WordPress Vulnerability Report

This week, 140 total vulnerabilities emerged in public disclosure. They may affect over 13 million WordPress sites. There are 116 plugin vulnerabilities and one theme vulnerability that has security patches available, so run those updates!

Additionally, there are 23 plugin vulnerabilities with no patch available yet. If you are using any unpatched plugins or themes, check their vendors’ intentions and progress on a security release. If no patch is forthcoming or the vulnerable software has been closed and dropped from the official WordPress theme and plugin repositories, you should consider deactivation and removal in favor of alternative solutions.

WordPress Core Vulnerabilities — Patched

No new WordPress core vulnerabilities were disclosed this week.

WordPress core is very secure when it’s properly configured and maintained. Vulnerable plugins that have not been updated by site owners are the most common vector for attacks on WordPress websites. Our weekly WordPress Vulnerability Report, powered by Patchstack, covers new WordPress plugin, theme, and core vulnerabilities that have emerged since last week’s report. Our goal is to spread awareness of emerging security threats and help you decide what to do if you are using vulnerable software on your website. For a deeper analysis of recent trends in WordPress vulnerabilities and threat vectors, see our 2022 Annual Vulnerability Report.

These reports are published every Wednesday and include all active vulnerabilities tracked by Patchstack as of Monday since the previous report. This leaves a 48-hour window for the newest emerging vulnerabilities to be patched before full public disclosure. iThemes Security Pro users have access to vulnerability alerts emerging within this window.

Get the weekly WordPress Vulnerability Report delivered to your inbox each Wednesday.

WordPress Plugin Vulnerabilities — Patched

In this section, you’ll find the most recently disclosed WordPress plugin vulnerabilities that have been fixed with a new release from their authors and maintainers. Please apply the updates if you are affected!

These vulnerabilities have been disclosed and scored for their severity, thanks to our friends at Patchstack. Each plugin listing includes the type of vulnerability with its CVE number and CVSS severity rating with links to more technical details. You’ll also see the number of active sites using the plugin and the plugin version release that patches the vulnerability. We start with the most popular plugins, which represent the largest target for attackers.

WPForms Lite

Plugin: Contact Form by WPForms – Drag & Drop Form Builder for WordPress
Plugin Slug: wpforms-lite
Installations: 5,000,000+
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: 1.8.1.3
Severity Score: Medium
CVE: 2023-30500

Ninja Forms Contact Form

Plugin: Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress
Plugin Slug: ninja-forms
Installations: 900,000+
Vulnerability: Arbitrary File Deletion
Patched in Version: 3.6.25
Severity Score: Medium
CVE: 2023-36505

Complianz

Plugin: Complianz – GDPR/CCPA Cookie Consent
Plugin Slug: complianz-gdpr
Installations: 700,000+
Vulnerability: Cross Site Request Forgery (CSRF) lead to Site Wide Cross Site Scripting (XSS)
Patched in Version: 6.4.5
Severity Score: High
CVE: 2023-33333

Complianz

Plugin: Complianz – GDPR/CCPA Cookie Consent
Plugin Slug: complianz-gdpr
Installations: 700,000+
Vulnerability: Multiple Cross Site Request Forgery (CSRF)
Patched in Version: 6.4.6
Severity Score: Medium
CVE: 2023-34030

MainWP Child

Plugin: MainWP Child – Securely Connects Sites to the MainWP WordPress Manager Dashboard
Plugin Slug: mainwp-child
Installations: 600,000+
Vulnerability: Information Disclosure via Back-Up Files
Patched in Version: 4.4.1.2
Severity Score: High
CVE: 2023-3132

WooCommerce Payments

Plugin: WooCommerce Payments – Fully Integrated Solution Built and Supported by Woo
Plugin Slug: woocommerce-payments
Installations: 600,000+
Vulnerability: SQL Injection
Patched in Version: 5.9.1
Severity Score: High
CVE: 2023-35915

WooCommerce Payments

Plugin: WooCommerce Payments – Fully Integrated Solution Built and Supported by Woo
Plugin Slug: woocommerce-payments
Installations: 600,000+
Vulnerability: Insecure Direct Object References (IDOR)
Patched in Version: 5.9.1
Severity Score: High
CVE: 2023-35916

WooCommerce PayPal Payments

Plugin: WooCommerce PayPal Payments
Plugin Slug: woocommerce-paypal-payments
Installations: 600,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 2.0.5
Severity Score: Medium
CVE: 2023-35917

ProfilePress

Plugin: Paid Membership Plugin, Ecommerce, Registration Form, Login Form, User Profile & Restrict Content – ProfilePress
Plugin Slug: wp-user-avatar
Installations: 300,000+
Vulnerability: Reflected Cross Site Scripting (XSS) via error message
Patched in Version: 4.11.0
Severity Score: High

Spam protection, AntiSpam, FireWall by CleanTalk

Plugin: Spam protection, AntiSpam, FireWall by CleanTalk
Plugin Slug: cleantalk-spam-protect
Installations: 200,000+
Vulnerability: Broken Access Control
Patched in Version: 6.11
Severity Score: High
CVE: 2023-33996

Metform Elementor Contact Form Builder

Plugin: Metform Elementor Contact Form Builder – Flexible and Design-Friendly Contact Form builder plugin for WordPress
Plugin Slug: metform
Installations: 200,000+
Vulnerability: Cross Site Request Forgery (CSRF) via permalink_setup
Patched in Version: 3.3.3
Severity Score: Medium
CVE: 2023-2517

Photo Gallery by 10Web

Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery
Plugin Slug: photo-gallery
Installations: 200,000+
Vulnerability: Broken Access Control
Patched in Version: 1.8.16
Severity Score: Medium
CVE: 2023-33995

Ultimate Member

Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
Plugin Slug: ultimate-member
Installations: 200,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 2.6.1
Severity Score: Medium
CVE: 2023-31216

Unlimited Elements For Elementor

Plugin: Unlimited Elements For Elementor (Free Widgets, Addons, Templates)
Plugin Slug: unlimited-elements-for-elementor
Installations: 200,000+
Vulnerability: Multiple Broken Access Control
Patched in Version: 1.5.66
Severity Score: High
CVE: 2023-31080

Unlimited Elements For Elementor

Plugin: Unlimited Elements For Elementor (Free Widgets, Addons, Templates)
Plugin Slug: unlimited-elements-for-elementor
Installations: 200,000+
Vulnerability: Arbitrary File Upload
Patched in Version: 1.5.66
Severity Score: Critical
CVE: 2023-31231

WP Mail Logging

Plugin: WP Mail Logging
Plugin Slug: wp-mail-logging
Installations: 200,000+
Vulnerability: Missing Authorization to Notice Dismissal
Patched in Version: 1.12.0
Severity Score: Medium

WP Activity Log

Plugin: WP Activity Log
Plugin Slug: wp-security-audit-log
Installations: 200,000+
Vulnerability: Subscriber+ Information Leak
Patched in Version: 4.5.2
Severity Score: Medium
CVE: 2023-2261

Colibri Page Builder

Plugin: Colibri Page Builder
Plugin Slug: colibri-page-builder
Installations: 100,000+
Vulnerability: Auth. SQL Injection
Patched in Version: 1.0.229
Severity Score: High
CVE: 2023-2188

WordPress Button Plugin MaxButtons

Plugin: WordPress Button Plugin MaxButtons
Plugin Slug: maxbuttons
Installations: 100,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 9.6
Severity Score: Medium
CVE: 2023-36503

WooCommerce Square

Plugin: WooCommerce Square
Plugin Slug: woocommerce-square
Installations: 100,000+
Vulnerability: Insecure Direct Object References (IDOR)
Patched in Version: 3.8.2
Severity Score: High
CVE: 2023-35876

EmbedPress

Plugin: EmbedPress – Embed PDF, YouTube, Google Docs, Vimeo, Wistia Videos, Audios, Maps & Any Documents in Gutenberg & Elementor
Plugin Slug: embedpress
Installations: 80,000+
Vulnerability: Sensitive Data Exposure
Patched in Version: 3.8.0
Severity Score: Medium
CVE: 2023-3371

Bookly

Plugin: WordPress Online Booking and Scheduling Plugin – Bookly
Plugin Slug: bookly-responsive-appointment-booking-tool
Installations: 70,000+
Vulnerability: Admin+ Stored Cross Site Scripting (XSS) via service titles
Patched in Version: 21.8
Severity Score: Medium
CVE: 2023-1159

Conditional Menus

Plugin: Conditional Menus
Plugin Slug: conditional-menus
Installations: 70,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.2.1
Severity Score: High
CVE: 2023-2654

Tutor LMS

Plugin: Tutor LMS – eLearning and online course solution
Plugin Slug: tutor
Installations: 70,000+
Vulnerability: Unauthenticated Access to Tutor LMS Lesson Resources via REST API
Patched in Version: 2.2.1
Severity Score: Medium
CVE: 2023-3133

Dokan

Plugin: Dokan – Best WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy
Plugin Slug: dokan-lite
Installations: 60,000+
Vulnerability: PHP Object Injection
Patched in Version: 3.7.20
Severity Score: Medium
CVE: 2023-34382

CF7 Google Sheets Connector

Plugin: CF7 Google Sheets Connector
Plugin Slug: cf7-google-sheets-connector
Installations: 40,000+
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: 5.0.2
Severity Score: High
CVE: 2023-2320

ConvertKit

Plugin: ConvertKit – Email Marketing, Email Newsletter, Subscribers and Landing Pages
Plugin Slug: convertkit
Installations: 40,000+
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: 2.2.1
Severity Score: High
CVE: 2023-2337

Super Socializer

Plugin: Social Share, Social Login and Social Comments Plugin – Super Socializer
Plugin Slug: super-socializer
Installations: 40,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 7.13.53
Severity Score: Medium
CVE: 2023-35882

Super Socializer

Plugin: Social Share, Social Login and Social Comments Plugin – Super Socializer
Plugin Slug: super-socializer
Installations: 40,000+
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: 7.13.52
Severity Score: High
CVE: 2023-2779

Login/Signup Popup

Plugin: Login/Signup Popup ( Inline Form + Woocommerce )
Plugin Slug: easy-login-woocommerce
Installations: 30,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 2.4
Severity Score: Medium

Float menu

Plugin: Float menu – awesome floating side menu
Plugin Slug: float-menu
Installations: 30,000+
Vulnerability: Admin+ Stored Cross Site Scripting (XSS)
Patched in Version: 5.0.3
Severity Score: Medium
CVE: 2023-3225

Gutenverse – Gutenberg Blocks – Page Builder for Site Editor

Plugin: Gutenverse – Gutenberg Blocks – Page Builder for Site Editor
Plugin Slug: gutenverse
Installations: 30,000+
Vulnerability: Broken Access Control
Patched in Version: 1.8.6
Severity Score: Medium
CVE: 2023-35875

Icegram

Plugin: Icegram Engage – The Best WordPress Popup, Optin, CTA and Lead Generation Plugin
Plugin Slug: icegram
Installations: 30,000+
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: 3.1.12
Severity Score: High
CVE: 2023-2398

Subscribe2

Plugin: Subscribe2 – Form, Email Subscribers & Newsletters
Plugin Slug: subscribe2
Installations: 30,000+
Vulnerability: Broken Access Control
Patched in Version: 10.41
Severity Score: Medium
CVE: 2023-1844

Subscribe2

Plugin: Subscribe2 – Form, Email Subscribers & Newsletters
Plugin Slug: subscribe2
Installations: 30,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 10.41
Severity Score: Medium
CVE: 2023-3407

PostX – Gutenberg Post Grid Blocks

Plugin: PostX – Gutenberg Post Grid Blocks
Plugin Slug: ultimate-post
Installations: 30,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.9.10
Severity Score: High
CVE: 2023-36385

Abandoned Cart Lite for WooCommerce

Plugin: Abandoned Cart Lite for WooCommerce
Plugin Slug: woocommerce-abandoned-cart
Installations: 30,000+
Vulnerability: Stored Cross Site Scripting (XSS)
Patched in Version: 5.2.0
Severity Score: High
CVE: 2019-25152

ND Shortcodes

Plugin: ND Shortcodes
Plugin Slug: nd-shortcodes
Installations: 20,000+
Vulnerability: Subscriber+ Local File Inclusion
Patched in Version: 7.0
Severity Score: High
CVE: 2023-1273

Supsystic Popup

Plugin: Popup by Supsystic
Plugin Slug: popup-by-supsystic
Installations: 20,000+
Vulnerability: Prototype Pollution
Patched in Version: 1.10.19
Severity Score: High
CVE: 2023-3186

Protect WP Admin

Plugin: Protect WP Admin
Plugin Slug: protect-wp-admin
Installations: 20,000+
Vulnerability: Unauthenticated Protection Bypass Vulnerability
Patched in Version: 4.0
Severity Score: Medium
CVE: 2023-3139

Quiz Maker

Plugin: Quiz Maker
Plugin Slug: quiz-maker
Installations: 20,000+
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: 6.4.2.7
Severity Score: High
CVE: 2023-2571

wpForo Forum

Plugin: wpForo Forum
Plugin Slug: wpforo
Installations: 20,000+
Vulnerability: Authenticated (Subscriber+) Local File Include, Server-Side Request Forgery, and PHAR Deserialization via file_get_contents
Patched in Version: 2.1.8
Severity Score: High
CVE: 2023-2249

WP ERP

Plugin: Afterpay Gateway for WooCommerce
Plugin Slug: afterpay-gateway-for-woocommerce
Installations: 10,000+
Vulnerability: Admin+ SQL Injection
Patched in Version: 1.12.4
Severity Score: High
CVE: 2023-2744

BookIt

Plugin: Booking Calendar | Appointment Booking | BookIt
Plugin Slug: bookit
Installations: 10,000+
Vulnerability: Authentication Bypass
Patched in Version: 2.3.8
Severity Score: Critical
CVE: 2023-2834

CMS Commander

Plugin: CMS Commander – Manage Multiple Sites
Plugin Slug: cms-commander-client
Installations: 10,000+
Vulnerability: Authorization Bypass through Use of Insufficiently Unique Cryptographic Signature
Patched in Version: 2.288
Severity Score: High
CVE: 2023-3325

Contact Form Email

Plugin: Contact Form Email
Plugin Slug: contact-form-to-email
Installations: 10,000+
Vulnerability: Unauthenticated Stored Cross Site Scripting (XSS)
Patched in Version: 1.3.38
Severity Score: High
CVE: 2023-2718

Custom 404 Pro

Plugin: Custom 404 Pro
Plugin Slug: custom-404-pro
Installations: 10,000+
Vulnerability: Multiple SQL Injection
Patched in Version: 3.8.1
Severity Score: High
CVE: 2023-2032

File Renaming on Upload

Plugin: File Renaming on Upload
Plugin Slug: file-renaming-on-upload
Installations: 10,000+
Vulnerability: Admin+ Stored Cross Site Scripting (XSS)
Patched in Version: 2.5.2
Severity Score: Medium
CVE: 2023-2684

Accordion & FAQ

Plugin: Accordion & FAQ – Helpie WordPress Frequently Asked Questions plugin
Plugin Slug: helpie-faq
Installations: 10,000+
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: 1.9.9
Severity Score: High
CVE: 2023-1891

Five Star Restaurant Reservations

Plugin: Five Star Restaurant Reservations – WordPress Booking Plugin
Plugin Slug: restaurant-reservations
Installations: 10,000+
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: 2.6.8
Severity Score: High
CVE: 2023-34017

Restrict Content

Plugin: Membership Plugin – Restrict Content
Plugin Slug: restrict-content
Installations: 10,000+
Vulnerability: Missing Authorization to Notice Dismissal
Patched in Version: 3.2.3
Severity Score: Medium

Restrict Content

Plugin: Membership Plugin – Restrict Content
Plugin Slug: restrict-content
Installations: 10,000+
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: 3.2.3
Severity Score: High

SupportCandy

Plugin: SupportCandy – Helpdesk & Support Ticket System
Plugin Slug: supportcandy
Installations: 10,000+
Vulnerability: Subscriber+ SQL Injection
Patched in Version: 3.1.7
Severity Score: High
CVE: 2023-2719

SupportCandy

Plugin: SupportCandy – Helpdesk & Support Ticket System
Plugin Slug: supportcandy
Installations: 10,000+
Vulnerability: Admin+ SQL Injection
Patched in Version: 3.1.7
Severity Score: High
CVE: 2023-2805

Event Manager and Tickets Selling Plugin for WooCommerce

Plugin: Event Manager and Tickets Selling Plugin for WooCommerce
Plugin Slug: mage-eventpress
Installations: 9,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.9.6
Severity Score: Medium
CVE: 2023-36383

Buy Me a Coffee

Plugin: Buy Me a Coffee – Button and Widget Plugin
Plugin Slug: buymeacoffee
Installations: 6,000+
Vulnerability: Auth. Stored Cross Site Scripting (XSS)
Patched in Version: 3.7
Severity Score: Medium
CVE: 2023-2578

FormCraft Premium

Plugin: FormCraft – Contact Form Builder for WordPress
Plugin Slug: formcraft-form-builder
Installations: 5,000+
Vulnerability: Auth. SQL Injection
Patched in Version: 3.9.7
Severity Score: High
CVE: 2023-2592

WPForms Google Sheet Connector

Plugin: WPForms Google Sheet Connector
Plugin Slug: gsheetconnector-wpforms
Installations: 5,000+
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: 3.4.6
Severity Score: High
CVE: 2023-2321

MStore API

Plugin: MStore API
Plugin Slug: mstore-api
Installations: 5,000+
Vulnerability: Unauth. SQL Injection
Patched in Version: 4.0.2
Severity Score: Critical
CVE: 2023-3197

MStore API

Plugin: MStore API
Plugin Slug: mstore-api
Installations: 5,000+
Vulnerability: SQL Injection
Patched in Version: 3.9.8
Severity Score: High
CVE: 2022-47614

Poll Maker

Plugin: Poll Maker – Best WordPress Poll Plugin
Plugin Slug: poll-maker
Installations: 5,000+
Vulnerability: Server Side Request Forgery (SSRF)
Patched in Version: 4.6.3
Severity Score: Medium
CVE: 2023-34013

Simple Iframe

Plugin: Simple Iframe
Plugin Slug: simple-iframe
Installations: 5,000+
Vulnerability: Contributor+ Stored Cross Site Scripting (XSS)
Patched in Version: 1.2.0
Severity Score: Medium
CVE: 2023-2964

WP Custom Cursors

Plugin: WP Custom Cursors | WordPress Cursor Plugin
Plugin Slug: wp-custom-cursors
Installations: 5,000+
Vulnerability: Admin+ SQL Injection
Patched in Version: 3.2
Severity Score: High
CVE: 2023-2221

AI ChatBot

Plugin: AI ChatBot
Plugin Slug: chatbot
Installations: 4,000+
Vulnerability: Admin+ Stored Cross Site Scripting (XSS)
Patched in Version: 4.5.5
Severity Score: Medium
CVE: 2023-2742

AI ChatBot

Plugin: AI ChatBot
Plugin Slug: chatbot
Installations: 4,000+
Vulnerability: Admin+ Stored Cross Site Scripting (XSS)
Patched in Version: 4.5.6
Severity Score: Medium
CVE: 2023-2811

Survey Maker

Plugin: Survey Maker – Best WordPress Survey Plugin
Plugin Slug: survey-maker
Installations: 4,000+
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: 3.4.7
Severity Score: High
CVE: 2023-2572

Integration for Contact Form 7 and Zoho CRM, Bigin

Plugin: Integration for Contact Form 7 and Zoho CRM, Bigin
Plugin Slug: cf7-zoho
Installations: 3,000+
Vulnerability: Admin+ SQL Injection
Patched in Version: 1.2.4
Severity Score: High
CVE: 2023-2527

CHP Ads Block Detector

Plugin: CHP Ads Block Detector
Plugin Slug: chp-ads-block-detector
Installations: 3,000+
Vulnerability: Broken Access Control
Patched in Version: 3.9.8
Severity Score: Medium
CVE: 2023-36509

Potent Donations for WooCommerce

Plugin: Potent Donations for WooCommerce
Plugin Slug: donations-for-woocommerce
Installations: 3,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.1.10
Severity Score: Medium
CVE: 2023-35912

EventON

Plugin: EventON
Plugin Slug: eventon-lite
Installations: 3,000+
Vulnerability: Unauthenticated Event Access
Patched in Version: 2.1.2
Severity Score: Medium
CVE: 2023-2796

EventON

Plugin: EventON
Plugin Slug: eventon-lite
Installations: 3,000+
Vulnerability: Unauthenticated Post Access via Insecure Direct Object References (IDOR)
Patched in Version: 2.1.2
Severity Score: Medium
CVE: 2023-3219

Core Web Vitals & PageSpeed Booster

Plugin: Core Web Vitals & PageSpeed Booster
Plugin Slug: core-web-vitals-pagespeed-booster
Installations: 2,000+
Vulnerability: Open Redirection
Patched in Version: 1.0.13
Severity Score: Medium
CVE: 2023-35883

Extra User Details

Plugin: Extra User Details
Plugin Slug: extra-user-details
Installations: 2,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 0.5.1
Severity Score: Medium
CVE: 2023-35877

Extra User Details

Plugin: Extra User Details
Plugin Slug: extra-user-details
Installations: 2,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 0.5.1
Severity Score: Medium
CVE: 2023-35878

KiviCare Management System

Plugin: KiviCare – Clinic & Patient Management System (EHR)
Plugin Slug: kivicare-clinic-management-system
Installations: 2,000+
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: 3.2.1
Severity Score: High
CVE: 2023-2624

KiviCare Management System

Plugin: KiviCare – Clinic & Patient Management System (EHR)
Plugin Slug: kivicare-clinic-management-system
Installations: 2,000+
Vulnerability: Subscriber+ Sensitive Data Exposure
Patched in Version: 3.2.1
Severity Score: Medium
CVE: 2023-2623

KiviCare Management System

Plugin: KiviCare – Clinic & Patient Management System (EHR)
Plugin Slug: kivicare-clinic-management-system
Installations: 2,000+
Vulnerability: Subscriber+ Unauthorised AJAX Calls
Patched in Version: 3.2.1
Severity Score: Medium
CVE: 2023-2627

KiviCare Management System

Plugin: KiviCare – Clinic & Patient Management System (EHR)
Plugin Slug: kivicare-clinic-management-system
Installations: 2,000+
Vulnerability: Multiple Cross Site Request Forgery (CSRF)
Patched in Version: 3.2.1
Severity Score: Medium
CVE: 2023-2628

teachPress

Plugin: teachPress
Plugin Slug: teachpress
Installations: 2,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 9.0.3
Severity Score: High
CVE: 2023-36501

WP Directory Kit

Plugin: WP Directory Kit
Plugin Slug: wpdirectorykit
Installations: 2,000+
Vulnerability: Unauthenticated Local File Inclusion
Patched in Version: 1.2.4
Severity Score: High
CVE: 2023-2278

Contact Form to DB by BestWebSoft

Plugin: Contact Form to DB by BestWebSoft – Messages Database Plugin For WordPress
Plugin Slug: contact-form-to-db
Installations: 1,000+
Vulnerability: SQL Injection
Patched in Version: 1.7.2
Severity Score: High
CVE: 2023-36508

EventPrime

Plugin: EventPrime – Modern Events Calendar, Bookings and Tickets
Plugin Slug: eventprime-event-calendar-management
Installations: 1,000+
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: 3.0.6
Severity Score: High
CVE: 2023-35884

Photo Gallery by Ays

Plugin: Photo Gallery by Ays – Responsive Image Gallery
Plugin Slug: gallery-photo-gallery
Installations: 1,000+
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: 5.1.7
Severity Score: High
CVE: 2023-2568

Elementor Forms Google Sheet Connector

Plugin: Elementor Forms Google Sheet Connector
Plugin Slug: gsheetconnector-for-elementor-forms
Installations: 1,000+
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: 1.0.7
Severity Score: High
CVE: 2023-2324

Ninja Forms Google Sheet Connector

Plugin: Ninja Forms Google Sheet Connector
Plugin Slug: gsheetconnector-ninja-forms
Installations: 1,000+
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: 1.2.7
Severity Score: High
CVE: 2023-2333

MyCurator Content Curation

Plugin: MyCurator Content Curation
Plugin Slug: mycurator
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 3.75
Severity Score: Medium
CVE: 2023-32104

OOPSpam Anti-Spam

Plugin: OOPSpam Anti-Spam
Plugin Slug: oopspam-anti-spam
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.1.45
Severity Score: Medium
CVE: 2023-35913

ReDi Restaurant Reservation

Plugin: ReDi Restaurant Reservation
Plugin Slug: redi-restaurant-reservation
Installations: 1,000+
Vulnerability: Broken Access Control
Patched in Version: 23.0212
Severity Score: High
CVE: 2023-36510

Booking Calendar Contact Form

Plugin: Booking Calendar Contact Form
Plugin Slug: booking-calendar-contact-form
Installations: 900+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.2.41
Severity Score: High
CVE: 2023-36384

Customer Service Software & Support Ticket System

Plugin: Customer Service Software & Support Ticket System
Plugin Slug: wp-ticket
Installations: 600+
Vulnerability: Authenticated (Administrator+) Stored Cross Site Scripting (XSS)
Patched in Version: 5.13
Severity Score: Medium

WP Sticky Social

Plugin: WP Sticky Social
Plugin Slug: wp-sticky-social
Installations: 300+
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched in Version: 1.0.2
Severity Score: High
CVE: 2023-3320

Mail Queue

Plugin: Mail Queue
Plugin Slug: mail-queue
Installations: 80+
Vulnerability: Unauthenticated Stored Cross-Site Scripting via Email Subject
Patched in Version: 1.2
Severity Score: High
CVE: 2023-3167

Lana Shortcodes

Plugin: Lana Shortcodes
Plugin Slug: lana-shortcodes
Installations: 70+
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched in Version: 1.2.0
Severity Score: Medium

Mailtree Log Mail

Plugin: Mailtree Log Mail
Plugin Slug: mailtree-log-mail
Installations: 10+
Vulnerability: Unauth. Stored Cross Site Scripting (XSS)
Patched in Version: 1.0.1
Severity Score: High
CVE: 2023-3135

AutomateWoo

Plugin: AutomateWoo
Plugin Slug: automatewoo
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 5.7.6
Severity Score: Medium
CVE: 2023-36513

AutomateWoo

Plugin: AutomateWoo
Plugin Slug: automatewoo
Vulnerability: Broken Access Control
Patched in Version: 5.7.6
Severity Score: Medium
CVE: 2023-36512

Complianz Premium

Plugin: Complianz Premium
Plugin Slug: complianz-gdpr-premium
Vulnerability: Cross Site Request Forgery (CSRF) to Site Wide Cross Site Scripting (XSS
Patched in Version: 6.4.7
Severity Score: High
CVE: 2023-33333

Complianz Premiumy

Plugin: Complianz Premium
Plugin Slug: complianz-gdpr-premium
Vulnerability: Multiple Cross Site Request Forgery (CSRF)
Patched in Version: 6.4.8
Severity Score: Medium
CVE: 2023-34030

Elementor Pro

Plugin: Elementor Pro
Plugin Slug: elementor-pro
Vulnerability: Auth. Broken Access Control
Patched in Version: 3.13.1
Severity Score: Medium
CVE: 2023-35050

Go Pricing – WordPress Responsive Pricing Tables

Plugin: Go Pricing
Plugin Slug: go-pricing-wordpress-responsive-pricing-tables
Vulnerability: Broken Access Control
Patched in Version: 3.4
Severity Score: Medium
CVE: 2023-2494

Go Pricing – WordPress Responsive Pricing Tables

Plugin: Go Pricing
Plugin Slug: go-pricing-wordpress-responsive-pricing-tables
Vulnerability: Contributor+ Cross Site Scripting (XSS)
Patched in Version: 3.4
Severity Score: Medium
CVE: 2023-2498

MonsterInsights Pro

Plugin: MonsterInsights Pro
Plugin Slug: google-analytics-premium
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 8.15
Severity Score: Medium
CVE: 2023-32291

Gravity Forms

Plugin: Gravity Forms
Plugin Slug: gravityforms
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: 2.7.5
Severity Score: High
CVE: 2023-2701

WPBakery Page Builder

Plugin: WPBakery Page Builder
Plugin Slug: js_composer
Vulnerability: Contributor+ Cross Site Scripting (XSS)
Patched in Version: 6.13.0
Severity Score: Medium
CVE: 2023-31213

Lana Text to Image

Plugin: Lana Text to Image
Plugin Slug: lana-text-to-image
Vulnerability: Auth. Stored Cross Site Scripting (XSS)
Patched in Version: 1.1.0
Severity Score: Medium
CVE: 2023-3387

PixelYourSite PRO

Plugin: PixelYourSite PRO
Plugin Slug: pixelyoursite-pro
Vulnerability: Admin+ Stored Cross Site Scripting (XSS)
Patched in Version: 9.6.2
Severity Score: Medium
CVE: 2023-2584

USM Premium

Plugin: USM Premium
Plugin Slug: ultimate-premium-plugin
Vulnerability: Admin+ Stored Cross Site Scripting (XSS)
Patched in Version: 16.3
Severity Score: Medium
CVE: 2023-1166

Abandoned Cart Pro for WooCommerce

Plugin: Abandoned Cart Pro
Plugin Slug: woocommerce-abandoned-cart-pro
Vulnerability: Stored Cross Site Scripting (XSS)
Patched in Version: 7.13.0
Severity Score: High
CVE: 2019-25152

WooCommerce Brands

Plugin: WooCommerce Brands
Plugin Slug: woocommerce-brands
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.6.50
Severity Score: Medium
CVE: 2023-35880

WooCommerce Bulk Stock Management

Plugin: WooCommerce Bulk Stock Management
Plugin Slug: woocommerce-bulk-stock-management
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.2.34
Severity Score: High
CVE: 2023-35918

WooCommerce Order Barcodes

Plugin: WooCommerce Order Barcodes
Plugin Slug: woocommerce-order-barcodes
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.6.5
Severity Score: Medium
CVE: 2023-36511

WooCommerce Product Vendors

Plugin: WooCommerce Product Vendors
Plugin Slug: woocommerce-product-vendors
Vulnerability: Shop Manager+ SQL Injection
Patched in Version: 2.1.79
Severity Score: High
CVE: 2023-35879

WooCommerce Ship to Multiple Addresses

Plugin: WooCommerce Ship to Multiple Addresses
Plugin Slug: woocommerce-shipping-multiple-addresses
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 3.8.6
Severity Score: Medium
CVE: 2023-36514

WooCommerce Subscriptions

Plugin: WooCommerce Subscriptions
Plugin Slug: woocommerce-subscriptions
Vulnerability: Insecure Direct Object References (IDOR)
Patched in Version: 5.1.3
Severity Score: High
CVE: 2023-35914

WordPress File Upload

Plugin: File Uploader
Plugin Slug: wp-file-uploader
Vulnerability: Admin+ Path Traversal
Patched in Version: 4.19.2
Severity Score: Medium
CVE: 2023-2688

WPForms Pro

Plugin: WPForms Pro
Plugin Slug: wpforms
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: 1.8.1.3
Severity Score: Medium
CVE: 2023-30500

WordPress Plugin Vulnerabilities — Unpatched

This section contains plugin vulnerabilities with no known fix. Until a patch is available, you are advised to deactivate the plugin, at minimum, immediately. If there is a high risk of active exploits or the plugin remains unpatched for weeks, you are advised to delete the plugin. You should also delete persistently unpatched plugins the WordPress.org repository has locked and marked “Closed” so they can no longer be downloaded and installed.

WP Cookie Notice for GDPR, CCPA & ePrivacy Consent

Plugin: WP Cookie Notice for GDPR, CCPA & ePrivacy Consent
Plugin Slug: gdpr-cookie-consent
Installations: 9,000+
Vulnerability: CSV Injection
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-23678

Form Builder

Plugin: Form Builder | Create Responsive Contact Forms
Plugin Slug: contact-form-add
Installations: 6,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-23795

ApplyOnline – Application Form Builder and Manager

Plugin: ApplyOnline – Application Form Builder and Manager
Plugin Slug: apply-online
Installations: 5,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-24391

JS Help Desk – Best Help Desk & Support Plugin

Plugin: JS Help Desk – Best Help Desk & Support Plugin
Plugin Slug: js-support-ticket
Installations: 5,000+
Vulnerability: Insecure Direct Object References (IDOR) Leading To Ticket Deletion
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-23679

MojoPlug Slide Panel

Plugin: MojoPlug Slide Panel
Plugin Slug: mojoplug-slide-panel
Installations: 800+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-23807

Smoothscroller

Plugin: Smoothscroller
Plugin Slug: smoothscroller
Installations: 800+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-23811

Enable SVG Uploads

Plugin: Enable SVG Uploads
Plugin Slug: enable-svg-uploads
Installations: 300+
Vulnerability: Auth. Stored Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-2529

Caldera Forms Google Sheets Connector

Plugin: Caldera Forms Google Sheets Connector
Plugin Slug: gsheetconnector-caldera-forms
Installations: 200+
Vulnerability: Access Code Update via Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-2330

About Me 3000 widget

Plugin: About Me 3000 widget
Plugin Slug: about-me-3000
Vulnerability: Authenticated (Administrator+) Stored Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-3369

AN_GradeBook

Plugin: AN_GradeBook
Plugin Slug: an-gradebook
Vulnerability: Auth. Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-2709

BBS e-Popup

Plugin: BBS e-Popup
Plugin Slug: bbs-e-popup
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-36504

CF7 Google Sheets Connector Pro

Plugin: CF7 Google Sheets Connector Pro
Plugin Slug: cf7-google-sheets-connector-pro
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-2320

Contact Form by WD

Plugin: Contact Form by WD
Plugin Slug: contact-form-maker
Vulnerability: Admin+ SQL Injection
Patched in Version: No Fix
Severity Score: High
CVE: 2023-2655

Image Protector

Plugin: Defa Online Image Protector
Plugin Slug: defa-online-image-protector
Vulnerability: Auth. Stored Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-2026

Gallery Metabox

Plugin: Gallery Metabox
Plugin Slug: gallery-metabox
Vulnerability: Missing Authorization via gallery_remove
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-2561

Gallery Metabox

Plugin: Gallery Metabox
Plugin Slug: gallery-metabox
Vulnerability: Missing Authorization
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-2562

Greeklish-permalink

Plugin: Greeklish-permalink
Plugin Slug: greeklish-permalink
Vulnerability: Unauth. Post Slug Update
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-2495

Image Map Pro

Plugin: Image Map Pro
Plugin Slug: image-map-pro-lite
Vulnerability: Missing Authorization to Stored Cross-Site Scripting
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-3412

InventoryPress

Plugin: InventoryPress
Plugin Slug: inventorypress
Vulnerability: Author+ Stored Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-2579

PrePost SEO

Plugin: PrePost SEO
Plugin Slug: prepost-seo
Vulnerability: Auth. Stored Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-2029

Quick Post Duplicator

Plugin: Quick Post Duplicator
Plugin Slug: rduplicator
Vulnerability: Authenticated (Contributor+) SQL Injection
Patched in Version: No Fix
Severity Score: High
CVE: 2023-2229

Upload Resume

Plugin: Upload Resume
Plugin Slug: resume-upload-form
Vulnerability: Captcha Bypass Vulnerability
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-2751

User Email Verification for WooCommerce

Plugin: User Email Verification for WooCommerce
Plugin Slug: woo-confirmation-email
Vulnerability: Authentication bypass via weak token generation
Patched in Version: No Fix
Severity Score: Critical
CVE: 2023-2781

WordPress Theme Vulnerabilities

In this section, you’ll find the latest WordPress theme vulnerabilities to be disclosed. You’ll see the same information provided above for vulnerable plugins, and the same advice applies. If a security update exists, install it immediately. If a vulnerability remains unpatched in a theme you are actively using, you will need to find an alternative theme. Deactivate and delete persistently unpatched themes and those that have been “Closed” in the WordPress.org theme repository. If you have a vulnerable theme installed that you are not actively using, simply delete it.

Balkon

Theme: Balkon
Theme Slug: balkon
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: 1.3.3
Severity Score: High
CVE: 2023-36502

Never worry about running a vulnerable plugin or theme again.

As you can see from this report, new WordPress plugin and theme vulnerabilities are disclosed every week. We know it can be difficult to stay on top of every reported vulnerability disclosure that matters to you, so the Themes Security Pro plugin makes it easy to ensure your site isn’t running a vulnerable theme, plugin, or version of WordPress core.

Scans Your Website Twice a Day for Vulnerabilities

Your website’s plugins, themes, and WordPress core versions are checked against the Patchstack Vulnerability Database for the latest vulnerability disclosures.

Automatically Updates if a Security Fix is Available

Paired with Version Management, iThemes Security will automatically update a plugin, theme, or WordPress core version if it has a vulnerability.

Emails You a Warning if Site Scan Detects a Vulnerability

You can receive an email report if your site is running vulnerable versions of a plugin, theme, or WordPress core. Customize the email addresses that receive scan results.

The Best WordPress Security Plugin to Secure & Protect WordPress Sites

WordPress currently powers over 40% of all websites, so it has become a popular target for hackers with malicious intent. The iThemes Security Pro plugin takes the guesswork out of WordPress security to make it easy to secure & protect your WordPress website. It’s like having a full-time security expert on staff who constantly monitors and protects your WordPress site for you.

Buy iThemes Security Pro

Dan Knauss

Dan Knauss is StellarWP’s Technical Content Generalist. He’s been a writer, teacher, and freelancer working in open source since the late 1990s and with WordPress since 2004.