Last week there were 67 vulnerabilities found in 60 WordPress Plugins
Type of vulnerability:
Cross-site scripting, SQL Injection, Unauthorized Actions, Cross-site Request Forgery, etc.
Contact Us to find out more. Be sure to mention the name of the plugin or theme you want to know about.
Vulnerable Plugins
Affected Software: Simple Inventory Management – just scan barcodes to manage products and orders. For WooCommerce
CVE ID: CVE-2023-52221
CVSS Score: 9.8 (Critical)
Patch Status: Patched
Customer Reviews for WooCommerce <= 5.38.9 – Authenticated (Author+) Arbitrary File Upload
Affected Software: Customer Reviews for WooCommerce
CVE ID: CVE-2023-6979
CVSS Score: 9.8 (Critical)
Patch Status: Patched
AI Engine: ChatGPT Chatbot <= 1.9.98 – Unauthenticated Arbitrary File Upload via rest_upload
Affected Software: AI Engine: Chatbots, Generators, Assistants, GPT 4 and more!
CVE ID: CVE-2023-51409
CVSS Score: 9.8 (Critical)
Patch Status: Patched
Affected Software: Simple Inventory Management – just scan barcode to manage products and orders. For WooCommerce
CVE ID: CVE-2023-52215
CVSS Score: 9.8 (Critical)
Patch Status: Patched
Affected Software: POST SMTP – The #1 WordPress SMTP Plugin with Advanced Email Logging and Delivery Failure Notifications
CVE ID: CVE-2023-6875
CVSS Score: 9.8 (Critical)
Patch Status: Patched
WP Testimonials <= 1.4.4 – Authenticated (Contributor+) SQL Injection
Affected Software: WP Testimonials
CVE ID: CVE Unknown
CVSS Score: 8.8 (High)
Patch Status: Patched
WP Register Profile With Shortcode <= 3.5.9 – Cross-Site Request Forgery to User Password Reset
Affected Software: WP Register Profile With Shortcode
CVE ID: CVE-2023-5448
CVSS Score: 8.8 (High)
Patch Status: Patched
Profile Builder Pro <= 3.10.0 – Cross-Site Request Forgery
Affected Software: Profile Builder Pro
CVE ID: CVE-2024-22140
CVSS Score: 8.8 (High)
Patch Status: Patched
Download Monitor <= 4.9.4 – Authenticated (Admin+) SQL Injection
Affected Software: Download Monitor
CVE ID: CVE Unknown
CVSS Score: 7.2 (High)
Patch Status: Patched
Affected Software: Order Export & Order Import for WooCommerce
CVE ID: CVE-2024-22135
CVSS Score: 7.2 (High)
Patch Status: Patched
PDF Invoices & Packing Slips for WooCommerce <= 3.7.5 – Authenticated (Shop Manager+) SQL Injection
Affected Software: PDF Invoices & Packing Slips for WooCommerce
CVE ID: CVE-2024-22147
CVSS Score: 7.2 (High)
Patch Status: Patched
Index Now <= 2.6.3 – Cross-Site Request Forgery via reset_form
Affected Software: Index Now
CVE ID: CVE-2024-0428
CVSS Score: 7.1 (High)
Patch Status: Patched
Affected Software/s: EventON, EventON Pro
CVE ID: CVE-2023-6158
CVSS Score: 6.5 (Medium)
Patch Status: Patched
Affected Software: List category posts
CVE ID: CVE-2023-6994
CVSS Score: 6.5 (Medium)
Patch Status: Patched
Affected Software/s: EventON, EventON Pro
CVE ID: CVE-2023-6244
CVSS Score: 6.5 (Medium)
Patch Status: Patched
Affected Software: Profile Builder Pro
CVE ID: CVE-2024-22141
CVSS Score: 6.5 (Medium)
Patch Status: Patched
Word Replacer Pro <= 1.0 – Missing Authorization
Affected Software: Word Replacer Pro
CVE ID: CVE-2023-52229
CVSS Score: 6.5 (Medium)
Patch Status: Unpatched
GD Rating System <= 3.5.0 – Unauthenticated Stored Cross-Site Scripting via IP
Affected Software: GD Rating System
CVE ID: CVE Unknown
CVSS Score: 6.5 (Medium)
Patch Status: Patched
Affected Software/s: EventON, EventON Pro
CVE ID: CVE-2023-6242
CVSS Score: 6.5 (Medium)
Patch Status: Patched
Formidable Forms <= 6.7 – HTML Injection
Affected Software: Formidable Forms – Contact Form, Survey, Quiz, Payment, Calculator Form & Custom Form Builder
CVE ID: CVE-2023-6830
CVSS Score: 6.5 (Medium)
Patch Status: Patched
Happy Elementor Addons <= 3.10.0 – Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: Happy Addons for Elementor
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Patch Status: Patched
Voting Record <= 2.0 – Authenticated (Subscriber+) Stored Cross-Site Scripting
Affected Software: Voting Record
CVE ID: CVE-2023-7084
CVSS Score: 6.4 (Medium)
Patch Status: Unpatched
Affected Software: OneClick Chat to Order
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Patch Status: Patched
Beds24 Online Booking <= 2.0.23 – Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: Beds24 Online Booking
CVE ID: CVE-2023-52228
CVSS Score: 6.4 (Medium)
Patch Status: Unpatched
TNC PDF viewer <= 2.8.0 – Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: TNC PDF viewer
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Patch Status: Patched
Affected Software: Constant Contact Forms by MailMunch
CVE ID: CVE-2024-22137
CVSS Score: 6.4 (Medium)
Patch Status: Unpatched
Affected Software: Plugin for Google Reviews
CVE ID: CVE-2023-6884
CVSS Score: 6.4 (Medium)
Patch Status: Patched
WP SMS <= 6.5.1 – Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Patch Status: Patched
Affected Software: Email Encoder – Protect Email Addresses and Phone Numbers
CVE ID: CVE-2023-7070
CVSS Score: 6.4 (Medium)
Patch Status: Patched
Affected Software: Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates
CVE ID: CVE-2023-7071
CVSS Score: 6.4 (Medium)
Patch Status: Patched
Football pool <= 2.11.3 – Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Software: Football Pool
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Patch Status: Patched
ARMember <= 4.0.22 – Cross-Site Request Forgery
Affected Software: ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup
CVE ID: CVE-2023-52200
CVSS Score: 6.3 (Medium)
Patch Status: Patched
WooCommerce < 8.4.0 – Reflected Cross-Site Scripting
Affected Software: WooCommerce
CVE ID: CVE Unknown
CVSS Score: 6.1 (Medium)
Patch Status: Patched
Profile Builder Pro <= 3.10.0 – Reflected Cross-Site Scripting
Affected Software: Profile Builder Pro
CVE ID: CVE-2024-22142
CVSS Score: 6.1 (Medium)
Patch Status: Patched
Shortcodes Finder <= 1.5.4 – Reflected Cross-Site Scripting
Affected Software: Shortcodes Finder
CVE ID: CVE-2024-21750
CVSS Score: 6.1 (Medium)
Patch Status: Unpatched
Advanced Woo Search <= 2.96 – Reflected Cross-Site Scripting
Affected Software: Advanced Woo Search
CVE ID: CVE-2024-0251
CVSS Score: 6.1 (Medium)
Patch Status: Patched
Voting Record <= 2.0 – Cross-Site Request Forgery to Settings Update and Cross-Site Scripting
Affected Software: Voting Record
CVE ID: CVE-2023-7083
CVSS Score: 6.1 (Medium)
Patch Status: Unpatched
Auto Affiliate Links <= 6.4.2.7 – Cross-Site Request Forgery
Affected Software: Auto Affiliate Links
CVE ID: CVE Unknown
CVSS Score: 5.8 (Medium)
Patch Status: Patched
Metform Elementor Contact Form Builder <= 3.8.1 – Cross-Site Request Forgery
Affected Software: Metform Elementor Contact Form Builder
CVE ID: CVE-2023-6788
CVSS Score: 5.4 (Medium)
Patch Status: Patched
Affected Software: Schema & Structured Data for WP & AMP
CVE ID: CVE-2024-22146
CVSS Score: 5.4 (Medium)
Patch Status: Patched
RabbitLoader <= 2.19.13 – Missing Authorization via multiple AJAX actions
Affected Software: RabbitLoader
CVE ID: CVE-2024-21751
CVSS Score: 5.4 (Medium)
Patch Status: Patched
Affected Software: MailerLite – WooCommerce integration
CVE ID: CVE-2023-52223
CVSS Score: 5.4 (Medium)
Patch Status: Patched
Affected Software: Contact Form 7 Extension For Mailchimp
CVE ID: CVE-2024-22134
CVSS Score: 5.4 (Medium)
Patch Status: Unpatched
Paid Memberships Pro <= 2.12.6 – Information Exposure in Debug Logs
Affected Software: Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Patch Status: Patched
Seraphinite Accelerator <= 2.20.45 – Unauthenticated Sensitive Information Exposure via Log File
Affected Software: Seraphinite Accelerator
CVE ID: CVE-2024-22138
CVSS Score: 5.3 (Medium)
Patch Status: Unpatched
WordPress Manutenção <= 1.0.6 – IP Spoofing to Maintenance Mode Bypass
Affected Software: WordPress Manutenção
CVE ID: CVE-2024-22139
CVSS Score: 5.3 (Medium)
Patch Status: Unpatched
The Events Calendar <= 6.2.8.2 – Unauthenticated Sensitive Information Exposure
Affected Software: The Events Calendar
CVE ID: CVE-2023-6557
CVSS Score: 5.3 (Medium)
Patch Status: Patched
ElementsKit Lite <= 3.0.3 – Unauthenticated Sensitive Information Exposure
Affected Software: ElementsKit Elementor addons
CVE ID: CVE-2023-6582
CVSS Score: 5.3 (Medium)
Patch Status: Patched
Newsletter <= 8.0.6 – Cross-Site Request Forgery
Affected Software: Newsletter – Send awesome emails from WordPress
CVE ID: CVE Unknown
CVSS Score: 4.7 (Medium)
Patch Status: Patched
Contest Gallery <= 21.2.8.4 – Cross-Site Request Forgery
Affected Software: Photos and Files Contest Gallery – Contact Form, Upload Form, Social Share and Voting Plugin for WordPress
CVE ID: CVE Unknown
CVSS Score: 4.7 (Medium)
Patch Status: Patched
Formidable Forms <= 6.7 – Authenticated (Administrator+) Stored Cross-Site Scripting
Affected Software: Formidable Forms – Contact Form, Survey, Quiz, Payment, Calculator Form & Custom Form Builder
CVE ID: CVE-2023-6842
CVSS Score: 4.4 (Medium)
Patch Status: Patched
Woocommerce Vietnam Checkout <= 2.0.8 – Authenticated (Admin+) Stored Cross-Site Scripting
Affected Software: Woocommerce Vietnam Checkout
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Patch Status: Patched
Affected Software: WordPress Button Plugin MaxButtons
CVE ID: CVE-2023-6594
CVSS Score: 4.4 (Medium)
Patch Status: Patched
Swift SMTP <= 5.0.6 – Cross-Site Request Forgery
Affected Software: Swift SMTP (formerly Welcome Email Editor)
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Patch Status: Patched
LiveChat Elementor <= 1.0.13 – Cross-Site Request Forgery
Affected Software: WordPress Live Chat Plugin for Elementor – LiveChat
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Patch Status: Patched
Affected Software: Gallery Plugin for WordPress – Envira Photo Gallery
CVE ID: CVE-2023-6742
CVSS Score: 4.3 (Medium)
Patch Status: Patched
InstaWP Connect <= 0.1.0.8 – Cross-Site Request Forgery via create_file_db_manager
Affected Software: InstaWP Connect – 1-click WP Staging & Migration
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Patch Status: Patched
Seraphinite Alternative Slugs Manager <= 1.3 – Cross-Site Request Forgery
Affected Software: Seraphinite Alternative Slugs Manager
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Patch Status: Patched
MailerLite – WooCommerce integration <= 2.0.8 – Missing Authorization via Multiple Functions
Affected Software: MailerLite – WooCommerce integration
CVE ID: CVE-2023-52227
CVSS Score: 4.3 (Medium)
Patch Status: Patched
LiveChat WooCommerce <= 2.2.16 – Cross-Site Request Forgery
Affected Software: WordPress Live Chat Plugin for WooCommerce – LiveChat
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Patch Status: Patched
Advanced Flamingo <= 1.0 – Cross-Site Request Forgery
Affected Software: Advanced Flamingo
CVE ID: CVE-2023-52226
CVSS Score: 4.3 (Medium)
Patch Status: Unpatched
WP Spell Check <= 9.17 – Cross-Site Request Forgery
Affected Software: WP Spell Check
CVE ID: CVE-2024-22143
CVSS Score: 4.3 (Medium)
Patch Status: Patched
Contact Form 7 – Dynamic Text Extension <= 4.1.0 – Insecure Direct Object Reference
Affected Software: Contact Form 7 – Dynamic Text Extension
CVE ID: CVE-2023-6630
CVSS Score: 4.3 (Medium)
Patch Status: Patched
Contact Form 7 Connector <= 1.2.2 – Cross-Site Request Forgery
Affected Software: Contact Form 7 Connector
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Patch Status: Patched
Products & Order Export for WooCommerce <= 2.0.7 – Missing Authorization
Affected Software: Products, Order & Customers Export for WooCommerce
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Patch Status: Patched
Droit Elementor Addons <= 3.1.5 – Cross-Site Request Forgery
Affected Software: Droit Elementor Addons – Widgets, Blocks, Templates Library For Elementor Builder
CVE ID: CVE-2024-22136
CVSS Score: 4.3 (Medium)
Patch Status: Unpatched
WPS Hide Login <= 1.9.11 – Hidden Login Page Location Disclosure
Affected Software: WPS Hide Login
CVE ID: CVE-2023-49748
CVSS Score: 3.7 (Low)
Patch Status: Unpatched
Image by pikisuperstar on Freepik