Last week, there were 64 vulnerabilities disclosed in 67 WordPress Plugins and 10 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 37 Vulnerability Researchers that contributed to WordPress Security last week. **Review those vulnerabilities in this report now to ensure your site is not affected.**
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, and webhook integration are completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.
_[Click here to sign-up for our mailing list]() to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published. _
* * *
### New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our [Premium](), [Care](), and [Response]() customers last week:
* [Avada <= 7.11.1 – Authenticated(Contributor+) Server Side Request Forgery]()
* [Avada <= 7.11.1 – Authenticated(Author+) Arbitrary File Upload via Zip Extraction]()
* [Post Grid <= 2.2.50 – Missing Authorization to Sensitive Information Exposure via REST API]()
* WAF-RULE-627, data redacted while we work with the developer to ensure this gets patched.
Wordfence [Premium](), [Care](), and [Response]() customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.
* * *
### Total Unpatched & Patched Vulnerabilities Last Week
**Patch Status** | **Number of Vulnerabilities**
—|—
Unpatched | 24
Patched | 40
* * *
### Total Vulnerabilities by CVSS Severity Last Week
**Severity Rating** | **Number of Vulnerabilities**
—|—
Low Severity | 1
Medium Severity | 50
High Severity | 9
Critical Severity | 4
* * *
### Total Vulnerabilities by CWE Type Last Week
**Vulnerability Type by CWE** | **Number of Vulnerabilities**
—|—
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 26
Missing Authorization | 12
Cross-Site Request Forgery (CSRF) | 9
Improper Privilege Management | 2
Use of Less Trusted Source | 2
Information Exposure | 2
Deserialization of Untrusted Data | 1
Server-Side Request Forgery (SSRF) | 1
Improper Control of Generation of Code (‘Code Injection’) | 1
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 1
URL Redirection to Untrusted Site (‘Open Redirect’) | 1
Improper Authorization | 1
Improper Access Control | 1
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 1
Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’) | 1
Weak Password Recovery Mechanism for Forgotten Password | 1
Unrestricted Upload of File with Dangerous Type | 1
* * *
### Researchers That Contributed to WordPress Security Last Week
**Researcher Name** | **Number of Vulnerabilities**
—|—
[Abdi Pranata]() | 5
[Marco Wotschka]()
(Wordfence Vulnerability Researcher) | 4
[Lana Codes]()
(Wordfence Vulnerability Researcher) | 4
[Mika]() | 4
[minhtuanact]() | 3
[thiennv]() | 3
[David]() | 2
[Truoc Phan]() | 2
[Rio Darmawan]() | 2
[LEE SE HYOUNG]() | 2
[Yuki Haruma]() | 2
[Muhammad Arsalan Diponegoro]() | 2
[Jonatas Souza Villa Flor]() | 1
[Ivy]() | 1
[Random Robbie]() | 1
[Nithissh S]() | 1
[TomS]() | 1
[NGÃ THIÃN AN]() | 1
[Le Ngoc Anh]() | 1
[Debangshu Kundu]() | 1
[Arpeet Rathi]() | 1
[Rafie Muhammad]() | 1
[Utkarsh Agrawal]() | 1
[Hung Duong]() | 1
[BartÅomiej Marek]() | 1
[Tomasz Swiadek]() | 1
[Prasanna V Balaji]() | 1
[Nguyen Xuan Chien]() | 1
[Elliot]() | 1
[Lokesh Dachepalli]() | 1
[Rafshanzani Suhada]() | 1
[Dmitrii Ignatyev]() | 1
[Dmitrii]() | 1
[Skalucy]() | 1
[yuyudhn]() | 1
[Francesco Carlucci]() | 1
[Jonas Höbenreich]() | 1
_Are you a security researcher who would like to be featured in our weekly vulnerability report?_ You can responsibly disclose your WordPress vulnerability discoveries to us and [obtain a CVE ID through this form](). Responsibly disclosing your vulnerability discoveries to us will also get your name added on the [Wordfence Intelligence leaderboard]() along with being mentioned in our weekly vulnerability report.
* * *
### WordPress Plugins with Reported Vulnerabilities Last Week
**Software Name** | **Software Slug**
—|—
123.chat â 1:1 Live Video Chat Tool Plugin | [123-chat-videochat]()
Accordion Slider | [accordion-slider]()
Accordion and Accordion Slider | [accordion-and-accordion-slider]()
Advanced File Manager | [file-manager-advanced]()
Album and Image Gallery plus Lightbox | [album-and-image-gallery-plus-lightbox]()
BigBlueButton | [bigbluebutton]()
Blog Designer â Post and Widget | [blog-designer-for-post-and-widget]()
CLUEVO LMS, E-Learning Platform | [cluevo-lms]()
CT Commerce | [ct-commerce]()
Carrrot | [carrrot]()
Cleverwise Daily Quotes | [cleverwise-daily-quotes]()
Comments Like Dislike | [comments-like-dislike]()
Contact form 7 Custom validation | [cf7-field-validation]()
Cookies and Content Security Policy | [cookies-and-content-security-policy]()
Cost Calculator Builder | [cost-calculator-builder]()
Countdown Timer Ultimate | [countdown-timer-ultimate]()
Custom Admin Login Page | WPZest | [custom-admin-login-styler-wpzest]()
Donation Forms by Charitable â Donations Plugin & Fundraising Platform for WordPress | [charitable]()
Donations Made Easy â Smart Donations | [smart-donations]()
Doofinder WP & WooCommerce Search | [doofinder-for-woocommerce]()
Dynamic Pricing and Discount Rules for WooCommerce | [woo-conditional-discount-rules-for-checkout]()
Enhanced Ecommerce Google Analytics for WooCommerce | [woo-ecommerce-tracking-for-google-and-facebook]()
Event Tickets with Ticket Scanner | [event-tickets-with-ticket-scanner]()
GD Security Headers | [gd-security-headers]()
InfiniteWP Client | [iwp-client]()
JS Help Desk â Best Help Desk & Support Plugin | [js-support-ticket]()
Kanban Boards for WordPress | [kanban]()
Make Paths Relative | [make-paths-relative]()
Media from FTP | [media-from-ftp]()
Meta Slider and Carousel with Lightbox | [meta-slider-and-carousel-with-lightbox]()
Orders Tracking for WooCommerce | [woo-orders-tracking]()
Paid Memberships Pro CCBill Gateway | [pmpro-ccbill]()
Password Reset with Code for WordPress REST API | [bdvs-password-reset]()
Plausible Analytics | [plausible-analytics]()
Portfolio Gallery â Responsive Image Gallery | [gallery-portfolio]()
Portfolio and Projects | [portfolio-and-projects]()
Post Ticker Ultimate | [ticker-ultimate]()
Post grid and filter ultimate | [post-grid-and-filter-ultimate]()
Products Quick View for WooCommerce | [woocommerce-products-quick-view]()
Putler Connector for WooCommerce â Accurate Analytics and Reports for your WooCommerce Store | [woocommerce-putler-connector]()
RSVPMaker | [rsvpmaker]()
Schedule Posts Calendar | [schedule-posts-calendar]()
Serial Codes Generator and Validator with WooCommerce Support | [serial-codes-generator-and-validator]()
Simple Org Chart | [simple-org-chart]()
Simple Staff List | [simple-staff-list]()
Smart SEO Tool â SEOä¼åæ件 | [smart-seo-tool]()
Stripe Payment Plugin for WooCommerce | [payment-gateway-stripe-and-woocommerce-integration]()
Tabs & Accordion | [tabs]()
Team Slider and Team Grid Showcase plus Team Carousel | [wp-team-showcase-and-slider]()
Testimonial Grid and Testimonial Slider plus Carousel with Rotator Widget | [wp-testimonial-with-widget]()
Timeline and History slider | [timeline-and-history-slider]()
Trending/Popular Post Slider and Widget | [wp-trending-post-slider-and-widget]()
Typing Effect | [animated-typing-effect]()
User Activity Log | [user-activity-log]()
User Submitted Posts â Enable Users to Submit Posts from the Front End | [user-submitted-posts]()
Video Gallery for YouTube Videos and WordPress | [youtube-showcase]()
Video gallery and Player | [html5-videogallery-plus-player]()
WP LINE Notify | [wp-line-notify]()
WP Remote Users Sync | [wp-remote-users-sync]()
WP VR â 360 Panorama and Virtual Tour Builder For WordPress | [wpvr]()
WP-PostRatings | [wp-postratings]()
WebLibrarian | [weblibrarian]()
WooCommerce PDF Invoice Builder, Create invoices, packing slips and more | [woo-pdf-invoice-builder]()
WordPress Mortgage Calculator Estatik | [estatik-mortgage-calculator]()
fitness calculators plugin | [fitness-calculators]()
tagDiv Composer | [td-composer]()
wpDataTables â WordPress Data Table, Dynamic Tables & Table Charts Plugin | [wpdatatables]()
* * *
### WordPress Themes with Reported Vulnerabilities Last Week
**Software Name** | **Software Slug**
—|—
Aapna | [aapna]()
Anand | [anand]()
Anfaust | [anfaust]()
Arendelle | [arendelle]()
Atlast Business | [atlast-business]()
Bazaar Lite | [bazaar-lite]()
Brain Power | [brain-power]()
BunnyPressLite | [bunnypresslite]()
Cafe Bistro | [cafe-bistro]()
College | [college]()
* * *
### Vulnerability Details
Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you shouldâve already been notified if your site was affected by any of these vulnerabilities.
#### [Kanban Boards <= 2.5.21 – Authenticated (Administrator+) Remote Code Execution]()
**Affected Software**: [Kanban Boards for WordPress]()
**CVE ID**: CVE-2023-40606
**CVSS Score**: 9.8 (Critical)
**Researcher/s**: [TomS]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [Donation Forms by Charitable <= 1.7.0.12 – Unauthenticated Privilege Escalation]()
**Affected Software**: [Donation Forms by Charitable â Donations Plugin & Fundraising Platform for WordPress]()
**CVE ID**: CVE-2023-4404
**CVSS Score**: 9.8 (Critical)
**Researcher/s**: [Lana Codes]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Contact form 7 Custom validation <= 1.1.3 – Unauthenticated SQL Injection via ‘post’]()
**Affected Software**: [Contact form 7 Custom validation]()
**CVE ID**: CVE-2023-40609
**CVSS Score**: 9.8 (Critical)
**Researcher/s**: [minhtuanact]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [Password Reset with Code for WordPress REST API <= 0.0.15 – Weak Password Recovery Mechanism]()
**Affected Software**: [Password Reset with Code for WordPress REST API]()
**CVE ID**: CVE-2023-35039
**CVSS Score**: 9.8 (Critical)
**Researcher/s**: [Jonas Höbenreich]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [WP Remote Users Sync <= 1.2.12 – Authenticated (Subscriber+) Server Side Request Forgery]()
**Affected Software**: [WP Remote Users Sync]()
**CVE ID**: CVE-2023-3958
**CVSS Score**: 8.5 (High)
**Researcher/s**: [Lana Codes]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [InfiniteWP Client <= 1.11.1 – Authenticated (Subscriber+) Sensitive Information Exposure]()
**Affected Software**: [InfiniteWP Client]()
**CVE ID**: CVE-2023-2916
**CVSS Score**: 7.5 (High)
**Researcher/s**: [Lana Codes]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [User Submitted Posts <= 20230809 – Unauthenticated Stored Cross-Site Scripting via ‘user-submitted-content’]()
**Affected Software**: [User Submitted Posts â Enable Users to Submit Posts from the Front End]()
**CVE ID**: CVE-2023-4308
**CVSS Score**: 7.2 (High)
**Researcher/s**: [NGÃ THIÃN AN]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [tagDiv Composer <= 4.1 – Unauthenticated Stored Cross-Site Scripting]()
**Affected Software**: [tagDiv Composer]()
**CVE ID**: CVE-2023-3169
**CVSS Score**: 7.2 (High)
**Researcher/s**: [Truoc Phan]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Cleverwise Daily Quotes <= 3.2 – Reflected Cross-Site Scripting]()
**Affected Software**: [Cleverwise Daily Quotes]()
**CVE ID**: CVE-2023-40335
**CVSS Score**: 7.2 (High)
**Researcher/s**: [Yuki Haruma]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [GD Security Headers <= 1.6.1 – Unauthenticated Cross-Site Scripting]()
**Affected Software**: [GD Security Headers]()
**CVE ID**: CVE-2023-40330
**CVSS Score**: 7.2 (High)
**Researcher/s**: [minhtuanact]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [RSVPMarker <= 10.6.5 – Unauthenticated Stored Cross-Site Scripting via ’email’]()
**Affected Software**: [RSVPMaker]()
**CVE ID**: CVE-2023-27616
**CVSS Score**: 7.2 (High)
**Researcher/s**: [Muhammad Arsalan Diponegoro]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Mortgage Calculator Estatik <= 2.0.7 – Unauthenticated Cross-Site Scripting]()
**Affected Software**: [WordPress Mortgage Calculator Estatik]()
**CVE ID**: CVE-2023-40601
**CVSS Score**: 7.2 (High)
**Researcher/s**: [thiennv]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [JS Help Desk â Best Help Desk & Support Plugin <= 2.7.7 – Authenticated (Administrator+) Arbitrary File Upload]()
**Affected Software**: [JS Help Desk â Best Help Desk & Support Plugin]()
**CVE ID**: CVE-2023-25444
**CVSS Score**: 7.2 (High)
**Researcher/s**: [Abdi Pranata]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [wpDataTables – Tables & Table Charts <= 2.1.65 – Authenticated(Administrator+) PHP Object Injection]()
**Affected Software**: [wpDataTables â WordPress Data Table, Dynamic Tables & Table Charts Plugin]()
**CVE ID**: CVE Unknown
**CVSS Score**: 6.6 (Medium)
**Researcher/s**: Unknown
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Advanced File Manager <= 5.1 – Authenticated(Administrator+) Arbitrary File and Folder Access]()
**Affected Software**: [Advanced File Manager]()
**CVE ID**: CVE-2023-3814
**CVSS Score**: 6.6 (Medium)
**Researcher/s**: [Dmitrii]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Gallery Portfolio <= 1.4.6 – Missing Authorization via Multiple AJAX actions]()
**Affected Software**: [Portfolio Gallery â Responsive Image Gallery]()
**CVE ID**: CVE Unknown
**CVSS Score**: 6.5 (Medium)
**Researcher/s**: Unknown
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Event Tickets with Ticket Scanner <= 1.5.4 – Authenticated (Subscriber+) Stored Cross-Site Scripting]()
**Affected Software**: [Event Tickets with Ticket Scanner]()
**CVE ID**: CVE Unknown
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: Unknown
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [BigBlueButton <= 3.0.0-beta.4 – Authenticated (Author+) Stored Cross-Site Scripting]()
**Affected Software**: [BigBlueButton]()
**CVE ID**: CVE Unknown
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [Marco Wotschka]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [Serial Codes Generator and Validator with WooCommerce Support <= 2.4.14 – Authenticated (Subscriber+) Stored Cross-Site Scripting]()
**Affected Software**: [Serial Codes Generator and Validator with WooCommerce Support]()
**CVE ID**: CVE Unknown
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: Unknown
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Typing Effect <= 1.3.6 – Authenticated (Contributor+) Stored Cross-Site Scripting]()
**Affected Software**: [Typing Effect]()
**CVE ID**: CVE-2023-40605
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [yuyudhn]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [Media from FTP <= 11.16 – Authenticated (Author+) Improper Privilege Management]()
**Affected Software**: [Media from FTP]()
**CVE ID**: CVE-2023-4019
**CVSS Score**: 6.3 (Medium)
**Researcher/s**: [Dmitrii Ignatyev]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [LINE Notify <= 1.4.4 – Reflected Cross-Site Scripting via ‘uid’]()
**Affected Software**: [WP LINE Notify]()
**CVE ID**: CVE-2023-30497
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [Ivy]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Multiple Themes (Various Versions) – Reflected Cross-Site Scripting via Search Field]()
**Affected Software/s**: [College](), [Anfaust](), [Brain Power](), [BunnyPressLite](), [Bazaar Lite](), [Cafe Bistro](), [Arendelle](), [Anand](), [Atlast Business](), [Aapna]()
**CVE ID**: CVE-2023-2813
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [Random Robbie]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [Plausible Analytics <= 1.3.3 – Reflected Cross-Site Scripting via page-url]()
**Affected Software**: [Plausible Analytics]()
**CVE ID**: CVE-2023-40553
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [Le Ngoc Anh]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [WebLibrarian <= 3.5.8.1 – Reflected Cross-Site Scripting via multiple parameters]()
**Affected Software**: [WebLibrarian]()
**CVE ID**: CVE-2023-29441
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [LEE SE HYOUNG]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Donations Made Easy â Smart Donations <= 4.0.12 – Unauthenticated Stored Cross-Site Scripting]()
**Affected Software**: [Donations Made Easy â Smart Donations]()
**CVE ID**: CVE-2023-40664
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [thiennv]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [WP VR <= 8.3.4 – Reflected Cross-Site Scripting]()
**Affected Software**: [WP VR â 360 Panorama and Virtual Tour Builder For WordPress]()
**CVE ID**: CVE-2023-40663
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [LEE SE HYOUNG]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Fitness calculators plugin <= 2.0.7 – Authenticated (Administrator+) Stored Cross-Site Scripting via admin settings]()
**Affected Software**: [fitness calculators plugin]()
**CVE ID**: CVE-2023-40552
**CVSS Score**: 5.5 (Medium)
**Researcher/s**: [Rio Darmawan]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [Smart SEO Tool-WordPress SEOä¼åæ件 <= 4.0.1 – Cross-Sitquest Forgery via ‘wp_ajax_wb_smart_seo_tool’]()
**Affected Software**: [Smart SEO Tool â SEOä¼åæ件]()
**CVE ID**: CVE Unknown
**CVSS Score**: 5.4 (Medium)
**Researcher/s**: Unknown
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Doofinder for WooCommerce <= 1.5.49 – Unauthenticated Open Redirect]()
**Affected Software**: [Doofinder WP & WooCommerce Search]()
**CVE ID**: CVE-2023-40602
**CVSS Score**: 5.4 (Medium)
**Researcher/s**: [minhtuanact]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [Cost Calculator Builder <= 3.1.42 – Improper Authorization]()
**Affected Software**: [Cost Calculator Builder]()
**CVE ID**: CVE-2023-40011
**CVSS Score**: 5.4 (Medium)
**Researcher/s**: [Rafshanzani Suhada]()
**Patch Status**: Patched
**Vulnerability Details:**
* * *
#### [WooCommerce Enhanced Ecommerce Analytics Integration with Conversion Tracking <= 3.7.1 – Cross-Site Request Forgery]()
**Affected Software**: [Enhanced Ecommerce Google Analytics for WooCommerce]()
**CVE ID**: CVE-2023-40561
**CVSS Score**: 5.4 (Medium)
**Researcher/s**: [Mika]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [Putler Connector for WooCommerce <= 2.12.0 – Missing Authorization via ‘putler_connector_sync_complete’]()
**Affected Software**: [Putler Connector for WooCommerce â Accurate Analytics and Reports for your WooCommerce Store]()
**CVE ID**: CVE-2023-40327
**CVSS Score**: 5.3 (Medium)
**Researcher/s**: [David]()
**Patch Status**: Unpatched
**Vulnerability Details:**
* * *
#### [Multiple WPOnlineSupport Plugins <= (Various Versions) – Missing Authorization to Notice Dismissal]()
**Affected Software/s**: [Portfolio and Projects](Read More