WordPress Vulnerability Report – September 6, 2023

Since last week, 95 total vulnerabilities emerged in public disclosure. They may affect over two million WordPress sites. There are 32 plugin vulnerabilities with security patches, so run those updates!

Additionally, there are 60 plugin vulnerabilities and three theme vulnerabilities with no patch available yet. If you use an unpatched plugin or theme, check their vendors’ intentions and progress on a security release. Suppose no patch is forthcoming or the vulnerable software has been marked “closed” and dropped from the official WordPress theme and plugin repositories. In that case, you should consider deactivation and removal in favor of alternative solutions.

FREE ONLINE TRAINING EVENT SEPT 6TH @ 1:00 P.M. (CT)

Discover essential best practices for safeguarding your WordPress website through proactive security measures. Join WordPress security expert Thomas Raef as he explains the art and science of WordPress security, focusing on three key dimensions: hosting, WordPress configurations, and user management. You’ll also learn how Solid Security equips users with tools that diminish hacking risks, focusing on safeguarding plugins, themes, and user accounts.

WordPress Core News

“Lionel” was released on August 8, 2023. This release of WordPress was built to help you “create beautiful and compelling websites more efficiently than ever.” See what’s new in WordPress 6.3.

Don’t forget to fully back up your website before installing WordPress 6.3. BackupBuddy, the industry-leading data protection and recovery solution for WordPress, will help you build a strong backup strategy to manage all updates. Embrace the enhanced content creation experience of WordPress 6.3 with confidence — and a backup copy of your website safely stored on a remote server.

WordPress Core Vulnerabilities — Patched

No new WordPress core vulnerabilities were disclosed this week.

WordPress core is very secure when it’s properly configured and maintained. Vulnerable plugins not updated by site owners are the most common vector for attacks on WordPress websites. Our weekly WordPress Vulnerability Report, powered by Patchstack, covers new vulnerabilities that have emerged in plugins, themes, and/or WordPress core since last week’s report. Our goal is to spread awareness of emerging security threats and help you decide what to do if you find vulnerable software on your website. For a deeper analysis of recent trends in WordPress vulnerabilities and threat vectors, see our 2022 Annual Vulnerability Report.

These reports are published every Wednesday and include all active vulnerabilities tracked by Patchstack as of Monday since the previous report. This leaves a 48-hour window for the newest emerging vulnerabilities to be patched before full public disclosure. iThemes Security Pro users have access to vulnerability alerts emerging within this window.

Get the weekly WordPress Vulnerability Report delivered to your inbox each Wednesday.

WordPress Plugin Vulnerabilities — Patched

In this section, you’ll find the most recently disclosed WordPress plugin vulnerabilities fixed with a new release from their authors and maintainers. Please apply the updates if you are affected!

These vulnerabilities have been disclosed and scored for their severity, thanks to our friends at Patchstack. Each plugin listing includes the type of vulnerability with its CVE number and CVSS severity rating with links to more technical details. You’ll also see the number of active sites using the plugin and the plugin version release that patches the vulnerability. We start with the most popular plugins, representing the largest target for attackers.

GTranslate

Plugin: Translate WordPress with GTranslate
Plugin Slug: gtranslate
Installations: 500,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.0.4
Severity Score: Medium

Forminator

Plugin: Forminator – Contact Form, Payment Form & Custom Form Builder
Plugin Slug: forminator
Installations: 400,000+
Vulnerability: Arbitrary File Upload
Patched in Version: 1.25.0
Severity Score: Critical
CVE: 2023-4596

Metform Elementor Contact Form Builder

Plugin: Metform Elementor Contact Form Builder
Plugin Slug: metform
Installations: 200,000+
Vulnerability: Sensitive Data Exposure
Patched in Version: 3.3.2
Severity Score: Medium
CVE: 2023-0689

Social Media & Share Icons

Plugin: Social Media Share Buttons & Social Sharing Icons
Plugin Slug: ultimate-social-media-icons
Installations: 200,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.8.4
Severity Score: High
CVE: 2023-41238

GiveWP

Plugin: GiveWP – Donation Plugin and Fundraising Platform
Plugin Slug: give
Installations: 100,000+
Vulnerability: Privilege Escalation
Patched in Version: 2.33.1
Severity Score: High
CVE: 2023-41665

UserFeedback Lite

Plugin: User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds
Plugin Slug: userfeedback-lite
Installations: 100,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.0.8
Severity Score: High
CVE: 2023-39308

Slimstat Analytics

Plugin: Slimstat Analytics
Plugin Slug: wp-slimstat
Installations: 100,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 5.0.10
Severity Score: Medium
CVE: 2023-4597

Email Encoder

Plugin: Email Encoder – Protect Email Addresses and Phone Numbers
Plugin Slug: email-encoder-bundle
Installations: 80,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.1.8
Severity Score: Medium
CVE: 2023-4599

Folders

Plugin: Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager
Plugin Slug: folders
Installations: 60,000+
Vulnerability: Arbitrary File Upload
Patched in Version: 2.9.3
Severity Score: Critical
CVE: 2023-40204

Popup Box

Plugin: Popup box
Plugin Slug: ays-popup-box
Installations: 20,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.7.2
Severity Score: Medium

GS Logo Slider

Plugin: Logo Slider – Logo Showcase, Logo Carousel, Logo Gallery and Client Logo Presentation
Plugin Slug: gs-logo-slider
Installations: 20,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 3.4.3
Severity Score: Medium
CVE: 2022-47150

WP Project Manager

Plugin: WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts
Plugin Slug: wedevs-project-manager
Installations: 10,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 2.6.1
Severity Score: Medium
CVE: 2022-47150

WP Project Manager

Plugin: WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts
Plugin Slug: wedevs-project-manager
Installations: 10,000+
Vulnerability: SQL Injection
Patched in Version: 2.6.1
Severity Score: High
CVE: 2023-34383

WP Super Minify

Plugin: WP Super Minify
Plugin Slug: wp-super-minify
Installations: 10,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.6
Severity Score: Medium
CVE: 2023-27615

Post to Google My Business (Google Business Profile)

Plugin: Post to Google My Business (Google Business Profile)
Plugin Slug: post-to-google-my-business
Installations: 9,000+
Vulnerability: Broken Access Control
Patched in Version: 3.1.15
Severity Score: Medium
CVE: 2023-41689

SureCart

Plugin: WordPress Ecommerce For Creating Fast Online Stores – By SureCart
Plugin Slug: surecart
Installations: 8,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.5.1
Severity Score: Medium
CVE: 2023-41241

HollerBox

Plugin: Fast & Effective Popups & Lead-Generation for WordPress – HollerBox
Plugin Slug: holler-box
Installations: 5,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.3.3
Severity Score: Medium
CVE: 2023-41657

Order Tracking Pro

Plugin: Order Tracking – WordPress Status Tracking Plugin
Plugin Slug: order-tracking
Installations: 4,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.3.7
Severity Score: Medium
CVE: 2023-4500

Order Tracking Pro

Plugin: Order Tracking – WordPress Status Tracking Plugin
Plugin Slug: order-tracking
Installations: 4,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.3.7
Severity Score: High
CVE: 2023-4471

Leyka

Plugin: Leyka
Plugin Slug: leyka
Installations: 2,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.30.3
Severity Score: Medium
CVE: 2023-2995

WP Search Analytics

Plugin: WP Search Analytics
Plugin Slug: search-analytics
Installations: 2,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.4.8
Severity Score: High
CVE: 2023-30471

Sitekit

Plugin: Sitekit
Plugin Slug: sitekit
Installations: 2,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.4
Severity Score: Medium
CVE: 2023-27628

Prevent files / folders access

Plugin: Prevent files / folders access
Plugin Slug: prevent-file-access
Installations: 1,000+
Vulnerability: Arbitrary File Upload
Patched in Version: 2.5.2
Severity Score: High
CVE: 2023-4238

WP Pipes

Plugin: WP Pipes
Plugin Slug: wp-pipes
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.4.1
Severity Score: Medium
CVE: 2023-40009

Photo Gallery Slideshow & Masonry Tiled Gallery

Plugin: Photo Gallery Slideshow & Masonry Tiled Gallery
Plugin Slug: wp-responsive-photo-gallery
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.0.14
Severity Score: High
CVE: 2023-41658

RSVPMaker

Plugin: RSVPMaker
Plugin Slug: rsvpmaker
Installations: 400+
Vulnerability: SQL Injection
Patched in Version: 10.6.7
Severity Score: High
CVE: 2023-41652

AffiliateWP

Plugin: AffiliateWP
Plugin Slug: affiliatewp
Vulnerability: Broken Access Control
Patched in Version: 2.14.1
Severity Score: Medium
CVE: 2023-4600

All-in-One WP Migration Box Extension

Plugin: All-in-One WP Migration Box Extension
Plugin Slug: all-in-one-wp-migration-box-extension
Vulnerability: Broken Access Control
Patched in Version: 1.54
Severity Score: High
CVE: 2023-40004

All-in-One WP Migration Dropbox Extension

Plugin: All-in-One WP Migration Dropbox Extension
Plugin Slug: all-in-one-wp-migration-dropbox-extension
Vulnerability: Broken Access Control
Patched in Version: 3.76
Severity Score: High
CVE: 2023-40004

All-in-One WP Migration Google Drive Extension

Plugin: All-in-One WP Migration Google Drive Extension
Plugin Slug: all-in-one-wp-migration-gdrive-extension
Vulnerability: Broken Access Control
Patched in Version: 2.80
Severity Score: High
CVE: 2023-40004

All-in-One WP Migration OneDrive Extension

Plugin: All-in-One WP Migration OneDrive Extension
Plugin Slug: all-in-one-wp-migration-onedrive-extension
Vulnerability: Broken Access Control
Patched in Version: 1.67
Severity Score: High
CVE: 2023-40004

Happy Elementor Addons Pro

Plugin: Happy Elementor Addons Pro
Plugin Slug: happy-elementor-addons-pro
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.8.1
Severity Score: High
CVE: 2023-41236

WordPress Plugin Vulnerabilities — Unpatched

This section contains plugin vulnerabilities with no known fix. Until a patch is available, you are advised to deactivate the plugin, at minimum, immediately. If there is a high risk of active exploits or the plugin remains unpatched for weeks, you are advised to delete the plugin. You should also delete persistently unpatched plugins the WordPress.org repository has locked and marked “Closed” so they can no longer be downloaded and installed.

PowerPress Podcasting plugin by Blubrry

Plugin: PowerPress Podcasting plugin by Blubrry
Plugin Slug: powerpress
Installations: 40,000+
Vulnerability: Server Side Request Forgery (SSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-41239

WooCommerce Conversion Tracking

Plugin: WooCommerce Conversion Tracking
Plugin Slug: woocommerce-conversion-tracking
Installations: 40,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2022-47150

Ultimate Addons for Contact Form 7

Plugin: Ultimate Addons for Contact Form 7
Plugin Slug: ultimate-addons-for-contact-form-7
Installations: 20,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-30493

Directorist

Plugin: Directorist – WordPress Business Directory Plugin with Classified Ads Listings
Plugin Slug: directorist
Installations: 10,000+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2022-47150

Export Import Menus

Plugin: Export Import Menus
Plugin Slug: export-import-menus
Installations: 10,000+
Vulnerability: Arbitrary File Upload
Patched in Version: No Fix
Severity Score: Critical
CVE: 2023-34385

Legal Pages

Plugin: Legal Pages – Privacy Policy, Terms & Conditions, GDPR, CCPA, and Cookie Notice Generator
Plugin Slug: legal-pages
Installations: 10,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2022-47150

URL Shortener by MyThemeShop

Plugin: URL Shortener by MyThemeShop
Plugin Slug: mts-url-shortener
Installations: 10,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-30472

Texty

Plugin: Texty – SMS Notification for WordPress, WooCommerce, Dokan and more
Plugin Slug: texty
Installations: 10,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2022-47150

weMail

Plugin: weMail – Email Marketing, Newsletter, Optin Forms, Subscribers WordPress Plugin
Plugin Slug: wemail
Installations: 10,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2022-47150

Better Elementor Addons

Plugin: Better Elementor Addons
Plugin Slug: better-elementor-addons
Installations: 7,000+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-41656

Easy Coming Soon

Plugin: Easy Coming Soon
Plugin Slug: easy-coming-soon
Installations: 7,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-25483

Login and Logout Redirect

Plugin: Login and Logout Redirect
Plugin Slug: login-and-logout-redirect
Installations: 7,000+
Vulnerability: Open Redirection
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-41648

authLdap

Plugin: authLdap
Plugin Slug: authldap
Installations: 6,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-41655

authLdap

Plugin: authLdap
Plugin Slug: authldap
Installations: 6,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-41654

LuckyWP Scripts Control

Plugin: LuckyWP Scripts Control
Plugin Slug: luckywp-scripts-control
Installations: 6,000+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-29239

Multi-column Tag Map

Plugin: Multi-column Tag Map
Plugin Slug: multi-column-tag-map
Installations: 6,000+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-41651

Responsive Gallery Grid

Plugin: Responsive Gallery Grid
Plugin Slug: responsive-gallery-grid
Installations: 6,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-41659

Social Share Boost

Plugin: Social Share Boost
Plugin Slug: social-share-boost
Installations: 6,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-25033

Unlimited Elementor Inner Sections By BoomDevs

Plugin: Unlimited Elementor Inner Sections By BoomDevs
Plugin Slug: unlimited-elementor-inner-sections-by-boomdevs
Installations: 6,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2022-47150

weDocs – Knowledgebase and Documentation Plugin for WordPress

Plugin: weDocs – Knowledgebase and Documentation Plugin for WordPress
Plugin Slug: wedocs
Installations: 6,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2022-47150

MakeStories (for Google Web Stories)

Plugin: MakeStories (for Google Web Stories)
Plugin Slug: makestories-helper
Installations: 5,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-27448

MyCryptoCheckout

Plugin: MyCryptoCheckout – Bitcoin, Ethereum, and 100+ altcoins for WooCommerce
Plugin Slug: mycryptocheckout
Installations: 5,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-41693

Remove/hide Author, Date, Category Like Entry-Meta

Plugin: Remove/hide Author, Date, Category Like Entry-Meta
Plugin Slug: removehide-author-date-category-like-entry-meta
Installations: 5,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-41650

Surfer

Plugin: Surfer – WordPress Plugin
Plugin Slug: surferseo
Installations: 5,000+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: High
CVE: 2023-35037

Leadster

Plugin: Leadster
Plugin Slug: leadster-marketing-conversacional
Installations: 4,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-41668

Ovic Product Bundle

Plugin: Ovic Product Bundle
Plugin Slug: ovic-product-bundle
Installations: 4,000+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-41649

Pricing Deals for WooCommercePricing Deals for WooCommerce

Plugin: Pricing Deals for WooCommerce
Plugin Slug: pricing-deals-for-woocommerce
Installations: 4,000+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-41240

WP users media

Plugin: WP Users Media
Plugin Slug: wp-users-media
Installations: 4,000+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-27428

Migration Plugin DB & Files – WP Synchro

Plugin: WP Synchro – WordPress Migration Plugin for Database & Files
Plugin Slug: wpsynchro
Installations: 4,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-41660

Live News

Plugin: Live News
Plugin Slug: live-news-lite
Installations: 3,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-41669

Realbig

Plugin: Realbig For WordPress
Plugin Slug: realbig-media
Installations: 3,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-41694

TelSender

Plugin: TelSender – ?ontact form 7, Events, Wpforms and wooccommerce to telegram bot
Plugin Slug: telsender
Installations: 3,000+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-41683

WooCommerce PensoPay

Plugin: WooCommerce PensoPay
Plugin Slug: woo-pensopay
Installations: 3,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-41691

Hide admin notices – Admin Notification Center

Plugin: Hide admin notices – Admin Notification Center
Plugin Slug: wp-admin-notification-center
Installations: 2,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-41672

WRC Pricing Tables

Plugin: WRC Pricing Tables – WordPress Responsive CSS3 Pricing Tables
Plugin Slug: wrc-pricing-tables
Installations: 2,000+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-32293

Bulk NoIndex & NoFollow Toolkit

Plugin: Bulk NoIndex & NoFollow Toolkit
Plugin Slug: bulk-noindex-nofollow-toolkit-by-mad-fish
Installations: 1,000+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-41688

Exclusive Team for Elementor

Plugin: Exclusive Team for Elementor
Plugin Slug: exclusive-team-for-elementor
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2022-47150

Goods Catalog

Plugin: Goods Catalog
Plugin Slug: goods-catalog
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-41687

Olive One Click Demo Import

Plugin: Olive One Click Demo Import
Plugin Slug: olive-one-click-demo-import
Installations: 1,000+
Vulnerability: Arbitrary File Upload
Patched in Version: No Fix
Severity Score: Critical
CVE: 2023-29102

Stock Quotes List

Plugin: Stock Quotes List
Plugin Slug: stock-quotes-list
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-41666

Product Category Showcase for WooCommerce

Plugin: Product Category Showcase for WooCommerce
Plugin Slug: wc-category-showcase
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2022-47150

WiserNotify Social Proof

Plugin: WiserNotify Social Proof & FOMO Notification, WooCommerce Sales Popup, Review Popups, Notification Bars & Urgency Widgets
Plugin Slug: wiser-notify
Installations: 1,000+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-41690

WP Bannerize Pro

Plugin: WP Bannerize Pro
Plugin Slug: wp-bannerize-pro
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-41663

Tilda Publishing

Plugin: Tilda Publishing
Plugin Slug: tilda-publishing
Installations: 900+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-31234

Easy Newsletter Signups

Plugin: Easy Newsletter Signups
Plugin Slug: easy-newsletter-signups
Installations: 800+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-41664

Snap Pixel

Plugin: Snap Pixel
Plugin Slug: snap-pixel
Installations: 800+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-41242

Woocommerce Support System

Plugin: Woocommerce Support System
Plugin Slug: wc-support-system
Installations: 300+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-41686

Woocommerce Support System

Plugin: Woocommerce Support System
Plugin Slug: wc-support-system
Installations: 300+
Vulnerability: SQL Injection
Patched in Version: No Fix
Severity Score: High
CVE: 2023-41685

Localize Remote Images

Plugin: Localize Remote Images
Plugin Slug: localize-remote-images
Installations: 10+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-41244

Bridge Core

Plugin: Bridge Core
Plugin Slug: bridge-core
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-40333

WordPress CTA

Plugin: WordPress CTA
Plugin Slug: easy-sticky-sidebar
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2022-47150

Font Awesome 4 Menus

Plugin: Font Awesome 4 Menus
Plugin Slug: font-awesome-4-menus
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-4718

GuruWalk Affiliates

Plugin: GuruWalk Affiliates
Plugin Slug: guruwalk-affiliates
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-27622

Maintenance Switch

Plugin: Maintenance Switch
Plugin Slug: maintenance-switch
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-29235

Sermon’e – Sermons Online

Plugin: Sermon’e – Sermons Online
Plugin Slug: sermone-online-sermons-management
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-41653

SIS Handball

Plugin: SIS Handball
Plugin Slug: sis-handball
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-41684

Smarty for WordPress

Plugin: Smarty for WordPress
Plugin Slug: smarty-for-wordpress
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-41661

Use Memcached

Plugin: Use Memcached
Plugin Slug: use-memcached
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-41670

WP-dTree

Plugin: WP-dTree
Plugin Slug: wp-dtree-30
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-41667

WP-dTree

Plugin: WP-dTree
Plugin Slug: wp-dtree-30
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-41662

WordPress Theme Vulnerabilities

In this section, you’ll find the latest WordPress theme vulnerabilities to be disclosed. You’ll see the same information we provided above for vulnerable plugins, and the same advice applies. If a security update exists, install it immediately. If a vulnerability remains unpatched in a theme you are actively using, you must find an alternative theme. Deactivate and delete persistently unpatched themes and those marked “Closed” in the WordPress.org theme repository. If you have a vulnerable theme installed that you are not actively using, delete it.

Attorney

Theme: Attorney
Theme Slug: attorney
Downloads: 51,489
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-41692

Arya Multipurpose Pro

Theme: Arya Multipurpose Pro
Theme Slug: arya-multipurpose-pro
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-41237

Everest News Pro

Theme: Everest News Pro
Theme Slug: everest-news-pro
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-41235

Never worry about running a vulnerable plugin or theme again.

As you can see from this report, new WordPress plugin and theme vulnerabilities are disclosed every week. We know it can be difficult to stay on top of every reported vulnerability disclosure that matters to you, so the Themes Security Pro plugin makes it easy to ensure your site isn’t running a vulnerable theme, plugin, or version of WordPress core.

Scans Your Website Twice a Day for Vulnerabilities

Your website’s plugins, themes, and WordPress core versions are checked against the Patchstack Vulnerability Database for the latest vulnerability disclosures.

Automatically Updates if a Security Fix is Available

Paired with Version Management, iThemes Security will automatically update a plugin, theme, or WordPress core version if it has a vulnerability.

Emails You a Warning if Site Scan Detects a Vulnerability

You can receive an email report if your site is running vulnerable versions of a plugin, theme, or WordPress core. Customize the email addresses that receive scan results.

The Best WordPress Security Plugin to Secure & Protect WordPress Sites

WordPress currently powers over 40% of all websites, so it has become a popular target for hackers with malicious intent. The iThemes Security Pro plugin takes the guesswork out of WordPress security to make it easy to secure & protect your WordPress website. It’s like having a full-time security expert on staff who constantly monitors and protects your WordPress site for you.

Buy iThemes Security Pro

Dan Knauss

Dan Knauss is StellarWP’s Technical Content Generalist. He’s been a writer, teacher, and freelancer working in open source since the late 1990s and with WordPress since 2004.

WordPress Vulnerability Report – September 6, 2023

FREE ONLINE TRAINING EVENT SEPT 6TH @ 1:00 P.M. (CT)

WordPress Core News

WordPress Core Vulnerabilities — Patched

WordPress Plugin Vulnerabilities — Patched

WordPress Plugin Vulnerabilities — Unpatched

WordPress Theme Vulnerabilities

Never worry about running a vulnerable plugin or theme again.

Scans Your Website Twice a Day for Vulnerabilities

Automatically Updates if a Security Fix is Available

Emails You a Warning if Site Scan Detects a Vulnerability

The Best WordPress Security Plugin to Secure & Protect WordPress Sites

Other related posts

About iThemes

Resources

Customers

Top Products

Get the Weekly WordPress Vulnerability Report

Vulnerable WordPress plugins and themes are the #1 reason WordPress sites get hacked, but keeping track of every new plugin and theme vulnerability is hard work. Get the weekly WordPress Vulnerability Report delivered right to your inbox to help keep your website secure.

Get the Weekly WordPress Vulnerability Report