WordPress Vulnerability Report – January 25, 2023
Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. The weekly WordPress Vulnerability Report powered by WPScan covers recent WordPress plugin, theme, and core vulnerabilities and what to do if you run one of the vulnerable plugins or themes on your website. Each vulnerability will have a severity rating of low, medium, high, or critical.
Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. The weekly WordPress Vulnerability Report powered by WPScan covers recent WordPress plugin, theme, and core vulnerabilities and what to do if you run one of the vulnerable plugins or themes on your website.
Each vulnerability will have a severity rating of low, medium, high, or critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe. Please share this post with your friends to help get the word out and make WordPress safer for everyone!
WordPress Core News
WordPress 6.1.1 was released on November 15, 2022, as a short-cycle maintenance release with 29 bug fixes in Core and 21 bug fixes for the block editor. Because this is a core update, be sure to update to WordPress 6.1.1 as soon as possible! As always, with a major release like this, it makes sense to ensure your site is backed up with BackupBuddy before updating.
There is a known unpatched vulnerability in WordPress core affecting all versions of WordPress. If you’re using iThemes Security, you’ve probably been alerted to this. As we are unsure when this very low-severity vulnerability will be patched, emails from iThemes Security will no longer alert for this specific vulnerability. Read our blog post about this vulnerability.
Get SolidWP tips direct in your inbox
Sign up
Get started with confidence — risk free, guaranteed
WordPress Plugin Vulnerabilities
In this section, the latest WordPress plugin vulnerabilities have been disclosed. Each plugin listing includes the type of vulnerability, the active installations, the version number if patched, the severity rating, and the CVE.
Enable Media Replace
- Plugin:
- Enable Media Replace
- Plugin Slug:
- enable-media-replace
- Installations:
- 600,000+
- Vulnerability:
- Author+ Arbitrary File Upload
- Patched in Version:
- 4.0.2
- Severity Score:
- Critical
- CVE:
- 2023-0255
Spectra
- Plugin Slug:
- ultimate-addons-for-gutenberg
- Installations:
- 400,000+
- Vulnerability:
- Stored Cross-Side Scripting
- Patched in Version:
- 1.15.0
- Severity Score:
- Medium
- CVE:
- 2020-36656
GiveWP
- Plugin Slug:
- give
- Installations:
- 100,000+
- Vulnerability:
- Contributor+ Stored XSS; Unauthenticated SQLi
- Patched in Version:
- 2.24.1
- Severity Score:
- Medium
- CVE:
- 2022-4448
Parsi Date
- Plugin:
- Parsi Date
- Plugin Slug:
- wp-parsidate
- Installations:
- 100,000+
- Vulnerability:
- Reflected Cross-Site Scripting
- Patched in Version:
- 4.0.2
- Severity Score:
- Medium
Better Font Awesome
- Plugin:
- Better Font Awesome
- Plugin Slug:
- better-font-awesome
- Installations:
- 100,000+
- Vulnerability:
- Contributor+ Stored XSS
- Patched in Version:
- 2.0.4
- Severity Score:
- Medium
- CVE:
- 2022-4512
LearnPress Plugin
- Plugin Slug:
- learnpress
- Installations:
- 100,000+
- Vulnerability:
- Unauthenticated LFI; Subscriber+ SQLi; Unauthenticated SQLi
- Patched in Version:
- 4.2.0
- Severity Score:
- Critical
- CVE:
- 2022-47615
Customer Reviews for WooCommerce
- Plugin Slug:
- customer-reviews-woocommerce
- Installations:
- 50,000+
- Vulnerability:
- Contributor+ LFI; Contributor+ Stored XSS
- Patched in Version:
- 5.17.0
- Severity Score:
- Critical
- CVE:
- 2023-0080
Themify Portfolio Post
- Plugin:
- Themify Portfolio Post
- Plugin Slug:
- themify-portfolio-post
- Installations:
- 50,000+
- Vulnerability:
- Contributor+ Stored XSS
- Patched in Version:
- 1.2.2
- Severity Score:
- Medium
- CVE:
- 2023-0362
Spotlight Social Feeds
- Plugin Slug:
- spotlight-social-photo-feeds
- Installations:
- 50,000+
- Vulnerability:
- Contributor+ Stored XSS
- Patched in Version:
- 1.4.3
- Severity Score:
- Medium
- CVE:
- 2023-0379
Meks Flexible Shortcodes
- Plugin:
- Meks Flexible Shortcodes
- Plugin Slug:
- meks-flexible-shortcodes
- Installations:
- 30,000+
- Vulnerability:
- Contributor+ Stored XSS
- Patched in Version:
- 1.3.5
- Severity Score:
- Medium
- CVE:
- 2022-4562
WP Visitor Statistics (Real Time Traffic)
- Plugin Slug:
- wp-stats-manager
- Installations:
- 20,000+
- Vulnerability:
- Contributor+ Stored XSS via Shortcode
- Patched in Version:
- 6.5
- Severity Score:
- Medium
- CVE:
- 2022-4656
WP Google Review Slider
- Plugin:
- WP Google Review Slider
- Plugin Slug:
- wp-google-places-review-slider
- Installations:
- 20,000+
- Vulnerability:
- Subscriber+ SQLi
- Patched in Version:
- 11.8
- Severity Score:
- High
- CVE:
- 2023-0259
TemplatesNext ToolKit
- Plugin:
- TemplatesNext ToolKit
- Plugin Slug:
- templatesnext-toolkit
- Installations:
- 10,000+
- Vulnerability:
- Contributor+ Stored XSS via Shortcode; Contributor+ Stored XSS
- Patched in Version:
- 3.2.9
- Severity Score:
- Medium
- CVE:
- 2022-4678
WP Customer Area
- Plugin:
- WP Customer Area
- Plugin Slug:
- customer-area
- Installations:
- 10,000+
- Vulnerability:
- Unauthorised Actions via CSRF
- Patched in Version:
- 8.1.4
- Severity Score:
- Medium
- CVE:
- 2022-4745
Easy Accept Payments for PayPal
- Plugin Slug:
- wordpress-easy-paypal-payment-or-donation-accept-plugin
- Installations:
- 10,000+
- Vulnerability:
- Contributor+ Stored XSS
- Patched in Version:
- 4.9.10
- Severity Score:
- Medium
- CVE:
- 2023-0275
Easy Affiliate Links
- Plugin:
- Easy Affiliate Links
- Plugin Slug:
- easy-affiliate-links
- Installations:
- 10,000+
- Vulnerability:
- Contributor+ Stored XSS
- Patched in Version:
- 3.7.1
- Severity Score:
- Medium
- CVE:
- 2023-0375
WP TripAdvisor Review Slider
- Plugin:
- WP TripAdvisor Review Slider
- Plugin Slug:
- wp-tripadvisor-review-slider
- Installations:
- 10,000+
- Vulnerability:
- Subscriber+ SQLi
- Patched in Version:
- 10.8
- Severity Score:
- High
- CVE:
- 2023-0261
Custom 404 Pro
- Plugin:
- Custom 404 Pro
- Plugin Slug:
- custom-404-pro
- Installations:
- 10,000+
- Vulnerability:
- Logs Deletion via CSRF
- Patched in Version:
- 3.7.2
- Severity Score:
- Medium
- CVE:
- 2023-0385
PickPlugins Product Slider for WooCommerce
- Plugin Slug:
- woocommerce-products-slider
- Installations:
- 10,000+
- Vulnerability:
- Contributor+ Stored XSS
- Patched in Version:
- 1.13.42
- Severity Score:
- Medium
- CVE:
- 2023-0166
YaMaps for WordPress Plugin
- Plugin:
- YaMaps for WordPress Plugin
- Plugin Slug:
- yamaps
- Installations:
- 10,000+
- Vulnerability:
- Contributor+ Stored XSS
- Patched in Version:
- 0.6.26
- Severity Score:
- Medium
- CVE:
- 2023-0270
Social Like Box and Page by WpDevArt
- Plugin Slug:
- like-box
- Installations:
- 10,000+
- Vulnerability:
- Contributor+ Stored XSS
- Patched in Version:
- 0.8.41
- Severity Score:
- Medium
- CVE:
- 2023-0177
WP FullCalendar
- Plugin:
- WP FullCalendar
- Plugin Slug:
- wp-fullcalendar
- Installations:
- 10,000+
- Vulnerability:
- Unauthenticated Arbitrary Post Access
- Patched in Version:
- 1.5
- Severity Score:
- High
- CVE:
- 2022-3891
WP Font Awesome
- Plugin:
- WP Font Awesome
- Plugin Slug:
- wp-font-awesome
- Installations:
- 10,000+
- Vulnerability:
- Contributor+ Stored XSS
- Patched in Version:
- 1.7.9
- Severity Score:
- Medium
- CVE:
- 2023-0271
WP Review Slider
- Plugin:
- WP Review Slider
- Plugin Slug:
- wp-facebook-reviews
- Installations:
- 10,000+
- Vulnerability:
- Subscriber+ SQLi
- Patched in Version:
- 12.2
- Severity Score:
- High
- CVE:
- 2023-0260
Product Slider and Carousel with Category for WooCommerce
- Plugin Slug:
- woo-product-slider-and-carousel-with-category
- Installations:
- 10,000+
- Vulnerability:
- Contributor+ Stored XSS via Shortcode
- Patched in Version:
- 2.8
- Severity Score:
- Medium
- CVE:
- 2022-4791
Zoho Forms
- Plugin Slug:
- zoho-forms
- Installations:
- 10,000+
- Vulnerability:
- Contributor+ Stored XSS
- Patched in Version:
- 3.0.1
- Severity Score:
- Medium
- CVE:
- 2023-0169
Youzify
- Plugin:
- Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress
- Plugin Slug:
- youzify
- Installations:
- 9,000+
- Vulnerability:
- Contributor+ Stored XSS
- Patched in Version:
- 1.2.2
- Severity Score:
- Medium
- CVE:
- 2023-0059
Judge.me Product Reviews for WooCommerce
- Plugin Slug:
- judgeme-product-reviews-woocommerce
- Installations:
- 8,000+
- Vulnerability:
- Contributor+ Stored XSS
- Patched in Version:
- 1.3.21
- Severity Score:
- Medium
- CVE:
- 2023-0061
Timed Content
- Plugin:
- Timed Content
- Plugin Slug:
- timed-content
- Installations:
- 8,000+
- Vulnerability:
- Contributor+ Stored XSS
- Patched in Version:
- 2.73
- Severity Score:
- Medium
- CVE:
- 2023-0067
Location Weather
- Plugin:
- Location Weather
- Plugin Slug:
- location-weather
- Installations:
- 8,000+
- Vulnerability:
- Contributor+ Stored XSS
- Patched in Version:
- 1.3.4
- Severity Score:
- Medium
- CVE:
- 2023-0360
Responsive Gallery Grid
- Plugin:
- Responsive Gallery Grid
- Plugin Slug:
- responsive-gallery-grid
- Installations:
- 7,000+
- Vulnerability:
- Contributor+ Stored XSS
- Patched in Version:
- 2.3.9
- Severity Score:
- Medium
- CVE:
- 2023-0060
Watu Quiz
Lightweight Accordion
- Plugin:
- Lightweight Accordion
- Plugin Slug:
- lightweight-accordion
- Installations:
- 6,000+
- Vulnerability:
- Contributor+ Stored XSS
- Patched in Version:
- 1.5.15
- Severity Score:
- Medium
- CVE:
- 2023-0373
Pinpoint Booking System
- Plugin Slug:
- booking-system
- Installations:
- 6,000+
- Vulnerability:
- Subscriber+ SQLi
- Patched in Version:
- 2.9.9.2.9
- Severity Score:
- High
- CVE:
- 2023-0220
Simple URLs
- Plugin Slug:
- simple-urls
- Installations:
- 6,000+
- Vulnerability:
- Subscriber+ SQLi; Multiple Reflected XSS
- Patched in Version:
- 115
- Severity Score:
- High
- CVE:
- 2023-0098
WP Helper Lite
- Plugin:
- WP Helper Premium
- Plugin Slug:
- wp-helper-lite
- Installations:
- 3,000+
- Vulnerability:
- Reflected Cross-Site Scripting
- Patched in Version:
- 4.3
- Severity Score:
- High
- CVE:
- 2023-0448
GPT3 AI Content Writer
- Plugin:
- GPT AI Power: Content Writer & ChatGPT & Image Generator & WooCommerce Product Writer & AI Training
- Plugin Slug:
- gpt3-ai-content-generator
- Installations:
- 3,000+
- Vulnerability:
- Subscriber+ Arbitrary Post Content Update
- Patched in Version:
- 1.4.38
- Severity Score:
- Medium
- CVE:
- 2023-0405
WP Airbnb Review Slider
- Plugin:
- WP Airbnb Review Slider
- Plugin Slug:
- wp-airbnb-review-slider
- Installations:
- 2,000+
- Vulnerability:
- Subscriber+ SQLi
- Patched in Version:
- 3.3
- Severity Score:
- High
- CVE:
- 2023-0262
WP Yelp Review Slider
- Plugin:
- WP Yelp Review Slider
- Plugin Slug:
- wp-yelp-review-slider
- Installations:
- 1,000+
- Vulnerability:
- Subscriber+ SQLi
- Patched in Version:
- 7.1
- Severity Score:
- High
- CVE:
- 2023-0263
Shortcode for Font Awesome
- Plugin:
- Shortcode for Font Awesome
- Plugin Slug:
- shortcode-for-font-awesome
- Installations:
- 700+
- Vulnerability:
- Contributor+ Stored XSS
- Patched in Version:
- 1.4.1
- Severity Score:
- Medium
- CVE:
- 2023-0419
uTubeVideo Gallery
- Plugin:
- uTubeVideo Gallery
- Plugin Slug:
- utubevideo-gallery
- Installations:
- 500+
- Vulnerability:
- Contributor+ Stored XSS
- Patched in Version:
- 2.0.8
- Severity Score:
- Medium
- CVE:
- 2023-0151
GigPress
Lightbox Gallery
- Plugin:
- Lightbox Gallery
- Plugin Slug:
- lightbox-gallery
- Vulnerability:
- Contributor+ Stored XSS via Shortcode
- Patched in Version:
- 0.9.5
- Severity Score:
- Medium
- CVE:
- 2022-4682
Rich Table of Contents
- Plugin:
- Rich Table of Contents
- Plugin Slug:
- rich-table-of-content
- Vulnerability:
- Contributor+ Stored XSS
- Patched in Version:
- 1.3.8
- Severity Score:
- Medium
- CVE:
- 2022-4551
WordPress Plugin Vulnerabilities – No Known Fix
This section contains plugin vulnerabilities with no known fix. Until a patch is available, immediately uninstall and delete the plugin.
YARPP – Yet Another Related Posts Plugin
- Plugin Slug:
- yet-another-related-posts-plugin
- Installations:
- 100,000+
- Vulnerability:
- Contributor+ Stored XSS
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2022-4471
Easy PayPal Buy Now Button
- Plugin:
- Easy PayPal Buy Now Button
- Plugin Slug:
- wp-ecommerce-paypal
- Installations:
- 30,000+
- Vulnerability:
- Contributor+ Stored XSS in Shortcode
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2022-4628
Markup
- Plugin Slug:
- wp-structuring-markup
- Installations:
- 30,000+
- Vulnerability:
- Contributor+ Stored XSS via Shortcode
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2022-4666
Page Builder: Live Composer
- Plugin:
- Page Builder: Live Composer
- Plugin Slug:
- live-composer-page-builder
- Installations:
- 20,000+
- Vulnerability:
- Contributor+ Stored XSS via Shortcode
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2022-4669
FL3R FeelBox
- Plugin:
- FL3R FeelBox
- Plugin Slug:
- fl3r-feelbox
- Vulnerability:
- Unauthenticated SQLi
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
- 2022-4445
Oi Yandex.Maps
- Plugin:
- Oi Yandex.Maps for WordPress
- Plugin Slug:
- oi-yamaps
- Vulnerability:
- Contributor+ Stored XSS
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2023-22721
Youtube Channel Gallery
- Plugin:
- Youtube Channel Gallery
- Plugin Slug:
- youtube-channel-gallery
- Vulnerability:
- Contributor+ Stored XSS via Shortcode
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2022-4783
Intuitive Custom Post Order
- Plugin:
- Intuitive Custom Post Order
- Plugin Slug:
- intuitive-custom-post-order
- Vulnerability:
- Subscriber+ Arbitrary Menu Order Update
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2022-4385
Youtube Shortcode
- Plugin:
- Youtube shortcode
- Plugin Slug:
- youtube-shortcode
- Vulnerability:
- Contributor+ Stored XSS
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2023-23687
Amazon JS
Widget Shortcode
- Plugin:
- Widget Shortcode
- Plugin Slug:
- widget-shortcode
- Vulnerability:
- Contributor+ Stored XSS
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2022-4473
Amr Shortcode Any Widget
- Plugin:
- amr shortcode any widget
- Plugin Slug:
- amr-shortcode-any-widget
- Vulnerability:
- Contributor+ Stored XSS
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2022-4458
WP TopBar
- Plugin:
- WP-TopBar
- Plugin Slug:
- wp-topbar
- Vulnerability:
- Admin+ SQLi
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2023-23824
Widgets on Pages
- Plugin:
- Widgets on Pages
- Plugin Slug:
- widgets-on-pages
- Vulnerability:
- Contributor+ Stored XSS
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2022-4488
Twenty20 Image Before-After
- Plugin:
- Twenty20 Image Before-After
- Plugin Slug:
- twenty20
- Vulnerability:
- Contributor+ Stored XSS
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2022-4580
Mapwiz
WordPress Theme Vulnerabilities
In this section, the latest WordPress theme vulnerabilities have been disclosed. Each theme listing includes the type of vulnerability, the active installations, the version number if patched, the severity rating, and the CVE.
Solid Security is part of Solid Suite — The best foundation for WordPress websites.
Every WordPress site needs security, backups, and management tools. That’s Solid Suite — an integrated bundle of three plugins: Solid Security, Solid Backups, and Solid Central. You also get access to Solid Academy’s learning resources for WordPress professionals. Build your next WordPress website on a solid foundation with Solid Suite!
Join us for the next Solid Academy Webinar!
Free weekly webinars that will help you master WordPress and increase your business's bottom line.
What is a WordPress Phishing Attack?
Learn how to identify and prevent phishing attacks on WordPress websites.
Kiki SheldonWebsite Protection: 5 Ways to Keep Your Website Safe
Robust website protection is the shield that stands between your business and relentless cyber attacks. Prioritizing website protection enables businesses to fortify defenses to safeguard their online presence and preserve the trust of their customers in the face of ever-evolving cybersecurity threats.
Kiki Sheldon23 Ideas To Grow Your WordPress Business in 2023
WordPress is the most popular website-building platform worldwide, trusted by numerous brands. WordPress enables you to build a user-friendly and highly reliable site, together with tools and plugins to enhance your marketing and work like a lead magnet. All these features make WordPress the platform chosen by more than 43% of businesses globally.
SolidWP Editorial TeamSign up now — Get SolidWP updates and valuable content straight to your inbox
Sign up
Get started with confidence — risk free, guaranteed
