Site Request Forgery (CSRF) | 13 |
Deserialization of Untrusted Data | 7 |
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 5 |
Authorization Bypass Through User-Controlled Key | 3 |
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | 3 |
Improper Input Validation | 2 |
Information Exposure | 2 |
Argument Injection or Modification | 1 |
Use of Less Trusted Source | 1 |
Improper Access Control | 1 |
Storing Passwords in a Recoverable Format | 1 |
Path Traversal: ‘../filedir’ | 1 |
Researchers That Contributed to WordPress Security Last Week
Researcher Name | Number of Vulnerabilities |
Rafie Muhammad | 11 |
Ngô Thiên An (ancorn_) | 9 |
Lucio Sá | 6 |
Dave Jong | 5 |
Webbernaut | 4 |
Daniel Ruf | 4 |
Francesco Carlucci | 4 |
Ulyses Saicha | 3 |
Le Ngoc Anh | 3 |
Krzysztof Zając | 3 |
hir0ot | 2 |
Nex Team | 2 |
Mika | 2 |
Abu Hurayra (HurayraIIT) | 2 |
Abdi Pranata | 2 |
Colin Xu | 2 |
Kang SeoHee | 1 |
Huynh Tien Si | 1 |
xEHLE | 1 |
Bob Matyas | 1 |
lttn | 1 |
Akbar Kustirama | 1 |
Joshua Chan | 1 |
drop | 1 |
emad | 1 |
Matan Berson (matanber) | 1 |
Sean Murphy | 1 |
Pedro Cuco (illex) | 1 |
Friday | 1 |
Angelo Delicato | 1 |
Dimas Maulana | 1 |
Arvandy | 1 |
István Márton | 1 |
Rafshanzani Suhada | 1 |
Debangshu Kundu | 1 |
Arpeet Rathi | 1 |
Dhabaleshwar Das | 1 |
Dmitrii Ignatyev | 1 |
Nguyen Xuan Chien | 1 |
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
Software Name | Software Slug |
3D FlipBook – PDF Flipbook WordPress | interactive-3d-flipbook-powered-physics-engine |
ActivityPub | activitypub |
Ads Invalid Click Protection | ads-invalid-click-protection |
Ajax Search Lite | ajax-search-lite |
Autotitle for WordPress | autotitle-for-wordpress |
Booster Elite for WooCommerce | booster-elite-for-woocommerce |
Booster Plus for WooCommerce | booster-plus-for-woocommerce |
CPT Bootstrap Carousel | cpt-bootstrap-carousel |
Complianz – GDPR/CCPA Cookie Consent | complianz-gdpr |
Constant Contact Forms | constant-contact-forms |
Contact Form, Survey & Popup Form Plugin for WordPress – ARForms Form Builder | arforms-form-builder |
Coupon Referral Program | coupon-referral-program |
Depicter Slider – Responsive Image Slider, Video Slider & Post Slider | depicter |
Easy SVG Allow | easy-svg-image-allow |
Easy Social Feed – Social Photos Gallery – Post Feed – Like Box | easy-facebook-likebox |
EmbedPress – Embed PDF, YouTube, Google Docs, Vimeo, Wistia Videos, Audios, Maps & Any Documents in Gutenberg & Elementor | embedpress |
Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders | essential-addons-for-elementor-lite |
Floating Notification Bar, Sticky Menu on Scroll, Announcement Banner, and Sticky Header for Any Theme – My Sticky Bar (formerly myStickymenu) | mystickymenu |
FooGallery Premium | foogallery-premium |
Gecka Terms Thumbnails | gecka-terms-thumbnails |
HTML5 MP3 Player with Folder Feedburner Playlist Free | html5-mp3-player-with-mp3-folder-feedburner-playlist |
HTML5 MP3 Player with Playlist Free | html5-mp3-player-with-playlist |
HTML5 SoundCloud Player with Playlist Free | html5-soundcloud-player-with-playlist |
Happy Addons for Elementor | happy-elementor-addons |
Happy Addons for Elementor Pro | happy-elementor-addons-pro |
Hostinger | hostinger |
Icegram Engage – WordPress Lead Generation, Popup Builder, CTA, Optins and Email List Building | icegram |
Ideal Interactive Map | ideal-interactive-map |
Infogram – Add charts, maps and infographics | infogram |
JS & CSS Script Optimizer | js-css-script-optimizer |
Keap Official Opt-in Forms | infusionsoft-official-opt-in-forms |
Laybuy Payment Extension for WooCommerce | laybuy-gateway-for-woocommerce |
LearnPress – WordPress LMS Plugin | learnpress |
LightStart – Maintenance Mode, Coming Soon and Landing Page Builder | wp-maintenance-mode |
MapPress Maps for WordPress | mappress-google-maps-for-wordpress |
Mapster WP Maps | mapster-wp-maps |
MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy) | google-analytics-for-wordpress |
OMGF | GDPR/DSGVO Compliant, Faster Google Fonts. Easy. | host-webfonts-local |
Orbit Fox by ThemeIsle | themeisle-companion |
Oxygen Builder | oxygenbuilder |
POST SMTP – The #1 WordPress SMTP Plugin with Advanced Email Logging and Delivery Failure Notifications | post-smtp |
Page Builder: Live Composer | live-composer-page-builder |
Page Builder: Pagelayer – Drag and Drop website builder | pagelayer |
Posts to Page | posts-to-page |
PowerPack Addons for Elementor (Free Widgets, Extensions and Templates) | powerpack-lite-for-elementor |
Private Google Calendars | private-google-calendars |
Product Delivery Date for WooCommerce – Lite | product-delivery-date-for-woocommerce-lite |
Product Expiry for WooCommerce | product-expiry-for-woocommerce |
Quiz Maker | quiz-maker |
RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator | feedzy-rss-feeds |
Randomize | randomize |
Rate Star Review – AJAX Reviews for Content, with Star Ratings | rate-star-review |
Site Notes | site-notes |
TJ Shortcodes | theme-junkie-shortcodes |
Tagbox – UGC Galleries, Social Media Widgets, User Reviews & Analytics | taggbox-widget |
User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor | profile-builder |
Void Contact Form 7 Widget For Elementor Page Builder | cf7-widget-elementor |
WP 2FA – Two-factor authentication for WordPress | wp-2fa |
WP Compress – Image Optimizer [All-In-One] | wp-compress-image-optimizer |
WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting | erp |
WP Job Manager | wp-job-manager |
WP Plugin Lister | wp-plugin-lister |
WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc | wp-sms |
WP SOCIAL BOOKMARK MENU | wp-social-bookmark-menu |
WP Ultimate Review | wp-ultimate-review |
WP-Members Membership Plugin | wp-members |
WooCommerce | woocommerce |
WooCommerce Conversion Tracking | woocommerce-conversion-tracking |
WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels | print-invoices-packing-slip-labels-for-woocommerce |
Woocommerce Tranzila Payment Gateway | woo-tranzila-gateway |
WordPress Users | wordpress-users |
cformsII | cforms2 |
oEmbed Gist | oembed-gist |
pTypeConverter | ptypeconverter |
WordPress Themes with Reported Vulnerabilities Last Week
Software Name | Software Slug |
Meris | meris |
Weaver Xtreme | weaver-xtreme |
Vulnerability Details
Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.
WooCommerce Tranzila Gateway <= 1.0.8 – Unauthenticated PHP Object Injection
CVE ID: CVE-2023-52218
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3ed30ebb-cb06-428c-a60e-676f36e75fa9
LearnPress <= 4.2.5.7 – Unauthenticated SQL Injection via order_by
CVE ID: CVE-2023-6567
CVSS Score: 9.8 (Critical)
Researcher/s: hir0ot
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6ab578cd-3a0b-43d3-aaa7-0a01f431a4e2
Taggbox <= 3.1 – Unauthenticated PHP Object Injection
CVE ID: CVE-2023-52225
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cae6e8b9-a8a9-41d3-83e8-d833515a0244
WP Compress – Image Optimizer [All-In-One] <= 6.10.33 – Unauthenticated Directory Traversal via css
CVE ID: CVE-2023-6699
CVSS Score: 9.1 (Critical)
Researcher/s: Krzysztof Zając
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/defb87dd-bf5f-411f-b948-699337d05d44
Gecka Terms Thumbnails <= 1.1 – Authenticated (Subscriber+) PHP Object Injection
CVE ID: CVE-2023-52219
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/07abe182-370f-4241-9631-387a7930f2f6
HTML5 SoundCloud Player <= 2.8.0 – Authenticated (Author+) PHP Object Injection
CVE ID: CVE-2023-52205
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/229235de-03c6-4560-b0ea-ab21fde256be
Page Builder: Live Composer <= 1.5.25 – Authenticated (Author+) PHP Object Injection
CVE ID: CVE-2023-52206
CVSS Score: 8.8 (High)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2a0f9f80-e338-4afd-9a4b-e421865c8b0b
HTML5 MP3 Player with Playlist Free <= 3.0.0 – Authenticated (Author+) PHP Object Injecton
CVE ID: CVE-2023-52207
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2eac991e-fc34-456c-a9a6-d30fde39fd42
Randomize <= 1.4.3 – Authenticated (Contributor+) SQL Injection
CVE ID: CVE-2023-52204
CVSS Score: 8.8 (High)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7b971ae0-624d-416e-b2f2-92ce44e96418
HTML5 MP3 Player with Folder Feedburner <= 2.8.0 – Authenticated (Author+) PHP Object Injection
CVE ID: CVE-2023-52202
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8b7321e8-153c-4586-8114-65583e06573e
OMGF | GDPR/DSGVO Compliant, Faster Google Fonts. Easy. <= 5.7.9 – Missing Authorization to Unauthenticated Directory Deletion and Cross-Site Scripting
CVE ID: CVE-2023-6600
CVSS Score: 8.6 (High)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4e835b97-c066-4e8f-b99f-1a930105af0c
LearnPress <= 4.2.5.7 – Command Injection
CVE ID: CVE-2023-6634
CVSS Score: 8.1 (High)
Researcher/s: hir0ot
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/21291ed7-cdc0-4698-9ec4-8417160845ed
Hostinger <= 1.9.7 – Missing Authorization to Maintenance Mode Activation
CVE ID: CVE-2023-6751
CVSS Score: 7.3 (High)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d89cf759-5e5f-43e2-90a9-a8e554653ee1
ARForms <= 1.5.8 – Unauthenticated Stored Cross-Site Scripting via arf_http_referrer_url
CVE ID: CVE-2023-6828
CVSS Score: 7.2 (High)
Researcher/s: drop
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6e349cae-a996-4a32-807a-a98ebcb01edd
POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress <= 2.8.7 – Unauthenticated Stored Cross-Site Scripting via device
CVE ID: CVE-2023-7027
CVSS Score: 7.2 (High)
Researcher/s: Sean Murphy
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7e8911a3-ce0f-420c-bf2a-1c2929d01cef
WP ERP <= 1.12.8 – Authenticated (Accounting manager+) SQL Injection
CVE ID: CVE-2024-21747
CVSS Score: 7.2 (High)
Researcher/s: Arvandy
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b7d85921-9d70-4812-9c5f-11ee1d0821be
pTypeConverter <= 0.2.8.1 – Authenticated (Editor+) SQL Injection
CVE ID: CVE-2023-52201
CVSS Score: 7.2 (High)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d3c26454-a91d-4141-9b31-5c902c5e8eec
WP-Members Membership Plugin <= 3.4.8 – Missing Authorization to Sensitive Information Exposure
CVE ID: CVE-2023-6733
CVSS Score: 6.5 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/46c61f38-553e-43b2-a666-b160db40e66d
Coupon Referral Program <= 1.7.2 – Sensitive Information Disclosure
CVE ID: CVE-2023-52190
CVSS Score: 6.5 (Medium)
Researcher/s: Dave Jong
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6015e204-1e07-4c75-ad22-969045934468
Ideal Interactive Map <= 1.2.4 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-52189
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/019c5e06-1345-4c8e-abb9-dc0ea5d55ef5
Page Builder: Live Composer <= 1.5.23 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-52193
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/09631637-55e2-4e1e-9dcb-bba205be5f43
Easy SVG Allow <= 1.0 – Authenticated (Author+) Stored Cross-Site Scripting via SVG
CVE ID: CVE-2023-7089
CVSS Score: 6.4 (Medium)
Researcher/s: Bob Matyas
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1a766b5b-e21e-4009-86d9-7f0a5c91ed51
Orbit Fox Companion <= 2.10.26 – Authenticated (Contributor+) Stored Cross-Site Scripting via custom fields
CVE ID: CVE-2023-6781
CVSS Score: 6.4 (Medium)
Researcher/s: Nex Team
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/23e39019-c322-4027-84f2-faabd9ca4983
MapPress Maps for WordPress <= 2.88.13 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-6524
CVSS Score: 6.4 (Medium)
Researcher/s: Akbar Kustirama
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/28a8f025-c2ab-4a5f-a99e-a2d19b14a190
Posts to Page <= 1.7 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-52195
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2e5fdaae-3ef2-477e-b79b-0b6e415edb40
Laybuy Payment Extension for WooCommerce <= 5.3.9 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2024-21745
CVSS Score: 6.4 (Medium)
Researcher/s: Abu Hurayra (HurayraIIT)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4c91caaa-9bdd-4170-98f1-0d686d3ffcba
3D Flipbook <= 1.15.2 – Authenticated (Contributor+) Cross-Site Scripting via Ready Function
CVE ID: CVE-2023-6776
CVSS Score: 6.4 (Medium)
Researcher/s: Webbernaut
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/500fd8aa-9ad1-41ee-bbeb-cda9c80c4fcb
Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders <= 5.9.2 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-7044
CVSS Score: 6.4 (Medium)
Researcher/s: Webbernaut
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6e770e98-3c13-4e37-b51b-4c39bce2cb42
Infogram <= 1.6.1 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-52191
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/72e1482c-0f55-4f43-8590-d4f2758f0eea
Keap Official Opt-in Forms <= 1.0.11 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-52192
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9a0f1006-8015-4e67-9b03-16d3ad3c0e77
RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator <= 4.3.2 – Authenticated (Author+) Stored Cross-Site Scripting
CVE ID: CVE-2023-6801
CVSS Score: 6.4 (Medium)
Researcher/s: Colin Xu
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a713d897-c549-4e0d-9cb3-7002ef2b127f
EmbedPress – Embed PDF, YouTube, Google Docs, Vimeo, Wistia Videos, Audios, Maps & Any Documents in Gutenberg & Elementor <= 3.9.5 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-6986
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ceae0115-268c-401b-876b-3477d10c10e6
Mapster WP Maps <= 1.2.38 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2024-21744
CVSS Score: 6.4 (Medium)
Researcher/s: Abu Hurayra (HurayraIIT)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d38ee896-8cdd-45c5-b393-bdcb7baa7bd3
FooGallery Premium <= 2.3.3 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-6747
CVSS Score: 6.4 (Medium)
Researcher/s: Webbernaut, Debangshu Kundu, Arpeet Rathi
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/dce8ac32-cab8-4e05-bf6f-cc348d0c9472
Private Google Calendars <= 20231125 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-52198
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e276cc49-2da1-4e2f-bb64-28ffe6ec9acf
Oxygen Builder <= 4.8 – Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Field
CVE ID: CVE-2023-6938
CVSS Score: 6.4 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ee069cb3-370e-48ea-aa35-c30fe83c2498
TJ Shortcodes 0.1.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-6530
CVSS Score: 6.4 (Medium)
Researcher/s: Dmitrii Ignatyev
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f88ef4cf-3f22-40e0-b651-59cb40f148fd
oEmbed Gist <= 4.9.1 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-52194
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fed0e3bc-1401-410a-805d-1ea3e423024b
Rate Star Review <= 1.5.1 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-52213
CVSS Score: 6.1 (Medium)
Researcher/s: Kang SeoHee
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/025a13e6-5f0a-49ca-bd63-44e4095072bd
Autotitle for WordPress <= 1.0.3 – Cross-Site Request Forgery to Settings Update and Stored Cross-Site Scripting
CVE ID: CVE-2023-6946
CVSS Score: 6.1 (Medium)
Researcher/s: Daniel Ruf
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/062d906d-5a6e-4180-a2f2-18411334b9a1
Happy Addons for Elementor <= 3.9.1.1 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-6632
CVSS Score: 6.1 (Medium)
Researcher/s: xEHLE
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/06ef69f0-34d3-4389-8a81-a4d9922f1468
Ajax Search Lite <= 4.11.4 – Reflected Cross-Site Scripting
CVE ID: CVE-2024-21752
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/19418da4-bef4-4cbc-901c-f2aeee39b3cf
WP Plugin Lister <= 2.1.0 – Cross-Site Request Forgery to Settings Update and Stored Cross-Site Scripting
CVE ID: CVE-2023-6503
CVSS Score: 6.1 (Medium)
Researcher/s: Daniel Ruf
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3b819e88-111a-4611-ae23-87ac7a878b4a
POST SMTP Mailer <= 2.8.6 – Reflected Cross-Site Scripting via msg
CVE ID: CVE-2023-6629
CVSS Score: 6.1 (Medium)
Researcher/s: Matan Berson (matanber)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7681f984-d488-4da7-afe1-988e5ad012f2
Meris <= 1.1.2 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-7194
CVSS Score: 6.1 (Medium)
Researcher/s: Angelo Delicato
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a627f10a-1463-4e4b-98a9-2008fa76e25a
CPT Bootstrap Carousel <= 1.12 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-52196
CVSS Score: 6.1 (Medium)
Researcher/s: Dimas Maulana
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a78321b7-b62b-40ab-a15d-037ebd905d8b
WP SMS <= 6.5 – Authenticated (Admin+) SQL Injection to Reflected Cross-Site Scripting
CVE ID: CVE-2023-6981
CVSS Score: 6.1 (Medium)
Researcher/s: Krzysztof Zając
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b8f53053-5150-4fba-b8d6-3d6c9df32c69
Weaver Xtreme <= 6.3.0 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-6990
CVSS Score: 5.4 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bc7384d7-c2fd-4d63-9b80-bb5bde9a23d5
RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator <= 4.3.2 – Missing Authorization
CVE ID: CVE-2023-6798
CVSS Score: 5.4 (Medium)
Researcher/s: Colin Xu
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c2cdf4e5-0a40-42ca-b5ac-78511fdd2b77
Product Expiry for WooCommerce <= 2.5 – Missing Authorization to Authenticated (Subscriber+) Plugin Settings Update
CVE ID: CVE-2024-0201
CVSS Score: 5.4 (Medium)
Researcher/s: István Márton
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c4006612-770a-482f-a8c2-e62f607914a9
PageLayer <= 1.7.8 – Authenticated(Contributor+) Stored Cross-Site Scripting via meta fields
CVE ID: CVE-2023-6738
CVSS Score: 5.4 (Medium)
Researcher/s: Nex Team
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d14c8890-482c-4d43-a68f-0d04c4feca8f
Constant Contact Forms <= 2.4.2 – Information Disclosure via Log Files
CVE ID: CVE-2023-52208
CVSS Score: 5.3 (Medium)
Researcher/s: Joshua Chan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2990b307-2b07-4daf-917b-d9587253cbeb
Wp Ultimate Review <= 2.2.5 – IP Spoofing
CVE ID: CVE-2024-21746
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/31418a45-7dae-4cd4-8f85-0498a285ef6d
ActivityPub <= 1.0.5 – Missing Authorization
CVE ID: CVE-2023-52199
CVSS Score: 5.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3666a841-711d-4ecf-bb77-f2db4d5817ea
Product Delivery Date for WooCommerce – Lite <= 2.7.0 – Missing Authorization
CVE ID: CVE-2023-52210
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4a32ae77-3d4e-4fd4-a43a-7d1a52dcfa77
WP Job Manager <= 2.0.0 – Missing Authorization
CVE ID: CVE-2023-52211
CVSS Score: 5.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8b1af76a-3836-4527-9ea6-8bffa173a84e
PowerPack Addons for Elementor (Free Widgets, Extensions and Templates) <= 2.7.13 – Cross-Site Request Forgery
CVE ID: CVE-2023-6984
CVSS Score: 5.3 (Medium)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fe2cfc96-63f4-4e4b-bf49-6031594a4805
Complianz | GDPR/CCPA Cookie Consent <= 6.5.5 – Authenticated(Administrator+) Stored Cross-site Scripting via settings
CVE ID: CVE-2023-6498
CVSS Score: 4.4 (Medium)
Researcher/s: Webbernaut
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/01c1458d-3e38-4dbf-bb65-80465ea6d0ad
CformsII <= 15.0.5 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-52203
CVSS Score: 4.4 (Medium)
Researcher/s: emad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/72800e9b-8e2c-4725-9a87-a9b187ad5967
Ads Invalid Click Protection <= 1.0 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-52197
CVSS Score: 4.4 (Medium)
Researcher/s: Dhabaleshwar Das
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f0fa8050-6318-4528-8dd4-a3ca5467cfaa
Icegram <= 3.1.20 – Missing Authorization
CVE ID: CVE-2024-21748
CVSS Score: 4.3 (Medium)
Researcher/s: Huynh Tien Si
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/059f526f-6769-4092-92b0-2ef6248963ee
WP 2FA – Two-factor authentication for WordPress <= 2.5.0 – Cross-Site Request Forgery
CVE ID: CVE-2023-6520
CVSS Score: 4.3 (Medium)
Researcher/s: Ulyses Saicha
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0af451be-2477-453c-a230-7f3fb804398b
WP Social Bookmark Menu <= 1.2 – Cross-Site Request Forgery to Settings Update
CVE ID: CVE-2023-7074
CVSS Score: 4.3 (Medium)
Researcher/s: Daniel Ruf
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/120a75c5-4fff-4a77-b376-d6968853b40e
LearnPress <= 4.2.5.7 – Insecure Direct Object Reference to Information Disclosure
CVE ID: CVE-2023-6223
CVSS Score: 4.3 (Medium)
Researcher/s: lttn
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/215d5d9e-dabb-462d-8c51-952f8c497b78
Booster Plus for WooCommerce < 7.1.2 – Missing Authorization to Order Information Disclosure
CVE ID: CVE-2023-52231
CVSS Score: 4.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/38a90190-569f-46d8-bef4-fe28caf5e2fc
WordPress Users <= 1.4 – Cross-Site Request Forgery to Settings Update
CVE ID: CVE-2023-6390
CVSS Score: 4.3 (Medium)
Researcher/s: Daniel Ruf
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3c1a7bda-29c5-4b4b-bbd8-71187609892e
Easy Social Feed <= 6.5.2 – Missing Authorization to Settings Modification
CVE ID: CVE-2023-6883
CVSS Score: 4.3 (Medium)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3deee9b5-2e36-447d-a492-e22e3dc6a5ab
Quiz Maker <= 6.5.1.1 – Missing Authorization
CVE ID: CVE-2024-21743
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4e62f27b-c6b0-48ed-bfd7-a1893552eb3e
WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels <= 4.3.0 – Missing Authorization to Order Export
CVE ID: CVE-2023-7068
CVSS Score: 4.3 (Medium)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5abc282d-68c9-423c-a15c-d4d3f7035661
WP Job Manager <= 2.0.0 – Cross-Site Request Forgery
CVE ID: CVE-2023-52212
CVSS Score: 4.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/69430e1a-db2f-4715-84aa-5a1dfd712180
Google Analytics by Monster Insights <= 8.21.0 – Missing Authorization
CVE ID: CVE-2023-52220
CVSS Score: 4.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/81099cdc-bce6-4ee6-b819-c3925acf96a8
Site Notes <= 2.0.0 – Cross-Site Request Forgery to Admin Note Deletion
CVE ID: CVE-2023-6633
CVSS Score: 4.3 (Medium)
Researcher/s: Pedro Cuco (illex)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/89cbe41d-3765-4061-8ef6-b63556a5677c
Void Contact Form 7 Widget For Elementor Page Builder <= 2.3 – Missing Authorization
CVE ID: CVE-2023-52214
CVSS Score: 4.3 (Medium)
Researcher/s: Friday
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/93784c84-93b3-4f43-84a0-5aeed3ba9cfd
WP SMS <= 6.5 – Cross-Site Request Forgery to Subscriber Deletion
CVE ID: CVE-2023-6980
CVSS Score: 4.3 (Medium)
Researcher/s: Krzysztof Zając
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/94ad6b51-ff8d-48d5-9a70-1781d13990a5
LightStart – Maintenance Mode, Coming Soon and Landing Page Builder <= 2.6.8 – Missing Authorization
CVE ID: CVE-2023-7019
CVSS Score: 4.3 (Medium)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b57d3d1d-dcdb-4f11-82d8-183778baa075
WooCommerce Conversion Tracking <= 2.0.11 – Missing Authorization
CVE ID: CVE-2023-52217
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bf798142-4daf-41f5-8416-701d03476520
Depicter Slider – Responsive Image Slider, Video Slider & Post Slider <= 2.0.6 – Cross-Site Request Forgery via save
CVE ID: CVE-2023-6493
CVSS Score: 4.3 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c9c907ea-3ab4-4674-8945-ade4f6ff2679
WP 2FA <= 2.5.0 – Insecure Direct Object Reference to Arbitrary Email Sending
CVE ID: CVE-2023-6506
CVSS Score: 4.3 (Medium)
Researcher/s: Ulyses Saicha
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/caff9be6-4161-47a0-ba47-6c8fc0c4ab40
Booster Plus for WooCommerce < 7.1.3 – Missing Authorization to Arbitrary Options Disclosure
CVE ID: CVE-2023-52230
CVSS Score: 4.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/dd0a4212-fe04-4c3b-9d78-b1a0bf97e274
Booster Plus for WooCommerce < 7.1.2 – Missing Authorization to Arbitrary Page/Post Deletion
CVE ID: CVE-2023-52232
CVSS Score: 4.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/df65af54-ce55-4c50-8a62-5541a1879ad4
WooCommerce <= 8.2.2 – Cross-Site Request Forgery
CVE ID: CVE-2023-52222
CVSS Score: 4.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/eb8517bc-f45f-40a1-ae80-ed227c8b32d7
Booster Elite for WooCommerce < 7.1.2 – Missing Authorization to Order Information Disclosure
CVE ID: CVE-2023-52234
CVSS Score: 4.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f4afcb16-9c97-483f-be48-31b5156bcca3
Profile Builder <= 3.10.7 – Insecure Direct Object Reference to Sensitive Information Exposure via user_meta Shortcode
CVE ID: CVE-2023-6504
CVSS Score: 4.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f515ccf8-7231-4728-b155-c47049087d42
JS & CSS Script Optimizer <= 0.3.3 – Cross-Site Request Forgery
CVE ID: CVE-2023-52216
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fb863896-5a5a-4c65-b2a5-0901de7961f2
My Sticky Bar <= 2.6.6 – Cross-Site Request Forgery to Sensitive Information Exposure
CVE ID: CVE-2023-7048
CVSS Score: 3.1 (Low)
Researcher/s: Ulyses Saicha
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/be0ab40f-cff7-48bd-8dae-cc50af047151
As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.
This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
The post Wordfence Intelligence Weekly WordPress Vulnerability Report (January 1, 2023 to January 7, 2023) appeared first on Wordfence.