Wordfence Intelligence Weekly WordPress Vulnerability Report (June 12, 2023 to June 18, 2023)
Description

Last week, there were 60 vulnerabilities disclosed in 52 WordPress Plugins and no WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 25 Vulnerability Researchers that contributed to WordPress Security last week. **Review those vulnerabilities in this report now to ensure your site is not affected.**

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface and vulnerability API are completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

_[Click here to sign up for our mailing list]() to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published._

* * *

### Total Unpatched & Patched Vulnerabilities Last Week

**Patch Status** | **Number of Vulnerabilities**
---|---
Unpatched | 20
Patched | 40

* * *

### Total Vulnerabilities by CVSS Severity Last Week

**Severity Rating** | **Number of Vulnerabilities**
---|---
Low Severity | 1
Medium Severity | 53
High Severity | 6
Critical Severity | 0

* * *

### Total Vulnerabilities by CWE Type Last Week

**Vulnerability Type by CWE** | **Number of Vulnerabilities**
---|---
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 26
Cross-Site Request Forgery (CSRF) | 21
Missing Authorization | 8
Information Exposure | 1
Authorization Bypass Through User-Controlled Key | 1
Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’) | 1
Unrestricted Upload of File with Dangerous Type | 1
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 1

* * *

### Researchers That Contributed to WordPress Security Last Week

**Researcher Name** | **Number of Vulnerabilities**
---|---
[Truoc Phan]() | 6
[LEE SE HYOUNG]() | 5
[Erwan LR]() | 5
[Marco Wotschka]() (Wordfence Vulnerability Researcher) | 4
[Abdi Pranata]() | 3
[Mika]() | 3
[Lana Codes]() (Wordfence Vulnerability Researcher) | 3
[yuyudhn]() | 3
[Nguyen Xuan Chien]() | 3
[Rafshanzani Suhada]() | 2
[konagash]() | 2
[NeginNrb]() | 2
[Rafie Muhammad]() | 2
[A. S. M. Muhiminul Hasan]() | 1
[Theodoros Malachias]() | 1
[Rio Darmawan]() | 1
[Le Ngoc Anh]() | 1
[emad]() | 1
[Alex Thomas]() (Wordfence Vulnerability Researcher) | 1
[Daniel Ruf]() | 1
[Amirmohammad vakili]() | 1
[thiennv]() | 1
[Chloe Chamberland]() (Wordfence Vulnerability Researcher) | 1
[Phd]() | 1
[killr00t]() | 1

_Are you a security researcher who would like to be featured in our weekly vulnerability report?_ You can responsibly disclose your WordPress vulnerability discoveries to us and [obtain a CVE ID through this form](). Responsibly disclosing your vulnerability discoveries to us will also get your name added on the [Wordfence Intelligence leaderboard]() along with being mentioned in our weekly vulnerability report.

* * *

### WordPress Plugins with Reported Vulnerabilities Last Week

**Software Name** | **Software Slug**
---|---
ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup | [armember-membership]()
All Bootstrap Blocks | [all-bootstrap-blocks]()
Booking and Rental Manager for Bike \| Car \| Resort \| Appointment \| Dress and all Kinds of Equipment | [booking-and-rental-manager-for-woocommerce]()
CF7 Google Sheets Connector | [cf7-google-sheets-connector]()
CF7 Google Sheets Connector Pro | [cf7-google-sheets-connector-pro]()
CHP Ads Block Detector | [chp-ads-block-detector]()
Church Admin | [church-admin]()
Constant Contact Forms | [constant-contact-forms]()
Contact Form by WD – responsive drag & drop contact form builder tool | [contact-form-maker]()
Elementor Forms Google Sheet Connector | [gsheetconnector-for-elementor-forms]()
Elementor Forms Google Sheet Connector Pro | [gsheetconnector-for-elementor-forms-pro]()
Flo Forms – Easy Drag & Drop Form Builder | [flo-forms]()
Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder | [form-maker]()
Forminator – Contact Form, Payment Form & Custom Form Builder | [forminator]()
Galleria | [galleria]()
Google Map Shortcode | [google-map-shortcode]()
Guest posting / Frontend Posting wordpress plugin – WP Front User Submit / Front Editor | [front-editor]()
LWS Cleaner | [lws-cleaner]()
LWS Tools | [lws-tools]()
Login Configurator | [login-configurator]()
MStore API | [mstore-api]()
MasterStudy LMS WordPress Plugin – for Online Courses and Education | [masterstudy-lms-learning-management-system]()
ND Shortcodes | [nd-shortcodes]()
Ninja Forms Google Sheet Connector | [gsheetconnector-ninja-forms]()
Ninja Forms Google Sheet Connector Pro | [gsheetconnector-ninja-forms-pro]()
Password Protected | [password-protected]()
Protect WP Admin | [protect-wp-admin]()
Recent Posts Slider | [recent-posts-slider]()
Recipe Maker For Your Food Blog from Zip Recipes | [zip-recipes]()
Securimage-WP | [securimage-wp]()
Seed Fonts | [seed-fonts]()
Sermon’e – Sermons Online | [UNKNOWN-CVE-2023-35776-1]()
Stock Manager for WooCommerce | [woocommerce-stock-manager]()
Template Debugger | [quick-edit-template-link]()
Tutor LMS – eLearning and online course solution | [tutor]()
Unlimited Elements For Elementor (Free Widgets, Addons, Templates) | [unlimited-elements-for-elementor]()
WP Affiliate Links | [wp-affiliate-links]()
WP Backup Manager | [wp-backup-manager]()
WP Directory Kit | [wpdirectorykit]()
WP Matterport Shortcode | [shortcode-gallery-for-matterport-showcase]()
WP PDF Generator | [wp-pdf-generator]()
WPForms Google Sheet Connector | [gsheetconnector-wpforms]()
WPForms Google Sheet Connector Pro | [gsheetconnector-wpforms-pro]()
Who Hit The Page – Hit Counter | [who-hit-the-page-hit-counter]()
WooCommerce Stripe Payment Gateway | [woocommerce-gateway-stripe]()
WordPress Contact Forms by Cimatti | [contact-forms]()
WordPress NextGen GalleryView | [wordpress-nextgen-galleryview]()
YaySMTP – Simple WP SMTP Mail | [yaysmtp]()
Zephyr Project Manager | [zephyr-project-manager]()
breadcrumb simple | [breadcrumb-simple]()
myCred – Points, Rewards, Gamification, Ranks, Badges & Loyalty Plugin | [mycred]()
胖鼠采集 (Fat Rat Collect) – paginated list collection from WeChat, Zhihu, Jianshu and Tencent News, with automatic collection, automatic publishing, automatic tagging and more; open-source plugin | [fat-rat-collect]()

* * *

### Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities.

#### [Unlimited Elements For Elementor (Free Widgets, Addons, Templates) <= 1.5.66 – Authenticated (Contributor+) Arbitrary File Upload]()

**Affected Software**: [Unlimited Elements For Elementor (Free Widgets, Addons, Templates)]()
**CVE ID**: CVE-2023-3295
**CVSS Score**: 8.8 (High)
**Researcher/s**: [Chloe Chamberland](), [Rafie Muhammad]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Tutor LMS <= 2.2.0 – Missing Authorization via REST API]()

**Affected Software**: [Tutor LMS – eLearning and online course solution]()
**CVE ID**: CVE-2023-3133
**CVSS Score**: 7.5 (High)
**Researcher/s**: [A. S. M. Muhiminul Hasan]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [WooCommerce Stripe Payment Gateway <= 7.4.0 – Unauthenticated Insecure Direct Object Reference to Sensitive Information Disclosure]()

**Affected Software**: [WooCommerce Stripe Payment Gateway]()
**CVE ID**: CVE-2023-34000
**CVSS Score**: 7.5 (High)
**Researcher/s**: [Rafie Muhammad]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Ninja Forms Google Sheet Connector <= 1.2.6 – Reflected Cross-Site Scripting]()

**Affected Software/s**: [Ninja Forms Google Sheet Connector](), [Ninja Forms Google Sheet Connector Pro]()
**CVE ID**: CVE-2023-2333
**CVSS Score**: 7.2 (High)
**Researcher/s**: [Erwan LR]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [YaySMTP <= 2.4.5 – Unauthenticated Stored Cross-Site Scripting via Email]()

**Affected Software**: [YaySMTP – Simple WP SMTP Mail]()
**CVE ID**: CVE-2023-3093
**CVSS Score**: 7.2 (High)
**Researcher/s**: [Alex Thomas]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Who Hit The Page – Hit Counter <= 1.4.14.3 – Unauthenticated Cross-Site Scripting]()

**Affected Software**: [Who Hit The Page – Hit Counter]()
**CVE ID**: CVE-2023-25466
**CVSS Score**: 7.2 (High)
**Researcher/s**: [Nguyen Xuan Chien]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [Contact Form Maker <= 1.13.23 – Authenticated (Administrator+) SQL Injection]()

**Affected Software**: [Contact Form by WD – responsive drag & drop contact form builder tool]()
**CVE ID**: CVE-2023-2655
**CVSS Score**: 6.6 (Medium)
**Researcher/s**: [killr00t]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [All Bootstrap Blocks <= 1.3.6 – Cross-Site Request Forgery to Plugin Settings Reset]()

**Affected Software**: [All Bootstrap Blocks]()
**CVE ID**: CVE-2023-35047
**CVSS Score**: 6.5 (Medium)
**Researcher/s**: [LEE SE HYOUNG]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [WP Directory Kit <= 1.2.3 – Missing Authorization to Plugin Settings Change/Delete, Demo Import, Directory Kit Deletion via wdk_admin_action]()

**Affected Software**: [WP Directory Kit]()
**CVE ID**: CVE-2023-2351
**CVSS Score**: 6.5 (Medium)
**Researcher/s**: [Lana Codes]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [MStore API <= 3.9.5 – Missing Authorization]()

**Affected Software**: [MStore API]()
**CVE ID**: CVE Unknown
**CVSS Score**: 6.5 (Medium)
**Researcher/s**: Unknown
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Sermon’e <= 1.0.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode]()

**Affected Software**: [Sermon’e – Sermons Online]()
**CVE ID**: CVE-2023-35776
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [Abdi Pranata]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [MasterStudy LMS <= 3.0.7 – Authenticated (Contributor+) Stored Cross-Site Scripting]()

**Affected Software**: [MasterStudy LMS WordPress Plugin – for Online Courses and Education]()
**CVE ID**: CVE-2023-35090
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [Rafshanzani Suhada]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [ND Shortcodes <= 6.9 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode]()

**Affected Software**: [ND Shortcodes]()
**CVE ID**: CVE-2022-4623
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [Lana Codes]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [WP Matterport Shortcode <= 2.1.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode]()

**Affected Software**: [WP Matterport Shortcode]()
**CVE ID**: CVE-2023-35094
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [yuyudhn]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [ND Shortcodes <= 6.9 – Authenticated (Subscriber+) Local File Inclusion]()

**Affected Software**: [ND Shortcodes]()
**CVE ID**: CVE-2023-1273
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [Erwan LR]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Front User Submit | Front Editor <= 3.7.0 – Authenticated (Subscriber+) Stored Cross-Site Scripting]()

**Affected Software**: [Guest posting / Frontend Posting wordpress plugin – WP Front User Submit / Front Editor]()
**CVE ID**: CVE Unknown
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: Unknown
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [NextGen GalleryView <= 0.5.5 – Reflected Cross-Site Scripting]()

**Affected Software**: [WordPress NextGen GalleryView]()
**CVE ID**: CVE-2023-35098
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [LEE SE HYOUNG]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [CF7 Google Sheets Connector <= 5.0.1 – Reflected Cross-Site Scripting via ‘code’]()

**Affected Software/s**: [CF7 Google Sheets Connector Pro](), [CF7 Google Sheets Connector]()
**CVE ID**: CVE-2023-2320
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [Erwan LR]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Elementor Forms Google Sheet Connector <= 1.0.6 – Reflected Cross-Site Scripting via ‘code’]()

**Affected Software/s**: [Elementor Forms Google Sheet Connector Pro](), [Elementor Forms Google Sheet Connector]()
**CVE ID**: CVE-2023-2324
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [Erwan LR]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [WP Backup Manager <= 1.13.1 – Reflected Cross-Site Scripting]()

**Affected Software**: [WP Backup Manager]()
**CVE ID**: CVE-2023-35775
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [Le Ngoc Anh]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [WPForms Google Sheet Connector <= 3.4.5 – Reflected Cross-Site Scripting]()

**Affected Software/s**: [WPForms Google Sheet Connector Pro](), [WPForms Google Sheet Connector]()
**CVE ID**: CVE-2023-2321
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [Erwan LR]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Recent Posts Slider <= 1.1 – Reflected Cross-Site Scripting]()

**Affected Software**: [Recent Posts Slider]()
**CVE ID**: CVE-2023-35043
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [LEE SE HYOUNG]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [WP Affiliate Links <= 0.1.1 – Reflected Cross-Site Scripting]()

**Affected Software**: [WP Affiliate Links]()
**CVE ID**: CVE-2023-35097
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [thiennv]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [Google Map Shortcode <= 3.1.2 – Reflected Cross-Site Scripting]()

**Affected Software**: [Google Map Shortcode]()
**CVE ID**: CVE-2023-35772
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [Nguyen Xuan Chien]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [Church Admin <= 3.7.29 – Reflected Cross-Site Scripting]()

**Affected Software**: [Church Admin]()
**CVE ID**: CVE-2023-34021
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [Phd]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [LWS Tools <= 2.4.1 – Cross-Site Request Forgery]()

**Affected Software**: [LWS Tools]()
**CVE ID**: CVE-2023-35774
**CVSS Score**: 5.4 (Medium)
**Researcher/s**: [konagash]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [LWS Cleaner <= 2.3.0 – Cross-Site Request Forgery]()

**Affected Software**: [LWS Cleaner]()
**CVE ID**: CVE-2023-35781
**CVSS Score**: 5.4 (Medium)
**Researcher/s**: [konagash]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Fat Rat Collect <= 2.6.1 – Missing Authorization]()

**Affected Software**: [胖鼠采集 (Fat Rat Collect) – paginated list collection from WeChat, Zhihu, Jianshu and Tencent News; open-source plugin]()
**CVE ID**: CVE-2023-35045
**CVSS Score**: 5.3 (Medium)
**Researcher/s**: [Abdi Pranata]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [Protect WP Admin <= 3.8 – Unauthenticated Information Disclosure to Protection Bypass]()

**Affected Software**: [Protect WP Admin]()
**CVE ID**: CVE-2023-3139
**CVSS Score**: 5.3 (Medium)
**Researcher/s**: [Daniel Ruf]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Forminator <= 1.23.3 – Race Condition to Multiple Poll Voting]()

**Affected Software**: [Forminator – Contact Form, Payment Form & Custom Form Builder]()
**CVE ID**: CVE-2023-2010
**CVSS Score**: 5.3 (Medium)
**Researcher/s**: [Amirmohammad vakili]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [CHP Ads Block Detector <= 3.9.4 – Authenticated (Subscriber+) Stored Cross-Site Scripting]()

**Affected Software**: [CHP Ads Block Detector]()
**CVE ID**: CVE-2023-2354
**CVSS Score**: 4.9 (Medium)
**Researcher/s**: [Marco Wotschka]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Seed Fonts 2.3.1 – Authenticated (Administrator+) Stored Cross-Site Scripting]()

**Affected Software**: [Seed Fonts]()
**CVE ID**: CVE-2023-35779
**CVSS Score**: 4.4 (Medium)
**Researcher/s**: [yuyudhn]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [ARMember <= 4.0.2 – Authenticated (Administrator+) Stored Cross-Site Scripting]()

**Affected Software**: [ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup]()
**CVE ID**: CVE-2023-33323
**CVSS Score**: 4.4 (Medium)
**Researcher/s**: [emad]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Booking and Rental Manager <= 1.2.1 – Authenticated (Administrator+) Stored Cross-Site Scripting]()

**Affected Software**: [Booking and Rental Manager for Bike | Car | Resort | Appointment | Dress and all Kinds of Equipment]()
**CVE ID**: CVE-2023-35048
**CVSS Score**: 4.4 (Medium)
**Researcher/s**: [NeginNrb]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Login Configurator <= 2.1 – Authenticated (Administrator+) Stored Cross-Site Scripting]()

**Affected Software**: [Login Configurator]()
**CVE ID**: CVE-2023-34369
**CVSS Score**: 4.4 (Medium)
**Researcher/s**: [NeginNrb]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [Password Protected <= 2.6.2 – Authenticated (Administrator+) Stored Cross-Site Scripting]()

**Affected Software**: [Password Protected]()
**CVE ID**: CVE-2023-32580
**CVSS Score**: 4.4 (Medium)
**Researcher/s**: [Mika]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Flo Forms <= 1.0.40 – Authenticated (Administrator+) Stored Cross-Site Scripting]()

**Affected Software**: [Flo Forms – Easy Drag & Drop Form Builder]()
**CVE ID**: CVE-2023-35095
**CVSS Score**: 4.4 (Medium)
**Researcher/s**: [yuyudhn]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [Recent Posts Slider <= 1.1 – Cross-Site Request Forgery]()

**Affected Software**: [Recent Posts Slider]()
**CVE ID**: CVE-2023-35778
**CVSS Score**: 4.3 (Medium)
**Researcher/s**: [LEE SE HYOUNG]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [MStore API <= 3.9.6 – Cross-Site Request Forgery to Product Limit Update]()

**Affected Software**: [MStore API]()
**CVE ID**: CVE-2023-3203
**CVSS Score**: 4.3 (Medium)
**Researcher/s**: [Truoc Phan]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Zephyr Project Manager <= 3.3.93 – Cross-Site Request Forgery]()

**Affected Software**: [Zephyr Project Manager]()
**CVE ID**: CVE-2023-34373
**CVSS Score**: 4.3 (Medium)
**Researcher/s**: [Theodoros Malachias]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [WP PDF Generator <= 1.2.2 – Cross-Site Request Forgery to PDF Settings Update]()

**Affected Software**: [WP PDF Generator]()
**CVE ID**: CVE-2023-35038
**CVSS Score**: 4.3 (Medium)
**Researcher/s**: [Mika]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Securimage-WP <= 3.6.16 – Cross-Site Request Forgery]()

**Affected Software**: [Securimage-WP]()
**CVE ID**: CVE-2023-35044
**CVSS Score**: 4.3 (Medium)
**Researcher/s**: [Abdi Pranata]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [MasterStudy LMS <= 3.0.7 – Missing Authorization to Course Category Creation]()

**Affected Software**: [MasterStudy LMS WordPress Plugin – for Online Courses and Education]()
**CVE ID**: CVE-2023-35093
**CVSS Score**: 4.3 (Medium)
**Researcher/s**: [Rafshanzani Suhada]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [CHP Ads Block Detector <= 3.9.4 – Missing Authorization to Plugin Settings Update]()

**Affected Software**: [CHP Ads Block Detector]()
**CVE ID**: CVE-2023-2353
**CVSS Score**: 4.3 (Medium)
**Researcher/s**: [Marco Wotschka]()