Wordfence Intelligence CE Weekly Vulnerability Report (Feb 6, 2023 to Feb 12, 2023)
Description

In case you missed it, Wordfence has curated an industry-leading vulnerability database covering all known WordPress core, theme, and plugin vulnerabilities, known as [Wordfence Intelligence Community Edition]().

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, through vulnerability researchers submitting directly to us using [our CVE Request form](), and by monitoring various sources to capture all publicly available WordPress vulnerability information, adding additional context where we can.

Our mission with Wordfence Intelligence Community Edition is to make valuable vulnerability information easily accessible to everyone, including the WordPress community, so that individuals and organizations alike can use that data to make the internet more secure. That is why the Wordfence Intelligence Community Edition user interface and vulnerability API are completely free to access and use, both personally and commercially.

Last week, there were 71 vulnerabilities disclosed in WordPress based software that have been added to the Wordfence Intelligence Community Edition Vulnerability Database. You can find those vulnerabilities below.

* * *

#### [ImageMagick Engine <= 1.7.5 – Cross-Site Request Forgery to PHAR Deserialization]()

**CVE ID**: CVE-2022-3568
**CVSS Score**: 8.8 (High)
**Researcher/s**: [Rasoul Jahanshahi]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Plugin for Google Reviews <= 2.2.3 – Authenticated (Subscriber+) SQL Injection]()

**CVE ID**: CVE-2022-44580
**CVSS Score**: 8.8 (High)
**Researcher/s**: [Rafie Muhammad]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [GigPress <= 2.3.28 – Authenticated (Subscriber+) SQL Injection]()

**CVE ID**: CVE-2023-0381
**CVSS Score**: 8.8 (High)
**Researcher/s**: [Erwan LR]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [Auto Featured Image (Auto Post Thumbnail) <= 3.9.15 – Authenticated (Author+) Arbitrary File Upload]()

**CVE ID**: CVE-2023-0477
**CVSS Score**: 7.2 (High)
**Researcher/s**: [dc11]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [My Sticky Elements <= 2.0.8 – Authenticated (Admin+) SQL Injection]()

**CVE ID**: CVE-2023-0487
**CVSS Score**: 7.2 (High)
**Researcher/s**: [qerogram]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Redirection for Contact Form 7 <= 2.7.0 – Authenticated(Editor+) Privilege Escalation]()

**CVE ID**: CVE-2023-23990
**CVSS Score**: 7.2 (High)
**Researcher/s**: [Rafie Muhammad]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Monolit <= 2.0.6 – Unauthenticated Stored Cross-Site Scripting]()

**CVE ID**: CVE-2023-25041
**CVSS Score**: 7.2 (High)
**Researcher/s**: [FearZzZz]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Gutenberg Forms <= 2.2.8.3 – Authenticated(Subscriber+) Sensitive Information Disclosure]()

**CVE ID**: CVE-2022-45803
**CVSS Score**: 6.5 (Medium)
**Researcher/s**: [Nguyen Anh Tien]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Shortcodes Ultimate <= 5.12.6 – Authenticated (Subscriber+) Arbitrary File Read via Shortcode]()

**CVE ID**: CVE-2023-25050
**CVSS Score**: 6.5 (Medium)
**Researcher/s**: [Rafie Muhammad]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Shortcodes Ultimate <= 5.12.6 – Authenticated (Subscriber+) Server-Side Request Forgery]()

**CVE ID**: CVE-2023-25050
**CVSS Score**: 6.5 (Medium)
**Researcher/s**: [Rafie Muhammad]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Cost of Goods for WooCommerce <= 2.8.6 – Missing Authorization in save_costs]()

**CVE ID**: CVE-2023-23868
**CVSS Score**: 6.5 (Medium)
**Researcher/s**: [Cat]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Icegram Express <= 5.5.2 – Unauthenticated CSV Injection]()

**CVE ID**: CVE-2022-45810
**CVSS Score**: 6.5 (Medium)
**Researcher/s**: [Mika]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Quick Contact Form <= 8.0.3.1 – Cross-Site Request Forgery to Sensitive Information Disclosure]()

**CVE ID**: CVE-2023-25035
**CVSS Score**: 6.5 (Medium)
**Researcher/s**: [yuyudhn]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [WP-Optimize <= 3.2.11 – Cross-Site Request Forgery]()

**CVE ID**: CVE Unknown
**CVSS Score**: 6.5 (Medium)
**Researcher/s**: Unknown
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Cost of Goods for WooCommerce <= 2.8.6 – Cross-Site Request Forgery in save_costs]()

**CVE ID**: CVE Unknown
**CVSS Score**: 6.5 (Medium)
**Researcher/s**: [Cat]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Scriptless Social Sharing <= 3.2.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Block Options]()

**CVE ID**: CVE-2023-0377
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [Lana Codes]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Quick Contact Form <= 8.0.3.1 – Authenticated (Contributor+) Stored Cross-Site Scripting]()

**CVE ID**: CVE-2023-23885
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [yuyudhn]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Icegram Collect <= 1.3.8 – Authenticated(Contributor+) Cross-Site Scripting via Shortcode]()

**CVE ID**: CVE-2023-25024
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [Rafshanzani Suhada]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Interactive Geo Maps <= 1.5.9 – Authenticated (Editor+) Stored Cross-Site Scripting]()

**CVE ID**: CVE-2023-0731
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [Marco Wotschka]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Quebely <= 1.8.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘className’ Block Option]()

**CVE ID**: CVE-2023-0376
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [Lana Codes]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Visualizer <= 3.9.1 – Authenticated(Contributor+) Stored Cross-Site Scripting]()

**CVE ID**: CVE-2022-46848
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [Muhammad Daffa]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Shortcodes Ultimate <= 5.12.6 – Authenticated (Contributor+) Stored Cross Site Scripting]()

**CVE ID**: CVE-2023-25040
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [Rafie Muhammad]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [WordPress Comments Import & Export <= 2.3.1 – CSV Injection]()

**CVE ID**: CVE-2022-45370
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [Mika]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Pie Register <= 3.8.2.2 – Open Redirect]()

**CVE ID**: CVE-2023-0552
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [Omar Amin]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [微信机器人高级版 <= 6.0.1 – Reflected Cross-Site Scripting]()

**CVE ID**: CVE-2022-45837
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [minhtuanact]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [Link Juice Keeper <= 2.0.2 – Authenticated(Admin+) Stored Cross-Site Scripting]()

**CVE ID**: CVE Unknown
**CVSS Score**: 5.5 (Medium)
**Researcher/s**: Unknown
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Chained Quiz <= 1.3.2.5 – Authenticated(Admin+) Stored Cross-Site Scripting]()

**CVE ID**: CVE-2023-25027
**CVSS Score**: 5.5 (Medium)
**Researcher/s**: [yuyudhn]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Quick Paypal Payments <= 5.7.25 – Authenticated (Administrator+) Stored Cross-Site Scripting]()

**CVE ID**: CVE Unknown
**CVSS Score**: 5.5 (Medium)
**Researcher/s**: Unknown
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Arigato Autoresponder and Newsletter <= 2.7.1 – Authenticated(Admin+) Stored Cross-Site Scripting]()

**CVE ID**: CVE-2023-25031
**CVSS Score**: 5.5 (Medium)
**Researcher/s**: [Rafshanzani Suhada]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Wicked Folders <= 2.18.16 – Cross-Site Request Forgery via ajax_add_folder]()

**CVE ID**: CVE-2023-0724
**CVSS Score**: 5.4 (Medium)
**Researcher/s**: [Marco Wotschka]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [0mk Shortener <= 0.2 – Cross-Site Request Forgery to Stored Cross-Site Scripting]()

**CVE ID**: CVE-2022-2933
**CVSS Score**: 5.4 (Medium)
**Researcher/s**: [Juampa Rodríguez]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [Wicked Folders <= 2.18.16 – Missing Authorization on ajax_move_object]()

**CVE ID**: CVE-2023-0712
**CVSS Score**: 5.4 (Medium)
**Researcher/s**: [Marco Wotschka]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Wicked Folders <= 2.18.16 – Cross-Site Request Forgery via ajax_save_state]()

**CVE ID**: CVE-2023-0722
**CVSS Score**: 5.4 (Medium)
**Researcher/s**: [Marco Wotschka]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Wicked Folders <= 2.18.16 – Missing Authorization on ajax_add_folder]()

**CVE ID**: CVE-2023-0713
**CVSS Score**: 5.4 (Medium)
**Researcher/s**: [Marco Wotschka]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Wicked Folders <= 2.18.16 – Missing Authorization via ajax_unassign_folders]()

**CVE ID**: CVE-2023-0684
**CVSS Score**: 5.4 (Medium)
**Researcher/s**: [Marco Wotschka]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Wicked Folders <= 2.18.16 – Missing Authorization on ajax_save_folder]()

**CVE ID**: CVE-2023-0718
**CVSS Score**: 5.4 (Medium)
**Researcher/s**: [Marco Wotschka]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Wicked Folders <= 2.18.16 – Missing Authorization via ajax_delete_folder]()

**CVE ID**: CVE-2023-0717
**CVSS Score**: 5.4 (Medium)
**Researcher/s**: [Marco Wotschka]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Wicked Folders <= 2.18.16 – Missing Authorization on ajax_edit_folder]()

**CVE ID**: CVE-2023-0716
**CVSS Score**: 5.4 (Medium)
**Researcher/s**: [Marco Wotschka]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Wicked Folders <= 2.18.16 – Cross-Site Request Forgery via ajax_save_folder_order]()

**CVE ID**: CVE-2023-0730
**CVSS Score**: 5.4 (Medium)
**Researcher/s**: [Marco Wotschka]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Wicked Folders <= 2.18.16 – Cross-Site Request Forgery on ajax_save_folder]()

**CVE ID**: CVE-2023-0728
**CVSS Score**: 5.4 (Medium)
**Researcher/s**: [Marco Wotschka]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Wicked Folders <= 2.18.16 – Cross-Site Request Forgery via ajax_edit_folder]()

**CVE ID**: CVE-2023-0726
**CVSS Score**: 5.4 (Medium)
**Researcher/s**: [Marco Wotschka]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Wicked Folders <= 2.18.16 – Cross-Site Request Forgery via ajax_delete_folder]()

**CVE ID**: CVE-2023-0727
**CVSS Score**: 5.4 (Medium)
**Researcher/s**: [Marco Wotschka]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Auto Affiliate Links <= 6.2.1.5 – Authenticated(Subscriber+) Plugin Settings Change]()

**CVE ID**: CVE-2022-45840
**CVSS Score**: 5.4 (Medium)
**Researcher/s**: [Nguyen Anh Tien]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Wicked Folders <= 2.18.16 – Cross-Site Request Forgery via ajax_clone_folder]()

**CVE ID**: CVE-2023-0725
**CVSS Score**: 5.4 (Medium)
**Researcher/s**: [Marco Wotschka]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Wicked Folders <= 2.18.16 – Missing Authorization on ajax_save_folder_order]()

**CVE ID**: CVE-2023-0720
**CVSS Score**: 5.4 (Medium)
**Researcher/s**: [Marco Wotschka]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Wicked Folders <= 2.18.16 – Missing Authorization on ajax_save_sort_order]()

**CVE ID**: CVE-2023-0719
**CVSS Score**: 5.4 (Medium)
**Researcher/s**: [Marco Wotschka]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Wicked Folders <= 2.18.16 – Cross-Site Request Forgery via ajax_save_sort_order]()

**CVE ID**: CVE-2023-0729
**CVSS Score**: 5.4 (Medium)
**Researcher/s**: [Marco Wotschka]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Wicked Folders <= 2.18.16 – Missing Authorization on ajax_clone_folder]()

**CVE ID**: CVE-2023-0715
**CVSS Score**: 5.4 (Medium)
**Researcher/s**: [Marco Wotschka]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [WPCode <= 2.0.6 – Missing Authorization to Sensitive Key Disclosure/Update]()

**CVE ID**: CVE-2023-0328
**CVSS Score**: 5.4 (Medium)
**Researcher/s**: [Sanjay Das]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Quiz And Survey Master <= 8.0.8 – Cross-Site Request Forgery to Arbitrary Media Deletion]()

**CVE ID**: CVE-2023-0292
**CVSS Score**: 5.4 (Medium)
**Researcher/s**: [Julien Ahrens]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Wicked Folders <= 2.18.16 – Missing Authorization via ajax_save_state]()

**CVE ID**: CVE-2023-0711
**CVSS Score**: 5.4 (Medium)
**Researcher/s**: [Marco Wotschka]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [ShopLentor <= 2.5.1 – Cross-Site Request Forgery to Post Updates]()

**CVE ID**: CVE-2022-46798
**CVSS Score**: 5.4 (Medium)
**Researcher/s**: [Muhammad Daffa]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Wicked Folders <= 2.18.16 – Cross-Site Request Forgery on ajax_move_object]()

**CVE ID**: CVE-2023-0723
**CVSS Score**: 5.4 (Medium)
**Researcher/s**: [Marco Wotschka]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Wicked Folders <= 2.18.16 – Cross-Site Request Forgery via ajax_unassign_folders]()

**CVE ID**: CVE-2023-0685
**CVSS Score**: 5.4 (Medium)
**Researcher/s**: [Marco Wotschka]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [CURCY <= 2.1.25 – Missing Authorization to Currency Exchange Retrieval]()

**CVE ID**: CVE-2022-46796
**CVSS Score**: 5.3 (Medium)
**Researcher/s**: [Muhammad Daffa]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Vulnerability: eCommerce Product Catalog plugin for WordPress <= 3.3.4 – Authenticated (Administrator+) Stored Cross-Site Scripting]()

**CVE ID**: CVE-2023-25049
**CVSS Score**: 4.4 (Medium)
**Researcher/s**: [Abdi Pranata]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Under Construction <= 3.96 – Cross-Site Request Forgery via admin_action_ucp_dismiss_notice]()

**CVE ID**: CVE-2023-0831
**CVSS Score**: 4.3 (Medium)
**Researcher/s**: [Ramuel Gall](), [Alex Thomas]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Booking Calendar Contact Form <= 1.2.34 – Missing Authorization to Authenticated (Subscriber+) Feedback Form Submission]()

**CVE ID**: CVE-2023-25037
**CVSS Score**: 4.3 (Medium)
**Researcher/s**: [Lana Codes]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Booking Calendar Contact Form <= 1.2.34 – Cross-Site Request Forgery via cpdexbccf_feedback]()

**CVE ID**: CVE Unknown
**CVSS Score**: 4.3 (Medium)
**Researcher/s**: [Lana Codes]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Podlove Podcast Publisher <= 3.8.3 – Cross-Site Request Forgery]()

**CVE ID**: CVE Unknown
**CVSS Score**: 4.3 (Medium)
**Researcher/s**: Unknown
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [A2 Optimized WP <= 3.0.4 – Cross Site Request Forgery]()

**CVE ID**: CVE-2023-23711
**CVSS Score**: 4.3 (Medium)
**Researcher/s**: [Muhammad Daffa]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Under Construction <= 3.96 – Cross-Site Request Forgery via admin_action_install_weglot]()

**CVE ID**: CVE-2023-0832
**CVSS Score**: 4.3 (Medium)
**Researcher/s**: [Ramuel Gall](), [Alex Thomas]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Void Contact Form 7 Widget For Elementor Page Builder <= 2.1.1 – Cross-Site Request Forgery in void_cf7_opt_in_user_data_track]()

**CVE ID**: CVE-2022-47166
**CVSS Score**: 4.3 (Medium)
**Researcher/s**: [Muhammad Daffa]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Ajax Search Lite <= 4.10.3 – Missing Authorization leading to Authenticated (Subscriber+) Sensitive Information Disclosure]()

**CVE ID**: CVE-2022-38456
**CVSS Score**: 4.3 (Medium)
**Researcher/s**: [Lana Codes]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Google Maps CP <= 1.0.43 – Cross-Site Request Forgery via feedback_action]()

**CVE ID**: CVE Unknown
**CVSS Score**: 4.3 (Medium)
**Researcher/s**: [Lana Codes]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [All-in-one Google Analytics, Pixels and Product Feed Manager for WooCommerce <= 5.2.3 – Cross-Site Request Forgery]()

**CVE ID**: CVE-2022-46797
**CVSS Score**: 4.3 (Medium)
**Researcher/s**: [Muhammad Daffa]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [PayPal Brasil para WooCommerce <= 1.4.2 – Cross-Site Request Forgery]()

**CVE ID**: CVE-2023-25026
**CVSS Score**: 4.3 (Medium)
**Researcher/s**: [Lana Codes]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [Google Maps CP <= 1.0.43 – Missing Authorization to Authenticated (Subscriber+) Feedback Form Submission]()

**CVE ID**: CVE-2023-25039
**CVSS Score**: 4.3 (Medium)
**Researcher/s**: [Lana Codes]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Mercado Pago payments for WooCommerce <= 6.3.1 – Cross-Site Request Forgery]()

**CVE ID**: CVE-2022-45068
**CVSS Score**: 4.3 (Medium)
**Researcher/s**: [Muhammad Daffa]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Album and Image Gallery plus Lightbox <= 1.6.2 – Cross-Site Request Forgery]()

**CVE ID**: CVE Unknown
**CVSS Score**: 4.3 (Medium)
**Researcher/s**: Unknown
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [ColorWay <= 4.2.3 – Cross Site Request Forgery]()

**CVE ID**: CVE-2023-25447
**CVSS Score**: 4.3 (Medium)
**Researcher/s**: [Dave Jong]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

If you’d like to receive this weekly vulnerability report by email, along with Wordfence Intelligence CE product updates, sign up to the Wordfence Intelligence Community Edition Newsletter by filling out this form below.

* * *

_Are you a security researcher who would like to be featured in our weekly vulnerability report?_ You can responsibly disclose your WordPress vulnerability discoveries to us and [obtain a CVE ID through this form](). Responsibly disclosing your vulnerability discoveries to us will also get your name added on the [Wordfence Intelligence Community Edition leaderboard]() along with being mentioned in our weekly vulnerability report.

The post [Wordfence Intelligence CE Weekly Vulnerability Report (Feb 6, 2023 to Feb 12, 2023)]() appeared first on [Wordfence]().