Last week, there were 64 vulnerabilities disclosed in 66 WordPress Plugins and 3 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 32 Vulnerability Researchers that contributed to WordPress Security last week. **Review those vulnerabilities in this report now to ensure your site is not affected.**
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface and vulnerability API are completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.
_[Click here to sign-up for our mailing list]() to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published. _
* * *
### New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our [Premium](), [Care](), and [Response]() customers last week:
* [Ultimate Member <= 2.6.6 – Privilege Escalation via Arbitrary User Meta Updates via API]()
Wordfence [Premium](), [Care](), and [Response]() customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.
* * *
### Total Unpatched & Patched Vulnerabilities Last Week
**Patch Status** | **Number of Vulnerabilities**
—|—
Unpatched | 34
Patched | 30
* * *
### Total Vulnerabilities by CVSS Severity Last Week
**Severity Rating** | **Number of Vulnerabilities**
—|—
Low Severity | 2
Medium Severity | 54
High Severity | 6
Critical Severity | 2
* * *
### Total Vulnerabilities by CWE Type Last Week
**Vulnerability Type by CWE** | **Number of Vulnerabilities**
—|—
Missing Authorization | 18
Cross-Site Request Forgery (CSRF) | 18
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 16
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 3
Server-Side Request Forgery (SSRF) | 2
Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’) | 1
Authorization Bypass Through User-Controlled Key | 1
Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’) | 1
Improper Authorization | 1
Protection Mechanism Failure | 1
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) | 1
Use of Hard-coded Cryptographic Key | 1
* * *
### Researchers That Contributed to WordPress Security Last Week
**Researcher Name** | **Number of Vulnerabilities**
—|—
[Abdi Pranata]() | 7
[Mika]() | 7
[Rafie Muhammad]() | 5
[Skalucy]() | 3
[Lana Codes]()
(Wordfence Vulnerability Researcher) | 3
[longxi]() | 3
[Nguyen Xuan Chien]() | 2
[yuyudhn]() | 2
[Dipak Panchal]() | 2
[Chloe Chamberland]()
(Wordfence Vulnerability Researcher) | 2
[Junsu Yeo]() | 1
[Cat]() | 1
[TaeEun Lee]() | 1
[Emili Castells]() | 1
[Truoc Phan]() | 1
[konagash]() | 1
[Dmitriy]() | 1
[Christiaan Swiers]() | 1
[Stephen]() | 1
[Muhammad Daffa]() | 1
[LOURCODE]() | 1
[Bob Matyas]() | 1
[Yuchen Ji]() | 1
[Phd]() | 1
[Muhamad Arsyad]() | 1
[Marco Wotschka]()
(Wordfence Vulnerability Researcher) | 1
[Jonas Höbenreich]() | 1
[Marc-Alexandre Montpas]() | 1
[Rio Darmawan]() | 1
[PetiteMais]() | 1
[LEE SE HYOUNG]() | 1
[thiennv]() | 1
_Are you a security researcher who would like to be featured in our weekly vulnerability report?_ You can responsibly disclose your WordPress vulnerability discoveries to us and [obtain a CVE ID through this form](). Responsibly disclosing your vulnerability discoveries to us will also get your name added on the [Wordfence Intelligence leaderboard]() along with being mentioned in our weekly vulnerability report.
* * *
### WordPress Plugins with Reported Vulnerabilities Last Week
**Software Name** | **Software Slug**
—|—
ACF Photo Gallery Field | [navz-photo-gallery]()
AGP Font Awesome Collection | [agp-font-awesome-collection]()
APIExperts Square for WooCommerce | [woosquare]()
Assistant â Every Day Productivity Apps | [assistant]()
Author Box for Authors, Co-Authors, Multiple Authors and Guest Authors â Molongui | [molongui-authorship]()
Backup Migration | [backup-backup]()
Banner Management For WooCommerce | [banner-management-for-woocommerce]()
Blog2Social: Social Media Auto Post & Scheduler | [blog2social]()
Booster Elementor Addons | [booster-for-elementor]()
Change WP Admin Login | [change-wp-admin-login]()
Chat Button: WhatsApp Chat, Facebook Messenger, Telegram Chat, WeChat, Line Chat, Discord Chat for Customer Support Chat with floating Chat Widget | [bit-assist]()
Church Admin | [church-admin]()
Clone | [wp-clone-by-wp-academy]()
CodeBard’s Patron Button and Widgets for Patreon | [patron-button-and-widgets-by-codebard]()
Contact Form Builder by Bit Form â Easiest Contact Form, Payment Form, Order Form, Calculator Form Builder Plugin for WordPress | [bit-form]()
Custom Field For WP Job Manager | [custom-field-for-wp-job-manager]()
Custom Field Template | [custom-field-template]()
Discussion Board â WordPress Forum Plugin | [wp-discussion-board]()
Donations Made Easy â Smart Donations | [smart-donations]()
Duplicate Post | [copy-delete-posts]()
Enhanced Text Widget | [enhanced-text-widget]()
Fraud Prevention For Woocommerce | [woo-blocker-lite-prevent-fake-orders-and-blacklist-fraud-customers]()
Google Map Shortcode | [google-map-shortcode]()
HTTP Auth | [http-auth]()
InstaWP Connect â 1-click WP Staging & Migration (beta) | [instawp-connect]()
Instant CSS | [instant-css]()
LWS Affiliation | [lws-affiliation]()
Local Development | [local-development]()
Meks Smart Social Widget | [meks-smart-social-widget]()
Mobile Address Bar Changer | [mobile-address-bar-changer]()
MultiParcels Shipping For WooCommerce | [multiparcels-shipping-for-woocommerce]()
Ninja Forms Contact Form â The Drag and Drop Form Builder for WordPress | [ninja-forms]()
Optimize Database after Deleting Revisions | [rvg-optimize-database]()
Perelink Pro | [perelink]()
Pop-up | [pop-up-pop-up]()
Post to Google My Business (Google Business Profile) | [post-to-google-my-business]()
QR code MeCard/vCard generator | [wp-qrcode-me-v-card]()
Quasar form free â Contact Form Builder for WordPress | [quasar-form]()
RSS Redirect & Feedburner Alternative | [feedburner-alternative-and-rss-redirect]()
Redirection | [redirect-redirection]()
Remove Duplicate Posts | [remove-duplicate-posts]()
SSL Mixed Content Fix | [http-https-remover]()
Saphali Woocommerce Lite | [saphali-woocommerce-lite]()
Schema Pro | [wp-schema-pro]()
Simple Author Box | [simple-author-box]()
Simple Googlebot Visit | [simple-googlebot-visit]()
Simple Wp Sitemap | [simple-wp-sitemap]()
Slider Carousel â Responsive Image Slider | [slider-images]()
Social Media Share Buttons & Social Sharing Icons | [ultimate-social-media-icons]()
Social Share Icons & Social Share Buttons | [ultimate-social-media-plus]()
Taboola | [taboola]()
The Events Calendar | [the-events-calendar]()
Ultimate Posts Widget | [ultimate-posts-widget]()
Update Theme and Plugins from Zip File | [update-theme-and-plugins-from-zip-file]()
User Activity Log | [user-activity-log]()
User Email Verification for WooCommerce | [woo-confirmation-email]()
Video Conferencing with Zoom | [video-conferencing-with-zoom-api]()
WP Clone Menu | [clone-menu]()
WP Quick Post Duplicator | [wp-quick-post-duplicator]()
WPS Limit Login | [wps-limit-login]()
Web Accessibility By accessiBe | [accessibe]()
WordPress Database Administrator | [wp-database-admin]()
cartflows-pro | [cartflows-pro]()
tagDiv Composer | [td-composer]()
wp tell a friend popup form | [wp-tell-a-friend-popup-form]()
wpml-string-translation | [wpml-string-translation]()
* * *
### WordPress Themes with Reported Vulnerabilities Last Week
**Software Name** | **Software Slug**
—|—
nsc | [nsc]()
winters | [winters]()
yourjourney | [yourjourney]()
* * *
### Vulnerability Details
Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you shouldâve already been notified if your site was affected by any of these vulnerabilities.
#### [InstaWP Connect <= 0.0.9.18 – Missing Authorization to Unauthenticated Post/Taxonomy/User Add/Change/Delete, Customizer Setting Change, Plugin Installation/Activation/Deactication via events_receiver]()
**Affected Software**: [InstaWP Connect â 1-click WP Staging & Migration (beta)]()
**CVE ID**: CVE-2023-3956
**CVSS Score**: 9.8 (Critical)
**Researcher/s**: [Lana Codes]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [LWS Affiliation <= 2.2.6 – Unauthenticated Remote/Local File Inclusion]()
**Affected Software**: [LWS Affiliation]()
**CVE ID**: CVE-2023-32297
**CVSS Score**: 9.8 (Critical)
**Researcher/s**: [Marco Wotschka](), [Jonas Höbenreich]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [Quasar form <= 6.1 – Authenticated (Subscriber+) SQL Injection via ‘id’]()
**Affected Software**: [Quasar form free â Contact Form Builder for WordPress]()
**CVE ID**: CVE-2023-35910
**CVSS Score**: 8.8 (High)
**Researcher/s**: [Emili Castells]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [User Activity Log <= 1.6.4 – Unauthenticated SQL Injection]()
**Affected Software**: [User Activity Log]()
**CVE ID**: CVE-2023-3435
**CVSS Score**: 7.5 (High)
**Researcher/s**: [Marc-Alexandre Montpas]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [WordPress Database Administrator <= 1.0.3 – Authenticated (Administrator+) SQL Injection]()
**Affected Software**: [WordPress Database Administrator]()
**CVE ID**: CVE-2023-3211
**CVSS Score**: 7.2 (High)
**Researcher/s**: [Christiaan Swiers]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [WPML String Translation <= 3.2.5 – Authenticated (Administrator+) SQL Injection via ‘context’]()
**Affected Software**: [wpml-string-translation]()
**CVE ID**: CVE Unknown
**CVSS Score**: 7.2 (High)
**Researcher/s**: [Stephen]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [MultiParcels Shipping For WooCommerce <= 1.15.4 – Unauthenticated Stored Cross-Site Scripting]()
**Affected Software**: [MultiParcels Shipping For WooCommerce]()
**CVE ID**: CVE Unknown
**CVSS Score**: 7.2 (High)
**Researcher/s**: Unknown
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [Molongui <= 4.6.19 – Unauthenticated Stored Cross-Site Scripting]()
**Affected Software**: [Author Box for Authors, Co-Authors, Multiple Authors and Guest Authors â Molongui]()
**CVE ID**: CVE-2023-39164
**CVSS Score**: 7.2 (High)
**Researcher/s**: [LEE SE HYOUNG]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [Booster Elementor Addons <= 1.4.9 – Missing Authorization]()
**Affected Software**: [Booster Elementor Addons]()
**CVE ID**: CVE-2023-38480
**CVSS Score**: 6.5 (Medium)
**Researcher/s**: [Abdi Pranata]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [Ninja Forms <= 3.6.25 – Reflected Cross-Site Scripting via ‘data’]()
**Affected Software**: [Ninja Forms Contact Form â The Drag and Drop Form Builder for WordPress]()
**CVE ID**: CVE-2023-37979
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [Rafie Muhammad]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [tagDiv Composer <= 4.1 – Cross-Site Request Forgery to Cross-Site Scripting]()
**Affected Software**: [tagDiv Composer]()
**CVE ID**: CVE-2023-39166
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [Truoc Phan]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [User Email Verification for WooCommerce <= 3.5.0 – Reflected Cross-Site Scripting]()
**Affected Software**: [User Email Verification for WooCommerce]()
**CVE ID**: CVE-2023-39162
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [Nguyen Xuan Chien]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [CodeBard’s Patron Button and Widgets for Patreon <= 2.1.8 – Reflected Cross-Site Scripting via ‘site_account’]()
**Affected Software**: [CodeBard’s Patron Button and Widgets for Patreon]()
**CVE ID**: CVE-2023-30491
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [LOURCODE]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [nsc <= 1.0 – Prototype Pollution to Reflected Cross-Site Scripting]()
**Affected Software**: [nsc]()
**CVE ID**: CVE-2023-3965
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [longxi]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [Winters <= 1.4.3 – Prototype Pollution to Reflected Cross-Site Scripting]()
**Affected Software**: [winters]()
**CVE ID**: CVE-2023-3962
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [longxi]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [Custom Field Template <= 2.5.9 – Reflected Cross-Site Scripting]()
**Affected Software**: [Custom Field Template]()
**CVE ID**: CVE-2023-38392
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [Phd]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Blog2Social: Social Media Auto Post & Scheduler <= 7.2.0 – Reflected Cross-Site Scripting]()
**Affected Software**: [Blog2Social: Social Media Auto Post & Scheduler]()
**CVE ID**: CVE Unknown
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: Unknown
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [AGP Font Awesome Collection <= 3.2.4 – Reflected Cross-Site Scripting]()
**Affected Software**: [AGP Font Awesome Collection]()
**CVE ID**: CVE-2023-30481
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [Skalucy]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [Your Journey <= 1.9.8 – Prototype Pollution to Reflected Cross-Site Scripting]()
**Affected Software**: [yourjourney]()
**CVE ID**: CVE-2023-3933
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [longxi]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [Church Admin <= 3.7.56 – Server-Side Request Forgery via church_admin_import_csv]()
**Affected Software**: [Church Admin]()
**CVE ID**: CVE-2023-38515
**CVSS Score**: 5.5 (Medium)
**Researcher/s**: [Yuchen Ji]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Assistant <= 1.4.3 – Authenticated (Editor+) Server Side Request Forgery]()
**Affected Software**: [Assistant â Every Day Productivity Apps]()
**CVE ID**: CVE Unknown
**CVSS Score**: 5.5 (Medium)
**Researcher/s**: Unknown
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [WP Quick Post Duplicator <= 1.0 – Missing Authorization]()
**Affected Software**: [WP Quick Post Duplicator]()
**CVE ID**: CVE-2023-31214
**CVSS Score**: 5.4 (Medium)
**Researcher/s**: [TaeEun Lee]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [Discussion Board <= 2.4.8 – Authenticated (Subscriber+) Content Injection]()
**Affected Software**: [Discussion Board â WordPress Forum Plugin]()
**CVE ID**: CVE-2023-39161
**CVSS Score**: 5.4 (Medium)
**Researcher/s**: [Abdi Pranata]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [wp tell a friend popup form <= 7.1 – Cross-Site Request Forgery via ‘TellAFriend_admin’]()
**Affected Software**: [wp tell a friend popup form]()
**CVE ID**: CVE-2023-25463
**CVSS Score**: 5.4 (Medium)
**Researcher/s**: [yuyudhn]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [HTTP Auth <= 0.3.2 – Cross-Site Request Forgery]()
**Affected Software**: [HTTP Auth]()
**CVE ID**: CVE-2023-27435
**CVSS Score**: 5.4 (Medium)
**Researcher/s**: [Mika]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [Schema Pro <= 2.7.8 – Authenticated(Contributor+) Missing Authorization]()
**Affected Software**: [Schema Pro]()
**CVE ID**: CVE-2023-36683
**CVSS Score**: 5.4 (Medium)
**Researcher/s**: [Rafie Muhammad]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Saphali Woocommerce Lite <= 1.8.13 – Cross-Site Request Forgery via ‘woocommerce_saphali_page_s_l’]()
**Affected Software**: [Saphali Woocommerce Lite]()
**CVE ID**: CVE-2023-25788
**CVSS Score**: 5.4 (Medium)
**Researcher/s**: [Mika]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [WP Clone Menu <= 1.0.1 – Missing Authorization to Menu Clone]()
**Affected Software**: [WP Clone Menu]()
**CVE ID**: CVE-2023-38395
**CVSS Score**: 5.3 (Medium)
**Researcher/s**: [Abdi Pranata]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [APIExperts Square for WooCommerce <= 4.2.8 – Missing Authorization]()
**Affected Software**: [APIExperts Square for WooCommerce]()
**CVE ID**: CVE-2022-47182
**CVSS Score**: 5.3 (Medium)
**Researcher/s**: [Cat]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [Ninja Forms <= 3.6.25 – Missing Authorization to Contributor+ Form Submission Export]()
**Affected Software**: [Ninja Forms Contact Form â The Drag and Drop Form Builder for WordPress]()
**CVE ID**: CVE-2023-38386
**CVSS Score**: 5.3 (Medium)
**Researcher/s**: [Rafie Muhammad]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Change WP Admin Login <= 1.1.3 – Protection Mechanism Failure to Login Page Disclosure]()
**Affected Software**: [Change WP Admin Login]()
**CVE ID**: CVE-2023-3604
**CVSS Score**: 5.3 (Medium)
**Researcher/s**: [Muhamad Arsyad]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Instant CSS <= 1.1.4 – Missing Authorization via AJAX Actions]()
**Affected Software**: [Instant CSS]()
**CVE ID**: CVE-2023-38483
**CVSS Score**: 5.3 (Medium)
**Researcher/s**: [Abdi Pranata]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Slider Carousel â Responsive Image Slider <= 1.5.0 – Missing Authorization]()
**Affected Software**: [Slider Carousel â Responsive Image Slider]()
**CVE ID**: CVE-2023-25457
**CVSS Score**: 5.3 (Medium)
**Researcher/s**: [Rio Darmawan]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [Meks Smart Social Widget <= 1.6 – Missing Authorization to notice dimissal]()
**Affected Software**: [Meks Smart Social Widget]()
**CVE ID**: CVE Unknown
**CVSS Score**: 5.3 (Medium)
**Researcher/s**: Unknown
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Custom Field For WP Job Manager <= 1.1 – Authenticated (Administrator+) Stored Cross-Site Scripting]()
**Affected Software**: [Custom Field For WP Job Manager]()
**CVE ID**: CVE-2023-3328
**CVSS Score**: 4.4 (Medium)
**Researcher/s**: [Bob Matyas]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Contact Form Builder by Bit Form <= 2.1.0 – Authenticated (Admin+) Stored Cross-Site Scripting]()
**Affected Software**: [Contact Form Builder by Bit Form â Easiest Contact Form, Payment Form, Order Form, Calculator Form Builder Plugin for WordPress]()
**CVE ID**: CVE-2023-3645
**CVSS Score**: 4.4 (Medium)
**Researcher/s**: [Dipak Panchal]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Web Accessibility By accessiBe <= 1.15 – Authenticated (Administrator+) Stored Cross-Site Scripting]()
**Affected Software**: [Web Accessibility By accessiBe]()
**CVE ID**: CVE Unknown
**CVSS Score**: 4.4 (Medium)
**Researcher/s**: Unknown
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [wp tell a friend popup form <= 7.1 – Authenticated (Administrator+) Stored Cross-Site Scripting]()
**Affected Software**: [wp tell a friend popup form]()
**CVE ID**: CVE-2023-25465
**CVSS Score**: 4.4 (Medium)
**Researcher/s**: [yuyudhn]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [Bit Assist <= 1.1.8 – Authenticated (Administrator+) Stored Cross-Site Scripting]()
**Affected Software**: [Chat Button: WhatsApp Chat, Facebook Messenger, Telegram Chat, WeChat, Line Chat, Discord Chat for Customer Support Chat with floating Chat Widget]()
**CVE ID**: CVE-2023-3667
**CVSS Score**: 4.4 (Medium)
**Researcher/s**: [Dipak Panchal]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Remove Duplicate Posts <= 1.3.4 – Missing Authorization to Post Deletion](Read More
References
Back to Main