WordPress Vulnerability Report

Since last week, 329 total vulnerabilities emerged in public disclosure. They may affect over 9 million WordPress sites. There are 209 plugin vulnerabilities and 18 theme vulnerabilities with security patches, so run those updates!

Additionally, there are 66 plugin vulnerabilities and 36 theme vulnerabilities with no patch available yet. If you use an unpatched plugin or theme, check their vendors’ intentions and progress on a security release. Suppose no patch is forthcoming or the vulnerable software has been marked “closed” and dropped from the official WordPress theme and plugin repositories. In that case, you should consider deactivation and removal in favor of alternative solutions.

Such an unusually high number of vulnerability reports is due to outdated versions of many plugins and themes that may use a common third-party dependency, Freemius’ WordPress SDK 2.5.9. Please see the Freemius WordPress SDK 2.5.9 Security Disclosure for more details.

New Today: Patchstack lists multiple high-severity vulnerabilities in the Ninja Forms plugin, potentially affecting 900k active WordPress sites. These vulnerabilities include a POST-based reflected XSS and broken access control on the form submissions export feature. Please update to version 3.6.26.

WordPress Core Vulnerabilities — Patched

No new WordPress core vulnerabilities were disclosed this week.

WordPress core is very secure when it’s properly configured and maintained. Vulnerable plugins not updated by site owners are the most common vector for attacks on WordPress websites. Our weekly WordPress Vulnerability Report, powered by Patchstack, covers new vulnerabilities that have emerged in plugins, themes, and/or WordPress core since last week’s report. Our goal is to spread awareness of emerging security threats and help you decide what to do if you find vulnerable software on your website. For a deeper analysis of recent trends in WordPress vulnerabilities and threat vectors, see our 2022 Annual Vulnerability Report.

These reports are published every Wednesday and include all active vulnerabilities tracked by Patchstack as of Monday since the previous report. This leaves a 48-hour window for the newest emerging vulnerabilities to be patched before full public disclosure. iThemes Security Pro users have access to vulnerability alerts emerging within this window.

Get the weekly WordPress Vulnerability Report delivered to your inbox each Wednesday.

WordPress Plugin Vulnerabilities — Patched

In this section, you’ll find the most recently disclosed WordPress plugin vulnerabilities fixed with a new release from their authors and maintainers. Please apply the updates if you are affected!

These vulnerabilities have been disclosed and scored for their severity, thanks to our friends at Patchstack. Each plugin listing includes the type of vulnerability with its CVE number and CVSS severity rating with links to more technical details. You’ll also see the number of active sites using the plugin and the plugin version release that patches the vulnerability. We start with the most popular plugins, representing the largest target for attackers.

Essential Addons For Elementor

Plugin: Essential Addons for Elementor
Plugin Slug: essential-addons-for-elementor-lite
Installations: 1,000,000+
Vulnerability: Sensitive Data Exposure
Patched in Version: 5.8.2
Severity Score: Medium
CVE: 2023-3779

Ninja Forms

Plugin: Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress
Plugin Slug: ninja-forms
Installations: 900,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.6.26
Severity Score: High
CVE: 2023-37979

Ninja Forms

Plugin: Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress
Plugin Slug: ninja-forms
Installations: 900,000+
Vulnerability: Broken Access Control
Patched in Version: 3.6.26
Severity Score: High
CVE: 2023-38393

Ninja Forms

Plugin: Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress
Plugin Slug: ninja-forms
Installations: 900,000+
Vulnerability: Broken Access Control
Patched in Version: 3.6.26
Severity Score: High
CVE: 2023-38386

The Events Calendar

Plugin: The Events Calendar
Plugin Slug: the-events-calendar
Installations: 800,000+
Vulnerability: Broken Access Control
Patched in Version: 6.1.3
Severity Score: Medium
CVE: 2023-35777

The Events Calendar

Plugin: The Events Calendar
Plugin Slug: the-events-calendar
Installations: 800,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 6.1.0
Severity Score: High
CVE: 2023-33999

Popup Maker

Plugin: Popup Maker – Popup for opt-ins, lead gen, & more
Plugin Slug: popup-maker
Installations: 700,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.10.0
Severity Score: High
CVE: 2023-33999

NextGEN Gallery

Plugin: WordPress Gallery Plugin – NextGEN Gallery
Plugin Slug: nextgen-gallery
Installations: 600,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.4.7
Severity Score: High
CVE: 2023-33999

WP Activity Log

Plugin: WP Activity Log
Plugin Slug: wp-security-audit-log
Installations: 200,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 4.4.3
Severity Score: High
CVE: 2023-33999

404 to 301

Plugin: 404 to 301 – Redirect, Log and Notify 404 Errors
Plugin Slug: 404-to-301
Installations: 100,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.0.6
Severity Score: High
CVE: 2023-33999

Elementor Addon Elements

Plugin: Elementor Addon Elements
Plugin Slug: addon-elements-for-elementor-page-builder
Installations: 100,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.12
Severity Score: High
CVE: 2023-33999

CAPTCHA 4WP

Plugin: CAPTCHA 4WP
Plugin Slug: advanced-nocaptcha-recaptcha
Installations: 100,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 7.0.6
Severity Score: High
CVE: 2023-33999

WP AutoTerms: Privacy Policy Generator (GDPR & CCPA), Terms & Conditions Generator, Cookie Notice Banner

Plugin: WP AutoTerms: Privacy Policy Generator (GDPR & CCPA), Terms & Conditions Generator, Cookie Notice Banner
Plugin Slug: auto-terms-of-service-and-privacy-policy
Installations: 100,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.0.0
Severity Score: High
CVE: 2023-33999

Blocksy Companion

Plugin: Blocksy Companion
Plugin Slug: blocksy-companion
Installations: 100,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.8.47
Severity Score: High
CVE: 2023-33999

Meta Tag Manager

Plugin: Meta Tag Manager
Plugin Slug: meta-tag-manager
Installations: 100,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.1
Severity Score: High
CVE: 2023-33999

Pods

Plugin: Pods – Custom Content Types and Fields
Plugin Slug: pods
Installations: 100,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.8.23
Severity Score: High
CVE: 2023-33999

TI WooCommerce Wishlist

Plugin: TI WooCommerce Wishlist
Plugin Slug: ti-woocommerce-wishlist
Installations: 100,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.7.0
Severity Score: High
CVE: 2023-33999

Asset CleanUp: Page Speed Booster

Plugin: Asset CleanUp: Page Speed Booster
Plugin Slug: wp-asset-clean-up
Installations: 100,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.3.5.5
Severity Score: High
CVE: 2023-33999

AnyWhere Elementor

Plugin: AnyWhere Elementor
Plugin Slug: anywhere-elementor
Installations: 90,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.2.8
Severity Score: High
CVE: 2023-33999

EmbedPress

Plugin: EmbedPress – Embed PDF, YouTube, Google Docs, Vimeo, Wistia Videos, Audios, Maps & Any Documents in Gutenberg & Elementor
Plugin Slug: embedpress
Installations: 80,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.0.3
Severity Score: High
CVE: 2023-33999

Event Tickets

Plugin: Event Tickets and Registration
Plugin Slug: event-tickets
Installations: 70,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 5.6.0
Severity Score: High
CVE: 2023-33999

Easy Watermark

Plugin: Easy Watermark
Plugin Slug: easy-watermark
Installations: 60,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.0.7
Severity Score: High
CVE: 2023-33999

Simple Author Box

Plugin: Simple Author Box
Plugin Slug: simple-author-box
Installations: 60,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.4
Severity Score: High
CVE: 2023-33999

WP Encryption – One Click Free SSL Certificate & SSL / HTTPS Redirect to fix Insecure Content

Plugin: WP Encryption – One Click Free SSL Certificate & SSL / HTTPS Redirect to Force HTTPS, SSL Score
Plugin Slug: wp-letsencrypt-ssl
Installations: 60,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 6.3.0
Severity Score: High
CVE: 2023-33999

Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor

Plugin: Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor
Plugin Slug: gutentor
Installations: 50,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.0.3
Severity Score: High
CVE: 2023-33999

Preloader Plus – WordPress Loading Screen Plugin

Plugin: Preloader Plus – WordPress Loading Screen Plugin
Plugin Slug: preloader-plus
Installations: 50,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.1
Severity Score: High
CVE: 2023-33999

Spotlight Social Media Feeds

Plugin: Spotlight Social Feeds [Block, Shortcode, and Widget]
Plugin Slug: spotlight-social-photo-feeds
Installations: 50,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.6.1
Severity Score: High
CVE: 2023-33999

Weglot Translate – Translate your WordPress website and go multilingual

Plugin: Weglot Translate – Translate your WordPress website and go multilingual
Plugin Slug: weglot
Installations: 50,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.9.3
Severity Score: High
CVE: 2023-33999

Better Notifications for WP

Plugin: Customize WordPress Emails and Alerts – Better Notifications for WP
Plugin Slug: bnfw
Installations: 40,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.7
Severity Score: High
CVE: 2023-33999

Stop User Enumeration

Plugin: Stop User Enumeration
Plugin Slug: stop-user-enumeration
Installations: 40,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.4.0
Severity Score: High
CVE: 2023-33999

Mail Bank – #1 Mail SMTP Plugin for WordPress

Plugin: Mail Bank – #1 Mail SMTP Plugin for WordPress
Plugin Slug: wp-mail-bank
Installations: 40,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.0.13
Severity Score: High
CVE: 2023-33999

Gutenberg Block Editor Toolkit

Plugin: Gutenberg Block Editor Toolkit – EditorsKit
Plugin Slug: block-options
Installations: 30,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.17
Severity Score: High
CVE: 2023-33999

Divi Contact Form 7

Plugin: Contact Form 7 Module For Divi Builder
Plugin Slug: cf7-styler-for-divi
Installations: 30,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.3.3
Severity Score: High
CVE: 2023-33999

Cost Calculator Builder

Plugin: Cost Calculator Builder
Plugin Slug: cost-calculator-builder
Installations: 30,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.3.3
Severity Score: High
CVE: 2023-33999

Image Photo Gallery Final Tiles Grid

Plugin: Image Photo Gallery Final Tiles Grid
Plugin Slug: final-tiles-grid-gallery-lite
Installations: 30,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.5.8
Severity Score: High
CVE: 2023-33999

Hide Admin Bar Based on User Roles

Plugin: Hide Admin Bar Based on User Roles
Plugin Slug: hide-admin-bar-based-on-user-roles
Installations: 30,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.8
Severity Score: High
CVE: 2023-33999

Divi Carousel Lite

Plugin: Divi Carousel Lite
Plugin Slug: wow-carousel-for-divi-lite
Installations: 30,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.2.12
Severity Score: High
CVE: 2023-33999

WP Google Review Slider

Plugin: WP Google Review Slider
Plugin Slug: wp-google-places-review-slider
Installations: 30,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 12.6
Severity Score: High
CVE: 2023-33999

DiviTorque – Divi Theme, Divi Builder and Extra Theme

Plugin: Divi Torque Lite
Plugin Slug: addons-for-divi
Installations: 20,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.6.0
Severity Score: High
CVE: 2023-33999

Contact Form 7 Skins

Plugin: CF7 Skins for Contact Form 7
Plugin Slug: contact-form-7-skins
Installations: 20,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.1.1
Severity Score: High
CVE: 2023-33999

Greenshift – animation and page builder blocks

Plugin: Greenshift – animation and page builder blocks
Plugin Slug: greenshift-animation-and-page-builder-blocks
Installations: 20,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 4.8.1
Severity Score: High
CVE: 2023-33999

New User Approve

Plugin: New User Approve
Plugin Slug: new-user-approve
Installations: 20,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.5.1
Severity Score: High
CVE: 2023-33999

HP Everywhere

Plugin: PHP Everywhere
Plugin Slug: php-everywhere
Installations: 20,000+
Vulnerability: Remote Code Execution (RCE)
Patched in Version: 3.0.0
Severity Score: Critical
CVE: 2022-24664

PHP Everywhere

Plugin: PHP Everywhere
Plugin Slug: php-everywhere
Installations: 20,000+
Vulnerability: Remote Code Execution (RCE)
Patched in Version: 3.0.0
Severity Score: Critical
CVE: 2022-24665

PHP Everywhere

Plugin: PHP Everywhere
Plugin Slug: php-everywhere
Installations: 20,000+
Vulnerability: Remote Code Execution (RCE)
Patched in Version: 3.0.0
Severity Score: Critical
CVE: 2022-24663

Redirect 404 Error Page to Homepage or Custom Page with Logs

Plugin: Redirect 404 Error Page to Homepage or Custom Page with Logs
Plugin Slug: redirect-404-error-page-to-homepage-or-custom-page
Installations: 20,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.8.0
Severity Score: High
CVE: 2023-33999

Gallery Blocks with Lightbox

Plugin: Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery
Plugin Slug: simply-gallery-block
Installations: 20,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.1.5
Severity Score: High
CVE: 2023-33999

Disable Emojis & Disable Embeds for WordPress Performance & SpeedUp

Plugin: Reduce HTTP Requests, Disable Emojis & Disable Embeds, Speedup WooCommerce
Plugin Slug: wp-disable
Installations: 20,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.5.0
Severity Score: High
CVE: 2023-33999

Media Library Categories

Plugin: Media Library Categories
Plugin Slug: wp-media-library-categories
Installations: 20,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.0.1
Severity Score: Medium
CVE: 2023-36382

WP to Twitter

Plugin: WP to Twitter
Plugin Slug: wp-to-twitter
Installations: 20,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.3.0
Severity Score: High
CVE: 2023-33999

Product Feed Manager

Plugin: Product Feed Manager – WooCommerce to Google Shopping, Social Catalogs, and 170+ Popular Marketplaces
Plugin Slug: best-woocommerce-feed
Installations: 10,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.0
Severity Score: High
CVE: 2023-33999

DeMomentSomTres WordPress Export Posts With Images

Plugin: DeMomentSomTres WordPress Export Posts With Images
Plugin Slug: demomentsomtres-wp-export
Installations: 10,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 20200610
Severity Score: High
CVE: 2023-33999

Enjoy Social Feed plugin for WordPress website

Plugin: Enjoy Social Feed plugin for WordPress website
Plugin Slug: enjoy-instagram-instagram-responsive-images-gallery-and-carousel
Installations: 10,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 6.2.1
Severity Score: High
CVE: 2023-33999

eRoom – Zoom Meetings & Webinar

Plugin: eRoom – Zoom Meetings & Webinars
Plugin Slug: eroom-zoom-meetings-webinar
Installations: 10,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.3.4
Severity Score: High
CVE: 2023-33999

MasterStudy LMS

Plugin: MasterStudy LMS WordPress Plugin – for Online Courses and Education
Plugin Slug: masterstudy-lms-learning-management-system
Installations: 10,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.8.0
Severity Score: High
CVE: 2023-33999

Notification

Plugin: Notification – Custom Notifications and Alerts for WordPress
Plugin Slug: notification
Installations: 10,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 6.1.0
Severity Score: High
CVE: 2023-33999

PowerPack Lite for Beaver Builder

Plugin: PowerPack Lite for Beaver Builder
Plugin Slug: powerpack-addon-for-beaver-builder
Installations: 10,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.2.9.3
Severity Score: High
CVE: 2023-33999

Seo Optimized Images

Plugin: Seo Optimized Images
Plugin Slug: seo-optimized-images
Installations: 10,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.1
Severity Score: High
CVE: 2023-33999

WP News and Scrolling Widgets

Plugin: WP News and Scrolling Widgets
Plugin Slug: sp-news-and-widget
Installations: 10,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 4.2
Severity Score: High
CVE: 2023-33999

Stop WP Emails Going to Spam

Plugin: Stop WP Emails Going to Spam
Plugin Slug: stop-wp-emails-going-to-spam
Installations: 10,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.0.0
Severity Score: High
CVE: 2023-33999

WooCommerce Tiered Price Table

Plugin: Tiered Pricing Table for WooCommerce
Plugin Slug: tier-pricing-table
Installations: 10,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.5.1
Severity Score: High
CVE: 2023-33999

WP Review Slider

Plugin: WP Review Slider
Plugin Slug: wp-facebook-reviews
Installations: 10,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.6
Severity Score: High
CVE: 2023-33999

WP Mail Log

Plugin: WP Mail Log
Plugin Slug: wp-mail-log
Installations: 10,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.1.1
Severity Score: High
CVE: 2023-33999

WP VR

Plugin: WP VR – 360 Panorama and Virtual Tour Builder For WordPress
Plugin Slug: wpvr
Installations: 10,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.0.2
Severity Score: High
CVE: 2023-33999

ACF Frontend – Add and edit posts, pages, users and more all from the frontend

Plugin: Frontend Admin by DynamiApps
Plugin Slug: acf-frontend-form-element
Installations: 9,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.8.0
Severity Score: High
CVE: 2023-33999

HuCommerce | Magyar WooCommerce kiegészítések

Plugin: HuCommerce | Magyar WooCommerce kiegészítések
Plugin Slug: surbma-magyar-woocommerce
Installations: 9,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2022.0.3
Severity Score: High
CVE: 2023-33999

Post to Google My Business (Google Business Profile)

Plugin: Post to Google My Business (Google Business Profile)
Plugin Slug: post-to-google-my-business
Installations: 8,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.1.14
Severity Score: High
CVE: 2023-33999

PublishPress Planner: Organize and Schedule Your WordPress Content

Plugin: PublishPress Planner: Organize and Schedule Your WordPress Content
Plugin Slug: publishpress
Installations: 7,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.9.5
Severity Score: High
CVE: 2023-33999

Salon booking system

Plugin: Salon booking system
Plugin Slug: salon-booking-system
Installations: 7,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 8.4.9
Severity Score: High
CVE: 2023-33999

Easy Photography Portfolio

Plugin: Easy Photography Portfolio
Plugin Slug: photography-portfolio
Installations: 5,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.4.9
Severity Score: High
CVE: 2023-33999

Quiz Cat

Plugin: Quiz Cat – WordPress Quiz Plugin
Plugin Slug: quiz-cat
Installations: 5,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.2.0
Severity Score: High
CVE: 2023-33999

WooCommerce Google Ads Dynamic Remarketing

Plugin: WooCommerce Google Ads Dynamic Remarketing
Plugin Slug: woocommerce-google-dynamic-retargeting-tag
Installations: 5,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.7.17
Severity Score: High
CVE: 2023-33999

WP Travel

Plugin: WP Travel – Best Travel Booking WordPress Plugin, Tour Management Engine
Plugin Slug: wp-travel
Installations: 5,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 4.2.0
Severity Score: High
CVE: 2023-33999

WpStream – Live Streaming, Video on Demand, Pay Per View

Plugin: WpStream – Live Streaming, Video on Demand, Pay Per View
Plugin Slug: wpstream
Installations: 5,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 4.5.5
Severity Score: Medium
CVE: 2023-38512

ACF-VC Integrator

Plugin: ACF-VC Integrator
Plugin Slug: acf-vc-integrator
Installations: 4,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.3.1
Severity Score: High
CVE: 2023-33999

AnyComment

Plugin: AnyComment
Plugin Slug: anycomment
Installations: 4,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 0.0.99
Severity Score: High
CVE: 2023-33999

WordPress Tag Cloud Plugin – Tag Groups

Plugin: Tag Groups is the Advanced Way to Display Your Taxonomy Terms
Plugin Slug: tag-groups
Installations: 4,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.0.0
Severity Score: High
CVE: 2023-33999

Search Console

Plugin: Search Console
Plugin Slug: search-console
Installations: 3,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.2.2
Severity Score: High
CVE: 2023-33999

Discussion Board

Plugin: Discussion Board – WordPress Forum Plugin
Plugin Slug: wp-discussion-board
Installations: 3,000+
Vulnerability: Content Injection
Patched in Version: 2.4.9
Severity Score: Medium
CVE: 2023-39161

Photo Engine

Plugin: Photo Engine (Media Organizer & Lightroom)
Plugin Slug: wplr-sync
Installations: 3,000+
Vulnerability: Insecure Direct Object References (IDOR)
Patched in Version: 6.2.6
Severity Score: Medium
CVE: 2023-38513

Image Carousel For Divi

Plugin: Image Carousel For Divi
Plugin Slug: image-carousel-for-divi
Installations: 2,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.6.1
Severity Score: High
CVE: 2023-33999

Market Exporter

Plugin: Market Exporter
Plugin Slug: market-exporter
Installations: 2,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.0.19
Severity Score: High
CVE: 2023-33999

Multiple Page Generator Plugin – MPG

Plugin: Multiple Page Generator Plugin – MPG
Plugin Slug: multiple-pages-generator-by-porthas
Installations: 2,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.0.0
Severity Score: High
CVE: 2023-33999

Share This Image

Plugin: Share This Image
Plugin Slug: share-this-image
Installations: 2,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.81
Severity Score: High
CVE: 2023-33999

Client Invoicing by Sprout Invoices

Plugin: Client Invoicing by Sprout Invoices – Easy Estimates and Invoices for WordPress
Plugin Slug: sprout-invoices
Installations: 2,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 19.1
Severity Score: High
CVE: 2023-33999

Integration for WooCommerce and Zoho CRM

Plugin: Integration for WooCommerce and Zoho CRM, Books, Invoice, Inventory, Bigin
Plugin Slug: woo-zoho
Installations: 2,000+
Vulnerability: Open Redirection
Patched in Version: 1.3.7
Severity Score: Medium
CVE: 2023-38481

Spanish Market Enhancements for WooCommerce

Plugin: Spanish Market Enhancements for WooCommerce
Plugin Slug: woocommerce-es
Installations: 2,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.1
Severity Score: High
CVE: 2023-33999

Pay For Post with WooCommerce

Plugin: Pay For Post with WooCommerce
Plugin Slug: woocommerce-pay-per-post
Installations: 2,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.1.11
Severity Score: High
CVE: 2023-33999

360 Javascript Viewer

Plugin: 360 Javascript Viewer
Plugin Slug: 360deg-javascript-viewer
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.5.3
Severity Score: High
CVE: 2023-33999

Activity Log For MainWP

Plugin: Activity Log For MainWP
Plugin Slug: activity-log-mainwp
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.0.0
Severity Score: High
CVE: 2023-33999

WooCommerce Attribute Stock – Share Stock Between Products (Lite Version)

Plugin: WooCommerce Attribute Stock – Share Stock Between Products (Lite Version)
Plugin Slug: attribute-stock-for-woocommerce
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.3.0
Severity Score: High
CVE: 2023-33999

Message Filter for Contact Form 7

Plugin: Message Filter for Contact Form 7
Plugin Slug: cf7-message-filter
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.4.3
Severity Score: High
CVE: 2023-33999

Church Admin

Plugin: Church Admin
Plugin Slug: church-admin
Installations: 1,000+
Vulnerability: Server Side Request Forgery (SSRF)
Patched in Version: 3.8.0
Severity Score: Medium
CVE: 2023-38515

TempTool [Show Current Template Info]

Plugin: TempTool [Show Current Template Info]
Plugin Slug: current-template-name
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.1.10
Severity Score: High
CVE: 2023-33999

XPlainer – WooCommerce Product FAQ [WooCommerce Accordion FAQ Plugin]

Plugin: XPlainer – WooCommerce Product FAQ [WooCommerce Accordion FAQ Plugin]
Plugin Slug: faq-for-woocommerce
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.4.0
Severity Score: High
CVE: 2023-33999

WordPress Team Members – GS Plugins

Plugin: Team Members – A WordPress Team Plugin with Gallery, Grid, Carousel, Slider, Table, List, and More
Plugin Slug: gs-team-members
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.2.2
Severity Score: High
CVE: 2023-33999

Remove Duplicate Posts

Plugin: Remove Duplicate Posts
Plugin Slug: remove-duplicate-posts
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.3
Severity Score: High
CVE: 2023-33999

WP Required Taxonomies – Categories and Tags Mandatory

Plugin: WP Required Taxonomies – Categories and Tags Mandatory
Plugin Slug: required-taxonomies
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.1.8
Severity Score: High
CVE: 2023-33999

SV Proven Expert

Plugin: SV Proven Expert
Plugin Slug: sv-provenexpert
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.0.00
Severity Score: High
CVE: 2023-33999

SV Tracking Manager

Plugin: SV Tracking Manager
Plugin Slug: sv-tracking-manager
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.0.00
Severity Score: High
CVE: 2023-33999

UltraAddons Elementor Lite (Header & Footer Builder, Menu Builder, Cart Icon, Shortcode)

Plugin: UltraAddons – Elementor Addons (Header Footer Builder, Custom Font, Custom CSS,Woo Widget, Menu Builder, Anywhere Elementor Shortcode)
Plugin Slug: ultraaddons-elementor-lite
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.1.0
Severity Score: High
CVE: 2023-33999

WooBuddy

Plugin: BuddyPress WooCommerce My Account Integration. Create WooCommerce Member Pages
Plugin Slug: wc4bp
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.4.16
Severity Score: High
CVE: 2023-33999

Live Sales Notification for Woocommerce – Woomotiv

Plugin: Live Sales Notification for Woocommerce – Woomotiv
Plugin Slug: woomotiv
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.4
Severity Score: High
CVE: 2023-33999

Integration for WooCommerce and QuickBooks

Plugin: Integration for WooCommerce and QuickBooks
Plugin Slug: wp-woocommerce-quickbooks
Installations: 1,000+
Vulnerability: Open Redirection
Patched in Version: 1.2.4
Severity Score: Medium
CVE: 2023-38478

wpShopGermany IT-RECHT KANZLEI

Plugin: wpShopGermany IT-RECHT KANZLEI
Plugin Slug: wpshopgermany-it-recht-kanzlei
Installations: 900+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.8
Severity Score: Medium
CVE: 2023-37993

WordPress Gallery Plugin – Limb Image Gallery

Plugin: Limb Gallery | Create Beautiful Image & Video Galleries
Plugin Slug: limb-gallery
Installations: 800+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.5.6
Severity Score: High
CVE: 2023-33999

GraphComment Comment system

Plugin: GraphComment Comment system
Plugin Slug: graphcomment-comment-system
Installations: 700+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.3.5
Severity Score: High
CVE: 2023-33999

Terms & Conditions Per Product

Plugin: Terms & Conditions Per Product
Plugin Slug: terms-and-conditions-per-product
Installations: 700+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.2.6
Severity Score: High
CVE: 2023-33999

Chamber Dashboard Business Directory

Plugin: Chamber Dashboard Business Directory
Plugin Slug: chamber-dashboard-business-directory
Installations: 600+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.3.2
Severity Score: High
CVE: 2023-33999

Embed Docs – Elementor Files Addon,Elementor Docs Addon,Embed PDF, Word, PowerPoint and Excel Files in Gutenberg & Elementor

Plugin: Embed Docs – Elementor Files Addon,Elementor Docs Addon,Embed PDF, Word, PowerPoint and Excel Files in Gutenberg & Elementor
Plugin Slug: embed-docs
Installations: 600+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.0.1
Severity Score: High
CVE: 2023-33999

Embed Video Thumbnail

Plugin: Embed Video Thumbnail
Plugin Slug: embed-video-thumbnail
Installations: 600+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.3.1
Severity Score: High
CVE: 2023-33999

WordPress Form Builder Plugin – Gutenberg Forms

Plugin: Gutenberg Forms – WordPress Form Builder Plugin
Plugin Slug: forms-gutenberg
Installations: 600+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.4.0
Severity Score: High
CVE: 2023-33999

FormsCRM

Plugin: FormsCRM
Plugin Slug: formscrm
Installations: 600+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.6
Severity Score: High
CVE: 2023-33999

WZ Followed Posts – Display what visitors are reading

Plugin: WZ Followed Posts – Display what visitors are reading
Plugin Slug: where-did-they-go-from-here
Installations: 600+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.1.0
Severity Score: High
CVE: 2023-33999

Member Profile Forms / Custom Registration / Post From Profile in BuddyPress / BuddyBoss

Plugin: Member Profile Forms / Custom Registration / Post From Profile in BuddyPress / BuddyBoss
Plugin Slug: buddyforms-members
Installations: 500+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.4.12
Severity Score: High
CVE: 2023-33999

WPEventPartners Demo Import

Plugin: WPEventPartners Demo Import
Plugin Slug: wep-demo-import
Installations: 500+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.0.4
Severity Score: High
CVE: 2023-33999

Advanced WC Analytics – Google Analytics Dashboard for WooCommerce

Plugin: WooCommerce Google Analytics Integration By Advanced WC Analytics
Plugin Slug: advance-wc-analytics
Installations: 400+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.4.0
Severity Score: High
CVE: 2023-33999

Display WP Admin Pages in the Frontend – WP Frontend Admin

Plugin: WP Frontend Admin – Display WP Admin Pages in the Frontend
Plugin Slug: display-admin-page-on-frontend
Installations: 400+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.21.1
Severity Score: High
CVE: 2023-33999

Product Filter Widget for Elementor

Plugin: Product Filter Widget for Elementor
Plugin Slug: product-filter-widget-for-elementor
Installations: 400+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.0.2
Severity Score: High
CVE: 2023-33999

what3words Address Field

Plugin: what3words Address Field
Plugin Slug: 3-word-address-validation-field
Installations: 300+
Vulnerability: Sensitive Data Exposure
Patched in Version: 4.0.1
Severity Score: Medium
CVE: 2021-4428

Advanced Custom Fields Frontend Forms – ACF Forms – ACF Post Form – ACF Registration Form – ACF Content Form – ACF Profile Form

Plugin: Advanced Custom Fields Frontend Forms – ACF Forms – ACF Post Form – ACF Registration Form – ACF Content Form – ACF Profile Form
Plugin Slug: buddyforms-acf
Installations: 300+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.3.5
Severity Score: High
CVE: 2023-33999

BuddyForms Ultimate Member

Plugin: BuddyForms Ultimate Member
Plugin Slug: buddyforms-ultimate-member
Installations: 300+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.3.8
Severity Score: High
CVE: 2023-33999

Gift Message for WooCommerce

Plugin: Gift Message for WooCommerce
Plugin Slug: gift-message-for-woocommerce
Installations: 300+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.7.5
Severity Score: High
CVE: 2023-33999

Ultimate LinkedIn Integration

Plugin: Ultimate LinkedIn Integration
Plugin Slug: linkedin-login
Installations: 300+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.0
Severity Score: High
CVE: 2023-33999

Shipping for Nova Poshta

Plugin: Shipping for Nova Poshta
Plugin Slug: nova-poshta-ttn
Installations: 300+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.8.1
Severity Score: High
CVE: 2023-33999

Spice Blocks

Plugin: Spice Blocks
Plugin Slug: spice-blocks
Installations: 300+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.3
Severity Score: High
CVE: 2023-33999

WooCommerce Country Catalogs – Product Country Restrictions

Plugin: WooCommerce Country Catalogs – Product Country Restrictions
Plugin Slug: woo-country-restrictions-advanced
Installations: 300+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.14.3
Severity Score: High
CVE: 2023-33999

2MB Autocode

Plugin: 2MB Autocode
Plugin Slug: 2mb-autocode
Installations: 200+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.2.6
Severity Score: High
CVE: 2023-33999

Checkbox

Plugin: Checkbox
Plugin Slug: checkbox
Installations: 200+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 0.8.5
Severity Score: High
CVE: 2023-33999

WordPress Image Compression and Optimizer Plugin – CheetahO

Plugin: WordPress Image Compression and Optimizer Plugin – CheetahO
Plugin Slug: cheetaho-image-optimizer
Installations: 200+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.4.3.1
Severity Score: High
CVE: 2023-33999

Multicollab – Google Doc-Style Editorial Commenting for WordPress

Plugin: Multicollab – Google Docs-Style Editorial Collaboration in WordPress
Plugin Slug: commenting-feature
Installations: 200+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.2
Severity Score: High
CVE: 2023-33999

Content Blocks Builder

Plugin: Content Blocks Builder
Plugin Slug: content-blocks-builder
Installations: 200+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.3.17
Severity Score: High
CVE: 2023-33999

WordPress Job Board and Recruitment Plugin – JobWP

Plugin: WordPress Job Board and Recruitment Plugin – JobWP
Plugin Slug: jobwp
Installations: 200+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.0
Severity Score: High
CVE: 2023-33999

Joli FAQ SEO – WordPress FAQ Plugin

Plugin: Joli FAQ SEO – WordPress FAQ Plugin
Plugin Slug: joli-faq-seo
Installations: 200+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.3.1
Severity Score: High
CVE: 2023-33999

RSS Control

Plugin: RSS Control
Plugin Slug: rss-control
Installations: 200+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.0.8
Severity Score: High
CVE: 2023-33999

Simple Tour Guide

Plugin: Simple Tour Guide
Plugin Slug: simple-tour-guide
Installations: 200+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.0.6
Severity Score: High
CVE: 2023-33999

Coming Soon Pages for WordPress – Coming Soon Booster

Plugin: Coming Soon Pages for WordPress – Coming Soon Booster
Plugin Slug: wp-coming-soon-booster
Installations: 200+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.0.7
Severity Score: High
CVE: 2023-33999

WP SPID Italia

Plugin: WP SPID Italia
Plugin Slug: wp-spid-italia
Installations: 200+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.5
Severity Score: High
CVE: 2023-33999

AI Tools – Chatbot, ChatGPT, Content Generator, Image Generator, Artificial Intelligence GPT

Plugin: AI Tools – Chatbot, ChatGPT, Content Generator, Image Generator, Artificial Intelligence GPT
Plugin Slug: artificial-intelligence-auto-content-generator
Installations: 100+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.0.0
Severity Score: High
CVE: 2023-33999

Coming Soon Master

Plugin: Coming Soon Master
Plugin Slug: coming-soon-master
Installations: 100+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.2
Severity Score: High
CVE: 2023-33999

EthereumICO

Plugin: EthereumICO
Plugin Slug: ethereumico
Installations: 100+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.4.4
Severity Score: High
CVE: 2023-33999

Files Download Delay

Plugin: Files Download Delay
Plugin Slug: files-download-delay
Installations: 100+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.0.9
Severity Score: High
CVE: 2023-33999

Bulk Landing Page Creator for WordPress – LPagery

Plugin: Bulk Landing Page Creator for WordPress – LPagery
Plugin Slug: lpagery
Installations: 100+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.2.6
Severity Score: High
CVE: 2023-33999

Mobile App Editor – WordPress to Android App Builder

Plugin: Mobile App Editor – WordPress to Android App Builder
Plugin Slug: mobile-app-editor
Installations: 100+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.2.0
Severity Score: High
CVE: 2023-33999

Search Field for Gravity Forms

Plugin: Search Field for Gravity Forms
Plugin Slug: search-field-for-gravity-forms
Installations: 100+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 0.6
Severity Score: High
CVE: 2023-33999

Stellar Places

Plugin: Stellar Places
Plugin Slug: stellar-places
Installations: 100+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.1
Severity Score: High
CVE: 2023-33999

Subaccounts for WooCommerce

Plugin: Subaccounts for WooCommerce
Plugin Slug: subaccounts-for-woocommerce
Installations: 100+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.4.0
Severity Score: High
CVE: 2023-33999

WN Flipbox Pro

Plugin: WN Flipbox Pro
Plugin Slug: wn-flipbox-pro
Installations: 100+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.1
Severity Score: High
CVE: 2023-33999

Bing Custom Search for WordPress

Plugin: Bing Custom Search for WordPress
Plugin Slug: wp-bing-search
Installations: 100+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.6.3
Severity Score: High
CVE: 2023-33999

WP Tools Divi Blog Carousel

Plugin: WP Tools Divi Blog Carousel
Plugin Slug: wp-tools-divi-blog-carousel
Installations: 100+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.3.1
Severity Score: High
CVE: 2023-33999

Display Data on your site! Create Dynamic Content Templates from any form of data. Works with ACF, Pods, BuddyPress/ BuddyBoss

Plugin: Display Data on your site! Create Dynamic Content Templates from any form of data. Works with ACF, Pods, BuddyPress/ BuddyBoss
Plugin Slug: buddyforms-hook-fields
Installations: 90+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.3.2
Severity Score: High
CVE: 2023-33999

Contact Form By Mega Forms – Drag and Drop Form Builder

Plugin: Contact Form By Mega Forms – Drag and Drop Form Builder
Plugin Slug: mega-forms
Installations: 90+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.1.3
Severity Score: High
CVE: 2023-33999

Ultimate Custom ScrollBar

Plugin: Ultimate Custom ScrollBar
Plugin Slug: ultimate-custom-scrollbar
Installations: 90+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.2
Severity Score: High
CVE: 2023-33999

WPGutenBlog Demo Import

Plugin: WPGutenBlog Demo Import
Plugin Slug: layouts-importer
Installations: 80+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.0.3
Severity Score: High
CVE: 2023-33999

SV100 Companion

Plugin: SV100 Companion
Plugin Slug: sv100-companion
Installations: 80+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.0.00
Severity Score: High
CVE: 2023-33999

Blocks Product Editor for WooCommerce

Plugin: Blocks Product Editor for WooCommerce
Plugin Slug: blocks-product-editor-for-woocommerce
Installations: 70+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.0.2
Severity Score: High
CVE: 2023-33999

Variable Inspector

Plugin: Variable Inspector
Plugin Slug: variable-inspector
Installations: 70+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.4.0
Severity Score: High
CVE: 2023-33999

Stripe Express

Plugin: Stripe Express
Plugin Slug: wp-stripe-express
Installations: 60+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.12.1
Severity Score: High
CVE: 2023-33999

BuddyForms Form Elements for WooCommerce

Plugin: BuddyForms Form Elements for WooCommerce
Plugin Slug: buddyforms-woocommerce-form-elements
Installations: 50+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.4.3
Severity Score: High
CVE: 2023-33999

Order Redirects for WooCommerce

Plugin: Order Redirects for WooCommerce
Plugin Slug: order-redirects-for-woocommerce
Installations: 40+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 0.8.1
Severity Score: High
CVE: 2023-33999

Simple blueprint installer

Plugin: Simple blueprint installer
Plugin Slug: simple-blueprint-installer
Installations: 40+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.0.2
Severity Score: High
CVE: 2023-33999

BuddyForms Moderation ( Former: Review Logic )

Plugin: BuddyForms Moderation ( Former: Review Logic )
Plugin Slug: buddyforms-review
Installations: 30+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.4.8
Severity Score: High
CVE: 2023-33999

Import Holded for WooCommerce or Easy Digital Downloads

Plugin: Connect WooCommerce Holded
Plugin Slug: import-holded-products-woocommerce
Installations: 30+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.0
Severity Score: High
CVE: 2023-33999

Order Picking For WooCommerce

Plugin: Order Picking For WooCommerce
Plugin Slug: order-picking-for-woocommerce
Installations: 30+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.0.2
Severity Score: High
CVE: 2023-33999

ShortcodeHub – MultiPurpose Shortcode Builder

Plugin: ShortcodeHub – MultiPurpose Shortcode Builder
Plugin Slug: shortcodehub
Installations: 30+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.4.0
Severity Score: High
CVE: 2023-33999

WPEForm Lite – Drag and Drop Live Form Builder for Contact, Payment & Quiz Forms

Plugin: WPEForm Lite – Drag and Drop Live Form Builder for Contact, Payment & Quiz Forms
Plugin Slug: wpeform-lite
Installations: 30+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.6.5
Severity Score: High
CVE: 2023-33999

CO2ok: carbon offsetting for e-commerce

Plugin: ClimateClick: Climate Action for all
Plugin Slug: co2ok-for-woocommerce
Installations: 20+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.0.4
Severity Score: High
CVE: 2023-33999

SV Forms

Plugin: SV Forms
Plugin Slug: sv-forms
Installations: 20+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.0.02
Severity Score: High
CVE: 2023-33999

SV Posts

Plugin: SV Posts
Plugin Slug: sv-posts
Installations: 20+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.0.00
Severity Score: High
CVE: 2023-33999

Video Analytics for Cloudflare Stream

Plugin: Video Analytics for Cloudflare Stream
Plugin Slug: video-analytics-for-cloudflare-stream
Installations: 20+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.2
Severity Score: High
CVE: 2023-33999

WP Table Pixie

Plugin: WP Table Pixie
Plugin Slug: wp-table-pixie
Installations: 20+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.2.0
Severity Score: High
CVE: 2023-33999

CF7 ReCaptcha Mine

Plugin: CF7 ReCaptcha Mine
Plugin Slug: cf7-recaptcha-mine
Installations: 10+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.0.0
Severity Score: High
CVE: 2023-33999

Convoworks WP

Plugin: Convoworks WP
Plugin Slug: convoworks-wp
Installations: 10+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 0.22.15
Severity Score: High
CVE: 2023-33999

Custom Welcome Guide

Plugin: Custom Welcome Guide
Plugin Slug: custom-welcome-guide
Installations: 10+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.0.9
Severity Score: High
CVE: 2023-33999

DeMomentSomTres Gravity Forms Improvements

Plugin: DeMomentSomTres Gravity Forms Improvements
Plugin Slug: demomentsomtres-gravity-forms-improvements
Installations: 10+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 201805021810
Severity Score: High
CVE: 2023-33999

Fast Custom Social Share by CodeBard

Plugin: Fast Custom Social Share by CodeBard
Plugin Slug: fast-custom-social-share-by-codebard
Installations: 10+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.1.0
Severity Score: High
CVE: 2023-33999

Contact form builder for Gutenberg – Formello

Plugin: Contact form builder for Gutenberg – Formello
Plugin Slug: formello
Installations: 10+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.3.1
Severity Score: High
CVE: 2023-33999

Menukaart – Restaurant Menu & Online Ordering with WooCommerce

Plugin: Menukaart – Restaurant Menu & Online Ordering with WooCommerce
Plugin Slug: menukaart
Installations: 10+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.4
Severity Score: High
CVE: 2023-33999

SV Columns Manager

Plugin: SV Columns Manager
Plugin Slug: sv-columns-manager
Installations: 10+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.0.00
Severity Score: High
CVE: 2023-33999

Divi Testimonial Plus

Plugin: Divi Testimonial Plus
Plugin Slug: website-testimonials
Installations: 10+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 6.1.1
Severity Score: High
CVE: 2023-33999

WP Signals

Plugin: WP Signals
Plugin Slug: wp-signals
Installations: 10+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.0.0
Severity Score: High
CVE: 2023-33999

BuddyForms Anonymous Author

Plugin: BuddyForms Anonymous Author
Plugin Slug: buddyforms-anonymous-author
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.1
Severity Score: High
CVE: 2023-33999

BuddyForms Attach Post with Group

Plugin: BuddyForms Attach Post with Group
Plugin Slug: buddyforms-attach-posts-to-groups-extension
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.2.3
Severity Score: High
CVE: 2023-33999

BuddyForms Hierarchical Posts

Plugin: BuddyForms Hierarchical Posts
Plugin Slug: buddyforms-hierarchical-posts
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.1.4
Severity Score: High
CVE: 2023-33999

BuddyForms Posts 2 Posts

Plugin: BuddyForms Posts 2 Posts
Plugin Slug: buddyforms-posts-to-posts-integration
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.1
Severity Score: High
CVE: 2023-33999

BuddyForms Remote

Plugin: BuddyForms Remote
Plugin Slug: buddyforms-remote
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.0.5
Severity Score: High
CVE: 2023-33999

Caldera Forms

Plugin: Caldera Forms
Plugin Slug: caldera-forms
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.7.5.1
Severity Score: High
CVE: 2023-33999

Simple Freemius Shop

Plugin: Simple Freemius Shop
Plugin Slug: checkout-freemius-rewamped
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.0.0
Severity Score: High
CVE: 2023-33999

Convert Pro

Plugin: Convert Pro
Plugin Slug: convertpro
Vulnerability: Broken Access Control
Patched in Version: 1.7.6
Severity Score: High
CVE: 2023-36684

DeMomentSomTres Subscribe

Plugin: DeMomentSomTres Subscribe
Plugin Slug: demomentsomtres-mailchimp-subscribe
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.201903272301
Severity Score: High
CVE: 2023-33999

DEV.LAND

Plugin: DEV.LAND
Plugin Slug: dev-land
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.0.5
Severity Score: High
CVE: 2023-33999

DokoBuilder : DIY Product Bundle for WooCommerce

Plugin: DokoBuilder : DIY Product Bundle for WooCommerce
Plugin Slug: doko-box-builder
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.0.1
Severity Score: High
CVE: 2023-33999

Expandable Paywall

Plugin: Expandable Paywall
Plugin Slug: expandable-paywall
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.0.17
Severity Score: High
CVE: 2023-33999

External Media Upload

Plugin: External Media Upload
Plugin Slug: external-media-upload
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 0.4
Severity Score: High
CVE: 2023-33999

Frontend Admin – Add and edit posts, pages, users and more all from the frontend

Plugin: Frontend Admin – Add and edit posts, pages, users and more all from the frontend
Plugin Slug: frontend-admin
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.8.0
Severity Score: High
CVE: 2023-33999

Gallery Bank

Plugin: Gallery Bank
Plugin Slug: gallery-bank
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 4.0.19
Severity Score: High
CVE: 2023-33999

Map Plugin alternative to Google Maps using MapQuest, with directions

Plugin: Map Plugin alternative to Google Maps using MapQuest, with directions
Plugin Slug: get-directions
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.16.2
Severity Score: High
CVE: 2023-33999

Information for help

Plugin: Information for help
Plugin Slug: information-for-help
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 0.0.3
Severity Score: High
CVE: 2023-33999

Google Maps Plugin by Intergeo

Plugin: Google Maps Plugin by Intergeo
Plugin Slug: intergeo-maps
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.1.6
Severity Score: High
CVE: 2023-33999

Oxygen Builder

Plugin: Oxygen Builder
Plugin Slug: oxygen
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 4.4
Severity Score: Medium
CVE: 2022-46841

Popups

Plugin: Popups
Plugin Slug: popups
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.8
Severity Score: High
CVE: 2023-33999

Remove WP Update Nags

Plugin: Remove WP Update Nags
Plugin Slug: remove-wp-update-nags
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.5.0
Severity Score: High
CVE: 2023-33999

SV Media Library

Plugin: SV Media Library
Plugin Slug: sv-media-library
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.0.00
Severity Score: High
CVE: 2023-33999

BuddyPress Groups Integration for WooCommerce

Plugin: BuddyPress Groups Integration for WooCommerce
Plugin Slug: wc4bp-groups
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.1.1
Severity Score: High
CVE: 2023-33999

WP Cloud Server

Plugin: WP Cloud Server
Plugin Slug: wp-cloud-server
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.0.0
Severity Score: High
CVE: 2023-33999

WP Native Articles – Instant Articles Plugin for WordPress

Plugin: WP Native Articles – Instant Articles Plugin for WordPress
Plugin Slug: wp-native-articles
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.2.0
Severity Score: High
CVE: 2023-33999

Schema Pro

Plugin: Schema Pro
Plugin Slug: wp-schema-pro
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 2.7.8
Severity Score: Medium
CVE: 2023-36682

WP Scrive by Webbstart

Plugin: WP Scrive by Webbstart
Plugin Slug: wp-scrive
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.2.4
Severity Score: High
CVE: 2023-33999

WPCasa Mail Alert

Plugin: WPCasa Mail Alert
Plugin Slug: wpcasa-mail-alert
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.3.0
Severity Score: High
CVE: 2023-33999

WordPress Plugin Vulnerabilities — Unpatched

This section contains plugin vulnerabilities with no known fix. Until a patch is available, you are advised to deactivate the plugin, at minimum, immediately. If there is a high risk of active exploits or the plugin remains unpatched for weeks, you are advised to delete the plugin. You should also delete persistently unpatched plugins the WordPress.org repository has locked and marked “Closed” so they can no longer be downloaded and installed.

WPS Limit Login

Plugin: WPS Limit Login
Plugin Slug: wps-limit-login
Installations: 60,000+
Vulnerability: Race Condition
Patched in Version: No Fix
Severity Score: Low
CVE: 2023-39160

Custom Field Template

Plugin: Custom Field Template
Plugin Slug: custom-field-template
Installations: 50,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-38392

Social Share Icons & Social Share Buttons

Plugin: Social Share Icons & Social Share Buttons
Plugin Slug: ultimate-social-media-plus
Installations: 30,000+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-38514

WP-CopyProtect [Protect your blog posts]

Plugin: WP-CopyProtect [Protect your blog posts]
Plugin Slug: wp-copyprotect
Installations: 20,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-25025

Elastic Email Sender

Plugin: Elastic Email Sender
Plugin Slug: elastic-email-sender
Installations: 10,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-38387

GTmetrix for WordPress

Plugin: GTmetrix for WordPress
Plugin Slug: gtmetrix-for-wordpress
Installations: 10,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-37996

Molongui

Plugin: Author Box for Authors, Co-Authors, Multiple Authors and Guest Authors – Molongui
Plugin Slug: molongui-authorship
Installations: 9,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-39164

Pinpoint Booking System

Plugin: Pinpoint Booking System – #1 WordPress Booking Plugin
Plugin Slug: booking-system
Installations: 5,000+
Vulnerability: Content Spoofing
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-38520

Borderless

Plugin: Borderless – Widgets, Elements, Templates and Toolkit for Elementor & Gutenberg
Plugin Slug: borderless
Installations: 5,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-38518

Art Decoration Shortcode

Plugin: Art Decoration Shortcode
Plugin Slug: art-decoration-shortcode
Installations: 4,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-37994

Banner Management For WooCommerce

Plugin: Banner Management For WooCommerce
Plugin Slug: banner-management-for-woocommerce
Installations: 4,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-39158

Fraud Prevention For Woocommerce

Plugin: Fraud Prevention For Woocommerce
Plugin Slug: woo-blocker-lite-prevent-fake-orders-and-blacklist-fraud-customers
Installations: 4,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-39159

Google Map Shortcode

Plugin: Google Map Shortcode
Plugin Slug: google-map-shortcode
Installations: 3,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-38396

MultiParcels Shipping For WooCommerce

Plugin: MultiParcels Shipping For WooCommerce
Plugin Slug: multiparcels-shipping-for-woocommerce
Installations: 3,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High

Server Info

Plugin: Server Info
Plugin Slug: server-info
Installations: 3,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-33999

Language

Plugin: WordPress Language
Plugin Slug: wordpress-language
Installations: 3,000+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-38383

WP Emoji One

Plugin: WP Emoji One
Plugin Slug: wp-emoji-one
Installations: 3,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-37991

WP Quick Post Duplicator

Plugin: WP Quick Post Duplicator
Plugin Slug: wp-quick-post-duplicator
Installations: 3,000+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-31214

Booster Elementor Addons

Plugin: Booster Elementor Addons
Plugin Slug: booster-for-elementor
Installations: 2,000+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-38480

Instant CSS

Plugin: Instant CSS
Plugin Slug: instant-css
Installations: 2,000+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-38483

CodeBard’s Patron Button and Widgets for Patreon

Plugin: CodeBard's Patron Button and Widgets for Patreon
Plugin Slug: patron-button-and-widgets-by-codebard
Installations: 2,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-30491

Simple Googlebot Visit

Plugin: Simple Googlebot Visit
Plugin Slug: simple-googlebot-visit
Installations: 2,000+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-38479

QR code MeCard/vCard generator

Plugin: QR code MeCard/vCard generator
Plugin Slug: wp-qrcode-me-v-card
Installations: 2,000+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-38477

WRC Pricing Tables

Plugin: WRC Pricing Tables
Plugin Slug: wrc-pricing-tables
Installations: 2,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-38517

Audio Player with Playlist Ultimate

Plugin: Audio Player with Playlist Ultimate
Plugin Slug: audio-player-with-playlist-ultimate
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-38516

Client Portal : SuiteDash Direct Login

Plugin: Client Portal : SuiteDash Direct Login
Plugin Slug: client-portal-suitedash-login
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-38476

Go Fetch Jobs (for WP Job Manager)

Plugin: Go Fetch Jobs (for WP Job Manager)
Plugin Slug: go-fetch-jobs-wp-job-manager
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-33999

Mobile Address Bar Changer

Plugin: Mobile Address Bar Changer
Plugin Slug: mobile-address-bar-changer
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-38390

Perelink Pro

Plugin: Perelink Pro
Plugin Slug: perelink
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-37990

Post List With Featured Image

Plugin: Post List With Featured Image
Plugin Slug: post-list-with-featured-image
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-37997

Post Affiliate Pro

Plugin: Post Affiliate Pro
Plugin Slug: postaffiliatepro
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-38482

Remove Duplicate Posts

Plugin: Remove Duplicate Posts
Plugin Slug: remove-duplicate-posts
Installations: 1,000+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-29237

Donations Made Easy – Smart Donations

Plugin: Donations Made Easy – Smart Donations
Plugin Slug: smart-donations
Installations: 1,000+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-38475

Taboola

Plugin: Taboola
Plugin Slug: taboola
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-38398

Exifography

Plugin: Exifography
Plugin Slug: thesography
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-38521

Onepage Builder – Easiest Landing Page Builder For WordPress

Plugin: Onepage Builder – Easiest Landing Page Builder For WordPress
Plugin Slug: tx-onepager
Installations: 1,000+
Vulnerability: SQL Injection
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-38391

eaSYNC

Plugin: Free Booking Plugin for Hotels, Restaurant and Car Rental – eaSYNC
Plugin Slug: easync-booking
Installations: 300+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-38384

Post Connector

Plugin: Post Connector
Plugin Slug: post-connector
Installations: 100+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-28931

Smarty for WordPress

Plugin: Smarty for WordPress
Plugin Slug: smarty-for-wordpress
Installations: 100+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-37992

Gestion-Pymes

Plugin: Gestion-Pymes
Plugin Slug: gestion-pymes
Installations: 10+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-38397

Woocommerce Delivery Date Premium

Plugin: Woocommerce Delivery Date Premium
Plugin Slug: woocommerce-delivery-date
Installations: 10+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-33999

bbResolutions

Plugin: bbResolutions
Plugin Slug: bbresolutions
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-33999

BlogPost – BlogPost Widgets – Amazing Blog Layouts

Plugin: BlogPost – BlogPost Widgets – Amazing Blog Layouts
Plugin Slug: blogpost-widgets
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-33999

CF7 Constant Contact Fields Mapping

Plugin: CF7 Constant Contact Fields Mapping
Plugin Slug: cf7-constant-contact-fields-mapping
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-33999

WP Clone Menu

Plugin: WP Clone Menu
Plugin Slug: clone-menu
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-38395

DancePress (TRWA)

Plugin: DancePress (TRWA)
Plugin Slug: dancepress-trwa
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-33999

DeMomentSomTres Immediate Send

Plugin: DeMomentSomTres Immediate Send
Plugin Slug: demomentsomtres-mailchimp-immediate-send
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-33999

Disabler

Plugin: Disabler
Plugin Slug: disabler
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-37998

WordPress Easy Call Now Button by elixirs.io

Plugin: WordPress Easy Call Now Button by elixirs.io
Plugin Slug: easy-call-now-button
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-33999

Extend Filter Products By Price Widget

Plugin: Extend Filter Products By Price Widget
Plugin Slug: extend-filter-products-by-price-widget
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-33999

Easy Responsive Pricing Tables

Plugin: Easy Responsive Pricing Tables
Plugin Slug: fullworks-pricing-tables
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-33999

Jupiter X Core

Plugin: JupiterX Core
Plugin Slug: jupiterx-core
Vulnerability: Arbitrary File Download
Patched in Version: No Fix
Severity Score: High
CVE: 2023-3813

WP Logger

Plugin: WP Logger
Plugin Slug: lite-wp-logger
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-33999

LWS Affiliation

Plugin: LWS Affiliation
Plugin Slug: lws-affiliation
Vulnerability: Local File Inclusion
Patched in Version: No Fix
Severity Score: Critical
CVE: 2023-32297

Menu Item Scheduler

Plugin: Menu Item Scheduler
Plugin Slug: menu-item-scheduler
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-33999

Protect Uploads with Login – Protect Your Uploads

Plugin: Protect Uploads with Login – Protect Your Uploads
Plugin Slug: protect-uploads-with-login-page
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-33999

Quasar form

Plugin: Quasar form
Plugin Slug: quasar-form
Vulnerability: SQL Injection
Patched in Version: No Fix
Severity Score: High
CVE: 2023-35910

Role Based Bulk Quantity Pricing

Plugin: Role Based Bulk Quantity Pricing
Plugin Slug: role-based-bulk-quantity-pricing
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-33999

Page Builder for Gutenberg – StarterBlocks

Plugin: Page Builder for Gutenberg – StarterBlocks
Plugin Slug: starterblocks
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-33999

Subscribe to Category

Plugin: Subscribe to Category
Plugin Slug: subscribe-to-category
Vulnerability: SQL Injection
Patched in Version: No Fix
Severity Score: Critical
CVE: 2023-32590

tagDiv Composer

Plugin: tagDiv Composer
Plugin Slug: td-composer
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-39166

Ultra Elementor Addons

Plugin: Ultra Elementor Addons
Plugin Slug: ultra-elementor-addons
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-33999

WordPress Auto SEO Plugin – Upfiv SEO Wizard

Plugin: WordPress Auto SEO Plugin – Upfiv SEO Wizard
Plugin Slug: upfiv-complete-all-in-one-seo-wizard
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-33999

User Email Verification for WooCommerce

Plugin: User Email Verification for WooCommerce
Plugin Slug: woo-confirmation-email
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-39162

WP-FlyBox

Plugin: WP-FlyBox
Plugin Slug: wp-flybox
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-38381

WooCommerce Sync for Google Sheet

Plugin: WordPress WooCommerce Sync for Google Sheet
Plugin Slug: wp-woo-commerce-sync-for-g-sheet
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-33999

WordPress Theme Vulnerabilities

In this section, you’ll find the latest WordPress theme vulnerabilities to be disclosed. You’ll see the same information we provided above for vulnerable plugins, and the same advice applies. If a security update exists, install it immediately. If a vulnerability remains unpatched in a theme you are actively using, you must find an alternative theme. Deactivate and delete persistently unpatched themes and those marked “Closed” in the WordPress.org theme repository. If you have a vulnerable theme installed that you are not actively using, delete it.

Bootstrap Blog

Theme: Bootstrap Blog
Theme Slug: bootstrap-blog
Downloads: 87,177
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 10.2.3
Severity Score: High
CVE: 2023-33999

Ona

Theme: Ona
Theme Slug: ona
Downloads: 86,847
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.18.3
Severity Score: High
CVE: 2023-33999

Yuki

Theme: Yuki
Theme Slug: yuki
Downloads: 74,316
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-33999

Techism

Theme: Techism
Theme Slug: techism
Downloads: 58,069
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-33999

Chic Lifestyle

Theme: Chic Lifestyle
Theme Slug: chic-lifestyle
Downloads: 57,532
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 10.0.8
Severity Score: High
CVE: 2023-33999

Lifestyle Magazine

Theme: Lifestyle Magazine
Theme Slug: lifestyle-magazine
Downloads: 49,638
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 10.2.1
Severity Score: High
CVE: 2023-33999

SalesZone

Theme: SalesZone
Theme Slug: saleszone
Downloads: 45,813
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-33999

Travel Tour

Theme: Travel Tour
Theme Slug: travel-tour
Downloads: 39,431
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.2.0
Severity Score: High
CVE: 2023-33999

Brand

Theme: Brand
Theme Slug: brand
Downloads: 32,911
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-33999

WP Sierra

Theme: WP Sierra
Theme Slug: wp-sierra
Downloads: 31,861
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-33999

Eighteen tags

Theme: Eighteen tags
Theme Slug: eighteen-tags
Downloads: 26,056
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-33999

Hasium

Theme: Hasium
Theme Slug: hasium
Downloads: 23,338
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-33999

Broadcast Lite

Theme: Broadcast Lite
Theme Slug: broadcast-lite
Downloads: 21,268
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.0.8
Severity Score: High
CVE: 2023-33999

Salzburg Blog

Theme: Salzburg Blog
Theme Slug: salzburg-blog
Downloads: 21,114
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-33999

Everse

Theme: Everse
Theme Slug: everse
Downloads: 19,143
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.8.12
Severity Score: High
CVE: 2023-33999

Speculor

Theme: Speculor
Theme Slug: speculor
Downloads: 17,306
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-33999

Meridia

Theme: Meridia
Theme Slug: meridia
Downloads: 16,976
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.2.8
Severity Score: High
CVE: 2023-33999

Aquarella Lite

Theme: Aquarella Lite
Theme Slug: aquarella-lite
Downloads: 16,673
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-33999

Consultpress Lite

Theme: ConsultPress Lite
Theme Slug: consultpress-lite
Downloads: 15,868
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-33999

Topcat Lite

Theme: Topcat Lite
Theme Slug: topcat-lite
Downloads: 15,747
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-33999

Shuban

Theme: Shuban
Theme Slug: shuban
Downloads: 13,783
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-33999

Purus

Theme: Purus
Theme Slug: purus
Downloads: 13,561
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-33999

Elation

Theme: Elation
Theme Slug: elation
Downloads: 13,250
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-33999

GutenBook

Theme: GutenBook
Theme Slug: gutenbook
Downloads: 13,216
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-33999

Chained

Theme: Chained
Theme Slug: chained
Downloads: 12,157
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-33999

Elasta

Theme: Elasta
Theme Slug: elasta
Downloads: 11,744
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.0.9
Severity Score: High
CVE: 2023-33999

Purosa

Theme: Purosa
Theme Slug: purosa
Downloads: 11,224
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.1.3
Severity Score: High
CVE: 2023-33999

LearnMore

Theme: LearnMore
Theme Slug: learnmore
Downloads: 9,915
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-33999

WPCake

Theme: WPCake
Theme Slug: wpcake
Downloads: 8,708
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-33999

Nokke

Theme: Nokke
Theme Slug: nokke
Downloads: 8,472
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.2.4
Severity Score: High
CVE: 2023-33999

Arendelle

Theme: Arendelle
Theme Slug: arendelle
Downloads: 8,463
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.1.13
Severity Score: High
CVE: 2023-33999

PixiGo

Theme: PixiGo
Theme Slug: pixigo
Downloads: 7,670
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-33999

WP Moose

Theme: WP Moose
Theme Slug: wp-moose
Downloads: 7,516
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-33999

G Blog

Theme: G Blog
Theme Slug: g-blog
Downloads: 6,993
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-33999

NicheBase

Theme: NicheBase
Theme Slug: nichebase
Downloads: 6,985
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.2.3
Severity Score: High
CVE: 2023-33999

Cuisine Palace

Theme: Cuisine Palace
Theme Slug: cuisine-palace
Downloads: 6,091
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-33999

Amela

Theme: Amela
Theme Slug: amela
Downloads: 6,063
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.0.14
Severity Score: High
CVE: 2023-33999

Agncy

Theme: Agncy
Theme Slug: agncy
Downloads: 6,032
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-33999

Travel Agency Booking

Theme: Travel Agency Booking
Theme Slug: travel-agency-booking
Downloads: 5,703
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-33999

Bootstrap Fitness

Theme: Bootstrap Fitness
Theme Slug: bootstrap-fitness
Downloads: 5,569
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.0.6
Severity Score: High
CVE: 2023-33999

Bootstrap Coach

Theme: Bootstrap Coach
Theme Slug: bootstrap-coach
Downloads: 5,146
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.1.2
Severity Score: High
CVE: 2023-33999

Blockst

Theme: Blockst
Theme Slug: blockst
Downloads: 3,309
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.0.9
Severity Score: High
CVE: 2023-33999

Relax Spa

Theme: Relax Spa
Theme Slug: relax-spa
Downloads: 2,572
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.1.1
Severity Score: High
CVE: 2023-33999

Villar

Theme: Villar
Theme Slug: villar
Downloads: 3,995
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-33999

BlogHub

Theme: BlogHub
Theme Slug: bloghub
Downloads: 3,575
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-33999

Viralike

Theme: Viralike
Theme Slug: viralike
Downloads: 3,245
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-33999

NewsHit

Theme: NewsHit
Theme Slug: newshit
Downloads: 3,073
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-33999

Simplifii

Theme: Simplifii
Theme Slug: simplifii
Downloads: 2,700
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-33999

Roven Blog

Theme: Roven Blog
Theme Slug: roven-blog
Downloads: 2,598
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-33999

Krste

Theme: Krste
Theme Slug: krste
Downloads: 2,526
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-33999

Unakit

Theme: Unakit
Theme Slug: unakit
Downloads: 2,259
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-33999

Temp Mail X

Theme: Temp Mail X
Theme Slug: temp-mail-x
Downloads: 2,215
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-33999

Rovenstart

Theme: Rovenstart
Theme Slug: rovenstart
Downloads: 1,845
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-33999

Bani

Theme: Bani
Theme Slug: bani
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-33999

Never worry about running a vulnerable plugin or theme again.

As you can see from this report, new WordPress plugin and theme vulnerabilities are disclosed every week. We know it can be difficult to stay on top of every reported vulnerability disclosure that matters to you, so the Themes Security Pro plugin makes it easy to ensure your site isn’t running a vulnerable theme, plugin, or version of WordPress core.

Scans Your Website Twice a Day for Vulnerabilities

Your website’s plugins, themes, and WordPress core versions are checked against the Patchstack Vulnerability Database for the latest vulnerability disclosures.

Automatically Updates if a Security Fix is Available

Paired with Version Management, iThemes Security will automatically update a plugin, theme, or WordPress core version if it has a vulnerability.

Emails You a Warning if Site Scan Detects a Vulnerability

You can receive an email report if your site is running vulnerable versions of a plugin, theme, or WordPress core. Customize the email addresses that receive scan results.

The Best WordPress Security Plugin to Secure & Protect WordPress Sites

WordPress currently powers over 40% of all websites, so it has become a popular target for hackers with malicious intent. The iThemes Security Pro plugin takes the guesswork out of WordPress security to make it easy to secure & protect your WordPress website. It’s like having a full-time security expert on staff who constantly monitors and protects your WordPress site for you.

Buy iThemes Security Pro

Dan Knauss

Dan Knauss is StellarWP’s Technical Content Generalist. He’s been a writer, teacher, and freelancer working in open source since the late 1990s and with WordPress since 2004.

WordPress Vulnerability Report – July 27, 2023

WordPress Core Vulnerabilities — Patched

WordPress Plugin Vulnerabilities — Patched