Wordfence Intelligence Weekly WordPress Vulnerability Report (November 27, 2023 to December 3, 2023)

Wordfence just launched its bug bounty program. Through December 20th 2023, all researchers will earn 6.25x our normal bounty rates when Wordfence handles responsible disclosure for our Holiday Bug Extravaganza! Register as a researcher and submit your vulnerabilities today!

Last week, there were 124 vulnerabilities disclosed in 123 WordPress Plugins and 2 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 39 Vulnerability Researchers who contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Alternatively, they can use the Vulnerability Database API to receive a complete dump of our database of over 12,000 vulnerabilities and then use the webhook integration to stay on top of the newest vulnerabilities added in real time, as well as any updates made to the database, all for free.

Click here to sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following in real-time to our Premium, Care, and Response customers last week:

wp-autoload.php backdoor – while we typically write firewall rules for vulnerabilities, in this case we wrote a firewall rule to block successful exploitation of this piece of malware, which we wrote about here.
Backup Migration <= 1.3.6 – Unauthenticated Arbitrary File Download to Sensitive Information Exposure

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30-day delay.

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status / Number of Vulnerabilities
Unpatched: 66
Patched: 58

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating / Number of Vulnerabilities
Low Severity: 0
Medium Severity: 113
High Severity: 10
Critical Severity: 1

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE / Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’): 53
Missing Authorization: 24
Cross-Site Request Forgery (CSRF): 21
Information Exposure: 7
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’): 4
Unrestricted Upload of File with Dangerous Type: 3
Server-Side Request Forgery (SSRF): 2
Incorrect Authorization: 1
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’): 1
Authorization Bypass Through User-Controlled Key: 1
Guessable CAPTCHA: 1
Use of Less Trusted Source: 1
Protection Mechanism Failure: 1
Improper Access Control: 1
Improper Authorization: 1
Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’): 1
Reliance on Untrusted Inputs in a Security Decision: 1

Researchers That Contributed to WordPress Security Last Week

Researcher Name / Number of Vulnerabilities
Rafie Muhammad: 9
Abdi Pranata: 8
emad: 7
Mika: 7
DoYeon Park (p6rkdoye0n): 6
Ngô Thiên An (ancorn_): 6
Joshua Chan: 5
Le Ngoc Anh: 4
LEE SE HYOUNG: 4
qilin_99: 4
LVT-tholv2k: 4
Rafshanzani Suhada: 3
Vladislav Pokrovsky (ΞX.MI): 3
Abu Hurayra (HurayraIIT): 3
Skalucy: 3
resecured.io: 2
Revan Arifio: 2
Francesco Carlucci: 2
yuyudhn: 2
István Márton (Wordfence Vulnerability Researcher): 2
thiennv: 2
Elliot: 2
SeungYongLee: 2
Phd: 2
Abdullah Hussam: 1
Sebastian Neef: 1
Yudistira Arya: 1
Nguyen Xuan Chien: 1
Brandon James Roldan (tomorrowisnew): 1
Alex Thomas (Wordfence Vulnerability Researcher): 1
Shahzaib Ali Khan: 1
Dmitrii Ignatyev: 1
Bob Matyas: 1
Krzysztof Zając: 1
Truoc Phan: 1
Dave Jong: 1
Nguyen Anh Tien: 1
Yuchen Ji: 1
Arvandy: 1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added to the Wordfence Intelligence leaderboard, along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name [Software Slug]
12 Step Meeting List [12-step-meeting-list]
360 Javascript Viewer [360deg-javascript-viewer]
AMP for WP – Accelerated Mobile Pages [accelerated-mobile-pages]
Abandoned Cart Lite for WooCommerce [woocommerce-abandoned-cart]
AdFoxly – Ad Manager, AdSense Ads & Ads.txt [adfoxly]
Add to Cart Text Changer and Customize Button, Add Custom Icon [woo-add-to-cart-text-change]
Ads by datafeedr.com [ads-by-datafeedrcom]
Affiliate Booster – Pros & Cons, Notice, and CTA Blocks for Affiliates [affiliatebooster-blocks]
Antispam Bee [antispam-bee]
Aparat [aparat]
Aruba HiSpeed Cache [aruba-hispeed-cache]
Author Box, Guest Author and Co-Authors for Your Posts – Molongui [molongui-authorship]
Automatic Youtube Video Posts Plugin [automatic-youtube-video-posts]
BSK Forms Blacklist [bsk-gravityforms-blacklist]
Backup Migration [backup-backup]
Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss [bp-better-messages]
BigCommerce For WordPress [bigcommerce]
BookingPress – Appointment Booking Calendar Plugin and Online Scheduling Plugin [bookingpress-appointment-booking]
BrainCert – HTML5 Virtual Classroom [html5-virtual-classroom]
Bravo Translate [bravo-translate]
Button Generator – easily Button Builder [button-generation]
CF7 Google Sheets Connector [cf7-google-sheets-connector]
Campaign Monitor for WordPress [forms-for-campaign-monitor]
Chartify – WordPress Chart Plugin [chart-builder]
Chat Bubble – Floating Chat with Contact Chat Icons, Messages, Telegram, Email, SMS, Call me back [chat-bubble]
Client Dash [client-dash]
Coming soon and Maintenance mode [coming-soon-page]
CommentLuv [commentluv]
Contact Form 7 [contact-form-7]
Contact Form – Custom Builder, Payment Form, and More [powr-pack]
Credit Tracker [credit-tracker]
Crypto Converter Widget [crypto-converter-widget]
Currency Converter Calculator [currency-converter-calculator]
Database for CF7 [database-for-cf7]
Debug Log Manager [debug-log-manager]
Delete Post Revisions In WordPress [delete-post-revisions-on-single-click]
Doofinder WP & WooCommerce Search [doofinder-for-woocommerce]
Ecwid Ecommerce Shopping Cart [ecwid-shopping-cart]
Email Address Encoder [email-address-encoder]
Enhanced Text Widget [enhanced-text-widget]
Event post [event-post]
Evergreen Content Poster – Auto Post and Schedule Your Best Content to Social Media [evergreen-content-poster]
Export WP Page to Static HTML/CSS [export-wp-page-to-static-html]
File Gallery [file-gallery]
Form builder to get in touch with visitors, grow your email list and collect payments — Happyforms [happyforms]
Forms by CaptainForm – Form Builder for WordPress [captainform]
Formzu WP [formzu-wp]
GDPR Cookie Consent by Supsystic [gdpr-compliance-by-supsystic]
Gift Up Gift Cards for WordPress and WooCommerce [gift-up]
GoDaddy Email Marketing [godaddy-email-marketing-sign-up-forms]
Guest Author [guest-author]
HDW Player Plugin (Video Player & Video Gallery) [hdw-player-video-player-video-gallery]
HUSKY – Products Filter for WooCommerce Professional [woocommerce-products-filter]
Hubbub Lite (formerly Grow Social) [social-pug]
IdeaPush [ideapush]
Importify – Dropshipping WooCommerce Plugin for Aliexpress, Amazon, Etsy, Alibaba, Walmart & More [importify]
Innovs HR – Complete Human Resource Management System for Your Business [innovs-hr-manager]
JetBlocks for Elementor [jet-blocks]
JetBlog for Elementor [jet-blog]
JetCompareWishlist for Elementor [jet-compare-wishlist]
JetElements [jet-elements]
JetEngine [jet-engine]
JetFormBuilder — Dynamic Blocks Form Builder [jetformbuilder]
JetMenu for Elementor [jet-menu]
JetPopup [jet-popup]
JetProductGallery [jet-woo-product-gallery]
JetReviews for Elementor [jet-reviews]
JetSearch [jet-search]
JetSmartFilters for Elementor [jet-smart-filters]
JetTabs for Elementor [jet-tabs]
JetThemeCore for Elementor [jet-theme-core]
JetTricks for Elementor [jet-tricks]
JetWooBuilder for Elementor [jet-woo-builder]
KP Fastest Tawk.to Chat [kp-fastest-tawk-to-chat]
LadiApp: Landing Page, PopupX, Marketing Automation, Affiliate Marketing… [ladipage]
List all posts by Authors, nested Categories and Titles [list-all-posts-by-authors-nested-categories-and-titles]
MSync [msync]
Media File Renamer: Rename Files (Manual, Auto & AI) [media-file-renamer]
MkRapel Regiones y Ciudades de Chile para WC [wc-ciudades-y-regiones-de-chile]
Mollie Payments for WooCommerce [mollie-payments-for-woocommerce]
Multiple Post Passwords [multiple-post-passwords]
MyTube PlayList [mytube]
Nested Pages [wp-nested-pages]
NextScripts: Social Networks Auto-Poster [social-networks-auto-poster-facebook-twitter-g]
Ocean Extra [ocean-extra]
Page Builder: Pagelayer – Drag and Drop website builder [pagelayer]
Parallax Slider Block [parallax-slider-block]
Participants Database [participants-database]
Perfect Images (Manage Image Sizes, Thumbnails, Replace, Retina) [wp-retina-2x]
PowerPack Pro for Elementor [powerpack-elements]
Prevent Landscape Rotation [prevent-landscape-rotation]
Product Size Chart For WooCommerce [product-size-chart-for-woo]
Qode Essential Addons [qode-essential-addons]
Quotes for WooCommerce [quotes-for-woocommerce]
Razorpay for WooCommerce [woo-razorpay]
RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login [custom-registration-form-builder-with-submission-manager]
Related Post [related-post]
Responsive Lightbox & Gallery [responsive-lightbox]
SchedulePress – Best Editorial Calendar, Missed Schedule & Auto Social Share [wp-scheduled-posts]
Seraphinite Accelerator [seraphinite-accelerator]
Sign In Scheduling Online Appointment Booking System [10to8-online-booking]
Simple Long Form [simple-long-form]
Site Offline Or Coming Soon Or Maintenance Mode [site-offline]
SiteOrigin Widgets Bundle [so-widgets-bundle]
Social Share Buttons & Analytics Plugin – GetSocial.io [wp-share-buttons-analytics-by-getsocial]
SoundCloud Shortcode [soundcloud-shortcode]
SpeedyCache – Cache, Optimization, Performance [speedycache]
Spiffy Calendar [spiffy-calendar]
Swift Performance Lite [swift-performance-lite]
Track Geolocation Of Users Using Contact Form 7 [track-geolocation-of-users-using-contact-form-7]
UPS, Mondial Relay & Chronopost for WooCommerce – WCMultiShipping [wc-multishipping]
WP Catalogue [wp-catalogue]
WP CleanFix [wp-cleanfix]
WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce [wp-event-manager]
WP Forms Puzzle Captcha [wp-forms-puzzle-captcha]
WP Pocket URLs [wp-pocket-urls]
WP Shortcodes Plugin — Shortcodes Ultimate [shortcodes-ultimate]
WordPress Brute Force Protection – Stop Brute Force Attacks [guardgiant]
YASR – Yet Another Star Rating Plugin for WordPress [yet-another-stars-rating]
affiliate-toolkit – WordPress Affiliate Plugin [affiliate-toolkit-starter]
canvasio3D Light [canvasio3d-light]
teachPress [teachpress]
which template file [which-template-file]

WordPress Themes with Reported Vulnerabilities Last Week

Software Name [Software Slug]
adifier [adifier]
restricted-site-access [restricted-site-access]

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

HUSKY – Products Filter for WooCommerce (formerly WOOF) <= 1.3.4.2 – Unauthenticated SQL Injection via search terms

Affected Software: HUSKY – Products Filter for WooCommerce Professional
CVE ID: CVE-2023-40010
CVSS Score: 9.8 (Critical)
Researcher/s: Nguyen Anh Tien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b905b8ec-d13d-4455-9c5f-61aaa09d75ba

JetEngine <= 3.2.4 – Authenticated (Contributor+) Privilege Escalation

Affected Software: JetEngine
CVE ID: CVE-2023-48757
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ad66015d-7831-4590-9583-3abf7ca43c3b

CommentLuv <= 3.0.4 – Server Side Request Forgery via do_click

Affected Software: CommentLuv
CVE ID: CVE-2023-49159
CVSS Score: 8.2 (High)
Researcher/s: Yuchen Ji
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/eeef2a59-47a1-4d8d-b815-8c74cc608e6c

Backup Migration <= 1.3.6 – Unauthenticated Arbitrary File Download to Sensitive Information Exposure

Affected Software: Backup Migration
CVE ID: CVE-2023-6266
CVSS Score: 7.5 (High)
Researcher/s: Rafshanzani Suhada
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/08801f53-3c57-41a3-a637-4b52637cc612

CF7 Google Sheets Connector <= 5.0.5 – Unauthenticated Sensitive Information Exposure via Debug Log

Affected Software: CF7 Google Sheets Connector
CVE ID: CVE-2023-44989
CVSS Score: 7.5 (High)
Researcher/s: Joshua Chan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fad510b7-85f4-4cae-aaf0-eb68a32cf1b4

Multiple Plugins by Crocoblock <= (Various Versions) – Missing Authorization to Unauthenticated Unauthorized Action

MSync <= 1.0.0 – Authenticated (Administrator+) SQL Injection

Affected Software: MSync
CVE ID: CVE-2023-49166
CVSS Score: 7.2 (High)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1f37ed0e-3e03-4f00-9967-16047beab1cf

Mollie Payments for WooCommerce <= 7.3.11 – Authenticated (Shop Manager+) Arbitrary File Upload

Affected Software: Mollie Payments for WooCommerce
CVE ID: CVE-2023-6090
CVSS Score: 7.2 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5d350095-125a-4445-89c1-bce437e4098c

BookingPress <= 1.0.76 – Authenticated (Administrator+) Arbitrary File Upload

Affected Software: BookingPress – Appointment Booking Calendar Plugin and Online Scheduling Plugin
CVE ID: CVE-2023-6219
CVSS Score: 7.2 (High)
Researcher/s: István Márton
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/710b8e4e-01de-4e99-8cf2-31abc2419b29

JetEngine <= 3.2.4 – Missing Authorization

Affected Software: JetEngine
CVE ID: CVE-2023-48758
CVSS Score: 7.1 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3f2c97f4-0a6e-4693-a6c8-bd81ca76988c

WP Cleanfix <= 5.5.0 – Missing Authorization via register

Affected Software: WP CleanFix
CVE ID: CVE-2023-48775
CVSS Score: 7.1 (High)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/57896fa8-9360-41e8-a60e-8b95d01c25ac

WordPress Brute Force Protection – Stop Brute Force Attacks <= 2.2.5 – Authenticated (Administrator+) SQL Injection via orderby

Affected Software: WordPress Brute Force Protection – Stop Brute Force Attacks
CVE ID: CVE-2023-48764
CVSS Score: 6.6 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0d3f7676-5ab0-4fe0-a0be-786f4cf84056

Contact Form 7 <= 5.8.3 – Authenticated (Editor+) Arbitrary File Upload

Affected Software: Contact Form 7
CVE ID: CVE-2023-6449
CVSS Score: 6.6 (Medium)
Researcher/s: István Márton
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5d7fb020-6acb-445e-a46b-bdb5aaf8f2b6

Bravo Translate <= 1.2 – Authenticated (Administrator+) SQL Injection

Affected Software: Bravo Translate
CVE ID: CVE-2023-49161
CVSS Score: 6.6 (Medium)
Researcher/s: Arvandy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f256518c-9a3e-4e6e-8d49-d309e397c14d

Chat Bubble <= 2.3 – Cross-Site Request Forgery via cbb_submit_settings_data

Prevent Landscape Rotation <= 2.0 – Cross-Site Request Forgery via adminpage.php

Affected Software: Prevent Landscape Rotation
CVE ID: CVE-2023-48772
CVSS Score: 6.5 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4235f279-0975-4814-b156-b45b011e3ce6

Database for CF7 <= 1.2.4 – Missing Authorization via wpcf7db_delete AJAX action

Affected Software: Database for CF7
CVE ID: CVE-2023-49167
CVSS Score: 6.5 (Medium)
Researcher/s: Vladislav Pokrovsky (ΞX.MI)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4fcaab95-7940-45f9-a3c2-c3b0dc540b61

MkRapel Regiones y Ciudades de Chile para WC <= 4.3.0 – Cross-Site Request Forgery via multiple functions

Affected Software: MkRapel Regiones y Ciudades de Chile para WC
CVE ID: CVE-2023-48781
CVSS Score: 6.5 (Medium)
Researcher/s: qilin_99
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/70bac5e0-8182-426c-94da-e6832af8c487

Product Size Chart For WooCommerce <= 1.1.5 – Cross-Site Request Forgery via get_save_option

Affected Software: Product Size Chart For WooCommerce
CVE ID: CVE-2023-48778
CVSS Score: 6.5 (Medium)
Researcher/s: qilin_99
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7e15f804-f5a9-4e29-8aeb-4ba2b116dc46

Guest Author <= 2.3 – Authenticated Stored Cross-Site Scripting

Affected Software: Guest Author
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0b7d7b64-8194-4b81-83f5-1f3b23109455

Powr Pack <= 2.1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Affected Software: Contact Form – Custom Builder, Payment Form, and More
CVE ID: CVE-2023-45609
CVSS Score: 6.4 (Medium)
Researcher/s: resecured.io
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0e67ce3b-144f-4ce1-b658-47d865312c6a

Responsive Lightbox <= 2.4.5 – Authenticated (Author+) Stored Cross-Site Scripting via name

Affected Software: Responsive Lightbox & Gallery
CVE ID: CVE-2023-49174
CVSS Score: 6.4 (Medium)
Researcher/s: emad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4b60c1e2-5a4b-4a7a-8224-f1afd3888e08

12 Step Meeting List <= 3.14.24 – Authenticated (Contributor+) Server-Side Request Forgery

Affected Software: 12 Step Meeting List
CVE ID: CVE-2023-46641
CVSS Score: 6.4 (Medium)
Researcher/s: Shahzaib Ali Khan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4d6e9cb0-6b90-4a5b-8626-0b3f378fbc92

WP Shortcodes Plugin — Shortcodes Ultimate <= 5.13.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: WP Shortcodes Plugin — Shortcodes Ultimate
CVE ID: CVE-2023-6225
CVSS Score: 6.4 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/558e36f6-4678-46a2-8154-42770fbb5574

WP Catalogue <= 1.7.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Affected Software: WP Catalogue
CVE ID: CVE-2023-48780
CVSS Score: 6.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5684d4b7-8a3e-47ee-9d7b-195cb5db9a66

Ads by datafeedr.com <= 1.2.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Ads by datafeedr.com
CVE ID: CVE-2023-49169
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/61c71bbf-ddae-4f35-ac8d-9753fb3fb67f

Event post <= 5.8.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Affected Software: Event post
CVE ID: CVE-2023-49179
CVSS Score: 6.4 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6a92b96b-ecbc-4414-8e42-04b5c3a02131

Formzu WP <= 1.6.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via id

Affected Software: Formzu WP
CVE ID: CVE-2023-49160
CVSS Score: 6.4 (Medium)
Researcher/s: resecured.io
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7ee73abf-0ab8-48ab-bd94-18ed66f877fd

Accelerated Mobile Pages <= 1.0.88.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Affected Software: AMP for WP – Accelerated Mobile Pages
CVE ID: CVE-2023-48321
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/983e8ec0-fec4-4420-8ef6-6bf43881f5f1

Currency Converter Calculator <= 1.3.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Affected Software: Currency Converter Calculator
CVE ID: CVE-2023-49149
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9a423266-89e1-422d-b1e3-6368051eb2fe

10to8 Online Appointment Booking System <= 1.0.9 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Affected Software: Sign In Scheduling Online Appointment Booking System
CVE ID: CVE-2023-49173
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9fbb5ed0-ed76-44fe-88c4-eb05ad87e510

BP Better Messages <= 2.4.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Email Address Encoder 1.0.22 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Email Address Encoder
CVE ID: CVE-2023-48765
CVSS Score: 6.4 (Medium)
Researcher/s: LVT-tholv2k
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ab5b7dc4-113d-4f58-956e-2a9284e1e25e

Parallax Slider Block <= 1.2.4 – Authenticated (Author+) Stored Cross-Site Scripting

Affected Software: Parallax Slider Block
CVE ID: CVE-2023-49184
CVSS Score: 6.4 (Medium)
Researcher/s: emad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ae3974e6-cba1-4976-a6af-9e60557cfde8

Credit Tracker <= 1.1.17 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Credit Tracker
CVE ID: CVE-2023-49152
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b611f3ba-ac36-49fc-a75f-10003c5ca955

Crypto Converter Widget <= 1.8.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Crypto Converter Widget
CVE ID: CVE-2023-49150
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d621869c-31f7-4243-9815-f6d1bbe469e2

Aparat <= 1.7.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Aparat
CVE ID: CVE-2023-48770
CVSS Score: 6.4 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e6d14dd6-ff1c-475b-8cff-efc7736124b4

Related Post <= 2.0.53 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Related Post
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f08ca5e3-8b48-4333-9c42-cc103d40394c

Spiffy Calendar <= 4.9.5 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Spiffy Calendar
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f433edb4-a8df-4548-a401-0089b605bbe5

Multiple Plugins by Crocoblock <= (Various Versions) – Missing Authorization

File Gallery <= 1.8.5.4 – Reflected Cross-Site Scripting via post_id

Affected Software: File Gallery
CVE ID: CVE-2023-48771
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0b51caf3-eff4-491f-b354-7d8939548a64

affiliate-toolkit – WordPress Affiliate Plugin <= 3.4.3 – Reflected Cross-Site Scripting via keyword

Affected Software: affiliate-toolkit – WordPress Affiliate Plugin
CVE ID: CVE-2023-46086
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0f45738b-fff6-438e-8870-508c622c1752

NextScripts <= 4.4.2 – Reflected Cross-Site Scripting via code

Affected Software: NextScripts: Social Networks Auto-Poster
CVE ID: CVE-2023-49183
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/15f00b65-8304-4132-a2cf-8145444ecfb1

Adifier (Premium Theme) < 3.1.4 – Reflected Cross-Site Scripting

Affected Software: adifier
CVE ID: CVE-2023-49187
CVSS Score: 6.1 (Medium)
Researcher/s: Vladislav Pokrovsky (ΞX.MI)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2250d512-dfe0-47d3-a61f-4e501d105f30

JetBlocks For Elementor <= 1.3.8 – Reflected Cross-Site Scripting

Affected Software: JetBlocks for Elementor
CVE ID: CVE-2023-48756
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2614ca26-6efc-49f5-8cee-5b078721acc1

WP Forms Puzzle Captcha <= 4.1 – Cross-Site Request Forgery to Cross-Site Scripting

Affected Software: WP Forms Puzzle Captcha
CVE ID: CVE-2023-48278
CVSS Score: 6.1 (Medium)
Researcher/s: qilin_99
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2f34854a-5ca1-48a3-81d5-80f80f3a85fc

PowerPack Pro for Elementor <= 2.9.23 – Reflected Cross-Site Scripting

Affected Software: PowerPack Pro for Elementor
CVE ID: CVE-2023-49739
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2feabc97-0463-4e50-91a8-234445ca2504

MyTube PlayList <= 2.0.3 – Reflected Cross-Site Scripting via addplaylistid

Affected Software: MyTube PlayList
CVE ID: CVE-2023-48767
CVSS Score: 6.1 (Medium)
Researcher/s: Abu Hurayra (HurayraIIT)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/523cfed4-0422-40f3-8d81-d7862bcb1792

Seraphinite Accelerator <= 2.20.28 – Reflected Cross-Site Scripting via rt

Affected Software: Seraphinite Accelerator
CVE ID: CVE-2023-49740
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/53356d15-8db0-4015-addf-9bf66446e81f

List all posts by Authors, nested Categories and Title <= 2.7.10 – Cross-Site Scripting

Affected Software: List all posts by Authors, nested Categories and Titles
CVE ID: CVE-2023-49182
CVSS Score: 6.1 (Medium)
Researcher/s: Skalucy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6b84df5b-ff93-43b3-b9e4-cf963cf2af10

BrainCert – HTML5 Virtual Classroom <= 1.30 – Reflected Cross-Site Scripting

Affected Software: BrainCert – HTML5 Virtual Classroom
CVE ID: CVE-2023-49172
CVSS Score: 6.1 (Medium)
Researcher/s: Abu Hurayra (HurayraIIT)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/76b3b5b7-fefe-44fb-a30e-c55226d4aaea

HDW Player Plugin (Video Player & Video Gallery) <= 5.0 – Cross-Site Scripting

Affected Software: HDW Player Plugin (Video Player & Video Gallery)
CVE ID: CVE-2023-49178
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/778aa2be-ffcb-4d28-9efe-c29c8d5391bd

Forms by CaptainForm <= 2.5.3 – Reflected Cross-Site Scripting via REQUEST_URI

Affected Software: Forms by CaptainForm – Form Builder for WordPress
CVE ID: CVE-2023-49170
CVSS Score: 6.1 (Medium)
Researcher/s: Abu Hurayra (HurayraIIT)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7f690ea9-b773-49d4-9fa4-2a8bb7593d62

WP Pocket URLs <= 1.0.2 – Reflected Cross-Site Scripting

Affected Software: WP Pocket URLs
CVE ID: CVE-2023-49176
CVSS Score: 6.1 (Medium)
Researcher/s: SeungYongLee
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8a22873f-6f09-4183-92c5-a84e0d378920

Campaign Monitor for WordPress <= 2.8.12 – Reflected Cross-Site Scripting

Affected Software: Campaign Monitor for WordPress
CVE ID: CVE-2023-38474
CVSS Score: 6.1 (Medium)
Researcher/s: Phd
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a4d7cab5-1641-4ed3-92c7-ad7594dcb74b

which template file <= 4.9.0 – Unauthenticated Cross-Site Scripting

Affected Software: which template file
CVE ID: CVE-2023-49177
CVSS Score: 6.1 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/be3208c8-aceb-4ac9-91e1-d5de5a85f74d

Doofinder for WooCommerce <= 2.1.4 – Reflected Cross-Site Scripting

Affected Software: Doofinder WP & WooCommerce Search
CVE ID: CVE-2023-49185
CVSS Score: 6.1 (Medium)
Researcher/s: Phd
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e46a2031-e304-43fb-85bf-ec9abf0b2f90

Innovs HR <= 1.0.3.4 – Reflected Cross-Site Scripting

Affected Software: Innovs HR – Complete Human Resource Management System for Your Business
CVE ID: CVE-2023-49171
CVSS Score: 6.1 (Medium)
Researcher/s: SeungYongLee
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f43b5c02-fb10-48f1-9457-f67c5008fe5b

Happyforms <= 1.25.9 – Reflected Cross-Site Scripting

SiteOrigin Widgets Bundle < 1.51.0 – Authenticated (Admin+) Local File Inclusion

Affected Software: SiteOrigin Widgets Bundle
CVE ID: CVE-2023-6295
CVSS Score: 5.9 (Medium)
Researcher/s: Sebastian Neef
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1dbdc673-b0ee-4d1d-8cd9-603056f41cda

Automatic Youtube Video Posts Plugin <= 5.2.2 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings

Affected Software: Automatic Youtube Video Posts Plugin
CVE ID: CVE-2023-49180
CVSS Score: 5.5 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6a595b3c-2b21-43fe-8d4e-6721f4541c9b

Client Dash <= 2.2.1 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings

Affected Software: Client Dash
CVE ID: CVE-2023-49165
CVSS Score: 5.5 (Medium)
Researcher/s: emad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7f8839cf-9e48-4981-8a0d-bb0c06cdf441

WP Event Manager <= 3.1.39 – Authenticated (Editor+) Stored Cross-Site Scripting

Affected Software: WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce
CVE ID: CVE-2023-49181
CVSS Score: 5.5 (Medium)
Researcher/s: emad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f25b2a4b-d863-4f24-ae67-4c8e41602c6f

Download canvasio3D Light <= 2.4.6 – Missing Authorization

Affected Software: canvasio3D Light
CVE ID: CVE-2023-48776
CVSS Score: 5.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/11795557-74c0-469a-9751-adc759f9214b

Export WP Page to Static HTML/CSS <= 2.1.9 – Missing Authorization via Multiple AJAX Actions

Affected Software: Export WP Page to Static HTML/CSS
CVE ID: CVE-2023-6369
CVSS Score: 5.4 (Medium)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/47cb48aa-b556-4f25-ac68-ff0a812972c1

Abandoned Cart Lite for WooCommerce <= 5.16.1 – Missing Authorization via multiple AJAX functions

Affected Software: Abandoned Cart Lite for WooCommerce
CVE ID: CVE-2023-41671
CVSS Score: 5.4 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/51cfe955-f854-4f88-a009-93f92ae13d86

Chronopost & Mondial relay pour WooCommerce – WCMultiShipping <= 2.3.7 – Incorrect Authorization

Affected Software: UPS, Mondial Relay & Chronopost for WooCommerce – WCMultiShipping
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/16a3469d-6264-4ed7-b6ae-fdd7a80c8ca5

Abandoned Cart Lite for WooCommerce <= 5.16.1 – Cross-Site Request Forgery

Affected Software: Abandoned Cart Lite for WooCommerce
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1ce1316b-674a-4436-968f-9ffca4e8f726

Social Pug <= 1.20.3 – Missing Authorization via multiple admin_init actions

Affected Software: Hubbub Lite (formerly Grow Social)
CVE ID: CVE-2023-49193
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/22b17fcb-0c97-462d-b67c-6da2919478d5

Enhanced Text Widget <= 1.6.2 – Missing Authorization via etw_hide_admin_notification_callback

Affected Software: Enhanced Text Widget
CVE ID: CVE-2023-49192
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/25122475-fc2c-4a8c-90d3-f4a85fb3a8cc

360 Javascript Viewer <= 1.7.11 – Missing Authorization

Affected Software: 360 Javascript Viewer
CVE ID: CVE-2023-48779
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/25a8169d-1057-4cf2-9048-fb85f62d6ead

Yet Another Stars Rating <= 3.4.3 – Missing Authorization via init

Affected Software: YASR – Yet Another Star Rating Plugin for WordPress
CVE ID: CVE-2023-39305
CVSS Score: 5.3 (Medium)
Researcher/s: Revan Arifio
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/395b016f-018c-458d-a585-34f3de3eae5c

PageLayer <= 1.7.7 – Cross-Site Request Forgery via pagelayer_load_plugin

Affected Software: Page Builder: Pagelayer – Drag and Drop website builder
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3a0c8ecc-f0a1-41fa-a5f7-2d65d610efc0

Participants Database <= 2.5.5 – Missing Authorization

Affected Software: Participants Database
CVE ID: CVE-2023-48751
CVSS Score: 5.3 (Medium)
Researcher/s: Yudistira Arya
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3cd2b2ba-c4ec-4799-91b4-b38c462baee4

WP Retina 2x <= 6.4.5 – Sensitive Information Exposure

Affected Software: Perfect Images (Manage Image Sizes, Thumbnails, Replace, Retina)
CVE ID: CVE-2023-44982
CVSS Score: 5.3 (Medium)
Researcher/s: Joshua Chan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/52c2aae5-17c2-45eb-b55f-bb27555fb1f7

WP Forms Puzzle Captcha <= 4.1 – Captcha Bypass

Affected Software: WP Forms Puzzle Captcha
CVE ID: CVE-2023-48276
CVSS Score: 5.3 (Medium)
Researcher/s: qilin_99
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/58502e48-c1cf-4b94-954c-71046256c917

Media File Renamer <= 5.6.9 – Sensitive Information Exposure via Log File

Affected Software: Media File Renamer: Rename Files (Manual, Auto & AI)
CVE ID: CVE-2023-44991
CVSS Score: 5.3 (Medium)
Researcher/s: Joshua Chan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/71e55161-f5ad-44e5-8a61-ce48c05e6dba

Aruba HiSpeed Cache <= 2.0.6 – Sensitive Information Exposure via Log File

Affected Software: Aruba HiSpeed Cache
CVE ID: CVE-2023-44983
CVSS Score: 5.3 (Medium)
Researcher/s: Joshua Chan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7391dd8c-0170-48c6-8451-9e7a00e268d0

Button Generator – easily Button Builder <= 2.3.8 – Missing Authorization

Affected Software: Button Generator – easily Button Builder
CVE ID: CVE-2023-49154
CVSS Score: 5.3 (Medium)
Researcher/s: Elliot
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/73dd286e-5338-42d2-9928-1e14150ccf56

Restricted Site Access <= 7.4.1 – IP Spoofing to Protection Mechanism Bypass

Affected Software: restricted-site-access
CVE ID: CVE-2023-48753
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/804169d3-a53a-42ba-821d-e9647ac075c4

Importify <= 1.0.4 – Unauthenticated Sensitive Information Exposure

Affected Software: Importify – Dropshipping WooCommerce Plugin for Aliexpress, Amazon, Etsy, Alibaba, Walmart & More
CVE ID: CVE-2023-49194
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/830ff660-0265-46e5-8d16-ecd03cdf9f52

Swift Performance Lite <= 2.3.6.14 – Missing Authorization to Unauthenticated Settings Export

Affected Software: Swift Performance Lite
CVE ID: CVE-2023-6289
CVSS Score: 5.3 (Medium)
Researcher/s: Krzysztof Zając
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8321f68f-da2d-4382-979d-54008de2cae7

Gift Up 2.21.3 – Cross-Site Request Forgery via consume_post

Affected Software: Gift Up Gift Cards for WordPress and WooCommerce
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/95abec2d-a03a-4b07-8890-18568650c41f

teachPress <= 9.0.4 – Cross-Site Request Forgery

Affected Software: teachPress
CVE ID: CVE-2023-48755
CVSS Score: 5.3 (Medium)
Researcher/s: LVT-tholv2k
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9956e04c-ff59-40c0-a8ab-3e2ed2c52d7f

Coming soon and Maintenance mode <= 3.7.3 – IP Address Spoofing via get_real_ip

Affected Software: Coming soon and Maintenance mode
CVE ID: CVE-2023-49741
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9fd9c076-d36c-4cda-b636-aa65195956d2

JetElements For Elementor <= 2.6.13 – Missing Authorization to Unauthenticated Arbitrary Attachment Download

Affected Software: JetElements
CVE ID: CVE-2023-48759
CVSS Score: 5.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d199e597-64ed-4dcc-a153-b5c8e4e9e93d

BigCommerce <= 5.0.6 – Unauthenticated Sensitive Information Exposure

Affected Software: BigCommerce For WordPress
CVE ID: CVE-2023-49162
CVSS Score: 5.3 (Medium)
Researcher/s: Joshua Chan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e3a7e0b6-dc6d-4e3a-bb05-12d6ace330df

JetFormBuilder <= 3.1.4 – Unauthenticated Content Injection

Affected Software: JetFormBuilder — Dynamic Blocks Form Builder
CVE ID: CVE-2023-48763
CVSS Score: 5.3 (Medium)
Researcher/s: Revan Arifio
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f0343861-a376-43ea-826e-277c2a5ea635

Antispam Bee <= 2.11.3 – IP Address Spoofing via get_client_ip

Affected Software: Antispam Bee
CVE ID: CVE-2023-41134
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fb102891-b4a8-4089-b70c-43866ad85b7b

KP Fastest Tawk.to Chat <= 1.1.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: KP Fastest Tawk.to Chat
CVE ID: CVE-2023-49175
CVSS Score: 4.4 (Medium)
Researcher/s: emad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/02ddfc75-8a9e-4a8e-8339-52348a963c69

GDPR Cookie Consent by Supsystic <= 2.1.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: GDPR Cookie Consent by Supsystic
CVE ID: CVE-2023-49191
CVSS Score: 4.4 (Medium)
Researcher/s: DoYeon Park (p6rkdoye0n)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/158a63c1-1b2e-4fbf-ac86-43471ba8ebc2

Molongui <= 4.6.19 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Author Box, Guest Author and Co-Authors for Your Posts – Molongui
CVE ID: CVE-2023-39921
CVSS Score: 4.4 (Medium)
Researcher/s: Abdullah Hussam
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/16130c5d-9865-4953-b078-0b448722e36d

Chart Builder <= 1.9.6 – Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: Chartify – WordPress Chart Plugin
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/18cbf346-91a3-4856-930e-7753eb1470d9

SoundCloud Shortcode <= 3.1.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: SoundCloud Shortcode
CVE ID: CVE-2023-34018
CVSS Score: 4.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5084afcc-b6fc-4d89-9ad7-c4ea3e4dae82

Social Share Buttons & Analytics Plugin – GetSocial.io <= 4.3.12 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Social Share Buttons & Analytics Plugin – GetSocial.io
CVE ID: CVE-2023-49189
CVSS Score: 4.4 (Medium)
Researcher/s: DoYeon Park (p6rkdoye0n)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/513124f6-ea14-46ca-94c5-f9fa15b19d8c

Simple Long Form <= 2.2.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Simple Long Form
CVE ID: CVE-2023-41136
CVSS Score: 4.4 (Medium)
Researcher/s: DoYeon Park (p6rkdoye0n)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/68c22e71-c704-44c1-86e6-856f6244393d

Track Geolocation Of Users Using Contact Form 7 <= 1.4 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Track Geolocation Of Users Using Contact Form 7
CVE ID: CVE-2023-49188
CVSS Score: 4.4 (Medium)
Researcher/s: DoYeon Park (p6rkdoye0n)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/724d8f79-f683-4b06-841d-a9104c87f3c6

BSK Forms Blacklist <= 3.6.3 – Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: BSK Forms Blacklist
CVE ID: CVE-2023-5980
CVSS Score: 4.4 (Medium)
Researcher/s: Bob Matyas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8283a502-6fb8-43ff-8f46-8afbfdbb22f7

Multiple Post Passwords <= 1.1.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Multiple Post Passwords
CVE ID: CVE-2023-49157
CVSS Score: 4.4 (Medium)
Researcher/s: DoYeon Park (p6rkdoye0n)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8f220293-9789-4824-b736-ead014c45366

Site Offline <= 1.5.6 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Site Offline Or Coming Soon Or Maintenance Mode
CVE ID: CVE-2023-49190
CVSS Score: 4.4 (Medium)
Researcher/s: emad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/96f30a22-f218-48e7-9796-b9f1d5becc2c

Evergreen Content Poster <= 1.3.6.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

Nested Pages <= 3.2.6 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Nested Pages
CVE ID: CVE-2023-49195
CVSS Score: 4.4 (Medium)
Researcher/s: emad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ec9029a3-be05-469a-a8e2-20987a4a4ad9

Multiple Plugins by Crocoblock <= (Various Versions) – Cross-Site Request Forgery

teachPress <= 9.0.5 – Cross-Site Request Forgery via delete_database()

Affected Software: teachPress
CVE ID: CVE-2023-49163
CVSS Score: 4.3 (Medium)
Researcher/s: LVT-tholv2k
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3544357f-97c9-49cb-a48d-74b60480111d

Qode Essential Addons <= 1.5.2 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation/Activation

Affected Software: Qode Essential Addons
CVE ID: CVE-2023-47840
CVSS Score: 4.3 (Medium)
Researcher/s: Brandon James Roldan (tomorrowisnew)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/443c59b9-275d-4d17-a870-9ae013c1a5c1

WP Shortcodes Plugin — Shortcodes Ultimate <= 5.13.3 – Insecure Direct Object Reference to Information Disclosure

Affected Software: WP Shortcodes Plugin — Shortcodes Ultimate
CVE ID: CVE-2023-6226
CVSS Score: 4.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4d936a48-b300-4a41-8d28-ba34cb3c5cb7

IdeaPush <= 8.53 – Missing Authorization

Affected Software: IdeaPush
CVE ID: CVE-2023-48774
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5811fc63-da34-43cb-ae33-a34a8795bb72

Quotes for WooCommerce <= 2.0.1 – Missing Authorization

Affected Software: Quotes for WooCommerce
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5f7a5d4b-8ba2-45d8-92d4-3c66a81fb4f8

Quotes for WooCommerce <= 2.0.1 – Cross-Site Request Forgery

Affected Software: Quotes for WooCommerce
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6954364e-567c-407c-afc6-983b7257cc88

RegistrationMagic <= 5.2.2.6 – Cross-Site Request Forgery

Affected Software: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login
CVE ID: CVE-2023-47645
CVSS Score: 4.3 (Medium)
Researcher/s: thiennv
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7dcde10d-4eb7-42fe-926e-05e56affc521

Debug Log Manager <= 2.2.0 – Cross-Site Request Forgery

Affected Software: Debug Log Manager
CVE ID: CVE-2023-5772
CVSS Score: 4.3 (Medium)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7e539549-1125-4b0e-aa3c-c8844041c23a

LadiApp <= 4.3 – Missing Authorization

Affected Software: LadiApp: Landing Page, PopupX, Marketing Automation, Affiliate Marketing…
CVE ID: CVE-2023-49158
CVSS Score: 4.3 (Medium)
Researcher/s: Truoc Phan
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8f88ff96-5bd7-448d-a030-e75fd268bff6

Ocean Extra <= 2.2.2 – Cross-Site Request Forgery to Arbitrary Plugin Activation

Affected Software: Ocean Extra
CVE ID: CVE-2023-49164
CVSS Score: 4.3 (Medium)
Researcher/s: Dave Jong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ac111175-2059-41dc-afa2-a659da3adaca

SpeedyCache <= 1.1.2 – Missing Authorization via speedycache_create_test_cache

Affected Software: SpeedyCache – Cache, Optimization, Performance
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ac7c0dde-5299-4938-beed-eb2fe227a812

Button Generator – easily Button Builder <= 2.3.8 – Cross-Site Request Forgery

Affected Software: Button Generator – easily Button Builder
CVE ID: CVE-2023-49155
CVSS Score: 4.3 (Medium)
Researcher/s: Elliot
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b73467de-fb0c-45e3-b3ae-5158b261907b

Add to Cart Text Changer and Customize Button, Add Custom Icon <= 2.0 – Cross-Site Request Forgery via wactc_text_form

Affected Software: Add to Cart Text Changer and Customize Button, Add Custom Icon
CVE ID: CVE-2023-49153
CVSS Score: 4.3 (Medium)
Researcher/s: Skalucy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c4470c03-64fc-46d9-b224-de5a3149c3d5

GoDaddy Email Marketing <= 1.4.3 – Missing Authorization

Affected Software: GoDaddy Email Marketing
CVE ID: CVE-2023-49156
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c8d9d19e-a080-40e9-8a71-01888393f618

SchedulePress <= 5.0.4 – Insufficient Authorization to Authenticated (Contributor+) Arbitrary Post Modifications

Affected Software: SchedulePress – Best Editorial Calendar, Missed Schedule & Auto Social Share
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cd2c9b28-d5b5-4930-a441-f889ee2778cd

Ecwid Ecommerce Shopping Cart <= 6.12.4 – Cross-Site Request Forgery

Affected Software: Ecwid Ecommerce Shopping Cart
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/db5d6cc9-24d7-42bf-905e-4c3764c659ed

AdFoxly – Ad Manager, AdSense Ads & Ads.txt <= 1.8.5 – Cross-Site Request Forgery

Affected Software: AdFoxly – Ad Manager, AdSense Ads & Ads.txt
CVE ID: CVE-2023-46617
CVSS Score: 4.3 (Medium)
Researcher/s: LVT-tholv2k
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e46513d2-65d0-4215-99a7-051603ec4569

Affiliate Booster – Pros & Cons, Notice, and CTA Blocks for Affiliates <= 3.0.4 – Cross-Site Request Forgery via process_bulk_action

Affected Software: Affiliate Booster – Pros & Cons, Notice, and CTA Blocks for Affiliates
CVE ID: CVE-2023-49148
CVSS Score: 4.3 (Medium)
Researcher/s: LEE SE HYOUNG
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e4b9eeb9-7ce4-446d-8ac0-af9cea0c893a

Razorpay for WooCommerce <= 4.5.6 – Cross-Site Request Forgery

Affected Software: Razorpay for WooCommerce
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e6a2b2f6-c648-4755-be24-92c7f287813e

Delete Post Revisions In WordPress <= 4.6 – Cross-Site Request Forgery

Affected Software: Delete Post Revisions In WordPress
CVE ID: CVE-2023-48754
CVSS Score: 4.3 (Medium)
Researcher/s: Skalucy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f1946a48-c1d6-4ca9-909f-0d4b78c25c36

Razorpay for WooCommerce <= 4.5.6 – Missing Authorization

Affected Software: Razorpay for WooCommerce
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f59cf3d6-06a0-42ec-a604-5f59c6b2be40

As a reminder, Wordfence has curated an industry-leading vulnerability database, known as Wordfence Intelligence, covering all known WordPress core, theme, and plugin vulnerabilities.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, through vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring various sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (November 27, 2023 to December 3, 2023) appeared first on Wordfence.
