WordPress Vulnerability Report – July 27, 2023

Since last week, 329 total vulnerabilities emerged in public disclosure. They may affect over 7 million WordPress sites. There are 209 plugin vulnerabilities and 18 theme vulnerabilities with security patches, so run those updates!

Additionally, there are 66 plugin vulnerabilities and 36 theme vulnerabilities with no patch available yet. If you use an unpatched plugin or theme, check their vendors’ intentions and progress on a security release. Suppose no patch is forthcoming or the vulnerable software has been marked “closed” and dropped from the official WordPress theme and plugin repositories. In that case, you should consider deactivation and removal in favor of alternative solutions.

Such an unusually high number of vulnerability reports is due to outdated versions of many plugins and themes that may use a common third-party dependency, Freemius’ WordPress SDK 2.5.9. Please see the Freemius WordPress SDK 2.5.9 Security Disclosure for more details.

?? New Today: Patchstack lists multiple high-severity vulnerabilities in the Ninja Forms plugin, potentially affecting 900k active WordPress sites. These vulnerabilities include a POST-based reflected XSS and broken access control on the form submissions export feature. Please update to version 3.6.26.

WordPress core is very secure when it’s properly configured and maintained. Vulnerable plugins not updated by site owners are the most common vector for attacks on WordPress websites. Our weekly WordPress Vulnerability Report, powered by Patchstack, covers new vulnerabilities that have emerged in plugins, themes, and/or WordPress core since last week’s report. Our goal is to spread awareness of emerging security threats and help you decide what to do if you find vulnerable software on your website. For a deeper analysis of recent trends in WordPress vulnerabilities and threat vectors, see our 2022 Annual Vulnerability Report.