Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. The weekly WordPress Vulnerability Report powered by WPScan covers recent WordPress plugin, theme, and core vulnerabilities and what to do if you run one of the vulnerable plugins or themes on your website.
In the past, we’ve listed vulnerabilities on a per-plugin or per-theme basis. To better describe the vulnerabilities listed, we’re now adding additional listings when a plugin has patched multiple vulnerabilities. While this makes the report somewhat longer, we feel that more information will help you understand the full scope of the vulnerabilities that have been patched so that you can more effectively make good decisions about your site’s security. We welcome your feedback!
Each vulnerability will have a severity rating of low, medium, high, or critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe. Please share this post with your friends to help get the word out and make WordPress safer for everyone!
WordPress Core News
WordPress 6.1.1 was released on November 15, 2022, as a short-cycle maintenance release with 29 bug fixes in Core and 21 bug fixes for the block editor. Because this is a core update, be sure to update to WordPress 6.1.1 as soon as possible! As always, with a major release like this, it makes sense to ensure your site is backed up with BackupBuddy before updating.
There is a known unpatched vulnerability in WordPress core affecting all versions of WordPress. If you’re using iThemes Security, you’ve probably been alerted to this. As we are unsure when this very low-severity vulnerability will be patched, emails from iThemes Security will no longer alert for this specific vulnerability. Read our blog post about this vulnerability.
Get the weekly WordPress Vulnerability Report delivered to your inbox each Wednesday.
WordPress Plugin Vulnerabilities
In this section, the latest WordPress plugin vulnerabilities have been disclosed. Each plugin listing includes the type of vulnerability, the active installations, the version number if patched, the severity rating, and the CVE.
Spectra
- Plugin Slug
- ultimate-addons-for-gutenberg
- Installations
- 400,000+
- Vulnerability
- Contributor+ Stored Cross-Side Scripting
- Patched in Version
- 1.15.0
- Severity Score
- Medium
LearnPress Plugin
- Plugin Slug
- learnpress
- Installations
- 100,000+
- Vulnerability
- Unauthenticated LFI
- Patched in Version
- 4.2.0
- Severity Score
- Critical
LearnPress Plugin
- Plugin Slug
- learnpress
- Installations
- 100,000+
- Vulnerability
- Subscriber+ SQLi
- Patched in Version
- 4.2.0
- Severity Score
- High
LearnPress Plugin
- Plugin Slug
- learnpress
- Installations
- 100,000+
- Vulnerability
- Unauthenticated SQLi
- Patched in Version
- 4.2.0
- Severity Score
- High
Paid Memberships Pro
- Plugin Slug
- paid-memberships-pro
- Installations
- 100,000+
- Vulnerability
- Contributor+ Stored XSS via Shortcode
- Patched in Version
- 2.9.9
- Severity Score
- Medium
ShopLentor
- Plugin Slug
- woolentor-addons
- Installations
- 90,000+
- Vulnerability
- PHP Object Injection
- Patched in Version
- 2.5.4
- Severity Score
- Medium
ShopLentor
- Plugin Slug
- woolentor-addons
- Installations
- 90,000+
- Vulnerability
- Contributor+ Stored XSS
- Patched in Version
- 2.5.4
- Severity Score
- Medium
Real Media Library
- Plugin Slug
- real-media-library-lite
- Installations
- 60,000+
- Vulnerability
- Author+ Stored XSS
- Patched in Version
- 4.18.29
- Severity Score
- Medium
Easy Digital Downloads
- Plugin Slug
- easy-digital-downloads
- Installations
- 50,000+
- Vulnerability
- Contributor+ Stored XSS
- Patched in Version
- 3.1.0.5
- Severity Score
- Medium
Customer Reviews for WooCommerce
- Plugin Slug
- customer-reviews-woocommerce
- Installations
- 50,000+
- Vulnerability
- Contributor+ Stored XSS
- Patched in Version
- 5.17.0
- Severity Score
- Medium
Easy Affiliate Links
- Plugin Slug
- easy-affiliate-links
- Installations
- 10,000+
- Vulnerability
- Contributor+ Stored XSS
- Patched in Version
- 3.7.1
- Severity Score
- Medium
WP Font Awesome
- Plugin Slug
- wp-font-awesome
- Installations
- 10,000+
- Vulnerability
- Contributor+ Stored XSS
- Patched in Version
- 1.7.9
- Severity Score
- Medium
Product Slider and Carousel with Category for WooCommerce
- Plugin Slug
- woo-product-slider-and-carousel-with-category
- Installations
- 10,000+
- Vulnerability
- Contributor+ Stored XSS via Shortcode
- Patched in Version
- 2.8
- Severity Score
- Medium
WP Dark Mode
- Plugin Slug
- wp-dark-mode
- Installations
- 10,000+
- Vulnerability
- Contributor+ Stored XSS in Shortcode
- Patched in Version
- 4.0.0
- Severity Score
- Medium
Greenshift
- Plugin Slug
- greenshift-animation-and-page-builder-blocks
- Installations
- 10,000+
- Vulnerability
- Contributor+ Stored XSS
- Patched in Version
- 5.0
- Severity Score
- Medium
Youzify
- Plugin Slug
- youzify
- Installations
- 9,000+
- Vulnerability
- Contributor+ Stored XSS
- Patched in Version
- 1.2.2
- Severity Score
- Medium
Timed Content
- Plugin Slug
- timed-content
- Installations
- 8,000+
- Vulnerability
- Contributor+ Stored XSS
- Patched in Version
- 2.73
- Severity Score
- Medium
Extensive VC Addons for WPBakery page builder
- Plugin Slug
- extensive-vc-addon
- Installations
- 8,000+
- Vulnerability
- Unauthenticated LFI
- Patched in Version
- 1.9.1
- Severity Score
- High
Watu Quiz
- Plugin Slug
- watu
- Installations
- 5,000+
- Vulnerability
- Admin+ Stored XSS
- Patched in Version
- 3.3.8.3
- Severity Score
- Low
Watu Quiz
- Plugin Slug
- watu
- Installations
- 5,000+
- Vulnerability
- Reflected XSS
- Patched in Version
- 3.3.8.2
- Severity Score
- High
EmbedSocial
- Plugin Slug
- embedalbum-pro
- Installations
- 4,000+
- Vulnerability
- Contributor+ Stored XSS
- Patched in Version
- 1.1.28
- Severity Score
- Medium
GS Portfolio for Envato
- Plugin Slug
- gs-envato-portfolio
- Installations
- 900+
- Vulnerability
- Contributor+ Stored XSS
- Patched in Version
- 1.4.0
- Severity Score
- Medium
Shortcode for Font Awesome
- Plugin Slug
- shortcode-for-font-awesome
- Installations
- 700+
- Vulnerability
- Contributor+ Stored XSS
- Patched in Version
- 1.4.1
- Severity Score
- Medium
EmbedStories
- Plugin Slug
- embedstories
- Installations
- 600+
- Vulnerability
- Contributor+ Stored XSS
- Patched in Version
- 0.7.5
- Severity Score
- Medium
Loan Comparison
- Plugin Slug
- loan-comparison
- Installations
- 500+
- Vulnerability
- Reflected XSS via shortcode
- Patched in Version
- 1.5.3
- Severity Score
- Medium
Loan Comparison
- Plugin Slug
- loan-comparison
- Installations
- 500+
- Vulnerability
- Contributor+ Stored XSS via shortcode
- Patched in Version
- 1.5.3
- Severity Score
- Medium
GS Products Slider for WooCommerce
- Plugin Slug
- gs-woocommerce-products-slider
- Installations
- 400+
- Vulnerability
- Contributor+ Stored XSS
- Patched in Version
- 1.5.9
- Severity Score
- Medium
GS Filterable Portfolio
- Plugin Slug
- gs-portfolio
- Installations
- 400+
- Vulnerability
- Contributor+ Stored XSS
- Patched in Version
- 1.6.1
- Severity Score
- Medium
GS Books Showcase
- Plugin Slug
- gs-books-showcase
- Installations
- 400+
- Vulnerability
- Contributor+ Stored XSS
- Patched in Version
- 1.3.1
- Severity Score
- Medium
PrivateContent
- Plugin Slug
- private-content
- Vulnerability
- Brute Force Protection Bypass
- Patched in Version
- 8.4.4
- Severity Score
- Medium
BackupBuddy
- Plugin
- BackupBuddy
- Plugin Slug
- backupbuddy
- Vulnerability
- Multiple Reflected Cross-Site Scripting
- Patched in Version
- 8.8.3
- Severity Score
- High
WP Private Message
- Plugin
- WP Private Message
- Plugin Slug
- wp-private-message
- Vulnerability
- Private Message Disclosure via IDOR
- Patched in Version
- 1.0.6
- Severity Score
- Medium
Quick Restaurant Menu
- Plugin Slug
- quick-restaurant-menu
- Vulnerability
- Menu Items Update via CSRF
- Patched in Version
- 2.1.0
- Severity Score
- Medium
Quick Restaurant Menu
- Plugin Slug
- quick-restaurant-menu
- Vulnerability
- Admin+ Stored XSS
- Patched in Version
- 2.1.0
- Severity Score
- Low
Quick Restaurant Menu
- Plugin Slug
- quick-restaurant-menu
- Vulnerability
- Subscriber+ Arbitrary Post Deletion/Updating
- Patched in Version
- 2.1.0
- Severity Score
- Medium
ContentStudio
- Plugin Slug
- contentstudio
- Vulnerability
- Authorisation Bypass
- Patched in Version
- 1.2.6
- Severity Score
- High
ContentStudio
- Plugin Slug
- contentstudio
- Vulnerability
- Nonce Disclosure
- Patched in Version
- 1.2.6
- Severity Score
- High
WordPress Plugin Vulnerabilities – No Known Fix
This section contains plugin vulnerabilities with no known fix. Until a patch is available, immediately uninstall and delete the plugin.
Markup
- Plugin Slug
- wp-structuring-markup
- Installations
- 30,000+
- Vulnerability
- Contributor+ Stored XSS via Shortcode
- Patched in Version
- No Fix
- Severity Score
- Medium
Page Builder: Live Composer
- Plugin Slug
- live-composer-page-builder
- Installations
- 20,000+
- Vulnerability
- Contributor+ Stored XSS via Shortcode
- Patched in Version
- No Fix
- Severity Score
- Medium
Login Logout Menu
- Plugin Slug
- baw-login-logout-menu
- Installations
- 10,000+
- Vulnerability
- Contributor+ Stored XSS in Shortcode
- Patched in Version
- No Fix
- Severity Score
- Medium
Easy Social Box
- Plugin Slug
- easy-facebook-like-box
- Vulnerability
- Contributor+ Stored XSS via Shortcode
- Patched in Version
- No Fix
- Severity Score
- Medium
Intuitive Custom Post Order
- Plugin Slug
- intuitive-custom-post-order
- Vulnerability
- Arbitrary Menu Order Update via CSRF
- Patched in Version
- No Fix
- Severity Score
- Medium
Intuitive Custom Post Order
- Plugin Slug
- intuitive-custom-post-order
- Vulnerability
- Subscriber+ Arbitrary Menu Order Update
- Patched in Version
- No Fix
- Severity Score
- Medium
Simple File Downloader
- Plugin Slug
- simple-file-downloader
- Vulnerability
- Contributor+ Stored XSS via Shortcode
- Patched in Version
- No Fix
- Severity Score
- Medium
Post Views Count
- Plugin Slug
- baw-post-views-count
- Vulnerability
- Contributor+ Stored XSS in Shortcode
- Patched in Version
- No Fix
- Severity Score
- Medium
WP Responsive Testimonials Slider And Widget
- Plugin Slug
- wp-responsive-testimonials-slider-and-widget
- Vulnerability
- Contributor+ Stored XSS
- Patched in Version
- No Fix
- Severity Score
- Medium
Opening Hours
- Plugin Slug
- wp-opening-hours
- Vulnerability
- Contributor+ Stored XSS via Shortcode
- Patched in Version
- No Fix
- Severity Score
- Medium
Hueman Addons
- Plugin Slug
- hueman-addons
- Vulnerability
- Contributor+ Stored XSS via Shortcode
- Patched in Version
- No Fix
- Severity Score
- Medium
Video.js – HTML5 Video Player for WordPress
- Plugin Slug
- videojs-html5-video-player-for-wordpress
- Vulnerability
- Contributor+ Stored XSS via Shortcode
- Patched in Version
- No Fix
- Severity Score
- Medium
Download Video Sidebar Widgets
- Plugin Slug
- video-sidebar-widgets
- Vulnerability
- Contributor+ Stored XSS via Shortcode
- Patched in Version
- No Fix
- Severity Score
- Medium
Bootstrap Shortcodes
- Plugin Slug
- bootstrap-shortcodes
- Vulnerability
- Contributor+ Stored XSS via Shortcode
- Patched in Version
- No Fix
- Severity Score
- Medium
WordPress Theme Vulnerabilities
In this section, the latest WordPress theme vulnerabilities have been disclosed. Each theme listing includes the type of vulnerability, the active installations, the version number if patched, the severity rating, and the CVE.
Never worry about running a vulnerable plugin or theme again.
As you can see from this report, lots of new WordPress plugin and theme vulnerabilities are disclosed each week. We know it can be difficult to stay on top of every reported vulnerability disclosure, so the iThemes Security Pro plugin makes it easy to make sure your site isn’t running a theme, plugin, or WordPress core version with a known vulnerability.
Scans Your Website Twice a Day for Vulnerabilities
Your website’s plugins, themes, and WordPress core versions are checked against the WPScan Vulnerability Database for the latest vulnerability disclosures.
Automatically Updates if a Security Fix is Available
Paired with Version Management, iThemes Security will automatically update a plugin, theme, or WordPress core version if it has a vulnerability.
Emails You if Site Scan Detects a Vulnerability
You can receive an email report if your site is running vulnerable versions of a plugin, theme, or WordPress core. Customize the email addresses that receive scan results.
The Best WordPress Security Plugin to Secure & Protect WordPress Sites
WordPress currently powers over 40% of all websites, so it has become an easy target for hackers with malicious intent. The iThemes Security Pro plugin takes the guesswork out of WordPress security to make it easy to secure & protect your WordPress website. It’s like having a full-time security expert on staff who constantly monitors and protects your WordPress site for you.