Vulnerable plugins and themes are some of the most common vectors for attacks on WordPress websites. Our weekly WordPress Vulnerability Report, now powered by Patchstack, covers new WordPress plugins, themes, and core vulnerabilities that have emerged since last week’s report. Our goal is to help you decide what to do if you are using one of these vulnerable plugins or themes on your website. For a deeper, historical analysis of WordPress vulnerabilities and threat vectors, see our 2022 Annual Vulnerability Report.
The future of authentication is passkeys: log into your WordPress site with biometrics, available only in iThemes Security Pro.
Credential stuffing, phishing, and brute force attacks using stolen, guessable, or reused passwords have made our digital lives less secure. Two-Factor Authentication (2FA) offers some protection but at the cost of usability and accessibility. Fewer than 30% of all online account holders actually use 2FA. Password-based logins are broken.
The future of authentication is passkeys, and iThemes Security Pro is the first to bring this technology to WordPress sites. Built on the WebAuthn standard and public-key cryptography, a passkey replaces the password entirely: the private key never leaves the user’s device, the site stores only the public key, and the credential is bound to the site’s origin, so there is nothing to phish, stuff, or brute-force. Website admins and end users get secure logins without additional two-factor apps, password managers, or complex password requirements.
WordPress Core News
WordPress 6.1.1 was released on November 15, 2022, as a short-cycle maintenance release with 29 bug fixes in Core and 21 bug fixes for the block editor. Because this is a core update, update to WordPress 6.1.1 as soon as possible. As with any core update, make sure your site is backed up with BackupBuddy before updating.
WordPress 6.2 Beta 4
WordPress 6.2 Beta 4 rolled out today for testing after being postponed for a few days to deal with a regression. As of Beta 4, over 400 Trac issues have been raised and closed this cycle. The current target for the final release date is still March 28, 2023.
So far, the 6.2 release cycle has delivered 292 enhancements and 354 bug fixes for the editor alone. A running total of 289 tickets has been closed in Trac for the 6.2 milestone, with more to come.
In the final 6.2 release, expect to see tight integration with Openverse in the editor and media library. The Navigation block has been significantly improved. A new Style Book feature displays all blocks in the current global styles, and there’s new custom CSS support for your full site and individual blocks. For more details on new features in 6.2, see the Beta 1 release news.
With the arrival of WordPress 6.2, Phase Two of Gutenberg’s development will have ended. Phase Two focused on the Block and Site Editor features that now allow deep customization of site designs and layouts. Next, Phase Three will focus on collaborative editing features. Take a look at the WordPress Development Roadmap to learn more.
Gutenberg 15.2
The latest release of the Gutenberg plugin, version 15.2, is available now if you’d like to get a preview of bleeding-edge features. Please note the 15.2 release offers new features that will be included in the WordPress 6.3 core release but not 6.2. These features include revisions for the full site template editor so you can roll back changes to site templates.
Other new features of note in Gutenberg 15.2 are CSS aspect-ratio controls for the Featured Image block for posts and support for border color, style, and width in the Button block. There’s new typography support for the Latest Comments block, and the Post Excerpt block will have an excerpt length limit control. You’ll find accessibility improvements to labeling, tab, arrow key navigation, and the hierarchy of headings in the editor interface. See the version notes for the full details about many other enhancements and bug fixes.
WordPress Plugin Vulnerabilities
In this section, you’ll find the most recently disclosed WordPress plugin vulnerabilities that have been fixed with a new release from their authors and maintainers. These vulnerabilities have been disclosed and scored for their severity thanks to our friends at Patchstack. Each plugin listing includes the type of vulnerability, its CVE number where one has been assigned, and its CVSS severity rating, with links to more technical details. You’ll also see the number of active sites using the plugin and the plugin version that patches the vulnerability. We start with the most popular plugins, which represent the largest target for attackers.
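Most entries in this report fall into four classes: Cross Site Request Forgery, missing or insufficient authorization, stored or reflected XSS, and SQL injection, and in a WordPress plugin they usually share one root cause: an admin-ajax or form handler that trusts the request. The following is an added illustration, not code from any plugin listed here or from iThemes: a hypothetical settings handler in its unsafe form and then hardened with WordPress’s own nonce, capability, sanitization, `$wpdb->prepare()` and escaping APIs. The action name `example_save`, the option key `example_title` and the `example_cache` table are assumptions made for the example.

```php
<?php
/**
 * Added example, not code from any plugin in this report: a hypothetical
 * admin-ajax "save settings" handler, first in the unsafe form behind most
 * CSRF, missing-authorization, stored XSS and SQL injection findings, then
 * hardened. Action name, option key and cache table are assumptions.
 */

// --- Unsafe form (never hooked; kept only for comparison) ---
function example_save_settings_unsafe() {
    global $wpdb;
    // No nonce: a page the admin merely visits can submit this request (CSRF).
    // No capability check: anyone who can reach the hook changes settings (missing
    // authorization); a wp_ajax_nopriv_ registration would open it to anonymous visitors.
    $title = $_POST['title'];                                  // stored as-is...
    update_option( 'example_title', $title );                  // ...and later echoed unescaped (stored XSS)
    $wpdb->query( "DELETE FROM {$wpdb->prefix}example_cache WHERE post_id = " . $_POST['post_id'] ); // SQL injection
    wp_send_json_success();
}

// --- Hardened form ---
function example_save_settings() {
    global $wpdb;

    // 1. CSRF: the request must carry a nonce for this specific action.
    //    check_ajax_referer() ends the request (HTTP 403, body "-1") if it is missing or stale.
    check_ajax_referer( 'example_save_settings', '_ajax_nonce' );

    // 2. Authorization: a nonce proves intent, not privilege. Any logged-in user can
    //    obtain a nonce for their own session, so the capability check is still required.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Input validation: coerce every request value to the type you expect.
    $title   = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    $post_id = absint( $_POST['post_id'] ?? 0 );
    if ( 0 === $post_id ) {
        wp_send_json_error( array( 'message' => 'invalid post_id' ), 400 );
    }
    update_option( 'example_title', $title );

    // 4. SQL injection: request data goes through $wpdb->prepare(), never concatenation.
    $wpdb->query(
        $wpdb->prepare(
            "DELETE FROM {$wpdb->prefix}example_cache WHERE post_id = %d",
            $post_id
        )
    );

    wp_send_json_success( array( 'title' => $title ) );
}
// Privileged hook only: an admin-facing action gets no wp_ajax_nopriv_ registration.
add_action( 'wp_ajax_example_save', 'example_save_settings' );

// 5. Output escaping: sanitizing on input is not enough; escape at the point of output too.
function example_render_title() {
    echo '<h2>' . esc_html( get_option( 'example_title', '' ) ) . '</h2>';
}

// The caller must send the nonce: pass wp_create_nonce( 'example_save_settings' ) to the
// script via wp_localize_script() and POST it as _ajax_nonce alongside action=example_save.
```

Two practical notes. The nonce and the capability check fix different findings, which is why a single plugin can appear in this report once for CSRF and again for missing authorization. And the “Authenticated (Administrator+) Stored XSS” entries are scored lower for a reason: on a single-site install an administrator already holds `unfiltered_html`, so the issue matters mainly on multisite or where `DISALLOW_UNFILTERED_HTML` is set, whereas a Contributor+ or unauthenticated XSS lets a low-privilege user plant script that runs in an admin’s browser.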
WordPress All in One SEO Pack plugin
- Plugin Slug: all-in-one-seo-pack
- Installations: 3,000,000+
- Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
- Patched in Version: 4.3.0
- Severity Score: Medium
- CVE: CVE-2023-0585

WordPress All in One SEO Pack plugin
- Plugin Slug: all-in-one-seo-pack
- Installations: 3,000,000+
- Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
- Patched in Version: 4.3.0
- Severity Score: Medium
- CVE: CVE-2023-0586

WordPress Starter Templates plugin
- Plugin Slug: astra-sites
- Installations: 1,000,000+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: 3.1.21
- Severity Score: Medium
- CVE: CVE-2022-46851

WordPress ProfilePress plugin
- Plugin Slug: wp-user-avatar
- Installations: 300,000+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 4.5.5
- Severity Score: High
- CVE: CVE-2023-23830

WordPress Advanced Database Cleaner plugin
- Plugin Slug: advanced-database-cleaner
- Installations: 100,000+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: 3.1.2
- Severity Score: Medium
- CVE: CVE-2022-46813

WordPress Strong Testimonials plugin
- Plugin: Strong Testimonials
- Plugin Slug: strong-testimonials
- Installations: 100,000+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 3.0.3
- Severity Score: Medium
- CVE: CVE-2023-26013

WordPress VK All in One Expansion Unit plugin
- Plugin Slug: vk-all-in-one-expansion-unit
- Installations: 100,000+
- Vulnerability: Reflected Cross-Site Scripting via REQUEST_URI
- Patched in Version: 9.87.1.0
- Severity Score: High

WordPress Contextual Related Posts plugin
- Plugin: Contextual Related Posts
- Plugin Slug: contextual-related-posts
- Installations: 70,000+
- Vulnerability: Missing Authorization in crp_ajax_clearcache
- Patched in Version: 3.3.2
- Severity Score: Medium

WordPress Media Library Assistant plugin
- Plugin: Media Library Assistant
- Plugin Slug: media-library-assistant
- Installations: 70,000+
- Vulnerability: Admin+ SQL Injection
- Patched in Version: 3.06
- Severity Score: Medium
- CVE: CVE-2023-0279

WordPress wpDataTables – WordPress Tables & Table Charts Plugin plugin
- Plugin Slug: wpdatatables
- Installations: 70,000+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 2.1.50
- Severity Score: Medium
- CVE: CVE-2023-23876

WordPress WP Table Builder – WordPress Table Plugin plugin
- Plugin Slug: wp-table-builder
- Installations: 60,000+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 1.4.7
- Severity Score: Medium
- CVE: CVE-2022-46852

WordPress Drag and Drop Multiple File Upload – Contact Form 7 plugin
- Plugin Slug: drag-and-drop-multiple-file-upload-contact-form-7
- Installations: 50,000+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: 1.3.6.6
- Severity Score: Medium
- CVE: CVE-2022-45364

WordPress Feed Them Social – for Twitter feed, Youtube and more plugin
- Plugin Slug: feed-them-social
- Installations: 50,000+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: 4.0.0
- Severity Score: Medium
- CVE: CVE-2023-25056

WordPress The Post Grid plugin
- Plugin Slug: the-post-grid
- Installations: 40,000+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: 5.0.5
- Severity Score: Medium
- CVE: CVE-2022-46853

WordPress 10Web Booster plugin
- Plugin Slug: tenweb-speed-optimizer
- Installations: 30,000+
- Vulnerability: Authorization flaw in Settings Import leading to Stored Cross-Site Scripting
- Patched in Version: 2.13.45
- Severity Score: High

WordPress Top 10 plugin
- Plugin Slug: top-10
- Installations: 30,000+
- Vulnerability: Insufficient Authorization
- Patched in Version: 3.2.5
- Severity Score: Medium

WordPress Top 10 plugin
- Plugin Slug: top-10
- Installations: 30,000+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 3.2.5
- Severity Score: Medium
- CVE: CVE-2023-26008

WordPress Minify HTML plugin
- Plugin: Minify HTML
- Plugin Slug: minify-html-markup
- Installations: 20,000+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: 2.1.8
- Severity Score: Medium
- CVE: CVE-2023-26014

WordPress Redirect Redirection plugin
- Plugin: Redirection
- Plugin Slug: redirect-redirection
- Installations: 20,000+
- Vulnerability: Multiple Missing Authorization
- Patched in Version: 1.1.4
- Severity Score: Medium

WordPress Wholesale Suite plugin
- Plugin Slug: woocommerce-wholesale-prices
- Installations: 20,000+
- Vulnerability: Settings Change
- Patched in Version: 2.1.5.1
- Severity Score: Medium
- CVE: CVE-2022-34344

WordPress WP Meta SEO plugin
- Plugin: WP Meta SEO
- Plugin Slug: wp-meta-seo
- Installations: 20,000+
- Vulnerability: Cross Site Request Forgery (CSRF) via ‘regenerateSitemaps’
- Patched in Version: 4.5.4
- Severity Score: Medium
- CVE: CVE-2023-1029

WordPress WP Meta SEO plugin
- Plugin: WP Meta SEO
- Plugin Slug: wp-meta-seo
- Installations: 20,000+
- Vulnerability: Authenticated (Subscriber+) SQL Injection
- Patched in Version: 4.5.3
- Severity Score: High

WordPress Maspik – Spam blacklist plugin
- Plugin: Maspik – Spam blacklist
- Plugin Slug: contact-forms-anti-spam
- Installations: 10,000+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: 0.7.9
- Severity Score: Medium
- CVE: CVE-2023-24008

WordPress Video Gallery – YouTube Gallery plugin
- Plugin Slug: gallery-videos
- Installations: 10,000+
- Vulnerability: Broken Access Control
- Patched in Version: 1.7.7
- Severity Score: High
- CVE: CVE-2023-25988

WordPress Video Gallery – YouTube Gallery plugin
- Plugin Slug: gallery-videos
- Installations: 10,000+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 1.7.7
- Severity Score: Medium
- CVE: CVE-2023-25979

WordPress Paytm Payment Gateway plugin
- Plugin: Paytm Payment Gateway
- Plugin Slug: paytm-payments
- Installations: 10,000+
- Vulnerability: SQL Injection
- Patched in Version: 2.7.7
- Severity Score: High
- CVE: CVE-2022-45805

WordPress UsersWP plugin
- Plugin Slug: userswp
- Installations: 10,000+
- Vulnerability: CSV Injection
- Patched in Version: 1.2.3.10
- Severity Score: Medium
- CVE: CVE-2022-47442

WordPress Japanized For WooCommerce plugin
- Plugin Slug: woocommerce-for-japan
- Installations: 10,000+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 2.5.5
- Severity Score: High
- CVE: CVE-2023-0942

WordPress My YouTube Channel plugin
- Plugin: My YouTube Channel
- Plugin Slug: youtube-channel
- Installations: 9,000+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: 3.23.4
- Severity Score: Medium
- CVE: CVE-2023-25987

WordPress WordPress Tooltips plugin
- Plugin: WordPress Tooltips
- Plugin Slug: wordpress-tooltips
- Installations: 7,000+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: 8.2.7
- Severity Score: Medium
- CVE: CVE-2023-25985

WordPress Client Portal plugin
- Plugin Slug: client-portal
- Installations: 6,000+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: 1.1.9
- Severity Score: Medium
- CVE: CVE-2023-25968

WordPress Etsy Shop plugin
- Plugin: Etsy Shop
- Plugin Slug: etsy-shop
- Installations: 6,000+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: 3.0.4
- Severity Score: Medium
- CVE: CVE-2023-25975

WordPress WPMobile.App — Android and iOS Mobile Application plugin
- Plugin Slug: wpappninja
- Installations: 6,000+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 11.19
- Severity Score: Medium
- CVE: CVE-2023-26010

WordPress Dashboard Widgets Suite plugin
- Plugin: Dashboard Widgets Suite
- Plugin Slug: dashboard-widgets-suite
- Installations: 5,000+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 3.2.2
- Severity Score: Medium
- CVE: CVE-2023-26517

WordPress Publish to Schedule plugin
- Plugin: Publish to Schedule
- Plugin Slug: publish-to-schedule
- Installations: 5,000+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 4.5.5
- Severity Score: Medium
- CVE: CVE-2023-26519

WordPress Publish to Schedule plugin
- Plugin: Publish to Schedule
- Plugin Slug: publish-to-schedule
- Installations: 5,000+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: 4.5.4
- Severity Score: Medium
- CVE: CVE-2023-25994

WordPress Read More Excerpt Link plugin
- Plugin: Read More Excerpt Link
- Plugin Slug: read-more-excerpt-link
- Installations: 5,000+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: 1.6.1
- Severity Score: Medium
- CVE: CVE-2023-26011

WordPress Auto Affiliate Links plugin
- Plugin: Auto Affiliate Links
- Plugin Slug: wp-auto-affiliate-links
- Installations: 5,000+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: 6.3.0.3
- Severity Score: Medium
- CVE: CVE-2023-25973

WordPress Integration for Contact Form 7 and Zoho CRM, Bigin plugin
- Plugin Slug: cf7-zoho
- Installations: 4,000+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: 1.2.3
- Severity Score: Medium
- CVE: CVE-2023-25976

WordPress Community by PeepSo – Social Network, Membership, Registration, User Profiles plugin
- Plugin Slug: peepso-core
- Installations: 4,000+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: 6.0.3.0
- Severity Score: Medium
- CVE: CVE-2023-25967

WordPress Community by PeepSo plugin
- Plugin Slug: peepso-core
- Installations: 4,000+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: 6.0.3.0
- Severity Score: Medium
- CVE: CVE-2022-41633

WordPress Spotify Play Button for WordPress plugin
- Plugin Slug: spotify-play-button-for-wordpress
- Installations: 4,000+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 2.06
- Severity Score: Medium
- CVE: CVE-2023-26536

WordPress Drag and Drop Multiple File Upload for WooCommerce plugin
- Plugin Slug: drag-and-drop-multiple-file-upload-for-woocommerce
- Installations: 3,000+
- Vulnerability: Unauthenticated non-arbitrary file upload/deletion
- Patched in Version: 1.0.9
- Severity Score: Medium
- CVE: CVE-2022-45377

WordPress We’re Open! plugin
- Plugin: We’re Open!
- Plugin Slug: opening-hours
- Installations: 3,000+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 1.47
- Severity Score: Medium
- CVE: CVE-2023-25964

WordPress Simple YouTube Responsive plugin
- Plugin Slug: simple-youtube-responsive
- Installations: 3,000+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 3.0
- Severity Score: Medium
- CVE: CVE-2023-25982

WordPress WP Custom Fields Search plugin
- Plugin: WP Custom Fields Search
- Plugin Slug: wp-custom-fields-search
- Installations: 3,000+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 1.2.35
- Severity Score: Medium
- CVE: CVE-2022-47157

WordPress BuddyForms plugin
- Plugin Slug: buddyforms
- Installations: 2,000+
- Vulnerability: PHP Object Injection
- Patched in Version: 2.7.8
- Severity Score: Medium

WordPress CSS JS Manager, Async JavaScript, Defer Render Blocking CSS supports WooCommerce plugin
- Plugin Slug: css-js-manager
- Installations: 2,000+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: 2.4.49.1
- Severity Score: Medium
- CVE: CVE-2022-47154

WordPress KB Support – WordPress Help Desk plugin
- Plugin Slug: kb-support
- Installations: 2,000+
- Vulnerability: CSV Injection
- Patched in Version: 1.5.85
- Severity Score: Medium
- CVE: CVE-2023-25983

WordPress Multiple Pages Generator by Themeisle plugin
- Plugin Slug: multiple-pages-generator-by-porthas
- Installations: 2,000+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: 3.3.10
- Severity Score: Medium
- CVE: CVE-2022-47143

WordPress Simple Slug Translate plugin
- Plugin: Simple Slug Translate
- Plugin Slug: simple-slug-translate
- Installations: 2,000+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 2.7.3
- Severity Score: Medium
- CVE: CVE-2023-26515

WordPress WordPress Books Gallery plugin
- Plugin: WordPress Books Gallery
- Plugin Slug: wp-books-gallery
- Installations: 2,000+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: 4.4.9
- Severity Score: Medium
- CVE: CVE-2023-23705

WordPress Accordions – Multiple Accordions or FAQs Builder plugin
- Plugin Slug: accordions-or-faqs
- Installations: 1,000+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 2.3.1
- Severity Score: Medium
- CVE: CVE-2023-25962

WordPress Clio Grow plugin
- Plugin: Clio Grow
- Plugin Slug: clio-grow-form
- Installations: 1,000+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 1.0.1
- Severity Score: Medium
- CVE: CVE-2023-22683

WordPress Calendar Event Multi View plugin
- Plugin Slug: cp-multi-view-calendar
- Installations: 1,000+
- Vulnerability: Broken Access Control
- Patched in Version: 1.4.15
- Severity Score: Low
- CVE: CVE-2023-23814

WordPress Sheets To WP Table Live Sync plugin
- Plugin Slug: sheets-to-wp-table-live-sync
- Installations: 1,000+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: 2.13.0
- Severity Score: Medium
- CVE: CVE-2023-26535

WordPress Broadcast Live Video plugin
- Plugin Slug: videowhisper-live-streaming-integration
- Installations: 1,000+
- Vulnerability: Remote Code Execution (RCE)
- Patched in Version: 5.5.16
- Severity Score: Critical
- CVE: CVE-2023-25699

WordPress WP Dynamic Keywords Injector plugin
- Plugin Slug: wp-dynamic-keywords-injector
- Installations: 1,000+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: 2.3.16
- Severity Score: Medium
- CVE: CVE-2022-47141

WordPress WordPress Stripe Donation plugin
- Plugin Slug: wp-stripe-donation
- Installations: 1,000+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: 3.1.6
- Severity Score: Medium
- CVE: CVE-2022-47422

WordPress CM Answers plugin
- Plugin: CM Answers
- Plugin Slug: cm-answers
- Installations: 800+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 3.2.0
- Severity Score: Medium
- CVE: CVE-2023-25992

WordPress Coupon Zen plugin
- Plugin: Coupon Zen
- Plugin Slug: coupon-zen
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: 1.0.6
- Severity Score: Medium

WordPress Houzez Login Register plugin
- Plugin: Houzez Login Register
- Plugin Slug: houzez-login-register
- Vulnerability: Privilege Escalation
- Patched in Version: 2.6.4
- Severity Score: Critical
- CVE: CVE-2023-26009
WordPress Plugin Vulnerabilities – No Known Fix
This section contains plugin vulnerabilities with no known fix. Until a patch is available, deactivate the plugin immediately, at a minimum. If there is a high risk of active exploitation, or the plugin stays unpatched for weeks, delete it: deactivating only stops WordPress from loading the plugin’s hooks, while its PHP files remain on disk, so a flaw in a file that can be requested directly (a standalone upload or download script, for example) can still be reachable. You should also delete persistently unpatched plugins that the WordPress.org repository has locked and marked “Closed”, since they can no longer be downloaded, installed, or updated through the repository.
WordPress All In One Favicon plugin
- Plugin: All In One Favicon
- Plugin Slug: all-in-one-favicon
- Installations: 100,000+
- Vulnerability: Arbitrary File Deletion
- Patched in Version: No Fix
- Severity Score: Medium
- CVE: CVE-2023-24416

WordPress Apollo13 Framework Extensions plugin
- Plugin Slug: apollo13-framework-extensions
- Installations: 40,000+
- Vulnerability: Broken Access Control
- Patched in Version: No Fix
- Severity Score: Medium
- CVE: CVE-2023-25959

WordPress Markup plugin
- Plugin Slug: wp-structuring-markup
- Installations: 30,000+
- Vulnerability: Contributor+ Stored XSS via Shortcode
- Patched in Version: No Fix
- Severity Score: Medium
- CVE: CVE-2022-4666

WordPress TypeSquare Webfonts for ConoHa plugin
- Plugin Slug: ts-webfonts-for-conoha
- Installations: 20,000+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: No Fix
- Severity Score: Medium
- CVE: CVE-2023-25458

WordPress All-in-one search automatic push management plug-in – support Baidu/Google/Bing/IndexNow/Yandex/ headlines plugin
- Plugin Slug: baidu-submit-link
- Installations: 10,000+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: No Fix
- Severity Score: Medium
- CVE: CVE-2023-26531

WordPress Login Logout Menu plugin
- Plugin: Login Logout Menu
- Plugin Slug: baw-login-logout-menu
- Installations: 10,000+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: No Fix
- Severity Score: Medium
- CVE: CVE-2022-4622

WordPress Jobs for WordPress plugin
- Plugin: Jobs for WordPress
- Plugin Slug: job-postings
- Installations: 9,000+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: No Fix
- Severity Score: Medium
- CVE: CVE-2023-26017

WordPress For the visually impaired plugin
- Plugin Slug: for-the-visually-impaired
- Installations: 8,000+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: No Fix
- Severity Score: Medium
- CVE: CVE-2023-25038

WordPress Admin Block Country plugin
- Plugin: Admin Block Country
- Plugin Slug: admin-block-country
- Installations: 4,000+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: No Fix
- Severity Score: Medium
- CVE: CVE-2023-24007

WordPress Hero Banner Ultimate plugin
- Plugin: Hero Banner Ultimate
- Plugin Slug: hero-banner-ultimate
- Installations: 2,000+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: No Fix
- Severity Score: Medium
- CVE: CVE-2022-45818

WordPress Theme Tweaker plugin
- Plugin: Theme Tweaker
- Plugin Slug: theme-tweaker-lite
- Installations: 2,000+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: No Fix
- Severity Score: Medium
- CVE: CVE-2023-23713

WordPress Booking Ultra Pro Appointments Booking Calendar Plugin plugin
- Plugin Slug: booking-ultra-pro
- Installations: 1,000+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: No Fix
- Severity Score: Medium
- CVE: CVE-2022-46816

WordPress Easy Google Analytics for WordPress plugin
- Plugin Slug: easy-google-analytics-for-wordpress
- Installations: 1,000+
- Vulnerability: Broken Access Control
- Patched in Version: No Fix
- Severity Score: Medium
- CVE: CVE-2023-23887

WordPress GMAce plugin
- Plugin: GMAce
- Plugin Slug: gmace
- Installations: 1,000+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: No Fix
- Severity Score: Medium
- CVE: CVE-2023-23861

WordPress GMAce plugin
- Plugin: GMAce
- Plugin Slug: gmace
- Installations: 1,000+
- Vulnerability: Arbitrary File Download
- Patched in Version: No Fix
- Severity Score: Medium
- CVE: CVE-2023-23872

WordPress JS Job Manager plugin
- Plugin: JS Job Manager
- Plugin Slug: js-jobs
- Installations: 1,000+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: No Fix
- Severity Score: Medium
- CVE: CVE-2023-25963

WordPress phpinfo() WP plugin
- Plugin: phpinfo() WP
- Plugin Slug: phpinfo-wp
- Installations: 1,000+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: No Fix
- Severity Score: Medium
- CVE: CVE-2023-26542

WordPress WP Google Tag Manager plugin
- Plugin: WP Google Tag Manager
- Plugin Slug: wp-google-tag-manager
- Installations: 1,000+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: No Fix
- Severity Score: Medium
- CVE: CVE-2023-22693

WordPress Bing Site Verification plugin using Meta Tag plugin
- Plugin Slug: bing-site-verification-using-meta-tag
- Installations: 900+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: No Fix
- Severity Score: Medium
- CVE: CVE-2023-23875

WordPress WordPress Custom Settings plugin
- Plugin Slug: custom-settings
- Installations: 900+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: No Fix
- Severity Score: Medium
- CVE: CVE-2023-23806

WordPress Exquisite PayPal Donation plugin
- Plugin Slug: exquisite-paypal-donation
- Installations: 900+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: No Fix
- Severity Score: Medium
- CVE: CVE-2023-23785

WordPress Sitemap Index plugin
- Plugin: Sitemap Index
- Plugin Slug: sitemap-index
- Installations: 900+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: No Fix
- Severity Score: Medium
- CVE: CVE-2023-23816

WordPress Sponsors Carousel plugin
- Plugin: Sponsors Carousel
- Plugin Slug: sponsors-carousel
- Installations: 900+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: No Fix
- Severity Score: Medium
- CVE: CVE-2023-23808

WordPress Stock market charts from finviz plugin
- Plugin Slug: stock-market-charts-from-finviz
- Installations: 900+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: No Fix
- Severity Score: Medium
- CVE: CVE-2023-23809

WordPress WP-RecentComments plugin
- Plugin: WP-RecentComments
- Plugin Slug: wp-recentcomments
- Installations: 900+
- Vulnerability: Sensitive Data Exposure
- Patched in Version: No Fix
- Severity Score: Medium

WordPress WP-RecentComments plugin
- Plugin: WP-RecentComments
- Plugin Slug: wp-recentcomments
- Installations: 900+
- Vulnerability: Broken Access Control
- Patched in Version: No Fix
- Severity Score: Medium
- CVE: CVE-2023-23886

WordPress Circles Gallery plugin
- Plugin: Circles Gallery
- Plugin Slug: circles-gallery
- Installations: 800+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: No Fix
- Severity Score: Medium
- CVE: CVE-2023-23881

WordPress Upload Resume plugin
- Plugin: Upload Resume
- Plugin Slug: resume-upload-form
- Installations: 600+
- Vulnerability: Sensitive Data Exposure
- Patched in Version: No Fix
- Severity Score: Medium
- CVE: CVE-2023-25965

WordPress Educare – Students & Result Management System plugin
- Plugin Slug: educare
- Installations: 300+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: No Fix
- Severity Score: Medium
- CVE: CVE-2023-25971

WordPress Custom Login Page plugin
- Plugin: Custom Login Page
- Plugin Slug: wp-custom-login-page
- Installations: 100+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: No Fix
- Severity Score: Medium
- CVE: CVE-2023-26012

WordPress asMember plugin
- Plugin: asMember
- Plugin Slug: asmember
- Installations: 10+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: No Fix
- Severity Score: Medium
- CVE: CVE-2023-26541

WordPress Chat Bee plugin
- Plugin: Chat Bee
- Plugin Slug: chat-bee
- Installations: 10+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: No Fix
- Severity Score: Medium
- CVE: CVE-2023-26538

WordPress Simple Portfolio Gallery plugin
- Plugin: Simple Portfolio Gallery
- Plugin Slug: simple-portfolio-gallery
- Installations: 10+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: No Fix
- Severity Score: Medium
- CVE: CVE-2023-26016

WordPress Conditional Checkout Fields for WooCommerce plugin
- Plugin: Conditional Checkout Fields for WooCommerce
- Plugin Slug: conditional-checkout-fields-for-woocommerce
- Vulnerability: Broken Authentication
- Patched in Version: No Fix
- Severity Score: Medium
- CVE: CVE-2022-45070

WordPress CPT – Speakers plugin
- Plugin: CPT – Speakers
- Plugin Slug: cpt-speakers
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: No Fix
- Severity Score: Medium
- CVE: CVE-2023-25977

WordPress PayGreen plugin
- Plugin: PayGreen
- Plugin Slug: paygreen-woocommerce
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: No Fix
- Severity Score: Medium
- CVE: CVE-2023-25986

WordPress Social Login WP plugin
- Plugin: Social Login WP
- Plugin Slug: social-login-wp
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: No Fix
- Severity Score: Medium
- CVE: CVE-2022-38063

WordPress Zendrop – Global Dropshipping plugin
- Plugin: Zendrop – Global Dropshipping
- Plugin Slug: zendrop-dropshipping-and-fulfillment
- Vulnerability: SQL Injection
- Patched in Version: No Fix
- Severity Score: Critical
- CVE: CVE-2023-25960

WordPress Zendrop – Global Dropshipping plugin
- Plugin: Zendrop – Global Dropshipping
- Plugin Slug: zendrop-dropshipping-and-fulfillment
- Vulnerability: Arbitrary File Upload
- Patched in Version: No Fix
- Severity Score: Critical
- CVE: CVE-2023-25970
WordPress Theme Vulnerabilities
In this section, you’ll find the latest WordPress theme vulnerabilities to be disclosed. You’ll see the same information provided above for vulnerable plugins, and the same advice applies. If a security update exists, install it immediately. If a vulnerability remains unpatched in a theme you are actively using, you will need to find an alternative theme. Deactivate and delete persistently unpatched themes and those that have been “Closed” in the WordPress.org theme repository. If you have a vulnerable theme installed that you are not actively using, simply delete it.
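The advice in the two preceding sections (update patched plugins, deactivate and then delete unpatched ones, replace or update vulnerable themes) is easy to carry out by hand for one site and tedious across many. As an added example that is not part of iThemes Security or of any listed plugin, the script below turns the “Patched in Version” column of this report into a check you can run with WP-CLI (`wp eval-file audit-report.php`): it compares every installed plugin and theme against the report, deactivates plugins that are still vulnerable, and flags themes that need updating or replacing. The `$plugin_report` and `$theme_report` tables are hand-copied from a few entries above and are meant to be extended; the file name is an assumption.

```php
<?php
/**
 * Added example (not iThemes code): audit installed plugins and themes against
 * this report's "Patched in Version" column, deactivate plugins still at a
 * vulnerable version, and flag themes that must be updated or replaced.
 *
 * Run from the site root with WP-CLI:   wp eval-file audit-report.php
 * $plugin_report / $theme_report are hand-copied from the entries above
 * (slug => first fixed version, or null for "No Fix"); extend them as needed.
 */

require_once ABSPATH . 'wp-admin/includes/plugin.php'; // get_plugins(), is_plugin_active(), deactivate_plugins()

$plugin_report = array(
    'all-in-one-seo-pack'                     => '4.3.0',
    'astra-sites'                             => '3.1.21',
    'wp-user-avatar'                          => '4.5.5',
    'videowhisper-live-streaming-integration' => '5.5.16',
    'all-in-one-favicon'                      => null, // No Fix: Arbitrary File Deletion
    'apollo13-framework-extensions'           => null, // No Fix: Broken Access Control
);
$theme_report = array(
    'oceanwp' => '3.4.2',
    'darcie'  => '1.1.6',
    'houzez'  => '2.7.2',
);

/** True when $current is older than the first fixed version, or when no fix exists at all. */
function example_is_vulnerable( $current, $fixed ) {
    return null === $fixed || version_compare( $current, $fixed, '<' );
}

$findings = array();

foreach ( get_plugins() as $plugin_file => $data ) {
    // "akismet/akismet.php" -> "akismet"; a single-file plugin such as "hello.php" has no directory.
    $slug = ( '.' === dirname( $plugin_file ) ) ? basename( $plugin_file, '.php' ) : dirname( $plugin_file );
    if ( ! array_key_exists( $slug, $plugin_report ) ) {
        continue;
    }
    $fixed   = $plugin_report[ $slug ];
    $current = $data['Version'];
    if ( ! example_is_vulnerable( $current, $fixed ) ) {
        continue;
    }
    $action = ( null === $fixed ) ? 'no fix available, delete it' : "update to {$fixed}";
    if ( is_plugin_active( $plugin_file ) ) {
        deactivate_plugins( $plugin_file ); // stops the plugin's hooks; its files stay on disk until deleted
        $action .= ' (deactivated now)';
    }
    $findings[] = "plugin {$slug} {$current}: {$action}";
}

$active_theme = wp_get_theme()->get_stylesheet();
foreach ( wp_get_themes() as $stylesheet => $theme ) {
    if ( ! array_key_exists( $stylesheet, $theme_report ) ) {
        continue;
    }
    $fixed   = $theme_report[ $stylesheet ];
    $current = $theme->get( 'Version' );
    if ( ! example_is_vulnerable( $current, $fixed ) ) {
        continue;
    }
    // The active theme cannot simply be switched off; report it so a human updates or replaces it.
    $state      = ( $stylesheet === $active_theme ) ? 'ACTIVE, update or switch theme' : 'inactive, delete it';
    $findings[] = "theme {$stylesheet} {$current}: fixed in {$fixed} ({$state})";
}

foreach ( $findings as $line ) {
    echo $line, PHP_EOL;
}
if ( empty( $findings ) ) {
    echo 'No plugin or theme from the report is installed at a vulnerable version.', PHP_EOL;
}
```

Deletion is deliberately left to a separate, reviewed step (`wp plugin delete <slug>` or `wp theme delete <slug>`), since it is irreversible and a plugin’s data is often needed while you pick a replacement. On a multisite network, run the script once per site or add `--url=` so network-activated plugins are evaluated in the right context.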
WordPress OceanWP theme
- Theme: OceanWP
- Theme Slug: oceanwp
- Downloads: 5,960,838
- Vulnerability: Authenticated Local File Inclusion
- Patched in Version: 3.4.2
- Severity Score: High
- CVE: CVE-2023-23700

WordPress Darcie theme
- Theme: Darcie
- Theme Slug: darcie
- Downloads: 14,649
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 1.1.6
- Severity Score: High
- CVE: CVE-2023-25961

WordPress Houzez theme
- Theme: Houzez
- Theme Slug: houzez
- Vulnerability: Privilege Escalation
- Patched in Version: 2.7.2
- Severity Score: Critical
- CVE: CVE-2023-26540

WordPress Real Estate 7 theme
- Theme: Real Estate 7
- Theme Slug: realestate-7
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 3.3.2
- Severity Score: High
- CVE: CVE-2022-47146
Never worry about running a vulnerable plugin or theme again.
As you can see from this report, new WordPress plugin and theme vulnerabilities are disclosed every week. We know it can be difficult to stay on top of every reported vulnerability disclosure that matters to you, so the iThemes Security Pro plugin makes it easy to ensure your site isn’t running a vulnerable theme, plugin, or version of WordPress core.
The Best WordPress Security Plugin to Secure & Protect WordPress Sites
WordPress currently powers over 40% of all websites, so it has become a popular target for hackers with malicious intent. The iThemes Security Pro plugin takes the guesswork out of WordPress security to make it easy to secure & protect your WordPress website. It’s like having a full-time security expert on staff who constantly monitors and protects your WordPress site for you.

Each week, the iThemes team publishes new WordPress tutorials and resources, including the Weekly WordPress Vulnerability Report. Since 2008, iThemes has been dedicated to helping you build, maintain, and secure WordPress sites for yourself or for clients. Our mission? Make People’s Lives Awesome.