Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in avalex GmbH avalex – Automatically secure legal texts plugin <= 3.0.3 versions.

**Solution**

Update the WordPress avalex plugin to the latest available version (at least 3.0.4).

Rio Darmawan discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress avalex Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 3.0.4.

**No other known vulnerabilities for this plugin**Report

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2023-25059: WordPress avalex plugin <= 3.0.3 - Cross Site Scripting (XSS) - Patchstack

Auth. (admin+) Cross-Site Scripting (XSS) vulnerability in Veribo, Roland Murg WP Booking System – Booking Calendar plugin <= 2.0.18 versions.

**Solution**

Update the WordPress WP Booking System plugin to the latest available version (at least 2.0.18.1).

Found this useful? Thank Abdi Pranata for reporting this vulnerability. Buy a coffee ☕

Abdi Pranata discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress WP Booking System Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 2.0.18.1.

**2 other known vulnerabilities for this plugin**To plugin page

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2023-24402: WordPress WP Booking System – Booking Calendar plugin <= 2.0.18 - Cross Site Scripting (XSS) vulnerability - Patchstack

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Kiboko Labs Arigato Autoresponder and Newsletter plugin <= 2.7.1.1 versions.

**Solution**

Update the WordPress Arigato Autoresponder and Newsletter plugin to the latest available version (at least 2.7.1.2).

Rafshanzani Suhada discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Arigato Autoresponder and Newsletter Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 2.7.1.2.

**5 other known vulnerabilities for this plugin**To plugin page

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2023-25061: WordPress Arigato Autoresponder and Newsletter plugin <= 2.7.1.1 - Cross Site Scripting (XSS) - Patchstack

[PUSHED PREMATURELY] Information temporarily redacted until it should be made public.

**From Innovator to Enterprise****Trust The Global Leaders in WordPress Security**

View Our Products

**A Comprehensive Security Solution For WordPress**

Wordfence is a global team of WordPress security analysts, threat researchers, software engineers, and support staff. We are the leaders in our field, and we focus exclusively on securing WordPress websites, and on WordPress security research. We provide 24-hour service, 365 days a year for mission-critical websites, with a 1 hour response time via Wordfence Response. To learn more about our products, check out our Product Comparison Page.

**Login Security**

Wordfence leads the industry in login security controls, including brute force protection, XMLRPC protection, reCAPTCHA to block automated attacks, and IP access control.

**Centralized Management**

Centralized security events and template-based security configuration management, 100% free. Our customers constantly tell us that Wordfence Central is too good to be true. Even users of the free version of Wordfence get full access to Wordfence Central at no cost.

**24/7 Incident Response Team**

Wordfence Care and Response customers receive hands-on support to install, configure, and optimize Wordfence along with continuous security monitoring from our team. Wordfence Response customers get 24/7 support and monitoring with a 1-hour response time.

**Two-Factor Authentication**

Two-factor authentication or 2FA has become a standard requirement for any secure service. Wordfence provides robust 2FA for your admins and users using secure open standards.

**Malware Scan**

Wordfence maintains the largest WordPress-specific malware database in the world. Using this intelligence trove, we produce malware signatures to block intrusion attempts, detect malicious activity, and provide robust security for your WordPress site.

**The Wordfence Firewall**

The Wordfence Threat Intelligence Team continuously discovers new vulnerabilities in WordPress core, plugins, and themes. We immediately release new firewall rules that protect against these vulnerabilities, which are deployed in real-time to our paid customers providing the best available intrusion prevention for WordPress.

**It's All About The Data**

Our unique data is what makes Wordfence so effective. Premium, Care, and Response customers receive real-time updates to protection and detection rules.

**Total Attacks Blocked****9,856,826,927**

**Malicious IPs Blocklisted****180,705**

**Wordfence Intelligence Weekly WordPress Vulnerability Report (Mar 27, 2023 to Apr 2, 2023)**

Last week, there were 82 vulnerabilities disclosed in 70 WordPress Plugins and 1 WordPress theme that have been added to the Wordfence Intelligence Vulnerability Database, and there were 34 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected. Our mission with …  
Read More

**Wordfence Intelligence Weekly WordPress Vulnerability Report (Mar 20, 2023 to Mar 26, 2023)**

Last week, there were 80 vulnerabilities disclosed in 69 WordPress Plugins and 1 WordPress theme that have been added to the Wordfence Intelligence Vulnerability Database, and there were 31 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected. Our mission with …  
Read More

**PSA: Update Now! Critical Authentication Bypass in WooCommerce Payments Allows Site Takeover**

This post has been updated with additional information that has become available since its publication The Wordfence Threat Intelligence team regularly monitors plugin updates and reviews any indicating that a potential security issue may have been addressed. Today, March 23, 2023, we noticed that the “WooCommerce Payments – Fully Integrated Solution Built and Supported by …  
Read More

**Wordfence Intelligence Weekly WordPress Vulnerability Report (Mar 13, 2023 to Mar 19, 2023)**

Last week, there were 92 vulnerabilities disclosed in 76 WordPress Plugins and 7 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 34 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.   Our mission …  
Read More

**Multiple Reflected Cross-Site Scripting Vulnerabilities in Three WordPress Plugins Patched**

The Wordfence Threat Intelligence Team recently disclosed several Reflected Cross-Site Scripting vulnerabilities that we discovered in three different plugins – Watu Quiz (installed on 5,000 sites), GN-Publisher (installed on 40,000 sites), and Japanized For WooCommerce (installed on 10,000 sites). As with all Reflected Cross-Site Scripting vulnerabilities, these could be leveraged for a complete site takeover …  
Read More

**Wordfence Intelligence Weekly WordPress Vulnerability Report (Mar 6, 2023 to Mar 12, 2023)**

Last week, there were 60 vulnerabilities disclosed in 40 WordPress Plugins and 1 WordPress theme that have been added to the Wordfence Intelligence Vulnerability Database, and there were 16 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected. Our mission with …  
Read More

**The Official Wordfence Mailing List**

Receive WordPress security news before publication.

*   **Wordfence is the best!**
    
    I’ve been using Wordfence for some time now on 6 of my sites. It works extremely well and provides me with the protection from intruders that I need. I’ve only had a couple of minor issues, mostly caused by my lack of experience, but the support at Wordfence has been great at helping me out of a jam. I highly recommend the plugin, and purchasing the upgrade to the pro version is worth every penny. The plugin is easy to install and setup is simple. And.. if your host is GoDaddy, it is one of their recommended plugin partners.
    
*   **Amazing, Must-have for WP Site security**
    
    My small business WP Site got hacked (built, installed and maintained by me) and a cryptocurrency miner was hidden somewhere in my code.
    
    I spent a week trying to eliminate that code, and my Host also looked for it, without success, meanwhile I looked like a jerk trying to mine cryptocurrency from clients and potential clients!
    
    I tried several other WP security plugins, and web scan sites, but none could find or fix my problem.
    
    I downloaded and installed Wordfence, it found and repaired my problem in less than 5 minutes!
    
    I’ve since enabled many of its additional features and have been stunned to learn just how many attempts there are daily to log into my page! No wonder it got hacked. Some jerk even set up a new username for himself!
    
    Anyhow, I’ll never have any other WP page without Wordfence, and neither should you!
    
    Amazing plugin, very simple and very powerful.
    
*   **Wordfence site-cleaning team saved my client big time**
    
    I’ve have the Wordfence plugin (free version) on dozens of my personal and client sites for a few years. Easy to install and configure, it’s blocked many attacks and I’ve never had a site hacked that had it. On one client site, we didn’t use it, they got hacked and it was nasty, they sell tickets to their events and their payment system stopped taking payments (and gave some customers virus/malware).
    
    Not just one site, but the client’s entire hosting account was infected. I contacted Wordfence for a site cleaning and they got on it right away. In two days, the site was cleaned and taking payments again. Wordfence running on the sites after the cleaning reported a malware backdoor in my wptwin site-cloning script. I sent the report and the wptwin.php script to the security analyst who cleaned the site and within a few hours, he replied that indeed this was a false positive. That was great service and set me at ease that the client’s site had not become re-infected.
    
*   **Awesome**
    
    Wordfence is my favourite WordPress plugin. Immediately installed on all my client’s sites. Saved my bacon numerous times.
    
*   **Fantastic Support – The Best Solution for a Hacked Website**
    
    If you know the horror of having your website hacked, you know the mountain of stress that comes with it. Even worse is trying to find a solution to fix your hacked website for a reasonable price without being overly sold to. This is where WordFence comes in to save the day.
    
    They very quickly and thoroughly fixed my hacked website, keeping me updated with the status at all times. I also received a long report detailing what was hacked, how it was fixed, and instructions to secure my website from future hacks. In a matter of days, my site was unblacklisted by Google and I’m back in business!
    
    While I can’t yet speak to how well WordFence secures your website from hacks, I can say that they have been the best solution for fixing my hacked website. Based on that experience, I have no problem entrusting them with securing my website going forward.
    
    THANK YOU WORDFENCE! It was worth every penny.
    
*   **Excellent support and the best security plugin**
    
    We have been using Wordfence (free version) for years on all our 100+ WordPress websites. We haven’t had any hacked websites since then. Just recently we purchased the premium license to increase the security of our websites even more. We had some questions regarding a multi WP install on the same domain in various subfolders and received timely and professional support within a day. Everything is setup properly now and we sleep quietly at night knowing that it’s all secured.
    
*   **Awesome Plugin and Premium Support**
    
    Wordfence Premium has provided excellent customer service. The plugin is easy to use, and the premium support is friendly and informative. Very happy with their service.
    
*   **Wordfence review**
    
    Wordfence is a top-notch plugin, even the free version has tons on functions. I strongly recommend it for not only the newbie web-designer but also the experienced one as well. It is undoubtedly a great product.
    
*   **Thank you very much for providing such a good plugin and service**
    
    Having researched and trialed various security plugins Wordfence wins hands down each time. All our websites are running Wordfence Premium and this plugin has served us very well for several years and the support team are second to none. As a small business there are an array of tasks to take care of and it is a very small price to pay for Wordfence Premium to take care of an extremely important task and is worth every penny.
    
    A reliable security plugin is paramount but it goes without saying this must be backed up by a good technical support team who can assist you when there is a problem. The Wordfence technical support goes beyond the call of duty and their knowledge is very reassuring when things go awry with your website.
    
    Phil provided an excellent service giving us the confidence we are with the right people who really know what they are doing and can explain and assist in a very succinct, knowledgeable and helpful manner.
    
    Having numerous plugins running on a WordPress website can result in all manner of conflicts, never mind issues that maybe caused by the hosting services used which can be a nightmare to unravel without the right technical support at hand.
    
    Wordfence not only protects your website from being hacked but provides a wealth of advice and excellent technical support when needed. Thank you very much for providing such a good service.
    
*   **Best Money I Spend!**
    
    Wordfence is by far the best and most important plug-in I have installed on every site I maintain. The free version is good, but the premium version is worth every penny and more. In fact, I refuse to create or maintain a site without it.

CVE-2023-1931: WordPress Security Plugin | Wordfence

The WP Fastest Cache plugin for WordPress is vulnerable to unauthorized data loss due to a missing capability check on the deleteCssAndJsCacheToolbar function in versions up to, and including, 1.1.2. This makes it possible for authenticated attackers with subscriber-level access to perform cache deletion.

CVE-2023-1931

The WP Fastest Cache plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the wpfc_preload_single_callback function in versions up to, and including, 1.1.2. This makes it possible for authenticated attackers with subscriber-level access to initiate cache creation.

CVE-2023-1928

The WP Fastest Cache plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.2. This is due to missing or incorrect nonce validation on the deleteCssAndJsCacheToolbar function. This makes it possible for unauthenticated attackers to perform cache deletion via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE-2023-1927

The WP Fastest Cache plugin for WordPress is vulnerable to unauthorized data deletion due to a missing capability check on the wpfc_clear_cache_of_allsites_callback function in versions up to, and including, 1.1.2. This makes it possible for authenticated attackers with subscriber-level access to delete caches.

CVE-2023-1930

The WP Fastest Cache plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the wpfc_purgecache_varnish_callback function in versions up to, and including, 1.1.2. This makes it possible for authenticated attackers with subscriber-level access to purge the varnish cache.

This record contains material that is subject to copyright.

**Copyright 2012-2023 Defiant Inc.**

**License:** Defiant hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute this software vulnerability information. Any copy of the software vulnerability information you make for such purposes is authorized provided that you include a hyperlink to this vulnerability record and reproduce Defiant's copyright designation and this license in any such copy. **Read more.**

**Copyright 1999-2023 The MITRE Corporation**

**License:** CVE Usage: MITRE hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Common Vulnerabilities and Exposures (CVE®). Any copy you make for such purposes is authorized provided that you reproduce MITRE's copyright designation and this license in any such copy. **Read more.**

Have information to add, or spot any errors? Contact us at wfi-support@wordfence.com so we can make any appropriate adjustments.

CVE-2023-1929: WP Fastest Cache <= 1.1.2 - Missing Authorization in 'wpfc_purgecache_varnish_callback' — Wordfence Intelligence

*   **wp-fastest-cache/trunk/wpFastestCache.php**
    
    r2886944
    
    r2893158
    
     
    
    410
    
    410
    
    411
    
    411
    
            public function wpfc\_preload\_single\_callback(){
    
     
    
    412
    
                if(!wp\_verify\_nonce($\_REQUEST\["nonce"\], 'wpfc')){
    
     
    
    413
    
                    die( 'Security check' );
    
     
    
    414
    
                }
    
     
    
    415
    
    412
    
    416
    
                include\_once('inc/single-preload.php');
    
    413
    
    417
    
                SinglePreloadWPFC::create\_cache();
    
    …
    
    …
    
     
    
    425
    
    429
    
    426
    
    430
    
            public function wpfc\_preload\_single\_save\_settings\_callback(){
    
     
    
    431
    
                if(!wp\_verify\_nonce($\_REQUEST\["nonce"\], 'wpfc')){
    
     
    
    432
    
                    die( 'Security check' );
    
     
    
    433
    
                }
    
     
    
    434
    
    427
    
    435
    
                include\_once('inc/single-preload.php');
    
    428
    
    436
    
                SinglePreloadWPFC::save\_settings();
    
    …
    
    …
    
     
    
    503
    
    511
    
    504
    
    512
    
            public function wpfc\_db\_statics\_callback(){
    
     
    
    513
    
                if(!wp\_verify\_nonce($\_REQUEST\["nonce"\], 'wpfc')){
    
     
    
    514
    
                    die( 'Security check' );
    
     
    
    515
    
                }
    
     
    
    516
    
               
    
    505
    
    517
    
                global $wpdb;
    
    506
    
    518
    
    …
    
    …
    
     
    
    572
    
    584
    
    573
    
    585
    
            public function wpfc\_save\_cdn\_integration\_ajax\_request\_callback(){
    
     
    
    586
    
                if(!wp\_verify\_nonce($\_REQUEST\["nonce"\], 'cdn-nonce')){
    
     
    
    587
    
                    die( 'Security check' );
    
     
    
    588
    
                }
    
     
    
    589
    
    574
    
    590
    
                include\_once('inc/cdn.php');
    
    575
    
    591
    
                CdnWPFC::save\_cdn\_integration();
    
    …
    
    …
    
     
    
    577
    
    593
    
    578
    
    594
    
            public function wpfc\_start\_cdn\_integration\_ajax\_request\_callback(){
    
     
    
    595
    
                if(!wp\_verify\_nonce($\_REQUEST\["nonce"\], 'cdn-nonce')){
    
     
    
    596
    
                    die( 'Security check' );
    
     
    
    597
    
                }
    
     
    
    598
    
    579
    
    599
    
                include\_once('inc/cdn.php');
    
    580
    
    600
    
                CdnWPFC::start\_cdn\_integration();
    
    …
    
    …
    
     
    
    582
    
    602
    
    583
    
    603
    
            public function wpfc\_pause\_cdn\_integration\_ajax\_request\_callback(){
    
     
    
    604
    
                if(!wp\_verify\_nonce($\_REQUEST\["nonce"\], 'cdn-nonce')){
    
     
    
    605
    
                    die( 'Security check' );
    
     
    
    606
    
                }
    
     
    
    607
    
    584
    
    608
    
                include\_once('inc/cdn.php');
    
    585
    
    609
    
                CdnWPFC::pause\_cdn\_integration();
    
    …
    
    …
    
     
    
    587
    
    611
    
    588
    
    612
    
            public function wpfc\_remove\_cdn\_integration\_ajax\_request\_callback(){
    
     
    
    613
    
                if(!wp\_verify\_nonce($\_REQUEST\["nonce"\], 'cdn-nonce')){
    
     
    
    614
    
                    die( 'Security check' );
    
     
    
    615
    
                }
    
     
    
    616
    
               
    
    589
    
    617
    
                include\_once('inc/cdn.php');
    
    590
    
    618
    
                CdnWPFC::remove\_cdn\_integration();
    
    …
    
    …
    
     
    
    662
    
    690
    
    663
    
    691
    
            public function wpfc\_purgecache\_varnish\_callback(){
    
     
    
    692
    
                if(!wp\_verify\_nonce($\_REQUEST\["security"\], 'wpfc-varnish-ajax-nonce')){
    
     
    
    693
    
                    die( 'Security check' );
    
     
    
    694
    
                }
    
     
    
    695
    
    664
    
    696
    
                if($varnish\_datas = get\_option("WpFastestCacheVarnish")){
    
    665
    
    697
    
                    include\_once('inc/varnish.php');
    
    …
    
    …
    
     
    
    865
    
    897
    
    866
    
    898
    
            public function deleteCacheToolbar(){
    
     
    
    899
    
                if(!wp\_verify\_nonce($\_REQUEST\["nonce"\], 'wpfc')){
    
     
    
    900
    
                    die( 'Security check' );
    
     
    
    901
    
                }
    
     
    
    902
    
    867
    
    903
    
                $this->deleteCache();
    
    868
    
    904
    
            }
    
    869
    
    905
    
    870
    
    906
    
            public function deleteCssAndJsCacheToolbar(){
    
     
    
    907
    
                if(!wp\_verify\_nonce($\_REQUEST\["nonce"\], 'wpfc')){
    
     
    
    908
    
                    die( 'Security check' );
    
     
    
    909
    
                }
    
     
    
    910
    
               
    
    871
    
    911
    
                $this->deleteCache(true);
    
    872
    
    912
    
            }
    
    …
    
    …
    
     
    
    911
    
    951
    
    912
    
    952
    
            public function wpfc\_toolbar\_save\_settings\_callback(){
    
     
    
    953
    
                if(!wp\_verify\_nonce($\_REQUEST\["nonce"\], 'wpfc')){
    
     
    
    954
    
                    die( 'Security check' );
    
     
    
    955
    
                }
    
     
    
    956
    
    913
    
    957
    
                if(current\_user\_can('manage\_options')){
    
    914
    
    958
    
                    if(is\_array($\_GET\["roles"\]) && !empty($\_GET\["roles"\])){
    
    …
    
    …
    
     
    
    939
    
    983
    
    940
    
    984
    
            public function wpfc\_clear\_cache\_of\_allsites\_callback(){
    
     
    
    985
    
     
    
    986
    
                if(defined('DOING\_AJAX') && DOING\_AJAX){
    
     
    
    987
    
                    if(!wp\_verify\_nonce($\_REQUEST\["nonce"\], 'wpfc')){
    
     
    
    988
    
                        die( 'Security check' );
    
     
    
    989
    
                    }
    
     
    
    990
    
                }
    
     
    
    991
    
    941
    
    992
    
                include\_once('inc/cdn.php');
    
    942
    
    993
    
                CdnWPFC::cloudflare\_clear\_cache();

Tag

#wordpress