Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. The weekly WordPress Vulnerability Report powered by WPScan covers recent WordPress plugin, theme, and core vulnerabilities, and what to do if you run one of the vulnerable plugins or themes on your website.
Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe. New in this report: vulnerabilities are now listed in order by the number of active installs, rather than the date of the disclosure.
Please share this post with your friends to help get the word out and make WordPress safer for everyone.
WordPress News
As the busiest online shopping time of the year is in full swing, cybercriminals have been busy with attempts to “hack the planet.” Wordfence recently reported a massive wave of attacks that targeted 1.6 million WordPress sites over the course of just 36 hours!
Finally, BleepingComputer recently reported that hackers have been installing skimmer code into random plugins. To tighten security for e-commerce sites, we recommend requiring two-factor authentication for all admin users, activating trusted devices, enabling file change detection, and reading and reviewing WordPress security logs regularly.
WordPress Core Vulnerabilities
The latest version of WordPress core is 5.8.2. As a best practice, always be sure to run the latest version of WordPress core!
WordPress Plugin Vulnerabilities
This section lists the latest disclosed WordPress plugin vulnerabilities. Each plugin listing includes the type of vulnerability, the version number if patched, and the severity rating.
1. Elementor

Plugin: Elementor
Vulnerability: DOM Cross-Site-Scripting
Active Installation: 5+ million
Patched in Version: 3.4.8
Severity Score: High
2. UpdraftPlus

Plugin: UpdraftPlus
Vulnerability: Reflected Cross-Site Scripting
Active Installation: 3+ million
Patched in Version: 1.16.66
Severity Score: High
3. WooCommerce PDF Invoices & Packing Slips

Plugin: WooCommerce PDF Invoices & Packing Slips
Vulnerability: Reflected Cross-Site Scripting
Active Installation: 300,000+
Patched in Version: 2.10.5
Severity Score: High
4. PublishPress Capabilities

Plugin: PublishPress Capabilities
Vulnerability: Unauthenticated Arbitrary Options Update to Blog Compromise
Active Installation: 100,000+
Patched in Version: 2.3.1
Severity Score: Critical
Plugin: PublishPress Capabilities Pro
Vulnerability: Unauthenticated Arbitrary Options Update to Blog Compromise
Patched in Version: 2.3.1
Severity Score: Critical
5. Chaty Free

Plugin: Chaty Free
Vulnerability: Reflected Cross-Site Scripting
Active Installation: 100,000+
Patched in Version: 2.8.3
Severity Score: High
Plugin: Chaty Pro
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 2.8.2
Severity Score: High
6. PowerPack Addons for Elementor

Plugin: PowerPack Addons for Elementor
Vulnerability: Reflected Cross-Site Scripting
Active Installation: 60,000+
Patched in Version: 2.6.2
Severity Score: High
7. Booking Calendar

Plugin: Booking Calendar
Vulnerability: Reflected Cross-Site Scripting
Active Installation: 60,000+
Patched in Version: 8.9.2
Severity Score: High
8. 10Web Social Photo Feed

Plugin: 10Web Social Photo Feed
Vulnerability: Reflected Cross-Site Scripting (XSS)
Active Installation: 60,000+
Patched in Version: 1.4.29
Severity Score: High
9. Site Reviews

Plugin: Site Reviews
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Active Installation: 40,000+
Patched in Version: 5.17.3
Severity Score: High
10. Speed Booster Pack

Plugin: Speed Booster Pack
Vulnerability: Admin+ SQL Injection
Active Installation: 30,000+
Patched in Version: 4.3.3.1
Severity Score: Medium
11. Multivendor Marketplace Solution for WooCommerce

Plugin: Multivendor Marketplace Solution for WooCommerce
Vulnerability: Unauthenticated AJAX Calls
Active Installation: 10,000+
Patched in Version: 3.8.4
Severity Score: High
12. Modal Window

Plugin: Modal Window
Vulnerability: RFI leading to RCE via CSRF
Active Installation: 10,000+
Patched in Version: 5.2.2
Severity Score: High
13. WP Coder

Plugin: WP Coder
Vulnerability: RFI leading to RCE via CSRF
Active Installation: 10,000+
Patched in Version: 2.5.2
Severity Score: High
14. RegistrationMagic

Plugin: RegistrationMagic
Vulnerability: Admin+ SQL Injection
Active Installation: 10,000+
Patched in Version: 5.0.1.6
Severity Score: Medium
Plugin: RegistrationMagic
Vulnerability: Authentication Bypass
Active Installation: 10,000+
Patched in Version: 5.0.1.8
Severity Score: Critical
15. Events Made Easy

Plugin: Events Made Easy
Vulnerability: Subscriber+ SQL Injection
Active Installation: 6,000+
Patched in Version: 2.2.36
Severity Score: High
16. Button Generator

Plugin: Button Generator
Vulnerability: RFI leading to RCE via CSRF
Active Installation: 5,000+
Patched in Version: 2.3.3
Severity Score: High
17. Tab – Accordion, FAQ

Plugin: Tab – Accordion, FAQ
Vulnerability: Unauthenticated AJAX Calls
Active Installation: 2,000+
Patched in Version: 1.3.2
Severity Score: Critical
18. Stars Rating

Plugin: Stars Rating
Vulnerability: Comments Denial of Service
Active Installation: 800+
Patched in Version: 3.5.1
Severity Score: Medium
19. WPcalc
Plugin: WPcalc
Vulnerability: Authenticated SQL Injection
Patched in Version: No known fix – plugin closed
Severity Score: Medium
How to Protect Your WordPress Website From Vulnerable Plugins and Themes
As you can see from this report, lots of new WordPress plugin and theme vulnerabilities are disclosed each week. We know it can be difficult to stay on top of every reported vulnerability disclosure, so the iThemes Security Pro plugin makes it easy to make sure your site isn’t running a theme, plugin, or WordPress core version with a known vulnerability.
Get iThemes Security Pro with 24/7 Website Security Monitoring
iThemes Security Pro, our WordPress security plugin, offers 50+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress two-factor authentication, brute force protection, strong password enforcement, and more, you can add extra layers of security to your website.

Each week, the team at iThemes publishes new WordPress tutorials and resources, including the Weekly WordPress Vulnerability Report. Since 2008, iThemes has been dedicated to helping you build, maintain, and secure WordPress sites for yourself or for clients. Our mission? Make People’s Lives Awesome.