La semana pasada, se revelaron 45 vulnerabilidades en 30 complementos de WordPress y se agregaron temas de WordPress a la base de datos de vulnerabilidades de Wordfence Intelligence, y hubo 17 investigadores de vulnerabilidades que contribuyeron a la seguridad de WordPress la semana pasada. Revise esas vulnerabilidades en este informe ahora para asegurarse de que su sitio no se vea afectado.
Nuestra misión es hacer que la información valiosa sobre vulnerabilidades sea fácilmente accesible para todos, como la comunidad de WordPress, para que tanto las personas como las organizaciones puedan utilizar esos datos para hacer que Internet sea más seguro.
Total de vulnerabilidades parcheadas y sin parchear la semana pasada
| Estado del parche | Número de vulnerabilidades |
| Sin parchear | 5 |
| Parcheado | 40 |
Vulnerabilidades totales por gravedad CVSS la semana pasada
| Clasificación de gravedad | Número de vulnerabilidades |
| Gravedad baja | 0 |
| Gravedad Media | 34 |
| Gravedad alta | 10 |
| Gravedad crítica | 1 |
Vulnerabilidades totales por tipo de CWE la semana pasada
| Tipo de vulnerabilidad por CWE | Número de vulnerabilidades |
| Neutralización incorrecta de la entrada durante la generación de la página web («Cross-site Scripting») | 18 |
| Omisión de autorización mediante clave controlada por el usuario | 5 |
| Autorización faltante | 5 |
| Falsificación de solicitud entre sitios (CSRF) | 5 |
| Neutralización incorrecta de elementos especiales utilizados en un comando SQL (‘inyección SQL’) | 5 |
| Deserialización de datos no confiables | 1 |
| Exposición de la información | 1 |
| Carga sin restricciones de archivos con tipo peligroso | 1 |
| Omisión de autenticación usando una ruta o canal alternativo | 1 |
| Autorización incorrecta | 1 |
| Neutralización incorrecta de elementos de fórmula en un archivo CSV | 1 |
| Falsificación de solicitud del lado del servidor (SSRF) | 1 |
Investigadores que contribuyeron a la seguridad de WordPress la semana pasada
| Nombre del investigador | Número de vulnerabilidades |
| Ramuel Gall (Investigador de vulnerabilidades de Wordfence) | 12 |
| Alex Thomas (Investigador de vulnerabilidades de Wordfence) | 7 |
| Erwan LR | 4 |
| Iliase Dehy | 2 |
| Chien-Vuong | 2 |
| Omar Tauro | 2 |
| Le Ngoc Anh | 1 |
| juampa rodriguez | 1 |
| Aymane Mazguiti | 1 |
| Mohamed Selim | 1 |
| Lana Codes (Investigador de vulnerabilidades de Wordfence) | 1 |
| Etán Imanol Castro Aldrete | 1 |
| Ivan Kuzymchak (Investigador de vulnerabilidades de Wordfence) | 1 |
| Marco Wotschka (Investigador de vulnerabilidades de Wordfence) | 1 |
| ONG VAN TU | 1 |
| Shreya Pohekar | 1 |
| iohex | 1 |
Complementos de WordPress con vulnerabilidades reportadas la semana pasada
| Software | Software Slug |
| Aajoda Testimonials | aajoda-testimonials |
| Abandoned Cart Lite for WooCommerce | woocommerce-abandoned-cart |
| Catalyst Connect Zoho CRM Client Portal | catalyst-connect-client-portal |
| CodeColorer | codecolorer |
| Dokan – Best WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy | dokan-lite |
| Download Monitor | download-monitor |
| Easy Digital Downloads – Simple eCommerce for Selling Digital Files | easy-digital-downloads |
| Editorial Calendar | editorial-calendar |
| Elementor Addons, Widgets and Enhancements – Stax | stax-addons-for-elementor |
| FiboSearch – Ajax Search for WooCommerce | ajax-search-for-woocommerce |
| FormCraft – Contact Form Builder for WordPress | formcraft-form-builder |
| GD Mail Queue | gd-mail-queue |
| Getwid – Gutenberg Blocks | getwid |
| Gravity Forms Google Sheet Connector | gsheetconnector-gravity-forms |
| KiviCare – Clinic & Patient Management System (EHR) | kivicare-clinic-management-system |
| Lana Email Logger | lana-email-logger |
| Mail logging – WP Mail Catcher | wp-mail-catcher |
| Metform Elementor Contact Form Builder – Flexible and Design-Friendly Contact Form builder plugin for WordPress | metform |
| PowerPress Podcasting plugin by Blubrry | powerpress |
| Responsive CSS EDITOR | responsive-css-editor |
| Shopping Cart & eCommerce Store | wp-easycart |
| Social Media Share Buttons & Social Sharing Icons | ultimate-social-media-icons |
| Ultimate Addons for Contact Form 7 | ultimate-addons-for-contact-form-7 |
| Ultimate Product Catalog | ultimate-product-catalogue |
| Visitor Traffic Real Time Statistics | visitors-traffic-real-time-statistics |
| WP Brutal AI | wpbrutalai |
| WP Inventory Manager | wp-inventory-manager |
| WP Mail Logging | wp-mail-logging |
| WP-Members Membership Plugin | wp-members |
| WordPress Tables | wptables |
¿Deseas proteger su sitio WordPress?
La seguridad en WordPress es muy importante porque si tu sitio web es hackeado, corres el riesgo de perder datos importantes, activos y credibilidad. Además, el incidente puede poner en peligro los datos personales y la información de contactos y/o facturación de tus clientes. Existen muchas formas de mejorar la seguridad en WordPress, como elegir un buen proveedor de alojamiento web, mantener actualizado el software y los plugins, utilizar contraseñas seguras y realizar copias de seguridad regularmente.
Contacta a nuestro equipo especializado en seguridad y monitoreo de aplicaciones:
Hablemos Escríbenos
Detalles de vulnerabilidad
Abandoned Cart Lite for WooCommerce <= 5.14.2 – Authentication Bypass
Affected Software: Abandoned Cart Lite for WooCommerce
CVE ID: CVE-2023-2986
CVSS Score: 9.8 (Critical)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/68052614-204f-4237-af0e-4b8210ebd59f
Download Monitor <= 4.8.3 – Authenticated(Subscriber+) Arbitrary File Upload via upload_file
Affected Software: Download Monitor
CVE ID: CVE Unknown
CVSS Score: 8.8 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/657b1b7b-eac2-4935-a50f-0849c4e96b16
Ultimate Addons for Contact Form 7 <= 3.1.23 – Authenticated(Subscriber+) SQL Injection
Affected Software: Ultimate Addons for Contact Form 7
CVE ID: CVE-2023-1615
CVSS Score: 8.8 (High)
Researcher/s: Etan Imanol Castro Aldrete
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/817ca119-ddaf-4525-beee-68c4e0aac544
WP Brutal AI < 2.0.0 – Cross-Site Request Forgery to SQL Injection
Affected Software: WP Brutal AI
CVE ID: CVE-2023-2601
CVSS Score: 8.8 (High)
Researcher/s: Taurus Omar
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b4eb5833-25cd-4a6c-9240-37a9f8c1b120
Getwid – Gutenberg Blocks <= 1.8.3 – Authenticated(Subscriber+) Server Side Request Forgery
Affected Software: Getwid – Gutenberg Blocks
CVE ID: CVE-2023-1895
CVSS Score: 8.5 (High)
Researcher/s: Ramuel Gall
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e9c2a942-c14c-4b59-92a7-6946b2e4731b
Metform Elementor Contact Form Builder <= 3.3.0 – Unauthenticated CSV Injection
Affected Software: Metform Elementor Contact Form Builder – Flexible and Design-Friendly Contact Form builder plugin for WordPress
CVE ID: CVE-2023-0721
CVSS Score: 8.3 (High)
Researcher/s: Ramuel Gall
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ccd85a72-1872-4c4f-8ba7-7f91b0b37d4a
GD Mail Queue <= 3.9.3 – Unauthenticated Stored Cross-Site Scripting via Email
Affected Software: GD Mail Queue
CVE ID: CVE-2023-3122
CVSS Score: 7.2 (High)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0b668f45-c7fb-481b-bc8e-115e5b7248c9
WP Mail Catcher <= 2.1.2 – Unauthenticated Stored Cross-Site Scripting via Email Subject
Affected Software: Mail logging – WP Mail Catcher
CVE ID: CVE-2023-3080
CVSS Score: 7.2 (High)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1525e1c9-4b94-4f9f-92c5-fc69fe000771
WP EasyCart <= 5.4.10 – Authenticated (Administrator+) SQL Injection via ‘orderby’
Affected Software: Shopping Cart & eCommerce Store
CVE ID: CVE-2023-3023
CVSS Score: 7.2 (High)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c9c1ddaf-4bf2-4937-b7bf-a09162db043e
Lana Email Logger <= 1.0.2 – Unauthenticated Stored Cross-Site Scripting via Email Subject
Affected Software: Lana Email Logger
CVE ID: CVE-2023-3166
CVSS Score: 7.2 (High)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d5f372bf-6b13-4ba7-8b8b-9d3b500e4420
WP Mail Logging <= 1.11.1 – Unauthenticated Stored Cross-Site Scripting via Email
Affected Software: WP Mail Logging
CVE ID: CVE-2023-3081
CVSS Score: 7.2 (High)
Researcher/s: Alex Thomas
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ef20b3e6-d8f4-458e-b604-b46ef16e229e
Dokan <=3.7.19 – Authenticated(Shop Manager+) PHP Object Injection via create_dummy_vendor
Affected Software: Dokan – Best WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy
CVE ID: CVE Unknown
CVSS Score: 6.6 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1597859c-2808-4e0f-aa8d-4e2727728e22
Responsive CSS EDITOR <= 1.0 – Authenticated(Administrator+) SQL Injection
Affected Software: Responsive CSS EDITOR
CVE ID: CVE-2023-2482
CVSS Score: 6.6 (Medium)
Researcher/s: Chien Vuong
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/60ffe162-5bcd-4ffc-af45-81240751bc62
FormCraft Premium <= 3.9.6 – Authenticated(Administrator+) SQL Injection
Affected Software: FormCraft – Contact Form Builder for WordPress
CVE ID: CVE-2023-2592
CVSS Score: 6.6 (Medium)
Researcher/s: Chien Vuong
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/72b4f6bb-59dd-453c-b089-4777dcefb11f
Metform Elementor Contact Form Builder <= 3.3.1 – Authenticated (Subscriber+) Information Disclosure via mf shortcode
Affected Software: Metform Elementor Contact Form Builder – Flexible and Design-Friendly Contact Form builder plugin for WordPress
CVE ID: CVE-2023-0694
CVSS Score: 6.5 (Medium)
Researcher/s: Ramuel Gall
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1a8b194c-371f-4adc-98fa-8f4e47a38ee7
Metform Elementor Contact Form Builder <= 3.3.1 – Authenticated (Subscriber+) Information Disclosure via ‘mf_transaction_id’ shortcode
Affected Software: Metform Elementor Contact Form Builder – Flexible and Design-Friendly Contact Form builder plugin for WordPress
CVE ID: CVE-2023-0693
CVSS Score: 6.5 (Medium)
Researcher/s: Ramuel Gall
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1f33a8db-7cd0-4a53-b2c1-cd5b7cd16214
KiviCare – Clinic & Patient Management System (EHR) <= 3.2.0 – Sensitive Information Exposure
Affected Software: KiviCare – Clinic & Patient Management System (EHR)
CVE ID: CVE-2023-2623
CVSS Score: 6.5 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/39404341-8a27-4770-b6a6-d33e899b6bd8
KiviCare – Clinic & Patient Management System (EHR) <= 3.2.0 – Cross-Site Request Forgery
Affected Software: KiviCare – Clinic & Patient Management System (EHR)
CVE ID: CVE-2023-2628
CVSS Score: 6.5 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4101c35e-5af9-4372-9ed1-fb6a15d8500f
Metform Elementor Contact Form Builder <= 3.3.1 – Authenticated (Subscriber+) Information Disclosure via mf_thankyou shortcode
Affected Software: Metform Elementor Contact Form Builder – Flexible and Design-Friendly Contact Form builder plugin for WordPress
CVE ID: CVE-2023-0688
CVSS Score: 6.5 (Medium)
Researcher/s: Ramuel Gall
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/81fc41a4-9206-404c-bd5b-821c77ff3593
Editorial Calendar <= 3.7.12 – Authenticated(Contributor+) Stored Cross-Site Scripting via edcal_saveoptions AJAX action
Affected Software: Editorial Calendar
CVE ID: CVE-2022-4115
CVSS Score: 6.4 (Medium)
Researcher/s: iohex
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f3dac7b6-512d-4fd6-8294-f0b1c0a2efd7
WordPress Tables <= 1.3.9 – Reflected Cross-Site Scripting via error_msg
Affected Software: WordPress Tables
CVE ID: CVE-2023-25453
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/099dfb18-fc73-4a19-b017-1675c9acfa2f
WP Brutal AI < 2.0.1 – Reflected Cross-Site Scripting
Affected Software: WP Brutal AI
CVE ID: CVE-2023-2605
CVSS Score: 6.1 (Medium)
Researcher/s: Taurus Omar
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d2aabec9-1968-4c0e-baed-9aa78eb236e8
Catalyst Connect Zoho CRM Client Portal <= 2.0.0 – Reflected Cross-Site Scripting
Affected Software: Catalyst Connect Zoho CRM Client Portal
CVE ID: CVE-2023-0588
CVSS Score: 6.1 (Medium)
Researcher/s: Shreya Pohekar
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d63543f9-4865-444f-9a32-3b23e92b0bd4
Metform Elementor Contact Form Builder <= 3.3.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via mf shortcode
Affected Software: Metform Elementor Contact Form Builder – Flexible and Design-Friendly Contact Form builder plugin for WordPress
CVE ID: CVE-2023-0695
CVSS Score: 5.4 (Medium)
Researcher/s: Ramuel Gall
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1c866d8d-399c-4bda-a3c9-17c7e5d2ffb8
Metform Elementor Contact Form Builder <= 3.3.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via mf_last_name shortcode
Affected Software: Metform Elementor Contact Form Builder – Flexible and Design-Friendly Contact Form builder plugin for WordPress
CVE ID: CVE-2023-0709
CVSS Score: 5.4 (Medium)
Researcher/s: Ramuel Gall
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/25200656-a6a2-42f2-a607-26d4ff502cbf
KiviCare – Clinic & Patient Management System (EHR) <= 3.2.0 – Missing Authorization
Affected Software: KiviCare – Clinic & Patient Management System (EHR)
CVE ID: CVE-2023-2627
CVSS Score: 5.4 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/88898997-6199-4b33-bd35-70a1a01812ec
Metform Elementor Contact Form Builder <= 3.3.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via mf_first_name shortcode
Affected Software: Metform Elementor Contact Form Builder – Flexible and Design-Friendly Contact Form builder plugin for WordPress
CVE ID: CVE-2023-0708
CVSS Score: 5.4 (Medium)
Researcher/s: Ramuel Gall
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ae7549db-9a4b-4dee-8023-d7863dc3b4c8
Gravity Forms Google Sheet Connector <= 1.3.4 – Cross-Site Request Forgery via verify_code_integation_new
Affected Software: Gravity Forms Google Sheet Connector
CVE ID: CVE-2023-2326
CVSS Score: 5.4 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/dea1e775-68b4-45e6-9d90-41e39d5d0dfd
Metform Elementor Contact Form Builder <= 3.3.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via mf_thankyou shortcode
Affected Software: Metform Elementor Contact Form Builder – Flexible and Design-Friendly Contact Form builder plugin for WordPress
CVE ID: CVE-2023-0710
CVSS Score: 4.9 (Medium)
Researcher/s: Ramuel Gall
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/89a98053-33c7-4e75-87a1-0f483a990641
Aajoda Testimonials <= 2.2.1 – Authenticated(Administrator+) Stored Cross-Site Scripting
Affected Software: Aajoda Testimonials
CVE ID: CVE-2023-2178
CVSS Score: 4.4 (Medium)
Researcher/s: Juampa Rodríguez
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/10f28404-acd0-40de-af42-2970b5b25bde
Ultimate Product Catalog <= 5.2.5 – Authenticated(Administrator+) Stored Cross-Site Scripting
Affected Software: Ultimate Product Catalog
CVE ID: CVE-2023-2711
CVSS Score: 4.4 (Medium)
Researcher/s: Ilyase Dehy, Aymane Mazguiti
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/288559f0-eab6-4933-a026-8413476af6eb
Social Media Share Buttons & Social Sharing Icons <= 2.8.1 – Authenticated(Administrator+) Stored Cross-Site Scripting
Affected Software: Social Media Share Buttons & Social Sharing Icons
CVE ID: CVE-2023-1166
CVSS Score: 4.4 (Medium)
Researcher/s: Mohamed Selim
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3cf2013a-d403-456f-aeb4-46b6e00b057f
PowerPress <= 10.2.3 – Authenticated (Administrator+) Stored Cross-Site Scripting via ‘Feed[title]’
Affected Software: PowerPress Podcasting plugin by Blubrry
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/64371d43-3acd-4863-80e4-deab071777b9
FiboSearch – AJAX Search for WooCommerce <= 1.23.0 – Authenticated (Admin+) Stored Cross-Site Scripting
Affected Software: FiboSearch – Ajax Search for WooCommerce
CVE ID: CVE-2023-2450
CVSS Score: 4.4 (Medium)
Researcher/s: Ivan Kuzymchak
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/880573d8-6dad-4a1b-a5db-33e1dc243062
CodeColorer <= 0.10.0 – Authenticated (Administrator+) Stored Cross-Site Scripting
Affected Software: CodeColorer
CVE ID: CVE-2023-2795
CVSS Score: 4.4 (Medium)
Researcher/s: Ilyase Dehy
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c78ec44e-c3e4-410e-9937-46657664d6cb
Download Monitor <= 4.7.60 – Missing Authorization to Authenticated Data Export
Affected Software: Download Monitor
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2d58f34b-5bd7-4be6-a7ce-b0769bec9aad
Getwid – Gutenberg Blocks <= 1.8.3 – Improper Authorization via get_remote_templates REST endpoint
Affected Software: Getwid – Gutenberg Blocks
CVE ID: CVE-2023-1910
CVSS Score: 4.3 (Medium)
Researcher/s: Ramuel Gall
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6cd64ab0-007b-4778-9d92-06e530638fad
Metform Elementor Contact Form Builder <= 3.3.1 – Authenticated (Subscriber+) Information Disclosure via mf_last_name shortcode
Affected Software: Metform Elementor Contact Form Builder – Flexible and Design-Friendly Contact Form builder plugin for WordPress
CVE ID: CVE-2023-0691
CVSS Score: 4.3 (Medium)
Researcher/s: Ramuel Gall
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8fc4b815-dc05-4270-bf7a-3b01622739d7
Elementor Addons, Widgets and Enhancements – Stax <= 1.4.3 – Missing Authorization in toggle_widget
Affected Software: Elementor Addons, Widgets and Enhancements – Stax
CVE ID: CVE-2023-2189
CVSS Score: 4.3 (Medium)
Researcher/s: Alex Thomas
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/926550bb-265d-4811-a375-10c47e9fb4d6
WP-Members Membership <= 3.4.7.3 – Missing Authorization to Settings Update
Affected Software: WP-Members Membership Plugin
CVE ID: CVE-2023-2869
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bf05a79a-0375-4c9d-bbf0-a87484327b87
Elementor Addons, Widgets and Enhancements – Stax <= 1.4.3 – Cross-Site Request Forgery via toggle_widget
Affected Software: Elementor Addons, Widgets and Enhancements – Stax
CVE ID: CVE-2023-1807
CVSS Score: 4.3 (Medium)
Researcher/s: Alex Thomas
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c12094bd-aa23-4f9b-92e1-d1d4284fb2a0
Visitor Traffic Real Time Statistics <= 6.7 – Missing Authorization to Information Disclosure
Affected Software: Visitor Traffic Real Time Statistics
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c7ab5a00-ce1c-4d74-9192-c9834e2d702d
WP Inventory Manager <= 2.1.0.13 – Cross-Site Request Forgery via delete_item
Affected Software: WP Inventory Manager
CVE ID: CVE-2023-2842
CVSS Score: 4.3 (Medium)
Researcher/s: NGO VAN TU
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d51f0230-b85c-4c2d-9fa0-e68b52e51c76
Metform Elementor Contact Form Builder <= 3.3.1 – Authenticated (Subscriber+) Information Disclosure via ‘mf_payment_status’ shortcode
Affected Software: Metform Elementor Contact Form Builder – Flexible and Design-Friendly Contact Form builder plugin for WordPress
CVE ID: CVE-2023-0692
CVSS Score: 4.3 (Medium)
Researcher/s: Ramuel Gall
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ddd85ff2-6607-4ac8-b91c-88f6f2fa6c56
Easy Digital Downloads <= 3.1.1.4.2 – Cross-Site Request Forgery via edd_trigger_upgrades
Affected Software: Easy Digital Downloads – Simple eCommerce for Selling Digital Files
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e3adcb85-efc5-429c-8a06-9bfb472d668f