Wordfence Intelligence Weekly WordPress Vulnerability Report (December 18, 2023 to December 31, 2023)

Wordfence just launched its bug bounty program. For the first 6 months, all awarded bounties receive a 10% bonus. View the announcement to learn more now!

Over the last two weeks, 263 vulnerabilities disclosed in 217 WordPress plugins and 3 WordPress themes were added to the Wordfence Intelligence Vulnerability Database, and 42 vulnerability researchers contributed to WordPress security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Enterprises, hosting providers, and even individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Alternatively, they can use the Vulnerability Database API to receive a complete dump of our database of over 12,000 vulnerabilities, and then use the webhook integration to stay on top of the newest vulnerabilities added in real time, as well as any updates made to the database, all for free.

Click here to sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress security reports in your inbox the moment they are published.

New Firewall Rules Deployed Last Two Weeks

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

Directory Traversal via HTTP Headers

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30-day delay.

Total Unpatched & Patched Vulnerabilities Last Week

| Patch Status | Number of Vulnerabilities |
| --- | --- |
| Unpatched | 43 |
| Patched | 220 |

Total Vulnerabilities by CVSS Severity Last Week

| Severity Rating | Number of Vulnerabilities |
| --- | --- |
| Low Severity | 1 |
| Medium Severity | 212 |
| High Severity | 30 |
| Critical Severity | 20 |

Total Vulnerabilities by CWE Type Last Week

| Vulnerability Type by CWE | Number of Vulnerabilities |
| --- | --- |
| Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 77 |
| Missing Authorization | 51 |
| Cross-Site Request Forgery (CSRF) | 47 |
| Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 30 |
| Unrestricted Upload of File with Dangerous Type | 9 |
| Deserialization of Untrusted Data | 7 |
| Information Exposure Through Log Files | 7 |
| Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 5 |
| Information Exposure | 4 |
| Protection Mechanism Failure | 3 |
| Authorization Bypass Through User-Controlled Key | 3 |
| Server-Side Request Forgery (SSRF) | 2 |
| URL Redirection to Untrusted Site (‘Open Redirect’) | 2 |
| Storage of Sensitive Data in a Mechanism without Access Control | 2 |
| Weak Password Recovery Mechanism for Forgotten Password | 2 |
| Improper Input Validation | 2 |
| Improper Privilege Management | 1 |
| Reliance on IP Address for Authentication | 1 |
| External Control of File Name or Path | 1 |
| Information Exposure Through Debug Information | 1 |
| Use of Less Trusted Source | 1 |
| Improper Authentication | 1 |
| Improper Authorization | 1 |
| Improper Access Control | 1 |
| Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) | 1 |
| Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) | 1 |

Researchers That Contributed to WordPress Security Last Week

| Researcher Name | Number of Vulnerabilities |
| --- | --- |
| Rafie Muhammad | 61 |
| Brandon James Roldan (tomorrowisnew) | 24 |
| Muhammad Daffa | 23 |
| Ngô Thiên An (ancorn_) | 16 |
| LVT-tholv2k | 14 |
| emad | 11 |
| Abdi Pranata | 10 |
| Joshua Chan | 10 |
| Nguyen Xuan Chien | 9 |
| Abu Hurayra (HurayraIIT) | 9 |
| Mika | 6 |
| Skalucy | 6 |
| Dave Jong | 6 |
| thiennv | 5 |
| resecured.io | 5 |
| Revan Arifio | 5 |
| Huynh Tien Si | 3 |
| wpdabh | 3 |
| Le Ngoc Anh | 3 |
| Dmitrii Ignatyev | 3 |
| DoYeon Park (p6rkdoye0n) | 3 |
| Hiroho Shimada | 2 |
| Kyle Sanchez | 2 |
| Hung -mov Nguyen | 2 |
| Webbernaut | 2 |
| Nguyen Anh Tien | 2 |
| Jeongwoo-Lee(Roronoa) | 2 |
| Elliot | 1 |
| István Márton (Wordfence Vulnerability Researcher) | 1 |
| Taihei Shimamine | 1 |
| Rein Daelman (trein) | 1 |
| Robert DeVore | 1 |
| Marc-Alexandre Montpas | 1 |
| Vladislav Pokrovsky (ΞX.MI) | 1 |
| Yuchen Ji | 1 |
| Fariq Fadillah Gusti Insani (fariqfgi) | 1 |
| Yudistira Arya | 1 |
| Lucio Sá | 1 |
| Francesco Carlucci | 1 |
| Benmalek Aymen (centaurus) | 1 |
| Nex Team | 1 |
| Françoa Taffarel | 1 |

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

| Software Name | Software Slug |
| --- | --- |
| 404 Solution | 404-solution |
| AI Power: Complete AI Pack – Powered by GPT-4 | gpt3-ai-content-generator |
| AMP for WP – Accelerated Mobile Pages | accelerated-mobile-pages |
| ARI Stream Quiz – WordPress Quizzes Builder | ari-stream-quiz |
| ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup | armember-membership |
| Accredible Certificates & Open Badges | accredible-certificates |
| Active Products Tables for WooCommerce. Professional products tables for WooCommerce store | profit-products-tables-for-woocommerce |
| Add Any Extension to Pages | add-any-extension-to-pages |
| Advanced Access Manager – Restricted Content, Users & Roles, Enhanced Security and More | advanced-access-manager |
| Advanced Category Template | advanced-category-template |
| Advanced Form Integration – Connect WooCommerce and Contact Form 7 to Google Sheets and other platforms | advanced-form-integration |
| Affiliates Manager | affiliates-manager |
| All-in-one Floating Contact Form, Call, Chat, and 50+ Social Icon Tabs – My Sticky Elements | mystickyelements |
| Apollo13 Framework Extensions | apollo13-framework-extensions |
| Appointment & Event Booking Calendar Plugin – Webba Booking | webba-booking-lite |
| Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin | simply-schedule-appointments |
| Author Box, Guest Author and Co-Authors for Your Posts – Molongui | molongui-authorship |
| Auto Amazon Links – Amazon Associates Affiliate Plugin | amazon-auto-links |
| Awesome Support – WordPress HelpDesk & Support Plugin | awesome-support |
| BERTHA AI. Your AI co-pilot for WordPress and Chrome | bertha-ai-free |
| Back Button Widget | back-button-widget |
| Backup Migration | backup-backup |
| Beaver Builder – WordPress Page Builder | beaver-builder-lite-version |
| Block IPs for Gravity Forms | gf-block-ips |
| Booking Calendar \| Appointment Booking \| BookIt | bookit |
| Booking Manager | booking-manager |
| Booking for Appointments and Events Calendar – Amelia | ameliabooking |
| BookingPress – Appointment Booking Calendar Plugin and Online Scheduling Plugin | bookingpress-appointment-booking |
| Booster Elite for WooCommerce | booster-elite-for-woocommerce |
| Branda – White Label WordPress, Custom Login Page Customizer | branda-white-labeling |
| Brave – Create Popup, Optins, Lead Generation, Survey, Sticky Elements & Interactive Content | brave-popup-builder |
| BuddyPress | buddypress |
| Build App Online | build-app-online |
| BulkGate SMS Plugin for WooCommerce | woosms-sms-module-for-woocommerce |
| Business Directory Plugin – Easy Listing Directories for WordPress | business-directory-plugin |
| CBX Bookmark & Favorite | cbxwpbookmark |
| CRM Perks Forms – WordPress Form Builder | crm-perks-forms |
| CSS & JavaScript Toolbox | css-javascript-toolbox |
| CURCY – Multi Currency for WooCommerce | UNKNOWN-CVE-2023-50831-1 |
| Calculated Fields Form | calculated-fields-form |
| Checkout Mestres WP | checkout-mestres-wp |
| Clockwork SMS Notfications | mediaburst-email-to-sms |
| Clone | wp-clone-by-wp-academy |
| Colibri Page Builder | colibri-page-builder |
| Conversios – Google Analytics 4 (GA4), Meta Pixel & more Via Google Tag Manager For WooCommerce | enhanced-e-commerce-for-woocommerce-store |
| Crowdsignal Dashboard – Polls, Surveys & more | polldaddy |
| Currency Converter Widget – Exchange Rates | currency-converter-widget |
| Custom 404 Pro | custom-404-pro |
| Custom Post Carousels with Owl | dd-post-carousel |
| Custom Twitter Feeds – A Tweets Widget or X Feed Widget | custom-twitter-feeds |
| Customer Reviews for WooCommerce | customer-reviews-woocommerce |
| Customize My Account for WooCommerce | customize-my-account-for-woocommerce |
| Dan’s Embedder for Google Calendar | dans-gcal |
| Database Cleaner: Clean, Optimize & Repair | database-cleaner |
| Defender Security – Malware Scanner, Login Security & Firewall | defender-security |
| Disable Json API, Login Lockdown, XMLRPC, Pingback, Stop User Enumeration Anti Hacker Scan | antihacker |
| Doofinder WP & WooCommerce Search | doofinder-for-woocommerce |
| Duplicator – WordPress Migration & Backup Plugin | duplicator |
| Dynamic Content for Elementor | dynamic-content-for-elementor |
| E2Pdf – Export To Pdf Tool for WordPress | e2pdf |
| Easy Digital Downloads – Sell Digital Files (eCommerce Store & Payments Made Easy) | easy-digital-downloads |
| Easy PayPal & Stripe Buy Now Button | wp-ecommerce-paypal |
| Easy Video Player | easy-video-player |
| Eazy Plugin Manager – Powerful Plugin Management Solution for WordPress | plugins-on-steroids |
| Enable Media Replace | enable-media-replace |
| EnvíaloSimple: Email Marketing y Newsletters | envialosimple-email-marketing-y-newsletters-gratis |
| Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates | essential-blocks |
| Event Monster – Event Management, Tickets Booking, Upcoming Event | event-monster |
| Events Shortcodes For The Events Calendar | template-events-calendar |
| Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin | everest-backup |
| Everest Forms – Build Contact Forms, Surveys, Polls, Application Forms, and more with Ease! | everest-forms |
| Export Media URLs | export-media-urls |
| FOX – Currency Switcher Professional for WooCommerce | woocommerce-currency-switcher |
| FastDup – Fastest WordPress Migration & Duplicator | fastdup |
| Floating Button | floating-button |
| Fluent Support – WordPress Helpdesk and Customer Support Ticket Plugin | fluent-support |
| Form plugin for WordPress – Zoho Forms | zoho-forms |
| Frontend Admin by DynamiApps | acf-frontend-form-element |
| Funnel Builder for WordPress by FunnelKit – Customize WooCommerce Checkout Pages, Create Sales Funnels & Maximize Profits | funnel-builder |
| FunnelKit Checkout | woofunnels-aero-checkout |
| GEO my WordPress | geo-my-wp |
| GeoDirectory – WordPress Business Directory Plugin, or Classified Directory | geodirectory |
| Google Photos Gallery with Shortcodes | google-picasa-albums-viewer |
| HT Mega – Absolute Addons For Elementor | ht-mega-for-elementor |
| HTML Forms | html-forms |
| HUSKY – Products Filter for WooCommerce Professional | woocommerce-products-filter |
| Happy Addons for Elementor | happy-elementor-addons |
| HashBar – WordPress Notification Bar | hashbar-wp-notification-bar |
| Icegram Engage – WordPress Lead Generation, Popup Builder, CTA, Optins and Email List Building | icegram |
| If-So Dynamic Content Personalization | if-so |
| Image Optimizer, Resizer and CDN – Sirv | sirv |
| Image Source Control Lite – Show Image Credits and Captions | image-source-control-isc |
| Impreza – WordPress Website and WooCommerce Builder | impreza |
| Inline Image Upload for BBPress | image-upload-for-bbpress |
| Insert or Embed Articulate Content into WordPress | insert-or-embed-articulate-content-into-wordpress |
| Integrate Google Drive – Browse, Upload, Download, Embed, Play, Share, Gallery, and Manage Your Google Drive Files Into Your WordPress Site | integrate-google-drive |
| JS Help Desk – Best Help Desk & Support Plugin | js-support-ticket |
| JSM file_get_contents() Shortcode | wp-file-get-contents |
| JVM Gutenberg Rich Text Icons | jvm-rich-text-icons |
| Job Manager & Career – Manage job board listings, and recruitments | job-manager-career |
| LA-Studio Element Kit for Elementor | lastudio-element-kit |
| Limit Login Attempts Reloaded | limit-login-attempts-reloaded |
| Loan Repayment Calculator and Application Form | quick-interest-slider |
| Local Delivery Drivers for WooCommerce | local-delivery-drivers-for-woocommerce |
| Login Lockdown – Protect Login Form | login-lockdown |
| Login as User or Customer | login-as-customer-or-user |
| Logo Slider – Logo Showcase, Logo Carousel, Logo Gallery and Client Logo Presentation | gs-logo-slider |
| MC4WP: Mailchimp for WordPress | mailchimp-for-wp |
| MF Gig Calendar | mf-gig-calendar |
| MStore API | mstore-api |
| Mail logging – WP Mail Catcher | wp-mail-catcher |
| Malware Scanner | miniorange-malware-protection |
| Media File Renamer: Rename Files (Manual, Auto & AI) | media-file-renamer |
| Menu Image, Icons made easy | menu-image |
| Metform Elementor Contact Form Builder | metform |
| Most And Least Read Posts Widget | most-and-least-read-posts-widget |
| Multi Step Form | multi-step-form |
| MultiVendorX Marketplace – WooCommetrce MultiVendor Marketplace Solution | dc-woocommerce-multi-vendor |
| My Agile Privacy – The only GDPR solution for WordPress that you can truly trust | myagileprivacy |
| NEX-Forms – Ultimate Form Builder – Contact forms and much more | nex-forms-express-wp-form-builder |
| New User Approve | new-user-approve |
| NitroPack – Cache & Speed Optimization for Core Web Vitals, Defer CSS & JavaScript, Lazy load Images | nitropack |
| Page Generator | page-generator |
| Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction | paid-member-subscriptions |
| Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions | paid-memberships-pro |
| Pay with Vipps for WooCommerce | woo-vipps |
| Photo Gallery by 10Web – Mobile-Friendly Image Gallery | photo-gallery |
| Piotnet Forms | piotnetforms |
| Poll Maker – Best WordPress Poll Plugin | poll-maker |
| Pre* Party Resource Hints | pre-party-browser-hints |
| Product Catalog Simple | post-type-x |
| Product Code for WooCommerce | product-code-for-woocommerce |
| Product Feed Manager – WooCommerce to Google Shopping, Social Catalogs, and 170+ Popular Marketplaces | best-woocommerce-feed |
| Product Filter by WBW | woo-product-filter |
| Product Table by WBW | woo-product-tables |
| Product Vendors | woocommerce-product-vendors |
| ProfileGrid – User Profiles, Memberships, Groups and Communities | profilegrid-user-profiles-groups-and-communities |
| Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress | quiz-master-next |
| Rate my Post – WP Rating System | rate-my-post |
| Recipe Maker For Your Food Blog from Zip Recipes | zip-recipes |
| Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit | wp-marketing-automations |
| RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login | custom-registration-form-builder-with-submission-manager |
| Rencontre – Dating Site | rencontre |
| Republish Old Posts | republish-old-posts |
| Restaurant Reservations | nd-restaurant-reservations |
| Rise Blocks – A Complete Gutenberg Page Builder | rise-blocks |
| Schema & Structured Data for WP & AMP | schema-and-structured-data-for-wp |
| Send Users Email | send-users-email |
| Sensei LMS – Online Courses, Quizzes, & Learning | sensei-lms |
| Seos Contact Form | seos-contact-form |
| Simple Counter | abwp-simple-counter |
| Simple Job Board | simple-job-board |
| Simple Membership | simple-membership |
| Simple Staff List | simple-staff-list |
| Slider by Soliloquy – Responsive Image Slider for WordPress | soliloquy-lite |
| Spam protection, Anti-Spam, FireWall by CleanTalk | cleantalk-spam-protect |
| Split Test For Elementor | split-test-for-elementor |
| Squirrly SEO – Advanced Pack | squirrly-seo-pack |
| Sticky Chat Widget: WhatsApp, Messenger, Click to chat, SMS, Email, Messages, Call Button, Contact form and more Chat buttons | sticky-chat-widget |
| Stock Ticker | stock-ticker |
| Store Locator WordPress | agile-store-locator |
| Strong Testimonials | strong-testimonials |
| Stylish Price List – Price Table Builder & QR Code Restaurant Menu | stylish-price-list |
| SureFeedback Client Site | projecthuddle-child-site |
| TerraClassifieds – Simple Classifieds Plugin | terraclassifieds |
| Theme per user | theme-per-user |
| Themify Icons | themify-icons |
| Thrive Automator | thrive-automator |
| Ultimate Addons for Beaver Builder | bb-ultimate-addon |
| Ultimate Addons for WPBakery | Ultimate_VC_Addons |
| Ultimate Dashboard – Custom WordPress Dashboard | ultimate-dashboard |
| Uncanny Automator – Automate everything with the #1 no-code automation and integration plugin | uncanny-automator |
| User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds | userfeedback-lite |
| Verge3D Publishing and E-Commerce | verge3d |
| WP Adminify – WordPress Dashboard Customization \| Custom Login \| Admin Columns \| Dashboard Widget \| Media Library Folders | adminify |
| WP Affiliate Disclosure | wp-affiliate-disclosure |
| WP Chat App | wp-whatsapp |
| WP Crowdfunding | wp-crowdfunding |
| WP Edit Username | wp-edit-username |
| WP Frontend Profile | wp-front-end-profile |
| WP Go Maps (formerly WP Google Maps) | wp-google-maps |
| WP Job Portal – A Complete Job Board | wp-job-portal |
| WP MLM SOFTWARE PLUGIN | wp-mlm |
| WP Mail Log | wp-mail-log |
| WP Optin Wheel – Gamified Optin Email Marketing Tool for WordPress and WooCommerce | wp-optin-wheel |
| WP Remote Site Search | wp-remote-site-search |
| WP Review Slider | wp-facebook-reviews |
| WP Shortcodes Plugin — Shortcodes Ultimate | shortcodes-ultimate |
| WP Simple Booking Calendar | wp-simple-booking-calendar |
| WP Stripe Checkout | wp-stripe-checkout |
| WP Tabs – Responsive Tabs Plugin for WordPress | wp-expand-tabs-free |
| WP User Profile Avatar | wp-user-profile-avatar |
| WPC Product Bundles for WooCommerce | woo-product-bundle |
| WPCS – WordPress Currency Switcher Professional | currency-switcher |
| WS Form LITE – Drag & Drop Contact Form Builder for WordPress | ws-form |
| Webinar Plugin: Create live/evergreen/automated/instant webinars, stream & Zoom Meetings \| WebinarIgnition | webinar-ignition |
| Welcart e-Commerce | usc-e-shop |
| White Label – WordPress Custom Admin, Custom Login Page, and Custom Dashboard | white-label |
| WooCommerce Easy Duplicate Product | woo-easy-duplicate-product |
| WooCommerce Menu Extension | woocommerce-menu-extension |
| WooCommerce PDF Invoice Builder, Create invoices, packing slips and more | woo-pdf-invoice-builder |
| WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels | print-invoices-packing-slip-labels-for-woocommerce |
| WooCommerce Per Product Shipping | woocommerce-shipping-per-product |
| WooCommerce Ship to Multiple Addresses | woocommerce-shipping-multiple-addresses |
| WooCommerce Stripe Payment Gateway | woocommerce-gateway-stripe |
| WooCommerce Warranty Requests | woocommerce-warranty |
| WooPayments – Fully Integrated Solution Built and Supported by Woo | woocommerce-payments |
| Woocommerce Shipping Canada Post | woocommerce-shipping-canada-post |
| WordPress Infinite Scroll – Ajax Load More | ajax-load-more |
| WordPress.com Editing Toolkit | full-site-editing |
| YITH WooCommerce Product Add-Ons | yith-woocommerce-product-add-ons |
| ZeroBounce Email Verification & Validation | zerobounce |
| eCommerce Product Catalog Plugin for WordPress | ecommerce-product-catalog |
| iframe | iframe |
| iframe Shortcode | iframe-shortcode |
| uncode-core | uncode-core |
| weForms – Easy Drag & Drop Contact Form Builder For WordPress | weforms |

WordPress Themes with Reported Vulnerabilities Last Week

| Software Name | Software Slug |
| --- | --- |
| BuddyBoss Theme | buddyboss-theme |
| Divi | Divi |
| TheGem | thegem |

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

BERTHA AI Plugin <= 1.11.10.7 – Unauthenticated Arbitrary File Upload

Affected Software: BERTHA AI. Your AI co-pilot for WordPress and Chrome
CVE ID: CVE-2023-51419
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1b4630f7-74db-46c4-bf86-f1ff64be3463

WebinarIgnition <= 3.05.0 – Missing Authorization to Unauthenticated Privilege Escalation

Piotnet Forms Plugin <= 1.0.25 – Unauthenticated Arbitrary File Upload

Affected Software: Piotnet Forms
CVE ID: CVE-2023-51412
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2f52298b-344b-4561-b1bf-93bea95a3e53

WP Clone <= 2.4.2 – Sensitive Information Exposure

Affected Software: Clone
CVE ID: CVE-2023-6750
CVSS Score: 9.8 (Critical)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/44a921e7-cce3-4347-968d-76dab243fcd6

Rencontre – Dating Site <= 3.10.1 – Unauthenticated Arbitrary File Upload

Affected Software: Rencontre – Dating Site
CVE ID: CVE-2023-51468
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/59be1fc7-2854-404d-8e9d-dd9bd26e6a2c

Login as User or Customer (User Switching) <= 3.8 – Authentication Bypass

Affected Software: Login as User or Customer
CVE ID: CVE-2023-51484
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5b07ea6a-511d-44ab-b0b7-5124702ad47d

Build App Online <= 1.0.19 – Account Takeover via Weak Password Reset Mechanism

Affected Software: Build App Online
CVE ID: CVE-2023-51478
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/743e40f6-dde3-4d8f-938e-b2a0dcdfb901

Frontend Admin by DynamiApps Plugin <= 3.18.3 – Unauthenticated Arbitrary File Upload

Affected Software: Frontend Admin by DynamiApps
CVE ID: CVE-2023-51411
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7815322d-a240-4855-b458-60caa3cec96c

JS Help Desk <= 2.8.1 – Unauthenticated SQL Injection via email and trackingid

Affected Software: JS Help Desk – Best Help Desk & Support Plugin
CVE ID: CVE-2023-50839
CVSS Score: 9.8 (Critical)
Researcher/s: Fariq Fadillah Gusti Insani (fariqfgi)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7a3e89cc-56cb-42d7-b4f6-bfc7ca0e03e6

Checkout Mestres WP <= 7.1.9.6 – Authentication Bypass via Password Reset

Affected Software: Checkout Mestres WP
CVE ID: CVE-2023-51472
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7ad16d1e-e778-4cb4-a15d-ddb906f27762

Checkout Mestres WP <= 7.1.9.6 – Missing Authorization to Unauthenticated Arbitrary Options Update

Affected Software: Checkout Mestres WP
CVE ID: CVE-2023-51471
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8a52bf70-667b-400f-8912-75fae20a3f5b

WP Frontend Profile <= 1.3.1 – Unauthenticated Privilege Escalation

Affected Software: WP Frontend Profile
CVE ID: CVE-2023-51483
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/91de6cf4-e5df-4130-bb96-92b89717a678

WP MLM Unilevel <= 4.0 – Unauthenticated Privilege Escalation

Affected Software: WP MLM SOFTWARE PLUGIN
CVE ID: CVE-2023-51476
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/abcc1ed6-1871-4e8c-9469-c44dbfca5a17

TerraClassifieds <= 2.0.3 – Unauthenticated Arbitrary File Upload

Affected Software: TerraClassifieds – Simple Classifieds Plugin
CVE ID: CVE-2023-51473
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b0399b60-6e40-4f35-985f-845a32f69d64

Rencontre – Dating Site <= 3.10.1 – Privilege Escalation

Affected Software: Rencontre – Dating Site
CVE ID: CVE-2023-51425
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b1278291-9fef-40f5-a432-d96f4bed31fe

WP MLM <= 4.0 – Unauthenticated Arbitrary File Upload

Affected Software: WP MLM SOFTWARE PLUGIN
CVE ID: CVE-2023-51475
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b3451ed9-9a9a-443f-b1ce-dcd07bd3e6ce

Theme per user <= 1.0.1 – Unauthenticated PHP Object Injection

Affected Software: Theme per user
CVE ID: CVE-2023-52181
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bc7e6844-23e2-4523-8261-21d4cba87db3

Active Products Tables for WooCommerce <= 1.0.6 – Unauthenticated PHP Object Injection

Affected Software: Active Products Tables for WooCommerce. Professional products tables for WooCommerce store
CVE ID: CVE-2023-51505
CVSS Score: 9.8 (Critical)
Researcher/s: LVT-tholv2k
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c5519d4e-84b5-4901-b55c-a0a919f4b6c9

Checkout Mestres WP <= 7.1.9.6 – Unauthenticated SQL Injection

Affected Software: Checkout Mestres WP
CVE ID: CVE-2023-51469
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e068573d-bc3e-48de-b4e7-6a0666086ac3

WebinarIgnition <= 3.05.0 – Unauthenticated SQL Injection

Recipe Maker For Your Food Blog from Zip Recipes <= 8.1.0 – Authenticated(Contributor+) SQL Injection

Affected Software: Recipe Maker For Your Food Blog from Zip Recipes
CVE ID: CVE-2023-52180
CVSS Score: 8.8 (High)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/01ab2ed8-ff2f-41ac-bbbd-d8878fd067d6

WP Mail Log Plugin <= 1.1.2 – Authenticated(Contributor+) Arbitrary File Upload

Affected Software: WP Mail Log
CVE ID: CVE-2023-51410
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0542f8bf-8fb1-4c47-89b7-106a6feacca1

Ultimate Addons for Beaver Builder <= 1.35.14 – Authenticated(Contributor+) Privilege Escalation

Affected Software: Ultimate Addons for Beaver Builder
CVE ID: CVE-2023-51398
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1b29048e-cf06-463c-82e0-f1d973e50232

ARI Stream Quiz <= 1.3.0 – Authenticated (Contributor+) PHP Object Injection

Affected Software: ARI Stream Quiz – WordPress Quizzes Builder
CVE ID: CVE-2023-52182
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/36ad7fe2-0dc9-427d-811b-8fb1fdb78579

TerraClassifieds <= 2.0.3 – Cross-Site Request Forgery

Affected Software: TerraClassifieds – Simple Classifieds Plugin
CVE ID: CVE-2023-51474
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4a6e5f89-ebc0-413a-a76e-3cf4339430ba

Verge3D <= 4.5.2 – Authenticated(Subscriber+) Arbitrary File Upload

Affected Software: Verge3D Publishing and E-Commerce
CVE ID: CVE-2023-51421
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/71dd864f-1975-4cee-be26-0cdb0d54be95

Rencontre – Dating Site <= 3.11.1 – Authenticated (Subscriber+) PHP Object Injection

Affected Software: Rencontre – Dating Site
CVE ID: CVE-2023-51470
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/722c35e5-4084-46a4-a3d4-c73f8e7a1882

MF Gig Calendar <= 1.2.1 – Authenticated (Contributor+) SQL Injection

Affected Software: MF Gig Calendar
CVE ID: CVE-2023-50842
CVSS Score: 8.8 (High)
Researcher/s: Abu Hurayra (HurayraIIT)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7d977636-a509-4f32-9ad3-762720fdb433

Job Manager & Career – Manage job board listings, and recruitments <= 1.4.4 – Cross-Site Request Forgery to PHP Object Injection

Affected Software: Job Manager & Career – Manage job board listings, and recruitments
CVE ID: CVE-2023-51545
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8558cd96-3b2a-4282-950b-6d9753698291

Booking Manager <= 2.1.5 – Authenticated(Contributor+) SQL Injection via Shortcode

Affected Software: Booking Manager
CVE ID: CVE-2023-50840
CVSS Score: 8.8 (High)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9829ec10-ad37-4345-b4d6-cd0429b2d8f7

JVM rich text icons <= 1.2.6 – Directory Traversal to Authenticated(Subscriber+) Arbitrary File Deletion

Affected Software: JVM Gutenberg Rich Text Icons
CVE ID: CVE-2023-51418
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a3e54f9b-db12-42ef-a0fa-2d40c0f7908c

Uncode Core <= 2.8.8 – Privilege Escalation

Affected Software: uncode-core
CVE ID: CVE-2023-51515
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bb5e6767-d0a9-4ac4-816f-6fb57b1e5f9b

Events Shortcodes & Templates For The Events Calendar <= 2.3.1 – Authenticated (Contributor+) SQL Injection via shortcode

Affected Software: Events Shortcodes For The Events Calendar
CVE ID: CVE-2023-52142
CVSS Score: 8.8 (High)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c1d9ee9f-d8d0-4a9d-b414-bc79c4255b4e

ARMember <= 4.0.10 – Authenticated(Subscriber+) Privilege Escalation

JVM rich text icons <= 1.2.3 – Authenticated(Subscriber+) Arbitrary File Upload

Affected Software: JVM Gutenberg Rich Text Icons
CVE ID: CVE-2023-51417
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ca064db0-2718-4521-9467-335b59208858

BookingPress <= 1.0.72 – Authenticated (Contributor+) SQL Injection

Build App Online <= 1.0.19 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update

Affected Software: Build App Online
CVE ID: CVE-2023-51479
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e3551218-e272-4c96-94fe-9db0aee0d4f4

Most And Least Read Posts Widget <= 2.5.16 – Authenticated (Contributor+) SQL Injection via Widget settings

Affected Software: Most And Least Read Posts Widget
CVE ID: CVE-2023-52133
CVSS Score: 8.8 (High)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e9fa55cc-c686-43e4-a028-dd2721d2db85
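
The two SQL injection entries above that are reachable at Contributor level (Events Shortcodes & Templates For The Events Calendar via a shortcode, and Most And Least Read Posts Widget via widget settings) share one root cause: shortcode attributes or widget settings are interpolated into a query string. Contributors can place shortcodes in drafts and preview them, so no publishing rights are needed. The following is an added, generic illustration of that pattern and its fix; it is not code from either plugin or from any other plugin in this report, and the hypo_ function, shortcode and attribute names are hypothetical.

```php
<?php
// Added illustration of SQL injection through shortcode attributes / widget settings.
// Generic code, not taken from any plugin in this report; hypo_ names are hypothetical.

// --- Vulnerable pattern: attribute values interpolated straight into the query -------
function hypo_top_posts_vulnerable( $atts ) {
    global $wpdb;
    $a = shortcode_atts( array( 'limit' => 5, 'orderby' => 'comment_count' ), $atts );
    // Both attributes reach MySQL verbatim. orderby="(SELECT SLEEP(5))" is enough to
    // confirm blind injection from a draft preview.
    $rows = $wpdb->get_results(
        "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_status = 'publish' "
        . "ORDER BY {$a['orderby']} DESC LIMIT {$a['limit']}"
    );
    $out = '';
    foreach ( (array) $rows as $row ) {
        $out .= '<li>' . $row->post_title . '</li>'; // unescaped output: also an XSS sink
    }
    return '<ul>' . $out . '</ul>';
}

// --- Hardened pattern ----------------------------------------------------------------
function hypo_top_posts_hardened( $atts ) {
    global $wpdb;
    $a = shortcode_atts(
        array( 'limit' => 5, 'orderby' => 'comment_count' ),
        $atts,
        'hypo_top_posts'
    );

    // Values: coerce to the expected type and bind them through $wpdb->prepare().
    $limit = min( max( absint( $a['limit'] ), 1 ), 50 );

    // Identifiers: a column name cannot be bound as a %d/%s placeholder, so the
    // user-facing name is mapped onto a fixed column through an allowlist.
    $columns = array(
        'comment_count' => 'comment_count',
        'date'          => 'post_date',
        'title'         => 'post_title',
    );
    $orderby = isset( $columns[ $a['orderby'] ] ) ? $columns[ $a['orderby'] ] : 'comment_count';

    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT ID, post_title FROM {$wpdb->posts}
             WHERE post_status = 'publish' AND post_type = 'post'
             ORDER BY {$orderby} DESC
             LIMIT %d",
            $limit
        )
    );

    $out = '';
    foreach ( (array) $rows as $row ) {
        $out .= sprintf(
            '<li><a href="%s">%s</a></li>',
            esc_url( get_permalink( $row->ID ) ),
            esc_html( $row->post_title )
        );
    }
    return '<ul class="hypo-top-posts">' . $out . '</ul>';
}
add_shortcode( 'hypo_top_posts', 'hypo_top_posts_hardened' );
```

The allowlist is the important part: escaping an ORDER BY column name does not make it safe, because it is not inside quotes. Sites on WordPress 6.2 or later can alternatively bind the identifier with the `%i` placeholder that `$wpdb->prepare()` gained in that release, but an allowlist still limits sorting to columns the feature intends to expose.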

Uncode Core <= 2.8.8 – Authenticated (Subscriber+) Arbitrary File Deletion

Affected Software: uncode-core
CVE ID: CVE-2023-51500
CVSS Score: 8.1 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/74ab025d-4e76-46e5-b8f8-963eeea5b802

Backup Migration 1.0.8 – 1.3.9 – Remote File Inclusion via content-dir

Affected Software: Backup Migration
CVE ID: CVE-2023-6971
CVSS Score: 8.1 (High)
Researcher/s: Hiroho Shimada
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b380283c-0dbb-4d67-9f66-cb7c400c0427

Backup Migration <= 1.3.9 – Unauthenticated Path Traversal to Arbitrary File Deletion

Affected Software: Backup Migration
CVE ID: CVE-2023-6972
CVSS Score: 7.5 (High)
Researcher/s: Hiroho Shimada
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0a3ae696-f67d-4ed2-b307-d2f36b6f188c
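
Several entries above are directory traversal leading to arbitrary file deletion (JVM Gutenberg Rich Text Icons and Uncode Core at Subscriber level, Backup Migration without authentication). Deleting wp-config.php forces WordPress back into its installer, which is why an "only deletes files" bug is rated High. The following is an added, generic illustration of the defect and of a hardened handler; it is not code from any of those plugins or from any other plugin in this report, and the hypo_ names are hypothetical.

```php
<?php
// Added illustration of path traversal to arbitrary file deletion.
// Generic code, not taken from any plugin in this report; hypo_ names are hypothetical.

// --- Vulnerable pattern --------------------------------------------------------------
// Three defects at once: no nonce, no capability check (every logged-in user can call a
// wp_ajax_* action, and a wp_ajax_nopriv_* registration opens it to anonymous callers),
// and a file name concatenated without confinement, so file=../../../wp-config.php
// escapes the intended directory.
function hypo_delete_export_vulnerable() {
    $file = isset( $_POST['file'] ) ? wp_unslash( $_POST['file'] ) : '';
    $path = WP_CONTENT_DIR . '/uploads/hypo-exports/' . $file;
    if ( file_exists( $path ) ) {
        unlink( $path );
    }
    wp_send_json_success();
}

// --- Hardened pattern ----------------------------------------------------------------
function hypo_delete_export_hardened() {
    // 1. CSRF: the request must carry a nonce issued for this action.
    check_ajax_referer( 'hypo_delete_export', 'nonce' );

    // 2. Authorization: deleting server files is an administrator operation.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Accept a bare file name only; anything carrying a path component is rejected.
    $file = isset( $_POST['file'] ) ? sanitize_file_name( wp_unslash( $_POST['file'] ) ) : '';
    if ( '' === $file || $file !== basename( $file ) ) {
        wp_send_json_error( 'bad filename', 400 );
    }

    // 4. Confine to the base directory. realpath() resolves ".." and symlinks, so the
    //    prefix comparison is made on the real on-disk location, not the request string.
    $base = realpath( WP_CONTENT_DIR . '/uploads/hypo-exports' );
    $path = ( false === $base ) ? false : realpath( $base . DIRECTORY_SEPARATOR . $file );
    if ( false === $path
        || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR )
        || ! is_file( $path ) ) {
        wp_send_json_error( 'not found', 404 );
    }

    // 5. Limit to the file type this feature produces.
    if ( 'zip' !== strtolower( pathinfo( $path, PATHINFO_EXTENSION ) ) ) {
        wp_send_json_error( 'not an export file', 400 );
    }

    wp_send_json_success( array( 'deleted' => unlink( $path ) ) );
}
// Only the hardened handler is registered; the vulnerable one is shown for contrast.
add_action( 'wp_ajax_hypo_delete_export', 'hypo_delete_export_hardened' );
```

Steps 1 and 2 are what separate a Subscriber+ finding from an Administrator+ one; step 4 is what closes the traversal itself. Stripping "../" from the input is not a substitute for the realpath() check, because encoded and nested variants ("....//") survive naive filtering.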

Everest Backup <= 2.1.9 – Sensitive Information Exposure via Log File

Affected Software: Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin
CVE ID: CVE-2023-52185
CVSS Score: 7.5 (High)
Researcher/s: Joshua Chan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/31a54705-99e8-4e41-bf57-9365ab387228

WP Stripe Checkout <= 1.2.2.37 – Sensitive Information Exposure via Debug Log

Affected Software: WP Stripe Checkout
CVE ID: CVE-2023-52143
CVSS Score: 7.5 (High)
Researcher/s: Joshua Chan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3f244b8e-94ae-4d95-83a7-53b826e98656

WC Marketplace <= 4.0.23 – Missing Authorization via mvx_save_dashpages

Affected Software: MultiVendorX Marketplace – WooCommetrce MultiVendor Marketplace Solution
CVE ID: CVE-2023-51355
CVSS Score: 7.5 (High)
Researcher/s: thiennv
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6cdc0096-8e21-4b82-b9d0-961f48907a09

WebinarIgnition <= 3.05.0 – Authenticated(Subscriber+) PHP Object Injection

Local Delivery Drivers for WooCommerce <= 1.9.0 – Missing Authorization to Driver Account Takeover

Affected Software: Local Delivery Drivers for WooCommerce
CVE ID: CVE-2023-51481
CVSS Score: 7.3 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/99f4f1dc-13a9-4fa0-bdb1-77a0d416c80f

Custom 404 Pro <= 3.10.0 – Unauthenticated Stored Cross-Site Scripting via logging

Affected Software: Custom 404 Pro
CVE ID: CVE-2023-51540
CVSS Score: 7.2 (High)
Researcher/s: Kyle Sanchez
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1106e7b2-eac7-459d-8eb3-fe84c76f3b67

WooCommerce PDF Invoices <= 4.2.1 – Authenticated(Shop Manager+) Arbitrary Options Update via JSON Import

Affected Software: WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels
CVE ID: CVE-2023-51546
CVSS Score: 7.2 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7927edf2-b092-4b56-83aa-038f99ea658e
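
Two entries above are "arbitrary options update" findings: Build App Online (Subscriber+, unpatched at the time of this report) and WooCommerce PDF Invoices via JSON import (Shop Manager+). Any handler that lets the caller choose which wp_options row to write is a privilege escalation primitive, because setting users_can_register to 1 and default_role to administrator lets the caller register an administrator account. The following is an added, generic illustration of the defect and of an allowlisted importer; it is not code from either plugin or from any other plugin in this report, and the hypo_ option and function names are hypothetical.

```php
<?php
// Added illustration of the "arbitrary options update" class.
// Generic code, not taken from any plugin in this report; hypo_ names are hypothetical.

// --- Vulnerable pattern: option names and values both come from the request ---------
function hypo_import_settings_vulnerable() {
    $settings = json_decode( wp_unslash( $_POST['settings'] ?? '' ), true );
    foreach ( (array) $settings as $name => $value ) {
        update_option( $name, $value ); // any option, any value
    }
    wp_send_json_success();
}

// --- Hardened pattern ----------------------------------------------------------------
// Only options this feature owns may be written, each through its own sanitizer.
const HYPO_ALLOWED_OPTIONS = array(
    'hypo_invoice_prefix'  => 'sanitize_text_field',
    'hypo_invoice_next_no' => 'absint',
    'hypo_invoice_footer'  => 'wp_kses_post',
    'hypo_attach_to_email' => 'rest_sanitize_boolean',
);

function hypo_import_settings_hardened() {
    check_ajax_referer( 'hypo_import_settings', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $raw = json_decode( wp_unslash( $_POST['settings'] ?? '' ), true );
    if ( ! is_array( $raw ) ) {
        wp_send_json_error( 'invalid JSON', 400 );
    }

    $applied = array();
    foreach ( $raw as $name => $value ) {
        // Unknown keys and non-scalar values are dropped, never written.
        if ( ! isset( HYPO_ALLOWED_OPTIONS[ $name ] ) || ! is_scalar( $value ) ) {
            continue;
        }
        update_option( $name, call_user_func( HYPO_ALLOWED_OPTIONS[ $name ], $value ) );
        $applied[] = $name;
    }
    wp_send_json_success( array( 'applied' => $applied ) );
}
add_action( 'wp_ajax_hypo_import_settings', 'hypo_import_settings_hardened' );
```

The capability check alone does not fix this class when the feature is meant for Shop Managers: a role that may edit invoice settings must still be prevented from touching core options, which is what the allowlist enforces.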

Welcart e-Commerce <= 2.9.3 – Authenticated(Editor+) SQL Injection

Affected Software: Welcart e-Commerce
CVE ID: CVE-2023-50847
CVSS Score: 7.2 (High)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a328643a-ab12-427e-9bcd-2d40738afb61

Backup Migration <= 1.3.9 – Authenticated (Admin+) OS Command Injection via url

Affected Software: Backup Migration
CVE ID: CVE-2023-7002
CVSS Score: 7.2 (High)
Researcher/s: Françoa Taffarel
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cc49db10-988d-42bd-a9cf-9a86f4c79568

Clockwork SMS Notfications <= 3.0.4 – Authenticated(Administrator+) SQL Injection

Affected Software: Clockwork SMS Notfications
CVE ID: CVE-2023-50843
CVSS Score: 6.6 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/08fb51d6-30c1-4a48-b626-a8c6f203ac83

Media File Renamer <= 5.7.7 – Authenticated(Administrator+) Remote Code Execution

Affected Software: Media File Renamer: Rename Files (Manual, Auto & AI)
CVE ID: CVE-2023-50897
CVSS Score: 6.6 (Medium)
Researcher/s: Taihei Shimamine
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/32b2b8e9-aa49-4cc3-97b7-249695969461

E2Pdf <= 1.20.23 – Authenticated(Administrator+) SQL Injection

Affected Software: E2Pdf – Export To Pdf Tool for WordPress
CVE ID: CVE-2023-50849
CVSS Score: 6.6 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3f0ed355-b5c8-4143-b391-7436d67ba0de

404 Solution <= 2.34.0 – Authenticated(Administrator+) SQL Injection

Affected Software: 404 Solution
CVE ID: CVE-2023-50848
CVSS Score: 6.6 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/477d3d7a-6028-4dd3-b713-6098bfe32832

Mail logging – WP Mail Catcher <= 2.1.3 – Authenticated(Administrator+) SQL Injection

Affected Software: Mail logging – WP Mail Catcher
CVE ID: CVE-2023-50844
CVSS Score: 6.6 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/47aed582-efb6-4caf-a65b-57995907ecaa

WP Adminify <= 3.1.6 – Authenticated(Administrator+) SQL Injection

Page Generator <= 1.7.1 – Authenticated(Administrator+) SQL Injection

Affected Software: Page Generator
CVE ID: CVE-2023-52131
CVSS Score: 6.6 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/73ea7672-4e3f-4a26-a59e-043c2cd10a7a

Simply Schedule Appointments <= 1.6.5.27 – Authenticated(Administrator+) SQL Injection

Affected Software: Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin
CVE ID: CVE-2023-50851
CVSS Score: 6.6 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/775d4ba7-7198-493c-bae0-7f3f78741b90

Pre* Party Resource Hints <= 1.8.18 – Authenticated(Administrator+) SQL Injection

Affected Software: Pre* Party Resource Hints
CVE ID: CVE-2023-50855
CVSS Score: 6.6 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7c043945-d327-4f26-98b4-99ac5b4761f1

Login Lockdown – Protect Login Form <= 2.06 – Authenticated(Administrator+) SQL Injection

Affected Software: Login Lockdown – Protect Login Form
CVE ID: CVE-2023-50837
CVSS Score: 6.6 (Medium)
Researcher/s: LVT-tholv2k
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7c9d088c-e71a-4e73-a7e3-d99f3511e519

YITH WooCommerce Product Add-Ons <= 4.3.0 – Authenticated(Shop Manager+) PHP Object Injection

Affected Software: YITH WooCommerce Product Add-Ons
CVE ID: CVE-2023-49777
CVSS Score: 6.6 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7edd06d9-3897-4644-a77e-e58ab6d14c95

Fluent Support <= 1.7.6 – Authenticated(Administrator+) SQL Injection

Affected Software: Fluent Support – WordPress Helpdesk and Customer Support Ticket Plugin
CVE ID: CVE-2023-51547
CVSS Score: 6.6 (Medium)
Researcher/s: Yudistira Arya
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8909dafa-3383-405e-a264-f0770e6714a4

Automation By Autonami <= 2.6.1 – Authenticated(Administrator+) SQL Injection

Store Locator WordPress <= 1.4.14 – Authenticated(Administrator+) Directory Traversal to Arbitrary File Deletion

Affected Software: Store Locator WordPress
CVE ID: CVE-2023-50885
CVSS Score: 6.6 (Medium)
Researcher/s: Abu Hurayra (HurayraIIT)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8cb5c386-eee3-4e88-a827-766a4901f432

Squirrly SEO – Advanced Pack <= 2.3.8 – Authenticated(Administrator+) SQL Injection

Affected Software: Squirrly SEO – Advanced Pack
CVE ID: CVE-2023-50854
CVSS Score: 6.6 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8ce4204f-3ee3-4877-8e9d-123d01ae80f5

GEO my WordPress <= 4.0.2 – Authenticated(Administrator+) SQL Injection

Affected Software: GEO my WordPress
CVE ID: CVE-2023-52134
CVSS Score: 6.6 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/94f118c3-d470-43c4-a61a-1ec998694880

RegistrationMagic Plugin <= 5.2.4.5 – Authenticated(Administrator+) SQL Injection

WS Form LITE <= 1.9.170 – Authenticated(Administrator+) SQL Injection

Affected Software: WS Form LITE – Drag & Drop Contact Form Builder for WordPress
CVE ID: CVE-2023-52135
CVSS Score: 6.6 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a3171015-227d-420a-ba3a-e6e2dc17ba8c

GeoDirectory <= 2.3.28 – Authenticated(Administrator+) SQL Injection

Affected Software: GeoDirectory – WordPress Business Directory Plugin, or Classified Directory
CVE ID: CVE-2023-50845
CVSS Score: 6.6 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b3d48aca-3db5-4585-bd71-5548f3b36ea1

Funnel Builder for WordPress by FunnelKit <= 2.14.3 – Authenticated(Administrator+) SQL Injection

Advanced Form Integration <= 1.75.0 – Authenticated(Administrator+) SQL Injection

BookIt <= 2.4.3 – Authenticated(Administrator+) SQL Injection

Affected Software: Booking Calendar | Appointment Booking | BookIt
CVE ID: CVE-2023-50852
CVSS Score: 6.6 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d4e97c01-7e8a-41b7-90ad-029d8c5fd37c

EnvíaloSimple <= 2.1 – Unauthenticated PHP Object Injection

Affected Software: EnvíaloSimple: Email Marketing y Newsletters
CVE ID: CVE-2023-51414
CVSS Score: 6.5 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/13245eab-9a72-44d7-bbcd-a0d3e2879814
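
Three entries in this report are PHP object injection (WebinarIgnition at Subscriber level, YITH WooCommerce Product Add-Ons at Shop Manager level, and EnvíaloSimple without authentication, the last still unpatched). The plugin itself needs no dangerous class: unserialize() on attacker-controlled data instantiates any class already loaded by WordPress, another plugin or a vendored library, and a chain of __wakeup/__destruct methods in such classes is what turns the bug into file writes or code execution. The following is an added, generic illustration of the defect and two fixes; it is not code from any of those plugins or from any other plugin in this report, and the hypo_ names are hypothetical.

```php
<?php
// Added illustration of PHP object injection.
// Generic code, not taken from any plugin in this report; hypo_ names are hypothetical.

// --- Vulnerable pattern: attacker-controlled string reaches unserialize() -----------
// A cookie is readable by anyone, so this variant needs no account at all.
function hypo_load_cart_vulnerable() {
    if ( ! isset( $_COOKIE['hypo_cart'] ) ) {
        return array();
    }
    $cart = unserialize( wp_unslash( $_COOKIE['hypo_cart'] ) );
    return is_array( $cart ) ? $cart : array();
}

// --- Preferred fix: do not use PHP serialization across a trust boundary ------------
function hypo_load_cart_hardened() {
    if ( ! isset( $_COOKIE['hypo_cart'] ) ) {
        return array();
    }
    // json_decode() with $assoc = true yields arrays and scalars only, never objects.
    $cart = json_decode( wp_unslash( $_COOKIE['hypo_cart'] ), true );
    if ( ! is_array( $cart ) ) {
        return array();
    }
    // Re-validate the shape: integer product IDs mapped to bounded quantities.
    $clean = array();
    foreach ( $cart as $product_id => $qty ) {
        if ( absint( $product_id ) > 0 && absint( $qty ) > 0 ) {
            $clean[ absint( $product_id ) ] = min( absint( $qty ), 999 );
        }
    }
    return $clean;
}

// --- Fallback when the storage format cannot change: forbid object instantiation ----
// Serialized objects come back as __PHP_Incomplete_Class, so no magic method runs.
// Note that WordPress core's maybe_unserialize() does not pass this option and gives
// no protection for data an attacker can influence.
function hypo_unserialize_no_objects( $data ) {
    return unserialize( $data, array( 'allowed_classes' => false ) ); // PHP 7.0+
}
```

When a plugin stores serialized data in the database, the same trust question applies to every path by which that row can be written: a Shop Manager who can edit product meta is supplying the string a later unserialize() will read.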

WooCommerce Stripe Payment Gateway <= 7.6.1 – Insecure Direct Object Reference via update_payment_intent_ajax

Affected Software: WooCommerce Stripe Payment Gateway
CVE ID: CVE-2023-51502
CVSS Score: 6.5 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6ee04e4d-4385-4854-9bfe-1b957ca13963

Affiliates Manager <= 2.9.31 – Cross-Site Request Forgery via multiple AJAX actions

Affected Software: Affiliates Manager
CVE ID: CVE-2023-52130
CVSS Score: 6.5 (Medium)
Researcher/s: Brandon James Roldan (tomorrowisnew)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/756b5e3e-46fa-483e-945a-86166e79d989

FunnelKit Checkout <= 3.10.3 – Unauthenticated Arbitrary Content Deletion

Affected Software: FunnelKit Checkout
CVE ID: CVE-2023-51672
CVSS Score: 6.5 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c9d07faf-cc88-4233-a552-55e3376a2fc4

Piotnet Forms <= 1.0.25 – Missing Authorization via multiple AJAX actions

Affected Software: Piotnet Forms
CVE ID: CVE-2023-51413
CVSS Score: 6.5 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f119c6c2-cd4e-415a-b717-2bfc90ed729e

weForms <= 1.6.18 – Missing Authorization via export_form_entries

Affected Software: weForms – Easy Drag & Drop Contact Form Builder For WordPress
CVE ID: CVE-2023-51524
CVSS Score: 6.5 (Medium)
Researcher/s: emad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f2b7258e-c594-415a-a872-d5b28397e40d

Sensei LMS <= 4.17.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Sensei LMS – Online Courses, Quizzes, & Learning
CVE ID: CVE-2023-50875
CVSS Score: 6.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/031995fb-48c4-4f56-8b64-d66a47b2fbe9

Schema & Structured Data for WP & AMP <= 1.23 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Schema & Structured Data for WP & AMP
CVE ID: CVE-2023-51677
CVSS Score: 6.4 (Medium)
Researcher/s: LVT-tholv2k
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0752b4f3-b9f0-4c39-8e4c-2db188600087

Product Code for WooCommerce <= 1.4.4 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Product Code for WooCommerce
CVE ID: CVE-2023-51669
CVSS Score: 6.4 (Medium)
Researcher/s: LVT-tholv2k
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0be84866-2a49-42da-b498-962fc1bcb811

Icegram <= 3.1.19 – Authenticated (Contributor+) Stored Cross-Site Scripting via Campaign Message

Insert or Embed Articulate Content into WordPress <= 4.3000000021 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Affected Software: Insert or Embed Articulate Content into WordPress
CVE ID: CVE-2023-50824
CVSS Score: 6.4 (Medium)
Researcher/s: LVT-tholv2k
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/128d3046-94a0-465c-9225-a3ce652f5282

WooCommerce Menu Extension <= 1.6.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: WooCommerce Menu Extension
CVE ID: CVE-2023-50834
CVSS Score: 6.4 (Medium)
Researcher/s: wpdabh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/173c8c8a-a015-4522-b957-1805f520a77d

Active Products Tables for WooCommerce <= 1.0.6 – Authenticated (Contributor+) Stored Cross-Site Scripting

WP Crowdfunding <= 2.1.6 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: WP Crowdfunding
CVE ID: CVE-2023-50859
CVSS Score: 6.4 (Medium)
Researcher/s: Abu Hurayra (HurayraIIT)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/294b5bd1-a7c8-4c06-b107-e80bf3b35da8

Pay with Vipps for WooCommerce <= 1.14.13 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Pay with Vipps for WooCommerce
CVE ID: CVE-2023-51485
CVSS Score: 6.4 (Medium)
Researcher/s: resecured.io
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2950a264-b60c-48ad-b8e0-6d0e1a230982

Colibri Page Builder <= 1.0.239 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Colibri Page Builder
CVE ID: CVE-2023-6988
CVSS Score: 6.4 (Medium)
Researcher/s: Hung -mov Nguyen
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/300b24af-10a1-45b9-87ec-7c98dc94e76b

Booking for Appointments and Events Calendar – Amelia <= 1.0.85 – Stored Cross-Site Scripting via Shortcode

Affected Software: Booking for Appointments and Events Calendar – Amelia
CVE ID: CVE-2023-50860
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/33398af8-7b7f-47e5-b95b-c9faa33d0c80

My Agile Privacy <= 2.1.7 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: My Agile Privacy – The only GDPR solution for WordPress that you can truly trust
CVE ID: CVE-2023-51404
CVSS Score: 6.4 (Medium)
Researcher/s: resecured.io
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/35c40c81-c7b4-4453-bd2f-7910fcb7f13e

WP Tabs <= 2.2.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: WP Tabs – Responsive Tabs Plugin for WordPress
CVE ID: CVE-2023-52124
CVSS Score: 6.4 (Medium)
Researcher/s: wpdabh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/433c8908-587e-4086-9d0c-c9b1819b26e8

Currency Converter Widget <= 3.0.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Affected Software: Currency Converter Widget – Exchange Rates
CVE ID: CVE-2023-50822
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/47f051dd-138c-4c71-8a92-150c9ffd3601

Colibri Page Builder <= 1.0.240 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Colibri Page Builder
CVE ID: CVE-2023-50833
CVSS Score: 6.4 (Medium)
Researcher/s: LVT-tholv2k
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/532d185c-4384-4b15-a104-42f8d2a1ca23

Zoho Forms <= 3.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Form plugin for WordPress – Zoho Forms
CVE ID: CVE-2023-50891
CVSS Score: 6.4 (Medium)
Researcher/s: Abu Hurayra (HurayraIIT)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/57e9b09c-adfb-4fc2-8d2b-41cfc1f73e22

Advanced Access Manager <= 6.9.15 – Authenticated (Contributor+) Stored Cross-Site Scripting

WP Affiliate Disclosure <= 1.2.7 – Authenticated (Contributor+) Stored Cross-Site Scripting via $id

Affected Software: WP Affiliate Disclosure
CVE ID: CVE-2023-52178
CVSS Score: 6.4 (Medium)
Researcher/s: resecured.io
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5e38ee27-30a4-45be-bab6-a3e65ada215f

Seos Contact Form <= 1.8.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Seos Contact Form
CVE ID: CVE-2023-50830
CVSS Score: 6.4 (Medium)
Researcher/s: DoYeon Park (p6rkdoye0n)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/62b2113a-70a2-4223-8c6c-6cd15057d72d

HashBar – WordPress Notification Bar <= 1.4.1 – Authenticated (Author+) Stored Cross-Site Scripting

Affected Software: HashBar – WordPress Notification Bar
CVE ID: CVE-2023-51372
CVSS Score: 6.4 (Medium)
Researcher/s: emad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6f3e4e53-3a4a-4b9d-845c-927a59e03488

WPCS – WordPress Currency Switcher Professional <= 1.2.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: WPCS – WordPress Currency Switcher Professional
CVE ID: CVE-2023-51506
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/72a06690-f40a-472b-b9d1-985a49b914b3

WP Remote Site Search <= 1.0.4 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: WP Remote Site Search
CVE ID: CVE-2023-51397
CVSS Score: 6.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/79d4e5a8-028a-488e-b419-77a0981a28a9

CURCY – Multi Currency for WooCommerce <= 2.2.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: CURCY – Multi Currency for WooCommerce
CVE ID: CVE-2023-50831
CVSS Score: 6.4 (Medium)
Researcher/s: LVT-tholv2k
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7b7dee9e-1272-4e70-926c-a73e2897968c

If-So Dynamic Content Personalization <= 1.6.3.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: If-So Dynamic Content Personalization
CVE ID: CVE-2023-51492
CVSS Score: 6.4 (Medium)
Researcher/s: Abu Hurayra (HurayraIIT)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8407b678-76c5-4232-b17e-8db05f9e7b12

Auto Amazon Links <= 5.3.6 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Auto Amazon Links – Amazon Associates Affiliate Plugin
CVE ID: CVE-2023-52175
CVSS Score: 6.4 (Medium)
Researcher/s: Nguyen Anh Tien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8b2a5938-232e-487c-b31b-f48e2b9acb65

Limit Login Attempts Reloaded <= 2.25.26 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Limit Login Attempts Reloaded
CVE ID: CVE-2023-6934
CVSS Score: 6.4 (Medium)
Researcher/s: Hung -mov Nguyen
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/906049c0-4710-47aa-bf44-cdf29032dc1f

Divi <= 4.23.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Divi
CVE ID: CVE-2023-6744
CVSS Score: 6.4 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/999475c5-5f17-47fa-a0d0-47cb5a8a0eb4

iframe Shortcode <= 2.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Affected Software: iframe Shortcode
CVE ID: CVE-2023-50825
CVSS Score: 6.4 (Medium)
Researcher/s: LVT-tholv2k
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a3c323d5-59bc-4ecc-8211-2104fd22639f

Restaurant Reservations <= 1.8 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Restaurant Reservations
CVE ID: CVE-2023-51403
CVSS Score: 6.4 (Medium)
Researcher/s: resecured.io
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a4fa8aa9-0af8-4202-b219-863bbef8d02c

CSS & JavaScript Toolbox <= 11.7 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Affected Software: CSS & JavaScript Toolbox
CVE ID: CVE-2023-50823
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ace85b25-251b-4549-8f6e-1a1494cbabb6

WordPress.com Editing Toolkit <= 3.78784 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: WordPress.com Editing Toolkit
CVE ID: CVE-2023-50879
CVSS Score: 6.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b54307fb-ecbc-4742-9deb-59dbb85b4a7c

BuddyPress <= 11.3.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: BuddyPress
CVE ID: CVE-2023-50880
CVSS Score: 6.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b824cab6-d340-487d-90ba-5b554db1da14

Stock Ticker <= 3.23.4 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Stock Ticker
CVE ID: CVE-2023-51541
CVSS Score: 6.4 (Medium)
Researcher/s: resecured.io
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b8e921f4-d889-490f-a817-53d132a56f83

Back Button Widget <= 1.6.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Back Button Widget
CVE ID: CVE-2023-51399
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bcd28bc3-f893-4eb7-946f-34a2e9c7ff27

Easy Video Player <= 1.2.2.10 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Easy Video Player
CVE ID: CVE-2023-51689
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bd28f7f0-ed52-45d0-8d97-5ff95d17eb26

AMP for WP – Accelerated Mobile Pages <= 1.0.92 – Authenticated (Contributor+) Cross-Site Scripting via Shortcode

Affected Software: AMP for WP – Accelerated Mobile Pages
CVE ID: CVE-2023-6782
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c1cae64e-caed-43c0-9a75-9aa4234946a0

WP User Profile Avatar <= 1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: WP User Profile Avatar
CVE ID: CVE-2023-52118
CVSS Score: 6.4 (Medium)
Researcher/s: Abu Hurayra (HurayraIIT)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c291aa80-f1cd-4933-b522-73ec115a3a68

Dan’s Embedder for Google Calendar <= 1.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Dan’s Embedder for Google Calendar
CVE ID: CVE-2023-51504
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cbca88e0-1563-43cb-adf4-4f89856a07d0

CBX Bookmark & Favorite <= 1.7.13 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: CBX Bookmark & Favorite
CVE ID: CVE-2023-51514
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cddda02e-c36f-4ed8-b3ac-6cb3f17c6ce2

Easy Digital Downloads <= 3.2.5 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Easy Digital Downloads – Sell Digital Files (eCommerce Store & Payments Made Easy)
CVE ID: CVE-2023-51684
CVSS Score: 6.4 (Medium)
Researcher/s: LVT-tholv2k
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d19a9c96-918f-4f19-82a9-badd5765cea3

WordPress Infinite Scroll – Ajax Load More <= 6.1.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: WordPress Infinite Scroll – Ajax Load More
CVE ID: CVE-2023-50874
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e3bcc0aa-281f-4c59-b3de-dde4277cc989

Themify Icons <= 2.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Themify Icons
CVE ID: CVE-2023-51693
CVSS Score: 6.4 (Medium)
Researcher/s: wpdabh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/efa156b7-ab18-414d-80a5-3a1c2a977b3b

Advanced Access Manager <= 6.9.18 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Advanced Access Manager – Restricted Content, Users & Roles, Enhanced Security and More
CVE ID: CVE-2023-51674
CVSS Score: 6.4 (Medium)
Researcher/s: LVT-tholv2k
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f1bf4f77-9539-4a9f-afec-f43f602c684f

Simple Membership <= 4.3.8 – Reflected Cross-Site Scripting

Affected Software: Simple Membership
CVE ID: CVE-2023-50376
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/18fe9769-3681-4a5e-866a-640b4cc76199

Simple Membership <= 4.3.8 – Reflected Cross-Site Scripting Vulnerability via environment_mode

Affected Software: Simple Membership
CVE ID: CVE-2023-6882
CVSS Score: 6.1 (Medium)
Researcher/s: Rein Daelman (trein)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/366165fe-93e5-49ab-b2e5-1de624f22286

WP Google Maps <= 9.0.27 – Unauthenticated Stored Cross-Site Scripting via REST API

Affected Software: WP Go Maps (formerly WP Google Maps)
CVE ID: CVE-2023-6627
CVSS Score: 6.1 (Medium)
Researcher/s: Marc-Alexandre Montpas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3a468814-ecb7-4414-9472-6c2aaa5f5c2c

New User Approve <= 2.5.1 – Cross-Site Request Forgery via admin_notices

Affected Software: New User Approve
CVE ID: CVE-2023-50902
CVSS Score: 6.1 (Medium)
Researcher/s: Vladislav Pokrovsky (ΞX.MI)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3abde27c-8234-4146-9e55-ea20b275ca48

HT Mega – Absolute Addons For Elementor <= 2.3.8 – Reflected Cross-Site Scripting

Affected Software: HT Mega – Absolute Addons For Elementor
CVE ID: CVE-2023-50901
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6745be2e-d151-452a-8e65-0db2409dd54d

Impreza <= 8.17.4 – Reflected Cross-Site Scripting

Affected Software: Impreza – WordPress Website and WooCommerce Builder
CVE ID: CVE-2023-50893
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7bd931a9-18ec-48fa-9382-d4c2d99258c5

TheGem <= 5.9.1 – Reflected Cross-Site Scripting

Affected Software: TheGem
CVE ID: CVE-2023-50892
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a243fbde-951b-43e0-a432-c92ae4b04c26

Crowdsignal Dashboard – Polls, Surveys & more <= 3.0.11 – Reflected Cross-Site Scripting

Affected Software: Crowdsignal Dashboard – Polls, Surveys & more
CVE ID: CVE-2023-51488
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a78da5c5-fb12-4fc9-8c51-6d9f6f7a4043

Google Photos Gallery with Shortcodes <= 4.0.2 – Reflected Cross-Site Scripting

Affected Software: Google Photos Gallery with Shortcodes
CVE ID: CVE-2023-51373
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c5ab6a1f-181c-4bc2-bcc3-e19f94fc5e46

Uncode Core <= 2.8.6 – Reflected Cross-Site Scripting

Affected Software: uncode-core
CVE ID: CVE-2023-51501
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d4efe60a-d8e3-4e51-95b2-246e30e90e89
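
Most of the Medium entries above are either stored cross-site scripting through a shortcode attribute (Contributor+) or reflected cross-site scripting through a request parameter. Contributors and Authors lack the unfiltered_html capability, so WordPress strips script from their post content; a shortcode handler that rebuilds HTML from its attributes at render time is the way around that filter, and the rendered page is seen by whoever opens the post, administrators included. The reflected variant needs no account of the attacker's own, only a privileged user who opens a crafted link. The following is an added, generic illustration of both patterns with the context-specific escaping that fixes them; it is not code from Divi, BuddyPress, Simple Membership or any other plugin listed in this report, and the hypo_ names are hypothetical.

```php
<?php
// Added illustration of stored XSS via shortcode attributes and reflected XSS via a
// request parameter. Generic code, not taken from any plugin in this report; hypo_
// names are hypothetical.

// --- Stored XSS via shortcode: each output context needs its own escaper -------------
function hypo_button_vulnerable( $atts ) {
    $a = shortcode_atts( array( 'url' => '#', 'label' => 'Go', 'class' => '' ), $atts );
    // [hypo_button url="javascript:alert(1)"] or class="x' onmouseover='alert(1)"
    // both land in the page unchanged.
    return "<a href='{$a['url']}' class='{$a['class']}'>{$a['label']}</a>";
}

function hypo_button_hardened( $atts ) {
    $a = shortcode_atts( array( 'url' => '#', 'label' => 'Go', 'class' => '' ), $atts, 'hypo_button' );
    return sprintf(
        '<a href="%s" class="%s">%s</a>',
        esc_url( $a['url'] ),                            // URL context: javascript: and data: schemes are dropped
        esc_attr( sanitize_html_class( $a['class'] ) ),  // attribute context, plus a class-name character allowlist
        esc_html( $a['label'] )                          // text-node context
    );
}
add_shortcode( 'hypo_button', 'hypo_button_hardened' );

// --- Reflected XSS: a request parameter echoed into an admin page --------------------
function hypo_search_box_vulnerable() {
    $q = isset( $_GET['q'] ) ? $_GET['q'] : '';
    echo '<h2>Results for: ' . $q . '</h2>';
    echo '<input type="text" name="q" value="' . $q . '">';
}

function hypo_search_box_hardened() {
    $q = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';
    echo '<h2>' . esc_html( 'Results for: ' . $q ) . '</h2>';      // text-node context
    echo '<input type="text" name="q" value="' . esc_attr( $q ) . '">'; // attribute context
}
```

Note that esc_html() is not interchangeable with the other two: it does nothing for a javascript: URL in an href, and it leaves an unquoted attribute value breakable. Picking the escaper by output context, at the point of output, is what makes a shortcode safe regardless of who authored the post.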

HTML Forms <= 1.3.28 – Authenticated (Administrator+) Cross-Site Scripting

Affected Software: HTML Forms
CVE ID: CVE-2023-50836
CVSS Score: 5.5 (Medium)
Researcher/s: Huynh Tien Si
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2921ea67-e88a-489a-8c45-cfe458f29d2b

NEX-Forms – Ultimate Form Builder – Contact forms and much more <= 8.5.5 – Authenticated (Admin+) SQL Injection

Affected Software: NEX-Forms – Ultimate Form Builder – Contact forms and much more
CVE ID: CVE-2023-50838
CVSS Score: 5.5 (Medium)
Researcher/s: Abu Hurayra (HurayraIIT)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6b5964a7-410b-4fea-9de2-22ffda80c8e8

ZeroBounce Email Verification & Validation <= 1.0.11 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: ZeroBounce Email Verification & Validation
CVE ID: CVE-2023-51374
CVSS Score: 5.5 (Medium)
Researcher/s: DoYeon Park (p6rkdoye0n)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c7d215e9-e615-46ab-b0b8-b37f10cfae98

Stylish Price List <= 7.0.17 – Missing Authorization

Affected Software: Stylish Price List – Price Table Builder & QR Code Restaurant Menu
CVE ID: CVE-2023-51673
CVSS Score: 5.4 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0d9cea4e-b619-4935-bb7c-a64ddf52d480

JSM file_get_contents() Shortcode <= 2.7.0 – Authenticated (Contributor+) Server-Side Request Forgery via Shortcode

Affected Software: JSM file_get_contents() Shortcode
CVE ID: CVE-2023-6991
CVSS Score: 5.4 (Medium)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/191d5bcc-70d8-430b-9215-00ffdc04be87

Simple Staff List <= 2.2.4 – Missing Authorization via ajax_flush_rewrite_rules and staff_member_export

Affected Software: Simple Staff List
CVE ID: CVE-2023-51526
CVSS Score: 5.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3ef8bf84-768f-4ef1-8037-4e51ccc20c83

ARI Stream Quiz <= 1.2.32 – Cross-Site Request Forgery

Affected Software: ARI Stream Quiz – WordPress Quizzes Builder
CVE ID: CVE-2023-51487
CVSS Score: 5.4 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/45180c8e-0625-4a21-b3a1-673abe52d78f

WP Shortcodes Plugin — Shortcodes Ultimate <= 7.0.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: WP Shortcodes Plugin — Shortcodes Ultimate
CVE ID: CVE-2023-6488
CVSS Score: 5.4 (Medium)
Researcher/s: Webbernaut
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/50a89ad1-a3d0-49e3-8d2e-4cb81ac115ba

Happy Addons for Elementor <= 3.9.1.1 – Server Side Request Forgery (SSRF)

Affected Software: Happy Addons for Elementor
CVE ID: CVE-2023-51676
CVSS Score: 5.4 (Medium)
Researcher/s: Yuchen Ji
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/64ae36a3-d102-4d51-b685-395283155101

Molongui <= 4.7.3 – Missing Authorization

Affected Software: Author Box, Guest Author and Co-Authors for Your Posts – Molongui
CVE ID: CVE-2023-50876
CVSS Score: 5.4 (Medium)
Researcher/s: Abu Hurayra (HurayraIIT)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6f01ecab-2dfe-45d2-9d9a-ba1e30c7d75f

FOX – Currency Switcher Professional for WooCommerce <= 1.4.1.6 – Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting

Affected Software: FOX – Currency Switcher Professional for WooCommerce
CVE ID: CVE-2023-6556
CVSS Score: 5.4 (Medium)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8cb37019-33f6-4f72-adfc-befbfbf69e47

Doofinder for WooCommerce <= 2.0.33 – Missing Authorization via multiple AJAX actions

Affected Software: Doofinder WP & WooCommerce Search
CVE ID: CVE-2023-51678
CVSS Score: 5.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ad50e216-f522-4294-a4dc-7f3bd52820b3

Business Directory Plugin <= 6.3.9 – Missing Authorization via dispatch

Affected Software: Business Directory Plugin – Easy Listing Directories for WordPress
CVE ID: CVE-2023-51516
CVSS Score: 5.4 (Medium)
Researcher/s: thiennv
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ea3c5188-4570-4958-8b2d-69048b10c5f9

Essential Blocks for Gutenberg <= 4.2.0 – Incorrect Authorization Checks

Affected Software: Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates
CVE ID: CVE-2023-51359
CVSS Score: 5.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/eca703ec-645c-4d12-ae57-75db14e08f3e

WooCommerce Warranty Requests <= 2.2.7 – Missing Authorization

Affected Software: WooCommerce Warranty Requests
CVE ID: CVE-2023-51496
CVSS Score: 5.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/03e96aea-30a2-4cd3-8967-52e1870cc293

Block IPs for Gravity Forms <= 1.0.1 – Cross-Site Request Forgery

Affected Software: Block IPs for Gravity Forms
CVE ID: CVE-2023-51358
CVSS Score: 5.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/19958187-7eb1-479e-bd36-d40974ae65ca

WP Optin Wheel <= 1.4.2 – Sensitive Information Exposure via Log File

Affected Software: WP Optin Wheel – Gamified Optin Email Marketing Tool for WordPress and WooCommerce
CVE ID: CVE-2023-51408
CVSS Score: 5.3 (Medium)
Researcher/s: Joshua Chan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2a83ade5-5e53-4d53-ada0-43d487e5e23f

Rate my Post – WP Rating System <= 3.4.2 – IP Address Spoofing

Affected Software: Rate my Post – WP Rating System
CVE ID: CVE-2023-51667
CVSS Score: 5.3 (Medium)
Researcher/s: Brandon James Roldan (tomorrowisnew)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2d24aa7e-bbf1-4a54-b53b-7a37e613e0e6

Customer Reviews for WooCommerce <= 5.38.1 – Missing Authorization via CR_Manual

Affected Software: Customer Reviews for WooCommerce
CVE ID: CVE-2023-51692
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2e093d1f-9c5a-44f8-bc27-9c320e220358

Poll Maker <= 4.8.0 – Missing Authorization

Affected Software: Poll Maker – Best WordPress Poll Plugin
CVE ID: CVE-2023-50904
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/345097c7-8f0e-46ed-9a1d-7c8a4a589e3f

Paid Memberships Pro <= 2.12.5 – Missing Authorization via API

Affected Software: Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions
CVE ID: CVE-2023-6855
CVSS Score: 5.3 (Medium)
Researcher/s: Webbernaut
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/383c7837-e7b7-4608-9cdc-91b7dbc7f4e2

AI Power: Complete AI Pack – Powered by GPT-4 <= 1.8.1 – Missing Authorization to Sensitive Data Exposure

Affected Software: AI Power: Complete AI Pack – Powered by GPT-4
CVE ID: CVE-2023-51527
CVSS Score: 5.3 (Medium)
Researcher/s: Brandon James Roldan (tomorrowisnew)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3f95c288-7710-46aa-898b-a923afa7a4ab

Database Cleaner <= 0.9.8 – Sensitive Information Exposure via Log File

Affected Software: Database Cleaner: Clean, Optimize & Repair
CVE ID: CVE-2023-51508
CVSS Score: 5.3 (Medium)
Researcher/s: Joshua Chan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4031f857-9712-4f4a-93e8-0b01f9a9c32d

Beaver Builder – WordPress Page Builder <= 2.7.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Beaver Builder – WordPress Page Builder
CVE ID: CVE-2023-50889
CVSS Score: 5.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4a13c7a1-f904-41b1-ab7f-2df95c9b2880

RegistrationMagic <= 5.2.5.0 – IP Spoofing

MC4WP <= 4.9.9 – Missing Authorization via listen

Affected Software: MC4WP: Mailchimp for WordPress
CVE ID: CVE-2023-51682
CVSS Score: 5.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4f289527-3a89-4db9-887d-fb0980848734

Product Catalog Simple <= 1.7.6 – Sensitive Information Exposure via Product CSV

Affected Software: Product Catalog Simple
CVE ID: CVE-2023-51687
CVSS Score: 5.3 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4f4099b3-6c79-42c2-be41-4ad8d73cc2b8

Uncanny Automator <= 5.1.0.2 – Sensitive Information Exposure via Log File

LA-Studio Element Kit for Elementor <= 1.1.5 – Missing Authorization

Affected Software: LA-Studio Element Kit for Elementor
CVE ID: CVE-2023-50884
CVSS Score: 5.3 (Medium)
Researcher/s: thiennv
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/523f7a8a-d06d-4778-be14-d0b7ca32dab3

WooCommerce Canada Post Shipping <= 2.8.3 – Missing Authorization

Affected Software: Woocommerce Shipping Canada Post
CVE ID: CVE-2023-51498
CVSS Score: 5.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/549788e3-e31a-46a6-a2de-361747c98514

Branda <= 3.4.14 – IP Address Spoofing

Affected Software: Branda – White Label WordPress, Custom Login Page Customizer
CVE ID: CVE-2023-51542
CVSS Score: 5.3 (Medium)
Researcher/s: Brandon James Roldan (tomorrowisnew)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/552bc1cc-df98-4608-a50e-db1381ca8e0a

Send Users Email <= 1.4.3 – Sensitive Information Exposure via Error Logs

Affected Software: Send Users Email
CVE ID: CVE-2023-52126
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5d50e9bb-e357-42d3-b131-468511b8e98a

User Feedback <= 1.0.10 – Missing Authorization

Affected Software: User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds
CVE ID: CVE-2023-50887
CVSS Score: 5.3 (Medium)
Researcher/s: Revan Arifio
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/63c7bb29-c8b2-49ee-8ac4-1046b61b7e6a

WooPayments – Fully Integrated Solution Built and Supported by Woo <= 6.6.2 – Unauthenticated Insecure Direct Object Reference

Affected Software: WooPayments – Fully Integrated Solution Built and Supported by Woo
CVE ID: CVE-2023-51503
CVSS Score: 5.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/68f5bc13-b0b2-48b6-82ac-ff02367f4780

404 Solution <= 2.33.0 – Sensitive Information Exposure via Log File

Affected Software: 404 Solution
CVE ID: CVE-2023-52146
CVSS Score: 5.3 (Medium)
Researcher/s: Joshua Chan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/73643d45-9542-4372-a7a2-0a443819b8a2

WP User Profile Avatar <= 1.0.0 – Authenticated (Author+) Insecure Direct Object Reference to Avatar Deletion/Update

Affected Software: WP User Profile Avatar
CVE ID: CVE-2023-6384
CVSS Score: 5.3 (Medium)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/75c325a1-1a88-4b67-a5f8-6307627d8c6a

Awesome Support <= 6.1.5 – Missing Authorization via wpas_load_reply_history

Affected Software: Awesome Support – WordPress HelpDesk & Support Plugin
CVE ID: CVE-2023-51537
CVSS Score: 5.3 (Medium)
Researcher/s: Brandon James Roldan (tomorrowisnew)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7d713de0-40a4-4926-9942-e5e2bf7434c4

RegistrationMagic <= 5.2.5.0 – Form Submission Limit Bypass

Quiz And Survey Master <= 8.1.16 – Missing Authorization

Defender Security <= 4.1.0 – Sensitive Information Exposure via Log File

Affected Software: Defender Security – Malware Scanner, Login Security & Firewall
CVE ID: CVE-2023-51490
CVSS Score: 5.3 (Medium)
Researcher/s: Joshua Chan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/94c8979a-db2e-490f-b055-cdf19a48cf73

Metform Elementor Contact Form Builder <= 3.4.0 – Missing Authorization via submit

Affected Software: Metform Elementor Contact Form Builder
CVE ID: CVE-2023-50903
CVSS Score: 5.3 (Medium)
Researcher/s: Revan Arifio
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a6425d39-cc8b-4130-8f67-2d6de7954934

Affiliates Manager <= 2.9.30 – Sensitive Information Exposure via Log File

Affected Software: Affiliates Manager
CVE ID: CVE-2023-52148
CVSS Score: 5.3 (Medium)
Researcher/s: Joshua Chan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/abc3f352-8568-4649-bf3c-dd0ce0295589

Conversios.io <= 6.5.0 – Missing Authorization

Affected Software: Conversios – Google Analytics 4 (GA4), Meta Pixel & more Via Google Tag Manager For WooCommerce
CVE ID: CVE-2023-51357
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ae007dc0-9ac7-459d-bfe6-bcde87028b14

eCommerce Product Catalog <= 3.3.26 – Sensitive Information Exposure via CSV Files

Affected Software: eCommerce Product Catalog Plugin for WordPress
CVE ID: CVE-2023-51688
CVSS Score: 5.3 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b48b9170-4dd9-4004-a081-488cafbc7597

FastDup <= 2.1.7 – Sensitive Information Exposure via Log File

Affected Software: FastDup – Fastest WordPress Migration & Duplicator
CVE ID: CVE-2023-51406
CVSS Score: 5.3 (Medium)
Researcher/s: Joshua Chan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b8261317-462b-49c5-9526-20b695895e49

All-in-one Floating Contact Form – My Sticky Elements <= 2.1.3 – Missing Authorization

WooCommerce Warranty Requests <= 2.2.7 – Missing Authorization

Affected Software: WooCommerce Warranty Requests
CVE ID: CVE-2023-51495
CVSS Score: 5.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c8970d08-6c75-4dbb-ad24-6d9ba4c07530

Everest Forms <= 2.0.3 – Unauthorized Form Submission via Disabled Forms

BuddyBoss Theme <= 2.4.60 – Missing Authorization

Affected Software: BuddyBoss Theme
CVE ID: CVE-2023-51477
CVSS Score: 5.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ccbeb69e-6476-42a6-86ac-723947c70301

Easy Digital Downloads <= 3.1.5 – Missing Authorization

Affected Software: Easy Digital Downloads – Sell Digital Files (eCommerce Store & Payments Made Easy)
CVE ID: CVE-2023-40005
CVSS Score: 5.3 (Medium)
Researcher/s: Nguyen Anh Tien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/dbce48b2-aa7c-4c92-8df8-ee3a17336e97

Image Source Control <= 2.17.0 – Sensitive Information Exposure via Log File

Affected Software: Image Source Control Lite – Show Image Credits and Captions
CVE ID: CVE-2023-52187
CVSS Score: 5.3 (Medium)
Researcher/s: Joshua Chan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e3b3ce65-b226-4b93-ab0c-984f774454f7

WooCommerce Product Vendors <= 2.2.2 – Missing Authorization

Affected Software: Product Vendors
CVE ID: CVE-2023-52186
CVSS Score: 5.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e4457df6-81ca-4149-bcca-623cff2cbeef

Malware Scanner <= 4.7.1 – IP Spoofing

Affected Software: Malware Scanner
CVE ID: CVE-2023-52176
CVSS Score: 5.3 (Medium)
Researcher/s: Brandon James Roldan (tomorrowisnew)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fb19fd06-7b2c-41a1-a470-230da7ce944d

WooCommerce Product Vendors <= 2.2.1 – Missing Authorization

Affected Software: Product Vendors
CVE ID: CVE-2023-51494
CVSS Score: 5.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fcce0a92-520d-45ac-845e-a1635f763eed

iFrame <= 4.8 – Authenticated (Contributor+) Stored Cross-Site Scripting via srcdoc

Affected Software: iframe
CVE ID: CVE-2023-52125
CVSS Score: 5 (Medium)
Researcher/s: LVT-tholv2k
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/66f392d0-d5fb-4a8c-b972-becfac6cf6e7

Enable Media Replace <= 4.1.4 – Reflected Cross-Site Scripting

Affected Software: Enable Media Replace
CVE ID: CVE-2023-6737
CVSS Score: 4.7 (Medium)
Researcher/s: Nex Team
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c37d8218-6059-46f2-a5d9-d7c22486211e

Menu Image, Icons made easy <= 3.10 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings

Affected Software: Menu Image, Icons made easy
CVE ID: CVE-2023-50826
CVSS Score: 4.4 (Medium)
Researcher/s: emad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0ff001c2-95f9-42a2-b5a3-74937be41756

Ultimate Dashboard <= 3.7.11 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings

Affected Software: Ultimate Dashboard – Custom WordPress Dashboard
CVE ID: CVE-2023-50828
CVSS Score: 4.4 (Medium)
Researcher/s: emad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/10c1b000-537a-4009-a740-19666505989e

Accredible Certificates & Open Badges <= 1.4.8 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings

Affected Software: Accredible Certificates & Open Badges
CVE ID: CVE-2023-50827
CVSS Score: 4.4 (Medium)
Researcher/s: emad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1d5ac3df-ddaf-4c78-acd3-baddea42443f

Photo Gallery by 10Web <= 1.8.18 – Authenticated (Administrator+) Stored Cross-Site Scripting via Widget

Affected Software: Photo Gallery by 10Web – Mobile-Friendly Image Gallery
CVE ID: CVE-2023-6924
CVSS Score: 4.4 (Medium)
Researcher/s: István Márton
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/21b4d1a1-55fe-4241-820c-203991d724c4

Everest Forms <= 2.0.4.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

WP Review Slider <= 12.7 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: WP Review Slider
CVE ID: CVE-2023-51685
CVSS Score: 4.4 (Medium)
Researcher/s: emad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/62233370-3b54-4d89-93e7-07afdae4a413

WP Chat App <= 3.4.4 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: WP Chat App
CVE ID: CVE-2023-51370
CVSS Score: 4.4 (Medium)
Researcher/s: emad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/73232bff-b11a-4580-8cde-5bf085ba749c

weForms – Easy Drag & Drop Contact Form Builder For WordPress <= 1.6.17 – Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: weForms – Easy Drag & Drop Contact Form Builder For WordPress
CVE ID: CVE-2023-50896
CVSS Score: 4.4 (Medium)
Researcher/s: emad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7c44efe0-bdc0-42e0-9bdd-cf25bff1d2d5

Brave Popup Builder <= 0.6.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

Sticky Chat Widget <= 1.1.8 – Authenticated (Administrator+) Stored Cross-Site Scripting

Event Management Tickets Booking <= 1.3.2 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings

Affected Software: Event Monster – Event Management, Tickets Booking, Upcoming Event
CVE ID: CVE-2023-47525
CVSS Score: 4.4 (Medium)
Researcher/s: Jeongwoo-Lee(Roronoa)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8f4f2317-945e-4fd8-8a0b-981b88a8412c

Multi Step Form <= 1.7.13 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Multi Step Form
CVE ID: CVE-2023-50832
CVSS Score: 4.4 (Medium)
Researcher/s: Benmalek Aymen (centaurus)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a5e6b508-35ef-45da-bf17-c038d3b7ce52

Custom Post Carousels with Owl <= 1.4.6 – Authenticated (Editor+) Stored Cross-Site Scripting

Affected Software: Custom Post Carousels with Owl
CVE ID: CVE-2023-51493
CVSS Score: 4.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a89f795d-246d-4a3c-a7a7-5c9867d7a01e

CRM Perks Forms <= 1.1.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: CRM Perks Forms – WordPress Form Builder
CVE ID: CVE-2023-51536
CVSS Score: 4.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ca954d68-18a5-47e2-af56-261c7a55b017

Simple Counter <= 1.0.2 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings

Affected Software: Simple Counter
CVE ID: CVE-2023-50377
CVSS Score: 4.4 (Medium)
Researcher/s: Abu Hurayra (HurayraIIT)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cb4eb28a-3dd5-4d8d-bef0-53cee7285180

WP Edit Username <= 1.0.5 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings

Affected Software: WP Edit Username
CVE ID: CVE-2023-47527
CVSS Score: 4.4 (Medium)
Researcher/s: Jeongwoo-Lee(Roronoa)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f445de97-b6fd-4180-b63e-5b8da40dae6a

Loan Repayment Calculator and Application Form <= 2.9.3 – Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: Loan Repayment Calculator and Application Form
CVE ID: CVE-2023-50829
CVSS Score: 4.4 (Medium)
Researcher/s: DoYeon Park (p6rkdoye0n)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f8756fb7-ee15-4fc7-b5bd-b4f2e64f8e6f

WooCommerce Easy Duplicate Product <= 0.3.0.7 – Missing Authorization via wedp_duplicate_product_action

Affected Software: WooCommerce Easy Duplicate Product
CVE ID: CVE-2023-51523
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/02d11be0-2e2e-4c76-8a8e-f3f637b99809

EnvíaloSimple <= 2.1 – Cross-Site Request Forgery

Affected Software: EnvíaloSimple: Email Marketing y Newsletters
CVE ID: CVE-2023-51416
CVSS Score: 4.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0c533277-5cea-419f-93ec-e510c0fbd75d

Simple Job Board <= 2.10.6 – Cross-Site Request Forgery

Affected Software: Simple Job Board
CVE ID: CVE-2023-52122
CVSS Score: 4.3 (Medium)
Researcher/s: Brandon James Roldan (tomorrowisnew)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/100b6786-7cad-4d65-b457-9beb179e293a

Webba Booking <= 4.5.33 – Cross-Site Request Forgery

Affected Software: Appointment & Event Booking Calendar Plugin – Webba Booking
CVE ID: CVE-2023-51354
CVSS Score: 4.3 (Medium)
Researcher/s: Skalucy
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/12a195a0-f992-462d-9b4e-69e8a2975635

Spam protection, AntiSpam, FireWall by CleanTalk <= 6.20 – Cross-Site Request Forgery via apbct_settings__update_account_email

Affected Software: Spam protection, Anti-Spam, FireWall by CleanTalk
CVE ID: CVE-2023-51696
CVSS Score: 4.3 (Medium)
Researcher/s: Elliot
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/19dd6670-2813-4944-abcd-c26fb9b82092

Custom Twitter Feeds (Tweets Widget) <= 2.1.2 – Cross-Site Request Forgery

Affected Software: Custom Twitter Feeds – A Tweets Widget or X Feed Widget
CVE ID: CVE-2023-52136
CVSS Score: 4.3 (Medium)
Researcher/s: thiennv
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1ab56d29-7e35-4bc3-812e-d82890f60c8e

Republish Old Posts <= 1.21 – Cross-Site Request Forgery via rop_options_page

Affected Software: Republish Old Posts
CVE ID: CVE-2023-52145
CVSS Score: 4.3 (Medium)
Researcher/s: Skalucy
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1e1db52a-3966-4e04-b0ed-08bda9ba1ff6

Advanced Access Manager <= 6.9.18 – Authenticated (Author+) Open Redirect

Affected Software: Advanced Access Manager – Restricted Content, Users & Roles, Enhanced Security and More
CVE ID: CVE-2023-51675
CVSS Score: 4.3 (Medium)
Researcher/s: LVT-tholv2k
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1eb25ef3-28ea-4f8f-932a-e90ca1914e8d

Floating Button <= 6.0 – Cross-Site Request Forgery via process_bulk_action

Affected Software: Floating Button
CVE ID: CVE-2023-52149
CVSS Score: 4.3 (Medium)
Researcher/s: Skalucy
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/20151f80-c25f-482e-a2b0-34607dba9d1e

Rise Blocks – A Complete Gutenberg Page Builder <= 3.1 – Cross-Site Request Forgery

Affected Software: Rise Blocks – A Complete Gutenberg Page Builder
CVE ID: CVE-2023-51378
CVSS Score: 4.3 (Medium)
Researcher/s: emad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2b249842-c480-495a-8eec-6c7d0893ef1c

WP Simple Booking Calendar <= 2.0.8.4 – Cross-Site Request Forgery

Affected Software: WP Simple Booking Calendar
CVE ID: CVE-2023-51525
CVSS Score: 4.3 (Medium)
Researcher/s: Brandon James Roldan (tomorrowisnew)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2f72e5bb-e076-4379-8699-e399761c043f

Icegram <= 3.1.18 – Cross-Site Request Forgery via save_campaign_preview

White Label <= 2.9.0 – Cross-Site Request Forgery via white_label_reset_wl_admins

Ultimate Addons for Beaver Builder <= 1.35.13 – Authenticated (Contributor+) Directory Traversal to Arbitrary File Download

Affected Software: Ultimate Addons for Beaver Builder
CVE ID: CVE-2023-51401
CVSS Score: 4.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/38a5be0c-f905-4e27-b5c3-8c0606d71a61

HUSKY – Products Filter for WooCommerce (formerly WOOF) <= 1.3.4.3 – Cross-Site Request Forgery

Affected Software: HUSKY – Products Filter for WooCommerce Professional
CVE ID: CVE-2023-50861
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3d9179d2-2e90-4de7-8178-073a0ce5865b

Duplicator <= 1.5.7 – Cross-Site Request Forgery via views/tools/diagnostics/information.php

Affected Software: Duplicator – WordPress Migration & Backup Plugin
CVE ID: CVE-2023-51681
CVSS Score: 4.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/416da5d4-3d47-443b-a82c-c059c38f5218

Quiz And Survey Master <= 8.1.18 – Cross-Site Request Forgery

Thrive Automator <= 1.17 – Cross-Site Request Forgery

Affected Software: Thrive Automator
CVE ID: CVE-2023-51531
CVSS Score: 4.3 (Medium)
Researcher/s: Brandon James Roldan (tomorrowisnew)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4d5b1a3d-ce7f-4d5d-b72b-61024d5c5378

Spam protection, AntiSpam, FireWall by CleanTalk <= 6.20 – Cross-Site Request Forgery

Affected Software: Spam protection, Anti-Spam, FireWall by CleanTalk
CVE ID: CVE-2023-51535
CVSS Score: 4.3 (Medium)
Researcher/s: Brandon James Roldan (tomorrowisnew)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4eb4400d-d629-4c88-9ec5-06da9089f6d1

WPC Product Bundles for WooCommerce <= 7.3.1 – Cross-Site Request Forgery

Affected Software: WPC Product Bundles for WooCommerce
CVE ID: CVE-2023-52127
CVSS Score: 4.3 (Medium)
Researcher/s: Brandon James Roldan (tomorrowisnew)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5188dc72-a00d-4a07-b178-3f3ef26d7fc1

GPT3 AI Content Writer <= 1.8.12 – Cross-Site Request Forgery

Affected Software: AI Power: Complete AI Pack – Powered by GPT-4
CVE ID: CVE-2023-51528
CVSS Score: 4.3 (Medium)
Researcher/s: Brandon James Roldan (tomorrowisnew)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5511c5f4-b71c-484b-ab6f-2389a29809cd

Apollo13 Framework Extensions <= 1.9.1 – Cross-Site Request Forgery

Affected Software: Apollo13 Framework Extensions
CVE ID: CVE-2023-51539
CVSS Score: 4.3 (Medium)
Researcher/s: Brandon James Roldan (tomorrowisnew)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/575b51f4-fed4-4057-9e8b-762fda275ef3

WooCommerce Ship to Multiple Addresses <= 3.8.9 – Missing Authorization

Affected Software: WooCommerce Ship to Multiple Addresses
CVE ID: CVE-2023-51497
CVSS Score: 4.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/63ab255f-e061-447b-a2b6-21a85eed9d57

WooCommerce PDF Invoice Builder <= 1.2.101 – Cross-Site Request Forgery

Affected Software: WooCommerce PDF Invoice Builder, Create invoices, packing slips and more
CVE ID: CVE-2023-51486
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/652367a0-fca2-4313-8217-d8811ada0ab5

Paid Member Subscriptions <= 2.10.4 – Cross-Site Request Forgery via ajax_add_log_entry

HT Mega <= 2.3.3 – Cross-Site Request Forgery via Several Functions

Affected Software: HT Mega – Absolute Addons For Elementor
CVE ID: CVE-2023-51529
CVSS Score: 4.3 (Medium)
Researcher/s: Brandon James Roldan (tomorrowisnew)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6f26b04f-2a25-40a6-9b2c-27d9970acb8f

FunnelKit Checkout <= 3.10.3 – Authenticated (Subscriber+) Missing Authorization to Arbitrary Plugin Activation

Affected Software: FunnelKit Checkout
CVE ID: CVE-2023-51670
CVSS Score: 4.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6f789ff9-5d86-4911-8b2f-2a425393c61d

ProfileGrid <= 5.6.6 – Missing Authorization

Affected Software: ProfileGrid – User Profiles, Memberships, Groups and Communities
CVE ID: CVE-2023-52117
CVSS Score: 4.3 (Medium)
Researcher/s: emad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/71fb1cef-6e01-4bd7-b0bc-5d21295f119a

Dynamic Content for Elementor < 2.12.5 – Cross-Site Request Forgery

Affected Software: Dynamic Content for Elementor
CVE ID: CVE-2023-52150
CVSS Score: 4.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/77a85024-33ff-4056-89f6-991182d71b80

Product Filter by WBW <= 2.5.0 – Missing Authorization via getListForTbl

Affected Software: Product Filter by WBW
CVE ID: CVE-2023-50877
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/77acb885-1776-4a74-96d0-4edbf1a92917

Export Media URLs <= 1.0 – Cross-Site Request Forgery

Affected Software: Export Media URLs
CVE ID: CVE-2023-51510
CVSS Score: 4.3 (Medium)
Researcher/s: Skalucy
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7b121abf-3842-43ac-a3dc-bde6d5e0b263

Calculated Fields Form <= 1.2.28 – Authenticated (Contributor+) Open Redirect via Shortcode

Affected Software: Calculated Fields Form
CVE ID: CVE-2023-51517
CVSS Score: 4.3 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/85555a8f-5d23-458d-9166-d30f8f0551e0

Inline Image Upload for BBPress <= 1.1.18 – Cross-Site Request Forgery via hm_bbpui_admin_page

Affected Software: Inline Image Upload for BBPress
CVE ID: CVE-2023-51668
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/86bd6ae1-e74d-4aab-98e1-3c47cb484fe9

WooCommerce Shipping Per Product <= 2.5.4 – Missing Authorization

Affected Software: WooCommerce Per Product Shipping
CVE ID: CVE-2023-51499
CVSS Score: 4.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8b0504f3-f8df-4b37-bafa-5320920e9571

Easy PayPal Buy Now Button <= 1.8.1 – Cross-Site Request Forgery

Affected Software: Easy PayPal & Stripe Buy Now Button
CVE ID: CVE-2023-51683
CVSS Score: 4.3 (Medium)
Researcher/s: LVT-tholv2k
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8f6fd0bb-d37b-40b6-b84e-9b21aae891cc

BulkGate SMS Plugin for WooCommerce <= 3.0.2 – Missing Authorization via Multiple AJAX Actions

Affected Software: BulkGate SMS Plugin for WooCommerce
CVE ID: CVE-2023-51679
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/93e590f8-5f8d-4ee5-bcff-96bcb8daf4b7

FunnelKit Checkout <= 3.10.3 – Authenticated (Subscriber+) Missing Authorization to Settings Change

Affected Software: FunnelKit Checkout
CVE ID: CVE-2023-51671
CVSS Score: 4.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9603e394-b358-4599-8610-ef5737a39de0

Booster Elite for WooCommerce <= 7.1.2 – Authenticated (Subscriber+) Content Injection

Affected Software: Booster Elite for WooCommerce
CVE ID: CVE-2023-51511
CVSS Score: 4.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/995a086a-4795-4092-823c-b941445dc361

MStore API <= 4.10.1 – Cross-Site Request Forgery

Affected Software: MStore API
CVE ID: CVE-2023-50878
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9d32bda7-2d2d-4364-8ac9-e32950f889ed

Add Any Extension to Pages <= 1.4 – Cross-Site Request Forgery via aaetp_options_page

Affected Software: Add Any Extension to Pages
CVE ID: CVE-2023-50873
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9f49e727-cac4-4a46-b649-5ca48d5e2402

Sirv <= 7.1.2 – Missing Authorization via sirv_disconnect

Affected Software: Image Optimizer, Resizer and CDN – Sirv
CVE ID: CVE-2023-50898
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a4a67ec6-ee13-4532-8213-d17dbf5f2c55

Integrate Google Drive <= 1.3.3 – Missing Authorization via save_settings

Anti Hacker <= 4.34 – Cross-Site Request Forgery via antihacker_ajax_scan

Affected Software: Disable Json API, Login Lockdown, XMLRPC, Pingback, Stop User Enumeration Anti Hacker Scan
CVE ID: CVE-2023-50858
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a8ae5712-09a8-45a4-9f79-3e5b7786e652

NEX-Forms – Ultimate Form Builder <= 8.5.2 – Cross-Site Request Forgery

Split Test For Elementor <= 1.6.9 – Cross-Site Request Forgery

Affected Software: Split Test For Elementor
CVE ID: CVE-2023-51407
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/be23388e-9371-4ea0-974b-80f76de90012

GS Logo Slider <= 3.5.1 – Cross-Site Request Forgery

WP Job Portal <= 2.0.6 – Cross-Site Request Forgery

Affected Software: WP Job Portal – A Complete Job Board
CVE ID: CVE-2023-52184
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d0aa1fad-1ff4-4bc5-a584-99b528470990

ProjectHuddle Client Site <= 1.0.34 – Missing Authorization via ph_child_ajax_notice_handler

Affected Software: SureFeedback Client Site
CVE ID: CVE-2023-51376
CVSS Score: 4.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d484500f-c8c1-4278-8a38-82a7fd5674f9

Slider by Soliloquy <= 2.7.2 – Missing Authorization

Affected Software: Slider by Soliloquy – Responsive Image Slider for WordPress
CVE ID: CVE-2023-51519
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d6331b42-f15b-46c6-b8bd-7f65c28c4a12

Awesome Support <= 6.1.5 – Cross-Site Request Forgery

Affected Software: Awesome Support – WordPress HelpDesk & Support Plugin
CVE ID: CVE-2023-51538
CVSS Score: 4.3 (Medium)
Researcher/s: Brandon James Roldan (tomorrowisnew)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d69915e9-af9b-4c07-ac43-21c6e350c3c4

Advanced Category Template <= 0.1 – Cross-Site Request Forgery

Affected Software: Advanced Category Template
CVE ID: CVE-2023-50835
CVSS Score: 4.3 (Medium)
Researcher/s: Skalucy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/da09b158-3626-455b-b3bc-b1109d0fab2e

NitroPack <= 1.10.2 – Cross-Site Request Forgery

Affected Software: NitroPack – Cache & Speed Optimization for Core Web Vitals, Defer CSS & JavaScript, Lazy load Images
CVE ID: CVE-2023-52121
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/daa30370-0d11-45b7-8ca3-b2a3b9046127

Crowdsignal Dashboard – Polls, Surveys & more <= 3.0.11 – Cross-Site Request Forgery via update_rating

Affected Software: Crowdsignal Dashboard – Polls, Surveys & more
CVE ID: CVE-2023-51489
CVSS Score: 4.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e03390e5-5604-4b9d-ab1b-dac2b19270cd

Strong Testimonials <= 3.1.10 – Cross-Site Request Forgery

Affected Software: Strong Testimonials
CVE ID: CVE-2023-52123
CVSS Score: 4.3 (Medium)
Researcher/s: Brandon James Roldan (tomorrowisnew)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e0ccdc0d-7c38-4dd3-be39-2359d63b2b6c

Eazy Plugin Manager <= 4.1.2 – Missing Authorization via update_options

Affected Software: Eazy Plugin Manager – Powerful Plugin Management Solution for WordPress
CVE ID: CVE-2023-51482
CVSS Score: 4.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e214fadf-73fd-430f-8608-6630ce82b78c

Ultimate Addons for WPBakery <= 3.19.17 – Cross-Site Request Forgery

Affected Software: Ultimate Addons for WPBakery
CVE ID: CVE-2023-51402
CVSS Score: 4.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ece4eca1-9dc1-4f17-92e4-8b2e3e1a7306

Product Table by WBW <= 1.8.6 – Cross-Site Request Forgery via saveGroup

Affected Software: Product Table by WBW
CVE ID: CVE-2023-51512
CVSS Score: 4.3 (Medium)
Researcher/s: Skalucy
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/eff03dbc-1bb7-4a72-b57c-f1bde966c286

Customize My Account for WooCommerce <= 1.8.3 – Cross-Site Request Forgery via restore_my_account_tabs

Affected Software: Customize My Account for WooCommerce
CVE ID: CVE-2023-51369
CVSS Score: 4.3 (Medium)
Researcher/s: thiennv
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f79f9385-f8d1-44a0-9e53-7576a9453163

Product Feed Manager <= 7.3.15 – Authenticated (Admin+) Directory Traversal

As a reminder, Wordfence has curated an industry-leading vulnerability database, Wordfence Intelligence, covering all known WordPress core, theme, and plugin vulnerabilities.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, direct submissions from vulnerability researchers via our CVE Request form, and monitoring of a variety of sources to capture all publicly available WordPress vulnerability information, adding additional context where we can.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (December 18, 2023 to December 31, 2023) appeared first on Wordfence.