Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. The weekly WordPress Vulnerability Report powered by WPScan covers recent WordPress plugin, theme, and core vulnerabilities, and what to do if you run one of the vulnerable plugins or themes on your website.
Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe. New in this report: vulnerabilities are now listed in order by the number of active installs, rather than the date of the disclosure.
Please share this post with your friends to help get the word out and make WordPress safer for everyone!

WordPress 5.9: Core Major Version Update Now Available
WordPress 5.9 “Joséphine” was released on January 25, 2022, as the first major WordPress core release of the year. The biggest thing to know about WordPress 5.9 is simply this: Full Site Editing (FSE) using the WordPress block editor is here (well, if you want to use it or your theme supports it).
WordPress 5.9 represents the largest release of Gutenberg features since the initial Gutenberg launch in WordPress 5.0. In addition, WordPress 5.9 includes 99 enhancements and 100 bug fixes.
In this post, we unpack what’s new and noteworthy in WordPress 5.9 so you can get the most out of the latest version of WordPress.
You can update to WordPress 5.9 by downloading from WordPress.org or visiting your WordPress admin dashboard > Updates and clicking Update Now.
If you have sites that have enabled automatic background updates, they should have already updated successfully. Just be sure to verify that all your WordPress sites are on WordPress 5.9.
WordPress Plugin Vulnerabilities
In this section, the latest WordPress plugin vulnerabilities have been disclosed. Each plugin listing includes the type of vulnerability, the active installations, the version number if patched, and the severity rating.
Essential Addons for Elementor
- Plugin
- Essential Addons for Elementor
- Installations
- 1,000,000+
- Vulnerability
- Unauthenticated LFI
- Patched in Version
- 5.0.5
- Severity Score
- Critical
Use Any Font
- Plugin
- Use Any Font | Custom Font Uploader
- Installations
- 200,000+
- Vulnerability
- Unauthenticated Arbitrary CSS Appending
- Patched in Version
- 6.2.1
- Severity Score
- High
TI WooCommerce Wishlist
- Plugin
- TI WooCommerce Wishlist
- Installations
- 100,000+
- Vulnerability
- Unauthenticated Blind SQL Injection
- Patched in Version
- 1.40.1
- Severity Score
- High
StatCounter
- Plugin
- StatCounter – Free Real Time Visitor Stats
- Installations
- 100,000+
- Vulnerability
- Admin+ Stored Cross-Site Scripting
- Patched in Version
- 2.0.7
- Severity Score
- Low
WPvivid Backup and Migration Plugin
- Plugin
- Migration, Backup, Staging – WPvivid Backup and Migration Plugin
- Installations
- 100,000+
- Vulnerability
- Unauthenticated Stored Cross-Site Scripting
- Patched in Version
- 0.9.69
- Severity Score
- Critical
LearnPress
- Plugin
- LearnPress – WordPress LMS Plugin
- Installations
- 100,000+
- Vulnerability
- Arbitrary Image Renaming
- Patched in Version
- 4.1.5
- Severity Score
- Medium
WP RSS Aggregator
- Plugin
- WP RSS Aggregator – News Feeds, Autoblogging, Youtube Video Feeds and More
- Installations
- 60,000+
- Vulnerability
- Reflected Cross-Site Scripting (XSS)
- Patched in Version
- 4.20
- Severity Score
- Medium
Simple Membership
- Plugin
- Simple Membership
- Installations
- 50,000+
- Vulnerability
- Arbitrary Member Deletion via CSRF
- Patched in Version
- 4.0.9
- Severity Score
- Medium
Better Notifications for WP
- Plugin
- Customize WordPress Emails and Alerts – Better Notifications for WP
- Installations
- 40,000+
- Vulnerability
- Email Address Disclosure
- Patched in Version
- 1.8.7
- Severity Score
- Medium
Post Snippets
- Plugin
- Post Snippets
- Installations
- 30,000+
- Vulnerability
- CSRF to Stored Cross-Site Scripting
- Patched in Version
- 3.1.4
- Severity Score
- High
Blackhole for Bad Bots
- Plugin
- Blackhole for Bad Bots
- Installations
- 30,000+
- Vulnerability
- Arbitrary IP Address Blocking via IP Spoofing
- Patched in Version
- 3.3.2
- Severity Score
- High
WP Visitor Statistics (Real Time Traffic)
- Plugin
- WP Visitor Statistics (Real Time Traffic)
- Installations
- 20,000+
- Vulnerability
- Arbitrary IP Address Exclusion to Stored XSS
- Patched in Version
- 5.5
- Severity Score
- High
WP Accessibility Helper (WAH)
- Plugin
- WP Accessibility Helper (WAH)
- Installations
- 20,000+
- Vulnerability
- Reflected Cross-Site Scripting (XSS)
- Patched in Version
- 0.6.0.7
- Severity Score
- Medium
Asgaros Forum
- Plugin
- Asgaros Forum
- Installations
- 20,000+
- Vulnerability
- Subscriber+ Blind SQL Injection
- Patched in Version
- 2.0.0
- Severity Score
- High
WP Google Map
- Plugin
- Maps Plugin using Google Maps for WordPress – WP Google Map
- Installations
- 20,000+
- Vulnerability
- Arbitrary Post Deletion and Plugin’s Settings Update via CSRF
- Patched in Version
- 1.8.4
- Severity Score
- Medium
WHMCS Bridge
- Plugin
- WHMCS Bridge
- Installations
- 10,000+
- Vulnerability
- Reflected Cross-Site Scripting (XSS)
- Patched in Version
- 6.4b
- Severity Score
- Medium
WP Review Slider
- Plugin
- WP Review Slider
- Installations
- 10,000+
- Vulnerability
- Admin+ SQL Injection
- Patched in Version
- 11.0
- Severity Score
- Medium
WP Ultimate CSV Importer
- Plugin
- Easy Drag And drop All Import : WP Ultimate CSV Importer
- Installations
- 10,000+
- Vulnerability
- Admin+ Stored Cross-Site Scripting
- Patched in Version
- 6.4.3
- Severity Score
- Low
AP Custom Testimonial
- Plugin
- Testimonial WordPress Plugin – AP Custom Testimonial
- Installations
- 4,000+
- Vulnerability
- Reflected Cross-Site Scripting; Admin+ SQL Injection
- Patched in Version
- 1.4.8
- Severity Score
- Medium
Logo Showcase with Slick Slider
- Plugin
- Logo Showcase with Slick Slider – Logo Carousel, Logo Slider & Logo Grid
- Installations
- 3,000+
- Vulnerability
- Arbitrary Media Title/Description/Alt Text/URL Update via CSRF
- Patched in Version
- 2.0.1
- Severity Score
- Medium
WP User
- Plugin
- WP User – Custom Registration Forms, Login and User Profile
- Installations
- 2,000+
- Vulnerability
- Reflected Cross-Site Scripting
- Patched in Version
- 7.0
- Severity Score
- Medium
WS Form
- Plugin
- WS Form LITE – Drag & Drop Contact Form Builder for WordPress
- Installations
- 1,000+
- Vulnerability
- Admin+ Stored Cross-Site Scripting; Unauthenticated Stored Cross-Site Scripting
- Patched in Version
- 1.8.176
- Severity Score
- High
Premium Plugin Vulnerabilities
In this section, the latest WordPress plugin vulnerabilities have been disclosed in closed plugins. Each plugin listing includes the type of vulnerability, the severity rating, and the date of closure
Super Forms
- Plugin
- Super Forms – Drag & Drop Form Builder
- Installations
- Unknown (Premium Plugin)
- Vulnerability
- Reflected Cross-Site Scripting
- Patched in Version
- 6.0.4
- Severity Score
- Medium
WordPress GDPR & CCPA
- Plugin
- WordPress GDPR
- Installations
- Unknown (Premium Plugin)
- Vulnerability
- Authenticated Reflected Cross-Site Scripting; Unauthenticated Reflected Cross-Site Scripting
- Patched in Version
- 1.9.27
- Severity Score
- Medium
Ti WooCommerce Wishlist Pro
- Plugin
- TI WooCommerce Wishlist Pro
- Installations
- Unknown (Premium Plugin)
- Vulnerability
- Unauthenticated Blind SQL Injection
- Patched in Version
- 1.40.1
- Severity Score
- High
AdSanity
- Plugin
- AdSanity
- Installations
- Unknown (Premium Plugin)
- Vulnerability
- Contributor Arbitrary File Upload
- Patched in Version
- 1.8.2
- Severity Score
- Critical
WordPress Plugin Vulnerabilities – No Known Fix
In this section, the latest WordPress plugin vulnerabilities have been disclosed in closed plugins. Each plugin listing includes the type of vulnerability, the severity rating, and the date of closure
Embed Swagger
- Plugin
- Embed Swagger
- Vulnerability
- Reflected Cross-Site Scripting
- Patched in Version
- No Fix
- Severity Score
- Medium
Crazy Bone
- Plugin
- Crazy Bone
- Vulnerability
- Unauthenticated Stored XSS
- Patched in Version
- No Fix
- Severity Score
- High
WP Responsive Menu
- Plugin
- WP Responsive Menu
- Vulnerability
- Subscriber Settings Update to Stored XSS
- Patched in Version
- No Fix
- Severity Score
- High
WordPress Theme Vulnerabilities
No new theme vulnerabilities were disclosed this week.
How to Protect Your WordPress Website From Vulnerable Plugins and Themes
As you can see from this report, lots of new WordPress plugin and theme vulnerabilities are disclosed each week. We know it can be difficult to stay on top of every reported vulnerability disclosure, so the iThemes Security Pro plugin makes it easy to make sure your site isn’t running a theme, plugin, or WordPress core version with a known vulnerability.
Get iThemes Security Pro with 24/7 Website Security Monitoring
iThemes Security Pro, our WordPress security plugin, offers 50+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress, two-factor authentication, brute force protection, strong password enforcement, and more, you can add extra layers of security to your website.
Get iThemes Security Pro

Each week, Michael puts together the WordPress Vulnerability Report to help keep your sites safe. As Product Manager at iThemes, he helps us continue to improve the iThemes product lineup. He’s a giant nerd & loves learning about all things tech, old & new. You can find Michael hanging out with his wife & daughter, reading or listening to music when not working.