WordPress Vulnerability Report

This week, 79 vulnerabilities may affect over 6.6 million WordPress sites. There are 55 plugin vulnerabilities and 5 themes with security patches available, so run those updates if you use these plugins! Additionally, there are 19 plugin vulnerabilities with no patch available yet. At least three of these have been closed and dropped from the wordpress.org plugin directory so far. If you are using any unpatched plugins or themes, check their vendors’ intentions and progress on a security release. If no patch is forthcoming or the vulnerable plugin or theme has been closed, you should consider deactivation and removal in favor of alternative solutions.

For reference, these reports are published every Wednesday and include all active vulnerabilities tracked by Patchstack as of Monday since the previous report. This leaves a 48-hour window for the newest emerging vulnerabilities to be patched before full public disclosure. iThemes Security Pro users have access to vulnerability alerts emerging within this window.

No new WordPress core vulnerabilities were disclosed this week.

WordPress core is very secure when it’s properly configured and maintained. Vulnerable plugins that have not been updated by site owners are the most common vector for attacks on WordPress websites. Our weekly WordPress Vulnerability Report, powered by Patchstack, covers new WordPress plugin, theme, and core vulnerabilities that have emerged since last week’s report. Our goal is to spread awareness of emerging security threats and help you decide what to do if you are using vulnerable software on your website. For a deeper analysis of recent trends in WordPress vulnerabilities and threat vectors, see our 2022 Annual Vulnerability Report.

WordPress Core News

WordPress 6.2 is the first major release of 2023, with over 900 enhancements and fixes. You’ll notice a reimagined Site Editor, blocks get even better, and new tools and improvements in WordPress 6.2. As always, with a major release like this, ensure your site is backed up with BackupBuddy before updating.

If your WordPress sites have enabled automatic background updates, they should have upgraded to 6.2 automatically. You can download WordPress 6.2 from WordPress.org, or visit your WordPress Dashboard, click “Updates,” and then click the “Update Now” button, which will appear when any core updates are available. For more information, check out the version 6.2 HelpHub documentation page.

Get the weekly WordPress Vulnerability Report delivered to your inbox each Wednesday.

WordPress Plugin Vulnerabilities with Patches

In this section, you’ll find the most recently disclosed WordPress plugin vulnerabilities that have been fixed with a new release from their authors and maintainers. Please apply the updates if you are affected!

These vulnerabilities have been disclosed and scored for their severity thanks to our friends at Patchstack. Each plugin listing includes the type of vulnerability with its CVE number and CVSS severity rating with links to more technical details. You’ll also see the number of active sites using the plugin and the plugin version release that patches the vulnerability. We start with the most popular plugins, which represent the largest target for attackers.

Advanced Custom Fields

Plugin: Advanced Custom Fields (ACF)
Plugin Slug: advanced-custom-fields
Installations: 2,000,000+
Vulnerability: Authenticated (Contributor+) PHP Object Injection vulnerability
Patched in Version: 6.1.0
Severity Score: High

WPCode

Plugin: WPCode – Insert Headers and Footers + Custom Code Snippets – WordPress Code Manager
Plugin Slug: insert-headers-and-footers
Installations: 1,000,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 2.0.9
Severity Score: Medium
CVE: 2023-1624

WP Fastest Cache

Plugin: WP Fastest Cache
Plugin Slug: wp-fastest-cache
Installations: 1,000,000+
Vulnerability: Multiple Cross Site Request Forgery (CSRF)
Patched in Version: 1.1.3
Severity Score: Medium
CVE: 2023-1926

WP Fastest Cache

Plugin: WP Fastest Cache
Plugin Slug: wp-fastest-cache
Installations: 1,000,000+
Vulnerability: Multiple Missing Authorization
Patched in Version: 1.1.3
Severity Score: Medium
CVE: 2023-1931

Formidable Forms

Plugin: Formidable Forms – Contact Form, Survey, Quiz, Calculator & Custom Form Builder
Plugin Slug: formidable
Installations: 300,000+
Vulnerability: PHP Object Injection
Patched in Version: 6.2
Severity Score: Critical
CVE: 2023-1405

Health Check & Troubleshooting

Plugin: Health Check & Troubleshooting
Plugin Slug: health-check
Installations: 300,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.6.0
Severity Score: Medium
CVE: 2022-47161

PHP Compatibility Checker

Plugin: PHP Compatibility Checker
Plugin Slug: php-compatibility-checker
Installations: 200,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.6.0
Severity Score: Medium
CVE: 2023-24421

SEOPress

Plugin: SEOPress – On-site SEO
Plugin Slug: wp-seopress
Installations: 200,000+
Vulnerability: Authenticated (Administrator+) PHP Object Injection
Patched in Version: 6.5.0.3
Severity Score: Medium

Ajax Search Lite

Plugin: Ajax Search Lite
Plugin Slug: ajax-search-lite
Installations: 70,000+
Vulnerability: Reflected Cross-Site Scripting (XSS)
Patched in Version: 4.11.1
Severity Score: Medium
CVE: 2023-1420

User Registration

Plugin: User Registration – Custom Registration Form, Login Form And User Profile For WordPress
Plugin Slug: user-registration
Installations: 60,000+
Vulnerability: Broken Access Control
Patched in Version: 2.3.3
Severity Score: Medium
CVE: 2023-29429

Amelia

Plugin: Appointment and Event Booking Calendar for WordPress – Amelia
Plugin Slug: ameliabooking
Installations: 50,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.0.76
Severity Score: High
CVE: 2023-29427

Maps Widget for Google Maps

Plugin: Maps Widget for Google Maps
Plugin Slug: google-maps-widget
Installations: 50,000+
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched in Version: 4.25
Severity Score: Medium
CVE: 2023-1913

MapPress Maps for WordPress

Plugin: MapPress Maps for WordPress
Plugin Slug: mappress-google-maps-for-wordpress
Installations: 50,000+
Vulnerability: Authenticated SQL Injection
Patched in Version: 2.85.5
Severity Score: High
CVE: 2023-26015

WCFM Frontend Manager

Plugin: WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible
Plugin Slug: wc-frontend-manager
Installations: 30,000+
Vulnerability: Missing Authorization
Patched in Version: 6.6.1
Severity Score: Medium
CVE: 2022-4937

WCFM Frontend Manager

Plugin: WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible
Plugin Slug: wc-frontend-manager
Installations: 30,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 6.6.0
Severity Score: Medium
CVE: 2022-4938

WCFM Marketplace

Plugin: WCFM Marketplace – Best Multivendor Marketplace for WooCommerce
Plugin Slug: wc-multivendor-marketplace
Installations: 30,000+
Vulnerability: Missing Authorization
Patched in Version: 3.4.12
Severity Score: High
CVE: 2022-4935

WCFM Marketplace

Plugin: WCFM Marketplace – Best Multivendor Marketplace for WooCommerce
Plugin Slug: wc-multivendor-marketplace
Installations: 30,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 3.5.0
Severity Score: Medium
CVE: 2022-4936

Limit Login Attempts

Plugin: WP Limit Login Attempts
Plugin Slug: wp-limit-login-attempts
Installations: 30,000+
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched in Version: 1.7.2
Severity Score: High
CVE: 2023-1912

PixTypes

Plugin: PixTypes
Plugin Slug: pixtypes
Installations: 20,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.4.15
Severity Score: Medium
CVE: 2023-25487

Simple Job Board

Plugin: Simple Job Board
Plugin Slug: simple-job-board
Installations: 20,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 2.10.4
Severity Score: Medium
CVE: 2023-29440

WCFM Membership

Plugin: WCFM Membership – WooCommerce Memberships for Multivendor Marketplace
Plugin Slug: wc-multivendor-membership
Installations: 20,000+
Vulnerability: Missing Authorization
Patched in Version: 2.10.11
Severity Score: High
CVE: 2022-4940

WCFM Membership

Plugin: WCFM Membership – WooCommerce Memberships for Multivendor Marketplace
Plugin Slug: wc-multivendor-membership
Installations: 20,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 2.10.0
Severity Score: Medium
CVE: 2022-4941

WCFM Membership

Plugin: WCFM Membership – WooCommerce Memberships for Multivendor Marketplace
Plugin Slug: wc-multivendor-membership
Installations: 20,000+
Vulnerability: Unauthenticated Privilege Escalation
Patched in Version: 2.10.1
Severity Score: Critical
CVE: 2022-4939

Connections Business Directory

Plugin: Connections Business Directory
Plugin Slug: connections
Installations: 10,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 10.4.37
Severity Score: Medium
CVE: 2023-29437

MasterStudy LMS WordPress

Plugin: MasterStudy LMS WordPress Plugin – for Online Courses and Education
Plugin Slug: masterstudy-lms-learning-management-system
Installations: 10,000+
Vulnerability: Missing Authorization via wp_ajax_stm_wpcfto_get_settings
Patched in Version: 2.9.35
Severity Score: Medium

Superb Social Media Share Buttons and Follow Buttons

Plugin: Superb Social Media Share Buttons and Follow Buttons for WordPress
Plugin Slug: superb-social-share-and-follow-buttons
Installations: 10,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.1.5
Severity Score: Medium
CVE: 2023-29428

WP Data Access

Plugin: WP Data Access
Plugin Slug: wp-data-access
Installations: 10,000+
Vulnerability: Authenticated (Subscriber+) Privilege Escalation
Patched in Version: 5.3.8
Severity Score: High
CVE: 2023-1874

Magic Post Thumbnail

Plugin: Magic Post Thumbnail
Plugin Slug: magic-post-thumbnail
Installations: 9,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 4.1.11
Severity Score: High
CVE: 2023-29171

Comments Ratings

Plugin: Comments Ratings
Plugin Slug: comments-ratings
Installations: 7,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.1.7
Severity Score: Medium
CVE: 2023-23704

Spreadshop Plugin

Plugin: Spreadshop Plugin
Plugin Slug: spreadshop
Installations: 6,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.6.6
Severity Score: Medium
CVE: 2023-29426

WP EasyCart

Plugin: Shopping Cart & eCommerce Store
Plugin Slug: wp-easycart
Installations: 6,000+
Vulnerability: Admin+ LFI
Patched in Version: 5.4.3
Severity Score: High
CVE: 2023-1124

Sp*tify Play Button for WordPress

Plugin: Sp*tify Play Button for WordPress
Plugin Slug: spotify-play-button-for-wordpress
Installations: 4,000+
Vulnerability: Auth. Stored Cross-Site Scripting (XSS)
Patched in Version: 2.08
Severity Score: Medium
CVE: 2023-1840

Spiffy Calendar

Plugin: Spiffy Calendar
Plugin Slug: spiffy-calendar
Installations: 3,000+
Vulnerability: Auth. SQL Injection (SQLi)
Patched in Version: 4.9.2
Severity Score: High
CVE: 2022-46859

PropertyHive

Plugin: PropertyHive
Plugin Slug: propertyhive
Installations: 2,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.5.47
Severity Score: High
CVE: 2023-29172

Albo Pretorio On line

Plugin: Albo Pretorio On line
Plugin Slug: albo-pretorio-on-line
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 4.6.2
Severity Score: High
CVE: 2023-28993

Cancel order request WooCommerce

Plugin: Cancel order request / Return order / Repeat Order / Reorder for WooCommerce
Plugin Slug: cancel-order-request-woocommerce
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.3.3
Severity Score: Medium
CVE: 2023-29423

Product Enquiry for WooCommerce

Plugin: Product Enquiry for WooCommerce, WooCommerce product catalog
Plugin Slug: enquiry-quotation-for-woocommerce
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.2.13
Severity Score: Medium
CVE: 2023-29170

Dynamics 365 Integration

Plugin: Dynamics 365 Integration
Plugin Slug: integration-dynamics
Installations: 1,000+
Vulnerability: Broken Access Control
Patched in Version: 1.3.14
Severity Score: Medium
CVE: 2023-29422

Product Catalog Simple

Plugin: Product Catalog Simple
Plugin Slug: post-type-x
Installations: 1,000+
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: 1.7.0
Severity Score: High
CVE: 2023-29388

Product page shipping calculator for WooCommerce

Plugin: Product page shipping calculator for WooCommerce
Plugin Slug: product-page-shipping-calculator-for-woocommerce
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.3.21
Severity Score: Medium
CVE: 2023-29094

qTranslate X Cleanup and WPML Import

Plugin: qTranslate X Cleanup and WPML Import
Plugin Slug: qtranslate-to-wpml-export
Installations: 1,000+
Vulnerability: Broken Access Control
Patched in Version: 3.0.2
Severity Score: Medium
CVE: 2023-29431

ShiftController Employee Shift Scheduling

Plugin: ShiftController Employee Shift Scheduling
Plugin Slug: shiftcontroller
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 4.9.24
Severity Score: Medium
CVE: 2023-29425

ShiftController Employee Shift Scheduling

Plugin: ShiftController Employee Shift Scheduling
Plugin Slug: shiftcontroller
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 4.9.24
Severity Score: High
CVE: 2023-29424

CopySafe Web Protection

Plugin: CopySafe Web Protection
Plugin Slug: wp-copysafe-web
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.14
Severity Score: High
CVE: 2023-29098

SMTP Mailing Queue

Plugin: SMTP Mailing Queue
Plugin Slug: smtp-mailing-queue
Installations: 900+
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched in Version: 2.0.0
Severity Score: Medium

HT Builder

Plugin: HT Builder – WordPress Theme Builder for Elementor
Plugin Slug: ht-builder
Installations: 400+
Vulnerability: Cross Site Request Forgery (CSRF) via plugin_activation
Patched in Version: 1.3.0
Severity Score: Medium

Welcome Bar

Plugin: Welcome Bar
Plugin Slug: intelly-welcome-bar
Installations: 30+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 2.0.4
Severity Score: Medium

Welcome Bar

Plugin: Welcome Bar
Plugin Slug: intelly-welcome-bar
Installations: 30+
Vulnerability: Missing Authorization
Patched in Version: 2.0.4
Severity Score: Medium

User Role by BestWebSoft

Plugin: Add User Role
Plugin Slug: add-user-role
Vulnerability: Privilege Escalation via CSRF
Patched in Version: 1.6.7
Severity Score: High
CVE: 2023-0820

Ajax Search Lite Pro

Plugin: Ajax Search Pro
Plugin Slug: ajax-search-pro
Vulnerability: Multiple Cross Site Scripting (XSS)
Patched in Version: 4.26.2
Severity Score: Medium
CVE: 2023-1435

Ajax Search Pro

Plugin: Ajax Search Pro
Plugin Slug: ajax-search-pro
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: 4.26.2
Severity Score: Medium
CVE: 2023-1420

Fancy Product Designer

Plugin: Fancy Product Designer
Plugin Slug: fancy-product-designer
Vulnerability: Insufficient Authorization to Arbitrary Options Update via fpd_update_options
Patched in Version: 4.7.0
Severity Score: High
CVE: 2021-4334

Fancy Product Designer

Plugin: Fancy Product Designer
Plugin Slug: fancy-product-designer
Vulnerability: Insufficient Authorization on Multiple AJAX Actions
Patched in Version: 4.7.0
Severity Score: Medium
CVE: 2021-4335

Image Over Image For WPBakery Page Builder

Plugin: Image Over Image For WPBakery Page Builder
Plugin Slug: image-over-image-vc-extension
Vulnerability: Contributor+ Stored XSS
Patched in Version: 3.0
Severity Score: Medium
CVE: 2023-0399

Transbank Webpay REST

Plugin: Transbank Webpay REST
Plugin Slug: transbank-webpay-plus-rest
Vulnerability: SQL Injection
Patched in Version: 1.6.7
Severity Score: Medium
CVE: 2023-27610

WordPress Plugin Vulnerabilities – No Known Fix

This section contains plugin vulnerabilities with no known fix. Until a patch is available, you are advised to deactivate the plugin, at minimum, immediately. If there is a high risk of active exploits or the plugin remains unpatched for weeks, you are advised to delete the plugin. You should also delete persistently unpatched plugins the WordPress.org repository has locked and marked “Closed” so they can no longer be downloaded and installed.

Optin Forms

Plugin: Optin Forms – Simple List Building Plugin for WordPress
Plugin Slug: optin-forms
Installations: 7,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-29434

Libsyn Publisher Hub

Plugin: Libsyn Publisher Hub
Plugin Slug: libsyn-podcasting
Installations: 3,000+
Vulnerability: Sensitive Data Exposure
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-25057

Comment Reply Notification

Plugin: Comment Reply Notification
Plugin Slug: comment-reply-notification
Installations: 2,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-25051

Cryptocurrency All-in-One

Plugin: Cryptocurrency All-in-One
Plugin Slug: cryptocurrency-prices
Installations: 2,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-29435

Easy Sign Up

Plugin: Easy Sign Up
Plugin Slug: easy-sign-up
Installations: 2,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-23701

iframe Shortcode

Plugin: IFrame Shortcode
Plugin Slug: flynsarmy-iframe-shortcode
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-29436

Tiny carousel horizontal slider plus

Plugin: Tiny carousel horizontal slider plus
Plugin Slug: tiny-carousel-horizontal-slider-plus
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-24418

SimpleModal Contact Form (SMCF)

Plugin: SimpleModal Contact Form (SMCF)
Plugin Slug: simplemodal-contact-form-smcf
Installations: 900+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-29438

Solidres

Plugin: Solidres – Hotel booking plugin for WordPress
Plugin Slug: solidres
Installations: 100+
Vulnerability: Multiple Reflected Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-1377

tencentcloud-cos

Plugin: tencentcloud-cos
Plugin Slug: tencentcloud-cos
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-29433

WP FEvents Book

Plugin: WP FEvents Book
Plugin Slug: wp-fevents-book
Vulnerability: Insecure Direct Object References (IDOR)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-1129

IMPress Listings

Plugin: IMPress Listings
Plugin Slug: wp-listings
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-22711

YourChannel

Plugin: YourChannel: Everything you want in a YouTube
Plugin Slug: yourchannel
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-1865

YourChannel

Plugin: YourChannel: Everything you want in a YouTube
Plugin Slug: yourchannel
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-1866

YourChannel

Plugin: YourChannel: Everything you want in a YouTube
Plugin Slug: yourchannel
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-1867

YourChannel

Plugin: YourChannel: Everything you want in a YouTube
Plugin Slug: yourchannel
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-1868

YourChannel

Plugin: YourChannel: Everything you want in a YouTube
Plugin Slug: yourchannel
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-1869

YourChannel

Plugin: YourChannel: Everything you want in a YouTube
Plugin Slug: yourchannel
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-1870

YourChannel

Plugin: YourChannel: Everything you want in a YouTube
Plugin Slug: yourchannel
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-1871

WordPress Theme Vulnerabilities

In this section, you’ll find the latest WordPress theme vulnerabilities to be disclosed. You’ll see the same information provided above for vulnerable plugins, and the same advice applies. If a security update exists, install it immediately. If a vulnerability remains unpatched in a theme you are actively using, you will need to find an alternative theme. Deactivate and delete persistently unpatched themes and those that have been “Closed” in the WordPress.org theme repository. If you have a vulnerable theme installed that you are not actively using, simply delete it.

Weaver Xtreme Theme

Theme: Weaver Xtreme
Theme Slug: weaver-xtreme
Downloads: 466,189
Vulnerability: Authenticated(Contributor+) Stored Cross-Site Scripting via Display Name
Patched in Version: 6.2
Severity Score: Medium
CVE: 2023-1403

The7

Theme: The7
Theme Slug: dt-the7
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 11.6.1
Severity Score: High
CVE: 2023-29100

Houzez

Theme: Houzez
Theme Slug: houzez
Vulnerability: SQL Injection
Patched in Version: 2.8.3
Severity Score: High
CVE: 2023-29432

Outdoor

Theme: Outdoor
Theme Slug: outdoor
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.9.7
Severity Score: High
CVE: 2023-29236

TheRoof

Theme: TheRoof
Theme Slug: theroof
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.0.4
Severity Score: High
CVE: 2023-29430

Never worry about running a vulnerable plugin or theme again.

As you can see from this report, new WordPress plugin and theme vulnerabilities are disclosed every week. We know it can be difficult to stay on top of every reported vulnerability disclosure that matters to you, so the Themes Security Pro plugin makes it easy to ensure your site isn’t running a vulnerable theme, plugin, or version of WordPress core.

Scans Your Website Twice a Day for Vulnerabilities

Your website’s plugins, themes, and WordPress core versions are checked against the Patchstack Vulnerability Database for the latest vulnerability disclosures.

Automatically Updates if a Security Fix is Available

Paired with Version Management, iThemes Security will automatically update a plugin, theme, or WordPress core version if it has a vulnerability.

Emails You a Warning if Site Scan Detects a Vulnerability

You can receive an email report if your site is running vulnerable versions of a plugin, theme, or WordPress core. Customize the email addresses that receive scan results.

The Best WordPress Security Plugin to Secure & Protect WordPress Sites

WordPress currently powers over 40% of all websites, so it has become a popular target for hackers with malicious intent. The iThemes Security Pro plugin takes the guesswork out of WordPress security to make it easy to secure & protect your WordPress website. It’s like having a full-time security expert on staff who constantly monitors and protects your WordPress site for you.

Buy iThemes Security Pro

Dan Knauss

Dan Knauss is StellarWP’s Technical Content Generalist. He’s been a writer, teacher, and freelancer working in open source since the late 1990s and with WordPress since 2004.

WordPress Vulnerability Report – April 12, 2023

WordPress Core News

WordPress Plugin Vulnerabilities with Patches

WordPress Plugin Vulnerabilities – No Known Fix

WordPress Theme Vulnerabilities

Never worry about running a vulnerable plugin or theme again.

Scans Your Website Twice a Day for Vulnerabilities

Automatically Updates if a Security Fix is Available

Emails You a Warning if Site Scan Detects a Vulnerability

The Best WordPress Security Plugin to Secure & Protect WordPress Sites

Other related posts

About iThemes

Resources

Customers

Top Products

Get the Weekly WordPress Vulnerability Report

Vulnerable WordPress plugins and themes are the #1 reason WordPress sites get hacked, but keeping track of every new plugin and theme vulnerability is hard work. Get the weekly WordPress Vulnerability Report delivered right to your inbox to help keep your website secure.

Get the Weekly WordPress Vulnerability Report