WordPress Vulnerability Report

Since last week, 94 total vulnerabilities emerged in public disclosure. They may affect over 7 million WordPress sites. There are 56 plugin vulnerabilities with security patches, so run those updates!

Additionally, there are 35 plugin vulnerabilities and three theme vulnerabilities with no patch available yet. If you use an unpatched plugin or theme, check their vendors’ intentions and progress on a security release. Suppose no patch is forthcoming or the vulnerable software has been marked “closed” and dropped from the official WordPress theme and plugin repositories. In that case, you should consider deactivation and removal in favor of alternative solutions.

FREE ONLINE TRAINING EVENT AUG 8TH @ 1:00 P.M. (CT)

New research from Snicco, WeWatchYourWebsite, Automattic-backed GridPane, and PatchStack claims WordPress security plugins with malware scanners are fundamentally flawed. And they’re being actively defeated by malware in the wild right now!

In this webinar, StellarWP technical writer Dan Knauss will explain the problem with malware scanners and the WordPress security best practices you need to implement to keep your sites truly safe.

WordPress Core Vulnerabilities — Patched

No new WordPress core vulnerabilities were disclosed this week.

WordPress core is very secure when it’s properly configured and maintained. Vulnerable plugins not updated by site owners are the most common vector for attacks on WordPress websites. Our weekly WordPress Vulnerability Report, powered by Patchstack, covers new vulnerabilities that have emerged in plugins, themes, and/or WordPress core since last week’s report. Our goal is to spread awareness of emerging security threats and help you decide what to do if you find vulnerable software on your website. For a deeper analysis of recent trends in WordPress vulnerabilities and threat vectors, see our 2022 Annual Vulnerability Report.

These reports are published every Wednesday and include all active vulnerabilities tracked by Patchstack as of Monday since the previous report. This leaves a 48-hour window for the newest emerging vulnerabilities to be patched before full public disclosure. iThemes Security Pro users have access to vulnerability alerts emerging within this window.

Get the weekly WordPress Vulnerability Report delivered to your inbox each Wednesday.

WordPress Plugin Vulnerabilities — Patched

In this section, you’ll find the most recently disclosed WordPress plugin vulnerabilities fixed with a new release from their authors and maintainers. Please apply the updates if you are affected!

These vulnerabilities have been disclosed and scored for their severity, thanks to our friends at Patchstack. Each plugin listing includes the type of vulnerability with its CVE number and CVSS severity rating with links to more technical details. You’ll also see the number of active sites using the plugin and the plugin version release that patches the vulnerability. We start with the most popular plugins, representing the largest target for attackers.

WPCode

Plugin: WPCode – Insert Headers and Footers + Custom Code Snippets – WordPress Code Manager
Plugin Slug: insert-headers-and-footers
Installations: 2,000,000+
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: 2.0.13.1
Severity Score: High
CVE: 2023-3524

Ninja Forms

Plugin: Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress
Plugin Slug: ninja-forms
Installations: 800,000+
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: 3.6.26
Severity Score: High
CVE: 2023-37979

Ninja Forms

Plugin: Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress
Plugin Slug: ninja-forms
Installations: 800,000+
Vulnerability: Subscriber+ Broken Access Control
Patched in Version: 3.6.26
Severity Score: High
CVE: 2023-38393

Ninja Forms

Plugin: Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress
Plugin Slug: ninja-forms
Installations: 800,000+
Vulnerability: Contributor+ Broken Access Control
Patched in Version: 3.6.26
Severity Score: High
CVE: 2023-38386

The Events Calendar

Plugin: The Events Calendar
Plugin Slug: the-events-calendar
Installations: 800,000+
Vulnerability: Broken Access Control
Patched in Version: 6.1.3
Severity Score: Medium
CVE: 2023-35777

Duplicate Post

Plugin: Duplicate Post
Plugin Slug: copy-delete-posts
Installations: 200,000+
Vulnerability: Missing Authorization on handle_installation function
Patched in Version: 1.4.0
Severity Score: Medium
CVE: 2023-0958

Duplicate Post

Plugin: Duplicate Post
Plugin Slug: copy-delete-posts
Installations: 200,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.4.0
Severity Score: Medium
CVE: 2023-3977

Social Media Share Buttons & Social Sharing Icons

Plugin: Social Media Share Buttons & Social Sharing Icons
Plugin Slug: ultimate-social-media-icons
Installations: 200,000+
Vulnerability: Broken Access Control
Patched in Version: 2.8.2
Severity Score: Medium
CVE: 2023-0958

Social Media Share Buttons & Social Sharing Icons

Plugin: Social Media Share Buttons & Social Sharing Icons
Plugin Slug: ultimate-social-media-icons
Installations: 200,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 2.8.2
Severity Score: Medium
CVE: 2023-3977

TI WooCommerce Wishlist

Plugin: TI WooCommerce Wishlist
Plugin Slug: ti-woocommerce-wishlist
Installations: 100,000+
Vulnerability: SQL Injection
Patched in Version: 2.7.4
Severity Score: Critical

Clone

Plugin: Clone
Plugin Slug: wp-clone-by-wp-academy
Installations: 100,000+
Vulnerability: Broken Access Control
Patched in Version: 2.3.8
Severity Score: Medium
CVE: 2023-0958

Clone

Plugin: Clone
Plugin Slug: wp-clone-by-wp-academy
Installations: 100,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 2.3.8
Severity Score: Medium
CVE: 2023-3977

Change WP Admin

Plugin: Change WP Admin Login
Plugin Slug: change-wp-admin-login
Installations: 90,000+
Vulnerability: Bypass Vulnerability
Patched in Version: 1.1.4
Severity Score: Medium
CVE: 2023-3604

Backup Migration

Plugin: Backup Migration
Plugin Slug: backup-backup
Installations: 80,000+
Vulnerability: Broken Access Control
Patched in Version: 1.2.8
Severity Score: Medium
CVE: 2023-0958

Backup Migration

Plugin: Backup Migration
Plugin Slug: backup-backup
Installations: 80,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.2.8
Severity Score: Medium
CVE: 2023-3977

Simple Author Box

Plugin: Simple Author Box
Plugin Slug: simple-author-box
Installations: 60,000+
Vulnerability: Insecure Direct Object References (IDOR)
Patched in Version: 2.52
Severity Score: Medium
CVE: 2023-3601

Custom Field Template

Plugin: Custom Field Template
Plugin Slug: custom-field-template
Installations: 50,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.6.0
Severity Score: High
CVE: 2023-38392

Enhanced Text Widget

Plugin: Enhanced Text Widget
Plugin Slug: enhanced-text-widget
Installations: 50,000+
Vulnerability: Broken Access Control
Patched in Version: 1.5.8
Severity Score: Medium
CVE: 2023-0958

Enhanced Text Widget

Plugin: Enhanced Text Widget
Plugin Slug: enhanced-text-widget
Installations: 50,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.5.8
Severity Score: Medium
CVE: 2023-3977

ACF Photo Gallery Field

Plugin: ACF Photo Gallery Field
Plugin Slug: navz-photo-gallery
Installations: 50,000+
Vulnerability: Broken Access Control
Patched in Version: 2.0
Severity Score: Medium
CVE: 2023-3957

Quiz And Survey Master

Plugin: Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress
Plugin Slug: quiz-master-next
Installations: 40,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 8.1.11
Severity Score: Medium
CVE: 2023-3575

Redirect Redirection

Plugin: Redirection
Plugin Slug: redirect-redirection
Installations: 30,000+
Vulnerability: Broken Access Control
Patched in Version: 1.1.4
Severity Score: Medium
CVE: 2023-0958

Redirect Redirection

Plugin: Redirection
Plugin Slug: redirect-redirection
Installations: 30,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.1.4
Severity Score: Medium
CVE: 2023-3977

Media from FTP

Plugin: Media from FTP
Plugin Slug: media-from-ftp
Installations: 20,000+
Vulnerability: Broken Access Control
Patched in Version: 11.16
Severity Score: Medium

PHP Everywhere

Plugin: PHP Everywhere
Plugin Slug: php-everywhere
Installations: 20,000+
Vulnerability: Remote Code Execution (RCE)
Patched in Version: 3.0.0
Severity Score: Critical
CVE: 2022-24664

PHP Everywhere

Plugin: PHP Everywhere
Plugin Slug: php-everywhere
Installations: 20,000+
Vulnerability: Remote Code Execution (RCE)
Patched in Version: 3.0.0
Severity Score: Critical
CVE: 2022-24665

PHP Everywhere

Plugin: PHP Everywhere
Plugin Slug: php-everywhere
Installations: 20,000+
Vulnerability: Remote Code Execution (RCE)
Patched in Version: 3.0.0
Severity Score: Critical
CVE: 2022-24663

Video Conferencing with Zoom

Plugin: Video Conferencing with Zoom
Plugin Slug: video-conferencing-with-zoom-api
Installations: 20,000+
Vulnerability: Sensitive Data Exposure
Patched in Version: 4.2.2
Severity Score: Low
CVE: 2023-3947

SSL Mixed Content Fix

Plugin: SSL Mixed Content Fix
Plugin Slug: http-https-remover
Installations: 10,000+
Vulnerability: Broken Access Control
Patched in Version: 3.2.4
Severity Score: Medium
CVE: 2023-0958

SSL Mixed Content Fix

Plugin: SSL Mixed Content Fix
Plugin Slug: http-https-remover
Installations: 10,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 3.2.4
Severity Score: Medium
CVE: 2023-3977

Pop-up

Plugin: Pop-up
Plugin Slug: pop-up-pop-up
Installations: 10,000+
Vulnerability: Broken Access Control
Patched in Version: 1.2.0
Severity Score: Medium
CVE: 2023-0958

Pop-up

Plugin: Pop-up
Plugin Slug: pop-up-pop-up
Installations: 10,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.2.0
Severity Score: Medium
CVE: 2023-3977

Ultimate Posts Widget

Plugin: Ultimate Posts Widget
Plugin Slug: ultimate-posts-widget
Installations: 10,000+
Vulnerability: Broken Access Control
Patched in Version: 2.2.5
Severity Score: Medium
CVE: 2023-0958

Ultimate Posts Widget

Plugin: Ultimate Posts Widget
Plugin Slug: ultimate-posts-widget
Installations: 10,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 2.2.5
Severity Score: Medium
CVE: 2023-3977

User Activity Log

Plugin: User Activity Log
Plugin Slug: user-activity-log
Installations: 10,000+
Vulnerability: SQL Injection
Patched in Version: 1.6.5
Severity Score: Critical
CVE: 2023-3435

Assistant

Plugin: AI Content Writing Assistant (Content Writer, GPT 3 & 4, ChatGPT, Image Generator) All in One
Plugin Slug: ai-content-writing-assistant
Installations: 4,000+
Vulnerability: Server Side Request Forgery (SSRF)
Patched in Version: 1.4.4
Severity Score: Medium

Simple Blog Card

Plugin: Simple Blog Card
Plugin Slug: simple-blog-card
Installations: 3,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.31
Severity Score: Medium

Discussion Board

Plugin: Discussion Board – WordPress Forum Plugin
Plugin Slug: wp-discussion-board
Installations: 3,000+
Vulnerability: Content Injection
Patched in Version: 2.4.9
Severity Score: Medium
CVE: 2023-39161

Contact Form Builder by Bit Form

Plugin: Contact Form Builder by Bit Form – Easiest Contact Form, Payment Form, Order Form, Calculator Form Builder Plugin for WordPress
Plugin Slug: bit-form
Installations: 2,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.2.0
Severity Score: Medium
CVE: 2023-3645

RSS Redirect & Feedburner Alternative

Plugin: RSS Redirect & Feedburner Alternative
Plugin Slug: feedburner-alternative-and-rss-redirect
Installations: 2,000+
Vulnerability: Broken Access Control
Patched in Version: 3.8
Severity Score: Medium
CVE: 2023-0958

RSS Redirect & Feedburner Alternative

Plugin: RSS Redirect & Feedburner Alternative
Plugin Slug: feedburner-alternative-and-rss-redirect
Installations: 2,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 3.8
Severity Score: Medium
CVE: 2023-3977

CodeBard’s Patron Button and Widgets for Patreon

Plugin: CodeBard's Patron Button and Widgets for Patreon
Plugin Slug: patron-button-and-widgets-by-codebard
Installations: 2,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.1.9
Severity Score: High
CVE: 2023-30491

QR code MeCard/vCard generator

Plugin: QR code MeCard/vCard generator
Plugin Slug: wp-qrcode-me-v-card
Installations: 2,000+
Vulnerability: Broken Access Control
Patched in Version: 1.6.1
Severity Score: Medium
CVE: 2023-38477

Church Admin

Plugin: Church Admin
Plugin Slug: church-admin
Installations: 1,000+
Vulnerability: Server Side Request Forgery (SSRF)
Patched in Version: 3.8.0
Severity Score: Medium
CVE: 2023-38515

InstaWP Connect

Plugin: InstaWP Connect – 1-click WP Staging & Migration (beta)
Plugin Slug: instawp-connect
Installations: 1,000+
Vulnerability: Broken Access Control
Patched in Version: 0.0.9.19
Severity Score: Critical
CVE: 2023-3956

Bit Assist

Plugin: Chat Button: WhatsApp Chat, Facebook Messenger, Telegram Chat, WeChat, Line Chat, Discord Chat for Customer Support Chat with floating Chat Widget
Plugin Slug: bit-assist
Installations: 900+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.1.9
Severity Score: Medium
CVE: 2023-3667

WordPress Job Board and Recruitment Plugin – JobWP

Plugin: WordPress Job Board and Recruitment Plugin – JobWP
Plugin Slug: jobwp
Installations: 300+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.0
Severity Score: High
CVE: 2023-33999

Local Development

Plugin: Local Development
Plugin Slug: local-development
Installations: 100+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 2.8.3
Severity Score: Medium

CartFlows Pro

Plugin: CartFlows Pro
Plugin Slug: cartflows-pro
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.11.13
Severity Score: Medium
CVE: 2023-36685

Shop as a Customer for WooCommerce

Plugin: Shop as a Customer for WooCommerce
Plugin Slug: shop-as-a-customer-for-woocommerce
Vulnerability: Privilege Escalation
Patched in Version: 1.2.4
Severity Score: High

Shop as a Customer for WooCommerce

Plugin: Shop as a Customer for WooCommerce
Plugin Slug: shop-as-a-customer-for-woocommerce
Vulnerability: Privilege Escalation
Patched in Version: 1.1.8
Severity Score: High

Social Share Icons & Social Share Buttons

Plugin: Social Share Icons & Social Share Buttons
Plugin Slug: ultimate-social-media-plus
Vulnerability: Broken Access Control
Patched in Version: 3.5.8
Severity Score: Medium
CVE: 2023-0958

Social Share Icons & Social Share Buttons

Plugin: Social Share Icons & Social Share Buttons
Plugin Slug: ultimate-social-media-plus
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 3.5.8
Severity Score: Medium
CVE: 2023-3977

Schema Pro

Plugin: Schema Pro
Plugin Slug: wp-schema-pro
Vulnerability: Broken Access Control
Patched in Version: 2.7.9
Severity Score: Medium
CVE: 2023-36683

WP Brutal AI

Plugin: WP Brutal AI
Plugin Slug: wpbrutalai
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.06
Severity Score: Medium
CVE: 2023-2606

WPML String Translation

Plugin: WPML String Translation
Plugin Slug: wpml-string-translation
Vulnerability: SQL Injection
Patched in Version: 3.2.6
Severity Score: High

WordPress Plugin Vulnerabilities — Unpatched

This section contains plugin vulnerabilities with no known fix. Until a patch is available, you are advised to deactivate the plugin, at minimum, immediately. If there is a high risk of active exploits or the plugin remains unpatched for weeks, you are advised to delete the plugin. You should also delete persistently unpatched plugins the WordPress.org repository has locked and marked “Closed” so they can no longer be downloaded and installed.

Optimize Database after Deleting Revisions

Plugin: Optimize Database after Deleting Revisions
Plugin Slug: rvg-optimize-database
Installations: 100,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-25980

Booster for Woocommerce

Plugin: Booster for WooCommerce
Plugin Slug: woocommerce-jetpack
Installations: 60,000+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: High

WPS Limit Login

Plugin: WPS Limit Login
Plugin Slug: wps-limit-login
Installations: 60,000+
Vulnerability: Race Condition
Patched in Version: No Fix
Severity Score: Low
CVE: 2023-39160

Molongui

Plugin: Author Box for Authors, Co-Authors, Multiple Authors and Guest Authors – Molongui
Plugin Slug: molongui-authorship
Installations: 9,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-39164

Banner Management For WooCommerce

Plugin: Banner Management For WooCommerce
Plugin Slug: banner-management-for-woocommerce
Installations: 4,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-39158

Fraud Prevention For Woocommerce

Plugin: Fraud Prevention For Woocommerce
Plugin Slug: woo-blocker-lite-prevent-fake-orders-and-blacklist-fraud-customers
Installations: 4,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-39159

MultiParcels Shipping For WooCommerce

Plugin: MultiParcels Shipping For WooCommerce
Plugin Slug: multiparcels-shipping-for-woocommerce
Installations: 3,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High

WP Quick Post Duplicator

Plugin: WP Quick Post Duplicator
Plugin Slug: wp-quick-post-duplicator
Installations: 3,000+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-31214

Mobile Address Bar Changer

Plugin: Mobile Address Bar Changer
Plugin Slug: mobile-address-bar-changer
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-38390

Remove Duplicate Posts

Plugin: Remove Duplicate Posts
Plugin Slug: remove-duplicate-posts
Installations: 1,000+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-29237

APIExperts Square for WooCommerce

Plugin: APIExperts Square for WooCommerce
Plugin Slug: woosquare
Installations: 1,000+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2022-47182

Web Accessibility By accessiBe

Plugin: Web Accessibility By accessiBe
Plugin Slug: accessibe
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium

Web Accessibility By accessiBe

Plugin: Web Accessibility By accessiBe
Plugin Slug: accessibe
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium

AGP Font Awesome Collection

Plugin: AGP Font Awesome Collection
Plugin Slug: agp-font-awesome-collection
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-30481

Booster Elementor Addons

Plugin: Booster Elementor Addons
Plugin Slug: booster-for-elementor
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-38480

WP Clone Menu

Plugin: WP Clone Menu
Plugin Slug: clone-menu
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-38395

Google Map Shortcode

Plugin: Google Map Shortcode
Plugin Slug: google-map-shortcode
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-38396

HTTP Auth

Plugin: HTTP Auth
Plugin Slug: http-auth
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-27435

Instant CSS

Plugin: Instant CSS
Plugin Slug: instant-css
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-38483

LWS Affiliation

Plugin: LWS Affiliation
Plugin Slug: lws-affiliation
Vulnerability: Local File Inclusion
Patched in Version: No Fix
Severity Score: Critical
CVE: 2023-32297

Meks Smart Social Widget

Plugin: Meks Smart Social Widget
Plugin Slug: meks-smart-social-widget
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-25989

Perelink Pro

Plugin: Perelink Pro
Plugin Slug: perelink
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-37990

Quasar form

Plugin: Quasar form
Plugin Slug: quasar-form
Vulnerability: SQL Injection
Patched in Version: No Fix
Severity Score: High
CVE: 2023-35910

Saphali Woocommerce Lite

Plugin: Saphali Woocommerce Lite
Plugin Slug: saphali-woocommerce-lite
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-25788

Simple Googlebot Visit

Plugin: Simple Googlebot Visit
Plugin Slug: simple-googlebot-visit
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-38479

Simple Wp Sitemap

Plugin: Simple Wp Sitemap
Plugin Slug: simple-wp-sitemap
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-24380

Slider Carousel – Responsive Image Slider

Plugin: Slider Carousel – Responsive Image Slider
Plugin Slug: slider-images
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-25457

Donations Made Easy – Smart Donations

Plugin: Donations Made Easy – Smart Donations
Plugin Slug: smart-donations
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-38475

Taboola

Plugin: Taboola
Plugin Slug: taboola
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-38398

tagDiv Composer

Plugin: tagDiv Composer
Plugin Slug: td-composer
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-39166

Update Theme and Plugins from Zip File

Plugin: Update Theme and Plugins from Zip File
Plugin Slug: update-theme-and-plugins-from-zip-file
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-25489

User Email Verification for WooCommerce

Plugin: User Email Verification for WooCommerce
Plugin Slug: woo-confirmation-email
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-39162

WordPress Database Administrator

Plugin: WP Database Administrator
Plugin Slug: wp-database-admin
Vulnerability: SQL Injection
Patched in Version: No Fix
Severity Score: Critical
CVE: 2023-3211

wp tell a friend popup form

Plugin: wp tell a friend popup form
Plugin Slug: wp-tell-a-friend-popup-form
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-25465

wp tell a friend popup form

Plugin: wp tell a friend popup form
Plugin Slug: wp-tell-a-friend-popup-form
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-25463

WordPress Theme Vulnerabilities

In this section, you’ll find the latest WordPress theme vulnerabilities to be disclosed. You’ll see the same information we provided above for vulnerable plugins, and the same advice applies. If a security update exists, install it immediately. If a vulnerability remains unpatched in a theme you are actively using, you must find an alternative theme. Deactivate and delete persistently unpatched themes and those marked “Closed” in the WordPress.org theme repository. If you have a vulnerable theme installed that you are not actively using, delete it.

nsc

Theme: nsc
Theme Slug: nsc
Vulnerability: Prototype Pollution to Reflected Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-3965

Winters

Theme: winters
Theme Slug: winters
Vulnerability: Prototype Pollution to Reflected Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-3962

Your Journey

Theme: yourjourney
Theme Slug: yourjourney
Vulnerability: Prototype Pollution to Reflected Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-3933

Never worry about running a vulnerable plugin or theme again.

As you can see from this report, new WordPress plugin and theme vulnerabilities are disclosed every week. We know it can be difficult to stay on top of every reported vulnerability disclosure that matters to you, so the Themes Security Pro plugin makes it easy to ensure your site isn’t running a vulnerable theme, plugin, or version of WordPress core.

Scans Your Website Twice a Day for Vulnerabilities

Your website’s plugins, themes, and WordPress core versions are checked against the Patchstack Vulnerability Database for the latest vulnerability disclosures.

Automatically Updates if a Security Fix is Available

Paired with Version Management, iThemes Security will automatically update a plugin, theme, or WordPress core version if it has a vulnerability.

Emails You a Warning if Site Scan Detects a Vulnerability

You can receive an email report if your site is running vulnerable versions of a plugin, theme, or WordPress core. Customize the email addresses that receive scan results.

The Best WordPress Security Plugin to Secure & Protect WordPress Sites

WordPress currently powers over 40% of all websites, so it has become a popular target for hackers with malicious intent. The iThemes Security Pro plugin takes the guesswork out of WordPress security to make it easy to secure & protect your WordPress website. It’s like having a full-time security expert on staff who constantly monitors and protects your WordPress site for you.

Buy iThemes Security Pro

Dan Knauss

Dan Knauss is StellarWP’s Technical Content Generalist. He’s been a writer, teacher, and freelancer working in open source since the late 1990s and with WordPress since 2004.

WordPress Vulnerability Report – August 2, 2023

FREE ONLINE TRAINING EVENT AUG 8TH @ 1:00 P.M. (CT)

WordPress Core Vulnerabilities — Patched

WordPress Plugin Vulnerabilities — Patched

WordPress Plugin Vulnerabilities — Unpatched

WordPress Theme Vulnerabilities

Never worry about running a vulnerable plugin or theme again.

Scans Your Website Twice a Day for Vulnerabilities

Automatically Updates if a Security Fix is Available

Emails You a Warning if Site Scan Detects a Vulnerability

The Best WordPress Security Plugin to Secure & Protect WordPress Sites

Other related posts

About iThemes

Resources

Customers

Top Products

Get the Weekly WordPress Vulnerability Report

Vulnerable WordPress plugins and themes are the #1 reason WordPress sites get hacked, but keeping track of every new plugin and theme vulnerability is hard work. Get the weekly WordPress Vulnerability Report delivered right to your inbox to help keep your website secure.

Get the Weekly WordPress Vulnerability Report