WordPress Vulnerability Report

This week, the total patched and unpatched vulnerabilities may impact well over 8 million WordPress sites. There are 58 plugin vulnerabilities with security patches available, so run those updates if you use these plugins! Additionally, there are 25 plugin vulnerabilities and 1 theme vulnerability with no patch available yet. If you use any of these unpatched plugins or themes, check their vendors’ intentions and progress on a security release. If no patch is forthcoming or a vulnerable plugin or theme has been “closed” (dropped from the WordPress.org repository), you should consider deactivating it in favor of alternative solutions.

No new WordPress core vulnerabilities were disclosed this week.

WordPress core is very secure when it’s properly configured and maintained. Vulnerable plugins that have not been updated by site owners are the most common vector for attacks on WordPress websites. Our weekly WordPress Vulnerability Report, powered by Patchstack, covers new WordPress plugin, theme, and core vulnerabilities that have emerged since last week’s report. Our goal is to spread awareness of emerging security threats and help you decide what to do if you are using vulnerable software on your website. For a deeper analysis of recent trends in WordPress vulnerabilities and threat vectors, see our 2022 Annual Vulnerability Report.

The Future of Authentication is Passkeys! Log into your WordPress site with Biometrics only available in iThemes Security Pro.

Credential stuffing, phishing, and brute force attacks using stolen, guessable, or reused passwords have made our digital lives less secure. Two-Factor Authentication (2FA) offers some protection but at the cost of usability and accessibility. Fewer than 30% of all online account holders actually use 2FA. Password-based logins are broken.

The future of authentication is passkeys, and iThemes Security Pro is the first to bring this breakthrough technology to WordPress sites. Using breakthrough WebAuthn technology based on public/private cryptography, passkeys make passwords obsolete. Now, website admins and end users can have secure logins without the inconvenience of additional two-factor apps, password managers, or complex password requirements.

Learn More About Passkeys

WordPress Core News

WordPress 6.1.1 is the current (short-cycle maintenance) release of WordPress core. It is a minor release issued on November 15, 2022. It features 29 bug fixes in Core and 21 bug fixes for the Gutenberg block editor. You can review a summary of the key updates in this release at WordPress.org.

If your WordPress sites have enabled automatic background updates, they should have upgraded to 6.1.1 automatically. You can download WordPress 6.1.1 from WordPress.org, or visit your WordPress Dashboard, click “Updates,” and then click the “Update Now” button, which will appear when any core updates are available. For more information, check out the version 6.1.1 HelpHub documentation page.

WordPress 6.2 is the next major WordPress release, and it’s on track for a March 29, 2023 debut today after a brief, one-day delay. As of this writing, it has not been released yet. You can learn more about what’s coming in the WordPress 6.2 RC1 release announcement and the WordPress 6.2 Field Guide, as well as our post on the upcoming features for WordPress 6.2.

Get the weekly WordPress Vulnerability Report delivered to your inbox each Wednesday.

WordPress Plugin Vulnerabilities with Patches

In this section, you’ll find the most recently disclosed WordPress plugin vulnerabilities that have been fixed with a new release from their authors and maintainers. Please apply the updates if you are affected!

These vulnerabilities have been disclosed and scored for their severity thanks to our friends at Patchstack. Each plugin listing includes the type of vulnerability with its CVE number and CVSS severity rating with links to more technical details. You’ll also see the number of active sites using the plugin and the plugin version release that patches the vulnerability. We start with the most popular plugins, which represent the largest target for attackers.

WordPress LiteSpeed Cache

Plugin: LiteSpeed Cache
Plugin Slug: litespeed-cache
Installations: 4,000,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 5.3.1
Severity Score: Medium
CVE: 2022-46800

WordPress IThemes Security

Plugin: iThemes Security
Plugin Slug: better-wp-security
Installations: 1,000,000+
Vulnerability: Open Redirection via Host header
Patched in Version: 8.1.5
Severity Score: Low
CVE: 2023-28786

WordPress Save SVG

Plugin: Safe SVG
Plugin Slug: safe-svg
Installations: 800,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.1.0
Severity Score: Medium
CVE: 2023-28426

WordPress WP Statistics

Plugin: WP Statistics
Plugin Slug: wp-statistics
Installations: 600,000+
Vulnerability: SQL Injection
Patched in Version: 13.2.11
Severity Score: High
CVE: 2023-0955

WordPress WooCommerce Payments

Plugin: WooCommerce Payments – Fully Integrated Solution Built and Supported by Woo
Plugin Slug: woocommerce-payments
Installations: 500,000+
Vulnerability: Unauthenticated Privilege Escalation
Patched in Version: 5.6.2
Severity Score: Critical

WordPress Newsletter plugin

Plugin: Newsletter – Send awesome emails from WordPress
Plugin Slug: newsletter
Installations: 300,000+
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: 7.6.9
Severity Score: High

WordPress FileBird

Plugin: FileBird – WordPress Media Library Folders & File Manager
Plugin Slug: filebird
Installations: 100,000+
Vulnerability: Broken Access Control
Patched in Version: 5.1.5
Severity Score: Medium
CVE: 2023-25966

WordPress GiveWP

Plugin: GiveWP – Donation Plugin and Fundraising Platform
Plugin Slug: give
Installations: 100,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 2.25.3
Severity Score: Medium

WordPress OoohBoi Steroids for Elementor

Plugin: OoohBoi Steroids for Elementor
Plugin Slug: ooohboi-steroids-for-elementor
Installations: 60,000+
Vulnerability: Subscriber+ Attachment Deletion
Patched in Version: 2.1.5
Severity Score: High
CVE: 2023-0336

WordPress Simple Author Box

Plugin: Simple Author Box
Plugin Slug: simple-author-box
Installations: 60,000+
Vulnerability: Cross-Site Request Forgery via save_user_profile
Patched in Version: 2.51
Severity Score: Medium

WordPress Advanced Shipment Tracking for WooCommerce

Plugin: Advanced Shipment Tracking for WooCommerce
Plugin Slug: woo-advanced-shipment-tracking
Installations: 60,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 3.5.3
Severity Score: Medium
CVE: 2022-41635

WordPress Maps Widget for Google Maps

Plugin: Maps Widget for Google Maps
Plugin Slug: google-maps-widget
Installations: 50,000+
Vulnerability: Cross-Site Request Forgery via dismiss_notice
Patched in Version: 4.24
Severity Score: Medium

WordPress Popup Anything

Plugin: Popup Anything – A Marketing Popup and Lead Generation Conversions
Plugin Slug: popup-anything-on-click
Installations: 50,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 2.2.2
Severity Score: Medium
CVE: 2022-38077

WordPress Visibility Logic for Elementor

Plugin: Visibility Logic for Elementor
Plugin Slug: visibility-logic-elementor
Installations: 30,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 2.3.4
Severity Score: Medium
CVE: 2022-47150

WordPress Gallery by BestWebSoft

Plugin: Gallery by BestWebSoft – Customizable Image and Photo Galleries for WordPress
Plugin Slug: gallery-plugin
Installations: 20,000+
Vulnerability: Authenticated (Administrator+) Stored Cross Site Scripting (XSS)
Patched in Version: 4.7.0
Severity Score: Medium

WordPress HT Contact Form 7

Plugin: Contact Form 7 Widget For Elementor Page Builder & Gutenberg Blocks
Plugin Slug: ht-contactform
Installations: 10,000+
Vulnerability: Arbitrary Plugin Activation via CSRF
Patched in Version: 1.1.6
Severity Score: Medium
CVE: 2023-0484

WordPress Advanced Page Visit Counter

Plugin: Advanced Page Visit Counter – Advanced WordPress Visit Counter
Plugin Slug: advanced-page-visit-counter
Installations: 10,000+
Vulnerability: SQL Injection
Patched in Version: 6.4.2.1
Severity Score: High
CVE: 2023-28788

WordPress NEX-Forms

Plugin: NEX-Forms – Ultimate Form Builder – Contact forms and much more
Plugin Slug: nex-forms-express-wp-form-builder
Installations: 10,000+
Vulnerability: Contributor+ Stored XSS
Patched in Version: 8.3.3
Severity Score: Medium
CVE: 2023-0272

WordPress TH Advance Product Search

Plugin: Advance WordPress Search Plugin
Plugin Slug: th-advance-product-search
Installations: 10,000+
Vulnerability: Broken Access Control
Patched in Version: 1.1.5
Severity Score: Medium
CVE: 2023-25969

WordPress WP Dark Mode

Plugin: WP Dark Mode – Best Dark Mode & Social Sharing Plugin for WordPress
Plugin Slug: wp-dark-mode
Installations: 10,000+
Vulnerability: Subscriber+ Local File Inclusion
Patched in Version: 4.0.8
Severity Score: High
CVE: 2023-0467

WordPress TH Side Cart and Menu Cart for Woocommerce

Plugin: Floating Cart and Menu Cart for Woocommerce
Plugin Slug: th-all-in-one-woo-cart
Installations: 9,000+
Vulnerability: Broken Access Control
Patched in Version: 1.1.2
Severity Score: Medium
CVE: 2023-25969

WordPress Pagination by BestWebSoft

Plugin: Pagination by BestWebSoft – Customizable WordPress Content Splitter and Navigation Plugin
Plugin Slug: pagination
Installations: 7,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.2.3
Severity Score: Medium
CVE: 2023-28778

WordPress TH Variation Swatches

Plugin: Variation Swatches for WooCommerce
Plugin Slug: th-variation-swatches
Installations: 6,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.2.8
Severity Score: Medium
CVE: 2023-28688

WordPress Advanced Local Pickup for WooCommerce

Plugin: Advanced Local Pickup for WooCommerce
Plugin Slug: advanced-local-pickup-for-woocommerce
Installations: 4,000+
Vulnerability: Other Vulnerability Type
Patched in Version: 1.5.3
Severity Score: Medium
CVE: 2022-40702

WordPress Thank You Page Customizer for WooCommerce – Increase Your Sales

Plugin: Thank You Page Customizer for WooCommerce – Increase Your Sales
Plugin Slug: woo-thank-you-page-customizer
Installations: 4,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.0.14
Severity Score: Medium
CVE: 2022-46812

WordPress GS Pins for Pinterest

Plugin: WordPress Pinterest Plugin – Make a Popup, User Profile, Masonry and Gallery Layout
Plugin Slug: gs-pinterest-portfolio
Installations: 3,000+
Vulnerability: Stored (Contributor+) Cross-Site Scripting via Shortcode
Patched in Version: 1.6.2
Severity Score: Medium

WordPress Quick Paypal Payments

Plugin: Quick Paypal Payments
Plugin Slug: quick-paypal-payments
Installations: 3,000+
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched in Version: 5.7.26.4
Severity Score: Medium

WordPress ARMember

Plugin: ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup
Plugin Slug: armember-membership
Installations: 2,000+
Vulnerability: SQL Injection
Patched in Version: 4.0
Severity Score: High
CVE: 2022-46808

WordPress Continuous Image Carousel With Lightbox

Plugin: Continuous Image Carousel With Lightbox
Plugin Slug: continuous-image-carousel-with-lightbox
Installations: 2,000+
Vulnerability: Reflected Cross-Site Scripting (XSS)
Patched in Version: 1.0.16
Severity Score: High
CVE: 2023-28776

WordPress Continuous Image Carousel With Lightbox

Plugin: Continuous Image Carousel With Lightbox
Plugin Slug: continuous-image-carousel-with-lightbox
Installations: 2,000+
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: 1.0.16
Severity Score: High
CVE: 2023-28792

WordPress Albo Pretorio On line

Plugin: Albo Pretorio On line
Plugin Slug: albo-pretorio-on-line
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 4.6.1
Severity Score: High
CVE: 2023-28750

WordPress CBX Currency Converter

Plugin: CBX Currency Converter
Plugin Slug: cbcurrencyconverter
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 3.0.4
Severity Score: Medium
CVE: 2023-28747

WordPress Contact Forms by Cimatti

Plugin: WordPress Contact Forms by Cimatti
Plugin Slug: contact-forms
Installations: 1,000+
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: 1.5.5
Severity Score: High
CVE: 2023-28789

WordPress Contact Forms by Cimatti

Plugin: WordPress Contact Forms by Cimatti
Plugin Slug: contact-forms
Installations: 1,000+
Vulnerability: Unauth. Stored Cross Site Scripting (XSS)
Patched in Version: 1.5.5
Severity Score: High
CVE: 2023-28781

WordPress Contest Gallery

Plugin: Contest Gallery – Contact Form, Upload Form, Social Share and Voting Plugin for WordPress
Plugin Slug: contest-gallery
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 21.1.2.1
Severity Score: High
CVE: 2023-28784

WordPress Stock Sync for WooCommerce

Plugin: Stock Sync for WooCommerce
Plugin Slug: stock-sync-for-woocommerce
Installations: 1,000+
Vulnerability: Broken Access Control + CSRF
Patched in Version: 2.4.0
Severity Score: Medium
CVE: 2022-46807

WordPress HT Politic

Plugin: HT Politic – For Political WordPress Themes / Website
Plugin Slug: wp-politic
Installations: 600+
Vulnerability: Arbitrary Plugin Activation via CSRF
Patched in Version: 2.3.8
Severity Score: Medium
CVE: 2023-0504

WordPress Free WooCommerce Theme 99fy Extension

Plugin: Free WooCommerce Theme 99fy Extension
Plugin Slug: 99fy-core
Installations: 500+
Vulnerability: Arbitrary Plugin Activation via CSRF
Patched in Version: 1.2.8
Severity Score: Medium
CVE: 2023-0503

WordPress WP Film Studio

Plugin: WP Film Studio – WordPress Movie Maker/Production Plugin
Plugin Slug: wp-film-studio
Installations: 500+
Vulnerability: Arbitrary Plugin Activation via CSRF
Patched in Version: 1.3.5
Severity Score: Medium
CVE: 2023-0500

WordPress WP News

Plugin: WP News – WordPress News / Magazine Plugin
Plugin Slug: wp-news-magazine
Installations: 500+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.2.0
Severity Score: Medium
CVE: 2023-0502

WordPress QuickSwish

Plugin: QuickSwish – WooCommerce Product Quick View
Plugin Slug: quickswish
Installations: 200+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.1.0
Severity Score: Medium
CVE: 2023-0499

WordPress WP Education

Plugin: WP Education – Education WordPress Plugin for Elementor
Plugin Slug: wp-education
Installations: 200+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.2.7
Severity Score: Medium
CVE: 2023-0498

WordPress HT Event

Plugin: HT Event – WordPress Event Manager Plugin for Elementor
Plugin Slug: ht-event
Installations: 100+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.4.6
Severity Score: Medium
CVE: 2023-0496

WordPress WP Insurance

Plugin: WP Insurance – WordPress Insurance Service Plugin
Plugin Slug: wp-insurance
Installations: 100+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 2.1.4
Severity Score: Medium
CVE: 2023-0501

WordPress Complianz – GDPR/CCPA Cookie Consent

Plugin: Complianz Premium
Plugin Slug: complianz-gdpr-premium
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 6.4.2
Severity Score: Medium
CVE: 2023-1069

WordPress directory-pro

Plugin: directory-pro
Plugin Slug: directory-pro
Vulnerability: Privilege Escalation
Patched in Version: 1.9.5
Severity Score: High
CVE: 2020-36666

WordPress doctor-listing

Plugin: doctor-listing
Plugin Slug: doctor-listing
Vulnerability: Privilege Escalation
Patched in Version: 1.3.6
Severity Score: High
CVE: 2020-36666

WordPress Elementor Pro

Plugin: Elementor Pro
Plugin Slug: elementor-pro
Vulnerability: Broken Access Control
Patched in Version: 3.11.7
Severity Score: High

WordPress final-user-wp-frontend-user-profiles

Plugin: final-user-wp-frontend-user-profiles
Plugin Slug: final-user-wp-frontend-user-profiles
Vulnerability: Privilege Escalation
Patched in Version: 1.2.2
Severity Score: High
CVE: 2020-36666

WordPress fitness-trainer

Plugin: fitness-trainer
Plugin Slug: fitness-trainer
Vulnerability: Privilege Escalation
Patched in Version: 1.4.1
Severity Score: High
CVE: 2020-36666

WordPress hotel-listing

Plugin: Hotel Listing
Plugin Slug: hotel-listing
Vulnerability: Privilege Escalation
Patched in Version: 1.3.7
Severity Score: High
CVE: 2020-36666

WordPress institutions-directory

Plugin: institutions-directory
Plugin Slug: institutions-directory
Vulnerability: Privilege Escalation
Patched in Version: 1.3.1
Severity Score: High
CVE: 2020-36666

WordPress lawyer-directory

Plugin: lawyer-directory
Plugin Slug: lawyer-directory
Vulnerability: Privilege Escalation
Patched in Version: 1.2.9
Severity Score: High
CVE: 2020-36666

WordPress OAuth Single Sign On – SSO (OAuth Client) Premium plugin

Plugin: OAuth Single Sign On – SSO (OAuth Client) Premium
Plugin Slug: miniorange-oauth-oidc-single-sign-on
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 48.4.9
Severity Score: Medium
CVE: 2023-1092

WordPress Slider, Gallery, and Carousel by MetaSlider

Plugin: Meta Slider
Plugin Slug: ml-slider1
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.29.1
Severity Score: High

WordPress photographer-directory

Plugin: photographer-directory
Plugin Slug: photographer-directory
Vulnerability: Privilege Escalation
Patched in Version: 1.0.9
Severity Score: High
CVE: 2020-36666

WordPress real-estate-pro

Plugin: real-estate-pro
Plugin Slug: real-estate-pro
Vulnerability: Privilege Escalation
Patched in Version: 1.7.1
Severity Score: High
CVE: 2020-36666

WordPress WC Fields Factory

Plugin: WC Fields Factory
Plugin Slug: wc-fields-factory
Vulnerability: SQL Injection
Patched in Version: 4.1.6
Severity Score: High

WordPress Plugin Vulnerabilities – No Known Fix

This section contains plugin vulnerabilities with no known fix. Until a patch is available, you are advised to deactivate the plugin, at minimum, immediately. If there is a high risk of active exploits or the plugin remains unpatched for weeks, you are advised to delete the plugin. You should also delete persistently unpatched plugins the WordPress.org repository has locked and marked “Closed” so they can no longer be downloaded and installed.

WordPress Product Feed PRO for WooCommerce

Plugin: Product Feed PRO for WooCommerce
Plugin Slug: woo-product-feed-pro
Installations: 100,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2022-46793

WordPress If Menu – Visibility control for Menus

Plugin: If Menu – Visibility control for Menus
Plugin Slug: if-menu
Installations: 80,000+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2022-41698

WordPress Increase Maximum Upload File Size | Increase Execution Time

Plugin: Increase Maximum Upload File Size | Increase Execution Time
Plugin Slug: wp-maximum-upload-file-size
Installations: 40,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2022-47150

WordPress WP Shamsi

Plugin: WP Shamsi – ?????? ????? ???? ? ????? ??? ??????
Plugin Slug: wp-shamsi
Installations: 40,000+
Vulnerability: Subscriber+ Attachment Deletion
Patched in Version: No Fix
Severity Score: High
CVE: 2023-0335

WordPress Fuse Social Floating Sidebar

Plugin: Fuse Social Floating Sidebar
Plugin Slug: fuse-social-floating-sidebar
Installations: 20,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2022-47150

WordPress eRoom plugin

Plugin: eRoom – Zoom Meetings & Webinars
Plugin Slug: eroom-zoom-meetings-webinar
Installations: 10,000+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2022-43472

WordPress Product Carousel Slider & Grid Ultimate for WooCommerce

Plugin: Product Carousel Slider & Grid Ultimate for WooCommerce
Plugin Slug: woo-product-carousel-slider-and-grid-ultimate
Installations: 10,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2022-47150

WordPress I Recommend This

Plugin: I Recommend This
Plugin Slug: i-recommend-this
Installations: 9,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-28696

WordPress Worth The Read

Plugin: Worth The Read
Plugin Slug: worth-the-read
Installations: 6,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2022-47150

WordPress WP Content Pilot – Autoblogging & Affiliate Marketing Plugin

Plugin: WP Content Pilot – Autoblogging & Affiliate Marketing Plugin
Plugin Slug: wp-content-pilot
Installations: 5,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2022-47150

WordPress Owl Carousel

Plugin: Owl Carousel
Plugin Slug: owl-carousel
Installations: 4,000+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2022-44578

WordPress Easy Media Replace

Plugin: Easy Media Replace
Plugin Slug: easy-media-replace
Installations: 3,000+
Vulnerability: Arbitrary File Deletion
Patched in Version: No Fix
Severity Score: High
CVE: 2022-46850

WordPress Full Width Banner Slider Wp

Plugin: Full Width Banner Slider Wp
Plugin Slug: full-width-responsive-slider-wp
Installations: 3,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-24392

WordPress GS Pins for Pinterest

Plugin: WordPress Pinterest Plugin – Make a Popup, User Profile, Masonry and Gallery Layout
Plugin Slug: gs-pinterest-portfolio
Installations: 3,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2022-47150

WordPress amr users

Plugin: amr users
Plugin Slug: amr-users
Installations: 2,000+
Vulnerability: CSV Injection
Patched in Version: No Fix
Severity Score: Medium
CVE: 2022-45348

WordPress Wbcom Designs – BuddyPress Activity Social Share

Plugin: Wbcom Designs – BuddyPress Activity Social Share
Plugin Slug: bp-activity-social-share
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-28694

WordPress LionScripts: IP Blocker Lite

Plugin: LionScripts: IP Blocker Lite
Plugin Slug: ip-address-blocker
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-23993

WordPress WooCommerce JazzCash Gateway Plugin

Plugin: WooCommerce JazzCash Gateway Plugin
Plugin Slug: jazzcash-woocommerce-gateway
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2022-46822

WordPress Review Stream

Plugin: Review Stream
Plugin Slug: review-stream
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-28774

WordPress Onepage Builder – Easiest Landing Page Builder For WordPress

Plugin: Onepage Builder – Easiest Landing Page Builder For WordPress
Plugin Slug: tx-onepager
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2022-47150

WordPress Schedulicity

Plugin: Schedulicity – Easy Online Scheduling
Plugin Slug: schedulicity-online-appointment-booking
Installations: 500+
Vulnerability: Contributor+ Stored XSS
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-0491

WordPress WP Image Carousel

Plugin: WP Image Carousel
Plugin Slug: wp-image-carousel
Installations: 500+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-0589

WordPress Woocommerce Custom Checkout Fields Editor With Drag & Drop

Plugin: Woocommerce Custom Checkout Fields Editor With Drag & Drop
Plugin Slug: woo-custom-checkout-fields
Installations: 400+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2022-46864

WordPress Export Users Data Distinct

Plugin: Export Users Data Distinct
Plugin Slug: export-users-data-distinct
Installations: 10+
Vulnerability: CSV Injection
Patched in Version: No Fix
Severity Score: Medium
CVE: 2022-46804

WordPress Product Specifications for WooCommerce

Plugin: Product Specifications for Woocommerce
Plugin Slug: product-specifications
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2022-46858

WordPress Theme Vulnerabilities

In this section, you’ll find the latest WordPress theme vulnerabilities to be disclosed. You’ll see the same information provided above for vulnerable plugins, and the same advice applies. If a security update exists, install it immediately. If a vulnerability remains unpatched in a theme you are actively using, you will need to find an alternative theme. Deactivate and delete persistently unpatched themes and those that have been “Closed” in the WordPress.org theme repository. If you have a vulnerable theme installed that you are not actively using, simply delete it.

WordPress Resoto

Theme: Resoto
Theme Slug: resoto
Downloads: 18,877
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-28619

Never worry about running a vulnerable plugin or theme again.

As you can see from this report, new WordPress plugin and theme vulnerabilities are disclosed every week. We know it can be difficult to stay on top of every reported vulnerability disclosure that matters to you, so the Themes Security Pro plugin makes it easy to ensure your site isn’t running a vulnerable theme, plugin, or version of WordPress core.

Scans Your Website Twice a Day for Vulnerabilities

Your website’s plugins, themes, and WordPress core versions are checked against the Patchstack Vulnerability Database for the latest vulnerability disclosures.

Automatically Updates if a Security Fix is Available

Paired with Version Management, iThemes Security will automatically update a plugin, theme, or WordPress core version if it has a vulnerability.

Emails You a Warning if Site Scan Detects a Vulnerability

You can receive an email report if your site is running vulnerable versions of a plugin, theme, or WordPress core. Customize the email addresses that receive scan results.

The Best WordPress Security Plugin to Secure & Protect WordPress Sites

WordPress currently powers over 40% of all websites, so it has become a popular target for hackers with malicious intent. The iThemes Security Pro plugin takes the guesswork out of WordPress security to make it easy to secure & protect your WordPress website. It’s like having a full-time security expert on staff who constantly monitors and protects your WordPress site for you.

Buy iThemes Security Pro

iThemes Editorial Team

Each week, the team at iThemes team publishes new WordPress tutorials and resources, including the Weekly WordPress Vulnerability Report. Since 2008, iThemes has been dedicated to helping you build, maintain, and secure WordPress sites for yourself or for clients. Our mission? Make People’s Lives Awesome.

WordPress Vulnerability Report – March 29, 2023

The Future of Authentication is Passkeys! Log into your WordPress site with Biometrics only available in iThemes Security Pro.

WordPress Core News

WordPress Plugin Vulnerabilities with Patches

WordPress Plugin Vulnerabilities – No Known Fix

WordPress Theme Vulnerabilities

Never worry about running a vulnerable plugin or theme again.

Scans Your Website Twice a Day for Vulnerabilities

Automatically Updates if a Security Fix is Available

Emails You a Warning if Site Scan Detects a Vulnerability

The Best WordPress Security Plugin to Secure & Protect WordPress Sites

Other related posts

About iThemes

Resources

Customers

Top Products

Get the Weekly WordPress Vulnerability Report

Vulnerable WordPress plugins and themes are the #1 reason WordPress sites get hacked, but keeping track of every new plugin and theme vulnerability is hard work. Get the weekly WordPress Vulnerability Report delivered right to your inbox to help keep your website secure.

Get the Weekly WordPress Vulnerability Report