WordPress Vulnerability Report

Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. The weekly WordPress Vulnerability Report powered by WPScan covers recent WordPress plugin, theme, and core vulnerabilities, and what to do if you run one of the vulnerable plugins or themes on your website.

Each vulnerability will have a severity rating of low, medium, high, or critical. Responsible disclosure and reporting of vulnerabilities is an integral part of keeping the WordPress community safe. Please share this post with your friends to help get the word out and make WordPress safer for everyone!

Get the weekly WordPress Vulnerability Report delivered to your inbox each Wednesday.

WordPress Core Vulnerabilities

WordPress 6.0 “Arturo” has been released! This major version release of WordPress was “built to help you unlock your creative aspirations and make your site-building experience more intuitive,” including almost 1,000 enhancements and bug fixes. See what’s new in WordPress 6.0.

No new WordPress core vulnerabilities were disclosed this week.

WordPress Plugin Vulnerabilities

In this section, the latest WordPress plugin vulnerabilities have been disclosed. Each plugin listing includes the type of vulnerability, the active installations, the version number if patched, and the severity rating.

GTM4WP

Installations: 600,000+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 1.15.2
Severity Score: Low

Ultimate Member

Installations: 200,000+
Vulnerability: Subscriber+ Stored Cross-Site Scripting
Patched in Version: 2.4.0
Severity Score: Medium

Download manager

Installations: 100,000+
Vulnerability: Reflected Cross-Site Scripting
Patched in Version: 3.2.43
Severity Score: Medium

Nested Pages

Installations: 90,000+
Vulnerability: Admin+ Stored Cross Site Scripting
Patched in Version: 3.1.21
Severity Score: Low

Co-Authors-Plus

Installations: 30,000+
Vulnerability: Guest Authors Email Address Disclosure
Patched in Version: 3.5.2
Severity Score: Medium

Icegram

Installations: 30,000+
Vulnerability: Contributor+ Stored Cross-Site Scripting
Patched in Version: 2.1.8
Severity Score: Medium

My Private Site

Installations: 30,000+
Vulnerability: Arbitrary Settings Update via CSRF
Patched in Version: 3.0.8
Severity Score: Medium

miniOrange’s Google Authenticator

Installations: 20,000+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 5.5.6
Severity Score: Low

New User Approve

Installations: 20,000+
Vulnerability: Arbitrary Settings Update & Invitation Code Creation via CSRF
Patched in Version: 2.4
Severity Score: Medium

Easy Pricing Tables

Installations: 20,000+
Vulnerability: Reflected Cross-Site-Scripting
Patched in Version: 3.2.1
Severity Score: Medium

Easy SVG Support

Installations: 10,000+
Vulnerability: Author+ Stored Cross Site Scripting via SVG
Patched in Version: 3.3.0
Severity Score: Medium

WP Ultimate CSV Importer

Installations: 10,000+
Vulnerability: Admin+ Blind SSRF
Patched in Version: 6.5.3
Severity Score: Medium

Active Products Tables for WooCommerce

Installations: 3,000+
Vulnerability: Reflected Cross-Site-Scripting
Patched in Version: 1.0.5
Severity Score: Medium

ARMember

Installations: 2,000+
Vulnerability: Unauthenticated Admin Account Takeover
Patched in Version: 3.4.8
Severity Score: Critical

Product Configurator for WooCommerce

Installations: 1,000+
Vulnerability: Unauthenticated Arbitrary File Deletion
Patched in Version: 1.2.32
Severity Score: High

WP Post Styling

Installations: 800+
Vulnerability: Multiple CSRF
Patched in Version: 1.3.1
Severity Score: Medium

Login using WordPress Users

Installations: 700+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: 1.13.4
Severity Score: Low

miniOrange Google Authenticator

Plugin: Google Authenticator
Vulnerability: CSRF to Stored Cross-Site Scripting
Patched in Version: 1.0.5
Severity Score: Medium

Modern Events Calendar Lite

Plugin: Modern Events Calendar Lite
Vulnerability: Authenticated Stored Cross-Site Scripting
Patched in Version: 6.3.0
Severity Score: Medium

WordPress Plugin Vulnerabilities – No Known Fix

This section contains plugin vulnerabilities with no known fix. Until a patch is available, immediately uninstall and delete the plugin.

XCloner

Installations: 20,000+
Vulnerability: Unauthenticated Plugin Settings Reset
Patched in Version: No Fix
Severity Score: Medium

Qubely

Installations: 10,000+
Vulnerability: Authenticated Arbitrary Settings Update
Patched in Version: No Fix
Severity Score: Medium

Flower Delivery by Florist One

Installations: 100+
Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: No Fix
Severity Score: Low

HTML2WP

Vulnerability: Subscriber+ Arbitrary File Deletion; Arbitrary Settings Update via CSRF; Unauthenticated Arbitrary File Upload
Patched in Version: No Fix
Severity Score: High

MailPress

Vulnerability: Arbitrary Settings Update & Log Files Purge via CSRF
Patched in Version: No Fix
Severity Score: Medium

Site Offline or Coming Soon

Vulnerability: Stored Cross-Site Scripting via CSRF
Patched in Version: No Fix
Severity Score: Medium

Ultimate WooCommerce CSV Importer

Vulnerability: Reflected Cross-Site Scripting
Patched in Version: No Fix
Severity Score: Medium

WP Sentry

Vulnerability: Arbitrary Settings Update to Stored XSS via CSRF
Patched in Version: No Fix
Severity Score: Medium

Google Authenticator

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: No Fix
Severity Score: Low

Clean-Contact

Vulnerability: Arbitrary Settings Update to Stored XSS via CSRF
Patched in Version: No Fix
Severity Score: Medium

Tiny Contact Form

Vulnerability: Arbitrary Settings Update via CSRF
Patched in Version: No Fix
Severity Score: Medium

Social Share Buttons by Supsystic

Vulnerability: Multiple CSRF
Patched in Version: No Fix
Severity Score: Medium

MiniOrange Limit Login Attempts

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: No Fix
Severity Score: Low

WPMK Ajax Finder

Vulnerability: Stored Cross-Site Scripting via CSRF
Patched in Version: No Fix
Severity Score: Medium

Add Post URL

Vulnerability: Arbitrary Settings Update to Stored XSS via CSRF
Patched in Version: No Fix
Severity Score: Medium

WordPress Security

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: No Fix
Severity Score: Low

Mihdan: No External Links

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: No Fix
Severity Score: Low

miniOrange’s Malware Scanner

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: No Fix
Severity Score: Low

Image Gallery – Grid Gallery

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: No Fix
Severity Score: Low

MyCSS

Vulnerability: Arbitrary Settings Update via CSRF
Patched in Version: No Fix
Severity Score: Medium

Browser and Operating System Finder

Vulnerability: Unauthenticated Settings Reset
Patched in Version: No Fix
Severity Score: Medium

OpenBook Book Data

Vulnerability: Arbitrary Settings Update to Stored XSS via CSRF
Patched in Version: No Fix
Severity Score: Medium

Mobile Browser Color Select

Vulnerability: Stored Cross-Site Scripting via CSRF
Patched in Version: No Fix
Severity Score: Medium

NextCellent Gallery

Vulnerability: Admin+ Stored XSS
Patched in Version: No Fix
Severity Score: Low

Form – Contact Form

Vulnerability: Admin+ Stored Cross-Site Scripting
Patched in Version: No Fix
Severity Score: Low

Rotating Posts

Vulnerability: Arbitrary Settings Update to Stored XSS via CSRF
Patched in Version: No Fix
Severity Score: Medium

Cimy Header Image Rotator

Vulnerability: Arbitrary Settings Update via CSRF
Patched in Version: No Fix
Severity Score: Medium

WordPress Theme Vulnerabilities

In this section, the latest WordPress theme vulnerabilities have been disclosed. Each theme listing includes the type of vulnerability, the active installations, the version number if patched, and the severity rating.

Good news! No new WordPress theme vulnerabilities were disclosed this week.

Never worry about running a vulnerable plugin or theme again.

As you can see from this report, lots of new WordPress plugin and theme vulnerabilities are disclosed each week. We know it can be difficult to stay on top of every reported vulnerability disclosure, so the iThemes Security Pro plugin makes it easy to make sure your site isn’t running a theme, plugin, or WordPress core version with a known vulnerability.