WordPress Vulnerability Report – June 28, 2023

Written by

Dan Knauss
on

June 28, 2023

Last Updated on June 28, 2023

This week, 140 total vulnerabilities emerged in public disclosure. They may affect over 13 million WordPress sites. There are 116 plugin vulnerabilities and one theme vulnerability that has security patches available, so run those updates!

Additionally, there are 23 plugin vulnerabilities with no patch available yet. If you are using any unpatched plugins or themes, check their vendors’ intentions and progress on a security release. If no patch is forthcoming or the vulnerable software has been closed and dropped from the official WordPress theme and plugin repositories, you should consider deactivation and removal in favor of alternative solutions.

WordPress Core Vulnerabilities — Patched

No new WordPress core vulnerabilities were disclosed this week.

WordPress core is very secure when it’s properly configured and maintained. Vulnerable plugins that have not been updated by site owners are the most common vector for attacks on WordPress websites. Our weekly WordPress Vulnerability Report, powered by Patchstack, covers new WordPress plugin, theme, and core vulnerabilities that have emerged since last week’s report. Our goal is to spread awareness of emerging security threats and help you decide what to do if you are using vulnerable software on your website. For a deeper analysis of recent trends in WordPress vulnerabilities and threat vectors, see our 2022 Annual Vulnerability Report.

These reports are published every Wednesday and include all active vulnerabilities tracked by Patchstack as of Monday since the previous report. This leaves a 48-hour window for the newest emerging vulnerabilities to be patched before full public disclosure. iThemes Security Pro users have access to vulnerability alerts emerging within this window.

Get the weekly WordPress Vulnerability Report delivered to your inbox each Wednesday.

WordPress Plugin Vulnerabilities — Patched

In this section, you’ll find the most recently disclosed WordPress plugin vulnerabilities that have been fixed with a new release from their authors and maintainers. Please apply the updates if you are affected!

These vulnerabilities have been disclosed and scored for their severity, thanks to our friends at Patchstack. Each plugin listing includes the type of vulnerability with its CVE number and CVSS severity rating with links to more technical details. You’ll also see the number of active sites using the plugin and the plugin version release that patches the vulnerability. We start with the most popular plugins, which represent the largest target for attackers.

WPForms Lite

Plugin Slug: wpforms-lite
Installations: 5,000,000+
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: 1.8.1.3
Severity Score: Medium

The vulnerability has been patched, so you should update to version 1.8.1.3.

Ninja Forms Contact Form

Plugin Slug: ninja-forms
Installations: 900,000+
Vulnerability: Arbitrary File Deletion
Patched in Version: 3.6.25
Severity Score: Medium

The vulnerability has been patched, so you should update to version 3.6.25.

Complianz

Plugin Slug: complianz-gdpr
Installations: 700,000+
Vulnerability: Cross Site Request Forgery (CSRF) lead to Site Wide Cross Site Scripting (XSS)
Patched in Version: 6.4.5
Severity Score: High

The vulnerability has been patched, so you should update to version 6.4.5.

Complianz

Plugin Slug: complianz-gdpr
Installations: 700,000+
Vulnerability: Multiple Cross Site Request Forgery (CSRF)
Patched in Version: 6.4.6
Severity Score: Medium

The vulnerability has been patched, so you should update to version 6.4.6.

MainWP Child

Plugin Slug: mainwp-child
Installations: 600,000+
Vulnerability: Information Disclosure via Back-Up Files
Patched in Version: 4.4.1.2
Severity Score: High

The vulnerability has been patched, so you should update to version 4.4.1.2.

WooCommerce Payments

Plugin Slug: woocommerce-payments
Installations: 600,000+
Vulnerability: SQL Injection
Patched in Version: 5.9.1
Severity Score: High

The vulnerability has been patched, so you should update to version 5.9.1.

WooCommerce Payments

Plugin Slug: woocommerce-payments
Installations: 600,000+
Vulnerability: Insecure Direct Object References (IDOR)
Patched in Version: 5.9.1
Severity Score: High

The vulnerability has been patched, so you should update to version 5.9.1.

WooCommerce PayPal Payments

Plugin Slug: woocommerce-paypal-payments
Installations: 600,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 2.0.5
Severity Score: Medium

The vulnerability has been patched, so you should update to version 2.0.5.

ProfilePress

Plugin Slug: wp-user-avatar
Installations: 300,000+
Vulnerability: Reflected Cross Site Scripting (XSS) via error message
Patched in Version: 4.11.0
Severity Score: High

The vulnerability has been patched, so you should update to version 4.11.0.

Spam protection, AntiSpam, FireWall by CleanTalk

Plugin Slug: cleantalk-spam-protect
Installations: 200,000+
Vulnerability: Broken Access Control
Patched in Version: 6.11
Severity Score: High

The vulnerability has been patched, so you should update to version 6.11.

Metform Elementor Contact Form Builder

Plugin Slug: metform
Installations: 200,000+
Vulnerability: Cross Site Request Forgery (CSRF) via permalink_setup
Patched in Version: 3.3.3
Severity Score: Medium

The vulnerability has been patched, so you should update to version 3.3.3.

Photo Gallery by 10Web

Plugin Slug: photo-gallery
Installations: 200,000+
Vulnerability: Broken Access Control
Patched in Version: 1.8.16
Severity Score: Medium

The vulnerability has been patched, so you should update to version 1.8.16.

Ultimate Member

Plugin Slug: ultimate-member
Installations: 200,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 2.6.1
Severity Score: Medium

The vulnerability has been patched, so you should update to version 2.6.1.

Unlimited Elements For Elementor

Plugin Slug: unlimited-elements-for-elementor
Installations: 200,000+
Vulnerability: Multiple Broken Access Control
Patched in Version: 1.5.66
Severity Score: High

The vulnerability has been patched, so you should update to version 1.5.66.

Unlimited Elements For Elementor

Plugin Slug: unlimited-elements-for-elementor
Installations: 200,000+
Vulnerability: Arbitrary File Upload
Patched in Version: 1.5.66
Severity Score: Critical

The vulnerability has been patched, so you should update to version 1.5.66.

WP Mail Logging

Plugin Slug: wp-mail-logging
Installations: 200,000+
Vulnerability: Missing Authorization to Notice Dismissal
Patched in Version: 1.12.0
Severity Score: Medium

The vulnerability has been patched, so you should update to version 1.12.0.

WP Activity Log

Plugin Slug: wp-security-audit-log
Installations: 200,000+
Vulnerability: Subscriber+ Information Leak
Patched in Version: 4.5.2
Severity Score: Medium

The vulnerability has been patched, so you should update to version 4.5.2.

Colibri Page Builder

Plugin Slug: colibri-page-builder
Installations: 100,000+
Vulnerability: Auth. SQL Injection
Patched in Version: 1.0.229
Severity Score: High

The vulnerability has been patched, so you should update to version 1.0.229.

WordPress Button Plugin MaxButtons

Plugin Slug: maxbuttons
Installations: 100,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 9.6
Severity Score: Medium

The vulnerability has been patched, so you should update to version 9.6.

WooCommerce Square

Plugin Slug: woocommerce-square
Installations: 100,000+
Vulnerability: Insecure Direct Object References (IDOR)
Patched in Version: 3.8.2
Severity Score: High

The vulnerability has been patched, so you should update to version 3.8.2.

EmbedPress

Plugin Slug: embedpress
Installations: 80,000+
Vulnerability: Sensitive Data Exposure
Patched in Version: 3.8.0
Severity Score: Medium

The vulnerability has been patched, so you should update to version 3.8.0.

Bookly

Plugin Slug: bookly-responsive-appointment-booking-tool
Installations: 70,000+
Vulnerability: Admin+ Stored Cross Site Scripting (XSS) via service titles
Patched in Version: 21.8
Severity Score: Medium

The vulnerability has been patched, so you should update to version 21.8.

Conditional Menus

Plugin Slug: conditional-menus
Installations: 70,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.2.1
Severity Score: High

The vulnerability has been patched, so you should update to version 1.2.1.

Tutor LMS

Plugin Slug: tutor
Installations: 70,000+
Vulnerability: Unauthenticated Access to Tutor LMS Lesson Resources via REST API
Patched in Version: 2.2.1
Severity Score: Medium

The vulnerability has been patched, so you should update to version 2.2.1.

Dokan

Plugin Slug: dokan-lite
Installations: 60,000+
Vulnerability: PHP Object Injection
Patched in Version: 3.7.20
Severity Score: Medium

The vulnerability has been patched, so you should update to version 3.7.20.

CF7 Google Sheets Connector

Plugin Slug: cf7-google-sheets-connector
Installations: 40,000+
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: 5.0.2
Severity Score: High

The vulnerability has been patched, so you should update to version 5.0.2.

ConvertKit

Plugin Slug: convertkit
Installations: 40,000+
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: 2.2.1
Severity Score: High

The vulnerability has been patched, so you should update to version 2.2.1.

Super Socializer

Plugin Slug: super-socializer
Installations: 40,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 7.13.53
Severity Score: Medium

The vulnerability has been patched, so you should update to version 7.13.53.

Super Socializer

Plugin Slug: super-socializer
Installations: 40,000+
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: 7.13.52
Severity Score: High

The vulnerability has been patched, so you should update to version 7.13.52.

Login/Signup Popup

Plugin Slug: easy-login-woocommerce
Installations: 30,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 2.4
Severity Score: Medium

The vulnerability has been patched, so you should update to version 2.4.

Float menu

Plugin Slug: float-menu
Installations: 30,000+
Vulnerability: Admin+ Stored Cross Site Scripting (XSS)
Patched in Version: 5.0.3
Severity Score: Medium

The vulnerability has been patched, so you should update to version 5.0.3.

Gutenverse – Gutenberg Blocks – Page Builder for Site Editor

Plugin Slug: gutenverse
Installations: 30,000+
Vulnerability: Broken Access Control
Patched in Version: 1.8.6
Severity Score: Medium

The vulnerability has been patched, so you should update to version 1.8.6.

Icegram

Plugin Slug: icegram
Installations: 30,000+
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: 3.1.12
Severity Score: High

The vulnerability has been patched, so you should update to version 3.1.12.

Subscribe2

Plugin Slug: subscribe2
Installations: 30,000+
Vulnerability: Broken Access Control
Patched in Version: 10.41
Severity Score: Medium

The vulnerability has been patched, so you should update to version 10.41.

Subscribe2

Plugin Slug: subscribe2
Installations: 30,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 10.41
Severity Score: Medium

The vulnerability has been patched, so you should update to version 10.41.

PostX – Gutenberg Post Grid Blocks

Plugin Slug: ultimate-post
Installations: 30,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.9.10
Severity Score: High

The vulnerability has been patched, so you should update to version 2.9.10.

Abandoned Cart Lite for WooCommerce

Plugin Slug: woocommerce-abandoned-cart
Installations: 30,000+
Vulnerability: Stored Cross Site Scripting (XSS)
Patched in Version: 5.2.0
Severity Score: High

The vulnerability has been patched, so you should update to version 5.2.0.

ND Shortcodes

Plugin Slug: nd-shortcodes
Installations: 20,000+
Vulnerability: Subscriber+ Local File Inclusion
Patched in Version: 7.0
Severity Score: High

The vulnerability has been patched, so you should update to version 7.0.

Supsystic Popup

Plugin Slug: popup-by-supsystic
Installations: 20,000+
Vulnerability: Prototype Pollution
Patched in Version: 1.10.19
Severity Score: High

The vulnerability has been patched, so you should update to version 1.10.19.

Protect WP Admin

Plugin Slug: protect-wp-admin
Installations: 20,000+
Vulnerability: Unauthenticated Protection Bypass Vulnerability
Patched in Version: 4.0
Severity Score: Medium

The vulnerability has been patched, so you should update to version 4.0.

Quiz Maker

Plugin Slug: quiz-maker
Installations: 20,000+
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: 6.4.2.7
Severity Score: High

The vulnerability has been patched, so you should update to version 6.4.2.7.

wpForo Forum

Plugin Slug: wpforo
Installations: 20,000+
Vulnerability: Authenticated (Subscriber+) Local File Include, Server-Side Request Forgery, and PHAR Deserialization via file_get_contents
Patched in Version: 2.1.8
Severity Score: High

The vulnerability has been patched, so you should update to version 2.1.8.

WP ERP

Plugin Slug: afterpay-gateway-for-woocommerce
Installations: 10,000+
Vulnerability: Admin+ SQL Injection
Patched in Version: 1.12.4
Severity Score: High

The vulnerability has been patched, so you should update to version 1.12.4.

BookIt

Plugin Slug: bookit
Installations: 10,000+
Vulnerability: Authentication Bypass
Patched in Version: 2.3.8
Severity Score: Critical

The vulnerability has been patched, so you should update to version 2.3.8.

CMS Commander

Plugin Slug: cms-commander-client
Installations: 10,000+
Vulnerability: Authorization Bypass through Use of Insufficiently Unique Cryptographic Signature
Patched in Version: 2.288
Severity Score: High

The vulnerability has been patched, so you should update to version 2.288.

Contact Form Email

Plugin Slug: contact-form-to-email
Installations: 10,000+
Vulnerability: Unauthenticated Stored Cross Site Scripting (XSS)
Patched in Version: 1.3.38
Severity Score: High

The vulnerability has been patched, so you should update to version 1.3.38.

Custom 404 Pro

Plugin Slug: custom-404-pro
Installations: 10,000+
Vulnerability: Multiple SQL Injection
Patched in Version: 3.8.1
Severity Score: High

The vulnerability has been patched, so you should update to version 3.8.1.

File Renaming on Upload

Plugin Slug: file-renaming-on-upload
Installations: 10,000+
Vulnerability: Admin+ Stored Cross Site Scripting (XSS)
Patched in Version: 2.5.2
Severity Score: Medium

The vulnerability has been patched, so you should update to version 2.5.2.

Accordion & FAQ

Plugin Slug: helpie-faq
Installations: 10,000+
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: 1.9.9
Severity Score: High

The vulnerability has been patched, so you should update to version 1.9.9.

Five Star Restaurant Reservations

Plugin Slug: restaurant-reservations
Installations: 10,000+
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: 2.6.8
Severity Score: High

The vulnerability has been patched, so you should update to version 2.6.8.

Restrict Content

Plugin Slug: restrict-content
Installations: 10,000+
Vulnerability: Missing Authorization to Notice Dismissal
Patched in Version: 3.2.3
Severity Score: Medium

The vulnerability has been patched, so you should update to version 3.2.3.

Restrict Content

Plugin Slug: restrict-content
Installations: 10,000+
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: 3.2.3
Severity Score: High

The vulnerability has been patched, so you should update to version 3.2.3.

SupportCandy

Plugin Slug: supportcandy
Installations: 10,000+
Vulnerability: Subscriber+ SQL Injection
Patched in Version: 3.1.7
Severity Score: High

The vulnerability has been patched, so you should update to version 3.1.7.

SupportCandy

Plugin Slug: supportcandy
Installations: 10,000+
Vulnerability: Admin+ SQL Injection
Patched in Version: 3.1.7
Severity Score: High

The vulnerability has been patched, so you should update to version 3.1.7.

Event Manager and Tickets Selling Plugin for WooCommerce

Plugin Slug: mage-eventpress
Installations: 9,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.9.6
Severity Score: Medium

The vulnerability has been patched, so you should update to version 3.9.6.

Buy Me a Coffee

Plugin Slug: buymeacoffee
Installations: 6,000+
Vulnerability: Auth. Stored Cross Site Scripting (XSS)
Patched in Version: 3.7
Severity Score: Medium

The vulnerability has been patched, so you should update to version 3.7.

FormCraft Premium

Plugin Slug: formcraft-form-builder
Installations: 5,000+
Vulnerability: Auth. SQL Injection
Patched in Version: 3.9.7
Severity Score: High

The vulnerability has been patched, so you should update to version 3.9.7.

WPForms Google Sheet Connector

Plugin Slug: gsheetconnector-wpforms
Installations: 5,000+
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: 3.4.6
Severity Score: High

The vulnerability has been patched, so you should update to version 3.4.6.

MStore API

Plugin Slug: mstore-api
Installations: 5,000+
Vulnerability: Unauth. SQL Injection
Patched in Version: 4.0.2
Severity Score: Critical

The vulnerability has been patched, so you should update to version 4.0.2.

MStore API

Plugin Slug: mstore-api
Installations: 5,000+
Vulnerability: SQL Injection
Patched in Version: 3.9.8
Severity Score: High

The vulnerability has been patched, so you should update to version 3.9.8.

Poll Maker

Plugin Slug: poll-maker
Installations: 5,000+
Vulnerability: Server Side Request Forgery (SSRF)
Patched in Version: 4.6.3
Severity Score: Medium

The vulnerability has been patched, so you should update to version 4.6.3.

Simple Iframe

Plugin Slug: simple-iframe
Installations: 5,000+
Vulnerability: Contributor+ Stored Cross Site Scripting (XSS)
Patched in Version: 1.2.0
Severity Score: Medium

The vulnerability has been patched, so you should update to version 1.2.0.

WP Custom Cursors

Plugin Slug: wp-custom-cursors
Installations: 5,000+
Vulnerability: Admin+ SQL Injection
Patched in Version: 3.2
Severity Score: High

The vulnerability has been patched, so you should update to version 3.2.

AI ChatBot

Plugin Slug: chatbot
Installations: 4,000+
Vulnerability: Admin+ Stored Cross Site Scripting (XSS)
Patched in Version: 4.5.5
Severity Score: Medium

The vulnerability has been patched, so you should update to version 4.5.5.

AI ChatBot

Plugin Slug: chatbot
Installations: 4,000+
Vulnerability: Admin+ Stored Cross Site Scripting (XSS)
Patched in Version: 4.5.6
Severity Score: Medium

The vulnerability has been patched, so you should update to version 4.5.6.

Survey Maker

Plugin Slug: survey-maker
Installations: 4,000+
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: 3.4.7
Severity Score: High

The vulnerability has been patched, so you should update to version 3.4.7.

Integration for Contact Form 7 and Zoho CRM, Bigin

Plugin Slug: cf7-zoho
Installations: 3,000+
Vulnerability: Admin+ SQL Injection
Patched in Version: 1.2.4
Severity Score: High

The vulnerability has been patched, so you should update to version 1.2.4.

CHP Ads Block Detector

Plugin Slug: chp-ads-block-detector
Installations: 3,000+
Vulnerability: Broken Access Control
Patched in Version: 3.9.8
Severity Score: Medium

The vulnerability has been patched, so you should update to version 3.9.8.

Potent Donations for WooCommerce

Plugin Slug: donations-for-woocommerce
Installations: 3,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.1.10
Severity Score: Medium

The vulnerability has been patched, so you should update to version 1.1.10.

EventON

Plugin Slug: eventon-lite
Installations: 3,000+
Vulnerability: Unauthenticated Event Access
Patched in Version: 2.1.2
Severity Score: Medium

The vulnerability has been patched, so you should update to version 2.1.2.

EventON

Plugin Slug: eventon-lite
Installations: 3,000+
Vulnerability: Unauthenticated Post Access via Insecure Direct Object References (IDOR)
Patched in Version: 2.1.2
Severity Score: Medium

The vulnerability has been patched, so you should update to version 2.1.2.

Core Web Vitals & PageSpeed Booster

Plugin Slug: core-web-vitals-pagespeed-booster
Installations: 2,000+
Vulnerability: Open Redirection
Patched in Version: 1.0.13
Severity Score: Medium

The vulnerability has been patched, so you should update to version 1.0.13.

Extra User Details

Plugin Slug: extra-user-details
Installations: 2,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 0.5.1
Severity Score: Medium

The vulnerability has been patched, so you should update to version 0.5.1.

Extra User Details

Plugin Slug: extra-user-details
Installations: 2,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 0.5.1
Severity Score: Medium

The vulnerability has been patched, so you should update to version 0.5.1.

KiviCare Management System

Plugin Slug: kivicare-clinic-management-system
Installations: 2,000+
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: 3.2.1
Severity Score: High

The vulnerability has been patched, so you should update to version 3.2.1.

KiviCare Management System

Plugin Slug: kivicare-clinic-management-system
Installations: 2,000+
Vulnerability: Subscriber+ Sensitive Data Exposure
Patched in Version: 3.2.1
Severity Score: Medium

The vulnerability has been patched, so you should update to version 3.2.1.

KiviCare Management System

Plugin Slug: kivicare-clinic-management-system
Installations: 2,000+
Vulnerability: Subscriber+ Unauthorised AJAX Calls
Patched in Version: 3.2.1
Severity Score: Medium

The vulnerability has been patched, so you should update to version 3.2.1.

KiviCare Management System

Plugin Slug: kivicare-clinic-management-system
Installations: 2,000+
Vulnerability: Multiple Cross Site Request Forgery (CSRF)
Patched in Version: 3.2.1
Severity Score: Medium

The vulnerability has been patched, so you should update to version 3.2.1.

teachPress

Plugin Slug: teachpress
Installations: 2,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 9.0.3
Severity Score: High

The vulnerability has been patched, so you should update to version 9.0.3.

WP Directory Kit

Plugin Slug: wpdirectorykit
Installations: 2,000+
Vulnerability: Unauthenticated Local File Inclusion
Patched in Version: 1.2.4
Severity Score: High

The vulnerability has been patched, so you should update to version 1.2.4.

Contact Form to DB by BestWebSoft

Plugin Slug: contact-form-to-db
Installations: 1,000+
Vulnerability: SQL Injection
Patched in Version: 1.7.2
Severity Score: High

The vulnerability has been patched, so you should update to version 1.7.2.

EventPrime

Plugin Slug: eventprime-event-calendar-management
Installations: 1,000+
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: 3.0.6
Severity Score: High

The vulnerability has been patched, so you should update to version 3.0.6.

Photo Gallery by Ays

Plugin Slug: gallery-photo-gallery
Installations: 1,000+
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: 5.1.7
Severity Score: High

The vulnerability has been patched, so you should update to version 5.1.7.

Elementor Forms Google Sheet Connector

Plugin Slug: gsheetconnector-for-elementor-forms
Installations: 1,000+
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: 1.0.7
Severity Score: High

The vulnerability has been patched, so you should update to version 1.0.7.

Ninja Forms Google Sheet Connector

Plugin Slug: gsheetconnector-ninja-forms
Installations: 1,000+
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: 1.2.7
Severity Score: High

The vulnerability has been patched, so you should update to version 1.2.7.

MyCurator Content Curation

Plugin Slug: mycurator
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 3.75
Severity Score: Medium

The vulnerability has been patched, so you should update to version 3.75.

OOPSpam Anti-Spam

Plugin Slug: oopspam-anti-spam
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.1.45
Severity Score: Medium

The vulnerability has been patched, so you should update to version 1.1.45.

ReDi Restaurant Reservation

Plugin Slug: redi-restaurant-reservation
Installations: 1,000+
Vulnerability: Broken Access Control
Patched in Version: 23.0212
Severity Score: High

The vulnerability has been patched, so you should update to version 23.0212.

Booking Calendar Contact Form

Plugin Slug: booking-calendar-contact-form
Installations: 900+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.2.41
Severity Score: High

The vulnerability has been patched, so you should update to version 1.2.41.

Customer Service Software & Support Ticket System

Plugin Slug: wp-ticket
Installations: 600+
Vulnerability: Authenticated (Administrator+) Stored Cross Site Scripting (XSS)
Patched in Version: 5.13
Severity Score: Medium

The vulnerability has been patched, so you should update to version 5.13.

WP Sticky Social

Plugin Slug: wp-sticky-social
Installations: 300+
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched in Version: 1.0.2
Severity Score: High

The vulnerability has been patched, so you should update to version 1.0.2.

Mail Queue

Plugin Slug: mail-queue
Installations: 80+
Vulnerability: Unauthenticated Stored Cross-Site Scripting via Email Subject
Patched in Version: 1.2
Severity Score: High

The vulnerability has been patched, so you should update to version 1.2.

Lana Shortcodes

Plugin Slug: lana-shortcodes
Installations: 70+
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched in Version: 1.2.0
Severity Score: Medium

The vulnerability has been patched, so you should update to version 1.2.0.

Mailtree Log Mail

Plugin Slug: mailtree-log-mail
Installations: 10+
Vulnerability: Unauth. Stored Cross Site Scripting (XSS)
Patched in Version: 1.0.1
Severity Score: High

The vulnerability has been patched, so you should update to version 1.0.1.

AutomateWoo

Plugin: AutomateWoo
Plugin Slug: automatewoo
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 5.7.6
Severity Score: Medium

The vulnerability has been patched, so you should update to version 5.7.6.

AutomateWoo

Plugin: AutomateWoo
Plugin Slug: automatewoo
Vulnerability: Broken Access Control
Patched in Version: 5.7.6
Severity Score: Medium

The vulnerability has been patched, so you should update to version 5.7.6.

Complianz Premium

Plugin: Complianz Premium
Plugin Slug: complianz-gdpr-premium
Vulnerability: Cross Site Request Forgery (CSRF) to Site Wide Cross Site Scripting (XSS
Patched in Version: 6.4.7
Severity Score: High

The vulnerability has been patched, so you should update to version 6.4.7.

Complianz Premiumy

Plugin: Complianz Premium
Plugin Slug: complianz-gdpr-premium
Vulnerability: Multiple Cross Site Request Forgery (CSRF)
Patched in Version: 6.4.8
Severity Score: Medium

The vulnerability has been patched, so you should update to version 6.4.8.

Elementor Pro

Plugin: Elementor Pro
Plugin Slug: elementor-pro
Vulnerability: Auth. Broken Access Control
Patched in Version: 3.13.1
Severity Score: Medium

The vulnerability has been patched, so you should update to version 3.13.1.

Go Pricing – WordPress Responsive Pricing Tables

Plugin: Go Pricing
Plugin Slug: go-pricing-wordpress-responsive-pricing-tables
Vulnerability: Broken Access Control
Patched in Version: 3.4
Severity Score: Medium

The vulnerability has been patched, so you should update to version 3.4.

Go Pricing – WordPress Responsive Pricing Tables

Plugin: Go Pricing
Plugin Slug: go-pricing-wordpress-responsive-pricing-tables
Vulnerability: Contributor+ Cross Site Scripting (XSS)
Patched in Version: 3.4
Severity Score: Medium

The vulnerability has been patched, so you should update to version 3.4.

MonsterInsights Pro

Plugin: MonsterInsights Pro
Plugin Slug: google-analytics-premium
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 8.15
Severity Score: Medium

The vulnerability has been patched, so you should update to version 8.15.

Gravity Forms

Plugin: Gravity Forms
Plugin Slug: gravityforms
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: 2.7.5
Severity Score: High

The vulnerability has been patched, so you should update to version 2.7.5.

WPBakery Page Builder

Plugin: WPBakery Page Builder
Plugin Slug: js_composer
Vulnerability: Contributor+ Cross Site Scripting (XSS)
Patched in Version: 6.13.0
Severity Score: Medium

The vulnerability has been patched, so you should update to version 6.13.0.

Lana Text to Image

Plugin Slug: lana-text-to-image
Vulnerability: Auth. Stored Cross Site Scripting (XSS)
Patched in Version: 1.1.0
Severity Score: Medium

The vulnerability has been patched, so you should update to version 1.1.0.

PixelYourSite PRO

Plugin: PixelYourSite PRO
Plugin Slug: pixelyoursite-pro
Vulnerability: Admin+ Stored Cross Site Scripting (XSS)
Patched in Version: 9.6.2
Severity Score: Medium

The vulnerability has been patched, so you should update to version 9.6.2.

USM Premium

Plugin: USM Premium
Plugin Slug: ultimate-premium-plugin
Vulnerability: Admin+ Stored Cross Site Scripting (XSS)
Patched in Version: 16.3
Severity Score: Medium

The vulnerability has been patched, so you should update to version 16.3.

Abandoned Cart Pro for WooCommerce

Plugin: Abandoned Cart Pro
Plugin Slug: woocommerce-abandoned-cart-pro
Vulnerability: Stored Cross Site Scripting (XSS)
Patched in Version: 7.13.0
Severity Score: High

The vulnerability has been patched, so you should update to version 7.13.0.

WooCommerce Brands

Plugin: WooCommerce Brands
Plugin Slug: woocommerce-brands
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.6.50
Severity Score: Medium

The vulnerability has been patched, so you should update to version 1.6.50.

WooCommerce Bulk Stock Management

Plugin: WooCommerce Bulk Stock Management
Plugin Slug: woocommerce-bulk-stock-management
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.2.34
Severity Score: High

The vulnerability has been patched, so you should update to version 2.2.34.

WooCommerce Order Barcodes

Plugin: WooCommerce Order Barcodes
Plugin Slug: woocommerce-order-barcodes
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.6.5
Severity Score: Medium

The vulnerability has been patched, so you should update to version 1.6.5.

WooCommerce Product Vendors

Plugin: WooCommerce Product Vendors
Plugin Slug: woocommerce-product-vendors
Vulnerability: Shop Manager+ SQL Injection
Patched in Version: 2.1.79
Severity Score: High

The vulnerability has been patched, so you should update to version 2.1.79.

WooCommerce Ship to Multiple Addresses

Plugin: WooCommerce Ship to Multiple Addresses
Plugin Slug: woocommerce-shipping-multiple-addresses
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 3.8.6
Severity Score: Medium

The vulnerability has been patched, so you should update to version 3.8.6.

WooCommerce Subscriptions

Plugin: WooCommerce Subscriptions
Plugin Slug: woocommerce-subscriptions
Vulnerability: Insecure Direct Object References (IDOR)
Patched in Version: 5.1.3
Severity Score: High

The vulnerability has been patched, so you should update to version 5.1.3.

WordPress File Upload

Plugin: File Uploader
Plugin Slug: wp-file-uploader
Vulnerability: Admin+ Path Traversal
Patched in Version: 4.19.2
Severity Score: Medium

The vulnerability has been patched, so you should update to version 4.19.2.

WPForms Pro

Plugin: WPForms Pro
Plugin Slug: wpforms
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: 1.8.1.3
Severity Score: Medium

The vulnerability has been patched, so you should update to version 1.8.1.3.

WordPress Plugin Vulnerabilities — Unpatched

This section contains plugin vulnerabilities with no known fix. Until a patch is available, you are advised to deactivate the plugin, at minimum, immediately. If there is a high risk of active exploits or the plugin remains unpatched for weeks, you are advised to delete the plugin. You should also delete persistently unpatched plugins the WordPress.org repository has locked and marked “Closed” so they can no longer be downloaded and installed.

WP Cookie Notice for GDPR, CCPA & ePrivacy Consent

Plugin Slug: gdpr-cookie-consent
Installations: 9,000+
Vulnerability: CSV Injection
Patched in Version: No Fix
Severity Score: Medium

The vulnerability has not been patched. You should deactivate the plugin.

Form Builder

Plugin Slug: contact-form-add
Installations: 6,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: High

The vulnerability has not been patched. You should deactivate the plugin.

ApplyOnline – Application Form Builder and Manager

Plugin Slug: apply-online
Installations: 5,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium

The vulnerability has not been patched. You should deactivate the plugin.

JS Help Desk – Best Help Desk & Support Plugin

Plugin Slug: js-support-ticket
Installations: 5,000+
Vulnerability: Insecure Direct Object References (IDOR) Leading To Ticket Deletion
Patched in Version: No Fix
Severity Score: Medium

The vulnerability has not been patched. You should deactivate the plugin.

MojoPlug Slide Panel

Plugin Slug: mojoplug-slide-panel
Installations: 800+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium

The vulnerability has not been patched. You should deactivate the plugin.

Smoothscroller

Plugin Slug: smoothscroller
Installations: 800+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium

The vulnerability has not been patched. You should deactivate the plugin.

Enable SVG Uploads

Plugin Slug: enable-svg-uploads
Installations: 300+
Vulnerability: Auth. Stored Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium

The vulnerability has not been patched. You should deactivate the plugin.

Caldera Forms Google Sheets Connector

Plugin Slug: gsheetconnector-caldera-forms
Installations: 200+
Vulnerability: Access Code Update via Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium

The vulnerability has not been patched. You should deactivate the plugin.