WordPress Vulnerability Report

This week, 116 vulnerabilities may affect over 6 million WordPress sites. There are 67 plugin vulnerabilities and 2 themes with security patches available, so run those updates if you use these plugins! Additionally, there are 45 plugin vulnerabilities and 2 theme vulnerabilities with no patch available yet. At least three of these have been closed and dropped from the wordpress.org plugin directory so far. If you are using any unpatched plugins or themes, check their vendors’ intentions and progress on a security release. If no patch is forthcoming or the vulnerable plugin or theme has been closed, you should consider deactivation and removal in favor of alternative solutions.

For reference, these reports are published every Wednesday and include all active vulnerabilities tracked by Patchstack as of Monday since the previous report. This leaves a 48-hour window for the newest emerging vulnerabilities to be patched before full public disclosure. iThemes Security Pro users have access to vulnerability alerts emerging within this window.

No new WordPress core vulnerabilities were disclosed this week.

WordPress core is very secure when it’s properly configured and maintained. Vulnerable plugins that have not been updated by site owners are the most common vector for attacks on WordPress websites. Our weekly WordPress Vulnerability Report, powered by Patchstack, covers new WordPress plugin, theme, and core vulnerabilities that have emerged since last week’s report. Our goal is to spread awareness of emerging security threats and help you decide what to do if you are using vulnerable software on your website. For a deeper analysis of recent trends in WordPress vulnerabilities and threat vectors, see our 2022 Annual Vulnerability Report.

WordPress Core News

WordPress 6.2 is the first major release of 2023, with over 900 enhancements and fixes. You’ll notice a reimagined Site Editor, blocks get even better, and new tools and improvements in WordPress 6.2. As always, with a major release like this, ensure your site is backed up with BackupBuddy before updating.

If your WordPress sites have enabled automatic background updates, they should have upgraded to 6.2 automatically. You can download WordPress 6.2 from WordPress.org, or visit your WordPress Dashboard, click “Updates,” and then click the “Update Now” button, which will appear when any core updates are available. For more information, check out the version 6.2 HelpHub documentation page.

Get the weekly WordPress Vulnerability Report delivered to your inbox each Wednesday.

WordPress Plugin Vulnerabilities with Patches

In this section, you’ll find the most recently disclosed WordPress plugin vulnerabilities that have been fixed with a new release from their authors and maintainers. Please apply the updates if you are affected!

These vulnerabilities have been disclosed and scored for their severity thanks to our friends at Patchstack. Each plugin listing includes the type of vulnerability with its CVE number and CVSS severity rating with links to more technical details. You’ll also see the number of active sites using the plugin and the plugin version release that patches the vulnerability. We start with the most popular plugins, which represent the largest target for attackers.

All In One WP Security & Firewall

Plugin: All-In-One Security (AIOS) – Security and Firewall
Plugin Slug: all-in-one-wp-security-and-firewall
Installations: 1,000,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 5.1.5
Severity Score: Medium
CVE: 2023-0157

WP Fastest Cache

Plugin: WP Fastest Cache
Plugin Slug: wp-fastest-cache
Installations: 1,000,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.1.3
Severity Score: Medium
CVE: 2023-1926

WP Fastest Cache

Plugin: WP Fastest Cache
Plugin Slug: wp-fastest-cache
Installations: 1,000,000+
Vulnerability: Broken Access Control
Patched in Version: 1.1.3
Severity Score: Medium
CVE: 2023-1931

Limit Login Attempts

Plugin: Limit Login Attempts
Plugin Slug: limit-login-attempts
Installations: 600,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.7.2
Severity Score: Medium
CVE: 2023-1861

Forminator

Plugin: Forminator – Contact Form, Payment Form & Custom Form Builder
Plugin Slug: forminator
Installations: 400,000+
Vulnerability: Broken Access Control
Patched in Version: 1.23.3
Severity Score: Medium

FluentForm

Plugin: Contact Form Plugin – Fastest Contact Form Builder Plugin for WordPress by Fluent Forms
Plugin Slug: fluentform
Installations: 300,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 4.3.25
Severity Score: Medium
CVE: 2023-0546

Shortlinks by Pretty Links

Plugin: Pretty Links – Affiliate Links, Link Branding, Link Tracking & Marketing Plugin
Plugin Slug: pretty-link
Installations: 300,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 3.4.1
Severity Score: Medium
CVE: 2022-47149

FooGallery

Plugin: Best WordPress Gallery Plugin – FooGallery
Plugin Slug: foogallery
Installations: 200,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.2.41
Severity Score: High
CVE: 2023-29439

Photo Gallery by 10Web

Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery
Plugin Slug: photo-gallery
Installations: 200,000+
Vulnerability: Directory Traversal
Patched in Version: 1.8.15
Severity Score: Medium
CVE: 2023-1427

Photo Gallery by 10Web

Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery
Plugin Slug: photo-gallery
Installations: 200,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.8.3
Severity Score: Medium
CVE: 2022-4058

Blocksy Companion

Plugin: Blocksy Companion
Plugin Slug: blocksy-companion
Installations: 100,000+
Vulnerability: Sensitive Data Exposure
Patched in Version: 1.8.82
Severity Score: Medium
CVE: 2023-1911

Cyr to Lat

Plugin: Cyr to Lat enhanced
Plugin Slug: cyr3lat
Installations: 100,000+
Vulnerability: SQL Injection
Patched in Version: 3.7
Severity Score: High
CVE: 2022-4290

Download Manager Pro

Plugin: Download Manager
Plugin Slug: download-manager
Installations: 100,000+
Vulnerability: Sensitive Data Exposure
Patched in Version: 6.3.0
Severity Score: Medium
CVE: 2023-1809

Hummingbird

Plugin: Hummingbird – Optimize Speed, Enable Cache, Minify CSS & Defer Critical JS
Plugin Slug: hummingbird-performance
Installations: 100,000+
Vulnerability: Path Traversal
Patched in Version: 3.4.2
Severity Score: High
CVE: 2023-1478

Slimstat Analytics

Plugin: Slimstat Analytics
Plugin Slug: wp-slimstat
Installations: 100,000+
Vulnerability: SQL Injection
Patched in Version: 4.9.4
Severity Score: High

Easy Forms for MailChimp

Plugin: Easy Forms for Mailchimp
Plugin Slug: yikes-inc-easy-mailchimp-extender
Installations: 100,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 6.8.7
Severity Score: Medium
CVE: 2023-1325

Easy Forms for MailChimp

Plugin: Easy Forms for Mailchimp
Plugin Slug: yikes-inc-easy-mailchimp-extender
Installations: 100,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 6.8.7
Severity Score: High
CVE: 2023-1324

PowerPress Podcasting plugin by Blubrry

Plugin: PowerPress Podcasting plugin by Blubrry
Plugin Slug: powerpress
Installations: 50,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 10.0.2
Severity Score: Medium
CVE: 2023-30778

PowerPress

Plugin: PowerPress Podcasting plugin by Blubrry
Plugin Slug: powerpress
Installations: 50,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 10.0.1
Severity Score: Medium
CVE: 2023-1917

Site Reviews

Plugin: Site Reviews
Plugin Slug: site-reviews
Installations: 50,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 6.7.1
Severity Score: Medium
CVE: 2023-1525

Quiz And Survey Master

Plugin: Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress
Plugin Slug: quiz-master-next
Installations: 40,000+
Vulnerability: SQL Injection
Patched in Version: 8.1.5
Severity Score: Critical
CVE: 2023-28787

Klaviyo

Plugin: Klaviyo
Plugin Slug: klaviyo
Installations: 30,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.0.10
Severity Score: Medium
CVE: 2023-0874

Redirection

Plugin: Redirection
Plugin Slug: redirect-redirection
Installations: 20,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.1.5
Severity Score: Medium
CVE: 2023-1331

Easy Appointments

Plugin: Easy Appointments
Plugin Slug: easy-appointments
Installations: 20,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.11.1
Severity Score: Medium
CVE: 2023-30748

Gallery by BestWebSoft

Plugin: Gallery by BestWebSoft – Customizable Image and Photo Galleries for WordPress
Plugin Slug: gallery-plugin
Installations: 20,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 4.7.0
Severity Score: Medium
CVE: 2023-0764

Gallery by BestWebSoft

Plugin: Gallery by BestWebSoft – Customizable Image and Photo Galleries for WordPress
Plugin Slug: gallery-plugin
Installations: 20,000+
Vulnerability: SQL Injection
Patched in Version: 4.7.0
Severity Score: High
CVE: 2023-0765

SupportCandy

Plugin: SupportCandy – Helpdesk & Support Ticket System
Plugin Slug: supportcandy
Installations: 10,000+
Vulnerability: SQL Injection
Patched in Version: 3.1.5
Severity Score: Critical
CVE: 2023-1730

WP VR

Plugin: WP VR – 360 Panorama and Virtual Tour Builder For WordPress
Plugin Slug: wpvr
Installations: 10,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 8.2.9
Severity Score: High
CVE: 2023-1413

Better Search

Plugin: Better Search – Relevant search results for WordPress
Plugin Slug: better-search
Installations: 8,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 3.2.0
Severity Score: Medium

LearnPress Export Import

Plugin: LearnPress Export Import – WordPress extension for LearnPress
Plugin Slug: learnpress-import-export
Installations: 8,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 4.0.3
Severity Score: High
CVE: 2023-30487

Product Catalog Feed by PixelYourSite

Plugin: Product Catalog Feed by PixelYourSite
Plugin Slug: product-catalog-feed
Installations: 8,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.1.1
Severity Score: High
CVE: 2023-1805

MyCryptoCheckout

Plugin: MyCryptoCheckout – Bitcoin, Ethereum, and 175+ altcoins for WooCommerce
Plugin Slug: mycryptocheckout
Installations: 6,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.124
Severity Score: High
CVE: 2023-1546

Watu Quiz

Plugin: Watu Quiz
Plugin Slug: watu
Installations: 5,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.3.9.3
Severity Score: High
CVE: 2023-30483

Vimeotheque

Plugin: Vimeotheque / Vimeo
Plugin Slug: codeflavors-vimeo-video-post-lite
Installations: 4,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.2.2
Severity Score: High
CVE: 2023-30498

Ultimate Noindex Nofollow Tool II

Plugin: Ultimate Noindex Nofollow Tool II
Plugin Slug: ultimate-noindex-nofollow-tool-ii
Installations: 4,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.3.4
Severity Score: Medium
CVE: 2023-30474

WooCommerce Easy Duplicate Product

Plugin: WooCommerce Easy Duplicate Product
Plugin Slug: woo-easy-duplicate-product
Installations: 4,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 0.3.0.1
Severity Score: High
CVE: 2023-30747

Thumbnail carousel slider

Plugin: Thumbnail carousel slider
Plugin Slug: wp-responsive-thumbnail-slider
Installations: 4,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.1.10
Severity Score: High
CVE: 2023-2120

Email Subscription Popup

Plugin: Email Subscription Popup
Plugin Slug: email-subscribe
Installations: 3,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.2.17
Severity Score: High
CVE: 2023-30489

Woo Bulk Price Update

Plugin: Bulk Price Update for Woocommerce
Plugin Slug: woo-bulk-price-update
Installations: 3,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.2.2
Severity Score: High
CVE: 2023-28665

Coupon Affiliates

Plugin: Coupon Affiliates – WooCommerce Affiliate Plugin
Plugin Slug: woo-coupon-usage
Installations: 3,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 5.4.6
Severity Score: High
CVE: 2023-30475

Groundhogg

Plugin: WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg
Plugin Slug: groundhogg
Installations: 2,000+
Vulnerability: SQL Injection
Patched in Version: 2.7.9.4
Severity Score: High
CVE: 2023-1425

Locatoraid Store Locator

Plugin: Locatoraid Store Locator
Plugin Slug: locatoraid
Installations: 2,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.9.15
Severity Score: Medium
CVE: 2023-2031

WP Inventory Manager

Plugin: WP Inventory Manager
Plugin Slug: wp-inventory-manager
Installations: 2,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.1.0.12
Severity Score: High
CVE: 2023-1806

MDTF

Plugin: MDTF – Meta Data and Taxonomies Filter
Plugin Slug: wp-meta-data-filter-and-taxonomy-filter
Installations: 2,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.3.1
Severity Score: High
CVE: 2023-28664

Contact Form to DB by BestWebSoft

Plugin: Contact Form to DB by BestWebSoft – Messages Database Plugin For WordPress
Plugin Slug: contact-form-to-db
Installations: 1,000+
Vulnerability: SQL Injection
Patched in Version: 1.7.1
Severity Score: High
CVE: 2023-29096

Contact Form to DB

Plugin: Contact Form to DB by BestWebSoft – Messages Database Plugin For WordPress
Plugin Slug: contact-form-to-db
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.7.1
Severity Score: Medium

Simple Giveaways

Plugin: Simple Giveaways – Grow your business, email lists and traffic with contests
Plugin Slug: giveasap
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.45.1
Severity Score: Medium
CVE: 2023-1122

Simple Giveaways

Plugin: Simple Giveaways – Grow your business, email lists and traffic with contests
Plugin Slug: giveasap
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.45.1
Severity Score: Medium
CVE: 2023-1120

ShiftController Employee Shift Scheduling

Plugin: ShiftController Employee Shift Scheduling
Plugin Slug: shiftcontroller
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 4.9.26
Severity Score: High
CVE: 2023-1978

MC Woocommerce Wishlist

Plugin: WooCommerce Wishlist by MC + (Free Elementor & Email Marketing Automation)
Plugin Slug: smart-wishlist-for-more-convert
Installations: 900+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.5.5
Severity Score: Medium

Scheduled Announcements Widget

Plugin: Scheduled Announcements Widget
Plugin Slug: scheduled-announcements-widget
Installations: 300+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.0
Severity Score: Medium
CVE: 2023-0363

Photo Gallery by 10Web

Plugin: ZooEffect Plugin for Video player, Photo Gallery Slideshow jQuery and audio / music / podcast – HTML5
Plugin Slug: 1-jquery-photo-gallery-slideshow-flash
Installations: 200+
Vulnerability: Path Traversal
Patched in Version: 1.8.15
Severity Score: Medium
CVE: 2023-1427

a3 Portfolio

Plugin: a3 Portfolio
Plugin Slug: a3-portfolio
Installations: 100+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.1.1
Severity Score: Medium
CVE: 2023-29097

Auto Rename Media On Upload

Plugin: Auto Rename Media On Upload
Plugin Slug: auto-rename-media-on-upload
Installations: 100+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.1.0
Severity Score: Medium
CVE: 2023-0605

Time Sheets

Plugin: Time Sheets
Plugin Slug: time-sheets
Installations: 100+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.29.3
Severity Score: Medium
CVE: 2023-0893

Zyrex Popup

Plugin: ZYREX POPUP
Plugin Slug: popup-zyrex
Installations: 10+
Vulnerability: Arbitrary File Upload
Patched in Version: 1.1
Severity Score: Critical
CVE: 2023-0924

AI ChatBot

Plugin: Blog Navigator Chatbot by Xatkit
Plugin Slug: xatkit-chatbot-connector
Installations: 10+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 4.5.1
Severity Score: Medium

Drag and Drop Multiple File Upload PRO

Plugin: Drag and Drop Multiple File Upload PRO
Plugin Slug: drag-n-drop-upload-cf7-pro
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 5.0.6.4
Severity Score: High
CVE: 2023-1282

JetEngine

Plugin: JetEngine
Plugin Slug: jet-engine
Vulnerability: Remote Code Execution (RCE)
Patched in Version: 3.1.3.1
Severity Score: Critical
CVE: 2023-1406

Responsive WordPress Slideshows

Plugin: Meta Slider
Plugin Slug: ml-slider1
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.29.1
Severity Score: High
CVE: 2023-1473

Pricing Tables For WPBakery Page Builder

Plugin: Pricing Tables For WPBakery Page Builder
Plugin Slug: pricing-tables-for-wpbakery-page-builder
Vulnerability: Local File Inclusion
Patched in Version: 3.0
Severity Score: High
CVE: 2023-1274

Pricing Tables For WPBakery Page Builder

Plugin: Pricing Tables For WPBakery Page Builder
Plugin Slug: pricing-tables-for-wpbakery-page-builder
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.0
Severity Score: Medium
CVE: 2023-0367

Ruby Help Desk

Plugin: Ruby Help Desk
Plugin Slug: ruby-help-desk
Vulnerability: Insecure Direct Object References (IDOR)
Patched in Version: 1.3.4
Severity Score: Medium
CVE: 2023-1125

Stylish Cost Calculator Premium

Plugin: Stylish Cost Calculator Premium
Plugin Slug: stylish-cost-calculator-premium
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 7.9.0
Severity Score: High
CVE: 2023-0983

W4 Post List

Plugin: W4 Post List
Plugin Slug: w4-post-list
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.4.6
Severity Score: High
CVE: 2023-1373

W4 Post List

Plugin: W4 Post List
Plugin Slug: w4-post-list
Vulnerability: Sensitive Data Exposure
Patched in Version: 2.4.6
Severity Score: Medium
CVE: 2023-1371

WordPress Plugin Vulnerabilities – No Known Fix

This section contains plugin vulnerabilities with no known fix. Until a patch is available, you are advised to deactivate the plugin, at minimum, immediately. If there is a high risk of active exploits or the plugin remains unpatched for weeks, you are advised to delete the plugin. You should also delete persistently unpatched plugins the WordPress.org repository has locked and marked “Closed” so they can no longer be downloaded and installed.

Shortcodes by Angie Makes

Plugin: Shortcodes by Angie Makes
Plugin Slug: wc-shortcodes
Installations: 30,000+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-23725

Custom Order Numbers for WooCommerce

Plugin: Custom Order Numbers for WooCommerce
Plugin Slug: custom-order-numbers-for-woocommerce
Installations: 20,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2022-45367

Enable Accessibility

Plugin: Enable Accessibility
Plugin Slug: enable-accessibility
Installations: 10,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-30484

Optima Express + MarketBoost IDX Plugin

Plugin: Optima Express + MarketBoost IDX Plugin
Plugin Slug: optima-express
Installations: 10,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-30749

ReviewX

Plugin: ReviewX – Multi-criteria Rating & Reviews for WooCommerce
Plugin Slug: reviewx
Installations: 10,000+
Vulnerability: CSV Injection
Patched in Version: No Fix
Severity Score: Medium
CVE: 2022-46809

CoSchedule

Plugin: CoSchedule
Plugin Slug: coschedule-by-todaymade
Installations: 8,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2022-47165

Fantastic Content Protector Free

Plugin: Fantastic Content Protector Free
Plugin Slug: fantastic-content-protector-free
Installations: 6,000+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-25048

Affiliate Links Lite

Plugin: Affiliate Links Lite
Plugin Slug: affiliate-links
Installations: 5,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-22696

Neshan Maps

Plugin: Neshan Maps
Plugin Slug: neshan-maps
Installations: 3,000+
Vulnerability: SQL Injection
Patched in Version: No Fix
Severity Score: Medium
CVE: 2022-47426

Newsletters

Plugin: Newsletters
Plugin Slug: newsletters-lite
Installations: 3,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-30478

WP EasyPay – Square for WordPress

Plugin: WP EasyPay – Square for WordPress
Plugin Slug: wp-easy-pay
Installations: 3,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2022-47177

Stamped.io Product Reviews & UGC for WooCommerce

Plugin: Stamped.io Product Reviews & UGC for WooCommerce
Plugin Slug: stampedio-product-reviews
Installations: 2,000+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-30479

AdFoxly – Ad Manager, AdSense Ads & Ads.txt

Plugin: AdFoxly – Ad Manager, AdSense Ads & Ads.txt
Plugin Slug: adfoxly
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-30754

Booqable Rental Plugin

Plugin: Booqable Rental Plugin
Plugin Slug: booqable-rental-reservations
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-30746

Database Collation Fix

Plugin: Database Collation Fix
Plugin Slug: database-collation-fix
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-23997

Simple PopUp

Plugin: Simple PopUp
Plugin Slug: simple-popup
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-24406

Landing Page Builder – Free Landing Page Templates

Plugin: Landing Page Builder – Free Landing Page Templates
Plugin Slug: ultimate-landing-page
Installations: 1,000+
Vulnerability: Local File Inclusion
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-24379

Paytm Payment Donation

Plugin: Paytm – Donation Plugin
Plugin Slug: paytm-donation
Installations: 600+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-28535

WP Roles at Registration

Plugin: WP Roles at Registration
Plugin Slug: wp-roles-at-registration
Installations: 400+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-27609

External Videos

Plugin: External Videos
Plugin Slug: external-videos
Installations: 100+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-30752

Motor Racing League

Plugin: Motor Racing League
Plugin Slug: motor-racing-league
Installations: 90+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-27614

Pickup | Delivery | Dine-in date time

Plugin: Pickup | Delivery | Dine-in date time
Plugin Slug: restaurant-pickup-delivery-dine-in
Installations: 70+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-0894

hiWeb Migration Simple

Plugin: hiWeb Migration Simple
Plugin Slug: hiweb-migration-simple
Installations: 20+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-0769

Electric Studio Client Login

Plugin: Electric Studio Client Login
Plugin Slug: electric-studio-client-login
Installations: 10+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-27425

UserPlus

Plugin: User registration & user profile – UserPlus
Plugin Slug: userplus
Installations: 10+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-0824

AFFILIATE Solution

Plugin: AFFILIATE Solution
Plugin Slug: affiliate-solution
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-30477

Amr Ical Events Lists

Plugin: Amr Ical Events Lists
Plugin Slug: amr-ical-events-list
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-1021

Article Directory

Plugin: Article Directory
Plugin Slug: article-directory
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-0422

Article Directory Redux

Plugin: Article Directory Redux
Plugin Slug: article-directory-redux
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-30751

Cloud Manager

Plugin: Cloud Manager
Plugin Slug: cloud-manager
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-0421

Custom Post Type and Taxonomy GUI Manager

Plugin: Custom Post Type and Taxonomy GUI Manager
Plugin Slug: custom-post-type-cpt-cusom-taxonomy-ct-manager
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-0420

Events Made Easy

Plugin: Events Made Easy
Plugin Slug: events-made-easy
Vulnerability: SQL Injection
Patched in Version: No Fix
Severity Score: High
CVE: 2023-28660

InPost Gallery

Plugin: InPost Gallery
Plugin Slug: inpost-gallery
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-28666

MS-Reviews

Plugin: MS-Reviews
Plugin Slug: ms-reviews
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-0424

Random Text

Plugin: Random Text
Plugin Slug: randomtext
Vulnerability: SQL Injection
Patched in Version: No Fix
Severity Score: High
CVE: 2023-0388

Video Central

Plugin: Video Central
Plugin Slug: video-central
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-0418

Waiting: One-click Countdowns

Plugin: Waiting: One-click countdowns
Plugin Slug: waiting
Vulnerability: SQL Injection
Patched in Version: No Fix
Severity Score: High
CVE: 2023-28659

WP FEvents Book

Plugin: WP FEvents Book
Plugin Slug: wp-fevents-book
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-1126

WP Reroute Email

Plugin: WP Reroute Email
Plugin Slug: wp-reroute-email
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-27606

WP Reroute Email

Plugin: WP Reroute Email
Plugin Slug: wp-reroute-email
Vulnerability: SQL Injection
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-27605

Steveas WP Live Chat Shoutbox

Plugin: Steveas WP Live Chat Shoutbox
Plugin Slug: wp-shoutbox-live-chat
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-0899

Steveas WP Live Chat Shoutbox

Plugin: Steveas WP Live Chat Shoutbox
Plugin Slug: wp-shoutbox-live-chat
Vulnerability: SQL Injection
Patched in Version: No Fix
Severity Score: Critical
CVE: 2023-1020

WP Tiles

Plugin: WP Tiles
Plugin Slug: wp-tiles
Vulnerability: Sensitive Data Exposure
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-1426

WP Tiles

Plugin: WP Tiles
Plugin Slug: wp-tiles
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2022-4827

ZM Ajax Login & Register

Plugin: ZM Ajax Login & Register
Plugin Slug: zm-ajax-login-register
Vulnerability: Broken Authentication
Patched in Version: No Fix
Severity Score: Critical
CVE: 2023-2027

WordPress Theme Vulnerabilities

In this section, you’ll find the latest WordPress theme vulnerabilities to be disclosed. You’ll see the same information provided above for vulnerable plugins, and the same advice applies. If a security update exists, install it immediately. If a vulnerability remains unpatched in a theme you are actively using, you will need to find an alternative theme. Deactivate and delete persistently unpatched themes and those that have been “Closed” in the WordPress.org theme repository. If you have a vulnerable theme installed that you are not actively using, simply delete it.

Square

Theme: Square
Theme Slug: square
Downloads: 468,498
Vulnerability: Broken Access Control
Patched in Version: 2.0.1
Severity Score: Medium
CVE: 2023-30486

BeTheme

Theme: Betheme
Theme Slug: betheme
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 26.8
Severity Score: High
CVE: 2023-29101

Educenter

Theme: Educenter
Theme Slug: educenter
Downloads: 136,704
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-30480

Blogger Buzz

Theme: Blogger Buzz
Theme Slug: blogger-buzz
Downloads: 47,897
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-30476

Never worry about running a vulnerable plugin or theme again.

As you can see from this report, new WordPress plugin and theme vulnerabilities are disclosed every week. We know it can be difficult to stay on top of every reported vulnerability disclosure that matters to you, so the Themes Security Pro plugin makes it easy to ensure your site isn’t running a vulnerable theme, plugin, or version of WordPress core.

Scans Your Website Twice a Day for Vulnerabilities

Your website’s plugins, themes, and WordPress core versions are checked against the Patchstack Vulnerability Database for the latest vulnerability disclosures.

Automatically Updates if a Security Fix is Available

Paired with Version Management, iThemes Security will automatically update a plugin, theme, or WordPress core version if it has a vulnerability.

Emails You a Warning if Site Scan Detects a Vulnerability

You can receive an email report if your site is running vulnerable versions of a plugin, theme, or WordPress core. Customize the email addresses that receive scan results.

The Best WordPress Security Plugin to Secure & Protect WordPress Sites

WordPress currently powers over 40% of all websites, so it has become a popular target for hackers with malicious intent. The iThemes Security Pro plugin takes the guesswork out of WordPress security to make it easy to secure & protect your WordPress website. It’s like having a full-time security expert on staff who constantly monitors and protects your WordPress site for you.

Buy iThemes Security Pro

Dan Knauss

Dan Knauss is StellarWP’s Technical Content Generalist. He’s been a writer, teacher, and freelancer working in open source since the late 1990s and with WordPress since 2004.

WordPress Vulnerability Report – April 19, 2023

WordPress Core News

WordPress Plugin Vulnerabilities with Patches

WordPress Plugin Vulnerabilities – No Known Fix

WordPress Theme Vulnerabilities

Never worry about running a vulnerable plugin or theme again.

Scans Your Website Twice a Day for Vulnerabilities

Automatically Updates if a Security Fix is Available

Emails You a Warning if Site Scan Detects a Vulnerability

The Best WordPress Security Plugin to Secure & Protect WordPress Sites

Other related posts

About iThemes

Resources

Customers

Top Products

Get the Weekly WordPress Vulnerability Report

Vulnerable WordPress plugins and themes are the #1 reason WordPress sites get hacked, but keeping track of every new plugin and theme vulnerability is hard work. Get the weekly WordPress Vulnerability Report delivered right to your inbox to help keep your website secure.

Get the Weekly WordPress Vulnerability Report