WordPress Vulnerability Report

On May 20, 2023, WordPress 6.2.2 was released to address a regression — a bug introduced in 6.2.1 that broke shortcode functionality — as well as a security issue. Because 6.2.2 is a security release, you should update your sites immediately. All versions since WordPress 5.9 have also been updated. The next major version of WordPress Core, slated for an August release, will be 6.3.

WordPress core has been updated to secure one vulnerability disclosed with its 6.2.2 release. In the plugin and theme ecosystem, 85 total vulnerabilities emerged in public disclosure. They may affect over 12 million WordPress sites. Out of the total number, there are 57 plugin vulnerabilities and 2 theme vulnerabilities that have security patches available.

Additionally, there are 25 plugin vulnerabilities and 1 theme vulnerability with no patch available yet. If you are using any unpatched plugins or themes, check their vendors’ intentions and progress on a security release. If no patch is forthcoming or the vulnerable software has been closed and dropped from the official WordPress theme and plugin repositories, you should consider deactivation and removal in favor of alternative solutions.

WordPress Core Vulnerabilities — Patched

WordPress Core

Vulnerability: Unauth. Shortcode Execution
Patched in Version: 6.2.2
Severity Score: Medium

WordPress core is very secure when it’s properly configured and maintained. Vulnerable plugins that have not been updated by site owners are the most common vector for attacks on WordPress websites. Our weekly WordPress Vulnerability Report, powered by Patchstack, covers new WordPress plugin, theme, and core vulnerabilities that have emerged since last week’s report. Our goal is to spread awareness of emerging security threats and help you decide what to do if you are using vulnerable software on your website. For a deeper analysis of recent trends in WordPress vulnerabilities and threat vectors, see our 2022 Annual Vulnerability Report.

These reports are published every Wednesday and include all active vulnerabilities tracked by Patchstack as of Monday since the previous report. This leaves a 48-hour window for the newest emerging vulnerabilities to be patched before full public disclosure. iThemes Security Pro users have access to vulnerability alerts emerging within this window.

Get the weekly WordPress Vulnerability Report delivered to your inbox each Wednesday.

WordPress Plugin Vulnerabilities — Patched

In this section, you’ll find the most recently disclosed WordPress plugin vulnerabilities that have been fixed with a new release from their authors and maintainers. Please apply the updates if you are affected!

These vulnerabilities have been disclosed and scored for their severity, thanks to our friends at Patchstack. Each plugin listing includes the type of vulnerability with its CVE number and CVSS severity rating with links to more technical details. You’ll also see the number of active sites using the plugin and the plugin version release that patches the vulnerability. We start with the most popular plugins, which represent the largest target for attackers.

Elementor

Plugin: Elementor Website Builder – More than Just a Page Builder
Plugin Slug: elementor
Installations: 5,000,000+
Vulnerability: Broken Access Control
Patched in Version: 3.13.3
Severity Score: Medium
CVE: 2023-33922

Jetpack

Plugin: Jetpack – WP Security, Backup, Speed, & Growth
Plugin Slug: jetpack
Installations: 5,000,000+
Vulnerability: Arbitrary File Overwrite
Patched in Version: 12.1.1
Severity Score: Critical

WooCommerce Shipping & Tax

Plugin: WooCommerce Shipping & Tax
Plugin Slug: woocommerce-services
Installations: 900,000+
Vulnerability: Stored Cross Site Scripting (XSS)
Patched in Version: 2.2.5
Severity Score: Medium

Unlimited Elements For Elementor

Plugin: Unlimited Elements For Elementor (Free Widgets, Addons, Templates)
Plugin Slug: unlimited-elements-for-elementor
Installations: 200,000+
Vulnerability: Unrestricted Zip Extraction
Patched in Version: 1.5.61
Severity Score: Critical
CVE: 2023-31090

Custom Twitter Feeds

Plugin: Custom Twitter Feeds (Tweets Widget)
Plugin Slug: custom-twitter-feeds
Installations: 100,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 2.0
Severity Score: Medium
CVE: 2022-33974

Contact Form Entries

Plugin: Contact Form Entries – Contact Form 7, WPforms and more
Plugin Slug: contact-form-entries
Installations: 60,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.3.1
Severity Score: Medium
CVE: 2023-33311

Contact Form Entries

Plugin: Contact Form Entries – Contact Form 7, WPforms and more
Plugin Slug: contact-form-entries
Installations: 60,000+
Vulnerability: Auth. SQL Injection
Patched in Version: 1.3.1
Severity Score: High
CVE: 2023-31212

WP-Matomo Integration (WP-Piwik)

Plugin: WP-Matomo Integration (WP-Piwik)
Plugin Slug: wp-piwik
Installations: 60,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.0.28
Severity Score: Medium
CVE: 2023-33211

Ultimate Dashboard

Plugin: Ultimate Dashboard – Custom WordPress Dashboard
Plugin Slug: ultimate-dashboard
Installations: 50,000+
Vulnerability: Authenticated(Administrator+) Stored Cross-Site Scripting via plugin settings
Patched in Version: 3.7.6
Severity Score: Medium

Easy Google Maps

Plugin: Easy Google Maps
Plugin Slug: google-maps-easy
Installations: 30,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.11.8
Severity Score: High
CVE: 2023-33926

JetFormBuilder

Plugin: JetFormBuilder — Dynamic Blocks Form Builder
Plugin Slug: jetformbuilder
Installations: 30,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 3.0.7
Severity Score: Medium
CVE: 2023-33212

BEAR

Plugin: BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net
Plugin Slug: woo-bulk-editor
Installations: 30,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.1.3.2
Severity Score: Medium
CVE: 2023-33314

Download Plugin

Plugin: Download Plugin
Plugin Slug: download-plugin
Installations: 20,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 2.0.5
Severity Score: Medium
CVE: 2022-36345

Uncanny Automator

Plugin: Uncanny Automator – Automate everything with the #1 no-code Automation tool for WordPress
Plugin Slug: uncanny-automator
Installations: 20,000+
Vulnerability: Cross-Site Request Forgery via update_automator_connect
Patched in Version: 4.15
Severity Score: Medium

Product Gallery Slider for WooCommerce

Plugin: Product Gallery Slider for WooCommerce
Plugin Slug: woo-product-gallery-slider
Installations: 20,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 2.2.9
Severity Score: Medium
CVE: 2022-45372

Unite Gallery Lite

Plugin: Unite Gallery Lite
Plugin Slug: unite-gallery-lite
Installations: 10,000+
Vulnerability: Local File Inclusion
Patched in Version: 1.7.60
Severity Score: Medium
CVE: 2023-33310

WP Coder

Plugin: WP Coder – add custom html, css and js code
Plugin Slug: wp-coder
Installations: 10,000+
Vulnerability: Reflected Cross-Site Scripting via ‘page’ parameter
Patched in Version: 2.5.6
Severity Score: High
CVE: 2023-2362

bbp style pack

Plugin: bbp style pack
Plugin Slug: bbp-style-pack
Installations: 8,000+
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: 5.5.6
Severity Score: High
CVE: 2023-33997

WordPress Backup & Migration

Plugin: WordPress Backup & Migration
Plugin Slug: wp-migration-duplicator
Installations: 8,000+
Vulnerability: Broken Access Control
Patched in Version: 1.4.1
Severity Score: Medium
CVE: 2023-33928

Drop Shadow Boxes

Plugin: Drop Shadow Boxes
Plugin Slug: drop-shadow-boxes
Installations: 6,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.7.11
Severity Score: Medium
CVE: 2023-23833

WP EasyCart

Plugin: Shopping Cart & eCommerce Store
Plugin Slug: wp-easycart
Installations: 6,000+
Vulnerability: Cross-Site Request Forgery via process_delete_product
Patched in Version: 5.4.9
Severity Score: Medium
CVE: 2023-2891

WP EasyCart

Plugin: Shopping Cart & eCommerce Store
Plugin Slug: wp-easycart
Installations: 6,000+
Vulnerability: Cross-Site Request Forgery via process_bulk_delete_product
Patched in Version: 5.4.9
Severity Score: Medium
CVE: 2023-2892

WP EasyCart

Plugin: Shopping Cart & eCommerce Store
Plugin Slug: wp-easycart
Installations: 6,000+
Vulnerability: Cross-Site Request Forgery via process_bulk_deactivate_product
Patched in Version: 5.4.9
Severity Score: Medium
CVE: 2023-2894

WP EasyCart

Plugin: Shopping Cart & eCommerce Store
Plugin Slug: wp-easycart
Installations: 6,000+
Vulnerability: Cross-Site Request Forgery via process_deactivate_product
Patched in Version: 5.4.9
Severity Score: Medium
CVE: 2023-2893

WP EasyCart

Plugin: Shopping Cart & eCommerce Store
Plugin Slug: wp-easycart
Installations: 6,000+
Vulnerability: Cross-Site Request Forgery via process_duplicate_product
Patched in Version: 5.4.9
Severity Score: Medium
CVE: 2023-2896

WP EasyCart

Plugin: Shopping Cart & eCommerce Store
Plugin Slug: wp-easycart
Installations: 6,000+
Vulnerability: Cross-Site Request Forgery via process_bulk_activate_product
Patched in Version: 5.4.9
Severity Score: Medium
CVE: 2023-2895

WOLF

Plugin: WOLF – WordPress Posts Bulk Editor and Manager Professional
Plugin Slug: bulk-editor
Installations: 5,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.0.7.1
Severity Score: Medium
CVE: 2023-34028

PluginOps Optin Builder

Plugin: MailChimp Subscribe Form, Optin Builder, PopUp Builder, Form Builder
Plugin Slug: mailchimp-subscribe-sm
Installations: 5,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 4.0.9.2
Severity Score: Medium
CVE: 2023-33328

MStore API

Plugin: MStore API
Plugin Slug: mstore-api
Installations: 5,000+
Vulnerability: Authentication Bypass
Patched in Version: 3.9.2
Severity Score: Critical
CVE: 2023-2734

MStore API

Plugin: MStore API
Plugin Slug: mstore-api
Installations: 5,000+
Vulnerability: Authentication Bypass
Patched in Version: 3.9.3
Severity Score: Critical
CVE: 2023-2732

Download Theme

Plugin: Download Theme
Plugin Slug: download-theme
Installations: 4,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.1.0
Severity Score: Medium
CVE: 2022-38062

OAuth Single Sign On – SSO (OAuth Client)

Plugin: OAuth Single Sign On – SSO (OAuth Client)
Plugin Slug: miniorange-login-with-eve-online-google-facebook
Installations: 4,000+
Vulnerability: Broken Authentication
Patched in Version: 6.23.4
Severity Score: High
CVE: 2022-34155

WS Form LITE

Plugin: WS Form LITE – Drag & Drop Contact Form Builder for WordPress
Plugin Slug: ws-form
Installations: 4,000+
Vulnerability: CAPTCHA Bypass
Patched in Version: 1.9.118
Severity Score: Medium

Multiple Page Generator Plugin – MPG

Plugin: Multiple Page Generator Plugin – MPG
Plugin Slug: multiple-pages-generator-by-porthas
Installations: 2,000+
Vulnerability: SQL Injection
Patched in Version: 3.3.20
Severity Score: High
CVE: 2023-33927

Bubble Menu

Plugin: Bubble Menu – circle floating menu
Plugin Slug: bubble-menu
Installations: 1,000+
Vulnerability: Reflected Cross-Site Scripting via ‘page’ parameter
Patched in Version: 3.0.4
Severity Score: High
CVE: 2023-2362

EventPrime

Plugin: EventPrime – Modern Events Calendar, Bookings and Tickets
Plugin Slug: eventprime-event-calendar-management
Installations: 1,000+
Vulnerability: Sensitive Data Exposure
Patched in Version: 3.0.0
Severity Score: Medium
CVE: 2023-33321

EventPrime

Plugin: EventPrime – Modern Events Calendar, Bookings and Tickets
Plugin Slug: eventprime-event-calendar-management
Installations: 1,000+
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: 3.0.0
Severity Score: High
CVE: 2023-33326

Novelist

Plugin: Novelist
Plugin Slug: novelist
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.2.1
Severity Score: Medium
CVE: 2023-32958

Smart App Banner

Plugin: Smart App Banner
Plugin Slug: smart-app-banner
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.1.3
Severity Score: Medium
CVE: 2023-33315

Telegram Bot & Channel

Plugin: Telegram Bot & Channel
Plugin Slug: telegram-bot
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.6.3
Severity Score: Medium
CVE: 2023-34006

WIP Custom Login

Plugin: WIP Custom Login
Plugin Slug: wip-custom-login
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.3.0
Severity Score: Medium
CVE: 2023-33313

WP-Hijri

Plugin: WP-Hijri
Plugin Slug: wp-hijri
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.5.2
Severity Score: High
CVE: 2023-33320

YouTube Playlist Player

Plugin: YouTube Playlist Player
Plugin Slug: youtube-playlist-player
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 4.6.5
Severity Score: Medium
CVE: 2023-33931

Duplicator Pro

Plugin: Duplicator Pro
Plugin Slug: duplicator-pro
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: 4.5.11.1
Severity Score: High
CVE: 2023-33309

Go Pricing – WordPress Responsive Pricing Tables

Plugin: Go Pricing
Plugin Slug: go-pricing-wordpress-responsive-pricing-tables
Vulnerability: Authenticated (Subscriber+) PHP Object Injection
Patched in Version: 3.4
Severity Score: Medium
CVE: 2023-2500

Gravity Forms

Plugin: Gravity Forms
Plugin Slug: gravityforms
Vulnerability: Unauthenticated PHP Object Injection
Patched in Version: 2.7.4
Severity Score: High
CVE: 2023-28782

Qubotchat

Plugin: QuBot – Chatbot Builder with Templates
Plugin Slug: qubotchat
Vulnerability: Admin+ Stored Cross Site Scripting (XSS)
Patched in Version: 1.1.6
Severity Score: Medium
CVE: 2023-2401

Rank Math SEO PRO

Plugin: Rank Math SEO PRO
Plugin Slug: seo-by-rank-math-pro
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: 3.0.36
Severity Score: High
CVE: 2023-32800

LearnDash LMS

Plugin: LearnDash LMS
Plugin Slug: sfwd-lms
Vulnerability: Auth. SQL Injection (SQLi)
Patched in Version: 4.5.3.1
Severity Score: High
CVE: 2023-28777

WooCommerce Follow-Up Emails

Plugin: WooCommerce Follow-Up Emails
Plugin Slug: woocommerce-follow-up-emails
Vulnerability: Follow-Up Emails Manager+ SQL Injection
Patched in Version: 4.9.51
Severity Score: High
CVE: 2023-33330

WooCommerce Follow-Up Emails

Plugin: WooCommerce Follow-Up Emails
Plugin Slug: woocommerce-follow-up-emails
Vulnerability: Arbitrary File Upload
Patched in Version: 4.9.50
Severity Score: Critical
CVE: 2023-33318

WooCommerce Follow-Up Emails

Plugin: WooCommerce Follow-Up Emails
Plugin Slug: woocommerce-follow-up-emails
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: 4.9.50
Severity Score: High
CVE: 2023-33319

WooCommerce Follow-Up Emails

Plugin: WooCommerce Follow-Up Emails
Plugin Slug: woocommerce-follow-up-emails
Vulnerability: Multiple Cross Site Request Forgery (CSRF)
Patched in Version: 4.9.50
Severity Score: Medium
CVE: 2023-33316

WooCommerce Product Vendors

Plugin: WooCommerce Product Vendors
Plugin Slug: woocommerce-product-vendors
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: 2.1.77
Severity Score: High
CVE: 2023-33332

WooCommerce Product Vendors

Plugin: WooCommerce Product Vendors
Plugin Slug: woocommerce-product-vendors
Vulnerability: Vendor Admin+ SQL Injection
Patched in Version: 2.1.77
Severity Score: High
CVE: 2023-33331

WooCommerce Warranty Requests

Plugin: WooCommerce Warranty Requests
Plugin Slug: woocommerce-warranty
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: 2.1.7
Severity Score: High
CVE: 2023-33317

Yoast SEO: Local

Plugin: Yoast SEO: Local
Plugin Slug: wpseo-local
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 15.0
Severity Score: Medium
CVE: 2023-28785

WordPress Plugin Vulnerabilities — Unpatched

This section contains plugin vulnerabilities with no known fix. Until a patch is available, you are advised to deactivate the plugin, at minimum, immediately. If there is a high risk of active exploits or the plugin remains unpatched for weeks, you are advised to delete the plugin. You should also delete persistently unpatched plugins the WordPress.org repository has locked and marked “Closed” so they can no longer be downloaded and installed.

Tutor LMS

Plugin: Tutor LMS – eLearning and online course solution
Plugin Slug: tutor
Installations: 70,000+
Vulnerability: Multiple Broken Access Control
Patched in Version: No Fix
Severity Score: High
CVE: 2023-25799

Button Generator

Plugin: Button Generator – easily Button Builder
Plugin Slug: button-generation
Installations: 6,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-25443

Flickr Justified Gallery

Plugin: Flickr Justified Gallery
Plugin Slug: flickr-justified-gallery
Installations: 6,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-25473

Google Map Shortcode

Plugin: Google Map Shortcode
Plugin Slug: google-map-shortcode
Installations: 4,000+
Vulnerability: Contributor+ Stored XSS
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-2899

WooCommerce Product Categories Selection Widget

Plugin: WooCommerce Product Categories Selection Widget
Plugin Slug: woocommerce-product-category-selection-widget
Installations: 3,000+
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-33925

Custom Post Type Generator

Plugin: Custom Post Type Generator
Plugin Slug: custom-post-type-generator
Installations: 2,000+
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-33329

Leyka

Plugin: Leyka
Plugin Slug: leyka
Installations: 2,000+
Vulnerability: Privilege Escalation
Patched in Version: No Fix
Severity Score: High
CVE: 2023-33327

Leyka

Plugin: Leyka
Plugin Slug: leyka
Installations: 2,000+
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-33325

Easy Admin Menu

Plugin: Easy Admin Menu
Plugin Slug: easy-admin-menu
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-33929

Easy Captcha

Plugin: Easy Captcha
Plugin Slug: easy-captcha
Installations: 1,000+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-33324

Easy Captcha

Plugin: Easy Captcha
Plugin Slug: easy-captcha
Installations: 1,000+
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-33312

This Day In History

Plugin: This Day In History
Plugin Slug: this-day-in-history
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-34026

SKU Label Changer For WooCommerce

Plugin: SKU Label Changer For WooCommerce
Plugin Slug: woo-sku-label-changer
Installations: 1,000+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-29174

Front End Users

Plugin: Front End Users
Plugin Slug: front-end-only-users
Installations: 900+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-33322

UTM Tracker

Plugin: UTM Tracker
Plugin Slug: utm-tracker
Installations: 900+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-23822

QueryWall

Plugin: QueryWall: Plug'n Play Firewall
Plugin Slug: querywall
Installations: 500+
Vulnerability: Admin+ SQL Injection
Patched in Version: No Fix
Severity Score: High
CVE: 2023-2492

SlideOnline

Plugin: SlideOnline
Plugin Slug: slideonline
Installations: 500+
Vulnerability: Contributor+ Stored Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-0489

IP Metaboxes

Plugin: IP Metaboxes
Plugin Slug: ip-metaboxes
Installations: 100+
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-30753

IP Metaboxes

Plugin: IP Metaboxes
Plugin Slug: ip-metaboxes
Installations: 100+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-30745

SIS Handball

Plugin: SIS Handball
Plugin Slug: sis-handball
Installations: 30+
Vulnerability: SQL Injection
Patched in Version: No Fix
Severity Score: High
CVE: 2023-33924

Responsive Tabs For WPBakery Page Builder

Plugin: Responsive Tabs For WPBakery Page Builder
Plugin Slug: responsive-tabs-for-wpbakery
Vulnerability: Contributor+ Stored Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-0368

Video Contest WordPress Plugin

Plugin: Video Contest WordPress Plugin
Plugin Slug: video-contest
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2022-45823

Video Contest WordPress Plugin

Plugin: Video Contest WordPress Plugin
Plugin Slug: video-contest
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2022-45827

WP Tiles

Plugin: WP Tiles
Plugin Slug: wp-tiles
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-25482

WordPress Theme Vulnerabilities

In this section, you’ll find the latest WordPress theme vulnerabilities to be disclosed. You’ll see the same information provided above for vulnerable plugins, and the same advice applies. If a security update exists, install it immediately. If a vulnerability remains unpatched in a theme you are actively using, you will need to find an alternative theme. Deactivate and delete persistently unpatched themes and those that have been “Closed” in the WordPress.org theme repository. If you have a vulnerable theme installed that you are not actively using, simply delete it.

HashOne

Theme: HashOne
Theme Slug: hashone
Downloads: 160,367
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-33923

Viral

Theme: Viral
Theme Slug: viral
Downloads: 144,927
Vulnerability: Broken Access Control
Patched in Version: 1.8.1
Severity Score: Medium
CVE: 2023-33923

Viral News

Theme: Viral News
Theme Slug: viral-news
Downloads: 86,793
Vulnerability: Broken Access Control
Patched in Version: 1.4.6
Severity Score: Medium
CVE: 2023-33923

Never worry about running a vulnerable plugin or theme again.

As you can see from this report, new WordPress plugin and theme vulnerabilities are disclosed every week. We know it can be difficult to stay on top of every reported vulnerability disclosure that matters to you, so the Themes Security Pro plugin makes it easy to ensure your site isn’t running a vulnerable theme, plugin, or version of WordPress core.

Scans Your Website Twice a Day for Vulnerabilities

Your website’s plugins, themes, and WordPress core versions are checked against the Patchstack Vulnerability Database for the latest vulnerability disclosures.

Automatically Updates if a Security Fix is Available

Paired with Version Management, iThemes Security will automatically update a plugin, theme, or WordPress core version if it has a vulnerability.

Emails You a Warning if Site Scan Detects a Vulnerability

You can receive an email report if your site is running vulnerable versions of a plugin, theme, or WordPress core. Customize the email addresses that receive scan results.

The Best WordPress Security Plugin to Secure & Protect WordPress Sites

WordPress currently powers over 40% of all websites, so it has become a popular target for hackers with malicious intent. The iThemes Security Pro plugin takes the guesswork out of WordPress security to make it easy to secure & protect your WordPress website. It’s like having a full-time security expert on staff who constantly monitors and protects your WordPress site for you.

Buy iThemes Security Pro

Dan Knauss

Dan Knauss is StellarWP’s Technical Content Generalist. He’s been a writer, teacher, and freelancer working in open source since the late 1990s and with WordPress since 2004.

WordPress Vulnerability Report – May 31, 2023

WordPress Core Vulnerabilities — Patched

WordPress Plugin Vulnerabilities — Patched

WordPress Plugin Vulnerabilities — Unpatched

WordPress Theme Vulnerabilities

Never worry about running a vulnerable plugin or theme again.

Scans Your Website Twice a Day for Vulnerabilities

Automatically Updates if a Security Fix is Available

Emails You a Warning if Site Scan Detects a Vulnerability

The Best WordPress Security Plugin to Secure & Protect WordPress Sites

Other related posts

About iThemes

Resources

Customers

Top Products

Get the Weekly WordPress Vulnerability Report

Vulnerable WordPress plugins and themes are the #1 reason WordPress sites get hacked, but keeping track of every new plugin and theme vulnerability is hard work. Get the weekly WordPress Vulnerability Report delivered right to your inbox to help keep your website secure.

iThemes is Becoming SolidWP

We have been working hard for almost a year to bring you incredible new features in the form of our new and improved brand: SolidWP. Discover what’s new!

Get the Weekly WordPress Vulnerability Report