WordPress Vulnerability Report

On May 20, 2023, WordPress 6.2.2 was released to address a regression — a bug introduced in 6.2.1 that broke shortcode functionality — as well as a security issue. Because 6.2.2 is a security release, you should update your sites immediately. All versions since WordPress 5.9 have also been updated. The next major version of WordPress core slated for an August release will be 6.3.

WordPress core has been updated to secure 6 vulnerabilities disclosed with its 6.2.1-6.2.2 releases. In the plugin and theme ecosystem, 97 total vulnerabilities emerged in public disclosure. They may affect over 5 million WordPress sites. Out of the total number, there are 64 plugin vulnerabilities that have security patches available.

Additionally, there are 22 plugin vulnerabilities and 11 theme vulnerabilities with no patch available yet. If you are using any unpatched plugins or themes, check their vendors’ intentions and progress on a security release. If no patch is forthcoming or the vulnerable software has been closed and dropped from the official WordPress theme and plugin repositories, you should consider deactivation and removal in favor of alternative solutions.

WordPress Core Vulnerabilities — Patched

WordPress Core

Vulnerability: Unauth. Shortcode Execution
Patched in Version: 6.2.2
Severity Score: Medium

WordPress Core

Vulnerability: Insufficient Sanitization of Block Attributes vulnerabilities
Patched in Version: 6.2.1
Severity Score: Medium

WordPress Core

Vulnerability: Auth. Stored Cross-Site Scripting (XSS)
Patched in Version: 6.2.1
Severity Score: Medium

WordPress Core

Vulnerability: Unauth. Shortcode Execution
Patched in Version: 6.2.1
Severity Score: Medium

WordPress Core

Vulnerability: Unauth. Directory Traversal
Patched in Version: 6.2.1
Severity Score: Medium
CVE: 2023-2745

WordPress Core

Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 6.2.1
Severity Score: Medium

WordPress core is very secure when it’s properly configured and maintained. Vulnerable plugins that have not been updated by site owners are the most common vector for attacks on WordPress websites. Our weekly WordPress Vulnerability Report, powered by Patchstack, covers new WordPress plugin, theme, and core vulnerabilities that have emerged since last week’s report. Our goal is to spread awareness of emerging security threats and help you decide what to do if you are using vulnerable software on your website. For a deeper analysis of recent trends in WordPress vulnerabilities and threat vectors, see our 2022 Annual Vulnerability Report.

These reports are published every Wednesday and include all active vulnerabilities tracked by Patchstack as of Monday since the previous report. This leaves a 48-hour window for the newest emerging vulnerabilities to be patched before full public disclosure. iThemes Security Pro users have access to vulnerability alerts emerging within this window.

Get the weekly WordPress Vulnerability Report delivered to your inbox each Wednesday.

WordPress Plugin Vulnerabilities — Patched

In this section, you’ll find the most recently disclosed WordPress plugin vulnerabilities that have been fixed with a new release from their authors and maintainers. Please apply the updates if you are affected!

These vulnerabilities have been disclosed and scored for their severity, thanks to our friends at Patchstack. Each plugin listing includes the type of vulnerability with its CVE number and CVSS severity rating with links to more technical details. You’ll also see the number of active sites using the plugin and the plugin version release that patches the vulnerability. We start with the most popular plugins, which represent the largest target for attackers.

UpdraftPlus

Plugin: UpdraftPlus WordPress Backup Plugin
Plugin Slug: updraftplus
Installations: 3,000,000+
Vulnerability: CSRF lead to wp-admin Site Wide XSS
Patched in Version: 1.23.4
Severity Score: High
CVE: 2023-32960

PixelYourSite

Plugin: PixelYourSite – Your smart PIXEL (TAG) Manager
Plugin Slug: pixelyoursite
Installations: 400,000+
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched in Version: 9.3.7
Severity Score: Medium
CVE: 2023-2584

Chaty

Plugin: Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button – Chaty
Plugin Slug: chaty
Installations: 200,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.1
Severity Score: High
CVE: 2023-25019

Simple Page Ordering

Plugin: Simple Page Ordering
Plugin Slug: simple-page-ordering
Installations: 200,000+
Vulnerability: Broken Access Control
Patched in Version: 2.5.1
Severity Score: Medium
CVE: 2023-32798

Unlimited Elements For Elementor

Plugin: Unlimited Elements For Elementor (Free Widgets, Addons, Templates)
Plugin Slug: unlimited-elements-for-elementor
Installations: 200,000+
Vulnerability: Unrestricted Zip Extraction
Patched in Version: 1.5.61
Severity Score: Critical
CVE: 2023-31090

Performance Lab

Plugin: Performance Lab
Plugin Slug: performance-lab
Installations: 70,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 2.3.0
Severity Score: Medium
CVE: 2022-47174

Contact Form Entries

Plugin: Contact Form Entries – Contact Form 7, WPforms and more
Plugin Slug: contact-form-entries
Installations: 60,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.3.1
Severity Score: Medium
CVE: 2023-33311

Contact Form Entries

Plugin: Contact Form Entries – Contact Form 7, WPforms and more
Plugin Slug: contact-form-entries
Installations: 60,000+
Vulnerability: SQL Injection
Patched in Version: 1.3.1
Severity Score: High
CVE: 2023-31212

WP-Matomo Integration (WP-Piwik)

Plugin: WP-Matomo Integration (WP-Piwik)
Plugin Slug: wp-piwik
Installations: 60,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.0.28
Severity Score: Medium
CVE: 2023-33211

Ultimate Dashboard

Plugin: Ultimate Dashboard – Custom WordPress Dashboard
Plugin Slug: ultimate-dashboard
Installations: 50,000+
Vulnerability: Authenticated(Administrator+) Stored Cross-Site Scripting via plugin settings
Patched in Version: 3.7.6
Severity Score: Medium

Better Notifications for WP

Plugin: Customize WordPress Emails and Alerts – Better Notifications for WP
Plugin Slug: bnfw
Installations: 40,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.9.3
Severity Score: Medium
CVE: 2023-32964

JetFormBuilder

Plugin: JetFormBuilder — Dynamic Blocks Form Builder
Plugin Slug: jetformbuilder
Installations: 30,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 3.0.7
Severity Score: Medium
CVE: 2023-33212

BEAR

Plugin: BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net
Plugin Slug: woo-bulk-editor
Installations: 30,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.1.3.2
Severity Score: Medium
CVE: 2023-33314

AI Engine: ChatGPT Chatbot

Plugin: AI Engine: ChatGPT Chatbot, Content Generator, GPT 3 & 4, Ultra-Customizable
Plugin Slug: ai-engine
Installations: 20,000+
Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
Patched in Version: 1.6.83
Severity Score: Medium

Contact Form by Supsystic

Plugin: Contact Form by Supsystic
Plugin Slug: contact-form-by-supsystic
Installations: 10,000+
Vulnerability: Cross-Site Request Forgery via AJAX action
Patched in Version: 1.7.25
Severity Score: Medium
CVE: 2023-2528

Custom 404 Pro

Plugin: Custom 404 Pro
Plugin Slug: custom-404-pro
Installations: 10,000+
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: 3.8.2
Severity Score: Medium
CVE: 2023-32740

RegistrationMagic

Plugin: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login
Plugin Slug: custom-registration-form-builder-with-submission-manager
Installations: 10,000+
Vulnerability: Authentication Bypass
Patched in Version: 5.2.1.1
Severity Score: Critical
CVE: 2023-2499

Unite Gallery Lite

Plugin: Unite Gallery Lite
Plugin Slug: unite-gallery-lite
Installations: 10,000+
Vulnerability: Local File Inclusion
Patched in Version: 1.7.60
Severity Score: Medium
CVE: 2023-33310

WP SMS

Plugin: WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc
Plugin Slug: wp-sms
Installations: 9,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 6.1.5
Severity Score: High
CVE: 2023-32742

PluginOps Optin Builder

Plugin: MailChimp Subscribe Form, Optin Builder, PopUp Builder, Form Builder
Plugin Slug: mailchimp-subscribe-sm
Installations: 5,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 4.0.9.2
Severity Score: Medium
CVE: 2023-33328

WP Custom Cursors

Plugin: WP Custom Cursors | WordPress Cursor Plugin
Plugin Slug: wp-custom-cursors
Installations: 4,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 3.2
Severity Score: Medium
CVE: 2023-32739

Bit Form

Plugin: Bit Form – Contact Form Plugin for WordPress: Drag & Drop, Responsive, Payment Form & Custom Form Builder
Plugin Slug: bit-form
Installations: 2,000+
Vulnerability: Remote Code Execution (RCE) via Unauthenticated Arbitrary File Upload
Patched in Version: 1.9
Severity Score: Critical
CVE: 2022-4774

Groundhogg

Plugin: WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg
Plugin Slug: groundhogg
Installations: 2,000+
Vulnerability: Cross Site Request Forgery (CSRF) to Privilege Escalation
Patched in Version: 2.7.10
Severity Score: High
CVE: 2023-2736

Groundhogg

Plugin: WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg
Plugin Slug: groundhogg
Installations: 2,000+
Vulnerability: Multiple Missing Authorization
Patched in Version: 2.7.10
Severity Score: Medium
CVE: 2023-2716

Groundhogg

Plugin: WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg
Plugin Slug: groundhogg
Installations: 2,000+
Vulnerability: Auth. Stored Cross-Site Scripting (XSS)
Patched in Version: 2.7.10
Severity Score: Medium
CVE: 2023-2735

OTP Login Woocommerce & Gravity Forms

Plugin: OTP Login Woocommerce & Gravity Forms
Plugin Slug: mobile-login-woocommerce
Installations: 2,000+
Vulnerability: Authentication Bypass to Privilege Escalation
Patched in Version: 2.3
Severity Score: High
CVE: 2023-2706

Multiple Page Generator Plugin

Plugin: Multiple Page Generator Plugin – MPG
Plugin Slug: multiple-pages-generator-by-porthas
Installations: 2,000+
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched in Version: 3.3.18
Severity Score: High
CVE: 2023-2607

Multiple Page Generator Plugin

Plugin: Multiple Page Generator Plugin – MPG
Plugin Slug: multiple-pages-generator-by-porthas
Installations: 2,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 3.3.18
Severity Score: Medium
CVE: 2023-2608

Predictive Search for WooCommerce

Plugin: Predictive Search for WooCommerce
Plugin Slug: woocommerce-predictive-search
Installations: 2,000+
Vulnerability: Broken Access Control
Patched in Version: 5.8.1
Severity Score: Medium
CVE: 2023-32963

video carousel slider with lightbox

Plugin: video carousel slider with lightbox
Plugin Slug: wp-responsive-video-gallery-with-lightbox
Installations: 2,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.0.23
Severity Score: High
CVE: 2023-32797

Zotpress

Plugin: Zotpress
Plugin Slug: zotpress
Installations: 2,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 7.3.4
Severity Score: High
CVE: 2023-32961

BP Social Connect

Plugin: BP Social Connect
Plugin Slug: bp-social-connect
Installations: 1,000+
Vulnerability: Authentication Bypass
Patched in Version: 1.6.2
Severity Score: High
CVE: 2023-2704

EventPrime

Plugin: EventPrime – Modern Events Calendar, Bookings and Tickets
Plugin Slug: eventprime-event-calendar-management
Installations: 1,000+
Vulnerability: Sensitive Data Exposure
Patched in Version: 3.0.0
Severity Score: Medium
CVE: 2023-33321

EventPrime

Plugin: EventPrime – Modern Events Calendar, Bookings and Tickets
Plugin Slug: eventprime-event-calendar-management
Installations: 1,000+
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: 3.0.0
Severity Score: High
CVE: 2023-33326

Novelist

Plugin: Novelist
Plugin Slug: novelist
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.2.1
Severity Score: Medium
CVE: 2023-32958

reCAPTCHA for all

Plugin: reCAPTCHA and Cloudflare Turnstile For All Pages, to Block Spam and Hackers Attack, Block Visitors from China
Plugin Slug: recaptcha-for-all
Installations: 1,000+
Vulnerability: Broken Access Control
Patched in Version: 1.23
Severity Score: Medium
CVE: 2023-32599

Smart App Banner

Plugin: Smart App Banner
Plugin Slug: smart-app-banner
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.1.3
Severity Score: Medium
CVE: 2023-33315

WIP Custom Login

Plugin: WIP Custom Login
Plugin Slug: wip-custom-login
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.3.0
Severity Score: Medium
CVE: 2023-33313

WishSuite – Wishlist for WooCommerce

Plugin: WishSuite – Wishlist for WooCommerce
Plugin Slug: wishsuite
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.3.5
Severity Score: Medium
CVE: 2023-32962

WooDiscuz – WooCommerce Comments

Plugin: WooDiscuz – WooCommerce Comments
Plugin Slug: woodiscuz-woocommerce-comments
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.3.0
Severity Score: Medium
CVE: 2023-33216

Video Gallery

Plugin: Video Gallery
Plugin Slug: video-slider-with-thumbnails
Installations: 900+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.0.11
Severity Score: High
CVE: 2023-32597

Predictive Search

Plugin: Predictive Search
Plugin Slug: predictive-search
Installations: 20+
Vulnerability: Missing Authorization
Patched in Version: 1.2.3
Severity Score: Medium

Ricerca smart and advanced search

Plugin: Ricerca – advanced search
Plugin Slug: ricerca-smart-search
Installations: 20+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.0.16
Severity Score: Medium

AutomateWoo

Plugin: AutomateWoo
Plugin Slug: automatewoo
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 5.7.2
Severity Score: Medium
CVE: 2023-32745

AutomateWoo

Plugin: AutomateWoo
Plugin Slug: automatewoo
Vulnerability: Manager+ SQL Injection
Patched in Version: 5.7.2
Severity Score: High
CVE: 2023-32743

Duplicator Pro

Plugin: Duplicator Pro
Plugin Slug: duplicator-pro
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 4.5.11.1
Severity Score: High
CVE: 2023-33309

Essential Addons for Elementor Pro

Plugin: Essential Addons for Elementor Pro
Plugin Slug: essential-addons-elementor
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: 5.4.9
Severity Score: High
CVE: 2023-32241

Essential Addons for Elementor Pro

Plugin: Essential Addons for Elementor Pro
Plugin Slug: essential-addons-elementor
Vulnerability: Unauthenticated Server Side Request Forgery (SSRF)
Patched in Version: 5.4.9
Severity Score: Medium
CVE: 2023-32245

Rank Math SEO PRO

Plugin: Rank Math SEO PRO
Plugin Slug: seo-by-rank-math-pro
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: 3.0.36
Severity Score: High
CVE: 2023-32800

LearnDash LMS

Plugin: LearnDash LMS
Plugin Slug: sfwd-lms
Vulnerability: Auth. SQL Injection (SQLi)
Patched in Version: 4.5.3.1
Severity Score: High
CVE: 2023-28777

WooCommerce Bookings

Plugin: WooCommerce Bookings
Plugin Slug: woocommerce-bookings
Vulnerability: Insecure Direct Object References (IDOR)
Patched in Version: 1.15.79
Severity Score: Medium
CVE: 2023-32747

WooCommerce Brands

Plugin: WooCommerce Brands
Plugin Slug: woocommerce-brands
Vulnerability: Contributor+ Stored Cross Site Scripting (XSS)
Patched in Version: 1.6.46
Severity Score: Medium
CVE: 2023-32746

WooCommerce Composite Products

Plugin: WooCommerce Composite Products
Plugin Slug: woocommerce-composite-products
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: 8.7.6
Severity Score: High
CVE: 2023-32801

WooCommerce Follow-Up Emails

Plugin: WooCommerce Follow-Up Emails
Plugin Slug: woocommerce-follow-up-emails
Vulnerability: Arbitrary File Upload
Patched in Version: 4.9.50
Severity Score: Critical
CVE: 2023-33318

WooCommerce Follow-Up Emails

Plugin: WooCommerce Follow-Up Emails
Plugin Slug: woocommerce-follow-up-emails
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: 4.9.50
Severity Score: High
CVE: 2023-33319

WooCommerce Follow-Up Emails

Plugin: WooCommerce Follow-Up Emails
Plugin Slug: woocommerce-follow-up-emails
Vulnerability: Multiple Cross Site Request Forgery (CSRF)
Patched in Version: 4.9.50
Severity Score: Medium
CVE: 2023-33316

WooCommerce Pre-Orders

Plugin: WooCommerce Pre-Orders
Plugin Slug: woocommerce-pre-orders
Vulnerability: Contributor+ Stored Cross Site Scripting (XSS)
Patched in Version: 2.0.1
Severity Score: Medium
CVE: 2023-32793

WooCommerce Pre-Orders

Plugin: WooCommerce Pre-Orders
Plugin Slug: woocommerce-pre-orders
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.0.0
Severity Score: High
CVE: 2023-32802

WooCommerce Product Add-ons

Plugin: WooCommerce Product Add-ons
Plugin Slug: woocommerce-product-addons
Vulnerability: Authenticated PHP Object Injection
Patched in Version: 6.2.0
Severity Score: High
CVE: 2023-32795

WooCommerce Product Add-ons

Plugin: WooCommerce Product Add-ons
Plugin Slug: woocommerce-product-addons
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 6.2.0
Severity Score: Medium
CVE: 2023-32794

WooCommerce Product Recommendations

Plugin: WooCommerce Product Recommendations
Plugin Slug: woocommerce-product-recommendations
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 2.3.0
Severity Score: Medium
CVE: 2023-32744

WooCommerce Ship to Multiple Addresses

Plugin: WooCommerce Ship to Multiple Addresses
Plugin Slug: woocommerce-shipping-multiple-addresses
Vulnerability: Insecure Direct Object References (IDOR)
Patched in Version: 3.8.4
Severity Score: Medium
CVE: 2023-32799

WooCommerce Warranty Requests

Plugin: WooCommerce Warranty Requests
Plugin Slug: woocommerce-warranty
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: 2.1.7
Severity Score: High
CVE: 2023-33317

Predictive Search

Plugin: E-Commerce Predictive Search
Plugin Slug: wp-e-commerce-predictive-search
Vulnerability: Missing Authorization
Patched in Version: 1.2.3
Severity Score: Medium

WordPress Plugin Vulnerabilities — Unpatched

This section contains plugin vulnerabilities with no known fix. Until a patch is available, you are advised to deactivate the plugin, at minimum, immediately. If there is a high risk of active exploits or the plugin remains unpatched for weeks, you are advised to delete the plugin. You should also delete persistently unpatched plugins the WordPress.org repository has locked and marked “Closed” so they can no longer be downloaded and installed.

Easy Forms for Mailchimp

Plugin: Easy Forms for Mailchimp
Plugin Slug: yikes-inc-easy-mailchimp-extender
Installations: 100,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-23900

Scripts n Styles

Plugin: Scripts n Styles
Plugin Slug: scripts-n-styles
Installations: 30,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-31236

Easing Slider

Plugin: Easing Slider
Plugin Slug: easing-slider
Installations: 20,000+
Vulnerability: Plugin Settings Reset
Patched in Version: No Fix
Severity Score: High
CVE: 2023-30490

WP htaccess Control

Plugin: WP htaccess Control
Plugin Slug: wp-htaccess-control
Installations: 8,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-25462

Custom Post Type Generator

Plugin: Custom Post Type Generator
Plugin Slug: custom-post-type-generator
Installations: 2,000+
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-33329

Leyka

Plugin: Leyka
Plugin Slug: leyka
Installations: 2,000+
Vulnerability: Privilege Escalation
Patched in Version: No Fix
Severity Score: High
CVE: 2023-33327

Leyka

Plugin: Leyka
Plugin Slug: leyka
Installations: 2,000+
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-33325

Baidu Tongji generator

Plugin: Baidu Tongji generator
Plugin Slug: baidu-tongji-generator
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-31233

Easy Captcha

Plugin: Easy Captcha
Plugin Slug: easy-captcha
Installations: 1,000+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-33324

Easy Captcha

Plugin: Easy Captcha
Plugin Slug: easy-captcha
Installations: 1,000+
Vulnerability: Refletced Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-33312

Stop Referrer Spam

Plugin: Stop Referrer Spam
Plugin Slug: stop-referrer-spam
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-33207

WP-Hijri

Plugin: WP-Hijri
Plugin Slug: wp-hijri
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-33320

Front End Users

Plugin: Front End Users
Plugin Slug: front-end-only-users
Installations: 900+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-33322

Cookie Monster

Plugin: Cookie Monster
Plugin Slug: cookiemonster
Installations: 800+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-33208

Jazz Popups

Plugin: Jazz Popups
Plugin Slug: jazz-popups
Installations: 700+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-32966

Jazz Popups

Plugin: Jazz Popups
Plugin Slug: jazz-popups
Installations: 700+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-32965

WP Multi Store Locator

Plugin: WP Multi Store Locator
Plugin Slug: wp-multi-store-locator
Installations: 500+
Vulnerability: Contributor+ Stored Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-0152

File Away

Plugin: File Away
Plugin Slug: file-away
Vulnerability: Contributor+ Stored XSS via Shortcode
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-0431

nuajik CDN

Plugin: nuajik
Plugin Slug: nuajik-cdn
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-33210

SEO Change Monitor

Plugin: SEO Change Monitor – Track Website Changes
Plugin Slug: seo-change-monitor
Vulnerability: SQL Injection
Patched in Version: No Fix
Severity Score: High
CVE: 2023-33209

Waiting: One-click countdowns

Plugin: Waiting: One-click countdowns
Plugin Slug: waiting
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-2757

WeSecur Security

Plugin: WeSecur Security
Plugin Slug: wesecur-security
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-24390

WordPress Theme Vulnerabilities

In this section, you’ll find the latest WordPress theme vulnerabilities to be disclosed. You’ll see the same information provided above for vulnerable plugins, and the same advice applies. If a security update exists, install it immediately. If a vulnerability remains unpatched in a theme you are actively using, you will need to find an alternative theme. Deactivate and delete persistently unpatched themes and those that have been “Closed” in the WordPress.org theme repository. If you have a vulnerable theme installed that you are not actively using, simply delete it.

SparkleStore

Theme: SparkleStore
Theme Slug: sparklestore
Downloads: 157,360
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-32959

MetroStore

Theme: MetroStore
Theme Slug: metrostore
Downloads: 149,017
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-32959

BuzzStore

Theme: BuzzStore
Theme Slug: buzzstore
Downloads: 103,769
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-32959

SpiderMag

Theme: SpiderMag
Theme Slug: spidermag
Downloads: 60,716
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-32959

Craft Blog

Theme: Craft Blog
Theme Slug: craft-blog
Downloads: 42,112
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-32959

Kingcabs

Theme: Kingcabs
Theme Slug: kingcabs
Downloads: 33,701
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-32959

Medical Heed

Theme: Medical Heed
Theme Slug: medical-heed
Downloads: 27,651
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-32959

Appzend

Theme: Appzend
Theme Slug: appzend
Downloads: 19,919
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-32959

Fitness Park

Theme: Fitness Park
Theme Slug: fitness-park
Downloads: 18,803
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-32959

Kathmag

Theme: Kathmag
Theme Slug: kathmag
Downloads: 16,375
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-32959

Online eStore

Theme: Online eStore
Theme Slug: online-estore
Downloads: 14,574
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-32959

Never worry about running a vulnerable plugin or theme again.

As you can see from this report, new WordPress plugin and theme vulnerabilities are disclosed every week. We know it can be difficult to stay on top of every reported vulnerability disclosure that matters to you, so the Themes Security Pro plugin makes it easy to ensure your site isn’t running a vulnerable theme, plugin, or version of WordPress core.

Scans Your Website Twice a Day for Vulnerabilities

Your website’s plugins, themes, and WordPress core versions are checked against the Patchstack Vulnerability Database for the latest vulnerability disclosures.

Automatically Updates if a Security Fix is Available

Paired with Version Management, iThemes Security will automatically update a plugin, theme, or WordPress core version if it has a vulnerability.

Emails You a Warning if Site Scan Detects a Vulnerability

You can receive an email report if your site is running vulnerable versions of a plugin, theme, or WordPress core. Customize the email addresses that receive scan results.

The Best WordPress Security Plugin to Secure & Protect WordPress Sites

WordPress currently powers over 40% of all websites, so it has become a popular target for hackers with malicious intent. The iThemes Security Pro plugin takes the guesswork out of WordPress security to make it easy to secure & protect your WordPress website. It’s like having a full-time security expert on staff who constantly monitors and protects your WordPress site for you.

Buy iThemes Security Pro

Dan Knauss

Dan Knauss is StellarWP’s Technical Content Generalist. He’s been a writer, teacher, and freelancer working in open source since the late 1990s and with WordPress since 2004.

WordPress Vulnerability Report – May 24, 2023

WordPress Core Vulnerabilities — Patched

WordPress Plugin Vulnerabilities — Patched

WordPress Plugin Vulnerabilities — Unpatched

WordPress Theme Vulnerabilities

Never worry about running a vulnerable plugin or theme again.

Scans Your Website Twice a Day for Vulnerabilities

Automatically Updates if a Security Fix is Available

Emails You a Warning if Site Scan Detects a Vulnerability

The Best WordPress Security Plugin to Secure & Protect WordPress Sites

Other related posts

About iThemes

Resources

Customers

Top Products

Get the Weekly WordPress Vulnerability Report

Vulnerable WordPress plugins and themes are the #1 reason WordPress sites get hacked, but keeping track of every new plugin and theme vulnerability is hard work. Get the weekly WordPress Vulnerability Report delivered right to your inbox to help keep your website secure.

Get the Weekly WordPress Vulnerability Report