This week there are 37 plugin vulnerabilities (and one theme vulnerability) affecting well over 6 million WordPress sites. Fortunately, all of these have patches available, so run those updates if you use these plugins! Additionally, there are 27 plugin vulnerabilities and 3 theme vulnerabilities with no patch available yet. Check their vendors’ intentions and progress on a patch if you use any of these unpatched plugins or themes. If no security fix is forthcoming or a vulnerable plugin or theme has been “closed” (dropped from the WordPress.org repository), you should consider deactivating it in favor of alternative solutions.
Not included on this week’s list is the Postmatic Replyable plugin, since it was closed in the WordPress directory, possibly due to a CSRF vulnerability reported in CVE-2022-4265. The current release, version 2.2.10 (Trac SVN), can be downloaded from Replyable. It patches a high-severity PHP Object Injection vulnerability.
WordPress core is very secure when it’s properly configured and maintained. Vulnerable plugins that have not been updated by site owners are the most common vector for attacks on WordPress websites. Our weekly WordPress Vulnerability Report, powered by Patchstack, covers new WordPress plugin, theme, and core vulnerabilities that have emerged since last week’s report. Our goal is to spread awareness of emerging security threats and help you decide what to do if you are using vulnerable software on your website. For a deeper analysis of recent trends in WordPress vulnerabilities and threat vectors, see our 2022 Annual Vulnerability Report.
The Future of Authentication is Passkeys! Log into your WordPress site with Biometrics only available in iThemes Security Pro.
Credential stuffing, phishing, and brute force attacks using stolen, guessable, or reused passwords have made our digital lives less secure. Two-Factor Authentication (2FA) offers some protection but at the cost of usability and accessibility. Fewer than 30% of all online account holders actually use 2FA. Password-based logins are broken.
The future of authentication is passkeys, and iThemes Security Pro is the first to bring this breakthrough technology to WordPress sites. Using breakthrough WebAuthn technology based on public/private cryptography, passkeys make passwords obsolete. Now, website admins and end users can have secure logins without the inconvenience of additional two-factor apps, password managers, or complex password requirements.
WordPress Core News
WordPress 6.1.1 is the current (short-cycle maintenance) release of WordPress core. It is a minor release issued on November 15, 2022. It features 29 bug fixes in Core and 21 bug fixes for the Gutenberg block editor. You can review a summary of the key updates in this release at WordPress.org.
If your WordPress sites have enabled automatic background updates, they should have upgraded to 6.1.1 automatically. You can download WordPress 6.1.1 from WordPress.org, or visit your WordPress Dashboard, click “Updates,” and then click the “Update Now” button which will appear when any core updates are available. For more information, check out the version 6.1.1 HelpHub documentation page.
WordPress 6.2 is the next major WordPress release, and it’s on track for a March 28, 2023 debut. You can learn more about what’s coming in the WordPress 6.2 RC1 release announcement and the WordPress 6.2 Field Guide.
WordPress Plugin Vulnerabilities with Patches
In this section, you’ll find the most recently disclosed WordPress plugin vulnerabilities that have been fixed with a new release from their authors and maintainers. Please apply the updates if you are affected!
These vulnerabilities have been disclosed and scored for their severity thanks to our friends at Patchstack. Each plugin listing includes the type of vulnerability with its CVE number and CVSS severity rating with links to more technical details. You’ll also see the number of active sites using the plugin and the plugin version release that patches the vulnerability. We start with the most popular plugins, which represent the largest target for attackers.
Updraft Plus

- Plugin Slug
- updraftplus
- Installations
- 3,000,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- 1.23.1
- Severity Score
- Medium
Popup Maker

- Plugin Slug
- popup-maker
- Installations
- 700,000+
- Vulnerability
- Sensitive Data Exposure
- Patched in Version
- 1.18.0
- Severity Score
- Medium
- CVE
- 2022-47597
Popup Maker

- Plugin Slug
- popup-maker
- Installations
- 700,000+
- Vulnerability
- Broken Access Control
- Patched in Version
- 1.18.0
- Severity Score
- Low
- CVE
- 2022-45819
Popup Maker

- Plugin Slug
- popup-maker
- Installations
- 700,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- 1.18.1
- Severity Score
- Medium
Complianz – GDPR/CCPA Cookie Consent

- Plugin Slug
- complianz-gdpr
- Installations
- 600,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 6.4.2
- Severity Score
- Medium
- CVE
- 2023-1069
Formidable Forms

- Plugin Slug
- formidable
- Installations
- 300,000+
- Vulnerability
- Bypass Vulnerability
- Patched in Version
- 6.1
- Severity Score
- Medium
- CVE
- 2023-0816
301 Redirects – Easy Redirect Manager

- Plugin Slug
- eps-301-redirects
- Installations
- 200,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- 2.73
- Severity Score
- Medium
GiveWP

- Plugin Slug
- give
- Installations
- 100,000+
- Vulnerability
- Arbitrary Content Deletion
- Patched in Version
- 2.25.2
- Severity Score
- Medium
- CVE
- 2023-23672
GiveWP

- Plugin Slug
- give
- Installations
- 100,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 2.25.2
- Severity Score
- Medium
- CVE
- 2022-40211
GiveWP

- Plugin Slug
- give
- Installations
- 100,000+
- Vulnerability
- CSV Injection
- Patched in Version
- 2.25.2
- Severity Score
- Medium
- CVE
- 2023-22719
GiveWP

- Plugin Slug
- give
- Installations
- 100,000+
- Vulnerability
- Server Side Request Forgery (SSRF)
- Patched in Version
- 2.25.2
- Severity Score
- Medium
- CVE
- 2022-40312
GiveWP

- Plugin Slug
- give
- Installations
- 100,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 2.25.2
- Severity Score
- Medium
- CVE
- 2023-23668
GiveWP

- Plugin Slug
- give
- Installations
- 100,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- 2.25.2
- Severity Score
- Medium
- CVE
- 2023-25450
External Links

- Plugin Slug
- wp-external-links
- Installations
- 100,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- 2.58
- Severity Score
- Medium
WP Maps

- Plugin Slug
- wp-google-map-plugin
- Installations
- 100,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- 4.4.3
- Severity Score
- Medium
- CVE
- 2023-28172
Embed Any Document – Embed PDF, Word, PowerPoint and Excel Files

- Plugin Slug
- embed-any-document
- Installations
- 70,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 2.7.2
- Severity Score
- Medium
- CVE
- 2023-23707
Ajax Load More

- Plugin Slug
- ajax-load-more
- Installations
- 50,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 5.6.0.3
- Severity Score
- Medium
- CVE
- 2022-4466
Robo Gallery

- Plugin Slug
- robo-gallery
- Installations
- 50,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 3.2.13
- Severity Score
- Medium
- CVE
- 2023-27620
Site Reviews

- Plugin
- Site Reviews
- Plugin Slug
- site-reviews
- Installations
- 50,000+
- Vulnerability
- Broken Access Control
- Patched in Version
- 6.6.0
- Severity Score
- Medium
- CVE
- 2023-27625
Site Reviews

- Plugin
- Site Reviews
- Plugin Slug
- site-reviews
- Installations
- 50,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 6.6.0
- Severity Score
- Medium
- CVE
- 2023-27612
Site Reviews

- Plugin
- Site Reviews
- Plugin Slug
- site-reviews
- Installations
- 50,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 6.6.0
- Severity Score
- Medium
- CVE
- 2023-27629
Klaviyo
- Plugin
- Klaviyo
- Plugin Slug
- klaviyo
- Installations
- 30,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 3.0.8
- Severity Score
- Medium
- CVE
- 2023-25456
Customify

- Plugin Slug
- customify
- Installations
- 20,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- 2.10.5
- Severity Score
- Medium
- CVE
- 2023-27633
Redirect Redirection

- Plugin
- Redirection
- Plugin Slug
- redirect-redirection
- Installations
- 20,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- 1.1.5
- Severity Score
- Medium
Reusable Blocks Extended

- Plugin
- Reusable Blocks Extended
- Plugin Slug
- reusable-blocks-extended
- Installations
- 10,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- 0.9.1
- Severity Score
- Medium
- CVE
- 2023-27611
Weaver Xtreme Theme Support
- Plugin Slug
- weaverx-theme-support
- Installations
- 10,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 6.2.5
- Severity Score
- Medium
Woo Products Widgets For Elementor
- Plugin Slug
- woo-products-widgets-for-elementor
- Installations
- 8,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 1.0.8
- Severity Score
- Medium
- CVE
- 2022-4661
W4 Post List

- Plugin
- W4 Post List
- Plugin Slug
- w4-post-list
- Installations
- 5,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 2.4.5
- Severity Score
- Medium
- CVE
- 2023-27413
Stock Ticker

- Plugin
- Stock Ticker
- Plugin Slug
- stock-ticker
- Installations
- 4,000+
- Vulnerability
- Broken Access Control
- Patched in Version
- 3.23.1
- Severity Score
- Medium
- CVE
- 2023-27626
Auto Prune Posts
- Plugin
- Auto Prune Posts
- Plugin Slug
- auto-prune-posts
- Installations
- 2,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- 2.0.0
- Severity Score
- Medium
- CVE
- 2023-27423
RapidLoad Power-Up for Autoptimize

- Plugin Slug
- unusedcss
- Installations
- 2,000+
- Vulnerability
- Broken Access Control
- Patched in Version
- 1.7.2
- Severity Score
- Medium
- CVE
- 2023-1339
RapidLoad Power-Up for Autoptimize

- Plugin Slug
- unusedcss
- Installations
- 2,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- 1.7.2
- Severity Score
- Medium
- CVE
- 2023-1340
Mass Delete Unused Tags
- Plugin
- Mass Delete Unused Tags
- Plugin Slug
- mass-delete-unused-tags
- Installations
- 1,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- 3.0.0
- Severity Score
- Medium
- CVE
- 2023-27430
PhonePe Payment Solutions
- Plugin Slug
- phonepe-payment-solutions
- Installations
- 1,000+
- Vulnerability
- Server Side Request Forgery (SSRF)
- Patched in Version
- 2.0.0
- Severity Score
- Medium
- CVE
- 2022-45835
Webmention

- Plugin
- Webmention
- Plugin Slug
- webmention
- Installations
- 1,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 4.0.9
- Severity Score
- High
LeadSnap

- Plugin
- LeadSnap
- Plugin Slug
- leadsnap
- Installations
- 800+
- Vulnerability
- PHP Object Injection
- Patched in Version
- 1.24
- Severity Score
- Medium
Mass Delete Taxonomies
- Plugin
- Mass Delete Taxonomies
- Plugin Slug
- mass-delete-tags
- Installations
- 300+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- 4.0.0
- Severity Score
- Medium
WordPress Plugin Vulnerabilities – No Known Fix
This section contains plugin vulnerabilities with no known fix. Until a patch is available, you are advised to deactivate the plugin, at minimum, immediately. If there is a high risk of active exploits or the plugin remains unpatched for weeks, you are advised to delete the plugin. You should also delete persistently unpatched plugins the WordPress.org repository has locked and marked “Closed” so they can no longer be downloaded and installed.
WooCommerce Weight Based Shipping

- Plugin Slug
- weight-based-shipping-for-woocommerce
- Installations
- 60,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2022-46794
Print Invoice & Delivery Notes for WooCommerce

- Plugin Slug
- woocommerce-delivery-notes
- Installations
- 40,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2022-46795
Data Tables Generator by Supsystic

- Plugin Slug
- data-tables-generator-by-supsystic
- Installations
- 30,000+
- Vulnerability
- Broken Access Control
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-25043
Google XML Sitemap for Videos
- Plugin Slug
- xml-sitemaps-for-videos
- Installations
- 20,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-25055
CF7 Invisible reCAPTCHA

- Plugin
- CF7 Invisible reCAPTCHA
- Plugin Slug
- cf7-invisible-recaptcha
- Installations
- 10,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-28167
Google XML Sitemap for Images
- Plugin Slug
- google-image-sitemap
- Installations
- 10,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-28173
Contact Form 7 Redirect & Thank You Page
- Plugin Slug
- cf7-redirect-thank-you-page
- Installations
- 6,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-24395
Yandex.News Feed by Teplitsa

- Plugin Slug
- yandexnews-feed-by-teplitsa
- Installations
- 6,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-25052
Coming Soon Landing Page and Maintenance Mode

- Plugin Slug
- 8-degree-coming-soon-page
- Installations
- 2,000+
- Vulnerability
- Broken Access Control
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2022-47429
Daily Prayer Time

- Plugin
- Daily Prayer Time
- Plugin Slug
- daily-prayer-time-for-mosques
- Installations
- 1,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-27632
Daily Prayer Time

- Plugin
- Daily Prayer Time
- Plugin Slug
- daily-prayer-time-for-mosques
- Installations
- 1,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-27631
Kopa Framework

- Plugin
- Kopa Framework
- Plugin Slug
- kopatheme
- Installations
- 1,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2022-47180
Store Locator for WordPress with Google Maps – LotsOfLocales

- Plugin Slug
- store-locator
- Installations
- 1,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2022-47446
xili-tidy-tags

- Plugin
- xili-tidy-tags
- Plugin Slug
- xili-tidy-tags
- Installations
- 1,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2022-47448
WP-Advanced-Search
- Plugin Slug
- wp-advanced-search
- Installations
- 800+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2022-47447
CMS Press
- Plugin
- CMS Press
- Plugin Slug
- cms-press
- Installations
- 700+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-25452
Backup Bank: WordPress Backup

- Plugin Slug
- wp-backup-bank
- Installations
- 700+
- Vulnerability
- Broken Access Control
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-28165
Chronoforms

- Plugin
- Chronoforms
- Plugin Slug
- chronoforms
- Installations
- 400+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2022-47135
WP Basic Elements

- Plugin
- WP Basic Elements
- Plugin Slug
- wp-basic-elements
- Installations
- 300+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2022-47139
Exxp

- Plugin
- Exxp
- Plugin Slug
- exxp-wp
- Installations
- 200+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2022-45812
Solidres

- Plugin Slug
- solidres
- Installations
- 100+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-1374
WH Testimonials
- Plugin
- WH Testimonials
- Plugin Slug
- wh-testimonials
- Installations
- 90+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- High
- CVE
- 2023-1372
WordPress Console
- Plugin
- WordPress Console
- Plugin Slug
- wordpress-console
- Installations
- 40+
- Vulnerability
- Broken Access Control
- Patched in Version
- No Fix
- Severity Score
- Low
- CVE
- 2023-28168
LOGIN AND REGISTRATION ATTEMPTS LIMIT
- Plugin Slug
- login-attempts-limit-wp
- Installations
- 10+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2022-47138
Admin side data storage for Contact Form 7
- Plugin Slug
- admin-side-data-storage-for-contact-form-7
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- High
- CVE
- 2023-24420
Easy Event calendar
- Plugin
- Easy Event calendar
- Plugin Slug
- easy-event-calendar
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-28169
Tags Cloud Manager

- Plugin
- Tags Cloud Manager
- Plugin Slug
- tags-cloud-manager
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- High
- CVE
- 2023-28166
WordPress Theme Vulnerabilities
In this section, you’ll find the latest WordPress theme vulnerabilities to be disclosed. You’ll see the same information provided above for vulnerable plugins, and the same advice applies. If a security update exists, install it immediately. If a vulnerability remains unpatched in a theme you are actively using, you will need to find an alternative theme. Deactivate and delete persistently unpatched themes and those that have been “Closed” in the WordPress.org theme repository. If you have a vulnerable theme installed that you are not actively using, simply delete it.
Real Estate 7
- Theme
- Real Estate 7
- Theme Slug
- realestate-7
- Vulnerability
- Broken Access Control
- Patched in Version
- 3.3.5
- Severity Score
- Medium
Brilliance

- Theme
- Brilliance
- Theme Slug
- brilliance
- Downloads
- 139,773
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-28171
Regina Lite

- Theme
- Regina Lite
- Theme Slug
- regina-lite
- Downloads
- 116,354
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-27619
Intrepidity
- Theme
- Intrepidity
- Theme Slug
- intrepidity
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- High
- CVE
- 2023-27634
Never worry about running a vulnerable plugin or theme again.
As you can see from this report, new WordPress plugin and theme vulnerabilities are disclosed every week. We know it can be difficult to stay on top of every reported vulnerability disclosure that matters to you, so the Themes Security Pro plugin makes it easy to ensure your site isn’t running a vulnerable theme, plugin, or version of WordPress core.
The Best WordPress Security Plugin to Secure & Protect WordPress Sites
WordPress currently powers over 40% of all websites, so it has become a popular target for hackers with malicious intent. The iThemes Security Pro plugin takes the guesswork out of WordPress security to make it easy to secure & protect your WordPress website. It’s like having a full-time security expert on staff who constantly monitors and protects your WordPress site for you.

Each week, the team at iThemes team publishes new WordPress tutorials and resources, including the Weekly WordPress Vulnerability Report. Since 2008, iThemes has been dedicated to helping you build, maintain, and secure WordPress sites for yourself or for clients. Our mission? Make People’s Lives Awesome.