WordPress Vulnerability Report

Since last week, 82 total vulnerabilities emerged in public disclosure. They may affect over 4 million WordPress sites. There are 46 plugin vulnerabilities and one theme vulnerability with security patches available, so run those updates!

Additionally, there are 34 plugin vulnerabilities and one theme vulnerability with no patch available yet. If you discover you are using an unpatched plugin or theme, check their vendors’ intentions and progress on a security release. If no patch is forthcoming or the vulnerable software has been marked “closed” and dropped from the official WordPress theme and plugin repositories, you should consider deactivation and removal in favor of alternative solutions.

From WPTavern: All-In-One Security Plugin Patches Sensitive Data Exposure Vulnerability in Version 5.2.0. AIOS is used by over a million sites. See Sarah Gooding’s post at the Tavern for more details. Ideally, AIOS users should apply the security update and reset all user passwords.

WordPress Core Vulnerabilities — Patched

No new WordPress core vulnerabilities were disclosed this week.

WordPress core is very secure when it’s properly configured and maintained. Vulnerable plugins that have not been updated by site owners are the most common vector for attacks on WordPress websites. Our weekly WordPress Vulnerability Report, powered by Patchstack, covers new WordPress plugin, theme, and core vulnerabilities that have emerged since last week’s report. Our goal is to spread awareness of emerging security threats and help you decide what to do if you are using vulnerable software on your website. For a deeper analysis of recent trends in WordPress vulnerabilities and threat vectors, see our 2022 Annual Vulnerability Report.

These reports are published every Wednesday and include all active vulnerabilities tracked by Patchstack as of Monday since the previous report. This leaves a 48-hour window for the newest emerging vulnerabilities to be patched before full public disclosure. iThemes Security Pro users have access to vulnerability alerts emerging within this window.

Get the weekly WordPress Vulnerability Report delivered to your inbox each Wednesday.

WordPress Plugin Vulnerabilities — Patched

In this section, you’ll find the most recently disclosed WordPress plugin vulnerabilities that have been fixed with a new release from their authors and maintainers. Please apply the updates if you are affected!

These vulnerabilities have been disclosed and scored for their severity, thanks to our friends at Patchstack. Each plugin listing includes the type of vulnerability with its CVE number and CVSS severity rating with links to more technical details. You’ll also see the number of active sites using the plugin and the plugin version release that patches the vulnerability. We start with the most popular plugins, which represent the largest target for attackers.

WP-Optimize

Plugin: WP-Optimize – Cache, Clean, Compress.
Plugin Slug: wp-optimize
Installations: 1,000,000+
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: 3.2.13
Severity Score: High
CVE: 2023-1119

Ninja Forms

Plugin: Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress
Plugin Slug: ninja-forms
Installations: 900,000+
Vulnerability: Denial of Service Attack
Patched in Version: 3.6.26
Severity Score: Medium
CVE: 2023-35909

Forminator

Plugin: Forminator – Contact Form, Payment Form & Custom Form Builder
Plugin Slug: forminator
Installations: 400,000+
Vulnerability: Unauth. Race Condition
Patched in Version: 1.24.1
Severity Score: Low
CVE: 2023-2010

POST SMTP Mailer

Plugin: POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress
Plugin Slug: post-smtp
Installations: 300,000+
Vulnerability: Account Takeover via Cross Site Request Forgery (CSRF)
Patched in Version: 2.5.7
Severity Score: High
CVE: 2023-3179

POST SMTP Mailer

Plugin: POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress
Plugin Slug: post-smtp
Installations: 300,000+
Vulnerability: Arbitrary Log Deletion via Cross Site Request Forgery (CSRF)
Patched in Version: 2.5.7
Severity Score: Medium
CVE: 2023-3178

ShopLentor

Plugin: ShopLentor – WooCommerce Builder for Elementor & Gutenberg +10 Modules – All in One Solution (formerly WooLentor)
Plugin Slug: woolentor-addons
Installations: 100,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 2.6.3
Severity Score: Medium
CVE: 2022-47172

WP Content Copy Protection & No Right Click

Plugin: WP Content Copy Protection & No Right Click
Plugin Slug: wp-content-copy-protector
Installations: 100,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.5.6
Severity Score: Medium
CVE: 2023-36678

LearnPress

Plugin: LearnPress – WordPress LMS Plugin
Plugin Slug: learnpress
Installations: 90,000+
Vulnerability: Authenticated Broken Access Control
Patched in Version: 4.2.3.1
Severity Score: High
CVE: 2023-36516

LearnPress

Plugin: LearnPress – WordPress LMS Plugin
Plugin Slug: learnpress
Installations: 90,000+
Vulnerability: Unauthenticated Broken Access Control
Patched in Version: 4.2.3.1
Severity Score: High
CVE: 2023-36515

HTTP Headers

Plugin: HTTP Headers
Plugin Slug: http-headers
Installations: 40,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.19.0
Severity Score: Medium
CVE: 2023-37874

HTTP Headers

Plugin: HTTP Headers
Plugin Slug: http-headers
Installations: 40,000+
Vulnerability: Admin+ Remote Code Execution (RCE)
Patched in Version: 1.18.11
Severity Score: High
CVE: 2023-1208

All-in-one Floating Contact Form

Plugin: All-in-one Floating Contact Form, Call, Chat, and 50+ Social Icon Tabs – My Sticky Elements
Plugin Slug: mystickyelements
Installations: 40,000+
Vulnerability: Admin+ Stored Cross Site Scripting (XSS)
Patched in Version: 2.1.2
Severity Score: Medium
CVE: 2023-3248

JetFormBuilder

Plugin: JetFormBuilder — Dynamic Blocks Form Builder
Plugin Slug: jetformbuilder
Installations: 30,000+
Vulnerability: Authenticated Privilege Escalation
Patched in Version: 3.0.9
Severity Score: High
CVE: 2023-37866

Visibility Logic for Elementor

Plugin: Visibility Logic for Elementor
Plugin Slug: visibility-logic-elementor
Installations: 30,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 2.3.5
Severity Score: Medium
CVE: 2022-47169

IP2Location Country Blocker

Plugin: IP2Location Country Blocker
Plugin Slug: ip2location-country-blocker
Installations: 20,000+
Vulnerability: IP Bypass Vulnerability
Patched in Version: 2.29.2
Severity Score: Medium
CVE: 2023-37865

ND Shortcodes

Plugin: ND Shortcodes
Plugin Slug: nd-shortcodes
Installations: 20,000+
Vulnerability: Auth. Cross Site Scripting (XSS)
Patched in Version: 7.0
Severity Score: Medium
CVE: 2022-4623

wpForo Forum

Plugin: wpForo Forum
Plugin Slug: wpforo
Installations: 20,000+
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: 2.1.9
Severity Score: High
CVE: 2023-2309

Yasr – Yet Another Stars Rating

Plugin: Yasr – Yet Another Stars Rating
Plugin Slug: yet-another-stars-rating
Installations: 20,000+
Vulnerability: Race Condition
Patched in Version: 3.3.9
Severity Score: Low
CVE: 2023-37867

Booking Package SAASPROJECT

Plugin: Booking Package
Plugin Slug: booking-package
Installations: 10,000+
Vulnerability: Unauthenticated Privilege Escalation
Patched in Version: 1.5.99
Severity Score: High
CVE: 2023-37389

Cryptocurrency Widgets – Price Ticker & Coins List

Plugin: Cryptocurrency Widgets – Price Ticker & Coins List
Plugin Slug: cryptocurrency-price-ticker-widget
Installations: 10,000+
Vulnerability: Broken Access Control
Patched in Version: 2.6.3
Severity Score: Medium
CVE: 2023-36681

Image Regenerate & Select Crop

Plugin: Image Regenerate & Select Crop
Plugin Slug: image-regenerate-select-crop
Installations: 10,000+
Vulnerability: Broken Access Control
Patched in Version: 7.2.0
Severity Score: Medium
CVE: 2023-36680

WP Mail Log

Plugin: WP Mail Log
Plugin Slug: wp-mail-log
Installations: 10,000+
Vulnerability: Unauthenticated Stored Cross Site Scripting (XSS) via Email
Patched in Version: 1.1.2
Severity Score: High
CVE: 2023-3088

Companion Sitemap Generator

Plugin: Companion Sitemap Generator – HTML & XML
Plugin Slug: companion-sitemap-generator
Installations: 9,000+
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: 4.5.3
Severity Score: High
CVE: 2023-1780

Buy Me a Coffee – Button and Widget Plugin

Plugin: Buy Me a Coffee – Button and Widget Plugin
Plugin Slug: buymeacoffee
Installations: 6,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 3.8
Severity Score: Medium
CVE: 2023-2079

Buy Me a Coffee – Button and Widget Plugin

Plugin: Buy Me a Coffee – Button and Widget Plugin
Plugin Slug: buymeacoffee
Installations: 6,000+
Vulnerability: Missing Authorization
Patched in Version: 3.8
Severity Score: Medium
CVE: 2023-2078

Buy Me a Coffee

Plugin: Buy Me a Coffee – Button and Widget Plugin
Plugin Slug: buymeacoffee
Installations: 6,000+
Vulnerability: Broken Access Control
Patched in Version: 3.8
Severity Score: Medium
CVE: 2023-25030

WP Dummy Content Generator

Plugin: WP Dummy Content Generator
Plugin Slug: wp-dummy-content-generator
Installations: 4,000+
Vulnerability: Broken Access Control
Patched in Version: 3.0.0
Severity Score: Medium
CVE: 2023-37394

WP Dummy Content Generator

Plugin: WP Dummy Content Generator
Plugin Slug: wp-dummy-content-generator
Installations: 4,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 3.0.0
Severity Score: Medium
CVE: 2023-37392

WebwinkelKeu

Plugin: WebwinkelKeur: Webshop keurmerk & reviews for WordPress
Plugin Slug: webwinkelkeur
Installations: 3,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 3.25
Severity Score: Medium
CVE: 2023-36691

ARMember

Plugin: ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup
Plugin Slug: armember-membership
Installations: 2,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 4.0.6
Severity Score: Medium
CVE: 2022-47424

Gift Cards

Plugin: Gift Cards (Gift Vouchers and Packages) (WooCommerce Supported)
Plugin Slug: gift-voucher
Installations: 2,000+
Vulnerability: Cross Site Request Forgery (CSRF) in new_voucher_template.php
Patched in Version: 4.3.6
Severity Score: Medium

Masteriyo – LMS

Plugin: LMS by Masteriyo – WordPress Learning Management System, eLearning Platform, Online Education System & Online Course Builder
Plugin Slug: learning-management-system
Installations: 2,000+
Vulnerability: Sensitive Data Exposure
Patched in Version: 1.6.8
Severity Score: Medium

BuddyBuilder BuddyPress Builder for Elementor

Plugin: BuddyPress Builder for Elementor – BuddyBuilder
Plugin Slug: stax-buddy-builder
Installations: 2,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.7.4
Severity Score: Medium

Terms descriptions

Plugin: Terms descriptions
Plugin Slug: terms-descriptions
Installations: 2,000+
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: 3.4.5
Severity Score: High
CVE: 2023-28779

Sublanguage

Plugin: Sublanguage
Plugin Slug: sublanguage
Installations: 1,000+
Vulnerability: Broken Access Control
Patched in Version: 2.10
Severity Score: Medium
CVE: 2023-36695

WP Reroute Email

Plugin: WP Reroute Email
Plugin Slug: wp-reroute-email
Installations: 1,000+
Vulnerability: Unauthenticated Stored Cross Site Scripting (XSS) via Email Subject
Patched in Version: 1.5.0
Severity Score: High
CVE: 2023-3168

WPFactory Helper

Plugin: WPFactory Helper
Plugin Slug: wpcodefactory-helper
Installations: 1,000+
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: 1.5.3
Severity Score: High
CVE: 2023-36689

RSVPMaker

Plugin: RSVPMaker
Plugin Slug: rsvpmaker
Installations: 400+
Vulnerability: SQL Injection
Patched in Version: 10.5.5
Severity Score: High
CVE: 2023-29095

Getnet Argentina para Woocommerce

Plugin: Getnet Argentina para Woocommerce
Plugin Slug: integrar-getnet-con-woo
Installations: 200+
Vulnerability: Authorization Bypass via webhook
Patched in Version: 0.0.5
Severity Score: High
CVE: 2023-3525

My Content Management

Plugin: My Content Management
Plugin Slug: my-content-management
Installations: 200+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.7.7
Severity Score: Medium
CVE: 2023-34377

Auto Location for WP Job Manager via Google

Plugin: Auto Location for WP Job Manager via Google
Plugin Slug: auto-location-for-wp-job-manager
Installations: 100+
Vulnerability: Admin+ Cross Site Scripting (XSS)
Patched in Version: 1.1
Severity Score: Medium
CVE: 2023-3344

tagDiv Cloud Library

Plugin: tagDiv Cloud Library
Plugin Slug: td-cloud-library
Vulnerability: Unauthenticated Arbitrary User Metadata Update to Privilege Escalation
Patched in Version: 2.7
Severity Score: Critical
CVE: 2023-1597

WooCommerce GoCardless Gateway

Plugin: WooCommerce GoCardless Gateway
Plugin Slug: woocommerce-gateway-gocardless
Vulnerability: Unauth. Insecure Direct Object References (IDOR)
Patched in Version: 2.5.7
Severity Score: High
CVE: 2023-37871

WooCommerce Ship to Multiple Addresses

Plugin: WooCommerce Ship to Multiple Addresses
Plugin Slug: woocommerce-shipping-multiple-addresses
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: 3.8.6
Severity Score: High
CVE: 2023-37873

WooCommerce Ship to Multiple Addresses

Plugin: WooCommerce Ship to Multiple Addresses
Plugin Slug: woocommerce-shipping-multiple-addresses
Vulnerability: Broken Access Control
Patched in Version: 3.8.6
Severity Score: Medium
CVE: 2023-37872

WooCommerce Warranty Requests

Plugin: WooCommerce Warranty Requests
Plugin Slug: woocommerce-warranty
Vulnerability: Broken Access Control
Patched in Version: 2.2.0
Severity Score: High
CVE: 2023-37870

WordPress Plugin Vulnerabilities — Unpatched

This section contains plugin vulnerabilities with no known fix. Until a patch is available, you are advised to deactivate the plugin, at minimum, immediately. If there is a high risk of active exploits or the plugin remains unpatched for weeks, you are advised to delete the plugin. You should also delete persistently unpatched plugins the WordPress.org repository has locked and marked “Closed” so they can no longer be downloaded and installed.

oAuth Twitter Feed for Developers

Plugin: oAuth Twitter Feed for Developers
Plugin Slug: oauth-twitter-feed-for-developers
Installations: 60,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-25042

Video Gallery – YouTube Playlist, Channel Gallery by YotuWP

Plugin: Video Gallery – YouTube Playlist, Channel Gallery by YotuWP
Plugin Slug: yotuwp-easy-youtube-embed
Installations: 30,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-25477

Media Library Helper by Codexin

Plugin: Bulk edit image alt tag, caption & description – WordPress Media Library Helper by Codexin
Plugin Slug: media-library-helper
Installations: 10,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-37386

Secondary Title

Plugin: Secondary Title
Plugin Slug: secondary-title
Installations: 10,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-28773

Classified Listing

Plugin: Classified Listing – Classified ads & Business Directory Plugin
Plugin Slug: classified-listing
Installations: 9,000+
Vulnerability: Cross Site Request Forgery (CSRF) Leading To Thumbnail Removal
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-37387

Mobile Call Now & Map Buttons

Plugin: Mobile Call Now & Map Buttons
Plugin Slug: mobile-call-now-map-buttons
Installations: 9,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-24401

Social Share Boost

Plugin: Social Share Boost
Plugin Slug: social-share-boost
Installations: 6,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-25044

Simple Light Weight Social Share (Tweet, Like, Share and Linkedin)

Plugin: Simple Light Weight Social Share (Tweet, Like, Share and Linkedin)
Plugin Slug: only-tweet-like-share-and-google-1
Installations: 5,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-37388

WPFunnels

Plugin: Drag & Drop Sales Funnel Builder for WordPress – WPFunnels
Plugin Slug: wpfunnels
Installations: 5,000+
Vulnerability: Insecure Direct Object References (IDOR)
Patched in Version: No Fix
Severity Score: Medium

Animated Number Counters

Plugin: Animated Number Counters
Plugin Slug: animated-number-counters
Installations: 3,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-24393

Social Media Icons Widget

Plugin: Social Media Icons Widget
Plugin Slug: spoontalk-social-media-icons-widget
Installations: 3,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-25036

Kingkong Board

Plugin: Kingkong Board
Plugin Slug: kingkong-board
Installations: 2,000+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-36694

Menubar

Plugin: Menubar
Plugin Slug: menubar
Installations: 2,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-36687

Product Category Tree

Plugin: Product Category Tree
Plugin Slug: product-category-tree
Installations: 2,000+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-29173

WP RSS Images

Plugin: WP RSS Images
Plugin Slug: wp-rss-images
Installations: 2,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-36693

Image Social Feed Plugin

Plugin: Image Social Feed Plugin
Plugin Slug: add-instagram
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-24412

Simple Giveaways

Plugin: Simple Giveaways – Grow your business, email lists and traffic with contests
Plugin Slug: giveasap
Installations: 1,000+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-23893

Coming Soon Page

Plugin: Coming Soon Page – Responsive Coming Soon & Maintenance Mode
Plugin Slug: responsive-coming-soon-page
Installations: 1,000+
Vulnerability: SQL Injection
Patched in Version: No Fix
Severity Score: High
CVE: 2022-46849

Simple Site Verify

Plugin: Simple Site Verify
Plugin Slug: simple-site-verify
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-36688

WP-Cirrus

Plugin: WP-Cirrus
Plugin Slug: wp-cirrus
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-36692

WP Full Stripe Free

Plugin: WP Full Stripe Free
Plugin Slug: wp-full-stripe-free
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-28934

Baidu Tongji generator

Plugin: Baidu Tongji generator
Plugin Slug: baidu-tongji-generator
Installations: 100+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-31230

Querlo Chatbot

Plugin: Querlo Chatbot
Plugin Slug: querlo-chatbots
Installations: 10+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-3418

BadgeOS

Plugin: BadgeOS
Plugin Slug: badgeos
Vulnerability: Authenticated (Subscriber+) Insecure Direct Object References (IDOR) to Arbitrary Post Title Overwrite
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-2172

BadgeOS

Plugin: BadgeOS
Plugin Slug: badgeos
Vulnerability: Authenticated (Subscriber+) Insecure Direct Object References (IDOR) to Arbitrary Post Deletion
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-2173

BadgeOS

Plugin: BadgeOS
Plugin Slug: badgeos
Vulnerability: Authenticated (Contributor+) Stored Cross Site Scripting (XSS) via Shortcode
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-2171

Livestream Notice

Plugin: Livestream Notice
Plugin Slug: livestream-notice
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-27621

Mail Control

Plugin: Mail Control
Plugin Slug: mail-control
Vulnerability: Unauthenticated Stored Cross Site Scripting (XSS) via Email Subject
Patched in Version: No Fix
Severity Score: High
CVE: 2023-3158

Premium Addons PRO

Plugin: Premium Addons PRO
Plugin Slug: premium-addons-pro
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-37869

Premium Addons PRO

Plugin: Premium Addons PRO
Plugin Slug: premium-addons-pro
Vulnerability: Sensitive Data Exposure
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-37868

Reservation.Studio Widget

Plugin: Reservation.Studio widget
Plugin Slug: reservation-studio-widget
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-24397

SMTP Mail

Plugin: SMTP Mail
Plugin Slug: smtp-mail
Vulnerability: Unauthenticated Stored Cross Site Scripting (XSS) via Email Subject
Patched in Version: No Fix
Severity Score: High
CVE: 2023-3092

WordPress Mobile Pack

Plugin: WordPress Mobile Pack
Plugin Slug: wordpress-mobile-pack
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-37391

WP Default Feature Image

Plugin: WP Default Feature Image
Plugin Slug: wp-default-feature-image
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-25488

WordPress Theme Vulnerabilities

In this section, you’ll find the latest WordPress theme vulnerabilities to be disclosed. You’ll see the same information provided above for vulnerable plugins, and the same advice applies. If a security update exists, install it immediately. If a vulnerability remains unpatched in a theme you are actively using, you will need to find an alternative theme. Deactivate and delete persistently unpatched themes and those that have been “Closed” in the WordPress.org theme repository. If you have a vulnerable theme installed that you are not actively using, simply delete it.

Consulting

Theme: Consulting
Theme Slug: consulting
Downloads: 382,480
Vulnerability: Local File Inclusion
Patched in Version: No Fix
Severity Score: High
CVE: 2023-37385

WPLMS

Theme: WPLMS
Theme Slug: wplms
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 4.900
Severity Score: High
CVE: 2023-36690

Never worry about running a vulnerable plugin or theme again.

As you can see from this report, new WordPress plugin and theme vulnerabilities are disclosed every week. We know it can be difficult to stay on top of every reported vulnerability disclosure that matters to you, so the Themes Security Pro plugin makes it easy to ensure your site isn’t running a vulnerable theme, plugin, or version of WordPress core.

Scans Your Website Twice a Day for Vulnerabilities

Your website’s plugins, themes, and WordPress core versions are checked against the Patchstack Vulnerability Database for the latest vulnerability disclosures.

Automatically Updates if a Security Fix is Available

Paired with Version Management, iThemes Security will automatically update a plugin, theme, or WordPress core version if it has a vulnerability.

Emails You a Warning if Site Scan Detects a Vulnerability

You can receive an email report if your site is running vulnerable versions of a plugin, theme, or WordPress core. Customize the email addresses that receive scan results.

The Best WordPress Security Plugin to Secure & Protect WordPress Sites

WordPress currently powers over 40% of all websites, so it has become a popular target for hackers with malicious intent. The iThemes Security Pro plugin takes the guesswork out of WordPress security to make it easy to secure & protect your WordPress website. It’s like having a full-time security expert on staff who constantly monitors and protects your WordPress site for you.

Buy iThemes Security Pro

Dan Knauss

Dan Knauss is StellarWP’s Technical Content Generalist. He’s been a writer, teacher, and freelancer working in open source since the late 1990s and with WordPress since 2004.

WordPress Vulnerability Report – July 12, 2023

WordPress Core Vulnerabilities — Patched

WordPress Plugin Vulnerabilities — Patched

WordPress Plugin Vulnerabilities — Unpatched

WordPress Theme Vulnerabilities

Never worry about running a vulnerable plugin or theme again.

Scans Your Website Twice a Day for Vulnerabilities

Automatically Updates if a Security Fix is Available

Emails You a Warning if Site Scan Detects a Vulnerability

The Best WordPress Security Plugin to Secure & Protect WordPress Sites

Other related posts

About iThemes

Resources

Customers

Top Products

Get the Weekly WordPress Vulnerability Report

Vulnerable WordPress plugins and themes are the #1 reason WordPress sites get hacked, but keeping track of every new plugin and theme vulnerability is hard work. Get the weekly WordPress Vulnerability Report delivered right to your inbox to help keep your website secure.

Get the Weekly WordPress Vulnerability Report