
WordPress Vulnerability Report – March 15, 2023

Written by iThemes Editorial Team on March 15, 2023

Last Updated on March 22, 2023

This week there are 37 plugin vulnerabilities (and one theme vulnerability) affecting well over 6 million WordPress sites. Fortunately, all of these have patches available, so run those updates if you use these plugins! Additionally, there are 27 plugin vulnerabilities and 3 theme vulnerabilities with no patch available yet. Check their vendors’ intentions and progress on a patch if you use any of these unpatched plugins or themes. If no security fix is forthcoming or a vulnerable plugin or theme has been “closed” (dropped from the WordPress.org repository), you should consider deactivating it in favor of alternative solutions.

Not included on this week’s list is the Postmatic Replyable plugin, since it was closed in the WordPress directory, possibly due to a CSRF vulnerability reported in CVE-2022-4265. The current release, version 2.2.10 (Trac SVN), can be downloaded from Replyable. It patches a high-severity PHP Object Injection vulnerability.

WordPress core is very secure when it’s properly configured and maintained. Vulnerable plugins that have not been updated by site owners are the most common vector for attacks on WordPress websites. Our weekly WordPress Vulnerability Report, powered by Patchstack, covers new WordPress plugin, theme, and core vulnerabilities that have emerged since last week’s report. Our goal is to spread awareness of emerging security threats and help you decide what to do if you are using vulnerable software on your website. For a deeper analysis of recent trends in WordPress vulnerabilities and threat vectors, see our 2022 Annual Vulnerability Report.

Contents of the March 15, 2023 Report
  1. The Future of Authentication is Passkeys! Log into your WordPress site with Biometrics only available in iThemes Security Pro.
  2. WordPress Core News
  3. WordPress Plugin Vulnerabilities with Patches
    1. Updraft Plus
    2. Popup Maker
    3. Popup Maker
    4. Popup Maker
    5. Complianz – GDPR/CCPA Cookie Consent
    6. Formidable Forms
    7. 301 Redirects – Easy Redirect Manager
    8. GiveWP
    9. GiveWP
    10. GiveWP
    11. GiveWP
    12. GiveWP
    13. GiveWP
    14. External Links
    15. WP Maps
    16. Embed Any Document – Embed PDF, Word, PowerPoint and Excel Files
    17. Ajax Load More
    18. Robo Gallery
    19. Site Reviews
    20. Site Reviews
    21. Site Reviews
    22. Klaviyo
    23. Customify
    24. Redirect Redirection
    25. Reusable Blocks Extended
    26. Weaver Xtreme Theme Support
    27. Woo Products Widgets For Elementor
    28. W4 Post List
    29. Stock Ticker
    30. Auto Prune Posts
    31. RapidLoad Power-Up for Autoptimize
    32. RapidLoad Power-Up for Autoptimize
    33. Mass Delete Unused Tags
    34. PhonePe Payment Solutions
    35. Webmention
    36. LeadSnap
    37. Mass Delete Taxonomies
  4. WordPress Plugin Vulnerabilities – No Known Fix
    1. WooCommerce Weight Based Shipping
    2. Print Invoice & Delivery Notes for WooCommerce
    3. Data Tables Generator by Supsystic
    4. Google XML Sitemap for Videos
    5. CF7 Invisible reCAPTCHA
    6. Google XML Sitemap for Images
    7. Contact Form 7 Redirect & Thank You Page
    8. Yandex.News Feed by Teplitsa
    9. Coming Soon Landing Page and Maintenance Mode
    10. Daily Prayer Time
    11. Daily Prayer Time
    12. Kopa Framework
    13. Store Locator for WordPress with Google Maps – LotsOfLocales
    14. xili-tidy-tags
    15. WP-Advanced-Search
    16. CMS Press
    17. Backup Bank: WordPress Backup
    18. Chronoforms
    19. WP Basic Elements
    20. Exxp
    21. Solidres
    22. WH Testimonials
    23. WordPress Console
    24. LOGIN AND REGISTRATION ATTEMPTS LIMIT
    25. Admin side data storage for Contact Form 7
    26. Easy Event calendar
    27. Tags Cloud Manager
  5. WordPress Theme Vulnerabilities
    1. Real Estate 7
    2. Brilliance
    3. Regina Lite
    4. Intrepidity
  6. The Best WordPress Security Plugin to Secure & Protect WordPress Sites

The Future of Authentication is Passkeys! Log into your WordPress site with Biometrics only available in iThemes Security Pro.

Credential stuffing, phishing, and brute force attacks using stolen, guessable, or reused passwords have made our digital lives less secure. Two-Factor Authentication (2FA) offers some protection but at the cost of usability and accessibility. Fewer than 30% of all online account holders actually use 2FA. Password-based logins are broken.

The future of authentication is passkeys, and iThemes Security Pro is the first to bring this technology to WordPress sites. Built on the WebAuthn standard and public-key cryptography, passkeys make passwords obsolete. Website admins and end users can now have secure logins without the inconvenience of additional two-factor apps, password managers, or complex password requirements.

Learn More About Passkeys

WordPress Core News

WordPress 6.1.1 is the current (short-cycle maintenance) release of WordPress core. It is a minor release issued on November 15, 2022. It features 29 bug fixes in Core and 21 bug fixes for the Gutenberg block editor. You can review a summary of the key updates in this release at WordPress.org.

If your WordPress sites have enabled automatic background updates, they should have upgraded to 6.1.1 automatically. You can download WordPress 6.1.1 from WordPress.org, or visit your WordPress Dashboard, click “Updates,” and then click the “Update Now” button which will appear when any core updates are available. For more information, check out the version 6.1.1 HelpHub documentation page.

WordPress 6.2 is the next major WordPress release, and it’s on track for a March 28, 2023 debut. You can learn more about what’s coming in the WordPress 6.2 RC1 release announcement and the WordPress 6.2 Field Guide.


WordPress Plugin Vulnerabilities with Patches

In this section, you’ll find the most recently disclosed WordPress plugin vulnerabilities that have been fixed with a new release from their authors and maintainers. Please apply the updates if you are affected!

These vulnerabilities have been disclosed and scored for their severity thanks to our friends at Patchstack. Each plugin listing includes the type of vulnerability with its CVE number and CVSS severity rating with links to more technical details. You’ll also see the number of active sites using the plugin and the plugin version release that patches the vulnerability. We start with the most popular plugins, which represent the largest target for attackers.

Updraft Plus

Plugin: UpdraftPlus WordPress Backup Plugin
Plugin Slug: updraftplus
Installations: 3,000,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.23.1
Severity Score: Medium
The vulnerability has been patched, so you should update to version 1.23.1.

Popup Maker

Plugin: Popup Maker – Popup for opt-ins, lead gen, & more
Plugin Slug: popup-maker
Installations: 700,000+
Vulnerability: Sensitive Data Exposure
Patched in Version: 1.18.0
Severity Score: Medium
CVE: CVE-2022-47597
The vulnerability has been patched, so you should update to version 1.18.0.

Popup Maker

Plugin: Popup Maker – Popup for opt-ins, lead gen, & more
Plugin Slug: popup-maker
Installations: 700,000+
Vulnerability: Broken Access Control
Patched in Version: 1.18.0
Severity Score: Low
CVE: CVE-2022-45819
The vulnerability has been patched, so you should update to version 1.18.0.

Popup Maker

Plugin: Popup Maker – Popup for opt-ins, lead gen, & more
Plugin Slug: popup-maker
Installations: 700,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.18.1
Severity Score: Medium
The vulnerability has been patched, so you should update to version 1.18.1.

Complianz – GDPR/CCPA Cookie Consent

Plugin: Complianz – GDPR/CCPA Cookie Consent
Plugin Slug: complianz-gdpr
Installations: 600,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 6.4.2
Severity Score: Medium
CVE: CVE-2023-1069
The vulnerability has been patched, so you should update to version 6.4.2.

Formidable Forms

Plugin: Formidable Forms – Contact Form, Survey, Quiz, Calculator & Custom Form Builder
Plugin Slug: formidable
Installations: 300,000+
Vulnerability: Bypass Vulnerability
Patched in Version: 6.1
Severity Score: Medium
CVE: CVE-2023-0816
The vulnerability has been patched, so you should update to version 6.1.

301 Redirects – Easy Redirect Manager

Plugin: 301 Redirects – Easy Redirect Manager
Plugin Slug: eps-301-redirects
Installations: 200,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 2.73
Severity Score: Medium
The vulnerability has been patched, so you should update to version 2.73.

GiveWP

Plugin: GiveWP – Donation Plugin and Fundraising Platform
Plugin Slug: give
Installations: 100,000+
Vulnerability: Arbitrary Content Deletion
Patched in Version: 2.25.2
Severity Score: Medium
CVE: CVE-2023-23672
The vulnerability has been patched, so you should update to version 2.25.2.

GiveWP

Plugin: GiveWP – Donation Plugin and Fundraising Platform
Plugin Slug: give
Installations: 100,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.25.2
Severity Score: Medium
CVE: CVE-2022-40211
The vulnerability has been patched, so you should update to version 2.25.2.

GiveWP

Plugin: GiveWP – Donation Plugin and Fundraising Platform
Plugin Slug: give
Installations: 100,000+
Vulnerability: CSV Injection
Patched in Version: 2.25.2
Severity Score: Medium
CVE: CVE-2023-22719
The vulnerability has been patched, so you should update to version 2.25.2.

GiveWP

Plugin: GiveWP – Donation Plugin and Fundraising Platform
Plugin Slug: give
Installations: 100,000+
Vulnerability: Server Side Request Forgery (SSRF)
Patched in Version: 2.25.2
Severity Score: Medium
CVE: CVE-2022-40312
The vulnerability has been patched, so you should update to version 2.25.2.

GiveWP

Plugin: GiveWP – Donation Plugin and Fundraising Platform
Plugin Slug: give
Installations: 100,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.25.2
Severity Score: Medium
CVE: CVE-2023-23668
The vulnerability has been patched, so you should update to version 2.25.2.

GiveWP

Plugin: GiveWP – Donation Plugin and Fundraising Platform
Plugin Slug: give
Installations: 100,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 2.25.2
Severity Score: Medium
CVE: CVE-2023-25450
The vulnerability has been patched, so you should update to version 2.25.2.

External Links

Plugin: External Links – nofollow, noopener & new window
Plugin Slug: wp-external-links
Installations: 100,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 2.58
Severity Score: Medium
The vulnerability has been patched, so you should update to version 2.58.

WP Maps

Plugin: WordPress Plugin for Google Maps – WP MAPS
Plugin Slug: wp-google-map-plugin
Installations: 100,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 4.4.3
Severity Score: Medium
CVE: CVE-2023-28172
The vulnerability has been patched, so you should update to version 4.4.3.

Embed Any Document – Embed PDF, Word, PowerPoint and Excel Files

Plugin: Embed Any Document – Embed PDF, Word, PowerPoint and Excel Files
Plugin Slug: embed-any-document
Installations: 70,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.7.2
Severity Score: Medium
CVE: CVE-2023-23707
The vulnerability has been patched, so you should update to version 2.7.2.

Ajax Load More

Plugin: WordPress Infinite Scroll – Ajax Load More
Plugin Slug: ajax-load-more
Installations: 50,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 5.6.0.3
Severity Score: Medium
CVE: CVE-2022-4466
The vulnerability has been patched, so you should update to version 5.6.0.3.

Robo Gallery

Plugin: Photo Gallery, Images, Slider in Rbs Image Gallery
Plugin Slug: robo-gallery
Installations: 50,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.2.13
Severity Score: Medium
CVE: CVE-2023-27620
The vulnerability has been patched, so you should update to version 3.2.13.

Site Reviews

Plugin: Site Reviews
Plugin Slug: site-reviews
Installations: 50,000+
Vulnerability: Broken Access Control
Patched in Version: 6.6.0
Severity Score: Medium
CVE: CVE-2023-27625
The vulnerability has been patched, so you should update to version 6.6.0.

Site Reviews

Plugin: Site Reviews
Plugin Slug: site-reviews
Installations: 50,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 6.6.0
Severity Score: Medium
CVE: CVE-2023-27612
The vulnerability has been patched, so you should update to version 6.6.0.

Site Reviews

Plugin: Site Reviews
Plugin Slug: site-reviews
Installations: 50,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 6.6.0
Severity Score: Medium
CVE: CVE-2023-27629
The vulnerability has been patched, so you should update to version 6.6.0.

Klaviyo

Plugin: Klaviyo
Plugin Slug: klaviyo
Installations: 30,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.0.8
Severity Score: Medium
CVE: CVE-2023-25456
The vulnerability has been patched, so you should update to version 3.0.8.

Customify

Plugin: Customify – Intuitive Website Styling
Plugin Slug: customify
Installations: 20,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 2.10.5
Severity Score: Medium
CVE: CVE-2023-27633
The vulnerability has been patched, so you should update to version 2.10.5.

Redirect Redirection

Plugin: Redirection
Plugin Slug: redirect-redirection
Installations: 20,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.1.5
Severity Score: Medium
The vulnerability has been patched, so you should update to version 1.1.5.

Reusable Blocks Extended

Plugin: Reusable Blocks Extended
Plugin Slug: reusable-blocks-extended
Installations: 10,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 0.9.1
Severity Score: Medium
CVE: CVE-2023-27611
The vulnerability has been patched, so you should update to version 0.9.1.

Weaver Xtreme Theme Support

Plugin: Weaver Xtreme Theme Support
Plugin Slug: weaverx-theme-support
Installations: 10,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 6.2.5
Severity Score: Medium
The vulnerability has been patched, so you should update to version 6.2.5.

Woo Products Widgets For Elementor

Plugin: Widgets for WooCommerce Products on Elementor
Plugin Slug: woo-products-widgets-for-elementor
Installations: 8,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.0.8
Severity Score: Medium
CVE: CVE-2022-4661
The vulnerability has been patched, so you should update to version 1.0.8.

W4 Post List

Plugin: W4 Post List
Plugin Slug: w4-post-list
Installations: 5,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.4.5
Severity Score: Medium
CVE: CVE-2023-27413
The vulnerability has been patched, so you should update to version 2.4.5.

Stock Ticker

Plugin: Stock Ticker
Plugin Slug: stock-ticker
Installations: 4,000+
Vulnerability: Broken Access Control
Patched in Version: 3.23.1
Severity Score: Medium
CVE: CVE-2023-27626
The vulnerability has been patched, so you should update to version 3.23.1.

Auto Prune Posts

Plugin: Auto Prune Posts
Plugin Slug: auto-prune-posts
Installations: 2,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 2.0.0
Severity Score: Medium
CVE: CVE-2023-27423
The vulnerability has been patched, so you should update to version 2.0.0.

RapidLoad Power-Up for Autoptimize

Plugin: RapidLoad Power-Up for Autoptimize
Plugin Slug: unusedcss
Installations: 2,000+
Vulnerability: Broken Access Control
Patched in Version: 1.7.2
Severity Score: Medium
CVE: CVE-2023-1339
The vulnerability has been patched, so you should update to version 1.7.2.

RapidLoad Power-Up for Autoptimize

Plugin: RapidLoad Power-Up for Autoptimize
Plugin Slug: unusedcss
Installations: 2,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.7.2
Severity Score: Medium
CVE: CVE-2023-1340
The vulnerability has been patched, so you should update to version 1.7.2.

Mass Delete Unused Tags

Plugin: Mass Delete Unused Tags
Plugin Slug: mass-delete-unused-tags
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 3.0.0
Severity Score: Medium
CVE: CVE-2023-27430
The vulnerability has been patched, so you should update to version 3.0.0.

PhonePe Payment Solutions

Plugin: PhonePe Payment Solutions
Plugin Slug: phonepe-payment-solutions
Installations: 1,000+
Vulnerability: Server Side Request Forgery (SSRF)
Patched in Version: 2.0.0
Severity Score: Medium
CVE: CVE-2022-45835
The vulnerability has been patched, so you should update to version 2.0.0.

Webmention

Plugin: Webmention
Plugin Slug: webmention
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 4.0.9
Severity Score: High
The vulnerability has been patched, so you should update to version 4.0.9.

LeadSnap

Plugin: LeadSnap
Plugin Slug: leadsnap
Installations: 800+
Vulnerability: PHP Object Injection
Patched in Version: 1.24
Severity Score: Medium
The vulnerability has been patched, so you should update to version 1.24.

Mass Delete Taxonomies

Plugin: Mass Delete Taxonomies
Plugin Slug: mass-delete-tags
Installations: 300+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 4.0.0
Severity Score: Medium
The vulnerability has been patched, so you should update to version 4.0.0.

WordPress Plugin Vulnerabilities – No Known Fix

This section contains plugin vulnerabilities with no known fix. Until a patch is available, you are advised to deactivate the plugin, at minimum, immediately. If there is a high risk of active exploits or the plugin remains unpatched for weeks, you are advised to delete the plugin. You should also delete persistently unpatched plugins the WordPress.org repository has locked and marked “Closed” so they can no longer be downloaded and installed.

WooCommerce Weight Based Shipping

Plugin: WooCommerce Weight Based Shipping
Plugin Slug: weight-based-shipping-for-woocommerce
Installations: 60,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: CVE-2022-46794
The vulnerability has not been patched. You should deactivate the plugin.

Print Invoice & Delivery Notes for WooCommerce

Plugin: Print Invoice & Delivery Notes for WooCommerce
Plugin Slug: woocommerce-delivery-notes
Installations: 40,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: CVE-2022-46795
The vulnerability has not been patched. You should deactivate the plugin.

Data Tables Generator by Supsystic

Plugin: Data Tables Generator by Supsystic
Plugin Slug: data-tables-generator-by-supsystic
Installations: 30,000+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: CVE-2023-25043
The vulnerability has not been patched. You should deactivate the plugin.

Google XML Sitemap for Videos

Plugin: Google XML Sitemap for Videos
Plugin Slug: xml-sitemaps-for-videos
Installations: 20,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: CVE-2023-25055
The vulnerability has not been patched. You should deactivate the plugin.

CF7 Invisible reCAPTCHA

Plugin: CF7 Invisible reCAPTCHA
Plugin Slug: cf7-invisible-recaptcha
Installations: 10,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: CVE-2023-28167
The vulnerability has not been patched. You should deactivate the plugin.

Google XML Sitemap for Images

Plugin: Google XML Sitemap for Images
Plugin Slug: google-image-sitemap
Installations: 10,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: CVE-2023-28173
The vulnerability has not been patched. You should deactivate the plugin.

Contact Form 7 Redirect & Thank You Page

Plugin: Contact Form 7 Redirect & Thank You Page
Plugin Slug: cf7-redirect-thank-you-page
Installations: 6,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: CVE-2023-24395
The vulnerability has not been patched. You should deactivate the plugin.

Yandex.News Feed by Teplitsa

Plugin: Yandex.News Feed by Teplitsa
Plugin Slug: yandexnews-feed-by-teplitsa
Installations: 6,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: CVE-2023-25052
The vulnerability has not been patched. You should deactivate the plugin.

Coming Soon Landing Page and Maintenance Mode

Plugin: Coming Soon Landing Page and Maintenance Mode WordPress Plugin
Plugin Slug: 8-degree-coming-soon-page
Installations: 2,000+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: CVE-2022-47429
The vulnerability has not been patched. You should deactivate the plugin.

Daily Prayer Time

Plugin: Daily Prayer Time
Plugin Slug: daily-prayer-time-for-mosques
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: CVE-2023-27632
The vulnerability has not been patched. You should deactivate the plugin.

Daily Prayer Time

Plugin: Daily Prayer Time
Plugin Slug: daily-prayer-time-for-mosques
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: CVE-2023-27631
The vulnerability has not been patched. You should deactivate the plugin.

Kopa Framework

Plugin: Kopa Framework
Plugin Slug: kopatheme
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: CVE-2022-47180
The vulnerability has not been patched. You should deactivate the plugin.

Store Locator for WordPress with Google Maps – LotsOfLocales

Plugin: Store Locator for WordPress with Google Maps – LotsOfLocales
Plugin Slug: store-locator
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: CVE-2022-47446
The vulnerability has not been patched. You should deactivate the plugin.

xili-tidy-tags

Plugin: xili-tidy-tags
Plugin Slug: xili-tidy-tags
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: CVE-2022-47448
The vulnerability has not been patched. You should deactivate the plugin.

WP-Advanced-Search

Plugin: WordPress WP-Advanced-Search
Plugin Slug: wp-advanced-search
Installations: 800+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: CVE-2022-47447
The vulnerability has not been patched. You should deactivate the plugin.

CMS Press

Plugin: CMS Press
Plugin Slug: cms-press
Installations: 700+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: CVE-2023-25452
The vulnerability has not been patched. You should deactivate the plugin.

Backup Bank: WordPress Backup

Plugin: Backup Bank: WordPress Backup Plugin
Plugin Slug: wp-backup-bank
Installations: 700+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: CVE-2023-28165
The vulnerability has not been patched. You should deactivate the plugin.

Chronoforms

Plugin: Chronoforms
Plugin Slug: chronoforms
Installations: 400+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: CVE-2022-47135
The vulnerability has not been patched. You should deactivate the plugin.

WP Basic Elements

Plugin: WP Basic Elements
Plugin Slug: wp-basic-elements
Installations: 300+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: CVE-2022-47139
The vulnerability has not been patched. You should deactivate the plugin.

Exxp

Plugin: Exxp
Plugin Slug: exxp-wp
Installations: 200+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: CVE-2022-45812
The vulnerability has not been patched. You should deactivate the plugin.

Solidres

Plugin: Solidres – Hotel booking plugin for WordPress
Plugin Slug: solidres
Installations: 100+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: CVE-2023-1374
The vulnerability has not been patched. You should deactivate the plugin.

WH Testimonials

Plugin: WH Testimonials
Plugin Slug: wh-testimonials
Installations: 90+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: CVE-2023-1372
The vulnerability has not been patched. You should deactivate the plugin.

WordPress Console

Plugin: WordPress Console
Plugin Slug: wordpress-console
Installations: 40+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Low
CVE: CVE-2023-28168
The vulnerability has not been patched. You should deactivate the plugin.

LOGIN AND REGISTRATION ATTEMPTS LIMIT

Plugin: LOGIN AND REGISTRATION ATTEMPTS LIMIT
Plugin Slug: login-attempts-limit-wp
Installations: 10+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: CVE-2022-47138
The vulnerability has not been patched. You should deactivate the plugin.

Admin side data storage for Contact Form 7

Plugin: Admin side data storage for Contact Form 7
Plugin Slug: admin-side-data-storage-for-contact-form-7
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: CVE-2023-24420
The vulnerability has not been patched. You should deactivate the plugin.

Easy Event calendar

Plugin: Easy Event calendar
Plugin Slug: easy-event-calendar
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: CVE-2023-28169
The vulnerability has not been patched. You should deactivate the plugin.

Tags Cloud Manager

Plugin: Tags Cloud Manager
Plugin Slug: tags-cloud-manager
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: CVE-2023-28166
The vulnerability has not been patched. You should deactivate the plugin.

WordPress Theme Vulnerabilities

In this section, you’ll find the latest WordPress theme vulnerabilities to be disclosed. You’ll see the same information provided above for vulnerable plugins, and the same advice applies. If a security update exists, install it immediately. If a vulnerability remains unpatched in a theme you are actively using, you will need to find an alternative theme. Deactivate and delete persistently unpatched themes and those that have been “Closed” in the WordPress.org theme repository. If you have a vulnerable theme installed that you are not actively using, simply delete it.

Real Estate 7

Theme: Real Estate 7
Theme Slug: realestate-7
Vulnerability: Broken Access Control
Patched in Version: 3.3.5
Severity Score: Medium
The vulnerability has been patched, so you should update to version 3.3.5.

Brilliance

Theme: Brilliance
Theme Slug: brilliance
Downloads: 139,773
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: CVE-2023-28171
The vulnerability has not been patched. You should switch themes.

Regina Lite

Theme: Regina Lite
Theme Slug: regina-lite
Downloads: 116,354
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: CVE-2023-27619
The vulnerability has not been patched. You should switch themes.

Intrepidity

Theme: Intrepidity
Theme Slug: intrepidity
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: High
CVE: CVE-2023-27634
The vulnerability has not been patched. You should switch themes.

Never worry about running a vulnerable plugin or theme again.

As you can see from this report, new WordPress plugin and theme vulnerabilities are disclosed every week. We know it can be difficult to stay on top of every reported vulnerability disclosure that matters to you, so the iThemes Security Pro plugin makes it easy to ensure your site isn’t running a vulnerable theme, plugin, or version of WordPress core.

Scans Your Website Twice a Day for Vulnerabilities

Your website’s plugins, themes, and WordPress core versions are checked against the Patchstack Vulnerability Database for the latest vulnerability disclosures.

Automatically Updates if a Security Fix is Available

Paired with Version Management, iThemes Security will automatically update a plugin, theme, or WordPress core version if it has a vulnerability.

Emails You a Warning if Site Scan Detects a Vulnerability

You can receive an email report if your site is running vulnerable versions of a plugin, theme, or WordPress core. Customize the email addresses that receive scan results.

iThemes Security Pro

The Best WordPress Security Plugin to Secure & Protect WordPress Sites

WordPress currently powers over 40% of all websites, so it has become a popular target for hackers with malicious intent. The iThemes Security Pro plugin takes the guesswork out of WordPress security to make it easy to secure & protect your WordPress website. It’s like having a full-time security expert on staff who constantly monitors and protects your WordPress site for you.

Buy iThemes Security Pro


iThemes Editorial Team

Each week, the team at iThemes publishes new WordPress tutorials and resources, including the Weekly WordPress Vulnerability Report. Since 2008, iThemes has been dedicated to helping you build, maintain, and secure WordPress sites for yourself or for clients. Our mission? Make People’s Lives Awesome.

iThemes Media LLC Copyright © 2023 All rights reserved | Privacy Policy