Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. The weekly WordPress Vulnerability Report powered by WPScan covers recent WordPress plugin, theme, and core vulnerabilities, and what to do if you run one of the vulnerable plugins or themes on your website.
Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe. New in this report: vulnerabilities are now listed in order by the number of active installs, rather than the date of the disclosure.
Please share this post with your friends to help get the word out and make WordPress safer for everyone!
WordPress 5.9: Core Major Version Update Now Available
The latest version of WordPress core is WordPress 5.9. Be sure to update to WordPress 5.9 as soon as possible!
WordPress Plugin Vulnerabilities
This section lists the latest disclosed WordPress plugin vulnerabilities. Each listing includes the type of vulnerability, the number of active installations, the version in which it was patched (if a patch exists), and the severity rating.
| Plugin | Installations | Vulnerability | Patched in Version | Severity Score |
|---|---|---|---|---|
| WP Statistics | 600,000+ | Unauthenticated Blind SQL Injection | 13.1.5 | Critical |
| LoginPress \| Custom Login Page Customizer | 200,000+ | Reflected Cross-Site Scripting | 1.5.12 | Medium |
| WP Cerber Security, Anti-spam & Malware Scan | 200,000+ | Unauthenticated Stored Cross-Site Scripting | 8.9.6 | High |
| Email Subscribers & Newsletters – Simple and Effective Email Marketing WordPress Plugin | 100,000+ | Subscriber+ Blind SQL Injection; Unauthenticated Arbitrary Option Update | 5.3.2 | High |
| WP-Matomo Integration (WP-Piwik) | 60,000+ | Plugin Settings Reset via CSRF | 1.0.27 | Medium |
| Ditty (formerly Ditty News Ticker) | 50,000+ | Reflected Cross-Site Scripting (XSS) | 3.0.15 | Medium |
| WordPress File Upload | 30,000+ | Contributor+ Stored Cross-Site Scripting via Malicious SVG; Contributor+ Stored Cross-Site Scripting via Shortcode | 4.16.3 | Medium |
| PHP Everywhere | 30,000+ | Contributor+ RCE via Gutenberg Block; Subscriber+ RCE via Shortcode; Contributor+ RCE via Metabox | 3.0.0 | Critical |
| Video Conferencing with Zoom | 30,000+ | E-mail Address Disclosure | 3.8.17 | Medium |
| WP Visitor Statistics (Real Time Traffic) | 20,000+ | Subscriber+ SQL Injection | 5.6 | High |
| YOP Poll | 20,000+ | Author+ Stored Cross-Site Scripting | 6.3.5 | Medium |
| WP Event Manager – Easily Build your Calendar of Events! | 10,000+ | Admin+ Stored Cross-Site Scripting | 3.1.23 | Low |
| UsersWP – User Registration & User Profile | 10,000+ | Subscriber+ User Avatar Override | 1.2.3.1 | Medium |
| Smart Forms – when you need more than just a contact form | 10,000+ | Subscriber+ Form Data Download | 2.6.71 | Medium |
| E2Pdf – Export To Pdf Tool for WordPress | 7,000+ | Admin+ Stored Cross-Site Scripting (XSS) | 1.16.45 | Medium |
Premium Plugin Vulnerabilities
This section lists the latest disclosed vulnerabilities in premium plugins. Each listing includes the type of vulnerability, the number of active installations (where known), the version in which it was patched (if a patch exists), and the severity rating.
| Plugin | Installations | Vulnerability | Patched in Version | Severity Score |
|---|---|---|---|---|
| Fancy Product Designer | Unknown; Premium Plugin | Admin+ SQL Injection | 4.7.5 | Medium |
| WordPress File Upload Professional | | Contributor+ Stored Cross-Site Scripting via Malicious SVG; Contributor+ Stored Cross-Site Scripting via Shortcode | 4.16.3 | Medium |
WordPress Plugin Vulnerabilities – No Known Fix
Good news! No plugin vulnerabilities without a known fix were disclosed this week.
WordPress Theme Vulnerabilities
This section lists the latest disclosed WordPress theme vulnerabilities. Each listing includes the type of vulnerability, the number of downloads, the version in which it was patched (if a patch exists), and the severity rating.
| Theme | Downloads | Vulnerability | Patched in Version | Severity Score |
|---|---|---|---|---|
| ArileWP | 401,314 | Reflected Cross-Site Scripting via Customizer Notify | 2.9.7 | Medium |
| Travel Agency | 213,208 | Reflected Cross-Site Scripting via Customizer Notify | 1.4.2 | Medium |
| Perfect Portfolio | 172,199 | Reflected Cross-Site Scripting via Customizer Notify | 1.1.6 | Medium |
| Rara Business | 160,126 | Reflected Cross-Site Scripting via Customizer Notify | 1.2.3 | Medium |
| AwpBusinessPress | 40,249 | Reflected Cross-Site Scripting via Customizer Notify | 0.2.4 | Medium |
| ConsultStreet | 143,798 | Reflected Cross-Site Scripting via Customizer Notify | 1.6.7 | Medium |
| Designexo | 114,513 | Reflected Cross-Site Scripting via Customizer Notify | 3.7 | Medium |
| Travel Booking | 38,747 | Reflected Cross-Site Scripting via Customizer Notify | 1.2.3 | Medium |
WordPress Theme Vulnerabilities – No Known Fix
This section covers vulnerabilities in themes with no known fix. Until a patch is available, switch to another theme, then deactivate and uninstall the vulnerable one.
| Theme | Downloads | Vulnerability | Patched in Version | Severity Score |
|---|---|---|---|---|
| ColorWay | 1,313,341 | Reflected Cross-Site Scripting via Customizer Notify | No Fix | Medium |
| Wallstreet | 718,444 | Reflected Cross-Site Scripting via Customizer Notify | No Fix | Medium |
| Quality | 495,739 | Reflected Cross-Site Scripting via Customizer Notify | No Fix | Medium |
| StartKit | 459,051 | Reflected Cross-Site Scripting via Customizer Notify | No Fix | Medium |
| Busiprof | 458,162 | Reflected Cross-Site Scripting via Customizer Notify | No Fix | Medium |
| Rambo | 371,342 | Reflected Cross-Site Scripting via Customizer Notify | No Fix | Medium |
| Spasalon | 334,726 | Reflected Cross-Site Scripting via Customizer Notify | No Fix | Medium |
| HoneyPress | 226,695 | Reflected Cross-Site Scripting via Customizer Notify | No Fix | Medium |
| Fifteen | 212,109 | Reflected Cross-Site Scripting via Customizer Notify | No Fix | Medium |
| ElitePress | 148,007 | Reflected Cross-Site Scripting via Customizer Notify | No Fix | Medium |
| Envo Business | 111,185 | Reflected Cross-Site Scripting via Customizer Notify | No Fix | Medium |
| CloudPress | 102,458 | Reflected Cross-Site Scripting via Customizer Notify | No Fix | Medium |
| Shopbiz Lite | 83,149 | Reflected Cross-Site Scripting via Customizer Notify | No Fix | Medium |
| ConsultEra | 82,730 | Reflected Cross-Site Scripting via Customizer Notify | No Fix | Medium |
| EventPress | 70,771 | Reflected Cross-Site Scripting via Customizer Notify | No Fix | Medium |
| Blain | 50,841 | Reflected Cross-Site Scripting via Customizer Notify | No Fix | Medium |
| Robolist Lite | 48,328 | Reflected Cross-Site Scripting via Customizer Notify | No Fix | Medium |
| Short | 46,868 | Reflected Cross-Site Scripting via Customizer Notify | No Fix | Medium |
| BusiCare | 42,606 | Reflected Cross-Site Scripting via Customizer Notify | No Fix | Medium |
| Spice Software | 40,528 | Reflected Cross-Site Scripting via Customizer Notify | No Fix | Medium |
| WP Real Estate | 38,280 | Reflected Cross-Site Scripting via Customizer Notify | No Fix | Medium |
| Jewelry Store | 31,042 | Reflected Cross-Site Scripting via Customizer Notify | No Fix | Medium |
| IH Business Pro | 25,480 | Reflected Cross-Site Scripting via Customizer Notify | No Fix | Medium |
| Spiko | 20,289 | Reflected Cross-Site Scripting via Customizer Notify | No Fix | Medium |
| Mediciti Lite | 20,137 | XSS | No Fix | Medium |
| Auto Car | 10,972 | XSS | No Fix | Medium |
| Hasten Lite | 10,364 | XSS | No Fix | Medium |
| lawyerpress lite | 9,576 | Reflected Cross-Site Scripting via Customizer Notify | No Fix | Medium |
| Spawp | 8,864 | Reflected Cross-Site Scripting via Customizer Notify | No Fix | Medium |
| Businesswp | 6,371 | Reflected Cross-Site Scripting via Customizer Notify | No Fix | Medium |
| NGO Charity Lite | | Reflected Cross-Site Scripting via Customizer Notify | No Fix | Medium |
| AStore | | Reflected Cross-Site Scripting via Customizer Notify | No Fix | Medium |
| Cactus | | Reflected Cross-Site Scripting via Customizer Notify | No Fix | Medium |
How to Protect Your WordPress Website From Vulnerable Plugins and Themes
As this report shows, many new WordPress plugin and theme vulnerabilities are disclosed each week. We know it can be difficult to stay on top of every reported vulnerability disclosure, so the iThemes Security Pro plugin makes it easy to check that your site isn’t running a theme, plugin, or WordPress core version with a known vulnerability.
Get iThemes Security Pro with 24/7 Website Security Monitoring
iThemes Security Pro, our WordPress security plugin, offers 50+ ways to secure and protect your website from common WordPress security vulnerabilities. With two-factor authentication, brute force protection, strong password enforcement, and more, you can add extra layers of security to your website.

Each week, Michael puts together the WordPress Vulnerability Report to help keep your sites safe. As Product Manager at iThemes, he helps us continue to improve the iThemes product lineup. He’s a giant nerd & loves learning about all things tech, old & new. You can find Michael hanging out with his wife & daughter, reading or listening to music when not working.