Wordfence Intelligence Weekly WordPress Vulnerability Report (November 13, 2023 to November 19, 2023)

Wordfence just launched its bug bounty program. For the first 6 months, all awarded bounties receive a 10% bonus. View the announcement to learn more now!

Last week, there were 126 vulnerabilities disclosed in 102 WordPress Plugins and 2 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 37 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Enterprises, Hosting Providers, and even Indivudals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 12,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

WP Courses LMS <= 3.2.3 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status	Number of Vulnerabilities
Unpatched	40
Patched	86

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating	Number of Vulnerabilities
Low Severity	2
Medium Severity	105
High Severity	14
Critical Severity	5

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE	Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)	43
Missing Authorization	36
Cross-Site Request Forgery (CSRF)	26
Unrestricted Upload of File with Dangerous Type	4
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’)	3
Information Exposure	2
Deserialization of Untrusted Data	2
Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’)	1
Improper Privilege Management	1
Unverified Password Change	1
Protection Mechanism Failure	1
URL Redirection to Untrusted Site (‘Open Redirect’)	1
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)	1
Use of Less Trusted Source	1
Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’)	1
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)	1
Improper Authorization	1

Researchers That Contributed to WordPress Security Last Week

Researcher Name	Number of Vulnerabilities
Abdi Pranata	23
Rafie Muhammad	18
Ngô Thiên An (ancorn_)	10
Le Ngoc Anh	5
István Márton (Wordfence Vulnerability Researcher)	4
Mika	4
Marco Wotschka (Wordfence Vulnerability Researcher)	4
Paolo Tresso (Wordfence Vulnerability Researcher)	4
emad	3
Huynh Tien Si	3
Ala Arfaoui	2
Vincenzo Turturro	2
Gianluca Parisi	2
Vincenzo Cantatore	2
Revan Arifio	1
Enrico Marcolini	1
Claudio Marchesini (Dottormarc)	1
wpdabh	1
RIN MIYACHI	1
Nicolas Surribas	1
Naveen Muthusamy	1
Vladislav Pokrovsky (ΞX.MI)	1
niclo	1
LEE SE HYOUNG	1
Muhammad Daffa	1
Brandon James Roldan (tomorrowisnew)	1
BuShiYue	1
Alex Sanford	1
thiennv	1
Nguyen Xuan Chien	1
Furkan ÖZER	1
DoYeon Park (p6rkdoye0n)	1
Dmitrii Ignatyev	1
Bartłomiej Marek	1
Tomasz Swiadek	1
resecured.io	1
Ivy (TOOR, Lisa)	1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name	Software Slug
10WebAnalytics	wd-google-analytics
AMP+ Plus	amp-plus
ARI Stream Quiz – WordPress Quizzes Builder	ari-stream-quiz
AWeber – Free Sign Up Form and Landing Page Builder Plugin for Lead Generation and Email Newsletter Growth	aweber-web-form-widget
Accordion	accordions-wp
Acme Fix Images	acme-fix-images
Add Widgets to Page	add-widgets-to-page
Ajax Domain Checker	ajax-domain-checker
Anywhere Flash Embed	anywhere-flash-embed
AppPresser – Mobile App Framework	apppresser
Audio Merchant	audio-merchant
BMI Calculator Plugin	bmi-calculator-shortcode
BP Profile Shortcodes Extra	bp-profile-shortcodes-extra
BSK Contact Form 7 Blacklist	bsk-contact-form-7-blacklist
Bamboo Columns	bamboo-columns
Better RSS Widget	better-rss-widget
BetterDocs – Best Documentation & Knowledge Base Plugin	betterdocs
Big File Uploads – Increase Maximum File Upload Size	tuxedo-big-file-uploads
Bus Ticket Booking with Seat Reservation – WpBusTicketly \| WordPress plugin	bus-ticket-booking-with-seat-reservation
Client Invoicing by Sprout Invoices – Easy Estimates and Invoices for WordPress	sprout-invoices
CodeBard’s Patron Button and Widgets for Patreon	patron-button-and-widgets-by-codebard
Comments – wpDiscuz	wpdiscuz
Community by PeepSo – Social Network, Membership, Registration, User Profiles	peepso-core
Conditional Fields for Contact Form 7	cf7-conditional-fields
Customer Reviews for WooCommerce	customer-reviews-woocommerce
Daily Prayer Time	daily-prayer-time-for-mosques
Delete Duplicate Posts	delete-duplicate-posts
Ditty – Responsive News Tickers, Sliders, and Lists	ditty-news-ticker
DrawIt (draw.io)	drawit
EWWW Image Optimizer	ewww-image-optimizer
Easy Call Now by ThikShare	easy-call-now
EasyAzon – Amazon Associates Affiliate Plugin	easyazon
Elementor Addon Elements	addon-elements-for-elementor-page-builder
Email Encoder – Protect Email Addresses and Phone Numbers	email-encoder-bundle
Email Verification / SMS Verification / OTP Verification / OTP Authentication / WooCommerce Notification	miniorange-otp-verification
Embed Privacy	embed-privacy
EmbedPress – Embed PDF, YouTube, Google Docs, Vimeo, Wistia Videos, Audios, Maps & Any Documents in Gutenberg & Elementor	embedpress
Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates	essential-blocks
Essential Grid Portfolio – Photo Gallery	essential-grid
Events Addon for Elementor	events-addon-for-elementor
Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button – Chaty	chaty
Footer Putter	footer-putter
FormCraft – Contact Form Builder for WordPress	formcraft-form-builder
Forminator – Contact Form, Payment Form & Custom Form Builder	forminator
Frontend File Manager Plugin	nmedia-user-file-uploader
Hreflang Manager	hreflang-manager-lite
Image Compressor & Optimizer – iLoveIMG	iloveimg
Integration for Constant Contact and Contact Form 7, WPForms, Elementor, Ninja Forms	cf7-constant-contact
Interactive World Map	interactive-world-map
Jetpack – WP Security, Backup, Speed, & Growth	jetpack
LWS Hide Login	lws-hide-login
LayerSlider	layerslider
Leadster	leadster-marketing-conversacional
Legal Pages – Privacy Policy, Terms & Conditions, GDPR, CCPA, and Cookie Notice Generator	legal-pages
Live Preview for Contact Form 7	cf7-live-preview
LuckyWP Scripts Control	luckywp-scripts-control
MP3 Audio Player for Music, Radio & Podcast by Sonaar	mp3-music-player-by-sonaar
Namaste! LMS	namaste-lms
Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions	paid-memberships-pro
Permalinks Customizer	permalinks-customizer
Phlox Shop	auxin-shop
Popup Box – Best WordPress Popup Plugin	ays-popup-box
Post Status Notifier Lite	post-status-notifier-lite
Premium Portfolio Features for Phlox theme	auxin-portfolio
Premmerce Redirect Manager	premmerce-redirect-manager
Professional Social Sharing Buttons, Icons & Related Posts – Shareaholic	shareaholic
Pz-LinkCard	pz-linkcard
Quick Call Button	quick-call-button
Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress	quiz-master-next
Restaurant & Cafe Addon for Elementor	restaurant-cafe-addon-for-elementor
SearchIQ – The Search Solution	searchiq
Shortcodes and extra features for Phlox theme	auxin-elements
Simple 301 Redirects by BetterLinks	simple-301-redirects
Simply Excerpts	simply-excerpts
Slider Revolution	revslider
Slider – Ultimate Responsive Image Slider	ultimate-responsive-image-slider
Star CloudPRNT for WooCommerce	star-cloudprnt-for-woocommerce
Theater for WordPress	theatre
URL Shortify – Simple, Powerful and Easy URL Shortener Plugin For WordPress	url-shortify
Ultimate Dashboard – Custom WordPress Dashboard	ultimate-dashboard
WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses	wp-courses
WP Custom Admin Interface	wp-custom-admin-interface
WP EXtra	wp-extra
WP Fastest Cache	wp-fastest-cache
WP Like Button	wp-like-button
WP Maintenance	wp-maintenance
WP Meta and Date Remover	wp-meta-and-date-remover
WP Not Login Hide (WPNLH)	wp-not-login-hide-wpnlh
WPCafe – Restaurant Menu, Online Ordering for WooCommerce, Pickup / Delivery and Table Reservation	wp-cafe
Website Optimization – Plerdy	plerdy-heatmap
Welcart e-Commerce	usc-e-shop
Welcome Email Editor	welcome-email-editor
WooCommerce	woocommerce
WooCommerce Blocks	woo-gutenberg-products-block
WooCommerce Bookings	woocommerce-bookings
WooCommerce Product Carousel Slider	product-carousel-slider-for-woocommerce
Woocommerce Shipping Canada Post	woocommerce-shipping-canada-post
WordPress File Upload	wp-file-upload
YOP Poll	yop-poll
avalex – Automatisch sichere Rechtstexte	avalex
eCommerce Product Catalog Plugin for WordPress	ecommerce-product-catalog
wpMandrill	wpmandrill

WordPress Themes with Reported Vulnerabilities Last Week

Software Name	Software Slug
Betheme	betheme
Thrive Themes Builder	thrive-theme

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

Shortcodes and extra features for Phlox theme <= 2.14.0 – Unauthenticated Local File Inclusion

Affected Software: Shortcodes and extra features for Phlox theme
CVE ID: CVE-2023-37888
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/09437329-f01a-4998-90ec-e4b2e271e896

WP Fastest Cache <= 1.2.2 – Unauthenticated SQL Injection

Affected Software: WP Fastest Cache
CVE ID: CVE-2023-6063
CVSS Score: 9.8 (Critical)
Researcher/s: Alex Sanford
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/876efd71-8867-44b8-8017-86fad2a1b89f

Phlox Shop <= 2.0.0 – Unauthenticated Local File Inclusion

Affected Software: Phlox Shop
CVE ID: CVE-2023-39163
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e11e4bab-f8a9-4ecb-b36e-09a55e47f1ae

Phlox Portfolio <= 2.3.1 – Unauthenticated Local File Inclusion

Affected Software: Premium Portfolio Features for Phlox theme
CVE ID: CVE-2023-38399
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f6f3f82e-6b1b-4138-b8f3-82e8dcd24479

Frontend File Manager Plugin <= 22.5 – Authenticated (Editor+) Directory Traversal

Affected Software: Frontend File Manager Plugin
CVE ID: CVE-2023-5105
CVSS Score: 9.1 (Critical)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b59b5c41-6173-485e-869d-4165dc18e2bd

Audio Merchant <= 5.0.4 – Cross-Site Request Forgery to Arbitrary File Upload

Affected Software: Audio Merchant
CVE ID: CVE-2023-6196
CVSS Score: 8.8 (High)
Researcher/s: Ala Arfaoui
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/06513dfe-f263-48b7-ba01-2c205247095b

Thrive Theme Builder <= 3.20.1 – Cross-Site Request Forgery

Affected Software: Thrive Themes Builder
CVE ID: CVE-2023-47781
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/353c3cd9-5ada-466b-b8e5-d40e0ec4e867

Thrive Theme Builder <= 3.20.1 – Privilege Escalation

Affected Software: Thrive Themes Builder
CVE ID: CVE-2023-47782
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3b345dfe-3945-405a-9825-c88816b2adee

WP Courses LMS <= 3.2.3 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update

Affected Software: WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses
CVE ID: CVE Unknown
CVSS Score: 8.8 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8a6f7952-cb64-4cff-aae7-0f03692cd95f

Welcart e-Commerce <= 2.9.4 – Cross-Site Request Forgery

Affected Software: Welcart e-Commerce
CVE ID: CVE Unknown
CVSS Score: 8.8 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f59004bb-b026-4137-a332-f46a09237e7b

Welcart e-Commerce <= 2.9.4 – Authenticated (Subscriber+) Arbitrary File Upload

Essential Grid <= 3.0.18 – Missing Authorization

Affected Software: Essential Grid Portfolio – Photo Gallery
CVE ID: CVE-2023-47771
CVSS Score: 8.3 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/326618eb-186b-44a2-a779-00d5366bfff2

Thrive Theme Builder <= 3.20.1 – Missing Authorization

Affected Software: Thrive Themes Builder
CVE ID: CVE-2023-47783
CVSS Score: 8.3 (High)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4fd6fa4f-8f4d-4d2f-ac67-98124cfa9592

AppPresser <= 4.2.5 – Insecure Password Reset Mechanism

Affected Software: AppPresser – Mobile App Framework
CVE ID: CVE-2023-4214
CVSS Score: 8.1 (High)
Researcher/s: István Márton
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4c44c36a-c4c7-49c2-b750-1589e7840dde

Paid Memberships Pro <= 2.12.3 – Authenticated (Subscriber+) Arbitrary File Upload

Affected Software: Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions
CVE ID: CVE-2023-6187
CVSS Score: 7.5 (High)
Researcher/s: István Márton
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5979f2eb-2ca8-4b06-814c-c4236bb81af0

Image Compressor & Optimizer – iLoveIMG <= 1.0.5 – Authenticated (Administrator+) PHP Object Injection

Affected Software: Image Compressor & Optimizer – iLoveIMG
CVE ID: CVE Unknown
CVSS Score: 7.2 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/501e9cd1-1187-4d01-a3cc-5edba64c391f

Welcart e-Commerce <= 2.9.5 – Authenticated (Administrator+) PHP Object Injection

Affected Software: Welcart e-Commerce
CVE ID: CVE Unknown
CVSS Score: 7.2 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/91f86c22-94db-4c43-985a-2f3dd96ece21

Slider Revolution <= 6.6.15 – Authenticated (Author+) Arbitrary File Upload

Affected Software: Slider Revolution
CVE ID: CVE-2023-47784
CVSS Score: 7.2 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e2d29afd-06e8-461a-918f-38228441a51a

Bus Ticket Booking with Seat Reservation <= 5.2.5 – Unauthenticated Cross-Site Scripting

Affected Software: Bus Ticket Booking with Seat Reservation – WpBusTicketly | WordPress plugin
CVE ID: CVE-2023-30496
CVSS Score: 7.2 (High)
Researcher/s: Ivy (TOOR, Lisa)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e9960282-4730-4ee8-b338-adcc57f01cc6

Forminator <= 1.27.0 – Authenticated (Administrator+) Arbitrary File Upload

Affected Software: Forminator – Contact Form, Payment Form & Custom Form Builder
CVE ID: CVE-2023-6133
CVSS Score: 6.6 (Medium)
Researcher/s: István Márton
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/13cfa202-ab90-46c0-ab53-00995bfdcaa3

Email Encoder Bundle <= 2.1.8 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Affected Software: Email Encoder – Protect Email Addresses and Phone Numbers
CVE ID: CVE-2023-47821
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/09f328f6-8a66-46bf-80d9-3ffeaecfec32

Better RSS Widget <= 2.8.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Better RSS Widget
CVE ID: CVE-2023-47813
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/12660e7a-51fc-42c5-8a09-49df1db51efb

eCommerce Product Catalog for WordPress <= 3.3.26 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: eCommerce Product Catalog Plugin for WordPress
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/39695b53-9af7-42f0-8bde-3969398a7186

LayerSlider <= 7.7.9 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: LayerSlider
CVE ID: CVE-2023-47786
CVSS Score: 6.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/441bc9fe-3dd6-40a6-b7f3-36511115c083

WooCommerce <= 8.1.1 & WooCommerce Blocks <= 11.1.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Featured Image alt Attribute

Affected Software/s: WooCommerce, WooCommerce Blocks
CVE ID: CVE-2023-47777
CVSS Score: 6.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/525dec5b-b457-483c-ab2d-09dd320edcaa

Quiz And Survey Master <= 8.1.13 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress
CVE ID: CVE-2023-47834
CVSS Score: 6.4 (Medium)
Researcher/s: emad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5c482b6e-ce1e-46e2-8847-10c485594448

Ajax Domain Checker <= 1.3.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Ajax Domain Checker
CVE ID: CVE-2023-47810
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/699459a1-d407-4561-9d08-dd5d918ea601

Add Widgets to Page <= 1.3.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Add Widgets to Page
CVE ID: CVE-2023-47808
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6af20a2c-065c-48d5-a95c-2883ceeb50c6

Slider Revolution <= 6.6.14 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Slider Revolution
CVE ID: CVE-2023-47772
CVSS Score: 6.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/772e843b-00ea-45f5-b730-c9a793d4c2db

Jetpack <= 12.8-a.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via block attribute

Affected Software: Jetpack – WP Security, Backup, Speed, & Growth
CVE ID: CVE-2023-45050
CVSS Score: 6.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/824360ab-c797-465a-8480-baeae941af29

BMI Calculator Plugin <= 1.0.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: BMI Calculator Plugin
CVE ID: CVE-2023-47814
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8bf0e224-d8c7-4bf9-b9a3-97545da9d90c

Bamboo Columns <= 1.6.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Bamboo Columns
CVE ID: CVE-2023-47812
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8e7b40e4-c80a-4317-acff-77696fd8098f

Anywhere Flash Embed <= 1.0.5 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Anywhere Flash Embed
CVE ID: CVE-2023-47811
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a95d7ff6-55ce-4d63-8433-60cece306628

DrawIt (draw.io) <= 1.1.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: DrawIt (draw.io)
CVE ID: CVE-2023-47831
CVSS Score: 6.4 (Medium)
Researcher/s: resecured.io
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ddde9db5-3ed7-42f7-97c1-4ff9b9d1f627

WooCommerce Product Carousel Slider <= 3.3.5 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Affected Software: WooCommerce Product Carousel Slider
CVE ID: CVE-2023-47755
CVSS Score: 6.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e6f6dab2-da03-43b6-b9c1-ebc6a7e1d1c9

BP Profile Shortcodes Extra <= 2.5.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: BP Profile Shortcodes Extra
CVE ID: CVE-2023-47815
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ea9eaca6-3441-4976-8556-0ce288d1a0c6

ARI Stream Quiz <= 1.2.32 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: ARI Stream Quiz – WordPress Quizzes Builder
CVE ID: CVE-2023-47835
CVSS Score: 6.4 (Medium)
Researcher/s: emad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/edb4f4b7-a59c-454b-82b5-d8e91c1c82a3

Daily Prayer Time <= 2023.10.13 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Affected Software: Daily Prayer Time
CVE ID: CVE-2023-47817
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f0ccd265-2e64-4b23-a032-aaeb9941df34

Shareaholic <= 9.7.8 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Professional Social Sharing Buttons, Icons & Related Posts – Shareaholic
CVE ID: CVE-2023-4889
CVSS Score: 6.4 (Medium)
Researcher/s: István Márton
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ff6932c6-f3ec-46a8-a03b-95512eee5bf1

AWeber <= 7.3.9 – Missing Authorization via AJAX actions

Affected Software: AWeber – Free Sign Up Form and Landing Page Builder Plugin for Lead Generation and Email Newsletter Growth
CVE ID: CVE-2023-47757
CVSS Score: 6.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/397f20d8-2400-4403-8543-f57141378012

Betheme <= 27.1.1 – Missing Authorization

Affected Software: Betheme
CVE ID: CVE-2023-47770
CVSS Score: 6.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/72bdc81e-1a9d-4dd8-93a5-fb1026d6a2d9

Interactive World Map <= 3.2.0 – Reflected Cross-Site Scripting

Affected Software: Interactive World Map
CVE ID: CVE-2023-47767
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/09b0bfd3-93a7-4f13-828d-772f54085a60

BSK Contact Form 7 Blacklist <= 1.0.1 – Reflected Cross-Site Scripting

Affected Software: BSK Contact Form 7 Blacklist
CVE ID: CVE-2023-5141
CVSS Score: 6.1 (Medium)
Researcher/s: Enrico Marcolini, Claudio Marchesini (Dottormarc)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0e27b0a8-e052-49ed-8744-a2376aa386f5

Star CloudPRNT for WooCommerce <= 2.0.3 – Reflected Cross-Site Scripting

Affected Software: Star CloudPRNT for WooCommerce
CVE ID: CVE-2023-4603
CVSS Score: 6.1 (Medium)
Researcher/s: Vincenzo Turturro, Gianluca Parisi, Vincenzo Cantatore
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/110c6d41-e814-41c9-a3e7-d94ec3d953e6

AMP+ Plus <= 3.0 – Reflected Cross Site Scripting

Affected Software: AMP+ Plus
CVE ID: CVE-2023-5210
CVSS Score: 6.1 (Medium)
Researcher/s: Nicolas Surribas
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/417ff4fd-e514-4366-b9a6-c04d7434eac1

EmbedPress <= 3.9.1 – Reflected Cross-Site Scripting

Affected Software: EmbedPress – Embed PDF, YouTube, Google Docs, Vimeo, Wistia Videos, Audios, Maps & Any Documents in Gutenberg & Elementor
CVE ID: CVE Unknown
CVSS Score: 6.1 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/41edf49a-18a2-4cf0-b498-738e77287b90

Footer Putter <= 6.1.3 – Reflected Cross-Site Scripting

Affected Software: Footer Putter
CVE ID: CVE Unknown
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/688353c9-e4e5-4717-9651-15d05248554f

Post Status Notifier Lite <= 1.11.0 – Reflected Cross-Site Scripting

Affected Software: Post Status Notifier Lite
CVE ID: CVE-2023-47766
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6af1224e-0ed3-4770-96c0-c15cc895d36d

Permalinks Customizer <= 2.8.2 – Reflected Cross-Site Scripting

Affected Software: Permalinks Customizer
CVE ID: CVE-2023-47773
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/702dca65-fa8c-48c7-89e4-cba4b151e2c4

Namaste! LMS <= 2.6.1.1 – Reflected Cross-Site Scripting

Affected Software: Namaste! LMS
CVE ID: CVE-2023-4602
CVSS Score: 6.1 (Medium)
Researcher/s: Vincenzo Turturro, Gianluca Parisi, Vincenzo Cantatore
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d014f512-9030-49ce-945d-4900594fb373

Accordion <= 2.6 – Authenticated (Editor+) Stored Cross-Site Scripting via accordion settings

Affected Software: Accordion
CVE ID: CVE-2023-47809
CVSS Score: 5.5 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ff656409-2344-4190-a731-5a282e21375c

Embed Privacy <= 1.8.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Embed Privacy
CVE ID: CVE-2023-48300
CVSS Score: 5.4 (Medium)
Researcher/s: wpdabh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/26d9dfc7-151c-4b32-9ae4-3085d08f137c

Elementor Addon Elements <= 1.12.7 – Cross-Site Request Forgery

Affected Software: Elementor Addon Elements
CVE ID: CVE-2023-4689
CVSS Score: 5.4 (Medium)
Researcher/s: Marco Wotschka, Paolo Tresso
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/472cdbc4-3bfa-4254-b35a-be7ae10782e6

MP3 Audio Player for Music, Radio & Podcast by Sonaar <= 4.10 – Missing Authorization to Template Import

Affected Software: MP3 Audio Player for Music, Radio & Podcast by Sonaar
CVE ID: CVE-2023-47822
CVSS Score: 5.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6bcb9d95-acb4-4405-b785-1e5eace10dc9

Legal Pages <= 1.3.8 – Cross-Site Request Forgery via moveToTrash and fetch_and_insert_template_data

Affected Software: Legal Pages – Privacy Policy, Terms & Conditions, GDPR, CCPA, and Cookie Notice Generator
CVE ID: CVE-2023-47824
CVSS Score: 5.4 (Medium)
Researcher/s: Brandon James Roldan (tomorrowisnew)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6fb9c8c3-e491-4bca-adeb-b87d9f8f3b32

Pz-LinkCard <= 2.4.8 – Cross-Site Request Forgery via page_cacheman

Affected Software: Pz-LinkCard
CVE ID: CVE-2023-47790
CVSS Score: 5.4 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b6de97ac-127d-47ec-8b74-03e7fa4932f6

eCommerce Product Catalog for WordPress <= 3.3.25 – Cross-Site Request Forgery

Affected Software: eCommerce Product Catalog Plugin for WordPress
CVE ID: CVE Unknown
CVSS Score: 5.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ba70f811-543f-4da4-ba45-715dbd6be6be

Audio Merchant <= 5.0.4 – Cross-Site Request Forgery to Settings Modifcation and Stored Cross-Site Scripting

Affected Software: Audio Merchant
CVE ID: CVE-2023-6197
CVSS Score: 5.4 (Medium)
Researcher/s: Ala Arfaoui
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d7911337-57fa-4268-8366-d37ff13fae86

Delete Duplicate Posts <= 4.8.9 – Missing Authorization via AJAX Actions

Affected Software: Delete Duplicate Posts
CVE ID: CVE-2023-47754
CVSS Score: 5.4 (Medium)
Researcher/s: Huynh Tien Si
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f603a25f-7d56-4cf4-89aa-de87ee49522a

Elementor Addon Elements <= 1.12.7 – Cross-Site Request Forgery

Affected Software: Elementor Addon Elements
CVE ID: CVE-2023-4690
CVSS Score: 5.4 (Medium)
Researcher/s: Marco Wotschka, Paolo Tresso
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fd53b4e1-c6b7-4111-911a-04b14c7a9c4e

Restaurant & Cafe Addon for Elementor <= 1.5.2 – Missing Authorization

Affected Software: Restaurant & Cafe Addon for Elementor
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/07712191-03b6-4de4-b0a4-e6f03ce9dc81

Ditty <= 3.1.24 – Missing Authorization via save_ditty_permissions_check

Affected Software: Ditty – Responsive News Tickers, Sliders, and Lists
CVE ID: CVE-2023-47764
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/08630dfd-df43-4a5a-8fc7-ba8ff753db3d

FormCraft <= 1.2.7 – Missing Authorization via formcraft_nag_update

Affected Software: FormCraft – Contact Form Builder for WordPress
CVE ID: CVE-2023-47823
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/25d5735a-8eed-4b4a-9bbe-9e42fb18ddf2

SearchIQ <= 4.4 – Missing Authorization via getSIQPluginSettings

Affected Software: SearchIQ – The Search Solution
CVE ID: CVE-2023-47832
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3001829b-f63b-4b99-91a0-53d615ac96c1

YOP Poll <= 6.5.26 – Race Condition to Vote Manipulation

Affected Software: YOP Poll
CVE ID: CVE-2023-6109
CVSS Score: 5.3 (Medium)
Researcher/s: RIN MIYACHI
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/360b1927-a863-46be-ad11-3f6251c75a3c

WPCafe <= 2.2.19 – Missing Authorization via dismiss_ajax_call

Affected Software: WPCafe – Restaurant Menu, Online Ordering for WooCommerce, Pickup / Delivery and Table Reservation
CVE ID: CVE-2023-47805
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4261bc62-a091-408b-8643-e6fa61d62103

LWS Hide Login <= 2.1.8 – Protection Mechanism Bypass

Affected Software: LWS Hide Login
CVE ID: CVE-2023-47818
CVSS Score: 5.3 (Medium)
Researcher/s: Naveen Muthusamy
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/532cffdb-16e8-4ced-9477-483c96db343c

avalex – Automatisch sichere Rechtstexte <= 3.0.8 – Missing Authorization

Affected Software: avalex – Automatisch sichere Rechtstexte
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7319293e-f921-46d1-aea6-2578d1a251a7

WP Maintenance <= 6.1.3 – IP Restriction Bypass

Affected Software: WP Maintenance
CVE ID: CVE-2023-47769
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/87a1cc00-330c-40c3-a174-8ea50075c4bd

Elementor Addon Elements <= 1.12.7 – Missing Authorization to Sensitive Information Exposure

Affected Software: Elementor Addon Elements
CVE ID: CVE-2023-4723
CVSS Score: 5.3 (Medium)
Researcher/s: Marco Wotschka, Paolo Tresso
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/89489218-263f-4157-a5cd-a12bc6a0dfe6

Welcome Email Editor <= 5.0.5 – Missing Authorization via ajax_handler

Affected Software: Welcome Email Editor
CVE ID: CVE-2023-47756
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/943cd10b-1b58-4803-ba6f-291f73353422

Events Addon for Elementor <= 2.1.2 – Missing Authorization

Affected Software: Events Addon for Elementor
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b7f52e71-da35-4b46-b658-d293f81b5dc9

Acme Fix Images <= 1.0.0 – Missing Authorization via acme_fix_images_ajax_callback

Affected Software: Acme Fix Images
CVE ID: CVE-2023-47793
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b9047775-2d72-4eb5-9339-419f95aa19b2

EWWW Image Optimizer <= 7.2.0 – Unauthenticated Sensitive Information Exposure via Debug Log

Affected Software: EWWW Image Optimizer
CVE ID: CVE-2023-40600
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d20ff1a8-8794-41e1-9e66-1cda90f9ff77

WP Meta and Date Remover <= 2.3.0 – Cross-Site Request Forgery via updateSettings

Affected Software: WP Meta and Date Remover
CVE ID: CVE-2023-47836
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/faa9ad87-44b2-47b3-a05c-52e59af7255a

Jetpack < 12.7 – Authenticated(Contributor+) Clickjacking via Iframe Injection

Affected Software: Jetpack – WP Security, Backup, Speed, & Growth
CVE ID: CVE-2023-47774
CVSS Score: 5 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/92a3e622-b3b2-450e-82a7-0a942711e8c0

Integration for Contact Form 7 and Constant Contact <= 1.1.4 – Open Redirect

Affected Software: Integration for Constant Contact and Contact Form 7, WPForms, Elementor, Ninja Forms
CVE ID: CVE-2023-47779
CVSS Score: 4.7 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5c8404d2-7b37-40df-b756-328f827f273d

Chaty <= 3.1.2 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings

Affected Software: Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button – Chaty
CVE ID: CVE-2023-47759
CVSS Score: 4.4 (Medium)
Researcher/s: emad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/361deac0-f675-432c-b7d2-b99f168d476d

Popup Box <= 3.8.6 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Popup Box – Best WordPress Popup Plugin
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5a40bac7-d3b8-486d-938a-30591ff3016c

Simply Excerpts <= 1.4 – Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: Simply Excerpts
CVE ID: CVE-2023-5137
CVSS Score: 4.4 (Medium)
Researcher/s: niclo
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5e6a7f09-2166-426e-a548-daafb23363a6

Quick Call Button <= 1.2.9 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings

Affected Software: Quick Call Button
CVE ID: CVE-2023-47829
CVSS Score: 4.4 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6b5e9c7f-e0c9-4c27-8b39-87e15fd29604

Ultimate Dashboard <= 3.7.7 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

Affected Software: Ultimate Dashboard – Custom WordPress Dashboard
CVE ID: CVE-2023-4726
CVSS Score: 4.4 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/79cce1fc-a27f-4842-b1a2-2c53857add4c

WP Not Login Hide <= 1.0 – Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: WP Not Login Hide (WPNLH)
CVE ID: CVE-2023-5940
CVSS Score: 4.4 (Medium)
Researcher/s: Furkan ÖZER
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9fc46de4-af1c-4e38-9caa-55b7b18a69ae

Theater for WordPress <= 0.18.3 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings

Affected Software: Theater for WordPress
CVE ID: CVE-2023-47833
CVSS Score: 4.4 (Medium)
Researcher/s: DoYeon Park (p6rkdoye0n)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b0fdad22-5aee-468f-885c-f65c068cf413

Premmerce Redirect Manager <= 1.0.11 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Premmerce Redirect Manager
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b3d4f658-e9ce-490b-bcaa-1061a463dbb2

Elementor Addon Elements <= 1.12.7 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Elementor Addon Elements
CVE ID: CVE-2023-5381
CVSS Score: 4.4 (Medium)
Researcher/s: Paolo Tresso
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bd2bc2e7-960e-40db-9dcc-a6a60117bd83

Website Optimization – Plerdy <= 1.3.2 – Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: Website Optimization – Plerdy
CVE ID: CVE-2023-5715
CVSS Score: 4.4 (Medium)
Researcher/s: Huynh Tien Si
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/db18ac07-2e7a-466d-b00c-a598401f8633

URL Shortify <= 1.7.9 – Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: URL Shortify – Simple, Powerful and Easy URL Shortener Plugin For WordPress
CVE ID: CVE-2023-5605
CVSS Score: 4.4 (Medium)
Researcher/s: Bartłomiej Marek, Tomasz Swiadek
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ddc4b758-5a1e-4d0a-949e-869fcd9df0bc

wpDiscuz <= 7.6.12 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Comments – wpDiscuz
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f68bc7e9-3bfe-4b2f-82a1-92bbde1a133a

Conditional Fields for Contact Form 7 <= 2.4.1 – Missing Authorization

Affected Software: Conditional Fields for Contact Form 7
CVE ID: CVE-2023-47838
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3cfd8b2d-cf2a-439d-9f9a-dbe499b1cd48

WP Courses LMS <= 3.2.3 – Cross-Site Request Forgery

LuckyWP Scripts Control <= 1.2.1 – Missing Authorization

Affected Software: LuckyWP Scripts Control
CVE ID: CVE-2023-47778
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/51c42ca2-cdba-49f5-bea2-83c9b8cf0db7

Events Addon for Elementor <= 2.1.2 – Cross-Site Request Forgery

Affected Software: Events Addon for Elementor
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5256ef2b-e1fc-4746-b35e-07a265f47f95

wpDiscuz <= 7.6.11 – Cross-Site Request Forgery

Affected Software: Comments – wpDiscuz
CVE ID: CVE-2023-47775
CVSS Score: 4.3 (Medium)
Researcher/s: Vladislav Pokrovsky (ΞX.MI)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/53af9dfd-eb2d-4f6f-b02f-daf790b95f1f

Ultimate Responsive Image Slider <= 3.5.11 – Missing Authorization via AJAX action

Affected Software: Slider – Ultimate Responsive Image Slider
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5c92beb0-1fcf-4352-bd34-00e31b265c04

10WebAnalytics <= 1.2.12 – Missing Authorization via gawd_wd_bp_install_notice_status

Affected Software: 10WebAnalytics
CVE ID: CVE-2023-47807
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5dd2a4cb-dd74-4b00-82f5-3bf1452e71a3

miniorange otp verification <= 4.2.1 – Missing Authorization via dismiss_notice

Affected Software: Email Verification / SMS Verification / OTP Verification / OTP Authentication / WooCommerce Notification
CVE ID: CVE-2023-47776
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/62ea1427-0990-4645-aa1a-42da6fd3944f

WP EXtra <= 6.4 – Cross-Site Request Forgery ToolImport

Affected Software: WP EXtra
CVE ID: CVE-2023-47825
CVSS Score: 4.3 (Medium)
Researcher/s: Huynh Tien Si
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7e3f3104-e213-4b0f-9821-b3f1a5c06191

Leadster <= 1.1.2 – Cross-Site Request Forgery via leadster_script_code_action

Affected Software: Leadster
CVE ID: CVE-2023-47791
CVSS Score: 4.3 (Medium)
Researcher/s: BuShiYue
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/86837f87-ea91-404a-92ac-38d1abf14cde

Live Preview for Contact Form 7 <= 1.2.0 – Missing Authorization via update_option

Affected Software: Live Preview for Contact Form 7
CVE ID: CVE-2023-47830
CVSS Score: 4.3 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/89dbf14f-1cc8-4a66-b3d3-3568cba9a0aa

WP Custom Admin Interface <= 7.31 – Missing Authorization via wpcai_pro_notice_disable

Affected Software: WP Custom Admin Interface
CVE ID: CVE-2023-47763
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8b040f47-b126-4640-9fc5-bda8650f6c69

EasyAzon – Amazon Associates Affiliate <= 5.1.0 – Missing Authorization on AJAX actions

Affected Software: EasyAzon – Amazon Associates Affiliate Plugin
CVE ID: CVE-2023-47780
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/91ba93de-4c5f-4611-8296-adfc85c8dd2b

LayerSlider <= 7.7.9 – Cross-Site Request Forgery

Affected Software: LayerSlider
CVE ID: CVE-2023-47785
CVSS Score: 4.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9225ebc6-bff9-4176-a86e-022ff8ec3b05

Big File Uploads <= 2.1.1 – Cross-Site Request Forgery via actions

Affected Software: Big File Uploads – Increase Maximum File Upload Size
CVE ID: CVE-2023-47792
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/93b527a8-30c0-4e47-bb2b-522380b21699

Easy Call Now by ThikShare <= 1.1.0 – Cross-Site Request Forgery via settings_page

Affected Software: Easy Call Now by ThikShare
CVE ID: CVE-2023-47819
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9bd8c4e5-ef53-47e8-8658-291509e9b987

Restaurant & Cafe Addon for Elementor <= 1.5.2 – Cross-Site Request Forgery

Affected Software: Restaurant & Cafe Addon for Elementor
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9d986739-d6a5-491d-948f-4c58af75369a

Conditional Fields for Contact Form 7 <= 2.4.0 – Missing Authorization

Affected Software: Conditional Fields for Contact Form 7
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a175d2b2-0a35-4c5a-b05b-4d334e444e85

CodeBard’s Patron Button and Widgets for Patreon <= 2.1.9 – Cross-Site Request Forgery

Affected Software: CodeBard’s Patron Button and Widgets for Patreon
CVE ID: CVE-2023-47765
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a4ea53bd-2ce7-4dce-8c57-51ba81838f1a

WooCommerce Bookings <= 2.0.3 – Cross-Site Request Forgery

Affected Software: WooCommerce Bookings
CVE ID: CVE-2023-47787
CVSS Score: 4.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a54841af-65ce-4434-a67e-79ea673ec8f9

Customer Reviews for WooCommerce <= 5.38.1 – Cross-Site Request Forgery via manual review reminders

Affected Software: Customer Reviews for WooCommerce
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b243722e-6510-48bd-be26-95ccbe79fa57

WordPress File Upload 4.24.0 – Cross-Site Request Forgery

Affected Software: WordPress File Upload
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b6048088-c11c-4741-8dde-da707f8f84f2

ARI Stream Quiz <= 1.2.32 – Cross-Site Request Forgery

Affected Software: ARI Stream Quiz – WordPress Quizzes Builder
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b6c5f933-b71b-4475-abdf-4cffff2a1a6c

wpMandrill <= 1.33 – Missing Authorization via getAjaxStats

Affected Software: wpMandrill
CVE ID: CVE-2023-47828
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b89cf8ef-9fa0-4ede-8ec9-c166d0db74fe

Essential Blocks for Gutenberg <= 4.2.0 – Missing Authorization via AJAX actions

Affected Software: Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates
CVE ID: CVE-2023-47760
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c2136e1c-5f69-434d-bdc7-72a144da744b

Hreflang Manager <= 1.06 – Cross-Site Request Forgery

Affected Software: Hreflang Manager
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c357e34f-2d0f-4af4-bb67-cbbc6cd4e141

Customer Reviews for WooCommerce <= 5.38.1 – Missing Authorization via manual review reminders

Legal Pages <= 1.3.8 – Missing Authorization

Affected Software: Legal Pages – Privacy Policy, Terms & Conditions, GDPR, CCPA, and Cookie Notice Generator
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/db0508dd-143f-4674-8193-d46967d2799f

Simple 301 Redirects by BetterLinks <= 2.0.7 – Missing Authorization via clicked

Affected Software: Simple 301 Redirects by BetterLinks
CVE ID: CVE-2023-47761
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ddacd612-0cd5-4b07-9184-bec6f1adbb4c

Jetpack <= 12.6.2 – Improper Authorization via WPCom External Media REST endpoints

Affected Software: Jetpack – WP Security, Backup, Speed, & Growth
CVE ID: CVE-2023-47788
CVSS Score: 4.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e62fa16f-a4a1-44a7-9a66-abafd8dddf67

WooCommerce Canada Post Shipping <= 2.8.3 – Cross-Site Request Forgery

Affected Software: Woocommerce Shipping Canada Post
CVE ID: CVE-2023-47789
CVSS Score: 4.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ff850f88-6e89-48dd-ad70-dda4018c22fc

Restaurant & Cafe Addon for Elementor <= 1.5.3 – Missing Authorization via multiple AJAX functions

Affected Software: Restaurant & Cafe Addon for Elementor
CVE ID: CVE-2023-47826
CVSS Score: 3.1 (Low)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ad003d57-a573-473e-80a9-5bf60d42a707

WP Like Button <= 1.7.0 – Missing Authorization via crublabFBLBAjax

Affected Software: WP Like Button
CVE ID: CVE-2023-47820
CVSS Score: 3.1 (Low)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/da550fd7-3c1a-4b07-afc0-2366e0f5cccd

As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (November 13, 2023 to November 19, 2023) appeared first on Wordfence.