Wordfence Intelligence Weekly WordPress Vulnerability Report (May 15, 2023 to May 21, 2023)

Last week, there were 82 vulnerabilities disclosed in 59 WordPress Plugins and 11 WordPress themes, along with 6 in WordPress Core, that have been added to the Wordfence Intelligence Vulnerability Database, and there were 26 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface and vulnerability API are completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

MStore API <= 3.9.2 – Multiple Authentication Bypass
WCFM Membership – WooCommerce Memberships for Multivendor Marketplace <= 2.10.7 – Unauthenticated Insecure Direct Object Reference to Arbitrary User Password Change
TheGem < 5.8.1.1 – Missing Authorization
BP Social Connect <= 1.5 – Authentication Bypass
WAF-RULE-595 – Data redacted while we work with the developer to ensure this vulnerability gets patched.
WAF-RULE-596 – Data redacted while we work with the developer to ensure this vulnerability gets patched.
Woodmart Core <= 1.0.36 – Authentication Bypass to Privilege Escalation

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status	Number of Vulnerabilities
Unpatched	15
Patched	67

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating	Number of Vulnerabilities
Low Severity	3
Medium Severity	68
High Severity	8
Critical Severity	3

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE	Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)	35
Cross-Site Request Forgery (CSRF)	17
Missing Authorization	15
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)	3
Authentication Bypass Using an Alternate Path or Channel	3
Authorization Bypass Through User-Controlled Key	2
Acceptance of Extraneous Untrusted Data With Trusted Data	2
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)	1
Server-Side Request Forgery (SSRF)	1
Improper Authentication	1
Deserialization of Untrusted Data	1
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)	1

Researchers That Contributed to WordPress Security Last Week

Researcher Name	Number of Vulnerabilities
Rafie Muhammad	16
Lana Codes (Wordfence Vulnerability Researcher)	12
Marco Wotschka (Wordfence Vulnerability Researcher)	10
Erwan LR	6
Mika	4
Dave Jong	3
Emili Castells	2
Liam Gladdy	2
Prasanna V Balaji	2
LEE SE HYOUNG	2
yuyudhn	2
Le Ngoc Anh	1
John Blackbourn	1
LOURCODE	1
Jonas Höbenreich	1
Rio Darmawan	1
WPScanTeam	1
Muhammad Daffa	1
Nguyen Xuan Chien	1
konagash	1
thiennv	1
Jakub Zoczek	1
Nithissh S	1
Ramuel Gall (Wordfence Vulnerability Researcher)	1
Matt Rusnak (Wordfence Vulnerability Researcher)	1
Pavitra Tiwari	1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name	Software Slug
AI Engine: ChatGPT Chatbot, Content Generator, GPT 3 & 4, Ultra-Customizable	ai-engine
AutomateWoo	automatewoo
BP Social Connect	bp-social-connect
Baidu Tongji generator	baidu-tongji-generator
Contact Form by Supsystic	contact-form-by-supsystic
ConvertKit – Email Marketing, Newsletter, Subscribers and Landing Pages	convertkit
Cookie Monster	cookiemonster
Custom 404 Pro	custom-404-pro
Customize WordPress Emails and Alerts – Better Notifications for WP	bnfw
Drop Shadow Boxes	drop-shadow-boxes
Easing Slider	easing-slider
Easy Forms for Mailchimp	yikes-inc-easy-mailchimp-extender
Essential Addons for Elementor Pro	essential-addons-elementor
File Away	file-away
Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button – Chaty	chaty
Jazz Popups	jazz-popups
MStore API	mstore-api
Multiple Page Generator Plugin – MPG	multiple-pages-generator-by-porthas
OTP Login Woocommerce & Gravity Forms	mobile-login-woocommerce
Performance Lab	performance-lab
Photo Gallery by Ays – Responsive Image Gallery	gallery-photo-gallery
PixelYourSite Pro – Your smart PIXEL (TAG) Manager	pixelyoursite-pro
PixelYourSite – Your smart PIXEL (TAG) Manager	pixelyoursite
Predictive Search	predictive-search
Predictive Search for WooCommerce	woocommerce-predictive-search
Quiz Maker	quiz-maker
RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login	custom-registration-form-builder-with-submission-manager
Ricerca – advanced search	ricerca-smart-search
SEO Change Monitor – Track Website Changes	seo-change-monitor
Scripts n Styles	scripts-n-styles
Simple Page Ordering	simple-page-ordering
Smart App Banner	smart-app-banner
Stop Referrer Spam	stop-referrer-spam
Stop Spammers Security \| Block Spam Users, Comments, Forms	stop-spammer-registrations-plugin
Survey Maker – Best WordPress Survey Plugin	survey-maker
Ultimate Dashboard – Custom WordPress Dashboard	ultimate-dashboard
UpdraftPlus WordPress Backup Plugin	updraftplus
Video Gallery	video-slider-with-thumbnails
WP Activity Log	wp-security-audit-log
WP Activity Log Premium	wp-security-audit-log-premium
WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc	wp-sms
WP htaccess Control	wp-htaccess-control
Waiting: One-click countdowns	waiting
WeSecur Security – Antivirus, Malware Scanner and Protection for your WordPress	wesecur-security
WishSuite – Wishlist for WooCommerce	wishsuite
WooCommerce Bookings	woocommerce-bookings
WooCommerce Brands	woocommerce-brands
WooCommerce Composite Products	woocommerce-composite-products
WooCommerce Pre-Orders	woocommerce-pre-orders
WooCommerce Product Add-ons	woocommerce-product-addons
WooCommerce Ship to Multiple Addresses	woocommerce-shipping-multiple-addresses
WooDiscuz – WooCommerce Comments	woodiscuz-woocommerce-comments
WordPress	wordpress
WordPress CRM, Email & Marketing Automation for WordPress \| Award Winner — Groundhogg	groundhogg
Zotpress	zotpress
nuajik	nuajik-cdn
reCAPTCHA and Cloudflare Turnstile For All Pages, to Block Spam and Hackers Attack, Block Visitors from China	recaptcha-for-all
video carousel slider with lightbox	wp-responsive-video-gallery-with-lightbox
woocommerce-product-recommendations	woocommerce-product-recommendations

WordPress Themes with Reported Vulnerabilities Last Week

Software Name	Software Slug
Appzend	appzend
BuzzStore	buzzstore
Craft Blog	craft-blog
Fitness Park	fitness-park
Kathmag	kathmag
Kingcabs	kingcabs
Medical Heed	medical-heed
MetroStore	metrostore
Online eStore	online-estore
SparkleStore	sparklestore
SpiderMag	spidermag

Vulnerability Details

BP Social Connect <= 1.5 – Authentication Bypass

Affected Software: BP Social Connect
CVE ID: CVE-2023-2704
CVSS Score: 9.8 (Critical)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/44c96df2-530a-4ebe-b722-c606a7b135f9

RegistrationMagic <= 5.2.1.0 – Authentication Bypass

Affected Software: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login
CVE ID: CVE-2023-2499
CVSS Score: 9.8 (Critical)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/87ec5542-b6e7-4b18-a3ec-c258e749d32e

MStore API <= 3.9.0 – Authentication Bypass

Affected Software: MStore API
CVE ID: CVE-2023-2733
CVSS Score: 9.8 (Critical)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c726d8f0-7f2a-414b-9d73-a053921074d9

SEO Change Monitor <= 1.2 – Authenticated (Subscriber+) SQL Injection

Affected Software: SEO Change Monitor – Track Website Changes
CVE ID: CVE-2023-33209
CVSS Score: 8.8 (High)
Researcher/s: Nithissh S
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c4f19302-70a5-4132-b841-fba1dd86a0d3

OTP Login Woocommerce & Gravity Forms <= 2.2 – Authentication Bypass to Privilege Escalation

Affected Software: OTP Login Woocommerce & Gravity Forms
CVE ID: CVE-2023-2706
CVSS Score: 8.1 (High)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b1b7b653-496f-467a-9513-4be1891f38ae

Groundhogg <= 2.7.9.8 – Cross-Site Request Forgery to Privilege Escalation

Affected Software: WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg
CVE ID: CVE-2023-2736
CVSS Score: 7.5 (High)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9bf472f1-5980-48ee-aa10-aad19b6f2456

Waiting: One-click countdowns <= 0.6.2 – Missing Authorization Checks leading to Authenticated (Subscriber+) Stored Cross-Site Scripting

Affected Software: Waiting: One-click countdowns
CVE ID: CVE-2023-2757
CVSS Score: 7.4 (High)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/38cc5a39-6ec3-4ce9-b9ad-d4ca5dafe9a7

Essential Addons for Elementor Pro <= 5.4.8 – Unauthenticated Server-Side Request Forgery

Affected Software: Essential Addons for Elementor Pro
CVE ID: CVE-2023-32245
CVSS Score: 7.3 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b1a193b7-21e5-4f57-aaa6-e55c79f8e957

Multiple Page Generator Plugin <= 3.3.17 – Authenticated (Administrator+) SQL Injection

Affected Software: Multiple Page Generator Plugin – MPG
CVE ID: CVE-2023-2607
CVSS Score: 7.2 (High)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1575f0ad-0a77-4047-844c-48db4c8b4e91

WooCommerce Pre-Orders <= 1.9.0 – Unauthenticated Cross-Site Scripting

Affected Software: WooCommerce Pre-Orders
CVE ID: CVE-2023-32802
CVSS Score: 7.2 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b93f66ac-5c9b-483a-a7ad-0a404d3935e0

WooCommerce Product Add-ons <= 6.1.3 – Authenticated (Shop Manager+) PHP Object Injection

Affected Software: WooCommerce Product Add-ons
CVE ID: CVE-2023-32795
CVSS Score: 7.2 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d77666b5-956d-420b-93ed-a15cdbfcced7

Predictive Search <= 1.2.2 – Missing Authorization

Affected Software: Predictive Search
CVE ID: CVE Unknown
CVSS Score: 6.5 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/340e98bf-6484-4634-b2f8-e02f14de67de

WordPress Core < 6.2.2 – Shortcode Execution in User Generated Content

Affected Software: WordPress
CVE ID: CVE Unknown
CVSS Score: 6.5 (Medium)
Researcher/s: Liam Gladdy
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4e3a6fe2-6292-44ff-8925-a4aeb77c2a7f

WordPress Core < 6.2.1 – Shortcode Execution in User Generated Content

Predictive Search <= 1.2.2 – Missing Authorization

File Away <= 3.9.9.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: File Away
CVE ID: CVE-2023-0431
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5f78dd75-d853-4b16-843e-e0c9c55a103c

Drop Shadow Boxes <= 1.7.10 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Drop Shadow Boxes
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6f2b4ac7-f888-408b-a77a-bd73ac8e967d

WordPress Core < 6.2.1 – Insufficient Sanitization of Block Attributes

Affected Software: WordPress
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/834c92ba-8b48-4ae3-9073-085e8f559762

WooCommerce Brands <= 1.6.45 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: WooCommerce Brands
CVE ID: CVE-2023-32746
CVSS Score: 6.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/accdcff0-f361-4632-b0b7-e55975adeebb

WordPress Core < 6.2.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Embed Discovery

Affected Software: WordPress
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Jakub Zoczek
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bba3eeeb-5e7e-4ec3-9db0-02c44585647a

WooCommerce Pre-Orders <= 2.0.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: WooCommerce Pre-Orders
CVE ID: CVE-2023-32793
CVSS Score: 6.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c3915c2f-400d-433d-bbc8-4d88258123dc

WP SMS <= 6.1.4 – Reflected Cross-Site Scripting via ‘delete_mobile’

Affected Software: WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc
CVE ID: CVE-2023-32742
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/04970416-06db-4339-ac22-34fde5a48f2a

Survey Maker <= 3.4.6 – Reflected Cross-Site Scripting via ‘page’ parameter

Affected Software: Survey Maker – Best WordPress Survey Plugin
CVE ID: CVE-2023-2572
CVSS Score: 6.1 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/15b57809-6062-48ca-8572-26032928cd16

WooCommerce Composite Products <= 8.7.5 – Reflected Cross-Site Scripting

Affected Software: WooCommerce Composite Products
CVE ID: CVE-2023-32801
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1d45bd32-d693-40e6-9b30-9e0b91eb4660

Chaty <= 3.0.9 – Reflected Cross-Site Scripting

Affected Software: Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button – Chaty
CVE ID: CVE-2023-25019
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/36741b46-57ac-402e-bfb1-8424c7e70598

Easy Forms for Mailchimp <= 6.8.8 – Unauthenticated Cross-Site Scripting

Affected Software: Easy Forms for Mailchimp
CVE ID: CVE-2023-23900
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4afb25d5-dce1-4a7a-8afe-0fc2a384b945

UpdraftPlus <= 1.23.3 – Cross-Site Request Forgery to Cross-Site Scripting via action_authenticate_storage

Affected Software: UpdraftPlus WordPress Backup Plugin
CVE ID: CVE-2023-32960
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/597f06ac-f9c7-4dcb-bb72-15ed7e9d8ac6

Custom 404 Pro <= 3.8.1 – Reflected Cross-Site Scripting via ‘page’

Affected Software: Custom 404 Pro
CVE ID: CVE-2023-32740
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7d90dad3-d7ef-4060-8328-fd551cee92e2

Stop Spammers Security <= 2022.6 – Reflected Cross-Site Scripting

Affected Software: Stop Spammers Security | Block Spam Users, Comments, Forms
CVE ID: CVE-2023-2489
CVSS Score: 6.1 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/889cb1d5-7f5c-4904-9b5f-cc8a505eb65c

Video Gallery <= 1.0.10 – Reflected Cross-Site Scripting

Affected Software: Video Gallery
CVE ID: CVE-2023-2708
CVSS Score: 6.1 (Medium)
Researcher/s: Marco Wotschka, yuyudhn
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8cfbad9f-61ba-4216-9078-c1e7e809899a

Jazz Popups <= 1.8.7 – Reflected Cross-Site Scripting via ‘wpjazzpopup_switchonoff’

Affected Software: Jazz Popups
CVE ID: CVE-2023-32965
CVSS Score: 6.1 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ba8c5db5-48d4-4ce1-84b9-5743c7444a3a

Photo Gallery by Ays <= 5.1.6 – Reflected Cross-Site Scripting

Affected Software: Photo Gallery by Ays – Responsive Image Gallery
CVE ID: CVE-2023-2568
CVSS Score: 6.1 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ca62b54e-dde6-440f-bed9-db320179269e

ConvertKit <= 2.2.0 – Reflected Cross-Site Scripting

Affected Software: ConvertKit – Email Marketing, Newsletter, Subscribers and Landing Pages
CVE ID: CVE-2023-2337
CVSS Score: 6.1 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cf3a16b6-7256-4fad-b3f2-d1d9d833f45e

video carousel slider with lightbox <= 1.0.22 – Reflected Cross-Site Scripting

Affected Software: video carousel slider with lightbox
CVE ID: CVE-2023-2710
CVSS Score: 6.1 (Medium)
Researcher/s: Marco Wotschka, yuyudhn
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e88bb3a8-de24-46fb-a3e4-9ca3fdd4cca7

Quiz Maker <= 6.4.2.6 – Reflected Cross-Site Scripting

Affected Software: Quiz Maker
CVE ID: CVE-2023-2571
CVSS Score: 6.1 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f70d0bea-3ac2-4235-92a2-09458b85bddd

Essential Addons for Elementor Pro <= 5.4.8 – Reflected Cross-Site Scripting

Affected Software: Essential Addons for Elementor Pro
CVE ID: CVE-2023-32241
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f8f86293-a32f-49a6-8c8c-d37354ab040a

AutomateWoo <= 5.7.1 – Authenticated (Shop manager+) SQL Injection

Affected Software: AutomateWoo
CVE ID: CVE-2023-32743
CVSS Score: 5.5 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9202cb4d-7fd4-444d-ab44-8f6d9e68d869

Contact Form by Supsystic <= 1.7.24 – Cross-Site Request Forgery via AJAX action

Affected Software: Contact Form by Supsystic
CVE ID: CVE-2023-2528
CVSS Score: 5.4 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1c387b07-baf6-4c62-943e-4bd121160ceb

Groundhogg <= 2.7.9.8 – Missing Authorization to Non-Arbitrary File Upload

Affected Software: WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg
CVE ID: CVE-2023-2716
CVSS Score: 5.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3c5bde0e-3138-4995-92ae-6deaf6b7be5b

Zotpress <= 7.3.3 – Reflected Cross-Site Scripting

Affected Software: Zotpress
CVE ID: CVE-2023-32961
CVSS Score: 5.4 (Medium)
Researcher/s: LOURCODE
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/617dcc0e-e212-4da0-8918-e55e6b3895fa

Simple Page Ordering <= 2.5.0 – Missing Authorization to Information Disclosure

Affected Software: Simple Page Ordering
CVE ID: CVE-2023-32798
CVSS Score: 5.4 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/77d8d29b-b730-46be-a354-7abfa83ac664

Stop Referrer Spam <= 1.3.0 – Cross-Site Request Forgery via processParameters

Affected Software: Stop Referrer Spam
CVE ID: CVE-2023-33207
CVSS Score: 5.4 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a5deac61-031f-452a-a478-d5d0c7953817

Groundhogg <= 2.7.9.8 – Cross-Site Request Forgery to Disable All Plugins

Affected Software: WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg
CVE ID: CVE-2023-2717
CVSS Score: 5.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/af73240c-b711-4e91-9998-5f7e6a9a4fb9

WordPress Core < 6.2.1 – Directory Traversal

Affected Software: WordPress
CVE ID: CVE-2023-2745
CVSS Score: 5.4 (Medium)
Researcher/s: Ramuel Gall, Matt Rusnak
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/edcf46b6-368e-49c0-b2c3-99bf6e2d358f

Smart App Banner <= 1.1.2 – Cross-Site Request Forgery via wsl_smart_app_banner_options

Affected Software: Smart App Banner
CVE ID: CVE Unknown
CVSS Score: 5.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f71453d9-8bbf-4546-b69f-e86cc41da9bd

Multiple sparklewpthemes Themes (Various versions) – Cross-Site Request Forgery to Arbitrary Plugin Activation

Affected Software/s: Kathmag, Online eStore, SpiderMag, Medical Heed, Appzend, BuzzStore, Craft Blog, Fitness Park, Kingcabs, MetroStore, SparkleStore
CVE ID: CVE-2023-32959
CVSS Score: 5.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/62e30cef-ce5d-4450-989e-f08f09b7638f

WooCommerce Predictive Search <= 5.8.0 – Missing Authorization via multiple AJAX actions

Affected Software: Predictive Search for WooCommerce
CVE ID: CVE-2023-32963
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7ea2726a-a601-45ac-9f20-c34b82edf441

Easing Slider <= 3.0.8 – Missing Authorization to Unauthenticated Settings Reset

Affected Software: Easing Slider
CVE ID: CVE-2023-30490
CVSS Score: 5.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9e04a2f8-5071-4c85-b4f8-cb914ee509b5

Multiple sparklewpthemes Themes (Various versions) – Missing Authorization to Arbitrary Plugin Activation

WooCommerce Predictive Search <= 5.8.0 – Cross-Site Request Forgery via multiple AJAX actions

Groundhogg <= 2.7.9.8 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg
CVE ID: CVE-2023-2735
CVSS Score: 4.9 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4938206e-2ea4-47ed-a307-87cf67dd74a4

WooDiscuz – WooCommerce Comments <= 2.2.9 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: WooDiscuz – WooCommerce Comments
CVE ID: CVE-2023-33216
CVSS Score: 4.4 (Medium)
Researcher/s: Emili Castells
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/01bd8a24-5580-4b16-94b3-c231d5fe7a01

Chaty <= 3.0.9 – Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button – Chaty
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3baa0543-cdfb-4699-97ca-eaa83c2494a1

Cookie Monster <= 1.51 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Cookie Monster
CVE ID: CVE-2023-33208
CVSS Score: 4.4 (Medium)
Researcher/s: Prasanna V Balaji
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4f040075-83a0-4c9a-8d93-99aa36606b31

PixelYourSite <= 9.3.6 and PixelYourSite Pro <= 9.6.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software/s: PixelYourSite Pro – Your smart PIXEL (TAG) Manager, PixelYourSite – Your smart PIXEL (TAG) Manager
CVE ID: CVE-2023-2584
CVSS Score: 4.4 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5ebf1e83-50b8-4f56-ba76-10100375edda

WP htaccess Control <= 3.5.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: WP htaccess Control
CVE ID: CVE-2023-25462
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6741b770-79d3-4797-8f8f-4ca83fde4705

AI Engine: ChatGPT Chatbot, Content Generator, GPT 3 & 4, Ultra-Customizable <= 1.6.82 – Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: AI Engine: ChatGPT Chatbot, Content Generator, GPT 3 & 4, Ultra-Customizable
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: WPScanTeam
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6d8f59b0-da92-43aa-990d-5271aa40d6b4

WishSuite <= 1.3.4 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: WishSuite – Wishlist for WooCommerce
CVE ID: CVE-2023-32962
CVSS Score: 4.4 (Medium)
Researcher/s: Emili Castells
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b515782a-d7ec-41a6-92f8-91823f2c0dcf

Stop Spammers Security <= 2022.6 – Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: Stop Spammers Security | Block Spam Users, Comments, Forms
CVE ID: CVE-2023-2489
CVSS Score: 4.4 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c83df43e-286d-4695-9c37-bee2870fd3b5

WeSecur Security <= 1.2.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: WeSecur Security – Antivirus, Malware Scanner and Protection for your WordPress
CVE ID: CVE-2023-24390
CVSS Score: 4.4 (Medium)
Researcher/s: Prasanna V Balaji
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d732ea2d-c763-4735-b541-6c5fd5167cb4

Ultimate Dashboard <= 3.7.5 – Authenticated(Administrator+) Stored Cross-Site Scripting via plugin settings

Affected Software: Ultimate Dashboard – Custom WordPress Dashboard
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e5103e60-771f-46cf-b432-21d131e30bcc

nuajik CDN <= 0.1.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: nuajik
CVE ID: CVE-2023-33210
CVSS Score: 4.4 (Medium)
Researcher/s: Pavitra Tiwari
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fcf09793-1277-41a0-9ce4-b85b13721729

WordPress Core < 6.2.1 – Cross-Site Request Forgery

Affected Software: WordPress
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: John Blackbourn
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0da1cc3b-5d6b-4ca0-9d8a-31c63ab5b9c9

WooCommerce Ship to Multiple Addresses <= 3.8.3 – Insecure Direct Object Reference

Affected Software: WooCommerce Ship to Multiple Addresses
CVE ID: CVE-2023-32799
CVSS Score: 4.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/163328e9-2918-4bc0-8bbc-90d7e992754d

Groundhogg <= 2.7.9.8 – Missing Authorization to Admin Account and Ticket Creation

Affected Software: WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg
CVE ID: CVE-2023-2715
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/24747507-8f24-499e-a257-d379dc171e18

Groundhogg <= 2.7.9.8 – Missing Authorization to Update License

Affected Software: WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg
CVE ID: CVE-2023-2714
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/29700844-b41d-4f10-90a7-06c8574d8d2a

WooCommerce Bookings <= 1.15.78 – Insecure Direct Object Reference

Affected Software: WooCommerce Bookings
CVE ID: CVE-2023-32747
CVSS Score: 4.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2b365fb8-7a93-4306-b2b1-ce47dc19457a

Ricerca smart and advanced search <= 1.0.15 – Cross-Site Request Forgery

Affected Software: Ricerca – advanced search
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2fefcc8c-3864-4764-86e7-678d8604fd67

WP Activity Log Premium <= 4.5.0 – Cross-Site Request Forgery via ajax_switch_db

Affected Software: WP Activity Log Premium
CVE ID: CVE-2023-2285
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4c659f6d-e02b-42ab-ba02-eb9b00602ad4

AutomateWoo <= 5.7.1 – Cross-Site Request Forgery

Affected Software: AutomateWoo
CVE ID: CVE-2023-32745
CVSS Score: 4.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/540de1b8-eb1f-4f9d-b45c-d3d5f11b642d

reCAPTCHA for all <= 1.22 – Missing Authorization via recaptcha_for_all_image_select

Affected Software: reCAPTCHA and Cloudflare Turnstile For All Pages, to Block Spam and Hackers Attack, Block Visitors from China
CVE ID: CVE-2023-32599
CVSS Score: 4.3 (Medium)
Researcher/s: Jonas Höbenreich
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/66585943-cb70-4296-af66-5b786d1bafb9

WP Activity Log Premium <= 4.5.0 – Missing Authorization via ajax_switch_db

Affected Software: WP Activity Log Premium
CVE ID: CVE-2023-2284
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6e29fd6b-462a-42be-9a2a-b6717b20a937

Performance Lab <= 2.2.0 – Cross-Site Request Forgery via dismiss-wp-pointer

Affected Software: Performance Lab
CVE ID: CVE-2022-47174
CVSS Score: 4.3 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6f1e3586-99f7-4cac-bbb2-1a6406c4f8a4

Better Notifications for WP <= 1.9.2 – Cross-Site Request Forgery via handle_actions

Affected Software: Customize WordPress Emails and Alerts – Better Notifications for WP
CVE ID: CVE-2023-32964
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7ddabda2-1e27-4b87-b643-b0166112a890

WooCommerce Product Recommendations < 2.3.0 – Cross-Site Request Forgery

Affected Software: woocommerce-product-recommendations
CVE ID: CVE-2023-32744
CVSS Score: 4.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/826fe5a8-3290-4f70-b9bb-8bd4aec3634c

WooCommerce Product Add-ons <= 6.1.3 – Cross-Site Request Forgery

Affected Software: WooCommerce Product Add-ons
CVE ID: CVE-2023-32794
CVSS Score: 4.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b5bd3852-c1a5-4d7d-b4fb-59911fba4873

WP Activity Log <= 4.5.0 – Cross-Site Request Forgery via ajax_run_cleanup

Affected Software/s: WP Activity Log, WP Activity Log Premium
CVE ID: CVE-2023-2286
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e2008e0b-32c6-46fb-93b9-2b0004f478e8

WP Activity Log <= 4.5.0 – Missing Capabilities Check to User Enumeration

Affected Software/s: WP Activity Log, WP Activity Log Premium
CVE ID: CVE-2023-2261
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f51f0919-498e-4f86-a933-1b7f2c4a10a4

Scripts n Styles <= 3.5.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Scripts n Styles
CVE ID: CVE-2023-31236
CVSS Score: 3.3 (Low)
Researcher/s: konagash
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a86d8f97-54dc-4c6b-92c0-05a8625cc073

Baidu Tongji generator <= 1.0.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Baidu Tongji generator
CVE ID: CVE-2023-31233
CVSS Score: 3.3 (Low)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e2b9b6f4-6ee7-498d-9693-a5ae5f7f4719

Multiple Page Generator Plugin <= 3.3.17 – Cross-Site Request Forgery to SQL Injection

Affected Software: Multiple Page Generator Plugin – MPG
CVE ID: CVE-2023-2608
CVSS Score: 3.1 (Low)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d900584c-0f58-4abc-92ff-841f898d02fc

As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (May 15, 2023 to May 21, 2023) appeared first on Wordfence.