Last week, there were 66 vulnerabilities disclosed in 56 WordPress Plugins and 1 WordPress theme that have been added to the Wordfence Intelligence Vulnerability Database, and there were 34 Vulnerability Researchers that contributed to WordPress Security last week. **Review those vulnerabilities in this report now to ensure your site is not affected.**
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, including the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface and vulnerability API are completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.
_[Click here to sign up for our mailing list]() to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published._
* * *
### New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real time to our [Premium](), [Care](), and [Response]() customers last week:
* [Ultimate Member <= 2.6.6 – Privilege Escalation via Arbitrary User Meta Updates]()
* [WP Post Author <= 3.3.0 – Privilege Escalation]()
Wordfence [Premium](), [Care](), and [Response]() customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30-day delay.
* * *
### Total Unpatched & Patched Vulnerabilities Last Week
**Patch Status** | **Number of Vulnerabilities**
---|---
Unpatched | 26
Patched | 40
* * *
### Total Vulnerabilities by CVSS Severity Last Week
**Severity Rating** | **Number of Vulnerabilities**
---|---
Low Severity | 0
Medium Severity | 52
High Severity | 9
Critical Severity | 5
* * *
### Total Vulnerabilities by CWE Type Last Week
**Vulnerability Type by CWE** | **Number of Vulnerabilities**
---|---
Cross-Site Request Forgery (CSRF) | 22
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 17
Missing Authorization | 8
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 4
Authorization Bypass Through User-Controlled Key | 3
Authentication Bypass Using an Alternate Path or Channel | 2
Information Exposure | 2
Server-Side Request Forgery (SSRF) | 2
Improper Neutralization of Formula Elements in a CSV File | 2
Improper Privilege Management | 1
Incorrect Privilege Assignment | 1
Use of Hard-coded Cryptographic Key | 1
Improper Neutralization of Special Elements used in an LDAP Query (‘LDAP Injection’) | 1
* * *
### Researchers That Contributed to WordPress Security Last Week
**Researcher Name** | **Number of Vulnerabilities**
---|---
[Lana Codes]() (Wordfence Vulnerability Researcher) | 6
[Cat]() | 5
[Erwan LR]() | 4
[Rafie Muhammad]() | 4
[Rafshanzani Suhada]() | 3
[Dave Jong]() | 2
[Marco Wotschka]() (Wordfence Vulnerability Researcher) | 2
[Dipak Panchal]() | 1
[NeginNrb]() | 1
[emad]() | 1
[Ravi Dharmawan]() | 1
[Justiice]() | 1
[Marc-Alexandre Montpas]() | 1
[Lukas Kinneberg]() | 1
[Kenichiro Ito]() | 1
[coogee86]() | 1
[Muhammad Daffa]() | 1
[Mika]() | 1
[Elliot]() | 1
[Chris Shultz]() | 1
[Le Ngoc Anh]() | 1
[Hoang Van Hiep]() | 1
[FearZzZz]() | 1
[Felipe Restrepo Rodriguez]() | 1
[Edison Poveda]() | 1
[yuyudhn]() | 1
[Etan Imanol Castro Aldrete]() | 1
[Abdi Pranata]() | 1
[qilin_99]() | 1
[Taurus Omar]() | 1
[Luca Greeb]() | 1
[Andreas Krüger]() | 1
[Abu Hurayra]() | 1
[Rafael B.]() | 1
_Are you a security researcher who would like to be featured in our weekly vulnerability report?_ You can responsibly disclose your WordPress vulnerability discoveries to us and [obtain a CVE ID through this form](). Responsibly disclosing your vulnerability discoveries to us will also get your name added to the [Wordfence Intelligence leaderboard](), along with a mention in our weekly vulnerability report.
* * *
### WordPress Plugins with Reported Vulnerabilities Last Week
**Software Name** | **Software Slug**
---|---
AN_GradeBook | [an-gradebook]()
ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup | [armember-membership]()
Active Directory Integration / LDAP Integration | [ldap-login-for-intranet-sites]()
ApplyOnline – Application Form Builder and Manager | [apply-online]()
Autochat Automatic Conversation | [auyautochat-for-wp]()
AutomateWoo | [automatewoo]()
Booked – Appointment Booking for WordPress | [booked]()
Caldera Forms Google Sheets Connector | [gsheetconnector-caldera-forms]()
Catalyst Connect Zoho CRM Client Portal | [catalyst-connect-client-portal]()
Duplicate Post Page Menu & Custom Post Type | [duplicate-post-page-menu-custom-post-type]()
Easy Accordion FAQ and Knowledge Base Software for WordPress | [knowledge-center]()
Editorial Calendar | [editorial-calendar]()
Email download link | [email-download-link]()
EmbedPress – Embed PDF, YouTube, Google Docs, Vimeo, Wistia Videos, Audios, Maps & Any Documents in Gutenberg & Elementor | [embedpress]()
Enhanced Text Widget | [enhanced-text-widget]()
Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button – Chaty | [chaty]()
Form Builder \| Create Responsive Contact Forms | [contact-form-add]()
Guest posting / Frontend Posting wordpress plugin – WP Front User Submit / Front Editor | [front-editor]()
Image Map Pro – Drag-and-drop Builder for Interactive Images – Lite | [image-map-pro-lite]()
Image Regenerate & Select Crop | [image-regenerate-select-crop]()
Layer Slider | [slider-slideshow]()
LearnDash LMS | [sfwd-lms]()
LiquidPoll – Advanced Polls for Creators and Brands | [wp-poll]()
Login Configurator | [login-configurator]()
Login/Signup Popup ( Inline Form + Woocommerce ) | [easy-login-woocommerce]()
My Content Management | [my-content-management]()
NEX-Forms – Ultimate Form Builder – Contact forms and much more | [nex-forms-express-wp-form-builder]()
NOO Timetable | [noo-timetable]()
POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress | [post-smtp]()
Poll Maker – Best WordPress Poll Plugin | [poll-maker]()
Post Hit Counter | [post-hit-counter]()
Post to CSV by BestWebSoft | [post-to-csv]()
Quiz Expert – Easy Quiz Maker, Exam and Test Manager | [quiz-expert]()
Request a Quote | [request-a-quote]()
SP Project & Document Manager | [sp-client-document-manager]()
SW Product Bundles | [sw-product-bundles]()
Salon booking system | [salon-booking-system]()
Short URL | [shorten-url]()
Subscribe2 – Form, Email Subscribers & Newsletters |
TrustProfile and reviews for WordPress | [trustprofile]()
Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin | [ultimate-member]()
WP Abstracts | [wp-abstracts-manuscripts-manager]()
WP Job Board | [wpjobboard]()
WP Post Author – The Ideal Author Box for WordPress Posts, Co-Authors and Guest Authors with Author Login and Registration Form Builder | [wp-post-author]()
WP Social AutoConnect | [wp-fb-autoconnect]()
WPFactory Helper | [wpcodefactory-helper]()
WPGraphQL | [wp-graphql]()
Waitlist Woocommerce ( Back in stock notifier ) | [waitlist-woocommerce]()
Web3 – Crypto wallet Login & NFT token gating | [web3-authentication]()
WebwinkelKeur: Webshop keurmerk & reviews for WordPress | [webwinkelkeur]()
WooCommerce Google Sheet Connector | [wc-gsheetconnector]()
WooCommerce Pre-Orders | [woocommerce-pre-orders]()
WooCommerce Ship to Multiple Addresses | [woocommerce-shipping-multiple-addresses]()
Woocommerce Order Barcodes | [woocommerce-order-barcodes]()
WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) | [miniorange-login-openid]()
houzez-crm | [houzez-crm]()
* * *
### WordPress Themes with Reported Vulnerabilities Last Week
**Software Name** | **Software Slug**
---|---
The7 – Website and eCommerce Builder for WordPress | [dt-the7]()
* * *
### Vulnerability Details
#### [WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) <= 7.6.4 – Authentication Bypass]()
**Affected Software**: [WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn)]()
**CVE ID**: CVE-2023-2982
**CVSS Score**: 9.8 (Critical)
**Researcher/s**: [Lana Codes]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [WP Post Author <= 3.2.3 – Privilege Escalation]()
**Affected Software**: [WP Post Author – The Ideal Author Box for WordPress Posts, Co-Authors and Guest Authors with Author Login and Registration Form Builder]()
**CVE ID**: CVE Unknown
**CVSS Score**: 9.8 (Critical)
**Researcher/s**: Unknown
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Ultimate Member <= 2.6.6 – Privilege Escalation via Arbitrary User Meta Updates]()
**Affected Software**: [Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin]()
**CVE ID**: CVE-2023-3460
**CVSS Score**: 9.8 (Critical)
**Researcher/s**: [Marc-Alexandre Montpas]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [WPJobBoard <= 5.9.0 – Unauthenticated SQL Injection]()
**Affected Software**: [WP Job Board]()
**CVE ID**: CVE-2023-36525
**CVSS Score**: 9.8 (Critical)
**Researcher/s**: [FearZzZz]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [Web3 – Crypto wallet Login & NFT token gating <= 2.6.0 – Authentication Bypass]()
**Affected Software**: [Web3 – Crypto wallet Login & NFT token gating]()
**CVE ID**: CVE-2023-3249
**CVSS Score**: 9.8 (Critical)
**Researcher/s**: [Lana Codes]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [LearnDash LMS <= 4.6.0 – Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary User Password Change]()
**Affected Software**: [LearnDash LMS]()
**CVE ID**: CVE-2023-3105
**CVSS Score**: 8.8 (High)
**Researcher/s**: [Lana Codes]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Houzez CRM <= 1.3.3 – Authenticated (Subscriber+) SQL Injection]()
**Affected Software**: [houzez-crm]()
**CVE ID**: CVE-2023-36529
**CVSS Score**: 8.8 (High)
**Researcher/s**: [Dave Jong]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [AN_GradeBook <= 5.0.1 – Authenticated (Subscriber+) SQL Injection]()
**Affected Software**: [AN_GradeBook]()
**CVE ID**: CVE-2023-2636
**CVSS Score**: 8.8 (High)
**Researcher/s**: [Lukas Kinneberg]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [SP Project & Document Manager <= 4.67 – Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary User Password Change]()
**Affected Software**: [SP Project & Document Manager]()
**CVE ID**: CVE-2023-3063
**CVSS Score**: 8.8 (High)
**Researcher/s**: [Lana Codes]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Short URL <= 1.6.4 – Authenticated (Subscriber+) SQL Injection]()
**Affected Software**: [Short URL]()
**CVE ID**: CVE-2022-46860
**CVSS Score**: 8.8 (High)
**Researcher/s**: [Le Ngoc Anh]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Form Builder <= 1.9.9.0 – Unauthenticated CSV Injection]()
**Affected Software**: [Form Builder | Create Responsive Contact Forms]()
**CVE ID**: CVE-2023-23796
**CVSS Score**: 8.3 (High)
**Researcher/s**: [Rafshanzani Suhada]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [Active Directory Integration / LDAP Integration <= 4.1.5 – Authenticated (Subscriber+) LDAP Injection]()
**Affected Software**: [Active Directory Integration / LDAP Integration]()
**CVE ID**: CVE-2023-3447
**CVSS Score**: 7.6 (High)
**Researcher/s**: [Luca Greeb](), [Andreas Krüger]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Post to CSV by BestWebSoft <= 1.4.0 – Authenticated (Author+) CSV Injection]()
**Affected Software**: [Post to CSV by BestWebSoft]()
**CVE ID**: CVE-2023-36527
**CVSS Score**: 7.4 (High)
**Researcher/s**: [Mika]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [Autochat Automatic Conversation <= 1.1.7 – Unauthenticated Stored Cross-Site Scripting]()
**Affected Software**: [Autochat Automatic Conversation]()
**CVE ID**: CVE-2023-3041
**CVSS Score**: 7.2 (High)
**Researcher/s**: [Rafael B.]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [Email download link <= 3.7 – Unauthenticated Sensitive Information Exposure]()
**Affected Software**: [Email download link]()
**CVE ID**: CVE-2023-36523
**CVSS Score**: 6.5 (Medium)
**Researcher/s**: [Rafshanzani Suhada]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [POST SMTP Mailer <= 2.5.6 – Cross-Site Request Forgery to Account Compromise]()
**Affected Software**: [POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress]()
**CVE ID**: CVE-2023-3179
**CVSS Score**: 6.5 (Medium)
**Researcher/s**: [Erwan LR]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Booked <= 2.4 – Unauthenticated Sensitive Information Exposure]()
**Affected Software**: [Booked – Appointment Booking for WordPress]()
**CVE ID**: CVE-2022-36399
**CVSS Score**: 6.5 (Medium)
**Researcher/s**: [coogee86]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [Image Regenerate & Select Crop <= 7.1.0 – Missing Authorization on multiple AJAX actions]()
**Affected Software**: [Image Regenerate & Select Crop]()
**CVE ID**: CVE Unknown
**CVSS Score**: 6.5 (Medium)
**Researcher/s**: Unknown
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [AutomateWoo <= 5.7.5 – Missing Authorization]()
**Affected Software**: [AutomateWoo]()
**CVE ID**: CVE-2023-36512
**CVSS Score**: 6.5 (Medium)
**Researcher/s**: [Rafie Muhammad]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Image Regenerate & Select Crop <= 7.1.0 – Cross-Site Request Forgery on multiple AJAX actions]()
**Affected Software**: [Image Regenerate & Select Crop]()
**CVE ID**: CVE Unknown
**CVSS Score**: 6.5 (Medium)
**Researcher/s**: Unknown
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Front User Submit | Front Editor <= 3.8.4 – Authenticated (Subscriber+) Stored Cross-Site Scripting]()
**Affected Software**: [Guest posting / Frontend Posting wordpress plugin – WP Front User Submit / Front Editor]()
**CVE ID**: CVE Unknown
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: Unknown
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [NOO Timetable <= 2.1.3 – Authenticated (Contributor+) Stored Cross-Site Scripting]()
**Affected Software**: [NOO Timetable]()
**CVE ID**: CVE-2022-45821
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [Cat]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [Image Map Pro – Drag-and-drop Builder for Interactive Images – Lite <= 1.0.0 – Missing Authorization to Stored Cross-Site Scripting]()
**Affected Software**: [Image Map Pro – Drag-and-drop Builder for Interactive Images – Lite]()
**CVE ID**: CVE-2023-3412
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: Unknown
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [Layer Slider <= 1.1.9.7 – Authenticated (Contributor+) Stored Cross-Site Scripting]()
**Affected Software**: [Layer Slider]()
**CVE ID**: CVE-2023-23798
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [Rafshanzani Suhada]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [Image Map Pro – Drag-and-drop Builder for Interactive Images – Lite <= 1.0.0 – Cross-Site Request Forgery to Stored Cross-Site Scripting]()
**Affected Software**: [Image Map Pro – Drag-and-drop Builder for Interactive Images – Lite]()
**CVE ID**: CVE-2023-3411
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [Kenichiro Ito]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [WPFactory Helper <= 1.5.2 – Reflected Cross-Site Scripting via item_slug]()
**Affected Software**: [WPFactory Helper]()
**CVE ID**: CVE Unknown
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: Unknown
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [WooCommerce Pre-Orders <= 2.0.1 – Reflected Cross-Site Scripting]()
**Affected Software**: [WooCommerce Pre-Orders]()
**CVE ID**: CVE Unknown
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [Chris Shultz]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Login Configurator <= 2.1 – Reflected Cross-Site Scripting]()
**Affected Software**: [Login Configurator]()
**CVE ID**: CVE-2023-1893
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [Taurus Omar]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [WPGraphQL <= 1.14.5 – Authenticated (Editor+) Server-Side Request Forgery]()
**Affected Software**: [WPGraphQL]()
**CVE ID**: CVE-2023-23684
**CVSS Score**: 5.5 (Medium)
**Researcher/s**: [Ravi Dharmawan]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Waitlist Woocommerce ( Back in stock notifier ) <= 2.5.2 – Cross-Site Request Forgery via reset_settings]()
**Affected Software**: [Waitlist Woocommerce ( Back in stock notifier )]()
**CVE ID**: CVE Unknown
**CVSS Score**: 5.4 (Medium)
**Researcher/s**: Unknown
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Editorial Calendar <= 3.7.12 – Authenticated (Contributor+) Insecure Direct Object Reference]()
**Affected Software**: [Editorial Calendar]()
**CVE ID**: CVE-2023-36520
**CVSS Score**: 5.4 (Medium)
**Researcher/s**: [Elliot]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [Salon Booking System <= 8.4.6 – Cross-Site Request Forgery to Admin Role Change to Customer, User Meta Update via save_customer]()
**Affected Software**: [Salon booking system]()
**CVE ID**: CVE-2023-3427
**CVSS Score**: 5.4 (Medium)
**Researcher/s**: [Lana Codes]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [EmbedPress <= 3.7.3 – Sensitive Information Exposure]()
**Affected Software**: [EmbedPress – Embed PDF, YouTube, Google Docs, Vimeo, Wistia Videos, Audios, Maps & Any Documents in Gutenberg & Elementor]()
**CVE ID**: CVE-2023-3371
**CVSS Score**: 5.3 (Medium)
**Researcher/s**: [Lana Codes]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [NEX-Forms – Ultimate Form Builder <= 8.4.3 – Authenticated Stored Cross-Site Scripting via Form Name]()
**Affected Software**: [NEX-Forms – Ultimate Form Builder – Contact forms and much more]()
**CVE ID**: CVE-2023-0439
**CVSS Score**: 4.8 (Medium)
**Researcher/s**: [Felipe Restrepo Rodriguez](), [Edison Poveda]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Poll Maker <= 4.6.2 – Authenticated (Admin+) Server-Side Request Forgery]()
**Affected Software**: [Poll Maker – Best WordPress Poll Plugin]()
**CVE ID**: CVE-2023-34013
**CVSS Score**: 4.7 (Medium)
**Researcher/s**: [Abu Hurayra]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Floating Chat Widget – Chaty <= 3.1.1 – Authenticated (Administrator+) Stored Cross-Site Scripting]()
**Affected Software**: [Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button – Chaty]()
**CVE ID**: CVE-2023-3245
**CVSS Score**: 4.4 (Medium)
**Researcher/s**: [Dipak Panchal]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [SP Project & Document Manager <= 4.67 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings]()
**Affected Software**: [SP Project & Document Manager]()
**CVE ID**: CVE-2023-36530
**CVSS Score**: 4.4 (Medium)
**Researcher/s**: [emad]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [Knowledge Center <= 2.7 – Authenticated (Admin+) Cross-Site Scripting]()
**Affected Software**: [Easy Accordion FAQ and Knowledge Base Software for WordPress]()
**CVE ID**: CVE Unknown
**CVSS Score**: 4.4 (Medium)
**Researcher/s**: Unknown
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Catalyst Connect Zoho CRM Client Portal <= 2.0.0 – Authenticated (Administrator+) Stored Cross-Site Scripting]()
**Affected Software**: [Catalyst Connect Zoho CRM Client Portal]()
**CVE ID**: CVE-2022-44629
**CVSS Score**: 4.4 (Medium)
**Researcher/s**: [Hoang Van Hiep]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [My Content Management <= 1.7.6 – Authenticated (Administrator+) Stored Cross-Site Scripting]()
**Affected Software**: [My Content Management]()
**CVE ID**: CVE Unknown
**CVSS Score**: 4.4 (Medium)
**Researcher/s**: Unknown
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [ApplyOnline – Application Form Builder and Manager <= 2.5 – Authenticated (Administrator+) Stored Cross-Site Scripting]()
**Affected Software**: [ApplyOnline – Application Form Builder and Manager]()
**CVE ID**: CVE-2023-24391
**CVSS Score**: 4.4 (Medium)
**Researcher/s**: [yuyudhn]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [Short URL <= 1.6.4 – Authenticated (Admin+) Stored Cross-Site Scripting]()
**Affected Software**: [Short URL]()
**CVE ID**: CVE-2023-1602
**CVSS Score**: 4.4 (Medium)
**Researcher/s**: [Etan Imanol Castro Aldrete]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [ARMember <= 4.0.4 – Authenticated (Administrator+) Stored Cross-Site Scripting]()

