WordPress Vulnerability Report

Vulnerable plugins and themes are some of the most common vectors for attacks on WordPress websites. Our weekly WordPress Vulnerability Report, now powered by Patchstack, covers new WordPress plugins, themes, and core vulnerabilities that have emerged since last week’s report. Our goal is to spread awareness of emerging vulnerabilities and help you decide what to do if you are using one of these vulnerable plugins or themes on your website. For a deeper analysis of trends in WordPress vulnerabilities and threat vectors, see our 2022 Annual Vulnerability Report.

Please note the Metform Elementor Contact Form Builder plugin has an important update that patches two recently disclosed vulnerabilities. One is a high-risk XSS vulnerability. Update Metform to version 3.2.3 as soon as possible.

The Future of Authentication is Passkeys! Log into your WordPress site with Biometrics only available in iThemes Security Pro.

Credential stuffing, phishing, and brute force attacks using stolen, guessable, or reused passwords have made our digital lives less secure. Two-Factor Authentication (2FA) offers some protection but at the cost of usability and accessibility. Fewer than 30% of all online account holders actually use 2FA. Password-based logins are broken.

The future of authentication is passkeys, and iThemes Security Pro is the first to bring this breakthrough technology to WordPress sites. Using breakthrough WebAuthn technology based on public/private cryptography, passkeys make passwords obsolete. Now, website admins and end users can have secure logins without the inconvenience of additional two-factor apps, password managers, or complex password requirements.

Learn More About Passkeys

WordPress Core News

WordPress 6.1.1 was released on November 15, 2022, as a short-cycle maintenance release with 29 bug fixes in Core and 21 bug fixes for the block editor. Because this is a core update, be sure to update to WordPress 6.1.1 as soon as possible! As always, with a major release like this, ensure your site is backed up with BackupBuddy before updating.

WordPress 6.2 Beta 5

The first release candidate (RC1) for the WordPress 6.2 development cycle has been postponed two days, to Thursday, March 9, and an additional fifth Beta release came out on Tuesday, March 7. Additional time and testing were needed to deal with a regression that came to light last week. The project is still on track for the final release of WordPress 6.2 on March 28. You can get a preview of what’s coming in 6.2 thanks to Anne McCarthy and Rich Tabor, who hosted a live demo. Anne has also written a detailed overview.

No new WordPress core vulnerabilities were disclosed this week.

Get the weekly WordPress Vulnerability Report delivered to your inbox each Wednesday.

WordPress Plugin Vulnerabilities

In this section, you’ll find the most recently disclosed WordPress plugin vulnerabilities that have been fixed with a new release from their authors and maintainers. These vulnerabilities have been disclosed and scored for their severity thanks to our friends at Patchstack. Each plugin listing includes the type of vulnerability with its CVE number and CVSS severity rating with links to more technical details. You’ll also see the number of active sites using the plugin and the plugin version release that patches the vulnerability. We start with the most popular plugins, which represent the largest target for attackers.

WordPress Yoast SEO plugin

Plugin: Yoast SEO
Plugin Slug: wordpress-seo
Installations: 5,000,000+
Vulnerability: Authenticated (Contributor+) DOM-Based Cross-Site Scripting
Patched in Version: 20.2.1
Severity Score: Medium

WordPress Cookie Notice & Compliance for GDPR / CCPA plugin

Plugin: Cookie Notice & Compliance for GDPR / CCPA
Plugin Slug: cookie-notice
Installations: 1,000,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.4.7
Severity Score: Medium
CVE: 2023-24400

WordPress WPCode plugin

Plugin: WPCode – Insert Headers and Footers + Custom Code Snippets – WordPress Code Manager
Plugin Slug: insert-headers-and-footers
Installations: 1,000,000+
Vulnerability: Contributor+ WPCode Library Auth Key Update/Deletion
Patched in Version: 2.0.7
Severity Score: Medium
CVE: 2023-0328

WordPress Popup Builder by OptinMonster plugin

Plugin: Popup Builder by OptinMonster – WordPress Popups for Optins, Email Newsletters and Lead Generation
Plugin Slug: optinmonster
Installations: 1,000,000+
Vulnerability: Subscriber+ Arbitrary Post Content Disclosure
Patched in Version: 2.12.2
Severity Score: Medium
CVE: 2023-0772

WordPress Smart Slider 3 plugin

Plugin: Smart Slider 3
Plugin Slug: smart-slider-3
Installations: 900,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.5.1.14
Severity Score: Medium
CVE: 2023-0660

WordPress Shortcodes Ultimate plugin

Plugin: WordPress Shortcodes Plugin — Shortcodes Ultimate
Plugin Slug: shortcodes-ultimate
Installations: 700,000+
Vulnerability: Subscriber+ User Meta Disclosure
Patched in Version: 5.12.8
Severity Score: Medium
CVE: 2023-0911

WordPress Metform Elementor Contact Form Builder plugin

Plugin: Metform Elementor Contact Form Builder – Flexible and Design-Friendly Contact Form builder plugin for WordPress
Plugin Slug: metform
Installations: 200,000+
Vulnerability: reCaptcha Protection Bypass Vulnerability
Patched in Version: 3.2.2
Severity Score: Medium
CVE: 2023-0085

WordPress FluentSMTP plugin

Plugin: FluentSMTP – WP Mail SMTP, Amazon SES, SendGrid, MailGun and Any SMTP Connector Plugin
Plugin Slug: fluent-smtp
Installations: 100,000+
Vulnerability: Stored XSS via Email Logs
Patched in Version: 2.2.3
Severity Score: Medium
CVE: 2023-0219

WordPress Paid Memberships Pro plugin

Plugin: Paid Memberships Pro – Restrict Member Access to Content, Courses, Communities – Free or Paid Subscriptions
Plugin Slug: paid-memberships-pro
Installations: 100,000+
Vulnerability: SQL Injection
Patched in Version: 2.9.12
Severity Score: High
CVE: 2023-0631

WordPress VK All in One Expansion Unit plugin

Plugin: VK All in One Expansion Unit
Plugin Slug: vk-all-in-one-expansion-unit
Installations: 100,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 9.86.0.0
Severity Score: Medium
CVE: 2023-0230

WordPress Slimstat Analytics plugin

Plugin: Slimstat Analytics
Plugin Slug: wp-slimstat
Installations: 100,000+
Vulnerability: SQL Injection
Patched in Version: 4.9.3.3
Severity Score: High
CVE: 2023-0630

WordPress Auto Featured Image plugin

Plugin: Auto Featured Image (Auto Post Thumbnail)
Plugin Slug: auto-post-thumbnail
Installations: 80,000+
Vulnerability: Author+ Arbitrary File Upload
Patched in Version: 3.9.16
Severity Score: Critical
CVE: 2023-0477

WordPress Calculated Fields Form plugin

Plugin: Calculated Fields Form
Plugin Slug: calculated-fields-form
Installations: 60,000+
Vulnerability: Missing Authorization Leading To Feedback Submission
Patched in Version: 1.1.121
Severity Score: Medium
CVE: 2023-26523

WordPress Dokan plugin

Plugin: Dokan – Best WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy
Plugin Slug: dokan-lite
Installations: 60,000+
Vulnerability: SQL Injection
Patched in Version: 3.7.13
Severity Score: High
CVE: 2023-26525

WordPress Quiz And Survey Master plugin

Plugin: Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress
Plugin Slug: quiz-master-next
Installations: 40,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 8.1.0
Severity Score: Medium
CVE: 2023-26524

WordPress Jetpack CRM – Clients, Leads, Invoices, Billing, Email Marketing, & Automation plugin

Plugin: Jetpack CRM – Clients, Leads, Invoices, Billing, Email Marketing, & Automation
Plugin Slug: zero-bs-crm
Installations: 40,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 5.5.0
Severity Score: Medium
CVE: 2023-27429

WordPress GN Publisher plugin

Plugin: GN Publisher: Google News Compatible RSS Feeds
Plugin Slug: gn-publisher
Installations: 30,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.5.6
Severity Score: High
CVE: 2023-1080

WordPress Rife Elementor Extensions & Templates plugin

Plugin: Rife Elementor Extensions & Templates
Plugin Slug: rife-elementor-extensions
Installations: 30,000+
Vulnerability: Broken Access Control
Patched in Version: 1.2.0
Severity Score: Medium
CVE: 2023-27454

WordPress When Last Login plugin

Plugin: When Last Login
Plugin Slug: when-last-login
Installations: 30,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.2.2
Severity Score: Medium
CVE: 2023-27461

WordPress WP Meteor Page Speed Optimization Topping plugin

Plugin: WP Meteor Page Speed Optimization Topping
Plugin Slug: wp-meteor
Installations: 30,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 3.1.5
Severity Score: Medium
CVE: 2023-26543

WordPress Gallery Blocks with Lightbox plugin

Plugin: Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery
Plugin Slug: simply-gallery-block
Installations: 20,000+
Vulnerability: Missing Authorization in pgc_sgb_add_dashboard_widget
Patched in Version: 3.0.8
Severity Score: Medium

WordPress Wholesale Suite plugin

Plugin: Wholesale Suite – WooCommerce Wholesale Prices, B2B, Catalog Mode, Order Form, Wholesale User Roles, Dynamic Pricing & More
Plugin Slug: woocommerce-wholesale-prices
Installations: 20,000+
Vulnerability: Settings Change
Patched in Version: 2.1.5.1
Severity Score: Medium
CVE: 2022-34344

WordPress Yasr – Yet Another Stars Rating plugin

Plugin: Yasr – Yet Another Stars Rating
Plugin Slug: yet-another-stars-rating
Installations: 20,000+
Vulnerability: XSS & Arbitrary Shortcode Execution
Patched in Version: 3.1.3
Severity Score: Medium
CVE: 2022-40699

WordPress Admin CSS MU plugin

Plugin: Admin CSS MU
Plugin Slug: admin-css-mu
Installations: 10,000+
Vulnerability: Server Side Request Forgery (SSRF)
Patched in Version: 2.7
Severity Score: High
CVE: 2022-40700

WordPress Maspik – Spam blacklist plugin

Plugin: Maspik – Spam blacklist
Plugin Slug: contact-forms-anti-spam
Installations: 10,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 0.7.9
Severity Score: Medium
CVE: 2023-24008

WordPress GTmetrix for WordPress plugin

Plugin: GTmetrix for WordPress
Plugin Slug: gtmetrix-for-wordpress
Installations: 10,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 0.4.6
Severity Score: Low
CVE: 2023-23677

WordPress HT Slider For Elementor plugin

Plugin: HT Slider For Elementor
Plugin Slug: ht-slider-for-elementor
Installations: 10,000+
Vulnerability: Arbitrary Plugin Activation via CSRF
Patched in Version: 1.4.0
Severity Score: Medium
CVE: 2023-0495

WordPress 10WebMapBuilder plugin

Plugin: 10Web Map Builder for Google Maps
Plugin Slug: wd-google-maps
Installations: 10,000+
Vulnerability: SQL Injection
Patched in Version: 1.0.73
Severity Score: High
CVE: 2023-0037

WordPress WP SMS plugin

Plugin: WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc
Plugin Slug: wp-sms
Installations: 9,000+
Vulnerability: Sensitive Data Exposure
Patched in Version: 6.0.4.1
Severity Score: Medium
CVE: 2023-27447

WordPress WP SMS plugin

Plugin: WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc
Plugin Slug: wp-sms
Installations: 9,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 5.4.13
Severity Score: Medium
CVE: 2021-24561

WordPress YITH WooCommerce Product Slider Carousel plugin

Plugin: YITH WooCommerce Product Slider Carousel
Plugin Slug: yith-woocommerce-product-slider-carousel
Installations: 9,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.16.1
Severity Score: Medium
CVE: 2022-44630

WordPress JCH Optimize plugin

Plugin: JCH Optimize
Plugin Slug: jch-optimize
Installations: 8,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.2.3
Severity Score: Medium
CVE: 2023-25491

WordPress LWS Tools plugin

Plugin: LWS Tools
Plugin Slug: lws-tools
Installations: 7,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 2.4
Severity Score: Medium
CVE: 2023-27453

WordPress ProfileGrid plugin

Plugin: ProfileGrid – User Profiles, Memberships, Groups and Communities
Plugin Slug: profilegrid-user-profiles-groups-and-communities
Installations: 7,000+
Vulnerability: Subscriber+ Arbitrary Password Reset
Patched in Version: 5.3.1
Severity Score: High
CVE: 2023-0940

WordPress Add Expires Headers & Optimized Minify plugin

Plugin: Add Expires Headers & Optimized Minify
Plugin Slug: add-expires-headers
Installations: 6,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 2.7.1
Severity Score: Medium
CVE: 2023-27457

WordPress Button Generator plugin

Plugin: Button Generator – easily Button Builder
Plugin Slug: button-generation
Installations: 6,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.3.4
Severity Score: Medium
CVE: 2023-27452

WordPress WpStream plugin

Plugin: WpStream – Live Streaming, Video on Demand, Pay Per View
Plugin Slug: wpstream
Installations: 6,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 4.4.10.6
Severity Score: Medium
CVE: 2023-27458

WordPress Dashboard Widgets Suite plugin

Plugin: Dashboard Widgets Suite
Plugin Slug: dashboard-widgets-suite
Installations: 5,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.2.2
Severity Score: Medium
CVE: 2023-26517

WordPress Publish to Schedule plugin

Plugin: Publish to Schedule
Plugin Slug: publish-to-schedule
Installations: 5,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 4.5.5
Severity Score: Medium
CVE: 2023-26519

WordPress Simple File List plugin

Plugin: Simple File List
Plugin Slug: simple-file-list
Installations: 5,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 6.0.10
Severity Score: Medium
CVE: 2023-1025

WordPress Watu Quiz plugin

Plugin: Watu Quiz
Plugin Slug: watu
Installations: 5,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.3.9.1
Severity Score: High
CVE: 2023-0968

WordPress WP OAuth Server plugin

Plugin: WP OAuth Server (OAuth Authentication)
Plugin Slug: oauth2-provider
Installations: 4,000+
Vulnerability: Subscriber+ Arbitrary Client Deletion
Patched in Version: 4.3.0
Severity Score: Medium
CVE: 2022-4148

WordPress Pie Register plugin

Plugin: Registration Forms – User Registration Forms, Invitation-Based Registrations, Front-end User Profile, Login Form & Content Restriction
Plugin Slug: pie-register
Installations: 4,000+
Vulnerability: Arbitrary Content Deletion
Patched in Version: 3.8.1.3
Severity Score: High
CVE: 2022-4024

WordPress Pie Register plugin

Plugin: Registration Forms – User Registration Forms, Invitation-Based Registrations, Front-end User Profile, Login Form & Content Restriction
Plugin Slug: pie-register
Installations: 4,000+
Vulnerability: Open Redirection
Patched in Version: 3.8.2.3
Severity Score: Medium
CVE: 2023-0552

WordPress We’re Open! plugin

Plugin: We’re Open!
Plugin Slug: opening-hours
Installations: 3,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.47
Severity Score: Medium
CVE: 2023-25964

WordPress Search in Place plugin

Plugin: Search in Place
Plugin Slug: search-in-place
Installations: 3,000+
Vulnerability: Missing Authorization Leading To Feedback Submission
Patched in Version: 1.0.105
Severity Score: Medium
CVE: 2023-26521

WordPress WP Plugin Manager plugin

Plugin: WP Plugin Manager – Deactivate plugins per page
Plugin Slug: wp-plugin-manager
Installations: 3,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.1.8
Severity Score: Medium
CVE: 2023-1088

WordPress DeepL API translation

Plugin: DeepL API translation plugin
Plugin Slug: wpdeepl
Installations: 3,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 2.1.5
Severity Score: Medium
CVE: 2023-27446

WordPress Cart Lift

Plugin: Cart Lift – Abandoned Cart Recovery for WooCommerce and EDD
Plugin Slug: cart-lift
Installations: 2,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.1.6
Severity Score: High
CVE: 2022-47449

WordPress CP Contact Form with PayPal

Plugin: CP Contact Form with PayPal
Plugin Slug: cp-contact-form-with-paypal
Installations: 2,000+
Vulnerability: Missing Authorization Leading To Feedback Submission
Patched in Version: 1.3.35
Severity Score: Medium
CVE: 2023-27460

WordPress Simple Slug Translate plugin

Plugin: Simple Slug Translate
Plugin Slug: simple-slug-translate
Installations: 2,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.7.3
Severity Score: Medium
CVE: 2023-26515

WordPress DecaLog plugin

Plugin: DecaLog
Plugin Slug: decalog
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 3.7.1
Severity Score: Medium
CVE: 2023-27444

WordPress Easy Testimonial Slider and Form

Plugin: Easy Testimonial Slider and Form
Plugin Slug: easy-testimonial-rotator
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.0.16
Severity Score: High
CVE: 2022-46799

WordPress Event Espresso 4 Decaf plugin

Plugin: Event Espresso 4 Decaf – Event Registration Event Ticketing
Plugin Slug: event-espresso-decaf
Installations: 1,000+
Vulnerability: Bypass Vulnerability
Patched in Version: 4.10.45.decaf
Severity Score: Low
CVE: 2023-27437

WordPress Sheets To WP Table Live Sync

Plugin: Sheets To WP Table Live Sync
Plugin Slug: sheets-to-wp-table-live-sync
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 2.13.0
Severity Score: Medium
CVE: 2023-26535

WordPress Total Poll Lite

Plugin: Total Poll Lite
Plugin Slug: totalpoll-lite
Installations: 1,000+
Vulnerability: Broken Access Control
Patched in Version: 4.8.7
Severity Score: Medium
CVE: 2023-27449

WordPress WP Time Slots Booking Form

Plugin: WP Time Slots Booking Form
Plugin Slug: wp-time-slots-booking-form
Installations: 1,000+
Vulnerability: Missing Authorization Leading To Feedback Submission
Patched in Version: 1.1.77
Severity Score: Medium
CVE: 2022-41790

WordPress Donation Block For PayPal

Plugin: Donation Block For PayPal
Plugin Slug: donations-block
Installations: 700+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.1.0
Severity Score: Medium
CVE: 2023-0535

WordPress Namaste! LMS plugin

Plugin: Namaste! LMS
Plugin Slug: namaste-lms
Installations: 700+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.6
Severity Score: Medium
CVE: 2023-0844

WordPress Namaste! LMS plugin

Plugin: Namaste! LMS
Plugin Slug: namaste-lms
Installations: 700+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.5.9.4
Severity Score: Medium
CVE: 2023-0548

WordPress real.Kit plugin

Plugin: real.Kit
Plugin Slug: real-kit
Installations: 600+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 5.1.1
Severity Score: Medium
CVE: 2023-0364

WordPress Custom Login Admin Front-end CSS

Plugin: Custom Login Admin Front-end CSS
Plugin Slug: custom-login-admin-front-end-css-with-multisite-support
Installations: 500+
Vulnerability: Server Side Request Forgery (SSRF)
Patched in Version: 1.5
Severity Score: High
CVE: 2022-40700

WordPress HT Portfolio plugin

Plugin: HT Portfolio – WordPress Portfolio Plugin for Elementor
Plugin Slug: ht-portfolio
Installations: 300+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.1.6
Severity Score: Medium
CVE: 2023-0497

WordPress WooCommerce Checkout Field Manager plugin

Plugin: WooCommerce Checkout Field Manager
Plugin Slug: n-media-woocommerce-checkout-fields
Installations: 200+
Vulnerability: Arbitrary File Upload
Patched in Version: 18.0
Severity Score: Critical
CVE: 2022-4328

WordPress GS Insever Portfolio plugin

Plugin: GS Insever Portfolio
Plugin Slug: gs-instagram-portfolio
Installations: 100+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.4.5
Severity Score: Medium
CVE: 2023-0539

WordPress WC Sales Notification plugin

Plugin: WC Sales Notification
Plugin Slug: wc-sales-notification
Installations: 100+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.2.3
Severity Score: Medium
CVE: 2023-1087

WordPress Debug Assistant plugin

Plugin: Debug Assistant
Plugin Slug: debug-assistant
Installations: 80+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.5
Severity Score: High
CVE: 2023-26516

WordPress Debug Assistant plugin

Plugin: Debug Assistant
Plugin Slug: debug-assistant
Installations: 80+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.5
Severity Score: Medium
CVE: 2023-26527

WordPress Preview Link Generator plugin

Plugin: Preview Link Generator
Plugin Slug: preview-link-generator
Installations: 10+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.0.4
Severity Score: Medium
CVE: 2023-1086

WordPress Replyable plugin

Plugin: Postmatic
Plugin Slug: postmatic
Vulnerability: PHP Object Injection
Patched in Version: 2.2.10
Severity Score: High
CVE: 2022-4265

WordPress Toolset Types plugin

Plugin: Types
Plugin Slug: types
Vulnerability: Arbitrary File Upload
Patched in Version: 3.4.18
Severity Score: High
CVE: 2023-27440

WordPress Plugin Vulnerabilities – No Known Fix

This section contains plugin vulnerabilities with no known fix. Until a patch is available, you are advised to deactivate the plugin, at minimum, immediately. If there is a high risk of active exploits or the plugin remains unpatched for weeks, you are advised to delete the plugin. You should also delete persistently unpatched plugins the WordPress.org repository has locked and marked “Closed” so they can no longer be downloaded and installed.

WordPress Instant Images

Plugin: Instant Images – One Click Image Uploads from Unsplash, Openverse, Pixabay and Pexels
Plugin Slug: instant-images
Installations: 100,000+
Vulnerability: Server Side Request Forgery (SSRF)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-27451

WordPress Rus-To-Lat plugin

Plugin: Rus-To-Lat
Plugin Slug: rustolat
Installations: 90,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-25470

WordPress WP Social Bookmarking Light plugin

Plugin: WP Social Bookmarking Light
Plugin Slug: wp-social-bookmarking-light
Installations: 60,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-25029

WordPress clickfunnels plugin

Plugin: ClickFunnels
Plugin Slug: clickfunnels
Installations: 30,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2022-47152

WordPress WP Translitera plugin

Plugin: WP Translitera
Plugin Slug: wp-translitera
Installations: 30,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-27438

WordPress WP TFeed plugin

Plugin: WP TFeed
Plugin Slug: accesspress-twitter-feed
Installations: 10,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-26518

WordPress Custom Content Shortcode plugin

Plugin: Custom Content Shortcode
Plugin Slug: custom-content-shortcode
Installations: 10,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-0273

WordPress Custom Content Shortcode plugin

Plugin: Custom Content Shortcode
Plugin Slug: custom-content-shortcode
Installations: 10,000+
Vulnerability: Local File Inclusion
Patched in Version: No Fix
Severity Score: High
CVE: 2023-0340

WordPress menu shortcode plugin

Plugin: menu shortcode
Plugin Slug: menu-shortcode
Installations: 10,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-0395

WordPress Smart YouTube PRO plugin

Plugin: Smart YouTube PRO
Plugin Slug: smart-youtube
Installations: 10,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-25475

WordPress Styles plugin

Plugin: Styles
Plugin Slug: styles
Installations: 10,000+
Vulnerability: Server Side Request Forgery (SSRF)
Patched in Version: No Fix
Severity Score: High
CVE: 2022-40700

WordPress Video Background plugin

Plugin: Video Background
Plugin Slug: video-background
Installations: 10,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2022-4652

WordPress WP Clean Up plugin

Plugin: WP Clean Up
Plugin Slug: wp-clean-up
Installations: 10,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-25034

WordPress XML Sitemap Generator for Google plugin

Plugin: Google XML Sitemaps Generator
Plugin Slug: xml-sitemap-generator-for-google
Installations: 10,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-26514

WordPress FareHarbor for WordPress plugin

Plugin: FareHarbor for WordPress
Plugin Slug: fareharbor
Installations: 8,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-25021

WordPress Blog Floating Button plugin

Plugin: Blog Floating Button
Plugin Slug: blog-floating-button
Installations: 7,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-27445

WordPress Classic Editor and Classic Widgets plugin

Plugin: Classic Editor and Classic Widgets
Plugin Slug: classic-editor-and-classic-widgets
Installations: 7,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-27434

WordPress CPO Content Types plugin

Plugin: CPO Content Types
Plugin Slug: cpo-content-types
Installations: 7,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-25451

WordPress Resize at Upload Plus plugin

Plugin: Resize at Upload Plus
Plugin Slug: resize-at-upload-plus
Installations: 7,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-25467

WordPress Advanced Text Widget plugin

Plugin: Advanced Text Widget
Plugin Slug: advanced-text-widget
Installations: 6,000+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-26520

WordPress Advanced Text Widget plugin

Plugin: Advanced Text Widget
Plugin Slug: advanced-text-widget
Installations: 6,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-26539

WordPress New Adman plugin

Plugin: New Adman
Plugin Slug: new-adman
Installations: 6,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-27439

WordPress New Adman plugin

Plugin: New Adman
Plugin Slug: new-adman
Installations: 6,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-27441

WordPress WP No External Links plugin

Plugin: WP No External Links
Plugin Slug: no-external-links
Installations: 6,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-26537

WordPress Simple CSV/XLS Exporter plugin

Plugin: Simple CSV/XLS Exporter
Plugin Slug: simple-csv-xls-exporter
Installations: 6,000+
Vulnerability: CSV Injection
Patched in Version: No Fix
Severity Score: Medium
CVE: 2022-42882

WordPress Social Auto Poster plugin

Plugin: Social Auto Poster
Plugin Slug: accesspress-facebook-auto-post
Installations: 5,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-26532

WordPress Elegant Custom Fonts plugin

Plugin: Elegant Custom Fonts
Plugin Slug: elegant-custom-fonts
Installations: 5,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-27436

WordPress About Me 3000 widget plugin

Plugin: About Me 3000 widget
Plugin Slug: about-me-3000
Installations: 2,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-25474

WordPress Leyka plugin

Plugin: Leyka
Plugin Slug: leyka
Installations: 2,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-27450

WordPress Leyka plugin

Plugin: Leyka
Plugin Slug: leyka
Installations: 2,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-27442

WordPress Wpopal Core Features plugin

Plugin: Wpopal Core Features
Plugin Slug: wpopal-core-features
Installations: 2,000+
Vulnerability: Server Side Request Forgery (SSRF)
Patched in Version: No Fix
Severity Score: High
CVE: 2022-40700

WordPress Simple Vimeo Shortcode

Plugin: Simple Vimeo Shortcode
Plugin Slug: the-very-simple-vimeo-shortcode
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-27443

WordPress Sales Report Email for WooCommerce

Plugin: Sales Report Email for WooCommerce
Plugin Slug: woo-advanced-sales-report-email
Installations: 1,000+
Vulnerability: Other Vulnerability Type
Patched in Version: No Fix
Severity Score: Medium
CVE: 2022-38141

WordPress WP Google Tag Manager plugin

Plugin: WP Google Tag Manager
Plugin Slug: wp-google-tag-manager
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-22693

WordPress Ever Compare plugin

Plugin: Ever Compare – Products Compare Plugin for WooCommerce
Plugin Slug: ever-compare
Installations: 800+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-0505

WordPress React Webcam plugin

Plugin: React Webcam
Plugin Slug: react-webcam
Installations: 600+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-0365

WordPress User Activity plugin

Plugin: User Activity
Plugin Slug: user-activity
Installations: 300+
Vulnerability: Content Spoofing
Patched in Version: No Fix
Severity Score: Medium
CVE: 2022-4550

WordPress GoToWP plugin

Plugin: GoToWP
Plugin Slug: gotowp
Installations: 200+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-0369

WordPress WP Repost plugin

Plugin: WP Repost
Plugin Slug: wp-repost
Installations: 200+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-26534

WordPress WP Repost plugin

Plugin: WP Repost
Plugin Slug: wp-repost
Installations: 200+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-26522

WordPress wp2syslog plugin

Plugin: wp2syslog
Plugin Slug: wp2syslog
Installations: 80+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-25974

WordPress CSS Adder By Agene-Press

Plugin: CSS Adder By Agence-Press
Plugin Slug: css-adder-by-agence-press
Installations: 60+
Vulnerability: Server Side Request Forgery (SSRF)
Patched in Version: No Fix
Severity Score: High
CVE: 2022-40700

WordPress AMP Toolbox plugin

Plugin: AMP Toolbox
Plugin Slug: amp-toolbox
Installations: 50+
Vulnerability: Server Side Request Forgery (SSRF)
Patched in Version: No Fix
Severity Score: High
CVE: 2022-40700

WordPress Start plugin

Plugin: WordPress Start
Plugin Slug: iksweb
Installations: 40+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-25972

WordPress Manage Upload Limit plugin

Plugin: Manage Upload Limit
Plugin Slug: wpsimpletools-upload-limit
Installations: 40+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-27432

WordPress DupeOff plugin

Plugin: DupeOff
Plugin Slug: dupeoff
Installations: 10+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-26529

WordPress Shipyaari Shipping Management

Plugin: Shipyaari Shipping Management
Plugin Slug: manage-shipyaari-shipping
Installations: 10+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-26528

WordPress Advanced Recent Posts plugin

Plugin: Advanced Recent Posts
Plugin Slug: advanced-recent-posts
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-0212

WordPress Confirm Data plugin

Plugin: Confirm Data
Plugin Slug: confirm-data
Vulnerability: Server Side Request Forgery (SSRF)
Patched in Version: No Fix
Severity Score: High
CVE: 2022-40700

WordPress Correos Oficial plugin

Plugin: Correos Oficial
Plugin Slug: correosoficial
Vulnerability: Arbitrary File Download
Patched in Version: No Fix
Severity Score: High
CVE: 2023-0331

WordPress Custom Add User plugin

Plugin: Custom Add User
Plugin Slug: custom-add-user
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-0043

WordPress Download Attachments plugin

Plugin: Download Attachments
Plugin Slug: download-attachments
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-0076

WordPress GigPress plugin

Plugin: GigPress
Plugin Slug: gigpress
Vulnerability: SQL Injection
Patched in Version: No Fix
Severity Score: High
CVE: 2023-0381

WordPress i2 Pros & Cons plugin

Plugin: i2 Pros & Cons
Plugin Slug: i2-pro-cons
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-0065

WordPress PHPFreeChat plugin

Plugin: PHPFreeChat
Plugin Slug: phpfreechat
Vulnerability: Server Side Request Forgery (SSRF)
Patched in Version: No Fix
Severity Score: High
CVE: 2022-40700

WordPress Product GTIN (EAN, UPC, ISBN) for WooCommerce plugin

Plugin: Product GTIN (EAN, UPC, ISBN) for WooCommerce
Plugin Slug: product-gtin-ean-upc-isbn-for-woocommerce
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-0068

WordPress Page Builder – Qards

Plugin: WordPress Page Builder – Qards
Plugin Slug: qards-free
Vulnerability: Server Side Request Forgery (SSRF)
Patched in Version: No Fix
Severity Score: High
CVE: 2022-40700

WordPress Resume Builder plugin

Plugin: Resume Builder
Plugin Slug: resume-builder
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-0078

WordPress Saan World Clock plugin

Plugin: Saan World Clock
Plugin Slug: saan-world-clock
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-0145

WordPress Smart Logo Showcase Lite plugin

Plugin: Smart Logo Showcase Lite
Plugin Slug: smart-logo-showcase-lite
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-0175

WordPress Synved Shortcodes plugin

Plugin: Synved Shortcodes
Plugin Slug: synved-shortcodes
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-0063

WordPress Theme Minifier plugin

Plugin: Theme Minifier
Plugin Slug: theme-minifier
Vulnerability: Server Side Request Forgery (SSRF)
Patched in Version: No Fix
Severity Score: High
CVE: 2022-40700

WordPress UpQode Google Maps plugin

Plugin: UpQode Google Maps
Plugin Slug: upqode-google-maps
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-0094

WordPress Galleries by Angie Makes

Plugin: Galleries by Angie Makes
Plugin Slug: wc-gallery
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2022-4795

WordPress WooSupply plugin

Plugin: WooSupply – Suppliers, Supply Orders and Stock Management
Plugin Slug: woosupply
Vulnerability: Server Side Request Forgery (SSRF)
Patched in Version: No Fix
Severity Score: High
CVE: 2022-40700

WordPress WooVIP plugin

Plugin: WooVIP – Membership plugin for WordPress and WooCommerce
Plugin Slug: woovip
Vulnerability: Server Side Request Forgery (SSRF)
Patched in Version: No Fix
Severity Score: High
CVE: 2022-40700

WordPress WooVirtualWallet plugin

Plugin: WooVirtualWallet – A virtual wallet for WooCommerce
Plugin Slug: woovirtualwallet
Vulnerability: Server Side Request Forgery (SSRF)
Patched in Version: No Fix
Severity Score: High
CVE: 2022-40700

WordPress AMO for WP plugin

Plugin: AMO for WP – Membership Management
Plugin Slug: wp-amo
Vulnerability: Server Side Request Forgery (SSRF)
Patched in Version: No Fix
Severity Score: High
CVE: 2022-40700

WordPress WPaudio MP3 Player plugin

Plugin: WPaudio MP3 Player
Plugin Slug: wpaudio-mp3-player
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-0069

WordPress WPB Advanced FAQ plugin

Plugin: WPB Advanced FAQ
Plugin Slug: wpb-advanced-faq
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-0370

WordPress Theme Vulnerabilities

In this section, you’ll find the latest WordPress theme vulnerabilities to be disclosed. You’ll see the same information provided above for vulnerable plugins, and the same advice applies. If a security update exists, install it immediately. If a vulnerability remains unpatched in a theme you are actively using, you will need to find an alternative theme. Deactivate and delete persistently unpatched themes and those that have been “Closed” in the WordPress.org theme repository. If you have a vulnerable theme installed that you are not actively using, simply delete it.

WordPress OceanWP theme

Theme: OceanWP
Theme Slug: oceanwp
Downloads: 5,985,364
Vulnerability: Local File Inclusion
Patched in Version: 3.4.2
Severity Score: High
CVE: 2023-23700

WordPress Total theme

Theme: Total
Theme Slug: total
Downloads: 956,513
Vulnerability: Broken Authentication
Patched in Version: 2.1.20
Severity Score: Medium
CVE: 2023-27456

WordPress Big Store theme

Theme: Big Store
Theme Slug: big-store
Downloads: 104,293
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.9.4
Severity Score: Medium
CVE: 2023-27431

WordPress darcie theme

Theme: Darcie
Theme Slug: darcie
Downloads: 14,911
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.1.6
Severity Score: High
CVE: 2023-25961

WordPress Houzez theme

Theme: Houzez
Theme Slug: houzez
Vulnerability: Privilege Escalation
Patched in Version: 2.7.2
Severity Score: Critical
CVE: 2023-26540

WordPress Real Estate 7 theme

Theme: Real Estate 7
Theme Slug: realestate-7
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 3.3.5
Severity Score: Medium

WordPress Real Estate 7 theme

Theme: Real Estate 7
Theme Slug: realestate-7
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.3.5
Severity Score: High

Never worry about running a vulnerable plugin or theme again.

As you can see from this report, new WordPress plugin and theme vulnerabilities are disclosed every week. We know it can be difficult to stay on top of every reported vulnerability disclosure that matters to you, so the Themes Security Pro plugin makes it easy to ensure your site isn’t running a vulnerable theme, plugin, or version of WordPress core.

Scans Your Website Twice a Day for Vulnerabilities

Your website’s plugins, themes, and WordPress core versions are checked against the Patchstack Vulnerability Database for the latest vulnerability disclosures.

Automatically Updates if a Security Fix is Available

Paired with Version Management, iThemes Security will automatically update a plugin, theme, or WordPress core version if it has a vulnerability.

Emails You a Warning if Site Scan Detects a Vulnerability

You can receive an email report if your site is running vulnerable versions of a plugin, theme, or WordPress core. Customize the email addresses that receive scan results.

The Best WordPress Security Plugin to Secure & Protect WordPress Sites

WordPress currently powers over 40% of all websites, so it has become a popular target for hackers with malicious intent. The iThemes Security Pro plugin takes the guesswork out of WordPress security to make it easy to secure & protect your WordPress website. It’s like having a full-time security expert on staff who constantly monitors and protects your WordPress site for you.

Buy iThemes Security Pro

iThemes Editorial Team

Each week, the team at iThemes team publishes new WordPress tutorials and resources, including the Weekly WordPress Vulnerability Report. Since 2008, iThemes has been dedicated to helping you build, maintain, and secure WordPress sites for yourself or for clients. Our mission? Make People’s Lives Awesome.