Wordfence Intelligence Weekly WordPress Vulnerability Report (May 29, 2023 to June 4, 2023)

Last week, there were 116 vulnerabilities disclosed in 88 WordPress Plugins and 3 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 35 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface and vulnerability API are completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

Jetpack <= 12.1 – Authenticated (Author+) Arbitrary File Manipulation
Formidable Forms <= 6.3 – Authenticated (Subscriber+) Arbitrary Plugin Installation and Activation
Wordapp <= 1.5.0 – Authorization Bypass through Use of Insufficiently Unique Cryptographic Signature
WAF-RULE-603 – data redacted while we work with the developer to ensure the vulnerability this rule protects against gets patched.

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status	Number of Vulnerabilities
Unpatched	68
Patched	48

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating	Number of Vulnerabilities
Low Severity	3
Medium Severity	93
High Severity	16
Critical Severity	4

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE	Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)	36
Cross-Site Request Forgery (CSRF)	35
Missing Authorization	22
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)	6
Improper Input Validation	2
Improper Authorization	2
Authorization Bypass Through User-Controlled Key	2
Authentication Bypass Using an Alternate Path or Channel	2
URL Redirection to Untrusted Site (‘Open Redirect’)	1
Improper Privilege Management	1
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’)	1
Insufficient Verification of Data Authenticity	1
Server-Side Request Forgery (SSRF)	1
Use of Less Trusted Source	1
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)	1
Deserialization of Untrusted Data	1
Improper Control of Generation of Code (‘Code Injection’)	1

Researchers That Contributed to WordPress Security Last Week

Researcher Name	Number of Vulnerabilities
Lana Codes (Wordfence Vulnerability Researcher)	22
Jonas Höbenreich	13
Mika	7
Rafie Muhammad	7
yuyudhn	6
LEE SE HYOUNG	6
thiennv	6
Alex Thomas (Wordfence Vulnerability Researcher)	4
Yuki Haruma	3
Ramuel Gall (Wordfence Vulnerability Researcher)	2
Dave Jong	2
Rafshanzani Suhada	2
Nguyen Xuan Chien	2
Rio Darmawan	2
Dongzhu Li	2
Emili Castells	2
Jerome Bruandet	2
Juampa Rodríguez	1
Le Hong Minh	1
Justiice	1
Skalucy	1
Elliot	1
40826d	1
Francesco Carlucci	1
konagash	1
TomS	1
Hamed	1
Le Ngoc Anh	1
Miguel Neto	1
TaeEun Lee	1
Vinay Kumar	1
Marco Wotschka (Wordfence Vulnerability Researcher)	1
Taihei Shimamine	1
minhtuanact	1
Mateus Machado Tesser	1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name	Software Slug
Ajax Pagination and Infinite Scroll	malinky-ajax-pagination
B2BKing — Ultimate WooCommerce Wholesale and B2B Solution — Wholesale Order Form, Catalog Mode, Dynamic Pricing & More	b2bking-wholesale-for-woocommerce
BBS e-Popup	bbs-e-popup
Blog-in-Blog	blog-in-blog
Brizy – Page Builder	brizy
CRM Perks Forms – WordPress Form Builder	crm-perks-forms
CRM and Lead Management by vcita	crm-customer-relationship-management-by-vcita
Call Now Accessibility Button	accessibility-help-button
Call Now Icon Animate	call-now-icon-animate
Cart2Cart: Magento to WooCommerce Migration	cart2cart-magento-to-woocommerce-migration
Change WooCommerce Add To Cart Button Text	change-woocommerce-add-to-cart-button-text
Chilexpress woo oficial	chilexpress-oficial
Complianz – GDPR/CCPA Cookie Consent	complianz-gdpr
Conditional shipping & Advanced Flat rate shipping rates / Flexible shipping for WooCommerce shipping	advanced-free-flat-shipping-woocommerce
Constant Contact Forms	constant-contact-forms
Contact Form Builder by vcita	contact-form-with-a-meeting-scheduler-by-vcita
Contact Form and Calls To Action by vcita	lead-capturing-call-to-actions-by-vcita
Custom Login Page \| Temporary Users \| Rebrand Login \| Login Captcha	feather-login-page
Directorist – WordPress Business Directory Plugin with Classified Ads Listings	directorist
Disable WordPress Update Notifications and auto-update Email Notifications	disable-update-notifications
Display post meta, term meta, comment meta, and user meta	display-metadata
Donation Platform for WooCommerce: Fundraising & Donation Management	wc-donation-platform
Download Monitor	download-monitor
Dynamic QR Code Generator	dynamic-qr-code-generator
Dynamic Visibility for Elementor	dynamic-visibility-for-elementor
Event Registration Calendar By vcita	event-registration-calendar-by-vcita
Extended Post Status	extended-post-status
Favorites	favorites
File Manager Advanced Shortcode WordPress	file-manager-advanced-shortcode
Floating Action Button	floating-action-button
Formidable Forms – Contact Form, Survey, Quiz, Calculator & Custom Form Builder	formidable
GDPR Cookie Consent Notice Box	cookie-consent-box
Google Fonts For WordPress	free-google-fonts
Gravityforms	gravityforms
Headless CMS	headless-cms
Interactive Image Map Plugin – Draw Attention	draw-attention
JS Job Manager	js-jobs
Jetpack – WP Security, Backup, Speed, & Growth	jetpack
Kanban Boards for WordPress	kanban
Kebo Twitter Feed	kebo-twitter-feed
LH Password Changer	lh-password-changer
LWS Hide Login	lws-hide-login
Login Configurator	login-configurator
Nested Pages	wp-nested-pages
Online Booking & Scheduling Calendar for WordPress by vcita	meeting-scheduler-by-vcita
Online Payments – Get Paid with PayPal, Square & Stripe	paypal-payment-button-by-vcita
Page Builder with Image Map by AZEXO	page-builder-by-azexo
Photo Gallery by 10Web – Mobile-Friendly Image Gallery	photo-gallery
Quick/Bulk Order Form for WooCommerce	woocommerce-bulk-order-form
ReviewX – Multi-criteria Rating & Reviews for WooCommerce	reviewx
Social Media Share Buttons & Social Sharing Icons	ultimate-social-media-icons
Social Share, Social Login and Social Comments Plugin – Super Socializer	super-socializer
SpamReferrerBlock	spamreferrerblock
TPG Redirect	tpg-redirect
TS Webfonts for さくらのレンタルサーバ	ts-webfonts-for-sakura
Telegram Bot & Channel	telegram-bot
Tutor LMS – eLearning and online course solution	tutor
Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin	ultimate-member
Uncanny Toolkit for LearnDash	uncanny-learndash-toolkit
Unite Gallery Lite	unite-gallery-lite
User Email Verification for WooCommerce	woo-confirmation-email
VK Blocks	vk-blocks
WOLF – WordPress Posts Bulk Editor and Manager Professional	bulk-editor
WP Directory Kit	wpdirectorykit
WP ERP \| Complete HR solution with recruitment & job listings \| WooCommerce CRM & Accounting	erp
WP Full Auto Tags Manager	wp-full-auto-tags-manager
WP Hide Post	wp-hide-post
WP Inventory Manager	wp-inventory-manager
WP Report Post	wp-report-post
WP User Switch	wp-user-switch
WP-Cache.com	wp-cachecom
WP-Cirrus	wp-cirrus
WPC Smart Wishlist for WooCommerce	woo-smart-wishlist
Web Directory Free	web-directory-free
WooCommerce Box Office	woocommerce-box-office
WooCommerce Checkout & Funnel Builder by CartFlows – Create High Converting Stores For WooCommerce	cartflows
Woocommerce Order address Print	woocommerce-order-address-print
WordPress CRM, Email & Marketing Automation for WordPress \| Award Winner — Groundhogg	groundhogg
WordPress NextGen GalleryView	wordpress-nextgen-galleryview
WordPress Online Booking and Scheduling Plugin – Bookly	bookly-responsive-appointment-booking-tool
WordPress Social Login	wordpress-social-login
Wordapp	wordapp
Worthy – VG WORT Integration für WordPress	wp-worthy
Yandex Metrica Counter	counter-yandex-metrica
bbPress Toolkit	bbp-toolkit
bbp style pack	bbp-style-pack
premium-addons-pro	premium-addons-pro
wpForo Forum	wpforo

WordPress Themes with Reported Vulnerabilities Last Week

Software Name	Software Slug
HashOne	hashone
Viral	viral
Viral News	viral-news

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities.

Wordapp <= 1.5.0 – Authorization Bypass through Use of Insufficiently Unique Cryptographic Signature

Affected Software: Wordapp
CVE ID: CVE-2023-2987
CVSS Score: 9.8 (Critical)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/80440bfa-4a02-4441-bbdb-52d7dd065a9d

Tutor LMS <= 2.1.10 – Unauthenticated SQL Injection

Affected Software: Tutor LMS – eLearning and online course solution
CVE ID: CVE-2023-25700
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9dfee325-9001-4483-b3eb-846da0314529

Gravity Forms <= 2.7.3 – Unauthenticated PHP Object Injection

Affected Software: Gravityforms
CVE ID: CVE-2023-28782
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/dc1e5fb7-92d0-4e7f-9b1b-15673e3b852a

File Manager Advanced Shortcode WordPress <= 2.3.2 – Unauthenticated Arbitrary File Upload to Remote Code Execution via Shortcode

Affected Software: File Manager Advanced Shortcode WordPress
CVE ID: CVE-2023-2068
CVSS Score: 9.8 (Critical)
Researcher/s: Mateus Machado Tesser
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ea40d06e-672c-42db-9378-d382de5838d4

Directorist <= 7.5.4 – Authenticated (Subscriber+) Arbitrary User Password Reset to Privilege Escalation

Affected Software: Directorist – WordPress Business Directory Plugin with Classified Ads Listings
CVE ID: CVE-2023-1888
CVSS Score: 8.8 (High)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/01943559-e05b-4dca-b322-d880b2729ee7

Feather Login Page 1.0.7 – 1.1.1 – Cross-Site Request Forgery to Privilege Escalation

Affected Software: Custom Login Page | Temporary Users | Rebrand Login | Login Captcha
CVE ID: CVE-2023-2549
CVSS Score: 8.8 (High)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/12560b8e-9c47-4f7f-ac9c-d86f17914ba3

Tutor LMS <= 2.2.0 – Authenticated (Student+) SQL Injection

Affected Software: Tutor LMS – eLearning and online course solution
CVE ID: CVE-2023-25800
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2a64b1ff-0d3f-42fa-bab2-4f31bb8f0476

ReviewX <= 1.6.13 – Arbitrary Usermeta Update to Authenticated (Subscriber+) Privilege Escalation

Affected Software: ReviewX – Multi-criteria Rating & Reviews for WooCommerce
CVE ID: CVE-2023-2833
CVSS Score: 8.8 (High)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/70e1d701-2cff-4793-9e4c-5b16a4038e8d

Tutor LMS <= 2.1.10 – Authenticated (Tutor Instructor+) SQL Injection

Affected Software: Tutor LMS – eLearning and online course solution
CVE ID: CVE-2023-25990
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7d623512-ee99-4a73-a752-ecbb6ad96b63

wpForo Forum <= 2.1.7 – Authenticated (Subscriber+) Local File Include, Server-Side Request Forgery, and PHAR Deserialization via file_get_contents

Affected Software: wpForo Forum
CVE ID: CVE-2023-2249
CVSS Score: 8.8 (High)
Researcher/s: Hamed
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/800fa098-b29f-4979-b7bd-b1186a4dafcb

Web Directory Free <= 1.6.7 – Authenticated (Contributor+) SQL Injection via post_id

Affected Software: Web Directory Free
CVE ID: CVE-2023-2201
CVSS Score: 8.8 (High)
Researcher/s: Marco Wotschka
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d831fa81-4714-4757-b75d-0a8f5edda910

WP User Switch <= 1.0.2 – Authenticated (Subscriber+) Authentication Bypass via Cookie

Affected Software: WP User Switch
CVE ID: CVE-2023-2546
CVSS Score: 8.8 (High)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e89d912d-fa7a-4fb1-8872-95fa861c21ca

Feather Login Page 1.0.7 – 1.1.1 – Missing Authorization to Authentication Bypass and Privilege Escalation

Affected Software: Custom Login Page | Temporary Users | Rebrand Login | Login Captcha
CVE ID: CVE-2023-2545
CVSS Score: 8.1 (High)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b2ab2178-7438-43ef-961e-b54d0d230f4a

User Email Verification for WooCommerce <= 3.5.0 – Authentication Bypass

Affected Software: User Email Verification for WooCommerce
CVE ID: CVE-2023-2781
CVSS Score: 8.1 (High)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f1e31357-7fbc-414b-a4f4-53fa5f2fc715

bbPress Toolkit <= 1.0.12 – Cross-Site Scripting

Affected Software: bbPress Toolkit
CVE ID: CVE-2023-34032
CVSS Score: 7.2 (High)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/11305d35-07d6-4c61-a0c7-035671229f07

Online Booking & Scheduling Calendar for WordPress by vcita <= 4.2.10 – Unauthenticated Stored Cross-Site Scripting

Affected Software: Online Booking & Scheduling Calendar for WordPress by vcita
CVE ID: CVE-2023-2298
CVSS Score: 7.2 (High)
Researcher/s: Jonas Höbenreich
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7e6a0bf9-4767-4d4c-9a1e-adcb3c7719d9

WP Report Post <= 2.1.2 – Authenticated (Editor+) SQL Injection

Affected Software: WP Report Post
CVE ID: CVE-2023-34168
CVSS Score: 7.2 (High)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8dae13e5-cee7-4392-af71-7d466ba6f6c4

Groundhogg <= 2.7.10.3 – Authenticated (Administrator+) SQL Injection

Affected Software: WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg
CVE ID: CVE-2023-34179
CVSS Score: 7.2 (High)
Researcher/s: Rafshanzani Suhada
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b4f2554d-c047-4be2-a4e6-2ae51f077376

Blog-in-Blog <= 1.1.1 – Authenticated (Editor+) Local File Inclusion via Shortcode

Affected Software: Blog-in-Blog
CVE ID: CVE-2023-2435
CVSS Score: 7.2 (High)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d53161ad-cc5f-4433-b288-a8095cdfd7db

Cart2Cart: Magento to WooCommerce Migration <= 2.0.0 – Missing Authorization via setToken

Affected Software: Cart2Cart: Magento to WooCommerce Migration
CVE ID: CVE-2023-34379
CVSS Score: 7.1 (High)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5d9ab83f-6d0b-4fe4-a121-87b09dcc0953

Headless CMS <= 2.0.3 – Missing Authorization

Affected Software: Headless CMS
CVE ID: CVE-2023-34186
CVSS Score: 6.5 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2d1414f5-e705-4fd4-847b-b46d2d20943b

Jetpack <= 12.1 – Authenticated (Author+) Arbitrary File Manipulation

Affected Software: Jetpack – WP Security, Backup, Speed, & Growth
CVE ID: CVE-2023-2996
CVSS Score: 6.5 (Medium)
Researcher/s: Miguel Neto
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9dfca4cb-71dc-4b2d-bcf3-0ca9f88f88df

B2BKing <= 4.6.00 – Missing Authorization to Authenticated(Subscriber+) Price Modification

Affected Software: B2BKing — Ultimate WooCommerce Wholesale and B2B Solution — Wholesale Order Form, Catalog Mode, Dynamic Pricing & More
CVE ID: CVE-2023-3125
CVSS Score: 6.5 (Medium)
Researcher/s: Jerome Bruandet
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b3f2c4c3-73d6-4b3b-8eb3-c494f52dc183

Directorist <= 7.5.4 – Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Post Deletion in listing_task

Affected Software: Directorist – WordPress Business Directory Plugin with Classified Ads Listings
CVE ID: CVE-2023-1889
CVSS Score: 6.5 (Medium)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b47edd57-cac7-463f-88cc-8922f1b34612

Uncanny Toolkit for LearnDash <= 3.6.4.3 – Missing Authorization via review-banner-visibility REST route

Affected Software: Uncanny Toolkit for LearnDash
CVE ID: CVE-2023-34019
CVSS Score: 6.5 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cdaa7450-3b51-470d-8903-52fd1d4215a2

Formidable Forms <= 6.3 – Authenticated (Subscriber+) Arbitrary Plugin Installation and Activation

Affected Software: Formidable Forms – Contact Form, Survey, Quiz, Calculator & Custom Form Builder
CVE ID: CVE Unknown
CVSS Score: 6.5 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d9f060bd-029a-462e-b308-8366e82be383

Contact Form Builder by vcita <= 4.9.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Contact Form Builder by vcita
CVE ID: CVE-2023-2300
CVSS Score: 6.4 (Medium)
Researcher/s: Jonas Höbenreich
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/12ce97ba-8053-481f-bcd7-05d5e8292adb

Event Registration Calendar By vcita <= 1.3.1 & Online Payments – Get Paid with PayPal, Square & Stripe <= 3.9.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software/s: Event Registration Calendar By vcita, Online Payments – Get Paid with PayPal, Square & Stripe
CVE ID: CVE-2023-2406
CVSS Score: 6.4 (Medium)
Researcher/s: Jonas Höbenreich
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1ab05954-9999-43ff-8e3c-a987e2da1956

Page Builder by AZEXO <= 1.27.133 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Page Builder with Image Map by AZEXO
CVE ID: CVE-2023-3051
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/24486605-9324-4f19-9ca3-340d006432db

WooCommerce Box Office <= 1.1.50 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: WooCommerce Box Office
CVE ID: CVE-2023-34004
CVSS Score: 6.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3ebd05d5-a65d-49df-a865-882e9d17fc0f

Contact Form and Calls To Action by vcita <= 2.6.4 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Contact Form and Calls To Action by vcita
CVE ID: CVE-2023-2302
CVSS Score: 6.4 (Medium)
Researcher/s: Jonas Höbenreich
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4dfc237a-9157-4da9-ba8f-9daf2ba4f20b

Favorites <= 2.3.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Favorites
CVE ID: CVE-2023-2304
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5bd03cd0-34f0-491c-8247-79656eba32a8

Display post meta, term meta, comment meta, and user meta <= 0.4.1 – Authenticated(Contributor+) Stored Cross-Site Scripting

Affected Software: Display post meta, term meta, comment meta, and user meta
CVE ID: CVE-2023-1661
CVSS Score: 6.4 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6f90c0d8-ede6-4f24-870f-19e888238e93

CRM and Lead Management by vcita <= 2.6.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: CRM and Lead Management by vcita
CVE ID: CVE-2023-2404
CVSS Score: 6.4 (Medium)
Researcher/s: Jonas Höbenreich
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e26ccd06-22e0-4d91-a53a-df6ead8a8e3b

Page Builder by AZEXO <= 1.27.133 – Cross-Site Request Forgery to Post Creation/Modification/Deletion

Affected Software: Page Builder with Image Map by AZEXO
CVE ID: CVE-2023-3052
CVSS Score: 6.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a4e26035-ce4e-4b4b-aa3c-cd86b29b199a

Chilexpress woo oficial <= 1.2.9 – Reflected Cross-Site Scripting

Affected Software: Chilexpress woo oficial
CVE ID: CVE-2023-34176
CVSS Score: 6.1 (Medium)
Researcher/s: Le Hong Minh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0999a738-9fae-4043-99eb-ff222a7608fa

CRM and Lead Management by vcita <= 2.6.2 – Cross-Site Request Forgery to Stored Cross-Site Scripting

Affected Software: CRM and Lead Management by vcita
CVE ID: CVE-2023-2405
CVSS Score: 6.1 (Medium)
Researcher/s: Jonas Höbenreich
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0f75c6bf-1b93-49d5-b5fb-e59b4e67432f

Event Registration Calendar By vcita <= 1.3.1 & Online Payments – Get Paid with PayPal, Square & Stripe <= 3.9.1 – Cross-Site Request Forgery to Stored Cross-Site Scripting

Affected Software/s: Event Registration Calendar By vcita, Online Payments – Get Paid with PayPal, Square & Stripe
CVE ID: CVE-2023-2407
CVSS Score: 6.1 (Medium)
Researcher/s: Jonas Höbenreich
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/207b40fa-2062-48d6-990b-f05cbbf8fb8e

Contact Form and Calls To Action by vcita <= 2.6.4 – Cross-Site Request Forgery to Stored Cross-Site Scripting

Affected Software: Contact Form Builder by vcita
CVE ID: CVE-2023-2303
CVSS Score: 6.1 (Medium)
Researcher/s: Jonas Höbenreich
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2345c972-9fd4-4709-8bde-315ab54f60e2

Woocommerce Order address Print <= 3.2 – Reflected Cross-Site Scripting

Affected Software: Woocommerce Order address Print
CVE ID: CVE-2023-34184
CVSS Score: 6.1 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2bbf4e86-308c-43f3-a54c-e1c6ee21260e

Page Builder by AZEXO <= 1.27.133 – Cross-Site Request Forgery to Stored Cross-Site Scripting via azh_save

Affected Software: Page Builder with Image Map by AZEXO
CVE ID: CVE-2023-3055
CVSS Score: 6.1 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2efeffa2-b21a-4aa1-93b0-51c775758ab1

bbp style pack <= 5.5.5 – Reflected Cross-Site Scripting

Affected Software: bbp style pack
CVE ID: CVE-2023-33997
CVSS Score: 6.1 (Medium)
Researcher/s: thiennv
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/49e82146-e8ad-4bc5-94a7-a4ae694b7039

Contact Form Builder by vcita <= 4.9.1 – Cross-Site Request Forgery to Stored Cross-Site Scripting

Affected Software: Contact Form Builder by vcita
CVE ID: CVE-2023-2301
CVSS Score: 6.1 (Medium)
Researcher/s: Jonas Höbenreich
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/61c39f5f-3b17-4e4d-824e-241159a73400

Social Share, Social Login and Social Comments <= 7.13.51 – Reflected Cross-Site Scripting

Affected Software: Social Share, Social Login and Social Comments Plugin – Super Socializer
CVE ID: CVE-2023-2779
CVSS Score: 6.1 (Medium)
Researcher/s: 40826d
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6257739a-cd7c-4797-882a-016a01fe84b4

Dynamic QR Code Generator <= 0.0.5 – Reflected Cross-Site Scripting

Affected Software: Dynamic QR Code Generator
CVE ID: CVE-2023-34022
CVSS Score: 6.1 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/65f30cd4-1d47-4ebe-a6de-acdb3a813c9c

WP Directory Kit <= 1.2.3 – Reflected Cross-Site Scripting via ‘search’

Affected Software: WP Directory Kit
CVE ID: CVE-2023-2835
CVSS Score: 6.1 (Medium)
Researcher/s: Dongzhu Li
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/847f1c00-0e8f-4d38-84af-fe959e2efe5c

BBS e-Popup <= 2.4.5 – Reflected Cross-Site Scripting

Affected Software: BBS e-Popup
CVE ID: CVE-2023-34174
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8f715947-e379-4a05-9ab8-5d9e94ffc136

Premium Addons PRO <= 2.8.24 – Reflected Cross-Site Scripting

Affected Software: premium-addons-pro
CVE ID: CVE-2023-34012
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9445a54c-06b9-400a-a8ae-a58f1b968196

Google Fonts For WordPress <= 3.0.0 – Reflected Cross-Site Scripting

Affected Software: Google Fonts For WordPress
CVE ID: CVE-2023-34180
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/94712f92-5045-420b-9d6d-59a4c031e998

Login Configurator <= 2.1 – Reflected Cross-Site Scripting

Affected Software: Login Configurator
CVE ID: CVE-2023-34175
CVSS Score: 6.1 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b89a1265-6e26-498c-a2b4-da12d38463c9

WP ERP <= 1.12.3 – Reflected Cross-Site Scripting

Affected Software: WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting
CVE ID: CVE-2023-34008
CVSS Score: 6.1 (Medium)
Researcher/s: minhtuanact
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e5863e9b-3f98-41ea-97ed-26563493cffd

Blog-in-Blog <= 1.1.1 – Authenticated (Editor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Blog-in-Blog
CVE ID: CVE-2023-2436
CVSS Score: 5.5 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5c6a88c3-18b7-470f-8014-373ead66dcfa

Quick/Bulk Order Form for WooCommerce <= 3.5.7 – Authenticated (Shop manager+) Stored Cross-Site Scripting

Affected Software: Quick/Bulk Order Form for WooCommerce
CVE ID: CVE-2023-34170
CVSS Score: 5.5 (Medium)
Researcher/s: Emili Castells
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/898af9aa-72c4-46a6-afc2-76dd17672fbc

Download Monitor <= 4.8.1 – Authenticated (Admin+) Server-Side Request Forgery

Affected Software: Download Monitor
CVE ID: CVE-2023-31219
CVSS Score: 5.5 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a03f0780-796c-41a3-8f06-04f76e0da2da

JS Job Manager <= 2.0.0 – Cross-Site Request Forgery via multiple functions

Affected Software: JS Job Manager
CVE ID: CVE-2023-31087
CVSS Score: 5.4 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0131921b-6f60-4da1-b5d9-d44a33d35cae

Groundhogg <= 2.7.10.3 – Cross-Site Request Forgery

Affected Software: WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg
CVE ID: CVE-2023-34178
CVSS Score: 5.4 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/22506d45-40db-47c4-91b2-ab4f49703bf9

Online Booking & Scheduling Calendar for WordPress by vcita <= 4.2.10 – Missing Authorization to Settings Update and Media Upload

Affected Software: Online Booking & Scheduling Calendar for WordPress by vcita
CVE ID: CVE-2023-2414
CVSS Score: 5.4 (Medium)
Researcher/s: Jonas Höbenreich
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3c99aab5-a995-44ae-bc14-09f73e6b22c5

Dynamic Visibility for Elementor <= 5.0.5 – Missing Authorization to Authenticated(Subscriber+) Post Visibility Modification

Affected Software: Dynamic Visibility for Elementor
CVE ID: CVE Unknown
CVSS Score: 5.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4e704333-ad88-42c9-b632-babc9d54cb13

Feather Login Page 1.0.7 – 1.1.1 – Missing Authorization to Non-Arbitrary User Deletion

Affected Software: Custom Login Page | Temporary Users | Rebrand Login | Login Captcha
CVE ID: CVE-2023-2547
CVSS Score: 5.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5d58a6a4-de2c-485f-a8b0-7a7d144fbf3c

Online Booking & Scheduling Calendar for WordPress by vcita <= 4.2.10 – Missing Authorization to Account Logout

Affected Software: Online Booking & Scheduling Calendar for WordPress by vcita
CVE ID: CVE-2023-2415
CVSS Score: 5.4 (Medium)
Researcher/s: Jonas Höbenreich
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/731cbeed-d4aa-448f-878a-8c51a3da4e18

Worthy – VG WORT Integration für WordPress <= 1.6.5-6497609 – Cross-Site Request Forgery

Affected Software: Worthy – VG WORT Integration für WordPress
CVE ID: CVE-2023-24417
CVSS Score: 5.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7717cd0f-6aac-4cb0-b27e-2517d5d7ecd9

Extended Post Status <= 1.0.19 – Missing Authorization via wp_insert_post_data

Affected Software: Extended Post Status
CVE ID: CVE-2023-32094
CVSS Score: 5.4 (Medium)
Researcher/s: TaeEun Lee
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b6369b41-d93f-4959-8fad-be69ef724b24

Change WooCommerce Add To Cart Button Text <= 1.3 – Missing Authorization via rexvs_settings_submit

Affected Software: Change WooCommerce Add To Cart Button Text
CVE ID: CVE-2023-34376
CVSS Score: 5.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d47f5d90-dc7d-4500-a6e6-e585e4a5c11b

Page Builder by AZEXO <= 1.27.133 – Missing Authorization to Post Creation

Affected Software: Page Builder with Image Map by AZEXO
CVE ID: CVE-2023-3053
CVSS Score: 5.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/dd56cb73-1c40-44b1-b713-c0291832d988

WordPress Social Login <= 3.0.4 – Reflected Cross-Site Scripting

Affected Software: WordPress Social Login
CVE ID: CVE-2023-34023
CVSS Score: 5.4 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e8b03deb-4134-4dde-8545-a14977a47209

Online Booking & Scheduling Calendar for WordPress by vcita <= 4.2.10 – Cross-Site Request Forgery to Account Logout

Affected Software: Online Booking & Scheduling Calendar for WordPress by vcita
CVE ID: CVE-2023-2416
CVSS Score: 5.4 (Medium)
Researcher/s: Jonas Höbenreich
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f434585c-8533-4788-b0bc-5650390c29a8

Online Booking & Scheduling Calendar for WordPress by vcita <= 4.2.10 – Missing Authorization on REST-API

Affected Software: Online Booking & Scheduling Calendar for WordPress by vcita
CVE ID: CVE-2023-2299
CVSS Score: 5.3 (Medium)
Researcher/s: Jonas Höbenreich
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4855627a-de56-49ee-b0b0-01b9735d8557

WooCommerce Box Office <= 1.1.51 – Missing Authorization

Affected Software: WooCommerce Box Office
CVE ID: CVE-2023-34003
CVSS Score: 5.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8872eca8-4812-4f5f-b775-cbfab90ba2ca

Call Now Accessibility Button <= 1.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Call Now Accessibility Button
CVE ID: CVE-2023-28933
CVSS Score: 4.4 (Medium)
Researcher/s: Juampa Rodríguez
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/04df6505-46c1-4e66-a363-4ccebacb5e42

Yandex Metrica Counter <= 1.4.3 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Yandex Metrica Counter
CVE ID: CVE-2023-34173
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/173661aa-6895-41d6-8869-6abfd2eadf31

Unite Gallery Lite <= 1.7.60 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Unite Gallery Lite
CVE ID: CVE-2023-34183
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/577d8986-edc5-445f-80cf-7a7f2cca9749

Download SpamReferrerBlock <= 2.22 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: SpamReferrerBlock
CVE ID: CVE-2023-34372
CVSS Score: 4.4 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/692e995d-cdfc-4ab8-8a8a-5423eb7f8d15

Telegram Bot & Channel <= 3.6.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Telegram Bot & Channel
CVE ID: CVE-2023-34006
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6eb099c3-f6f6-4d9c-a9c7-fa1b81ce082e

Kanban Boards for WordPress <= 2.5.20 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Kanban Boards for WordPress
CVE ID: CVE-2023-34368
CVSS Score: 4.4 (Medium)
Researcher/s: TomS
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7fe3e55e-7286-4d12-b24f-fce69248a446

Call Now Icon Animate <= 0.1.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Call Now Icon Animate
CVE ID: CVE-2023-34187
CVSS Score: 4.4 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/82f5e976-2564-4f8b-96d5-cfac9945737c

WordPress Social Login <= 3.0.4 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: WordPress Social Login
CVE ID: CVE-2023-34172
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bc2c3bdb-65b9-4e0b-899f-bd08077bc8ba

Bulk Order Form for WooCommerce <= 3.5.7 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Quick/Bulk Order Form for WooCommerce
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d549fcd5-6808-4d7d-bf1f-df8cfa458744

CRM Perks Forms <= 1.1.1 – Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: CRM Perks Forms – WordPress Form Builder
CVE ID: CVE-2023-2836
CVSS Score: 4.4 (Medium)
Researcher/s: Dongzhu Li
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/de11636b-a051-4e76-bc26-ed76f66fe0df

GDPR Cookie Consent Notice Box <= 1.1.6 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: GDPR Cookie Consent Notice Box
CVE ID: CVE-2023-32294
CVSS Score: 4.4 (Medium)
Researcher/s: Emili Castells
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f44b8e21-4bfd-487f-96f1-d264d335f54f

TS Webfonts for さくらのレンタルサーバ <= 3.1.0 – Cross-Site Request Forgery

Affected Software: TS Webfonts for さくらのレンタルサーバ
CVE ID: CVE-2023-34169
CVSS Score: 4.3 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/025d576b-7342-4863-ac30-f1ff0205d638

NextGen GalleryView <= 0.5.5 – Cross-Site Request Forgery

Affected Software: WordPress NextGen GalleryView
CVE ID: CVE-2023-34185
CVSS Score: 4.3 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/052ea3af-96d8-4e83-b4e7-3db30b556d0d

WP Report Post <= 2.1.2 – Cross-Site Request Forgery

Affected Software: WP Report Post
CVE ID: CVE-2023-34171
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/09e28b72-55c6-4f2f-b689-a8989945651b

Ajax Pagination and Infinite Scroll <= 2.0.1 – Cross-Site Request Forgery

Affected Software: Ajax Pagination and Infinite Scroll
CVE ID: CVE-2023-34033
CVSS Score: 4.3 (Medium)
Researcher/s: Justiice
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0bc7f5dd-a1eb-442d-9913-e391208e7f26

VK Blocks <= 1.57.0.5 – Authenticated(Contributor+) Settings Update

Affected Software: VK Blocks
CVE ID: CVE-2023-0583
CVSS Score: 4.3 (Medium)
Researcher/s: Ramuel Gall
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/12a94f5b-bc30-4a65-b397-54488c836ec3

Floating Action Button <= <=1.2.1 – Cross-Site Request Forgery

Affected Software: Floating Action Button
CVE ID: CVE-2023-31088
CVSS Score: 4.3 (Medium)
Researcher/s: Yuki Haruma
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/14bf654e-c4f1-4267-811e-6d796c14834a

Photo Gallery <= 1.8.15 – Missing Authorization

Affected Software: Photo Gallery by 10Web – Mobile-Friendly Image Gallery
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1534f67d-cf3f-4185-9aa6-01ae5dee4f26

Multiple Themes (Various Versions) – Missing Authorization to Arbitrary Plugin Activation

Affected Software/s: Viral News, HashOne, Viral
CVE ID: CVE-2023-33923
CVSS Score: 4.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/154a838c-f8bb-4568-b066-a78264c75eea

Draw Attention <= 2.0.11 – Missing Authorization to Arbitrary Post Featured Image Modification

Affected Software: Interactive Image Map Plugin – Draw Attention
CVE ID: CVE-2023-2764
CVSS Score: 4.3 (Medium)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/18530601-a294-448c-a1b2-c3995f9042ac

LH Password Changer <= 1.55 – Cross-Site Request Forgery

Affected Software: LH Password Changer
CVE ID: CVE-2023-34182
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/19d08a16-51c1-4255-b0e0-01307e1783ca

Social Media & Share Icons <= 2.8.1 – Missing Authorization via handle_installation

Affected Software: Social Media Share Buttons & Social Sharing Icons
CVE ID: CVE-2023-34009
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1bfb5d34-738d-4842-be93-9668fceb3334

Advanced Flat rate shipping Woocommerce <= 1.6.4.4 – Cross-Site Request Forgery via enableDisable and deletePost

Affected Software: Conditional shipping & Advanced Flat rate shipping rates / Flexible shipping for WooCommerce shipping
CVE ID: CVE-2023-34015
CVSS Score: 4.3 (Medium)
Researcher/s: Skalucy
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/27b14c6e-44fe-4acb-8058-613f65b6baa4

Donation Platform for WooCommerce: Fundraising & Donation Management <= 1.2.9 – Cross-Site Request Forgery to Survey Submission

Affected Software: Donation Platform for WooCommerce: Fundraising & Donation Management
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3c8602ed-6c0d-4357-93e6-bab1ab38ffb2

WP Hide Post <= 2.0.10 – Cross-Site Request Forgery via save_bulk_edit_data

Affected Software: WP Hide Post
CVE ID: CVE-2023-34378
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3c957f3f-fb98-49ff-b317-93b1accd0d47

WP Full Auto Tags Manager <= 2.2 – Cross-Site Request Forgery

Affected Software: WP Full Auto Tags Manager
CVE ID: CVE-2023-34024
CVSS Score: 4.3 (Medium)
Researcher/s: Elliot
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5bf209b8-7c12-4fc3-af7f-4fd25777caab

WPC Smart Wishlist for WooCommerce <= 4.6.7 – Cross-Site Request Forgery via wishlist_add and wishlist_remove

Affected Software: WPC Smart Wishlist for WooCommerce
CVE ID: CVE-2023-34386
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/655fc91d-5920-4214-8ef1-8191e2683f9d

Disable WordPress Update Notifications <= 2.3.3 – Cross-Site Request Forgery

Affected Software: Disable WordPress Update Notifications and auto-update Email Notifications
CVE ID: CVE-2023-34029
CVSS Score: 4.3 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/658ba848-fbfe-4cee-b997-77bc4cae53dc

Uncanny Toolkit for LearnDash <= 3.6.4.3 – Open Redirect

Affected Software: Uncanny Toolkit for LearnDash
CVE ID: CVE-2023-34020
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/66e5a569-1dd5-40e9-8356-d7c82c8e30ed

WP-Cirrus <= 0.6.11 – Cross-Site Request Forgery

Affected Software: WP-Cirrus
CVE ID: CVE-2023-34181
CVSS Score: 4.3 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/710aa0fd-34e2-4f0e-b354-0722d9692410

LWS Hide Login <= 2.1.5 – Cross-Site Request Forgery

Affected Software: LWS Hide Login
CVE ID: CVE-2023-34025
CVSS Score: 4.3 (Medium)
Researcher/s: konagash
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7678b80f-3184-4979-b1f4-25cd75836010

Constant Contact Forms <= 1.14.0 – Missing Authorization via constant_contact_optin_ajax_handler

Affected Software: Constant Contact Forms
CVE ID: CVE-2023-34387
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/85b6262c-2576-4177-a683-44464dba0978

bbPress Toolkit <= 1.0.12 – Cross-Site Request Forgery

Affected Software: bbPress Toolkit
CVE ID: CVE-2023-34031
CVSS Score: 4.3 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8a9b2ec2-edbe-45c5-bd36-45a6101356d1

WP Inventory Manager <= 2.1.0.13 – Cross-Site Request Forgery via delete_item

Affected Software: WP Inventory Manager
CVE ID: CVE-2023-34002
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/95986a4d-94fb-4afe-ba1e-382d6f4c550f

Ultimate Member <= 2.6.0 – Cross-Site Request Forgery to Form Duplication

Affected Software: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/97ced4ed-915b-4234-b59d-75db983f90e8

WOLF <= 1.0.7 – Cross-Site Request Forgery via create_profile

Affected Software: WOLF – WordPress Posts Bulk Editor and Manager Professional
CVE ID: CVE-2023-34028
CVSS Score: 4.3 (Medium)
Researcher/s: thiennv
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/98dffc17-ac45-4ccd-ae57-96b36bd02be3

Complianz | GDPR/CCPA Cookie Consent <= 6.4.5 – Cross-Site Request Forgery

Affected Software: Complianz – GDPR/CCPA Cookie Consent
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a92d5176-4cf0-4a31-9dcc-a2dc3259d29b

VK Blocks <= 1.57.0.5 – Authenticated(Contributor+) Settings Update

Affected Software: VK Blocks
CVE ID: CVE-2023-0584
CVSS Score: 4.3 (Medium)
Researcher/s: Ramuel Gall
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b90b7f6c-df7f-48a5-b283-cf5facbd71e5

B2BKing <= 4.6.00 – Missing Authorization to Authenticated(Subscriber+) Information Disclosure

Affected Software: B2BKing — Ultimate WooCommerce Wholesale and B2B Solution — Wholesale Order Form, Catalog Mode, Dynamic Pricing & More
CVE ID: CVE-2023-3126
CVSS Score: 4.3 (Medium)
Researcher/s: Jerome Bruandet
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d2e3ac14-1421-49f0-9c60-7f7d5c9d7654

Multiple Themes (Various Versions) – Cross-Site Request Forgery to Arbitrary Plugin Activation

Kebo Twitter Feed <= 1.5.12 – Cross-Site Request Forgery via kebo_twitter_menu_render

Affected Software: Kebo Twitter Feed
CVE ID: CVE-2023-34384
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d56aaa20-f40c-4f99-bc38-0b14fa39a175

SpamReferrerBlock <= 2.22 – Cross-Site Request Forgery

Affected Software: SpamReferrerBlock
CVE ID: CVE-2023-34371
CVSS Score: 4.3 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d70e9d4e-2137-411b-bc01-28388a7b2519

TPG Redirect <= 1.0.6 – Cross-Site Request Forgery

Affected Software: TPG Redirect
CVE ID: CVE-2023-32093
CVSS Score: 4.3 (Medium)
Researcher/s: Taihei Shimamine
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d92b9c21-067b-41c3-a385-a65faa8dd0ae

WP-Cache.com <= 1.1.1 – Cross-Site Request Forgery

Affected Software: WP-Cache.com
CVE ID: CVE-2023-34177
CVSS Score: 4.3 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e9a28625-19e4-4696-bb51-7115368120d3

Bookly <= 21.7 – Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: WordPress Online Booking and Scheduling Plugin – Bookly
CVE ID: CVE-2023-1159
CVSS Score: 4 (Medium)
Researcher/s: Vinay Kumar
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d4cdf774-c93b-4b94-85ba-aa56bf401873

Nested Pages <= 3.2.3 – Missing Authorization to Authenticated (Editor+) Plugin Settings Reset

Affected Software: Nested Pages
CVE ID: CVE-2023-2434
CVSS Score: 3.8 (Low)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8c3e61e9-3610-41b5-9820-28012dc657fd

Brizy Page Builder <= 2.4.18 – IP Address Spoofing to Protection Mechanism Bypass

Affected Software: Brizy – Page Builder
CVE ID: CVE-2023-2897
CVSS Score: 3.7 (Low)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ae342dd9-2f5f-4356-8fb4-9a3e5f4f8316

CartFlows <= 1.11.11 – Insecure Direct Object Reference to Arbitrary Post Deletion

Affected Software: WooCommerce Checkout & Funnel Builder by CartFlows – Create High Converting Stores For WooCommerce
CVE ID: CVE Unknown
CVSS Score: 2.7 (Low)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b9002f6e-4345-4908-9cb8-9841a2458eb7

As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (May 29, 2023 to June 4, 2023) appeared first on Wordfence.