WordPress Vulnerability Report - April 5, 2023

This week, the total number of patched and unpatched vulnerabilities is low but still may affect five million+ WordPress sites. There are 55 plugin vulnerabilities and two themes with security patches available, so run those updates if you use these plugins! Additionally, there are 18 plugin vulnerabilities with no patch available yet. At least three of these have been closed and dropped from the wordpress.org plugin directory so far. If you are using any unpatched plugins or themes, check their vendors’ intentions and progress on a security release. If no patch is forthcoming or the vulnerable plugin or theme has been closed, you should consider deactivation and removal in favor of alternative solutions.

No new WordPress core vulnerabilities were disclosed this week.

WordPress core is very secure when it’s properly configured and maintained. Vulnerable plugins that have not been updated by site owners are the most common vector for attacks on WordPress websites. Our weekly WordPress Vulnerability Report, powered by Patchstack, covers new WordPress plugin, theme, and core vulnerabilities that have emerged since last week’s report. Our goal is to spread awareness of emerging security threats and help you decide what to do if you are using vulnerable software on your website. For a deeper analysis of recent trends in WordPress vulnerabilities and threat vectors, see our 2022 Annual Vulnerability Report.

WordPress Core News

WordPress 6.2 is the first major release of 2023, with over 900 enhancements and fixes. You’ll notice a reimagined Site Editor, blocks get even better, and new tools and improvements in WordPress 6.2. As always, with a major release like this, ensure your site is backed up with BackupBuddy before updating.

If your WordPress sites have enabled automatic background updates, they should have upgraded to 6.2 automatically. You can download WordPress 6.2 from WordPress.org, or visit your WordPress Dashboard, click “Updates,” and then click the “Update Now” button, which will appear when any core updates are available. For more information, check out the version 6.2 HelpHub documentation page.

Get the weekly WordPress Vulnerability Report delivered to your inbox each Wednesday.

WordPress Plugin Vulnerabilities with Patches

In this section, you’ll find the most recently disclosed WordPress plugin vulnerabilities that have been fixed with a new release from their authors and maintainers. Please apply the updates if you are affected!

These vulnerabilities have been disclosed and scored for their severity thanks to our friends at Patchstack. Each plugin listing includes the type of vulnerability with its CVE number and CVSS severity rating with links to more technical details. You’ll also see the number of active sites using the plugin and the plugin version release that patches the vulnerability. We start with the most popular plugins, which represent the largest target for attackers.

Advanced Custom Fields

Plugin Slug: advanced-custom-fields
Installations: 2,000,000+
Vulnerability: PHP Object Injection
Patched in Version: 6.1.0
Severity Score: High

The vulnerability has been patched, so you should update to version 6.1.0.

Custom Post Type UI

Plugin Slug: custom-post-type-ui
Installations: 1,000,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.13.5
Severity Score: Medium

The vulnerability has been patched, so you should update to version 1.13.5.

WPCode

Plugin Slug: insert-headers-and-footers
Installations: 1,000,000+
Vulnerability: Cross-Site Request Forgery (CSRF)
Patched in Version: 2.0.9
Severity Score: Medium

The vulnerability has been patched, so you should update to version 2.0.9.

Happy Addons for Elementor

Plugin Slug: happy-elementor-addons
Installations: 300,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 3.8.3
Severity Score: Medium

The vulnerability has been patched, so you should update to version 3.8.3.

Plugin Slug: newsletter
Installations: 300,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 7.6.9
Severity Score: High

The vulnerability has been patched, so you should update to version 7.6.9.

Slimstat Analytics

Plugin Slug: wp-slimstat
Installations: 100,000+
Vulnerability: SQL Injection
Patched in Version: 4.9.3.4
Severity Score: High

The vulnerability has been patched, so you should update to version 4.9.3.4.

WC Fields Factory

Plugin: WC Fields Factory
Plugin Slug: wc-fields-factory
Vulnerability: SQL Injection
Patched in Version: 4.1.6
Severity Score: High

The vulnerability has been patched, so you should update to version 4.1.6.

Enhanced WP Contact Form

Plugin: Enhanced WP Contact Form
Plugin Slug: enhanced-wordpress-contactform
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.3
Severity Score: Medium

The vulnerability has been patched, so you should update to version 2.3.

AJAX Search Pro

Plugin: Ajax Search Pro
Plugin Slug: ajax-search-pro
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 4.26.2
Severity Score: Medium

The vulnerability has been patched, so you should update to version 4.26.2.

AJAX Search Lite

Plugin Slug: ajax-search-lite
Installations: 70,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 4.11.1
Severity Score: Medium

The vulnerability has been patched, so you should update to version 4.11.1.

Simple Author Box

Plugin Slug: simple-author-box
Installations: 60,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 2.51
Severity Score: Medium

The vulnerability has been patched, so you should update to version 2.51.

Advanced Shipment Tracking for WooCommerce

Plugin Slug: woo-advanced-shipment-tracking
Installations: 60,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 3.5.3
Severity Score: Medium

The vulnerability has been patched, so you should update to version 3.5.3.

Maps Widget for Google Maps

Plugin Slug: google-maps-widget
Installations: 50,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 4.24
Severity Score: Medium

The vulnerability has been patched, so you should update to version 4.24.

Popup Anything

Plugin Slug: popup-anything-on-click
Installations: 50,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 2.2.2
Severity Score: Medium

The vulnerability has been patched, so you should update to version 2.2.2.

Feed Them Social

Plugin Slug: feed-them-social
Installations: 40,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 4.0.8
Severity Score: Medium

The vulnerability has been patched, so you should update to version 4.0.8.

Gallery by BestWebSoft

Plugin Slug: gallery-plugin
Installations: 20,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 4.7.0
Severity Score: Medium

The vulnerability has been patched, so you should update to version 4.7.0.

WP Meta SEO

Plugin Slug: wp-meta-seo
Installations: 20,000+
Vulnerability: Deserialization of untrusted data
Patched in Version: 4.5.5
Severity Score: Medium

The vulnerability has been patched, so you should update to version 4.5.5.

Direct checkout, Add to cart redirect for WooCommerce

Plugin Slug: add-to-cart-direct-checkout-for-woocommerce
Installations: 10,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.1.49
Severity Score: Medium

The vulnerability has been patched, so you should update to version 2.1.49.

Affiliates Manager

Plugin Slug: affiliates-manager
Installations: 10,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 2.9.21
Severity Score: Medium

The vulnerability has been patched, so you should update to version 2.9.21.

MasterStudy LMS

Plugin Slug: masterstudy-lms-learning-management-system
Installations: 10,000+
Vulnerability: Broken Access Control
Patched in Version: 2.9.35
Severity Score: Medium

The vulnerability has been patched, so you should update to version 2.9.35.

WP Ultimate Review

Plugin Slug: wp-ultimate-review
Installations: 10,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 2.1.0
Severity Score: Medium

The vulnerability has been patched, so you should update to version 2.1.0.

WP Ultimate Review

Plugin Slug: wp-ultimate-review
Installations: 10,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.1.0
Severity Score: Medium

The vulnerability has been patched, so you should update to version 2.1.0.

WP VR

Plugin Slug: wpvr
Installations: 10,000+
Vulnerability: Broken Access Control
Patched in Version: 8.3.0
Severity Score: Medium

The vulnerability has been patched, so you should update to version 8.3.0.

Zippy

Plugin Slug: zippy
Installations: 10,000+
Vulnerability: Sensitive Data Exposure
Patched in Version: 1.6.2
Severity Score: Medium

The vulnerability has been patched, so you should update to version 1.6.2.

Magic Post Thumbnail

Plugin Slug: magic-post-thumbnail
Installations: 9,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 4.1.11
Severity Score: High

The vulnerability has been patched, so you should update to version 4.1.11.

WP EasyCart

Plugin Slug: wp-easycart
Installations: 6,000+
Vulnerability: Local File Inclusion
Patched in Version: 5.4.3
Severity Score: High

The vulnerability has been patched, so you should update to version 5.4.3.

WPMobile.App

Plugin Slug: wpappninja
Installations: 6,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 11.21
Severity Score: Medium

The vulnerability has been patched, so you should update to version 11.21.

Configurable Tag Cloud

Plugin Slug: configurable-tag-cloud-widget
Installations: 5,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 5.3
Severity Score: Medium

The vulnerability has been patched, so you should update to version 5.3.

TF Random Numbers

Plugin Slug: tf-numbers-number-counter-animaton
Installations: 5,000+
Vulnerability: Broken Access Control
Patched in Version: 2.0.1
Severity Score: Medium

The vulnerability has been patched, so you should update to version 2.0.1.

Advanced Local Pickup for WooCommerce

Plugin Slug: advanced-local-pickup-for-woocommerce
Installations: 4,000+
Vulnerability: Other Vulnerability Type
Patched in Version: 1.5.3
Severity Score: Medium

The vulnerability has been patched, so you should update to version 1.5.3.

ChatBot

Plugin Slug: chatbot
Installations: 4,000+
Vulnerability: Broken Access Control
Patched in Version: 4.4.8
Severity Score: Medium

The vulnerability has been patched, so you should update to version 4.4.8.

Sp*tify Play Button

Plugin Slug: spotify-play-button-for-wordpress
Installations: 4,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.08
Severity Score: Medium

The vulnerability has been patched, so you should update to version 2.08.

Trending/Popular Post Slider and Widget

Plugin Slug: wp-trending-post-slider-and-widget
Installations: 4,000+
Vulnerability: Broken Access Control
Patched in Version: 1.5.8
Severity Score: Medium

The vulnerability has been patched, so you should update to version 1.5.8.

Full Width Banner Slider

Plugin Slug: full-width-responsive-slider-wp
Installations: 3,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.1.8
Severity Score: High

The vulnerability has been patched, so you should update to version 1.1.8.

Quick Paypal Payments

Plugin Slug: quick-paypal-payments
Installations: 3,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 5.7.26.4
Severity Score: Medium

The vulnerability has been patched, so you should update to version 5.7.26.4.

Coupon Affiliates

Plugin Slug: woo-coupon-usage
Installations: 3,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 5.4.4
Severity Score: High

The vulnerability has been patched, so you should update to version 5.4.4.

PropertyHive

Plugin Slug: propertyhive
Installations: 2,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.5.47
Severity Score: High

The vulnerability has been patched, so you should update to version 1.5.47.

Affiliate Toolkit

Plugin Slug: affiliate-toolkit-starter
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.3.4
Severity Score: Medium

The vulnerability has been patched, so you should update to version 3.3.4.

Albo Pretorio On line

Plugin Slug: albo-pretorio-on-line
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 4.6.2
Severity Score: High

The vulnerability has been patched, so you should update to version 4.6.2.

Conditional Extra Fees for WooCommerce

Plugin Slug: conditional-extra-fees-for-woocommerce
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.0.97
Severity Score: Medium

The vulnerability has been patched, so you should update to version 1.0.97.

Product Enquiry for WooCommerce

Plugin Slug: enquiry-quotation-for-woocommerce
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.2.13
Severity Score: Medium

The vulnerability has been patched, so you should update to version 2.2.13.

Order Date and Time for WooCommerce

Plugin Slug: pi-woocommerce-order-date-time-and-type
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.0.20
Severity Score: Medium

The vulnerability has been patched, so you should update to version 3.0.20.

Product Page Shipping Calculator for WooCommerce

Plugin Slug: product-page-shipping-calculator-for-woocommerce
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.3.21
Severity Score: Medium

The vulnerability has been patched, so you should update to version 1.3.21.

WishSuite – Wishlist for WooCommerce

Plugin Slug: wishsuite
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.3.4
Severity Score: Medium

The vulnerability has been patched, so you should update to version 1.3.4.

CopySafe Web Protection

Plugin Slug: wp-copysafe-web
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.14
Severity Score: High

The vulnerability has been patched, so you should update to version 3.14.

SMTP Mailing Queue

Plugin Slug: smtp-mailing-queue
Installations: 900+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.0.0
Severity Score: Medium

The vulnerability has been patched, so you should update to version 2.0.0.

HT Builder

Plugin Slug: ht-builder
Installations: 500+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.3.0
Severity Score: Medium

The vulnerability has been patched, so you should update to version 1.3.0.

Mobile Banner

Plugin Slug: mobile-banner
Installations: 100+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.6
Severity Score: Medium

The vulnerability has been patched, so you should update to version 1.6.

Easy Quiz Maker

Plugin Slug: n-media-wp-simple-quiz
Installations: 100+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.0
Severity Score: High

The vulnerability has been patched, so you should update to version 2.0.

Welcome Bar

Plugin Slug: intelly-welcome-bar
Installations: 30+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 2.0.4
Severity Score: Medium

The vulnerability has been patched, so you should update to version 2.0.4.

Welcome Bar

Plugin Slug: intelly-welcome-bar
Installations: 30+
Vulnerability: Broken Access Control
Patched in Version: 2.0.4
Severity Score: Medium

The vulnerability has been patched, so you should update to version 2.0.4.

Add User Role

Plugin: Add User Role
Plugin Slug: add-user-role
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.6.7
Severity Score: High

The vulnerability has been patched, so you should update to version 1.6.7.

HappyFiles Pro

Plugin: HappyFiles Pro
Plugin Slug: happyfiles-pro
Vulnerability: Arbitrary File Deletion
Patched in Version: 1.8.2
Severity Score: High

The vulnerability has been patched, so you should update to version 1.8.2.

HappyFiles Pro

Plugin: HappyFiles Pro
Plugin Slug: happyfiles-pro
Vulnerability: Broken Access Control
Patched in Version: 1.8.2
Severity Score: Medium

The vulnerability has been patched, so you should update to version 1.8.2.

Image Over Image For WPBakery Page Builder

Plugin: Image Over Image For WPBakery Page Builder
Plugin Slug: image-over-image-vc-extension
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.0
Severity Score: Medium

The vulnerability has been patched, so you should update to version 3.0.

WordPress Plugin Vulnerabilities – No Known Fix

This section contains plugin vulnerabilities with no known fix. Until a patch is available, you are advised to deactivate the plugin, at minimum, immediately. If there is a high risk of active exploits or the plugin remains unpatched for weeks, you are advised to delete the plugin. You should also delete persistently unpatched plugins the WordPress.org repository has locked and marked “Closed” so they can no longer be downloaded and installed.

WC Fields Factory

Plugin: WC Fields Factory
Plugin Slug: wc-fields-factory
Vulnerability: SQL Injection
Patched in Version: No Fix
Severity Score: High

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.