Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. The weekly WordPress Vulnerability Report powered by WPScan covers recent WordPress plugin, theme, and core vulnerabilities, and what to do if you run one of the vulnerable plugins or themes on your website.
Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe. New in this report: vulnerabilities are now listed in order by the number of active installs, rather than the date of the disclosure.
Please share this post with your friends to help get the word out and make WordPress safer for everyone!
WordPress Disaster Week is coming
March 8 – 10, 2022
A FREE ONLINE TRAINING EVENT
Are you ready if disaster strikes your WordPress website today? From running an update that breaks everything to hacks or accidentally deleting an important file, the reality is it’s not a matter of if but when something will go wrong with your site. To help you combat the threat of website disasters, we’re hosting the biggest free, online WordPress security training event of the year so that EVERYONE can have a plan if and when a website catastrophe strikes.
Can’t make the live training? Go ahead and register and we’ll email you the replays.
WordPress Core Vulnerabilities
WordPress 5.9.1 was released on February 22, 2022 as a maintenance update with 33 bug fixes. Be sure to update to WordPress 5.9.1 as soon as possible!
WordPress Plugin Vulnerabilities
This section lists the latest disclosed WordPress plugin vulnerabilities. Each plugin listing includes the type of vulnerability, the number of active installations, the version in which it was patched (where a fix exists), and the severity rating.
UpdraftPlus Free
- Plugin: UpdraftPlus WordPress Backup Plugin
- Installations: 3,000,000+
- Vulnerability: Incorrect Authorization
- Patched in Version: 1.22.3
- Severity Score: High

Essential Addons for Elementor Lite
- Plugin: Essential Addons for Elementor
- Installations: 1,000,000+
- Vulnerability: XSS
- Patched in Version: 5.0.9
- Severity Score: Medium

WP Statistics
- Plugin: WP Statistics
- Installations: 600,000+
- Vulnerability: Unauthenticated Blind SQL Injection via IP; Unauthenticated Blind SQL Injection via current_page_id; Unauthenticated Blind SQL Injection via current_page_type; Multiple Unauthenticated Stored Cross-Site Scripting
- Patched in Version: 13.1.6
- Severity Score: Critical

Photo Gallery by 10Web
- Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery
- Installations: 300,000+
- Vulnerability: Unauthenticated SQL Injection
- Patched in Version: 1.6.0
- Severity Score: High

Relevanssi
- Plugin: Relevanssi – A Better Search
- Installations: 100,000+
- Vulnerability: Unauthorised AJAX Calls
- Patched in Version: 4.14.6
- Severity Score: Medium

WP Content Copy Protection & No Right Click
- Plugin: WP Content Copy Protection & No Right Click
- Installations: 100,000+
- Vulnerability: Settings Update via CSRF
- Patched in Version: 3.4.5
- Severity Score: Medium

Cookie Information
- Plugin: Cookie Information | Free GDPR Consent Solution
- Installations: 100,000+
- Vulnerability: Reflected Cross-Site Scripting
- Patched in Version: 2.0.8
- Severity Score: Medium

Profile Builder
- Plugin: Profile Builder – User Profile & User Registration Forms
- Installations: 60,000+
- Vulnerability: Reflected Cross-Site Scripting
- Patched in Version: 3.6.2
- Severity Score: Medium

Contact Form Submissions
- Plugin: Contact Form Submissions
- Installations: 50,000+
- Vulnerability: Unauthenticated Stored XSS
- Patched in Version: 1.7.3
- Severity Score: High

Zero Spam
- Plugin: Zero Spam for WordPress
- Installations: 30,000+
- Vulnerability: Admin+ SQL Injection
- Patched in Version: 5.2.11
- Severity Score: Medium

Master Addons for Elementor
- Plugin: Master Addons for Elementor
- Installations: 30,000+
- Vulnerability: Reflected Cross-Site Scripting
- Patched in Version: 1.8.2
- Severity Score: Medium

Hide Admin Bar Based on User Roles
- Plugin: Hide Admin Bar Based on User Roles
- Installations: 20,000+
- Vulnerability: Settings Update via CSRF; Subscriber+ Settings Update
- Patched in Version: 3.1.0
- Severity Score: Medium

Advanced Product Labels for WooCommerce
- Plugin: Advanced Product Labels for WooCommerce
- Installations: 20,000+
- Vulnerability: Reflected Cross-Site Scripting
- Patched in Version: 1.2.3.7
- Severity Score: Medium

Powerkit
- Plugin: Powerkit – Supercharge your WordPress Site
- Installations: 10,000+
- Vulnerability: Post Views Settings Update/Reset via CSRF
- Patched in Version: 2.5.9
- Severity Score: Medium

Countdown & Clock
- Plugin: Countdown, Coming Soon, Maintenance – Countdown & Clock
- Installations: 10,000+
- Vulnerability: Reflected Cross-Site Scripting
- Patched in Version: 2.2.9
- Severity Score: Medium

WPCargo
- Plugin: WPCargo Track & Trace
- Installations: 10,000+
- Vulnerability: Unauthenticated RCE
- Patched in Version: 6.9.0
- Severity Score: Critical

ARI Fancy Lightbox
- Plugin: ARI Fancy Lightbox – WordPress Popup
- Installations: 10,000+
- Vulnerability: Reflected Cross-Site Scripting
- Patched in Version: 1.3.9
- Severity Score: Medium

Event Manager for WooCommerce
- Plugin: Event Manager and Tickets Selling Plugin for WooCommerce
- Installations: 9,000+
- Vulnerability: Contributor+ SQL Injection
- Patched in Version: 3.5.8
- Severity Score: High

Patreon WordPress
- Plugin: Patreon WordPress
- Installations: 5,000+
- Vulnerability: Admin+ Stored Cross-Site Scripting
- Patched in Version: 1.8.2
- Severity Score: Low

WP Home Page Menu
- Plugin: WP Home Page Menu
- Installations: 900+
- Vulnerability: Admin+ Stored Cross-Site Scripting
- Patched in Version: 3.1
- Severity Score: Low

Kunze Law
- Plugin: Kunze Law
- Installations: 800+
- Vulnerability: Admin+ Stored Cross-Site Scripting
- Patched in Version: 2.1
- Severity Score: Low

Team Circle Image Slider With Lightbox
- Plugin: Team Circle Image Slider With Lightbox
- Installations: 800+
- Vulnerability: Reflected Cross-Site Scripting
- Patched in Version: 1.0.16
- Severity Score: Medium

Login with phone number
- Plugin: Login with phone number
- Installations: 600+
- Vulnerability: Unauthenticated Remote Plugin Deletion
- Patched in Version: 1.3.7
- Severity Score: Medium

Sync QCloud COS
- Plugin: Sync QCloud COS
- Installations: 300+
- Vulnerability: Admin+ Stored Cross-Site Scripting
- Patched in Version: 2.0.1
- Severity Score: Low

Flexi – Guest Submit
- Plugin: Flexi – Guest Submit
- Installations: 200+
- Vulnerability: Reflected Cross-Site Scripting
- Patched in Version: 4.20
- Severity Score: Medium

CommonsBooking
- Plugin: CommonsBooking
- Installations: 100+
- Vulnerability: Unauthenticated SQL Injection
- Patched in Version: 2.6.8
- Severity Score: High

Multisite Content Copier/Updater
- Plugin: WordPress Multisite Content Copier/Updater
- Vulnerability: Reflected Cross-Site Scripting
- Patched in Version: 2.1.2
- Severity Score: Medium

Relevanssi – Subscriber+
- Vulnerability: Unauthorised AJAX Calls
- Patched in Version: 2.16.5
- Severity Score: Medium
WordPress Plugin Vulnerabilities – No Known Fix
This section contains plugin vulnerabilities with no known fix. Until a patch is available, immediately uninstall and delete the plugin.
Persian Woocommerce
- Plugin: (name in Persian script, not preserved in the source)
- Installations: 80,000+
- Vulnerability: Reflected Cross-Site Scripting
- Patched in Version: No Fix
- Severity Score: Medium

Better WordPress Google XML Sitemaps
- Plugin: Better WordPress Google XML Sitemaps (support Sitemap Index, Multi-site and Google News)
- Vulnerability: Unauthenticated Stored Cross-Site Scripting
- Patched in Version: No Fix
- Severity Score: High

Page Builder KingComposer
- Plugin: Page Builder: KingComposer – Free Drag and Drop page builder by King-Theme
- Vulnerability: Open Redirect
- Patched in Version: No Fix
- Severity Score: Medium

hub2word
- Plugin: Easy Embed for HubSpot Forms, CTAs, Links, Files & add HubSpot to WP Search Results
- Vulnerability: Subscriber+ Arbitrary Options Update
- Patched in Version: No Fix
- Severity Score: Critical

Simple Theme Options
- Plugin: Simple Theme Options
- Vulnerability: Admin+ Stored Cross-Site Scripting
- Patched in Version: No Fix
- Severity Score: Low

SEO 301 Meta
- Plugin: Seo 301 Meta
- Vulnerability: Admin+ Stored Cross-Site Scripting
- Patched in Version: No Fix
- Severity Score: Low

Simple Quotation
- Plugin: Simple Quotation
- Vulnerability: Subscriber+ SQL Injection; Quote Creation/Edition via CSRF to Stored Cross-Site Scripting
- Patched in Version: No Fix
- Severity Score: High

GD Mylist
- Plugin: GDMylist
- Vulnerability: Admin+ Stored Cross-Site Scripting
- Patched in Version: No Fix
- Severity Score: Low

WP Voting Contest
- Plugin: WP Voting Contest
- Vulnerability: Reflected Cross-Site Scripting
- Patched in Version: No Fix
- Severity Score: Medium

Petfinder Listings
- Plugin: Petfinder Listings
- Vulnerability: Admin+ Stored Cross-Site Scripting
- Patched in Version: No Fix
- Severity Score: Low
WordPress Theme Vulnerabilities
This section lists the latest disclosed WordPress theme vulnerabilities. Each theme listing includes the type of vulnerability, the number of active installations, the version in which it was patched (where a fix exists), and the severity rating.
How to Protect Your WordPress Website From Vulnerable Plugins and Themes
As you can see from this report, lots of new WordPress plugin and theme vulnerabilities are disclosed each week. We know it can be difficult to stay on top of every reported vulnerability disclosure, so the iThemes Security Pro plugin makes it easy to make sure your site isn’t running a theme, plugin, or WordPress core version with a known vulnerability.
Get iThemes Security Pro with 24/7 Website Security Monitoring
iThemes Security Pro, our WordPress security plugin, offers 50+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress two-factor authentication, brute force protection, strong password enforcement, and more, you can add extra layers of security to your website.
Each week, the iThemes team publishes new WordPress tutorials and resources, including the Weekly WordPress Vulnerability Report. Since 2008, iThemes has been dedicated to helping you build, maintain, and secure WordPress sites for yourself or for clients. Our mission? Make People’s Lives Awesome.