This week, 140 total vulnerabilities emerged in public disclosure. They may affect over 13 million WordPress sites. There are 116 plugin vulnerabilities and one theme vulnerability that have security patches available, so run those updates!
Additionally, there are 23 plugin vulnerabilities with no patch available yet. If you are using any unpatched plugins or themes, check their vendors’ intentions and progress on a security release. If no patch is forthcoming or the vulnerable software has been closed and dropped from the official WordPress theme and plugin repositories, you should consider deactivation and removal in favor of alternative solutions.
WordPress Core Vulnerabilities — Patched
WordPress core is very secure when it’s properly configured and maintained. Vulnerable plugins that have not been updated by site owners are the most common vector for attacks on WordPress websites. Our weekly WordPress Vulnerability Report, powered by Patchstack, covers new WordPress plugin, theme, and core vulnerabilities that have emerged since last week’s report. Our goal is to spread awareness of emerging security threats and help you decide what to do if you are using vulnerable software on your website. For a deeper analysis of recent trends in WordPress vulnerabilities and threat vectors, see our 2022 Annual Vulnerability Report.
These reports are published every Wednesday and include all active vulnerabilities tracked by Patchstack as of Monday since the previous report. This leaves a 48-hour window for the newest emerging vulnerabilities to be patched before full public disclosure. iThemes Security Pro users have access to vulnerability alerts emerging within this window.
WordPress Plugin Vulnerabilities — Patched
In this section, you’ll find the most recently disclosed WordPress plugin vulnerabilities that have been fixed with a new release from their authors and maintainers. Please apply the updates if you are affected!
These vulnerabilities have been disclosed and scored for their severity, thanks to our friends at Patchstack. Each plugin listing includes the type of vulnerability with its CVE number and CVSS severity rating with links to more technical details. You’ll also see the number of active sites using the plugin and the plugin version release that patches the vulnerability. We start with the most popular plugins, which represent the largest target for attackers.
WPForms Lite

- Plugin Slug
- wpforms-lite
- Installations
- 5,000,000+
- Vulnerability
- Reflected Cross Site Scripting (XSS)
- Patched in Version
- 1.8.1.3
- Severity Score
- Medium
- CVE
- 2023-30500
Ninja Forms Contact Form

- Plugin Slug
- ninja-forms
- Installations
- 900,000+
- Vulnerability
- Arbitrary File Deletion
- Patched in Version
- 3.6.25
- Severity Score
- Medium
- CVE
- 2023-36505
Complianz

- Plugin Slug
- complianz-gdpr
- Installations
- 700,000+
- Vulnerability
- Cross Site Request Forgery (CSRF) leading to Site Wide Cross Site Scripting (XSS)
- Patched in Version
- 6.4.5
- Severity Score
- High
- CVE
- 2023-33333
Complianz

- Plugin Slug
- complianz-gdpr
- Installations
- 700,000+
- Vulnerability
- Multiple Cross Site Request Forgery (CSRF)
- Patched in Version
- 6.4.6
- Severity Score
- Medium
- CVE
- 2023-34030
MainWP Child

- Plugin Slug
- mainwp-child
- Installations
- 600,000+
- Vulnerability
- Information Disclosure via Back-Up Files
- Patched in Version
- 4.4.1.2
- Severity Score
- High
- CVE
- 2023-3132
WooCommerce Payments

- Plugin Slug
- woocommerce-payments
- Installations
- 600,000+
- Vulnerability
- SQL Injection
- Patched in Version
- 5.9.1
- Severity Score
- High
- CVE
- 2023-35915
WooCommerce Payments

- Plugin Slug
- woocommerce-payments
- Installations
- 600,000+
- Vulnerability
- Insecure Direct Object References (IDOR)
- Patched in Version
- 5.9.1
- Severity Score
- High
- CVE
- 2023-35916
WooCommerce PayPal Payments

- Plugin Slug
- woocommerce-paypal-payments
- Installations
- 600,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- 2.0.5
- Severity Score
- Medium
- CVE
- 2023-35917
ProfilePress

- Plugin Slug
- wp-user-avatar
- Installations
- 300,000+
- Vulnerability
- Reflected Cross Site Scripting (XSS) via error message
- Patched in Version
- 4.11.0
- Severity Score
- High
Spam protection, AntiSpam, FireWall by CleanTalk

- Plugin Slug
- cleantalk-spam-protect
- Installations
- 200,000+
- Vulnerability
- Broken Access Control
- Patched in Version
- 6.11
- Severity Score
- High
- CVE
- 2023-33996
Metform Elementor Contact Form Builder

- Plugin Slug
- metform
- Installations
- 200,000+
- Vulnerability
- Cross Site Request Forgery (CSRF) via permalink_setup
- Patched in Version
- 3.3.3
- Severity Score
- Medium
- CVE
- 2023-2517
Photo Gallery by 10Web

- Plugin Slug
- photo-gallery
- Installations
- 200,000+
- Vulnerability
- Broken Access Control
- Patched in Version
- 1.8.16
- Severity Score
- Medium
- CVE
- 2023-33995
Ultimate Member

- Plugin Slug
- ultimate-member
- Installations
- 200,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- 2.6.1
- Severity Score
- Medium
- CVE
- 2023-31216
Unlimited Elements For Elementor

- Plugin Slug
- unlimited-elements-for-elementor
- Installations
- 200,000+
- Vulnerability
- Multiple Broken Access Control
- Patched in Version
- 1.5.66
- Severity Score
- High
- CVE
- 2023-31080
Unlimited Elements For Elementor

- Plugin Slug
- unlimited-elements-for-elementor
- Installations
- 200,000+
- Vulnerability
- Arbitrary File Upload
- Patched in Version
- 1.5.66
- Severity Score
- Critical
- CVE
- 2023-31231
WP Mail Logging

- Plugin
- WP Mail Logging
- Plugin Slug
- wp-mail-logging
- Installations
- 200,000+
- Vulnerability
- Missing Authorization to Notice Dismissal
- Patched in Version
- 1.12.0
- Severity Score
- Medium
WP Activity Log

- Plugin
- WP Activity Log
- Plugin Slug
- wp-security-audit-log
- Installations
- 200,000+
- Vulnerability
- Subscriber+ Information Leak
- Patched in Version
- 4.5.2
- Severity Score
- Medium
- CVE
- 2023-2261
Colibri Page Builder

- Plugin
- Colibri Page Builder
- Plugin Slug
- colibri-page-builder
- Installations
- 100,000+
- Vulnerability
- Auth. SQL Injection
- Patched in Version
- 1.0.229
- Severity Score
- High
- CVE
- 2023-2188
WordPress Button Plugin MaxButtons

- Plugin Slug
- maxbuttons
- Installations
- 100,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 9.6
- Severity Score
- Medium
- CVE
- 2023-36503
WooCommerce Square

- Plugin
- WooCommerce Square
- Plugin Slug
- woocommerce-square
- Installations
- 100,000+
- Vulnerability
- Insecure Direct Object References (IDOR)
- Patched in Version
- 3.8.2
- Severity Score
- High
- CVE
- 2023-35876
EmbedPress

- Plugin Slug
- embedpress
- Installations
- 80,000+
- Vulnerability
- Sensitive Data Exposure
- Patched in Version
- 3.8.0
- Severity Score
- Medium
- CVE
- 2023-3371
Bookly

- Plugin Slug
- bookly-responsive-appointment-booking-tool
- Installations
- 70,000+
- Vulnerability
- Admin+ Stored Cross Site Scripting (XSS) via service titles
- Patched in Version
- 21.8
- Severity Score
- Medium
- CVE
- 2023-1159
Conditional Menus
- Plugin
- Conditional Menus
- Plugin Slug
- conditional-menus
- Installations
- 70,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 1.2.1
- Severity Score
- High
- CVE
- 2023-2654
Tutor LMS

- Plugin Slug
- tutor
- Installations
- 70,000+
- Vulnerability
- Unauthenticated Access to Tutor LMS Lesson Resources via REST API
- Patched in Version
- 2.2.1
- Severity Score
- Medium
- CVE
- 2023-3133
Dokan

- Plugin Slug
- dokan-lite
- Installations
- 60,000+
- Vulnerability
- PHP Object Injection
- Patched in Version
- 3.7.20
- Severity Score
- Medium
- CVE
- 2023-34382
CF7 Google Sheets Connector

- Plugin Slug
- cf7-google-sheets-connector
- Installations
- 40,000+
- Vulnerability
- Reflected Cross Site Scripting (XSS)
- Patched in Version
- 5.0.2
- Severity Score
- High
- CVE
- 2023-2320
ConvertKit

- Plugin Slug
- convertkit
- Installations
- 40,000+
- Vulnerability
- Reflected Cross Site Scripting (XSS)
- Patched in Version
- 2.2.1
- Severity Score
- High
- CVE
- 2023-2337
Super Socializer

- Plugin Slug
- super-socializer
- Installations
- 40,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 7.13.53
- Severity Score
- Medium
- CVE
- 2023-35882
Super Socializer

- Plugin Slug
- super-socializer
- Installations
- 40,000+
- Vulnerability
- Reflected Cross Site Scripting (XSS)
- Patched in Version
- 7.13.52
- Severity Score
- High
- CVE
- 2023-2779
Login/Signup Popup

- Plugin Slug
- easy-login-woocommerce
- Installations
- 30,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- 2.4
- Severity Score
- Medium
Float menu

- Plugin Slug
- float-menu
- Installations
- 30,000+
- Vulnerability
- Admin+ Stored Cross Site Scripting (XSS)
- Patched in Version
- 5.0.3
- Severity Score
- Medium
- CVE
- 2023-3225
Gutenverse – Gutenberg Blocks – Page Builder for Site Editor

- Plugin Slug
- gutenverse
- Installations
- 30,000+
- Vulnerability
- Broken Access Control
- Patched in Version
- 1.8.6
- Severity Score
- Medium
- CVE
- 2023-35875
Icegram

- Plugin Slug
- icegram
- Installations
- 30,000+
- Vulnerability
- Reflected Cross Site Scripting (XSS)
- Patched in Version
- 3.1.12
- Severity Score
- High
- CVE
- 2023-2398
Subscribe2

- Plugin Slug
- subscribe2
- Installations
- 30,000+
- Vulnerability
- Broken Access Control
- Patched in Version
- 10.41
- Severity Score
- Medium
- CVE
- 2023-1844
Subscribe2

- Plugin Slug
- subscribe2
- Installations
- 30,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- 10.41
- Severity Score
- Medium
- CVE
- 2023-3407
PostX – Gutenberg Post Grid Blocks

- Plugin Slug
- ultimate-post
- Installations
- 30,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 2.9.10
- Severity Score
- High
- CVE
- 2023-36385
Abandoned Cart Lite for WooCommerce

- Plugin Slug
- woocommerce-abandoned-cart
- Installations
- 30,000+
- Vulnerability
- Stored Cross Site Scripting (XSS)
- Patched in Version
- 5.2.0
- Severity Score
- High
- CVE
- 2019-25152
ND Shortcodes

- Plugin
- ND Shortcodes
- Plugin Slug
- nd-shortcodes
- Installations
- 20,000+
- Vulnerability
- Subscriber+ Local File Inclusion
- Patched in Version
- 7.0
- Severity Score
- High
- CVE
- 2023-1273
Supsystic Popup

- Plugin
- Popup by Supsystic
- Plugin Slug
- popup-by-supsystic
- Installations
- 20,000+
- Vulnerability
- Prototype Pollution
- Patched in Version
- 1.10.19
- Severity Score
- High
- CVE
- 2023-3186
Protect WP Admin

- Plugin
- Protect WP Admin
- Plugin Slug
- protect-wp-admin
- Installations
- 20,000+
- Vulnerability
- Unauthenticated Protection Bypass Vulnerability
- Patched in Version
- 4.0
- Severity Score
- Medium
- CVE
- 2023-3139
Quiz Maker

- Plugin
- Quiz Maker
- Plugin Slug
- quiz-maker
- Installations
- 20,000+
- Vulnerability
- Reflected Cross Site Scripting (XSS)
- Patched in Version
- 6.4.2.7
- Severity Score
- High
- CVE
- 2023-2571
wpForo Forum

- Plugin
- wpForo Forum
- Plugin Slug
- wpforo
- Installations
- 20,000+
- Vulnerability
- Authenticated (Subscriber+) Local File Include, Server-Side Request Forgery, and PHAR Deserialization via file_get_contents
- Patched in Version
- 2.1.8
- Severity Score
- High
- CVE
- 2023-2249
WP ERP

- Plugin Slug
- afterpay-gateway-for-woocommerce
- Installations
- 10,000+
- Vulnerability
- Admin+ SQL Injection
- Patched in Version
- 1.12.4
- Severity Score
- High
- CVE
- 2023-2744
BookIt

- Plugin Slug
- bookit
- Installations
- 10,000+
- Vulnerability
- Authentication Bypass
- Patched in Version
- 2.3.8
- Severity Score
- Critical
- CVE
- 2023-2834
CMS Commander

- Plugin Slug
- cms-commander-client
- Installations
- 10,000+
- Vulnerability
- Authorization Bypass through Use of Insufficiently Unique Cryptographic Signature
- Patched in Version
- 2.288
- Severity Score
- High
- CVE
- 2023-3325
Contact Form Email

- Plugin
- Contact Form Email
- Plugin Slug
- contact-form-to-email
- Installations
- 10,000+
- Vulnerability
- Unauthenticated Stored Cross Site Scripting (XSS)
- Patched in Version
- 1.3.38
- Severity Score
- High
- CVE
- 2023-2718
Custom 404 Pro

- Plugin
- Custom 404 Pro
- Plugin Slug
- custom-404-pro
- Installations
- 10,000+
- Vulnerability
- Multiple SQL Injection
- Patched in Version
- 3.8.1
- Severity Score
- High
- CVE
- 2023-2032
File Renaming on Upload

- Plugin
- File Renaming on Upload
- Plugin Slug
- file-renaming-on-upload
- Installations
- 10,000+
- Vulnerability
- Admin+ Stored Cross Site Scripting (XSS)
- Patched in Version
- 2.5.2
- Severity Score
- Medium
- CVE
- 2023-2684
Accordion & FAQ

- Plugin Slug
- helpie-faq
- Installations
- 10,000+
- Vulnerability
- Reflected Cross Site Scripting (XSS)
- Patched in Version
- 1.9.9
- Severity Score
- High
- CVE
- 2023-1891
Five Star Restaurant Reservations

- Plugin Slug
- restaurant-reservations
- Installations
- 10,000+
- Vulnerability
- Reflected Cross Site Scripting (XSS)
- Patched in Version
- 2.6.8
- Severity Score
- High
- CVE
- 2023-34017
Restrict Content

- Plugin Slug
- restrict-content
- Installations
- 10,000+
- Vulnerability
- Missing Authorization to Notice Dismissal
- Patched in Version
- 3.2.3
- Severity Score
- Medium
Restrict Content

- Plugin Slug
- restrict-content
- Installations
- 10,000+
- Vulnerability
- Reflected Cross Site Scripting (XSS)
- Patched in Version
- 3.2.3
- Severity Score
- High
SupportCandy

- Plugin Slug
- supportcandy
- Installations
- 10,000+
- Vulnerability
- Subscriber+ SQL Injection
- Patched in Version
- 3.1.7
- Severity Score
- High
- CVE
- 2023-2719
SupportCandy

- Plugin Slug
- supportcandy
- Installations
- 10,000+
- Vulnerability
- Admin+ SQL Injection
- Patched in Version
- 3.1.7
- Severity Score
- High
- CVE
- 2023-2805
Event Manager and Tickets Selling Plugin for WooCommerce

- Plugin Slug
- mage-eventpress
- Installations
- 9,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 3.9.6
- Severity Score
- Medium
- CVE
- 2023-36383
Buy Me a Coffee

- Plugin Slug
- buymeacoffee
- Installations
- 6,000+
- Vulnerability
- Auth. Stored Cross Site Scripting (XSS)
- Patched in Version
- 3.7
- Severity Score
- Medium
- CVE
- 2023-2578
FormCraft Premium

- Plugin Slug
- formcraft-form-builder
- Installations
- 5,000+
- Vulnerability
- Auth. SQL Injection
- Patched in Version
- 3.9.7
- Severity Score
- High
- CVE
- 2023-2592
WPForms Google Sheet Connector

- Plugin Slug
- gsheetconnector-wpforms
- Installations
- 5,000+
- Vulnerability
- Reflected Cross Site Scripting (XSS)
- Patched in Version
- 3.4.6
- Severity Score
- High
- CVE
- 2023-2321
MStore API

- Plugin
- MStore API
- Plugin Slug
- mstore-api
- Installations
- 5,000+
- Vulnerability
- Unauth. SQL Injection
- Patched in Version
- 4.0.2
- Severity Score
- Critical
- CVE
- 2023-3197
MStore API

- Plugin
- MStore API
- Plugin Slug
- mstore-api
- Installations
- 5,000+
- Vulnerability
- SQL Injection
- Patched in Version
- 3.9.8
- Severity Score
- High
- CVE
- 2022-47614
Poll Maker

- Plugin Slug
- poll-maker
- Installations
- 5,000+
- Vulnerability
- Server Side Request Forgery (SSRF)
- Patched in Version
- 4.6.3
- Severity Score
- Medium
- CVE
- 2023-34013
Simple Iframe
- Plugin
- Simple Iframe
- Plugin Slug
- simple-iframe
- Installations
- 5,000+
- Vulnerability
- Contributor+ Stored Cross Site Scripting (XSS)
- Patched in Version
- 1.2.0
- Severity Score
- Medium
- CVE
- 2023-2964
WP Custom Cursors

- Plugin Slug
- wp-custom-cursors
- Installations
- 5,000+
- Vulnerability
- Admin+ SQL Injection
- Patched in Version
- 3.2
- Severity Score
- High
- CVE
- 2023-2221
AI ChatBot

- Plugin
- AI ChatBot
- Plugin Slug
- chatbot
- Installations
- 4,000+
- Vulnerability
- Admin+ Stored Cross Site Scripting (XSS)
- Patched in Version
- 4.5.5
- Severity Score
- Medium
- CVE
- 2023-2742
AI ChatBot

- Plugin
- AI ChatBot
- Plugin Slug
- chatbot
- Installations
- 4,000+
- Vulnerability
- Admin+ Stored Cross Site Scripting (XSS)
- Patched in Version
- 4.5.6
- Severity Score
- Medium
- CVE
- 2023-2811
Survey Maker

- Plugin Slug
- survey-maker
- Installations
- 4,000+
- Vulnerability
- Reflected Cross Site Scripting (XSS)
- Patched in Version
- 3.4.7
- Severity Score
- High
- CVE
- 2023-2572
Integration for Contact Form 7 and Zoho CRM, Bigin

- Plugin Slug
- cf7-zoho
- Installations
- 3,000+
- Vulnerability
- Admin+ SQL Injection
- Patched in Version
- 1.2.4
- Severity Score
- High
- CVE
- 2023-2527
CHP Ads Block Detector

- Plugin
- CHP Ads Block Detector
- Plugin Slug
- chp-ads-block-detector
- Installations
- 3,000+
- Vulnerability
- Broken Access Control
- Patched in Version
- 3.9.8
- Severity Score
- Medium
- CVE
- 2023-36509
Potent Donations for WooCommerce

- Plugin Slug
- donations-for-woocommerce
- Installations
- 3,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- 1.1.10
- Severity Score
- Medium
- CVE
- 2023-35912
EventON

Core Web Vitals & PageSpeed Booster

- Plugin Slug
- core-web-vitals-pagespeed-booster
- Installations
- 2,000+
- Vulnerability
- Open Redirection
- Patched in Version
- 1.0.13
- Severity Score
- Medium
- CVE
- 2023-35883
Extra User Details

- Plugin
- Extra User Details
- Plugin Slug
- extra-user-details
- Installations
- 2,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- 0.5.1
- Severity Score
- Medium
- CVE
- 2023-35877
Extra User Details

- Plugin
- Extra User Details
- Plugin Slug
- extra-user-details
- Installations
- 2,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 0.5.1
- Severity Score
- Medium
- CVE
- 2023-35878
KiviCare Management System

- Plugin Slug
- kivicare-clinic-management-system
- Installations
- 2,000+
- Vulnerability
- Reflected Cross Site Scripting (XSS)
- Patched in Version
- 3.2.1
- Severity Score
- High
- CVE
- 2023-2624
KiviCare Management System

- Plugin Slug
- kivicare-clinic-management-system
- Installations
- 2,000+
- Vulnerability
- Subscriber+ Sensitive Data Exposure
- Patched in Version
- 3.2.1
- Severity Score
- Medium
- CVE
- 2023-2623
KiviCare Management System

- Plugin Slug
- kivicare-clinic-management-system
- Installations
- 2,000+
- Vulnerability
- Subscriber+ Unauthorised AJAX Calls
- Patched in Version
- 3.2.1
- Severity Score
- Medium
- CVE
- 2023-2627
KiviCare Management System

- Plugin Slug
- kivicare-clinic-management-system
- Installations
- 2,000+
- Vulnerability
- Multiple Cross Site Request Forgery (CSRF)
- Patched in Version
- 3.2.1
- Severity Score
- Medium
- CVE
- 2023-2628
teachPress
- Plugin
- teachPress
- Plugin Slug
- teachpress
- Installations
- 2,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 9.0.3
- Severity Score
- High
- CVE
- 2023-36501
WP Directory Kit

- Plugin
- WP Directory Kit
- Plugin Slug
- wpdirectorykit
- Installations
- 2,000+
- Vulnerability
- Unauthenticated Local File Inclusion
- Patched in Version
- 1.2.4
- Severity Score
- High
- CVE
- 2023-2278
Contact Form to DB by BestWebSoft

- Plugin Slug
- contact-form-to-db
- Installations
- 1,000+
- Vulnerability
- SQL Injection
- Patched in Version
- 1.7.2
- Severity Score
- High
- CVE
- 2023-36508
EventPrime

- Plugin Slug
- eventprime-event-calendar-management
- Installations
- 1,000+
- Vulnerability
- Reflected Cross Site Scripting (XSS)
- Patched in Version
- 3.0.6
- Severity Score
- High
- CVE
- 2023-35884
Photo Gallery by Ays

- Plugin Slug
- gallery-photo-gallery
- Installations
- 1,000+
- Vulnerability
- Reflected Cross Site Scripting (XSS)
- Patched in Version
- 5.1.7
- Severity Score
- High
- CVE
- 2023-2568
Elementor Forms Google Sheet Connector

- Plugin Slug
- gsheetconnector-for-elementor-forms
- Installations
- 1,000+
- Vulnerability
- Reflected Cross Site Scripting (XSS)
- Patched in Version
- 1.0.7
- Severity Score
- High
- CVE
- 2023-2324
Ninja Forms Google Sheet Connector

- Plugin Slug
- gsheetconnector-ninja-forms
- Installations
- 1,000+
- Vulnerability
- Reflected Cross Site Scripting (XSS)
- Patched in Version
- 1.2.7
- Severity Score
- High
- CVE
- 2023-2333
MyCurator Content Curation

- Plugin Slug
- mycurator
- Installations
- 1,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- 3.75
- Severity Score
- Medium
- CVE
- 2023-32104
OOPSpam Anti-Spam

- Plugin
- OOPSpam Anti-Spam
- Plugin Slug
- oopspam-anti-spam
- Installations
- 1,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- 1.1.45
- Severity Score
- Medium
- CVE
- 2023-35913
ReDi Restaurant Reservation

- Plugin Slug
- redi-restaurant-reservation
- Installations
- 1,000+
- Vulnerability
- Broken Access Control
- Patched in Version
- 23.0212
- Severity Score
- High
- CVE
- 2023-36510
Booking Calendar Contact Form

- Plugin Slug
- booking-calendar-contact-form
- Installations
- 900+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 1.2.41
- Severity Score
- High
- CVE
- 2023-36384
Customer Service Software & Support Ticket System

- Plugin Slug
- wp-ticket
- Installations
- 600+
- Vulnerability
- Authenticated (Administrator+) Stored Cross Site Scripting (XSS)
- Patched in Version
- 5.13
- Severity Score
- Medium
WP Sticky Social

- Plugin
- WP Sticky Social
- Plugin Slug
- wp-sticky-social
- Installations
- 300+
- Vulnerability
- Cross-Site Request Forgery to Stored Cross-Site Scripting
- Patched in Version
- 1.0.2
- Severity Score
- High
- CVE
- 2023-3320
Mail Queue

- Plugin
- Mail Queue
- Plugin Slug
- mail-queue
- Installations
- 80+
- Vulnerability
- Unauthenticated Stored Cross-Site Scripting via Email Subject
- Patched in Version
- 1.2
- Severity Score
- High
- CVE
- 2023-3167
Lana Shortcodes

- Plugin
- Lana Shortcodes
- Plugin Slug
- lana-shortcodes
- Installations
- 70+
- Vulnerability
- Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
- Patched in Version
- 1.2.0
- Severity Score
- Medium
Mailtree Log Mail

- Plugin
- Mailtree Log Mail
- Plugin Slug
- mailtree-log-mail
- Installations
- 10+
- Vulnerability
- Unauth. Stored Cross Site Scripting (XSS)
- Patched in Version
- 1.0.1
- Severity Score
- High
- CVE
- 2023-3135
AutomateWoo
- Plugin
- AutomateWoo
- Plugin Slug
- automatewoo
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- 5.7.6
- Severity Score
- Medium
- CVE
- 2023-36513
AutomateWoo
- Plugin
- AutomateWoo
- Plugin Slug
- automatewoo
- Vulnerability
- Broken Access Control
- Patched in Version
- 5.7.6
- Severity Score
- Medium
- CVE
- 2023-36512
Complianz Premium
- Plugin
- Complianz Premium
- Plugin Slug
- complianz-gdpr-premium
- Vulnerability
- Cross Site Request Forgery (CSRF) to Site Wide Cross Site Scripting (XSS)
- Patched in Version
- 6.4.7
- Severity Score
- High
- CVE
- 2023-33333
Complianz Premium
- Plugin
- Complianz Premium
- Plugin Slug
- complianz-gdpr-premium
- Vulnerability
- Multiple Cross Site Request Forgery (CSRF)
- Patched in Version
- 6.4.8
- Severity Score
- Medium
- CVE
- 2023-34030
Elementor Pro
- Plugin
- Elementor Pro
- Plugin Slug
- elementor-pro
- Vulnerability
- Auth. Broken Access Control
- Patched in Version
- 3.13.1
- Severity Score
- Medium
- CVE
- 2023-35050
Go Pricing – WordPress Responsive Pricing Tables
- Plugin
- Go Pricing
- Plugin Slug
- go-pricing-wordpress-responsive-pricing-tables
- Vulnerability
- Broken Access Control
- Patched in Version
- 3.4
- Severity Score
- Medium
- CVE
- 2023-2494
Go Pricing – WordPress Responsive Pricing Tables
- Plugin
- Go Pricing
- Plugin Slug
- go-pricing-wordpress-responsive-pricing-tables
- Vulnerability
- Contributor+ Cross Site Scripting (XSS)
- Patched in Version
- 3.4
- Severity Score
- Medium
- CVE
- 2023-2498
MonsterInsights Pro
- Plugin
- MonsterInsights Pro
- Plugin Slug
- google-analytics-premium
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 8.15
- Severity Score
- Medium
- CVE
- 2023-32291
Gravity Forms
- Plugin
- Gravity Forms
- Plugin Slug
- gravityforms
- Vulnerability
- Reflected Cross Site Scripting (XSS)
- Patched in Version
- 2.7.5
- Severity Score
- High
- CVE
- 2023-2701
WPBakery Page Builder
- Plugin
- WPBakery Page Builder
- Plugin Slug
- js_composer
- Vulnerability
- Contributor+ Cross Site Scripting (XSS)
- Patched in Version
- 6.13.0
- Severity Score
- Medium
- CVE
- 2023-31213
Lana Text to Image

- Plugin
- Lana Text to Image
- Plugin Slug
- lana-text-to-image
- Vulnerability
- Auth. Stored Cross Site Scripting (XSS)
- Patched in Version
- 1.1.0
- Severity Score
- Medium
- CVE
- 2023-3387
PixelYourSite PRO
- Plugin
- PixelYourSite PRO
- Plugin Slug
- pixelyoursite-pro
- Vulnerability
- Admin+ Stored Cross Site Scripting (XSS)
- Patched in Version
- 9.6.2
- Severity Score
- Medium
- CVE
- 2023-2584
USM Premium
- Plugin
- USM Premium
- Plugin Slug
- ultimate-premium-plugin
- Vulnerability
- Admin+ Stored Cross Site Scripting (XSS)
- Patched in Version
- 16.3
- Severity Score
- Medium
- CVE
- 2023-1166
Abandoned Cart Pro for WooCommerce
- Plugin
- Abandoned Cart Pro
- Plugin Slug
- woocommerce-abandoned-cart-pro
- Vulnerability
- Stored Cross Site Scripting (XSS)
- Patched in Version
- 7.13.0
- Severity Score
- High
- CVE
- 2019-25152
WooCommerce Brands
- Plugin
- WooCommerce Brands
- Plugin Slug
- woocommerce-brands
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- 1.6.50
- Severity Score
- Medium
- CVE
- 2023-35880
WooCommerce Bulk Stock Management
- Plugin
- WooCommerce Bulk Stock Management
- Plugin Slug
- woocommerce-bulk-stock-management
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 2.2.34
- Severity Score
- High
- CVE
- 2023-35918
WooCommerce Order Barcodes
- Plugin
- WooCommerce Order Barcodes
- Plugin Slug
- woocommerce-order-barcodes
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- 1.6.5
- Severity Score
- Medium
- CVE
- 2023-36511
WooCommerce Product Vendors
- Plugin
- WooCommerce Product Vendors
- Plugin Slug
- woocommerce-product-vendors
- Vulnerability
- Shop Manager+ SQL Injection
- Patched in Version
- 2.1.79
- Severity Score
- High
- CVE
- 2023-35879
WooCommerce Ship to Multiple Addresses
- Plugin
- WooCommerce Ship to Multiple Addresses
- Plugin Slug
- woocommerce-shipping-multiple-addresses
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- 3.8.6
- Severity Score
- Medium
- CVE
- 2023-36514
WooCommerce Subscriptions
- Plugin
- WooCommerce Subscriptions
- Plugin Slug
- woocommerce-subscriptions
- Vulnerability
- Insecure Direct Object References (IDOR)
- Patched in Version
- 5.1.3
- Severity Score
- High
- CVE
- 2023-35914
WordPress File Upload
- Plugin
- File Uploader
- Plugin Slug
- wp-file-uploader
- Vulnerability
- Admin+ Path Traversal
- Patched in Version
- 4.19.2
- Severity Score
- Medium
- CVE
- 2023-2688
WPForms Pro
- Plugin
- WPForms Pro
- Plugin Slug
- wpforms
- Vulnerability
- Reflected Cross Site Scripting (XSS)
- Patched in Version
- 1.8.1.3
- Severity Score
- Medium
- CVE
- 2023-30500
WordPress Plugin Vulnerabilities — Unpatched
This section contains plugin vulnerabilities with no known fix. Until a patch is available, you are advised to deactivate the plugin, at minimum, immediately. If there is a high risk of active exploits or the plugin remains unpatched for weeks, you are advised to delete the plugin. You should also delete persistently unpatched plugins the WordPress.org repository has locked and marked “Closed” so they can no longer be downloaded and installed.
WP Cookie Notice for GDPR, CCPA & ePrivacy Consent

- Plugin Slug
- gdpr-cookie-consent
- Installations
- 9,000+
- Vulnerability
- CSV Injection
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-23678
Form Builder

- Plugin Slug
- contact-form-add
- Installations
- 6,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- High
- CVE
- 2023-23795
ApplyOnline – Application Form Builder and Manager

- Plugin Slug
- apply-online
- Installations
- 5,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-24391
JS Help Desk – Best Help Desk & Support Plugin

- Plugin Slug
- js-support-ticket
- Installations
- 5,000+
- Vulnerability
- Insecure Direct Object References (IDOR) Leading To Ticket Deletion
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-23679
MojoPlug Slide Panel

- Plugin
- MojoPlug Slide Panel
- Plugin Slug
- mojoplug-slide-panel
- Installations
- 800+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-23807
Smoothscroller

- Plugin
- Smoothscroller
- Plugin Slug
- smoothscroller
- Installations
- 800+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-23811
Enable SVG Uploads

- Plugin
- Enable SVG Uploads
- Plugin Slug
- enable-svg-uploads
- Installations
- 300+
- Vulnerability
- Auth. Stored Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-2529
Caldera Forms Google Sheets Connector

- Plugin Slug
- gsheetconnector-caldera-forms
- Installations
- 200+
- Vulnerability
- Access Code Update via Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-2330
About Me 3000 widget
- Plugin
- About Me 3000 widget
- Plugin Slug
- about-me-3000
- Vulnerability
- Authenticated (Administrator+) Stored Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-3369
AN_GradeBook
- Plugin
- AN_GradeBook
- Plugin Slug
- an-gradebook
- Vulnerability
- Auth. Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-2709
BBS e-Popup
- Plugin
- BBS e-Popup
- Plugin Slug
- bbs-e-popup
- Vulnerability
- Broken Access Control
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-36504
CF7 Google Sheets Connector Pro
- Plugin
- CF7 Google Sheets Connector Pro
- Plugin Slug
- cf7-google-sheets-connector-pro
- Vulnerability
- Reflected Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- High
- CVE
- 2023-2320
Contact Form by WD
- Plugin
- Contact Form by WD
- Plugin Slug
- contact-form-maker
- Vulnerability
- Admin+ SQL Injection
- Patched in Version
- No Fix
- Severity Score
- High
- CVE
- 2023-2655
Image Protector
- Plugin
- Defa Online Image Protector
- Plugin Slug
- defa-online-image-protector
- Vulnerability
- Auth. Stored Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-2026
Gallery Metabox
- Plugin
- Gallery Metabox
- Plugin Slug
- gallery-metabox
- Vulnerability
- Missing Authorization via gallery_remove
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-2561
Gallery Metabox
- Plugin
- Gallery Metabox
- Plugin Slug
- gallery-metabox
- Vulnerability
- Missing Authorization
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-2562
Greeklish-permalink
- Plugin
- Greeklish-permalink
- Plugin Slug
- greeklish-permalink
- Vulnerability
- Unauth. Post Slug Update
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-2495
Image Map Pro
- Plugin
- Image Map Pro
- Plugin Slug
- image-map-pro-lite
- Vulnerability
- Missing Authorization to Stored Cross-Site Scripting
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-3412
InventoryPress
- Plugin
- InventoryPress
- Plugin Slug
- inventorypress
- Vulnerability
- Author+ Stored Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-2579
PrePost SEO
- Plugin
- PrePost SEO
- Plugin Slug
- prepost-seo
- Vulnerability
- Auth. Stored Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-2029
Quick Post Duplicator
- Plugin
- Quick Post Duplicator
- Plugin Slug
- rduplicator
- Vulnerability
- Authenticated (Contributor+) SQL Injection
- Patched in Version
- No Fix
- Severity Score
- High
- CVE
- 2023-2229
Upload Resume
- Plugin
- Upload Resume
- Plugin Slug
- resume-upload-form
- Vulnerability
- Captcha Bypass Vulnerability
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-2751
User Email Verification for WooCommerce
- Plugin
- User Email Verification for WooCommerce
- Plugin Slug
- woo-confirmation-email
- Vulnerability
- Authentication bypass via weak token generation
- Patched in Version
- No Fix
- Severity Score
- Critical
- CVE
- 2023-2781
WordPress Theme Vulnerabilities
In this section, you’ll find the latest WordPress theme vulnerabilities to be disclosed. You’ll see the same information provided above for vulnerable plugins, and the same advice applies. If a security update exists, install it immediately. If a vulnerability remains unpatched in a theme you are actively using, you will need to find an alternative theme. Deactivate and delete persistently unpatched themes and those that have been “Closed” in the WordPress.org theme repository. If you have a vulnerable theme installed that you are not actively using, simply delete it.
Balkon
- Theme
- Balkon
- Theme Slug
- balkon
- Vulnerability
- Reflected Cross Site Scripting (XSS)
- Patched in Version
- 1.3.3
- Severity Score
- High
- CVE
- 2023-36502
Never worry about running a vulnerable plugin or theme again.
As you can see from this report, new WordPress plugin and theme vulnerabilities are disclosed every week. We know it can be difficult to stay on top of every reported vulnerability disclosure that matters to you, so the iThemes Security Pro plugin makes it easy to ensure your site isn’t running a vulnerable theme, plugin, or version of WordPress core.
The Best WordPress Security Plugin to Secure & Protect WordPress Sites
WordPress currently powers over 40% of all websites, so it has become a popular target for hackers with malicious intent. The iThemes Security Pro plugin takes the guesswork out of WordPress security to make it easy to secure & protect your WordPress website. It’s like having a full-time security expert on staff who constantly monitors and protects your WordPress site for you.

Dan Knauss is StellarWP’s Technical Content Generalist. He’s been a writer, teacher, and freelancer working in open source since the late 1990s and with WordPress since 2004.