This week, 160 vulnerabilities may affect over 8 million WordPress sites. There are 68 plugin vulnerabilities with security patches available, so run those updates if you use these plugins! Additionally, there are 92 plugin vulnerabilities with no patch available yet. At least eight of these have been closed and dropped from the wordpress.org plugin directory so far. If you are using any unpatched plugins or themes, check their vendors’ intentions and progress on a security release. If no patch is forthcoming or the vulnerable plugin or theme has been closed, you should consider deactivation and removal in favor of alternative solutions.
For reference, these reports are published every Wednesday and include all active vulnerabilities tracked by Patchstack as of Monday since the previous report. This leaves a 48-hour window for the newest emerging vulnerabilities to be patched before full public disclosure. iThemes Security Pro users have access to vulnerability alerts emerging within this window.
WordPress core is very secure when it’s properly configured and maintained. Vulnerable plugins that have not been updated by site owners are the most common vector for attacks on WordPress websites. Our weekly WordPress Vulnerability Report, powered by Patchstack, covers new WordPress plugin, theme, and core vulnerabilities that have emerged since last week’s report. Our goal is to spread awareness of emerging security threats and help you decide what to do if you are using vulnerable software on your website. For a deeper analysis of recent trends in WordPress vulnerabilities and threat vectors, see our 2022 Annual Vulnerability Report.
WordPress Core News
WordPress 6.2 is the first major release of 2023, with over 900 enhancements and fixes. You’ll notice a reimagined Site Editor, blocks get even better, and new tools and improvements in WordPress 6.2. As always, with a major release like this, ensure your site is backed up with BackupBuddy before updating.
If your WordPress sites have enabled automatic background updates, they should have upgraded to 6.2 automatically. You can download WordPress 6.2 from WordPress.org, or visit your WordPress Dashboard, click “Updates,” and then click the “Update Now” button, which will appear when any core updates are available. For more information, check out the version 6.2 HelpHub documentation page.
Get the weekly WordPress Vulnerability Report delivered to your inbox each Wednesday.
WordPress Plugin Vulnerabilities with Patches
In this section, you’ll find the most recently disclosed WordPress plugin vulnerabilities that have been fixed with a new release from their authors and maintainers. Please apply the updates if you are affected!
These vulnerabilities have been disclosed and scored for their severity, thanks to our friends at Patchstack. Each plugin listing includes the type of vulnerability with its CVE number and CVSS severity rating with links to more technical details. You’ll also see the number of active sites using the plugin and the plugin version release that patches the vulnerability. We start with the most popular plugins, which represent the largest target for attackers.
Elementor
- Plugin Slug
- elementor
- Installations
- 5,000,000+
- Vulnerability
- SQL Injection
- Patched in Version
- 3.12.2
- Severity Score
- Medium
Autoptimize
- Plugin Slug
- autoptimize
- Installations
- 1,000,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 3.1.7
- Severity Score
- Medium
Limit Login Attempts
- Plugin Slug
- limit-login-attempts
- Installations
- 600,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 1.7.2
- Severity Score
- Medium
CMP – Coming Soon & Maintenance
- Plugin Slug
- cmp-coming-soon-maintenance
- Installations
- 200,000+
- Vulnerability
- Bypass Vulnerability
- Patched in Version
- 4.1.8
- Severity Score
- Medium
Photo Gallery by 10Web
- Plugin Slug
- photo-gallery
- Installations
- 200,000+
- Vulnerability
- Directory Traversal
- Patched in Version
- 1.8.15
- Severity Score
- Medium
Photo Gallery by 10Web
- Plugin Slug
- photo-gallery
- Installations
- 200,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 1.8.3
- Severity Score
- Medium
Blocksy Companion
- Plugin Slug
- blocksy-companion
- Installations
- 100,000+
- Vulnerability
- Sensitive Data Exposure
- Patched in Version
- 1.8.82
- Severity Score
- Medium
Essential Blocks
- Plugin Slug
- essential-blocks
- Installations
- 80,000+
- Vulnerability
- Broken Access Control
- Patched in Version
- 4.0.7
- Severity Score
- Medium
Ninja Tables – Best Data Table Plugin for WordPress
- Plugin Slug
- ninja-tables
- Installations
- 80,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 4.3.5
- Severity Score
- Medium
Ninja Tables – Best Data Table Plugin for WordPress
- Plugin Slug
- ninja-tables
- Installations
- 80,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- 4.3.5
- Severity Score
- Medium
Stream
- Plugin Slug
- stream
- Installations
- 80,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- 3.9.3
- Severity Score
- Medium
CMS Tree Page View
- Plugin Slug
- cms-tree-page-view
- Installations
- 70,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 1.6.8
- Severity Score
- High
TaxoPress
- Plugin Slug
- simple-tags
- Installations
- 70,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 3.6.5
- Severity Score
- Medium
OoohBoi Steroids for Elementor
- Plugin Slug
- ooohboi-steroids-for-elementor
- Installations
- 60,000+
- Vulnerability
- Broken Access Control
- Patched in Version
- 2.1.5
- Severity Score
- Medium
PowerPress Podcasting plugin by Blubrry
- Plugin Slug
- powerpress
- Installations
- 50,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 10.0.2
- Severity Score
- Medium
Visual CSS Style Editor
- Plugin Slug
- yellow-pencil-visual-theme-customizer
- Installations
- 50,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 7.5.9
- Severity Score
- Medium
Jetpack CRM
- Plugin Slug
- zero-bs-crm
- Installations
- 40,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- 5.4.0
- Severity Score
- Medium
miniOrange’s Google Authenticator
- Plugin Slug
- miniorange-2-factor-authentication
- Installations
- 20,000+
- Vulnerability
- Broken Access Control
- Patched in Version
- 5.6.6
- Severity Score
- High
Donation Forms by Charitable
- Plugin Slug
- charitable
- Installations
- 10,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 1.7.0.11
- Severity Score
- High
Helpie FAQ
- Plugin Slug
- helpie-faq
- Installations
- 10,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 1.9.7
- Severity Score
- High
Image Optimizer by 10web
- Plugin Slug
- image-optimizer-wd
- Installations
- 10,000+
- Vulnerability
- Directory Traversal
- Patched in Version
- 1.0.26
- Severity Score
- Medium
Kaya QR Code Generator
- Plugin Slug
- kaya-qr-code-generator
- Installations
- 10,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 1.5.3
- Severity Score
- Medium
Ultimate Addons for Contact Form 7
- Plugin Slug
- ultimate-addons-for-contact-form-7
- Installations
- 10,000+
- Vulnerability
- SQL Injection
- Patched in Version
- 3.1.24
- Severity Score
- High
YML for Yandex Market
- Plugin Slug
- yml-for-yandex-market
- Installations
- 10,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 3.10.8
- Severity Score
- High
WP Original Media Path
- Plugin Slug
- wp-original-media-path
- Installations
- 9,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 2.4.1
- Severity Score
- Medium
LearnPress Export Import
- Plugin Slug
- learnpress-import-export
- Installations
- 8,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 4.0.3
- Severity Score
- High
Integration for Contact Form 7 HubSpot
- Plugin Slug
- cf7-hubspot
- Installations
- 7,000+
- Vulnerability
- Open Redirection
- Patched in Version
- 1.2.9
- Severity Score
- Medium
Category Specific RSS feed Subscription
- Plugin Slug
- category-specific-rss-feed-menu
- Installations
- 6,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- v2.3
- Severity Score
- Medium
Captcha Them All
- Plugin Slug
- captcha-them-all
- Installations
- 5,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 1.4
- Severity Score
- Medium
Live Chat by Formilla
- Plugin Slug
- formilla-live-chat
- Installations
- 5,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 1.3.1
- Severity Score
- Medium
Album Gallery – WordPress Gallery
- Plugin Slug
- new-album-gallery
- Installations
- 5,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- 1.5.0
- Severity Score
- Medium
Tablesome
- Plugin Slug
- tablesome
- Installations
- 5,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 1.0.9
- Severity Score
- High
XML for Google Merchant Center
- Plugin Slug
- xml-for-google-merchant-center
- Installations
- 5,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 3.0.2
- Severity Score
- High
ChatBot
- Plugin Slug
- chatbot
- Installations
- 4,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 4.4.9
- Severity Score
- Medium
ChatBot
- Plugin Slug
- chatbot
- Installations
- 4,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 4.4.9
- Severity Score
- High
ChatBot
- Plugin Slug
- chatbot
- Installations
- 4,000+
- Vulnerability
- PHP Object Injection
- Patched in Version
- 4.4.7
- Severity Score
- Medium
ChatBot
- Plugin Slug
- chatbot
- Installations
- 4,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 4.4.5
- Severity Score
- High
Vimeotheque
- Plugin Slug
- codeflavors-vimeo-video-post-lite
- Installations
- 4,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 2.2.2
- Severity Score
- High
WooCommerce Easy Duplicate Product
- Plugin Slug
- woo-easy-duplicate-product
- Installations
- 4,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 0.3.0.1
- Severity Score
- High
Thumbnail carousel slider
- Plugin Slug
- wp-responsive-thumbnail-slider
- Installations
- 4,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 1.1.10
- Severity Score
- High
WPJAM Basic
- Plugin Slug
- wpjam-basic
- Installations
- 4,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 6.2.1.1
- Severity Score
- Medium
File Gallery
- Plugin Slug
- file-gallery
- Installations
- 3,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 1.8.5.4
- Severity Score
- Medium
WP-FormAssembly
- Plugin Slug
- formassembly-web-forms
- Installations
- 3,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 2.0.8
- Severity Score
- Medium
Robokassa payment gateway for Woocommerce
- Plugin Slug
- robokassa
- Installations
- 3,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 1.4.6
- Severity Score
- Medium
Recipe Maker For Your Food Blog from Zip Recipes
- Plugin Slug
- zip-recipes
- Installations
- 3,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 8.0.7
- Severity Score
- High
Locatoraid Store Locator
- Plugin Slug
- locatoraid
- Installations
- 2,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 3.9.15
- Severity Score
- Medium
WP Custom Author URL
- Plugin Slug
- wp-custom-author-url
- Installations
- 2,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 1.0.5
- Severity Score
- Medium
WP Inventory Manager
- Plugin Slug
- wp-inventory-manager
- Installations
- 2,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 2.1.0.12
- Severity Score
- High
BSK Forms Blacklist
- Plugin Slug
- bsk-gravityforms-blacklist
- Installations
- 1,000+
- Vulnerability
- SQL Injection
- Patched in Version
- 3.6.3
- Severity Score
- High
Church Admin
- Plugin Slug
- church-admin
- Installations
- 1,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 3.7.6
- Severity Score
- High
Contact Form to DB by BestWebSoft
- Plugin Slug
- contact-form-to-db
- Installations
- 1,000+
- Vulnerability
- SQL Injection
- Patched in Version
- 1.7.1
- Severity Score
- High
Contact Form to DB
- Plugin Slug
- contact-form-to-db
- Installations
- 1,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 1.7.1
- Severity Score
- Medium
Extensions for Leaflet Map
- Plugin Slug
- extensions-leaflet-map
- Installations
- 1,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 3.4.2
- Severity Score
- High
Modal Dialog
- Plugin Slug
- modal-dialog
- Installations
- 1,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 3.5.15
- Severity Score
- High
Query Wrangler
- Plugin Slug
- query-wrangler
- Installations
- 1,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 1.5.52
- Severity Score
- High
Shortcode to display post and user data
- Plugin Slug
- shortcode-to-display-post-and-user-data
- Installations
- 1,000+
- Vulnerability
- Broken Access Control
- Patched in Version
- 1.2.1
- Severity Score
- Medium
Stock Exporter for WooCommerce
- Plugin Slug
- stock-exporter-for-woocommerce
- Installations
- 1,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 1.2.0
- Severity Score
- High
Stock Sync for WooCommerce
- Plugin Slug
- stock-sync-for-woocommerce
- Installations
- 1,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 2.4.1
- Severity Score
- High
Video Grid
- Plugin Slug
- video-grid
- Installations
- 1,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 1.22
- Severity Score
- High
WP Docs
- Plugin Slug
- wp-docs
- Installations
- 1,000+
- Vulnerability
- Broken Access Control
- Patched in Version
- 1.9.9
- Severity Score
- Medium
Panorama
- Plugin Slug
- project-panorama-lite
- Installations
- 900+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 1.5.1
- Severity Score
- Medium
Formilla Chat and Marketing Automation
- Plugin Slug
- formilla-chat-and-marketing
- Installations
- 100+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 1.1
- Severity Score
- Medium
Formilla Edge
- Plugin Slug
- formilla-edge
- Installations
- 90+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 1.1
- Severity Score
- Medium
ChatBot
- Plugin Slug
- xatkit-chatbot-connector
- Installations
- 10+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 4.5.1
- Severity Score
- Medium
Form Block
- Plugin Slug
- form-block
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- 1.0.2
- Severity Score
- Medium
Google Analytics Top Content Widget
- Plugin
- Google Analytics Top Content Widget
- Plugin Slug
- google-analytics-top-posts-widget
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 1.5.6
- Severity Score
- High
Ruby Help Desk
- Plugin Slug
- ruby-help-desk
- Vulnerability
- Insecure Direct Object References (IDOR)
- Patched in Version
- 1.3.4
- Severity Score
- Medium
WP Cerber Security
- Plugin
- WP Cerber Security
- Plugin Slug
- wp-cerber
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 9.2
- Severity Score
- High
WordPress Plugin Vulnerabilities – No Known Fix
This section contains plugin vulnerabilities with no known fix. Until a patch is available, you are advised to deactivate the plugin, at minimum, immediately. If there is a high risk of active exploits or the plugin remains unpatched for weeks, you are advised to delete the plugin. You should also delete persistently unpatched plugins the WordPress.org repository has locked and marked “Closed” so they can no longer be downloaded and installed.
Yet Another Related Posts Plugin (YARPP)
- Plugin Slug
- yet-another-related-posts-plugin
- Installations
- 100,000+
- Vulnerability
- Local File Inclusion
- Patched in Version
- No Fix
- Severity Score
- High
Simple Share Buttons Adder
- Plugin Slug
- simple-share-buttons-adder
- Installations
- 80,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
Themify Portfolio Post
- Plugin Slug
- themify-portfolio-post
- Installations
- 50,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
GDPR Compliance & Cookie Consent
- Plugin Slug
- gdpr-compliance-cookie-consent
- Installations
- 20,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
ShopEngine
- Plugin Slug
- shopengine
- Installations
- 20,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
Pearl
- Plugin Slug
- pearl-header-builder
- Installations
- 10,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
ReviewX – Multi-criteria Rating & Reviews for WooCommerce
- Plugin Slug
- reviewx
- Installations
- 10,000+
- Vulnerability
- SQL Injection
- Patched in Version
- No Fix
- Severity Score
- High
Simple Tooltips
- Plugin Slug
- simple-tooltips
- Installations
- 10,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
Smart WooCommerce Search
- Plugin Slug
- smart-woocommerce-search
- Installations
- 10,000+
- Vulnerability
- Broken Access Control
- Patched in Version
- No Fix
- Severity Score
- Medium
WP Page Numbers
- Plugin Slug
- wp-page-numbers
- Installations
- 10,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
I Recommend This
- Plugin Slug
- i-recommend-this
- Installations
- 9,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
Motors
- Plugin Slug
- motors-car-dealership-classified-listings
- Installations
- 9,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
Redirect After Login
- Plugin Slug
- redirect-after-login
- Installations
- 9,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
SparkPost
- Plugin Slug
- sparkpost
- Installations
- 9,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
White Label Branding for Elementor Page Builder
- Plugin Slug
- white-label-branding-elementor
- Installations
- 9,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
Arconix Shortcodes
- Plugin Slug
- arconix-shortcodes
- Installations
- 8,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
Rating-Widget: Star Review System
- Plugin Slug
- rating-widget
- Installations
- 8,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
BBSpoiler
- Plugin Slug
- bbspoiler
- Installations
- 7,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
Mail Subscribe List
- Plugin Slug
- mail-subscribe-list
- Installations
- 7,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
SiteAlert
- Plugin Slug
- my-wp-health-check
- Installations
- 7,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
Social Share Boost
- Plugin Slug
- social-share-boost
- Installations
- 6,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
FormCraft
- Plugin Slug
- formcraft-form-builder
- Installations
- 5,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
WP-dTree
- Plugin Slug
- wp-dtree-30
- Installations
- 5,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
WP Links Page
- Plugin Slug
- wp-links-page
- Installations
- 5,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
BadgeOS
- Plugin Slug
- badgeos
- Installations
- 4,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
Booking calendar, Appointment Booking System
- Plugin Slug
- booking-calendar
- Installations
- 4,000+
- Vulnerability
- SQL Injection
- Patched in Version
- No Fix
- Severity Score
- Medium
Email posts to subscribers
- Plugin Slug
- email-posts-to-subscribers
- Installations
- 4,000+
- Vulnerability
- SQL Injection
- Patched in Version
- No Fix
- Severity Score
- High
Layer Slider
- Plugin Slug
- slider-slideshow
- Installations
- 4,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- High
Zendesk Support for WordPress
- Plugin Slug
- zendesk
- Installations
- 4,000+
- Vulnerability
- Broken Access Control
- Patched in Version
- No Fix
- Severity Score
- Medium
Button Builder – Buttons X
- Plugin Slug
- buttons-x
- Installations
- 3,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
Subscribers
- Plugin Slug
- subscribers-com
- Installations
- 3,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
Uji Popup
- Plugin Slug
- uji-popup
- Installations
- 3,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
Update Image Tag Alt Attribute
- Plugin Slug
- update-alt-attribute
- Installations
- 3,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- High
WCP Contact Form
- Plugin Slug
- wcp-contact-form
- Installations
- 3,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- High
WP BrowserUpdate
- Plugin Slug
- wp-browser-update
- Installations
- 3,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
WP BrowserUpdate
- Plugin Slug
- wp-browser-update
- Installations
- 3,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
ARMember
- Plugin Slug
- armember-membership
- Installations
- 2,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- High
Progress Bar
- Plugin Slug
- progress-bar
- Installations
- 2,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
PropertyHive
- Plugin Slug
- propertyhive
- Installations
- 2,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- High
Updraft
- Plugin Slug
- updraft
- Installations
- 2,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- High
Advanced Category Template
- Plugin Slug
- advanced-category-template
- Installations
- 1,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- High
Continuous announcement scroller
- Plugin Slug
- continuous-announcement-scroller
- Installations
- 1,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
Easy Slider Revolution
- Plugin Slug
- easy-slider-revolution
- Installations
- 1,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
Ebook Store
- Plugin Slug
- ebook-store
- Installations
- 1,000+
- Vulnerability
- Broken Authentication
- Patched in Version
- No Fix
- Severity Score
- High
Ebook Store
- Plugin Slug
- ebook-store
- Installations
- 1,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
Gallery Metabox
- Plugin Slug
- gallery-metabox
- Installations
- 1,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
Simple Giveaways
- Plugin Slug
- giveasap
- Installations
- 1,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
Inactive User Deleter
- Plugin Slug
- inactive-user-deleter
- Installations
- 1,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
Kodex Posts likes
- Plugin Slug
- kodex-posts-likes
- Installations
- 1,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
Verified Reviews (Avis Vérifiés)
- Plugin Slug
- netreviews
- Installations
- 1,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
Accessibility Suite by Online ADA
- Plugin Slug
- online-accessibility
- Installations
- 1,000+
- Vulnerability
- SQL Injection
- Patched in Version
- No Fix
- Severity Score
- Medium
Premmerce
- Plugin Slug
- premmerce
- Installations
- 1,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
The School Management
- Plugin Slug
- school-management-system
- Installations
- 1,000+
- Vulnerability
- SQL Injection
- Patched in Version
- No Fix
- Severity Score
- Medium
Shortcode IMDB
- Plugin Slug
- shortcode-imdb
- Installations
- 1,000+
- Vulnerability
- SQL Injection
- Patched in Version
- No Fix
- Severity Score
- Medium
Tippy
- Plugin Slug
- tippy
- Installations
- 1,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
Video XML Sitemap Generator
- Plugin Slug
- video-xml-sitemap-generator
- Installations
- 1,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
Yatra
- Plugin Slug
- yatra
- Installations
- 1,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
Semalt Blocker
- Plugin Slug
- semalt
- Installations
- 900+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
Woocommerce Products Designer by ORION
- Plugin Slug
- woocommerce-products-designer
- Installations
- 900+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
ApexChat
- Plugin Slug
- apexchat
- Installations
- 600+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
eRocket
- Plugin Slug
- erocket
- Installations
- 600+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
Flyzoo Chat
- Plugin Slug
- flyzoo
- Installations
- 600+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
Cab Grid
- Plugin Slug
- cab-grid
- Installations
- 300+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
Clock In Portal
- Plugin Slug
- clock-in-portal
- Installations
- 300+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
Clock In Portal
- Plugin Slug
- clock-in-portal
- Installations
- 300+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
Clock In Portal
- Plugin Slug
- clock-in-portal
- Installations
- 300+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
GPS Plotter
- Plugin Slug
- gps-plotter
- Installations
- 200+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
Woocommerce Tip/Donation
- Plugin Slug
- woo-tipdonation
- Installations
- 200+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
Dynamically Register Sidebars
- Plugin Slug
- dynamically-register-sidebars
- Installations
- 100+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
Easy Bet
- Plugin Slug
- easy-bet
- Installations
- 100+
- Vulnerability
- SQL Injection
- Patched in Version
- No Fix
- Severity Score
- Medium
Logo Scheduler
- Plugin Slug
- logo-scheduler-great-for-holidays-events-and-more
- Installations
- 100+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
Woocommerce Email Report
- Plugin Slug
- wooemailreport
- Installations
- 100+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- High
Pickup | Delivery | Dine-in date time
- Plugin Slug
- restaurant-pickup-delivery-dine-in
- Installations
- 70+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
Advanced Youtube Channel Pagination
- Plugin Slug
- advanced-youtube-channel-pagination
- Installations
- 60+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- High
hiWeb Migration Simple
- Plugin Slug
- hiweb-migration-simple
- Installations
- 20+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- High
UserPlus
- Plugin Slug
- userplus
- Installations
- 10+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- High
Chronosly Events Calendar
- Plugin
- Chronosly Events Calendar
- Plugin Slug
- chronosly-events-calendar
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
Cloud Manager
- Plugin
- Cloud Manager
- Plugin Slug
- cloud-manager
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- High
CRM Memberships
- Plugin Slug
- crm-memberships
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
Dave’s WordPress Live Search
- Plugin
- Dave’s WordPress Live Search
- Plugin Slug
- daves-wordpress-live-search
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
Decon WP SMS
- Plugin Slug
- decon-wp-sms
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
Easy Ad Manager
- Plugin Slug
- easy-ad-manager
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
EZP Maintenance Mode
- Plugin
- EZP Maintenance Mode
- Plugin Slug
- easy-pie-maintenance-mode
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
Forms Ada
- Plugin Slug
- forms-ada-form-builder
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- High
Login Page Styler
- Plugin
- Login Page Styler
- Plugin Slug
- login-page-styler
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
NS Coupon to Become Customer
- Plugin Slug
- ns-coupon-to-become-customer
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
Reservation.Studio widget
- Plugin Slug
- reservation-studio-widget
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
Sloth Logo Customizer
- Plugin Slug
- sloth-logo-customizer
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
vSlider Multi Image Slider for WordPress
- Plugin
- vSlider Multi Image Slider for WordPress
- Plugin Slug
- vslider
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
WP Login Box
- Plugin
- WP Login Box
- Plugin Slug
- wp-login-box
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
ZM Ajax Login & Register
- Plugin
- ZM Ajax Login & Register
- Plugin Slug
- zm-ajax-login-register
- Vulnerability
- Bypass Vulnerability
- Patched in Version
- No Fix
- Severity Score
- Critical
ZM Ajax Login & Register
- Plugin
- ZM Ajax Login & Register
- Plugin Slug
- zm-ajax-login-register
- Vulnerability
- Broken Authentication
- Patched in Version
- No Fix
- Severity Score
- Critical
WordPress Theme Vulnerabilities
In this section, you’ll find the latest WordPress theme vulnerabilities to be disclosed. You’ll see the same information provided above for vulnerable plugins, and the same advice applies. If a security update exists, install it immediately. If a vulnerability remains unpatched in a theme you are actively using, you will need to find an alternative theme. Deactivate and delete persistently unpatched themes and those that have been “Closed” in the WordPress.org theme repository. If you have a vulnerable theme installed that you are not actively using, simply delete it.

Dan Knauss is StellarWP’s Technical Content Generalist. He’s been a writer, teacher, and freelancer working in open source since the late 1990s and with WordPress since 2004.