In case you missed it, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme and, plugin vulnerabilities known as [Wordfence Intelligence Community Edition]().
This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using [our CVE Request form](), and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.
Our mission with Wordfence Intelligence Community Edition is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence Community Edition user interface and vulnerability API are completely free to access and utilize both personally and commercially.
Last week, there were 69 vulnerabilities disclosed in WordPress based software that have been added to the Wordfence Intelligence Community Edition Vulnerability Database. You can find those vulnerabilities below.
* * *
#### [EZP Coming Soon Page <= 1.0.7.3 – Authenticated (Admin+) Stored Cross Site Scripting]()
**CVE ID**: CVE-2023-24398
**CVSS Score**: 4.4 (Medium)
**Researcher/s**: [Abdi Pranata]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Metform Elementor Contact Form Builder <= 3.1.2 – Unauthenticated Stored Cross-Site Scripting]()
**CVE ID**: CVE-2023-0084
**CVSS Score**: 7.2 (High)
**Researcher/s**: [Mohammed El Amin, Chemouri]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [IP Vault â WP Firewall <= 1.1 – Authenticated (Admin+) Stored Cross-Site Scripting]()
**CVE ID**: CVE-2022-47171
**CVSS Score**: 4.4 (Medium)
**Researcher/s**: [rezaduty]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [Gallery â Image and Video Gallery with Thumbnails <= 2.0.1 – Unauthenticated Stored Cross-Site Scripting]()
**CVE ID**: CVE-2022-47603
**CVSS Score**: 7.2 (High)
**Researcher/s**: [minhtuanact]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Magazine Edge <= 1.13 – Authenticated (Subscriber+) Arbitrary Plugin Activation]()
**CVE ID**: CVE-2023-25068
**CVSS Score**: 4.3 (Medium)
**Researcher/s**: [Dave Jong]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [EmbedSocial â Social Media Feeds, Reviews and Galleries = 1.1.27 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode]()
**CVE ID**: CVE-2023-0371
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [Lana Codes]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Galleries by Angie Makes <= 1.67 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode]()
**CVE ID**: CVE-2022-4795
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [Lana Codes]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [WP Dark Mode <= 3.0.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode]()
**CVE ID**: CVE-2022-4714
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [Lana Codes]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [WP Private Message < 1.0.6 – Insecure Direct Object Reference]()
**CVE ID**: CVE-2023-0453
**CVSS Score**: 7.1 (High)
**Researcher/s**: [Veshraj Ghimire]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Custom Add User <= 2.0.2 – Reflected Cross-Site Scripting]()
**CVE ID**: CVE-2023-0043
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [Shreya Pohekar]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [Image Hover Effects Plugin – Caption Hover with Carousel <= 2.8 – Unauthenticated Stored Cross Site Scripting]()
**CVE ID**: CVE-2022-45831
**CVSS Score**: 7.2 (High)
**Researcher/s**: [minhtuanact]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Interactive Geo Maps <= 1.5.8 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode]()
**CVE ID**: CVE Unknown
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: Unknown
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Flexible Elementor Panel <= 2.3.8 – Cross Site Request Forgery]()
**CVE ID**: CVE-2022-45076
**CVSS Score**: 4.3 (Medium)
**Researcher/s**: [Muhammad Daffa]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [RankMath SEO <= 1.0.107.2 – Authenticated (Contributor+) Local File Inclusion]()
**CVE ID**: CVE Unknown
**CVSS Score**: 7.1 (High)
**Researcher/s**: Unknown
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [GS Books Showcase <= 1.3.0 – Authenticator (Contributor+) Stored Cross-Site Scripting via Shortcode]()
**CVE ID**: CVE-2023-0541
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [Lana Codes]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [WP Tabs <= 2.1.14 – Cross Site Request Forgery]()
**CVE ID**: CVE-2023-25065
**CVSS Score**: 4.3 (Medium)
**Researcher/s**: [Lana Codes]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Marketing Performance <= 2.0.0 – Unauthenticated Stored Cross Site Scripting]()
**CVE ID**: CVE-2023-24404
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [Nithissh S]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [Multi-column Tag Map <= 17.0.24 – Authenticated (Contributor+) Stored Cross Site Scripting]()
**CVE ID**: CVE-2023-23815
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [Lana Codes]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [WP htpasswd <= 1.7 – Authenticated (Admin+) Stored Cross Site Scripting]()
**CVE ID**: CVE-2023-25064
**CVSS Score**: 4.4 (Medium)
**Researcher/s**: [Rio Darmawan]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [WP Email Capture <= 3.9.3 – Authenticated (Administrator+) Stored Cross-Site Scripting]()
**CVE ID**: CVE Unknown
**CVSS Score**: 4.4 (Medium)
**Researcher/s**: Unknown
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Album and Image Gallery plus Lightbox <= 1.6.2 – Missing Authorization]()
**CVE ID**: CVE-2023-25060
**CVSS Score**: 5.3 (Medium)
**Researcher/s**: [Cat]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [WebinarIgnition <= 2.14.2 – Authenticated (Admin+) Stored Cross-Site Scripting]()
**CVE ID**: CVE-2023-25023
**CVSS Score**: 4.4 (Medium)
**Researcher/s**: [yuyudhn]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Namaste! LMS <= 2.5.9.3 – Authenticated (Admin+) Stored Cross-Site Scripting]()
**CVE ID**: CVE-2023-0548
**CVSS Score**: 4.4 (Medium)
**Researcher/s**: [Felipe Restrepo Rodriguez]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [WP Booking System <= 2.0.18 – Authenticated (Admin+) Stored Cross Site Scripting]()
**CVE ID**: CVE-2023-24402
**CVSS Score**: 4.4 (Medium)
**Researcher/s**: [Abdi Pranata]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Beautiful Cookie Consent Banner <= 2.10.0 – Unauthenticated Stored Cross-Site Scripting]()
**CVE ID**: CVE Unknown
**CVSS Score**: 7.2 (High)
**Researcher/s**: Unknown
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [User Activity <= 1.0.1 – IP Address Spoofing]()
**CVE ID**: CVE-2022-4550
**CVSS Score**: 5.3 (Medium)
**Researcher/s**: [rezaduty]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [Ocean Extra <= 2.1.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode]()
**CVE ID**: CVE-2023-23891
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [Rafshanzani Suhada]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [1003 Mortgage Application <= 1.73 – Unauthenticated CSV Injection]()
**CVE ID**: CVE-2022-45357
**CVSS Score**: 6.5 (Medium)
**Researcher/s**: [Rodrigo Escobar]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [Side Cart Woocommerce (Ajax) <= 2.1 – Cross-Site Request Forgery]()
**CVE ID**: CVE-2022-45376
**CVSS Score**: 8.8 (High)
**Researcher/s**: [Muhammad Daffa]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [Correos Oficial <= 1.3.0.0 – Unauthenticated Arbitrary File Download]()
**CVE ID**: CVE-2023-0331
**CVSS Score**: 7.5 (High)
**Researcher/s**: [Andrea Iodice]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [Cost Calculator <= 1.8 – Authenticated (Contributor+) Stored Cross-Site Scripting]()
**CVE ID**: CVE Unknown
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [Marco Wotschka]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [WP Statistics <= 13.2.10 – Authenticated (Subscriber+) SQL Injection]()
**CVE ID**: CVE-2022-38074
**CVSS Score**: 8.8 (High)
**Researcher/s**: [Rafie Muhammad]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Posts and Users Stats <= 1.1.3 – Authenticated (Subscriber+) CSV Injection]()
**CVE ID**: CVE-2022-44738
**CVSS Score**: 5.8 (Medium)
**Researcher/s**: [Mika]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [Wufoo Shortcode <= 1.51 – Authenticated (Contributor+) Cross-Site Scripting via Shortcodes]()
**CVE ID**: CVE-2022-4679
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [Lana Codes]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [GS Insever Portfolio <= 1.4.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode]()
**CVE ID**: CVE-2023-0539
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [Lana Codes]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [BackupBuddy <= 8.8.2 – Reflected Cross-Site Scripting]()
**CVE ID**: CVE-2022-4897
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [WPScanTeam]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Print Invoice & Delivery Notes for WooCommerce <= 4.7.1 – Reflected Cross-Site Scripting]()
**CVE ID**: CVE-2023-0479
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [dc11]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Watu Quiz <= 3.3.8 – Authenticated (Admin+) Stored Cross-Site Scripting]()
**CVE ID**: CVE-2023-25022
**CVSS Score**: 4.4 (Medium)
**Researcher/s**: [yuyudhn]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [GeoDirectory <= 2.2.23 – Authenticated (Admin+) SQL Injection]()
**CVE ID**: CVE-2023-0278
**CVSS Score**: 7.2 (High)
**Researcher/s**: [Daniel Krohmer](), [Kunal Sharma]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Simple History <= 3.3.1 – Authenticated (Subscriber+) CSV Injection]()
**CVE ID**: CVE-2022-45350
**CVSS Score**: 6 (Medium)
**Researcher/s**: [ed32.dll]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [Real Media Library: Media Library Folder & File Manager <= 4.18.28 – Authenticated (Author+) Stored Cross-Site Scripting]()
**CVE ID**: CVE-2023-0253
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [Bipul Jaiswal]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Usersnap <= 4.16 – Authenticated (Admin+) Stored Cross Site Scripting]()
**CVE ID**: CVE-2022-47607
**CVSS Score**: 4.4 (Medium)
**Researcher/s**: [Mika]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [EmbedStories <= 0.7.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode]()
**CVE ID**: CVE-2023-0372
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [Lana Codes]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [PHP Execution <= 1.0.0 – Cross Site Request Forgery]()
**CVE ID**: CVE-2023-23879
**CVSS Score**: 8.8 (High)
**Researcher/s**: [Mika]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [ShortPixel Adaptive Images <= 3.6.1 – Reflected Cross-Site Scripting]()
**CVE ID**: CVE-2023-0334
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [dc11]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Beautiful Cookie Consent Banner <= 2.10.0 – Missing Authorization to Settings Update]()
**CVE ID**: CVE Unknown
**CVSS Score**: 7.3 (High)
**Researcher/s**: Unknown
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Real Media Library: Media Library Folder & File Manager <= 4.18.28 – Authenticated (Author+) Stored Cross-Site Scripting]()
**CVE ID**: CVE-2023-0285
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [Bipul Jaiswal]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Formidable Form Builder <= 5.5.6 – Cross-Site Request Forgery]()
**CVE ID**: CVE Unknown
**CVSS Score**: 7.1 (High)
**Researcher/s**: Unknown
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Robo Gallery Plugin <= 3.2.11 – Cross-Site Request Forgery]()
**CVE ID**: CVE-2023-24414
**CVSS Score**: 4.3 (Medium)
**Researcher/s**: [thiennv]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [VK All in One Expansion Unit <= 9.85.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode]()
**CVE ID**: CVE-2023-0230
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [Lana Codes]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Weâre Open! <= 1.45 – Cross-Site Request Forgery]()
**CVE ID**: CVE-2023-25067
**CVSS Score**: 4.3 (Medium)
**Researcher/s**: [Lana Codes]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Opening Hours <= 2.3.0 – Authenticated (Admin+) Stored Cross-Site Scripting]()
**CVE ID**: CVE Unknown
**CVSS Score**: 5.5 (Medium)
**Researcher/s**: Unknown
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [Multi Rating <= 5.0.5 – Cross Site Request Forgery]()
**CVE ID**: CVE-2022-47443
**CVSS Score**: 5.4 (Medium)
**Researcher/s**: [rezaduty]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Podlove Podcast Publisher <= 3.8.2 – Authenticated (Admin+) Stored Cross-Site Scripting]()
**CVE ID**: CVE-2023-25046
**CVSS Score**: 4.4 (Medium)
**Researcher/s**: [yuyudhn]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [1003 Mortgage Application <= 1.73 – Authenticated (Subscriber+) Arbitrary File Download]()
**CVE ID**: CVE-2022-45368
**CVSS Score**: 7.1 (High)
**Researcher/s**: [Rodrigo Escobar]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [Donation Block For PayPal <= 2.0.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode]()
**CVE ID**: CVE-2023-0535
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [Lana Codes]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Easy Digital Downloads <= 3.1.0.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode]()
**CVE ID**: CVE-2023-0380
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [Lana Codes]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [PrivateContent <= 8.4.3 – Protection Mechanism Bypass]()
**CVE ID**: CVE-2023-0581
**CVSS Score**: 5.3 (Medium)
**Researcher/s**: [Riccardo Granata]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [0mk Shortener <= 0.2 – Authenticated (Administrator+) Stored Cross-Site Scripting]()
**CVE ID**: CVE-2022-45361
**CVSS Score**: 5.5 (Medium)
**Researcher/s**: [Rodrigo Escobar]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [Jobs for WordPress <= 2.5.10.2 – Authenticated (Author+) Cross Site Scripting]()
**CVE ID**: CVE-2022-44743
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [thiennv]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [Arigato Autoresponder and Newsletter <= 2.1.7.1 – Authenticated (Admin+) Stored Cross-Site Scripting]()
**CVE ID**: CVE-2023-0543
**CVSS Score**: 4.4 (Medium)
**Researcher/s**: [Felipe Restrepo Rodriguez](), [Joaquin Pochat y Gabriel Calle]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [GS Filterable Portfolio <= 1.6.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode]()
**CVE ID**: CVE-2023-0540
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [Lana Codes]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [GS Portfolio for Envato <= 1.3.8 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode]()
**CVE ID**: CVE-2023-0559
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [Lana Codes]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Kraken.io Image Optimizer <= 2.6.8 – Missing Authorization to Authenticated (Subscriber+) Plugin Options Update]()
**CVE ID**: CVE-2023-0619
**CVSS Score**: 6.5 (Medium)
**Researcher/s**: [Marco Wotschka]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [CC Custom Taxonomy <= 1.0.1 – Authenticated (Administrator+) Cross Site Scripting]()
**CVE ID**: CVE-2023-25028
**CVSS Score**: 4.4 (Medium)
**Researcher/s**: [Nithissh S]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [Commenter Emails <= 2.6.1 – Unauthenticated CSV Injection]()
**CVE ID**: CVE-2022-45360
**CVSS Score**: 6.5 (Medium)
**Researcher/s**: [Mika]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [Similar Posts â Best Related Posts Plugin for WordPress <= 3.1.6 – Authenticated (Admin+) Stored Cross-Site Scripting]()
**CVE ID**: CVE-2022-41612
**CVSS Score**: 4.4 (Medium)
**Researcher/s**: [din]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [GS Products Slider for WooCommerce <= 1.5.8 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode]()
**CVE ID**: CVE-2023-0492
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [Lana Codes]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Auto YouTube Importer <= 1.0.3 – Cross-Site Request Forgery]()
**CVE ID**: CVE Unknown
**CVSS Score**: 5.4 (Medium)
**Researcher/s**: Unknown
**Patch Status**: Patched
**Vulnerability Details:**
* * *
If you’d like to receive this weekly vulnerability report by email, along with Wordfence Intelligence CE product updates, sign up to the Wordfence Intelligence Community Edition Newsletter by filling out this form below.
* * *
_Are you a security researcher who would like to be featured in our weekly vulnerability report?_ You can responsibly disclose your WordPress vulnerability discoveries to us and [obtain a CVE ID through this form](). Responsibly disclosing your vulnerability discoveries to us will also get your name added on the [Wordfence Intelligence Community Edition leaderboard]() along with being mentioned in our weekly vulnerability report.
The post [Wordfence Intelligence CE Weekly Vulnerability Report (1-30-2023 to 2-5-2023)]() appeared first on [Wordfence]().Read More