Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. The weekly WordPress Vulnerability Report powered by WPScan covers recent WordPress plugin, theme, and core vulnerabilities, and what to do if you run one of the vulnerable plugins or themes on your website.
Each vulnerability will have a severity rating of low, medium, high, or critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe. Please share this post with your friends to help get the word out and make WordPress safer for everyone!
WordPress Core Vulnerabilities
WordPress 5.9.3 was released on April 5, 2022, as a short-cycle maintenance release with 19 bug fixes. Because this is a core update, be sure to update to WordPress 5.9.3 as soon as possible.
WordPress Plugin Vulnerabilities
This section lists the latest disclosed WordPress plugin vulnerabilities. Each plugin listing includes the type of vulnerability, the number of active installations, the version number in which it was patched, and the severity rating.
| Plugin | Installations | Vulnerability | Patched in Version | Severity Score |
| --- | --- | --- | --- | --- |
| All In One WP Security & Firewall | 1,000,000+ | Authenticated Arbitrary Redirect / Reflected XSS | 4.4.11 | Low |
| SiteGround Security | 400,000+ | Authentication Bypass via 2-FA Authentication Setup; Authorization Weakness to Authentication Bypass via 2-FA Back-up Codes | 1.2.6 | Critical |
| Photo Gallery by 10Web – Mobile-Friendly Image Gallery | 300,000+ | Unauthenticated SQL Injection; Reflected Cross-Site Scripting | 1.6.3 | High |
| HubSpot – CRM, Email Marketing, Live Chat, Forms & Analytics | 200,000+ | Contributor+ Blind SSRF | 8.8.15 | Medium |
| Import and export users and customers | 70,000+ | Admin+ Stored Cross-Site Scripting | 1.19.2.1 | Low |
| Visual Form Builder | 60,000+ | Entries Deletion/Restoration via CSRF; Admin+ Stored Cross-Site Scripting | 3.0.8 | Medium |
| AdRotate – Ad manager & AdSense Ads | 40,000+ | Admin+ XSS via Advert Name; Admin+ XSS via Group Name | 5.8.23 | Low |
| Content Egg | 30,000+ | Reflected Cross-Site Scripting | 5.3.0 | Medium |
| Ad Invalid Click Protector (AICP) | 20,000+ | Reflected Cross-Site Scripting; Arbitrary Ban Deletion via CSRF | 1.2.7 | Medium |
| Sitemap by click5 | 7,000+ | Unauthenticated Arbitrary Options Update | 1.0.36 | Critical |
| Import WP – Import and Export WordPress data to XML or CSV files | 1,000+ | Admin+ Arbitrary File Upload to RCE | 2.4.6 | Medium |
| Wbcom Designs – BuddyPress Activity Filter | 1,000+ | Subscriber+ Arbitrary Plugin Installation, Activation and Deactivation | 2.8.0 | High |
| Multiple Shipping Address Woocommerce | 900+ | Unauthenticated SQLi | 2.0 | High |
| Wbcom Designs – BuddyPress Member Reviews | 800+ | Subscriber+ Arbitrary Plugin Installation, Activation and Deactivation | 2.7.0 | High |
| Wbcom Designs – Private Community for BuddyPress | 700+ | Subscriber+ Arbitrary Plugin Installation, Activation and Deactivation | 1.7.0 | High |
| SiteSuperCharger | 300+ | Unauthenticated SQLi | 5.2.0 | High |
| Fast Flow | 200+ | Reflected Cross-Site Scripting | 1.2.11 | Medium |
| Wbcom Designs – BuddyPress Hashtags | Not listed | Subscriber+ Arbitrary Plugin Installation, Activation and Deactivation | 2.7.0 | High |
| Wbcom Designs – BuddyPress Check-ins Pro | Not listed | Subscriber+ Arbitrary Plugin Installation, Activation and Deactivation | 1.4.0 | High |
| Wbcom Designs – BuddyPress Sticky Post | Not listed | Subscriber+ Arbitrary Plugin Installation, Activation and Deactivation | 1.9.9 | High |
WordPress Plugin Vulnerabilities – No Known Fix
This section contains plugin vulnerabilities with no known fix. Until a patch is available, immediately uninstall and delete the plugin.
| Plugin | Installations | Vulnerability | Patched in Version | Severity Score |
| --- | --- | --- | --- | --- |
| Wbcom Designs – BuddyPress Ads | 80+ | Subscriber+ Arbitrary Plugin Installation, Activation and Deactivation | No Fix | High |
| Advanced Page Visit Counter – Most Advanced WordPress Visit Counter Plugin | Not listed | Unauthenticated Stored Cross-Site Scripting | No Fix | High |
| Documentor – Create Product Documentation | Not listed | Unauthenticated SQLi | No Fix | High |
| Event List | Not listed | Admin+ Stored Cross-Site Scripting | No Fix | Low |
| Tipsacarrier | Not listed | Unauthenticated SQLi; Unauthenticated Orders Disclosure | No Fix | High |
| Wbcom Designs – BuddyPress Activity Social Share | Not listed | Subscriber+ Arbitrary Plugin Installation, Activation and Deactivation | No Fix | High |
| Wbcom Designs – BuddyPress Create Group Type | Not listed | Subscriber+ Arbitrary Plugin Installation, Activation and Deactivation | No Fix | High |
| Wbcom Designs – BuddyPress Group Reviews | Not listed | Subscriber+ Arbitrary Plugin Installation, Activation and Deactivation | No Fix | High |
| Wbcom Designs – BuddyPress Job Manager | Not listed | Subscriber+ Arbitrary Plugin Installation, Activation and Deactivation | No Fix | High |
| Wbcom Designs – BuddyPress Search | Not listed | Subscriber+ Arbitrary Plugin Installation, Activation and Deactivation | No Fix | High |
| Wbcom Designs – BuddyPress Todo List | Not listed | Subscriber+ Arbitrary Plugin Installation, Activation and Deactivation | No Fix | High |
| Wbcom Designs – Check-ins for BuddyPress Activity | Not listed | Subscriber+ Arbitrary Plugin Installation, Activation and Deactivation | No Fix | High |
| Wbcom Designs – Custom Email Options | Not listed | Subscriber+ Arbitrary Plugin Installation, Activation and Deactivation | No Fix | High |
| Wbcom Designs – Custom Font Uploader | Not listed | Subscriber+ Arbitrary Plugin Installation, Activation and Deactivation | No Fix | High |
| Wbcom Designs – Woo Audio Preview | Not listed | Subscriber+ Arbitrary Plugin Installation, Activation and Deactivation | No Fix | High |
| Wbcom Designs – Woo Document Preview | Not listed | Subscriber+ Arbitrary Plugin Installation, Activation and Deactivation | No Fix | High |
| Wbcom Designs – WordPress System Log | Not listed | Subscriber+ Arbitrary Plugin Installation, Activation and Deactivation | No Fix | High |
WordPress Theme Vulnerabilities
This section lists the latest disclosed WordPress theme vulnerabilities. Each theme listing includes the type of vulnerability, the number of active installations, the version number in which it was patched, and the severity rating.
Never worry about running a vulnerable plugin or theme again.
As you can see from this report, lots of new WordPress plugin and theme vulnerabilities are disclosed each week. We know it can be difficult to stay on top of every reported vulnerability disclosure, so the iThemes Security Pro plugin makes it easy to make sure your site isn’t running a theme, plugin, or WordPress core version with a known vulnerability.
Michael Moore
Each week, Michael puts together the WordPress Vulnerability Report to help keep your sites safe. As Product Manager at iThemes, he helps us continue to improve the iThemes product lineup. He’s a giant nerd & loves learning about all things tech, old & new. You can find Michael hanging out with his wife & daughter, reading or listening to music when not working.