WordPress Vulnerability Report

WordPress Vulnerability Report – February 8, 2023

Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. The weekly WordPress Vulnerability Report powered by WPScan covers recent WordPress plugin, theme, and core vulnerabilities and what to do if you run one of the vulnerable plugins or themes on your website. In the past, we've listed vulnerabilities on a per-plugin or per-theme basis.

Avatar photo
SolidWP Editorial Team

Updated:Aug 4, 2023
Published:Feb 8, 2023

Filed Under:WordPress Vulnerability Report

Reading Time:10 min.

Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. The weekly WordPress Vulnerability Report powered by WPScan covers recent WordPress plugin, theme, and core vulnerabilities and what to do if you run one of the vulnerable plugins or themes on your website.

In the past, we’ve listed vulnerabilities on a per-plugin or per-theme basis. To better describe the vulnerabilities listed, we’re now adding additional listings when a plugin has patched multiple vulnerabilities. While this makes the report somewhat longer, we feel that more information will help you understand the full scope of the vulnerabilities that have been patched so that you can more effectively make good decisions about your site’s security. We welcome your feedback!

Each vulnerability will have a severity rating of low, medium, high, or critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe. Please share this post with your friends to help get the word out and make WordPress safer for everyone!

Download the Infographic

WordPress Core News

WordPress 6.1.1 was released on November 15, 2022, as a short-cycle maintenance release with 29 bug fixes in Core and 21 bug fixes for the block editor. Because this is a core update, be sure to update to WordPress 6.1.1 as soon as possible! As always, with a major release like this, it makes sense to ensure your site is backed up with BackupBuddy before updating.

WordPress 6.2 Beta 1

WordPress 6.2 Beta 1 is ready for download and testing! The current target for the final release is March 28, 2023.

No new WordPress core vulnerabilities were disclosed this week.

Get SolidWP tips direct in your inbox

Sign up

This field is for validation purposes and should be left unchanged.
Placeholder text
Placeholder text
Thanks

Oops something went wrong, please try submitting again

Get started with confidence — risk free, guaranteed

WordPress Plugin Vulnerabilities

In this section, the latest WordPress plugin vulnerabilities have been disclosed. Each plugin listing includes the type of vulnerability, the active installations, the version number if patched, the severity rating, and the CVE.

Ocean Extra

Plugin:
Ocean Extra
Plugin Slug:
ocean-extra
Installations:
700,000+
Vulnerability:
Contributor+ Stored XSS
Patched in Version:
2.1.2
Severity Score:
Medium
CVE:
2023-23891
The vulnerability has been patched, so you should update to version 2.1.2.

VK All in One Expansion Unit

Plugin:
VK All in One Expansion Unit
Plugin Slug:
vk-all-in-one-expansion-unit
Installations:
100,000+
Vulnerability:
Contributor+ Stored XSS
Patched in Version:
9.86.0.0
Severity Score:
Medium
CVE:
2023-0230
The vulnerability has been patched, so you should update to version 9.86.0.0.

Print Invoice & Delivery Notes for WooCommerce

Plugin:
Print Invoice & Delivery Notes for WooCommerce
Plugin Slug:
woocommerce-delivery-notes
Installations:
40,000+
Vulnerability:
Reflected XSS
Patched in Version:
4.7.2
Severity Score:
High
CVE:
2023-0479
The vulnerability has been patched, so you should update to version 4.7.2.

Wufoo Shortcode

Plugin:
Wufoo Shortcode
Plugin Slug:
wufoo-shortcode
Installations:
20,000+
Vulnerability:
Contributor+ Stored XSS via Shortcode
Patched in Version:
1.52
Severity Score:
Medium
CVE:
2022-4679
The vulnerability has been patched, so you should update to version 1.52.

Arigato Autoresponder and Newsletter

Plugin:
Arigato Autoresponder and Newsletter
Plugin Slug:
bft-autoresponder
Installations:
1,000+
Vulnerability:
Admin+ Stored XSS
Patched in Version:
2.1.7.2
Severity Score:
Low
CVE:
2023-0543
The vulnerability has been patched, so you should update to version 2.1.7.2.

Donation Block For PayPal

Plugin:
Donation Block For PayPal
Plugin Slug:
donations-block
Installations:
800+
Vulnerability:
Contributor+ Stored XSS
Patched in Version:
2.1.0
Severity Score:
Medium
CVE:
2023-0535
The vulnerability has been patched, so you should update to version 2.1.0.

Namaste! LMS

Plugin:
Namaste! LMS
Plugin Slug:
namaste-lms
Installations:
700+
Vulnerability:
Admin+ Stored XSS
Patched in Version:
2.5.9.4
Severity Score:
Low
CVE:
2023-0548
The vulnerability has been patched, so you should update to version 2.5.9.4.

GS Insever Portfolio

Plugin:
GS Insever Portfolio
Plugin Slug:
gs-instagram-portfolio
Installations:
100+
Vulnerability:
Contributor+ Stored XSS
Patched in Version:
1.4.5
Severity Score:
Medium
CVE:
2023-0539
The vulnerability has been patched, so you should update to version 1.4.5.

WordPress Plugin Vulnerabilities – No Known Fix

This section contains plugin vulnerabilities with no known fix. Until a patch is available, immediately uninstall and delete the plugin.

User Activity

Plugin:
User Activity
Plugin Slug:
user-activity
Installations:
300+
Vulnerability:
IP Spoofing
Patched in Version:
No Fix
Severity Score:
Medium
CVE:
2022-4550
The vulnerability has not been patched. You should deactivate the plugin.

GigPress

Plugin:
GigPress
Plugin Slug:
gigpress
Vulnerability:
Subscriber+ SQLi
Patched in Version:
No Fix
Severity Score:
High
CVE:
2023-0381
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Embed PDF

Plugin:
Embed PDF
Plugin Slug:
dirtysuds-embed-pdf
Vulnerability:
Contributor+ Stored XSS via Shortcode
Patched in Version:
No Fix
Severity Score:
Medium
CVE:
2022-4788
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Custom Add User

Plugin:
Custom Add User
Plugin Slug:
custom-add-user
Vulnerability:
Reflected Cross-Site Scripting
Patched in Version:
No Fix
Severity Score:
High
CVE:
2023-0043
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Show-Hide / Collapse-Expand

Plugin:
Show-Hide / Collapse-Expand
Plugin Slug:
show-hidecollapse-expand
Vulnerability:
Contributor+ Stored XSS via Shortcode
Patched in Version:
No Fix
Severity Score:
Medium
CVE:
2022-4829
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

List Pages Shortcode

Plugin:
List Pages Shortcode
Plugin Slug:
list-pages-shortcode
Vulnerability:
Contributor+ Stored XSS via Shortcode
Patched in Version:
No Fix
Severity Score:
Medium
CVE:
2022-4757
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Galleries by Angie Makes

Plugin:
Galleries by Angie Makes
Plugin Slug:
wc-gallery
Vulnerability:
Contributor+ Stored XSS via Shortcode
Patched in Version:
No Fix
Severity Score:
Medium
CVE:
2022-4795
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Correos Oficial

Plugin:
Correos Oficial
Plugin Slug:
correosoficial
Vulnerability:
Unauthenticated Arbitrary File Download
Patched in Version:
No Fix
Severity Score:
High
CVE:
2023-0331
The vulnerability has not been patched. You should deactivate the plugin.

Olevmedia Shortcodes

Plugin:
Olevmedia Shortcodes
Plugin Slug:
olevmedia-shortcodes
Vulnerability:
Contributor+ Stored XSS
Patched in Version:
No Fix
Severity Score:
Medium
CVE:
2023-0168
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

0mk Shortener

Plugin:
0mk Shortener
Plugin Slug:
0mk-shortener
Vulnerability:
Stored XSS via CSRF
Patched in Version:
No Fix
Severity Score:
High
CVE:
2022-2933
The vulnerability has not been patched. You should deactivate the plugin.

WordPress Theme Vulnerabilities

In this section, the latest WordPress theme vulnerabilities have been disclosed. Each theme listing includes the type of vulnerability, the active installations, the version number if patched, the severity rating, and the CVE.

No new WordPress theme vulnerabilities were disclosed this week.

Solid Security is part of Solid Suite — The best foundation for WordPress websites.

Every WordPress site needs security, backups, and management tools. That’s Solid Suite — an integrated bundle of three plugins: Solid Security, Solid Backups, and Solid Central. You also get access to Solid Academy’s learning resources for WordPress professionals. Build your next WordPress website on a solid foundation with Solid Suite!

Get Solid Security

Author:

Avatar photoSolidWP Editorial Team

Each week, the team at SolidWP team publishes new WordPress tutorials and resources, including the Weekly WordPress Vulnerability Report. Since 2008, SolidWP has been dedicated to helping you build, maintain, and secure WordPress sites for yourself or for clients. Looking for iThemes?

Browse all of SolidWP's articles

Did you like this article? Spread the word:

Author:

Avatar photoSolidWP Editorial Team

Each week, the team at SolidWP team publishes new WordPress tutorials and resources, including the Weekly WordPress Vulnerability Report. Since 2008, SolidWP has been dedicated to helping you build, maintain, and secure WordPress sites for yourself or for clients. Looking for iThemes?

Browse all of SolidWP's articles