WordPress Vulnerability Report

Since last week, 90 total vulnerabilities emerged in public disclosure. They may affect over one million WordPress sites. There are 49 plugin vulnerabilities and five theme vulnerabilities with security patches, so run those updates!

Additionally, there are 35 plugin vulnerabilities and one theme vulnerability with no patch available yet. If you use an unpatched plugin or theme, check their vendors’ intentions and progress on a security release. Suppose no patch is forthcoming or the vulnerable software has been marked “closed” and dropped from the official WordPress theme and plugin repositories. In that case, you should consider deactivation and removal in favor of alternative solutions.

WordPress Core News

WordPress 6.3 “Lionel” is out! This new release of WordPress was built to help you “create beautiful and compelling websites more efficiently than ever.” See what’s new in WordPress 6.3.

Don’t forget to fully back up your website before installing WordPress 6.3. BackupBuddy, the industry-leading data protection and recovery solution for WordPress, will help you build a strong backup strategy to manage all updates. Embrace the enhanced content creation experience of WordPress 6.3 with confidence — and a backup copy of your website safely stored on a remote server.

WordPress Core Vulnerabilities — Patched

No new WordPress core vulnerabilities were disclosed this week.

WordPress core is very secure when it’s properly configured and maintained. Vulnerable plugins not updated by site owners are the most common vector for attacks on WordPress websites. Our weekly WordPress Vulnerability Report, powered by Patchstack, covers new vulnerabilities that have emerged in plugins, themes, and/or WordPress core since last week’s report. Our goal is to spread awareness of emerging security threats and help you decide what to do if you find vulnerable software on your website. For a deeper analysis of recent trends in WordPress vulnerabilities and threat vectors, see our 2022 Annual Vulnerability Report.

These reports are published every Wednesday and include all active vulnerabilities tracked by Patchstack as of Monday since the previous report. This leaves a 48-hour window for the newest emerging vulnerabilities to be patched before full public disclosure. iThemes Security Pro users have access to vulnerability alerts emerging within this window.

Get the weekly WordPress Vulnerability Report delivered to your inbox each Wednesday.

WordPress Plugin Vulnerabilities — Patched

In this section, you’ll find the most recently disclosed WordPress plugin vulnerabilities fixed with a new release from their authors and maintainers. Please apply the updates if you are affected!

These vulnerabilities have been disclosed and scored for their severity, thanks to our friends at Patchstack. Each plugin listing includes the type of vulnerability with its CVE number and CVSS severity rating with links to more technical details. You’ll also see the number of active sites using the plugin and the plugin version release that patches the vulnerability. We start with the most popular plugins, representing the largest target for attackers.

Header Footer Code Manager

Plugin: Header Footer Code Manager
Plugin Slug: header-footer-code-manager
Installations: 400,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.1.35
Severity Score: Medium
CVE: 2023-39989

Gutenberg Blocks by Kadence Blocks – Page Builder

Plugin: Gutenberg Blocks by Kadence Blocks – Page Builder Features
Plugin Slug: kadence-blocks
Installations: 300,000+
Vulnerability: Arbitrary File Upload
Patched in Version: 3.1.11
Severity Score: Critical

Ultimate Member

Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
Plugin Slug: ultimate-member
Installations: 200,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 2.6.9
Severity Score: Medium

EmbedPress

Plugin: EmbedPress – Embed PDF, YouTube, Google Docs, Vimeo, Wistia Videos, Audios, Maps & Any Documents in Gutenberg & Elementor
Plugin Slug: embedpress
Installations: 80,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.8.3
Severity Score: Medium
CVE: 2023-4283

EmbedPress

Plugin: EmbedPress – Embed PDF, YouTube, Google Docs, Vimeo, Wistia Videos, Audios, Maps & Any Documents in Gutenberg & Elementor
Plugin Slug: embedpress
Installations: 80,000+
Vulnerability: Broken Access Control
Patched in Version: 3.8.3
Severity Score: Medium
CVE: 2023-4282

The Post Grid

Plugin: The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid
Plugin Slug: the-post-grid
Installations: 60,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 7.2.8
Severity Score: Medium
CVE: 2023-39923

Post Grid Combo

Plugin: Post Grid Combo – 36+ Blocks for Gutenberg
Plugin Slug: post-grid
Installations: 50,000+
Vulnerability: Sensitive Data Exposure
Patched in Version: 2.2.51
Severity Score: High
CVE: 2023-40211

Profile Builder

Plugin: Profile Builder – User Profile & User Registration Forms
Plugin Slug: profile-builder
Installations: 50,000+
Vulnerability: Broken Access Control
Patched in Version: 3.9.8
Severity Score: Medium

Chatbot

Plugin: AI Engine: ChatGPT Chatbot, Content Generator, GPT 3 & 4, Ultra-Customizable
Plugin Slug: ai-engine
Installations: 30,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 4.7.8
Severity Score: Medium
CVE: 2023-4254

Chatbot

Plugin: AI Engine: ChatGPT Chatbot, Content Generator, GPT 3 & 4, Ultra-Customizable
Plugin Slug: ai-engine
Installations: 30,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 4.7.8
Severity Score: Medium
CVE: 2023-4253

Popup by Supsystic

Plugin: Popup by Supsystic
Plugin Slug: popup-by-supsystic
Installations: 20,000+
Vulnerability: Broken Access Control
Patched in Version: 1.10.20
Severity Score: Medium
CVE: 2023-39997

Themesflat Addons For Elementor

Plugin: Themesflat Addons For Elementor
Plugin Slug: themesflat-addons-for-elementor
Installations: 20,000+
Vulnerability: PHP Object Injection
Patched in Version: 2.0.1
Severity Score: High
CVE: 2023-37390

Booking Package

Plugin: Booking Package
Plugin Slug: booking-package
Installations: 10,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.6.02
Severity Score: High
CVE: 2023-39918

Justified Gallery

Plugin: Justified Gallery
Plugin Slug: justified-gallery
Installations: 10,000+
Vulnerability: Broken Access Control
Patched in Version: 1.8.0
Severity Score: Medium
CVE: 2023-40213

Qubely

Plugin: Qubely – Advanced Gutenberg Blocks
Plugin Slug: qubely
Installations: 10,000+
Vulnerability: Broken Access Control
Patched in Version: 1.8.6
Severity Score: Medium
CVE: 2021-24916

User Activity Log

Plugin: User Activity Log
Plugin Slug: user-activity-log
Installations: 10,000+
Vulnerability: Broken Access Control
Patched in Version: 1.6.6
Severity Score: Medium

WP Project Manager

Plugin: WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts
Plugin Slug: wedevs-project-manager
Installations: 10,000+
Vulnerability: Broken Access Control
Patched in Version: 2.6.5
Severity Score: High
CVE: 2023-3636

Premium Packages

Plugin: Premium Packages – Sell Digital Products Securely
Plugin Slug: wpdm-premium-packages
Installations: 5,000+
Vulnerability: Privilege Escalation
Patched in Version: 5.7.5
Severity Score: High
CVE: 2023-4293

Stock Ticker

Plugin: Stock Ticker
Plugin Slug: stock-ticker
Installations: 4,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.23.4
Severity Score: High
CVE: 2023-40208

Stock Ticker

Plugin: Stock Ticker
Plugin Slug: stock-ticker
Installations: 4,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.23.3
Severity Score: High
CVE: 2022-45365

Accordion and Accordion Slider

Plugin: Accordion and Accordion Slider
Plugin Slug: accordion-and-accordion-slider
Installations: 3,000+
Vulnerability: Broken Access Control
Patched in Version: 1.2.5
Severity Score: Medium
CVE: 2023-39996

Online Booking & Scheduling Calendar for WordPress by vcita

Plugin: Online Booking & Scheduling Calendar for WordPress by vcita
Plugin Slug: meeting-scheduler-by-vcita
Installations: 3,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 4.3.3
Severity Score: High
CVE: 2023-39992

Paid Memberships Pro

Plugin: Premium Courses & eLearning with Paid Memberships Pro for LearnDash, LifterLMS, Sensei LMS & TutorLMS
Plugin Slug: pmpro-courses
Installations: 3,000+
Vulnerability: Broken Access Control
Patched in Version: 1.2.4
Severity Score: Medium
CVE: 2023-39990

Paid Memberships Pro

Plugin: Premium Courses & eLearning with Paid Memberships Pro for LearnDash, LifterLMS, Sensei LMS & TutorLMS
Plugin Slug: pmpro-courses
Installations: 3,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.2.5
Severity Score: Medium

User Activity Tracking and Log

Plugin: User Activity Tracking and Log
Plugin Slug: user-activity-tracking-and-log
Installations: 3,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 4.0.9
Severity Score: Medium
CVE: 2023-4150

WooCommerce PDF Invoice Builder

Plugin: WooCommerce PDF Invoice Builder, Create invoices, packing slips and more
Plugin Slug: woo-pdf-invoice-builder
Installations: 3,000+
Vulnerability: SQL Injection
Patched in Version: 1.2.90
Severity Score: High
CVE: 2023-3677

WooCommerce PDF Invoice Builder

Plugin: WooCommerce PDF Invoice Builder, Create invoices, packing slips and more
Plugin Slug: woo-pdf-invoice-builder
Installations: 3,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.2.91
Severity Score: Medium
CVE: 2023-3764

ImageRecycle pdf & image compression

Plugin: ImageRecycle pdf & image compression
Plugin Slug: imagerecycle-pdf-image-compression
Installations: 2,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.1.12
Severity Score: High
CVE: 2023-40196

ImageRecycle pdf & image compression

Plugin: ImageRecycle pdf & image compression
Plugin Slug: imagerecycle-pdf-image-compression
Installations: 2,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.1.11
Severity Score: High
CVE: 2023-30494

Leyka

Plugin: Leyka
Plugin Slug: leyka
Installations: 2,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.30.3
Severity Score: High
CVE: 2023-39314

Portfolio and Projects

Plugin: Portfolio and Projects
Plugin Slug: portfolio-and-projects
Installations: 2,000+
Vulnerability: Broken Access Control
Patched in Version: 1.3.8
Severity Score: Medium
CVE: 2023-39995

WP Testimonials

Plugin: WP Testimonials
Plugin Slug: testimonial-widgets
Installations: 2,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.4.3
Severity Score: Medium
CVE: 2023-2830

Atarim

Plugin: Visual Website Collaboration, Feedback & Project Management – Atarim
Plugin Slug: atarim-visual-collaboration
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.9.4
Severity Score: High
CVE: 2023-37393

Bubble Menu

Plugin: Bubble Menu – circle floating menu
Plugin Slug: bubble-menu
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.0.5
Severity Score: Medium
CVE: 2023-3650

Photo Gallery by Ays – Responsive Image Gallery

Plugin: Photo Gallery by Ays – Responsive Image Gallery
Plugin Slug: gallery-photo-gallery
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 5.2.7
Severity Score: Medium
CVE: 2023-39917

POEditor

Plugin: POEditor
Plugin Slug: poeditor
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 0.9.8
Severity Score: Medium
CVE: 2023-4209

Sign-up Sheets

Plugin: Sign-up Sheets
Plugin Slug: sign-up-sheets
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 2.2.9
Severity Score: Medium
CVE: 2023-39165

Post Timeline

Plugin: Post Timeline
Plugin Slug: post-timeline
Installations: 800+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.2.6
Severity Score: High
CVE: 2023-4284

wpShopGermany – Protected Shops

Plugin: wpShopGermany – Protected Shops
Plugin Slug: wpshopgermany-protectedshops
Installations: 40+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.1
Severity Score: Medium
CVE: 2023-39919

Advanced Custom Fields Pro premium

Plugin: Advanced Custom Fields PRO
Plugin Slug: advanced-custom-fields-pro
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 6.1.8
Severity Score: Medium

ARMember Premium

Plugin: ARMember Premium
Plugin Slug: armember
Vulnerability: Broken Access Control
Patched in Version: 5.9.3
Severity Score: Medium
CVE: 2023-39994

Biometric Login for WooCommerce

Plugin: Biometric Login for WooCommerce
Plugin Slug: biometric-login-for-woocommerce
Vulnerability: Privilege Escalation
Patched in Version: 1.0.4
Severity Score: Critical

Avada Builder

Plugin: Fusion Builder
Plugin Slug: fusion-builder
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.11.2
Severity Score: High
CVE: 2023-39306

Avada Builder

Plugin: Fusion Builder
Plugin Slug: fusion-builder
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 3.11.2
Severity Score: High
CVE: 2023-39311

Avada Builder

Plugin: Fusion Builder
Plugin Slug: fusion-builder
Vulnerability: Broken Access Control
Patched in Version: 3.11.2
Severity Score: Medium
CVE: 2023-39310

Avada Builder

Plugin: Fusion Builder
Plugin Slug: fusion-builder
Vulnerability: SQL Injection
Patched in Version: 3.11.2
Severity Score: High
CVE: 2023-39309

Jupiter X Core

Plugin: JupiterX Core
Plugin Slug: jupiterx-core
Vulnerability: Broken Access Control
Patched in Version: 3.3.5
Severity Score: Medium
CVE: 2023-38394

Jupiter X Core

Plugin: JupiterX Core
Plugin Slug: jupiterx-core
Vulnerability: Broken Access Control
Patched in Version: 3.3.5
Severity Score: High
CVE: 2023-38385

WooCommerce One Page Checkout

Plugin: WooCommerce One Page Checkout
Plugin Slug: woocommerce-one-page-checkout
Vulnerability: Local File Inclusion
Patched in Version: 2.4.0
Severity Score: High
CVE: 2023-35881

WordPress Plugin Vulnerabilities — Unpatched

This section contains plugin vulnerabilities with no known fix. Until a patch is available, you are advised to deactivate the plugin, at minimum, immediately. If there is a high risk of active exploits or the plugin remains unpatched for weeks, you are advised to delete the plugin. You should also delete persistently unpatched plugins the WordPress.org repository has locked and marked “Closed” so they can no longer be downloaded and installed.

Printful Integration for WooCommerce

Plugin: Printful Integration for WooCommerce
Plugin Slug: printful-shipping-for-woocommerce
Installations: 60,000+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2022-47168

WP 404 Auto Redirect to Similar Post

Plugin: WP 404 Auto Redirect to Similar Post
Plugin Slug: wp-404-auto-redirect-to-similar-post
Installations: 50,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-40206

MailChimp Forms by MailMunch

Plugin: MailChimp Forms by MailMunch
Plugin Slug: mailchimp-forms-by-mailmunch
Installations: 30,000+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-40203

flowpaper

Plugin: flowpaper
Plugin Slug: flowpaper-lite-pdf-flipbook
Installations: 20,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-40197

Futurio Extra

Plugin: Futurio Extra
Plugin Slug: futurio-extra
Installations: 20,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-40201

Email Template Designer – WP HTML Mail

Plugin: Email Template Designer – WP HTML Mail
Plugin Slug: wp-html-mail
Installations: 20,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-40202

PixTypes

Plugin: PixTypes
Plugin Slug: pixtypes
Installations: 10,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-40205

Theme Demo Import

Plugin: Theme Demo Import
Plugin Slug: theme-demo-import
Installations: 10,000+
Vulnerability: Arbitrary File Upload
Patched in Version: No Fix
Severity Score: Critical
CVE: 2023-28170

WP Categories Widget

Plugin: WP Categories Widget
Plugin Slug: wp-categories-widget
Installations: 8,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-31220

Product Attachment for WooCommerce

Plugin: Product Attachment for WooCommerce
Plugin Slug: woo-product-attachment
Installations: 6,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-40212

SendPress Newsletters

Plugin: SendPress Newsletters
Plugin Slug: sendpress
Installations: 5,000+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-35040

YITH WooCommerce Waitlist

Plugin: YITH WooCommerce Waitlist
Plugin Slug: yith-woocommerce-waiting-list
Installations: 5,000+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-36506

BigBlueButton

Plugin: BigBlueButton
Plugin Slug: bigbluebutton
Installations: 4,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-39991

Easy Cookie Law

Plugin: Easy Cookie Law
Plugin Slug: easy-cookie-law
Installations: 4,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-40198

Make Paths Relative

Plugin: Make Paths Relative
Plugin Slug: make-paths-relative
Installations: 4,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-27433

WP Like Button

Plugin: WP Like Button
Plugin Slug: wp-like-button
Installations: 4,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-40199

LINE Notify

Plugin: WP LINE Notify
Plugin Slug: wp-line-notify
Installations: 2,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-30497

Password Reset with Code for WordPress REST API

Plugin: Password Reset with Code for WordPress REST API
Plugin Slug: bdvs-password-reset
Installations: 1,000+
Vulnerability: Broken Authentication
Patched in Version: No Fix
Severity Score: Critical
CVE: 2023-35039

Highcompress Image Compressor

Plugin: Highcompress Image Compressor
Plugin Slug: high-compress
Installations: 1,000+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-40209

Kangu para WooCommerce

Plugin: Kangu para WooCommerce
Plugin Slug: kangu
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-32296

SB Child List

Plugin: SB Child List
Plugin Slug: sb-child-list
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-40210

WxSync

Plugin: WxSync-??????????????-?????????????
Plugin Slug: wxsync
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-39988

wSecure Lite

Plugin: wSecure Lite
Plugin Slug: wsecure
Installations: 900+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-39987

Easy!Appointments

Plugin: Easy!Appointments
Plugin Slug: easyappointments
Installations: 800+
Vulnerability: Arbitrary File Deletion
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-32295

Avartan Slider Lite

Plugin: Responsive WordPress Slider – Avartan Slider Lite
Plugin Slug: avartan-slider-lite
Installations: 600+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-30485

WebLibrarian

Plugin: WebLibrarian
Plugin Slug: weblibrarian
Installations: 500+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-29441

demon image annotation

Plugin: demon image annotation
Plugin Slug: demon-image-annotation
Installations: 10+
Vulnerability: SQL Injection
Patched in Version: No Fix
Severity Score: High
CVE: 2023-40215

Absolute Privacy

Plugin: Absolute Privacy
Plugin Slug: absolute-privacy
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-4276

All Users Messenger

Plugin: All Users Messenger
Plugin Slug: all-users-messenger
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-4023

Canto

Plugin: Canto
Plugin Slug: canto
Vulnerability: Remote File Inclusion
Patched in Version: No Fix
Severity Score: Critical
CVE: 2023-3452

FULL Customer

Plugin: FULL Customer
Plugin Slug: full-customer
Vulnerability: Sensitive Data Exposure
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-4242

FULL Customer

Plugin: FULL Customer
Plugin Slug: full-customer
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: High
CVE: 2023-4243

Real Estate Manager

Plugin: Real Estate Manager
Plugin Slug: real-estate-manager
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: High
CVE: 2023-4239

Realia

Plugin: Realia
Plugin Slug: realia
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-4277

Donations Made Easy – Smart Donations

Plugin: Donations Made Easy – Smart Donations
Plugin Slug: smart-donations
Vulnerability: SQL Injection
Patched in Version: No Fix
Severity Score: High
CVE: 2023-40207

WordPress Theme Vulnerabilities

In this section, you’ll find the latest WordPress theme vulnerabilities to be disclosed. You’ll see the same information we provided above for vulnerable plugins, and the same advice applies. If a security update exists, install it immediately. If a vulnerability remains unpatched in a theme you are actively using, you must find an alternative theme. Deactivate and delete persistently unpatched themes and those marked “Closed” in the WordPress.org theme repository. If you have a vulnerable theme installed that you are not actively using, delete it.

Avada

Theme: Avada
Theme Slug: avada
Vulnerability: Broken Access Control
Patched in Version: 7.11.2
Severity Score: Medium
CVE: 2023-39922

Avada

Theme: Avada
Theme Slug: avada
Vulnerability: Arbitrary File Upload
Patched in Version: 7.11.2
Severity Score: High
CVE: 2023-39307

Avada

Theme: Avada
Theme Slug: avada
Vulnerability: Server Side Request Forgery (SSRF)
Patched in Version: 7.11.2
Severity Score: High
CVE: 2023-39313

Avada

Theme: Avada
Theme Slug: avada
Vulnerability: Arbitrary File Upload
Patched in Version: 7.11.2
Severity Score: Critical
CVE: 2023-39312

BeTheme

Theme: Betheme
Theme Slug: betheme
Vulnerability: Broken Access Control
Patched in Version: 27.1.2
Severity Score: High
CVE: 2023-39998

Business Pro

Theme: Business Pro
Theme Slug: business-pro
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-40214

Never worry about running a vulnerable plugin or theme again.

As you can see from this report, new WordPress plugin and theme vulnerabilities are disclosed every week. We know it can be difficult to stay on top of every reported vulnerability disclosure that matters to you, so the Themes Security Pro plugin makes it easy to ensure your site isn’t running a vulnerable theme, plugin, or version of WordPress core.

Scans Your Website Twice a Day for Vulnerabilities

Your website’s plugins, themes, and WordPress core versions are checked against the Patchstack Vulnerability Database for the latest vulnerability disclosures.

Automatically Updates if a Security Fix is Available

Paired with Version Management, iThemes Security will automatically update a plugin, theme, or WordPress core version if it has a vulnerability.

Emails You a Warning if Site Scan Detects a Vulnerability

You can receive an email report if your site is running vulnerable versions of a plugin, theme, or WordPress core. Customize the email addresses that receive scan results.

The Best WordPress Security Plugin to Secure & Protect WordPress Sites

WordPress currently powers over 40% of all websites, so it has become a popular target for hackers with malicious intent. The iThemes Security Pro plugin takes the guesswork out of WordPress security to make it easy to secure & protect your WordPress website. It’s like having a full-time security expert on staff who constantly monitors and protects your WordPress site for you.

Buy iThemes Security Pro

Dan Knauss

Dan Knauss is StellarWP’s Technical Content Generalist. He’s been a writer, teacher, and freelancer working in open source since the late 1990s and with WordPress since 2004.

WordPress Vulnerability Report – August 16, 2023

WordPress Core News

WordPress Core Vulnerabilities — Patched

WordPress Plugin Vulnerabilities — Patched

WordPress Plugin Vulnerabilities — Unpatched

WordPress Theme Vulnerabilities

Never worry about running a vulnerable plugin or theme again.

Scans Your Website Twice a Day for Vulnerabilities

Automatically Updates if a Security Fix is Available

Emails You a Warning if Site Scan Detects a Vulnerability

The Best WordPress Security Plugin to Secure & Protect WordPress Sites

Other related posts

About iThemes

Resources

Customers

Top Products

Get the Weekly WordPress Vulnerability Report

Vulnerable WordPress plugins and themes are the #1 reason WordPress sites get hacked, but keeping track of every new plugin and theme vulnerability is hard work. Get the weekly WordPress Vulnerability Report delivered right to your inbox to help keep your website secure.

Get the Weekly WordPress Vulnerability Report