WordPress Vulnerability Report – February 1, 2023
Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. The weekly WordPress Vulnerability Report powered by WPScan covers recent WordPress plugin, theme, and core vulnerabilities and what to do if you run one of the vulnerable plugins or themes on your website. In the past, we've listed vulnerabilities on a per-plugin or per-theme basis.
Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. The weekly WordPress Vulnerability Report powered by WPScan covers recent WordPress plugin, theme, and core vulnerabilities and what to do if you run one of the vulnerable plugins or themes on your website.
In the past, we’ve listed vulnerabilities on a per-plugin or per-theme basis. To better describe the vulnerabilities listed, we’re now adding additional listings when a plugin has patched multiple vulnerabilities. While this makes the report somewhat longer, we feel that more information will help you understand the full scope of the vulnerabilities that have been patched so that you can more effectively make good decisions about your site’s security. We welcome your feedback!
Each vulnerability will have a severity rating of low, medium, high, or critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe. Please share this post with your friends to help get the word out and make WordPress safer for everyone!
WordPress Core News
WordPress 6.1.1 was released on November 15, 2022, as a short-cycle maintenance release with 29 bug fixes in Core and 21 bug fixes for the block editor. Because this is a core update, be sure to update to WordPress 6.1.1 as soon as possible! As always, with a major release like this, it makes sense to ensure your site is backed up with BackupBuddy before updating.
There is a known unpatched vulnerability in WordPress core affecting all versions of WordPress. If you’re using iThemes Security, you’ve probably been alerted to this. As we are unsure when this very low-severity vulnerability will be patched, emails from iThemes Security will no longer alert for this specific vulnerability. Read our blog post about this vulnerability.
Get SolidWP tips direct in your inbox
Sign up
Get started with confidence — risk free, guaranteed
WordPress Plugin Vulnerabilities
In this section, the latest WordPress plugin vulnerabilities have been disclosed. Each plugin listing includes the type of vulnerability, the active installations, the version number if patched, the severity rating, and the CVE.
Spectra
- Plugin Slug:
- ultimate-addons-for-gutenberg
- Installations:
- 400,000+
- Vulnerability:
- Contributor+ Stored Cross-Side Scripting
- Patched in Version:
- 1.15.0
- Severity Score:
- Medium
- CVE:
- 2020-36656
LearnPress Plugin
- Plugin Slug:
- learnpress
- Installations:
- 100,000+
- Vulnerability:
- Unauthenticated LFI
- Patched in Version:
- 4.2.0
- Severity Score:
- Critical
- CVE:
- 2022-47615
LearnPress Plugin
- Plugin Slug:
- learnpress
- Installations:
- 100,000+
- Vulnerability:
- Subscriber+ SQLi
- Patched in Version:
- 4.2.0
- Severity Score:
- High
- CVE:
- 2022-45820
LearnPress Plugin
- Plugin Slug:
- learnpress
- Installations:
- 100,000+
- Vulnerability:
- Unauthenticated SQLi
- Patched in Version:
- 4.2.0
- Severity Score:
- High
- CVE:
- 2022-45808
Paid Memberships Pro
- Plugin Slug:
- paid-memberships-pro
- Installations:
- 100,000+
- Vulnerability:
- Contributor+ Stored XSS via Shortcode
- Patched in Version:
- 2.9.9
- Severity Score:
- Medium
- CVE:
- 2022-4830
ShopLentor
- Plugin Slug:
- woolentor-addons
- Installations:
- 90,000+
- Vulnerability:
- PHP Object Injection
- Patched in Version:
- 2.5.4
- Severity Score:
- Medium
- CVE:
- 2023-0232
ShopLentor
- Plugin Slug:
- woolentor-addons
- Installations:
- 90,000+
- Vulnerability:
- Contributor+ Stored XSS
- Patched in Version:
- 2.5.4
- Severity Score:
- Medium
- CVE:
- 2023-0231
Real Media Library
- Plugin Slug:
- real-media-library-lite
- Installations:
- 60,000+
- Vulnerability:
- Author+ Stored XSS
- Patched in Version:
- 4.18.29
- Severity Score:
- Medium
- CVE:
- 2023-0285
Easy Digital Downloads
- Plugin Slug:
- easy-digital-downloads
- Installations:
- 50,000+
- Vulnerability:
- Contributor+ Stored XSS
- Patched in Version:
- 3.1.0.5
- Severity Score:
- Medium
- CVE:
- 2023-0380
Customer Reviews for WooCommerce
- Plugin Slug:
- customer-reviews-woocommerce
- Installations:
- 50,000+
- Vulnerability:
- Contributor+ Stored XSS
- Patched in Version:
- 5.17.0
- Severity Score:
- Medium
- CVE:
- 2023-0079
Easy Affiliate Links
- Plugin:
- Easy Affiliate Links
- Plugin Slug:
- easy-affiliate-links
- Installations:
- 10,000+
- Vulnerability:
- Contributor+ Stored XSS
- Patched in Version:
- 3.7.1
- Severity Score:
- Medium
- CVE:
- 2023-0375
WP Font Awesome
- Plugin:
- WP Font Awesome
- Plugin Slug:
- wp-font-awesome
- Installations:
- 10,000+
- Vulnerability:
- Contributor+ Stored XSS
- Patched in Version:
- 1.7.9
- Severity Score:
- Medium
- CVE:
- 2023-0271
Product Slider and Carousel with Category for WooCommerce
- Plugin Slug:
- woo-product-slider-and-carousel-with-category
- Installations:
- 10,000+
- Vulnerability:
- Contributor+ Stored XSS via Shortcode
- Patched in Version:
- 2.8
- Severity Score:
- Medium
- CVE:
- 2022-4791
WP Dark Mode
- Plugin Slug:
- wp-dark-mode
- Installations:
- 10,000+
- Vulnerability:
- Contributor+ Stored XSS in Shortcode
- Patched in Version:
- 4.0.0
- Severity Score:
- Medium
- CVE:
- 2022-4714
Greenshift
- Plugin Slug:
- greenshift-animation-and-page-builder-blocks
- Installations:
- 10,000+
- Vulnerability:
- Contributor+ Stored XSS
- Patched in Version:
- 5.0
- Severity Score:
- Medium
- CVE:
- 2023-0378
Youzify
- Plugin:
- Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress
- Plugin Slug:
- youzify
- Installations:
- 9,000+
- Vulnerability:
- Contributor+ Stored XSS
- Patched in Version:
- 1.2.2
- Severity Score:
- Medium
- CVE:
- 2023-0059
Timed Content
- Plugin:
- Timed Content
- Plugin Slug:
- timed-content
- Installations:
- 8,000+
- Vulnerability:
- Contributor+ Stored XSS
- Patched in Version:
- 2.73
- Severity Score:
- Medium
- CVE:
- 2023-0067
Extensive VC Addons for WPBakery page builder
- Plugin Slug:
- extensive-vc-addon
- Installations:
- 8,000+
- Vulnerability:
- Unauthenticated LFI
- Patched in Version:
- 1.9.1
- Severity Score:
- High
- CVE:
- 2023-0159
Watu Quiz
Watu Quiz
EmbedSocial
- Plugin Slug:
- embedalbum-pro
- Installations:
- 4,000+
- Vulnerability:
- Contributor+ Stored XSS
- Patched in Version:
- 1.1.28
- Severity Score:
- Medium
- CVE:
- 2023-0371
GS Portfolio for Envato
- Plugin:
- GS Portfolio for Envato
- Plugin Slug:
- gs-envato-portfolio
- Installations:
- 900+
- Vulnerability:
- Contributor+ Stored XSS
- Patched in Version:
- 1.4.0
- Severity Score:
- Medium
- CVE:
- 2023-0559
Shortcode for Font Awesome
- Plugin:
- Shortcode for Font Awesome
- Plugin Slug:
- shortcode-for-font-awesome
- Installations:
- 700+
- Vulnerability:
- Contributor+ Stored XSS
- Patched in Version:
- 1.4.1
- Severity Score:
- Medium
- CVE:
- 2023-0419
EmbedStories
- Plugin Slug:
- embedstories
- Installations:
- 600+
- Vulnerability:
- Contributor+ Stored XSS
- Patched in Version:
- 0.7.5
- Severity Score:
- Medium
- CVE:
- 2023-0372
Loan Comparison
- Plugin:
- Loan Comparison
- Plugin Slug:
- loan-comparison
- Installations:
- 500+
- Vulnerability:
- Reflected XSS via shortcode
- Patched in Version:
- 1.5.3
- Severity Score:
- Medium
- CVE:
- 2023-0442
Loan Comparison
- Plugin:
- Loan Comparison
- Plugin Slug:
- loan-comparison
- Installations:
- 500+
- Vulnerability:
- Contributor+ Stored XSS via shortcode
- Patched in Version:
- 1.5.3
- Severity Score:
- Medium
- CVE:
- 2023-0366
GS Products Slider for WooCommerce
- Plugin Slug:
- gs-woocommerce-products-slider
- Installations:
- 400+
- Vulnerability:
- Contributor+ Stored XSS
- Patched in Version:
- 1.5.9
- Severity Score:
- Medium
- CVE:
- 2023-0492
GS Filterable Portfolio
- Plugin:
- GS Filterable Portfolio
- Plugin Slug:
- gs-portfolio
- Installations:
- 400+
- Vulnerability:
- Contributor+ Stored XSS
- Patched in Version:
- 1.6.1
- Severity Score:
- Medium
- CVE:
- 2023-0540
GS Books Showcase
- Plugin:
- GS Books Showcase
- Plugin Slug:
- gs-books-showcase
- Installations:
- 400+
- Vulnerability:
- Contributor+ Stored XSS
- Patched in Version:
- 1.3.1
- Severity Score:
- Medium
- CVE:
- 2023-0541
PrivateContent
- Plugin:
- Private Content
- Plugin Slug:
- private-content
- Vulnerability:
- Brute Force Protection Bypass
- Patched in Version:
- 8.4.4
- Severity Score:
- Medium
- CVE:
- 2023-0581
BackupBuddy
- Plugin:
- BackupBuddy
- Plugin Slug:
- backupbuddy
- Vulnerability:
- Multiple Reflected Cross-Site Scripting
- Patched in Version:
- 8.8.3
- Severity Score:
- High
- CVE:
- 2022-4897
WP Private Message
- Plugin:
- WP Private Message
- Plugin Slug:
- wp-private-message
- Vulnerability:
- Private Message Disclosure via IDOR
- Patched in Version:
- 1.0.6
- Severity Score:
- Medium
- CVE:
- 2023-0453
Quick Restaurant Menu
- Plugin:
- Quick Restaurant Menu
- Plugin Slug:
- quick-restaurant-menu
- Vulnerability:
- Menu Items Update via CSRF
- Patched in Version:
- 2.1.0
- Severity Score:
- Medium
- CVE:
- 2023-0554
Quick Restaurant Menu
- Plugin:
- Quick Restaurant Menu
- Plugin Slug:
- quick-restaurant-menu
- Vulnerability:
- Admin+ Stored XSS
- Patched in Version:
- 2.1.0
- Severity Score:
- Low
- CVE:
- 2023-0553
Quick Restaurant Menu
- Plugin:
- Quick Restaurant Menu
- Plugin Slug:
- quick-restaurant-menu
- Vulnerability:
- Subscriber+ Arbitrary Post Deletion/Updating
- Patched in Version:
- 2.1.0
- Severity Score:
- Medium
- CVE:
- 2023-0550
ContentStudio < 1.2.6 - Authorisation Bypass
- Plugin
- ContentStudio
- Plugin Slug
- contentstudio
- Vulnerability
- Authorisation Bypass
- Patched in Version
- 1.2.6
- Severity Score
- High
- CVE
- 2023-0558
ContentStudio
- Plugin:
- ContentStudio
- Plugin Slug:
- contentstudio
- Vulnerability:
- Nonce Disclosure
- Patched in Version:
- 1.2.6
- Severity Score:
- High
- CVE:
- 2023-0557
WordPress Plugin Vulnerabilities – No Known Fix
This section contains plugin vulnerabilities with no known fix. Until a patch is available, immediately uninstall and delete the plugin.
Markup
- Plugin Slug:
- wp-structuring-markup
- Installations:
- 30,000+
- Vulnerability:
- Contributor+ Stored XSS via Shortcode
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2022-4666
Page Builder: Live Composer
- Plugin:
- Page Builder: Live Composer
- Plugin Slug:
- live-composer-page-builder
- Installations:
- 20,000+
- Vulnerability:
- Contributor+ Stored XSS via Shortcode
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2022-4669
Login Logout Menu
- Plugin:
- Login Logout Menu
- Plugin Slug:
- baw-login-logout-menu
- Installations:
- 10,000+
- Vulnerability:
- Contributor+ Stored XSS in Shortcode
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2022-4622
Easy Social Box
- Plugin Slug:
- easy-facebook-like-box
- Vulnerability:
- Contributor+ Stored XSS via Shortcode
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2022-4754
Intuitive Custom Post Order
- Plugin:
- Intuitive Custom Post Order
- Plugin Slug:
- intuitive-custom-post-order
- Vulnerability:
- Arbitrary Menu Order Update via CSRF
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2022-4386
Intuitive Custom Post Order
- Plugin:
- Intuitive Custom Post Order
- Plugin Slug:
- intuitive-custom-post-order
- Vulnerability:
- Subscriber+ Arbitrary Menu Order Update
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2022-4385
Simple File Downloader
- Plugin:
- Simple File Downloader
- Plugin Slug:
- simple-file-downloader
- Vulnerability:
- Contributor+ Stored XSS via Shortcode
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2022-4764
Post Views Count
- Plugin Slug:
- baw-post-views-count
- Vulnerability:
- Contributor+ Stored XSS in Shortcode
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2022-4761
WP Responsive Testimonials Slider And Widget
- Plugin Slug:
- wp-responsive-testimonials-slider-and-widget
- Vulnerability:
- Contributor+ Stored XSS
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2022-4750
Opening Hours
- Plugin:
- Opening Hours
- Plugin Slug:
- wp-opening-hours
- Vulnerability:
- Contributor+ Stored XSS via Shortcode
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2022-4752
Hueman Addons
- Plugin:
- Hueman Addons
- Plugin Slug:
- hueman-addons
- Vulnerability:
- Contributor+ Stored XSS via Shortcode
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2022-4784
Video.js – HTML5 Video Player for WordPress
- Plugin Slug:
- videojs-html5-video-player-for-wordpress
- Vulnerability:
- Contributor+ Stored XSS via Shortcode
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2022-4786
Download Video Sidebar Widgets
- Plugin:
- Video Sidebar Widgets
- Plugin Slug:
- video-sidebar-widgets
- Vulnerability:
- Contributor+ Stored XSS via Shortcode
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2022-4785
Bootstrap Shortcodes
- Plugin:
- Bootstrap Shortcodes
- Plugin Slug:
- bootstrap-shortcodes
- Vulnerability:
- Contributor+ Stored XSS via Shortcode
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2022-4777
WordPress Theme Vulnerabilities
In this section, the latest WordPress theme vulnerabilities have been disclosed. Each theme listing includes the type of vulnerability, the active installations, the version number if patched, the severity rating, and the CVE.
Solid Security is part of Solid Suite — The best foundation for WordPress websites.
Every WordPress site needs security, backups, and management tools. That’s Solid Suite — an integrated bundle of three plugins: Solid Security, Solid Backups, and Solid Central. You also get access to Solid Academy’s learning resources for WordPress professionals. Build your next WordPress website on a solid foundation with Solid Suite!
Sign up now — Get SolidWP updates and valuable content straight to your inbox
Sign up
Get started with confidence — risk free, guaranteed