Wordfence Intelligence Weekly WordPress Vulnerability Report (December 4, 2023 to December 10, 2023)

Wordfence just launched its bug bounty program. Through December 20th 2023, all researchers will earn 6.25x our normal bounty rates when Wordfence handles responsible disclosure for our Holiday Bug Extravaganza! Register as a researcher and submit your vulnerabilities today!

Last week, there were 109 vulnerabilities disclosed in 98 WordPress Plugins and 10 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 33 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 12,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

Elementor <= 3.18.1 – Authenticated(Contributor+) Arbitrary File Upload to Remote Code Execution via Template Import
WordPress Core 6.4-6.4.1 – Remote Code Execution POP Chain via Object Injection
(Note that the existence of the POP chain is not classified as a vulnerability on its own so it does not have a Wordfence Intelligence Entry. The rule is intended to block exploitation by any existing Object Injection vulnerability.)
Two additional firewall rules for vulnerabilities that have not yet been patched or publicly disclosed.

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status	Number of Vulnerabilities
Unpatched	63
Patched	46

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating	Number of Vulnerabilities
Low Severity	0
Medium Severity	88
High Severity	9
Critical Severity	12

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE	Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)	28
Missing Authorization	28
Cross-Site Request Forgery (CSRF)	21
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)	6
Unrestricted Upload of File with Dangerous Type	5
Deserialization of Untrusted Data	5
Information Exposure	3
Improper Authorization	2
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’)	2
Use of Less Trusted Source	1
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)	1
Uncontrolled Resource Consumption (‘Resource Exhaustion’)	1
Protection Mechanism Failure	1
Authorization Bypass Through User-Controlled Key	1
Server-Side Request Forgery (SSRF)	1
Improper Control of Generation of Code (‘Code Injection’)	1
Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’)	1
Improper Neutralization of Alternate XSS Syntax	1

Researchers That Contributed to WordPress Security Last Week

Researcher Name	Number of Vulnerabilities
Nguyen Xuan Chien	13
Rafie Muhammad	12
Abdi Pranata	12
Dmitrii Ignatyev	7
Vladislav Pokrovsky (ΞX.MI)	7
Mika	6
Ngô Thiên An (ancorn_)	5
emad	4
István Márton (Wordfence Vulnerability Researcher)	4
Skalucy	4
Brandon James Roldan (tomorrowisnew)	3
thiennv	3
lttn	3
LVT-tholv2k	2
Marco Wotschka (Wordfence Vulnerability Researcher)	2
Abu Hurayra (HurayraIIT)	2
Kyle Sanchez	2
qilin_99	2
Rafshanzani Suhada	1
Universe	1
German Ritter	1
DoYeon Park (p6rkdoye0n)	1
Naveen Muthusamy	1
Hong Quan	1
0x9567b	1
Luqman Hakim Y	1
Yuchen Ji	1
Labda	1
Enrico Marcolini	1
Claudio Marchesini (Dottormarc)	1
Rachit Arora	1
Muhammad Daffa	1
Huynh Tien Si	1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name	Software Slug
Advanced Database Cleaner	advanced-database-cleaner
Advanced Page Visit Counter – Most Wanted Analytics Plugin for WordPress	advanced-page-visit-counter
Alma – Pay in installments or later for WooCommerce	alma-gateway-for-woocommerce
Alt Manager	alt-manager
Annual Archive	anual-archive
AppMySite – Create an app with the Best Mobile App Builder	appmysite
ArtPlacer Widget	artplacer-widget
Astra Pro Addon	astra-addon
Author Avatars List/Block	author-avatars
Awesome Support – WordPress HelpDesk & Support Plugin	awesome-support
BCorp Shortcodes	bcorp-shortcodes
Backup Migration	backup-backup
Bacola Core	bacola-core
Biteship: Plugin Ongkos Kirim Kurir Instant, Reguler, Kargo	biteship
Block for Font Awesome	block-for-font-awesome
Bold Page Builder	bold-page-builder
Bulk Edit Post Titles	bulk-edit-post-titles
Burst Statistics Pro	burst-pro
Burst Statistics – Privacy-Friendly Analytics for WordPress	burst-statistics
CSV Importer	csv-importer
CSprite	csprite
Caddy – Smart Side Cart for WooCommerce	caddy
Calculated Fields Form	calculated-fields-form
Clotya Core	clotya-core
Code Embed	simple-embed-code
Cookie Bar	cookie-bar
Cosmetsy Core	cosmetsy-core
Custom Login	custom-login
Custom Post Type Page Template	custom-post-type-page-template
Dashboard Widgets Suite	dashboard-widgets-suite
Digital Publications by Supsystic	digital-publications-by-supsystic
Duplicator Pro	duplicator-pro
Duplicator – WordPress Migration & Backup Plugin	duplicator
Elementor Timeline Widget	3r-elementor-timeline-widget
Elementor Website Builder – More than Just a Page Builder	elementor
Email Subscription Popup	email-subscribe
EmbedPress – Embed PDF, YouTube, Google Docs, Vimeo, Wistia Videos, Audios, Maps & Any Documents in Gutenberg & Elementor	embedpress
Event Manager, Event Calendar, Event Tickets for WooCommerce – Eventin	wp-event-solution
FOX – Currency Switcher Professional for WooCommerce	woocommerce-currency-switcher
First Order Discount Woocommerce	first-order-discount-woocommerce
Fix My Feed RSS Repair	fix-my-feed-rss-repair
Flexible Woocommerce Checkout Field Editor	flexible-woocommerce-checkout-field-editor
Furnob Core	furnob-core
Genesis Simple Love	genesis-simple-love
Gift Up Gift Cards for WordPress and WooCommerce	gift-up
Guest Author	guest-author
Ibtana – WordPress Website Builder	ibtana-visual-editor
Import and export users and customers	import-users-from-csv-with-meta
Integrate Google Drive – Browse, Upload, Download, Embed, Play, Share, Gallery, and Manage Your Google Drive Files Into Your WordPress Site	integrate-google-drive
LiveChat – WP live chat plugin for WordPress	wp-live-chat-software-for-wordpress
Login With Ajax	login-with-ajax
MW WP Form	mw-wp-form
Manage Notification E-mails	manage-notification-emails
Medibazar Core	medibazar-core
Menu Bar Cart Icon For WooCommerce By Binary Carpenter	bc-menu-cart-woo
Multi Currency For WooCommerce	wc-multi-currency
Optin Forms – Simple List Building Plugin for WordPress	optin-forms
Parto Core	partdo-core
PayTR Taksit Tablosu – WooCommerce	paytr-taksit-tablosu-woocommerce
Piotnet Forms	piotnetforms
Post Duplicator	post-duplicator
Product Catalog Feed by PixelYourSite	product-catalog-feed
Product Enquiry for WooCommerce	gm-woocommerce-quote-popup
Redirects	redirects
RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login	custom-registration-form-builder-with-submission-manager
Responsive Slick Slider WordPress	responsive-slick-slider
Rocket Maintenance Mode & Coming Soon Page	rocket-maintenance-mode
Sayfa Sayac	sayfa-sayac
SharkDropship & Affiliate for AliExpress, eBay, Amazon, Etsy	woo-aliexpress-dropshipping
Shortcoder — Create Shortcodes for Anything	shortcoder
Shortcodes and extra features for Phlox theme	auxin-elements
Smart External Link Click Monitor [Link Log]	link-log
Smart Forms – when you need more than just a contact form	smart-forms
Social Media Feather \| social media sharing	social-media-feather
Spectra – WordPress Gutenberg Blocks	ultimate-addons-for-gutenberg
SpeedyCache – Cache, Optimization, Performance	speedycache
Square Thumbnails	square-thumbnails
Structured Content (JSON-LD) #wpsc	structured-content
SureTriggers – Connect All Your Plugins, Apps, Tools & Automate Everything!	suretriggers
Symbiostock – Sell Photos Online For Free!	symbiostock
System Dashboard	system-dashboard
Translate WordPress – Google Language Translator	google-language-translator
Tutor LMS – eLearning and online course solution	tutor
Ultimate Addons for Contact Form 7	ultimate-addons-for-contact-form-7
Ultimate Dashboard – Custom WordPress Dashboard	ultimate-dashboard
Video PopUp	video-popup
WP Booking System – Booking Calendar	wp-booking-system
WP Photo Album Plus	wp-photo-album-plus
WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts	wedevs-project-manager
WPBakery Page Builder Addons by Livemesh	addons-for-visual-composer
WPPerformanceTester	wpperformancetester
WPsoonOnlinePage	wp-soononline-page
WappPress – Create Mobile App for any WordPress site with our Mobile App Builder in just 1 minute	wapppress-builds-android-app-for-website
Webflow Pages	webflow-pages
Welcart e-Commerce	usc-e-shop
WooDiscuz – WooCommerce Comments	woodiscuz-woocommerce-comments
WooPayments – Fully Integrated Solution Built and Supported by Woo	woocommerce-payments
WordPress Simple HTML Sitemap	wp-simple-html-sitemap

WordPress Themes with Reported Vulnerabilities Last Week

Software Name	Software Slug
Adifier – Classified Ads WordPress Theme	adifier-system
Bacola – Grocery Store and Food eCommerce Theme	bacola
Clotya – Fashion Store eCommerce Theme	clotya
Cosmetsy – Beauty Cosmetics Shop Theme	cosmetsy
Couponis Demo	couponis-demo
Furnob – Furniture Store WooCommerce Theme	furnob
Machic – Electronics Store WooCommerce Theme	machic-core
Medibazar – Medical WooCommerce Theme	medibazar
Partdo – Auto Parts and Tools Shop WooCommerce Theme	partdo
Soledad	soledad

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

WappPress <= 5.0.3 – Unauthenticated Arbitrary File Upload

Affected Software: WappPress – Create Mobile App for any WordPress site with our Mobile App Builder in just 1 minute
CVE ID: CVE-2023-49815
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/07eab536-6f20-45ec-9f9e-70ab35555db2

Burst Statistics – Privacy-Friendly Analytics for WordPress 1.4.0 to 1.4.6.1 – Unauthenticated SQL Injection

Affected Software/s: Burst Statistics – Privacy-Friendly Analytics for WordPress, Burst Statistics Pro
CVE ID: CVE-2023-5761
CVSS Score: 9.8 (Critical)
Researcher/s: German Ritter
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/30f8419c-c7b9-4c68-a845-26c0308d76f3

Couponis Demo < 2.2 – Unauthenticated SQL Injection

Affected Software: Couponis Demo
CVE ID: CVE-2023-49750
CVSS Score: 9.8 (Critical)
Researcher/s: Vladislav Pokrovsky (ΞX.MI)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4fd67a02-b0fb-4c4f-9564-c3ee0180e79c

Genesis Simple Love <= 2.0 – Unauthenticated PHP Object Injection

Affected Software: Genesis Simple Love
CVE ID: CVE-2023-49772
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/55abf798-f336-4262-9f52-4526a4bae15a

Soledad <= 8.4.1 – Unauthenticated PHP Object Injection

Affected Software: Soledad
CVE ID: CVE-2023-49826
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6e954190-7c58-4044-a85e-a188fe5b6d89

Adifier System < 3.1.4 – Unauthenticated SQL Injection

Affected Software: Adifier – Classified Ads WordPress Theme
CVE ID: CVE-2023-49752
CVSS Score: 9.8 (Critical)
Researcher/s: Vladislav Pokrovsky (ΞX.MI)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8e64d865-5acc-419b-8c61-e8fd8207fa94

BCorp Shortcodes <= 0.23 – Unauthenticated PHP Object Injection

Affected Software: BCorp Shortcodes
CVE ID: CVE-2023-49773
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/94696151-9f99-4847-bd67-8fb77f8b6a0e

Sayfa Sayaç <= 2.6 – Unauthenticated PHP Object Injection

Affected Software: Sayfa Sayac
CVE ID: CVE-2023-49778
CVSS Score: 9.8 (Critical)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b1a29180-901d-447e-8f82-63161b9e11e0

MW WP Form <= 5.0.1 – Unauthenticated Arbitrary File Upload

Affected Software: MW WP Form
CVE ID: CVE-2023-6316
CVSS Score: 9.8 (Critical)
Researcher/s: István Márton
(Wordfence Vulnerability Researcher)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b2c03142-be30-4173-a140-14d73a16dd2b

Duplicator <= 1.5.7 AND Duplicator Pro < 4.5.14.2 – Unauthenticated Sensitive Information Exposure

Affected Software/s: Duplicator Pro, Duplicator – WordPress Migration & Backup Plugin
CVE ID: CVE-2023-6114
CVSS Score: 9.8 (Critical)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b3f7a88c-a09b-46ac-b345-139c2d20a3d2

Adifier System < 3.1.4 – Unauthenticated Local File Inclusion

Affected Software: Adifier – Classified Ads WordPress Theme
CVE ID: CVE-2023-49753
CVSS Score: 9.8 (Critical)
Researcher/s: Vladislav Pokrovsky (ΞX.MI)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e8574ff9-847c-4337-8c0e-2a717b51f66c

Backup Migration <= 1.3.5 – Unauthenticated Sensitive Information Exposure

Affected Software: Backup Migration
CVE ID: CVE-2023-6271
CVSS Score: 9.8 (Critical)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f661f19d-fdd4-4cd3-8fb3-8b6073d94596

Structured Content <= 1.5.3 – Authenticated (Contributor+) PHP Object Injection

Affected Software: Structured Content (JSON-LD) #wpsc
CVE ID: CVE-2023-49819
CVSS Score: 8.8 (High)
Researcher/s: LVT-tholv2k
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0b25252b-fad3-4212-be72-94e94779ef67

Smart Forms <= 2.6.84 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update

Affected Software: Smart Forms – when you need more than just a contact form
CVE ID: CVE-2023-49856
CVSS Score: 8.8 (High)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3ac48cd9-1de5-4840-b3f3-dc24ca52442e

Elementor <= 3.18.1 – Authenticated(Contributor+) Arbitrary File Upload to Remote Code Execution via Template Import

Affected Software: Elementor Website Builder – More than Just a Page Builder
CVE ID: CVE-2023-48777
CVSS Score: 8.8 (High)
Researcher/s: Hong Quan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5b6d0a38-ac28-41c9-9da1-b30b3657b463

Soledad <= 8.4.1 – Authenticated (Contributor+) SQL Injection

Affected Software: Soledad
CVE ID: CVE-2023-49825
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7a9846c4-4678-4c25-84fd-b05d21ea34fb

Astra Pro <= 4.3.1 – Authenticated(Contributor+) Remote Code Execution via Metabox

Affected Software: Astra Pro Addon
CVE ID: CVE-2023-49830
CVSS Score: 8.8 (High)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b9769bc3-236f-4c9d-a4ce-544e49eee2ec

ArtPlacer Widget <= 2.20.6 – Authenticated (Editor+) SQL Injection

Affected Software: ArtPlacer Widget
CVE ID: CVE-2023-6373
CVSS Score: 8.8 (High)
Researcher/s: Enrico Marcolini, Claudio Marchesini (Dottormarc)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bff3a160-5238-4478-ab11-3300cac51cf2

Piotnet Forms <= 1.0.26 – Unauthenticated Arbitrary File Upload

Affected Software: Piotnet Forms
CVE ID: CVE-2023-6220
CVSS Score: 8.1 (High)
Researcher/s: István Márton
(Wordfence Vulnerability Researcher)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/af2b7eac-a3f5-408f-b139-643e70b3f27a

Advanced Database Cleaner <= 3.1.2 – Authenticated (Administrator+) SQL Injection

Affected Software: Advanced Database Cleaner
CVE ID: CVE-2023-49764
CVSS Score: 7.2 (High)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/62c46925-8e97-4989-8c2c-56223d6911a2

Symbiostock Lite <= 6.0.0 – Authenticated (Shop Manager+) Arbitrary File Upload

Affected Software: Symbiostock – Sell Photos Online For Free!
CVE ID: CVE-2023-49814
CVSS Score: 7.2 (High)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/666b8b39-fab0-4e99-b365-a4ac9f964494

Import and export users and customers <= 1.24.2 – Authenticated(Administrator+) Directory Traversal via Recurring Import Functionality

Affected Software: Import and export users and customers
CVE ID: CVE-2023-6583
CVSS Score: 6.6 (Medium)
Researcher/s: Labda
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ac709779-36f1-4f66-8db3-95a514a5ea59

Code Embed <= 2.3.6 – Authenticated(Contributor+) Denial of Service

Affected Software: Code Embed
CVE ID: CVE-2023-49837
CVSS Score: 6.5 (Medium)
Researcher/s: Universe
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2ef2ded1-dd56-4c33-98dc-d4c69e66568f

Alma – Pay in installments or later for WooCommerce <= 5.1.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Alma – Pay in installments or later for WooCommerce
CVE ID: CVE-2023-50369
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/044d7480-ccd7-4ce8-bb5d-367ba5d0217c

Ibtana – WordPress Website Builder <= 1.2.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Ibtana – WordPress Website Builder
CVE ID: CVE-2023-6684
CVSS Score: 6.4 (Medium)
Researcher/s: István Márton
(Wordfence Vulnerability Researcher)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0b09d496-0e03-48a4-acf7-57febe18ed0a

Spectra <= 2.7.9 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Spectra – WordPress Gutenberg Blocks
CVE ID: CVE-2023-49833
CVSS Score: 6.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0df493cb-2b5e-4a16-b6d8-4cd9a473540d

WooCommerce Payments <= 6.4.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: WooPayments – Fully Integrated Solution Built and Supported by Woo
CVE ID: CVE-2023-49828
CVSS Score: 6.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/13617b70-9b57-4873-9942-12bffed411e2

Annual Archive <= 1.6.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Annual Archive
CVE ID: CVE-2023-49847
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/20199c88-1800-4d18-a0ee-0219be77b429

Advanced Page Visit Counter <= 8.0.6 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Advanced Page Visit Counter – Most Wanted Analytics Plugin for WordPress
CVE ID: CVE-2023-50371
CVSS Score: 6.4 (Medium)
Researcher/s: Abu Hurayra (HurayraIIT)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3b497a36-4929-413f-abfc-1d81bfaa7889

Livemesh Addons for WPBakery Page Builder <= 3.5 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: WPBakery Page Builder Addons by Livemesh
CVE ID: CVE-2023-50370
CVSS Score: 6.4 (Medium)
Researcher/s: Abu Hurayra (HurayraIIT)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/60af0a7c-014b-4f71-9918-7ddc1186bee4

Video PopUp <= 1.1.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Video PopUp
CVE ID: CVE-2023-4962
CVSS Score: 6.4 (Medium)
Researcher/s: István Márton
(Wordfence Vulnerability Researcher)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/670ea03e-2f76-48a4-9f40-bc4cfd987a89

Guest Author <= 2.3 – Authenticated (Author+) Stored Cross-Site Scripting

Affected Software: Guest Author
CVE ID: CVE-2023-49747
CVSS Score: 6.4 (Medium)
Researcher/s: emad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/78fd9dcf-228e-46ec-b34f-2cb0c87cc895

Bold Page Builder <= 4.6.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Bold Page Builder
CVE ID: CVE-2023-49823
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8c99f70b-77a6-4bd7-99b1-ad4ec76d50c6

Shortcodes and extra features for Phlox theme <= 2.15.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Shortcodes and extra features for Phlox theme
CVE ID: CVE-2023-50368
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/95d61096-8e44-4b70-a409-c02cb3d1e32c

WP Project Manager <= 2.6.7 – Authenticated (Subscriber+) Stored Cross-Site Scripting

Affected Software: WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts
CVE ID: CVE-2023-49860
CVSS Score: 6.4 (Medium)
Researcher/s: lttn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bd625d24-c1e9-465d-896a-bff75d8c534f

Author Avatars List/Block <= 2.1.16 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Author Avatars List/Block
CVE ID: CVE-2023-49846
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c7c8380b-02ae-49d2-8c64-debe7f73ee35

Structured Content <= 1.5.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Structured Content (JSON-LD) #wpsc
CVE ID: CVE-2023-49820
CVSS Score: 6.4 (Medium)
Researcher/s: LVT-tholv2k
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e44ad307-2663-4613-ae53-9ef6208f08f9

Ultimate Addons for Contact Form 7 <= 3.2.0 – Reflected Cross-Site Scripting

Affected Software: Ultimate Addons for Contact Form 7
CVE ID: CVE-2023-49766
CVSS Score: 6.1 (Medium)
Researcher/s: Vladislav Pokrovsky (ΞX.MI)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/364946a5-ce1e-4872-895d-e7cf795a04f7

Multiple Plugins by KlbTheme <= (Various Versions) – Reflected Cross-Site Scripting

Affected Software/s: Cosmetsy Core, Parto Core, Medibazar Core, Bacola Core, Clotya Core, Furnob Core
CVE ID: CVE-2023-49839
CVSS Score: 6.1 (Medium)
Researcher/s: Vladislav Pokrovsky (ΞX.MI)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4fb06315-30ad-4d98-af75-b04933583be7

WP Photo Album Plus <= 8.5.02.005 – Cross-Site Scripting

Affected Software: WP Photo Album Plus
CVE ID: CVE-2023-49813
CVSS Score: 6.1 (Medium)
Researcher/s: Kyle Sanchez
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5486d50c-8544-4368-b58b-66024a8ae86d

Email Subscription Popup <= 1.2.18 – Reflected Cross-Site Scripting

Affected Software: Email Subscription Popup
CVE ID: CVE-2023-6527
CVSS Score: 6.1 (Medium)
Researcher/s: 0x9567b
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5f84814e-f7b7-4228-b331-63027a0770af

Machic Core <= 1.2.6 – Reflected Cross-Site Scripting

Affected Software: Machic – Electronics Store WooCommerce Theme
CVE ID: CVE-2023-49186
CVSS Score: 6.1 (Medium)
Researcher/s: Vladislav Pokrovsky (ΞX.MI)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b4fc9628-b254-405b-a7cc-bb955618bc35

Smart External Link Click Monitor [Link Log] <= 5.0.2 – Reflected Cross-Site Scripting

Affected Software: Smart External Link Click Monitor [Link Log]
CVE ID: CVE-2023-49771
CVSS Score: 6.1 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d062bc7b-0cb0-46bd-b203-90cc9a44a403

Soledad <= 8.4.1 – Reflected Cross-Site Scripting

Affected Software: Soledad
CVE ID: CVE-2023-49827
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f83b36fe-4e46-4ab7-a113-6dcfa7cce625

Biteship <= 2.2.22 – Authenticated (Shop manager+) Stored Cross-Site Scripting

Affected Software: Biteship: Plugin Ongkos Kirim Kurir Instant, Reguler, Kargo
CVE ID: CVE-2023-49767
CVSS Score: 5.5 (Medium)
Researcher/s: Luqman Hakim Y
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a78c46ac-22dd-48f2-a10b-016205f7e7fa

Cookie Bar <= 2.0 – Authenticated (Administrator+) Stored Cross-Site Scripting via settings

Affected Software: Cookie Bar
CVE ID: CVE-2023-49836
CVSS Score: 5.5 (Medium)
Researcher/s: Muhammad Daffa
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/dd58bc54-f16e-48ee-97f4-95b839d75350

WOOCS – WooCommerce Currency Switcher <= 1.4.1.4 – Cross-Site Request Forgery via delete_profiles_data

Affected Software: FOX – Currency Switcher Professional for WooCommerce
CVE ID: CVE-2023-49834
CVSS Score: 5.4 (Medium)
Researcher/s: Brandon James Roldan (tomorrowisnew)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/139d4ec2-1147-4332-a56d-633890f32560

Digital Publications by Supsystic <= 1.7.6 – Cross-Site Request Forgery via AJAX action

Affected Software: Digital Publications by Supsystic
CVE ID: CVE-2023-5756
CVSS Score: 5.4 (Medium)
Researcher/s: Marco Wotschka
(Wordfence Vulnerability Researcher)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2304e4dc-0dc6-4ded-b8e6-8d76d70f63d7

SpeedyCache <= 1.1.2 – Authenticated (Subscriber+) Server-Side Request Forgery

Affected Software: SpeedyCache – Cache, Optimization, Performance
CVE ID: CVE-2023-49746
CVSS Score: 5.4 (Medium)
Researcher/s: Yuchen Ji
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ab922406-4af8-4ef2-bcc8-c326212546b1

Awesome Support <= 6.1.6 – Missing Authorization

Affected Software: Awesome Support – WordPress HelpDesk & Support Plugin
CVE ID: CVE-2023-49757
CVSS Score: 5.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fd9f1385-6457-4bc9-9c75-0fcd399a5956

WP Photo Album Plus <= 8.5.02.005 – IP Spoofing

Affected Software: WP Photo Album Plus
CVE ID: CVE-2023-49774
CVSS Score: 5.3 (Medium)
Researcher/s: Brandon James Roldan (tomorrowisnew)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/017fe804-a1a5-4f8d-a531-e928d668dbc4

Manage Notification E-mails <= 1.8.5 – Missing Authorization

Affected Software: Manage Notification E-mails
CVE ID: CVE-2023-6496
CVSS Score: 5.3 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/048bc117-88df-44b3-a30c-692bad23050f

RegistrationMagic <= 5.2.3.0 – Missing Authorization

Affected Software: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login
CVE ID: CVE-2023-49831
CVSS Score: 5.3 (Medium)
Researcher/s: lttn
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0d041b14-0d05-4bfe-bd5c-7e06d7b108b8

Square Thumbnails <= 1.1.0 – Missing Authorization

Affected Software: Square Thumbnails
CVE ID: CVE-2023-49851
CVSS Score: 5.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/31cc30c7-262d-4582-8976-fc8095bdca5f

Awesome Support <= 6.1.6 – Missing Authorization

Affected Software: Awesome Support – WordPress HelpDesk & Support Plugin
CVE ID: CVE-2023-49857
CVSS Score: 5.3 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3a1cbd74-e598-4edf-90c2-f97d5070f0cc

Gift Up 2.21.3 – Cross-Site Request Forgery via consume_post

Affected Software: Gift Up Gift Cards for WordPress and WooCommerce
CVE ID: CVE-2023-49744
CVSS Score: 5.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3e8d9909-7b98-4d98-8293-0c30eebc6c7b

Ultimate Dashboard <= 3.7.10 – Login Page Disclosure on Multi-site

Affected Software: Ultimate Dashboard – Custom WordPress Dashboard
CVE ID: CVE-2023-49822
CVSS Score: 5.3 (Medium)
Researcher/s: Naveen Muthusamy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/56f3cb34-0452-4e3d-9442-0decc77f5e63

PayTR Taksit Tablosu <= 1.3.1 – Improper Authorization

Affected Software: PayTR Taksit Tablosu – WooCommerce
CVE ID: CVE-2023-49853
CVSS Score: 5.3 (Medium)
Researcher/s: qilin_99
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5898944f-565c-4950-83e8-ad0de0f948d1

Flexible Woocommerce Checkout Field Editor <= 2.0.1 – Missing Authorization

Affected Software: Flexible Woocommerce Checkout Field Editor
CVE ID: CVE-2023-49817
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5947f7cb-de84-4a62-bef7-cbeb1f20bb72

WP Photo Album Plus <= 8.5.02.005 – Insecure Direct Object Reference

Affected Software: WP Photo Album Plus
CVE ID: CVE-2023-49812
CVSS Score: 5.3 (Medium)
Researcher/s: Kyle Sanchez
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/72f3925d-6b3a-43bf-bfd1-fef7e71d5e43

AppMySite <= 3.10.0 – Unauthenticated Information Disclsoure

Affected Software: AppMySite – Create an app with the Best Mobile App Builder
CVE ID: CVE-2023-49762
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8b9f171f-56d8-4ab9-bf61-0daa7c0d928f

Redirects <= 1.2.1 – Missing Authorization

Affected Software: Redirects
CVE ID: CVE-2023-49845
CVSS Score: 5.3 (Medium)
Researcher/s: Skalucy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/903161b0-b64c-4986-8c94-b90221bc911b

Webflow Pages <= 1.0.8 – Missing Authorization

Affected Software: Webflow Pages
CVE ID: CVE-2023-49818
CVSS Score: 5.3 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a01141ed-9b9c-426f-96b3-c6ceade4d35c

Shortcoder <= 6.3.1 – Missing Authorization

Affected Software: Shortcoder — Create Shortcodes for Anything
CVE ID: CVE-2023-49849
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a54ad0b4-b6e7-4eac-843e-261ec6c83d84

EmbedPress <= 3.9.4 – Missing Authorization

Affected Software: EmbedPress – Embed PDF, YouTube, Google Docs, Vimeo, Wistia Videos, Audios, Maps & Any Documents in Gutenberg & Elementor
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a7cf1c70-9778-4b50-b494-d0b1d0277b35

Alt Manager <= 1.5.9 – Missing Authorization

Affected Software: Alt Manager
CVE ID: CVE-2023-50373
CVSS Score: 5.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/aaa041a3-d8e5-4637-b8da-5f07c498685a

Custom Login <= 4.1.0 – Missing Authorization

Affected Software: Custom Login
CVE ID: CVE-2023-49858
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b23afc11-c31d-4569-8f4b-8141eef7b3d9

Google Language Translator <= 6.0.20 – Missing Authorization to Notice Dismissal

Affected Software: Translate WordPress – Google Language Translator
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ec894433-53c8-4d04-bb8a-92c66cbd2ce7

WP Simple HTML Sitemap <= 2.4 – Missing Authorization

Affected Software: WordPress Simple HTML Sitemap
CVE ID: CVE-2023-49850
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/eff4cb35-492b-448a-8d16-b9210917c567

Login With Ajax <= 4.1 – Missing Authorization

Affected Software: Login With Ajax
CVE ID: CVE-2023-49859
CVSS Score: 5.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f11926c8-2b31-4ad5-9fd0-225071a91b2a

WP Project Manager <= 2.6.7 – Missing Authorization

Affected Software: WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts
CVE ID: CVE-2023-40003
CVSS Score: 5.3 (Medium)
Researcher/s: lttn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f83a6631-ff6c-422e-8b6c-49576fadb89f

Sharkdropship dropshipping for Aliexpress, eBay, Amazon, etsy <= 2.1.1 – Missing Authorization

Affected Software: SharkDropship & Affiliate for AliExpress, eBay, Amazon, Etsy
CVE ID: CVE-2023-49848
CVSS Score: 5.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fbc7e515-c712-4a39-a0f7-c3f646083060

Rocket Maintenance Mode & Coming Soon Page <= 4.3 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Rocket Maintenance Mode & Coming Soon Page
CVE ID: CVE-2023-49842
CVSS Score: 4.4 (Medium)
Researcher/s: emad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/055cc26b-1e24-4e39-89c8-bdc4a69ce938

Optin Forms <= 1.3.3 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Optin Forms – Simple List Building Plugin for WordPress
CVE ID: CVE-2023-49841
CVSS Score: 4.4 (Medium)
Researcher/s: DoYeon Park (p6rkdoye0n)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/35e0a997-190e-457a-b80c-7b4ecec97095

Smart External Link Click Monitor [Link Log] <= 5.0.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Smart External Link Click Monitor [Link Log]
CVE ID: CVE-2023-49770
CVSS Score: 4.4 (Medium)
Researcher/s: Mika
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7c1811f7-0fb4-4f50-93ac-6abd9e6a1d66

Calculated Fields Form <= 1.2.40 – Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: Calculated Fields Form
CVE ID: CVE-2023-6446
CVSS Score: 4.4 (Medium)
Researcher/s: emad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c879123c-531e-43d8-a7d3-16a3c86b68a3

Dashboard Widgets Suite <= 3.4.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Dashboard Widgets Suite
CVE ID: CVE-2023-49743
CVSS Score: 4.4 (Medium)
Researcher/s: Rachit Arora
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cba77ced-412e-4461-8d2a-980371c78a17

Tutor LMS <= 2.2.4 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Software: Tutor LMS – eLearning and online course solution
CVE ID: CVE-2023-49829
CVSS Score: 4.4 (Medium)
Researcher/s: emad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e2b2a90f-7a0a-4150-8a24-14b2ed11663e

Fix My Feed RSS Repair <= 1.4 – Cross-Site Request Forgery

Affected Software: Fix My Feed RSS Repair
CVE ID: CVE-2023-49816
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/038742d8-3da9-4e2a-bbd4-9ed6b31e8767

Product Catalog Feed by PixelYourSite <= 2.1.1 – Cross-Site Request Forgery

Affected Software: Product Catalog Feed by PixelYourSite
CVE ID: CVE-2023-49824
CVSS Score: 4.3 (Medium)
Researcher/s: thiennv
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/09547dae-85dc-481d-9eb1-423d8faadc80

LiveChat <= 4.5.15 – Cross-Site Request Forgery

Affected Software: LiveChat – WP live chat plugin for WordPress
CVE ID: CVE-2023-49821
CVSS Score: 4.3 (Medium)
Researcher/s: Brandon James Roldan (tomorrowisnew)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0b80e90d-72bd-4253-b84b-d2706e1abd4c

System Dashboard <= 2.8.8 – Missing Authorization to Information Disclosure (sd_php_info)

Affected Software: System Dashboard
CVE ID: CVE-2023-5711
CVSS Score: 4.3 (Medium)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/17bc3a9f-2bf9-44e3-81ef-bfa932085da9

CSV Importer <= 0.3.8 – Cross-Site Request Forgery

Affected Software: CSV Importer
CVE ID: CVE-2023-49775
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/252153ec-3811-484a-984f-eeb6ed9229a5

Integrate Google Drive <= 1.3.4 – Cross-Site Request Forgery

Affected Software: Integrate Google Drive – Browse, Upload, Download, Embed, Play, Share, Gallery, and Manage Your Google Drive Files Into Your WordPress Site
CVE ID: CVE-2023-49769
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/39c53cd7-3ea3-4971-be51-9544ca9d488f

WPPerformanceTester <= 2.0.0 – Cross-Site Request Forgery

Affected Software: WPPerformanceTester
CVE ID: CVE-2023-49844
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3fb35366-b09c-4667-8fb9-6f80ba6d09f0

Social Media Feather <= 2.1.3 – Missing Authorization

Affected Software: Social Media Feather | social media sharing
CVE ID: CVE-2023-49861
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4154aa02-7fa1-4858-bea7-092ec4a508ac

SureTriggers <= 1.0.23 – Cross-Site Request Forgery

Affected Software: SureTriggers – Connect All Your Plugins, Apps, Tools & Automate Everything!
CVE ID: CVE-2023-49749
CVSS Score: 4.3 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/461211c9-951e-4ccd-abf5-84941290a6a5

System Dashboard <= 2.8.7 – Missing Authorization to Information Disclosure (sd_db_specs)

Affected Software: System Dashboard
CVE ID: CVE-2023-5714
CVSS Score: 4.3 (Medium)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/53b3ac83-847d-4bd0-a79b-531af266e1b4

Block for Font Awesome <= 1.4.0 – Cross-Site Request Forgery

Affected Software: Block for Font Awesome
CVE ID: CVE-2023-49751
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5d255ca7-37a5-4c1b-84be-356ae3900f7e

Multi Currency For WooCommerce <= 1.5.5 – Cross-Site Request Forgery

Affected Software: Multi Currency For WooCommerce
CVE ID: CVE-2023-49840
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6a19d494-08d1-479a-8ba4-edeb2873866a

System Dashboard <= 2.8.7 – Missing Authorization to Information Disclosure (sd_global_value)

Affected Software: System Dashboard
CVE ID: CVE-2023-5712
CVSS Score: 4.3 (Medium)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/70f14d9d-6ed6-4bcb-944d-f9c5aa6a17a6

WP Booking System <= 2.0.19.2 – Missing Authorization

Affected Software: WP Booking System – Booking Calendar
CVE ID: CVE-2023-49758
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/805c46ec-0b8a-4a40-bfc9-5d2d8d43a17b

Elementor Timeline Widget <= 2.0 – Missing Authorization to Notice Dismissal

Affected Software: Elementor Timeline Widget
CVE ID: CVE-2023-49755
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/819b3e0c-1cd0-45f9-8621-41817ad1de5e

Custom Post Type Page Template <= 1.1 – Cross-Site Request Forgery

Affected Software: Custom Post Type Page Template
CVE ID: CVE-2023-50372
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8ff05617-61b1-4d1f-9230-c771f23d3283

WPsoonOnlinePage <= 1.9 – Cross-Site Request Forgery

Affected Software: WPsoonOnlinePage
CVE ID: CVE-2023-49760
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a554b365-b54b-4696-87f6-df5099e15708

Caddy <= 1.9.7 – Cross-Site Request Forgery

Affected Software: Caddy – Smart Side Cart for WooCommerce
CVE ID: CVE-2023-49854
CVSS Score: 4.3 (Medium)
Researcher/s: qilin_99
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b331c32e-7341-458b-80be-574cfa915159

First Order Discount Woocommerce <= 1.21 – Cross-Site Request Forgery

Affected Software: First Order Discount Woocommerce
CVE ID: CVE-2023-49843
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b9d161a3-eb9f-447f-b2d2-b8b193678d20

Bulk Edit Post Titles <= 5.0.0 – Missing Authorization

Affected Software: Bulk Edit Post Titles
CVE ID: CVE-2023-49754
CVSS Score: 4.3 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bbdeaa77-72c9-4afc-8913-7a1e44cdeb82

Responsive Slick Slider WordPress <= 1.4 – Authenticated (Contributor+) Content Injection

Affected Software: Responsive Slick Slider WordPress
CVE ID: CVE-2023-49852
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c59f1784-da65-4e6d-b284-d65ee2196be9

WooDiscuz – WooCommerce Comments <= 2.3.0 – Cross-Site Request Forgery

Affected Software: WooDiscuz – WooCommerce Comments
CVE ID: CVE-2023-49759
CVSS Score: 4.3 (Medium)
Researcher/s: Skalucy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e0bfa461-5cea-40e8-af9f-800cdbb6efb5

Post Duplicator <= 2.31 – Missing Authorization via mtphr_duplicate_post

Affected Software: Post Duplicator
CVE ID: CVE-2023-49835
CVSS Score: 4.3 (Medium)
Researcher/s: Huynh Tien Si
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e5665931-8da9-44db-a5b1-46acebf14f3b

Multiple Themes by KlbTheme <= (Various Versions) – Cross-Site Request Forgery

Affected Software/s: Medibazar – Medical WooCommerce Theme, Machic – Electronics Store WooCommerce Theme, Furnob – Furniture Store WooCommerce Theme, Cosmetsy – Beauty Cosmetics Shop Theme, Clotya – Fashion Store eCommerce Theme, Bacola – Grocery Store and Food eCommerce Theme, Partdo – Auto Parts and Tools Shop WooCommerce Theme
CVE ID: CVE-2023-49838
CVSS Score: 4.3 (Medium)
Researcher/s: Vladislav Pokrovsky (ΞX.MI)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e6d5036a-c756-47a6-b071-c393f8a6ce5e

System Dashboard <= 2.8.7 – Missing Authorization to Information Disclosure (sd_option_value)

Affected Software: System Dashboard
CVE ID: CVE-2023-5713
CVSS Score: 4.3 (Medium)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e9d1a33b-2518-48f7-90b6-a94a34473d1e

System Dashboard <= 2.8.7 – Missing Authorization to Information Disclosure (sd_constants)

Affected Software: System Dashboard
CVE ID: CVE-2023-5710
CVSS Score: 4.3 (Medium)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f170379e-e833-42e0-96fd-1e1722a8331c

Eventin <= 3.3.44 – Missing Authorization

Affected Software: Event Manager, Event Calendar, Event Tickets for WooCommerce – Eventin
CVE ID: CVE-2023-49756
CVSS Score: 4.3 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f256036d-11e8-4311-baa0-d15193c72da0

Product Enquiry for WooCommerce <= 3.0 – Cross-Site Request Forgery

Affected Software: Product Enquiry for WooCommerce
CVE ID: CVE-2023-49761
CVSS Score: 4.3 (Medium)
Researcher/s: thiennv
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f37cc9d0-345e-4ab7-ae99-d9d7fee6c1e5

CSprite <= 1.1 – Cross-Site Request Forgery

Affected Software: CSprite
CVE ID: CVE-2023-49763
CVSS Score: 4.3 (Medium)
Researcher/s: Skalucy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f5da3a4f-7084-4ba9-89c9-5a480efc7eca

BC Menu Bar Cart Icon For WooCommerce By Binary Carpenter <= 1.49.3 – Cross-Site Request Forgery

Affected Software: Menu Bar Cart Icon For WooCommerce By Binary Carpenter
CVE ID: CVE-2023-49855
CVSS Score: 4.3 (Medium)
Researcher/s: Skalucy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fc626bdb-e962-407c-95c3-3f9e28dc5876

Welcart e-Commerce <= 2.9.6 – Authenticated (Administrator+) Directory Traversal

Affected Software: Welcart e-Commerce
CVE ID: CVE-2023-6120
CVSS Score: 4.1 (Medium)
Researcher/s: Marco Wotschka
(Wordfence Vulnerability Researcher)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2677cea6-d60d-4e10-afd7-e088a5592b19

As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (December 4, 2023 to December 10, 2023) appeared first on Wordfence.

Wordfence Intelligence Weekly WordPress Vulnerability Report (December 4, 2023 to December 10, 2023)

Categories:

New Firewall Rules Deployed Last Week

Total Unpatched & Patched Vulnerabilities Last Week

Total Vulnerabilities by CVSS Severity Last Week

Total Vulnerabilities by CWE Type Last Week

Researchers That Contributed to WordPress Security Last Week

WordPress Plugins with Reported Vulnerabilities Last Week

WordPress Themes with Reported Vulnerabilities Last Week

Vulnerability Details

Leave a Reply Cancel reply

Request A Quote & $ave

Recent Posts

Recent Comments

Categories