Last week, there were 92 vulnerabilities disclosed in 76 WordPress Plugins and 7 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 34 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface and vulnerability API are completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
- UpdraftPlus 1.22.14 to 1.23.2 and UpdraftPlus (Premium) 2.22.14 to 2.23.2 – Privilege Escalation via updraft_central_ajax_handler
- WAF-RULE-565 – Data redacted while we work with the developer to ensure the vulnerability protected by this WAF rule gets patched.
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.
Total Unpatched & Patched Vulnerabilities Last Week
Patch Status | Number of Vulnerabilities |
Unpatched | 44 |
Patched | 48 |
Total Vulnerabilities by CVSS Severity Last Week
Severity Rating | Number of Vulnerabilities |
Low Severity | 0 |
Medium Severity | 80 |
High Severity | 11 |
Critical Severity | 1 |
Total Vulnerabilities by CWE Type Last Week
Vulnerability Type by CWE | Number of Vulnerabilities |
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 37 |
Cross-Site Request Forgery (CSRF) | 34 |
Missing Authorization | 13 |
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 3 |
Information Exposure | 3 |
Server-Side Request Forgery (SSRF) | 1 |
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) | 1 |
Researchers That Contributed to WordPress Security Last Week
Researcher Name | Number of Vulnerabilities |
Lana Codes | 10 |
Rio Darmawan | 7 |
Dave Jong | 6 |
rezaduty | 5 |
Mika | 4 |
minhtuanact | 3 |
Rafie Muhammad | 3 |
yuyudhn | 3 |
Rafshanzani Suhada | 3 |
Nithissh S | 3 |
Aman Rawat | 2 |
Marco Wotschka | 2 |
Cat | 2 |
TEAM WEBoB of BoB 11th | 2 |
Prasanna V Balaji | 2 |
Daniel Kelley | 2 |
Ayoub Safa | 2 |
Muhammad Daffa | 2 |
FearZzZz | 1 |
Bhuvanesh Jayaprakash | 1 |
Erwan LR | 1 |
Etan Imanol Castro Aldrete | 1 |
Dimas Aprilianto | 1 |
dc11 | 1 |
Shreya Pohekar | 1 |
Justiice | 1 |
Nguyen Anh Tien | 1 |
Vinay Kumar | 1 |
Abdi Pranata | 1 |
Brandon James Roldan | 1 |
Pavak Tiwari | 1 |
n0paew | 1 |
Fariq Fadillah Gusti Insani | 1 |
Le Ngoc Anh | 1 |
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
Software Name | Software Slug |
Admin side data storage for Contact Form 7 | admin-side-data-storage-for-contact-form-7 |
Auto Rename Media On Upload | auto-rename-media-on-upload |
Backup Bank: WordPress Backup Plugin | wp-backup-bank |
Be POPIA Compliant | be-popia-compliant |
Branda – White Label WordPress, Custom Login Page Customizer | branda-white-labeling |
Bulk Resize Media | bulk-resize-media |
CF7 Invisible reCAPTCHA | cf7-invisible-recaptcha |
CMS Press | cms-press |
Calendar Event Multi View | cp-multi-view-calendar |
Chronoforms | chronoforms |
Contact Form 7 Redirect & Thank You Page | cf7-redirect-thank-you-page |
Contact Form 7 – PayPal & Stripe Add-on | contact-form-7-paypal-add-on |
Contact Form Email | contact-form-to-email |
Custom Options Plus | custom-options-plus |
Customify – Intuitive Website Styling | customify |
Data Tables Generator by Supsystic | data-tables-generator-by-supsystic |
Drag and Drop Multiple File Upload PRO – Contact Form 7 Standard | drag-n-drop-upload-cf7-pro |
Dynamics 365 Integration | integration-dynamics |
Easy Event calendar | easy-event-calendar |
Ecwid Ecommerce Shopping Cart | ecwid-shopping-cart |
Embed Any Document – Embed PDF, Word, PowerPoint and Excel Files | embed-any-document |
Event Manager and Tickets Selling Plugin for WooCommerce | mage-eventpress |
Exxp | exxp-wp |
Fluid Checkout for WooCommerce – Lite | fluid-checkout |
Force First and Last Name as Display Name | force-first-last |
Google XML Sitemap for Images | google-image-sitemap |
Google XML Sitemap for Videos | xml-sitemaps-for-videos |
HT Feed | ht-instagram |
Hotel Booking Lite | motopress-hotel-booking-lite |
Import External Images | import-external-images |
Klaviyo | klaviyo |
LOGIN AND REGISTRATION ATTEMPTS LIMIT | login-attempts-limit-wp |
Modern Events Calendar Lite | modern-events-calendar-lite |
Modern Footnotes | modern-footnotes |
Open RDW kenteken voertuiginformatie | open-rdw-kenteken-voertuiginformatie |
PB SEO Friendly Images | pb-seo-friendly-images |
PhonePe Payment Solutions | phonepe-payment-solutions |
Photo Gallery, Images, Slider in Rbs Image Gallery | robo-gallery |
Popup Maker – Popup for opt-ins, lead gen, & more | popup-maker |
Print Invoice & Delivery Notes for WooCommerce | woocommerce-delivery-notes |
RapidLoad Power-Up for Autoptimize | unusedcss |
Redirection | redirect-redirection |
Return and Warranty Management System for WooCommerce | wc-return-warrranty |
Reusable Blocks Extended | reusable-blocks-extended |
SEO Plugin by Squirrly SEO | squirrly-seo |
SMTP2GO – Email Made Easy | smtp2go |
Shopping Cart & eCommerce Store | wp-easycart |
Site Reviews | site-reviews |
Slide Anything – Responsive Content / HTML Slider and Carousel | slide-anything |
Slideshow Gallery LITE | slideshow-gallery |
Solidres – Hotel booking plugin for WordPress | solidres |
Store Locator for WordPress with Google Maps – LotsOfLocales | store-locator |
Surbma | GDPR Proof Cookie Consent & Notice Bar | surbma-gdpr-proof-google-analytics |
Tags Cloud Manager | tags-cloud-manager |
UpdraftPlus WordPress Backup Plugin | updraftplus |
User Role by BestWebSoft – Add and Customize Roles and Capabilities in WordPress | user-role |
WH Testimonials | wh-testimonials |
WP Basic Elements | wp-basic-elements |
WP Express Checkout (Accept PayPal Payments Easily) | wp-express-checkout |
WP Job Portal – A Complete Job Board | wp-job-portal |
WP Popup Banners | wp-popup-banners |
WP Shortcode by MyThemeShop | wp-shortcode |
WP Simple Events | wp-simple-events |
WSB Brands | wsb-brands |
Website Monetization by MageNet | website-monetization-by-magenet |
WooCommerce Weight Based Shipping | weight-based-shipping-for-woocommerce |
WordPress Console | wordpress-console |
WordPress Email Marketing Plugin – WP Email Capture | wp-email-capture |
WordPress Mortgage Calculator Estatik | estatik-mortgage-calculator |
WordPress Online Booking and Scheduling Plugin – Bookly | bookly-responsive-appointment-booking-tool |
WordPress Plugin for Google Maps – WP MAPS | wp-google-map-plugin |
WordPress Simple Shopping Cart | wordpress-simple-paypal-shopping-cart |
WordPress WP-Advanced-Search | wp-advanced-search |
Yandex.News Feed by Teplitsa | yandexnews-feed-by-teplitsa |
eCommerce Product Catalog Plugin for WordPress | ecommerce-product-catalog |
wpml | wpml |
WordPress Themes with Reported Vulnerabilities Last Week
Software Name | Software Slug |
Brilliance | brilliance |
Chankhe | chankhe |
Mediciti Lite | mediciti-lite |
NewsMag | newsmag |
Real Estate Directory | real-estate-directory |
Regina Lite | regina-lite |
intrepidity | intrepidity |
Vulnerability Details
Be POPIA Compliant <= 1.2.0 – Unauthenticated SQL Injection
CVE ID: CVE-2022-47445
CVSS Score: 9.8 (Critical)
Researcher/s: TEAM WEBoB of BoB 11th
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/eecd1497-c94e-4f67-8cc5-72afffe9fae2
Intrepidity <= 1.5.1 – Cross-Site Request Forgery via mytheme_add_admin
CVE ID: CVE-2023-27634
CVSS Score: 8.8 (High)
Researcher/s: Dave Jong
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/01cc613a-d0b5-4c8f-8961-8f8aaf63b8ac
UpdraftPlus 1.22.14 to 1.23.2 and UpdraftPlus (Premium) 2.22.14 to 2.23.2 – Privilege Escalation via updraft_central_ajax_handler
CVE ID: CVE Unknown
CVSS Score: 8.8 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2e329432-c404-4312-969b-42cac345637d
WP Popup Banners <= 1.2.5 – Authenticated (Subscriber+) SQL Injection
CVE ID: CVE-2023-1471
CVSS Score: 8.8 (High)
Researcher/s: Etan Imanol Castro Aldrete
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8281cb20-73d3-4ab5-910e-d353b2a5cbd8
User Role by BestWebSoft <= 1.6.6 – Cross-Site Request Forgery to Privilege Escalation
CVE ID: CVE-2023-0820
CVSS Score: 8.8 (High)
Researcher/s: dc11
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8b4bc525-a21f-46f2-895a-c8474f72eb92
WordPress Email Marketing Plugin – WP Email Capture <= 3.10 – Missing Authorization to Email Capture List Download
CVE ID: CVE Unknown
CVSS Score: 8.2 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a41d78b9-9bdb-48dd-b3ec-2559e79fa251
Admin side data storage for Contact Form 7 <= 1.1.1 – Unauthenticated Stored Cross-Site Scripting
CVE ID: CVE-2023-24420
CVSS Score: 7.2 (High)
Researcher/s: Bhuvanesh Jayaprakash
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/172b2191-6595-47dd-bf2d-97dc3d17e5ca
Tags Cloud Manager <= 1.0.0 – Unauthenticated Stored Cross-Site Scripting
CVE ID: CVE-2023-28166
CVSS Score: 7.2 (High)
Researcher/s: Nithissh S
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6ad70391-7ea0-49c0-ac5c-ecf7ddb3c948
Shopping Cart & eCommerce Store <= 5.4.2 – Authenticated (Admin+) Local File Inclusion via import_file_url
CVE ID: CVE-2023-1124
CVSS Score: 7.2 (High)
Researcher/s: Shreya Pohekar
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/936e753b-b3e9-43c9-8686-c610faa8b20e
WH Testimonials <= 3.0.0 – Unauthenticated Stored Cross-Site Scripting
CVE ID: CVE-2023-1372
CVSS Score: 7.2 (High)
Researcher/s: Daniel Kelley
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b6fe5f1a-787e-4662-915f-c6f04961e194
Bookly <= 21.5 – Unauthenticated Stored Cross-Site Scripting via Name
CVE ID: CVE-2023-1172
CVSS Score: 7.2 (High)
Researcher/s: Vinay Kumar
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c3efbd9d-e2b5-4915-a964-29a49c7fba86
Return and Warranty Management System for WooCommerce <= 1.2.3 – Unauthenticated Stored Cross-Site Scripting
CVE ID: CVE-2023-22710
CVSS Score: 7.2 (High)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fa1e6527-d874-4003-b36b-5769c2950864
Slideshow Gallery LITE <= 1.7.6 – Authenticated(Admin+) SQL Injection
CVE ID: CVE-2023-28491
CVSS Score: 6.5 (Medium)
Researcher/s: minhtuanact
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/61b07604-b206-4f13-b25f-7a6d54236eb1
Exxp <= 2.6.8 – Authenticated (Subscriber+) Stored Cross-Site Scripting
CVE ID: CVE-2022-45812
CVSS Score: 6.4 (Medium)
Researcher/s: Aman Rawat
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0de75f3f-1e6b-42ea-9f08-54c32e37b4c7
Slide Anything <= 2.4.7 – Authenticated (Author+) Stored Cross-Site Scripting
CVE ID: CVE-2023-28499
CVSS Score: 6.4 (Medium)
Researcher/s: FearZzZz
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/130b069d-d224-44af-b2b4-26be7e081f6b
Surbma | GDPR Proof Cookie Consent & Notice Bar <= 17.5.3 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-23894
CVSS Score: 6.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/48b9f3e3-b7fd-4d7c-8f8b-b11ed977aa92
Robo Gallery <= 3.2.12 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcodes
CVE ID: CVE-2023-27620
CVSS Score: 6.4 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4e0424f8-f60f-49c3-9969-a88c830dc0e2
Ecwid Shopping Cart <= 6.11.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-24408
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c8c530e2-ce42-40f3-82ab-1df9089a5407
Embed Any Document – Embed PDF, Word, PowerPoint and Excel Files <= 2.7.1 – Authenticated (Author+) Stored Cross-Site Scripting via SVG files
CVE ID: CVE-2023-23707
CVSS Score: 6.4 (Medium)
Researcher/s: n0paew
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/eebe37bf-2983-47c0-afd8-0aa3e7982196
WP Job Portal <= 1.1.9 – Authenticated (Subscriber+) Stored Cross-Site Scripting
CVE ID: CVE-2023-28534
CVSS Score: 6.4 (Medium)
Researcher/s: Fariq Fadillah Gusti Insani
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f11ea6b2-1225-42a5-aa7b-260315d0bec5
RapidLoad Power-Up for Autoptimize <= 1.7.1 – Cross-Site Request Forgery
CVE ID: CVE-2023-1472
CVSS Score: 6.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8f9ee168-82b1-4d13-a84e-379f16dcb283
SEO Plugin by Squirrly SEO <= 12.1.20 – Missing Authorization
CVE ID: CVE-2022-44626
CVSS Score: 6.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9251afbb-1a6d-40c6-b62e-a8866742f669
Data Tables Generator by Supsystic <= 1.10.25 – Missing Authorization
CVE ID: CVE-2023-25043
CVSS Score: 6.3 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ae98e3bd-f663-4609-92ed-ed0431047d85
Open RDW kenteken voertuiginformatie <= 2.0.14 – Reflected Cross-Site Scripting via open_data_rdw_kenteken
CVE ID: CVE-2022-47431
CVSS Score: 6.1 (Medium)
Researcher/s: minhtuanact
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1fa87357-09c0-4e99-8ceb-41a7987c4a57
Solidres <= 0.9.4 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-1377
CVSS Score: 6.1 (Medium)
Researcher/s: Erwan LR
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/36d9e9cd-7885-4127-b62c-ee0b3aad8846
SEO Plugin by Squirrly SEO <= 12.1.20 – Reflected Cross-Site Scripting via ‘page’ and ‘tab’
CVE ID: CVE-2022-45065
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3edce64d-13c2-454a-b5da-0454453f69cb
WordPress Mortgage Calculator Estatik <= 2.0.7 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-28490
CVSS Score: 6.1 (Medium)
Researcher/s: minhtuanact
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5ce9dd21-3c89-4ddd-9022-f1edf1224e2d
Drag and Drop Multiple File Upload PRO – Contact Form 7 Standard <= 2.11.0 – Reflected Cross-Site Scripting
CVE ID: CVE Unknown
CVSS Score: 6.1 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/60ae8b8f-bc65-40df-b6ae-4ec8e328dbe5
WPML <= 4.6.1 – Cross-Site Scripting
CVE ID: CVE Unknown
CVSS Score: 6.1 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b5639c00-f34c-45e3-8ff1-dfde7856a80e
Brilliance <= 1.3.1 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-28171
CVSS Score: 6.1 (Medium)
Researcher/s: Dave Jong
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e5726c70-c2c7-45b9-bd03-38cf1320646a
Mediciti Lite <= 1.3.0 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-28418
CVSS Score: 6.1 (Medium)
Researcher/s: Dave Jong
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ec2825b2-c8df-40fd-b44d-a840be66446f
Dynamics 365 Integration <= 1.3.12 – Missing Authorization via wp_ajax_wpcrm_log & wp_ajax_wpcrm_log_verbosity
CVE ID: CVE-2023-28417
CVSS Score: 5.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1671e437-09f0-46bc-87ef-3a5712c3dc98
Force First and Last Name as Display Name <= 1.2 – Cross-Site Request Forgery
CVE ID: CVE-2023-28419
CVSS Score: 5.4 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/27d579d5-a4d2-45f7-a7bb-8f384d851d7a
WP Google Map Plugin <= 4.4.2 – Cross-Site Request Forgery via delete()
CVE ID: CVE-2023-28172
CVSS Score: 5.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/71f58781-3fb3-4eba-8e5a-f98f006f4607
Redirect Redirection <= 1.1.4 – Cross-Site Request Forgery to Plugin De-Installation
CVE ID: CVE Unknown
CVSS Score: 5.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7d500729-3b1a-4ece-81de-4c1f9afbf798
Regina Lite <= 2.0.7 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-27619
CVSS Score: 5.4 (Medium)
Researcher/s: Dave Jong
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7dcd3452-a340-44e5-b292-347dc69ab863
WooCommerce Weight Based Shipping <= 5.4.1 – Cross-Site Request Forgery leading to Plugin Settings Changes
CVE ID: CVE-2022-46794
CVSS Score: 5.4 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b5086b8d-6c74-4970-9937-5ddc5b528495
Site Reviews <= 6.5.1 – Missing Authorization
CVE ID: CVE-2023-27625
CVSS Score: 5.4 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d94f6cdd-8232-4e0c-b510-0e755c280b58
Newsmag <= 2.4.4 – Reflected Cross-Site Scripting
CVE ID: CVE-2023-28493
CVSS Score: 5.4 (Medium)
Researcher/s: Brandon James Roldan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/debe6f54-0f56-4bc9-a0cd-4f2caa1ed9e3
WordPress Email Marketing Plugin – WP Email Capture <= 3.10 – Information Exposure via wp_email_capture_options_process
CVE ID: CVE-2023-28421
CVSS Score: 5.3 (Medium)
Researcher/s: Nguyen Anh Tien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b4570948-1625-44b3-8af6-73765d9710ee
Popup Maker <= 1.17.1 – Sensitive Data Exposure via debug log file
CVE ID: CVE-2022-47597
CVSS Score: 5.3 (Medium)
Researcher/s: rezaduty
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d0240b35-72d0-4943-84cd-5d1574609b36
Backup Bank: WordPress Backup Plugin <= 4.0.28 – Missing Authorization via post_user_feedback_backup_bank
CVE ID: CVE-2023-28165
CVSS Score: 5.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e5ab6dcd-ef22-4fea-9e35-9358ede3ff5d
WP Simple Shopping Cart <= 4.6.3 – Information Disclosure
CVE ID: CVE-2023-1431
CVSS Score: 5.3 (Medium)
Researcher/s: Ayoub Safa
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ea4453bc-557b-4abf-85c6-4aecfd8f4012
WordPress Console <= 0.3.9 – Missing Authorization via reload.php
CVE ID: CVE-2023-28168
CVSS Score: 5.3 (Medium)
Researcher/s: Prasanna V Balaji
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fd3cd605-6292-4a04-9aee-f4b9a8127e8e
PhonePe Payment Solutions <= 1.0.15 – Authenticated (Subscriber+) Server-Side Request Forgery
CVE ID: CVE-2022-45835
CVSS Score: 5 (Medium)
Researcher/s: Aman Rawat
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8f24f7e2-2516-4f4d-955f-f3f6001cbce7
Auto Rename Media On Upload <= 1.0.5 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/25a566ed-9ed6-4c72-9728-49a0edfb5ba5
eCommerce Product Catalog plugin for WordPress <= 3.3.8 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-1470
CVSS Score: 4.4 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/26b7438e-438b-41eb-9458-2fba8ab1964d
WP Simple Events <= 1.0 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-24376
CVSS Score: 4.4 (Medium)
Researcher/s: Nithissh S
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/53de68ad-76a6-4043-8369-7679c1c5c1cd
Easy Event calendar <= 1.0 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-28169
CVSS Score: 4.4 (Medium)
Researcher/s: Nithissh S
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/57dda8e6-54d1-41db-a54d-4a5d635e23b7
Yandex.News Feed by Teplitsa <= 1.12.5 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-25052
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/756810c0-d805-4391-a67b-19b40597d219
SMTP2GO <= 1.4.2 – Authenticated (Administrator+) Stored Cross-Site Scripting via admin settings
CVE ID: CVE-2023-28496
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7cc618c8-63a9-4321-ad18-ee5277a5f5e0
WSB Brands <= 1.1.8 – Authenticated (Administrator+) Stored Cross-Site Scripting via $logo
CVE ID: CVE-2022-47437
CVSS Score: 4.4 (Medium)
Researcher/s: TEAM WEBoB of BoB 11th
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/89321887-0116-47fb-b65b-008c9fb01b62
PB SEO Friendly Images <= 4.0.5 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2022-47434
CVSS Score: 4.4 (Medium)
Researcher/s: Dimas Aprilianto
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/89fc8407-3d1f-4b1b-9b4c-13c0da928231
CMS Press <= 0.2.3 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-25452
CVSS Score: 4.4 (Medium)
Researcher/s: Prasanna V Balaji
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/905cb57b-70ec-4324-ae66-9c06d1737939
Modern Footnotes <= 1.4.15 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-28423
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/94b98842-8c75-4623-8cc9-ad3dc0916a18
Solidres <= 0.9.4 – Authenticated (Admin+) Stored Cross-Site Scripting
CVE ID: CVE-2023-1374
CVSS Score: 4.4 (Medium)
Researcher/s: Daniel Kelley
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b13ee51b-9f23-428f-9cef-4a9b9b06b0c4
WP Express Checkout <= 2.2.8 – Authenticated (Admin+) Stored Cross-Site Scripting via pec_coupon
CVE ID: CVE-2023-1469
CVSS Score: 4.4 (Medium)
Researcher/s: Ayoub Safa
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b35ee801-f04d-4b22-8238-053b02a6ee0c
Branda – White Label WordPress <= 3.4.8.1 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c3508b46-6920-48b9-9acb-620ea34e07e2
Klaviyo <= 3.0.7 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVE ID: CVE-2023-25456
CVSS Score: 4.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d2b66f27-e4d2-4f6e-be96-b7f967a30885
Modern Events Calendar lite <= 5.16.2 – Authenticated (Admin+) Stored Cross-Site Scripting
CVE ID: CVE-2023-1400
CVSS Score: 4.4 (Medium)
Researcher/s: Pavak Tiwari
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e7465ca4-21e8-4935-b294-e7378b2b01a7
Slideshow Gallery LITE <= 1.7.6 – Cross-Site Request Forgery via admin_galleries
CVE ID: CVE-2023-28497
CVSS Score: 4.3 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0a598274-3c67-4751-94d6-49abed38422c
Google XML Sitemap for Images <= 2.1.3 – Cross-Site Request Forgery via image_sitemap_generate
CVE ID: CVE-2023-28173
CVSS Score: 4.3 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1165c68d-3da4-45f3-b054-4904e54d18ac
Slideshow Gallery LITE <= 1.7.6 – Cross-Site Request Forgery via admin_slides
CVE ID: CVE-2023-28497
CVSS Score: 4.3 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/164ec659-e1a6-4267-b6e9-4e37a402e503
Real Estate Directory <= 1.0.4 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Activation
CVE ID: CVE-2023-28532
CVSS Score: 4.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/17031e21-e697-4e01-8848-c3957f5dac7f
LOGIN AND REGISTRATION ATTEMPTS LIMIT <= 2.1 – Cross-Site Request Forgery
CVE ID: CVE-2022-47138
CVSS Score: 4.3 (Medium)
Researcher/s: rezaduty
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/257052f4-2b0a-4604-befd-651dc338b3d5
Chronoforms <= 7.0.9 – Cross-Site Request Forgery
CVE ID: CVE-2022-47135
CVSS Score: 4.3 (Medium)
Researcher/s: rezaduty
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2c02b9b2-b41e-4a30-b69a-9cdae86dd7a7
Real Estate Directory <= 1.0.5 – Cross-Site Request Forgery via rdm_activate_plugin
CVE ID: CVE-2023-28532
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/39a50c49-5c24-4ae7-8f77-4f3d98270f8f
CP Multi View Event Calendar <= 1.4.10 – Missing Authentication leading to Authenticated (Subscriber+) Private Form Submission
CVE ID: CVE-2023-28492
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/49ebff14-ce09-4607-8246-50ae028957f6
Customify <= 2.10.4 – Cross-Site Request Forgery to Settings Update
CVE ID: CVE-2023-27633
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4b1c0ee5-5329-411c-8030-14bec586d74d
Fluid Checkout for WooCommerce – Lite <= 2.3.1 – Cross-Site Request Forgery via dismiss_notice
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5c8caf17-7844-4f26-b989-d29593b3ffda
Website Monetization by MageNet <= 1.0.29.1 – Cross-Site Request Forgery via admin_magenet_settings
CVE ID: CVE-2023-22673
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5f1f3562-f869-4442-b77f-c06c5683c1b2
Bulk Resize Media <= 1.1 – Cross-Site Request Forgery via bulk_resize_resize_image
CVE ID: CVE-2022-46865
CVSS Score: 4.3 (Medium)
Researcher/s: Cat
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/605fbfb9-85d8-43ff-a738-ad1a8a9584c3
Import External Images <= 1.4 – Cross-Site Request Forgery via [placeholder]
CVE ID: CVE-2022-46866
CVSS Score: 4.3 (Medium)
Researcher/s: Cat
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6785be1c-85d4-48f1-be15-275c71284b3e
Reusable Blocks Extended <= 0.9 – Cross-Site Request Forgery via reblex_reusable_screen_block_pattern_registration
CVE ID: CVE-2023-27611
CVSS Score: 4.3 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/67c2cac8-c3cf-46d1-a592-229081bc31e1
WP Shortcode by MyThemeShop <= 1.4.16 – Cross-Site Request Forgery
CVE ID: CVE-2023-28495
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/763fec04-72c5-4910-af97-f58b5b69a02e
WP Basic Elements <= 5.2.15 – Cross-Site Request Forgery via wpbe_save_settings
CVE ID: CVE-2022-47139
CVSS Score: 4.3 (Medium)
Researcher/s: rezaduty
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/78e79423-7b69-4d85-a939-96eb5385624c
Dynamics 365 Integration <= 1.3.12 – Cross-Site Request Forgery via wp_ajax_wpcrm_log
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7945110e-2a9d-4e0e-b0e8-77c16694993b
Hotel Booking Lite <= 4.6.0 – Cross-Site Request Forgery to Settings Update
CVE ID: CVE-2023-28498
CVSS Score: 4.3 (Medium)
Researcher/s: yuyudhn
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7a874287-c648-4807-8387-b0b47187651e
CF7 Invisible reCAPTCHA <= 1.3.3 – Cross-Site Request Forgery via vsz_cf7_invisible_recaptcha_page
CVE ID: CVE-2023-28167
CVSS Score: 4.3 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8fa1048e-bdcd-41d1-a7c4-196731a60843
HT Feed <= 1.2.7 – Cross-Site Request Forgery leading to Limited Plugin Activation
CVE ID: CVE-2023-23804
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/95723482-a6c5-4e95-a88d-c50a88108715
Contact Form Email <= 1.3.31 – Missing Authorization to Feedback Submission
CVE ID: CVE-2023-28494
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9596c243-4099-420a-aa2a-381b6299f927
Custom Options Plus <= 1.8.1 – Cross-Site Request Forgery via custom_options_plus_adm
CVE ID: CVE-2023-28420
CVSS Score: 4.3 (Medium)
Researcher/s: Justiice
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/97c8858a-f05d-4159-b914-4e6ae9bf0d79
Store Locator <= 3.98.7 – Cross-Site Request Forgery to Settings Update
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/98ae3315-8361-43bb-be2c-1564f4df8d5b
Dynamics 365 Integration <= 1.3.12 – Cross-Site Request Forgery via wp_ajax_wpcrm_log_verbosity
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/98e0d103-2369-4c6a-93ae-6be2a1770bae
Contact Form 7 Redirect & Thank You Page <= 1.0.3 – Cross-Site Request Forgery via cf7rl_admin_table
CVE ID: CVE-2023-24395
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/99f831f2-fb96-4dc8-ba3d-6015fbc7e2e1
WP-Advanced-Search <= 3.3.8 – Cross-Site Request Forgery leading to Plugin Settings Updates
CVE ID: CVE-2022-47447
CVSS Score: 4.3 (Medium)
Researcher/s: rezaduty
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a2ba21cd-d8f3-402a-b067-1758937d9eb4
Event Manager for WooCommerce <= 3.7.7 – Cross-Site Request Forgery leading to Uninstall Form Submission
CVE ID: CVE-2022-47164
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/af59eb6d-1ffa-4593-9bfc-f910d907f6e0
Contact Form 7 – PayPal & Stripe Add-on <= 1.9.3 – Cross-Site Request Forgery
CVE ID: CVE-2023-24405
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c0c13b83-6885-46db-bf33-0b2b63ff06db
WP Basic Elements <= 5.2.15 – Missing Authorization to Plugin Settings Update via wpbe_save_settings
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d6516fc0-4ef8-423b-9cdb-a275996fd98b
Print Invoice & Delivery Notes for WooCommerce <= 4.7.2 – Cross-Site Request Forgery via ts_reset_tracking_setting
CVE ID: CVE-2022-46795
CVSS Score: 4.3 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d811782e-3b59-4a46-9a2e-f24ef3dfbd4a
Chankhe <= 1.0.5 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Activation
CVE ID: CVE-2023-28416
CVSS Score: 4.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/efa4b67c-1bb8-413a-8cb8-039168b0b586
Google XML Sitemap for Videos <= 2.6.1 – Cross-Site Request Forgery via video_sitemap_generate
CVE ID: CVE-2023-25055
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/feb4f3dc-9abf-4ee3-834e-e5516652d810
As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.
This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
The post Wordfence Intelligence Weekly WordPress Vulnerability Report (Mar 13, 2023 to Mar 19, 2023) appeared first on Wordfence.