This week, 160 vulnerabilities may affect over 8 million WordPress sites. There are 68 plugin vulnerabilities with security patches available, so run those updates if you use these plugins! Additionally, there are 92 plugin vulnerabilities with no patch available yet. At least eight of these have been closed and dropped from the wordpress.org plugin directory so far. If you are using any unpatched plugins or themes, check their vendors’ intentions and progress on a security release. If no patch is forthcoming or the vulnerable plugin or theme has been closed, you should consider deactivation and removal in favor of alternative solutions.
For reference, these reports are published every Wednesday and include all active vulnerabilities tracked by Patchstack as of Monday since the previous report. This leaves a 48-hour window for the newest emerging vulnerabilities to be patched before full public disclosure. iThemes Security Pro users have access to vulnerability alerts emerging within this window.
WordPress core is very secure when it’s properly configured and maintained. Vulnerable plugins that have not been updated by site owners are the most common vector for attacks on WordPress websites. Our weekly WordPress Vulnerability Report, powered by Patchstack, covers new WordPress plugin, theme, and core vulnerabilities that have emerged since last week’s report. Our goal is to spread awareness of emerging security threats and help you decide what to do if you are using vulnerable software on your website. For a deeper analysis of recent trends in WordPress vulnerabilities and threat vectors, see our 2022 Annual Vulnerability Report.
WordPress Core News
WordPress 6.2 is the first major release of 2023, with over 900 enhancements and fixes. You’ll notice a reimagined Site Editor, blocks get even better, and new tools and improvements in WordPress 6.2. As always, with a major release like this, ensure your site is backed up with BackupBuddy before updating.
If your WordPress sites have enabled automatic background updates, they should have upgraded to 6.2 automatically. You can download WordPress 6.2 from WordPress.org, or visit your WordPress Dashboard, click “Updates,” and then click the “Update Now” button, which will appear when any core updates are available. For more information, check out the version 6.2 HelpHub documentation page.
Get the weekly WordPress Vulnerability Report delivered to your inbox each Wednesday.
WordPress Plugin Vulnerabilities with Patches
In this section, you’ll find the most recently disclosed WordPress plugin vulnerabilities that have been fixed with a new release from their authors and maintainers. Please apply the updates if you are affected!
These vulnerabilities have been disclosed and scored for their severity, thanks to our friends at Patchstack. Each plugin listing includes the type of vulnerability with its CVE number and CVSS severity rating with links to more technical details. You’ll also see the number of active sites using the plugin and the plugin version release that patches the vulnerability. We start with the most popular plugins, which represent the largest target for attackers.
Elementor
- Plugin Slug
- elementor
- Installations
- 5,000,000+
- Vulnerability
- SQL Injection
- Patched in Version
- 3.12.2
- Severity Score
- Medium
Autoptimize
- Plugin
- Autoptimize
- Plugin Slug
- autoptimize
- Installations
- 1,000,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 3.1.7
- Severity Score
- Medium
Limit Login Attempts
- Plugin
- Limit Login Attempts
- Plugin Slug
- limit-login-attempts
- Installations
- 600,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 1.7.2
- Severity Score
- Medium
- CVE
- 2023-1861
CMP – Coming Soon & Maintenance
- Plugin Slug
- cmp-coming-soon-maintenance
- Installations
- 200,000+
- Vulnerability
- Bypass Vulnerability
- Patched in Version
- 4.1.8
- Severity Score
- Medium
- CVE
- 2023-2159
Photo Gallery by 10Web
- Plugin Slug
- photo-gallery
- Installations
- 200,000+
- Vulnerability
- Directory Traversal
- Patched in Version
- 1.8.15
- Severity Score
- Medium
- CVE
- 2023-1427
Photo Gallery by 10Web
- Plugin Slug
- photo-gallery
- Installations
- 200,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 1.8.3
- Severity Score
- Medium
- CVE
- 2022-4058
Blocksy Companion
- Plugin
- Blocksy Companion
- Plugin Slug
- blocksy-companion
- Installations
- 100,000+
- Vulnerability
- Sensitive Data Exposure
- Patched in Version
- 1.8.82
- Severity Score
- Medium
- CVE
- 2023-1911
Essential Blocks
- Plugin Slug
- essential-blocks
- Installations
- 80,000+
- Vulnerability
- Broken Access Control
- Patched in Version
- 4.0.7
- Severity Score
- Medium
- CVE
- 2023-2084
Ninja Tables – Best Data Table Plugin for WordPress
- Plugin Slug
- ninja-tables
- Installations
- 80,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 4.3.5
- Severity Score
- Medium
- CVE
- 2022-47137
Ninja Tables – Best Data Table Plugin for WordPress
- Plugin Slug
- ninja-tables
- Installations
- 80,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- 4.3.5
- Severity Score
- Medium
- CVE
- 2022-47136
Stream
- Plugin
- Stream
- Plugin Slug
- stream
- Installations
- 80,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- 3.9.3
- Severity Score
- Medium
- CVE
- 2022-43490
CMS Tree Page View
- Plugin
- CMS Tree Page View
- Plugin Slug
- cms-tree-page-view
- Installations
- 70,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 1.6.8
- Severity Score
- High
- CVE
- 2023-30868
TaxoPress
- Plugin Slug
- simple-tags
- Installations
- 70,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 3.6.5
- Severity Score
- Medium
- CVE
- 2023-2168
OoohBoi Steroids for Elementor
- Plugin Slug
- ooohboi-steroids-for-elementor
- Installations
- 60,000+
- Vulnerability
- Broken Access Control
- Patched in Version
- 2.1.5
- Severity Score
- Medium
- CVE
- 2023-1169
PowerPress Podcasting plugin by Blubrry
- Plugin Slug
- powerpress
- Installations
- 50,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 10.0.2
- Severity Score
- Medium
- CVE
- 2023-30778
Visual CSS Style Editor
- Plugin
- Visual CSS Style Editor
- Plugin Slug
- yellow-pencil-visual-theme-customizer
- Installations
- 50,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 7.5.9
- Severity Score
- Medium
- CVE
- 2022-33961
Jetpack CRM
- Plugin Slug
- zero-bs-crm
- Installations
- 40,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- 5.4.0
- Severity Score
- Medium
- CVE
- 2022-3342
miniOrange’s Google Authenticator
- Plugin Slug
- miniorange-2-factor-authentication
- Installations
- 20,000+
- Vulnerability
- Broken Access Control
- Patched in Version
- 5.6.6
- Severity Score
- High
- CVE
- 2022-4943
Donation Forms by Charitable
- Plugin Slug
- charitable
- Installations
- 10,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 1.7.0.11
- Severity Score
- High
- CVE
- 2022-47441
Helpie FAQ
- Plugin Slug
- helpie-faq
- Installations
- 10,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 1.9.7
- Severity Score
- High
Image Optimizer by 10web
- Plugin Slug
- image-optimizer-wd
- Installations
- 10,000+
- Vulnerability
- Directory Traversal
- Patched in Version
- 1.0.26
- Severity Score
- Medium
Kaya QR Code Generator
- Plugin
- Kaya QR Code Generator
- Plugin Slug
- kaya-qr-code-generator
- Installations
- 10,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 1.5.3
- Severity Score
- Medium
- CVE
- 2023-30784
Ultimate Addons for Contact Form 7
- Plugin Slug
- ultimate-addons-for-contact-form-7
- Installations
- 10,000+
- Vulnerability
- SQL Injection
- Patched in Version
- 3.1.24
- Severity Score
- High
- CVE
- 2023-30495
YML for Yandex Market
- Plugin
- YML for Yandex Market
- Plugin Slug
- yml-for-yandex-market
- Installations
- 10,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 3.10.8
- Severity Score
- High
- CVE
- 2023-30473
WP Original Media Path
- Plugin
- WP Original Media Path
- Plugin Slug
- wp-original-media-path
- Installations
- 9,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 2.4.1
- Severity Score
- Medium
- CVE
- 2023-23674
LearnPress Export Import
- Plugin Slug
- learnpress-import-export
- Installations
- 8,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 4.0.3
- Severity Score
- High
- CVE
- 2023-30487
Integration for Contact Form 7 HubSpot
- Plugin Slug
- cf7-hubspot
- Installations
- 7,000+
- Vulnerability
- Open Redirection
- Patched in Version
- 1.2.9
- Severity Score
- Medium
- CVE
- 2023-31095
Category Specific RSS feed Subscription
- Plugin Slug
- category-specific-rss-feed-menu
- Installations
- 6,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- v2.3
- Severity Score
- Medium
- CVE
- 2023-22685
Captcha Them All
- Plugin
- Captcha Them All
- Plugin Slug
- captcha-them-all
- Installations
- 5,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 1.4
- Severity Score
- Medium
- CVE
- 2023-30786
Live Chat by Formilla
- Plugin Slug
- formilla-live-chat
- Installations
- 5,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 1.3.1
- Severity Score
- Medium
- CVE
- 2023-23727
Album Gallery – WordPress Gallery
- Plugin Slug
- new-album-gallery
- Installations
- 5,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- 1.5.0
- Severity Score
- Medium
- CVE
- 2023-23646
Tablesome
- Plugin
- Tablesome – Data table & Workflow Automation ( Contact Form Entries, Email Log, OpenAI / ChatGPT )
- Plugin Slug
- tablesome
- Installations
- 5,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 1.0.9
- Severity Score
- High
XML for Google Merchant Center
- Plugin Slug
- xml-for-google-merchant-center
- Installations
- 5,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 3.0.2
- Severity Score
- High
- CVE
- 2023-30877
ChatBot
- Plugin
- AI ChatBot
- Plugin Slug
- chatbot
- Installations
- 4,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 4.4.9
- Severity Score
- Medium
- CVE
- 2023-1651
ChatBot
- Plugin
- AI ChatBot
- Plugin Slug
- chatbot
- Installations
- 4,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 4.4.9
- Severity Score
- High
- CVE
- 2023-1660
ChatBot
- Plugin
- AI ChatBot
- Plugin Slug
- chatbot
- Installations
- 4,000+
- Vulnerability
- PHP Object Injection
- Patched in Version
- 4.4.7
- Severity Score
- Medium
- CVE
- 2023-1650
ChatBot
- Plugin
- AI ChatBot
- Plugin Slug
- chatbot
- Installations
- 4,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 4.4.5
- Severity Score
- High
- CVE
- 2023-1011
Vimeotheque
- Plugin
- Vimeotheque / Vimeo
- Plugin Slug
- codeflavors-vimeo-video-post-lite
- Installations
- 4,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 2.2.2
- Severity Score
- High
- CVE
- 2023-30498
WooCommerce Easy Duplicate Product
- Plugin Slug
- woo-easy-duplicate-product
- Installations
- 4,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 0.3.0.1
- Severity Score
- High
- CVE
- 2023-30747
Thumbnail carousel slider
- Plugin Slug
- wp-responsive-thumbnail-slider
- Installations
- 4,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 1.1.10
- Severity Score
- High
- CVE
- 2023-2120
WPJAM Basic
- Plugin
- WPJAM Basic
- Plugin Slug
- wpjam-basic
- Installations
- 4,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 6.2.1.1
- Severity Score
- Medium
- CVE
- 2023-23709
File Gallery
- Plugin
- File Gallery
- Plugin Slug
- file-gallery
- Installations
- 3,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 1.8.5.4
- Severity Score
- Medium
- CVE
- 2023-23676
WP-FormAssembly
- Plugin
- WP-FormAssembly
- Plugin Slug
- formassembly-web-forms
- Installations
- 3,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 2.0.8
- Severity Score
- Medium
Robokassa payment gateway for Woocommerce
- Plugin Slug
- robokassa
- Installations
- 3,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 1.4.6
- Severity Score
- Medium
Recipe Maker For Your Food Blog from Zip Recipes
- Plugin Slug
- zip-recipes
- Installations
- 3,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 8.0.7
- Severity Score
- High
- CVE
- 2023-31076
Locatoraid Store Locator
- Plugin
- Locatoraid Store Locator
- Plugin Slug
- locatoraid
- Installations
- 2,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 3.9.15
- Severity Score
- Medium
- CVE
- 2023-2031
WP Custom Author URL
- Plugin
- WP Custom Author URL
- Plugin Slug
- wp-custom-author-url
- Installations
- 2,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 1.0.5
- Severity Score
- Medium
- CVE
- 2023-1614
WP Inventory Manager
- Plugin
- WP Inventory Manager
- Plugin Slug
- wp-inventory-manager
- Installations
- 2,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 2.1.0.12
- Severity Score
- High
- CVE
- 2023-1806
BSK Forms Blacklist
- Plugin
- BSK Forms Blacklist
- Plugin Slug
- bsk-gravityforms-blacklist
- Installations
- 1,000+
- Vulnerability
- SQL Injection
- Patched in Version
- 3.6.3
- Severity Score
- High
- CVE
- 2023-30872
Church Admin
- Plugin
- Church Admin
- Plugin Slug
- church-admin
- Installations
- 1,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 3.7.6
- Severity Score
- High
- CVE
- 2023-30782
Contact Form to DB by BestWebSoft
- Plugin Slug
- contact-form-to-db
- Installations
- 1,000+
- Vulnerability
- SQL Injection
- Patched in Version
- 1.7.1
- Severity Score
- High
- CVE
- 2023-29096
Contact Form to DB
- Plugin Slug
- contact-form-to-db
- Installations
- 1,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 1.7.1
- Severity Score
- Medium
Extensions for Leaflet Map
- Plugin Slug
- extensions-leaflet-map
- Installations
- 1,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 3.4.2
- Severity Score
- High
- CVE
- 2023-31074
Modal Dialog
- Plugin
- Modal Dialog
- Plugin Slug
- modal-dialog
- Installations
- 1,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 3.5.15
- Severity Score
- High
- CVE
- 2023-31071
Query Wrangler
- Plugin
- Query Wrangler
- Plugin Slug
- query-wrangler
- Installations
- 1,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 1.5.52
- Severity Score
- High
- CVE
- 2023-30779
Shortcode to display post and user data
- Plugin Slug
- shortcode-to-display-post-and-user-data
- Installations
- 1,000+
- Vulnerability
- Broken Access Control
- Patched in Version
- 1.2.1
- Severity Score
- Medium
- CVE
- 2023-31073
Stock Exporter for WooCommerce
- Plugin Slug
- stock-exporter-for-woocommerce
- Installations
- 1,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 1.2.0
- Severity Score
- High
- CVE
- 2023-30871
Stock Sync for WooCommerce
- Plugin Slug
- stock-sync-for-woocommerce
- Installations
- 1,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 2.4.1
- Severity Score
- High
- CVE
- 2023-31094
Video Grid
- Plugin
- Video Grid
- Plugin Slug
- video-grid
- Installations
- 1,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 1.22
- Severity Score
- High
- CVE
- 2023-30785
WP Docs
- Plugin
- WP Docs
- Plugin Slug
- wp-docs
- Installations
- 1,000+
- Vulnerability
- Broken Access Control
- Patched in Version
- 1.9.9
- Severity Score
- Medium
- CVE
- 2023-30873
Panorama
- Plugin Slug
- project-panorama-lite
- Installations
- 900+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 1.5.1
- Severity Score
- Medium
- CVE
- 2023-23810
Formilla Chat and Marketing Automation
- Plugin Slug
- formilla-chat-and-marketing
- Installations
- 100+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 1.1
- Severity Score
- Medium
Formilla Edge
- Plugin Slug
- formilla-edge
- Installations
- 90+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 1.1
- Severity Score
- Medium
ChatBot
- Plugin Slug
- xatkit-chatbot-connector
- Installations
- 10+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 4.5.1
- Severity Score
- Medium
- CVE
- 2023-1649
Form Block
- Plugin
- Form Block
- Plugin Slug
- form-block
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- 1.0.2
- Severity Score
- Medium
Google Analytics Top Content Widget
- Plugin
- Google Analytics Top Content Widget
- Plugin Slug
- google-analytics-top-posts-widget
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 1.5.6
- Severity Score
- High
- CVE
- 2015-10101
Ruby Help Desk
- Plugin
- Ruby Help Desk
- Plugin Slug
- ruby-help-desk
- Vulnerability
- Insecure Direct Object References (IDOR)
- Patched in Version
- 1.3.4
- Severity Score
- Medium
- CVE
- 2023-1125
WP Cerber Security
- Plugin
- WP Cerber Security
- Plugin Slug
- wp-cerber
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 9.2
- Severity Score
- High
- CVE
- 2022-4712
WordPress Plugin Vulnerabilities – No Known Fix
This section contains plugin vulnerabilities with no known fix. Until a patch is available, you are advised to deactivate the plugin, at minimum, immediately. If there is a high risk of active exploits or the plugin remains unpatched for weeks, you are advised to delete the plugin. You should also delete persistently unpatched plugins the WordPress.org repository has locked and marked “Closed” so they can no longer be downloaded and installed.
Yet Another Related Posts Plugin (YARPP)
- Plugin Slug
- yet-another-related-posts-plugin
- Installations
- 100,000+
- Vulnerability
- Local File Inclusion
- Patched in Version
- No Fix
- Severity Score
- High
- CVE
- 2022-45374
Simple Share Buttons Adder
- Plugin Slug
- simple-share-buttons-adder
- Installations
- 80,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2022-47178
Themify Portfolio Post
- Plugin
- Themify Portfolio Post
- Plugin Slug
- themify-portfolio-post
- Installations
- 50,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2022-32970
GDPR Compliance & Cookie Consent
- Plugin Slug
- gdpr-compliance-cookie-consent
- Installations
- 20,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2022-45815
ShopEngine
- Plugin Slug
- shopengine
- Installations
- 20,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2022-45371
Pearl
- Plugin Slug
- pearl-header-builder
- Installations
- 10,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2022-38356
ReviewX – Multi-criteria Rating & Reviews for WooCommerce
- Plugin Slug
- reviewx
- Installations
- 10,000+
- Vulnerability
- SQL Injection
- Patched in Version
- No Fix
- Severity Score
- High
- CVE
- 2023-26325
Simple Tooltips
- Plugin
- Simple Tooltips
- Plugin Slug
- simple-tooltips
- Installations
- 10,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-25958
Smart WooCommerce Search
- Plugin
- Smart WooCommerce Search
- Plugin Slug
- smart-woocommerce-search
- Installations
- 10,000+
- Vulnerability
- Broken Access Control
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-30783
WP Page Numbers
- Plugin
- WP Page Numbers
- Plugin Slug
- wp-page-numbers
- Installations
- 10,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-27623
I Recommend This
- Plugin
- I Recommend This
- Plugin Slug
- i-recommend-this
- Installations
- 9,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-23673
Motors
- Plugin Slug
- motors-car-dealership-classified-listings
- Installations
- 9,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2022-38716
Redirect After Login
- Plugin
- Redirect After Login
- Plugin Slug
- redirect-after-login
- Installations
- 9,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-27624
SparkPost
- Plugin
- SparkPost
- Plugin Slug
- sparkpost
- Installations
- 9,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-23654
White Label Branding for Elementor Page Builder
- Plugin Slug
- white-label-branding-elementor
- Installations
- 9,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-23683
Arconix Shortcodes
- Plugin
- Arconix Shortcodes
- Plugin Slug
- arconix-shortcodes
- Installations
- 8,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-23703
Rating-Widget: Star Review System
- Plugin Slug
- rating-widget
- Installations
- 8,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-23831
BBSpoiler
- Plugin
- BBSpoiler
- Plugin Slug
- bbspoiler
- Installations
- 7,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-23873
Mail Subscribe List
- Plugin
- Mail Subscribe List
- Plugin Slug
- mail-subscribe-list
- Installations
- 7,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-23657
SiteAlert
- Plugin Slug
- my-wp-health-check
- Installations
- 7,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2022-46857
Social Share Boost
- Plugin
- Social Share Boost
- Plugin Slug
- social-share-boost
- Installations
- 6,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-23688
FormCraft
- Plugin Slug
- formcraft-form-builder
- Installations
- 5,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-22717
WP-dTree
- Plugin
- WP-dTree
- Plugin Slug
- wp-dtree-30
- Installations
- 5,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2022-47423
WP Links Page
- Plugin
- WP Links Page
- Plugin Slug
- wp-links-page
- Installations
- 5,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-22720
BadgeOS
- Plugin
- BadgeOS
- Plugin Slug
- badgeos
- Installations
- 4,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2022-41987
Booking calendar, Appointment Booking System
- Plugin Slug
- booking-calendar
- Installations
- 4,000+
- Vulnerability
- SQL Injection
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2022-47428
Email posts to subscribers
- Plugin Slug
- email-posts-to-subscribers
- Installations
- 4,000+
- Vulnerability
- SQL Injection
- Patched in Version
- No Fix
- Severity Score
- High
- CVE
- 2022-46818
Layer Slider
- Plugin
- Layer Slider
- Plugin Slug
- slider-slideshow
- Installations
- 4,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- High
- CVE
- 2023-23671
Zendesk Support for WordPress
- Plugin Slug
- zendesk
- Installations
- 4,000+
- Vulnerability
- Broken Access Control
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-23716
Button Builder – Buttons X
- Plugin Slug
- buttons-x
- Installations
- 3,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-23867
Subscribers
- Plugin Slug
- subscribers-com
- Installations
- 3,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-22684
Uji Popup
- Plugin
- Uji Popup
- Plugin Slug
- uji-popup
- Installations
- 3,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-23641
Update Image Tag Alt Attribute
- Plugin Slug
- update-alt-attribute
- Installations
- 3,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- High
- CVE
- 2023-27455
WCP Contact Form
- Plugin
- WCP Contact Form
- Plugin Slug
- wcp-contact-form
- Installations
- 3,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- High
- CVE
- 2023-22703
WP BrowserUpdate
- Plugin
- WP BrowserUpdate
- Plugin Slug
- wp-browser-update
- Installations
- 3,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-31078
WP BrowserUpdate
- Plugin
- WP BrowserUpdate
- Plugin Slug
- wp-browser-update
- Installations
- 3,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-28690
ARMember
- Plugin Slug
- armember-membership
- Installations
- 2,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- High
- CVE
- 2022-47140
Progress Bar
- Plugin
- Progress Bar
- Plugin Slug
- progress-bar
- Installations
- 2,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-23699
PropertyHive
- Plugin
- PropertyHive
- Plugin Slug
- propertyhive
- Installations
- 2,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- High
- CVE
- 2023-22706
Updraft
- Plugin
- Updraft
- Plugin Slug
- updraft
- Installations
- 2,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- High
- CVE
- 2023-26530
Advanced Category Template
- Plugin Slug
- advanced-category-template
- Installations
- 1,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- High
- CVE
- 2023-31072
Continuous announcement scroller
- Plugin Slug
- continuous-announcement-scroller
- Installations
- 1,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2022-46819
Easy Slider Revolution
- Plugin
- Easy Slider Revolution
- Plugin Slug
- easy-slider-revolution
- Installations
- 1,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-28622
Ebook Store
- Plugin
- Ebook Store
- Plugin Slug
- ebook-store
- Installations
- 1,000+
- Vulnerability
- Broken Authentication
- Patched in Version
- No Fix
- Severity Score
- High
- CVE
- 2023-22701
Ebook Store
- Plugin
- Ebook Store
- Plugin Slug
- ebook-store
- Installations
- 1,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-22690
Gallery Metabox
- Plugin
- Gallery Metabox
- Plugin Slug
- gallery-metabox
- Installations
- 1,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2022-47134
Simple Giveaways
- Plugin Slug
- giveasap
- Installations
- 1,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-31086
Inactive User Deleter
- Plugin
- Inactive User Deleter
- Plugin Slug
- inactive-user-deleter
- Installations
- 1,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-27424
Kodex Posts likes
- Plugin
- Kodex Posts likes
- Plugin Slug
- kodex-posts-likes
- Installations
- 1,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2022-46814
Verified Reviews (Avis Vérifiés)
- Plugin Slug
- netreviews
- Installations
- 1,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-23720
Accessibility Suite by Online ADA
- Plugin Slug
- online-accessibility
- Installations
- 1,000+
- Vulnerability
- SQL Injection
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2022-47420
Premmerce
- Plugin
- Premmerce
- Plugin Slug
- premmerce
- Installations
- 1,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-23719
The School Management
- Plugin Slug
- school-management-system
- Installations
- 1,000+
- Vulnerability
- SQL Injection
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2022-47430
Shortcode IMDB
- Plugin
- Shortcode IMDB
- Plugin Slug
- shortcode-imdb
- Installations
- 1,000+
- Vulnerability
- SQL Injection
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2022-47432
Tippy
- Plugin
- Tippy
- Plugin Slug
- tippy
- Installations
- 1,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-31079
Video XML Sitemap Generator
- Plugin Slug
- video-xml-sitemap-generator
- Installations
- 1,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-31089
Yatra
- Plugin
- Best Travel Booking WordPress Plugin, Tour Booking System, Trip Booking WordPress Plugin – Yatra
- Plugin Slug
- yatra
- Installations
- 1,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2022-47436
Semalt Blocker
- Plugin
- Semalt Blocker
- Plugin Slug
- semalt
- Installations
- 900+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-23794
Woocommerce Products Designer by ORION
- Plugin Slug
- woocommerce-products-designer
- Installations
- 900+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2022-46856
ApexChat
- Plugin
- ApexChat
- Plugin Slug
- apexchat
- Installations
- 600+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-28414
eRocket
- Plugin
- eRocket
- Plugin Slug
- erocket
- Installations
- 600+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-28174
Flyzoo Chat
- Plugin
- Flyzoo Chat
- Plugin Slug
- flyzoo
- Installations
- 600+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2022-46817
Cab Grid
- Plugin
- Cab Grid
- Plugin Slug
- cab-grid
- Installations
- 300+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-28533
Clock In Portal
- Plugin Slug
- clock-in-portal
- Installations
- 300+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-0761
Clock In Portal
- Plugin Slug
- clock-in-portal
- Installations
- 300+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-0762
Clock In Portal
- Plugin Slug
- clock-in-portal
- Installations
- 300+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-0763
GPS Plotter
- Plugin
- Gps Plotter
- Plugin Slug
- gps-plotter
- Installations
- 200+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-30874
Woocommerce Tip/Donation
- Plugin
- Woocommerce Tip/Donation
- Plugin Slug
- woo-tipdonation
- Installations
- 200+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-28783
Dynamically Register Sidebars
- Plugin Slug
- dynamically-register-sidebars
- Installations
- 100+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-31091
Easy Bet
- Plugin
- Easy Bet
- Plugin Slug
- easy-bet
- Installations
- 100+
- Vulnerability
- SQL Injection
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-31092
Logo Scheduler
- Plugin Slug
- logo-scheduler-great-for-holidays-events-and-more
- Installations
- 100+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-30875
Woocommerce Email Report
- Plugin
- Woocommerce Email Report
- Plugin Slug
- wooemailreport
- Installations
- 100+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- High
- CVE
- 2023-27627
Pickup | Delivery | Dine-in date time
- Plugin Slug
- restaurant-pickup-delivery-dine-in
- Installations
- 70+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-0894
Advanced Youtube Channel Pagination
- Plugin Slug
- advanced-youtube-channel-pagination
- Installations
- 60+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- High
- CVE
- 2023-28693
hiWeb Migration Simple
- Plugin
- hiWeb Migration Simple
- Plugin Slug
- hiweb-migration-simple
- Installations
- 20+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- High
- CVE
- 2023-0769
UserPlus
- Plugin Slug
- userplus
- Installations
- 10+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- High
- CVE
- 2023-0824
Chronosly Events Calendar
- Plugin
- Chronosly Events Calendar
- Plugin Slug
- chronosly-events-calendar
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-31093
Cloud Manager
- Plugin
- Cloud Manager
- Plugin Slug
- cloud-manager
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- High
- CVE
- 2023-0421
CRM Memberships
- Plugin
- CRM Memberships
- Plugin Slug
- crm-memberships
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-27427
Dave’s WordPress Live Search
- Plugin
- Dave’s WordPress Live Search
- Plugin Slug
- daves-wordpress-live-search
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-30876
Decon WP SMS
- Plugin
- Decon WP SMS
- Plugin Slug
- decon-wp-sms
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-27416
Easy Ad Manager
- Plugin
- Easy Ad Manager
- Plugin Slug
- easy-ad-manager
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-25460
EZP Maintenance Mode
- Plugin
- EZP Maintenance Mode
- Plugin Slug
- easy-pie-maintenance-mode
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-23682
Forms Ada
- Plugin
- Forms Ada – Form Builder
- Plugin Slug
- forms-ada-form-builder
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- High
- CVE
- 2023-27613
Login Page Styler
- Plugin
- Login Page Styler
- Plugin Slug
- login-page-styler
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2022-46861
NS Coupon to Become Customer
- Plugin Slug
- ns-coupon-to-become-customer
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-27422
Reservation.Studio widget
- Plugin Slug
- reservation-studio-widget
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-25468
Sloth Logo Customizer
- Plugin
- Sloth Logo Customizer
- Plugin Slug
- sloth-logo-customizer
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-0603
vSlider Multi Image Slider for WordPress
- Plugin
- vSlider Multi Image Slider for WordPress
- Plugin Slug
- vslider
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-22672
WP Login Box
- Plugin
- WP Login Box
- Plugin Slug
- wp-login-box
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-0544
ZM Ajax Login & Register
- Plugin
- ZM Ajax Login & Register
- Plugin Slug
- zm-ajax-login-register
- Vulnerability
- Bypass Vulnerability
- Patched in Version
- No Fix
- Severity Score
- Critical
- CVE
- 2023-2027
ZM Ajax Login & Register
- Plugin
- ZM Ajax Login & Register
- Plugin Slug
- zm-ajax-login-register
- Vulnerability
- Broken Authentication
- Patched in Version
- No Fix
- Severity Score
- Critical
- CVE
- 2023-2027
WordPress Theme Vulnerabilities
In this section, you’ll find the latest WordPress theme vulnerabilities to be disclosed. You’ll see the same information provided above for vulnerable plugins, and the same advice applies. If a security update exists, install it immediately. If a vulnerability remains unpatched in a theme you are actively using, you will need to find an alternative theme. Deactivate and delete persistently unpatched themes and those that have been “Closed” in the WordPress.org theme repository. If you have a vulnerable theme installed that you are not actively using, simply delete it.
Never worry about running a vulnerable plugin or theme again.
As you can see from this report, new WordPress plugin and theme vulnerabilities are disclosed every week. We know it can be difficult to stay on top of every reported vulnerability disclosure that matters to you, so the Themes Security Pro plugin makes it easy to ensure your site isn’t running a vulnerable theme, plugin, or version of WordPress core.
The Best WordPress Security Plugin to Secure & Protect WordPress Sites
WordPress currently powers over 40% of all websites, so it has become a popular target for hackers with malicious intent. The iThemes Security Pro plugin takes the guesswork out of WordPress security to make it easy to secure & protect your WordPress website. It’s like having a full-time security expert on staff who constantly monitors and protects your WordPress site for you.
Dan Knauss is StellarWP’s Technical Content Generalist. He’s been a writer, teacher, and freelancer working in open source since the late 1990s and with WordPress since 2004.
