WordPress Vulnerability Report

This week, 101 total vulnerabilities emerged in public disclosure. They may affect over 6 million WordPress sites. Additionally, there are 64 plugin vulnerabilities with no patch available yet, but no new theme vulnerabilities surfaced. If you are using any unpatched plugins or themes, check their vendors’ intentions and progress on a security release. If no patch is forthcoming or the vulnerable software has been closed and dropped from the official WordPress theme and plugin repositories, you should consider deactivation and removal in favor of alternative solutions.

WordPress Core Vulnerabilities — Patched

No new WordPress core vulnerabilities were disclosed this week.

WordPress core is very secure when it’s properly configured and maintained. Vulnerable plugins that have not been updated by site owners are the most common vector for attacks on WordPress websites. Our weekly WordPress Vulnerability Report, powered by Patchstack, covers new WordPress plugin, theme, and core vulnerabilities that have emerged since last week’s report. Our goal is to spread awareness of emerging security threats and help you decide what to do if you are using vulnerable software on your website. For a deeper analysis of recent trends in WordPress vulnerabilities and threat vectors, see our 2022 Annual Vulnerability Report.

These reports are published every Wednesday and include all active vulnerabilities tracked by Patchstack as of Monday since the previous report. This leaves a 48-hour window for the newest emerging vulnerabilities to be patched before full public disclosure. iThemes Security Pro users have access to vulnerability alerts emerging within this window.

Get the weekly WordPress Vulnerability Report delivered to your inbox each Wednesday.

WordPress Plugin Vulnerabilities — Patched

In this section, you’ll find the most recently disclosed WordPress plugin vulnerabilities that have been fixed with a new release from their authors and maintainers. Please apply the updates if you are affected!

These vulnerabilities have been disclosed and scored for their severity, thanks to our friends at Patchstack. Each plugin listing includes the type of vulnerability with its CVE number and CVSS severity rating with links to more technical details. You’ll also see the number of active sites using the plugin and the plugin version release that patches the vulnerability. We start with the most popular plugins, which represent the largest target for attackers.

Jetpack

Plugin: Jetpack – WP Security, Backup, Speed, & Growth
Plugin Slug: jetpack
Installations: 5,000,000+
Vulnerability: Arbitrary File Overwrite
Patched in Version: 12.1.1
Severity Score: Critical

Formidable Forms

Plugin: Formidable Forms – Contact Form, Survey, Quiz, Calculator & Custom Form Builder
Plugin Slug: formidable
Installations: 300,000+
Vulnerability: Authenticated (Subscriber+) Arbitrary Plugin Installation and Activation
Patched in Version: 6.3.1
Severity Score: Medium

Social Media Share Buttons & Social Sharing Icons

Plugin: Social Media Share Buttons & Social Sharing Icons
Plugin Slug: ultimate-social-media-icons
Installations: 200,000+
Vulnerability: Broken Access Control + CSRF
Patched in Version: 2.8.2
Severity Score: Medium
CVE: 2023-34009

Download Manager

Plugin: Download Manager
Plugin Slug: download-manager
Installations: 100,000+
Vulnerability: Broken Access Control
Patched in Version: 3.2.71
Severity Score: Medium
CVE: 2023-1524

Download Monitor

Plugin: Download Monitor
Plugin Slug: download-monitor
Installations: 100,000+
Vulnerability: Server Side Request Forgery (SSRF)
Patched in Version: 4.8.2
Severity Score: Medium
CVE: 2023-31219

Brizy Page Builder

Plugin: Brizy – Page Builder
Plugin Slug: brizy
Installations: 90,000+
Vulnerability: IP Address Spoofing to Protection Mechanism Bypass
Patched in Version: 2.4.19
Severity Score: Low
CVE: 2023-2897

Nested Pages

Plugin: Nested Pages
Plugin Slug: wp-nested-pages
Installations: 90,000+
Vulnerability: Missing Authorization to Authenticated (Editor+) Plugin Settings Reset
Patched in Version: 3.2.4
Severity Score: Low
CVE: 2023-2434

Tutor LMS

Plugin: Tutor LMS – eLearning and online course solution
Plugin Slug: tutor
Installations: 70,000+
Vulnerability: Unauthenticated SQL Injection
Patched in Version: 2.2.0
Severity Score: High
CVE: 2023-25700

Tutor LMS

Plugin: Tutor LMS – eLearning and online course solution
Plugin Slug: tutor
Installations: 70,000+
Vulnerability: Multiple Student+ SQL Injection
Patched in Version: 2.2.1
Severity Score: High
CVE: 2023-25800

Tutor LMS

Plugin: Tutor LMS – eLearning and online course solution
Plugin Slug: tutor
Installations: 70,000+
Vulnerability: Multiple Tutor Instructor+ SQL Injection
Patched in Version: 2.2.0
Severity Score: High
CVE: 2023-25990

VK Blocks

Plugin: VK Blocks
Plugin Slug: vk-blocks
Installations: 70,000+
Vulnerability: Auth. Settings Update
Patched in Version: 1.57.1.2
Severity Score: Medium
CVE: 2023-0583

Uncanny Toolkit for LearnDash

Plugin: Uncanny Toolkit for LearnDash
Plugin Slug: uncanny-learndash-toolkit
Installations: 30,000+
Vulnerability: Open Redirection
Patched in Version: 3.6.4.4
Severity Score: Medium
CVE: 2023-34020

Uncanny Toolkit for LearnDash

Plugin: Uncanny Toolkit for LearnDash
Plugin Slug: uncanny-learndash-toolkit
Installations: 30,000+
Vulnerability: Broken Access Control
Patched in Version: 3.6.4.4
Severity Score: Medium
CVE: 2023-34019

Draw Attention

Plugin: Interactive Image Map Plugin – Draw Attention
Plugin Slug: draw-attention
Installations: 20,000+
Vulnerability: Missing Authorization to Arbitrary Post Featured Image Modification
Patched in Version: 2.0.12
Severity Score: Medium
CVE: 2023-2764

Favorites

Plugin: Favorites
Plugin Slug: favorites
Installations: 20,000+
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched in Version: 2.3.3
Severity Score: Medium
CVE: 2023-2304

ReviewX

Plugin: ReviewX – Multi-criteria Rating & Reviews for WooCommerce
Plugin Slug: reviewx
Installations: 10,000+
Vulnerability: Arbitrary Usermeta Update to Authenticated (Subscriber+) Privilege Escalation
Patched in Version: 1.6.14
Severity Score: High
CVE: 2023-2833

WP ERP

Plugin: WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting
Plugin Slug: erp
Installations: 9,000+
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: 1.12.4
Severity Score: High
CVE: 2023-34008

bbp style pack

Plugin: bbp style pack
Plugin Slug: bbp-style-pack
Installations: 8,000+
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: 5.5.6
Severity Score: High
CVE: 2023-33997

Drop Shadow Boxes

Plugin: Drop Shadow Boxes
Plugin Slug: drop-shadow-boxes
Installations: 6,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.7.11
Severity Score: Medium
CVE: 2023-23833

WOLF

Plugin: WOLF – WordPress Posts Bulk Editor and Manager Professional
Plugin Slug: bulk-editor
Installations: 5,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.0.7.1
Severity Score: Medium
CVE: 2023-34028

CRM Perks Forms

Plugin: CRM Perks Forms – WordPress Form Builder
Plugin Slug: crm-perks-forms
Installations: 2,000+
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched in Version: 1.1.2
Severity Score: Medium
CVE: 2023-2836

Donation Platform for WooCommerce: Fundraising & Donation Management

Plugin: Donation Platform for WooCommerce: Fundraising & Donation Management
Plugin Slug: wc-donation-platform
Installations: 2,000+
Vulnerability: Cross-Site Request Forgery to Survey Submission
Patched in Version: 1.2.10
Severity Score: Medium

WP Inventory Manager

Plugin: WP Inventory Manager
Plugin Slug: wp-inventory-manager
Installations: 2,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 2.1.0.14
Severity Score: Medium
CVE: 2023-34002

WP Directory Kit

Plugin: WP Directory Kit
Plugin Slug: wpdirectorykit
Installations: 2,000+
Vulnerability: Reflected Cross-Site Scripting via ‘search’
Patched in Version: 1.2.4
Severity Score: High
CVE: 2023-2835

Advanced Flat rate shipping Woocommerce

Plugin: Conditional shipping & Advanced Flat rate shipping rates / Flexible shipping for WooCommerce shipping
Plugin Slug: advanced-free-flat-shipping-woocommerce
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.6.4.6
Severity Score: Medium
CVE: 2023-34015

GDPR Cookie Consent Notice Box

Plugin: GDPR Cookie Consent Notice Box
Plugin Slug: cookie-consent-box
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.1.7
Severity Score: Medium
CVE: 2023-32294

JS Jobs Manager

Plugin: JS Job Manager
Plugin Slug: js-jobs
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 2.0.1
Severity Score: Medium
CVE: 2023-31087

Kanban Boards for WordPress

Plugin: Kanban Boards for WordPress
Plugin Slug: kanban
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.5.21
Severity Score: Medium
CVE: 2023-34368

Telegram Bot & Channel

Plugin: Telegram Bot & Channel
Plugin Slug: telegram-bot
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.6.3
Severity Score: Medium
CVE: 2023-34006

Quick/Bulk Order Form for WooCommerce

Plugin: Quick/Bulk Order Form for WooCommerce
Plugin Slug: woocommerce-bulk-order-form
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.6.0
Severity Score: Medium
CVE: 2023-34170

WP User Switch

Plugin: WP User Switch
Plugin Slug: wp-user-switch
Installations: 1,000+
Vulnerability: Authentication Bypass via Cookie
Patched in Version: 1.0.3
Severity Score: High
CVE: 2023-2546

Front End Users

Plugin: Front End Users
Plugin Slug: front-end-only-users
Installations: 900+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 3.2.25
Severity Score: Medium
CVE: 2023-34005

Call Now Accessibility Button

Plugin: Call Now Accessibility Button
Plugin Slug: accessibility-help-button
Installations: 50+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.2
Severity Score: Medium
CVE: 2023-28933

B2BKing

Plugin: B2BKing Premium
Plugin Slug: b2bking
Vulnerability: Authenticated Product Price Change
Patched in Version: 4.6.20
Severity Score: Medium

Premium Addons PRO

Plugin: Premium Addons PRO
Plugin Slug: premium-addons-pro
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: 2.8.25
Severity Score: High
CVE: 2023-34012

WooCommerce Box Office

Plugin: WooCommerce Box Office
Plugin Slug: woocommerce-box-office
Vulnerability: Unauthenticated Save Ticket Barcode
Patched in Version: 1.1.52
Severity Score: Medium
CVE: 2023-34003

WooCommerce Box Office

Plugin: WooCommerce Box Office
Plugin Slug: woocommerce-box-office
Vulnerability: Contributor+ Stored Cross Site Scripting (XSS)
Patched in Version: 1.1.51
Severity Score: Medium
CVE: 2023-34004

WordPress Plugin Vulnerabilities — Unpatched

This section contains plugin vulnerabilities with no known fix. Until a patch is available, you are advised to deactivate the plugin, at minimum, immediately. If there is a high risk of active exploits or the plugin remains unpatched for weeks, you are advised to delete the plugin. You should also delete persistently unpatched plugins the WordPress.org repository has locked and marked “Closed” so they can no longer be downloaded and installed.

VK Blocks

Plugin: VK Blocks
Plugin Slug: vk-blocks
Installations: 70,000+
Vulnerability: Auth. Settings Update
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-0584

WPC Smart Wishlist for WooCommerce

Plugin: WPC Smart Wishlist for WooCommerce
Plugin Slug: woo-smart-wishlist
Installations: 50,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-34386

Constant Contact Forms

Plugin: Constant Contact Forms
Plugin Slug: constant-contact-forms
Installations: 40,000+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-34387

TS Webfonts

Plugin: TS Webfonts for ???????????
Plugin Slug: ts-webfonts-for-sakura
Installations: 30,000+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-34169

WordPress Social Login

Plugin: WordPress Social Login
Plugin Slug: wordpress-social-login
Installations: 30,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-34023

WordPress Social Login

Plugin: WordPress Social Login
Plugin Slug: wordpress-social-login
Installations: 30,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-34172

`OSM – OpenStreetMap

Plugin: OSM – OpenStreetMap
Plugin Slug: osm
Installations: 20,000+
Vulnerability: Contributor+ Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2022-4676

Yandex Metrica Counter

Plugin: Yandex Metrica Counter
Plugin Slug: counter-yandex-metrica
Installations: 10,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-34173

LWS Hide Login

Plugin: LWS Hide Login
Plugin Slug: lws-hide-login
Installations: 10,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-34025

Unite Gallery Lite

Plugin: Unite Gallery Lite
Plugin Slug: unite-gallery-lite
Installations: 10,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-34183

WP Hide Post

Plugin: WP Hide Post
Plugin Slug: wp-hide-post
Installations: 10,000+
Vulnerability: Cross Site Request Forgery (CSRF) Leading To Post Status Change
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-34378

Disable WordPress Update Notifications

Plugin: Disable WordPress Update Notifications and auto-update Email Notifications
Plugin Slug: disable-update-notifications
Installations: 8,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-34029

Call Now Icon Animate

Plugin: Call Now Icon Animate
Plugin Slug: call-now-icon-animate
Installations: 7,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-34187

Change WooCommerce Add To Cart Button Text

Plugin: Change WooCommerce Add To Cart Button Text
Plugin Slug: change-woocommerce-add-to-cart-button-text
Installations: 3,000+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-34376

Google Fonts For WordPress

Plugin: Google Fonts For WordPress
Plugin Slug: free-google-fonts
Installations: 3,000+
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-34180

Ajax Pagination and Infinite Scroll

Plugin: Ajax Pagination and Infinite Scroll
Plugin Slug: malinky-ajax-pagination
Installations: 3,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-34033

Online Booking & Scheduling Calendar for WordPress by vcita

Plugin: Online Booking & Scheduling Calendar for WordPress by vcita
Plugin Slug: meeting-scheduler-by-vcita
Installations: 3,000+
Vulnerability: Unauth. Stored Cross-Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-2298

Online Booking & Scheduling Calendar for WordPress by vcita

Plugin: Online Booking & Scheduling Calendar for WordPress by vcita
Plugin Slug: meeting-scheduler-by-vcita
Installations: 3,000+
Vulnerability: Missing Authorization to Account Logout
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-2415

Online Booking & Scheduling Calendar for WordPress by vcita

Plugin: Online Booking & Scheduling Calendar for WordPress by vcita
Plugin Slug: meeting-scheduler-by-vcita
Installations: 3,000+
Vulnerability: Missing Authorization on REST-API
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-2299

Online Booking & Scheduling Calendar for WordPress by vcita

Plugin: Online Booking & Scheduling Calendar for WordPress by vcita
Plugin Slug: meeting-scheduler-by-vcita
Installations: 3,000+
Vulnerability: Missing Authorization to Settings Update and Media Upload
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-2414

BBS e-Popup

Plugin: BBS e-Popup
Plugin Slug: bbs-e-popup
Installations: 2,000+
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-34174

Contact Form Builder by vcita

Plugin: Contact Form Builder by vcita
Plugin Slug: contact-form-with-a-meeting-scheduler-by-vcita
Installations: 2,000+
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-2301

Contact Form Builder by vcita

Plugin: Contact Form Builder by vcita
Plugin Slug: contact-form-with-a-meeting-scheduler-by-vcita
Installations: 2,000+
Vulnerability: Auth. Stored Cross-Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-2300

Groundhogg

Plugin: WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg
Plugin Slug: groundhogg
Installations: 2,000+
Vulnerability: SQL Injection
Patched in Version: No Fix
Severity Score: High
CVE: 2023-34179

Groundhogg

Plugin: WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg
Plugin Slug: groundhogg
Installations: 2,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-34178

SpamReferrerBlock

Plugin: SpamReferrerBlock
Plugin Slug: spamreferrerblock
Installations: 2,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-34372

SpamReferrerBlock

Plugin: SpamReferrerBlock
Plugin Slug: spamreferrerblock
Installations: 2,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-34371

WordPress Tables

Plugin: WordPress Tables
Plugin Slug: wptables
Installations: 2,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-25453

bbPress Toolkit

Plugin: bbPress Toolkit
Plugin Slug: bbp-toolkit
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-34031

bbPress Toolkit

Plugin: bbPress Toolkit
Plugin Slug: bbp-toolkit
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-34032

Chilexpress woo oficial

Plugin: Chilexpress woo oficial
Plugin Slug: chilexpress-oficial
Installations: 1,000+
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-34176

Dynamic QR Code Generator

Plugin: Dynamic QR Code Generator
Plugin Slug: dynamic-qr-code-generator
Installations: 1,000+
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-34022

Extended Post Status

Plugin: Extended Post Status
Plugin Slug: extended-post-status
Installations: 1,000+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-32094

Floating Action Button

Plugin: Floating Action Button
Plugin Slug: floating-action-button
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-31088

Headless CMS

Plugin: Headless CMS
Plugin Slug: headless-cms
Installations: 1,000+
Vulnerability: Broken Authentication
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-34186

Woocommerce Order address Print

Plugin: Woocommerce Order address Print
Plugin Slug: woocommerce-order-address-print
Installations: 1,000+
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-34184

WordPress NextGen GalleryView

Plugin: WordPress NextGen GalleryView
Plugin Slug: wordpress-nextgen-galleryview
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-34185

WP-Cache.com

Plugin: WP-Cache.com
Plugin Slug: wp-cachecom
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-34177

WP-Cirrus

Plugin: WP-Cirrus
Plugin Slug: wp-cirrus
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-34181

WP Full Auto Tags Manager

Plugin: WP Full Auto Tags Manager
Plugin Slug: wp-full-auto-tags-manager
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-34024

WP Report Post

Plugin: WP Report Post
Plugin Slug: wp-report-post
Installations: 1,000+
Vulnerability: SQL Injection
Patched in Version: No Fix
Severity Score: High
CVE: 2023-34168

WP Report Post

Plugin: WP Report Post
Plugin Slug: wp-report-post
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-34171

Worthy – VG WORT Integration für WordPress

Plugin: Worthy – VG WORT Integration für WordPress
Plugin Slug: wp-worthy
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-24417

Contact Form and Calls To Action by vcita

Plugin: Contact Form and Calls To Action by vcita
Plugin Slug: lead-capturing-call-to-actions-by-vcita
Installations: 400+
Vulnerability: Auth. Stored Cross-Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-2302

Contact Form and Calls To Action by vcita

Plugin: Contact Form and Calls To Action by vcita
Plugin Slug: lead-capturing-call-to-actions-by-vcita
Installations: 400+
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-2303

CRM and Lead Management by vcita

Plugin: CRM and Lead Management by vcita
Plugin Slug: crm-customer-relationship-management-by-vcita
Installations: 200+
Vulnerability: Auth. Stored Cross-Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-2404

CRM and Lead Management by vcita

Plugin: CRM and Lead Management by vcita
Plugin Slug: crm-customer-relationship-management-by-vcita
Installations: 200+
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-2405

LH Password Changer

Plugin: LH Password Changer
Plugin Slug: lh-password-changer
Installations: 100+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-34182

TPG Redirect

Plugin: TPG Redirect
Plugin Slug: tpg-redirect
Installations: 20+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-32093

Blog-in-Blog

Plugin: Blog-in-Blog
Plugin Slug: blog-in-blog
Vulnerability: Authenticated (Editor+) Local File Inclusion via Shortcode
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-2435

Blog-in-Blog

Plugin: Blog-in-Blog
Plugin Slug: blog-in-blog
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting via Shortcode
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-2436

Cart2Cart: Magento to WooCommerce Migration

Plugin: Cart2Cart: Magento to WooCommerce Migration
Plugin Slug: cart2cart-magento-to-woocommerce-migration
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-34379

Display post meta, term meta, comment meta, and user meta

Plugin: Display post meta, term meta, comment meta, and user meta
Plugin Slug: display-metadata
Vulnerability: Authenticated(Contributor+) Stored Cross-Site Scripting
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-1661

Feather Login Page

Plugin: Feather Login Page
Plugin Slug: feather-login-page
Vulnerability: Missing Authorization to Authentication Bypass and Privilege Escalation
Patched in Version: No Fix
Severity Score: High
CVE: 2023-2545

Feather Login Page

Plugin: Feather Login Page
Plugin Slug: feather-login-page
Vulnerability: Missing Authorization to Non-Arbitrary User Deletion
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-2547

Feather Login Page

Plugin: Feather Login Page
Plugin Slug: feather-login-page
Vulnerability: Cross Site Request Forgery (CSRF) to Privilege Escalation
Patched in Version: No Fix
Severity Score: High
CVE: 2023-2549

Kebo Twitter Feed

Plugin: Kebo Twitter Feed
Plugin Slug: kebo-twitter-feed
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-34384

Login Configurator

Plugin: Login Configurator
Plugin Slug: login-configurator
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-34175

Page Builder by AZEXO

Plugin: Page Builder with Image Map by AZEXO
Plugin Slug: page-builder-by-azexo
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-3052

Page Builder by AZEXO

Plugin: Page Builder with Image Map by AZEXO
Plugin Slug: page-builder-by-azexo
Vulnerability: Auth. Stored Cross-Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-3051

Page Builder by AZEXO

Plugin: Page Builder with Image Map by AZEXO
Plugin Slug: page-builder-by-azexo
Vulnerability: Missing Authorization to Post Creation
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-3053

Page Builder by AZEXO

Plugin: Page Builder with Image Map by AZEXO
Plugin Slug: page-builder-by-azexo
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-3055

Web Directory Free

Plugin: Web Directory Free
Plugin Slug: web-directory-free
Vulnerability: Authenticated (Contributor+) SQL Injection via post_id
Patched in Version: No Fix
Severity Score: High
CVE: 2023-2201

Wordapp

Plugin: Wordapp
Plugin Slug: wordapp
Vulnerability: Authorization Bypass through Use of Insufficiently Unique Cryptographic Signature
Patched in Version: No Fix
Severity Score: Critical
CVE: 2023-2987

WordPress Theme Vulnerabilities

In this section, you’ll find the latest WordPress theme vulnerabilities to be disclosed. You’ll see the same information provided above for vulnerable plugins, and the same advice applies. If a security update exists, install it immediately. If a vulnerability remains unpatched in a theme you are actively using, you will need to find an alternative theme. Deactivate and delete persistently unpatched themes and those that have been “Closed” in the WordPress.org theme repository. If you have a vulnerable theme installed that you are not actively using, simply delete it.

No new WordPress theme vulnerabilities were disclosed this week.

Never worry about running a vulnerable plugin or theme again.

As you can see from this report, new WordPress plugin and theme vulnerabilities are disclosed every week. We know it can be difficult to stay on top of every reported vulnerability disclosure that matters to you, so the Themes Security Pro plugin makes it easy to ensure your site isn’t running a vulnerable theme, plugin, or version of WordPress core.

Scans Your Website Twice a Day for Vulnerabilities

Your website’s plugins, themes, and WordPress core versions are checked against the Patchstack Vulnerability Database for the latest vulnerability disclosures.

Automatically Updates if a Security Fix is Available

Paired with Version Management, iThemes Security will automatically update a plugin, theme, or WordPress core version if it has a vulnerability.

Emails You a Warning if Site Scan Detects a Vulnerability

You can receive an email report if your site is running vulnerable versions of a plugin, theme, or WordPress core. Customize the email addresses that receive scan results.

The Best WordPress Security Plugin to Secure & Protect WordPress Sites

WordPress currently powers over 40% of all websites, so it has become a popular target for hackers with malicious intent. The iThemes Security Pro plugin takes the guesswork out of WordPress security to make it easy to secure & protect your WordPress website. It’s like having a full-time security expert on staff who constantly monitors and protects your WordPress site for you.

Buy iThemes Security Pro

Dan Knauss

Dan Knauss is StellarWP’s Technical Content Generalist. He’s been a writer, teacher, and freelancer working in open source since the late 1990s and with WordPress since 2004.

WordPress Vulnerability Report – June 7, 2023

WordPress Core Vulnerabilities — Patched

WordPress Plugin Vulnerabilities — Patched

WordPress Plugin Vulnerabilities — Unpatched

WordPress Theme Vulnerabilities

Never worry about running a vulnerable plugin or theme again.

Scans Your Website Twice a Day for Vulnerabilities

Automatically Updates if a Security Fix is Available

Emails You a Warning if Site Scan Detects a Vulnerability

The Best WordPress Security Plugin to Secure & Protect WordPress Sites

Other related posts

About iThemes

Resources

Customers

Top Products

Get the Weekly WordPress Vulnerability Report

Vulnerable WordPress plugins and themes are the #1 reason WordPress sites get hacked, but keeping track of every new plugin and theme vulnerability is hard work. Get the weekly WordPress Vulnerability Report delivered right to your inbox to help keep your website secure.

iThemes is Becoming SolidWP

We have been working hard for almost a year to bring you incredible new features in the form of our new and improved brand: SolidWP. Discover what’s new!

Get the Weekly WordPress Vulnerability Report