vulnerabilities in plugins and themes

WordPress Plugins and Themes with Vulnerabilities Jan24

by

Last week there were 67 vulnerabilities found in 60 WordPress Plugins

Type of vulnerability:

Cross-site scripting, SQL Injection, Unauthorized Actions, Cross-site Request Forgery, etc.

Contact Us to find more Be sure to mention the name of the plugin or theme you want to know about.

Vulnerable Plugins

Barcode Scanner with Inventory & Order Manager <= 1.5.1 – Unauthenticated Arbitrary File Upload via uploadFile

Affected Software: Simple Inventory Management – just scan barcodes to manage products and orders. For WooCommerce
CVE ID: CVE-2023-52221
CVSS Score: 9.8 (Critical)
Patch Status: Patched

Customer Reviews for WooCommerce <= 5.38.9 – Authenticated (Author+) Arbitrary File Upload

Affected SoftwareCustomer Reviews for WooCommerce
CVE ID: CVE-2023-6979
CVSS Score: 9.8 (Critical)
Patch Status: Patched

AI Engine: ChatGPT Chatbot <= 1.9.98 – Unauthenticated Arbitrary File Upload via rest_upload

Affected SoftwareAI Engine: Chatbots, Generators, Assistants, GPT 4 and more!
CVE ID: CVE-2023-51409
CVSS Score: 9.8 (Critical)
Patch Status: Patched

Barcode Scanner with Inventory & Order Manager <= 1.5.1 – Unauthenticated SQL Injection via userToken

Affected SoftwareSimple Inventory Management – just scan barcode to manage products and orders. For WooCommerce
CVE ID: CVE-2023-52215
CVSS Score: 9.8 (Critical)
Patch Status: Patched

POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress <= 2.8.7 – Authorization Bypass via type connect-app API

Affected SoftwarePOST SMTP – The #1 WordPress SMTP Plugin with Advanced Email Logging and Delivery Failure Notifications
CVE ID: CVE-2023-6875
CVSS Score: 9.8 (Critical)
Patch Status: Patched

WP Testimonials <= 1.4.4 – Authenticated (Contributor+) SQL Injection

Affected SoftwareWP Testimonials
CVE ID: CVE Unknown
CVSS Score: 8.8 (High)
Patch Status: Patched

WP Register Profile With Shortcode <= 3.5.9 – Cross-Site Request Forgery to User Password Reset

Affected SoftwareWP Register Profile With Shortcode
CVE ID: CVE-2023-5448
CVSS Score: 8.8 (High)
Patch Status: Patched

Profile Builder Pro <= 3.10.0 – Cross-Site Request Forgery

Affected SoftwareProfile Builder Pro
CVE ID: CVE-2024-22140
CVSS Score: 8.8 (High)
Patch Status: Patched

Download Monitor <= 4.9.4 – Authenticated (Admin+) SQL Injection

Affected SoftwareDownload Monitor
CVE ID: CVE Unknown
CVSS Score: 7.2 (High)
Patch Status: Patched

Order Export & Order Import for WooCommerce <= 2.4.3 – Authenticated (Shop Manager+) Arbitrary File Upload via upload_import_file

Affected SoftwareOrder Export & Order Import for WooCommerce
CVE ID: CVE-2024-22135
CVSS Score: 7.2 (High)
Patch Status: Patched

PDF Invoices & Packing Slips for WooCommerce <= 3.7.5 – Authenticated (Shop Manager+) SQL Injection

Affected SoftwarePDF Invoices & Packing Slips for WooCommerce
CVE ID: CVE-2024-22147
CVSS Score: 7.2 (High)
Patch Status: Patched

Index Now <= 2.6.3 – Cross-Site Request Forgery via reset_form

Affected SoftwareIndex Now
CVE ID: CVE-2024-0428
CVSS Score: 7.1 (High)
Patch Status: Patched

EventON – WordPress Virtual Event Calendar Plugin Pro <= 4.5.4 & Free <= 2.2.7 – Missing Authorization to Arbitrary Post Meta Update via evo_eventpost_update_meta

Affected Software/sEventONEventON Pro
CVE ID: CVE-2023-6158
CVSS Score: 6.5 (Medium)
Patch Status: Patched

List category posts <= 0.89.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected SoftwareList category posts
CVE ID: CVE-2023-6994
CVSS Score: 6.5 (Medium)
Patch Status: Patched

EventON – WordPress Virtual Event Calendar Plugin <= 4.5.4 (Pro) & <= 2.2.8 (Free) – Cross-Site Request Forgery via save_virtual_event_settings

Affected Software/sEventONEventON Pro
CVE ID: CVE-2023-6244
CVSS Score: 6.5 (Medium)
Patch Status: Patched

Profile Builder Pro <= 3.10.0 – Authenticated (Subscriber+) Time-Based One-Time Password Sensitive Information Exposure

Affected SoftwareProfile Builder Pro
CVE ID: CVE-2024-22141
CVSS Score: 6.5 (Medium)
Patch Status: Patched

Word Replacer Pro <= 1.0 – Missing Authorization

Affected SoftwareWord Replacer Pro
CVE ID: CVE-2023-52229
CVSS Score: 6.5 (Medium)
Patch Status: Unpatched

GD Rating System <= 3.5.0 – Unauthenticated Stored Cross-Site Scripting via IP

Affected SoftwareGD Rating System
CVE ID: CVE Unknown
CVSS Score: 6.5 (Medium)
Patch Status: Patched

EventON – WordPress Virtual Event Calendar Plugin Pro <= 4.5.4 & Free <= 2.2.7 – Cross-Site Request Forgery via evo_eventpost_update_meta

Affected Software/sEventONEventON Pro
CVE ID: CVE-2023-6242
CVSS Score: 6.5 (Medium)
Patch Status: Patched

Formidable Forms <= 6.7 – HTML Injection

Affected SoftwareFormidable Forms – Contact Form, Survey, Quiz, Payment, Calculator Form & Custom Form Builder
CVE ID: CVE-2023-6830
CVSS Score: 6.5 (Medium)
Patch Status: Patched

Happy Elementor Addons <= 3.10.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected SoftwareHappy Addons for Elementor
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Patch Status: Patched

Voting Record <= 2.0 – Authenticated (Subscriber+) Stored Cross-Site Scripting

Affected SoftwareVoting Record
CVE ID: CVE-2023-7084
CVSS Score: 6.4 (Medium)
Patch Status: Unpatched

OneClick Chat to Order <= 1.0.5 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected SoftwareOneClick Chat to Order
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Patch Status: Patched

Beds24 Online Booking <= 2.0.23 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected SoftwareBeds24 Online Booking
CVE ID: CVE-2023-52228
CVSS Score: 6.4 (Medium)
Patch Status: Unpatched

TNC PDF viewer <= 2.8.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected SoftwareTNC PDF viewer
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Patch Status: Patched

Constant Contact Forms by MailMunch <= 2.0.11 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected SoftwareConstant Contact Forms by MailMunch
CVE ID: CVE-2024-22137
CVSS Score: 6.4 (Medium)
Patch Status: Unpatched

Plugin for Google Reviews <= 3.1 – Authenticated(Contributor+) Stored Cross-Site Scripting via shortcode

Affected SoftwarePlugin for Google Reviews
CVE ID: CVE-2023-6884
CVSS Score: 6.4 (Medium)
Patch Status: Patched

WP SMS <= 6.5.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected SoftwareWP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Patch Status: Patched

Email Encoder – Protect Email Addresses and Phone Numbers <= 2.1.9 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected SoftwareEmail Encoder – Protect Email Addresses and Phone Numbers
CVE ID: CVE-2023-7070
CVSS Score: 6.4 (Medium)
Patch Status: Patched

Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates <= 4.4.6 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected SoftwareEssential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates
CVE ID: CVE-2023-7071
CVSS Score: 6.4 (Medium)
Patch Status: Patched

Football pool <= 2.11.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected SoftwareFootball Pool
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Patch Status: Patched

ARMember <= 4.0.22 – Cross-Site Request Forgery

Affected SoftwareARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup
CVE ID: CVE-2023-52200
CVSS Score: 6.3 (Medium)
Patch Status: Patched

WooCommerce < 8.4.0 – Reflected Cross-Site Scripting

Affected SoftwareWooCommerce
CVE ID: CVE Unknown
CVSS Score: 6.1 (Medium)
Patch Status: Patched

Profile Builder Pro <= 3.10.0 – Reflected Cross-Site Scripting

Affected SoftwareProfile Builder Pro
CVE ID: CVE-2024-22142
CVSS Score: 6.1 (Medium)
Patch Status: Patched

Shortcodes Finder <= 1.5.4 – Reflected Cross-Site Scripting

Affected SoftwareShortcodes Finder
CVE ID: CVE-2024-21750
CVSS Score: 6.1 (Medium)
Patch Status: Unpatched

Advanced Woo Search <= 2.96 – Reflected Cross-Site Scripting

Affected SoftwareAdvanced Woo Search
CVE ID: CVE-2024-0251
CVSS Score: 6.1 (Medium)
Patch Status: Patched

Voting Record <= 2.0 – Cross-Site Request Forgery to Settings Update and Cross-Site Scripting

Affected SoftwareVoting Record
CVE ID: CVE-2023-7083
CVSS Score: 6.1 (Medium)
Patch Status: Unpatched

Auto Affiliate Links <= 6.4.2.7 – Cross-Site Request Forgery

Affected SoftwareAuto Affiliate Links
CVE ID: CVE Unknown
CVSS Score: 5.8 (Medium)
Patch Status: Patched

Metform Elementor Contact Form Builder <= 3.8.1 – Cross-Site Request Forgery

Affected SoftwareMetform Elementor Contact Form Builder
CVE ID: CVE-2023-6788
CVSS Score: 5.4 (Medium)
Patch Status: Patched

Schema & Structured Data for WP & AMP <= 1.25 – Authenticated (Contributor+) Stored Cross-Site Scripting

Affected SoftwareSchema & Structured Data for WP & AMP
CVE ID: CVE-2024-22146
CVSS Score: 5.4 (Medium)
Patch Status: Patched

RabbitLoader <= 2.19.13 – Missing Authorization via multiple AJAX actions

Affected SoftwareRabbitLoader
CVE ID: CVE-2024-21751
CVSS Score: 5.4 (Medium)
Patch Status: Patched

MailerLite – WooCommerce integration <= 2.0.8 – Cross-Site Request Forgery via Multiple AJAX Functions

Affected SoftwareMailerLite – WooCommerce integration
CVE ID: CVE-2023-52223
CVSS Score: 5.4 (Medium)
Patch Status: Patched

Contact Form 7 Extension For Mailchimp <= 0.5.70 – Authenticated (Subscriber+) Server-Side Request Forgery

Affected SoftwareContact Form 7 Extension For Mailchimp
CVE ID: CVE-2024-22134
CVSS Score: 5.4 (Medium)
Patch Status: Unpatched

Paid Memberships Pro <= 2.12.6 – Information Exposure in Debug Logs

Affected SoftwarePaid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Patch Status: Patched

Seraphinite Accelerator <= 2.20.45 – Unauthenticated Sensitive Information Exposure via Log File

Affected SoftwareSeraphinite Accelerator
CVE ID: CVE-2024-22138
CVSS Score: 5.3 (Medium)
Patch Status: Unpatched

WordPress Manutenção <= 1.0.6 – IP Spoofing to Maintenance Mode Bypass

Affected SoftwareWordPress Manutenção
CVE ID: CVE-2024-22139
CVSS Score: 5.3 (Medium)
Patch Status: Unpatched

The Events Calendar <= 6.2.8.2 – Unauthenticated Sensitive Information Exposure

Affected SoftwareThe Events Calendar
CVE ID: CVE-2023-6557
CVSS Score: 5.3 (Medium)
Patch Status: Patched

ElementsKit Lite <= 3.0.3 – Unauthenticated Sensitive Information Exposure

Affected SoftwareElementsKit Elementor addons
CVE ID: CVE-2023-6582
CVSS Score: 5.3 (Medium)
Patch Status: Patched

Newsletter <= 8.0.6 – Cross-Site Request Forgery

Affected SoftwareNewsletter – Send awesome emails from WordPress
CVE ID: CVE Unknown
CVSS Score: 4.7 (Medium)
Patch Status: Patched

Contest Gallery <= 21.2.8.4 – Cross-Site Request Forgery

Affected SoftwarePhotos and Files Contest Gallery – Contact Form, Upload Form, Social Share and Voting Plugin for WordPress
CVE ID: CVE Unknown
CVSS Score: 4.7 (Medium)
Patch Status: Patched

Formidable Forms <= 6.7 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected SoftwareFormidable Forms – Contact Form, Survey, Quiz, Payment, Calculator Form & Custom Form Builder
CVE ID: CVE-2023-6842
CVSS Score: 4.4 (Medium)
Patch Status: Patched

Woocommerce Vietnam Checkout <= 2.0.8 – Authenticated (Admin+) Stored Cross-Site Scripting

Affected SoftwareWoocommerce Vietnam Checkout
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Patch Status: Patched

WordPress Button Plugin MaxButtons <= 9.7.4 – Authenticated (Administrator+) Stored Cross-Site Scripting

Affected SoftwareWordPress Button Plugin MaxButtons
CVE ID: CVE-2023-6594
CVSS Score: 4.4 (Medium)
Patch Status: Patched

Swift SMTP <= 5.0.6 – Cross-Site Request Forgery

Affected SoftwareSwift SMTP (formerly Welcome Email Editor)
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Patch Status: Patched

LiveChat Elementor <= 1.0.13 – Cross-Site Request Forgery

Affected SoftwareWordPress Live Chat Plugin for Elementor – LiveChat
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Patch Status: Patched

Envira Gallery Lite <= 1.8.7.2 – Missing Authorization to Gallery Modification via envira_gallery_insert_images

Affected SoftwareGallery Plugin for WordPress – Envira Photo Gallery
CVE ID: CVE-2023-6742
CVSS Score: 4.3 (Medium)
Patch Status: Patched

InstaWP Connect <= 0.1.0.8 – Cross-Site Request Forgery via create_file_db_manager

Affected SoftwareInstaWP Connect – 1-click WP Staging & Migration
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Patch Status: Patched

Seraphinite Alternative Slugs Manager <= 1.3 – Cross-Site Request Forgery

Affected SoftwareSeraphinite Alternative Slugs Manager
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Patch Status: Patched

MailerLite – WooCommerce integration <= 2.0.8 – Missing Authorization via Multiple Functions

Affected SoftwareMailerLite – WooCommerce integration
CVE ID: CVE-2023-52227
CVSS Score: 4.3 (Medium)
Patch Status: Patched

LiveChat WooCommerce <= 2.2.16 – Cross-Site Request Forgery

Affected SoftwareWordPress Live Chat Plugin for WooCommerce – LiveChat
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Patch Status: Patched

Advanced Flamingo <= 1.0 – Cross-Site Request Forgery

Affected SoftwareAdvanced Flamingo
CVE ID: CVE-2023-52226
CVSS Score: 4.3 (Medium)
Patch Status: Unpatched

WP Spell Check <= 9.17 – Cross-Site Request Forgery

Affected SoftwareWP Spell Check
CVE ID: CVE-2024-22143
CVSS Score: 4.3 (Medium)
Patch Status: Patched

Contact Form 7 – Dynamic Text Extension <= 4.1.0 – Insecure Direct Object Reference

Affected SoftwareContact Form 7 – Dynamic Text Extension
CVE ID: CVE-2023-6630
CVSS Score: 4.3 (Medium)
Patch Status: Patched

Contact Form 7 Connector <= 1.2.2 – Cross-Site Request Forgery

Affected SoftwareContact Form 7 Connector
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Patch Status: Patched

Products & Order Export for WooCommerce <= 2.0.7 – Missing Authorization

Affected SoftwareProducts, Order & Customers Export for WooCommerce
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Patch Status: Patched

Droit Elementor Addons <= 3.1.5 – Cross-Site Request Forgery

Affected SoftwareDroit Elementor Addons – Widgets, Blocks, Templates Library For Elementor Builder
CVE ID: CVE-2024-22136
CVSS Score: 4.3 (Medium)
Patch Status: Unpatched

WPS Hide Login <= 1.9.11 – Hidden Login Page Location Disclosure

Affected SoftwareWPS Hide Login
CVE ID: CVE-2023-49748
CVSS Score: 3.7 (Low)
Patch Status: Unpatched

Source: https://www.wordfence.com/blog/2023/12/wordfence-intelligence-weekly-wordpress-vulnerability-report-january-4-2024-to-january-14-2024/

Image by pikisuperstar on Freepik

Speed Up your Pages - Fix Core Web Vitals
Business SEO - Rank on the First Page
Subscribe to Newsletter
Grow Your Email List