Wordfence Intelligence Weekly WordPress Vulnerability Report (Feb 27, 2023 to Mar 5, 2023)
Description

Wordfence has curated an industry-leading vulnerability database, known as [Wordfence Intelligence](), that covers all known WordPress core, theme, and plugin vulnerabilities.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers. They draw on in-house vulnerability research, on submissions that vulnerability researchers send directly to us using [our CVE Request form](), and on monitoring of various sources to capture all publicly available WordPress vulnerability information, adding context where we can.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, including the WordPress community, so that individuals and organizations alike can use that data to make the internet more secure. That is why the Wordfence Intelligence user interface and [vulnerability API]() are completely free to access and use, both personally and commercially.

Last week, 117 vulnerabilities disclosed in WordPress-based software were added to the Wordfence Intelligence Vulnerability Database, and 30 vulnerability researchers contributed to WordPress security. You can find those vulnerabilities below, along with some data about the vulnerabilities that were added.

_[Click here to sign up for our mailing list]() to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published._

* * *

### Total Unpatched & Patched Vulnerabilities Last Week

**Patch Status** | **Number of Vulnerabilities**
---|---
Unpatched | 44
Patched | 73

* * *

### Total Vulnerabilities by CVSS Severity Last Week

**Severity Rating** | **Number of Vulnerabilities**
---|---
Low Severity | 1
Medium Severity | 104
High Severity | 10
Critical Severity | 2

* * *

### Total Vulnerabilities by CWE Type Last Week

**Vulnerability Type by CWE** | **Number of Vulnerabilities**
---|---
Cross-Site Request Forgery (CSRF) | 53
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 34
Missing Authorization | 16
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 2
Information Exposure | 2
Authorization Bypass Through User-Controlled Key | 2
Server-Side Request Forgery (SSRF) | 2
Incorrect Privilege Assignment | 1
Unrestricted Upload of File with Dangerous Type | 1
Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’) | 1
Protection Mechanism Failure | 1
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) | 1
Improper Validation of Integrity Check Value | 1

* * *

### Researchers That Contributed to WordPress Security Last Week

**Researcher Name** | **Number of Vulnerabilities**
---|---
[Lana Codes]() | 27
[Rio Darmawan]() | 20
[Mika]() | 13
[Dave Jong]() | 6
[FearZzZz]() | 4
[Erwan LR]() | 4
[yuyudhn]() | 4
[WPScanTeam]() | 3
[Prasanna V Balaji]() | 3
[Marco Wotschka]() | 3
[Rafie Muhammad]() | 3
[TEAM WEBoB of BoB 11th]() | 2
[Abdi Pranata]() | 2
[Muhammad Daffa]() | 2
[Nguyen Xuan Chien]() | 2
[Marc-Alexandre Montpas]() | 1
[TaeEun Lee]() | 1
[Pounraj Chinnasamy]() | 1
[Jarko Piironen]() | 1
[dc11]() | 1
[rezaduty]() | 1
[Mohammed El Amin, Chemouri]() | 1
[Universe]() | 1
[Alex Sanford]() | 1
[Vaibhav Rajput]() | 1
[MyungJu Kim]() | 1
[Mahesh Nagabhairava]() | 1
[Leonidas Milosis]() | 1
[Shreya Pohekar]() | 1
[Nguyen Thuc Tuyen]() | 1

_Are you a security researcher who would like to be featured in our weekly vulnerability report?_ You can responsibly disclose your WordPress vulnerability discoveries to us and [obtain a CVE ID through this form](). Responsibly disclosing your vulnerability discoveries to us will also get your name added on the [Wordfence Intelligence leaderboard]() along with being mentioned in our weekly vulnerability report.

* * *

### Vulnerability Details

#### [Houzez <= 2.7.1 – Privilege Escalation]()

**CVE ID**: CVE-2023-26540
**CVSS Score**: 9.8 (Critical)
**Researcher/s**: [Dave Jong]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Debug Assistant <= 1.4 – Cross-Site Request Forgery via imlt_create_admin]()

**CVE ID**: CVE-2023-26516
**CVSS Score**: 8.8 (High)
**Researcher/s**: [Prasanna V Balaji]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [OceanWP <= 3.4.1 – Authenticated (Subscriber+) Local File Inclusion]()

**CVE ID**: CVE-2023-23700
**CVSS Score**: 8.8 (High)
**Researcher/s**: [Rafie Muhammad]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [ProfileGrid <= 5.3.0 – Missing Authorization to Arbitrary Password Reset]()

**CVE ID**: CVE-2023-0940
**CVSS Score**: 8.8 (High)
**Researcher/s**: [dc11]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [CSSTidy – Server-Side Request Forgery]()

**CVE ID**: CVE-2022-40700
**CVSS Score**: 8.3 (High)
**Researcher/s**: [Dave Jong]()
**Patch Status**: Unpatched/Patched
**Vulnerability Details:**

* * *

#### [Gallery Blocks with Lightbox <= 3.0.7 – Missing Authorization in pgc_sgb_add_dashboard_widget]()

**CVE ID**: CVE Unknown
**CVSS Score**: 8.1 (High)
**Researcher/s**: Unknown
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Paid Memberships Pro <= 2.9.11 – Authenticated (Subscriber+) SQL Injection via Shortcodes]()

**CVE ID**: CVE-2023-0631
**CVSS Score**: 7.7 (High)
**Researcher/s**: [Marc-Alexandre Montpas]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Types <= 3.4.17 – Unauthenticated (Administrator+) Arbitrary File Upload]()

**CVE ID**: CVE-2023-27440
**CVSS Score**: 7.2 (High)
**Researcher/s**: [Dave Jong]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [Leyka <= 3.29.2 – Unauthenticated Stored Cross-Site Scripting]()

**CVE ID**: CVE-2023-27450
**CVSS Score**: 7.2 (High)
**Researcher/s**: [yuyudhn]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [Dokan <= 3.7.12 – Authenticated (Vendor+) SQL Injection]()

**CVE ID**: CVE-2023-26525
**CVSS Score**: 7.2 (High)
**Researcher/s**: [Rafie Muhammad]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [LWS Tools <= 2.3.1 – Cross-Site Request Forgery]()

**CVE ID**: CVE-2023-27453
**CVSS Score**: 7.1 (High)
**Researcher/s**: [Abdi Pranata]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Manage Upload Limit <= 1.0.4 – Reflected Cross-Site Scripting via upload_limit]()

**CVE ID**: CVE-2023-27432
**CVSS Score**: 7.1 (High)
**Researcher/s**: [Mahesh Nagabhairava]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [Woodmart <= 7.1.1 – Cross-Site Request Forgery to License Update]()

**CVE ID**: CVE Unknown
**CVSS Score**: 6.5 (Medium)
**Researcher/s**: [FearZzZz]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Shortcodes Ultimate <= 5.12.7 – Authenticated (Subscriber+) Information Exposure]()

**CVE ID**: CVE-2023-0911
**CVSS Score**: 6.5 (Medium)
**Researcher/s**: [Erwan LR]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [WoodMart <= 7.1.1 – Missing Authorization to Shortcode Injection]()

**CVE ID**: CVE-2023-25790
**CVSS Score**: 6.5 (Medium)
**Researcher/s**: [FearZzZz]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Sales Report Email for WooCommerce <= 2.8 – Missing Authorization for Email Functionality]()

**CVE ID**: CVE-2022-38141
**CVSS Score**: 6.5 (Medium)
**Researcher/s**: [Lana Codes]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [Smart Slider 3 <= 3.5.1.13 – Authenticated (Contributor+) Stored Cross-Site Scripting]()

**CVE ID**: CVE-2023-0660
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [Erwan LR]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Simple Vimeo Shortcode <= 2.9.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode]()

**CVE ID**: CVE-2023-27443
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [Mika]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [Cost Calculator <= 1.8 – Authenticated (Contributor+) Stored Cross-Site Scripting]()

**CVE ID**: CVE-2023-1155
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [Marco Wotschka]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [menu shortcode <= 1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode]()

**CVE ID**: CVE-2023-0395
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [Lana Codes]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [WordPress Infinite Scroll – Ajax Load More <= 5.6.0.2 – Authenticated (Contributor+) Stored Cross Site Scripting via Shortcode]()

**CVE ID**: CVE-2022-4466
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [Lana Codes]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Cookie Notice & Compliance for GDPR / CCPA <= 2.4.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcodes]()

**CVE ID**: CVE-2023-24400
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [Rafie Muhammad]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Yoast SEO <= 20.2 – Authenticated (Contributor+) Cross-Site Scripting]()

**CVE ID**: CVE Unknown
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [Leonidas Milosis]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [NEX-Forms – Ultimate Form Builder <= 8.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode]()

**CVE ID**: CVE-2023-0272
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [Lana Codes]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [Real Estate 7 <= 3.3.4 – Reflected Cross-Site Scripting via ct_additional_features]()

**CVE ID**: CVE Unknown
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [FearZzZz]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Watu Quiz <= 3.3.9 – Reflected Cross-Site Scripting]()

**CVE ID**: CVE-2023-0968
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [Marco Wotschka]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Darcie <= 1.1.5 – Reflected Cross-Site Scripting via JS split]()

**CVE ID**: CVE-2023-25961
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [MyungJu Kim]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [GN Publisher <= 1.5.5 – Reflected Cross-Site Scripting]()

**CVE ID**: CVE-2023-1080
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [Marco Wotschka]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Easy Testimonial Slider and Form <= 1.0.15 – Unauthenticated Reflected Cross-Site Scripting via search_term]()

**CVE ID**: CVE-2022-46799
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [Nguyen Xuan Chien]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [GTmetrix for WordPress <= 0.4.5 – Reflected Cross-Site Scripting via ‘url’]()

**CVE ID**: CVE-2023-23677
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [Nguyen Xuan Chien]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Cart Lift – Abandoned Cart Recovery for WooCommerce and EDD <= 3.1.5 – Reflected Cross-Site Scripting via cart_search]()

**CVE ID**: CVE-2022-47449
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [TEAM WEBoB of BoB 11th]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Real Estate 7 <= 3.3.4 – Cross-Site Request Forgery]()

**CVE ID**: CVE Unknown
**CVSS Score**: 5.4 (Medium)
**Researcher/s**: [FearZzZz]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Instant Images <= 5.1.0.1 – Authenticated (Author+) Server-Side Request Forgery via instant_images_download]()

**CVE ID**: CVE-2023-27451
**CVSS Score**: 5.4 (Medium)
**Researcher/s**: [Universe]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [Leyka <= 3.29.2 – Cross-Site Request Forgery]()

**CVE ID**: CVE-2023-27442
**CVSS Score**: 5.4 (Medium)
**Researcher/s**: [yuyudhn]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [Rife Elementor Extensions & Templates <= 1.1.10 – Missing Authorization via import_templates]()

**CVE ID**: CVE-2023-27454
**CVSS Score**: 5.4 (Medium)
**Researcher/s**: [Lana Codes]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Sheets To WP Table Live Sync <= 2.12.15 – Cross-Site Request Forgery]()

**CVE ID**: CVE-2023-26535
**CVSS Score**: 5.4 (Medium)
**Researcher/s**: [Mika]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Advanced Text Widget <= 2.1.2 – Missing Authorization via atw_dismiss_admin_notice]()

**CVE ID**: CVE-2023-26520
**CVSS Score**: 5.3 (Medium)
**Researcher/s**: [Rio Darmawan]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [WP SMS <= 6.0.4 – Information Disclosure via REST API]()

**CVE ID**: CVE-2023-27447
**CVSS Score**: 5.3 (Medium)
**Researcher/s**: [Jarko Piironen]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Metform Elementor Contact Form Builder <= 3.2.1 – reCaptcha Protection Bypass]()

**CVE ID**: CVE-2023-0085
**CVSS Score**: 5.3 (Medium)
**Researcher/s**: [Mohammed El Amin, Chemouri]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Event Espresso 4 Decaf <= 4.10.44.decaf – Feature Bypass]()

**CVE ID**: CVE-2023-27437
**CVSS Score**: 5.3 (Medium)
**Researcher/s**: [yuyudhn]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [WP Repost <= 0.1 – Missing Authorization]()

**CVE ID**: CVE-2023-26522
**CVSS Score**: 5.3 (Medium)
**Researcher/s**: [Prasanna V Balaji]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [Simple CSV/XLS Exporter <= 1.5.8 – CSV Injection]()

**CVE ID**: CVE-2022-42882
**CVSS Score**: 5.1 (Medium)
**Researcher/s**: [Mika]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [Advanced Text Widget <= 2.1.2 – Authenticated (Administrator+) Stored Cross-Site Scripting]()

**CVE ID**: CVE-2023-26539
**CVSS Score**: 4.4 (Medium)
**Researcher/s**: [Rio Darmawan]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [Jetpack CRM <= 5.4.4 – Authenticated (Administrator+) Stored Cross-Site Scripting]()

**CVE ID**: CVE-2023-27429
**CVSS Score**: 4.4 (Medium)
**Researcher/s**: [TEAM WEBoB of BoB 11th]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [We’re Open! <= 1.46 – Authenticated (Administrator+) Stored Cross-Site Scripting]()

**CVE ID**: CVE-2023-25964
**CVSS Score**: 4.4 (Medium)
**Researcher/s**: [TaeEun Lee]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [WP Repost <= 0.1 – Authenticated (Administrator+) Stored Cross-Site Scripting]()

**CVE ID**: CVE-2023-26534
**CVSS Score**: 4.4 (Medium)
**Researcher/s**: [Pounraj Chinnasamy]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [Button Generator – easily Button Builder <= 2.3.3 – Authenticated (Administrator+) Stored Cross-Site Scripting]()

**CVE ID**: CVE-2023-27452
**CVSS Score**: 4.4 (Medium)
**Researcher/s**: [Rio Darmawan]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Dashboard Widgets Suite <= 3.2.1 – Authenticated (Administrator+) Stored Cross-Site Scripting]()

**CVE ID**: CVE-2023-26517
**CVSS Score**: 4.4 (Medium)
**Researcher/s**: [Rio Darmawan]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Publish to Schedule <= 4.5.4 – Authenticated (Administrator+) Stored Cross-Site Scripting]()

**CVE ID**: CVE-2023-26519
**CVSS Score**: 4.4 (Medium)
**Researcher/s**: [Rio Darmawan]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Namaste! LMS <= 2.5.9.9 – Authenticated (Administrator+) Stored Cross-Site Scripting via ‘accept_other_payment_methods’, ‘other_payment_methods’ Parameters]()

**CVE ID**: CVE-2023-0844
**CVSS Score**: 4.4 (Medium)
**Researcher/s**: [Alex Sanford]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [FareHarbor for WordPress <= 3.6.6 – Authenticated (Administrator+) Stored Cross-Site Scripting]()

**CVE ID**: CVE-2023-25021
**CVSS Score**: 4.4 (Medium)
**Researcher/s**: [Rio Darmawan]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [CPO Content Types <= 1.1.0 – Authenticated (Administrator+) Stored Cross-Site Scripting]()

**CVE ID**: CVE-2023-25451
**CVSS Score**: 4.4 (Medium)
**Researcher/s**: [Rio Darmawan]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [WP No External Links <= 1.0.2 – Authenticated (Administrator+) Stored Cross-Site Scripting]()

**CVE ID**: CVE-2023-26537
**CVSS Score**: 4.4 (Medium)
**Researcher/s**: [Rio Darmawan]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [Simple File List <= 6.0.9 – Authenticated (Administrator+) Stored Cross-Site Scripting]()

**CVE ID**: CVE-2023-1025
**CVSS Score**: 4.4 (Medium)
**Researcher/s**: [Shreya Pohekar]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [New Adman <= 1.6.8 – Authenticated (Administrator+) Stored Cross-Site Scripting]()

**CVE ID**: CVE-2023-27439
**CVSS Score**: 4.4 (Medium)
**Researcher/s**: [Rio Darmawan]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [Simple Slug Translate <= 2.7.2 – Authenticated (Administrator+) Stored Cross-Site Scripting]()

**CVE ID**: CVE-2023-26515
**CVSS Score**: 4.4 (Medium)
**Researcher/s**: [yuyudhn]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [JCH Optimize <= 3.2.2 – Authenticated (Administrator+) Stored Cross-Site Scripting via admin settings]()

**CVE ID**: CVE-2023-25491
**CVSS Score**: 4.4 (Medium)
**Researcher/s**: [Rio Darmawan]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Debug Assistant <= 1.4 – Authenticated (Administrator+) Stored Cross-Site Scripting]()

**CVE ID**: CVE-2023-26527
**CVSS Score**: 4.4 (Medium)
**Researcher/s**: [Prasanna V Balaji]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Maspik – Spam blacklist <= 0.7.8 – Cross-Site Request Forgery]()

**CVE ID**: CVE-2023-24008
**CVSS Score**: 4.3 (Medium)
**Researcher/s**: [Mika]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [WpStream – Live Streaming, Video on Demand, Pay Per View <= 4.4.10 – Cross-Site Request Forgery via wpstream_settings]()

**CVE ID**: CVE-2023-27458
**CVSS Score**: 4.3 (Medium)
**Researcher/s**: [Rio Darmawan]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [WP Time Slots Booking Form <= 1.1.76 – Cross-Site Request Forgery to Feedback Submission]()

**CVE ID**: CVE-2022-41790
**CVSS Score**: 4.3 (Medium)
**Researcher/s**: [Lana Codes]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Download Read More Excerpt Link <= 1.6.0 – Cross-Site Request Forgery to Settings Update]()

**CVE ID**: CVE-2023-1068
**CVSS Score**: 4.3 (Medium)
**Researcher/s**: [Lana Codes]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [CP Contact Form with Paypal <= 1.3.34 – Authenticated Feedback Submission]()

**CVE ID**: CVE-2023-27460
**CVSS Score**: 4.3 (Medium)
**Researcher/s**: [Lana Codes]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [WP Google Tag Manager <= 1.1 – Cross-Site Request Forgery]()

**CVE ID**: CVE-2023-22693
**CVSS Score**: 4.3 (Medium)
**Researcher/s**: [Mika]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [DeepL Pro API translation <= 2.1.4 – Cross-Site Request Forgery via saveSettings]()

**CVE ID**: CVE-2023-27446
**CVSS Score**: 4.3 (Medium)
**Researcher/s**: [Mika]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Search in Place <= 1.0.104 – Missing Authorization to Feedback Submission]()

**CVE ID**: CVE-2023-26521
**CVSS Score**: 4.3 (Medium)
**Researcher/s**: [Lana Codes]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [WP Meteor Page Speed Optimization Topping <= 3.1.4 – Missing Authorization to Notice Dismissal]()

**CVE ID**: CVE Unknown
**CVSS Score**: 4.3 (Medium)
**Researcher/s**: Unknown
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Preview Link Generator <= 1.0.3 – Cross-Site Request Forgery to Arbitrary Plugin Activation]()

**CVE ID**: CVE-2023-1086
**CVSS Score**: 4.3 (Medium)
**Researcher/s**: [WPScanTeam]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Blog Floating Button <= 1.4.12 – Cross-Site Request Forgery]()

**CVE ID**: CVE-2023-27445
**CVSS Score**: 4.3 (Medium)
**Researcher/s**: [Rio Darmawan]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [Free WooCommerce Theme 99fy Extension <= 1.2.7 – Cross-Site Request Forgery leading to Arbitrary Plugin Activation]()

**CVE ID**: CVE-2023-0503
**CVSS Score**: 4.3 (Medium)
**Researcher/s**: [Lana Codes]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [Shortcodes Ultimate <= 5.12.7 – Authenticated (Subscriber+) Arbitrary Post Access via Shortcode]()

**CVE ID**: CVE-2023-0890
**CVSS Score**: 4.3 (Medium)
**Researcher/s**: [Erwan LR]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [WP Insurance – WordPress Insurance Service Plugin <= 2.1.3 – Cross-Site Request Forgery leading to Arbitrary Plugin Activation]()

**CVE ID**: CVE-2023-0501
**CVSS Score**: 4.3 (Medium)
**Researcher/s**: [Lana Codes]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [WC Sales Notification <= 1.2.2 – Cross-Site Request Forgery to Arbitrary Plugin Activation]()

**CVE ID**: CVE-2023-1087
**CVSS Score**: 4.3 (Medium)
**Researcher/s**: [WPScanTeam]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [WP Meteor Page Speed Optimization Topping <= 3.1.4 – Cross-Site Request Forgery via processAjaxNoticeDismiss]()

**CVE ID**: CVE-2023-26543
**CVSS Score**: 4.3 (Medium)
**Researcher/s**: [Muhammad Daffa]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [HT Portfolio <= 1.1.4 – Cross-Site Request Forgery to Arbitrary Plugin Activation]()

**CVE ID**: CVE-2023-0497
**CVSS Score**: 4.3 (Medium)
**Researcher/s**: [Lana Codes]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [Add Expires Headers & Optimized Minify <= 2.7 – Cross-Site Request Forgery via [placeholder]]()

**CVE ID**: CVE-2023-27457
**CVSS Score**: 4.3 (Medium)
**Researcher/s**: [Rio Darmawan]()
