Last week, there were 55 vulnerabilities disclosed in 46 WordPress Plugins and no WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 15 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API and webhook notifications are completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
- WPvivid Backup Plugin <= 0.9.90 – Missing Authorization via start_staging and get_staging_progress
- MultiVendorX <= 4.0.25 – Improper Authorization on REST Routes via save_settings_permission
- PowerPress <= 11.0.10 – Authenticated(Contributor+) Stored Cross-Site Scripting via Media URL
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.
Total Unpatched & Patched Vulnerabilities Last Week
| Patch Status | Number of Vulnerabilities |
| Unpatched | 16 |
| Patched | 39 |
Total Vulnerabilities by CVSS Severity Last Week
| Severity Rating | Number of Vulnerabilities |
| Low Severity | 0 |
| Medium Severity | 37 |
| High Severity | 16 |
| Critical Severity | 2 |
Total Vulnerabilities by CWE Type Last Week
| Vulnerability Type by CWE | Number of Vulnerabilities |
| Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 18 |
| Cross-Site Request Forgery (CSRF) | 7 |
| Missing Authorization | 6 |
| Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 5 |
| Deserialization of Untrusted Data | 5 |
| Information Exposure | 4 |
| Authorization Bypass Through User-Controlled Key | 3 |
| Server-Side Request Forgery (SSRF) | 2 |
| Improper Control of Generation of Code (‘Code Injection’) | 1 |
| Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) | 1 |
| Incorrect Privilege Assignment | 1 |
| Improper Authorization | 1 |
| Unverified Password Change | 1 |
Researchers That Contributed to WordPress Security Last Week
| Researcher Name | Number of Vulnerabilities |
| Lana Codes (Wordfence Vulnerability Researcher) |
20 |
| foobar7 | 5 |
| Marco Wotschka (Wordfence Vulnerability Researcher) |
5 |
| Yan&Co ApS | 2 |
| Vladislav Pokrovsky | 2 |
| Chloe Chamberland (Wordfence Vulnerability Researcher) |
1 |
| Nguyen Anh Tien | 1 |
| Do Xuan Trung | 1 |
| osama-hamad | 1 |
| Rafie Muhammad | 1 |
| Dmitrii Ignatyev | 1 |
| Alex Thomas (Wordfence Vulnerability Researcher) |
1 |
| teo23mal | 1 |
| David Anderson | 1 |
| Pablo Sanchez | 1 |
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
| 10Web Map Builder for Google Maps | wd-google-maps |
| Allow PHP in Posts and Pages | allow-php-in-posts-and-pages |
| Awesome Weather Widget | awesome-weather |
| BAN Users | ban-users |
| Booking Calendar | booking |
| Booking calendar, Appointment Booking System | booking-calendar |
| Booster for WooCommerce | woocommerce-jetpack |
| Checkout Field Editor | woocommerce-checkout-field-editor |
| Comments – wpDiscuz | wpdiscuz |
| Crayon Syntax Highlighter | crayon-syntax-highlighter |
| DoLogin Security | dologin |
| Dropbox Folder Share | dropbox-folder-share |
| Enable Media Replace | enable-media-replace |
| Essential Addons for Elementor | essential-addons-for-elementor-lite |
| Essential Blocks Pro | essential-blocks-pro |
| Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates | essential-blocks |
| Feeds for YouTube (YouTube video, channel, and gallery plugin) | feeds-for-youtube |
| File Manager Pro – Filester | filester |
| Google Maps Plugin by Intergeo | intergeo-maps |
| Horizontal scrolling announcement | horizontal-scrolling-announcement |
| JQuery Accordion Menu Widget | jquery-vertical-accordion-menu |
| Jetpack CRM – Clients, Leads, Invoices, Billing, Email Marketing, & Automation | zero-bs-crm |
| Leyka | leyka |
| Login with phone number | login-with-phone-number |
| MapPress Maps for WordPress | mappress-google-maps-for-wordpress |
| Migration, Backup, Staging – WPvivid | wpvivid-backuprestore |
| MultiVendorX – MultiVendor Marketplace Solution For WooCommerce | dc-woocommerce-multi-vendor |
| Page Builder: Pagelayer – Drag and Drop website builder | pagelayer |
| Photospace Responsive Gallery | photospace-responsive |
| PowerPress Podcasting plugin by Blubrry | powerpress |
| Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress | quiz-master-next |
| Read More & Accordion | expand-maker |
| ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF | shortpixel-image-optimiser |
| Simplr Registration Form Plus+ | simplr-registration-form |
| Slimstat Analytics | wp-slimstat |
| Testimonial Slider Shortcode | testimonial-slider-shortcode |
| WP Customer Reviews | wp-customer-reviews |
| WP User Control | wp-user-control |
| WS Facebook Like Box Widget | ws-facebook-likebox |
| Welcart e-Commerce | usc-e-shop |
| WooCommerce | woocommerce |
| WooCommerce Beta Tester | woocommerce-beta-tester |
| WooCommerce CVR Payment Gateway | woocommerce-cvr-payment-gateway |
| WooCommerce EAN Payment Gateway | woocommerce-ean-payment-gateway |
| WooCommerce Subscription | woocommerce-subscriptions |
| WordPress File Upload | wp-file-upload |
| woocommerce-checkout-field-editor | woocommerce-checkout-field-editor |
Vulnerability Details
Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities.
Allow PHP in Posts and Pages <= 3.0.4 – Authenticated (Subscriber+) Remote Code Execution via Shortcode
Affected Software: Allow PHP in Posts and Pages
CVE ID: CVE-2023-4994
CVSS Score: 9.9 (Critical)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3d8b4bb6-3715-40c1-8140-7fcf874ccec3
CVE ID: CVE-2023-4994
CVSS Score: 9.9 (Critical)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3d8b4bb6-3715-40c1-8140-7fcf874ccec3
Dropbox Folder Share <= 1.9.7 – Unauthenticated Local File Inclusion
Affected Software: Dropbox Folder Share
CVE ID: CVE-2023-4488
CVSS Score: 9.8 (Critical)
Researcher/s: Marco Wotschka
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/647a2f27-092a-4db1-932d-87ae8c2efcca
CVE ID: CVE-2023-4488
CVSS Score: 9.8 (Critical)
Researcher/s: Marco Wotschka
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/647a2f27-092a-4db1-932d-87ae8c2efcca
Slimstat Analytics <= 5.0.9 – Authenticated (Contributor+) Blind SQL Injection via Shortcode
Affected Software: Slimstat Analytics
CVE ID: CVE-2023-4598
CVSS Score: 8.8 (High)
Researcher/s: Chloe Chamberland, Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/07c0f5a5-3455-4f06-b481-f4d678309c50
CVE ID: CVE-2023-4598
CVSS Score: 8.8 (High)
Researcher/s: Chloe Chamberland, Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/07c0f5a5-3455-4f06-b481-f4d678309c50
Welcart e-Commerce <= 2.8.21 – Authenticated(level_5+) SQL Injection via get_logs
Affected Software: Welcart e-Commerce
CVE ID: CVE Unknown
CVSS Score: 8.8 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/35dadb9c-f0c6-4b74-bb31-5e9d504b3db5
CVE ID: CVE Unknown
CVSS Score: 8.8 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/35dadb9c-f0c6-4b74-bb31-5e9d504b3db5
Simplr Registration Form Plus+ <= 2.4.5 – Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary User Password Change
Affected Software: Simplr Registration Form Plus+
CVE ID: CVE-2023-4213
CVSS Score: 8.8 (High)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6ddf0452-3afe-4ada-bccc-30c818968a81
CVE ID: CVE-2023-4213
CVSS Score: 8.8 (High)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6ddf0452-3afe-4ada-bccc-30c818968a81
Login with phone number <= 1.4.8 – Cross-Site Request Forgery to User Password Change
Affected Software: Login with phone number
CVE ID: CVE-2023-4916
CVSS Score: 8.8 (High)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/71083db7-377b-47a1-ac8b-83d8974a2654
CVE ID: CVE-2023-4916
CVSS Score: 8.8 (High)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/71083db7-377b-47a1-ac8b-83d8974a2654
Essential Addons for Elementor <= 5.8.8 – Authenticated (Contributor+) Privilege Escalation
Affected Software: Essential Addons for Elementor
CVE ID: CVE-2023-41955
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8c13701e-424d-462f-b152-4dc5ad3ef197
CVE ID: CVE-2023-41955
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8c13701e-424d-462f-b152-4dc5ad3ef197
BAN Users <= 1.5.3 – Missing Authorization to Authenticated (Subscriber+) Settings Update & Privilege Escalation
Affected Software: BAN Users
CVE ID: CVE-2023-4153
CVSS Score: 8.8 (High)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/af6bd2db-47a4-4381-a881-d5f97a159f8d
CVE ID: CVE-2023-4153
CVSS Score: 8.8 (High)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/af6bd2db-47a4-4381-a881-d5f97a159f8d
Horizontal scrolling announcement <= 9.2 – Authenticated (Subscriber+) SQL Injection via Shortcode
Affected Software: Horizontal scrolling announcement
CVE ID: CVE-2023-4999
CVSS Score: 8.8 (High)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bf50922a-58a6-4ca4-80b7-cafb37b87216
CVE ID: CVE-2023-4999
CVSS Score: 8.8 (High)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bf50922a-58a6-4ca4-80b7-cafb37b87216
File Manager Pro – Filester – <= 1.7.6 – Cross-Site Request Forgery to Arbitrary File Rename
Affected Software: File Manager Pro – Filester
CVE ID: CVE-2023-4827
CVSS Score: 8.8 (High)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cfbc7af2-1e2c-4aaf-b73c-870f7519aff1
CVE ID: CVE-2023-4827
CVSS Score: 8.8 (High)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cfbc7af2-1e2c-4aaf-b73c-870f7519aff1
MultiVendorX <= 4.0.25 – Improper Authorization on REST Routes via ‘save_settings_permission’
Affected Software: MultiVendorX – MultiVendor Marketplace Solution For WooCommerce
CVE ID: CVE Unknown
CVSS Score: 8.6 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/afd9046c-5b6a-411e-8e66-ff1ba60d7f9d
CVE ID: CVE Unknown
CVSS Score: 8.6 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/afd9046c-5b6a-411e-8e66-ff1ba60d7f9d
WPvivid Backup Plugin <= 0.9.90 – Missing Authorization via ‘start_staging’ and ‘get_staging_progress’
Affected Software: Migration, Backup, Staging – WPvivid
CVE ID: CVE-2023-41243
CVSS Score: 8.3 (High)
Researcher/s: Nguyen Anh Tien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/28e723ee-e99a-4ec4-b492-bfba04d27fd0
CVE ID: CVE-2023-41243
CVSS Score: 8.3 (High)
Researcher/s: Nguyen Anh Tien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/28e723ee-e99a-4ec4-b492-bfba04d27fd0
Essential Blocks <= 4.2.0 – Unauthenticated PHP Object Injection via products
Affected Software/s: Essential Blocks Pro, Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates
CVE ID: CVE-2023-4402
CVSS Score: 8.1 (High)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1ede7a25-9bb2-408e-b7fb-e5bd4f594351
CVE ID: CVE-2023-4402
CVSS Score: 8.1 (High)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1ede7a25-9bb2-408e-b7fb-e5bd4f594351
Essential Blocks <= 4.2.0 – Unauthenticated PHP Object Injection via queries
Affected Software/s: Essential Blocks Pro, Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates
CVE ID: CVE-2023-4386
CVSS Score: 8.1 (High)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/af468f83-d6ad-474c-bf7f-c4eeb6df1b54
CVE ID: CVE-2023-4386
CVSS Score: 8.1 (High)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/af468f83-d6ad-474c-bf7f-c4eeb6df1b54
Read More & Accordion <= 3.2.2 – Authenticated (Administrator+) PHP Object Injection
Affected Software: Read More & Accordion
CVE ID: CVE-2023-3392
CVSS Score: 7.2 (High)
Researcher/s: Do Xuan Trung
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/73ab9f95-05cc-47fc-bfcb-1787f6f80789
CVE ID: CVE-2023-3392
CVSS Score: 7.2 (High)
Researcher/s: Do Xuan Trung
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/73ab9f95-05cc-47fc-bfcb-1787f6f80789
Booking calendar, Appointment Booking System <= 3.2.8 – Multiple Authenticated(Editor+) SQL Injection
Affected Software: Booking calendar, Appointment Booking System
CVE ID: CVE Unknown
CVSS Score: 7.2 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a02f4fc4-42ca-4f8e-9c28-bfa69644e7b6
CVE ID: CVE Unknown
CVSS Score: 7.2 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a02f4fc4-42ca-4f8e-9c28-bfa69644e7b6
Dropbox Folder Share <= 1.9.7 – Unauthenticated Server-Side Request Forgery via ‘link’
Affected Software: Dropbox Folder Share
CVE ID: CVE-2023-3025
CVSS Score: 7.2 (High)
Researcher/s: Alex Thomas
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d62bd2bd-db01-479f-89e4-8031d69a912f
CVE ID: CVE-2023-3025
CVSS Score: 7.2 (High)
Researcher/s: Alex Thomas
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d62bd2bd-db01-479f-89e4-8031d69a912f
WooCommerce Beta Tester < 2.2.4 – Authenticated (Administrator+) SQL Injection
Affected Software: WooCommerce Beta Tester
CVE ID: CVE Unknown
CVSS Score: 7.2 (High)
Researcher/s: teo23mal
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d6cbec61-cbe8-44a6-8cc8-8603393ed6b0
CVE ID: CVE Unknown
CVSS Score: 7.2 (High)
Researcher/s: teo23mal
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d6cbec61-cbe8-44a6-8cc8-8603393ed6b0
Enable Media Replace <= 4.1.2 – Authenticated(Editor+) PHP Object Injection
Affected Software: Enable Media Replace
CVE ID: CVE Unknown
CVSS Score: 6.6 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6e7e6445-c1c5-48a8-a76d-819f2db1efc2
CVE ID: CVE Unknown
CVSS Score: 6.6 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6e7e6445-c1c5-48a8-a76d-819f2db1efc2
ShortPixel Image Optimizer <= 5.4.1 – Authenticated(Editor+) PHP Object Injection
Affected Software: ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF
CVE ID: CVE Unknown
CVSS Score: 6.6 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9f23bf62-6008-4a9c-a7ae-a2e513699684
CVE ID: CVE Unknown
CVSS Score: 6.6 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9f23bf62-6008-4a9c-a7ae-a2e513699684
Booking Calendar <= 9.7.3 – Unauthenticated Stored Cross-Site Scripting
Affected Software: Booking Calendar
CVE ID: CVE-2023-4620
CVSS Score: 6.5 (Medium)
Researcher/s: Pablo Sanchez
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f883823f-c225-4cd2-a0f6-39013476ed83
CVE ID: CVE-2023-4620
CVSS Score: 6.5 (Medium)
Researcher/s: Pablo Sanchez
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f883823f-c225-4cd2-a0f6-39013476ed83
Testimonial Slider Shortcode <= 1.1.8 – Authenticated (Contributor+) Cross-Site Scripting Vulnerability via Shortcode
Affected Software: Testimonial Slider Shortcode
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/30cb1b8c-84ce-4401-9c30-775efb257fe6
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/30cb1b8c-84ce-4401-9c30-775efb257fe6
Feeds for YouTube <= 2.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Affected Software: Feeds for YouTube (YouTube video, channel, and gallery plugin)
CVE ID: CVE-2023-4841
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/376e2638-a873-4142-ad7d-067ae3333709
CVE ID: CVE-2023-4841
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/376e2638-a873-4142-ad7d-067ae3333709
Awesome Weather Widget <= 3.0.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Affected Software: Awesome Weather Widget
CVE ID: CVE-2023-4944
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3bf77988-370b-437f-83a0-18a147e3e087
CVE ID: CVE-2023-4944
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3bf77988-370b-437f-83a0-18a147e3e087
Crayon Syntax Highlighter <= 2.8.4 – Authenticated (Contributor+) Server Side Request Forgery
Affected Software: Crayon Syntax Highlighter
CVE ID: CVE-2023-4893
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/527f75f1-6361-4e16-8ae4-d38ca4589811
CVE ID: CVE-2023-4893
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/527f75f1-6361-4e16-8ae4-d38ca4589811
WS Facebook Like Box Widget <= 5.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Affected Software: WS Facebook Like Box Widget
CVE ID: CVE-2023-4963
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8bebc229-9d15-439f-a8df-f68455bc5193
CVE ID: CVE-2023-4963
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8bebc229-9d15-439f-a8df-f68455bc5193
Booster for WooCommerce <= 7.1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Affected Software: Booster for WooCommerce
CVE ID: CVE-2023-4945
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/981639a3-63c4-4b3f-827f-4d770bd44806
CVE ID: CVE-2023-4945
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/981639a3-63c4-4b3f-827f-4d770bd44806
PowerPress <= 11.0.10 – Authenticated(Contributor+) Stored Cross-Site Scripting via Media URL
Affected Software: PowerPress Podcasting plugin by Blubrry
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ae8c888e-46ed-468f-a5d5-74a7f9d01a36
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ae8c888e-46ed-468f-a5d5-74a7f9d01a36
JQuery Accordion Menu Widget <= 3.1.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Affected Software: JQuery Accordion Menu Widget
CVE ID: CVE-2023-4890
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b0cf3015-cdc9-4ac9-82f3-e9b4d1203e22
CVE ID: CVE-2023-4890
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b0cf3015-cdc9-4ac9-82f3-e9b4d1203e22
MapPress Maps for WordPress <= 2.88.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Affected Software: MapPress Maps for WordPress
CVE ID: CVE-2023-4840
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c3d2c9a4-32f7-484f-86ce-a33ef1174b28
CVE ID: CVE-2023-4840
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c3d2c9a4-32f7-484f-86ce-a33ef1174b28
Google Maps Plugin by Intergeo <= 2.3.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Affected Software: Google Maps Plugin by Intergeo
CVE ID: CVE-2023-4887
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cb6d11ad-0983-4a4b-b52b-824eae8b8e3c
CVE ID: CVE-2023-4887
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cb6d11ad-0983-4a4b-b52b-824eae8b8e3c
Horizontal scrolling announcement <= 9.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Affected Software: Horizontal scrolling announcement
CVE ID: CVE-2023-5001
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d4f60e8c-2745-4930-9101-914bd73c6e1c
CVE ID: CVE-2023-5001
CVSS Score: 6.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d4f60e8c-2745-4930-9101-914bd73c6e1c
Jetpack CRM <= 5.5.0 – Authenticated (Client+) Stored Cross-Site Scripting
Affected Software: Jetpack CRM – Clients, Leads, Invoices, Billing, Email Marketing, & Automation
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: foobar7
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e1dbd0e2-8c6c-4127-b37c-269af3b7f71c
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: foobar7
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e1dbd0e2-8c6c-4127-b37c-269af3b7f71c
PageLayer <= 1.7.6 – Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: Page Builder: Pagelayer – Drag and Drop website builder
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e34b6ae5-1370-4058-95dd-5686978ca45b
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e34b6ae5-1370-4058-95dd-5686978ca45b
WooCommerce <= 7.8.2 – Sensitive Information Exposure
Affected Software: WooCommerce
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: osama-hamad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7b2d1879-c337-41c9-9f47-f9c2fe8e5928
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: osama-hamad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7b2d1879-c337-41c9-9f47-f9c2fe8e5928
wpDiscuz <= 7.6.3 – Insecure Direct Object Reference to Post Rating Increase/Decrease
Affected Software: Comments – wpDiscuz
CVE ID: CVE-2023-3998
CVSS Score: 5.3 (Medium)
Researcher/s: Vladislav Pokrovsky
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9d09bdab-ffab-44cc-bba2-821b21a8e343
CVE ID: CVE-2023-3998
CVSS Score: 5.3 (Medium)
Researcher/s: Vladislav Pokrovsky
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9d09bdab-ffab-44cc-bba2-821b21a8e343
wpDiscuz <= 7.6.3 – Insecure Direct Object Reference to Comment Rating Increase/Decrease
Affected Software: Comments – wpDiscuz
CVE ID: CVE-2023-3869
CVSS Score: 5.3 (Medium)
Researcher/s: Vladislav Pokrovsky
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b30ac1b0-eae2-4194-bf8e-ae73b4236965
CVE ID: CVE-2023-3869
CVSS Score: 5.3 (Medium)
Researcher/s: Vladislav Pokrovsky
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b30ac1b0-eae2-4194-bf8e-ae73b4236965
Leyka <= 3.30.3 – Authenticated (Subscriber+) Sensitive Information Exposure
Affected Software: Leyka
CVE ID: CVE-2023-4917
CVSS Score: 5.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/dcd24b90-94ff-4625-8e3e-9c90e38683f9
CVE ID: CVE-2023-4917
CVSS Score: 5.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/dcd24b90-94ff-4625-8e3e-9c90e38683f9
WP User Control <= 1.5.3 – Insecure Password Reset Mechanism
Affected Software: WP User Control
CVE ID: CVE-2023-4915
CVSS Score: 5.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f4ca1736-7b99-49db-9367-586dbc14df41
CVE ID: CVE-2023-4915
CVSS Score: 5.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f4ca1736-7b99-49db-9367-586dbc14df41
WooCommerce <= 7.0.0 – Authenticated(Shop Manager+) Sensitive Information Exposure
Affected Software: WooCommerce
CVE ID: CVE Unknown
CVSS Score: 4.9 (Medium)
Researcher/s: David Anderson
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f1efcff5-3af6-4c44-9654-b917523419aa
CVE ID: CVE Unknown
CVSS Score: 4.9 (Medium)
Researcher/s: David Anderson
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f1efcff5-3af6-4c44-9654-b917523419aa
WordPress File Upload <= 4.23.2 – Authenticated(Administrator+) Stored Cross-Site Scripting
Affected Software: WordPress File Upload
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0e1915d9-8ea9-4ab2-9746-3c49bc0bd7c8
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0e1915d9-8ea9-4ab2-9746-3c49bc0bd7c8
Jetpack CRM <= 5.5.0 – Authenticated (Administrator+) Stored Cross-Site Scripting
Affected Software: Jetpack CRM – Clients, Leads, Invoices, Billing, Email Marketing, & Automation
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: foobar7
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/32f2fc21-165c-483f-ab81-48d8f221e4be
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: foobar7
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/32f2fc21-165c-483f-ab81-48d8f221e4be
Photospace Responsive <= 2.1.1 – Authenticated (Administrator+) Stored Cross-Site Scripting
Affected Software: Photospace Responsive Gallery
CVE ID: CVE-2023-4271
CVSS Score: 4.4 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3bc98896-6ff9-40de-ace2-2ca331c2a44a
CVE ID: CVE-2023-4271
CVSS Score: 4.4 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3bc98896-6ff9-40de-ace2-2ca331c2a44a
Migration, Backup, Staging – WPvivid <= 0.9.90 – Authenticated(Administrator+) Stored Cross-Site Scripting
Affected Software: Migration, Backup, Staging – WPvivid
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b6d3ede8-465e-4588-b8ef-36bcd1850ec3
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b6d3ede8-465e-4588-b8ef-36bcd1850ec3
WP Customer Reviews <= 3.6.6 – Authenticated (Administrator+) Stored Cross-Site Scripting
Affected Software: WP Customer Reviews
CVE ID: CVE-2023-4648
CVSS Score: 4.4 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f81950be-de32-4fa1-94fe-42667414fe2d
CVE ID: CVE-2023-4648
CVSS Score: 4.4 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f81950be-de32-4fa1-94fe-42667414fe2d
WooCommerce Subscription < 4.6.0 – Cross-Site Request Forgery
Affected Software: WooCommerce Subscription
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: foobar7
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/08a98c08-cddc-4bc3-bc07-15d084070abd
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: foobar7
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/08a98c08-cddc-4bc3-bc07-15d084070abd
DoLogin Security <= 3.7 – Missing Authorization on Dashboard Widget
Affected Software: DoLogin Security
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/24e2b96c-665f-4616-ac99-1a2b1b0a9ccd
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/24e2b96c-665f-4616-ac99-1a2b1b0a9ccd
WooCommerce EAN Payment Gateway < 6.1.0 – Missing Authorization to Authenticated (Contributor+) EAN Update
Affected Software: WooCommerce EAN Payment Gateway
CVE ID: CVE-2023-4947
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes, Yan&Co ApS
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2760b183-3c15-4f0e-b72f-7c0333f9d4b6
CVE ID: CVE-2023-4947
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes, Yan&Co ApS
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2760b183-3c15-4f0e-b72f-7c0333f9d4b6
Quiz And Survey Master <= 8.1.15 – Cross-Site Request Forgery via ‘display_results’
Affected Software: Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/32173d38-7f85-4e0c-9b4c-38bee2783d77
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/32173d38-7f85-4e0c-9b4c-38bee2783d77
10Web Map Builder for Google Maps <= 1.0.73 – Cross-Site Request Forgery to Notice Dismissal
Affected Software: 10Web Map Builder for Google Maps
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4be81ba0-c678-4234-b63e-da9813817bef
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4be81ba0-c678-4234-b63e-da9813817bef
10Web Map Builder for Google Maps <= 1.0.73 – Missing Authorization to Notice Dismissal
Affected Software: 10Web Map Builder for Google Maps
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/63666c16-9f68-4a27-b163-4c25f0a7589e
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/63666c16-9f68-4a27-b163-4c25f0a7589e
Checkout Field Editor (Premium) < 1.7.5 – Cross-Site Request Forgery
Affected Software: woocommerce-checkout-field-editor
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: foobar7
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a4647210-ba7e-4233-83d6-12572213f5fb
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: foobar7
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a4647210-ba7e-4233-83d6-12572213f5fb
Booster for WooCommerce <= 7.1.0 – Authenticated (Subscriber+) Information Disclosure via Shortcode
Affected Software: Booster for WooCommerce
CVE ID: CVE-2023-4796
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a4cd49b2-ff93-4582-906b-b690d8472c38
CVE ID: CVE-2023-4796
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a4cd49b2-ff93-4582-906b-b690d8472c38
Checkout Field Editor <= 1.7.4 – Cross-Site Request Forgery to Checkout Fields Update
Affected Software: Checkout Field Editor
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: foobar7
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ad430706-749f-4582-af07-6c543b8d5aad
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: foobar7
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ad430706-749f-4582-af07-6c543b8d5aad
WooCommerce CVR Payment Gateway < 6.1.0 – Missing Authorization to Authenticated (Contributor+) CVR Update
Affected Software: WooCommerce CVR Payment Gateway
CVE ID: CVE-2023-4948
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes, Yan&Co ApS
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f72ba0e2-a9c4-43b0-a01f-185554090162
CVE ID: CVE-2023-4948
CVSS Score: 4.3 (Medium)
Researcher/s: Lana Codes, Yan&Co ApS
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f72ba0e2-a9c4-43b0-a01f-185554090162
As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.
This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
The post Wordfence Intelligence Weekly WordPress Vulnerability Report (September 11, 2023 to September 17, 2023) appeared first on Wordfence.
