WordPress Vulnerability Report – May 3, 2023

Written by Dan Knauss on May 3, 2023

Last Updated on May 25, 2023

This week, 94 vulnerabilities may affect over 8.6 million WordPress sites. There are 40 plugin vulnerabilities with security patches available, so run those updates if you use these plugins! Additionally, there are 46 plugin vulnerabilities and 8 more in themes with no patch available yet. At least five of these have been closed and dropped from the wordpress.org plugin directory so far. If you are using any unpatched plugins or themes, check their vendors’ intentions and progress on a security release. If no patch is forthcoming or the vulnerable plugin or theme has been closed, you should consider deactivation and removal in favor of alternative solutions.

Our weekly vulnerability reports are published every Wednesday and include all active vulnerabilities tracked by Patchstack as of Monday since the previous report. This leaves a 48-hour window for the newest emerging vulnerabilities to be patched before full public disclosure. iThemes Security Pro users have access to vulnerability alerts emerging within this window.

  • No new WordPress core vulnerabilities were disclosed this week.

WordPress core is very secure when it’s properly configured and maintained. Vulnerable plugins that have not been updated by site owners are the most common vector for attacks on WordPress websites. Our weekly WordPress Vulnerability Report, powered by Patchstack, covers new WordPress plugin, theme, and core vulnerabilities that have emerged since last week’s report. Our goal is to spread awareness of emerging security threats and help you decide what to do if you are using vulnerable software on your website. For a deeper analysis of recent trends in WordPress vulnerabilities and threat vectors, see our 2022 Annual Vulnerability Report.

Contents of the May 3, 2023 Report
  1. WordPress Plugin Vulnerabilities with Patches
    1. Elementor
    2. Autoptimize
    3. Custom Post Type UI plugin
    4. Ad Inserter
    5. Orbit Fox
    6. Customizer Export/Import
    7. Stream
    8. ActiveCampaign
    9. Advanced Woo Search
    10. Profile Builder
    11. AJAX Thumbnail Rebuild
    12. Easy Digital Downloads
    13. Mega Addons For WPBakery Page Builder
    14. Shield Security
    15. Shield Security
    16. HTTP Headers
    17. WP Popups
    18. Custom 404 Pro
    19. Liquid Speech Balloon
    20. NEX-Forms
    21. Ultimate Addons for Contact Form 7
    22. Weaver Xtreme Theme Support
    23. Japanized For WooCommerce
    24. Integration for Contact Form 7 HubSpot
    25. Active Directory Integration / LDAP Integration
    26. CM On Demand Search And Replace
    27. Responsive Filterable Portfolio
    28. WP BrowserUpdate
    29. WP EasyPay
    30. Thumbnail carousel slider
    31. User IP and Location
    32. wordpress vertical image slider plugin
    33. WP Directory Kit
    34. Extensions for Leaflet Map
    35. Mass Email To users
    36. Plugins List
    37. Stock Sync for WooCommerce
    38. Photo Gallery Slideshow & Masonry Tiled Gallery
    39. Zephyr Project Manager
    40. Logo Scheduler
  2. WordPress Plugin Vulnerabilities – No Known Fix
    1. Depicter Slider
    2. Bit File Manager
    3. Ultimate Carousel For Elementor
    4. Ultimate Carousel For WPBakery Page Builder
    5. WP Page Numbers
    6. Rating-Widget: Star Review System
    7. Arconix Shortcodes
    8. WP BrowserUpdate
    9. WP Search Analytics
    10. Progress Bar
    11. Thumbs Rating
    12. Updraft
    13. Advanced Category Template
    14. Simple Giveaways
    15. Inactive User Deleter
    16. Emails & Newsletters with Jackmail
    17. Maintenance Switch
    18. Tippy
    19. Video XML Sitemap Generator
    20. WP-CORS
    21. Enable/Disable Auto Login when Register
    22. Avirato hotels online booking engine
    23. f(x) TOC
    24. Custom Post Type List Shortcode
    25. PushAssist
    26. Video List Manager
    27. Woocommerce Tip/Donation
    28. Dynamically Register Sidebars
    29. Easy Bet
    30. Pretty Url
    31. Advanced Youtube Channel Pagination
    32. Membership Database
    33. BizLibrary
    34. Chronosly Events Calendar
    35. CRM Memberships
    36. Decon WP SMS
    37. Forms Ada
    38. Help Desk WP
    39. NS Coupon to Become Customer
    40. Post Shortcode
    41. Product Slider For WooCommerce Lite
    42. RapidExpCart
    43. SEO ALert
    44. KIWIZ Invoices Certification & PDF System
    45. WooCommerce Order Status Change Notifier
    46. Wp-D3 plugin
  3. WordPress Theme Vulnerabilities
    1. Cream Magazine
    2. Fascinate
    3. Cream Blog
    4. Everest News
    5. Viable blog
    6. Glaze Blog Lite
    7. Arya Multipurpose
    8. Mocho Blog
  4. The Best WordPress Security Plugin to Secure & Protect WordPress Sites


WordPress Plugin Vulnerabilities with Patches

In this section, you’ll find the most recently disclosed WordPress plugin vulnerabilities that have been fixed with a new release from their authors and maintainers. Please apply the updates if you are affected!

These vulnerabilities have been disclosed and scored for their severity, thanks to our friends at Patchstack. Each plugin listing includes the type of vulnerability with its CVE number and CVSS severity rating with links to more technical details. You’ll also see the number of active sites using the plugin and the plugin version release that patches the vulnerability. We start with the most popular plugins, which represent the largest target for attackers.

Elementor

Plugin: Elementor Website Builder
Plugin Slug: elementor
Installations: 5,000,000+
Vulnerability: SQL Injection
Patched in Version: 3.12.2
Severity Score: Medium
The vulnerability has been patched, so you should update to version 3.12.2.

Autoptimize

Plugin: Autoptimize
Plugin Slug: autoptimize
Installations: 1,000,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.1.7
Severity Score: Medium
The vulnerability has been patched, so you should update to version 3.1.7.

Custom Post Type UI plugin

Plugin: Custom Post Type UI
Plugin Slug: custom-post-type-ui
Installations: 1,000,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.13.5
Severity Score: Medium
CVE: 2023-1623
The vulnerability has been patched, so you should update to version 1.13.5.

Ad Inserter

Plugin: Ad Inserter – Ad Manager & AdSense Ads
Plugin Slug: ad-inserter
Installations: 300,000+
Vulnerability: PHP Object Injection
Patched in Version: 2.7.27
Severity Score: Medium
CVE: 2023-1549
The vulnerability has been patched, so you should update to version 2.7.27.

Orbit Fox

Plugin: Orbit Fox by ThemeIsle
Plugin Slug: themeisle-companion
Installations: 300,000+
Vulnerability: Server Side Request Forgery (SSRF)
Patched in Version: 2.10.24
Severity Score: Medium
The vulnerability has been patched, so you should update to version 2.10.24.

Customizer Export/Import

Plugin: Customizer Export/Import
Plugin Slug: customizer-export-import
Installations: 200,000+
Vulnerability: PHP Object Injection
Patched in Version: 0.9.6
Severity Score: Medium
CVE: 2023-1347
The vulnerability has been patched, so you should update to version 0.9.6.

Stream

Plugin: Stream
Plugin Slug: stream
Installations: 80,000+
Vulnerability: Insecure Direct Object References (IDOR)
Patched in Version: 3.9.3
Severity Score: Medium
CVE: 2022-43450
The vulnerability has been patched, so you should update to version 3.9.3.

ActiveCampaign

Plugin: ActiveCampaign – Forms, Site Tracking, Live Chat
Plugin Slug: activecampaign-subscription-forms
Installations: 70,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 8.1.12
Severity Score: Medium
CVE: 2023-0233
The vulnerability has been patched, so you should update to version 8.1.12.

Advanced Woo Search

Plugin: Advanced Woo Search
Plugin Slug: advanced-woo-search
Installations: 70,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.78
Severity Score: Medium
CVE: 2023-2452
The vulnerability has been patched, so you should update to version 2.78.

Profile Builder

Plugin: Profile Builder – User Profile & User Registration Forms
Plugin Slug: profile-builder
Installations: 60,000+
Vulnerability: Sensitive Data Exposure
Patched in Version: 3.9.1
Severity Score: Critical
CVE: 2023-2297
The vulnerability has been patched, so you should update to version 3.9.1.

AJAX Thumbnail Rebuild

Plugin: AJAX Thumbnail Rebuild
Plugin Slug: ajax-thumbnail-rebuild
Installations: 50,000+
Vulnerability: Broken Access Control
Patched in Version: 1.14
Severity Score: Medium
CVE: 2022-47604
The vulnerability has been patched, so you should update to version 1.14.

Easy Digital Downloads

Plugin: Easy Digital Downloads – Simple eCommerce for Selling Digital Files
Plugin Slug: easy-digital-downloads
Installations: 50,000+
Vulnerability: Privilege Escalation
Patched in Version: 3.1.1.4.2
Severity Score: Critical
CVE: 2023-30869
The vulnerability has been patched, so you should update to version 3.1.1.4.2.

Mega Addons For WPBakery Page Builder

Plugin: Mega Addons For WPBakery Page Builder
Plugin Slug: mega-addons-for-visual-composer
Installations: 50,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 4.3.0
Severity Score: Medium
CVE: 2023-0268
The vulnerability has been patched, so you should update to version 4.3.0.

Shield Security

Plugin: Shield Security – Smart Bot Blocking & Intrusion Prevention
Plugin Slug: wp-simple-firewall
Installations: 50,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 17.0.18
Severity Score: High
CVE: 2023-0992
The vulnerability has been patched, so you should update to version 17.0.18.

Shield Security

Plugin: Shield Security – Smart Bot Blocking & Intrusion Prevention
Plugin Slug: wp-simple-firewall
Installations: 50,000+
Vulnerability: Broken Access Control
Patched in Version: 17.0.18
Severity Score: Medium
CVE: 2023-0993
The vulnerability has been patched, so you should update to version 17.0.18.

HTTP Headers

Plugin: HTTP Headers
Plugin Slug: http-headers
Installations: 40,000+
Vulnerability: SQL Injection
Patched in Version: 1.18.8
Severity Score: Medium
CVE: 2023-1207
The vulnerability has been patched, so you should update to version 1.18.8.

WP Popups

Plugin: WP Popups – WordPress Popup builder
Plugin Slug: wp-popups-lite
Installations: 30,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.1.5.1
Severity Score: Medium
CVE: 2023-1905
The vulnerability has been patched, so you should update to version 2.1.5.1.

Custom 404 Pro

Plugin: Custom 404 Pro
Plugin Slug: custom-404-pro
Installations: 10,000+
Vulnerability: SQL Injection
Patched in Version: 3.7.3
Severity Score: Critical
The vulnerability has been patched, so you should update to version 3.7.3.

Liquid Speech Balloon

Plugin: LIQUID SPEECH BALLOON
Plugin Slug: liquid-speech-balloon
Installations: 10,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.2
Severity Score: Medium
CVE: 2023-27889
The vulnerability has been patched, so you should update to version 1.2.

NEX-Forms

Plugin: NEX-Forms – Ultimate Form Builder – Contact forms and much more
Plugin Slug: nex-forms-express-wp-form-builder
Installations: 10,000+
Vulnerability: SQL Injection
Patched in Version: 8.4
Severity Score: High
CVE: 2023-2114
The vulnerability has been patched, so you should update to version 8.4.

Ultimate Addons for Contact Form 7

Plugin: Ultimate Addons for Contact Form 7
Plugin Slug: ultimate-addons-for-contact-form-7
Installations: 10,000+
Vulnerability: SQL Injection
Patched in Version: 3.1.24
Severity Score: High
CVE: 2023-30495
The vulnerability has been patched, so you should update to version 3.1.24.

Weaver Xtreme Theme Support

Plugin: Weaver Xtreme Theme Support
Plugin Slug: weaverx-theme-support
Installations: 10,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 6.2.7
Severity Score: Medium
CVE: 2023-0276
The vulnerability has been patched, so you should update to version 6.2.7.

Japanized For WooCommerce

Plugin: Japanized For WooCommerce
Plugin Slug: woocommerce-for-japan
Installations: 10,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.5.8
Severity Score: High
CVE: 2023-0948
The vulnerability has been patched, so you should update to version 2.5.8.

Integration for Contact Form 7 HubSpot

Plugin: Integration for Contact Form 7 HubSpot
Plugin Slug: cf7-hubspot
Installations: 7,000+
Vulnerability: Open Redirection
Patched in Version: 1.2.9
Severity Score: Medium
CVE: 2023-31095
The vulnerability has been patched, so you should update to version 1.2.9.

Active Directory Integration / LDAP Integration

Plugin: Active Directory Integration / LDAP Integration
Plugin Slug: ldap-login-for-intranet-sites
Installations: 6,000+
Vulnerability: Sensitive Data Exposure
Patched in Version: 4.1.1
Severity Score: High
CVE: 2023-0812
The vulnerability has been patched, so you should update to version 4.1.1.

CM On Demand Search And Replace

Plugin: CM On Demand Search And Replace
Plugin Slug: cm-on-demand-search-and-replace
Installations: 5,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.3.1
Severity Score: Medium
CVE: 2023-31228
The vulnerability has been patched, so you should update to version 1.3.1.

Responsive Filterable Portfolio

Plugin: Responsive Filterable Portfolio
Plugin Slug: responsive-filterable-portfolio
Installations: 3,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.0.20
Severity Score: High
CVE: 2023-2119
The vulnerability has been patched, so you should update to version 1.0.20.

WP BrowserUpdate

Plugin: WP BrowserUpdate
Plugin Slug: wp-browser-update
Installations: 3,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 4.5
Severity Score: Medium
CVE: 2023-31078
The vulnerability has been patched, so you should update to version 4.5.

WP EasyPay

Plugin: WP EasyPay – Square for WordPress
Plugin Slug: wp-easy-pay
Installations: 3,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 4.1
Severity Score: High
CVE: 2023-1465
The vulnerability has been patched, so you should update to version 4.1.

Thumbnail carousel slider

Plugin: Thumbnail carousel slider
Plugin Slug: wp-responsive-thumbnail-slider
Installations: 3,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.1.10
Severity Score: High
CVE: 2023-1915
The vulnerability has been patched, so you should update to version 1.1.10.

User IP and Location

Plugin: User IP and Location
Plugin Slug: user-ip-and-location
Installations: 2,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.2.1
Severity Score: Medium
CVE: 2023-30780
The vulnerability has been patched, so you should update to version 2.2.1.

wordpress vertical image slider plugin

Plugin: wordpress vertical image slider plugin
Plugin Slug: wp-vertical-image-slider
Installations: 2,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.2.17
Severity Score: High
CVE: 2023-2289
The vulnerability has been patched, so you should update to version 1.2.17.

WP Directory Kit

Plugin: WP Directory Kit
Plugin Slug: wpdirectorykit
Installations: 2,000+
Vulnerability: Open Redirection
Patched in Version: 1.2.0
Severity Score: Medium
CVE: 2023-31229
The vulnerability has been patched, so you should update to version 1.2.0.

Extensions for Leaflet Map

Plugin: Extensions for Leaflet Map
Plugin Slug: extensions-leaflet-map
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.4.2
Severity Score: High
CVE: 2023-31074
The vulnerability has been patched, so you should update to version 3.4.2.

Mass Email To users

Plugin: Mass Email To users
Plugin Slug: mass-email-to-users
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.1.5
Severity Score: High
CVE: 2022-47600
The vulnerability has been patched, so you should update to version 1.1.5.

Plugins List

Plugin: Plugins List
Plugin Slug: plugins-list
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.5.1
Severity Score: Medium
CVE: 2023-31232
The vulnerability has been patched, so you should update to version 2.5.1.

Stock Sync for WooCommerce

Plugin: Stock Sync for WooCommerce
Plugin Slug: stock-sync-for-woocommerce
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.4.1
Severity Score: High
CVE: 2023-31094
The vulnerability has been patched, so you should update to version 2.4.1.

Photo Gallery Slideshow & Masonry Tiled Gallery

Plugin: Photo Gallery Slideshow & Masonry Tiled Gallery
Plugin Slug: wp-responsive-photo-gallery
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.0.14
Severity Score: High
CVE: 2023-2402
The vulnerability has been patched, so you should update to version 1.0.14.

Zephyr Project Manager

Plugin: Zephyr Project Manager
Plugin Slug: zephyr-project-manager
Installations: 1,000+
Vulnerability: Open Redirection
Patched in Version: 3.3.91
Severity Score: Medium
CVE: 2023-31237
The vulnerability has been patched, so you should update to version 3.3.91.

Logo Scheduler

Plugin: Logo Scheduler – Great for holidays, events, and more
Plugin Slug: logo-scheduler-great-for-holidays-events-and-more
Installations: 100+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.2.2
Severity Score: Medium
CVE: 2023-30875
The vulnerability has been patched, so you should update to version 1.2.2.

WordPress Plugin Vulnerabilities – No Known Fix

This section contains plugin vulnerabilities with no known fix. Until a patch is available, you are advised to deactivate the plugin immediately, at a minimum. If there is a high risk of active exploitation, or the plugin remains unpatched for weeks, you are advised to delete the plugin. You should also delete persistently unpatched plugins that the WordPress.org repository has locked and marked “Closed”, since they can no longer be downloaded or installed and will not receive a fix through the normal update channel.

Depicter Slider

Plugin: Depicter Slider – Responsive Image Slider, Video Slider & Post Slider
Plugin Slug: depicter
Installations: 40,000+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2022-47176
The vulnerability has not been patched. You should deactivate the plugin.

Bit File Manager

Plugin: Bit File Manager – 100% free file manager for WordPress
Plugin Slug: file-manager
Installations: 20,000+
Vulnerability: PHP Object Injection
Patched in Version: No Fix
Severity Score: Medium
CVE: 2022-47599
The vulnerability has not been patched. You should deactivate the plugin.

Ultimate Carousel For Elementor

Plugin: Ultimate Carousel For Elementor
Plugin Slug: ultimate-carousel-for-elementor
Installations: 10,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-0280
The vulnerability has not been patched. You should deactivate the plugin.

Ultimate Carousel For WPBakery Page Builder

Plugin: Ultimate Carousel For WPBakery Page Builder
Plugin Slug: ultimate-carousel-for-visual-composer
Installations: 10,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-0267
The vulnerability has not been patched. You should deactivate the plugin.

WP Page Numbers

Plugin: WP Page Numbers
Plugin Slug: wp-page-numbers
Installations: 10,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-27623
The vulnerability has not been patched. You should deactivate the plugin.

Rating-Widget: Star Review System

Plugin: Rating-Widget: Star Review System
Plugin Slug: rating-widget
Installations: 8,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-23831
The vulnerability has not been patched. You should deactivate the plugin.

Arconix Shortcodes

Plugin: Arconix Shortcodes
Plugin Slug: arconix-shortcodes
Installations: 7,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-23703
The vulnerability has not been patched. You should deactivate the plugin.

WP BrowserUpdate

Plugin: WP BrowserUpdate
Plugin Slug: wp-browser-update
Installations: 3,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-28690
The vulnerability has not been patched. You should deactivate the plugin.

WP Search Analytics

Plugin: WP Search Analytics
Plugin Slug: search-analytics
Installations: 2,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2022-47587
The vulnerability has not been patched. You should deactivate the plugin.

Progress Bar

Plugin: Progress Bar
Plugin Slug: progress-bar
Installations: 2,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-23699
The vulnerability has not been patched. You should deactivate the plugin.

Thumbs Rating

Plugin: Thumbs Rating
Plugin Slug: thumbs-rating
Installations: 2,000+
Vulnerability: Race Condition
Patched in Version: No Fix
Severity Score: Medium
CVE: 2022-45809
The vulnerability has not been patched. You should deactivate the plugin.

Updraft

Plugin: Updraft
Plugin Slug: updraft
Installations: 2,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-26530
The vulnerability has not been patched. You should deactivate the plugin.

Advanced Category Template

Plugin: Advanced Category Template
Plugin Slug: advanced-category-template
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-31072
The vulnerability has not been patched. You should deactivate the plugin.

Simple Giveaways

Plugin: Simple Giveaways – Grow your business, email lists and traffic with contests
Plugin Slug: giveasap
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-31086
The vulnerability has not been patched. You should deactivate the plugin.

Inactive User Deleter

Plugin: Inactive User Deleter
Plugin Slug: inactive-user-deleter
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-27424
The vulnerability has not been patched. You should deactivate the plugin.

Emails & Newsletters with Jackmail

Plugin: Emails & Newsletters with Jackmail
Plugin Slug: jackmail-newsletters
Installations: 1,000+
Vulnerability: CSV Injection
Patched in Version: No Fix
Severity Score: Medium
CVE: 2022-46821
The vulnerability has not been patched. You should deactivate the plugin.

Maintenance Switch

Plugin: Maintenance Switch
Plugin Slug: maintenance-switch
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2022-47590
The vulnerability has not been patched. You should deactivate the plugin.

Tippy

Plugin: Tippy
Plugin Slug: tippy
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-31079
The vulnerability has not been patched. You should deactivate the plugin.

Video XML Sitemap Generator

Plugin: Video XML Sitemap Generator
Plugin Slug: video-xml-sitemap-generator
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-31089
The vulnerability has not been patched. You should deactivate the plugin.

WP-CORS

Plugin: WP-CORS
Plugin Slug: wp-cors
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2022-47606
The vulnerability has not been patched. You should deactivate the plugin.

Enable/Disable Auto Login when Register

Plugin: Enable/Disable Auto Login when Register
Plugin Slug: auto-login-when-resister
Installations: 700+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-0522
The vulnerability has not been patched. You should deactivate the plugin.

Avirato hotels online booking engine

Plugin: Avirato hotels online booking engine
Plugin Slug: avirato-calendar
Installations: 600+
Vulnerability: SQL Injection
Patched in Version: No Fix
Severity Score: High
CVE: 2023-0768
The vulnerability has not been patched. You should deactivate the plugin.

f(x) TOC

Plugin: f(x) TOC
Plugin Slug: fx-toc
Installations: 500+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-0490
The vulnerability has not been patched. You should deactivate the plugin.

Custom Post Type List Shortcode

Plugin: Custom Post Type List Shortcode
Plugin Slug: custom-post-type-list-shortcode
Installations: 400+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-0542
The vulnerability has not been patched. You should deactivate the plugin.

PushAssist

Plugin: Push Notifications for WordPress by PushAssist
Plugin Slug: push-notification-for-wp-by-pushassist
Installations: 200+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-0644
The vulnerability has not been patched. You should deactivate the plugin.

Video List Manager

Plugin: Video List Manager
Plugin Slug: video-list-manager
Installations: 200+
Vulnerability: SQL Injection
Patched in Version: No Fix
Severity Score: High
CVE: 2023-1408
The vulnerability has not been patched. You should deactivate the plugin.

Woocommerce Tip/Donation

Plugin: Woocommerce Tip/Donation
Plugin Slug: woo-tipdonation
Installations: 200+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-28783
The vulnerability has not been patched. You should deactivate the plugin.

Dynamically Register Sidebars

Plugin: Dynamically Register Sidebars
Plugin Slug: dynamically-register-sidebars
Installations: 100+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-31091
The vulnerability has not been patched. You should deactivate the plugin.

Easy Bet

Plugin: Easy Bet
Plugin Slug: easy-bet
Installations: 100+
Vulnerability: SQL Injection
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-31092
The vulnerability has not been patched. You should deactivate the plugin.

Pretty Url

Plugin: Pretty Url
Plugin Slug: pretty-url
Installations: 100+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-2009
The vulnerability has not been patched. You should deactivate the plugin.

Advanced Youtube Channel Pagination

Plugin: Advanced Youtube Channel Pagination
Plugin Slug: advanced-youtube-channel-pagination
Installations: 60+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-28693
The vulnerability has not been patched. You should deactivate the plugin.

Membership Database

Plugin: Membership Database
Plugin Slug: member-database
Installations: 30+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-0514
The vulnerability has not been patched. You should deactivate the plugin.

BizLibrary

Plugin: BizLibrary
Plugin Slug: bizlibrary
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-0892
The vulnerability has not been patched. You should deactivate the plugin.

Chronosly Events Calendar

Plugin: Chronosly Events Calendar
Plugin Slug: chronosly-events-calendar
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-31093
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

CRM Memberships

Plugin: CRM Memberships
Plugin Slug: crm-memberships
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-27427
The vulnerability has not been patched. You should deactivate the plugin.

Decon WP SMS

Plugin: Decon WP SMS
Plugin Slug: decon-wp-sms
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-27416
The vulnerability has not been patched. You should deactivate the plugin.

Forms Ada – Form Builder

Plugin: Forms Ada – Form Builder
Plugin Slug: forms-ada-form-builder
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: CVE-2023-27613
The vulnerability has not been patched. You should deactivate the plugin.

Help Desk WP

Plugin: Help Desk WP
Plugin Slug: helpdeskwp
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: CVE-2023-1019
The vulnerability has not been patched. You should deactivate the plugin.

NS Coupon To Become Customer

Plugin: NS Coupon To Become Customer
Plugin Slug: ns-coupon-to-become-customer
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: CVE-2023-27422
The vulnerability has not been patched. You should deactivate the plugin.

Post Shortcode

Plugin: Post Shortcode
Plugin Slug: post-shortcode
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: CVE-2023-0526
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Product Slider For WooCommerce Lite

Plugin: Product Slider For WooCommerce Lite
Plugin Slug: product-slider-for-woocommerce-lite
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: CVE-2023-0537
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

RapidExpCart

Plugin: RapidExpCart
Plugin Slug: rapidexpcart
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: CVE-2023-0520
The vulnerability has not been patched. You should deactivate the plugin.

SEO Alert

Plugin: SEO Alert
Plugin Slug: seo-alert
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: CVE-2023-2225
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

KIWIZ Invoices Certification & PDF System

Plugin: KIWIZ Invoices Certification & PDF System
Plugin Slug: woocommerce-gateway-certification-de-facture-et-gestion-de-pdf-kiwiz
Vulnerability: Arbitrary File Download
Patched in Version: No Fix
Severity Score: High
CVE: CVE-2023-2180
The vulnerability has not been patched. You should deactivate the plugin.

WooCommerce Order Status Change Notifier

Plugin: WooCommerce Order Status Change Notifier
Plugin Slug: woocommerce-order-status-change-notifier
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: CVE-2023-2179
The vulnerability has not been patched. You should deactivate the plugin.

Wp D3

Plugin: Wp D3
Plugin Slug: wp-d3
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: CVE-2023-0536
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

WordPress Theme Vulnerabilities

In this section, you’ll find the latest WordPress theme vulnerabilities to be disclosed. The same information is provided as for the vulnerable plugins above, and the same advice applies. If a security update exists, install it immediately. If a vulnerability remains unpatched in a theme you are actively using, you will need to find an alternative theme: an active theme cannot be deactivated on its own, so activate the replacement first, then delete the vulnerable theme. Delete persistently unpatched themes and those that have been “Closed” in the WordPress.org theme repository. If you have a vulnerable theme installed that you are not actively using, simply delete it.

Cream Magazine

Theme: Cream Magazine
Theme Slug: cream-magazine
Downloads: 228,678
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: CVE-2023-28687
The vulnerability has not been patched. You should switch themes.

Fascinate

Theme: Fascinate
Theme Slug: fascinate
Downloads: 85,974
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: CVE-2023-28687
The vulnerability has not been patched. You should switch themes.

Cream Blog

Theme: Cream Blog
Theme Slug: cream-blog
Downloads: 63,606
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: CVE-2023-28687
The vulnerability has not been patched. You should switch themes.

Everest News

Theme: Everest News
Theme Slug: everest-news
Downloads: 53,712
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: CVE-2023-27421
The vulnerability has not been patched. You should switch themes.

Viable Blog

Theme: Viable Blog
Theme Slug: viable-blog
Downloads: 32,005
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: CVE-2023-27419
The vulnerability has not been patched. You should switch themes.

Glaze Blog Lite

Theme: Glaze Blog Lite
Theme Slug: glaze-blog-lite
Downloads: 26,199
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: CVE-2023-28687
The vulnerability has not been patched. You should switch themes.

Arya Multipurpose

Theme: Arya Multipurpose
Theme Slug: arya-multipurpose
Downloads: 16,065
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: CVE-2023-27420
The vulnerability has not been patched. You should switch themes.

Mocho Blog

Theme: Mocho Blog
Theme Slug: mocho-blog
Downloads: 6,884
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: CVE-2023-27412
The vulnerability has not been patched. You should switch themes.
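
Taken together, the per-entry advice above is one procedure: compare what is installed against the “No Fix” slugs, deactivate plugins that are merely unpatched, delete the ones that have been closed, and switch away from vulnerable themes before deleting them. The script below is an added example of that triage; it is not iThemes code and is not part of the original report. It assumes WP-CLI is the tool in use and parses the shape of `wp plugin list --fields=name,status --format=csv` (and the same for `wp theme list`); the two CSV inputs are constructed sample output rather than a real site, and the slug-to-action mapping is read off the entries in this report. It only prints the WP-CLI commands, so the plan can be reviewed before anything is run.

```shell
# Added example, not iThemes code. Constructed sample output of
#   wp plugin list --fields=name,status --format=csv
#   wp theme  list --fields=name,status --format=csv
SAMPLE_PLUGIN_CSV='name,status
pretty-url,active
helpdeskwp,inactive
akismet,active
post-shortcode,active
seo-alert,inactive'

SAMPLE_THEME_CSV='name,status
cream-magazine,active
twentytwentythree,inactive
fascinate,inactive'

# slug:action pairs from this report: "delete" where the report says the
# plugin is closed on wordpress.org, "deactivate" where it only says deactivate.
UNPATCHED_PLUGINS='pretty-url:deactivate
advanced-youtube-channel-pagination:deactivate
member-database:deactivate
bizlibrary:deactivate
chronosly-events-calendar:delete
crm-memberships:deactivate
decon-wp-sms:deactivate
forms-ada-form-builder:deactivate
helpdeskwp:deactivate
ns-coupon-to-become-customer:deactivate
post-shortcode:delete
product-slider-for-woocommerce-lite:delete
rapidexpcart:deactivate
seo-alert:delete
woocommerce-gateway-certification-de-facture-et-gestion-de-pdf-kiwiz:deactivate
woocommerce-order-status-change-notifier:deactivate
wp-d3:delete'

# All eight themes in the report are unpatched; the advice is to switch themes.
UNPATCHED_THEMES='cream-magazine:switch
fascinate:switch
cream-blog:switch
everest-news:switch
viable-blog:switch
glaze-blog-lite:switch
arya-multipurpose:switch
mocho-blog:switch'

# triage_extensions CSV ACTIONS -> "slug action status" for each installed
# extension that appears in the report, whether it is active or not.
triage_extensions() {
  printf '%s\n' "$1" | awk -F, -v vulns="$2" '
    BEGIN {
      n = split(vulns, lines, "\n")
      for (i = 1; i <= n; i++) {
        if (lines[i] == "") continue
        split(lines[i], kv, ":")
        action[kv[1]] = kv[2]
      }
    }
    FNR == 1 { next }                    # skip the CSV header row
    ($1 in action) { print $1, action[$1], $2 }
  '
}

# wp_cli_plan TYPE CSV ACTIONS -> the WP-CLI commands to run, in order.
# TYPE is "plugin" or "theme". Nothing here executes wp; review the plan first.
wp_cli_plan() {
  type_="$1"
  triage_extensions "$2" "$3" | while read -r slug action status; do
    case "$action" in
      deactivate)
        if [ "$status" = active ]; then echo "wp $type_ deactivate $slug"; fi
        ;;
      delete)
        # wp plugin delete removes the files without deactivating first
        if [ "$status" = active ]; then echo "wp $type_ deactivate $slug"; fi
        echo "wp $type_ delete $slug"
        ;;
      switch)
        # the active theme cannot be deleted; the replacement is a human choice
        if [ "$status" = active ]; then
          echo "# $slug is the active theme: run 'wp theme activate <replacement>' first"
        fi
        echo "wp $type_ delete $slug"
        ;;
    esac
  done
}
```

To run it against a real site, pass live output in place of the sample: `wp_cli_plan plugin "$(wp plugin list --fields=name,status --format=csv)" "$UNPATCHED_PLUGINS"`. Note that `wp plugin delete` removes the plugin’s files without running its uninstall routine, so options or tables it created stay in the database; `wp plugin uninstall --deactivate <slug>` runs that routine and then deletes the files, which is the closer match to the report’s “uninstall and delete” advice for closed plugins.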

Never worry about running a vulnerable plugin or theme again.

As you can see from this report, new WordPress plugin and theme vulnerabilities are disclosed every week. We know it can be difficult to stay on top of every reported vulnerability disclosure that matters to you, so the iThemes Security Pro plugin makes it easy to ensure your site isn’t running a vulnerable theme, plugin, or version of WordPress core.

Scans Your Website Twice a Day for Vulnerabilities

Your website’s plugins, themes, and WordPress core versions are checked against the Patchstack Vulnerability Database for the latest vulnerability disclosures.

Automatically Updates if a Security Fix is Available

Paired with Version Management, iThemes Security will automatically update a plugin, theme, or WordPress core version when the installed version has a disclosed vulnerability and a fixed version is available.

Emails You a Warning if Site Scan Detects a Vulnerability

You can receive an email report if your site is running vulnerable versions of a plugin, theme, or WordPress core. Customize the email addresses that receive scan results.

iThemes Security Pro

The Best WordPress Security Plugin to Secure & Protect WordPress Sites

WordPress currently powers over 40% of all websites, so it has become a popular target for hackers with malicious intent. The iThemes Security Pro plugin takes the guesswork out of WordPress security to make it easy to secure & protect your WordPress website. It’s like having a full-time security expert on staff who constantly monitors and protects your WordPress site for you.


Dan Knauss

Dan Knauss is StellarWP’s Technical Content Generalist. He’s been a writer, teacher, and freelancer working in open source since the late 1990s and with WordPress since 2004.

