Vulnerable plugins and themes are some of the most common vectors for attacks on WordPress websites. Our weekly WordPress Vulnerability Report, now powered by Patchstack, covers new WordPress plugins, themes, and core vulnerabilities that have emerged since last week’s report. Our goal is to help you decide what to do if you are using one of these vulnerable plugins or themes on your website. For a deeper, historical analysis of WordPress vulnerabilities and threat vectors, see our 2022 Annual Vulnerability Report.
The Future of Authentication is Passkeys! Log into your WordPress site with biometrics, available only in iThemes Security Pro.
Credential stuffing, phishing, and brute force attacks using stolen, guessable, or reused passwords have made our digital lives less secure. Two-Factor Authentication (2FA) offers some protection but at the cost of usability and accessibility. Fewer than 30% of all online account holders actually use 2FA. Password-based logins are broken.
The future of authentication is passkeys, and iThemes Security Pro is the first to bring this breakthrough technology to WordPress sites. Built on WebAuthn, which relies on public/private key cryptography, passkeys make passwords obsolete. Now, website admins and end users can have secure logins without the inconvenience of additional two-factor apps, password managers, or complex password requirements.
WordPress Core News
WordPress 6.1.1 was released on November 15, 2022, as a short-cycle maintenance release with 29 bug fixes in Core and 21 bug fixes for the block editor. Because this is a core update, be sure to update to WordPress 6.1.1 as soon as possible! As always before updating core, ensure your site is backed up with BackupBuddy.
WordPress 6.2 Beta 4
WordPress 6.2 Beta 4 rolled out today for testing after being postponed for a few days to deal with a regression. As of Beta 4, over 400 Trac issues have been raised and closed this cycle. The current target for the final release date is still March 28, 2023.
So far, the 6.2 release cycle has made more than 292 enhancements and 354 bug fixes just for the editor. A running total of 289 tickets have been closed in Trac for the 6.2 milestone, with more to come.
In the final 6.2 release, expect to see tight integration with Openverse in the editor and media library. The Navigation block has been significantly improved. A new Style Book feature displays all blocks in the current global styles, and there’s new custom CSS support for your full site and individual blocks. For more details on new features in 6.2, see the Beta 1 release news.
With the arrival of WordPress 6.2, Phase Two of Gutenberg’s development will have ended. Phase Two focused on the Block and Site Editor features that now allow deep customization of site designs and layouts. Next, Phase Three will focus on collaborative editing features. Take a look at the WordPress Development Roadmap to learn more.
Gutenberg 15.2
The latest release of the Gutenberg plugin, version 15.2, is available now if you’d like to get a preview of bleeding-edge features. Please note the 15.2 release offers new features that will be included in the WordPress 6.3 core release but not 6.2. These features include revisions for the full site template editor so you can roll back changes to site templates.
Other new features of note in Gutenberg 15.2 are CSS aspect-ratio controls for the Featured Image block for posts and support for border color, style, and width in the Button block. There’s new typography support for the Latest Comments block, and the Post Excerpt block will have an excerpt length limit control. You’ll find accessibility improvements to labeling, tab and arrow-key navigation, and the hierarchy of headings in the editor interface. See the version notes for the full details about many other enhancements and bug fixes.
WordPress Plugin Vulnerabilities
In this section, you’ll find the most recently disclosed WordPress plugin vulnerabilities that have been fixed with a new release from their authors and maintainers. These vulnerabilities have been disclosed and scored for their severity thanks to our friends at Patchstack. Each plugin listing includes the type of vulnerability, its CVE number, and its CVSS severity rating, with links to more technical details. You’ll also see the number of active sites using the plugin and the plugin version release that patches the vulnerability. We start with the most popular plugins, which represent the largest target for attackers.
WordPress All in One SEO Pack plugin
- Plugin Slug: all-in-one-seo-pack
- Installations: 3,000,000+
- Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
- Patched in Version: 4.3.0
- Severity Score: Medium
WordPress All in One SEO Pack plugin
- Plugin Slug: all-in-one-seo-pack
- Installations: 3,000,000+
- Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
- Patched in Version: 4.3.0
- Severity Score: Medium
WordPress Starter Templates plugin
- Plugin Slug: astra-sites
- Installations: 1,000,000+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: 3.1.21
- Severity Score: Medium
WordPress ProfilePress plugin
- Plugin Slug: wp-user-avatar
- Installations: 300,000+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 4.5.5
- Severity Score: High
WordPress Advanced Database Cleaner plugin
- Plugin Slug: advanced-database-cleaner
- Installations: 100,000+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: 3.1.2
- Severity Score: Medium
WordPress Strong Testimonials plugin
- Plugin Slug: strong-testimonials
- Installations: 100,000+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 3.0.3
- Severity Score: Medium
WordPress VK All in One Expansion Unit plugin
- Plugin Slug: vk-all-in-one-expansion-unit
- Installations: 100,000+
- Vulnerability: Reflected Cross-Site Scripting via REQUEST_URI
- Patched in Version: 9.87.1.0
- Severity Score: High
WordPress Contextual Related Posts plugin
- Plugin Slug: contextual-related-posts
- Installations: 70,000+
- Vulnerability: Missing Authorization in crp_ajax_clearcache
- Patched in Version: 3.3.2
- Severity Score: Medium
WordPress Media Library Assistant plugin
- Plugin Slug: media-library-assistant
- Installations: 70,000+
- Vulnerability: Admin+ SQL Injection
- Patched in Version: 3.06
- Severity Score: Medium
WordPress wpDataTables – WordPress Tables & Table Charts Plugin plugin
- Plugin Slug: wpdatatables
- Installations: 70,000+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 2.1.50
- Severity Score: Medium
WordPress WP Table Builder – WordPress Table Plugin plugin
- Plugin Slug: wp-table-builder
- Installations: 60,000+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 1.4.7
- Severity Score: Medium
WordPress Drag and Drop Multiple File Upload – Contact Form 7 plugin
- Plugin Slug: drag-and-drop-multiple-file-upload-contact-form-7
- Installations: 50,000+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: 1.3.6.6
- Severity Score: Medium
WordPress Feed Them Social – for Twitter feed, Youtube and more plugin
- Plugin Slug: feed-them-social
- Installations: 50,000+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: 4.0.0
- Severity Score: Medium
WordPress The Post Grid plugin
- Plugin Slug: the-post-grid
- Installations: 40,000+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: 5.0.5
- Severity Score: Medium
WordPress 10Web Booster plugin
- Plugin Slug: tenweb-speed-optimizer
- Installations: 30,000+
- Vulnerability: Authorization in Settings Import to Stored Cross-Site Scripting
- Patched in Version: 2.13.45
- Severity Score: High
WordPress Top 10 plugin
- Plugin Slug: top-10
- Installations: 30,000+
- Vulnerability: Insufficient Authorization
- Patched in Version: 3.2.5
- Severity Score: Medium
WordPress Top 10 plugin
- Plugin Slug: top-10
- Installations: 30,000+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 3.2.5
- Severity Score: Medium
WordPress Minify HTML plugin
- Plugin Slug: minify-html-markup
- Installations: 20,000+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: 2.1.8
- Severity Score: Medium
WordPress Redirect Redirection plugin
- Plugin Slug: redirect-redirection
- Installations: 20,000+
- Vulnerability: Multiple Missing Authorization
- Patched in Version: 1.1.4
- Severity Score: Medium
WordPress Wholesale Suite plugin
- Plugin Slug: woocommerce-wholesale-prices
- Installations: 20,000+
- Vulnerability: Settings Change
- Patched in Version: 2.1.5.1
- Severity Score: Medium
WordPress WP Meta SEO plugin
- Plugin Slug: wp-meta-seo
- Installations: 20,000+
- Vulnerability: Cross Site Request Forgery (CSRF) via ‘regenerateSitemaps’
- Patched in Version: 4.5.4
- Severity Score: Medium
WordPress WP Meta SEO plugin
- Plugin Slug: wp-meta-seo
- Installations: 20,000+
- Vulnerability: Authenticated (Subscriber+) SQL Injection
- Patched in Version: 4.5.3
- Severity Score: High
WordPress Maspik – Spam blacklist plugin
- Plugin Slug: contact-forms-anti-spam
- Installations: 10,000+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: 0.7.9
- Severity Score: Medium
WordPress Video Gallery – YouTube Gallery plugin
- Plugin Slug: gallery-videos
- Installations: 10,000+
- Vulnerability: Broken Access Control
- Patched in Version: 1.7.7
- Severity Score: High
WordPress Video Gallery – YouTube Gallery plugin
- Plugin Slug: gallery-videos
- Installations: 10,000+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 1.7.7
- Severity Score: Medium
WordPress Paytm Payment Gateway plugin
- Plugin Slug: paytm-payments
- Installations: 10,000+
- Vulnerability: SQL Injection
- Patched in Version: 2.7.7
- Severity Score: High
WordPress UsersWP plugin
- Plugin Slug: userswp
- Installations: 10,000+
- Vulnerability: CSV Injection
- Patched in Version: 1.2.3.10
- Severity Score: Medium
WordPress Japanized For WooCommerce plugin
- Plugin Slug: woocommerce-for-japan
- Installations: 10,000+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 2.5.5
- Severity Score: High
WordPress My YouTube Channel plugin
- Plugin Slug: youtube-channel
- Installations: 9,000+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: 3.23.4
- Severity Score: Medium
WordPress WordPress Tooltips plugin
- Plugin Slug: wordpress-tooltips
- Installations: 7,000+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: 8.2.7
- Severity Score: Medium
WordPress Client Portal plugin
- Plugin Slug: client-portal
- Installations: 6,000+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: 1.1.9
- Severity Score: Medium
WordPress Etsy Shop plugin
- Plugin Slug: etsy-shop
- Installations: 6,000+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: 3.0.4
- Severity Score: Medium
WordPress WPMobile.App — Android and iOS Mobile Application plugin
- Plugin Slug: wpappninja
- Installations: 6,000+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 11.19
- Severity Score: Medium
WordPress Dashboard Widgets Suite plugin
- Plugin Slug: dashboard-widgets-suite
- Installations: 5,000+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 3.2.2
- Severity Score: Medium
WordPress Publish to Schedule plugin
- Plugin Slug: publish-to-schedule
- Installations: 5,000+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 4.5.5
- Severity Score: Medium
WordPress Publish to Schedule plugin
- Plugin Slug: publish-to-schedule
- Installations: 5,000+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: 4.5.4
- Severity Score: Medium
WordPress Read More Excerpt Link plugin
- Plugin Slug: read-more-excerpt-link
- Installations: 5,000+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: 1.6.1
- Severity Score: Medium
WordPress Auto Affiliate Links plugin
- Plugin Slug: wp-auto-affiliate-links
- Installations: 5,000+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: 6.3.0.3
- Severity Score: Medium
WordPress Integration for Contact Form 7 and Zoho CRM, Bigin plugin
- Plugin Slug: cf7-zoho
- Installations: 4,000+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: 1.2.3
- Severity Score: Medium
WordPress Community by PeepSo – Social Network, Membership, Registration, User Profiles plugin
- Plugin Slug: peepso-core
- Installations: 4,000+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: 6.0.3.0
- Severity Score: Medium
WordPress Community by PeepSo plugin
- Plugin Slug: peepso-core
- Installations: 4,000+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: 6.0.3.0
- Severity Score: Medium
WordPress Sp*tify Play Button for WordPress plugin
- Plugin Slug: spotify-play-button-for-wordpress
- Installations: 4,000+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 2.06
- Severity Score: Medium
WordPress Drag and Drop Multiple File Upload for WooCommerce plugin
- Plugin Slug: drag-and-drop-multiple-file-upload-for-woocommerce
- Installations: 3,000+
- Vulnerability: Unauth. Non-arbitrary file upload/deletion
- Patched in Version: 1.0.9
- Severity Score: Medium
WordPress We’re Open! plugin
- Plugin Slug: opening-hours
- Installations: 3,000+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 1.47
- Severity Score: Medium
WordPress Simple YouTube Responsive plugin
- Plugin Slug: simple-youtube-responsive
- Installations: 3,000+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 3.0
- Severity Score: Medium
WordPress WP Custom Fields Search plugin
- Plugin Slug: wp-custom-fields-search
- Installations: 3,000+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 1.2.35
- Severity Score: Medium
WordPress BuddyForms plugin
- Plugin Slug: buddyforms
- Installations: 2,000+
- Vulnerability: PHP Object Injection
- Patched in Version: 2.7.8
- Severity Score: Medium
WordPress CSS JS Manager, Async JavaScript, Defer Render Blocking CSS supports WooCommerce plugin
- Plugin Slug: css-js-manager
- Installations: 2,000+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: 2.4.49.1
- Severity Score: Medium
WordPress KB Support – WordPress Help Desk plugin
- Plugin Slug: kb-support
- Installations: 2,000+
- Vulnerability: CSV Injection
- Patched in Version: 1.5.85
- Severity Score: Medium
WordPress Multiple Pages Generator by Themeisle plugin
- Plugin Slug: multiple-pages-generator-by-porthas
- Installations: 2,000+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: 3.3.10
- Severity Score: Medium
WordPress Simple Slug Translate plugin
- Plugin Slug: simple-slug-translate
- Installations: 2,000+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 2.7.3
- Severity Score: Medium
WordPress WordPress Books Gallery plugin
- Plugin Slug: wp-books-gallery
- Installations: 2,000+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: 4.4.9
- Severity Score: Medium
WordPress Accordions – Multiple Accordions or FAQs Builder plugin
- Plugin Slug: accordions-or-faqs
- Installations: 1,000+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 2.3.1
- Severity Score: Medium
WordPress Clio Grow plugin
- Plugin Slug: clio-grow-form
- Installations: 1,000+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 1.0.1
- Severity Score: Medium
WordPress Calendar Event Multi View plugin
- Plugin Slug: cp-multi-view-calendar
- Installations: 1,000+
- Vulnerability: Broken Access Control
- Patched in Version: 1.4.15
- Severity Score: Low
WordPress Sheets To WP Table Live Sync plugin
- Plugin Slug: sheets-to-wp-table-live-sync
- Installations: 1,000+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: 2.13.0
- Severity Score: Medium
WordPress Broadcast Live Video plugin
- Plugin Slug: videowhisper-live-streaming-integration
- Installations: 1,000+
- Vulnerability: Remote Code Execution (RCE)
- Patched in Version: 5.5.16
- Severity Score: Critical
WordPress WP Dynamic Keywords Injector plugin
- Plugin Slug: wp-dynamic-keywords-injector
- Installations: 1,000+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: 2.3.16
- Severity Score: Medium
WordPress WordPress Stripe Donation plugin
- Plugin Slug: wp-stripe-donation
- Installations: 1,000+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: 3.1.6
- Severity Score: Medium
WordPress CM Answers plugin
- Plugin Slug: cm-answers
- Installations: 800+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 3.2.0
- Severity Score: Medium
WordPress Coupon Zen plugin
- Plugin Slug: coupon-zen
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: 1.0.6
- Severity Score: Medium
WordPress Houzez Login Register plugin
- Plugin: Houzez Login Register
- Plugin Slug: houzez-login-register
- Vulnerability: Privilege Escalation
- Patched in Version: 2.6.4
- Severity Score: Critical
WordPress Plugin Vulnerabilities – No Known Fix
This section contains plugin vulnerabilities with no known fix. Until a patch is available, you are advised, at minimum, to deactivate the plugin immediately. If there is a high risk of active exploitation or the plugin remains unpatched for weeks, you are advised to delete it. You should also delete persistently unpatched plugins that the WordPress.org repository has locked and marked “Closed”, which means they can no longer be downloaded or installed.
WordPress All In One Favicon plugin
- Plugin Slug: all-in-one-favicon
- Installations: 100,000+
- Vulnerability: Arbitrary File Deletion
- Patched in Version: No Fix
- Severity Score: Medium
WordPress Apollo13 Framework Extensions plugin
- Plugin Slug: apollo13-framework-extensions
- Installations: 40,000+
- Vulnerability: Broken Access Control
- Patched in Version: No Fix
- Severity Score: Medium
WordPress Markup plugin
- Plugin Slug: wp-structuring-markup
- Installations: 30,000+
- Vulnerability: Contributor+ Stored XSS via Shortcode
- Patched in Version: No Fix
- Severity Score: Medium
WordPress TypeSquare Webfonts for ConoHa plugin
- Plugin Slug: ts-webfonts-for-conoha
- Installations: 20,000+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: No Fix
- Severity Score: Medium
WordPress All-in-one search automatic push management plug-in – support Baidu/Google/Bing/IndexNow/Yandex/ headlines plugin
- Plugin Slug: baidu-submit-link
- Installations: 10,000+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: No Fix
- Severity Score: Medium
WordPress Login Logout Menu plugin
- Plugin Slug: baw-login-logout-menu
- Installations: 10,000+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: No Fix
- Severity Score: Medium
WordPress Jobs for WordPress plugin
- Plugin Slug: job-postings
- Installations: 9,000+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: No Fix
- Severity Score: Medium
WordPress For the visually impaired plugin
- Plugin Slug: for-the-visually-impaired
- Installations: 8,000+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: No Fix
- Severity Score: Medium
WordPress Admin Block Country plugin
- Plugin Slug: admin-block-country
- Installations: 4,000+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: No Fix
- Severity Score: Medium
WordPress Hero Banner Ultimate plugin
- Plugin Slug: hero-banner-ultimate
- Installations: 2,000+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: No Fix
- Severity Score: Medium
WordPress Theme Tweaker plugin
- Plugin Slug: theme-tweaker-lite
- Installations: 2,000+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: No Fix
- Severity Score: Medium
WordPress Booking Ultra Pro Appointments Booking Calendar Plugin plugin
- Plugin Slug: booking-ultra-pro
- Installations: 1,000+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: No Fix
- Severity Score: Medium
WordPress Easy Google Analytics for WordPress plugin
- Plugin Slug: easy-google-analytics-for-wordpress
- Installations: 1,000+
- Vulnerability: Broken Access Control
- Patched in Version: No Fix
- Severity Score: Medium
WordPress GMAce plugin
- Plugin Slug: gmace
- Installations: 1,000+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: No Fix
- Severity Score: Medium
WordPress GMAce plugin
- Plugin Slug: gmace
- Installations: 1,000+
- Vulnerability: Arbitrary File Download
- Patched in Version: No Fix
- Severity Score: Medium
WordPress JS Job Manager plugin
- Plugin Slug: js-jobs
- Installations: 1,000+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: No Fix
- Severity Score: Medium
WordPress phpinfo() WP plugin
- Plugin Slug: phpinfo-wp
- Installations: 1,000+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: No Fix
- Severity Score: Medium
WordPress WP Google Tag Manager plugin
- Plugin Slug: wp-google-tag-manager
- Installations: 1,000+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: No Fix
- Severity Score: Medium
WordPress Bing Site Verification plugin using Meta Tag plugin
- Plugin Slug: bing-site-verification-using-meta-tag
- Installations: 900+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: No Fix
- Severity Score: Medium
WordPress WordPress Custom Settings plugin
- Plugin Slug: custom-settings
- Installations: 900+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: No Fix
- Severity Score: Medium
WordPress Exquisite PayPal Donation plugin
- Plugin Slug: exquisite-paypal-donation
- Installations: 900+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: No Fix
- Severity Score: Medium
WordPress Sitemap Index plugin
- Plugin Slug: sitemap-index
- Installations: 900+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: No Fix
- Severity Score: Medium
WordPress Sponsors Carousel plugin
- Plugin Slug: sponsors-carousel
- Installations: 900+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: No Fix
- Severity Score: Medium
WordPress Stock market charts from finviz plugin
- Plugin Slug: stock-market-charts-from-finviz
- Installations: 900+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: No Fix
- Severity Score: Medium
WordPress WP-RecentComments plugin
- Plugin Slug: wp-recentcomments
- Installations: 900+
- Vulnerability: Sensitive Data Exposure
- Patched in Version: No Fix
- Severity Score: Medium
WordPress WP-RecentComments plugin
- Plugin Slug: wp-recentcomments
- Installations: 900+
- Vulnerability: Broken Access Control
- Patched in Version: No Fix
- Severity Score: Medium
WordPress Circles Gallery plugin
- Plugin Slug: circles-gallery
- Installations: 800+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: No Fix
- Severity Score: Medium
WordPress Upload Resume plugin
- Plugin Slug: resume-upload-form
- Installations: 600+
- Vulnerability: Sensitive Data Exposure
- Patched in Version: No Fix
- Severity Score: Medium
WordPress Educare – Students & Result Management System plugin
- Plugin Slug: educare
- Installations: 300+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: No Fix
- Severity Score: Medium
WordPress Custom Login Page plugin
- Plugin Slug: wp-custom-login-page
- Installations: 100+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: No Fix
- Severity Score: Medium
WordPress asMember plugin
- Plugin Slug: asmember
- Installations: 10+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: No Fix
- Severity Score: Medium
WordPress Chat Bee plugin
- Plugin Slug: chat-bee
- Installations: 10+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: No Fix
- Severity Score: Medium
WordPress Simple Portfolio Gallery plugin
- Plugin Slug: simple-portfolio-gallery
- Installations: 10+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: No Fix
- Severity Score: Medium
WordPress Conditional Checkout Fields for WooCommerce plugin
- Plugin: Conditional Checkout Fields for WooCommerce
- Plugin Slug: conditional-checkout-fields-for-woocommerce
- Vulnerability: Broken Authentication
- Patched in Version: No Fix
- Severity Score: Medium
WordPress CPT – Speakers plugin
- Plugin: CPT – Speakers
- Plugin Slug: cpt-speakers
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: No Fix
- Severity Score: Medium
WordPress PayGreen plugin
- Plugin: PayGreen
- Plugin Slug: paygreen-woocommerce
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: No Fix
- Severity Score: Medium
WordPress Social Login WP plugin
- Plugin: Social Login WP
- Plugin Slug: social-login-wp
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: No Fix
- Severity Score: Medium
WordPress Zendrop – Global Dropshipping plugin
- Plugin: Zendrop – Global Dropshipping
- Plugin Slug: zendrop-dropshipping-and-fulfillment
- Vulnerability: SQL Injection
- Patched in Version: No Fix
- Severity Score: Critical
WordPress Zendrop – Global Dropshipping plugin
- Plugin: Zendrop – Global Dropshipping
- Plugin Slug: zendrop-dropshipping-and-fulfillment
- Vulnerability: Arbitrary File Upload
- Patched in Version: No Fix
- Severity Score: Critical
WordPress Theme Vulnerabilities
In this section, you’ll find the latest WordPress theme vulnerabilities to be disclosed. You’ll see the same information provided above for vulnerable plugins, and the same advice applies. If a security update exists, install it immediately. If a vulnerability remains unpatched in a theme you are actively using, you will need to find an alternative theme. Deactivate and delete persistently unpatched themes and those that have been “Closed” in the WordPress.org theme repository. If you have a vulnerable theme installed that you are not actively using, simply delete it.
WordPress OceanWP theme
- Theme Slug: oceanwp
- Downloads: 5,960,838
- Vulnerability: Authenticated Local File Inclusion
- Patched in Version: 3.4.2
- Severity Score: High
WordPress darcie theme
- Theme Slug: darcie
- Downloads: 14,649
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 1.1.6
- Severity Score: High
WordPress Houzez theme
- Theme: Houzez
- Theme Slug: houzez
- Vulnerability: Privilege Escalation
- Patched in Version: 2.7.2
- Severity Score: Critical
WordPress Real Estate 7 theme
- Theme: Real Estate 7
- Theme Slug: realestate-7
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 3.3.2
- Severity Score: High
