Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. The weekly WordPress Vulnerability Report powered by WPScan covers recent WordPress plugin, theme, and core vulnerabilities, and what to do if you run one of the vulnerable plugins or themes on your website.
Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.
Please share this post with your friends to help get the word out and make WordPress safer for everyone.
WordPress Core Vulnerabilities
The latest version of WordPress core is 5.8.1 was released as a security and maintenance release. As a best practice, always be sure to run the latest version of WordPress core!
WordPress Plugin Vulnerabilities
In this section, the latest WordPress plugin vulnerabilities have been disclosed. Each plugin listing includes the type of vulnerability, the version number if patched, and the severity rating.
1. Shared Files
Plugin: Shared Files
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 1.6.61
Severity Score: Low
2. QR Redirector

Plugin: QR Redirector
Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched in Version: 1.6.1
Severity Score: Medium
Plugin: QR Redirector
Vulnerability: Subscriber+ Arbitrary QR Redirect Response Status Update
Patched in Version: 1.6
Severity Score: Medium
3. MouseWheel Smooth Scroll

Plugin: MouseWheel Smooth Scroll
Vulnerability: Plugin’s Setting Update via CSRF
Patched in Version: 5.7
Severity Score: Medium
4. Insert Pages
Plugin: Insert Pages
Vulnerability: Contributor+ Arbitrary Posts/Pages Access
Patched in Version: 3.7.0
Severity Score: Medium
Plugin: Insert Pages
Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched in Version: 3.7.0
Severity Score: Medium
5. SEO Redirection

Plugin: SEO Redirection
Vulnerability: Subscriber+ SQL Injection
Patched in Version: 8.2
Severity Score: High
6. Paypal Donation

Plugin: Paypal Donation
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 1.3.2
Severity Score: Low
7. IMPress for IDX Broker

Plugin: IMPress for IDX Broker
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 3.0.6
Severity Score: High
8. Simple JWT Login

Plugin: Simple JWT Login
Vulnerability: Arbitrary Settings Update to Site Takeover via CSRF
Patched in Version: 3.2.1
Severity Score: High
9. My Tickets

Plugin: My Tickets
Vulnerability: Subscriber+ SQL Injection
Patched in Version: 1.8.31
Severity Score: High
10. Client Invoicing by Sprout Invoices

Plugin: Client Invoicing by Sprout Invoices
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 19.9.7
Severity Score: Low
11. Email Log

Plugin: Email Log
Vulnerability: Admin+ SQL Injection
Patched in Version: 2.4.7
Severity Score: Medium
12. WP Performance Score Booster

Plugin WP Performance Score Booster
Vulnerability: Settings Change via CSRF
Patched in Version: 2.1
Severity Score: Medium
13. Active Directory Integration / LDAP Integration

Plugin: Active Directory Integration / LDAP Integration
Vulnerability: Subscriber+ SQL Injection
Patched in Version: 3.6.95
Severity Score: High
14. TableOn

Plugin: TableOn
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 1.0.1
Severity Score: Medium
15. Responsive Image Slider, Photo Gallery And Carousel

Plugin: Responsive Image Slider, Photo Gallery And Carousel
Vulnerability: Slider Clone/Save/Delete via CSRF
Patched in Version: 1.3.2
Severity Score: Medium
Plugin: Responsive Image Slider, Photo Gallery And Carousel
Vulnerability: Subscriber+ Arbitrary Post Access
Patched in Version: 1.3.6
Severity Score: Medium
16. WP Sitemap Page

Plugin: WP Sitemap Page
Vulnerability: Admin+ Stored Cross Site Scripting
Patched in Version: 1.7.0
Severity Score: Low
17. Stream

Plugin: Stream
Vulnerability: Admin+ SQL Injection
Patched in Version: 3.8.2
Severity Score: Medium
18. Helpful
Plugin: Helpful
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 4.4.59
Severity Score: Low
19. LearnPress

Plugin: LearnPress
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 4.1.3.2
Severity Score: Low
20. Content Staging
Plugin: Content Staging
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: No known fix – plugin closed
Severity Score: Low
21. Leaky Paywall

Plugin: Leaky Paywall
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: No known fix
Severity Score: Low
22. Tutor LMS

Plugin: Tutor LMS
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 1.9.11
Severity Score: Medium
23. Logo Showcase with Slick Slider

Plugin: Logo Showcase with Slick Slider
Vulnerability: Author+ Stored Cross Site Scripting
Patched in Version: 1.2.4
Severity Score: Medium
24. Formidable Form Builder

Plugin: Formidable Form Builder
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched in Version: 4.09.05
Severity Score: Low
25. Download Plugin

Plugin: Download Plugin
Vulnerability: Subscriber+ Arbitrary Plugin Activation
Patched in Version: 1.6.1
Severity Score: Medium
26. Images to WebP

Plugin: Images to WebP
Vulnerability: Multiple Cross Site Request Forgery (CSRF)
Patched in Version: 1.9
Severity Score: Medium
Plugin: Images to WebP
Vulnerability: Authenticated Local File Inclusion
Patched in Version: 1.9
Severity Score: Low
27. MStore API

Plugin: MStore API
Vulnerability: Unauthenticated PHP File Upload
Patched in Version: 3.4.5
Severity Score: Critical
28. Easy Digital Downloads

Plugin: Easy Digital Downloads
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 2.11.2.1
Severity Score: High
29. Advanced Access Manager

Plugin: Advanced Access Manager
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 6.8.0
Severity Score: Low
30. YOP Poll

Plugin: YOP Poll
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 6.1.2
Severity Score: Medium
31. WP Attachment Export

Plugin: WP Attachment Export
Vulnerability: Unauthenticated Posts Download
Patched in Version: 0.2.4
Severity Score: High
32. Content text slider on post

Plugin: Content text slider on post
Vulnerability: Authenticated Stored Cross-Site Scripting (XSS)
Patched in Version: 6.9
Severity Score: Medium
33. Icegram

Plugin: Icegram
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 2.0.3
Severity Score: Low
34. BetterLinks

Plugin: BetterLinks
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 1.2.6
Severity Score: Low
35. LearnDash
Plugin: LearnDash
Vulnerability: Unauthenticated Arbitrary File Upload
Patched in Version: 2.5.4
Severity Score: Critical
36. ImageBoss

Plugin: ImageBoss
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 3.0.6
Severity Score: Low
37. Forminator

Plugin: Forminator
Vulnerability: Admin + Stored Cross Site Scripting
Patched in Version: 1.2.4
Severity Score: Low
38. MPL-Publisher

Plugin: MPL-Publisher
Vulnerability: Admin+ Stored Cross Site Scripting
Patched in Version: 1.30.4
Severity Score: Low
39. Elementor

Plugin: Elementor
Vulnerability: DOM Cross Site Scripting
Patched in Version: 3.1.4
Severity Score: Medium
40. Sassy Social Share

Plugin: Sassy Social Share
Vulnerability: Missing Access Controls to PHP Object Injection
Patched in Version: 3.3.24
Severity Score: Medium
41. Pie Register

Plugin: Pie Register
Vulnerability: Open Redirect
Patched in Version: 3.7.2.4
Severity Score: Medium
42. Advanced Forms

Plugin: Advanced Forms
Vulnerability: Subscriber+ Arbitrary User Email Address Update via IDOR
Patched in Version: 1.6.9
Severity Score: High
Plugin: Advanced Forms Pro
Vulnerability: Subscriber+ Arbitrary User Email Address Update via IDOR
Patched in Version: 1.6.9
Severity Score: High
43. Catch Themes Demo Import

Plugin: Catch Themes Demo Import
Vulnerability: Admin+ Arbitrary File Upload
Patched in Version: 1.8
Severity Score: Critical
44. Simple Job Board

Plugin: Simple Job Board
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 2.9.5
Severity Score: Low
45. Ivory Search

Plugin: Ivory Search
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 4.7
Severity Score: High
46. Age Gate

Plugin: Age Gate
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched in Version: 2.16.4
Severity Score: Critical
How to Protect Your WordPress Website From Vulnerable Plugins and Themes
As you can see from this report, lots of new WordPress plugin and theme vulnerabilities are disclosed each week. We know it can be difficult to stay on top of every reported vulnerability disclosure, so the iThemes Security Pro plugin makes it easy to make sure your site isn’t running a theme, plugin or WordPress core version with a known vulnerability.

Get iThemes Security Pro with 24/7 Website Monitoring
iThemes Security Pro, our WordPress security plugin, offers 50+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress, two-factor authentication, brute force protection, strong password enforcement, and more, you can add extra layers of security to your website.
Get iThemes Security Pro

Each week, the team at iThemes team publishes new WordPress tutorials and resources, including the Weekly WordPress Vulnerability Report. Since 2008, iThemes has been dedicated to helping you build, maintain, and secure WordPress sites for yourself or for clients. Our mission? Make People’s Lives Awesome.