Since last week, 82 total vulnerabilities emerged in public disclosure. They may affect over 4 million WordPress sites. There are 46 plugin vulnerabilities and one theme vulnerability with security patches available, so run those updates!
Additionally, there are 34 plugin vulnerabilities and one theme vulnerability with no patch available yet. If you discover you are using an unpatched plugin or theme, check their vendors’ intentions and progress on a security release. If no patch is forthcoming or the vulnerable software has been marked “closed” and dropped from the official WordPress theme and plugin repositories, you should consider deactivation and removal in favor of alternative solutions.
From WPTavern: All-In-One Security Plugin Patches Sensitive Data Exposure Vulnerability in Version 5.2.0. AIOS is used by over a million sites. See Sarah Gooding’s post at the Tavern for more details. Ideally, AIOS users should apply the security update and reset all user passwords.
WordPress Core Vulnerabilities — Patched
WordPress core is very secure when it’s properly configured and maintained. Vulnerable plugins that have not been updated by site owners are the most common vector for attacks on WordPress websites. Our weekly WordPress Vulnerability Report, powered by Patchstack, covers new WordPress plugin, theme, and core vulnerabilities that have emerged since last week’s report. Our goal is to spread awareness of emerging security threats and help you decide what to do if you are using vulnerable software on your website. For a deeper analysis of recent trends in WordPress vulnerabilities and threat vectors, see our 2022 Annual Vulnerability Report.
These reports are published every Wednesday and include all active vulnerabilities tracked by Patchstack as of Monday since the previous report. This leaves a 48-hour window for the newest emerging vulnerabilities to be patched before full public disclosure. iThemes Security Pro users have access to vulnerability alerts emerging within this window.
WordPress Plugin Vulnerabilities — Patched
In this section, you’ll find the most recently disclosed WordPress plugin vulnerabilities that have been fixed with a new release from their authors and maintainers. Please apply the updates if you are affected!
These vulnerabilities have been disclosed and scored for their severity, thanks to our friends at Patchstack. Each plugin listing includes the type of vulnerability with its CVE number and CVSS severity rating with links to more technical details. You’ll also see the number of active sites using the plugin and the plugin version release that patches the vulnerability. We start with the most popular plugins, which represent the largest target for attackers.
WP-Optimize

- Plugin Slug
- wp-optimize
- Installations
- 1,000,000+
- Vulnerability
- Reflected Cross Site Scripting (XSS)
- Patched in Version
- 3.2.13
- Severity Score
- High
- CVE
- 2023-1119
Ninja Forms

- Plugin Slug
- ninja-forms
- Installations
- 900,000+
- Vulnerability
- Denial of Service Attack
- Patched in Version
- 3.6.26
- Severity Score
- Medium
- CVE
- 2023-35909
Forminator

- Plugin Slug
- forminator
- Installations
- 400,000+
- Vulnerability
- Unauth. Race Condition
- Patched in Version
- 1.24.1
- Severity Score
- Low
- CVE
- 2023-2010
POST SMTP Mailer

- Plugin Slug
- post-smtp
- Installations
- 300,000+
- Vulnerability
- Account Takeover via Cross Site Request Forgery (CSRF)
- Patched in Version
- 2.5.7
- Severity Score
- High
- CVE
- 2023-3179
POST SMTP Mailer

- Plugin Slug
- post-smtp
- Installations
- 300,000+
- Vulnerability
- Arbitrary Log Deletion via Cross Site Request Forgery (CSRF)
- Patched in Version
- 2.5.7
- Severity Score
- Medium
- CVE
- 2023-3178
ShopLentor

- Plugin Slug
- woolentor-addons
- Installations
- 100,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- 2.6.3
- Severity Score
- Medium
- CVE
- 2022-47172
WP Content Copy Protection & No Right Click

- Plugin Slug
- wp-content-copy-protector
- Installations
- 100,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 3.5.6
- Severity Score
- Medium
- CVE
- 2023-36678
LearnPress

- Plugin Slug
- learnpress
- Installations
- 90,000+
- Vulnerability
- Authenticated Broken Access Control
- Patched in Version
- 4.2.3.1
- Severity Score
- High
- CVE
- 2023-36516
LearnPress

- Plugin Slug
- learnpress
- Installations
- 90,000+
- Vulnerability
- Unauthenticated Broken Access Control
- Patched in Version
- 4.2.3.1
- Severity Score
- High
- CVE
- 2023-36515
HTTP Headers

- Plugin
- HTTP Headers
- Plugin Slug
- http-headers
- Installations
- 40,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 1.19.0
- Severity Score
- Medium
- CVE
- 2023-37874
HTTP Headers

- Plugin
- HTTP Headers
- Plugin Slug
- http-headers
- Installations
- 40,000+
- Vulnerability
- Admin+ Remote Code Execution (RCE)
- Patched in Version
- 1.18.11
- Severity Score
- High
- CVE
- 2023-1208
All-in-one Floating Contact Form

- Plugin Slug
- mystickyelements
- Installations
- 40,000+
- Vulnerability
- Admin+ Stored Cross Site Scripting (XSS)
- Patched in Version
- 2.1.2
- Severity Score
- Medium
- CVE
- 2023-3248
JetFormBuilder

- Plugin Slug
- jetformbuilder
- Installations
- 30,000+
- Vulnerability
- Authenticated Privilege Escalation
- Patched in Version
- 3.0.9
- Severity Score
- High
- CVE
- 2023-37866
Visibility Logic for Elementor

- Plugin Slug
- visibility-logic-elementor
- Installations
- 30,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- 2.3.5
- Severity Score
- Medium
- CVE
- 2022-47169
IP2Location Country Blocker

- Plugin Slug
- ip2location-country-blocker
- Installations
- 20,000+
- Vulnerability
- IP Bypass Vulnerability
- Patched in Version
- 2.29.2
- Severity Score
- Medium
- CVE
- 2023-37865
ND Shortcodes

- Plugin
- ND Shortcodes
- Plugin Slug
- nd-shortcodes
- Installations
- 20,000+
- Vulnerability
- Auth. Cross Site Scripting (XSS)
- Patched in Version
- 7.0
- Severity Score
- Medium
- CVE
- 2022-4623
wpForo Forum

- Plugin
- wpForo Forum
- Plugin Slug
- wpforo
- Installations
- 20,000+
- Vulnerability
- Reflected Cross Site Scripting (XSS)
- Patched in Version
- 2.1.9
- Severity Score
- High
- CVE
- 2023-2309
Yasr – Yet Another Stars Rating

- Plugin Slug
- yet-another-stars-rating
- Installations
- 20,000+
- Vulnerability
- Race Condition
- Patched in Version
- 3.3.9
- Severity Score
- Low
- CVE
- 2023-37867
Booking Package SAASPROJECT

- Plugin
- Booking Package
- Plugin Slug
- booking-package
- Installations
- 10,000+
- Vulnerability
- Unauthenticated Privilege Escalation
- Patched in Version
- 1.5.99
- Severity Score
- High
- CVE
- 2023-37389
Cryptocurrency Widgets – Price Ticker & Coins List

- Plugin Slug
- cryptocurrency-price-ticker-widget
- Installations
- 10,000+
- Vulnerability
- Broken Access Control
- Patched in Version
- 2.6.3
- Severity Score
- Medium
- CVE
- 2023-36681
Image Regenerate & Select Crop

- Plugin Slug
- image-regenerate-select-crop
- Installations
- 10,000+
- Vulnerability
- Broken Access Control
- Patched in Version
- 7.2.0
- Severity Score
- Medium
- CVE
- 2023-36680
WP Mail Log

- Plugin
- WP Mail Log
- Plugin Slug
- wp-mail-log
- Installations
- 10,000+
- Vulnerability
- Unauthenticated Stored Cross Site Scripting (XSS) via Email
- Patched in Version
- 1.1.2
- Severity Score
- High
- CVE
- 2023-3088
Companion Sitemap Generator

- Plugin Slug
- companion-sitemap-generator
- Installations
- 9,000+
- Vulnerability
- Reflected Cross Site Scripting (XSS)
- Patched in Version
- 4.5.3
- Severity Score
- High
- CVE
- 2023-1780
Buy Me a Coffee – Button and Widget Plugin

- Plugin Slug
- buymeacoffee
- Installations
- 6,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- 3.8
- Severity Score
- Medium
- CVE
- 2023-2079
Buy Me a Coffee – Button and Widget Plugin

- Plugin Slug
- buymeacoffee
- Installations
- 6,000+
- Vulnerability
- Missing Authorization
- Patched in Version
- 3.8
- Severity Score
- Medium
- CVE
- 2023-2078
Buy Me a Coffee

- Plugin Slug
- buymeacoffee
- Installations
- 6,000+
- Vulnerability
- Broken Access Control
- Patched in Version
- 3.8
- Severity Score
- Medium
- CVE
- 2023-25030
WP Dummy Content Generator

- Plugin Slug
- wp-dummy-content-generator
- Installations
- 4,000+
- Vulnerability
- Broken Access Control
- Patched in Version
- 3.0.0
- Severity Score
- Medium
- CVE
- 2023-37394
WP Dummy Content Generator

- Plugin Slug
- wp-dummy-content-generator
- Installations
- 4,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- 3.0.0
- Severity Score
- Medium
- CVE
- 2023-37392
WebwinkelKeu
- Plugin Slug
- webwinkelkeur
- Installations
- 3,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- 3.25
- Severity Score
- Medium
- CVE
- 2023-36691
ARMember

- Plugin Slug
- armember-membership
- Installations
- 2,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- 4.0.6
- Severity Score
- Medium
- CVE
- 2022-47424
Gift Cards

- Plugin Slug
- gift-voucher
- Installations
- 2,000+
- Vulnerability
- Cross Site Request Forgery (CSRF) in new_voucher_template.php
- Patched in Version
- 4.3.6
- Severity Score
- Medium
Masteriyo – LMS

- Plugin Slug
- learning-management-system
- Installations
- 2,000+
- Vulnerability
- Sensitive Data Exposure
- Patched in Version
- 1.6.8
- Severity Score
- Medium
BuddyBuilder BuddyPress Builder for Elementor

- Plugin Slug
- stax-buddy-builder
- Installations
- 2,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- 1.7.4
- Severity Score
- Medium
Terms descriptions

- Plugin
- Terms descriptions
- Plugin Slug
- terms-descriptions
- Installations
- 2,000+
- Vulnerability
- Reflected Cross Site Scripting (XSS)
- Patched in Version
- 3.4.5
- Severity Score
- High
- CVE
- 2023-28779
Sublanguage

- Plugin
- Sublanguage
- Plugin Slug
- sublanguage
- Installations
- 1,000+
- Vulnerability
- Broken Access Control
- Patched in Version
- 2.10
- Severity Score
- Medium
- CVE
- 2023-36695
WP Reroute Email

- Plugin
- WP Reroute Email
- Plugin Slug
- wp-reroute-email
- Installations
- 1,000+
- Vulnerability
- Unauthenticated Stored Cross Site Scripting (XSS) via Email Subject
- Patched in Version
- 1.5.0
- Severity Score
- High
- CVE
- 2023-3168
WPFactory Helper

- Plugin
- WPFactory Helper
- Plugin Slug
- wpcodefactory-helper
- Installations
- 1,000+
- Vulnerability
- Reflected Cross Site Scripting (XSS)
- Patched in Version
- 1.5.3
- Severity Score
- High
- CVE
- 2023-36689
RSVPMaker

- Plugin
- RSVPMaker
- Plugin Slug
- rsvpmaker
- Installations
- 400+
- Vulnerability
- SQL Injection
- Patched in Version
- 10.5.5
- Severity Score
- High
- CVE
- 2023-29095
Getnet Argentina para Woocommerce

- Plugin Slug
- integrar-getnet-con-woo
- Installations
- 200+
- Vulnerability
- Authorization Bypass via webhook
- Patched in Version
- 0.0.5
- Severity Score
- High
- CVE
- 2023-3525
My Content Management

- Plugin
- My Content Management
- Plugin Slug
- my-content-management
- Installations
- 200+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 1.7.7
- Severity Score
- Medium
- CVE
- 2023-34377
Auto Location for WP Job Manager via Google
- Plugin Slug
- auto-location-for-wp-job-manager
- Installations
- 100+
- Vulnerability
- Admin+ Cross Site Scripting (XSS)
- Patched in Version
- 1.1
- Severity Score
- Medium
- CVE
- 2023-3344
tagDiv Cloud Library
- Plugin
- tagDiv Cloud Library
- Plugin Slug
- td-cloud-library
- Vulnerability
- Unauthenticated Arbitrary User Metadata Update to Privilege Escalation
- Patched in Version
- 2.7
- Severity Score
- Critical
- CVE
- 2023-1597
WooCommerce GoCardless Gateway
- Plugin
- WooCommerce GoCardless Gateway
- Plugin Slug
- woocommerce-gateway-gocardless
- Vulnerability
- Unauth. Insecure Direct Object References (IDOR)
- Patched in Version
- 2.5.7
- Severity Score
- High
- CVE
- 2023-37871
WooCommerce Ship to Multiple Addresses
- Plugin
- WooCommerce Ship to Multiple Addresses
- Plugin Slug
- woocommerce-shipping-multiple-addresses
- Vulnerability
- Reflected Cross Site Scripting (XSS)
- Patched in Version
- 3.8.6
- Severity Score
- High
- CVE
- 2023-37873
WooCommerce Ship to Multiple Addresses
- Plugin
- WooCommerce Ship to Multiple Addresses
- Plugin Slug
- woocommerce-shipping-multiple-addresses
- Vulnerability
- Broken Access Control
- Patched in Version
- 3.8.6
- Severity Score
- Medium
- CVE
- 2023-37872
WooCommerce Warranty Requests
- Plugin
- WooCommerce Warranty Requests
- Plugin Slug
- woocommerce-warranty
- Vulnerability
- Broken Access Control
- Patched in Version
- 2.2.0
- Severity Score
- High
- CVE
- 2023-37870
WordPress Plugin Vulnerabilities — Unpatched
This section contains plugin vulnerabilities with no known fix. Until a patch is available, you are advised to deactivate the plugin, at minimum, immediately. If there is a high risk of active exploits or the plugin remains unpatched for weeks, you are advised to delete the plugin. You should also delete persistently unpatched plugins the WordPress.org repository has locked and marked “Closed” so they can no longer be downloaded and installed.
oAuth Twitter Feed for Developers
- Plugin Slug
- oauth-twitter-feed-for-developers
- Installations
- 60,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-25042
Video Gallery – YouTube Playlist, Channel Gallery by YotuWP

- Plugin Slug
- yotuwp-easy-youtube-embed
- Installations
- 30,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-25477
Media Library Helper by Codexin

- Plugin Slug
- media-library-helper
- Installations
- 10,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-37386
Secondary Title

- Plugin
- Secondary Title
- Plugin Slug
- secondary-title
- Installations
- 10,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-28773
Classified Listing

- Plugin Slug
- classified-listing
- Installations
- 9,000+
- Vulnerability
- Cross Site Request Forgery (CSRF) Leading To Thumbnail Removal
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-37387
Mobile Call Now & Map Buttons

- Plugin Slug
- mobile-call-now-map-buttons
- Installations
- 9,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-24401
Social Share Boost
- Plugin
- Social Share Boost
- Plugin Slug
- social-share-boost
- Installations
- 6,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-25044
Simple Light Weight Social Share (Tweet, Like, Share and Linkedin)

- Plugin Slug
- only-tweet-like-share-and-google-1
- Installations
- 5,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-37388
WPFunnels

- Plugin Slug
- wpfunnels
- Installations
- 5,000+
- Vulnerability
- Insecure Direct Object References (IDOR)
- Patched in Version
- No Fix
- Severity Score
- Medium
Animated Number Counters

- Plugin
- Animated Number Counters
- Plugin Slug
- animated-number-counters
- Installations
- 3,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-24393
Social Media Icons Widget
- Plugin Slug
- spoontalk-social-media-icons-widget
- Installations
- 3,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-25036
Kingkong Board

- Plugin
- Kingkong Board
- Plugin Slug
- kingkong-board
- Installations
- 2,000+
- Vulnerability
- Broken Access Control
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-36694
Menubar
- Plugin
- Menubar
- Plugin Slug
- menubar
- Installations
- 2,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-36687
Product Category Tree

- Plugin
- Product Category Tree
- Plugin Slug
- product-category-tree
- Installations
- 2,000+
- Vulnerability
- Broken Access Control
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-29173
WP RSS Images
- Plugin
- WP RSS Images
- Plugin Slug
- wp-rss-images
- Installations
- 2,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-36693
Image Social Feed Plugin

- Plugin
- Image Social Feed Plugin
- Plugin Slug
- add-instagram
- Installations
- 1,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-24412
Simple Giveaways

- Plugin Slug
- giveasap
- Installations
- 1,000+
- Vulnerability
- Broken Access Control
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-23893
Coming Soon Page

- Plugin Slug
- responsive-coming-soon-page
- Installations
- 1,000+
- Vulnerability
- SQL Injection
- Patched in Version
- No Fix
- Severity Score
- High
- CVE
- 2022-46849
Simple Site Verify

- Plugin
- Simple Site Verify
- Plugin Slug
- simple-site-verify
- Installations
- 1,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-36688
WP-Cirrus
- Plugin
- WP-Cirrus
- Plugin Slug
- wp-cirrus
- Installations
- 1,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-36692
WP Full Stripe Free

- Plugin
- WP Full Stripe Free
- Plugin Slug
- wp-full-stripe-free
- Installations
- 1,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-28934
Baidu Tongji generator
- Plugin
- Baidu Tongji generator
- Plugin Slug
- baidu-tongji-generator
- Installations
- 100+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-31230
Querlo Chatbot
- Plugin
- Querlo Chatbot
- Plugin Slug
- querlo-chatbots
- Installations
- 10+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-3418
BadgeOS
- Plugin
- BadgeOS
- Plugin Slug
- badgeos
- Vulnerability
- Authenticated (Subscriber+) Insecure Direct Object References (IDOR) to Arbitrary Post Title Overwrite
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-2172
BadgeOS
- Plugin
- BadgeOS
- Plugin Slug
- badgeos
- Vulnerability
- Authenticated (Subscriber+) Insecure Direct Object References (IDOR) to Arbitrary Post Deletion
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-2173
BadgeOS
- Plugin
- BadgeOS
- Plugin Slug
- badgeos
- Vulnerability
- Authenticated (Contributor+) Stored Cross Site Scripting (XSS) via Shortcode
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-2171
Livestream Notice

- Plugin
- Livestream Notice
- Plugin Slug
- livestream-notice
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-27621
Mail Control
- Plugin
- Mail Control
- Plugin Slug
- mail-control
- Vulnerability
- Unauthenticated Stored Cross Site Scripting (XSS) via Email Subject
- Patched in Version
- No Fix
- Severity Score
- High
- CVE
- 2023-3158
Premium Addons PRO
- Plugin
- Premium Addons PRO
- Plugin Slug
- premium-addons-pro
- Vulnerability
- Broken Access Control
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-37869
Premium Addons PRO
- Plugin
- Premium Addons PRO
- Plugin Slug
- premium-addons-pro
- Vulnerability
- Sensitive Data Exposure
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-37868
Reservation.Studio Widget

- Plugin Slug
- reservation-studio-widget
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-24397
SMTP Mail
- Plugin
- SMTP Mail
- Plugin Slug
- smtp-mail
- Vulnerability
- Unauthenticated Stored Cross Site Scripting (XSS) via Email Subject
- Patched in Version
- No Fix
- Severity Score
- High
- CVE
- 2023-3092
WordPress Mobile Pack
- Plugin
- WordPress Mobile Pack
- Plugin Slug
- wordpress-mobile-pack
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-37391
WP Default Feature Image

- Plugin
- WP Default Feature Image
- Plugin Slug
- wp-default-feature-image
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-25488
WordPress Theme Vulnerabilities
In this section, you’ll find the latest WordPress theme vulnerabilities to be disclosed. You’ll see the same information provided above for vulnerable plugins, and the same advice applies. If a security update exists, install it immediately. If a vulnerability remains unpatched in a theme you are actively using, you will need to find an alternative theme. Deactivate and delete persistently unpatched themes and those that have been “Closed” in the WordPress.org theme repository. If you have a vulnerable theme installed that you are not actively using, simply delete it.
Consulting

- Theme
- Consulting
- Theme Slug
- consulting
- Downloads
- 382,480
- Vulnerability
- Local File Inclusion
- Patched in Version
- No Fix
- Severity Score
- High
- CVE
- 2023-37385
WPLMS
- Theme
- WPLMS
- Theme Slug
- wplms
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- 4.900
- Severity Score
- High
- CVE
- 2023-36690
Never worry about running a vulnerable plugin or theme again.
As you can see from this report, new WordPress plugin and theme vulnerabilities are disclosed every week. We know it can be difficult to stay on top of every reported vulnerability disclosure that matters to you, so the Themes Security Pro plugin makes it easy to ensure your site isn’t running a vulnerable theme, plugin, or version of WordPress core.
The Best WordPress Security Plugin to Secure & Protect WordPress Sites
WordPress currently powers over 40% of all websites, so it has become a popular target for hackers with malicious intent. The iThemes Security Pro plugin takes the guesswork out of WordPress security to make it easy to secure & protect your WordPress website. It’s like having a full-time security expert on staff who constantly monitors and protects your WordPress site for you.

Dan Knauss is StellarWP’s Technical Content Generalist. He’s been a writer, teacher, and freelancer working in open source since the late 1990s and with WordPress since 2004.