
Wordfence Intelligence Weekly WordPress Vulnerability Report (July 3, 2023 to July 9, 2023)

Last week, 61 vulnerabilities disclosed in 54 WordPress plugins and 1 WordPress theme were added to the Wordfence Intelligence Vulnerability Database, and 28 vulnerability researchers contributed to WordPress security. **Review the vulnerabilities in this report now to ensure your site is not affected.**

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone in the WordPress community, so that individuals and organizations alike can use that data to make the internet more secure. That is why the Wordfence Intelligence user interface and vulnerability API are completely free to access and use, both personally and commercially, and why we publish this weekly vulnerability report.

_[Click here to sign up for our mailing list]() to receive weekly vulnerability reports like this and important WordPress security reports in your inbox the moment they are published._

* * *

### New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our [Premium](), [Care](), and [Response]() customers last week:

* [Booking Package <= 1.5.98 – Authorization Bypass to Arbitrary Password Reset]()
* [Atarim – Client Interface <= 3.9.1 – Missing Authorization via AJAX actions]()
* [HT Mega – Absolute Addons for Elementor <= 2.2.0 – Missing Authorization to Privilege Escalation]()

Wordfence [Premium](), [Care](), and [Response]() customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.

* * *

### Total Unpatched & Patched Vulnerabilities Last Week

**Patch Status** | **Number of Vulnerabilities**
—|—
Unpatched | 29
Patched | 32

* * *

### Total Vulnerabilities by CVSS Severity Last Week

**Severity Rating** | **Number of Vulnerabilities**
—|—
Low Severity | 0
Medium Severity | 49
High Severity | 8
Critical Severity | 4

* * *

### Total Vulnerabilities by CWE Type Last Week

**Vulnerability Type by CWE** | **Number of Vulnerabilities**
—|—
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 24
Cross-Site Request Forgery (CSRF) | 14
Missing Authorization | 14
Authorization Bypass Through User-Controlled Key | 4
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 2
Information Exposure | 1
Uncontrolled Resource Consumption (‘Resource Exhaustion’) | 1
Unrestricted Upload of File with Dangerous Type | 1

* * *

### Researchers That Contributed to WordPress Security Last Week

**Researcher Name** | **Number of Vulnerabilities**
—|—
[Alex Thomas]() (Wordfence Vulnerability Researcher) | 9
[LEE SE HYOUNG]() | 6
[Abdi Pranata]() | 6
[Lana Codes]() (Wordfence Vulnerability Researcher) | 3
[Rafie Muhammad]() | 3
[yuyudhn]() | 3
[Rio Darmawan]() | 2
[Muhammad Daffa]() | 2
[Elliot]() | 1
[Rafael B.]() | 1
[Bob Matyas]() | 1
[Kijam López]() | 1
[easyBug]() | 1
[Alex Sanford]() | 1
[Dipak Panchal]() | 1
[Yassir Sbai Fahim]() | 1
[Rafi Priatna Kasbiantoro]() | 1
[Pavitra Tiwari]() | 1
[Nguyen Anh Tien]() | 1
[Nithissh S]() | 1
[Friday]() | 1
[Dave Jong]() | 1
[PetiteMais]() | 1
[Yuki Haruma]() | 1
[Le Ngoc Anh]() | 1
[thiennv]() | 1
[TaeEun Lee]() | 1
[Paolo Elia]() | 1

_Are you a security researcher who would like to be featured in our weekly vulnerability report?_ You can responsibly disclose your WordPress vulnerability discoveries to us and [obtain a CVE ID through this form](). Responsibly disclosing your vulnerability discoveries to us will also get your name added on the [Wordfence Intelligence leaderboard]() along with being mentioned in our weekly vulnerability report.

* * *

### WordPress Plugins with Reported Vulnerabilities Last Week

**Software Name** | **Software Slug**
—|—
ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup | [armember-membership]()
All-in-one Floating Contact Form, Call, Chat, and 50+ Social Icon Tabs – My Sticky Elements | [mystickyelements]()
Animated Number Counters | [animated-number-counters]()
Auto Location for WP Job Manager via Google | [auto-location-for-wp-job-manager]()
BadgeOS | [badgeos]()
Baidu Tongji generator | [baidu-tongji-generator]()
Booking Package | [booking-package]()
Bulk edit image alt tag, caption & description – WordPress Media Library Helper by Codexin | [media-library-helper]()
Classified Listing – Classified ads & Business Directory Plugin | [classified-listing]()
Coming Soon Page – Responsive Coming Soon & Maintenance Mode | [responsive-coming-soon-page]()
Cryptocurrency Widgets – Price Ticker & Coins List | [cryptocurrency-price-ticker-widget]()
FluentSMTP – WP Mail SMTP, Amazon SES, SendGrid, MailGun and Any SMTP Connector Plugin | [fluent-smtp]()
Getnet Argentina para Woocommerce | [integrar-getnet-con-woo]()
Gift Cards (Gift Vouchers and Packages) (WooCommerce Supported) | [gift-voucher]()
HT Mega – Absolute Addons For Elementor | [ht-mega-for-elementor]()
Header Footer Code Manager | [header-footer-code-manager]()
Image Regenerate & Select Crop | [image-regenerate-select-crop]()
Image Social Feed Plugin | [add-instagram]()
Kingkong Board | [kingkong-board]()
LMS by Masteriyo – WordPress Learning Management System, eLearning Platform, Online Education System & Online Course Builder | [learning-management-system]()
LearnPress – WordPress LMS Plugin | [learnpress]()
Livestream Notice | [livestream-notice]()
Menubar | [menubar]()
Mobile Call Now & Map Buttons | [mobile-call-now-map-buttons]()
Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress | [ninja-forms]()
Product Category Tree | [product-category-tree]()
Querlo Chatbot | [querlo-chatbots]()
RSVPMaker | [rsvpmaker]()
Reservation.Studio widget | [reservation-studio-widget]()
SMTP Mail | [smtp-mail]()
Secondary Title | [secondary-title]()
ShopLentor – WooCommerce Builder for Elementor & Gutenberg +10 Modules – All in One Solution (formerly WooLentor) | [woolentor-addons]()
Simple Giveaways – Grow your business, email lists and traffic with contests | [giveasap]()
Simple Light Weight Social Share (Tweet, Like, Share and Linkedin) | [only-tweet-like-share-and-google-1]()
Simple Site Verify | [simple-site-verify]()
Social Share Boost | [social-share-boost]()
SrbTransLatin – Serbian Latinisation | [srbtranslatin]()
Sublanguage | [sublanguage]()
User Registration – Custom Registration Form, Login Form And User Profile For WordPress | [user-registration]()
Video Gallery – YouTube Playlist, Channel Gallery by YotuWP | [yotuwp-easy-youtube-embed]()
Visibility Logic for Elementor | [visibility-logic-elementor]()
Visual Website Collaboration, Feedback & Project Management – Atarim | [atarim-visual-collaboration]()
WP Content Copy Protection & No Right Click | [wp-content-copy-protector]()
WP Dummy Content Generator | [wp-dummy-content-generator]()
WP Full Stripe Free | [wp-full-stripe-free]()
WP Mail Log | [wp-mail-log]()
WP RSS Images | [wp-rss-images]()
WP Reroute Email | [wp-reroute-email]()
WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc | [wp-sms]()
WP-Cirrus | [wp-cirrus]()
WP-Optimize – Cache, Clean, Compress. | [wp-optimize]()
WordPress Mobile Pack – Mobile Plugin for Progressive Web Apps & Hybrid Mobile Apps | [wordpress-mobile-pack]()
oAuth Twitter Feed for Developers | [oauth-twitter-feed-for-developers]()
wpForo Forum | [wpforo]()

* * *

### WordPress Themes with Reported Vulnerabilities Last Week

**Software Name** | **Software Slug**
—|—
WPLMS Learning Management System for WordPress, WordPress LMS | [wplms]()

* * *

### Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities.
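For sites that do not run the Wordfence scanner, the same cross-check can be done by hand against the headings in this report. The script below is an added example, not Wordfence code: it reads the JSON that `wp plugin list --format=json` produces (the sample here is constructed), compares each installed version against affected-version ranges transcribed from this report's headings (`<= X`, `< X` and `A - B` as they appear there), and lists the matches. The version comparison is a loose numeric one that ignores pre-release suffixes, which is an assumption about how plugin authors number releases, not PHP's `version_compare()`.

```python
import json
import re

# Constructed sample in the shape of `wp plugin list --format=json` output
# (fields: name, status, update, version). Replace with the real output.
INSTALLED_JSON = """
[
  {"name": "booking-package", "status": "active", "update": "none", "version": "1.5.98"},
  {"name": "integrar-getnet-con-woo", "status": "active", "update": "none", "version": "0.0.3"},
  {"name": "learnpress", "status": "active", "update": "available", "version": "4.2.4"},
  {"name": "akismet", "status": "inactive", "update": "none", "version": "5.1"}
]
"""

# (slug, report heading, affected range) transcribed from this report's
# headings. Extend with the remaining entries; themes from `wp theme list`
# can be checked the same way.
REPORT_RANGES = [
    ("booking-package",
     "Booking Package <= 1.5.98 - Authorization Bypass to Arbitrary Password Reset",
     "<= 1.5.98"),
    ("integrar-getnet-con-woo",
     "Getnet Argentina para Woocommerce 0.0.1 - 0.0.4 - Authorization Bypass via webhook",
     "0.0.1 - 0.0.4"),
    ("learnpress",
     "LearnPress <= 4.2.3 - Missing Authorization to Information Exposure",
     "<= 4.2.3"),
    ("wplms",
     "WPLMS < 4.900 - Cross-Site Request Forgery",
     "< 4.900"),
]


def version_key(version: str) -> tuple:
    """Numeric components of a dotted version, so that '1.5.98' < '1.5.100'.
    Pre-release suffixes such as '2.0-beta' are ignored (loose comparison,
    an assumption of this example, not PHP's version_compare())."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def version_cmp(a: str, b: str) -> int:
    """Return -1, 0 or 1; shorter versions are right-padded with zeros ('1.0' == '1')."""
    ka, kb = version_key(a), version_key(b)
    width = max(len(ka), len(kb))
    ka += (0,) * (width - len(ka))
    kb += (0,) * (width - len(kb))
    return (ka > kb) - (ka < kb)


# '<= X', '< X', or 'A - B' (inclusive); the dash may be the en dash used in headings.
_RANGE = re.compile(r"^\s*(?:(<=|<)\s*(\S+)|(\S+)\s*[-\u2013]\s*(\S+))\s*$")


def in_range(version: str, spec: str) -> bool:
    """True if `version` falls inside the affected range written as `spec`."""
    m = _RANGE.match(spec)
    if not m:
        raise ValueError(f"unrecognised range: {spec!r}")
    op, bound, lo, hi = m.groups()
    if op == "<=":
        return version_cmp(version, bound) <= 0
    if op == "<":
        return version_cmp(version, bound) < 0
    return version_cmp(version, lo) >= 0 and version_cmp(version, hi) <= 0


def affected(installed_json: str, report) -> list:
    """Return (slug, installed version, heading) for every installed plugin
    whose version is inside an affected range from the report."""
    installed = {p["name"]: p["version"] for p in json.loads(installed_json)}
    hits = []
    for slug, heading, spec in report:
        if slug in installed and in_range(installed[slug], spec):
            hits.append((slug, installed[slug], heading))
    return hits


if __name__ == "__main__":
    for slug, ver, heading in affected(INSTALLED_JSON, REPORT_RANGES):
        print(f"{slug} {ver}: {heading}")
```

With the sample data the script reports `booking-package 1.5.98` (the upper bound of a `<=` range is itself affected) and `integrar-getnet-con-woo 0.0.3`, and nothing for `learnpress 4.2.4`, which is above the affected range. A hit against an entry whose Patch Status is Unpatched has no update to apply; deactivating the plugin until a fix ships is the only remediation this report supports.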

#### [User Registration <= 3.0.2 – Authenticated (Subscriber+) Arbitrary File Upload]()

**Affected Software**: [User Registration – Custom Registration Form, Login Form And User Profile For WordPress]()
**CVE ID**: CVE-2023-3342
**CVSS Score**: 9.9 (Critical)
**Researcher/s**: [Lana Codes]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [HT Mega – Absolute Addons for Elementor <= 2.2.0 – Missing Authorization to Privilege Escalation]()

**Affected Software**: [HT Mega – Absolute Addons For Elementor]()
**CVE ID**: CVE Unknown
**CVSS Score**: 9.8 (Critical)
**Researcher/s**: Unknown
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Booking Package <= 1.5.98 – Authorization Bypass to Arbitrary Password Reset]()

**Affected Software**: [Booking Package]()
**CVE ID**: CVE-2023-37389
**CVSS Score**: 9.8 (Critical)
**Researcher/s**: [Rafie Muhammad]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Atarim – Client Interface <= 3.9.1 – Missing Authorization via AJAX actions]()

**Affected Software**: [Visual Website Collaboration, Feedback & Project Management – Atarim]()
**CVE ID**: CVE Unknown
**CVSS Score**: 9.1 (Critical)
**Researcher/s**: Unknown
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Getnet Argentina para Woocommerce 0.0.1 – 0.0.4 – Authorization Bypass via webhook]()

**Affected Software**: [Getnet Argentina para Woocommerce]()
**CVE ID**: CVE-2023-3525
**CVSS Score**: 7.5 (High)
**Researcher/s**: [Kijam López]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [LearnPress <= 4.2.3 – Missing Authorization to Information Exposure]()

**Affected Software**: [LearnPress – WordPress LMS Plugin]()
**CVE ID**: CVE-2023-36515
**CVSS Score**: 7.3 (High)
**Researcher/s**: [Rafie Muhammad]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [WP Reroute Email <= 1.4.9 – Unauthenticated Stored Cross-Site Scripting via Email Subject]()

**Affected Software**: [WP Reroute Email]()
**CVE ID**: CVE-2023-3168
**CVSS Score**: 7.2 (High)
**Researcher/s**: [Alex Thomas]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [RSVPMaker <= 10.5.4 – Authenticated (Administrator+) SQL Injection via ‘resend’]()

**Affected Software**: [RSVPMaker]()
**CVE ID**: CVE-2023-29095
**CVSS Score**: 7.2 (High)
**Researcher/s**: [Rafi Priatna Kasbiantoro]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [WP Mail Log <= 1.1.1 – Unauthenticated Stored Cross-Site Scripting via Email]()

**Affected Software**: [WP Mail Log]()
**CVE ID**: CVE-2023-3088
**CVSS Score**: 7.2 (High)
**Researcher/s**: [Alex Thomas]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [SMTP Mail <= 1.2.16 – Unauthenticated Stored Cross-Site Scripting via Email Subject]()

**Affected Software**: [SMTP Mail]()
**CVE ID**: CVE-2023-3092
**CVSS Score**: 7.2 (High)
**Researcher/s**: [Alex Thomas]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [Coming Soon <= 1.5.8 – Authenticated (Administrator+) SQL Injection]()

**Affected Software**: [Coming Soon Page – Responsive Coming Soon & Maintenance Mode]()
**CVE ID**: CVE-2022-46849
**CVSS Score**: 7.2 (High)
**Researcher/s**: [Le Ngoc Anh]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [FluentSMTP <= 2.2.4 – Unauthenticated Stored Cross-Site Scripting via Email Subject]()

**Affected Software**: [FluentSMTP – WP Mail SMTP, Amazon SES, SendGrid, MailGun and Any SMTP Connector Plugin]()
**CVE ID**: CVE-2023-3087
**CVSS Score**: 7.2 (High)
**Researcher/s**: [Alex Thomas]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [ARMember <= 4.0.5 – Cross-Site Request Forgery]()

**Affected Software**: [ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup]()
**CVE ID**: CVE-2023-3011
**CVSS Score**: 6.5 (Medium)
**Researcher/s**: [Alex Thomas]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Masteriyo – LMS for WordPress <= 1.6.7 – Sensitive Information Exposure]()

**Affected Software**: [LMS by Masteriyo – WordPress Learning Management System, eLearning Platform, Online Education System & Online Course Builder]()
**CVE ID**: CVE-2023-3345
**CVSS Score**: 6.5 (Medium)
**Researcher/s**: [Yassir Sbai Fahim]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Simple Giveaways <= 2.46.0 – Missing Authorization]()

**Affected Software**: [Simple Giveaways – Grow your business, email lists and traffic with contests]()
**CVE ID**: CVE-2023-23893
**CVSS Score**: 6.5 (Medium)
**Researcher/s**: [Nguyen Anh Tien]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [BadgeOS <= 3.7.1.6 – Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Post Deletion]()

**Affected Software**: [BadgeOS]()
**CVE ID**: CVE-2023-2173
**CVSS Score**: 6.5 (Medium)
**Researcher/s**: [Alex Thomas]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [Querlo Chatbot <= 1.2.4 – Authenticated (Subscriber+) Stored Cross-Site Scripting]()

**Affected Software**: [Querlo Chatbot]()
**CVE ID**: CVE-2023-3418
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [Rafael B.]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [Secondary Title <= 2.0.9.1 – Authenticated (Contributor+) Stored Cross-Site Scripting]()

**Affected Software**: [Secondary Title]()
**CVE ID**: CVE-2023-28773
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [TaeEun Lee]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [WPLMS < 4.900 – Cross-Site Request Forgery]()

**Affected Software**: [WPLMS Learning Management System for WordPress, WordPress LMS]()
**CVE ID**: CVE-2023-36690
**CVSS Score**: 6.3 (Medium)
**Researcher/s**: [Dave Jong]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Kingkong Board <= 2.1.0.2 – Missing Authorization]()

**Affected Software**: [Kingkong Board]()
**CVE ID**: CVE-2023-36694
**CVSS Score**: 6.3 (Medium)
**Researcher/s**: [Abdi Pranata]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [wpForo Forum <= 2.1.8 – Reflected Cross-Site Scripting via ‘wpforo_debug’]()

**Affected Software**: [wpForo Forum]()
**CVE ID**: CVE-2023-2309
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [Alex Sanford]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [WP-Optimize <= 3.2.12 & SrbTransLatin <= 2.4 – Stored/Reflected Cross-Site Scripting via Third Party Library]()

**Affected Software/s**: [SrbTransLatin – Serbian Latinisation](), [WP-Optimize – Cache, Clean, Compress.]()
**CVE ID**: CVE-2023-1119
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [Paolo Elia]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Animated Number Counters <= 1.6 – Authenticated (Editor+) Stored Cross-Site Scripting]()

**Affected Software**: [Animated Number Counters]()
**CVE ID**: CVE-2023-24393
**CVSS Score**: 5.5 (Medium)
**Researcher/s**: [yuyudhn]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [WordPress Mobile Pack <= 3.4.1 – Cross-Site Request Forgery]()

**Affected Software**: [WordPress Mobile Pack – Mobile Plugin for Progressive Web Apps & Hybrid Mobile Apps]()
**CVE ID**: CVE-2023-37391
**CVSS Score**: 5.4 (Medium)
**Researcher/s**: [LEE SE HYOUNG]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [LearnPress <= 4.2.3 – Missing Authorization]()

**Affected Software**: [LearnPress – WordPress LMS Plugin]()
**CVE ID**: CVE Unknown
**CVSS Score**: 5.4 (Medium)
**Researcher/s**: Unknown
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Sublanguage <= 2.9 – Missing Authorization]()

**Affected Software**: [Sublanguage]()
**CVE ID**: CVE-2023-36695
**CVSS Score**: 5.4 (Medium)
**Researcher/s**: [Abdi Pranata]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Header Footer Code Manager <= 1.1.34 – Cross-Site Request Forgery via process_bulk_action]()

**Affected Software**: [Header Footer Code Manager]()
**CVE ID**: CVE Unknown
**CVSS Score**: 5.4 (Medium)
**Researcher/s**: Unknown
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [BadgeOS <= 3.7.1.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode]()

**Affected Software**: [BadgeOS]()
**CVE ID**: CVE-2023-2171
**CVSS Score**: 5.4 (Medium)
**Researcher/s**: [Alex Thomas]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [Menubar <= 5.8.2 – Cross-Site Request Forgery in wpm-admin.php]()

**Affected Software**: [Menubar]()
**CVE ID**: CVE-2023-36687
**CVSS Score**: 5.4 (Medium)
**Researcher/s**: [LEE SE HYOUNG]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Image Regenerate & Select Crop <= 7.1.0 – Missing Authorization]()

**Affected Software**: [Image Regenerate & Select Crop]()
**CVE ID**: CVE-2023-36680
**CVSS Score**: 5.4 (Medium)
**Researcher/s**: [Abdi Pranata]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [LearnPress <= 4.2.3 – Missing Authorization]()

**Affected Software**: [LearnPress – WordPress LMS Plugin]()
**CVE ID**: CVE-2023-36516
**CVSS Score**: 5.4 (Medium)
**Researcher/s**: [Rafie Muhammad]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Product Category Tree <= 2.5 – Missing Authorization]()

**Affected Software**: [Product Category Tree]()
**CVE ID**: CVE-2023-29173
**CVSS Score**: 5.3 (Medium)
**Researcher/s**: [Friday]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [Ninja Forms <= 3.6.25 – Denial of Service via Large Form Submissions]()

**Affected Software**: [Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress]()
**CVE ID**: CVE-2023-35909
**CVSS Score**: 5.3 (Medium)
**Researcher/s**: [PetiteMais]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Cryptocurrency Widgets – Price Ticker & Coins List <= 2.6.2 – Missing Authorization]()

**Affected Software**: [Cryptocurrency Widgets – Price Ticker & Coins List]()
**CVE ID**: CVE-2023-36681
**CVSS Score**: 5.3 (Medium)
**Researcher/s**: [Abdi Pranata]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [WP Dummy Content Generator <= 2.3.0 – Missing Authorization]()

**Affected Software**: [WP Dummy Content Generator]()
**CVE ID**: CVE-2023-37394
**CVSS Score**: 5.3 (Medium)
**Researcher/s**: [thiennv]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Auto Location for WP Job Manager via Google <= 1.0 – Authenticated (Administrator+) Stored Cross-Site Scripting]()

**Affected Software**: [Auto Location for WP Job Manager via Google]()
**CVE ID**: CVE-2023-3344
**CVSS Score**: 4.4 (Medium)
**Researcher/s**: [Bob Matyas]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [WP Full Stripe Free <= 1.6.1 – Authenticated (Administrator+) Stored Cross-Site Scripting]()

**Affected Software**: [WP Full Stripe Free]()
**CVE ID**: CVE-2023-28934
**CVSS Score**: 4.4 (Medium)
**Researcher/s**: [easyBug]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [Social Share Boost <= 4.4 – Authenticated (Administrator+) Stored Cross-Site Scripting]()

**Affected Software**: [Social Share Boost]()
**CVE ID**: CVE-2023-25044
**CVSS Score**: 4.4 (Medium)
**Researcher/s**: [Rio Darmawan]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [WP-Cirrus <= 0.6.11 – Authenticated (Administrator+) Stored Cross-Site Scripting]()

**Affected Software**: [WP-Cirrus]()
**CVE ID**: CVE-2023-36692
**CVSS Score**: 4.4 (Medium)
**Researcher/s**: [LEE SE HYOUNG]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [All-in-one Floating Contact Form <= 2.1.1 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings]()

**Affected Software**: [All-in-one Floating Contact Form, Call, Chat, and 50+ Social Icon Tabs – My Sticky Elements]()
**CVE ID**: CVE-2023-3248
**CVSS Score**: 4.4 (Medium)
**Researcher/s**: [Dipak Panchal]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Livestream Notice <= 1.2.0 – Authenticated (Administrator+) Stored Cross-Site Scripting]()

**Affected Software**: [Livestream Notice]()
**CVE ID**: CVE-2023-27621
**CVSS Score**: 4.4 (Medium)
**Researcher/s**: [Pavitra Tiwari]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [Reservation.Studio widget <= 1.0.9 – Authenticated (Administrator+) Stored Cross-Site Scripting]()

**Affected Software**: [Reservation.Studio widget]()
**CVE ID**: CVE-2023-24397
**CVSS Score**: 4.4 (Medium)
**Researcher/s**: [Nithissh S]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [Video Gallery <= 1.3.12 – Authenticated (Administrator+) Stored Cross-Site Scripting]()

**Affected Software**: [Video Gallery – YouTube Playlist, Channel Gallery by YotuWP]()
**CVE ID**: CVE-2023-25477
**CVSS Score**: 4.4 (Medium)
**Researcher/s**: [Abdi Pranata]()
**Patch Status**: Unpatched
**Vulnerability Details:**
