This week, WordPress 6.2.1 was released — the first security and maintenance update for the 6.2 version line. This release patched 5 security vulnerabilities, including Cross-Site Scripting (XSS), Cross-site request forgery (CSRF), and path traversal vulnerabilities. If you have your site set to auto-update point releases for WordPress core, your site is likely already protected. Still, it is good practice to verify that the update has been applied to protect your site. For a full review of these patches, you can review WordPress trac tickets for 6.2.1.
In the plugin and theme ecosystem, 146 total vulnerabilities emerged in public disclosure. They may affect over 17 million WordPress sites. Out of the total number, there are 92 plugin vulnerabilities and 5 in themes that have security patches available. This includes Elementor (used on 5+ million sites) and Divi, which is used on over 4 million sites.
Additionally, there are 49 plugin vulnerabilities with no patch available yet. If you are using any unpatched plugins or themes, check their vendors’ intentions and progress on a security release. If no patch is forthcoming or the vulnerable software has been closed and dropped from the official WordPress theme and plugin repositories, you should consider deactivation and removal in favor of alternative solutions.
WordPress core is very secure when it’s properly configured and maintained. Vulnerable plugins that have not been updated by site owners are the most common vector for attacks on WordPress websites. Our weekly WordPress Vulnerability Report, powered by Patchstack, covers new WordPress plugin, theme, and core vulnerabilities that have emerged since last week’s report. Our goal is to spread awareness of emerging security threats and help you decide what to do if you are using vulnerable software on your website. For a deeper analysis of recent trends in WordPress vulnerabilities and threat vectors, see our 2022 Annual Vulnerability Report.
These reports are published every Wednesday and include all active vulnerabilities tracked by Patchstack as of Monday since the previous report. This leaves a 48-hour window for the newest emerging vulnerabilities to be patched before full public disclosure. iThemes Security Pro users have access to vulnerability alerts emerging within this window.
WordPress Plugin Vulnerabilities with Patches
In this section, you’ll find the most recently disclosed WordPress plugin vulnerabilities that have been fixed with a new release from their authors and maintainers. Please apply the updates if you are affected!
These vulnerabilities have been disclosed and scored for their severity, thanks to our friends at Patchstack. Each plugin listing includes the type of vulnerability with its CVE number and CVSS severity rating with links to more technical details. You’ll also see the number of active sites using the plugin and the plugin version release that patches the vulnerability. We start with the most popular plugins, which represent the largest target for attackers.
Elementor

- Plugin Slug
- elementor
- Installations
- 5,000,000+
- Vulnerability
- Missing Authorization to Settings Update
- Patched in Version
- 3.13.2
- Severity Score
- Medium
Google Analytics by MonsterInsights

- Plugin Slug
- google-analytics-for-wordpress
- Installations
- 3,000,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 8.14.1
- Severity Score
- Medium
- CVE
- 2023-23999
Essential Addons for Elementor

- Plugin Slug
- essential-addons-for-elementor-lite
- Installations
- 1,000,000+
- Vulnerability
- Unauthenticated Privilege Escalation
- Patched in Version
- 5.7.2
- Severity Score
- Critical
- CVE
- 2023-32243
Loginizer

WP Fastest Cache

- Plugin
- WP Fastest Cache
- Plugin Slug
- wp-fastest-cache
- Installations
- 1,000,000+
- Vulnerability
- Server Side Request Forgery (SSRF)
- Patched in Version
- 1.1.5
- Severity Score
- Medium
- CVE
- 2023-1938
ExactMetrics

- Plugin Slug
- google-analytics-dashboard-for-wp
- Installations
- 700,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 7.14.2
- Severity Score
- Medium
- CVE
- 2023-23880
MW WP Form

- Plugin
- MW WP Form
- Plugin Slug
- mw-wp-form
- Installations
- 200,000+
- Vulnerability
- Directory Traversal via _file_upload
- Patched in Version
- 4.4.3
- Severity Score
- Medium
Download Manager

- Plugin
- Download Manager
- Plugin Slug
- download-manager
- Installations
- 100,000+
- Vulnerability
- Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
- Patched in Version
- 3.2.71
- Severity Score
- Medium
- CVE
- 2023-2305
Download Monitor

- Plugin
- Download Monitor
- Plugin Slug
- download-monitor
- Installations
- 100,000+
- Vulnerability
- Sensitive Data Exposure
- Patched in Version
- 4.7.70
- Severity Score
- Medium
- CVE
- 2022-45354
Give – Donation Plugin

- Plugin Slug
- give
- Installations
- 100,000+
- Vulnerability
- PHP Object Injection
- Patched in Version
- 2.26.0
- Severity Score
- High
- CVE
- 2023-32513
Hide My WP Ghost

- Plugin Slug
- hide-my-wp
- Installations
- 100,000+
- Vulnerability
- Address Spoofing to Protection Mechanism Bypass
- Patched in Version
- 5.0.20
- Severity Score
- Medium
- CVE
- 2022-4537
Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue

- Plugin Slug
- mailin
- Installations
- 100,000+
- Vulnerability
- Reflected Cross-Site Scripting via ‘lang’
- Patched in Version
- 3.1.61
- Severity Score
- High
Slimstat Analytics

- Plugin
- Slimstat Analytics
- Plugin Slug
- wp-slimstat
- Installations
- 100,000+
- Vulnerability
- SQL Injection
- Patched in Version
- 5.0.5
- Severity Score
- High
- CVE
- 2022-45373
Slimstat Analytics

- Plugin
- Slimstat Analytics
- Plugin Slug
- wp-slimstat
- Installations
- 100,000+
- Vulnerability
- Reflected Cross Site Scripting (XSS)
- Patched in Version
- 5.0.5
- Severity Score
- High
- CVE
- 2022-45366
AnyWhere Elementor

- Plugin
- AnyWhere Elementor
- Plugin Slug
- anywhere-elementor
- Installations
- 90,000+
- Vulnerability
- Sensitive Data Exposure
- Patched in Version
- 1.2.8
- Severity Score
- Medium
- CVE
- 2023-0443
Custom Field Suite
- Plugin
- Custom Field Suite
- Plugin Slug
- custom-field-suite
- Installations
- 50,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 2.6.3
- Severity Score
- Medium
- CVE
- 2023-32515
Easy Hide Login

- Plugin
- Easy Hide Login
- Plugin Slug
- easy-hide-login
- Installations
- 40,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- 1.0.9
- Severity Score
- Medium
- CVE
- 2023-31075
Easy Hide Login

- Plugin
- Easy Hide Login
- Plugin Slug
- easy-hide-login
- Installations
- 40,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 1.0.8
- Severity Score
- Medium
- CVE
- 2023-32505
Forget About Shortcode Buttons

- Plugin Slug
- forget-about-shortcode-buttons
- Installations
- 40,000+
- Vulnerability
- Broken Access Control
- Patched in Version
- 2.1.3
- Severity Score
- Medium
- CVE
- 2023-32579
Post Snippets – Custom WordPress Code Snippets Customizer

- Plugin Slug
- post-snippets
- Installations
- 30,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 4.0.3
- Severity Score
- Medium
- CVE
- 2023-25459
Zero Spam for WordPress

- Plugin
- Zero Spam for WordPress
- Plugin Slug
- zero-spam
- Installations
- 30,000+
- Vulnerability
- SQL Injection
- Patched in Version
- 5.4.5
- Severity Score
- High
- CVE
- 2023-32121
Login Rebuilder
- Plugin
- Login rebuilder
- Plugin Slug
- login-rebuilder
- Installations
- 20,000+
- Vulnerability
- Admin+ Stored Cross Site Scripting (XSS)
- Patched in Version
- 2.8.1
- Severity Score
- Medium
- CVE
- 2023-2223
ShortPixel Adaptive Images – WebP, AVIF, CDN, Image Optimization

- Plugin Slug
- shortpixel-adaptive-images
- Installations
- 20,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- 3.7.2
- Severity Score
- Medium
- CVE
- 2023-32512
10Web Social Post Feed

- Plugin
- 10Web Social Post Feed
- Plugin Slug
- wd-facebook-feed
- Installations
- 20,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 1.2.9
- Severity Score
- High
Product Addons & Fields for WooCommerce

- Plugin Slug
- woocommerce-product-addon
- Installations
- 20,000+
- Vulnerability
- Reflected Cross Site Scripting (XSS)
- Patched in Version
- 32.0.7
- Severity Score
- High
- CVE
- 2023-2256
Custom 404 Pro

- Plugin
- Custom 404 Pro
- Plugin Slug
- custom-404-pro
- Installations
- 10,000+
- Vulnerability
- Reflected Cross Site Scripting (XSS)
- Patched in Version
- 3.8.2
- Severity Score
- Medium
- CVE
- 2023-32740
Custom 404 Pro

- Plugin
- Custom 404 Pro
- Plugin Slug
- custom-404-pro
- Installations
- 10,000+
- Vulnerability
- Reflected Cross Site Scripting (XSS)
- Patched in Version
- 3.7.3
- Severity Score
- High
- CVE
- 2023-2023
RegistrationMagic

- Plugin Slug
- custom-registration-form-builder-with-submission-manager
- Installations
- 10,000+
- Vulnerability
- Authentication Bypass
- Patched in Version
- 5.2.1.1
- Severity Score
- Critical
- CVE
- 2023-2499
GTmetrix for WordPress

- Plugin
- GTmetrix for WordPress
- Plugin Slug
- gtmetrix-for-wordpress
- Installations
- 10,000+
- Vulnerability
- Reflected Cross Site Scripting (XSS)
- Patched in Version
- 0.4.7
- Severity Score
- High
- CVE
- 2023-32503
Restaurant Menu – Food Ordering System – Table Reservation

- Plugin Slug
- menu-ordering-reservations
- Installations
- 10,000+
- Vulnerability
- Reflected Cross Site Scripting (XSS)
- Patched in Version
- 2.3.7
- Severity Score
- High
- CVE
- 2023-32516
SALERT

- Plugin Slug
- salert
- Installations
- 10,000+
- Vulnerability
- Broken Access Control
- Patched in Version
- 1.2.2
- Severity Score
- Medium
- CVE
- 2023-32126
SALERT

- Plugin Slug
- salert
- Installations
- 10,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 1.2.2
- Severity Score
- High
- CVE
- 2023-32118
Snow Monkey Forms

- Plugin
- Snow Monkey Forms
- Plugin Slug
- snow-monkey-forms
- Installations
- 10,000+
- Vulnerability
- Directory Traversal via ‘view’ REST endpoint
- Patched in Version
- 5.0.7
- Severity Score
- Medium
Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection

- Plugin Slug
- stopbadbots
- Installations
- 10,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 7.32
- Severity Score
- Medium
- CVE
- 2023-32496
Ultimate Addons for Contact Form 7

- Plugin Slug
- ultimate-addons-for-contact-form-7
- Installations
- 10,000+
- Vulnerability
- SQL Injection
- Patched in Version
- 3.1.24
- Severity Score
- High
- CVE
- 2022-47586
Wise Chat

- Plugin
- Wise Chat
- Plugin Slug
- wise-chat
- Installations
- 9,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- 3.1.4
- Severity Score
- Medium
- CVE
- 2023-32504
WP SMS

- Plugin Slug
- wp-sms
- Installations
- 9,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 6.1.5
- Severity Score
- High
- CVE
- 2023-32742
My WP Customize Admin/Frontend
- Plugin Slug
- my-wp
- Installations
- 7,000+
- Vulnerability
- Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
- Patched in Version
- 1.21.1
- Severity Score
- Medium
Brands for WooCommerce

- Plugin
- Brands for WooCommerce
- Plugin Slug
- brands-for-woocommerce
- Installations
- 6,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 3.8.2
- Severity Score
- Medium
- CVE
- 2023-23667
Active Directory Integration / LDAP Integration

- Plugin Slug
- ldap-login-for-intranet-sites
- Installations
- 6,000+
- Vulnerability
- Cross-Site Request Forgery to SQL Injection
- Patched in Version
- 4.1.5
- Severity Score
- High
- CVE
- 2023-2599
Active Directory Integration / LDAP Integration

- Plugin Slug
- ldap-login-for-intranet-sites
- Installations
- 6,000+
- Vulnerability
- Authenticated (Administrator+) SQL Injection
- Patched in Version
- 4.1.5
- Severity Score
- High
- CVE
- 2023-2484
VikBooking Hotel Booking Engine & PMS

- Plugin Slug
- vikbooking
- Installations
- 6,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- 1.6.2
- Severity Score
- Medium
- CVE
- 2023-32501
CM On Demand Search And Replace

- Plugin Slug
- cm-on-demand-search-and-replace
- Installations
- 5,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- 1.3.1
- Severity Score
- Medium
- CVE
- 2023-28749
Community by PeepSo

- Plugin Slug
- peepso-core
- Installations
- 4,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- 6.1.0.0
- Severity Score
- Medium
- CVE
- 2023-32092
WP Custom Cursors

- Plugin Slug
- wp-custom-cursors
- Installations
- 4,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- 3.2
- Severity Score
- Medium
- CVE
- 2023-32739
GS Pins for Pinterest

- Plugin Slug
- gs-pinterest-portfolio
- Installations
- 3,000+
- Vulnerability
- Broken Access Control
- Patched in Version
- 1.6.8
- Severity Score
- Medium
- CVE
- 2023-32593
Seo By 10Web

- Plugin
- SEO by 10Web
- Plugin Slug
- seo-by-10web
- Installations
- 3,000+
- Vulnerability
- Admin+ Stored XSS
- Patched in Version
- 1.2.7
- Severity Score
- Medium
- CVE
- 2023-2224
Bit Form

- Plugin Slug
- bit-form
- Installations
- 2,000+
- Vulnerability
- RCE via Unauthenticated Arbitrary File Upload
- Patched in Version
- 1.9
- Severity Score
- Critical
- CVE
- 2022-4774
BuddyForms

- Plugin Slug
- buddyforms
- Installations
- 2,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 2.8.2
- Severity Score
- Medium
- CVE
- 2023-25981
Injection Guard

- Plugin
- Injection Guard
- Plugin Slug
- injection-guard
- Installations
- 2,000+
- Vulnerability
- Broken Access Control
- Patched in Version
- 1.2.2
- Severity Score
- Medium
- CVE
- 2023-32574
Locatoraid Store Locator

- Plugin
- Locatoraid Store Locator
- Plugin Slug
- locatoraid
- Installations
- 2,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 3.9.19
- Severity Score
- Medium
- CVE
- 2023-32576
Pro Mime Types
- Plugin
- Pro Mime Types
- Plugin Slug
- pro-mime-types
- Installations
- 2,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- 2.0.0
- Severity Score
- Medium
- CVE
- 2023-32502
WP Responsive Tabs horizontal vertical and accordion Tabs

- Plugin Slug
- responsive-horizontal-vertical-and-accordion-tabs
- Installations
- 2,000+
- Vulnerability
- Reflected Cross Site Scripting (XSS)
- Patched in Version
- 1.1.16
- Severity Score
- High
- CVE
- 2023-24409
video carousel slider with lightbox

- Plugin Slug
- wp-responsive-video-gallery-with-lightbox
- Installations
- 2,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 1.0.23
- Severity Score
- High
- CVE
- 2023-32797
Vertical Image Slider

- Plugin Slug
- wp-vertical-image-slider
- Installations
- 2,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 1.2.17
- Severity Score
- High
- CVE
- 2023-24413
Announcement & Notification Banner – Bulletin

- Plugin Slug
- bulletin-announcements
- Installations
- 1,000+
- Vulnerability
- Missing Authorization Checks
- Patched in Version
- 3.7.0
- Severity Score
- Medium
- CVE
- 2023-2066
Announcement & Notification Banner – Bulletin

- Plugin Slug
- bulletin-announcements
- Installations
- 1,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- 3.7.1
- Severity Score
- Medium
- CVE
- 2023-2067
WPCS

- Plugin Slug
- currency-switcher
- Installations
- 1,000+
- Vulnerability
- Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
- Patched in Version
- 1.2.0
- Severity Score
- Medium
- CVE
- 2023-2558
WPCS

- Plugin Slug
- currency-switcher
- Installations
- 1,000+
- Vulnerability
- Multiple Missing Authorization
- Patched in Version
- 1.2.0
- Severity Score
- Medium
- CVE
- 2023-2556
Product page shipping calculator for WooCommerce

- Plugin Slug
- product-page-shipping-calculator-for-woocommerce
- Installations
- 1,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 1.3.26
- Severity Score
- Medium
- CVE
- 2023-32575
Radio Station

- Plugin Slug
- radio-station
- Installations
- 1,000+
- Vulnerability
- Reflected Cross Site Scripting (XSS)
- Patched in Version
- 2.5.0
- Severity Score
- High
- CVE
- 2023-32499
reCAPTCHA for all

- Plugin Slug
- recaptcha-for-all
- Installations
- 1,000+
- Vulnerability
- Broken Access Control
- Patched in Version
- 1.23
- Severity Score
- Medium
- CVE
- 2023-32599
WP Reactions Lite

- Plugin
- WP Reactions Lite
- Plugin Slug
- wp-reactions-lite
- Installations
- 1,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- 1.3.9
- Severity Score
- Medium
- CVE
- 2023-32587
Video Gallery

- Plugin
- Video Gallery
- Plugin Slug
- video-slider-with-thumbnails
- Installations
- 900+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 1.0.11
- Severity Score
- High
- CVE
- 2023-32597
Block Referer Spam

- Plugin
- Block Referer Spam
- Plugin Slug
- block-referer-spam
- Installations
- 800+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 1.1.9.5
- Severity Score
- Medium
- CVE
- 2023-32497
Team Circle Image Slider With Lightbox

- Plugin Slug
- circle-image-slider-with-lightbox
- Installations
- 600+
- Vulnerability
- Reflected Cross Site Scripting (XSS)
- Patched in Version
- 1.0.18
- Severity Score
- High
- CVE
- 2023-2604
Featured Image Pro Post Grid

- Plugin Slug
- featured-image-pro
- Installations
- 200+
- Vulnerability
- Reflected Cross Site Scripting (XSS)
- Patched in Version
- 5.15
- Severity Score
- High
- CVE
- 2023-32598
WP Replicate Post

- Plugin
- WP Replicate Post
- Plugin Slug
- wp-replicate-post
- Installations
- 200+
- Vulnerability
- Authenticated (Contributor+) SQL Injection
- Patched in Version
- 4.1
- Severity Score
- High
- CVE
- 2023-2237
Custom Base Terms

- Plugin
- Custom Base Terms
- Plugin Slug
- custom-base-terms
- Installations
- 100+
- Vulnerability
- Authenticated (Administrator+) Stored Cross-Site Scripting via ‘base’
- Patched in Version
- 1.0.3
- Severity Score
- Medium
Easy Form by AYS

- Plugin
- Easy Form by AYS
- Plugin Slug
- easy-form
- Installations
- 40+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 1.2.1
- Severity Score
- Medium
- CVE
- 2023-32498
Predictive Search

- Plugin
- Predictive Search
- Plugin Slug
- predictive-search
- Installations
- 10+
- Vulnerability
- Missing Authorization
- Patched in Version
- 1.2.3
- Severity Score
- Medium
AutomateWoo
- Plugin
- AutomateWoo
- Plugin Slug
- automatewoo
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- 5.7.2
- Severity Score
- Medium
- CVE
- 2023-32745
AutomateWoo
- Plugin
- AutomateWoo
- Plugin Slug
- automatewoo
- Vulnerability
- Shop Manager+ SQL Injection
- Patched in Version
- 5.7.2
- Severity Score
- High
- CVE
- 2023-32743
Essential Addons for Elementor Pro
- Plugin
- Essential Addons for Elementor Pro
- Plugin Slug
- essential-addons-elementor
- Vulnerability
- Reflected Cross Site Scripting (XSS)
- Patched in Version
- 5.4.9
- Severity Score
- High
- CVE
- 2023-32241
Essential Addons for Elementor Pro
- Plugin
- Essential Addons for Elementor Pro
- Plugin Slug
- essential-addons-elementor
- Vulnerability
- Unauthenticated Server Side Request Forgery (SSRF)
- Patched in Version
- 5.4.9
- Severity Score
- Medium
- CVE
- 2023-32245
QuBotChat
- Plugin Slug
- qubotchat
- Vulnerability
- Unauthenticated Stored Cross Site Scripting (XSS)
- Patched in Version
- 1.1.6
- Severity Score
- High
WooCommerce Bookings
- Plugin
- WooCommerce Bookings
- Plugin Slug
- woocommerce-bookings
- Vulnerability
- Insecure Direct Object References (IDOR)
- Patched in Version
- 1.15.79
- Severity Score
- Medium
- CVE
- 2023-32747
WooCommerce Brands
- Plugin
- WooCommerce Brands
- Plugin Slug
- woocommerce-brands
- Vulnerability
- Contributor+ Stored Cross Site Scripting (XSS)
- Patched in Version
- 1.6.46
- Severity Score
- Medium
- CVE
- 2023-32746
WooCommerce Composite Products
- Plugin
- WooCommerce Composite Products
- Plugin Slug
- woocommerce-composite-products
- Vulnerability
- Reflected Cross Site Scripting (XSS)
- Patched in Version
- 8.7.6
- Severity Score
- High
- CVE
- 2023-32801
WooCommerce Pre-Orders
- Plugin
- WooCommerce Pre-Orders
- Plugin Slug
- woocommerce-pre-orders
- Vulnerability
- Contributor+ Stored Cross Site Scripting (XSS)
- Patched in Version
- 2.0.1
- Severity Score
- Medium
- CVE
- 2023-32793
WooCommerce Pre-Orders
- Plugin
- WooCommerce Pre-Orders
- Plugin Slug
- woocommerce-pre-orders
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 2.0.0
- Severity Score
- High
- CVE
- 2023-32802
WooCommerce Product Add-ons
- Plugin
- WooCommerce Product Add-ons
- Plugin Slug
- woocommerce-product-addons
- Vulnerability
- Authenticated PHP Object Injection
- Patched in Version
- 6.2.0
- Severity Score
- High
- CVE
- 2023-32795
WooCommerce Product Add-ons
- Plugin
- WooCommerce Product Add-ons
- Plugin Slug
- woocommerce-product-addons
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- 6.2.0
- Severity Score
- Medium
- CVE
- 2023-32794
WooCommerce Product Recommendations
- Plugin
- WooCommerce Product Recommendations
- Plugin Slug
- woocommerce-product-recommendations
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- 2.3.0
- Severity Score
- Medium
- CVE
- 2023-32744
WooCommerce Ship to Multiple Addresses
- Plugin
- WooCommerce Ship to Multiple Addresses
- Plugin Slug
- woocommerce-shipping-multiple-addresses
- Vulnerability
- Insecure Direct Object References (IDOR)
- Patched in Version
- 3.8.4
- Severity Score
- Medium
- CVE
- 2023-32799
Woodmart Core
- Plugin
- Woodmart Core
- Plugin Slug
- woodmart-core
- Vulnerability
- Privilege Escalation
- Patched in Version
- 1.0.37
- Severity Score
- Critical
- CVE
- 2023-32244
Woodmart Core
- Plugin
- Woodmart Core
- Plugin Slug
- woodmart-core
- Vulnerability
- PHP Object Injection
- Patched in Version
- 1.0.37
- Severity Score
- Critical
- CVE
- 2023-32242
Yoast SEO Premium
- Plugin
- Yoast SEO Premium
- Plugin Slug
- wordpress-seo-premium
- Vulnerability
- Unauthenticated Zapier API Key Reset
- Patched in Version
- 20.5
- Severity Score
- Medium
- CVE
- 2023-28775
Predictive Search
- Plugin
- E-Commerce Predictive Search
- Plugin Slug
- wp-e-commerce-predictive-search
- Vulnerability
- Missing Authorization
- Patched in Version
- 1.2.3
- Severity Score
- Medium
Yoast SEO: Local
- Plugin
- Yoast SEO: Local
- Plugin Slug
- wpseo-local
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- 14.9
- Severity Score
- Medium
- CVE
- 2023-28780
Yoast SEO: Local
- Plugin
- Yoast SEO: Local
- Plugin Slug
- wpseo-local
- Vulnerability
- Reflected Cross Site Scripting (XSS)
- Patched in Version
- 14.9
- Severity Score
- High
- CVE
- 2023-32300
YITH WooCommerce Gift Cards Premium
- Plugin
- YITH WooCommerce Gift Cards Premium
- Plugin Slug
- yith-woocommerce-gift-cards-premium
- Vulnerability
- Unauth. Gift Card Creation Leading to Stored XSS
- Patched in Version
- 3.24.0
- Severity Score
- Medium
- CVE
- 2022-44633
WordPress Plugin Vulnerabilities – No Known Fix
This section contains plugin vulnerabilities with no known fix. Until a patch is available, you are advised to deactivate the plugin, at minimum, immediately. If there is a high risk of active exploits or the plugin remains unpatched for weeks, you are advised to delete the plugin. You should also delete persistently unpatched plugins the WordPress.org repository has locked and marked “Closed” so they can no longer be downloaded and installed.
Quick Page/Post Redirect Plugin

- Plugin Slug
- quick-pagepost-redirect-plugin
- Installations
- 100,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-25063
Bookly

- Plugin Slug
- bookly-responsive-appointment-booking-tool
- Installations
- 60,000+
- Vulnerability
- Arbitrary File Deletion
- Patched in Version
- No Fix
- Severity Score
- High
- CVE
- 2023-26526
Link Whisper Free

- Plugin
- Link Whisper Free
- Plugin Slug
- link-whisper
- Installations
- 20,000+
- Vulnerability
- Unauthenticated Broken Access Control
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-32506
WP-Chatbot for Messenger

- Plugin
- WP-Chatbot for Messenger
- Plugin Slug
- wp-chatbot
- Installations
- 8,000+
- Vulnerability
- Broken Access Control
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-32581
Google Site Verification plugin using Meta Tag

- Plugin Slug
- google-site-verification-using-meta-tag
- Installations
- 6,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-32514
SoundCloud Is Gold

- Plugin
- SoundCloud Is Gold
- Plugin Slug
- soundcloud-is-gold
- Installations
- 6,000+
- Vulnerability
- Broken Access Control
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-32586
MailChimp Subscribe Forms

- Plugin Slug
- mailchimp-subscribe-sm
- Installations
- 5,000+
- Vulnerability
- Open Redirection
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-32517
WP Category Post List Widget

- Plugin Slug
- wp-category-posts-list
- Installations
- 4,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-23828
Add Posts to Pages

- Plugin
- Add Posts to Pages
- Plugin Slug
- add-posts-to-pages
- Installations
- 3,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-23826
Button

- Plugin
- Button
- Plugin Slug
- button
- Installations
- 3,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-23871
Owl Carousel

- Plugin
- Owl Carousel
- Plugin Slug
- owl-carousel
- Installations
- 3,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-23829
Pinterest RSS Widget

- Plugin
- Pinterest RSS Widget
- Plugin Slug
- pinterest-rss-widget
- Installations
- 3,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-23877
WCP Contact Form

- Plugin
- WCP Contact Form
- Plugin Slug
- wcp-contact-form
- Installations
- 3,000+
- Vulnerability
- Broken Access Control
- Patched in Version
- No Fix
- Severity Score
- High
- CVE
- 2023-32520
WCP Contact Form

- Plugin
- WCP Contact Form
- Plugin Slug
- wcp-contact-form
- Installations
- 3,000+
- Vulnerability
- Broken Access Control
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-32519
Portfolio Gallery – Responsive Image Gallery

- Plugin Slug
- gallery-portfolio
- Installations
- 2,000+
- Vulnerability
- Broken Access Control
- Patched in Version
- No Fix
- Severity Score
- High
- CVE
- 2023-32585
Hyphenator

- Plugin
- Hyphenator
- Plugin Slug
- hyphenator
- Installations
- 2,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-32594
Woo Custom Emails

- Plugin
- Woo Custom Emails
- Plugin Slug
- woo-custom-emails
- Installations
- 2,000+
- Vulnerability
- Broken Access Control
- Patched in Version
- No Fix
- Severity Score
- High
- CVE
- 2023-32507
Booking Ultra Pro Appointments Booking Calendar Plugin

- Plugin Slug
- booking-ultra-pro
- Installations
- 1,000+
- Vulnerability
- Broken Access Control
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-32601
Booking Ultra Pro Appointments Booking Calendar Plugin

- Plugin Slug
- booking-ultra-pro
- Installations
- 1,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- High
- CVE
- 2023-32511
Column-Matic

- Plugin
- Column-Matic
- Plugin Slug
- column-matic
- Installations
- 1,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-32578
DevBuddy Twitter Feed
- Plugin
- DevBuddy Twitter Feed
- Plugin Slug
- devbuddy-twitter-feed
- Installations
- 1,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-32577
Iframe Popup

- Plugin
- iframe popup
- Plugin Slug
- iframe-popup
- Installations
- 1,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-24394
Order Your Posts Manually

- Plugin Slug
- order-your-posts-manually
- Installations
- 1,000+
- Vulnerability
- Reflected Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- High
- CVE
- 2023-32510
Order Your Posts Manually

- Plugin Slug
- order-your-posts-manually
- Installations
- 1,000+
- Vulnerability
- Reflected Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- High
- CVE
- 2023-32509
Order Your Posts Manually

- Plugin Slug
- order-your-posts-manually
- Installations
- 1,000+
- Vulnerability
- SQL Injection
- Patched in Version
- No Fix
- Severity Score
- High
- CVE
- 2023-32508
Post State Tags

- Plugin
- Post State Tags
- Plugin Slug
- post-state-tags
- Installations
- 1,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-32588
Donations Made Easy – Smart Donations

- Plugin Slug
- smart-donations
- Installations
- 1,000+
- Vulnerability
- Reflected Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- High
- CVE
- 2023-32603
WP All Backup

- Plugin
- WP All Backup
- Plugin Slug
- wp-all-backup
- Installations
- 1,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-32583
WP Chinese Conversion
- Plugin
- WP Chinese Conversion
- Plugin Slug
- wp-chinese-conversion
- Installations
- 1,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- High
- CVE
- 2023-32518
itemprop WP for SERP/SEO Rich snippets
- Plugin Slug
- itempropwp
- Installations
- 800+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-23819
WP Register Profile With Shortcode

- Plugin Slug
- wp-register-profile-with-shortcode
- Installations
- 800+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-23818
Whydonate

- Plugin Slug
- wp-whydonate
- Installations
- 700+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-29238
Newsletter Popup

- Plugin
- Newsletter Popup
- Plugin Slug
- newsletter-popup
- Installations
- 600+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- High
- CVE
- 2023-0733
Newsletter Popup

- Plugin
- Newsletter Popup
- Plugin Slug
- newsletter-popup
- Installations
- 600+
- Vulnerability
- Record Deletion via CSRF
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-0766
WP Multi Store Locator

- Plugin
- WP Multi Store Locator
- Plugin Slug
- wp-multi-store-locator
- Installations
- 500+
- Vulnerability
- Contributor+ Stored XSS
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-0152
WP Abstracts

- Plugin
- WP Abstracts
- Plugin Slug
- wp-abstracts-manuscripts-manager
- Installations
- 400+
- Vulnerability
- Reflected Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- High
- CVE
- 2023-29385
Add to Feedly

- Plugin
- Add to Feedly
- Plugin Slug
- add-to-feedly
- Installations
- 100+
- Vulnerability
- Admin+ Stored XSS
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-2470
CALL ME NOW

- Plugin
- CALL ME NOW
- Plugin Slug
- lokalyze-call-now
- Installations
- 100+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-32602
Dyslexiefont Free

- Plugin
- Dyslexiefont Free
- Plugin Slug
- dyslexiefont
- Installations
- 50+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-32589
Don8

- Plugin
- Don8
- Plugin Slug
- don8
- Installations
- 10+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-32582
Sunny Search
- Plugin
- Sunny Search
- Plugin Slug
- fast-search-powered-by-solr
- Installations
- 10+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-32595
Sunny Search
- Plugin
- Sunny Search
- Plugin Slug
- fast-search-powered-by-solr
- Installations
- 10+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-32592
AP Pricing Tables Lite
- Plugin
- AP Pricing Tables Lite
- Plugin Slug
- ap-pricing-tables-lite
- Vulnerability
- Admin+ SQLi
- Patched in Version
- No Fix
- Severity Score
- High
- CVE
- 2023-0900
DBargain

- Plugin
- DBargain
- Plugin Slug
- d-bargain
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-32591
eBecas

- Plugin
- eBecas
- Plugin Slug
- ebecas
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-32584
Get Your Number
- Plugin
- Get Your Number
- Plugin Slug
- get-your-number
- Vulnerability
- Admin+ Stored XSS
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-2634
LetterPress

- Plugin Slug
- letterpress
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-27415
Notify visitors lead form

- Plugin Slug
- notifyvisitors-lead-form
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-27426
weebotLite
- Plugin
- weebotLite
- Plugin Slug
- weebotlite
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
- CVE
- 2023-32596
WordPress Theme Vulnerabilities
In this section, you’ll find the latest WordPress theme vulnerabilities to be disclosed. You’ll see the same information provided above for vulnerable plugins, and the same advice applies. If a security update exists, install it immediately. If a vulnerability remains unpatched in a theme you are actively using, you will need to find an alternative theme. Deactivate and delete persistently unpatched themes and those that have been “Closed” in the WordPress.org theme repository. If you have a vulnerable theme installed that you are not actively using, simply delete it.
Divi
- Theme
- Divi
- Theme Slug
- divi
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 4.20.3
- Severity Score
- Medium
- CVE
- 2023-29099
Flatsome
- Theme
- Flatsome
- Theme Slug
- flatsome
- Vulnerability
- Reflected Cross Site Scripting (XSS)
- Patched in Version
- 3.17.0
- Severity Score
- High
- CVE
- 2023-28994
WoodMart
- Theme
- WoodMart
- Theme Slug
- woodmart
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- 7.1.2
- Severity Score
- Medium
- CVE
- 2023-32500
Woodmart
- Theme
- WoodMart
- Theme Slug
- woodmart
- Vulnerability
- Broken Access Control
- Patched in Version
- 7.2.2
- Severity Score
- Medium
- CVE
- 2023-32240
Woodmart
- Theme
- WoodMart
- Theme Slug
- woodmart
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 7.2.2
- Severity Score
- Medium
- CVE
- 2023-32239
Never worry about running a vulnerable plugin or theme again.
As you can see from this report, new WordPress plugin and theme vulnerabilities are disclosed every week. We know it can be difficult to stay on top of every reported vulnerability disclosure that matters to you, so the Themes Security Pro plugin makes it easy to ensure your site isn’t running a vulnerable theme, plugin, or version of WordPress core.
The Best WordPress Security Plugin to Secure & Protect WordPress Sites
WordPress currently powers over 40% of all websites, so it has become a popular target for hackers with malicious intent. The iThemes Security Pro plugin takes the guesswork out of WordPress security to make it easy to secure & protect your WordPress website. It’s like having a full-time security expert on staff who constantly monitors and protects your WordPress site for you.

Dan Knauss is StellarWP’s Technical Content Generalist. He’s been a writer, teacher, and freelancer working in open source since the late 1990s and with WordPress since 2004.