Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. The weekly WordPress Vulnerability Report powered by WPScan covers recent WordPress plugin, theme, and core vulnerabilities, and what to do if you run one of the vulnerable plugins or themes on your website.
Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.
Please share this post with your friends to help get the word out and make WordPress safer for everyone.
WordPress Hosting: GoDaddy Hacked
In a security disclosure published on November 21, 2021, GoDaddy says that up to 1.2 million active and inactive customers have been exposed after hackers gained access to its managed WordPress hosting platform.
We wrote a post to unpack a few of the details of the recent GoDaddy hack, how it affects customers, and our recommendations for what to do if you’re a WordPress hosting customer at GoDaddy.
WordPress Core Vulnerabilities
The latest version of WordPress core is 5.8.2. As a best practice, always be sure to run the latest version of WordPress core!
WordPress Plugin Vulnerabilities
In this section, the latest WordPress plugin vulnerabilities have been disclosed. Each plugin listing includes the type of vulnerability, the version number if patched, and the severity rating.
1. Pixel Cat Lite
Plugin: Pixel Cat Lite
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 2.6.3
Severity Score: Low
Plugin: Pixel Cat Lite
Vulnerability: CSRF to Stored Cross-Site Scripting
Patched in Version: 2.6.2
Severity Score: High
2. All-In-One-Gallery
Plugin: All-In-One-Gallery
Vulnerability: Admin+ Local File Inclusion
Patched in Version: 2.5.0
Severity Score: Low
3. StopBadBots
Plugin: StopBadBots
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 6.67
Severity Score: Critical
4. Temporary Login Without Password
Plugin: Temporary Login Without Password
Vulnerability: Subscriber+ Plugin’s Settings Update
Patched in Version: 1.7.1
Severity Score: Medium
5. ProfilePress
Plugin: ProfilePress
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 3.2.3
Severity Score: Medium
Plugin: ProfilePress
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 3.2.3
Severity Score: High
6. Modern Events Calendar
Plugin: Modern Events Calendar
Vulnerability: Unauthenticated Blind SQL Injection
Patched in Version: 6.1.5
Severity Score: High
Plugin: Modern Events Calendar
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 6.1.5
Severity Score: High
7. Auto Featured Image
Plugin: Auto Featured Image
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 3.9.3
Severity Score: Medium
8. Ultimate NoFollow
Plugin: Ultimate NoFollow
Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched in Version: No known fix – plugin closed
Severity Score: Medium
9. NEX-Forms
Plugin: NEX-Forms
Vulnerability: Multiple Admin+ Stored Cross-Site Scripting
Patched in Version: No known fix – plugin closed
Severity Score: Low
10. SEO Booster
Plugin: SEO Booster
Vulnerability: Admin+ SQL Injection
Patched in Version: No known fix – plugin closed
Severity Score: Medium
11. WP System Log
Plugin: WP System Log
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched in Version: 1.0.21
Severity Score: Critical
12. Inspirational Quote Rotator
Plugin: Inspirational Quote Rotator
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: No known fix – plugin closed
Severity Score: Low
13. Single Post Exporter
Plugin: Single Post Exporter
Vulnerability: Plugin’s Settings Update via CSRF
Patched in Version: No known fix – plugin closed
Severity Score: Medium
14. Flex Local Fonts
Plugin: Flex Local Fonts
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: No known fix – plugin closed
Severity Score: Low
15. WP Admin Logo Changer
Plugin: WP Admin Logo Changer
Vulnerability: Plugin’s Settings Update via CSRF
Patched in Version: No known fix – plugin closed
Severity Score: Medium
16. Contact Form Advanced Database
Plugin: Contact Form Advanced Database
Vulnerability: Unauthorised AJAX Calls
Patched in Version: No known fix
Severity Score: Medium
17. Shiny Buttons
Plugin: Shiny Buttons
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched in Version: No known fix
Severity Score: High
18. Filter Portfolio Gallery
Plugin: Filter Portfolio Gallery
Vulnerability: Arbitrary Gallery Deletion via CSRF
Patched in Version: No known fix
Severity Score: Medium
19. WP Limits
Plugin: WP Limits
Vulnerability: Plugin’s Settings Update via CSRF
Patched in Version: No known fix
Severity Score: Medium
20. Page/Post Content Shortcode
Plugin: Page/Post Content Shortcode
Vulnerability: Contributor+ Arbitrary Posts/Pages Access
Patched in Version: No known fix
Severity Score: Medium
21. Improved Include Page
Plugin: Improved Include Page
Vulnerability: Contributor+ Arbitrary Posts/Pages Access
Patched in Version: No known fix
Severity Score: Medium
22. Mediamatic
Plugin: Mediamatic
Vulnerability: Subscriber+ SQL Injection
Patched in Version: No known fix
Severity Score: High
23. Display Post Metadata
Plugin: Display Post Metadata
Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched in Version: No known fix
Severity Score: Medium
24. ToTop Link
Plugin: ToTop Link
Vulnerability: Unauthenticated PHP Object Injection
Patched in Version: No known fix
Severity Score: Medium
25. User Meta Shortcodes
Plugin: User Meta Shortcodes
Vulnerability: Contributor+ Unauthorized Arbitrary User Metadata Access
Patched in Version: No known fix
Severity Score: High
26. Quotes Collection
Plugin: Quotes Collection
Vulnerability: Admin+ SQL Injection
Patched in Version: No known fix
Severity Score: Medium
27. Push Notifications for WordPress (Lite)
Plugin: Push Notifications for WordPress (Lite)
Vulnerability: Settings Update via CSRF
Patched in Version: 6.0.1
Severity Score: Medium
28. SportsPress
Plugin: SportsPress
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 2.7.9
Severity Score: High
29. Login/Signup Popup
Plugin: Login/Signup Popup
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 2.2
Severity Score: High
30. Preview E-mails for WooCommerce
Plugin: Preview E-mails for WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 2.0.0
Severity Score: Medium
31. WP User Frontend
Plugin: WP User Frontend
Vulnerability: Membership, Profile, Registration & Post Submission Plugin for WordPress
Patched in Version: 3.5.25
Severity Score: Medium
32. Directorist – Business Directory Plugin
Plugin: Directorist – Business Directory Plugin
Vulnerability: CSRF to Remote File Upload
Patched in Version: 7.0.6.2
Severity Score: Critical
33. Easy Registration Forms
Plugin: Easy Registration Forms
Vulnerability: CSRF to Stored Cross-Site Scripting
Patched in Version: No known fix
Severity Score: High
34. WP Reset Pro
Plugin: WP Reset Pro
Vulnerability: Subscriber+ Database Reset
Patched in Version: 5.99
Severity Score: Critical
Plugin: WP Reset Pro
Vulnerability: Database Reset via CSRF
Patched in Version: 5.99
Severity Score: Critical
35. WordPress + Microsoft Office 365
Plugin: WordPress + Microsoft Office 365
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched in Version: 15.4
Severity Score: Critical
36. Duplicate Post
Plugin: Duplicate Post
Vulnerability: Authenticated SQL Injection
Patched in Version: 1.2.0
Severity Score: Medium
37. Backup Migration
Plugin: Backup Migration
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 1.1.6
Severity Score: Medium
How to Protect Your WordPress Website From Vulnerable Plugins and Themes
As this report shows, many new WordPress plugin and theme vulnerabilities are disclosed each week. Staying on top of every reported disclosure is hard, so the iThemes Security Pro plugin makes it easy to check that your site isn’t running a theme, plugin, or WordPress core version with a known vulnerability.
Get iThemes Security Pro with 24/7 Website Security Monitoring
iThemes Security Pro, our WordPress security plugin, offers 50+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress two-factor authentication, brute force protection, strong password enforcement, and more, you can add extra layers of security to your website.
Save 40% Off iThemes Security Pro
Each week, the team at iThemes publishes new WordPress tutorials and resources, including the Weekly WordPress Vulnerability Report. Since 2008, iThemes has been dedicated to helping you build, maintain, and secure WordPress sites for yourself or for clients. Our mission? Make People’s Lives Awesome.