WordPress News and Updates from iThemes

WordPress Vulnerability Report – May 24, 2023

Written by Dan Knauss on May 24, 2023

Last Updated on May 25, 2023

On May 20, 2023, WordPress 6.2.2 was released to address a regression — a bug introduced in 6.2.1 that broke shortcode functionality — as well as a security issue. Because 6.2.2 is a security release, you should update your sites immediately. All versions since WordPress 5.9 have also been updated. The next major version of WordPress core slated for an August release will be 6.3.

WordPress core has been updated to fix 6 vulnerabilities disclosed with its 6.2.1 and 6.2.2 releases. In the plugin and theme ecosystem, 97 vulnerabilities in total were publicly disclosed. They may affect over 5 million WordPress sites. Of those, 64 plugin vulnerabilities have security patches available.

Additionally, there are 22 plugin vulnerabilities and 11 theme vulnerabilities with no patch available yet. If you are using any unpatched plugins or themes, check their vendors’ intentions and progress on a security release. If no patch is forthcoming or the vulnerable software has been closed and dropped from the official WordPress theme and plugin repositories, you should consider deactivation and removal in favor of alternative solutions.

WordPress Core Vulnerabilities — Patched

WordPress Core

Vulnerability
Unauth. Shortcode Execution
Patched in Version
6.2.2
Severity Score
Medium
The vulnerability has been patched, so you should update to version 6.2.2.

WordPress Core

Vulnerability
Insufficient Sanitization of Block Attributes
Patched in Version
6.2.1
Severity Score
Medium
The vulnerability has been patched, so you should update to version 6.2.1.

WordPress Core

Vulnerability
Auth. Stored Cross-Site Scripting (XSS)
Patched in Version
6.2.1
Severity Score
Medium
The vulnerability has been patched, so you should update to version 6.2.1.

WordPress Core

Vulnerability
Unauth. Shortcode Execution
Patched in Version
6.2.1
Severity Score
Medium
The vulnerability has been patched, so you should update to version 6.2.1.

WordPress Core

Vulnerability
Unauth. Directory Traversal
Patched in Version
6.2.1
Severity Score
Medium
CVE
2023-2745
The vulnerability has been patched, so you should update to version 6.2.1.

WordPress Core

Vulnerability
Cross Site Request Forgery (CSRF)
Patched in Version
6.2.1
Severity Score
Medium
The vulnerability has been patched, so you should update to version 6.2.1.

WordPress core is very secure when it’s properly configured and maintained. Vulnerable plugins that have not been updated by site owners are the most common vector for attacks on WordPress websites. Our weekly WordPress Vulnerability Report, powered by Patchstack, covers new WordPress plugin, theme, and core vulnerabilities that have emerged since last week’s report. Our goal is to spread awareness of emerging security threats and help you decide what to do if you are using vulnerable software on your website. For a deeper analysis of recent trends in WordPress vulnerabilities and threat vectors, see our 2022 Annual Vulnerability Report.

Contents of the May 24, 2023 Report
  1. WordPress Core Vulnerabilities – Patched
    1. WordPress Core
    2. WordPress Core
    3. WordPress Core
    4. WordPress Core
    5. WordPress Core
    6. WordPress Core
  2. WordPress Plugin Vulnerabilities – Patched
    1. UpdraftPlus
    2. PixelYourSite
    3. Chaty
    4. Simple Page Ordering
    5. Unlimited Elements For Elementor
    6. Performance Lab
    7. Contact Form Entries
    8. Contact Form Entries
    9. WP-Matomo Integration (WP-Piwik)
    10. Ultimate Dashboard
    11. Better Notifications for WP
    12. JetFormBuilder
    13. BEAR
    14. AI Engine: ChatGPT Chatbot
    15. Contact Form by Supsystic
    16. Custom 404 Pro
    17. RegistrationMagic
    18. Unite Gallery Lite
    19. WP SMS
    20. PluginOps Optin Builder
    21. WP Custom Cursors
    22. Bit Form
    23. Groundhogg
    24. Groundhogg
    25. Groundhogg
    26. OTP Login Woocommerce & Gravity Forms
    27. Multiple Page Generator Plugin
    28. Multiple Page Generator Plugin
    29. Predictive Search for WooCommerce
    30. video carousel slider with lightbox
    31. Zotpress
    32. BP Social Connect
    33. EventPrime
    34. EventPrime
    35. Novelist
    36. reCAPTCHA for all
    37. Smart App Banner
    38. WIP Custom Login
    39. WishSuite – Wishlist for WooCommerce
    40. WooDiscuz – WooCommerce Comments
    41. Video Gallery
    42. Predictive Search
    43. Ricerca smart and advanced search
    44. AutomateWoo
    45. AutomateWoo
    46. Duplicator Pro
    47. Essential Addons for Elementor Pro
    48. Essential Addons for Elementor Pro
    49. Rank Math SEO PRO
    50. LearnDash LMS
    51. WooCommerce Bookings
    52. WooCommerce Brands
    53. WooCommerce Composite Products
    54. WooCommerce Follow-Up Emails
    55. WooCommerce Follow-Up Emails
    56. WooCommerce Follow-Up Emails
    57. WooCommerce Pre-Orders
    58. WooCommerce Pre-Orders
    59. WooCommerce Product Add-ons
    60. WooCommerce Product Add-ons
    61. WooCommerce Product Recommendations
    62. WooCommerce Ship to Multiple Addresses
    63. WooCommerce Warranty Requests
    64. Predictive Search
  3. WordPress Plugin Vulnerabilities – Unpatched
    1. Easy Forms for Mailchimp
    2. Scripts n Styles
    3. Easing Slider
    4. WP htaccess Control
    5. Custom Post Type Generator
    6. Leyka
    7. Leyka
    8. Baidu Tongji generator
    9. Easy Captcha
    10. Easy Captcha
    11. Stop Referrer Spam
    12. WP-Hijri
    13. Front End Users
    14. Cookie Monster
    15. Jazz Popups
    16. Jazz Popups
    17. WP Multi Store Locator
    18. File Away
    19. nuajik CDN
    20. SEO Change Monitor
    21. Waiting: One-click countdowns
    22. WeSecur Security
  4. WordPress Theme Vulnerabilities
    1. SparkleStore
    2. MetroStore
    3. BuzzStore
    4. SpiderMag
    5. Craft Blog
    6. Kingcabs
    7. Medical Heed
    8. Appzend
    9. Fitness Park
    10. Kathmag
    11. Online eStore
  5. The Best WordPress Security Plugin to Secure & Protect WordPress Sites

These reports are published every Wednesday and include all active vulnerabilities tracked by Patchstack as of Monday since the previous report. This leaves a 48-hour window for the newest emerging vulnerabilities to be patched before full public disclosure. iThemes Security Pro users have access to vulnerability alerts emerging within this window.


WordPress Plugin Vulnerabilities — Patched

In this section, you’ll find the most recently disclosed WordPress plugin vulnerabilities that have been fixed with a new release from their authors and maintainers. Please apply the updates if you are affected!

These vulnerabilities have been disclosed and scored for their severity, thanks to our friends at Patchstack. Each plugin listing includes the type of vulnerability, its CVE number, and its CVSS severity rating, with links to more technical details. You’ll also see the number of active sites using the plugin and the plugin version that patches the vulnerability. We start with the most popular plugins, which represent the largest target for attackers.

UpdraftPlus

Plugin
UpdraftPlus WordPress Backup Plugin
Plugin Slug
updraftplus
Installations
3,000,000+
Vulnerability
CSRF lead to wp-admin Site Wide XSS
Patched in Version
1.23.4
Severity Score
High
CVE
2023-32960
The vulnerability has been patched, so you should update to version 1.23.4.

PixelYourSite

Plugin
PixelYourSite – Your smart PIXEL (TAG) Manager
Plugin Slug
pixelyoursite
Installations
400,000+
Vulnerability
Authenticated (Administrator+) Stored Cross-Site Scripting
Patched in Version
9.3.7
Severity Score
Medium
CVE
2023-2584
The vulnerability has been patched, so you should update to version 9.3.7.

Chaty

Plugin
Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button – Chaty
Plugin Slug
chaty
Installations
200,000+
Vulnerability
Cross Site Scripting (XSS)
Patched in Version
3.1
Severity Score
High
CVE
2023-25019
The vulnerability has been patched, so you should update to version 3.1.

Simple Page Ordering

Plugin
Simple Page Ordering
Plugin Slug
simple-page-ordering
Installations
200,000+
Vulnerability
Broken Access Control
Patched in Version
2.5.1
Severity Score
Medium
CVE
2023-32798
The vulnerability has been patched, so you should update to version 2.5.1.

Unlimited Elements For Elementor

Plugin
Unlimited Elements For Elementor (Free Widgets, Addons, Templates)
Plugin Slug
unlimited-elements-for-elementor
Installations
200,000+
Vulnerability
Unrestricted Zip Extraction
Patched in Version
1.5.61
Severity Score
Critical
CVE
2023-31090
The vulnerability has been patched, so you should update to version 1.5.61.

Performance Lab

Plugin
Performance Lab
Plugin Slug
performance-lab
Installations
70,000+
Vulnerability
Cross Site Request Forgery (CSRF)
Patched in Version
2.3.0
Severity Score
Medium
CVE
2022-47174
The vulnerability has been patched, so you should update to version 2.3.0.

Contact Form Entries

Plugin
Contact Form Entries – Contact Form 7, WPforms and more
Plugin Slug
contact-form-entries
Installations
60,000+
Vulnerability
Cross Site Scripting (XSS)
Patched in Version
1.3.1
Severity Score
Medium
CVE
2023-33311
The vulnerability has been patched, so you should update to version 1.3.1.

Contact Form Entries

Plugin
Contact Form Entries – Contact Form 7, WPforms and more
Plugin Slug
contact-form-entries
Installations
60,000+
Vulnerability
SQL Injection
Patched in Version
1.3.1
Severity Score
High
CVE
2023-31212
The vulnerability has been patched, so you should update to version 1.3.1.

WP-Matomo Integration (WP-Piwik)

Plugin
WP-Matomo Integration (WP-Piwik)
Plugin Slug
wp-piwik
Installations
60,000+
Vulnerability
Cross Site Scripting (XSS)
Patched in Version
1.0.28
Severity Score
Medium
CVE
2023-33211
The vulnerability has been patched, so you should update to version 1.0.28.

Ultimate Dashboard

Plugin
Ultimate Dashboard – Custom WordPress Dashboard
Plugin Slug
ultimate-dashboard
Installations
50,000+
Vulnerability
Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Patched in Version
3.7.6
Severity Score
Medium
The vulnerability has been patched, so you should update to version 3.7.6.

Better Notifications for WP

Plugin
Customize WordPress Emails and Alerts – Better Notifications for WP
Plugin Slug
bnfw
Installations
40,000+
Vulnerability
Cross Site Request Forgery (CSRF)
Patched in Version
1.9.3
Severity Score
Medium
CVE
2023-32964
The vulnerability has been patched, so you should update to version 1.9.3.

JetFormBuilder

Plugin
JetFormBuilder — Dynamic Blocks Form Builder
Plugin Slug
jetformbuilder
Installations
30,000+
Vulnerability
Cross Site Request Forgery (CSRF)
Patched in Version
3.0.7
Severity Score
Medium
CVE
2023-33212
The vulnerability has been patched, so you should update to version 3.0.7.

BEAR

Plugin
BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net
Plugin Slug
woo-bulk-editor
Installations
30,000+
Vulnerability
Cross Site Request Forgery (CSRF)
Patched in Version
1.1.3.2
Severity Score
Medium
CVE
2023-33314
The vulnerability has been patched, so you should update to version 1.1.3.2.

AI Engine: ChatGPT Chatbot

Plugin
AI Engine: ChatGPT Chatbot, Content Generator, GPT 3 & 4, Ultra-Customizable
Plugin Slug
ai-engine
Installations
20,000+
Vulnerability
Authenticated (Admin+) Stored Cross-Site Scripting
Patched in Version
1.6.83
Severity Score
Medium
The vulnerability has been patched, so you should update to version 1.6.83.

Contact Form by Supsystic

Plugin
Contact Form by Supsystic
Plugin Slug
contact-form-by-supsystic
Installations
10,000+
Vulnerability
Cross-Site Request Forgery via AJAX action
Patched in Version
1.7.25
Severity Score
Medium
CVE
2023-2528
The vulnerability has been patched, so you should update to version 1.7.25.

Custom 404 Pro

Plugin
Custom 404 Pro
Plugin Slug
custom-404-pro
Installations
10,000+
Vulnerability
Reflected Cross Site Scripting (XSS)
Patched in Version
3.8.2
Severity Score
Medium
CVE
2023-32740
The vulnerability has been patched, so you should update to version 3.8.2.

RegistrationMagic

Plugin
RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login
Plugin Slug
custom-registration-form-builder-with-submission-manager
Installations
10,000+
Vulnerability
Authentication Bypass
Patched in Version
5.2.1.1
Severity Score
Critical
CVE
2023-2499
The vulnerability has been patched, so you should update to version 5.2.1.1.

Unite Gallery Lite

Plugin
Unite Gallery Lite
Plugin Slug
unite-gallery-lite
Installations
10,000+
Vulnerability
Local File Inclusion
Patched in Version
1.7.60
Severity Score
Medium
CVE
2023-33310
The vulnerability has been patched, so you should update to version 1.7.60.

WP SMS

Plugin
WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc
Plugin Slug
wp-sms
Installations
9,000+
Vulnerability
Cross Site Scripting (XSS)
Patched in Version
6.1.5
Severity Score
High
CVE
2023-32742
The vulnerability has been patched, so you should update to version 6.1.5.

PluginOps Optin Builder

Plugin
MailChimp Subscribe Form, Optin Builder, PopUp Builder, Form Builder
Plugin Slug
mailchimp-subscribe-sm
Installations
5,000+
Vulnerability
Cross Site Scripting (XSS)
Patched in Version
4.0.9.2
Severity Score
Medium
CVE
2023-33328
The vulnerability has been patched, so you should update to version 4.0.9.2.

WP Custom Cursors

Plugin
WP Custom Cursors | WordPress Cursor Plugin
Plugin Slug
wp-custom-cursors
Installations
4,000+
Vulnerability
Cross Site Request Forgery (CSRF)
Patched in Version
3.2
Severity Score
Medium
CVE
2023-32739
The vulnerability has been patched, so you should update to version 3.2.

Bit Form

Plugin
Bit Form – Contact Form Plugin for WordPress: Drag & Drop, Responsive, Payment Form & Custom Form Builder
Plugin Slug
bit-form
Installations
2,000+
Vulnerability
Remote Code Execution (RCE) via Unauthenticated Arbitrary File Upload
Patched in Version
1.9
Severity Score
Critical
CVE
2022-4774
The vulnerability has been patched, so you should update to version 1.9.

Groundhogg

Plugin
WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg
Plugin Slug
groundhogg
Installations
2,000+
Vulnerability
Cross Site Request Forgery (CSRF) to Privilege Escalation
Patched in Version
2.7.10
Severity Score
High
CVE
2023-2736
The vulnerability has been patched, so you should update to version 2.7.10.

Groundhogg

Plugin
WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg
Plugin Slug
groundhogg
Installations
2,000+
Vulnerability
Multiple Missing Authorization
Patched in Version
2.7.10
Severity Score
Medium
CVE
2023-2716
The vulnerability has been patched, so you should update to version 2.7.10.

Groundhogg

Plugin
WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg
Plugin Slug
groundhogg
Installations
2,000+
Vulnerability
Auth. Stored Cross-Site Scripting (XSS)
Patched in Version
2.7.10
Severity Score
Medium
CVE
2023-2735
The vulnerability has been patched, so you should update to version 2.7.10.

OTP Login Woocommerce & Gravity Forms

Plugin
OTP Login Woocommerce & Gravity Forms
Plugin Slug
mobile-login-woocommerce
Installations
2,000+
Vulnerability
Authentication Bypass to Privilege Escalation
Patched in Version
2.3
Severity Score
High
CVE
2023-2706
The vulnerability has been patched, so you should update to version 2.3.

Multiple Page Generator Plugin

Plugin
Multiple Page Generator Plugin – MPG
Plugin Slug
multiple-pages-generator-by-porthas
Installations
2,000+
Vulnerability
Authenticated (Administrator+) SQL Injection
Patched in Version
3.3.18
Severity Score
High
CVE
2023-2607
The vulnerability has been patched, so you should update to version 3.3.18.

Multiple Page Generator Plugin

Plugin
Multiple Page Generator Plugin – MPG
Plugin Slug
multiple-pages-generator-by-porthas
Installations
2,000+
Vulnerability
Cross Site Request Forgery (CSRF)
Patched in Version
3.3.18
Severity Score
Medium
CVE
2023-2608
The vulnerability has been patched, so you should update to version 3.3.18.

Predictive Search for WooCommerce

Plugin
Predictive Search for WooCommerce
Plugin Slug
woocommerce-predictive-search
Installations
2,000+
Vulnerability
Broken Access Control
Patched in Version
5.8.1
Severity Score
Medium
CVE
2023-32963
The vulnerability has been patched, so you should update to version 5.8.1.

video carousel slider with lightbox

Plugin
video carousel slider with lightbox
Plugin Slug
wp-responsive-video-gallery-with-lightbox
Installations
2,000+
Vulnerability
Cross Site Scripting (XSS)
Patched in Version
1.0.23
Severity Score
High
CVE
2023-32797
The vulnerability has been patched, so you should update to version 1.0.23.

Zotpress

Plugin
Zotpress
Plugin Slug
zotpress
Installations
2,000+
Vulnerability
Cross Site Scripting (XSS)
Patched in Version
7.3.4
Severity Score
High
CVE
2023-32961
The vulnerability has been patched, so you should update to version 7.3.4.

BP Social Connect

Plugin
BP Social Connect
Plugin Slug
bp-social-connect
Installations
1,000+
Vulnerability
Authentication Bypass
Patched in Version
1.6.2
Severity Score
High
CVE
2023-2704
The vulnerability has been patched, so you should update to version 1.6.2.

EventPrime

Plugin
EventPrime – Modern Events Calendar, Bookings and Tickets
Plugin Slug
eventprime-event-calendar-management
Installations
1,000+
Vulnerability
Sensitive Data Exposure
Patched in Version
3.0.0
Severity Score
Medium
CVE
2023-33321
The vulnerability has been patched, so you should update to version 3.0.0.

EventPrime

Plugin
EventPrime – Modern Events Calendar, Bookings and Tickets
Plugin Slug
eventprime-event-calendar-management
Installations
1,000+
Vulnerability
Reflected Cross Site Scripting (XSS)
Patched in Version
3.0.0
Severity Score
High
CVE
2023-33326
The vulnerability has been patched, so you should update to version 3.0.0.

Novelist

Plugin
Novelist
Plugin Slug
novelist
Installations
1,000+
Vulnerability
Cross Site Scripting (XSS)
Patched in Version
1.2.1
Severity Score
Medium
CVE
2023-32958
The vulnerability has been patched, so you should update to version 1.2.1.

reCAPTCHA for all

Plugin
reCAPTCHA and Cloudflare Turnstile For All Pages, to Block Spam and Hackers Attack, Block Visitors from China
Plugin Slug
recaptcha-for-all
Installations
1,000+
Vulnerability
Broken Access Control
Patched in Version
1.23
Severity Score
Medium
CVE
2023-32599
The vulnerability has been patched, so you should update to version 1.23.

Smart App Banner

Plugin
Smart App Banner
Plugin Slug
smart-app-banner
Installations
1,000+
Vulnerability
Cross Site Request Forgery (CSRF)
Patched in Version
1.1.3
Severity Score
Medium
CVE
2023-33315
The vulnerability has been patched, so you should update to version 1.1.3.

WIP Custom Login

Plugin
WIP Custom Login
Plugin Slug
wip-custom-login
Installations
1,000+
Vulnerability
Cross Site Request Forgery (CSRF)
Patched in Version
1.3.0
Severity Score
Medium
CVE
2023-33313
The vulnerability has been patched, so you should update to version 1.3.0.

WishSuite – Wishlist for WooCommerce

Plugin
WishSuite – Wishlist for WooCommerce
Plugin Slug
wishsuite
Installations
1,000+
Vulnerability
Cross Site Scripting (XSS)
Patched in Version
1.3.5
Severity Score
Medium
CVE
2023-32962
The vulnerability has been patched, so you should update to version 1.3.5.

WooDiscuz – WooCommerce Comments

Plugin
WooDiscuz – WooCommerce Comments
Plugin Slug
woodiscuz-woocommerce-comments
Installations
1,000+
Vulnerability
Cross Site Scripting (XSS)
Patched in Version
2.3.0
Severity Score
Medium
CVE
2023-33216
The vulnerability has been patched, so you should update to version 2.3.0.

Video Gallery

Plugin
Video Gallery
Plugin Slug
video-slider-with-thumbnails
Installations
900+
Vulnerability
Cross Site Scripting (XSS)
Patched in Version
1.0.11
Severity Score
High
CVE
2023-32597
The vulnerability has been patched, so you should update to version 1.0.11.

Predictive Search

Plugin
Predictive Search
Plugin Slug
predictive-search
Installations
20+
Vulnerability
Missing Authorization
Patched in Version
1.2.3
Severity Score
Medium
The vulnerability has been patched, so you should update to version 1.2.3.

Ricerca smart and advanced search

Plugin
Ricerca – advanced search
Plugin Slug
ricerca-smart-search
Installations
20+
Vulnerability
Cross Site Request Forgery (CSRF)
Patched in Version
1.0.16
Severity Score
Medium
The vulnerability has been patched, so you should update to version 1.0.16.

AutomateWoo

Plugin
AutomateWoo
Plugin Slug
automatewoo
Vulnerability
Cross Site Request Forgery (CSRF)
Patched in Version
5.7.2
Severity Score
Medium
CVE
2023-32745
The vulnerability has been patched, so you should update to version 5.7.2.

AutomateWoo

Plugin
AutomateWoo
Plugin Slug
automatewoo
Vulnerability
Manager+ SQL Injection
Patched in Version
5.7.2
Severity Score
High
CVE
2023-32743
The vulnerability has been patched, so you should update to version 5.7.2.

Duplicator Pro

Plugin
Duplicator Pro
Plugin Slug
duplicator-pro
Vulnerability
Cross Site Scripting (XSS)
Patched in Version
4.5.11.1
Severity Score
High
CVE
2023-33309
The vulnerability has been patched, so you should update to version 4.5.11.1.

Essential Addons for Elementor Pro

Plugin
Essential Addons for Elementor Pro
Plugin Slug
essential-addons-elementor
Vulnerability
Reflected Cross Site Scripting (XSS)
Patched in Version
5.4.9
Severity Score
High
CVE
2023-32241
The vulnerability has been patched, so you should update to version 5.4.9.

Essential Addons for Elementor Pro

Plugin
Essential Addons for Elementor Pro
Plugin Slug
essential-addons-elementor
Vulnerability
Unauthenticated Server Side Request Forgery (SSRF)
Patched in Version
5.4.9
Severity Score
Medium
CVE
2023-32245
The vulnerability has been patched, so you should update to version 5.4.9.

Rank Math SEO PRO

Plugin
Rank Math SEO PRO
Plugin Slug
seo-by-rank-math-pro
Vulnerability
Reflected Cross Site Scripting (XSS)
Patched in Version
3.0.36
Severity Score
High
CVE
2023-32800
The vulnerability has been patched, so you should update to version 3.0.36.

LearnDash LMS

Plugin
LearnDash LMS
Plugin Slug
sfwd-lms
Vulnerability
Auth. SQL Injection (SQLi)
Patched in Version
4.5.3.1
Severity Score
High
CVE
2023-28777
The vulnerability has been patched, so you should update to version 4.5.3.1.

WooCommerce Bookings

Plugin
WooCommerce Bookings
Plugin Slug
woocommerce-bookings
Vulnerability
Insecure Direct Object References (IDOR)
Patched in Version
1.15.79
Severity Score
Medium
CVE
2023-32747
The vulnerability has been patched, so you should update to version 1.15.79.

WooCommerce Brands

Plugin
WooCommerce Brands
Plugin Slug
woocommerce-brands
Vulnerability
Contributor+ Stored Cross Site Scripting (XSS)
Patched in Version
1.6.46
Severity Score
Medium
CVE
2023-32746
The vulnerability has been patched, so you should update to version 1.6.46.

WooCommerce Composite Products

Plugin
WooCommerce Composite Products
Plugin Slug
woocommerce-composite-products
Vulnerability
Reflected Cross Site Scripting (XSS)
Patched in Version
8.7.6
Severity Score
High
CVE
2023-32801
The vulnerability has been patched, so you should update to version 8.7.6.

WooCommerce Follow-Up Emails

Plugin
WooCommerce Follow-Up Emails
Plugin Slug
woocommerce-follow-up-emails
Vulnerability
Arbitrary File Upload
Patched in Version
4.9.50
Severity Score
Critical
CVE
2023-33318
The vulnerability has been patched, so you should update to version 4.9.50.

WooCommerce Follow-Up Emails

Plugin
WooCommerce Follow-Up Emails
Plugin Slug
woocommerce-follow-up-emails
Vulnerability
Reflected Cross Site Scripting (XSS)
Patched in Version
4.9.50
Severity Score
High
CVE
2023-33319
The vulnerability has been patched, so you should update to version 4.9.50.

WooCommerce Follow-Up Emails

Plugin
WooCommerce Follow-Up Emails
Plugin Slug
woocommerce-follow-up-emails
Vulnerability
Multiple Cross Site Request Forgery (CSRF)
Patched in Version
4.9.50
Severity Score
Medium
CVE
2023-33316
The vulnerability has been patched, so you should update to version 4.9.50.

WooCommerce Pre-Orders

Plugin
WooCommerce Pre-Orders
Plugin Slug
woocommerce-pre-orders
Vulnerability
Contributor+ Stored Cross Site Scripting (XSS)
Patched in Version
2.0.1
Severity Score
Medium
CVE
2023-32793
The vulnerability has been patched, so you should update to version 2.0.1.

WooCommerce Pre-Orders

Plugin
WooCommerce Pre-Orders
Plugin Slug
woocommerce-pre-orders
Vulnerability
Cross Site Scripting (XSS)
Patched in Version
2.0.0
Severity Score
High
CVE
2023-32802
The vulnerability has been patched, so you should update to version 2.0.0.

WooCommerce Product Add-ons

Plugin
WooCommerce Product Add-ons
Plugin Slug
woocommerce-product-addons
Vulnerability
Authenticated PHP Object Injection
Patched in Version
6.2.0
Severity Score
High
CVE
2023-32795
The vulnerability has been patched, so you should update to version 6.2.0.

WooCommerce Product Add-ons

Plugin
WooCommerce Product Add-ons
Plugin Slug
woocommerce-product-addons
Vulnerability
Cross Site Request Forgery (CSRF)
Patched in Version
6.2.0
Severity Score
Medium
CVE
2023-32794
The vulnerability has been patched, so you should update to version 6.2.0.

WooCommerce Product Recommendations

Plugin
WooCommerce Product Recommendations
Plugin Slug
woocommerce-product-recommendations
Vulnerability
Cross Site Request Forgery (CSRF)
Patched in Version
2.3.0
Severity Score
Medium
CVE
2023-32744
The vulnerability has been patched, so you should update to version 2.3.0.

WooCommerce Ship to Multiple Addresses

Plugin
WooCommerce Ship to Multiple Addresses
Plugin Slug
woocommerce-shipping-multiple-addresses
Vulnerability
Insecure Direct Object References (IDOR)
Patched in Version
3.8.4
Severity Score
Medium
CVE
2023-32799
The vulnerability has been patched, so you should update to version 3.8.4.

WooCommerce Warranty Requests

Plugin
WooCommerce Warranty Requests
Plugin Slug
woocommerce-warranty
Vulnerability
Reflected Cross Site Scripting (XSS)
Patched in Version
2.1.7
Severity Score
High
CVE
2023-33317
The vulnerability has been patched, so you should update to version 2.1.7.

Predictive Search

Plugin
E-Commerce Predictive Search
Plugin Slug
wp-e-commerce-predictive-search
Vulnerability
Missing Authorization
Patched in Version
1.2.3
Severity Score
Medium
The vulnerability has been patched, so you should update to version 1.2.3.

WordPress Plugin Vulnerabilities — Unpatched

This section contains plugin vulnerabilities with no known fix. Until a patch is available, you are advised to deactivate the plugin immediately, at minimum. If there is a high risk of active exploitation or the plugin remains unpatched for weeks, you are advised to delete the plugin. You should also delete persistently unpatched plugins that the WordPress.org repository has locked and marked “Closed” so they can no longer be downloaded and installed.

Easy Forms for Mailchimp

Plugin
Easy Forms for Mailchimp
Plugin Slug
yikes-inc-easy-mailchimp-extender
Installations
100,000+
Vulnerability
Cross Site Scripting (XSS)
Patched in Version
No Fix
Severity Score
Medium
CVE
2023-23900
The vulnerability has not been patched. You should deactivate the plugin.

Scripts n Styles

Plugin
Scripts n Styles
Plugin Slug
scripts-n-styles
Installations
30,000+
Vulnerability
Cross Site Scripting (XSS)
Patched in Version
No Fix
Severity Score
Medium
CVE
2023-31236
The vulnerability has not been patched. You should deactivate the plugin.

Easing Slider

Plugin
Easing Slider
Plugin Slug
easing-slider
Installations
20,000+
Vulnerability
Plugin Settings Reset
Patched in Version
No Fix
Severity Score
High
CVE
2023-30490
The vulnerability has not been patched. You should deactivate the plugin.

WP htaccess Control

Plugin
WP htaccess Control
Plugin Slug
wp-htaccess-control
Installations
8,000+
Vulnerability
Cross Site Scripting (XSS)
Patched in Version
No Fix
Severity Score
Medium
CVE
2023-25462
The vulnerability has not been patched. You should deactivate the plugin.

Custom Post Type Generator

Plugin
Custom Post Type Generator
Plugin Slug
custom-post-type-generator
Installations
2,000+
Vulnerability
Reflected Cross Site Scripting (XSS)
Patched in Version
No Fix
Severity Score
Medium
CVE
2023-33329
The vulnerability has not been patched. You should deactivate the plugin.

Leyka

Plugin
Leyka
Plugin Slug
leyka
Installations
2,000+
Vulnerability
Privilege Escalation
Patched in Version
No Fix
Severity Score
High
CVE
2023-33327
The vulnerability has not been patched. You should deactivate the plugin.

Leyka

Plugin
Leyka
Plugin Slug
leyka
Installations
2,000+
Vulnerability
Reflected Cross Site Scripting (XSS)
Patched in Version
No Fix
Severity Score
High
CVE
2023-33325
The vulnerability has not been patched. You should deactivate the plugin.

Baidu Tongji generator

Plugin
Baidu Tongji generator
Plugin Slug
baidu-tongji-generator
Installations
1,000+
Vulnerability
Cross Site Scripting (XSS)
Patched in Version
No Fix
Severity Score
Medium
CVE
2023-31233
The vulnerability has not been patched. You should deactivate the plugin.

Easy Captcha

Plugin
Easy Captcha
Plugin Slug
easy-captcha
Installations
1,000+
Vulnerability
Broken Access Control
Patched in Version
No Fix
Severity Score
Medium
CVE
2023-33324
The vulnerability has not been patched. You should deactivate the plugin.

Easy Captcha

Plugin
Easy Captcha
Plugin Slug
easy-captcha
Installations
1,000+
Vulnerability
Reflected Cross Site Scripting (XSS)
Patched in Version
No Fix
Severity Score
High
CVE
2023-33312
The vulnerability has not been patched. You should deactivate the plugin.

Stop Referrer Spam

Plugin
Stop Referrer Spam
Plugin Slug
stop-referrer-spam
Installations
1,000+
Vulnerability
Cross Site Request Forgery (CSRF)
Patched in Version
No Fix
Severity Score
Medium
CVE
2023-33207
The vulnerability has not been patched. You should deactivate the plugin.

WP-Hijri

Plugin
WP-Hijri
Plugin Slug
wp-hijri
Installations
1,000+
Vulnerability
Cross Site Scripting (XSS)
Patched in Version
No Fix
Severity Score
High
CVE
2023-33320
The vulnerability has not been patched. You should deactivate the plugin.

Front End Users

Plugin
Front End Users
Plugin Slug
front-end-only-users
Installations
900+
Vulnerability
Cross Site Scripting (XSS)
Patched in Version
No Fix
Severity Score
High
CVE
2023-33322
The vulnerability has not been patched. You should deactivate the plugin.

Cookie Monster

Plugin
Cookie Monster
Plugin Slug
cookiemonster
Installations
800+
Vulnerability
Cross Site Scripting (XSS)
Patched in Version
No Fix
Severity Score
Medium
CVE
2023-33208
The vulnerability has not been patched. You should deactivate the plugin.

Jazz Popups

Plugin
Jazz Popups
Plugin Slug
jazz-popups
Installations
700+
Vulnerability
Cross Site Request Forgery (CSRF)
Patched in Version
No Fix
Severity Score
Medium
CVE
2023-32966
The vulnerability has not been patched. You should deactivate the plugin.

Jazz Popups

Plugin
Jazz Popups
Plugin Slug
jazz-popups
Installations
700+
Vulnerability
Cross Site Scripting (XSS)
Patched in Version
No Fix
Severity Score
High
CVE
2023-32965
The vulnerability has not been patched. You should deactivate the plugin.

WP Multi Store Locator

Plugin
WP Multi Store Locator
Plugin Slug
wp-multi-store-locator
Installations
500+
Vulnerability
Contributor+ Stored Cross Site Scripting (XSS)
Patched in Version
No Fix
Severity Score
Medium
CVE
2023-0152
The vulnerability has not been patched. You should deactivate the plugin.

File Away

Plugin
File Away
Plugin Slug
file-away
Vulnerability
Contributor+ Stored XSS via Shortcode
Patched in Version
No Fix
Severity Score
Medium
CVE
2023-0431
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

nuajik CDN

Plugin
nuajik
Plugin Slug
nuajik-cdn
Vulnerability
Cross Site Scripting (XSS)
Patched in Version
No Fix
Severity Score
Medium
CVE
2023-33210
The vulnerability has not been patched. You should deactivate the plugin.

SEO Change Monitor

Plugin
SEO Change Monitor – Track Website Changes
Plugin Slug
seo-change-monitor
Vulnerability
SQL Injection
Patched in Version
No Fix
Severity Score
High
CVE
2023-33209
The vulnerability has not been patched. You should deactivate the plugin.

Waiting: One-click countdowns

Plugin
Waiting: One-click countdowns
Plugin Slug
waiting
Vulnerability
Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched in Version
No Fix
Severity Score
Medium
CVE
2023-2757
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

WeSecur Security

Plugin
WeSecur Security
Plugin Slug
wesecur-security
Vulnerability
Cross Site Scripting (XSS)
Patched in Version
No Fix
Severity Score
Medium
CVE
2023-24390
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

WordPress Theme Vulnerabilities

In this section, you’ll find the latest WordPress theme vulnerabilities to be disclosed. You’ll see the same information provided above for vulnerable plugins, and the same advice applies. If a security update exists, install it immediately. If a vulnerability remains unpatched in a theme you are actively using, you will need to find an alternative theme. Deactivate and delete persistently unpatched themes and those that have been “Closed” in the WordPress.org theme repository. If you have a vulnerable theme installed that you are not actively using, simply delete it.

SparkleStore

Theme
SparkleStore
Theme Slug
sparklestore
Downloads
157,360
Vulnerability
Broken Access Control
Patched in Version
No Fix
Severity Score
Medium
CVE
2023-32959
The vulnerability has not been patched. You should switch themes.

MetroStore

Theme
MetroStore
Theme Slug
metrostore
Downloads
149,017
Vulnerability
Broken Access Control
Patched in Version
No Fix
Severity Score
Medium
CVE
2023-32959
The vulnerability has not been patched. You should switch themes.

BuzzStore

Theme
BuzzStore
Theme Slug
buzzstore
Downloads
103,769
Vulnerability
Broken Access Control
Patched in Version
No Fix
Severity Score
Medium
CVE
2023-32959
The vulnerability has not been patched. You should switch themes.

SpiderMag

Theme
SpiderMag
Theme Slug
spidermag
Downloads
60,716
Vulnerability
Broken Access Control
Patched in Version
No Fix
Severity Score
Medium
CVE
2023-32959
The vulnerability has not been patched. You should switch themes.

Craft Blog

Theme
Craft Blog
Theme Slug
craft-blog
Downloads
42,112
Vulnerability
Broken Access Control
Patched in Version
No Fix
Severity Score
Medium
CVE
2023-32959
The vulnerability has not been patched. You should switch themes.

Kingcabs

Theme
Kingcabs
Theme Slug
kingcabs
Downloads
33,701
Vulnerability
Broken Access Control
Patched in Version
No Fix
Severity Score
Medium
CVE
2023-32959
The vulnerability has not been patched. You should switch themes.

Medical Heed

Theme
Medical Heed
Theme Slug
medical-heed
Downloads
27,651
Vulnerability
Broken Access Control
Patched in Version
No Fix
Severity Score
Medium
CVE
2023-32959
The vulnerability has not been patched. You should switch themes.

Appzend

Theme
Appzend
Theme Slug
appzend
Downloads
19,919
Vulnerability
Broken Access Control
Patched in Version
No Fix
Severity Score
Medium
CVE
2023-32959
The vulnerability has not been patched. You should switch themes.

Fitness Park

Theme
Fitness Park
Theme Slug
fitness-park
Downloads
18,803
Vulnerability
Broken Access Control
Patched in Version
No Fix
Severity Score
Medium
CVE
2023-32959
The vulnerability has not been patched. You should switch themes.

Kathmag

Theme
Kathmag
Theme Slug
kathmag
Downloads
16,375
Vulnerability
Broken Access Control
Patched in Version
No Fix
Severity Score
Medium
CVE
2023-32959
The vulnerability has not been patched. You should switch themes.

Online eStore

Theme
Online eStore
Theme Slug
online-estore
Downloads
14,574
Vulnerability
Broken Access Control
Patched in Version
No Fix
Severity Score
Medium
CVE
2023-32959
The vulnerability has not been patched. You should switch themes.
Never worry about running a vulnerable plugin or theme again.

As you can see from this report, new WordPress plugin and theme vulnerabilities are disclosed every week. We know it can be difficult to stay on top of every reported vulnerability disclosure that matters to you, so the iThemes Security Pro plugin makes it easy to ensure your site isn’t running a vulnerable theme, plugin, or version of WordPress core.

Scans Your Website Twice a Day for Vulnerabilities

Your website’s plugins, themes, and WordPress core versions are checked against the Patchstack Vulnerability Database for the latest vulnerability disclosures.

Automatically Updates if a Security Fix is Available

Paired with Version Management, iThemes Security will automatically update a plugin, theme, or WordPress core version if it has a vulnerability.

Emails You a Warning if Site Scan Detects a Vulnerability

You can receive an email report if your site is running vulnerable versions of a plugin, theme, or WordPress core. Customize the email addresses that receive scan results.

iThemes Security Pro

The Best WordPress Security Plugin to Secure & Protect WordPress Sites

WordPress currently powers over 40% of all websites, so it has become a popular target for hackers with malicious intent. The iThemes Security Pro plugin takes the guesswork out of WordPress security to make it easy to secure & protect your WordPress website. It’s like having a full-time security expert on staff who constantly monitors and protects your WordPress site for you.

Buy iThemes Security Pro


Dan Knauss

Dan Knauss is StellarWP’s Technical Content Generalist. He’s been a writer, teacher, and freelancer working in open source since the late 1990s and with WordPress since 2004.
