WordPress Vulnerability Report

Vulnerable plugins and themes are some of the most common vectors for attacks on WordPress websites. Our weekly WordPress Vulnerability Report, now powered by Patchstack, covers new WordPress plugins, themes, and core vulnerabilities that have emerged since last week’s report. Our goal is to help you decide what to do if you are using one of these vulnerable plugins or themes on your website. For a deeper, historical analysis of WordPress vulnerabilities and threat vectors, see our 2022 Annual Vulnerability Report.

The Future of Authentication is Passkeys! Log into your WordPress site with Biometrics only available in iThemes Security Pro.

Credential stuffing, phishing, and brute force attacks using stolen, guessable, or reused passwords have made our digital lives less secure. Two-Factor Authentication (2FA) offers some protection but at the cost of usability and accessibility. Fewer than 30% of all online account holders actually use 2FA. Password-based logins are broken.

The future of authentication is passkeys, and iThemes Security Pro is the first to bring this breakthrough technology to WordPress sites. Using breakthrough WebAuthn technology based on public/private cryptography, passkeys make passwords obsolete. Now, website admins and end users can have secure logins without the inconvenience of additional two-factor apps, password managers, or complex password requirements.

WordPress Core News

WordPress 6.1.1 was released on November 15, 2022, as a short-cycle maintenance release with 29 bug fixes in Core and 21 bug fixes for the block editor. Because this is a core update, be sure to update to WordPress 6.1.1 as soon as possible! As always, with a major release like this, ensure your site is backed up with BackupBuddy before updating.

WordPress 6.2 Beta 4

WordPress 6.2 Beta 4 rolled out today for testing after being postponed for a few days to deal with a regression. As of Beta 4, over 400 Trac issues have been raised and closed this cycle. The current target for the final release date is still March 28, 2023.

So far, the 6.2 release cycle has made more than 292 enhancements and 354 bug fixes just for the editor. A running total of 289 tickets have been closed in Trac for the 6.2 milestone, with more to come.

In the final 6.2 release, expect to see tight integration with Openverse in the editor and media library. The Navigation block has been significantly improved. A new Style Book feature displays all blocks in the current global styles, and there’s new custom CSS support for your full site and individual blocks. For more details on new features in 6.2, see the Beta 1 release news.

With the arrival of WordPress 6.2, Phase Two of Gutenberg’s development will have ended. Phase Two focused on the Block and Site Editor features that now allow deep customization of site designs and layouts. Next, Phase Three will focus on collaborative editing features. Take a look at the WordPress Development Roadmap to learn more.

Gutenberg 15.2

The latest release of the Gutenberg plugin, version 15.2, is available now if you’d like to get a preview of bleeding-edge features. Please note the 15.2 release offers new features that will be included in the WordPress 6.3 core release but not 6.2. These features include revisions for the full site template editor so you can roll back changes to site templates.

Other new features of note in Gutenberg 15.2 are CSS aspect-ratio controls for the Featured Image block for posts and support for border color, style, and width in the Button block. There’s new typography support for the Latest Comments block, and the Post Excerpt block will have an excerpt length limit control. You’ll find accessibility improvements to labeling, tab, arrow key navigation, and the hierarchy of headings in the editor interface. See the version notes for the full details about many other enhancements and bug fixes.

No new WordPress core vulnerabilities were disclosed this week.

Get the weekly WordPress Vulnerability Report delivered to your inbox each Wednesday.

WordPress Plugin Vulnerabilities

In this section, you’ll find the most recently disclosed WordPress plugin vulnerabilities that have been fixed with a new release from their authors and maintainers. These vulnerabilities have been disclosed and scored for their severity thanks to our friends at Patchstack. Each plugin listing includes the type of vulnerability with its CVE number and CVSS severity rating with links to more technical details. You’ll also see the number of active sites using the plugin and the plugin version release that patches the vulnerability. We start with the most popular plugins, which represent the largest target for attackers.

WordPress All in One SEO Pack plugin

Plugin Slug: all-in-one-seo-pack
Installations: 3,000,000+
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched in Version: 4.3.0
Severity Score: Medium

The vulnerability has been patched, so you should update to version 4.3.0.

WordPress All in One SEO Pack plugin

Plugin Slug: all-in-one-seo-pack
Installations: 3,000,000+
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched in Version: 4.3.0
Severity Score: Medium

The vulnerability has been patched, so you should update to version 4.3.0.

WordPress Starter Templates plugin

Plugin Slug: astra-sites
Installations: 1,000,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 3.1.21
Severity Score: Medium

The vulnerability has been patched, so you should update to version 3.1.21.

WordPress ProfilePress plugin

Plugin Slug: wp-user-avatar
Installations: 300,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 4.5.5
Severity Score: High

The vulnerability has been patched, so you should update to version 4.5.5.

WordPress Advanced Database Cleaner plugin

Plugin Slug: advanced-database-cleaner
Installations: 100,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 3.1.2
Severity Score: Medium

The vulnerability has been patched, so you should update to version 3.1.2.

WordPress Strong Testimonials plugin

Plugin Slug: strong-testimonials
Installations: 100,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.0.3
Severity Score: Medium

The vulnerability has been patched, so you should update to version 3.0.3.

WordPress VK All in One Expansion Unit plugin

Plugin Slug: vk-all-in-one-expansion-unit
Installations: 100,000+
Vulnerability: Reflected Cross-Site Scripting via REQUEST_URI
Patched in Version: 9.87.1.0
Severity Score: High

The vulnerability has been patched, so you should update to version 9.87.1.0.

WordPress Contextual Related Posts plugin

Plugin Slug: contextual-related-posts
Installations: 70,000+
Vulnerability: Missing Authorization in crp_ajax_clearcache
Patched in Version: 3.3.2
Severity Score: Medium

The vulnerability has been patched, so you should update to version 3.3.2.

WordPress Media Library Assistant plugin

Plugin Slug: media-library-assistant
Installations: 70,000+
Vulnerability: Admin+ SQL Injection
Patched in Version: 3.06
Severity Score: Medium

The vulnerability has been patched, so you should update to version 3.06.

WordPress wpDataTables – WordPress Tables & Table Charts Plugin plugin

Plugin Slug: wpdatatables
Installations: 70,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.1.50
Severity Score: Medium

The vulnerability has been patched, so you should update to version 2.1.50.

WordPress WP Table Builder – WordPress Table Plugin plugin

Plugin Slug: wp-table-builder
Installations: 60,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.4.7
Severity Score: Medium

The vulnerability has been patched, so you should update to version 1.4.7.

WordPress Drag and Drop Multiple File Upload – Contact Form 7 plugin

Plugin Slug: drag-and-drop-multiple-file-upload-contact-form-7
Installations: 50,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.3.6.6
Severity Score: Medium

The vulnerability has been patched, so you should update to version 1.3.6.6.

WordPress Feed Them Social – for Twitter feed, Youtube and more plugin

Plugin Slug: feed-them-social
Installations: 50,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 4.0.0
Severity Score: Medium

The vulnerability has been patched, so you should update to version 4.0.0.

WordPress The Post Grid plugin

Plugin Slug: the-post-grid
Installations: 40,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 5.0.5
Severity Score: Medium

The vulnerability has been patched, so you should update to version 5.0.5.

WordPress 10Web Booster

Plugin Slug: tenweb-speed-optimizer
Installations: 30,000+
Vulnerability: Authorization in Settings Import to Stored Cross-Site Scripting
Patched in Version: 2.13.45
Severity Score: High

The vulnerability has been patched, so you should update to version 2.13.45.

WordPress Top 10 plugin

Plugin Slug: top-10
Installations: 30,000+
Vulnerability: Insufficient Authorization
Patched in Version: 3.2.5
Severity Score: Medium

The vulnerability has been patched, so you should update to version 3.2.5.

WordPress Top 10 plugin

Plugin Slug: top-10
Installations: 30,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.2.5
Severity Score: Medium

The vulnerability has been patched, so you should update to version 3.2.5.

WordPress Minify HTML plugin

Plugin Slug: minify-html-markup
Installations: 20,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 2.1.8
Severity Score: Medium

The vulnerability has been patched, so you should update to version 2.1.8.

WordPress Redirect Redirection plugin

Plugin Slug: redirect-redirection
Installations: 20,000+
Vulnerability: Multiple Missing Authorization
Patched in Version: 1.1.4
Severity Score: Medium

The vulnerability has been patched, so you should update to version 1.1.4.

WordPress Wholesale Suite plugin

Plugin Slug: woocommerce-wholesale-prices
Installations: 20,000+
Vulnerability: Settings Change
Patched in Version: 2.1.5.1
Severity Score: Medium

The vulnerability has been patched, so you should update to version 2.1.5.1.

WordPress WP Meta SEO plugin

Plugin Slug: wp-meta-seo
Installations: 20,000+
Vulnerability: Cross Site Request Forgery (CSRF) via ‘regenerateSitemaps’
Patched in Version: 4.5.4
Severity Score: Medium

The vulnerability has been patched, so you should update to version 4.5.4.

WordPress WP Meta SEO plugin

Plugin Slug: wp-meta-seo
Installations: 20,000+
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched in Version: 4.5.3
Severity Score: High

The vulnerability has been patched, so you should update to version 4.5.3.

WordPress Maspik – Spam blacklist plugin

Plugin Slug: contact-forms-anti-spam
Installations: 10,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 0.7.9
Severity Score: Medium

The vulnerability has been patched, so you should update to version 0.7.9.

WordPress Video Gallery – YouTube Gallery plugin

Plugin Slug: gallery-videos
Installations: 10,000+
Vulnerability: Broken Access Control
Patched in Version: 1.7.7
Severity Score: High

The vulnerability has been patched, so you should update to version 1.7.7.

WordPress Video Gallery – YouTube Gallery plugin

Plugin Slug: gallery-videos
Installations: 10,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.7.7
Severity Score: Medium

The vulnerability has been patched, so you should update to version 1.7.7.

WordPress Paytm Payment Gateway plugin

Plugin Slug: paytm-payments
Installations: 10,000+
Vulnerability: SQL Injection
Patched in Version: 2.7.7
Severity Score: High

The vulnerability has been patched, so you should update to version 2.7.7.

WordPress UsersWP plugin

Plugin Slug: userswp
Installations: 10,000+
Vulnerability: CSV Injection
Patched in Version: 1.2.3.10
Severity Score: Medium

The vulnerability has been patched, so you should update to version 1.2.3.10.

WordPress Japanized For WooCommerce plugin

Plugin Slug: woocommerce-for-japan
Installations: 10,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.5.5
Severity Score: High

The vulnerability has been patched, so you should update to version 2.5.5.

WordPress My YouTube Channel plugin

Plugin Slug: youtube-channel
Installations: 9,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 3.23.4
Severity Score: Medium

The vulnerability has been patched, so you should update to version 3.23.4.

WordPress WordPress Tooltips plugin

Plugin Slug: wordpress-tooltips
Installations: 7,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 8.2.7
Severity Score: Medium

The vulnerability has been patched, so you should update to version 8.2.7.

WordPress Client Portal plugin

Plugin Slug: client-portal
Installations: 6,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.1.9
Severity Score: Medium

The vulnerability has been patched, so you should update to version 1.1.9.

WordPress Etsy Shop plugin

Plugin Slug: etsy-shop
Installations: 6,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 3.0.4
Severity Score: Medium

The vulnerability has been patched, so you should update to version 3.0.4.

WordPress WPMobile.App — Android and iOS Mobile Application plugin

Plugin Slug: wpappninja
Installations: 6,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 11.19
Severity Score: Medium

The vulnerability has been patched, so you should update to version 11.19.

WordPress Dashboard Widgets Suite plugin

Plugin Slug: dashboard-widgets-suite
Installations: 5,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.2.2
Severity Score: Medium

The vulnerability has been patched, so you should update to version 3.2.2.

WordPress Publish to Schedule plugin

Plugin Slug: publish-to-schedule
Installations: 5,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 4.5.5
Severity Score: Medium

The vulnerability has been patched, so you should update to version 4.5.5.

WordPress Publish to Schedule plugin

Plugin Slug: publish-to-schedule
Installations: 5,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 4.5.4
Severity Score: Medium

The vulnerability has been patched, so you should update to version 4.5.4.

WordPress Read More Excerpt Link plugin

Plugin Slug: read-more-excerpt-link
Installations: 5,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.6.1
Severity Score: Medium

The vulnerability has been patched, so you should update to version 1.6.1.

WordPress Auto Affiliate Links plugin

Plugin Slug: wp-auto-affiliate-links
Installations: 5,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 6.3.0.3
Severity Score: Medium

The vulnerability has been patched, so you should update to version 6.3.0.3.

WordPress Integration for Contact Form 7 and Zoho CRM, Bigin plugin

Plugin Slug: cf7-zoho
Installations: 4,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.2.3
Severity Score: Medium

The vulnerability has been patched, so you should update to version 1.2.3.

WordPress Community by PeepSo – Social Network, Membership, Registration, User Profiles plugin

Plugin Slug: peepso-core
Installations: 4,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 6.0.3.0
Severity Score: Medium

The vulnerability has been patched, so you should update to version 6.0.3.0.

WordPress Community by PeepSo plugin

Plugin Slug: peepso-core
Installations: 4,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 6.0.3.0
Severity Score: Medium

The vulnerability has been patched, so you should update to version 6.0.3.0.

WordPress Sp*tify Play Button for WordPress plugin

Plugin Slug: spotify-play-button-for-wordpress
Installations: 4,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.06
Severity Score: Medium

The vulnerability has been patched, so you should update to version 2.06.

WordPress Drag and Drop Multiple File Upload for WooCommerce plugin

Plugin Slug: drag-and-drop-multiple-file-upload-for-woocommerce
Installations: 3,000+
Vulnerability: Unauth. Non-arbitrary file upload/deletion
Patched in Version: 1.0.9
Severity Score: Medium

The vulnerability has been patched, so you should update to version 1.0.9.

WordPress We’re Open! plugin

Plugin Slug: opening-hours
Installations: 3,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.47
Severity Score: Medium

The vulnerability has been patched, so you should update to version 1.47.

WordPress Simple YouTube Responsive plugin

Plugin Slug: simple-youtube-responsive
Installations: 3,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.0
Severity Score: Medium

The vulnerability has been patched, so you should update to version 3.0.

WordPress WP Custom Fields Search plugin

Plugin Slug: wp-custom-fields-search
Installations: 3,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.2.35
Severity Score: Medium

The vulnerability has been patched, so you should update to version 1.2.35.

WordPress BuddyForms plugin

Plugin Slug: buddyforms
Installations: 2,000+
Vulnerability: PHP Object Injection
Patched in Version: 2.7.8
Severity Score: Medium

The vulnerability has been patched, so you should update to version 2.7.8.

WordPress CSS JS Manager, Async JavaScript, Defer Render Blocking CSS supports WooCommerce plugin

Plugin Slug: css-js-manager
Installations: 2,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 2.4.49.1
Severity Score: Medium

The vulnerability has been patched, so you should update to version 2.4.49.1.

WordPress KB Support – WordPress Help Desk plugin

Plugin Slug: kb-support
Installations: 2,000+
Vulnerability: CSV Injection
Patched in Version: 1.5.85
Severity Score: Medium

The vulnerability has been patched, so you should update to version 1.5.85.

WordPress Multiple Pages Generator by Themeisle plugin

Plugin Slug: multiple-pages-generator-by-porthas
Installations: 2,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 3.3.10
Severity Score: Medium

The vulnerability has been patched, so you should update to version 3.3.10.

WordPress Simple Slug Translate plugin

Plugin Slug: simple-slug-translate
Installations: 2,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.7.3
Severity Score: Medium

The vulnerability has been patched, so you should update to version 2.7.3.

WordPress WordPress Books Gallery plugin

Plugin Slug: wp-books-gallery
Installations: 2,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 4.4.9
Severity Score: Medium

The vulnerability has been patched, so you should update to version 4.4.9.

WordPress Accordions – Multiple Accordions or FAQs Builder plugin

Plugin Slug: accordions-or-faqs
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.3.1
Severity Score: Medium

The vulnerability has been patched, so you should update to version 2.3.1.

WordPress Clio Grow plugin

Plugin Slug: clio-grow-form
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.0.1
Severity Score: Medium

The vulnerability has been patched, so you should update to version 1.0.1.

WordPress Calendar Event Multi View plugin

Plugin Slug: cp-multi-view-calendar
Installations: 1,000+
Vulnerability: Broken Access Control
Patched in Version: 1.4.15
Severity Score: Low

The vulnerability has been patched, so you should update to version 1.4.15.

WordPress Sheets To WP Table Live Sync plugin

Plugin Slug: sheets-to-wp-table-live-sync
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 2.13.0
Severity Score: Medium

The vulnerability has been patched, so you should update to version 2.13.0.

WordPress Broadcast Live Video plugin

Plugin Slug: videowhisper-live-streaming-integration
Installations: 1,000+
Vulnerability: Remote Code Execution (RCE)
Patched in Version: 5.5.16
Severity Score: Critical

The vulnerability has been patched, so you should update to version 5.5.16.

WordPress WP Dynamic Keywords Injector plugin

Plugin Slug: wp-dynamic-keywords-injector
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 2.3.16
Severity Score: Medium

The vulnerability has been patched, so you should update to version 2.3.16.

WordPress WordPress Stripe Donation plugin

Plugin Slug: wp-stripe-donation
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 3.1.6
Severity Score: Medium

The vulnerability has been patched, so you should update to version 3.1.6.

WordPress CM Answers plugin

Plugin Slug: cm-answers
Installations: 800+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.2.0
Severity Score: Medium

The vulnerability has been patched, so you should update to version 3.2.0.

WordPress Coupon Zen plugin

Plugin Slug: coupon-zen
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.0.6
Severity Score: Medium

The vulnerability has been patched, so you should update to version 1.0.6.

WordPress Houzez Login Register plugin

Plugin: Houzez Login Register
Plugin Slug: houzez-login-register
Vulnerability: Privilege Escalation
Patched in Version: 2.6.4
Severity Score: Critical

The vulnerability has been patched, so you should update to version 2.6.4.

WordPress Plugin Vulnerabilities – No Known Fix

This section contains plugin vulnerabilities with no known fix. Until a patch is available, you are advised to deactivate the plugin, at minimum, immediately. If there is a high risk of active exploits or the plugin remains unpatched for weeks, you are advised to delete the plugin. You should also delete persistently unpatched plugins the WordPress.org repository has locked and marked “Closed” so they can no longer be downloaded and installed.