Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. The weekly WordPress Vulnerability Report powered by WPScan covers recent WordPress plugin, theme, and core vulnerabilities, and what to do if you run one of the vulnerable plugins or themes on your website.
Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe.
Please share this post with your friends to help get the word out and make WordPress safer for everyone.
WordPress Core Vulnerabilities
The latest version of WordPress core is 5.8.1 was released as a security and maintenance release. As a best practice, always be sure to run the latest version of WordPress core!
WordPress Plugin Vulnerabilities
In this section, the latest WordPress plugin vulnerabilities have been disclosed. Each plugin listing includes the type of vulnerability, the version number if patched, and the severity rating.
1. Shared Files
Plugin: Shared Files
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 1.6.61
Severity Score: Low
2. QR Redirector
Plugin: QR Redirector
Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched in Version: 1.6.1
Severity Score: Medium
Plugin: QR Redirector
Vulnerability: Subscriber+ Arbitrary QR Redirect Response Status Update
Patched in Version: 1.6
Severity Score: Medium
3. MouseWheel Smooth Scroll
Plugin: MouseWheel Smooth Scroll
Vulnerability: Plugin’s Setting Update via CSRF
Patched in Version: 5.7
Severity Score: Medium
4. Insert Pages
Plugin: Insert Pages
Vulnerability: Contributor+ Arbitrary Posts/Pages Access
Patched in Version: 3.7.0
Severity Score: Medium
Plugin: Insert Pages
Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched in Version: 3.7.0
Severity Score: Medium
5. SEO Redirection
Plugin: SEO Redirection
Vulnerability: Subscriber+ SQL Injection
Patched in Version: 8.2
Severity Score: High
6. Paypal Donation
Plugin: Paypal Donation
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 1.3.2
Severity Score: Low
7. IMPress for IDX Broker
Plugin: IMPress for IDX Broker
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 3.0.6
Severity Score: High
8. Simple JWT Login
Plugin: Simple JWT Login
Vulnerability: Arbitrary Settings Update to Site Takeover via CSRF
Patched in Version: 3.2.1
Severity Score: High
9. My Tickets
Plugin: My Tickets
Vulnerability: Subscriber+ SQL Injection
Patched in Version: 1.8.31
Severity Score: High
10. Client Invoicing by Sprout Invoices
Plugin: Client Invoicing by Sprout Invoices
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 19.9.7
Severity Score: Low
11. Email Log
Plugin: Email Log
Vulnerability: Admin+ SQL Injection
Patched in Version: 2.4.7
Severity Score: Medium
12. WP Performance Score Booster
Plugin WP Performance Score Booster
Vulnerability: Settings Change via CSRF
Patched in Version: 2.1
Severity Score: Medium
13. Active Directory Integration / LDAP Integration
Plugin: Active Directory Integration / LDAP Integration
Vulnerability: Subscriber+ SQL Injection
Patched in Version: 3.6.95
Severity Score: High
14. TableOn
Plugin: TableOn
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 1.0.1
Severity Score: Medium
15. Responsive Image Slider, Photo Gallery And Carousel
Plugin: Responsive Image Slider, Photo Gallery And Carousel
Vulnerability: Slider Clone/Save/Delete via CSRF
Patched in Version: 1.3.2
Severity Score: Medium
Plugin: Responsive Image Slider, Photo Gallery And Carousel
Vulnerability: Subscriber+ Arbitrary Post Access
Patched in Version: 1.3.6
Severity Score: Medium
16. WP Sitemap Page
Plugin: WP Sitemap Page
Vulnerability: Admin+ Stored Cross Site Scripting
Patched in Version: 1.7.0
Severity Score: Low
17. Stream
Plugin: Stream
Vulnerability: Admin+ SQL Injection
Patched in Version: 3.8.2
Severity Score: Medium
18. Helpful
Plugin: Helpful
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 4.4.59
Severity Score: Low
19. LearnPress
Plugin: LearnPress
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 4.1.3.2
Severity Score: Low
20. Content Staging
Plugin: Content Staging
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: No known fix – plugin closed
Severity Score: Low
21. Leaky Paywall
Plugin: Leaky Paywall
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: No known fix
Severity Score: Low
22. Tutor LMS
Plugin: Tutor LMS
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 1.9.11
Severity Score: Medium
23. Logo Showcase with Slick Slider
Plugin: Logo Showcase with Slick Slider
Vulnerability: Author+ Stored Cross Site Scripting
Patched in Version: 1.2.4
Severity Score: Medium
24. Formidable Form Builder
Plugin: Formidable Form Builder
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched in Version: 4.09.05
Severity Score: Low
25. Download Plugin
Plugin: Download Plugin
Vulnerability: Subscriber+ Arbitrary Plugin Activation
Patched in Version: 1.6.1
Severity Score: Medium
26. Images to WebP
Plugin: Images to WebP
Vulnerability: Multiple Cross Site Request Forgery (CSRF)
Patched in Version: 1.9
Severity Score: Medium
Plugin: Images to WebP
Vulnerability: Authenticated Local File Inclusion
Patched in Version: 1.9
Severity Score: Low
27. MStore API
Plugin: MStore API
Vulnerability: Unauthenticated PHP File Upload
Patched in Version: 3.4.5
Severity Score: Critical
28. Easy Digital Downloads
Plugin: Easy Digital Downloads
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 2.11.2.1
Severity Score: High
29. Advanced Access Manager
Plugin: Advanced Access Manager
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 6.8.0
Severity Score: Low
30. YOP Poll
Plugin: YOP Poll
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 6.1.2
Severity Score: Medium
31. WP Attachment Export
Plugin: WP Attachment Export
Vulnerability: Unauthenticated Posts Download
Patched in Version: 0.2.4
Severity Score: High
32. Content text slider on post
Plugin: Content text slider on post
Vulnerability: Authenticated Stored Cross-Site Scripting (XSS)
Patched in Version: 6.9
Severity Score: Medium
33. Icegram
Plugin: Icegram
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 2.0.3
Severity Score: Low
34. BetterLinks
Plugin: BetterLinks
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 1.2.6
Severity Score: Low
35. LearnDash
Plugin: LearnDash
Vulnerability: Unauthenticated Arbitrary File Upload
Patched in Version: 2.5.4
Severity Score: Critical
36. ImageBoss
Plugin: ImageBoss
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 3.0.6
Severity Score: Low
37. Forminator
Plugin: Forminator
Vulnerability: Admin + Stored Cross Site Scripting
Patched in Version: 1.2.4
Severity Score: Low
38. MPL-Publisher
Plugin: MPL-Publisher
Vulnerability: Admin+ Stored Cross Site Scripting
Patched in Version: 1.30.4
Severity Score: Low
39. Elementor
Plugin: Elementor
Vulnerability: DOM Cross Site Scripting
Patched in Version: 3.1.4
Severity Score: Medium
40. Sassy Social Share
Plugin: Sassy Social Share
Vulnerability: Missing Access Controls to PHP Object Injection
Patched in Version: 3.3.24
Severity Score: Medium
41. Pie Register
Plugin: Pie Register
Vulnerability: Open Redirect
Patched in Version: 3.7.2.4
Severity Score: Medium
42. Advanced Forms
Plugin: Advanced Forms
Vulnerability: Subscriber+ Arbitrary User Email Address Update via IDOR
Patched in Version: 1.6.9
Severity Score: High
Plugin: Advanced Forms Pro
Vulnerability: Subscriber+ Arbitrary User Email Address Update via IDOR
Patched in Version: 1.6.9
Severity Score: High
43. Catch Themes Demo Import
Plugin: Catch Themes Demo Import
Vulnerability: Admin+ Arbitrary File Upload
Patched in Version: 1.8
Severity Score: Critical
44. Simple Job Board
Plugin: Simple Job Board
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 2.9.5
Severity Score: Low
45. Ivory Search
Plugin: Ivory Search
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 4.7
Severity Score: High
46. Age Gate
Plugin: Age Gate
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched in Version: 2.16.4
Severity Score: Critical
How to Protect Your WordPress Website From Vulnerable Plugins and Themes
As you can see from this report, lots of new WordPress plugin and theme vulnerabilities are disclosed each week. We know it can be difficult to stay on top of every reported vulnerability disclosure, so the iThemes Security Pro plugin makes it easy to make sure your site isn’t running a theme, plugin or WordPress core version with a known vulnerability.
Get iThemes Security Pro with 24/7 Website Monitoring
iThemes Security Pro, our WordPress security plugin, offers 50+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress, two-factor authentication, brute force protection, strong password enforcement, and more, you can add extra layers of security to your website.
Get iThemes Security Pro
Each week, the team at iThemes team publishes new WordPress tutorials and resources, including the Weekly WordPress Vulnerability Report. Since 2008, iThemes has been dedicated to helping you build, maintain, and secure WordPress sites for yourself or for clients. Our mission? Make People’s Lives Awesome.
