WordPress Vulnerability Report

There are no vulnerabilities to report in WordPress core this week. The ColorWay theme had a vulnerability emerge that has not been patched. 77 plugin vulnerabilities have new patches. Wicked Folders accounts for 18 of these. WordPress Shortcodes Ultimate and GamiPress each patched 3 vulnerabilities. Quick Contact Form, RSVP Maker, and Arigato Autoresponder each patched 2 vulnerabilities. Only 3 plugins with new vulnerabilities have not been patched as of this writing.

Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. Our weekly WordPress Vulnerability Report, now powered by Patchstack, covers new WordPress plugins, themes, and core vulnerabilities that have emerged since our last report. Our goal is to help you decide what to do if you are using one of these vulnerable plugins or themes on your website. For a deeper, historical analysis of WordPress vulnerabilities and threat vectors, see our 2022 Annual Vulnerability Report.

Am I Vulnerable?

If you are an iThemes Security or Security Pro user, the Site Scan feature will notify you of any vulnerabilities in WordPress, plugins, and themes you have installed. You can also review the following list of new vulnerabilities and check them against your installed plugins and themes.

Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe. Please share this post with your friends to help get the word out and make WordPress safer for everyone!

How Bad Is It?

Each vulnerability will have a severity rating of low, medium, high, or critical. Severity levels do not indicate whether a vulnerability is being actively exploited or not. A severity rating indicates how easy it would be for an attacker to exploit the vulnerability and how damaging the impact of an effective exploit could be.

We will highlight active exploits as we become aware of them.

Vulnerabilities are assessed by many different authorities, who each interpret risk with their own perspective and priorities. We are providing you with Patchstack’s risk assessment for WordPress site owners like you.

Is There An Update?

The most important information about a vulnerability is whether it has been patched or not.

If a patch or security release exists to secure the vulnerability, you will see a note about this in a green footer closing the individual vulnerability report. You should immediately update the vulnerable software to the highest version available.

Please be aware that even a deactivated plugin or theme may be exploited by attackers as long as it remains installed in WordPress. You should either update or delete vulnerable plugins and themes as soon as possible when a vulnerability emerges in them.

What Should I Do?

If no update is available for a vulnerable plugin or theme that you are actively using, you will see a red footer closing the individual vulnerability report with a warning that no update has been provided yet. We will also highlight vulnerable plugins and themes that have no known fix.

Popular, widely used plugins and themes that remain vulnerable form a uniquely large and attractive attack surface so we will call special attention to them.

You should weigh the costs and benefits of removing vulnerable plugins and themes with no known fix. If they have been dropped from the wordpress.org repositories, we will note their status is “closed.” We recommend adopting a different, secure solution as soon as possible for plugins designated “closed” or that have “no known fix” forthcoming.

It is urgent to remove unpatched themes and plugins with vulnerabilities of any severity if they are being actively exploited and there’s no security update available.

The Future of Authentication is Passkeys! Log into your WordPress site with Biometrics only available in iThemes Security Pro.

Credential stuffing, phishing, and brute force attacks using stolen, guessable, or reused passwords have made our digital lives less secure. Two-Factor Authentication (2FA) offers some protection but at the cost of usability and accessibility. Fewer than 30% of all online account holders actually use 2FA. Password-based logins are broken.

The future of authentication is passkeys, and iThemes Security Pro is the first to bring this breakthrough technology to WordPress sites. Using breakthrough WebAuthn technology based on public/private cryptography, passkeys make passwords obsolete. Now, website admins and end users can have secure logins without the inconvenience of additional two-factor apps, password managers, or complex password requirements.

Learn More About Passkeys

WordPress Core News

WordPress 6.1.1 was released on November 15, 2022, as a short-cycle maintenance release with 29 bug fixes in Core and 21 bug fixes for the block editor. Because this is a core update, be sure to update to WordPress 6.1.1 as soon as possible! As always, with a major release like this, ensure your site is backed up with BackupBuddy before updating.

WordPress 6.2 Beta 1

WordPress 6.2 Beta 1 is ready for download and testing! The current target for the final release is March 28, 2023. With the arrival of WordPress 6.2, Phase Two of Gutenberg’s development will have ended. Phase Two focused on the Block and Site Editor features that now allow deep customization of site designs and layouts. Next, Phase Three will focus on collaborative editing features. Take a look at the WordPress Development Roadmap to learn more.

No new WordPress core vulnerabilities were disclosed this week.

There is a known unpatched vulnerability in WordPress core affecting all versions of WordPress. If you’re using iThemes Security, you’ve probably been alerted to this. As we are unsure when this very low-severity vulnerability will be patched, emails from iThemes Security will no longer alert for this specific vulnerability. Read our blog post about this vulnerability.

Get the weekly WordPress Vulnerability Report delivered to your inbox each Wednesday.

WordPress Plugin Vulnerabilities

In this section, the latest WordPress plugin vulnerabilities have been disclosed. Each plugin listing includes the type of vulnerability, the active installations, the version number if patched, the severity rating, and the CVE.

WordPress Rank Math SEO plugin

$Product image for Rank Math SEO.$

Plugin: Rank Math SEO
Plugin Slug: seo-by-rank-math
Installations: 1,000,000+
Vulnerability: Local File Inclusion vulnerability
Patched in Version: 1.0.107.3
Severity Score: High
CVE: 2023-23888

WordPress WP-Optimize plugin

Plugin: WP-Optimize – Cache, Clean, Compress.
Plugin Slug: wp-optimize
Installations: 1,000,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 3.2.12
Severity Score: Medium

WordPress Shortcodes Ultimate plugin

Plugin: WordPress Shortcodes Plugin — Shortcodes Ultimate
Plugin Slug: shortcodes-ultimate
Installations: 700,000+
Vulnerability: Server Side Request Forgery (SSRF)
Patched in Version: 5.12.7
Severity Score: High
CVE: 2023-23800

WordPress Shortcodes Ultimate plugin

Plugin: WordPress Shortcodes Plugin — Shortcodes Ultimate
Plugin Slug: shortcodes-ultimate
Installations: 700,000+
Vulnerability: Arbitrary File Download
Patched in Version: 5.12.7
Severity Score: High
CVE: 2023-25050

WordPress Shortcodes Ultimate plugin

Plugin: WordPress Shortcodes Plugin — Shortcodes Ultimate
Plugin Slug: shortcodes-ultimate
Installations: 700,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 5.12.7
Severity Score: Medium
CVE: 2023-25040

WordPress Under Construction Plugin

Plugin: Under Construction
Plugin Slug: under-construction-page
Installations: 600,000+
Vulnerability: Multiple CSRF Vulnerabilities
Patched in Version: 3.97
Severity Score: Medium

WordPress Redirection for Contact Form 7 plugin

Plugin: Redirection for Contact Form 7
Plugin Slug: wpcf7-redirect
Installations: 300,000+
Vulnerability: Privilege Escalation
Patched in Version: 2.8.0
Severity Score: High
CVE: 2023-23990

WordPress Icegram Express – Email Subscribers, Newsletters and Marketing Automation Plugin plugin

Plugin: Icegram Express – Email Subscribers, Newsletters and Marketing Automation Plugin
Plugin Slug: email-subscribers
Installations: 100,000+
Vulnerability: CSV Injection
Patched in Version: 5.5.3
Severity Score: Medium
CVE: 2022-45810

WordPress Plugin for Google Reviews plugin

Plugin: Plugin for Google Reviews
Plugin Slug: widget-google-reviews
Installations: 100,000+
Vulnerability: SQL Injection
Patched in Version: 2.2.4
Severity Score: Critical
CVE: 2022-44580

WordPress Mercado Pago payments for WooCommerce plugin

Plugin: Mercado Pago payments for WooCommerce
Plugin Slug: woocommerce-mercadopago
Installations: 100,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 6.4.0
Severity Score: Medium
CVE: 2022-45068

WordPress Mercado Pago payments for WooCommerce plugin

Plugin: Mercado Pago payments for WooCommerce
Plugin Slug: woocommerce-mercadopago
Installations: 100,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 6.4.0
Severity Score: Medium
CVE: 2022-45068

WordPress WooLentor plugin

Plugin: ShopLentor – WooCommerce Builder for Elementor & Gutenberg +10 Modules – All in One Solution (formerly WooLentor)
Plugin Slug: woolentor-addons
Installations: 100,000+
Vulnerability: CSRF Leading to Plugin Settings Change Vulnerability
Patched in Version: 2.5.2
Severity Score: Medium
CVE: 2022-46798

WordPress Auto Featured Image (Auto Post Thumbnail) plugin

Plugin: Auto Featured Image (Auto Post Thumbnail)
Plugin Slug: auto-post-thumbnail
Installations: 80,000+
Vulnerability: Authenticated(Admin+) Remote File Download vulnerability
Patched in Version: 3.9.16
Severity Score: Medium

WordPress Ajax Search Lite plugin

Plugin: Ajax Search Lite
Plugin Slug: ajax-search-lite
Installations: 70,000+
Vulnerability: Auth. Data Exposure vulnerability
Patched in Version: 4.11
Severity Score: Medium
CVE: 2022-38456

WordPress A2 Optimized WP plugin

Plugin: A2 Optimized WP – Turbocharge and secure your WordPress site
Plugin Slug: a2-optimized-wp
Installations: 60,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 3.0.5
Severity Score: Medium
CVE: 2023-23711

WordPress Schema – All In One Schema Rich Snippets plugin

Plugin: Schema – All In One Schema Rich Snippets
Plugin Slug: all-in-one-schemaorg-rich-snippets
Installations: 60,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.6.6
Severity Score: Medium
CVE: 2023-25058

WordPress Profile Builder plugin

Plugin: Profile Builder – User Profile & User Registration Forms
Plugin Slug: profile-builder
Installations: 60,000+
Vulnerability: Sensitive Information Disclosure via Shortcode vulnerability
Patched in Version: 3.9.1
Severity Score: Medium
CVE: 2023-0814

WordPress Void Contact Form 7 Widget For Elementor Page Builder plugin

Plugin: Void Contact Form 7 Widget For Elementor Page Builder
Plugin Slug: cf7-widget-elementor
Installations: 40,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 2.2
Severity Score: Medium
CVE: 2022-47166

WordPress All-in-one Floating Contact Form plugin

Plugin: All-in-one Floating Contact Form, Call, Chat, and 50+ Social Icon Tabs – My Sticky Elements
Plugin Slug: mystickyelements
Installations: 40,000+
Vulnerability: Authenticated (Admin+) SQL Injection vulnerability
Patched in Version: 2.0.9
Severity Score: Medium
CVE: 2023-0487

WordPress Quiz And Survey Master plugin

Plugin: Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress
Plugin Slug: quiz-master-next
Installations: 40,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 8.0.8
Severity Score: Medium
CVE: 2022-46862

WordPress Visualizer: Tables and Charts Manager for WordPress plugin

Plugin: Visualizer: Tables and Charts Manager for WordPress
Plugin Slug: visualizer
Installations: 40,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.9.2
Severity Score: Medium
CVE: 2022-46848

WordPress Actionable Google Analytics and Google Shopping plugin for WooCommerce plugin

Plugin: All-in-one Google Analytics, Pixels and Product Feed Manager for WooCommerce
Plugin Slug: enhanced-e-commerce-for-woocommerce-store
Installations: 30,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 5.2.4
Severity Score: Medium
CVE: 2022-46797

WordPress WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin

Plugin: WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn)
Plugin Slug: miniorange-login-openid
Installations: 30,000+
Vulnerability: Arbitrary Content Deletion
Patched in Version: 7.6.1
Severity Score: Medium
CVE: 2023-25455

WordPress Responsive Pricing Table plugin

Plugin: Responsive Pricing Table
Plugin Slug: dk-pricr-responsive-pricing-table
Installations: 20,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 5.1.7
Severity Score: Medium
CVE: 2022-46855

WordPress Interactive Geo Maps plugin

Plugin: Interactive Geo Maps
Plugin Slug: interactive-geo-maps
Installations: 20,000+
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting vulnerability
Patched in Version: 1.5.11
Severity Score: Medium
CVE: 2023-0731

WordPress Wicked Folders plugin

Plugin: Wicked Folders
Plugin Slug: wicked-folders
Installations: 20,000+
Vulnerability: Missing Authorization via ajax_save_state vulnerability
Patched in Version: 2.18.17
Severity Score: Medium
CVE: 2023-0711

WordPress Wicked Folders plugin

Plugin: Wicked Folders
Plugin Slug: wicked-folders
Installations: 20,000+
Vulnerability: Missing Authorization on ajax_clone_folder vulnerability
Patched in Version: 2.18.17
Severity Score: Medium
CVE: 2023-0715

WordPress Wicked Folders plugin

Plugin: Wicked Folders
Plugin Slug: wicked-folders
Installations: 20,000+
Vulnerability: Cross-Site Request Forgery via ajax_save_sort_order vulnerability
Patched in Version: 2.18.17
Severity Score: Medium
CVE: 2023-0729

WordPress Wicked Folders plugin

Plugin: Wicked Folders
Plugin Slug: wicked-folders
Installations: 20,000+
Vulnerability: Missing Authorization on ajax_save_folder_order vulnerability
Patched in Version: 2.18.17
Severity Score: Medium
CVE: 2023-0720

WordPress Wicked Folders plugin

Plugin: Wicked Folders
Plugin Slug: wicked-folders
Installations: 20,000+
Vulnerability: Cross-Site Request Forgery via ajax_clone_folder vulnerability
Patched in Version: 2.18.17
Severity Score: Medium
CVE: 2023-0725

WordPress Wicked Folders plugin

Plugin: Wicked Folders
Plugin Slug: wicked-folders
Installations: 20,000+
Vulnerability: Cross-Site Request Forgery via ajax_edit_folder vulnerability
Patched in Version: 2.18.17
Severity Score: Medium
CVE: 2023-0726

WordPress Wicked Folders plugin

Plugin: Wicked Folders
Plugin Slug: wicked-folders
Installations: 20,000+
Vulnerability: Missing Authorization on ajax_edit_folder vulnerability
Patched in Version: 2.18.17
Severity Score: Medium
CVE: 2023-0716

WordPress Wicked Folders plugin

Plugin: Wicked Folders
Plugin Slug: wicked-folders
Installations: 20,000+
Vulnerability: Missing Authorization via ajax_delete_folder vulnerability
Patched in Version: 2.18.17
Severity Score: Medium
CVE: 2023-0717

WordPress Wicked Folders plugin

Plugin: Wicked Folders
Plugin Slug: wicked-folders
Installations: 20,000+
Vulnerability: Cross-Site Request Forgery via ajax_save_state vulnerability
Patched in Version: 2.18.17
Severity Score: Medium
CVE: 2023-0722

WordPress Wicked Folders plugin

Plugin: Wicked Folders
Plugin Slug: wicked-folders
Installations: 20,000+
Vulnerability: Cross-Site Request Forgery via ajax_add_folder vulnerability
Patched in Version: 2.18.17
Severity Score: Medium
CVE: 2023-0724

WordPress Wicked Folders plugin

Plugin: Wicked Folders
Plugin Slug: wicked-folders
Installations: 20,000+
Vulnerability: Missing Authorization on ajax_save_folder vulnerability
Patched in Version: 2.18.17
Severity Score: Medium
CVE: 2023-0718

WordPress Wicked Folders plugin

Plugin: Wicked Folders
Plugin Slug: wicked-folders
Installations: 20,000+
Vulnerability: Cross-Site Request Forgery on ajax_move_object vulnerability
Patched in Version: 2.18.17
Severity Score: Medium
CVE: 2023-0723

WordPress Wicked Folders plugin

Plugin: Wicked Folders
Plugin Slug: wicked-folders
Installations: 20,000+
Vulnerability: Missing Authorization on ajax_save_sort_order vulnerability
Patched in Version: 2.18.17
Severity Score: Medium
CVE: 2023-0719

WordPress Wicked Folders plugin

Plugin: Wicked Folders
Plugin Slug: wicked-folders
Installations: 20,000+
Vulnerability: Cross-Site Request Forgery via ajax_delete_folder vulnerability
Patched in Version: 2.18.17
Severity Score: Medium
CVE: 2023-0727

WordPress Wicked Folders plugin

Plugin: Wicked Folders
Plugin Slug: wicked-folders
Installations: 20,000+
Vulnerability: Cross-Site Request Forgery via ajax_save_folder_order vulnerability
Patched in Version: 2.18.17
Severity Score: Medium
CVE: 2023-0730

WordPress Wicked Folders plugin

Plugin: Wicked Folders
Plugin Slug: wicked-folders
Installations: 20,000+
Vulnerability: Missing Authorization on ajax_move_object vulnerability
Patched in Version: 2.18.17
Severity Score: Medium
CVE: 2023-0712

WordPress Wicked Folders plugin

Plugin: Wicked Folders
Plugin Slug: wicked-folders
Installations: 20,000+
Vulnerability: Cross-Site Request Forgery on ajax_save_folder vulnerability
Patched in Version: 2.18.17
Severity Score: Medium
CVE: 2023-0728

WordPress Wicked Folders plugin

Plugin: Wicked Folders
Plugin Slug: wicked-folders
Installations: 20,000+
Vulnerability: Missing Authorization on ajax_add_folder vulnerability
Patched in Version: 2.18.17
Severity Score: Medium
CVE: 2023-0713

WordPress CURCY plugin

Plugin: CURCY – Multi Currency for WooCommerce – The best free currency exchange plugin – Run smoothly on WooCommerce 6.x
Plugin Slug: woo-multi-currency
Installations: 20,000+
Vulnerability: Unauthenticated plugin settings change vulnerability
Patched in Version: 2.1.26
Severity Score: Medium
CVE: 2022-46796

WordPress WordPress Robots.txt optimization (+ XML Sitemap) – Website traffic, SEO & ranking Booster plugin

Plugin: WordPress Robots.txt optimization (+ XML Sitemap) – Website traffic, SEO & ranking Booster
Plugin Slug: better-robots-txt
Installations: 10,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.4.6
Severity Score: Medium
CVE: 2023-25706

WordPress eCommerce Product Catalog Plugin for WordPress plugin

Plugin: eCommerce Product Catalog Plugin for WordPress
Plugin Slug: ecommerce-product-catalog
Installations: 10,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.3.5
Severity Score: Medium
CVE: 2023-25049

WordPress GamiPress plugin

Plugin: GamiPress – The most flexible and powerful gamification plugin for WordPress
Plugin Slug: gamipress
Installations: 10,000+
Vulnerability: SQL Injection
Patched in Version: 2.5.7.1
Severity Score: High
CVE: 2023-24000

WordPress GamiPress plugin

Plugin: GamiPress – The most flexible and powerful gamification plugin for WordPress
Plugin Slug: gamipress
Installations: 10,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 2.5.7
Severity Score: Medium
CVE: 2023-25697

WordPress GamiPress plugin

Plugin: GamiPress – The most flexible and powerful gamification plugin for WordPress
Plugin Slug: gamipress
Installations: 10,000+
Vulnerability: Missing Authorization Leading to Points Manipulation Vulnerability
Patched in Version: 2.5.7
Severity Score: Medium
CVE: 2023-25715

WordPress Qubely plugin

Plugin: Qubely – Advanced Gutenberg Blocks
Plugin Slug: qubely
Installations: 10,000+
Vulnerability: Authenticated(Contributor+) Stored Cross-Site Scripting vulnerability
Patched in Version: 1.8.5
Severity Score: Medium

WordPress Cost of Goods for WooCommerce plugin

Plugin: Cost of Goods for WooCommerce
Plugin Slug: cost-of-goods-for-woocommerce
Installations: 8,000+
Vulnerability: Broken Access Control
Patched in Version: 2.8.7
Severity Score: Medium
CVE: 2023-23868

WordPress Shoppable Images plugin

Plugin: Shoppable Images
Plugin Slug: mabel-shoppable-images-lite
Installations: 8,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.2.4
Severity Score: Medium
CVE: 2023-25698

WordPress Woocommerce Vietnam Checkout plugin

Plugin: Woocommerce Vietnam Checkout
Plugin Slug: woo-vietnam-checkout
Installations: 8,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.0.5
Severity Score: High
CVE: 2022-46843

WordPress Google Maps CP plugin

Plugin: Google Maps CP
Plugin Slug: codepeople-post-map
Installations: 7,000+
Vulnerability: Missing Authorization Leading To Feedback Submission Vulnerability
Patched in Version: 1.0.44
Severity Score: Medium
CVE: 2023-25039

WordPress Portfolio – WordPress Portfolio Plugin plugin

Plugin: Portfolio – WordPress Portfolio Plugin
Plugin Slug: tlp-portfolio
Installations: 7,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.8.11
Severity Score: Medium
CVE: 2023-23685

WordPress Announce from the Dashboard plugin

Plugin: Announce from the Dashboard
Plugin Slug: announce-from-the-dashboard
Installations: 6,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.5.2
Severity Score: Medium
CVE: 2023-25716

WordPress Icegram Collect – Easy Form, Lead Collection and Subscription plugin

Plugin: Icegram Collect – Easy Form, Lead Collection and Subscription plugin
Plugin Slug: icegram-rainmaker
Installations: 6,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.3.9
Severity Score: Medium
CVE: 2023-25024

WordPress Auto Hide Admin Bar plugin

Plugin: Auto Hide Admin Bar
Plugin Slug: auto-hide-admin-bar
Installations: 5,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.6.2
Severity Score: Medium
CVE: 2023-23994

WordPress Fancy Comments WordPress plugin

Plugin: Fancy Comments WordPress
Plugin Slug: fancy-facebook-comments
Installations: 5,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.2.11
Severity Score: Medium
CVE: 2023-23670

WordPress Tickera – WordPress Event Ticketing plugin

Plugin: Tickera – WordPress Event Ticketing
Plugin Slug: tickera-event-ticketing-system
Installations: 5,000+
Vulnerability: CSRF Leading To Post Status Change Vulnerability
Patched in Version: 3.5.1.1
Severity Score: Medium
CVE: 2023-23726

WordPress Auto Affiliate Links plugin

Plugin: Auto Affiliate Links
Plugin Slug: wp-auto-affiliate-links
Installations: 5,000+
Vulnerability: Unauth. Broken Access Control vulnerability
Patched in Version: 6.2.1.6
Severity Score: Medium
CVE: 2022-45840

WordPress WordPress Comments Import & Export plugin

Plugin: WordPress Comments Import & Export
Plugin Slug: comments-import-export-woocommerce
Installations: 3,000+
Vulnerability: CSV Injection
Patched in Version: 2.3.2
Severity Score: Medium
CVE: 2022-45370

WordPress Quick Contact Form plugin

Plugin: Quick Contact Form
Plugin Slug: quick-contact-form
Installations: 3,000+
Vulnerability: Broken Access Control
Patched in Version: 8.0.4
Severity Score: Medium
CVE: 2023-25035

WordPress Quick Contact Form plugin

Plugin: Quick Contact Form
Plugin Slug: quick-contact-form
Installations: 3,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 8.0.4
Severity Score: Medium
CVE: 2023-23885

WordPress Chained Quiz plugin

Plugin: Chained Quiz
Plugin Slug: chained-quiz
Installations: 2,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.3.2.6
Severity Score: Medium
CVE: 2023-25027

WordPress Locatoraid Store Locator plugin

Plugin: Locatoraid Store Locator
Plugin Slug: locatoraid
Installations: 2,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 3.9.12
Severity Score: Medium
CVE: 2023-25709

WordPress WPGlobus Translate Options plugin

Plugin: WPGlobus Translate Options
Plugin Slug: wpglobus-translate-options
Installations: 2,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.2.0
Severity Score: Medium
CVE: 2023-25711

WordPress Auto YouTube Importer plugin

Plugin: Auto YouTube Importer
Plugin Slug: auto-youtube-importer
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.0.4
Severity Score: Medium
CVE: 2023-23797

WordPress Arigato Autoresponder and Newsletter plugin

Plugin: Arigato Autoresponder and Newsletter
Plugin Slug: bft-autoresponder
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.7.1.2
Severity Score: High
CVE: 2023-25020

WordPress Arigato Autoresponder and Newsletter plugin

Plugin: Arigato Autoresponder and Newsletter
Plugin Slug: bft-autoresponder
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.7.1.1
Severity Score: Medium
CVE: 2023-25031

WordPress OWM Weather plugin

Plugin: OWM Weather
Plugin Slug: owm-weather
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 5.6.12
Severity Score: Medium
CVE: 2022-47179

WordPress Twitch Player plugin

Plugin: Twitch Player
Plugin Slug: ttv-easy-embed-player
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.1.1
Severity Score: Medium
CVE: 2023-25464

WordPress Booking Calendar Contact Form plugin

Plugin: Booking Calendar Contact Form
Plugin Slug: booking-calendar-contact-form
Installations: 900+
Vulnerability: Broken Access Control
Patched in Version: 1.2.35
Severity Score: Medium
CVE: 2023-25037

WordPress Gutenberg Forms plugin

Plugin: Gutenberg Forms – WordPress Form Builder Plugin
Plugin Slug: forms-gutenberg
Installations: 700+
Vulnerability: Auth. Broken Access Control vulnerability
Patched in Version: 2.2.9
Severity Score: Medium
CVE: 2022-45803

WordPress RSVPMaker plugin

Plugin: RSVPMaker
Plugin Slug: rsvpmaker
Installations: 500+
Vulnerability: SQL Injection
Patched in Version: 9.9.4
Severity Score: Medium
CVE: 2023-25047

WordPress RSVPMaker plugin

Plugin: RSVPMaker
Plugin Slug: rsvpmaker
Installations: 500+
Vulnerability: SQL Injection
Patched in Version: 9.9.4
Severity Score: Medium
CVE: 2023-25045

WordPress PayPal Brasil para WooCommerce plugin

Plugin: PayPal Brasil para WooCommerce
Plugin Slug: paypal-brasil-para-woocommerce
Vulnerability: Broken Access Control
Patched in Version: 1.4.3
Severity Score: Medium
CVE: 2023-25026

WordPress Plugin Vulnerabilities – No Known Fix

This section contains plugin vulnerabilities with no known fix. Until a patch is available, immediately uninstall and delete the plugin from WordPress to ensure it cannot be exploited.

WordPress Slider by Supsystic plugin

Plugin: Slider by Supsystic
Plugin Slug: slider-by-supsystic
Installations: 5,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2022-47155

WordPress WeChat Robot plugin

Plugin: WeChat Robot Premium
Plugin Slug: weixin-robot-advanced
Installations: 300+
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2022-45837

WordPress 0mk Shortener plugin

Plugin: 0mk Shortener
Plugin Slug: 0mk-shortener
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting vulnerability
Patched in Version: No Fix
Severity Score: High
CVE: 2022-2933

WordPress Theme Vulnerabilities

In this section, the latest WordPress theme vulnerabilities have been disclosed. Each theme listing includes the type of vulnerability, the active installations, the version number if patched, the severity rating, and the CVE.

WordPress Monolit Theme theme

Theme: Monolit Theme
Theme Slug: monolit
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.0.7
Severity Score: High
CVE: 2023-25041

WordPress Theme Vulnerabilities – No Known Fix

This section contains theme vulnerabilities with no known fix. Until a patch is available, immediately uninstall and delete the theme.

WordPress ColorWay theme

Theme: ColorWay
Theme Slug: colorway
Downloads: 1,314,098
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-25447

Never worry about running a vulnerable plugin or theme again.

As you can see from this report, new WordPress plugin and theme vulnerabilities are disclosed every week. We know it can be difficult to stay on top of every reported vulnerability disclosure that matters to you, so the Themes Security Pro plugin makes it easy to ensure your site isn’t running a vulnerable theme, plugin, or version of WordPress core.

Scans Your Website Twice a Day for Vulnerabilities

Your website’s plugins, themes, and WordPress core versions are checked against the Patchstack Vulnerability Database for the latest vulnerability disclosures.

Automatically Updates if a Security Fix is Available

Paired with Version Management, iThemes Security will automatically update a plugin, theme, or WordPress core version if it has a vulnerability.

Emails You a Warning if Site Scan Detects a Vulnerability

You can receive an email report if your site is running vulnerable versions of a plugin, theme, or WordPress core. Customize the email addresses that receive scan results.

The Best WordPress Security Plugin to Secure & Protect WordPress Sites

WordPress currently powers over 40% of all websites, so it has become a popular target for hackers with malicious intent. The iThemes Security Pro plugin takes the guesswork out of WordPress security to make it easy to secure & protect your WordPress website. It’s like having a full-time security expert on staff who constantly monitors and protects your WordPress site for you.

Buy iThemes Security Pro

iThemes Editorial Team

Each week, the team at iThemes team publishes new WordPress tutorials and resources, including the Weekly WordPress Vulnerability Report. Since 2008, iThemes has been dedicated to helping you build, maintain, and secure WordPress sites for yourself or for clients. Our mission? Make People’s Lives Awesome.

WordPress Vulnerability Report – February 15, 2023

Am I Vulnerable?

How Bad Is It?

Is There An Update?

What Should I Do?

The Future of Authentication is Passkeys! Log into your WordPress site with Biometrics only available in iThemes Security Pro.

WordPress Core News

WordPress 6.2 Beta 1

WordPress Plugin Vulnerabilities

WordPress Plugin Vulnerabilities – No Known Fix

WordPress Theme Vulnerabilities

WordPress Theme Vulnerabilities – No Known Fix

Never worry about running a vulnerable plugin or theme again.

Scans Your Website Twice a Day for Vulnerabilities

Automatically Updates if a Security Fix is Available

Emails You a Warning if Site Scan Detects a Vulnerability

The Best WordPress Security Plugin to Secure & Protect WordPress Sites

Other related posts

About iThemes

Resources

Customers

Top Products

Get the Weekly WordPress Vulnerability Report