WordPress Vulnerability Report

Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. Our weekly WordPress Vulnerability Report, now powered by Patchstack, covers new WordPress plugins, themes, and core vulnerabilities that have emerged since our last report. Our goal is to help you decide what to do if you are using one of these vulnerable plugins or themes […]

Am I Vulnerable?

If you are an iThemes Security or Security Pro user, the Site Scan feature will notify you of any vulnerabilities in WordPress, plugins, and themes you have installed. You can also review the following list of new vulnerabilities and check them against your installed plugins and themes.

Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe. Please share this post with your friends to help get the word out and make WordPress safer for everyone!

How Bad Is It?

Each vulnerability will have a severity rating of low, medium, high, or critical. Severity levels do not indicate whether a vulnerability is being actively exploited or not. A severity rating indicates how easy it would be for an attacker to exploit the vulnerability and how damaging the impact of an effective exploit could be.

We will highlight active exploits as we become aware of them.

Vulnerabilities are assessed by many different authorities, who each interpret risk with their own perspective and priorities. We are providing you with Patchstack’s risk assessment for WordPress site owners like you.

Is There An Update?

The most important information about a vulnerability is whether it has been patched or not.

If a patch or security release exists to secure the vulnerability, you will see a note about this in a green footer closing the individual vulnerability report. You should immediately update the vulnerable software to the highest version available.

Please be aware that even a deactivated plugin or theme may be exploited by attackers as long as it remains installed in WordPress. You should either update or delete vulnerable plugins and themes as soon as possible when a vulnerability emerges in them.

What Should I Do?

If no update is available for a vulnerable plugin or theme that you are actively using, you will see a red footer closing the individual vulnerability report with a warning that no update has been provided yet. We will also highlight vulnerable plugins and themes that have no known fix.

Popular, widely used plugins and themes that remain vulnerable form a uniquely large and attractive attack surface so we will call special attention to them.

You should weigh the costs and benefits of removing vulnerable plugins and themes with no known fix. If they have been dropped from the wordpress.org repositories, we will note their status is “closed.” We recommend adopting a different, secure solution as soon as possible for plugins designated “closed” or that have “no known fix” forthcoming.

It is urgent to remove unpatched themes and plugins with vulnerabilities of any severity if they are being actively exploited and there’s no security update available.

The Future of Authentication is Passkeys! Log into your WordPress site with Biometrics only available in iThemes Security Pro.

Credential stuffing, phishing, and brute force attacks using stolen, guessable, or reused passwords have made our digital lives less secure. Two-Factor Authentication (2FA) offers some protection but at the cost of usability and accessibility. Fewer than 30% of all online account holders actually use 2FA. Password-based logins are broken.

The future of authentication is passkeys, and iThemes Security Pro is the first to bring this breakthrough technology to WordPress sites. Using breakthrough WebAuthn technology based on public/private cryptography, passkeys make passwords obsolete. Now, website admins and end users can have secure logins without the inconvenience of additional two-factor apps, password managers, or complex password requirements.

Learn More About Passkeys

WordPress Core News

WordPress 6.1.1 was released on November 15, 2022, as a short-cycle maintenance release with 29 bug fixes in Core and 21 bug fixes for the block editor. Because this is a core update, be sure to update to WordPress 6.1.1 as soon as possible! As always, with a major release like this, ensure your site is backed up with BackupBuddy before updating.

WordPress 6.2 Beta 1

WordPress 6.2 Beta 1 is ready for download and testing! The current target for the final release is March 28, 2023. With the arrival of WordPress 6.2, Phase Two of Gutenberg’s development will have ended. Phase Two focused on the Block and Site Editor features that now allow deep customization of site designs and layouts. Next, Phase Three will focus on collaborative editing features. Take a look at the WordPress Development Roadmap to learn more.

No new WordPress core vulnerabilities were disclosed this week.

There is a known unpatched vulnerability in WordPress core affecting all versions of WordPress. If you’re using iThemes Security, you’ve probably been alerted to this. As we are unsure when this very low-severity vulnerability will be patched, emails from iThemes Security will no longer alert for this specific vulnerability. Read our blog post about this vulnerability.

Get the weekly WordPress Vulnerability Report delivered to your inbox each Wednesday.

WordPress Plugin Vulnerabilities

In this section, the latest WordPress plugin vulnerabilities have been disclosed. Each plugin listing includes the type of vulnerability, the active installations, the version number if patched, the severity rating, and the CVE.

WordPress All In One WP Security & Firewall plugin

Plugin: All-In-One Security (AIOS) – Security and Firewall
Plugin Slug: all-in-one-wp-security-and-firewall
Installations: 1,000,000+
Vulnerability: Authenticated(Admin+) Directory Traversal vulnerability
Patched in Version: 5.1.5
Severity Score: Medium

WordPress Starter Templates plugin

Plugin: Starter Templates — Elementor, WordPress & Beaver Builder Templates
Plugin Slug: astra-sites
Installations: 1,000,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 3.1.21
Severity Score: Medium
CVE: 2022-46851

WordPress Ocean Extra plugin

Plugin: Ocean Extra
Plugin Slug: ocean-extra
Installations: 700,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.1.3
Severity Score: Medium
CVE: 2023-24399

WordPress Ocean Extra plugin

Plugin: Ocean Extra
Plugin Slug: ocean-extra
Installations: 700,000+
Vulnerability: Subscriber+ Arbitrary Post Content Disclosure
Patched in Version: 2.1.3
Severity Score: Medium
CVE: 2023-0749

WordPress WordPress Gallery Plugin – NextGEN Gallery plugin

Plugin: WordPress Gallery Plugin – NextGEN Gallery
Plugin Slug: nextgen-gallery
Installations: 600,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 3.29
Severity Score: Medium
CVE: 2022-38468

WordPress ProfilePress plugin

Plugin: Paid Membership Plugin, Ecommerce, Registration Form, Login Form, User Profile & Restrict Content – ProfilePress
Plugin Slug: wp-user-avatar
Installations: 300,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 4.5.5
Severity Score: Medium
CVE: 2023-23820

WordPress Contextual Related Posts plugin

Plugin: Contextual Related Posts
Plugin Slug: contextual-related-posts
Installations: 70,000+
Vulnerability: Missing Authorization in crp_ajax_clearcache
Patched in Version: 3.3.2
Severity Score: Medium

WordPress Media Library Assistant plugin

Plugin: Media Library Assistant
Plugin Slug: media-library-assistant
Installations: 70,000+
Vulnerability: Admin+ SQL Injection
Patched in Version: 3.06
Severity Score: Medium
CVE: 2023-0279

WordPress wpDataTables – WordPress Tables & Table Charts Plugin plugin

Plugin: wpDataTables – WordPress Tables & Table Charts Plugin
Plugin Slug: wpdatatables
Installations: 70,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.1.50
Severity Score: Medium
CVE: 2023-23876

WordPress Profile Builder plugin

Plugin: Profile Builder – User Profile & User Registration Forms
Plugin Slug: profile-builder
Installations: 60,000+
Vulnerability: Sensitive Information Disclosure via Shortcode
Patched in Version: 3.9.1
Severity Score: Medium
CVE: 2023-0814

WordPress WP Table Builder – WordPress Table Plugin plugin

Plugin: WP Table Builder – WordPress Table Plugin
Plugin Slug: wp-table-builder
Installations: 60,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.4.7
Severity Score: Medium
CVE: 2022-46852

WordPress Ditty plugin

Plugin: Ditty WordPress Plugin – Responsive Slider, List, and Ticker Display
Plugin Slug: ditty-news-ticker
Installations: 40,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.0.33
Severity Score: Medium
CVE: 2023-23874

WordPress Quiz And Survey Master plugin

Plugin: Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress
Plugin Slug: quiz-master-next
Installations: 40,000+
Vulnerability: Unauthenticated Arbitrary Media Deletion
Patched in Version: 8.0.9
Severity Score: Medium
CVE: 2023-0291

WordPress The Post Grid plugin

Plugin: The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid
Plugin Slug: the-post-grid
Installations: 40,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 5.0.5
Severity Score: Medium
CVE: 2022-46853

WordPress Visualizer: Tables and Charts Manager for WordPress plugin

Plugin: Visualizer: Tables and Charts Manager for WordPress
Plugin Slug: visualizer
Installations: 40,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.9.5
Severity Score: Medium
CVE: 2023-23708

WordPress WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin

Plugin: WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn)
Plugin Slug: miniorange-login-openid
Installations: 30,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 7.6.0
Severity Score: Medium
CVE: 2023-23706

WordPress WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin

Plugin: WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn)
Plugin Slug: miniorange-login-openid
Installations: 30,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 7.6.0
Severity Score: Medium
CVE: 2023-23710

WordPress Top 10 – Popular posts plugin for WordPress plugin

Plugin: Top 10 – Popular posts plugin for WordPress
Plugin Slug: top-10
Installations: 30,000+
Vulnerability: Broken Access Control
Patched in Version: 3.2.4
Severity Score: Medium
CVE: 2023-25993

WordPress Uncanny Toolkit for LearnDash plugin

Plugin: Uncanny Toolkit for LearnDash
Plugin Slug: uncanny-learndash-toolkit
Installations: 30,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 3.6.4.2
Severity Score: Medium
CVE: 2023-23714

WordPress Advanced Dynamic Pricing for WooCommerce plugin

Plugin: Advanced Dynamic Pricing for WooCommerce
Plugin Slug: advanced-dynamic-pricing-for-woocommerce
Installations: 20,000+
Vulnerability: Broken Access Control
Patched in Version: 4.1.6
Severity Score: Medium
CVE: 2022-40203

WordPress Interactive Geo Maps plugin

Plugin: Interactive Geo Maps
Plugin Slug: interactive-geo-maps
Installations: 20,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.5.9
Severity Score: Medium
CVE: 2023-23866

WordPress Link Juice Keeper plugin

Plugin: Link Juice Keeper
Plugin Slug: link-juice-keeper
Installations: 20,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.0.3
Severity Score: Medium
CVE: 2023-25793

WordPress TeraWallet – For WooCommerce plugin

Plugin: TeraWallet – For WooCommerce
Plugin Slug: woo-wallet
Installations: 20,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.4.0
Severity Score: Medium
CVE: 2022-40198

WordPress Wp-Insert plugin

Plugin: Wp-Insert
Plugin Slug: wp-insert
Installations: 20,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.5.1
Severity Score: Medium
CVE: 2023-25461

WordPress WordPress Robots.txt optimization (+ XML Sitemap) – Website traffic, SEO & ranking Booster plugin

Plugin: WordPress Robots.txt optimization (+ XML Sitemap) – Website traffic, SEO & ranking Booster
Plugin Slug: better-robots-txt
Installations: 10,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.4.6
Severity Score: Medium
CVE: 2023-25706

WordPress Conditional Payments for WooCommerce plugin

Plugin: Conditional Payments for WooCommerce
Plugin Slug: conditional-payments-for-woocommerce
Installations: 10,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 2.3.2
Severity Score: Medium
CVE: 2022-46805

WordPress RegistrationMagic plugin

Plugin: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login
Plugin Slug: custom-registration-form-builder-with-submission-manager
Installations: 10,000+
Vulnerability: Multiple Cross Site Request Forgery (CSRF)
Patched in Version: 5.1.9.3
Severity Score: Medium
CVE: 2023-25991

WordPress Video Gallery – YouTube Gallery plugin

Plugin: Video Gallery – Best WordPress YouTube Gallery Plugin
Plugin Slug: gallery-videos
Installations: 10,000+
Vulnerability: Broken Access Control
Patched in Version: 1.7.7
Severity Score: High
CVE: 2023-25988

WordPress Video Gallery – YouTube Gallery plugin

Plugin: Video Gallery – Best WordPress YouTube Gallery Plugin
Plugin Slug: gallery-videos
Installations: 10,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.7.7
Severity Score: Medium
CVE: 2023-25979

WordPress GamiPress plugin

Plugin: GamiPress – The most flexible and powerful gamification plugin for WordPress
Plugin Slug: gamipress
Installations: 10,000+
Vulnerability: Unauthenticated SQL Injection
Patched in Version: 2.5.7.1
Severity Score: High
CVE: 2023-24000

WordPress GamiPress plugin

Plugin: GamiPress – The most flexible and powerful gamification plugin for WordPress
Plugin Slug: gamipress
Installations: 10,000+
Vulnerability: CSRF Leading to Settings Change
Patched in Version: 2.5.7
Severity Score: Medium
CVE: 2023-25697

WordPress GamiPress plugin

Plugin: GamiPress – The most flexible and powerful gamification plugin for WordPress
Plugin Slug: gamipress
Installations: 10,000+
Vulnerability: Missing Authorization Leading to Points Manipulation
Patched in Version: 2.5.7
Severity Score: Medium
CVE: 2023-25715

WordPress Opt-Out for Google Analytics plugin

Plugin: Google Analytics Opt-Out
Plugin Slug: google-analytics-opt-out
Installations: 10,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.3.5
Severity Score: Medium
CVE: 2023-25712

WordPress Scriptless Social Sharing plugin

Plugin: Scriptless Social Sharing
Plugin Slug: scriptless-social-sharing
Installations: 10,000+
Vulnerability: Contributor+ Stored XSS
Patched in Version: 3.2.2
Severity Score: Medium
CVE: 2023-0377

WordPress UsersWP plugin

Plugin: UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WordPress
Plugin Slug: userswp
Installations: 10,000+
Vulnerability: CSV Injection
Patched in Version: 1.2.3.10
Severity Score: Medium
CVE: 2022-47442

WordPress ALD Dropshipping and Fulfillment for AliExpress and WooCommerce plugin

Plugin: ALD – Dropshipping and Fulfillment for AliExpress and WooCommerce
Plugin Slug: woo-alidropship
Installations: 10,000+
Vulnerability: Broken Access Control
Patched in Version: 1.0.22
Severity Score: Medium
CVE: 2022-46811

WordPress WP Coder plugin

Plugin: WP Coder – add custom html, css and js code
Plugin Slug: wp-coder
Installations: 10,000+
Vulnerability: Admin+ SQL Injection
Patched in Version: 2.5.4
Severity Score: Medium
CVE: 2023-0895

WordPress WP VR 360 Panorama and Virtual Tour Builder plugin

Plugin: WP VR – 360 Panorama and Virtual Tour Builder For WordPress
Plugin Slug: wpvr
Installations: 10,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 8.2.8
Severity Score: Medium
CVE: 2023-25708

WordPress TinyMCE Custom Styles plugin

Plugin: TinyMCE Custom Styles
Plugin Slug: tinymce-custom-styles
Installations: 9,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.1.3
Severity Score: Medium
CVE: 2023-23995

WordPress Cart All In One For WooCommerce plugin

Plugin: Cart All In One For WooCommerce
Plugin Slug: woo-cart-all-in-one
Installations: 9,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.1.11
Severity Score: Medium
CVE: 2022-46806

WordPress JSON Content Importer plugin

Plugin: JSON Content Importer
Plugin Slug: json-content-importer
Installations: 8,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.3.16
Severity Score: Medium
CVE: 2023-25485

WordPress Shoppable Images plugin

Plugin: Shoppable Images
Plugin Slug: mabel-shoppable-images-lite
Installations: 8,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.2.4
Severity Score: Medium
CVE: 2023-25698

WordPress Simple Yearly Archive plugin

Plugin: Simple Yearly Archive
Plugin Slug: simple-yearly-archive
Installations: 8,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.1.9
Severity Score: Medium
CVE: 2023-25484

WordPress Gutenberg Blocks by WordPress Download Manager plugin

Plugin: Gutenberg Blocks by WordPress Download Manager
Plugin Slug: wpdm-gutenberg-blocks
Installations: 8,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.1.9
Severity Score: Medium
CVE: 2023-22713

WordPress Meta slider and carousel with lightbox plugin

Plugin: Meta Slider and Carousel with Lightbox
Plugin Slug: meta-slider-and-carousel-with-lightbox
Installations: 7,000+
Vulnerability: Broken Access Control
Patched in Version: 1.7
Severity Score: Medium
CVE: 2023-25703

WordPress Podlove Podcast Publisher plugin

Plugin: Podlove Podcast Publisher
Plugin Slug: podlove-podcasting-plugin-for-wordpress
Installations: 7,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 3.8.4
Severity Score: Medium
CVE: 2023-25472

WordPress Portfolio – WordPress Portfolio Plugin plugin

Plugin: Portfolio – WordPress Portfolio Plugin
Plugin Slug: tlp-portfolio
Installations: 7,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.8.11
Severity Score: Medium
CVE: 2023-23685

WordPress Zeno Font Resizer plugin

Plugin: Zeno Font Resizer
Plugin Slug: zeno-font-resizer
Installations: 7,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.8.0
Severity Score: Medium
CVE: 2023-25442

WordPress AutomatorWP plugin

Plugin: AutomatorWP – The most flexible and powerful no-code automation plugin for WordPress
Plugin Slug: automatorwp
Installations: 6,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 2.5.9
Severity Score: Medium

WordPress Blockonomics plugin

Plugin: WordPress Bitcoin Payments – Blockonomics
Plugin Slug: blockonomics-bitcoin-payments
Installations: 5,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.5.8
Severity Score: High
CVE: 2022-47145

WordPress Fancy Comments WordPress plugin

Plugin: Fancy Comments WordPress
Plugin Slug: fancy-facebook-comments
Installations: 5,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.2.11
Severity Score: Medium
CVE: 2023-23670

WordPress Publish to Schedule plugin

Plugin: Publish to Schedule
Plugin Slug: publish-to-schedule
Installations: 5,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 4.5.4
Severity Score: Medium
CVE: 2023-25994

WordPress Tickera – WordPress Event Ticketing plugin

Plugin: Tickera – WordPress Event Ticketing
Plugin Slug: tickera-event-ticketing-system
Installations: 5,000+
Vulnerability: CSRF Leading To Post Status Change
Patched in Version: 3.5.1.1
Severity Score: Medium
CVE: 2023-23726

WordPress VikBooking Hotel Booking Engine & PMS plugin

Plugin: VikBooking Hotel Booking Engine & PMS
Plugin Slug: vikbooking
Installations: 5,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.6.0
Severity Score: Medium
CVE: 2023-25707

WordPress OAuth Single Sign On – SSO (OAuth Client) plugin

Plugin: OAuth Single Sign On – SSO (OAuth Client)
Plugin Slug: miniorange-login-with-eve-online-google-facebook
Installations: 4,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 6.24.2
Severity Score: Medium

WordPress Community by PeepSo plugin

Plugin: Community by PeepSo – Social Network, Membership, Registration, User Profiles
Plugin Slug: peepso-core
Installations: 4,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 6.0.3
Severity Score: Medium
CVE: 2022-41633

WordPress Podlove Subscribe Button plugin

Plugin: Podlove Subscribe button
Plugin Slug: podlove-subscribe-button
Installations: 4,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.3.9
Severity Score: Medium
CVE: 2023-25481

WordPress Podlove Subscribe button plugin

Plugin: Podlove Subscribe button
Plugin Slug: podlove-subscribe-button
Installations: 4,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.3.9
Severity Score: Medium
CVE: 2023-25479

WordPress Multi Rating plugin

Plugin: Multi Rating
Plugin Slug: multi-rating
Installations: 3,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 5.0.6
Severity Score: High
CVE: 2022-47433

WordPress Product Reviews Import Export for WooCommerce plugin

Plugin: Product Reviews Import Export for WooCommerce
Plugin Slug: product-reviews-import-export-for-woocommerce
Installations: 3,000+
Vulnerability: Unauth. CSV Injection
Patched in Version: 1.4.9
Severity Score: Medium
CVE: 2022-46802

WordPress Quick Contact Form plugin

Plugin: Quick Contact Form
Plugin Slug: quick-contact-form
Installations: 3,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 8.0.4
Severity Score: Medium
CVE: 2022-47608

WordPress Quick Event Manager plugin

Plugin: Quick Event Manager
Plugin Slug: quick-event-manager
Installations: 3,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 9.6.5
Severity Score: Medium
CVE: 2022-46863

WordPress Quick Paypal Payments plugin

Plugin: Quick Paypal Payments
Plugin Slug: quick-paypal-payments
Installations: 3,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 5.7.26
Severity Score: High
CVE: 2023-25713

WordPress Quick Paypal Payments plugin

Plugin: Quick Paypal Payments
Plugin Slug: quick-paypal-payments
Installations: 3,000+
Vulnerability: Broken Access Control
Patched in Version: 5.7.26
Severity Score: High
CVE: 2023-25714

WordPress Quick Paypal Payments plugin

Plugin: Quick Paypal Payments
Plugin Slug: quick-paypal-payments
Installations: 3,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 5.7.26
Severity Score: Medium
CVE: 2023-25702

WordPress Quick Paypal Payments plugin

Plugin: Quick Paypal Payments
Plugin Slug: quick-paypal-payments
Installations: 3,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 5.7.26
Severity Score: Medium
CVE: 2023-23889

WordPress WP Custom Fields Search plugin

Plugin: WP Custom Fields Search
Plugin Slug: wp-custom-fields-search
Installations: 3,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.2.35
Severity Score: Medium
CVE: 2022-47157

WordPress WordPress Email Marketing Plugin – WP Email Capture plugin

Plugin: WordPress Email Marketing Plugin – WP Email Capture
Plugin Slug: wp-email-capture
Installations: 3,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 3.10
Severity Score: Medium
CVE: 2023-23724

WordPress WordPress Email Marketing Plugin – WP Email Capture plugin

Plugin: WordPress Email Marketing Plugin – WP Email Capture
Plugin Slug: wp-email-capture
Installations: 3,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.10
Severity Score: Medium
CVE: 2023-23723

WordPress BuddyForms plugin

Plugin: Post Form – Registration Form – Profile Form for User Profiles and Content Forms for User Submissions
Plugin Slug: buddyforms
Installations: 2,000+
Vulnerability: PHAR Deserialization
Patched in Version: 2.7.8
Severity Score: Medium

WordPress CSS JS Manager, Async JavaScript, Defer Render Blocking CSS supports WooCommerce plugin

Plugin: CSS JS Manager, Async JavaScript, Defer Render Blocking CSS supports WooCommerce
Plugin Slug: css-js-manager
Installations: 2,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 2.4.49.1
Severity Score: Medium
CVE: 2022-47154

WordPress Locatoraid Store Locator plugin

Plugin: Locatoraid Store Locator
Plugin Slug: locatoraid
Installations: 2,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 3.9.12
Severity Score: Medium
CVE: 2023-25709

WordPress Multiple Pages Generator by Themeisle plugin

Plugin: Multiple Page Generator Plugin – MPG
Plugin Slug: multiple-pages-generator-by-porthas
Installations: 2,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 3.3.10
Severity Score: Medium
CVE: 2022-47143

WordPress Protected Posts Logout Button plugin

Plugin: Protected Posts Logout Button
Plugin Slug: protected-posts-logout-button
Installations: 2,000+
Vulnerability: Broken Access Control
Patched in Version: 1.4.6
Severity Score: Medium
CVE: 2023-25454

WordPress Protected Posts Logout Button plugin

Plugin: Protected Posts Logout Button
Plugin Slug: protected-posts-logout-button
Installations: 2,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.4.6
Severity Score: Medium
CVE: 2023-25978

WordPress WordPress Books Gallery plugin

Plugin: WordPress Books Gallery
Plugin Slug: wp-books-gallery
Installations: 2,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 4.4.9
Severity Score: Medium
CVE: 2023-23705

WordPress WPGlobus Translate Options plugin

Plugin: WPGlobus Translate Options
Plugin Slug: wpglobus-translate-options
Installations: 2,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.2.0
Severity Score: Medium
CVE: 2023-25711

WordPress Archivist – Custom Archive Templates plugin

Plugin: Archivist – Custom Archive Templates
Plugin Slug: archivist-custom-archive-templates
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.7.5
Severity Score: Medium
CVE: 2023-25448

WordPress Archivist – Custom Archive Templates plugin

Plugin: Archivist – Custom Archive Templates
Plugin Slug: archivist-custom-archive-templates
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.7.5
Severity Score: Medium
CVE: 2023-25490

WordPress Click to Call or Chat Buttons plugin

Plugin: Click to Call or Chat Buttons
Plugin Slug: click-to-call-or-chat-buttons
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.5.0
Severity Score: Medium
CVE: 2023-25710

WordPress Clio Grow plugin

Plugin: Clio Grow
Plugin Slug: clio-grow-form
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.0.1
Severity Score: Medium
CVE: 2023-22683

WordPress Calendar Event Multi View plugin

Plugin: Calendar Event Multi View
Plugin Slug: cp-multi-view-calendar
Installations: 1,000+
Vulnerability: Broken Access Control
Patched in Version: 1.4.15
Severity Score: Low
CVE: 2023-23814

WordPress Get URL Cron plugin

Plugin: Get URL Cron
Plugin Slug: get-url-cron
Installations: 1,000+
Vulnerability: Broken Access Control via geturlcron_action_handle
Patched in Version: 1.4.8
Severity Score: High

WordPress My Tickets plugin

Plugin: My Tickets
Plugin Slug: my-tickets
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.9.11
Severity Score: Medium
CVE: 2022-47440

WordPress Twitch Player plugin

Plugin: Twitch Player
Plugin Slug: ttv-easy-embed-player
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.1.1
Severity Score: Medium
CVE: 2023-25464

WordPress Broadcast Live Video plugin

Plugin: Broadcast Live Video – Live Streaming : HTML5, WebRTC, HLS, RTSP, RTMP
Plugin Slug: videowhisper-live-streaming-integration
Installations: 1,000+
Vulnerability: Remote Code Execution (RCE)
Patched in Version: 5.5.16
Severity Score: Critical
CVE: 2023-25699

WordPress WP Dynamic Keywords Injector plugin

Plugin: WP Dynamic Keywords Injector
Plugin Slug: wp-dynamic-keywords-injector
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 2.3.16
Severity Score: Medium
CVE: 2022-47141

WordPress WP Prayer plugin

Plugin: WP Prayer
Plugin Slug: wp-prayer
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.9.7
Severity Score: Medium
CVE: 2023-25705

WordPress WordPress Stripe Donation plugin

Plugin: Accept Stripe Donation – AidWP
Plugin Slug: wp-stripe-donation
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 3.1.6
Severity Score: Medium
CVE: 2022-47422

WordPress Easy Panorama plugin

Plugin: Easy Panorama
Plugin Slug: easy-panorama
Installations: 900+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.1.5
Severity Score: Medium
CVE: 2023-23799

WordPress Inline Tweet Sharer – Twitter Sharing Plugin plugin

Plugin: Inline Tweet Sharer – Twitter Sharing Plugin
Plugin Slug: inline-tweet-sharer
Installations: 900+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.6
Severity Score: Medium
CVE: 2023-24005

WordPress Campaign URL Builder plugin

Plugin: Campaign URL Builder
Plugin Slug: campaign-url-builder
Installations: 400+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.8.2
Severity Score: Medium
CVE: 2023-0538

WordPress Campaign URL Builder plugin

Plugin: Campaign URL Builder
Plugin Slug: campaign-url-builder
Installations: 400+
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting via Create Link
Patched in Version: 1.8.2
Severity Score: Medium

WordPress WatchTowerHQ plugin

Plugin: WatchTowerHQ
Plugin Slug: watchtowerhq
Installations: 100+
Vulnerability: Privilege Escalation
Patched in Version: 3.6.17
Severity Score: Critical
CVE: 2023-25701

WordPress Interactive SVG Image Map Builder plugin

Plugin: Interactive SVG Image Map Builder
Plugin Slug: interactive-image-map-builder
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.1
Severity Score: Medium
CVE: 2023-25704

WordPress Plugin Vulnerabilities – No Known Fix

This section contains plugin vulnerabilities with no known fix. Until a patch is available, immediately uninstall and delete the plugin from WordPress to ensure it cannot be exploited.

WordPress Google Maps v3 Shortcode plugin

Plugin: Google Maps v3 Shortcode
Plugin Slug: google-maps-v3-shortcode
Installations: 4,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-23827

WordPress Portfolio Slideshow plugin

Plugin: Portfolio Slideshow
Plugin Slug: portfolio-slideshow
Installations: 4,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-23717

WordPress Simple PDF Viewer plugin

Plugin: Simple PDF Viewer
Plugin Slug: simple-pdf-viewer
Installations: 4,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-23817

WordPress Ultimate WP Query Search Filter plugin

Plugin: Ultimate WP Query Search Filter
Plugin Slug: ultimate-wp-query-search-filter
Installations: 3,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-23832

WordPress Theme Tweaker plugin

Plugin: Theme Tweaker
Plugin Slug: theme-tweaker-lite
Installations: 2,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-23713

WordPress Easy Google Analytics for WordPress plugin

Plugin: Easy Google Analytics for WordPress
Plugin Slug: easy-google-analytics-for-wordpress
Installations: 1,000+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-23887

WordPress WP Post Rating plugin

Plugin: WP Post Rating
Plugin Slug: wp-post-comment-rating
Installations: 1,000+
Vulnerability: Other Vulnerability Type
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-25785

WordPress WP-RecentComments plugin

Plugin: WP-RecentComments
Plugin Slug: wp-recentcomments
Installations: 1,000+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-23886

WordPress Bing Site Verification plugin using Meta Tag plugin

Plugin: Bing Site Verification plugin using Meta Tag
Plugin Slug: bing-site-verification-using-meta-tag
Installations: 900+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-23875

WordPress WordPress Custom Settings plugin

Plugin: WordPress Custom Settings
Plugin Slug: custom-settings
Installations: 900+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-23806

WordPress Exquisite PayPal Donation plugin

Plugin: Exquisite PayPal Donation
Plugin Slug: exquisite-paypal-donation
Installations: 900+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-23785

WordPress Sitemap Index plugin

Plugin: Sitemap Index
Plugin Slug: sitemap-index
Installations: 900+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-23816

WordPress Sponsors Carousel plugin

Plugin: Sponsors Carousel
Plugin Slug: sponsors-carousel
Installations: 900+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-23808

WordPress Stock market charts from finviz plugin

Plugin: Stock market charts from finviz
Plugin Slug: stock-market-charts-from-finviz
Installations: 900+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-23809

WordPress Circles Gallery plugin

Plugin: Circles Gallery
Plugin Slug: circles-gallery
Installations: 800+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-23881

WordPress PayGreen plugin

Plugin: PayGreen – Ancienne version
Plugin Slug: paygreen-woocommerce
Installations: 500+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-25986

WordPress WP Resource download management plugin

Plugin: WP Resource download management
Plugin Slug: download-info-page
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-25787

WordPress Eyes Only: User Access Shortcode plugin

Plugin: Eyes Only: User Access Shortcode
Plugin Slug: eyes-only-user-access-shortcode
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-25786

WordPress Peadig’s Like & Share Button plugin

Plugin: Peadig’s Like & Share Button
Plugin Slug: facebook-like-send-button
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-25783

WordPress Feed Changer plugin

Plugin: Feed Changer
Plugin Slug: feed-changer
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-25795

WordPress Fontiran plugin

Plugin: Fontiran
Plugin Slug: fontiran
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-25791

WordPress Nooz plugin

Plugin: Nooz
Plugin Slug: nooz
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-25794

WordPress Olevmedia Shortcodes plugin

Plugin: Olevmedia Shortcodes
Plugin Slug: olevmedia-shortcodes
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-25798

WordPress WP Open Social plugin

Plugin: WP Open Social
Plugin Slug: open-social
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-25792

WordPress Service Area Postcode Checker plugin

Plugin: Service Area Postcode Checker
Plugin Slug: service-area-postcode-checker
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-25782

WordPress Social Login WP plugin

Plugin: Social Login WP
Plugin Slug: social-login-wp
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2022-38063

WordPress Sticky Ad Bar Plugin plugin

Plugin: Sticky Ad Bar Plugin
Plugin Slug: sticky-ad-bar
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-25784

WordPress Tapfiliate plugin

Plugin: Tapfiliate
Plugin Slug: tapfiliate
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-25789

WordPress Upload File Type Settings Plugin plugin

Plugin: Upload File Type Settings Plugin
Plugin Slug: upload-file-type-settings-plugin
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-25781

WordPress vSlider Multi Image Slider for WordPress plugin

Plugin: vSlider Multi Image Slider for WordPress
Plugin Slug: vslider
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-25797

WordPress WP BaiDu Submit plugin

Plugin: WP BaiDu Submit
Plugin Slug: wp-baidu-submit
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-25796

WordPress Theme Vulnerabilities

In this section, the latest WordPress theme vulnerabilities have been disclosed. Each theme listing includes the type of vulnerability, the active installations, the version number if patched, the severity rating, and the CVE.

WordPress Real Estate 7 theme

Theme: Real Estate 7
Theme Slug: realestate-7
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.3.2
Severity Score: High
CVE: 2022-47146

WordPress WoodMart theme

Theme: WoodMart
Theme Slug: woodmart
Vulnerability: Unauth Arbitrary Shortcodes Injection
Patched in Version: 7.1.1
Severity Score: Medium
CVE: 2023-25790

Never worry about running a vulnerable plugin or theme again.

As you can see from this report, new WordPress plugin and theme vulnerabilities are disclosed every week. We know it can be difficult to stay on top of every reported vulnerability disclosure that matters to you, so the Themes Security Pro plugin makes it easy to ensure your site isn’t running a vulnerable theme, plugin, or version of WordPress core.

Scans Your Website Twice a Day for Vulnerabilities

Your website’s plugins, themes, and WordPress core versions are checked against the Patchstack Vulnerability Database for the latest vulnerability disclosures.

Automatically Updates if a Security Fix is Available

Paired with Version Management, iThemes Security will automatically update a plugin, theme, or WordPress core version if it has a vulnerability.

Emails You a Warning if Site Scan Detects a Vulnerability

You can receive an email report if your site is running vulnerable versions of a plugin, theme, or WordPress core. Customize the email addresses that receive scan results.

The Best WordPress Security Plugin to Secure & Protect WordPress Sites

WordPress currently powers over 40% of all websites, so it has become a popular target for hackers with malicious intent. The iThemes Security Pro plugin takes the guesswork out of WordPress security to make it easy to secure & protect your WordPress website. It’s like having a full-time security expert on staff who constantly monitors and protects your WordPress site for you.

Buy iThemes Security Pro

iThemes Editorial Team

Each week, the team at iThemes team publishes new WordPress tutorials and resources, including the Weekly WordPress Vulnerability Report. Since 2008, iThemes has been dedicated to helping you build, maintain, and secure WordPress sites for yourself or for clients. Our mission? Make People’s Lives Awesome.

WordPress Vulnerability Report – February 22, 2023

Am I Vulnerable?

How Bad Is It?

Is There An Update?

What Should I Do?

The Future of Authentication is Passkeys! Log into your WordPress site with Biometrics only available in iThemes Security Pro.

WordPress Core News

WordPress 6.2 Beta 1

WordPress Plugin Vulnerabilities

WordPress Plugin Vulnerabilities – No Known Fix

WordPress Theme Vulnerabilities

Never worry about running a vulnerable plugin or theme again.

Scans Your Website Twice a Day for Vulnerabilities

Automatically Updates if a Security Fix is Available

Emails You a Warning if Site Scan Detects a Vulnerability

The Best WordPress Security Plugin to Secure & Protect WordPress Sites

Other related posts

About iThemes

Resources

Customers

Top Products

Get the Weekly WordPress Vulnerability Report