Menu
iThemes
WordPress Security, Backups & Maintenance
WordPress News and Updates from iThemes
Categories

WordPress Vulnerability Report – March 15, 2023

Written by on

Last Updated on March 22, 2023

This week there are 37 plugin vulnerabilities (and one theme vulnerability) affecting well over 6 million WordPress sites. Fortunately, all of these have patches available, so run those updates if you use these plugins! Additionally, there are 27 plugin vulnerabilities and 3 theme vulnerabilities with no patch available yet. Check their vendors’ intentions and progress on a patch if you use any of these unpatched plugins or themes. If no security fix is forthcoming or a vulnerable plugin or theme has been “closed” (dropped from the WordPress.org repository), you should consider deactivating it in favor of alternative solutions.

Not included on this week’s list is the Postmatic Replyable plugin, since it was closed in the WordPress directory, possibly due to a CSRF vulnerability reported in CVE-2022-4265. The current release, version 2.2.10 (Trac SVN), can be downloaded from Replyable. It patches a high-severity PHP Object Injection vulnerability.

WordPress core is very secure when it’s properly configured and maintained. Vulnerable plugins that have not been updated by site owners are the most common vector for attacks on WordPress websites. Our weekly WordPress Vulnerability Report, powered by Patchstack, covers new WordPress plugin, theme, and core vulnerabilities that have emerged since last week’s report. Our goal is to spread awareness of emerging security threats and help you decide what to do if you are using vulnerable software on your website. For a deeper analysis of recent trends in WordPress vulnerabilities and threat vectors, see our 2022 Annual Vulnerability Report.

The Future of Authentication is Passkeys! Log into your WordPress site with Biometrics only available in iThemes Security Pro.

Credential stuffing, phishing, and brute force attacks using stolen, guessable, or reused passwords have made our digital lives less secure. Two-Factor Authentication (2FA) offers some protection but at the cost of usability and accessibility. Fewer than 30% of all online account holders actually use 2FA. Password-based logins are broken.

The future of authentication is passkeys, and iThemes Security Pro is the first to bring this breakthrough technology to WordPress sites. Using breakthrough WebAuthn technology based on public/private cryptography, passkeys make passwords obsolete. Now, website admins and end users can have secure logins without the inconvenience of additional two-factor apps, password managers, or complex password requirements.

Learn More About Passkeys

WordPress Core News

WordPress 6.1.1 is the current (short-cycle maintenance) release of WordPress core. It is a minor release issued on November 15, 2022. It features 29 bug fixes in Core and 21 bug fixes for the Gutenberg block editor. You can review a summary of the key updates in this release at WordPress.org.

If your WordPress sites have enabled automatic background updates, they should have upgraded to 6.1.1 automatically. You can download WordPress 6.1.1 from WordPress.org, or visit your WordPress Dashboard, click “Updates,” and then click the “Update Now” button which will appear when any core updates are available. For more information, check out the version 6.1.1 HelpHub documentation page.

WordPress 6.2 is the next major WordPress release, and it’s on track for a March 28, 2023 debut. You can learn more about what’s coming in the WordPress 6.2 RC1 release announcement and the WordPress 6.2 Field Guide.

Get the weekly WordPress Vulnerability Report delivered to your inbox each Wednesday.
Subscribe now

WordPress Plugin Vulnerabilities with Patches

In this section, you’ll find the most recently disclosed WordPress plugin vulnerabilities that have been fixed with a new release from their authors and maintainers. Please apply the updates if you are affected!

These vulnerabilities have been disclosed and scored for their severity thanks to our friends at Patchstack. Each plugin listing includes the type of vulnerability with its CVE number and CVSS severity rating with links to more technical details. You’ll also see the number of active sites using the plugin and the plugin version release that patches the vulnerability. We start with the most popular plugins, which represent the largest target for attackers.

Updraft Plus

Product image for UpdraftPlus WordPress Backup Plugin.
Plugin Slug
updraftplus
Installations
3,000,000+
Vulnerability
Cross Site Request Forgery (CSRF)
Patched in Version
1.23.1
Severity Score
Medium
The vulnerability has been patched, so you should update to version 1.23.1.

Popup Maker

Product image for Popup Maker – Popup for opt-ins, lead gen, & more.
Plugin Slug
popup-maker
Installations
700,000+
Vulnerability
Cross Site Request Forgery (CSRF)
Patched in Version
1.18.1
Severity Score
Medium
The vulnerability has been patched, so you should update to version 1.18.1.

Complianz – GDPR/CCPA Cookie Consent

Product image for Complianz – GDPR/CCPA Cookie Consent.
Plugin Slug
complianz-gdpr
Installations
600,000+
Vulnerability
Cross Site Scripting (XSS)
Patched in Version
6.4.2
Severity Score
Medium
The vulnerability has been patched, so you should update to version 6.4.2.

301 Redirects – Easy Redirect Manager

Product image for 301 Redirects – Easy Redirect Manager.
Plugin Slug
eps-301-redirects
Installations
200,000+
Vulnerability
Cross Site Request Forgery (CSRF)
Patched in Version
2.73
Severity Score
Medium
The vulnerability has been patched, so you should update to version 2.73.

External Links

Product image for External Links – nofollow, noopener & new window.
Plugin Slug
wp-external-links
Installations
100,000+
Vulnerability
Cross Site Request Forgery (CSRF)
Patched in Version
2.58
Severity Score
Medium
The vulnerability has been patched, so you should update to version 2.58.

WP Maps

Product image for WordPress Plugin for Google Maps – WP MAPS.
Plugin Slug
wp-google-map-plugin
Installations
100,000+
Vulnerability
Cross Site Request Forgery (CSRF)
Patched in Version
4.4.3
Severity Score
Medium
The vulnerability has been patched, so you should update to version 4.4.3.

Ajax Load More

Product image for WordPress Infinite Scroll – Ajax Load More.
Plugin Slug
ajax-load-more
Installations
50,000+
Vulnerability
Cross Site Scripting (XSS)
Patched in Version
5.6.0.3
Severity Score
Medium
The vulnerability has been patched, so you should update to version 5.6.0.3.

Site Reviews

Product image for Site Reviews.
Plugin Slug
site-reviews
Installations
50,000+
Vulnerability
Broken Access Control
Patched in Version
6.6.0
Severity Score
Medium
The vulnerability has been patched, so you should update to version 6.6.0.

Site Reviews

Product image for Site Reviews.
Plugin Slug
site-reviews
Installations
50,000+
Vulnerability
Cross Site Scripting (XSS)
Patched in Version
6.6.0
Severity Score
Medium
The vulnerability has been patched, so you should update to version 6.6.0.

Site Reviews

Product image for Site Reviews.
Plugin Slug
site-reviews
Installations
50,000+
Vulnerability
Cross Site Scripting (XSS)
Patched in Version
6.6.0
Severity Score
Medium
The vulnerability has been patched, so you should update to version 6.6.0.

Klaviyo

Plugin
Klaviyo
Plugin Slug
klaviyo
Installations
30,000+
Vulnerability
Cross Site Scripting (XSS)
Patched in Version
3.0.8
Severity Score
Medium
The vulnerability has been patched, so you should update to version 3.0.8.

Customify

Product image for Customify – Intuitive Website Styling.
Plugin Slug
customify
Installations
20,000+
Vulnerability
Cross Site Request Forgery (CSRF)
Patched in Version
2.10.5
Severity Score
Medium
The vulnerability has been patched, so you should update to version 2.10.5.

Redirect Redirection

Product image for Redirection.
Plugin Slug
redirect-redirection
Installations
20,000+
Vulnerability
Cross Site Request Forgery (CSRF)
Patched in Version
1.1.5
Severity Score
Medium
The vulnerability has been patched, so you should update to version 1.1.5.

Reusable Blocks Extended

Product image for Reusable Blocks Extended.
Plugin Slug
reusable-blocks-extended
Installations
10,000+
Vulnerability
Cross Site Request Forgery (CSRF)
Patched in Version
0.9.1
Severity Score
Medium
The vulnerability has been patched, so you should update to version 0.9.1.

Weaver Xtreme Theme Support

Plugin Slug
weaverx-theme-support
Installations
10,000+
Vulnerability
Cross Site Scripting (XSS)
Patched in Version
6.2.5
Severity Score
Medium
The vulnerability has been patched, so you should update to version 6.2.5.

Woo Products Widgets For Elementor

Plugin Slug
woo-products-widgets-for-elementor
Installations
8,000+
Vulnerability
Cross Site Scripting (XSS)
Patched in Version
1.0.8
Severity Score
Medium
The vulnerability has been patched, so you should update to version 1.0.8.

W4 Post List

Product image for W4 Post List.
Plugin Slug
w4-post-list
Installations
5,000+
Vulnerability
Cross Site Scripting (XSS)
Patched in Version
2.4.5
Severity Score
Medium
The vulnerability has been patched, so you should update to version 2.4.5.

Stock Ticker

Product image for Stock Ticker.
Plugin Slug
stock-ticker
Installations
4,000+
Vulnerability
Broken Access Control
Patched in Version
3.23.1
Severity Score
Medium
The vulnerability has been patched, so you should update to version 3.23.1.

Auto Prune Posts

Plugin Slug
auto-prune-posts
Installations
2,000+
Vulnerability
Cross Site Request Forgery (CSRF)
Patched in Version
2.0.0
Severity Score
Medium
The vulnerability has been patched, so you should update to version 2.0.0.

RapidLoad Power-Up for Autoptimize

Product image for RapidLoad Power-Up for Autoptimize.
Plugin Slug
unusedcss
Installations
2,000+
Vulnerability
Broken Access Control
Patched in Version
1.7.2
Severity Score
Medium
The vulnerability has been patched, so you should update to version 1.7.2.

RapidLoad Power-Up for Autoptimize

Product image for RapidLoad Power-Up for Autoptimize.
Plugin Slug
unusedcss
Installations
2,000+
Vulnerability
Cross Site Request Forgery (CSRF)
Patched in Version
1.7.2
Severity Score
Medium
The vulnerability has been patched, so you should update to version 1.7.2.

Mass Delete Unused Tags

Plugin Slug
mass-delete-unused-tags
Installations
1,000+
Vulnerability
Cross Site Request Forgery (CSRF)
Patched in Version
3.0.0
Severity Score
Medium
The vulnerability has been patched, so you should update to version 3.0.0.

PhonePe Payment Solutions

Plugin Slug
phonepe-payment-solutions
Installations
1,000+
Vulnerability
Server Side Request Forgery (SSRF)
Patched in Version
2.0.0
Severity Score
Medium
The vulnerability has been patched, so you should update to version 2.0.0.

Webmention

Product image for Webmention.
Plugin Slug
webmention
Installations
1,000+
Vulnerability
Cross Site Scripting (XSS)
Patched in Version
4.0.9
Severity Score
High
The vulnerability has been patched, so you should update to version 4.0.9.

LeadSnap

Product image for LeadSnap.
Plugin
LeadSnap
Plugin Slug
leadsnap
Installations
800+
Vulnerability
PHP Object Injection
Patched in Version
1.24
Severity Score
Medium
The vulnerability has been patched, so you should update to version 1.24.

Mass Delete Taxonomies

Plugin Slug
mass-delete-tags
Installations
300+
Vulnerability
Cross Site Request Forgery (CSRF)
Patched in Version
4.0.0
Severity Score
Medium
The vulnerability has been patched, so you should update to version 4.0.0.

WordPress Plugin Vulnerabilities – No Known Fix

This section contains plugin vulnerabilities with no known fix. Until a patch is available, you are advised to deactivate the plugin, at minimum, immediately. If there is a high risk of active exploits or the plugin remains unpatched for weeks, you are advised to delete the plugin. You should also delete persistently unpatched plugins the WordPress.org repository has locked and marked “Closed” so they can no longer be downloaded and installed.

WooCommerce Weight Based Shipping

Product image for WooCommerce Weight Based Shipping.
Plugin Slug
weight-based-shipping-for-woocommerce
Installations
60,000+
Vulnerability
Cross Site Request Forgery (CSRF)
Patched in Version
No Fix
Severity Score
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Print Invoice & Delivery Notes for WooCommerce

Product image for Print Invoice & Delivery Notes for WooCommerce.
Plugin Slug
woocommerce-delivery-notes
Installations
40,000+
Vulnerability
Cross Site Request Forgery (CSRF)
Patched in Version
No Fix
Severity Score
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Data Tables Generator by Supsystic

Product image for Data Tables Generator by Supsystic.
Plugin Slug
data-tables-generator-by-supsystic
Installations
30,000+
Vulnerability
Broken Access Control
Patched in Version
No Fix
Severity Score
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Google XML Sitemap for Videos

Plugin Slug
xml-sitemaps-for-videos
Installations
20,000+
Vulnerability
Cross Site Request Forgery (CSRF)
Patched in Version
No Fix
Severity Score
Medium
The vulnerability has not been patched. You should deactivate the plugin.

CF7 Invisible reCAPTCHA

Product image for CF7 Invisible reCAPTCHA.
Plugin Slug
cf7-invisible-recaptcha
Installations
10,000+
Vulnerability
Cross Site Request Forgery (CSRF)
Patched in Version
No Fix
Severity Score
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Google XML Sitemap for Images

Plugin Slug
google-image-sitemap
Installations
10,000+
Vulnerability
Cross Site Request Forgery (CSRF)
Patched in Version
No Fix
Severity Score
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Contact Form 7 Redirect & Thank You Page

Plugin Slug
cf7-redirect-thank-you-page
Installations
6,000+
Vulnerability
Cross Site Request Forgery (CSRF)
Patched in Version
No Fix
Severity Score
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Yandex.News Feed by Teplitsa

Product image for Yandex.News Feed by Teplitsa.
Plugin Slug
yandexnews-feed-by-teplitsa
Installations
6,000+
Vulnerability
Cross Site Scripting (XSS)
Patched in Version
No Fix
Severity Score
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Daily Prayer Time

Product image for Daily Prayer Time.
Plugin Slug
daily-prayer-time-for-mosques
Installations
1,000+
Vulnerability
Cross Site Request Forgery (CSRF)
Patched in Version
No Fix
Severity Score
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Daily Prayer Time

Product image for Daily Prayer Time.
Plugin Slug
daily-prayer-time-for-mosques
Installations
1,000+
Vulnerability
Cross Site Scripting (XSS)
Patched in Version
No Fix
Severity Score
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Kopa Framework

Product image for Kopa Framework.
Plugin Slug
kopatheme
Installations
1,000+
Vulnerability
Cross Site Request Forgery (CSRF)
Patched in Version
No Fix
Severity Score
Medium
The vulnerability has not been patched. You should deactivate the plugin.

xili-tidy-tags

Product image for xili-tidy-tags.
Plugin Slug
xili-tidy-tags
Installations
1,000+
Vulnerability
Cross Site Request Forgery (CSRF)
Patched in Version
No Fix
Severity Score
Medium
The vulnerability has not been patched. You should deactivate the plugin.

WP-Advanced-Search

Plugin Slug
wp-advanced-search
Installations
800+
Vulnerability
Cross Site Request Forgery (CSRF)
Patched in Version
No Fix
Severity Score
Medium
The vulnerability has not been patched. You should deactivate the plugin.

CMS Press

Plugin
CMS Press
Plugin Slug
cms-press
Installations
700+
Vulnerability
Cross Site Scripting (XSS)
Patched in Version
No Fix
Severity Score
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Backup Bank: WordPress Backup

Product image for Backup Bank: WordPress Backup Plugin.
Plugin Slug
wp-backup-bank
Installations
700+
Vulnerability
Broken Access Control
Patched in Version
No Fix
Severity Score
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Chronoforms

Product image for Chronoforms.
Plugin Slug
chronoforms
Installations
400+
Vulnerability
Cross Site Request Forgery (CSRF)
Patched in Version
No Fix
Severity Score
Medium
The vulnerability has not been patched. You should deactivate the plugin.

WP Basic Elements

Product image for WP Basic Elements.
Plugin Slug
wp-basic-elements
Installations
300+
Vulnerability
Cross Site Request Forgery (CSRF)
Patched in Version
No Fix
Severity Score
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Exxp

Product image for Exxp.
Plugin
Exxp
Plugin Slug
exxp-wp
Installations
200+
Vulnerability
Cross Site Scripting (XSS)
Patched in Version
No Fix
Severity Score
Medium
The vulnerability has not been patched. You should deactivate the plugin.

WH Testimonials

Plugin Slug
wh-testimonials
Installations
90+
Vulnerability
Cross Site Scripting (XSS)
Patched in Version
No Fix
Severity Score
High
The vulnerability has not been patched. You should deactivate the plugin.

WordPress Console

Plugin Slug
wordpress-console
Installations
40+
Vulnerability
Broken Access Control
Patched in Version
No Fix
Severity Score
Low
The vulnerability has not been patched. You should deactivate the plugin.

LOGIN AND REGISTRATION ATTEMPTS LIMIT

Plugin Slug
login-attempts-limit-wp
Installations
10+
Vulnerability
Cross Site Request Forgery (CSRF)
Patched in Version
No Fix
Severity Score
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Admin side data storage for Contact Form 7

Plugin Slug
admin-side-data-storage-for-contact-form-7
Vulnerability
Cross Site Scripting (XSS)
Patched in Version
No Fix
Severity Score
High
The vulnerability has not been patched. You should deactivate the plugin.

Easy Event calendar

Plugin Slug
easy-event-calendar
Vulnerability
Cross Site Scripting (XSS)
Patched in Version
No Fix
Severity Score
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Tags Cloud Manager

Product image for Tags Cloud Manager.
Plugin Slug
tags-cloud-manager
Vulnerability
Cross Site Scripting (XSS)
Patched in Version
No Fix
Severity Score
High
The vulnerability has not been patched. You should deactivate the plugin.

WordPress Theme Vulnerabilities

In this section, you’ll find the latest WordPress theme vulnerabilities to be disclosed. You’ll see the same information provided above for vulnerable plugins, and the same advice applies. If a security update exists, install it immediately. If a vulnerability remains unpatched in a theme you are actively using, you will need to find an alternative theme. Deactivate and delete persistently unpatched themes and those that have been “Closed” in the WordPress.org theme repository. If you have a vulnerable theme installed that you are not actively using, simply delete it.

Real Estate 7

Theme
Real Estate 7
Theme Slug
realestate-7
Vulnerability
Broken Access Control
Patched in Version
3.3.5
Severity Score
Medium
The vulnerability has been patched, so you should update to version 3.3.5.

Brilliance

Product image for Brilliance.
Theme Slug
brilliance
Downloads
139,773
Vulnerability
Cross Site Scripting (XSS)
Patched in Version
No Fix
Severity Score
Medium
The vulnerability has not been patched. You should switch themes.

Regina Lite

Product image for Regina Lite.
Theme Slug
regina-lite
Downloads
116,354
Vulnerability
Cross Site Scripting (XSS)
Patched in Version
No Fix
Severity Score
Medium
The vulnerability has not been patched. You should switch themes.

Intrepidity

Theme
Intrepidity
Theme Slug
intrepidity
Vulnerability
Cross Site Request Forgery (CSRF)
Patched in Version
No Fix
Severity Score
High
The vulnerability has not been patched. You should switch themes.

Never worry about running a vulnerable plugin or theme again.

As you can see from this report, new WordPress plugin and theme vulnerabilities are disclosed every week. We know it can be difficult to stay on top of every reported vulnerability disclosure that matters to you, so the Themes Security Pro plugin makes it easy to ensure your site isn’t running a vulnerable theme, plugin, or version of WordPress core.

Scans Your Website Twice a Day for Vulnerabilities

Your website’s plugins, themes, and WordPress core versions are checked against the Patchstack Vulnerability Database for the latest vulnerability disclosures.

Automatically Updates if a Security Fix is Available

Paired with Version Management, iThemes Security will automatically update a plugin, theme, or WordPress core version if it has a vulnerability.

Emails You a Warning if Site Scan Detects a Vulnerability

You can receive an email report if your site is running vulnerable versions of a plugin, theme, or WordPress core. Customize the email addresses that receive scan results.
iThemes Security Pro

The Best WordPress Security Plugin to Secure & Protect WordPress Sites

WordPress currently powers over 40% of all websites, so it has become a popular target for hackers with malicious intent. The iThemes Security Pro plugin takes the guesswork out of WordPress security to make it easy to secure & protect your WordPress website. It’s like having a full-time security expert on staff who constantly monitors and protects your WordPress site for you.
Buy iThemes Security Pro

Other related posts
A computer riddled with security issue alerts. There is a large, orange shield with a slash in the middle of the screen. Surrounding it are a red target, a green skull and crossbones, an orange “bug”, a triangle with an explanation point in the middle and a gray gear.
WordPress Vulnerability Report – March 22, 2023
website-backdoor
What is a Website Backdoor? How to Remove and Prevent the Hack
ip hack
What is an IP Hack?
Patchstack 2022 WordPress Security Review
The State of WordPress Security: Community and Collaboration Help Us All Win

Get the Weekly WordPress Vulnerability Report

Vulnerable WordPress plugins and themes are the #1 reason WordPress sites get hacked, but keeping track of every new plugin and theme vulnerability is hard work. Get the weekly WordPress Vulnerability Report delivered right to your inbox to help keep your website secure.

Get the Report
Copy link
CopyCopied
Powered by Social Snap