WordPress Vulnerability Report

Vulnerable plugins and themes are some of the most common vectors for attacks on WordPress websites. Our weekly WordPress Vulnerability Report, now powered by Patchstack, covers new WordPress plugins, themes, and core vulnerabilities that have emerged since last week’s report. Our goal is to help you decide what to do if you are using one of these vulnerable plugins or themes on your website. For a deeper, historical analysis of WordPress vulnerabilities and threat vectors, see our 2022 Annual Vulnerability Report.

The Future of Authentication is Passkeys! Log into your WordPress site with Biometrics only available in iThemes Security Pro.

Credential stuffing, phishing, and brute force attacks using stolen, guessable, or reused passwords have made our digital lives less secure. Two-Factor Authentication (2FA) offers some protection but at the cost of usability and accessibility. Fewer than 30% of all online account holders actually use 2FA. Password-based logins are broken.

The future of authentication is passkeys, and iThemes Security Pro is the first to bring this breakthrough technology to WordPress sites. Using breakthrough WebAuthn technology based on public/private cryptography, passkeys make passwords obsolete. Now, website admins and end users can have secure logins without the inconvenience of additional two-factor apps, password managers, or complex password requirements.

Learn More About Passkeys

WordPress Core News

WordPress 6.1.1 was released on November 15, 2022, as a short-cycle maintenance release with 29 bug fixes in Core and 21 bug fixes for the block editor. Because this is a core update, be sure to update to WordPress 6.1.1 as soon as possible! As always, with a major release like this, ensure your site is backed up with BackupBuddy before updating.

WordPress 6.2 Beta 4

WordPress 6.2 Beta 4 rolled out today for testing after being postponed for a few days to deal with a regression. As of Beta 4, over 400 Trac issues have been raised and closed this cycle. The current target for the final release date is still March 28, 2023.

So far, the 6.2 release cycle has made more than 292 enhancements and 354 bug fixes just for the editor. A running total of 289 tickets have been closed in Trac for the 6.2 milestone, with more to come.

In the final 6.2 release, expect to see tight integration with Openverse in the editor and media library. The Navigation block has been significantly improved. A new Style Book feature displays all blocks in the current global styles, and there’s new custom CSS support for your full site and individual blocks. For more details on new features in 6.2, see the Beta 1 release news.

With the arrival of WordPress 6.2, Phase Two of Gutenberg’s development will have ended. Phase Two focused on the Block and Site Editor features that now allow deep customization of site designs and layouts. Next, Phase Three will focus on collaborative editing features. Take a look at the WordPress Development Roadmap to learn more.

Gutenberg 15.2

The latest release of the Gutenberg plugin, version 15.2, is available now if you’d like to get a preview of bleeding-edge features. Please note the 15.2 release offers new features that will be included in the WordPress 6.3 core release but not 6.2. These features include revisions for the full site template editor so you can roll back changes to site templates.

Other new features of note in Gutenberg 15.2 are CSS aspect-ratio controls for the Featured Image block for posts and support for border color, style, and width in the Button block. There’s new typography support for the Latest Comments block, and the Post Excerpt block will have an excerpt length limit control. You’ll find accessibility improvements to labeling, tab, arrow key navigation, and the hierarchy of headings in the editor interface. See the version notes for the full details about many other enhancements and bug fixes.

No new WordPress core vulnerabilities were disclosed this week.

Get the weekly WordPress Vulnerability Report delivered to your inbox each Wednesday.

WordPress Plugin Vulnerabilities

In this section, you’ll find the most recently disclosed WordPress plugin vulnerabilities that have been fixed with a new release from their authors and maintainers. These vulnerabilities have been disclosed and scored for their severity thanks to our friends at Patchstack. Each plugin listing includes the type of vulnerability with its CVE number and CVSS severity rating with links to more technical details. You’ll also see the number of active sites using the plugin and the plugin version release that patches the vulnerability. We start with the most popular plugins, which represent the largest target for attackers.

WordPress All in One SEO Pack plugin

Plugin: All in One SEO – Best WordPress SEO Plugin – Easily Improve SEO Rankings & Increase Traffic
Plugin Slug: all-in-one-seo-pack
Installations: 3,000,000+
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched in Version: 4.3.0
Severity Score: Medium
CVE: 2023-0585

WordPress All in One SEO Pack plugin

Plugin: All in One SEO – Best WordPress SEO Plugin – Easily Improve SEO Rankings & Increase Traffic
Plugin Slug: all-in-one-seo-pack
Installations: 3,000,000+
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched in Version: 4.3.0
Severity Score: Medium
CVE: 2023-0586

WordPress Starter Templates plugin

Plugin: Starter Templates — Elementor, WordPress & Beaver Builder Templates
Plugin Slug: astra-sites
Installations: 1,000,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 3.1.21
Severity Score: Medium
CVE: 2022-46851

WordPress ProfilePress plugin

Plugin: Paid Membership Plugin, Ecommerce, Registration Form, Login Form, User Profile & Restrict Content – ProfilePress
Plugin Slug: wp-user-avatar
Installations: 300,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 4.5.5
Severity Score: High
CVE: 2023-23830

WordPress Advanced Database Cleaner plugin

Plugin: Advanced Database Cleaner
Plugin Slug: advanced-database-cleaner
Installations: 100,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 3.1.2
Severity Score: Medium
CVE: 2022-46813

WordPress Strong Testimonials plugin

Plugin: Strong Testimonials
Plugin Slug: strong-testimonials
Installations: 100,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.0.3
Severity Score: Medium
CVE: 2023-26013

WordPress VK All in One Expansion Unit plugin

Plugin: VK All in One Expansion Unit
Plugin Slug: vk-all-in-one-expansion-unit
Installations: 100,000+
Vulnerability: Reflected Cross-Site Scripting via REQUEST_URI
Patched in Version: 9.87.1.0
Severity Score: High

WordPress Contextual Related Posts plugin

Plugin: Contextual Related Posts
Plugin Slug: contextual-related-posts
Installations: 70,000+
Vulnerability: Missing Authorization in crp_ajax_clearcache
Patched in Version: 3.3.2
Severity Score: Medium

WordPress Media Library Assistant plugin

Plugin: Media Library Assistant
Plugin Slug: media-library-assistant
Installations: 70,000+
Vulnerability: Admin+ SQL Injection
Patched in Version: 3.06
Severity Score: Medium
CVE: 2023-0279

WordPress wpDataTables – WordPress Tables & Table Charts Plugin plugin

Plugin: wpDataTables – WordPress Tables & Table Charts Plugin
Plugin Slug: wpdatatables
Installations: 70,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.1.50
Severity Score: Medium
CVE: 2023-23876

WordPress WP Table Builder – WordPress Table Plugin plugin

Plugin: WP Table Builder – WordPress Table Plugin
Plugin Slug: wp-table-builder
Installations: 60,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.4.7
Severity Score: Medium
CVE: 2022-46852

WordPress Drag and Drop Multiple File Upload – Contact Form 7 plugin

Plugin: Drag and Drop Multiple File Upload – Contact Form 7
Plugin Slug: drag-and-drop-multiple-file-upload-contact-form-7
Installations: 50,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.3.6.6
Severity Score: Medium
CVE: 2022-45364

WordPress Feed Them Social – for Twitter feed, Youtube and more plugin

Plugin: Feed Them Social – Page, Post, Video, and Photo Galleries
Plugin Slug: feed-them-social
Installations: 50,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 4.0.0
Severity Score: Medium
CVE: 2023-25056

WordPress The Post Grid plugin

Plugin: The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid
Plugin Slug: the-post-grid
Installations: 40,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 5.0.5
Severity Score: Medium
CVE: 2022-46853

WordPress 10Web Booster

Plugin: 10Web Booster – Website speed optimization, Cache & Page Speed optimizer
Plugin Slug: tenweb-speed-optimizer
Installations: 30,000+
Vulnerability: Authorization in Settings Import to Stored Cross-Site Scripting
Patched in Version: 2.13.45
Severity Score: High

WordPress Top 10 plugin

Plugin: Top 10 – Popular posts plugin for WordPress
Plugin Slug: top-10
Installations: 30,000+
Vulnerability: Insufficient Authorization
Patched in Version: 3.2.5
Severity Score: Medium

WordPress Top 10 plugin

Plugin: Top 10 – Popular posts plugin for WordPress
Plugin Slug: top-10
Installations: 30,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.2.5
Severity Score: Medium
CVE: 2023-26008

WordPress Minify HTML plugin

Plugin: Minify HTML
Plugin Slug: minify-html-markup
Installations: 20,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 2.1.8
Severity Score: Medium
CVE: 2023-26014

WordPress Redirect Redirection plugin

Plugin: Redirection
Plugin Slug: redirect-redirection
Installations: 20,000+
Vulnerability: Multiple Missing Authorization
Patched in Version: 1.1.4
Severity Score: Medium

WordPress Wholesale Suite plugin

Plugin: Wholesale Suite – WooCommerce Wholesale Prices, B2B, Catalog Mode, Order Form, Wholesale User Roles, Dynamic Pricing & More
Plugin Slug: woocommerce-wholesale-prices
Installations: 20,000+
Vulnerability: Settings Change
Patched in Version: 2.1.5.1
Severity Score: Medium
CVE: 2022-34344

WordPress WP Meta SEO plugin

Plugin: WP Meta SEO
Plugin Slug: wp-meta-seo
Installations: 20,000+
Vulnerability: Cross Site Request Forgery (CSRF) via ‘regenerateSitemaps’
Patched in Version: 4.5.4
Severity Score: Medium
CVE: 2023-1029

WordPress WP Meta SEO plugin

Plugin: WP Meta SEO
Plugin Slug: wp-meta-seo
Installations: 20,000+
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched in Version: 4.5.3
Severity Score: High

WordPress Maspik – Spam blacklist plugin

Plugin: Maspik – Spam blacklist
Plugin Slug: contact-forms-anti-spam
Installations: 10,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 0.7.9
Severity Score: Medium
CVE: 2023-24008

WordPress Video Gallery – YouTube Gallery plugin

Plugin: Video Gallery – Best WordPress YouTube Gallery Plugin
Plugin Slug: gallery-videos
Installations: 10,000+
Vulnerability: Broken Access Control
Patched in Version: 1.7.7
Severity Score: High
CVE: 2023-25988

WordPress Video Gallery – YouTube Gallery plugin

Plugin: Video Gallery – Best WordPress YouTube Gallery Plugin
Plugin Slug: gallery-videos
Installations: 10,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.7.7
Severity Score: Medium
CVE: 2023-25979

WordPress Paytm Payment Gateway plugin

Plugin: Paytm Payment Gateway
Plugin Slug: paytm-payments
Installations: 10,000+
Vulnerability: SQL Injection
Patched in Version: 2.7.7
Severity Score: High
CVE: 2022-45805

WordPress UsersWP plugin

Plugin: UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WordPress
Plugin Slug: userswp
Installations: 10,000+
Vulnerability: CSV Injection
Patched in Version: 1.2.3.10
Severity Score: Medium
CVE: 2022-47442

WordPress Japanized For WooCommerce plugin

Plugin: Japanized For WooCommerce
Plugin Slug: woocommerce-for-japan
Installations: 10,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.5.5
Severity Score: High
CVE: 2023-0942

WordPress My YouTube Channel plugin

Plugin: My YouTube Channel
Plugin Slug: youtube-channel
Installations: 9,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 3.23.4
Severity Score: Medium
CVE: 2023-25987

WordPress WordPress Tooltips plugin

Plugin: WordPress Tooltips
Plugin Slug: wordpress-tooltips
Installations: 7,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 8.2.7
Severity Score: Medium
CVE: 2023-25985

WordPress Client Portal plugin

Plugin: Client Portal – Private user pages and login
Plugin Slug: client-portal
Installations: 6,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.1.9
Severity Score: Medium
CVE: 2023-25968

WordPress Etsy Shop plugin

Plugin: Etsy Shop
Plugin Slug: etsy-shop
Installations: 6,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 3.0.4
Severity Score: Medium
CVE: 2023-25975

WordPress WPMobile.App — Android and iOS Mobile Application plugin

Plugin: WPMobile.App — Android and iOS Mobile Application
Plugin Slug: wpappninja
Installations: 6,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 11.19
Severity Score: Medium
CVE: 2023-26010

WordPress Dashboard Widgets Suite plugin

Plugin: Dashboard Widgets Suite
Plugin Slug: dashboard-widgets-suite
Installations: 5,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.2.2
Severity Score: Medium
CVE: 2023-26517

WordPress Publish to Schedule plugin

Plugin: Publish to Schedule
Plugin Slug: publish-to-schedule
Installations: 5,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 4.5.5
Severity Score: Medium
CVE: 2023-26519

WordPress Publish to Schedule plugin

Plugin: Publish to Schedule
Plugin Slug: publish-to-schedule
Installations: 5,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 4.5.4
Severity Score: Medium
CVE: 2023-25994

WordPress Read More Excerpt Link plugin

Plugin: Read More Excerpt Link
Plugin Slug: read-more-excerpt-link
Installations: 5,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.6.1
Severity Score: Medium
CVE: 2023-26011

WordPress Auto Affiliate Links plugin

Plugin: Auto Affiliate Links
Plugin Slug: wp-auto-affiliate-links
Installations: 5,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 6.3.0.3
Severity Score: Medium
CVE: 2023-25973

WordPress Integration for Contact Form 7 and Zoho CRM, Bigin plugin

Plugin: Integration for Contact Form 7 and Zoho CRM, Bigin
Plugin Slug: cf7-zoho
Installations: 4,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.2.3
Severity Score: Medium
CVE: 2023-25976

WordPress Community by PeepSo – Social Network, Membership, Registration, User Profiles plugin

Plugin: Community by PeepSo – Social Network, Membership, Registration, User Profiles
Plugin Slug: peepso-core
Installations: 4,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 6.0.3.0
Severity Score: Medium
CVE: 2023-25967

WordPress Community by PeepSo plugin

Plugin: Community by PeepSo – Social Network, Membership, Registration, User Profiles
Plugin Slug: peepso-core
Installations: 4,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 6.0.3.0
Severity Score: Medium
CVE: 2022-41633

WordPress Sp*tify Play Button for WordPress plugin

Plugin: Sp*tify Play Button for WordPress
Plugin Slug: spotify-play-button-for-wordpress
Installations: 4,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.06
Severity Score: Medium
CVE: 2023-26536

WordPress Drag and Drop Multiple File Upload for WooCommerce plugin

Plugin: Drag and Drop Multiple File Upload for WooCommerce
Plugin Slug: drag-and-drop-multiple-file-upload-for-woocommerce
Installations: 3,000+
Vulnerability: Unauth. Non-arbitrary file upload/deletion
Patched in Version: 1.0.9
Severity Score: Medium
CVE: 2022-45377

WordPress We’re Open! plugin

Plugin: We’re Open!
Plugin Slug: opening-hours
Installations: 3,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.47
Severity Score: Medium
CVE: 2023-25964

WordPress Simple YouTube Responsive plugin

Plugin: Simple YouTube Responsive
Plugin Slug: simple-youtube-responsive
Installations: 3,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.0
Severity Score: Medium
CVE: 2023-25982

WordPress WP Custom Fields Search plugin

Plugin: WP Custom Fields Search
Plugin Slug: wp-custom-fields-search
Installations: 3,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.2.35
Severity Score: Medium
CVE: 2022-47157

WordPress BuddyForms plugin

Plugin: Post Form – Registration Form – Profile Form for User Profiles and Content Forms for User Submissions
Plugin Slug: buddyforms
Installations: 2,000+
Vulnerability: PHP Object Injection
Patched in Version: 2.7.8
Severity Score: Medium

WordPress CSS JS Manager, Async JavaScript, Defer Render Blocking CSS supports WooCommerce plugin

Plugin: CSS JS Manager, Async JavaScript, Defer Render Blocking CSS supports WooCommerce
Plugin Slug: css-js-manager
Installations: 2,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 2.4.49.1
Severity Score: Medium
CVE: 2022-47154

WordPress KB Support – WordPress Help Desk plugin

Plugin: KB Support – WordPress Help Desk
Plugin Slug: kb-support
Installations: 2,000+
Vulnerability: CSV Injection
Patched in Version: 1.5.85
Severity Score: Medium
CVE: 2023-25983

WordPress Multiple Pages Generator by Themeisle plugin

Plugin: Multiple Page Generator Plugin – MPG
Plugin Slug: multiple-pages-generator-by-porthas
Installations: 2,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 3.3.10
Severity Score: Medium
CVE: 2022-47143

WordPress Simple Slug Translate plugin

Plugin: Simple Slug Translate
Plugin Slug: simple-slug-translate
Installations: 2,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.7.3
Severity Score: Medium
CVE: 2023-26515

WordPress WordPress Books Gallery plugin

Plugin: WordPress Books Gallery
Plugin Slug: wp-books-gallery
Installations: 2,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 4.4.9
Severity Score: Medium
CVE: 2023-23705

WordPress Accordions – Multiple Accordions or FAQs Builder plugin

Plugin: Accordion – Multiple Accordion or FAQs Builder
Plugin Slug: accordions-or-faqs
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.3.1
Severity Score: Medium
CVE: 2023-25962

WordPress Clio Grow plugin

Plugin: Clio Grow
Plugin Slug: clio-grow-form
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.0.1
Severity Score: Medium
CVE: 2023-22683

WordPress Calendar Event Multi View plugin

Plugin: Calendar Event Multi View
Plugin Slug: cp-multi-view-calendar
Installations: 1,000+
Vulnerability: Broken Access Control
Patched in Version: 1.4.15
Severity Score: Low
CVE: 2023-23814

WordPress Sheets To WP Table Live Sync plugin

Plugin: Sheets To WP Table Live Sync
Plugin Slug: sheets-to-wp-table-live-sync
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 2.13.0
Severity Score: Medium
CVE: 2023-26535

WordPress Broadcast Live Video plugin

Plugin: Broadcast Live Video – Live Streaming : HTML5, WebRTC, HLS, RTSP, RTMP
Plugin Slug: videowhisper-live-streaming-integration
Installations: 1,000+
Vulnerability: Remote Code Execution (RCE)
Patched in Version: 5.5.16
Severity Score: Critical
CVE: 2023-25699

WordPress WP Dynamic Keywords Injector plugin

Plugin: WP Dynamic Keywords Injector
Plugin Slug: wp-dynamic-keywords-injector
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 2.3.16
Severity Score: Medium
CVE: 2022-47141

WordPress WordPress Stripe Donation plugin

Plugin: Accept Stripe Donation – AidWP
Plugin Slug: wp-stripe-donation
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 3.1.6
Severity Score: Medium
CVE: 2022-47422

WordPress CM Answers plugin

Plugin: CM Answers
Plugin Slug: cm-answers
Installations: 800+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.2.0
Severity Score: Medium
CVE: 2023-25992

WordPress Coupon Zen plugin

Plugin: Coupon Zen
Plugin Slug: coupon-zen
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.0.6
Severity Score: Medium

WordPress Houzez Login Register plugin

Plugin: Houzez Login Register
Plugin Slug: houzez-login-register
Vulnerability: Privilege Escalation
Patched in Version: 2.6.4
Severity Score: Critical
CVE: 2023-26009

WordPress Plugin Vulnerabilities – No Known Fix

This section contains plugin vulnerabilities with no known fix. Until a patch is available, you are advised to deactivate the plugin, at minimum, immediately. If there is a high risk of active exploits or the plugin remains unpatched for weeks, you are advised to delete the plugin. You should also delete persistently unpatched plugins the WordPress.org repository has locked and marked “Closed” so they can no longer be downloaded and installed.

WordPress All In One Favicon plugin

Plugin: All In One Favicon
Plugin Slug: all-in-one-favicon
Installations: 100,000+
Vulnerability: Arbitrary File Deletion
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-24416

WordPress Apollo13 Framework Extensions plugin

Plugin: Apollo13 Framework Extensions
Plugin Slug: apollo13-framework-extensions
Installations: 40,000+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-25959

WordPress Markup plugin

Plugin: Markup (JSON-LD) structured in schema.org
Plugin Slug: wp-structuring-markup
Installations: 30,000+
Vulnerability: Contributor+ Stored XSS via Shortcode
Patched in Version: No Fix
Severity Score: Medium
CVE: 2022-4666

WordPress TypeSquare Webfonts for ConoHa plugin

Plugin: TypeSquare Webfonts for ConoHa
Plugin Slug: ts-webfonts-for-conoha
Installations: 20,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-25458

WordPress All-in-one search automatic push management plug-in – support Baidu/Google/Bing/IndexNow/Yandex/ headlines plugin

Plugin: All-in-one search automatic push management plug-in – support Baidu/Google/Bing/IndexNow/Yandex/headlines
Plugin Slug: baidu-submit-link
Installations: 10,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-26531

WordPress Login Logout Menu plugin

Plugin: Login Logout Menu
Plugin Slug: baw-login-logout-menu
Installations: 10,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2022-4622

WordPress Jobs for WordPress plugin

Plugin: Jobs for WordPress
Plugin Slug: job-postings
Installations: 9,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-26017

WordPress For the visually impaired plugin

Plugin: For the visually impaired
Plugin Slug: for-the-visually-impaired
Installations: 8,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-25038

WordPress Admin Block Country plugin

Plugin: Admin Block Country
Plugin Slug: admin-block-country
Installations: 4,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-24007

WordPress Hero Banner Ultimate plugin

Plugin: Hero Banner Ultimate
Plugin Slug: hero-banner-ultimate
Installations: 2,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2022-45818

WordPress Theme Tweaker plugin

Plugin: Theme Tweaker
Plugin Slug: theme-tweaker-lite
Installations: 2,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-23713

WordPress Booking Ultra Pro Appointments Booking Calendar Plugin plugin

Plugin: Booking Ultra Pro Appointments Booking Calendar Plugin
Plugin Slug: booking-ultra-pro
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2022-46816

WordPress Easy Google Analytics for WordPress plugin

Plugin: Easy Google Analytics for WordPress
Plugin Slug: easy-google-analytics-for-wordpress
Installations: 1,000+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-23887

WordPress GMAce plugin

Plugin: GMAce
Plugin Slug: gmace
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-23861

WordPress GMAce plugin

Plugin: GMAce
Plugin Slug: gmace
Installations: 1,000+
Vulnerability: Arbitrary File Download
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-23872

WordPress JS Job Manager plugin

Plugin: JS Job Manager
Plugin Slug: js-jobs
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-25963

WordPress phpinfo() WP plugin

Plugin: phpinfo() WP
Plugin Slug: phpinfo-wp
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-26542

WordPress WP Google Tag Manager plugin

Plugin: WP Google Tag Manager
Plugin Slug: wp-google-tag-manager
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-22693

WordPress Bing Site Verification plugin using Meta Tag plugin

Plugin: Bing Site Verification plugin using Meta Tag
Plugin Slug: bing-site-verification-using-meta-tag
Installations: 900+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-23875

WordPress WordPress Custom Settings plugin

Plugin: WordPress Custom Settings
Plugin Slug: custom-settings
Installations: 900+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-23806

WordPress Exquisite PayPal Donation plugin

Plugin: Exquisite PayPal Donation
Plugin Slug: exquisite-paypal-donation
Installations: 900+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-23785

WordPress Sitemap Index plugin

Plugin: Sitemap Index
Plugin Slug: sitemap-index
Installations: 900+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-23816

WordPress Sponsors Carousel plugin

Plugin: Sponsors Carousel
Plugin Slug: sponsors-carousel
Installations: 900+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-23808

WordPress Stock market charts from finviz plugin

Plugin: Stock market charts from finviz
Plugin Slug: stock-market-charts-from-finviz
Installations: 900+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-23809

WordPress WP-RecentComments plugin

Plugin: WP-RecentComments
Plugin Slug: wp-recentcomments
Installations: 900+
Vulnerability: Sensitive Data Exposure
Patched in Version: No Fix
Severity Score: Medium

WordPress WP-RecentComments plugin

Plugin: WP-RecentComments
Plugin Slug: wp-recentcomments
Installations: 900+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-23886

WordPress Circles Gallery plugin

Plugin: Circles Gallery
Plugin Slug: circles-gallery
Installations: 800+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-23881

WordPress Upload Resume plugin

Plugin: Upload Resume
Plugin Slug: resume-upload-form
Installations: 600+
Vulnerability: Sensitive Data Exposure
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-25965

WordPress Educare – Students & Result Management System plugin

Plugin: Educare – Students & Result Management System
Plugin Slug: educare
Installations: 300+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-25971

WordPress Custom Login Page plugin

Plugin: Custom Login Page
Plugin Slug: wp-custom-login-page
Installations: 100+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-26012

WordPress asMember plugin

Plugin: asMember
Plugin Slug: asmember
Installations: 10+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-26541

WordPress Chat Bee plugin

Plugin: Chat Bee
Plugin Slug: chat-bee
Installations: 10+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-26538

WordPress Simple Portfolio Gallery plugin

Plugin: Simple Portfolio Gallery
Plugin Slug: simple-portfolio-gallery
Installations: 10+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-26016

WordPress Conditional Checkout Fields for WooCommerce plugin

Plugin: Conditional Checkout Fields for WooCommerce
Plugin Slug: conditional-checkout-fields-for-woocommerce
Vulnerability: Broken Authentication
Patched in Version: No Fix
Severity Score: Medium
CVE: 2022-45070

WordPress CPT – Speakers plugin

Plugin: CPT – Speakers
Plugin Slug: cpt-speakers
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-25977

WordPress PayGreen plugin

Plugin: PayGreen
Plugin Slug: paygreen-woocommerce
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-25986

WordPress Social Login WP plugin

Plugin: Social Login WP
Plugin Slug: social-login-wp
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2022-38063

WordPress Zendrop – Global Dropshipping plugin

Plugin: Zendrop – Global Dropshipping
Plugin Slug: zendrop-dropshipping-and-fulfillment
Vulnerability: SQL Injection
Patched in Version: No Fix
Severity Score: Critical
CVE: 2023-25960

WordPress Zendrop – Global Dropshipping plugin

Plugin: Zendrop – Global Dropshipping
Plugin Slug: zendrop-dropshipping-and-fulfillment
Vulnerability: Arbitrary File Upload
Patched in Version: No Fix
Severity Score: Critical
CVE: 2023-25970

WordPress Theme Vulnerabilities

In this section, you’ll find the latest WordPress theme vulnerabilities to be disclosed. You’ll see the same information provided above for vulnerable plugins, and the same advice applies. If a security update exists, install it immediately. If a vulnerability remains unpatched in a theme you are actively using, you will need to find an alternative theme. Deactivate and delete persistently unpatched themes and those that have been “Closed” in the WordPress.org theme repository. If you have a vulnerable theme installed that you are not actively using, simply delete it.

WordPress OceanWP theme

Theme: OceanWP
Theme Slug: oceanwp
Downloads: 5,960,838
Vulnerability: Authenticated Local File Inclusion
Patched in Version: 3.4.2
Severity Score: High
CVE: 2023-23700

WordPress darcie theme

Theme: Darcie
Theme Slug: darcie
Downloads: 14,649
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.1.6
Severity Score: High
CVE: 2023-25961

WordPress Houzez theme

Theme: Houzez
Theme Slug: houzez
Vulnerability: Privilege Escalation
Patched in Version: 2.7.2
Severity Score: Critical
CVE: 2023-26540

WordPress Real Estate 7 theme

Theme: Real Estate 7
Theme Slug: realestate-7
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.3.2
Severity Score: High
CVE: 2022-47146

Never worry about running a vulnerable plugin or theme again.

As you can see from this report, new WordPress plugin and theme vulnerabilities are disclosed every week. We know it can be difficult to stay on top of every reported vulnerability disclosure that matters to you, so the Themes Security Pro plugin makes it easy to ensure your site isn’t running a vulnerable theme, plugin, or version of WordPress core.

Scans Your Website Twice a Day for Vulnerabilities

Your website’s plugins, themes, and WordPress core versions are checked against the Patchstack Vulnerability Database for the latest vulnerability disclosures.

Automatically Updates if a Security Fix is Available

Paired with Version Management, iThemes Security will automatically update a plugin, theme, or WordPress core version if it has a vulnerability.

Emails You a Warning if Site Scan Detects a Vulnerability

You can receive an email report if your site is running vulnerable versions of a plugin, theme, or WordPress core. Customize the email addresses that receive scan results.

The Best WordPress Security Plugin to Secure & Protect WordPress Sites

WordPress currently powers over 40% of all websites, so it has become a popular target for hackers with malicious intent. The iThemes Security Pro plugin takes the guesswork out of WordPress security to make it easy to secure & protect your WordPress website. It’s like having a full-time security expert on staff who constantly monitors and protects your WordPress site for you.

Buy iThemes Security Pro

iThemes Editorial Team

Each week, the team at iThemes team publishes new WordPress tutorials and resources, including the Weekly WordPress Vulnerability Report. Since 2008, iThemes has been dedicated to helping you build, maintain, and secure WordPress sites for yourself or for clients. Our mission? Make People’s Lives Awesome.

WordPress Vulnerability Report – March 1, 2023

The Future of Authentication is Passkeys! Log into your WordPress site with Biometrics only available in iThemes Security Pro.

WordPress Core News

WordPress 6.2 Beta 4

Gutenberg 15.2

WordPress Plugin Vulnerabilities

WordPress Plugin Vulnerabilities – No Known Fix

WordPress Theme Vulnerabilities

Never worry about running a vulnerable plugin or theme again.

Scans Your Website Twice a Day for Vulnerabilities

Automatically Updates if a Security Fix is Available

Emails You a Warning if Site Scan Detects a Vulnerability

The Best WordPress Security Plugin to Secure & Protect WordPress Sites

Other related posts

About iThemes

Resources

Customers

Top Products

Get the Weekly WordPress Vulnerability Report