WordPress Vulnerability Report

Since last week, 56 total vulnerabilities emerged in public disclosure. They may affect over two million WordPress sites. There are 28 plugin vulnerabilities with security patches, so run those updates!

Additionally, there are 28 plugin vulnerabilities with no patch available yet. If you use an unpatched plugin or theme, check their vendors’ intentions and progress on a security release. Suppose no patch is forthcoming or the vulnerable software has been marked “closed” and dropped from the official WordPress theme and plugin repositories. In that case, you should consider deactivation and removal in favor of alternative solutions.

WordPress Core News

“Lionel” was released on August 8, 2023. This release of WordPress was built to help you “create beautiful and compelling websites more efficiently than ever.” See what’s new in WordPress 6.3.

Don’t forget to fully back up your website before installing WordPress 6.3. BackupBuddy, the industry-leading data protection and recovery solution for WordPress, will help you build a strong backup strategy to manage all updates. Embrace the enhanced content creation experience of WordPress 6.3 with confidence — and a backup copy of your website safely stored on a remote server.

WordPress Core Vulnerabilities — Patched

No new WordPress core vulnerabilities were disclosed this week.

WordPress core is very secure when it’s properly configured and maintained. Vulnerable plugins not updated by site owners are the most common vector for attacks on WordPress websites. Our weekly WordPress Vulnerability Report, powered by Patchstack, covers new vulnerabilities that have emerged in plugins, themes, and/or WordPress core since last week’s report. Our goal is to spread awareness of emerging security threats and help you decide what to do if you find vulnerable software on your website. For a deeper analysis of recent trends in WordPress vulnerabilities and threat vectors, see our 2022 Annual Vulnerability Report.

These reports are published every Wednesday and include all active vulnerabilities tracked by Patchstack as of Monday since the previous report. This leaves a 48-hour window for the newest emerging vulnerabilities to be patched before full public disclosure. iThemes Security Pro users have access to vulnerability alerts emerging within this window.

Get the weekly WordPress Vulnerability Report delivered to your inbox each Wednesday.

WordPress Plugin Vulnerabilities — Patched

In this section, you’ll find the most recently disclosed WordPress plugin vulnerabilities fixed with a new release from their authors and maintainers. Please apply the updates if you are affected!

These vulnerabilities have been disclosed and scored for their severity, thanks to our friends at Patchstack. Each plugin listing includes the type of vulnerability with its CVE number and CVSS severity rating with links to more technical details. You’ll also see the number of active sites using the plugin and the plugin version release that patches the vulnerability. We start with the most popular plugins, representing the largest target for attackers.

ElementsKit Lite

Plugin: ElementsKit Elementor addons
Plugin Slug: elementskit-lite
Installations: 1,000,000+
Vulnerability: Broken Access Control
Patched in Version: 2.9.1
Severity Score: Medium
CVE: 2023-39993

Hide My WP Ghost – Security Plugin

Plugin: Hide My WP Ghost – Security Plugin
Plugin Slug: hide-my-wp
Installations: 200,000+
Vulnerability: Bypass Vulnerability
Patched in Version: 5.0.26
Severity Score: Medium
CVE: 2023-34001

Slimstat Analytics

Plugin: Slimstat Analytics
Plugin Slug: wp-slimstat
Installations: 100,000+
Vulnerability: Broken Access Control
Patched in Version: 5.0.6
Severity Score: Medium
CVE: 2023-33994

Slimstat Analytics

Plugin: Slimstat Analytics
Plugin Slug: wp-slimstat
Installations: 100,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 5.0.9
Severity Score: Medium
CVE: 2023-40676

Folders

Plugin: Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager
Plugin Slug: folders
Installations: 60,000+
Vulnerability: Arbitrary File Upload
Patched in Version: 2.9.3
Severity Score: Critical
CVE: 2023-40204

iThemes Sync

Plugin: iThemes Sync
Plugin Slug: ithemes-sync
Installations: 50,000+
Vulnerability: Broken Access Control
Patched in Version: 2.1.14
Severity Score: Medium
CVE: 2023-40001

FV Flowplayer Video Player

Plugin: FV Flowplayer Video Player
Plugin Slug: fv-wordpress-flowplayer
Installations: 30,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 7.5.39.7212
Severity Score: High
CVE: 2023-4520

Donation Forms by Charitable

Plugin: Donation Forms by Charitable – Donations Plugin & Fundraising Platform for WordPress
Plugin Slug: charitable
Installations: 10,000+
Vulnerability: Privilege Escalation
Patched in Version: 1.7.0.13
Severity Score: Critical
CVE: 2023-4404

ReviewX

Plugin: ReviewX – Multi-criteria Rating & Reviews for WooCommerce
Plugin Slug: reviewx
Installations: 10,000+
Vulnerability: Broken Access Control
Patched in Version: 1.6.18
Severity Score: Medium
CVE: 2023-40670

URL Shortify

Plugin: URL Shortify – Simple, Powerful and Easy URL Shortener Plugin For WordPress
Plugin Slug: url-shortify
Installations: 10,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.7.6
Severity Score: High
CVE: 2023-4294

Min Max Control

Plugin: Min Max Control – Min Max Quantity & Step Control for WooCommerce
Plugin Slug: woo-min-max-quantity-step-control-single
Installations: 10,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 4.6
Severity Score: High
CVE: 2023-4270

Category Slider for WooCommerce

Plugin: Category Slider for WooCommerce
Plugin Slug: woo-category-slider-grid
Installations: 9,000+
Vulnerability: Broken Access Control
Patched in Version: 1.4.16
Severity Score: Medium
CVE: 2023-41132

Herd Effects

Plugin: Herd Effects – fake notifications and social proof plugin
Plugin Slug: mwp-herd-effect
Installations: 5,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 5.2.4
Severity Score: Medium
CVE: 2023-4318

Order Tracking Pro

Plugin: Order Tracking – WordPress Status Tracking Plugin
Plugin Slug: order-tracking
Installations: 4,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.3.7
Severity Score: Medium
CVE: 2023-4500

Order Tracking Pro

Plugin: Order Tracking – WordPress Status Tracking Plugin
Plugin Slug: order-tracking
Installations: 4,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.3.7
Severity Score: High
CVE: 2023-4471

DoLogin Security

Plugin: DoLogin Security
Plugin Slug: dologin
Installations: 3,000+
Vulnerability: Bypass Vulnerability
Patched in Version: 3.7
Severity Score: Medium

WooCommerce PDF Invoice Builder

Plugin: WooCommerce PDF Invoice Builder, Create invoices, packing slips and more
Plugin Slug: woo-pdf-invoice-builder
Installations: 3,000+
Vulnerability: Broken Access Control
Patched in Version: 1.2.92
Severity Score: Medium
CVE: 2023-4245

WooCommerce PDF Invoice Builder

Plugin: WooCommerce PDF Invoice Builder, Create invoices, packing slips and more
Plugin Slug: woo-pdf-invoice-builder
Installations: 3,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.2.91
Severity Score: Medium
CVE: 2023-4160

WP Adminify

Plugin: WP Adminify – WordPress Dashboard Customization | Custom Login | Admin Columns | Dashboard Widget | Media Library Folders
Plugin Slug: adminify
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.1.6
Severity Score: Medium
CVE: 2023-4060

Premmerce User Roles

Plugin: Premmerce User Roles
Plugin Slug: premmerce-user-roles
Installations: 1,000+
Vulnerability: Broken Access Control
Patched in Version: 1.0.13
Severity Score: High
CVE: 2023-41130

Save as PDF plugin by Pdfcrowd

Plugin: Save as PDF plugin by Pdfcrowd
Plugin Slug: save-as-pdf-by-pdfcrowd
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.16.1
Severity Score: Medium
CVE: 2023-40668

Event Tickets with Ticket Scanner

Plugin: Event Tickets with Ticket Scanner
Plugin Slug: event-tickets-with-ticket-scanner
Installations: 600+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.5.5
Severity Score: Medium

Push Notification for Post and BuddyPress

Plugin: Push Notification for Post and BuddyPress
Plugin Slug: push-notification-for-post-and-buddypress
Installations: 200+
Vulnerability: Broken Access Control
Patched in Version: 1.64
Severity Score: Medium

WP VK-??????

Plugin: WP VK-???????????/??/?????????
Plugin Slug: wp-vk
Installations: 100+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.3.4
Severity Score: Medium

Save as Image plugin by Pdfcrowd

Plugin: Save as Image plugin by Pdfcrowd
Plugin Slug: save-as-image-by-pdfcrowd
Installations: 30+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.16.1
Severity Score: Medium
CVE: 2023-40665

Appointment booking addon for Gravity Forms

Plugin: gAppointments
Plugin Slug: gAppointments
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.10.0
Severity Score: High
CVE: 2023-2705

Jupiter X Core

Plugin: JupiterX Core
Plugin Slug: jupiterx-core
Vulnerability: Arbitrary File Upload
Patched in Version: 3.3.8
Severity Score: Critical
CVE: 2023-38388

Jupiter X Core

Plugin: JupiterX Core
Plugin Slug: jupiterx-core
Vulnerability: Privilege Escalation
Patched in Version: 3.4.3
Severity Score: Critical
CVE: 2023-38389

WordPress Plugin Vulnerabilities — Unpatched

This section contains plugin vulnerabilities with no known fix. Until a patch is available, you are advised to deactivate the plugin, at minimum, immediately. If there is a high risk of active exploits or the plugin remains unpatched for weeks, you are advised to delete the plugin. You should also delete persistently unpatched plugins the WordPress.org repository has locked and marked “Closed” so they can no longer be downloaded and installed.

Royal Elementor Addons

Plugin: Royal Elementor Addons and Templates
Plugin Slug: royal-elementor-addons
Installations: 200,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2022-47175

Post and Page Builder by BoldGrid

Plugin: Post and Page Builder by BoldGrid – Visual Drag and Drop Editor
Plugin Slug: post-and-page-builder
Installations: 100,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-25480

Collapse-O-Matic

Plugin: Collapse-O-Matic
Plugin Slug: jquery-collapse-o-matic
Installations: 60,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-40669

Master Elementor Addons

Plugin: Master Addons for Elementor
Plugin Slug: master-addons
Installations: 40,000+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-40679

Ultimate Addons for Contact Form 7

Plugin: Ultimate Addons for Contact Form 7
Plugin Slug: ultimate-addons-for-contact-form-7
Installations: 20,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-30493

URL Shortener by MyThemeShop

Plugin: URL Shortener by MyThemeShop
Plugin Slug: mts-url-shortener
Installations: 10,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-30472

Landing Page Builder

Plugin: Landing Page Builder – Lead Page – Optin Page – Squeeze Page – WordPress Landing Pages
Plugin Slug: page-builder-add
Installations: 10,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-40675

WP Super Minify

Plugin: WP Super Minify
Plugin Slug: wp-super-minify
Installations: 10,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-27615

Easy Coming Soon

Plugin: Easy Coming Soon
Plugin Slug: easy-coming-soon
Installations: 7,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-25483

LuckyWP Scripts Control

Plugin: LuckyWP Scripts Control
Plugin Slug: luckywp-scripts-control
Installations: 6,000+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-29239

Social Share Boost

Plugin: Social Share Boost
Plugin Slug: social-share-boost
Installations: 6,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-25033

MakeStories (for Google Web Stories)

Plugin: MakeStories (for Google Web Stories)
Plugin Slug: makestories-helper
Installations: 5,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-27448

Simple URLs

Plugin: Simple URLs – Link Cloaking, Product Displays, and Affiliate Link Management
Plugin Slug: simple-urls
Installations: 5,000+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-40678

Simple URLs

Plugin: Simple URLs – Link Cloaking, Product Displays, and Affiliate Link Management
Plugin Slug: simple-urls
Installations: 5,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-40674

Simple URLs

Plugin: Simple URLs – Link Cloaking, Product Displays, and Affiliate Link Management
Plugin Slug: simple-urls
Installations: 5,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-40667

Vertical Marquee Plugin

Plugin: Vertical marquee plugin
Plugin Slug: vertical-marquee-plugin
Installations: 4,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-40677

WP users media

Plugin: WP Users Media
Plugin Slug: wp-users-media
Installations: 4,000+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-27428

WP Search Analytics

Plugin: WP Search Analytics
Plugin Slug: search-analytics
Installations: 2,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-30471

Sitekit

Plugin: Sitekit
Plugin Slug: sitekit
Installations: 2,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-27628

Olive One Click Demo Import

Plugin: Olive One Click Demo Import
Plugin Slug: olive-one-click-demo-import
Installations: 1,000+
Vulnerability: Arbitrary File Upload
Patched in Version: No Fix
Severity Score: Critical
CVE: 2023-29102

Secure Admin IP

Plugin: Secure Admin IP
Plugin Slug: secure-admin-ip
Installations: 1,000+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-41133

Cartpauj Register Captcha

Plugin: Cartpauj Register Captcha
Plugin Slug: cartpauj-register-captcha
Vulnerability: Bypass Vulnerability
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-40673

DX-auto-save-images

Plugin: DX-auto-save-images
Plugin Slug: dx-auto-save-images
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-40671

FTP Access

Plugin: FTP Access
Plugin Slug: ftp-access
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-3510

GuruWalk Affiliates

Plugin: GuruWalk Affiliates
Plugin Slug: guruwalk-affiliates
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-27622

Lock User Account

Plugin: Lock User Account
Plugin Slug: lock-user-account
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-4307

Maintenance Switch

Plugin: Maintenance Switch
Plugin Slug: maintenance-switch
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-29235

Sticky Social Media Icons

Plugin: Sticky Social Media Icons
Plugin Slug: sticky-social-media-icons
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-40672

WordPress Theme Vulnerabilities

In this section, you’ll find the latest WordPress theme vulnerabilities to be disclosed. You’ll see the same information we provided above for vulnerable plugins, and the same advice applies. If a security update exists, install it immediately. If a vulnerability remains unpatched in a theme you are actively using, you must find an alternative theme. Deactivate and delete persistently unpatched themes and those marked “Closed” in the WordPress.org theme repository. If you have a vulnerable theme installed that you are not actively using, delete it.

No new WordPress theme vulnerabilities were disclosed this week.

Never worry about running a vulnerable plugin or theme again.

As you can see from this report, new WordPress plugin and theme vulnerabilities are disclosed every week. We know it can be difficult to stay on top of every reported vulnerability disclosure that matters to you, so the Themes Security Pro plugin makes it easy to ensure your site isn’t running a vulnerable theme, plugin, or version of WordPress core.

Scans Your Website Twice a Day for Vulnerabilities

Your website’s plugins, themes, and WordPress core versions are checked against the Patchstack Vulnerability Database for the latest vulnerability disclosures.

Automatically Updates if a Security Fix is Available

Paired with Version Management, iThemes Security will automatically update a plugin, theme, or WordPress core version if it has a vulnerability.

Emails You a Warning if Site Scan Detects a Vulnerability

You can receive an email report if your site is running vulnerable versions of a plugin, theme, or WordPress core. Customize the email addresses that receive scan results.

The Best WordPress Security Plugin to Secure & Protect WordPress Sites

WordPress currently powers over 40% of all websites, so it has become a popular target for hackers with malicious intent. The iThemes Security Pro plugin takes the guesswork out of WordPress security to make it easy to secure & protect your WordPress website. It’s like having a full-time security expert on staff who constantly monitors and protects your WordPress site for you.

Buy iThemes Security Pro

Dan Knauss

Dan Knauss is StellarWP’s Technical Content Generalist. He’s been a writer, teacher, and freelancer working in open source since the late 1990s and with WordPress since 2004.

WordPress Vulnerability Report – August 30, 2023

WordPress Core News

WordPress Core Vulnerabilities — Patched

WordPress Plugin Vulnerabilities — Patched

WordPress Plugin Vulnerabilities — Unpatched

WordPress Theme Vulnerabilities

Never worry about running a vulnerable plugin or theme again.

Scans Your Website Twice a Day for Vulnerabilities

Automatically Updates if a Security Fix is Available

Emails You a Warning if Site Scan Detects a Vulnerability

The Best WordPress Security Plugin to Secure & Protect WordPress Sites

Other related posts

About iThemes

Resources

Customers

Top Products

Get the Weekly WordPress Vulnerability Report

Vulnerable WordPress plugins and themes are the #1 reason WordPress sites get hacked, but keeping track of every new plugin and theme vulnerability is hard work. Get the weekly WordPress Vulnerability Report delivered right to your inbox to help keep your website secure.

Get the Weekly WordPress Vulnerability Report