WordPress Vulnerability Report

This week, 66 vulnerabilities may affect over 5.8 million WordPress sites. There are 42 plugin vulnerabilities and five in themes that have security patches available, so run those updates! Additionally, there are 18 plugin vulnerabilities and one theme with no patch available yet. If you are using any unpatched plugins or themes, check their vendors’ intentions and progress on a security release. If no patch is forthcoming or the vulnerable software has been closed and dropped from the official WordPress theme and plugin repositories, you should consider deactivation and removal in favor of alternative solutions.

Please note we’ve revised last week’s report to correct the list of vulnerable code after many of the previous week’s vulnerabilities were mistakenly included. Thanks to Jeff Severson of JTS Design for bringing this to our attention.

No new WordPress core vulnerabilities were disclosed this week.

WordPress core is very secure when it’s properly configured and maintained. Vulnerable plugins that have not been updated by site owners are the most common vector for attacks on WordPress websites. Our weekly WordPress Vulnerability Report, powered by Patchstack, covers new WordPress plugin, theme, and core vulnerabilities that have emerged since last week’s report. Our goal is to spread awareness of emerging security threats and help you decide what to do if you are using vulnerable software on your website. For a deeper analysis of recent trends in WordPress vulnerabilities and threat vectors, see our 2022 Annual Vulnerability Report.

These reports are published every Wednesday and include all active vulnerabilities tracked by Patchstack as of Monday since the previous report. This leaves a 48-hour window for the newest emerging vulnerabilities to be patched before full public disclosure. iThemes Security Pro users have access to vulnerability alerts emerging within this window.

Get the weekly WordPress Vulnerability Report delivered to your inbox each Wednesday.

WordPress Plugin Vulnerabilities with Patches

In this section, you’ll find the most recently disclosed WordPress plugin vulnerabilities that have been fixed with a new release from their authors and maintainers. Please apply the updates if you are affected!

These vulnerabilities have been disclosed and scored for their severity, thanks to our friends at Patchstack. Each plugin listing includes the type of vulnerability with its CVE number and CVSS severity rating with links to more technical details. You’ll also see the number of active sites using the plugin and the plugin version release that patches the vulnerability. We start with the most popular plugins, which represent the largest target for attackers.

Advanced Custom Fields

Plugin: Advanced Custom Fields (ACF)
Plugin Slug: advanced-custom-fields
Installations: 2,000,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 6.1.6
Severity Score: High
CVE: 2023-30777

Advanced Custom Fields

Plugin: Advanced Custom Fields (ACF)
Plugin Slug: advanced-custom-fields
Installations: 2,000,000+
Vulnerability: PHP Object Injection
Patched in Version: 5.12.5
Severity Score: Medium
CVE: 2023-1196

Ninja Forms

Plugin: Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress
Plugin Slug: ninja-forms
Installations: 900,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.6.22
Severity Score: High
CVE: 2023-1835

Otter – Gutenberg Blocks

Plugin: Otter – Gutenberg Blocks – Page Builder for Gutenberg Editor & FSE
Plugin Slug: otter-blocks
Installations: 300,000+
Vulnerability: PHP Object Injection
Patched in Version: 2.2.6
Severity Score: Medium
CVE: 2023-2288

Metform Elementor Contact Form Builder

Plugin: Metform Elementor Contact Form Builder – Flexible and Design-Friendly Contact Form builder plugin for WordPress
Plugin Slug: metform
Installations: 200,000+
Vulnerability: Broken Access Control
Patched in Version: 3.3.1
Severity Score: Medium
CVE: 2023-1843

YARPP

Plugin: YARPP – Yet Another Related Posts Plugin
Plugin Slug: yet-another-related-posts-plugin
Installations: 100,000+
Vulnerability: SQL Injection
Patched in Version: 5.30.3
Severity Score: High
CVE: 2023-0579

Advanced Woo Search

Plugin: Advanced Woo Search
Plugin Slug: advanced-woo-search
Installations: 70,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.78
Severity Score: Medium
CVE: 2023-2452

Easy Digital Downloads

Plugin: Easy Digital Downloads – Simple eCommerce for Selling Digital Files
Plugin Slug: easy-digital-downloads
Installations: 50,000+
Vulnerability: Privilege Escalation
Patched in Version: 3.1.1.4.2
Severity Score: Critical
CVE: 2023-30869

FV Flowplayer Video Player

Plugin: FV Flowplayer Video Player
Plugin Slug: fv-wordpress-flowplayer
Installations: 30,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 7.5.35.7212
Severity Score: High
CVE: 2023-30499

Product Addons & Fields for WooCommerce

Plugin: Product Addons & Fields for WooCommerce
Plugin Slug: woocommerce-product-addon
Installations: 20,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 32.0.6
Severity Score: Medium
CVE: 2023-1839

WP Visitor Statistics (Real Time Traffic)

Plugin: WP Visitor Statistics (Real Time Traffic)
Plugin Slug: wp-stats-manager
Installations: 20,000+
Vulnerability: SQL Injection
Patched in Version: 6.9
Severity Score: Critical
CVE: 2023-0600

CM Pop-Up banners for WordPress

Plugin: CM Pop-Up banners for WordPress
Plugin Slug: cm-pop-up-banners
Installations: 10,000+
Vulnerability: SQL Injection
Patched in Version: 1.6.0
Severity Score: High
CVE: 2023-30750

Image Optimizer by 10web

Plugin: Image Optimizer by 10web – Image Optimizer and Compression plugin
Plugin Slug: image-optimizer-wd
Installations: 10,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.0.27
Severity Score: High
CVE: 2023-2122

Participants Database

Plugin: Participants Database
Plugin Slug: participants-database
Installations: 10,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 2.5.0
Severity Score: Medium
CVE: 2023-31235

URL Params

Plugin: URL Params
Plugin Slug: url-params
Installations: 10,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.5
Severity Score: Medium
CVE: 2023-0274

Product Catalog Feed by PixelYourSite

Plugin: Product Catalog Feed by PixelYourSite
Plugin Slug: product-catalog-feed
Installations: 8,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.1.1
Severity Score: High
CVE: 2023-1804

WOLF

Plugin: WOLF – WordPress Posts Bulk Editor and Manager Professional
Plugin Slug: bulk-editor
Installations: 5,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.0.7
Severity Score: High
CVE: 2023-31218

HollerBox

Plugin: Fast & Effective Popups & Lead-Generation for WordPress – HollerBox
Plugin Slug: holler-box
Installations: 5,000+
Vulnerability: SQL Injection
Patched in Version: 2.1.4
Severity Score: High

Ko-fi Button

Plugin: Ko-fi Button
Plugin Slug: ko-fi-button
Installations: 5,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.3.3
Severity Score: Medium
CVE: 2023-2254

Booking Manager

Plugin: Booking Manager
Plugin Slug: booking-manager
Installations: 4,000+
Vulnerability: Server Side Request Forgery (SSRF)
Patched in Version: 2.0.29
Severity Score: Medium
CVE: 2023-1977

WPO365 | Mail Integration for Office 365 / Outlook

Plugin: WPO365 | Mail Integration for Office 365 / Outlook
Plugin Slug: mail-integration-365
Installations: 4,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.9.1
Severity Score: Medium
CVE: 2023-32119

Spiffy Calendar

Plugin: Spiffy Calendar
Plugin Slug: spiffy-calendar
Installations: 3,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 4.9.4
Severity Score: Medium
CVE: 2023-32122

Stagtools

Plugin: StagTools
Plugin Slug: stagtools
Installations: 3,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.3.7
Severity Score: Medium
CVE: 2023-0891

WP EasyPay

Plugin: WP EasyPay – Square for WordPress
Plugin Slug: wp-easy-pay
Installations: 3,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 4.1
Severity Score: High
CVE: 2023-1465

TK Google Fonts GDPR Compliant

Plugin: TK Google Fonts GDPR Compliant
Plugin Slug: tk-google-fonts
Installations: 2,000+
Vulnerability: Broken Access Control
Patched in Version: 2.2.8
Severity Score: Medium

WP Inventory Manager

Plugin: WP Inventory Manager
Plugin Slug: wp-inventory-manager
Installations: 2,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.1.0.13
Severity Score: High
CVE: 2023-2123

WP Directory Kit

Plugin: WP Directory Kit
Plugin Slug: wpdirectorykit
Installations: 2,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.2.2
Severity Score: Medium
CVE: 2023-2279

WP Directory Kit

Plugin: WP Directory Kit
Plugin Slug: wpdirectorykit
Installations: 2,000+
Vulnerability: Broken Access Control
Patched in Version: 1.2.3
Severity Score: Medium
CVE: 2023-2280

Albo Pretorio On line

Plugin: Albo Pretorio On line
Plugin Slug: albo-pretorio-on-line
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 4.6.4
Severity Score: High
CVE: 2023-32109

Albo Pretorio On line

Plugin: Albo Pretorio On line
Plugin Slug: albo-pretorio-on-line
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 4.6.4
Severity Score: High
CVE: 2023-32108

Contact Form 7 extension for Google Map fields

Plugin: Contact Form 7 extension for Google Map fields
Plugin Slug: cf7-google-map
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.8.4
Severity Score: High

Photo Gallery by Ays

Plugin: Photo Gallery by Ays – Responsive Image Gallery
Plugin Slug: gallery-photo-gallery
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 5.1.4
Severity Score: High
CVE: 2023-32107

TP Education

Plugin: TP Education
Plugin Slug: tp-education
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 4.5
Severity Score: Medium
CVE: 2023-32103

WP Docs

Plugin: WP Docs
Plugin Slug: wp-docs
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.0.0
Severity Score: High
CVE: 2023-32106

WPPizza – A Restaurant Plugin

Plugin: WPPizza – A Restaurant Plugin
Plugin Slug: wppizza
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.17.2
Severity Score: High
CVE: 2023-32105

WP SMTP Mailing Queue

Plugin: SMTP Mailing Queue
Plugin Slug: smtp-mailing-queue
Installations: 900+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.0.1
Severity Score: Medium
CVE: 2023-1090

Library Viewer

Plugin: Library Viewer
Plugin Slug: library-viewer
Installations: 400+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.0.6.1
Severity Score: Medium
CVE: 2023-32102

Library Viewer

Plugin: Library Viewer
Plugin Slug: library-viewer
Installations: 400+
Vulnerability: Open Redirection
Patched in Version: 2.0.6.1
Severity Score: Medium
CVE: 2023-32101

Hostel

Plugin: Hostel
Plugin Slug: hostel
Installations: 80+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.1.5.2
Severity Score: Medium
CVE: 2023-32120

Advanced Custom Fields Pro

Plugin: Advanced Custom Fields PRO
Plugin Slug: advanced-custom-fields-pro
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 6.1.6
Severity Score: High
CVE: 2023-30777

Advanced Custom Fields Pro

Plugin: Advanced Custom Fields PRO
Plugin Slug: advanced-custom-fields-pro
Vulnerability: PHP Object Injection
Patched in Version: 6.1.0
Severity Score: Medium
CVE: 2023-1196

tagDiv Composer

Plugin: tagDiv Composer
Plugin Slug: td-composer
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 4.0
Severity Score: High
CVE: 2023-1596

WordPress Plugin Vulnerabilities – No Known Fix

This section contains plugin vulnerabilities with no known fix. Until a patch is available, you are advised to deactivate the plugin, at minimum, immediately. If there is a high risk of active exploits or the plugin remains unpatched for weeks, you are advised to delete the plugin. You should also delete persistently unpatched plugins the WordPress.org repository has locked and marked “Closed” so they can no longer be downloaded and installed.

Easy Appointments

Plugin: Easy Appointments
Plugin Slug: easy-appointments
Installations: 20,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2022-36424

Points and Rewards for WooCommerce

Plugin: Points and Rewards for WooCommerce – Create Loyalty Programs, Reward Customer Purchases, Referral Points & Redemptions
Plugin Slug: points-and-rewards-for-woocommerce
Installations: 6,000+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-27608

Points and Rewards for WooCommerce

Plugin: Points and Rewards for WooCommerce – Create Loyalty Programs, Reward Customer Purchases, Referral Points & Redemptions
Plugin Slug: points-and-rewards-for-woocommerce
Installations: 6,000+
Vulnerability: Settings Change
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-27607

Community by PeepSo

Plugin: Community by PeepSo – Social Network, Membership, Registration, User Profiles
Plugin Slug: peepso-core
Installations: 4,000+
Vulnerability: Sensitive Data Exposure
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-27630

Cryptocurrency Payment & Donation Box

Plugin: Cryptocurrency Payment & Donation Box – Accept Payments in any Cryptocurrency on your WP Site for Free
Plugin Slug: cryptocurrency-donation-box
Installations: 3,000+
Vulnerability: SQL Injection
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-32128

WP Job Portal

Plugin: WP Job Portal – A Complete Job Board
Plugin Slug: wp-job-portal
Installations: 3,000+
Vulnerability: Other Vulnerability Type
Patched in Version: No Fix
Severity Score: Medium
CVE: 2022-41786

Multi Rating

Plugin: Multi Rating
Plugin Slug: multi-rating
Installations: 2,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-32130

Multi Rating

Plugin: Multi Rating
Plugin Slug: multi-rating
Installations: 2,000+
Vulnerability: Other Vulnerability Type
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-32127

Multi Rating

Plugin: Multi Rating
Plugin Slug: multi-rating
Installations: 2,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-32125

Booking Ultra Pro Appointments

Plugin: Booking Ultra Pro Appointments Booking Calendar Plugin
Plugin Slug: booking-ultra-pro
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-32236

REST API TO MiniProgram

Plugin: REST API TO MiniProgram
Plugin Slug: rest-api-to-miniprogram
Installations: 1,000+
Vulnerability: Arbitrary Content Deletion
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-0551

Tiempo.com

Plugin: Tiempo.com
Plugin Slug: tiempocom
Installations: 600+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-2271

Tiempo.com

Plugin: Tiempo.com
Plugin Slug: tiempocom
Installations: 600+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-0058

Tiempo.com

Plugin: Tiempo.com
Plugin Slug: tiempocom
Installations: 600+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-2272

Manager for Icommon

Plugin: Manager for Icomoon
Plugin Slug: manager-for-icomoon
Installations: 500+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-29387

Manager for Icommon

Plugin: Manager for Icomoon
Plugin Slug: manager-for-icomoon
Installations: 500+
Vulnerability: Arbitrary File Upload
Patched in Version: No Fix
Severity Score: Critical
CVE: 2023-29386

WP Abstracts

Plugin: WP Abstracts
Plugin Slug: wp-abstracts-manuscripts-manager
Installations: 400+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-29385

UserAgent-Spy

Plugin: UserAgent-Spy
Plugin Slug: useragent-spy
Installations: 10+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-2490

WordPress Theme Vulnerabilities

In this section, you’ll find the latest WordPress theme vulnerabilities to be disclosed. You’ll see the same information provided above for vulnerable plugins, and the same advice applies. If a security update exists, install it immediately. If a vulnerability remains unpatched in a theme you are actively using, you will need to find an alternative theme. Deactivate and delete persistently unpatched themes and those that have been “Closed” in the WordPress.org theme repository. If you have a vulnerable theme installed that you are not actively using, simply delete it.

Editorialmag

Theme: Editorialmag
Theme Slug: editorialmag
Downloads: 81,155
Vulnerability: Broken Authentication
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-32129

JupiterX

Theme: JupiterX
Theme Slug: jupiterx
Vulnerability: Local File Inclusion
Patched in Version: 3.1.0
Severity Score: High
CVE: 2023-32110

TheGem (Elementor)

Theme: TheGem
Theme Slug: thegem
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 5.8.1.1
Severity Score: Medium
CVE: 2023-32237

TheGem (Elementor)

Theme: TheGem
Theme Slug: thegem
Vulnerability: Broken Access Control
Patched in Version: 5.8.1.1
Severity Score: Medium
CVE: 2023-32238

TheGem (WPBakery)

Theme: TheGem
Theme Slug: thegem
Vulnerability: Broken Access Control
Patched in Version: 5.8.1.1
Severity Score: Medium
CVE: 2023-32238

TheGem (WPBakery)

Theme: TheGem
Theme Slug: thegem
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 5.8.1.1
Severity Score: Medium
CVE: 2023-32237

Never worry about running a vulnerable plugin or theme again.

As you can see from this report, new WordPress plugin and theme vulnerabilities are disclosed every week. We know it can be difficult to stay on top of every reported vulnerability disclosure that matters to you, so the Themes Security Pro plugin makes it easy to ensure your site isn’t running a vulnerable theme, plugin, or version of WordPress core.

Scans Your Website Twice a Day for Vulnerabilities

Your website’s plugins, themes, and WordPress core versions are checked against the Patchstack Vulnerability Database for the latest vulnerability disclosures.

Automatically Updates if a Security Fix is Available

Paired with Version Management, iThemes Security will automatically update a plugin, theme, or WordPress core version if it has a vulnerability.

Emails You a Warning if Site Scan Detects a Vulnerability

You can receive an email report if your site is running vulnerable versions of a plugin, theme, or WordPress core. Customize the email addresses that receive scan results.

The Best WordPress Security Plugin to Secure & Protect WordPress Sites

WordPress currently powers over 40% of all websites, so it has become a popular target for hackers with malicious intent. The iThemes Security Pro plugin takes the guesswork out of WordPress security to make it easy to secure & protect your WordPress website. It’s like having a full-time security expert on staff who constantly monitors and protects your WordPress site for you.

Buy iThemes Security Pro

Dan Knauss

Dan Knauss is StellarWP’s Technical Content Generalist. He’s been a writer, teacher, and freelancer working in open source since the late 1990s and with WordPress since 2004.

WordPress Vulnerability Report – May 10, 2023

WordPress Plugin Vulnerabilities with Patches

WordPress Plugin Vulnerabilities – No Known Fix

WordPress Theme Vulnerabilities

Never worry about running a vulnerable plugin or theme again.

Scans Your Website Twice a Day for Vulnerabilities

Automatically Updates if a Security Fix is Available

Emails You a Warning if Site Scan Detects a Vulnerability

The Best WordPress Security Plugin to Secure & Protect WordPress Sites

Other related posts

About iThemes

Resources

Customers

Top Products

Get the Weekly WordPress Vulnerability Report

Vulnerable WordPress plugins and themes are the #1 reason WordPress sites get hacked, but keeping track of every new plugin and theme vulnerability is hard work. Get the weekly WordPress Vulnerability Report delivered right to your inbox to help keep your website secure.

Get the Weekly WordPress Vulnerability Report