Wordfence Intelligence Weekly WordPress Vulnerability Report (May 1, 2023 to May 7, 2023)

Last week, 58 vulnerabilities disclosed in 43 WordPress plugins and 3 WordPress themes were added to the Wordfence Intelligence Vulnerability Database, and 27 vulnerability researchers contributed to WordPress security. Review the vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, including the WordPress community, so that individuals and organizations alike can use that data to make the internet more secure. That is why the Wordfence Intelligence user interface and vulnerability API are completely free to access and use, both personally and commercially, and why we publish this weekly vulnerability report.

Click here to sign up for our mailing list to receive weekly vulnerability reports like this one, along with important WordPress security reports, in your inbox the moment they are published.


New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real time to our Premium, Care, and Response customers last week:

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30-day delay.


Total Unpatched & Patched Vulnerabilities Last Week

Patch Status | Number of Vulnerabilities
------------ | -------------------------
Unpatched    | 14
Patched      | 44

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating   | Number of Vulnerabilities
----------------- | -------------------------
Low Severity      | 1
Medium Severity   | 48
High Severity     | 8
Critical Severity | 1

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE | Number of Vulnerabilities
------------------------- | -------------------------
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 31
Missing Authorization | 9
Cross-Site Request Forgery (CSRF) | 5
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 3
Server-Side Request Forgery (SSRF) | 2
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 2
Improper Authentication | 1
Information Exposure | 1
Unverified Password Change | 1
URL Redirection to Untrusted Site (‘Open Redirect’) | 1
Deserialization of Untrusted Data | 1
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | 1

Researchers That Contributed to WordPress Security Last Week

Researcher Name     | Number of Vulnerabilities
------------------- | -------------------------
Dave Jong           | 7
Lana Codes          | 7
yuyudhn             | 4
Le Ngoc Anh         | 3
Mika                | 3
Rafie Muhammad      | 3
Junsu Yeo           | 2
Erwan LR            | 2
LEE SE HYOUNG       | 2
Chien Vuong         | 2
deokhunKim          | 2
Alex Sanford        | 2
Fioravante Souza    | 1
Nguyen Xuan Chien   | 1
Ivan Kuzymchak      | 1
Yash Kanchhal       | 1
WPScanTeam          | 1
Sanjay Das          | 1
Marco Wotschka      | 1
Taurus Omar         | 1
Nguyen Anh Tien     | 1
Suprit S Pandurangi | 1
Skalucy             | 1
Ramuel Gall         | 1
thiennv             | 1
Phd                 | 1
Pablo Sanchez       | 1


Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added to the Wordfence Intelligence leaderboard, in addition to being mentioned in our weekly vulnerability report.


WordPress Plugins with Reported Vulnerabilities Last Week

Software Name | Software Slug
------------- | -------------
Add to Feedly | add-to-feedly
Advanced Custom Fields (ACF) | advanced-custom-fields
Advanced Custom Fields Pro | advanced-custom-fields-pro
Advanced Woo Search | advanced-woo-search
Albo Pretorio On line | albo-pretorio-on-line
AnyWhere Elementor | anywhere-elementor
CM Pop-Up banners for WordPress | cm-pop-up-banners
Community by PeepSo – Social Network, Membership, Registration, User Profiles | peepso-core
Contact Form 7 extension for Google Map fields | cf7-google-map
Cryptocurrency Payment & Donation Box – Accept Payments in any Cryptocurrency on your WP Site for Free | cryptocurrency-donation-box
Custom 404 Pro | custom-404-pro
DX Delete Attached Media | dx-delete-attached-media
Easy Appointments | easy-appointments
Easy Digital Downloads – Simple eCommerce for Selling Digital Files | easy-digital-downloads
FV Flowplayer Video Player | fv-wordpress-flowplayer
Fast & Effective Popups & Lead-Generation for WordPress – HollerBox | holler-box
Hostel | hostel
Image Optimizer by 10web – Image Optimizer and Compression plugin | image-optimizer-wd
Library Viewer | library-viewer
Login rebuilder | login-rebuilder
Loginizer | loginizer
Manager for Icomoon | manager-for-icomoon
Metform Elementor Contact Form Builder – Flexible and Design-Friendly Contact Form builder plugin for WordPress | metform
Multi Rating | multi-rating
Newsletter Popup | newsletter-popup
OSM – OpenStreetMap | osm
Otter – Gutenberg Blocks – Page Builder for Gutenberg Editor & FSE | otter-blocks
Participants Database | participants-database
Photo Gallery by Ays – Responsive Image Gallery | gallery-photo-gallery
Product Addons & Fields for WooCommerce | woocommerce-product-addon
Spiffy Calendar | spiffy-calendar
TK Google Fonts GDPR Compliant | tk-google-fonts
TP Education | tp-education
UserAgent-Spy | useragent-spy
WOLF – WordPress Posts Bulk Editor and Manager Professional | bulk-editor
WP Directory Kit | wpdirectorykit
WP Docs | wp-docs
WP EasyPay – Square for WordPress | wp-easy-pay
WP Fastest Cache | wp-fastest-cache
WP Job Portal – A Complete Job Board | wp-job-portal
WP-FormAssembly | formassembly-web-forms
WPO365 | Mail Integration for Office 365 / Outlook | mail-integration-365
WPPizza – A Restaurant Plugin | wppizza

WordPress Themes with Reported Vulnerabilities Last Week

Software Name | Software Slug
------------- | -------------
Editorialmag  | editorialmag
JupiterX      | jupiterx
TheGem        | thegem

Vulnerability Details

Easy Digital Downloads 3.1 – 3.1.1.4.1 – Unauthenticated Arbitrary Password Reset to Privilege Escalation

Affected Software: Easy Digital Downloads – Simple eCommerce for Selling Digital Files
CVE ID: CVE-2023-30869
CVSS Score: 9.8 (Critical)
Researcher/s: Nguyen Anh Tien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8e3e07c8-8fd0-4966-8276-aece794b75b2

Otter – Gutenberg Blocks <= 2.2.5 – Authenticated (Author+) PHAR Deserialization

Affected Software: Otter – Gutenberg Blocks – Page Builder for Gutenberg Editor & FSE
CVE ID: CVE-2023-2288
CVSS Score: 8.8 (High)
Researcher/s: Alex Sanford
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f18be13a-1b16-40f8-85a7-bd77b49e243c

CM Pop-Up banners <= 1.5.10 – Authenticated (Subscriber+) SQL Injection via getStatistics

Affected Software: CM Pop-Up banners for WordPress
CVE ID: CVE-2023-30750
CVSS Score: 8.8 (High)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ff29e160-993b-422c-b49b-a216db5a0765

AnyWhere Elementor <= 1.2.7 – Sensitive Information Exposure

Affected Software: AnyWhere Elementor
CVE ID: CVE-2023-0443
CVSS Score: 8.6 (High)
Researcher/s: Sanjay Das
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5782439f-a546-45f6-aec7-e600442d3c41

JupiterX Theme <= 3.0.0 – Authenticated Local File Inclusion via print_pane

Affected Software: JupiterX
CVE ID: CVE-2023-32110
CVSS Score: 8.1 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d5abb538-9e69-485e-9389-90a2422510ca

TK Google Fonts GDPR Compliant <= 2.2.7 – Authorization Bypass

Affected Software: TK Google Fonts GDPR Compliant
CVE ID: CVE Unknown
CVSS Score: 7.3 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7c1e005f-c0f1-4dff-928b-18919f117048

Newsletter Popup <= 1.2 – Unauthenticated Stored Cross-Site Scripting via ‘nl_data’

Affected Software: Newsletter Popup
CVE ID: CVE-2023-0733
CVSS Score: 7.2 (High)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2b5d64b8-c339-4bbc-b91e-4805428f7296

Cryptocurrency Donation Box – Bitcoin & Crypto Donations <= 2.2.5 – Authenticated (Administrator+) SQL Injection


Contact Form 7 extension for Google Map fields <= 1.8.3 – Stored Cross-Site Scripting

Affected Software: Contact Form 7 extension for Google Map fields
CVE ID: CVE Unknown
CVSS Score: 7.2 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/dd3fc3a4-ba32-4c05-bc93-ed7b86c426fa

HollerBox <= 2.1.3 – Authenticated (edit_popups+) SQL Injection

Affected Software: Fast & Effective Popups & Lead-Generation for WordPress – HollerBox
CVE ID: CVE-2023-2111
CVSS Score: 6.6 (Medium)
Researcher/s: WPScanTeam
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4970be62-9aad-4a5f-9dd3-4bf48bded022

Metform Elementor Contact Form Builder <= 3.3.0 – Missing Authorization


WP Directory Kit <= 1.2.2 – Missing Authorization to Plugin Installation, Settings Change/Delete, Demo Import, Directory Kit Deletion via wdk_public_action

Affected Software: WP Directory Kit
CVE ID: CVE-2023-2280
CVSS Score: 6.5 (Medium)
Researcher/s: Ramuel Gall, Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/abb1a758-5c16-4841-b1c7-0705ab16b328

WP Fastest Cache <= 1.1.4 – Authenticated (Administrator+) Blind Server-Side Request Forgery via check_url

Affected Software: WP Fastest Cache
CVE ID: CVE-2023-1938
CVSS Score: 6.5 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b937940c-a3e0-49d3-b066-550b78351b54

WOLF <= 1.0.6 – Authenticated (Subscriber+) Stored Cross-Site Scripting via wpbe_update_page_field

Affected Software: WOLF – WordPress Posts Bulk Editor and Manager Professional
CVE ID: CVE-2023-31218
CVSS Score: 6.4 (Medium)
Researcher/s: Junsu Yeo
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2be16ee8-6bae-44d9-bde7-8e893293c3f9

OSM – OpenStreetMap <= 6.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Affected Software: OSM – OpenStreetMap
CVE ID: CVE-2022-4676
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6dac6353-9e70-482d-b54b-ffde661b212c

Library Viewer <= 2.0.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Library Viewer
CVE ID: CVE-2023-32102
CVSS Score: 6.4 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/82c08769-2bb6-4c87-b198-f18216b3e744

Manager for Icomoon <= 2.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Manager for Icomoon
CVE ID: CVE-2023-29387
CVSS Score: 6.4 (Medium)
Researcher/s: deokhunKim
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8ef75bb4-febf-4009-a6b4-f0b40a4fc903

TP Education <= 4.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcodes

Affected Software: TP Education
CVE ID: CVE-2023-32103
CVSS Score: 6.4 (Medium)
Researcher/s: deokhunKim
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bfba9979-44a2-4ad4-bb6a-f54f73b628d4

TheGem < 5.8.1.1 – Authenticated (Subscriber+) Stored Cross-Site Scripting

Affected Software: TheGem
CVE ID: CVE-2023-32237
CVSS Score: 6.4 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fc4d4103-a19a-45a5-9059-23eb7f72c84b

TheGem < 5.8.1.1 – Missing Authorization

Affected Software: TheGem
CVE ID: CVE-2023-32238
CVSS Score: 6.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/074e8e37-147d-47ea-93ed-652d7de7be9e

TheGem < 5.8.1.1 – Improper Authentication

Affected Software: TheGem
CVE ID: CVE-2023-32238
CVSS Score: 6.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3942bba9-3c3a-47bf-9a53-95376917d6bb

Easy Appointments <= 3.11.9 – Cross-Site Request Forgery via multiple AJAX actions

Affected Software: Easy Appointments
CVE ID: CVE-2022-36424
CVSS Score: 6.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/461cec8c-77e4-4f20-8dff-c4f675dc235f

Editorialmag <= 1.1.9 – Missing Authorization to Authenticated Plugin Activation

Affected Software: Editorialmag
CVE ID: CVE-2023-32129
CVSS Score: 6.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5fd470bb-d791-45dc-a743-6f03fc75f00c

WPO365 | Mail Integration for Office 365 / Outlook <= 1.9.0 – Reflected Cross-Site Scripting via error_description

Affected Software: WPO365 | Mail Integration for Office 365 / Outlook
CVE ID: CVE-2023-32119
CVSS Score: 6.1 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1b3b4b45-5964-490a-991b-c9eb79c670e2

WPPizza <= 3.17.1 – Reflected Cross-Site Scripting

Affected Software: WPPizza – A Restaurant Plugin
CVE ID: CVE-2023-32105
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/225ac126-7448-4faf-92c7-ee96831b272e

Loginizer <= 1.7.8 – Reflected Cross-Site Scripting via ‘limit_session[count]’

Affected Software: Loginizer
CVE ID: CVE-2023-2296
CVSS Score: 6.1 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4e6ef932-975c-423b-b780-b38449eec577

Custom 404 Pro <= 3.7.2 – Reflected Cross-Site Scripting via ‘s’

Affected Software: Custom 404 Pro
CVE ID: CVE-2023-2023
CVSS Score: 6.1 (Medium)
Researcher/s: Chien Vuong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5e5bdc92-e682-4121-9ba5-167742f61138

WP Docs <= 1.9.9 – Reflected Cross-Site Scripting

Affected Software: WP Docs
CVE ID: CVE-2023-32106
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7ac15c0d-74d3-4121-a63e-97dbbe594274

FV Flowplayer Video Player <= 7.5.32.7212 – Reflected Cross-Site Scripting via id

Affected Software: FV Flowplayer Video Player
CVE ID: CVE-2023-30499
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9b78834c-cb13-4698-aa19-65f8c6874c8f

Albo Pretorio Online <= 4.6.3 – Reflected Cross-Site Scripting

Affected Software: Albo Pretorio On line
CVE ID: CVE-2023-32108
CVSS Score: 6.1 (Medium)
Researcher/s: thiennv
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b186c98e-6a8d-4675-aaaa-c6748319dec1

Advanced Custom Fields PRO <= 6.1.5 – Reflected Cross-Site Scripting via ‘post_status’

Affected Software: Advanced Custom Fields Pro
CVE ID: CVE-2023-30777
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cfb9812b-3804-436b-b665-5e4e599b1bec

PPOM for WooCommerce <= 32.0.6 – Reflected Cross-Site Scripting

Affected Software: Product Addons & Fields for WooCommerce
CVE ID: CVE-2023-2256
CVSS Score: 6.1 (Medium)
Researcher/s: Alex Sanford
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d223de07-6377-491f-8d2c-9c31aa814792

Photo Gallery by Ays <= 5.1.3 – Reflected Cross-Site Scripting via ays_gpg_settings_tab

Affected Software: Photo Gallery by Ays – Responsive Image Gallery
CVE ID: CVE-2023-32107
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/db48a271-e649-4dbe-901b-aa55eba9123b

Albo Pretorio Online <= 4.6.3 – Reflected Cross-Site Scripting

Affected Software: Albo Pretorio On line
CVE ID: CVE-2023-32109
CVSS Score: 6.1 (Medium)
Researcher/s: Phd
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e1a3ea4c-163f-406c-a819-92d3157fd93f

Advanced Custom Fields <= 6.1.5 – Reflected Cross-Site Scripting via ‘post_status’

Affected Software: Advanced Custom Fields (ACF)
CVE ID: CVE-2023-30777
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e7ae8dcd-00b6-4afc-85bb-6697820bb37c

WP EasyPay <= 4.0.4 – Reflected Cross-Site Scripting

Affected Software: WP EasyPay – Square for WordPress
CVE ID: CVE-2023-1465
CVSS Score: 6.1 (Medium)
Researcher/s: Pablo Sanchez
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e8786f44-09b9-4281-b615-5df4b494a083

TheGem < 5.8.1.1 – Authenticated (Subscriber+) Stored Cross-Site Scripting

Affected Software: TheGem
CVE ID: CVE-2023-32237
CVSS Score: 5.4 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6134c76d-754b-4e54-aa4e-b791d9321b8e

Participants Database <= 2.4.9 – Cross-Site Request Forgery via _process_general

Affected Software: Participants Database
CVE ID: CVE-2023-31235
CVSS Score: 5.4 (Medium)
Researcher/s: Skalucy
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a7ce9573-eda5-45c0-8775-966f2fbe9496

Library Viewer <= 2.0.6 – Open Redirect via ‘redirect_to’

Affected Software: Library Viewer
CVE ID: CVE-2023-32101
CVSS Score: 5.4 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b12a7e57-a45f-407a-9dd9-843a628d73ac

Community by PeepSo <= 6.0.9.0 – Missing Authorization to Sensitive Information Exposure

Affected Software: Community by PeepSo – Social Network, Membership, Registration, User Profiles
CVE ID: CVE-2023-27630
CVSS Score: 5.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3479e7a4-7719-4438-8bf5-bf9b9990f3f4

WP Job Portal <= 1.1.9 – Missing Authorization to Settings Modification

Affected Software: WP Job Portal – A Complete Job Board
CVE ID: CVE-2022-41786
CVSS Score: 5.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5ce039db-b597-4bbf-8067-933a262ae1b6

Multi Rating <= 5.0.6 – Missing Authorization to Arbitrary Ratings Value Change

Affected Software: Multi Rating
CVE ID: CVE-2023-32127
CVSS Score: 5.3 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f3d00464-557f-4177-87aa-f5340b796dbb

WP-FormAssembly <= 2.0.8 – Limited Server-Side Request Forgery via ‘formassembly’ shortcode

Affected Software: WP-FormAssembly
CVE ID: CVE Unknown
CVSS Score: 5 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/288853b8-7523-472e-8406-257ffb3bd5ea

Spiffy Calendar <= 4.9.3 – Reflected Cross-Site Scripting via page parameter

Affected Software: Spiffy Calendar
CVE ID: CVE-2023-32122
CVSS Score: 4.7 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5adf03ff-5b87-4ed3-b7ec-b89bc814aba6

Add to Feedly <= 1.2.11 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

Affected Software: Add to Feedly
CVE ID: CVE-2023-2470
CVSS Score: 4.4 (Medium)
Researcher/s: Fioravante Souza
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1496ce98-ee19-4f37-9ec7-eb0fafb5df19

Advanced Woo Search <= 2.77 – Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: Advanced Woo Search
CVE ID: CVE-2023-2452
CVSS Score: 4.4 (Medium)
Researcher/s: Ivan Kuzymchak
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4278e9d7-aa1e-47a5-b715-09dae5156303

UserAgent-Spy <= 1.3.1 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

Affected Software: UserAgent-Spy
CVE ID: CVE-2023-2490
CVSS Score: 4.4 (Medium)
Researcher/s: Yash Kanchhal
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/434755f8-b2af-4f35-9af9-f0b9578718c8

Multi Rating <= 5.0.6 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

Affected Software: Multi Rating
CVE ID: CVE-2023-32130
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6ca2311c-7b44-4dad-bea0-131776205319

Login rebuilder <= 2.8.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Login rebuilder
CVE ID: CVE-2023-2223
CVSS Score: 4.4 (Medium)
Researcher/s: Taurus Omar
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7ae14765-ba85-4aba-83ae-41f7de2f2551

PPOM for WooCommerce <= 32.0.5 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

Affected Software: Product Addons & Fields for WooCommerce
CVE ID: CVE-2023-1839
CVSS Score: 4.4 (Medium)
Researcher/s: Suprit S Pandurangi
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8f105002-a19a-4376-af65-7e9416175174

Participants Database <= 2.4.9 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

Affected Software: Participants Database
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a52015fe-c4df-46a6-8f23-b33730797f4c

Hostel <= 1.1.5.1 – Authenticated (Administrator+) Stored Cross-Site Scripting via Manage Bookings

Affected Software: Hostel
CVE ID: CVE-2023-32120
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b4865576-9929-4ce2-a220-935f1f3e0485

Newsletter Popup <= 1.2 – Cross-Site Request Forgery to Record Deletion

Affected Software: Newsletter Popup
CVE ID: CVE-2023-0766
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/274429f7-1cd1-49e4-a145-dce36bebb9c2

DX Delete Attached Media <= 2.0.2 – Missing Authorization to Settings Update

Affected Software: DX Delete Attached Media
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7b78004e-caa5-4478-ba16-5f1a10e31541

Multi Rating <= 5.0.6 – Cross-Site Request Forgery to Arbitrary Ratings Value Change

Affected Software: Multi Rating
CVE ID: CVE-2023-32125
CVSS Score: 4.3 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/80ad0b55-bd85-4240-ae54-f72d6b81ea7c

WP Job Portal <= 1.1.9 – Cross-Site Request Forgery to Settings Modification

Affected Software: WP Job Portal – A Complete Job Board
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/98a2570c-c757-44ad-9981-af0bf2d3c341

WOLF <= 1.0.6 – Cross-Site Request Forgery via wpbe_update_page_field

Affected Software: WOLF – WordPress Posts Bulk Editor and Manager Professional
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Junsu Yeo
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a39ca182-981b-4636-acd5-4c8a269858dd

Image Optimizer by 10web <= 1.0.26 – Authenticated (Administrator+) Directory Traversal

Affected Software: Image Optimizer by 10web – Image Optimizer and Compression plugin
CVE ID: CVE-2023-2117
CVSS Score: 2.7 (Low)
Researcher/s: Chien Vuong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9f58a5eb-53cb-4a25-b693-bcd2b7a1cd00

As a reminder, Wordfence has curated an industry-leading vulnerability database, Wordfence Intelligence, covering all known WordPress core, theme, and plugin vulnerabilities.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, through submissions from vulnerability researchers using our CVE Request form, and by monitoring a variety of sources to capture all publicly available WordPress vulnerability information, adding additional context where we can.

Click here to sign up for our mailing list to receive weekly vulnerability reports like this one, along with important WordPress security reports, in your inbox the moment they are published.
