WordPress Vulnerability Report – September 13, 2023

Since last week, 136 total vulnerabilities emerged in public disclosure. They may affect over four million WordPress sites. There are 76 plugin vulnerabilities and two theme vulnerabilities with security patches, so run those updates!

Additionally, there are 55 plugin vulnerabilities and three theme vulnerabilities with no patch available yet. If you use an unpatched plugin or theme, check their vendors’ intentions and progress on a security release. Suppose no patch is forthcoming or the vulnerable software has been marked “closed” and dropped from the official WordPress theme and plugin repositories. In that case, you should consider deactivation and removal in favor of alternative solutions.

WEBINAR REPLAY NOW AVAILABLE

Discover a streamlined approach to WordPress logins with Passkeys and Solid Security Pro (the new name for iThemes Security Pro). Passkeys are compatible with leading browsers such as Chrome, Firefox, and Safari, as well as biometric logins like Face ID, Touch ID, and Windows Hello. Say goodbye to the hassle of extra two-factor apps, password managers, or intricate password requirements, as website administrators and end users can now enjoy secure logins effortlessly.

Powered by the WebAuthn protocol, these cutting-edge login methods redefine passwordless login experiences, setting the stage for the future of safeguarding sensitive online information, including accessing WordPress sites. Timothy Jacobs, Lead Developer for SolidWP, gives an in-depth exploration of how this innovative technology enhances the WordPress login process for both you and your clients.

Watch the replay

WordPress Core News

“Lionel” was released on August 8, 2023. This release of WordPress was built to help you “create beautiful and compelling websites more efficiently than ever.” See what’s new in WordPress 6.3.

Don’t forget to fully back up your website before installing WordPress 6.3. BackupBuddy, the industry-leading data protection and recovery solution for WordPress, will help you build a strong backup strategy to manage all updates. Embrace the enhanced content creation experience of WordPress 6.3 with confidence — and a backup copy of your website safely stored on a remote server.

WordPress Core Vulnerabilities — Patched

No new WordPress core vulnerabilities were disclosed this week.

WordPress core is very secure when it’s properly configured and maintained. Vulnerable plugins not updated by site owners are the most common vector for attacks on WordPress websites. Our weekly WordPress Vulnerability Report, powered by Patchstack, covers new vulnerabilities that have emerged in plugins, themes, and/or WordPress core since last week’s report. Our goal is to spread awareness of emerging security threats and help you decide what to do if you find vulnerable software on your website. For a deeper analysis of recent trends in WordPress vulnerabilities and threat vectors, see our 2022 Annual Vulnerability Report.

These reports are published every Wednesday and include all active vulnerabilities tracked by Patchstack as of Monday since the previous report. This leaves a 48-hour window for the newest emerging vulnerabilities to be patched before full public disclosure. iThemes Security Pro users have access to vulnerability alerts emerging within this window.

Get the weekly WordPress Vulnerability Report delivered to your inbox each Wednesday.

WordPress Plugin Vulnerabilities — Patched

In this section, you’ll find the most recently disclosed WordPress plugin vulnerabilities fixed with a new release from their authors and maintainers. Please apply the updates if you are affected!

These vulnerabilities have been disclosed and scored for their severity, thanks to our friends at Patchstack. Each plugin listing includes the type of vulnerability with its CVE number and CVSS severity rating with links to more technical details. You’ll also see the number of active sites using the plugin and the plugin version release that patches the vulnerability. We start with the most popular plugins, representing the largest target for attackers.

Starter Templates

Plugin: Starter Templates — Elementor, WordPress & Beaver Builder Templates
Plugin Slug: astra-sites
Installations: 1,000,000+
Vulnerability: Broken Access Control
Patched in Version: 3.2.6
Severity Score: Medium
CVE: 2023-41805

Starter Templates

Plugin: Starter Templates — Elementor, WordPress & Beaver Builder Templates
Plugin Slug: astra-sites
Installations: 1,000,000+
Vulnerability: Server Side Request Forgery (SSRF)
Patched in Version: 3.2.5
Severity Score: High
CVE: 2023-41804

Fluent Forms

Plugin: Contact Form Plugin – Fastest Contact Form Builder Plugin for WordPress by Fluent Forms
Plugin Slug: fluentform
Installations: 300,000+
Vulnerability: Broken Access Control
Patched in Version: 5.0.9
Severity Score: Medium
CVE: 2023-41952

Activity Log

Plugin: Activity Log
Plugin Slug: aryo-activity-log
Installations: 200,000+
Vulnerability: Bypass Vulnerability
Patched in Version: 2.8.8
Severity Score: Medium
CVE: 2023-4281

ProfilePress

Plugin: Paid Membership Plugin, Ecommerce, Registration Form, Login Form, User Profile & Restrict Content – ProfilePress
Plugin Slug: wp-user-avatar
Installations: 200,000+
Vulnerability: Privilege Escalation
Patched in Version: 4.13.2
Severity Score: High
CVE: 2023-41954

ProfilePress

Plugin: Paid Membership Plugin, Ecommerce, Registration Form, Login Form, User Profile & Restrict Content – ProfilePress
Plugin Slug: wp-user-avatar
Installations: 200,000+
Vulnerability: Broken Access Control
Patched in Version: 4.13.2
Severity Score: Medium
CVE: 2023-41953

GiveWP

Plugin: GiveWP – Donation Plugin and Fundraising Platform
Plugin Slug: give
Installations: 100,000+
Vulnerability: Privilege Escalation
Patched in Version: 2.33.1
Severity Score: High
CVE: 2023-41665

Modula

Plugin: Customizable WordPress Gallery Plugin – Modula Image Gallery
Plugin Slug: modula-best-grid-gallery
Installations: 100,000+
Vulnerability: Broken Access Control
Patched in Version: 2.7.5
Severity Score: Low

UserFeedback Lite

Plugin: User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds
Plugin Slug: userfeedback-lite
Installations: 100,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.0.8
Severity Score: High
CVE: 2023-39308

Slimstat Analytics

Plugin: Slimstat Analytics
Plugin Slug: wp-slimstat
Installations: 100,000+
Vulnerability: SQL Injection
Patched in Version: 5.0.10
Severity Score: High
CVE: 2023-4598

Backup Migration

Plugin: BackupBliss – Backup Migration Staging
Plugin Slug: backup-backup
Installations: 90,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.3.0
Severity Score: Medium

Media Library Assistant

Plugin: Media Library Assistant
Plugin Slug: media-library-assistant
Installations: 70,000+
Vulnerability: Remote Code Execution (RCE)
Patched in Version: 3.10
Severity Score: Critical
CVE: 2023-4634

Form Maker by 10Web

Plugin: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder
Plugin Slug: form-maker
Installations: 60,000+
Vulnerability: Arbitrary File Upload
Patched in Version: 1.15.20
Severity Score: Critical

MapPress Maps for WordPress

Plugin: MapPress Maps for WordPress
Plugin Slug: mappress-google-maps-for-wordpress
Installations: 50,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.88.5
Severity Score: Medium
CVE: 2023-4840

Simple Membership

Plugin: Simple Membership
Plugin Slug: simple-membership
Installations: 50,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 4.3.6
Severity Score: High
CVE: 2023-4719

Carousel Slider

Plugin: Carousel Slider
Plugin Slug: carousel-slider
Installations: 40,000+
Vulnerability: Broken Access Control
Patched in Version: 2.2.3
Severity Score: Medium
CVE: 2023-41848

Super Socializer

Plugin: Social Share, Social Login and Social Comments Plugin – Super Socializer
Plugin Slug: super-socializer
Installations: 40,000+
Vulnerability: Broken Access Control
Patched in Version: 7.13.55
Severity Score: Medium
CVE: 2023-41802

Analytify

Plugin: Analytify – Google Analytics Dashboard For WordPress (GA4 made easy)
Plugin Slug: wp-analytify
Installations: 40,000+
Vulnerability: Broken Access Control
Patched in Version: 5.1.1
Severity Score: Low
CVE: 2023-41695

Meks Easy Photo Feed Widget

Plugin: Meks Easy Photo Feed Widget
Plugin Slug: meks-easy-instagram-widget
Installations: 30,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.2.8
Severity Score: Medium
CVE: 2023-25989

Meks Simple Flickr Widget

Plugin: Meks Simple Flickr Widget
Plugin Slug: meks-simple-flickr-widget
Installations: 30,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.3
Severity Score: Medium
CVE: 2023-25989

GS Logo Slider

Plugin: Logo Slider – Logo Showcase, Logo Carousel, Logo Gallery and Client Logo Presentation
Plugin Slug: gs-logo-slider
Installations: 20,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 3.4.3
Severity Score: Medium
CVE: 2022-47150

Meks Easy Ads Widget

Plugin: Meks Easy Ads Widget
Plugin Slug: meks-easy-ads-widget
Installations: 20,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 2.0.8
Severity Score: Medium
CVE: 2023-25989

Meks Smart Author Widget

Plugin: Meks Smart Author Widget
Plugin Slug: meks-smart-author-widget
Installations: 20,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.1.4
Severity Score: Medium
CVE: 2023-25989

Meks ThemeForest Smart Widget

Plugin: Meks ThemeForest Smart Widget
Plugin Slug: meks-themeforest-smart-widget
Installations: 20,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.5
Severity Score: Medium
CVE: 2023-25989

User Submitted Posts

Plugin: User Submitted Posts – Enable Users to Submit Posts from the Front End
Plugin Slug: user-submitted-posts
Installations: 20,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 20230902
Severity Score: Medium
CVE: 2023-41696

WP Accessibility Helper (WAH)

Plugin: WP Accessibility Helper (WAH)
Plugin Slug: wp-accessibility-helper
Installations: 20,000+
Vulnerability: Broken Access Control
Patched in Version: 0.6.2.5
Severity Score: Medium
CVE: 2023-41869

Auto Amazon Links

Plugin: Auto Amazon Links – Amazon Associates Affiliate Plugin
Plugin Slug: amazon-auto-links
Installations: 10,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 5.3.2
Severity Score: Medium
CVE: 2023-4482

rtMedia for WordPress, BuddyPress and bbPress

Plugin: rtMedia for WordPress, BuddyPress and bbPress
Plugin Slug: buddypress-media
Installations: 10,000+
Vulnerability: Broken Access Control
Patched in Version: 4.6.15
Severity Score: Medium
CVE: 2023-41951

Directorist

Plugin: Directorist – WordPress Business Directory Plugin with Classified Ads Listings
Plugin Slug: directorist
Installations: 10,000+
Vulnerability: CSV Injection
Patched in Version: 7.7.2
Severity Score: Medium
CVE: 2023-41798

Directorist

Plugin: Directorist – WordPress Business Directory Plugin with Classified Ads Listings
Plugin Slug: directorist
Installations: 10,000+
Vulnerability: Broken Access Control
Patched in Version: 7.7.2
Severity Score: Medium
CVE: 2022-47150

Meks Time Ago

Plugin: Meks Time Ago
Plugin Slug: meks-time-ago
Installations: 10,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.1.7
Severity Score: Medium
CVE: 2023-25989

SAML Single Sign On – SSO Login

Plugin: SAML Single Sign On – SSO Login
Plugin Slug: miniorange-saml-20-single-sign-on
Installations: 10,000+
Vulnerability: Broken Access Control
Patched in Version: 5.0.5
Severity Score: Medium
CVE: 2023-41873

Order Delivery Date for WooCommerce

Plugin: Order Delivery Date for WooCommerce
Plugin Slug: order-delivery-date-for-woocommerce
Installations: 10,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.20.1
Severity Score: High
CVE: 2023-41874

WP Project Manager

Plugin: WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts
Plugin Slug: wedevs-project-manager
Installations: 10,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 2.6.1
Severity Score: Medium
CVE: 2022-47150

WP Project Manager

Plugin: WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts
Plugin Slug: wedevs-project-manager
Installations: 10,000+
Vulnerability: SQL Injection
Patched in Version: 2.6.1
Severity Score: High
CVE: 2023-34383

weMail

Plugin: weMail – Email Marketing, Newsletter, Optin Forms, Subscribers WordPress Plugin
Plugin Slug: wemail
Installations: 10,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.14.2
Severity Score: Medium
CVE: 2022-47150

Post to Google My Business (Google Business Profile)

Plugin: Post to Google My Business (Google Business Profile)
Plugin Slug: post-to-google-my-business
Installations: 9,000+
Vulnerability: Broken Access Control
Patched in Version: 3.1.15
Severity Score: Medium
CVE: 2023-41689

AcyMailing

Plugin: AcyMailing – Newsletter & mailing automation for WordPress
Plugin Slug: acymailing
Installations: 7,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 8.6.3
Severity Score: High
CVE: 2023-41867

Classifieds

Plugin: WordPress Classifieds Plugin – Ad Directory & Listings by AWP Classifieds
Plugin Slug: another-wordpress-classifieds-plugin
Installations: 7,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 4.3.1
Severity Score: Medium
CVE: 2023-41801

Automatic YouTube Gallery

Plugin: Automatic YouTube Gallery
Plugin Slug: automatic-youtube-gallery
Installations: 6,000+
Vulnerability: Broken Access Control
Patched in Version: 2.3.5
Severity Score: Medium
CVE: 2023-41866

MyCryptoCheckout

Plugin: MyCryptoCheckout – Bitcoin, Ethereum, and 100+ altcoins for WooCommerce
Plugin Slug: mycryptocheckout
Installations: 5,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 2.126
Severity Score: Medium
CVE: 2023-41693

Poll Maker

Plugin: Poll Maker – Best WordPress Poll Plugin
Plugin Slug: poll-maker
Installations: 5,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 4.7.1
Severity Score: High
CVE: 2023-41871

Posts Like Dislike

Plugin: Posts Like Dislike
Plugin Slug: posts-like-dislike
Installations: 5,000+
Vulnerability: Broken Access Control
Patched in Version: 1.1.1
Severity Score: Medium
CVE: 2023-41849

Slider Pro

Plugin: Slider Pro
Plugin Slug: sliderpro
Installations: 5,000+
Vulnerability: Broken Access Control
Patched in Version: 4.8.7
Severity Score: Medium
CVE: 2023-41865

WP Crowdfunding

Plugin: WP Crowdfunding
Plugin Slug: wp-crowdfunding
Installations: 4,000+
Vulnerability: Broken Access Control
Patched in Version: 2.1.6
Severity Score: Medium
CVE: 2023-41870

Meks Video Importer

Plugin: Meks Video Importer
Plugin Slug: meks-video-importer
Installations: 3,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.0.11
Severity Score: Medium
CVE: 2023-25989

WooCommerce PensoPay

Plugin: WooCommerce PensoPay
Plugin Slug: woo-pensopay
Installations: 3,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 6.3.2
Severity Score: High
CVE: 2023-41691

Locatoraid Store Locator

Plugin: Locatoraid Store Locator
Plugin Slug: locatoraid
Installations: 2,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.9.24
Severity Score: High
CVE: 2023-4476

Meks Audio Player

Plugin: Meks Audio Player
Plugin Slug: meks-audio-player
Installations: 2,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.3
Severity Score: Medium
CVE: 2023-25989

StagTools

Plugin: StagTools
Plugin Slug: stagtools
Installations: 2,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.3.8
Severity Score: High
CVE: 2023-41868

WP Directory Kit

Plugin: WP Directory Kit
Plugin Slug: wpdirectorykit
Installations: 2,000+
Vulnerability: Broken Access Control
Patched in Version: 1.2.7
Severity Score: Medium
CVE: 2023-41875

WRC Pricing Tables

Plugin: WRC Pricing Tables – WordPress Responsive CSS3 Pricing Tables
Plugin Slug: wrc-pricing-tables
Installations: 2,000+
Vulnerability: Broken Access Control
Patched in Version: 2.3.8
Severity Score: Medium
CVE: 2023-32293

Bulk NoIndex & NoFollow Toolkit

Plugin: Bulk NoIndex & NoFollow Toolkit
Plugin Slug: bulk-noindex-nofollow-toolkit-by-mad-fish
Installations: 1,000+
Vulnerability: Broken Access Control
Patched in Version: 1.51
Severity Score: Medium
CVE: 2023-41688

CP Blocks

Plugin: CP Blocks
Plugin Slug: cp-blocks
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.0.21
Severity Score: Medium
CVE: 2023-41732

Laposta Signup Basic

Plugin: Laposta Signup Basic
Plugin Slug: laposta-signup-basic
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.4.2
Severity Score: Medium
CVE: 2023-41950

Meks Easy Maps

Plugin: Meks Easy Maps
Plugin Slug: meks-easy-maps
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 2.1.4
Severity Score: Medium
CVE: 2023-25989

Notice Bar

Plugin: Notice Bar
Plugin Slug: notice-bar
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.1.1
Severity Score: Medium
CVE: 2023-41847

POEditor

Plugin: POEditor
Plugin Slug: poeditor
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 0.9.5
Severity Score: Medium
CVE: 2023-32091

User Private Files

Plugin: WordPress File Sharing Plugin
Plugin Slug: user-private-files
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.0.4
Severity Score: Medium
CVE: 2023-4636

WiserNotify Social Proof

Plugin: WiserNotify Social Proof & FOMO Notification, WooCommerce Sales Popup, Review Popups, Notification Bars & Urgency Widgets
Plugin Slug: wiser-notify
Installations: 1,000+
Vulnerability: Broken Access Control
Patched in Version: 2.6
Severity Score: Medium
CVE: 2023-41690

WP Pipes

Plugin: WP Pipes
Plugin Slug: wp-pipes
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.4.1
Severity Score: Medium
CVE: 2023-40009

BitPay Checkout for WooCommerce

Plugin: BitPay Checkout for WooCommerce
Plugin Slug: bitpay-checkout-for-woocommerce
Installations: 900+
Vulnerability: Broken Access Control
Patched in Version: 5.0.0
Severity Score: Medium
CVE: 2023-41803

Swifty Bar, sticky bar by WPGens

Plugin: Swifty Bar, sticky bar by WPGens
Plugin Slug: swifty-bar
Installations: 900+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.2.11
Severity Score: Medium
CVE: 2023-41737

Cookie Notice & Consent

Plugin: Cookie Notice & Consent
Plugin Slug: cookie-notice-consent
Installations: 700+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.6.1
Severity Score: Medium
CVE: 2023-41948

Simple Download Counter

Plugin: Simple Download Counter
Plugin Slug: simple-download-counter
Installations: 500+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.6.1
Severity Score: Medium
CVE: 2023-4838

Laposta Signup Embed

Plugin: Laposta Signup Embed
Plugin Slug: laposta-signup-embed
Installations: 400+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.1.1
Severity Score: Medium

Laposta Signup Embed

Plugin: Laposta Signup Embed
Plugin Slug: laposta-signup-embed
Installations: 400+
Vulnerability: Broken Access Control
Patched in Version: 1.1.1
Severity Score: Medium

RSVPMaker

Plugin: RSVPMaker
Plugin Slug: rsvpmaker
Installations: 400+
Vulnerability: Remote Code Execution (RCE)
Patched in Version: 10.6.7
Severity Score: Critical
CVE: 2023-25054

PeproDev CF7 Database

Plugin: PeproDev CF7 Database
Plugin Slug: pepro-cf7-database
Installations: 200+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.8.0
Severity Score: High
CVE: 2023-41863

iFolders

Plugin: iFolders – Ultimate Folder Manager for Media, Pages, Posts & etc
Plugin Slug: ifolders
Installations: 100+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.5.1
Severity Score: Medium
CVE: 2023-41949

Staff / Employee Business Directory for Active Directory

Plugin: Staff / Employee Business Directory for Active Directory
Plugin Slug: ldap-ad-staff-employee-directory-search
Installations: 10+
Vulnerability: Broken Access Control
Patched in Version: 1.2.3
Severity Score: Medium
CVE: 2023-4757

Premium Starter Templates

Plugin: Premium Starter Templates
Plugin Slug: astra-pro-sites
Vulnerability: Broken Access Control
Patched in Version: 3.2.6
Severity Score: Medium
CVE: 2023-41805

Premium Starter Templates

Plugin: Premium Starter Templates
Plugin Slug: astra-pro-sites
Vulnerability: Server Side Request Forgery (SSRF)
Patched in Version: 3.2.5
Severity Score: High
CVE: 2023-41804

Plugin: Email Newsletter
Plugin Slug: email-newsletter
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 7.9.0
Severity Score: Medium
CVE: 2023-4772

My Account Page Editor

Plugin: My Account Page Editor for Woocommerce
Plugin Slug: my-account-page-editor
Vulnerability: Arbitrary File Upload
Patched in Version: 1.3.2
Severity Score: Critical
CVE: 2023-4536

VS Contact Form

Plugin: VS Contact Form
Plugin Slug: very-simple-contact-form
Vulnerability: Broken Authentication
Patched in Version: 14.0
Severity Score: Medium
CVE: 2023-41862

WordPress Plugin Vulnerabilities — Unpatched

This section contains plugin vulnerabilities with no known fix. Until a patch is available, you are advised to deactivate the plugin, at minimum, immediately. If there is a high risk of active exploits or the plugin remains unpatched for weeks, you are advised to delete the plugin. You should also delete persistently unpatched plugins the WordPress.org repository has locked and marked “Closed” so they can no longer be downloaded and installed.

FileOrganizer

Plugin: FileOrganizer – Manage WordPress and Website Files
Plugin Slug: fileorganizer
Installations: 90,000+
Vulnerability: Arbitrary File Download
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-3664

WooCommerce Conversion Tracking

Plugin: WooCommerce Conversion Tracking
Plugin Slug: woocommerce-conversion-tracking
Installations: 40,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2022-47150

Legal Pages

Plugin: Legal Pages – Privacy Policy, Terms & Conditions, GDPR, CCPA, and Cookie Notice Generator
Plugin Slug: legal-pages
Installations: 10,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2022-47150

MailMunch – Grow your Email List

Plugin: MailMunch – Grow your Email List
Plugin Slug: mailmunch
Installations: 10,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-41852

Texty

Plugin: Texty – SMS Notification for WordPress, WooCommerce, Dokan and more
Plugin Slug: texty
Installations: 10,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2022-47150

Unlimited Elementor Inner Sections By BoomDevs

Plugin: Unlimited Elementor Inner Sections By BoomDevs
Plugin Slug: unlimited-elementor-inner-sections-by-boomdevs
Installations: 7,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2022-47150

Order Delivery Date for WP e-Commerce

Plugin: Order Delivery Date for WP e-Commerce
Plugin Slug: order-delivery-date
Installations: 6,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-41859

Order Delivery Date for WP e-Commerce

Plugin: Order Delivery Date for WP e-Commerce
Plugin Slug: order-delivery-date
Installations: 6,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-41858

weDocs – Knowledgebase and Documentation Plugin for WordPress

Plugin: weDocs – Knowledgebase and Documentation Plugin for WordPress
Plugin Slug: wedocs
Installations: 6,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2022-47150

Outbound Link Manager

Plugin: Outbound Link Manager
Plugin Slug: outbound-link-manager
Installations: 5,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-41850

WP Custom Post Template

Plugin: WP Custom Post Template
Plugin Slug: wp-custom-post-template
Installations: 5,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-41851

Leadster

Plugin: Leadster
Plugin Slug: leadster-marketing-conversacional
Installations: 4,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-41668

SendPress Newsletters

Plugin: SendPress Newsletters
Plugin Slug: sendpress
Installations: 4,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-41730

SendPress Newsletters

Plugin: SendPress Newsletters
Plugin Slug: sendpress
Installations: 4,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-41729

Easy WP Cleaner

Plugin: Easy WP Cleaner
Plugin Slug: easy-wp-cleaner
Installations: 3,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-41697

Live News

Plugin: Live News
Plugin Slug: live-news-lite
Installations: 3,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-41669

Realbig

Plugin: Realbig For WordPress
Plugin Slug: realbig-media
Installations: 3,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-41694

TelSender

Plugin: TelSender – ?ontact form 7, Events, Wpforms and wooccommerce to telegram bot
Plugin Slug: telsender
Installations: 3,000+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-41683

Rescue Shortcodes

Plugin: Rescue Shortcodes
Plugin Slug: rescue-shortcodes
Installations: 2,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-41728

Restrict

Plugin: Restrict – membership, site, content and user access restrictions for WordPress
Plugin Slug: restricted-content
Installations: 2,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-41861

Hide admin notices – Admin Notification Center

Plugin: Hide admin notices – Admin Notification Center
Plugin Slug: wp-admin-notification-center
Installations: 2,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-41672

Back To The Top Button

Plugin: Back To The Top Button
Plugin Slug: back-to-the-top-button
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-41733

Click To Tweet

Plugin: Click To Tweet
Plugin Slug: click-to-tweet
Installations: 1,000+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-41857

Click To Tweet

Plugin: Click To Tweet
Plugin Slug: click-to-tweet
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-41856

Exclusive Team for Elementor

Plugin: Exclusive Team for Elementor
Plugin Slug: exclusive-team-for-elementor
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2022-47150

Goods Catalog

Plugin: Goods Catalog
Plugin Slug: goods-catalog
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-41687

Stock Quotes List

Plugin: Stock Quotes List
Plugin Slug: stock-quotes-list
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-41666

Sunshine Photo Cart

Plugin: Sunshine Photo Cart
Plugin Slug: sunshine-photo-cart
Installations: 1,000+
Vulnerability: Insecure Direct Object References (IDOR)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-41796

Travel Map

Plugin: Travel Map
Plugin Slug: travelmap-blog
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-41860

UniConsent Cookie Consent CMP for GDPR / CCPA

Plugin: UniConsent CMP for GDPR CPRA GPP TCF
Plugin Slug: uniconsent-cmp
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-41800

Product Category Showcase for WooCommerce

Plugin: Product Category Showcase for WooCommerce
Plugin Slug: wc-category-showcase
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2022-47150

WP iCal Availability

Plugin: WP iCal Availability
Plugin Slug: wp-ical-availability
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-41853

Insert Estimated Reading Time

Plugin: Insert Estimated Reading Time
Plugin Slug: insert-estimated-reading-time
Installations: 900+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-41734

wordpress publish post email notification

Plugin: wordpress publish post email notification
Plugin Slug: publish-post-email-notification
Installations: 900+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-41731

Tilda Publishing

Plugin: Tilda Publishing
Plugin Slug: tilda-publishing
Installations: 900+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-31234

Locations

Plugin: Locations
Plugin Slug: locations
Installations: 800+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-41797

Woocommerce Support System

Plugin: Woocommerce Support System
Plugin Slug: wc-support-system
Installations: 300+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-41686

Woocommerce Support System

Plugin: Woocommerce Support System
Plugin Slug: wc-support-system
Installations: 300+
Vulnerability: SQL Injection
Patched in Version: No Fix
Severity Score: High
CVE: 2023-41685

All in One B2B for WooCommerce

Plugin: All in One B2B for WooCommerce
Plugin Slug: all-in-one-b2b-for-woocommerce
Vulnerability: Privilege Escalation
Patched in Version: No Fix
Severity Score: Critical
CVE: 2023-4703

All in One B2B for WooCommerce

Plugin: All in One B2B for WooCommerce
Plugin Slug: all-in-one-b2b-for-woocommerce
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-3547

Crayon Syntax Highlighter

Plugin: Crayon Syntax Highlighter
Plugin Slug: crayon-syntax-highlighter
Vulnerability: Server Side Request Forgery (SSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-4893

WordPress CTA

Plugin: WordPress CTA
Plugin Slug: easy-sticky-sidebar
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2022-47150

Email posts to subscribers

Plugin: Email posts to subscribers
Plugin Slug: email-posts-to-subscribers
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-41736

Email posts to subscribers

Plugin: Email posts to subscribers
Plugin Slug: email-posts-to-subscribers
Vulnerability: Sensitive Data Exposure
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-41735

Export Import Menus

Plugin: Export Import Menus
Plugin Slug: export-import-menus
Vulnerability: Arbitrary File Upload
Patched in Version: No Fix
Severity Score: Critical
CVE: 2023-34385

Font Awesome 4 Menus

Plugin: Font Awesome 4 Menus
Plugin Slug: font-awesome-4-menus
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-4718

Google Maps Plugin by Intergeo

Plugin: Google Maps Plugin by Intergeo
Plugin Slug: intergeo-maps
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-4887

JQuery Accordion Menu Widget

Plugin: JQuery Accordion Menu Widget
Plugin Slug: jquery-vertical-accordion-menu
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-4890

Regpack

Plugin: Regpack
Plugin Slug: regpack
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-41855

SIS Handball

Plugin: SIS Handball
Plugin Slug: sis-handball
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-41684

Use Memcached

Plugin: Use Memcached
Plugin Slug: use-memcached
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-41670

WordPress Social Login

Plugin: WordPress Social Login
Plugin Slug: wordpress-social-login
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-4773

wpCentral

Plugin: wpCentral
Plugin Slug: wp-central
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-41854

WP-dTree

Plugin: WP-dTree
Plugin Slug: wp-dtree-30
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-41667

WP Gallery Metabox

Plugin: WP Gallery Metabox
Plugin Slug: wp-gallery-metabox
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-41876

WordPress Theme Vulnerabilities

In this section, you’ll find the latest WordPress theme vulnerabilities to be disclosed. You’ll see the same information we provided above for vulnerable plugins, and the same advice applies. If a security update exists, install it immediately. If a vulnerability remains unpatched in a theme you are actively using, you must find an alternative theme. Deactivate and delete persistently unpatched themes and those marked “Closed” in the WordPress.org theme repository. If you have a vulnerable theme installed that you are not actively using, delete it.

Wishful Blog

Theme: Wishful Blog
Theme Slug: wishful-blog
Downloads: 79,101
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-28621

Attorney

Theme: Attorney
Theme Slug: attorney
Downloads: 51,491
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-41692

Raise Mag

Theme: Raise Mag
Theme Slug: raise-mag
Downloads: 12,709
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-28621

Flatsome

Theme: Flatsome
Theme Slug: flatsome
Vulnerability: PHP Object Injection
Patched in Version: 3.17.6
Severity Score: High
CVE: 2023-40555

Woodmart

Theme: WoodMart
Theme Slug: woodmart
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 7.2.5
Severity Score: High
CVE: 2023-41872

Never worry about running a vulnerable plugin or theme again.

As you can see from this report, new WordPress plugin and theme vulnerabilities are disclosed every week. We know it can be difficult to stay on top of every reported vulnerability disclosure that matters to you, so the Themes Security Pro plugin makes it easy to ensure your site isn’t running a vulnerable theme, plugin, or version of WordPress core.

Scans Your Website Twice a Day for Vulnerabilities

Your website’s plugins, themes, and WordPress core versions are checked against the Patchstack Vulnerability Database for the latest vulnerability disclosures.

Automatically Updates if a Security Fix is Available

Paired with Version Management, iThemes Security will automatically update a plugin, theme, or WordPress core version if it has a vulnerability.

Emails You a Warning if Site Scan Detects a Vulnerability

You can receive an email report if your site is running vulnerable versions of a plugin, theme, or WordPress core. Customize the email addresses that receive scan results.

The Best WordPress Security Plugin to Secure & Protect WordPress Sites

WordPress currently powers over 40% of all websites, so it has become a popular target for hackers with malicious intent. The iThemes Security Pro plugin takes the guesswork out of WordPress security to make it easy to secure & protect your WordPress website. It’s like having a full-time security expert on staff who constantly monitors and protects your WordPress site for you.

Buy iThemes Security Pro

Dan Knauss

Dan Knauss is StellarWP’s Technical Content Generalist. He’s been a writer, teacher, and freelancer working in open source since the late 1990s and with WordPress since 2004.