WordPress Vulnerability Report – July 5, 2023

This week, 70 total vulnerabilities emerged in public disclosure. They may affect over one million WordPress sites. There are 36 plugin vulnerabilities that have security patches available, so run those updates!

Additionally, there are 33 plugin vulnerabilities and one theme vulnerability with no patch available yet. If you are using any unpatched plugins or themes, check their vendors’ intentions and progress on a security release. If no patch is forthcoming or the vulnerable software has been closed and dropped from the official WordPress theme and plugin repositories, you should consider deactivation and removal in favor of alternative solutions.

WordPress core is very secure when it’s properly configured and maintained. Vulnerable plugins that have not been updated by site owners are the most common vector for attacks on WordPress websites. Our weekly WordPress Vulnerability Report, powered by Patchstack, covers new WordPress plugin, theme, and core vulnerabilities that have emerged since last week’s report. Our goal is to spread awareness of emerging security threats and help you decide what to do if you are using vulnerable software on your website. For a deeper analysis of recent trends in WordPress vulnerabilities and threat vectors, see our 2022 Annual Vulnerability Report.

These reports are published every Wednesday and include all active vulnerabilities tracked by Patchstack as of Monday since the previous report. This leaves a 48-hour window for the newest emerging vulnerabilities to be patched before full public disclosure. iThemes Security Pro users have access to vulnerability alerts emerging within this window.

In this section, you’ll find the most recently disclosed WordPress plugin vulnerabilities that have been fixed with a new release from their authors and maintainers. Please apply the updates if you are affected!

These vulnerabilities have been disclosed and scored for their severity, thanks to our friends at Patchstack. Each plugin listing includes the type of vulnerability with its CVE number and CVSS severity rating with links to more technical details. You’ll also see the number of active sites using the plugin and the plugin version release that patches the vulnerability. We start with the most popular plugins, which represent the largest target for attackers.

Formidable Forms

Plugin

Formidable Forms – Contact Form, Survey, Quiz, Calculator & Custom Form Builder

Plugin Slug

formidable

Installations

300,000+

Vulnerability

Auth. Remote Code Execution (RCE)

Patched in Version

6.3.1

Severity Score

Critical

CVE

2023-2877

Chaty

Plugin

Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button – Chaty

Plugin Slug

chaty

Installations

200,000+

Vulnerability

Authenticated Stored Cross Site Scripting (XSS)

Patched in Version

3.1.2

Severity Score

Medium

CVE

2023-3245

Ultimate Member

Plugin

Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Plugin Slug

ultimate-member

Installations

200,000+

Vulnerability

Unauthenticated Privilege Escalation

Patched in Version

2.6.7

Severity Score

Critical

CVE

2023-3460

EmbedPress

Plugin

EmbedPress – Embed PDF, YouTube, Google Docs, Vimeo, Wistia Videos, Audios, Maps & Any Documents in Gutenberg & Elementor

Plugin Slug

embedpress

Installations

80,000+

Vulnerability

Sensitive Data Exposure

Patched in Version

3.8.0

Severity Score

Medium

CVE

2023-3371

Login/Signup Popup

Plugin

Login/Signup Popup ( Inline Form + Woocommerce )

Plugin Slug

easy-login-woocommerce

Installations

30,000+

Vulnerability

Cross Site Request Forgery (CSRF)

Patched in Version

2.4

Severity Score

Medium

Social Login and Register

Plugin

WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn)

Plugin Slug

miniorange-login-openid

Installations

30,000+

Vulnerability

Authentication Broken Authentication

Patched in Version

7.6.5

Severity Score

Critical

CVE

2023-2982

Subscribe2

Plugin

Subscribe2 – Form, Email Subscribers & Newsletters

Plugin Slug

subscribe2

Installations

30,000+

Vulnerability

Broken Access Control

Patched in Version

10.41

Severity Score

Medium

CVE

2023-1844

Subscribe2

Plugin

Subscribe2 – Form, Email Subscribers & Newsletters

Plugin Slug

subscribe2

Installations

30,000+

Vulnerability

Cross Site Request Forgery (CSRF)

Patched in Version

10.41

Severity Score

Medium

CVE

2023-3407

Contact Form & Lead Form Elementor Builder

Plugin

Responsive Contact Form Builder & Lead Generation Plugin

Plugin Slug

lead-form-builder

Installations

20,000+

Vulnerability

Broken Access Control

Patched in Version

1.8.5

Severity Score

Medium

CVE

2023-25969

Supsystic Popup

Plugin

Popup by Supsystic

Plugin Slug

popup-by-supsystic

Installations

20,000+

Vulnerability

Prototype Pollution

Patched in Version

1.10.19

Severity Score

High

CVE

2023-3186

WPGraphQL

Plugin

WPGraphQL

Plugin Slug

wp-graphql

Installations

20,000+

Vulnerability

Server Side Request Forgery (SSRF)

Patched in Version

1.14.6

Severity Score

Medium

CVE

2023-23684

WP ERP

Plugin

WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting

Plugin Slug

erp

Installations

9,000+

Vulnerability

Reflected Cross Site Scripting (XSS)

Patched in Version

1.12.4

Severity Score

High

CVE

2023-2743

Active Directory Integration / LDAP Integration

Plugin

Active Directory Integration / LDAP Integration

Plugin Slug

ldap-login-for-intranet-sites

Installations

5,000+

Vulnerability

Unauthenticated LDAP Injection

Patched in Version

4.1.6

Severity Score

High

CVE

2023-3447

MStore API

Plugin

MStore API

Plugin Slug

mstore-api

Installations

5,000+

Vulnerability

Unauth. SQL Injection

Patched in Version

4.0.2

Severity Score

Critical

CVE

2023-3197

Poll Maker

Plugin

Poll Maker – Best WordPress Poll Plugin

Plugin Slug

poll-maker

Installations

5,000+

Vulnerability

Server Side Request Forgery (SSRF)

Patched in Version

4.6.3

Severity Score

Medium

CVE

2023-34013

Th Product Compare

Plugin

Product Compare for WooCommerce

Plugin Slug

th-product-compare

Installations

5,000+

Vulnerability

Broken Access Control

Patched in Version

1.2.6

Severity Score

Medium

CVE

2023-25969

Waitlist WooCommerce ( Back in stock notifier )

Plugin

Waitlist Woocommerce ( Back in stock notifier )

Plugin Slug

waitlist-woocommerce

Installations

5,000+

Vulnerability

Cross Site Request Forgery (CSRF)

Patched in Version

2.5.3

Severity Score

Medium

Short URL

Plugin

Short URL

Plugin Slug

shorten-url

Installations

2,000+

Vulnerability

Authenticated Stored Cross Site Scripting (XSS)

Patched in Version

1.6.5

Severity Score

Medium

CVE

2023-1602

Short URL

Plugin

Short URL

Plugin Slug

shorten-url

Installations

2,000+

Vulnerability

SQL Injection

Patched in Version

1.6.5

Severity Score

High

CVE

2022-46860

WP Inventory Manager

Plugin

WP Inventory Manager

Plugin Slug

wp-inventory-manager

Installations

2,000+

Vulnerability

Inventory Items Deletion via Cross Site Request Forgery (CSRF)

Patched in Version

2.1.0.14

Severity Score

Medium

CVE

2023-2842

Kanban Boards for WordPress

Plugin

Kanban Boards for WordPress

Plugin Slug

kanban

Installations

1,000+

Vulnerability

Auth. Stored Cross Site Scripting (XSS)

Patched in Version

2.5.21

Severity Score

Medium

CVE

2023-0873

Request a Quote

Plugin

Request a Quote

Plugin Slug

request-a-quote

Installations

1,000+

Vulnerability

Cross Site Request Forgery (CSRF)

Patched in Version

2.3.11

Severity Score

Medium

LiquidPoll

Plugin

LiquidPoll – Advanced Polls for Creators and Brands

Plugin Slug

wp-poll

Installations

1,000+

Vulnerability

Broken Access Control

Patched in Version

3.3.69

Severity Score

Medium

CVE

2023-36531

Front User Submit / Front Editor

Plugin

Guest posting / Frontend Posting wordpress plugin – WP Front User Submit / Front Editor

Plugin Slug

front-editor

Installations

200+

Vulnerability

Auth. Stored Cross Site Scripting (XSS)

Patched in Version

3.8.5

Severity Score

Medium

TrustProfile

Plugin

TrustProfile and reviews for WordPress

Plugin Slug

trustprofile

Installations

200+

Vulnerability

Cross Site Request Forgery (CSRF)

Patched in Version

3.25

Severity Score

Medium

Knowledge Center

Plugin

Easy Accordion FAQ and Knowledge Base Software for WordPress

Plugin Slug

knowledge-center

Installations

20+

Vulnerability

Authenticated Cross Site Scripting (XSS)

Patched in Version

2.8

Severity Score

Medium

Catalyst Connect Zoho CRM Client Portal

Plugin

Catalyst Connect Zoho CRM Client Portal

Plugin Slug

catalyst-connect-client-portal

Installations

10+

Vulnerability

Auth. Stored Cross Site Scripting (XSS)

Patched in Version

2.1.0

Severity Score

Medium

CVE

2022-44629

ARMember

Plugin

ARMember

Plugin Slug

armember-membership

Vulnerability

Stored Cross Site Scripting (XSS) on Common Messages Settings

Patched in Version

4.0.5

Severity Score

Medium

CVE

2022-47421

AutomateWoo

Plugin

AutomateWoo

Plugin Slug

automatewoo

Vulnerability

Cross Site Request Forgery (CSRF)

Patched in Version

5.7.6

Severity Score

Medium

CVE

2023-36513

AutomateWoo

Plugin

AutomateWoo

Plugin Slug

automatewoo

Vulnerability

Broken Access Control

Patched in Version

5.7.6

Severity Score

Medium

CVE

2023-36512

Houzez CRM

Plugin

Houzez CRM

Plugin Slug

houzez-crm

Vulnerability

SQL Injection

Patched in Version

1.3.5

Severity Score

Critical

CVE

2023-36529

Salon Booking System

Plugin

Salon booking system

Plugin Slug

salon-booking-system

Vulnerability

Cross Site Request Forgery (CSRF)

Patched in Version

8.4.8

Severity Score

Medium

CVE

2023-3427

LearnDash LMS

Plugin

LearnDash LMS

Plugin Slug

sfwd-lms

Vulnerability

Authenticated IDOR to Account Takeover

Patched in Version

4.6.0.1

Severity Score

High

CVE

2023-3105

WooCommerce Order Barcodes

Plugin

WooCommerce Order Barcodes

Plugin Slug

woocommerce-order-barcodes

Vulnerability

Cross Site Request Forgery (CSRF)

Patched in Version

1.6.5

Severity Score

Medium

CVE

2023-36511

WooCommerce Ship to Multiple Addresses

Plugin

WooCommerce Ship to Multiple Addresses

Plugin Slug

woocommerce-shipping-multiple-addresses

Vulnerability

Cross Site Request Forgery (CSRF)

Patched in Version

3.8.6

Severity Score

Medium

CVE

2023-36514

WP Post Author

Plugin

WP Post Author

Plugin Slug

wp-post-author

Vulnerability

Privilege Escalation

Patched in Version

3.3.0

Severity Score

Critical

This section contains plugin vulnerabilities with no known fix. Until a patch is available, you are advised to deactivate the plugin, at minimum, immediately. If there is a high risk of active exploits or the plugin remains unpatched for weeks, you are advised to delete the plugin. You should also delete persistently unpatched plugins the WordPress.org repository has locked and marked “Closed” so they can no longer be downloaded and installed.

In this section, you’ll find the latest WordPress theme vulnerabilities to be disclosed. You’ll see the same information provided above for vulnerable plugins, and the same advice applies. If a security update exists, install it immediately. If a vulnerability remains unpatched in a theme you are actively using, you will need to find an alternative theme. Deactivate and delete persistently unpatched themes and those that have been “Closed” in the WordPress.org theme repository. If you have a vulnerable theme installed that you are not actively using, simply delete it.