This week there are 37 plugin vulnerabilities (and one theme vulnerability) affecting well over 6 million WordPress sites. Fortunately, all of these have patches available, so run those updates if you use these plugins! Additionally, there are 27 plugin vulnerabilities and 3 theme vulnerabilities with no patch available yet. Check with their vendors for an update or consider adopting alternative solutions if you use any of these plugins or themes.
Not included on this week’s list is the Postmatic Replyable plugin, since it was closed in the WordPress directory, possibly due to a CSRF vulnerability reported in CVE-2022-4265. The current release, version 2.2.10 (Trac SVN), can be downloaded from Replyable. It patches a high-severity PHP Object Injection vulnerability.
Vulnerable plugins and themes are some of the most common vectors for attacks on WordPress websites. Our weekly WordPress Vulnerability Report, now powered by Patchstack, covers new WordPress plugins, themes, and core vulnerabilities that have emerged since last week’s report. Our goal is to spread awareness of emerging vulnerabilities and help you decide what to do if you are using one of these vulnerable plugins or themes on your website. For a deeper analysis of trends in WordPress vulnerabilities and threat vectors, see our 2022 Annual Vulnerability Report.
The Future of Authentication is Passkeys! Log into your WordPress site with Biometrics only available in iThemes Security Pro.
Credential stuffing, phishing, and brute force attacks using stolen, guessable, or reused passwords have made our digital lives less secure. Two-Factor Authentication (2FA) offers some protection but at the cost of usability and accessibility. Fewer than 30% of all online account holders actually use 2FA. Password-based logins are broken.
The future of authentication is passkeys, and iThemes Security Pro is the first to bring this breakthrough technology to WordPress sites. Using breakthrough WebAuthn technology based on public/private cryptography, passkeys make passwords obsolete. Now, website admins and end users can have secure logins without the inconvenience of additional two-factor apps, password managers, or complex password requirements.
WordPress Core News
WordPress 6.1.1 is the current (short-cycle maintenance) release of WordPress core. It is a minor release issued on November 15, 2022. It features 29 bug fixes in Core and 21 bug fixes for the Gutenberg block editor. You can review a summary of the key updates in this release at WordPress.org.
If your WordPress sites have enabled automatic background updates, they should have upgraded to 6.1.1 automatically. You can download WordPress 6.1.1 from WordPress.org, or visit your WordPress Dashboard, click “Updates,” and then click the “Update Now” button which will appear when any core updates are available. For more information, check out the version 6.1.1 HelpHub documentation page.
WordPress 6.2 is the next major WordPress release, and it’s on track for a March 28, 2023 debut. You can learn more about what’s coming in the WordPress 6.2 RC1 release announcement and the WordPress 6.2 Field Guide.
Get the weekly WordPress Vulnerability Report delivered to your inbox each Wednesday.
WordPress Plugin Vulnerabilities with Patches
In this section, you’ll find the most recently disclosed WordPress plugin vulnerabilities that have been fixed with a new release from their authors and maintainers. Please apply the updates if you are affected!
These vulnerabilities have been disclosed and scored for their severity thanks to our friends at Patchstack. Each plugin listing includes the type of vulnerability with its CVE number and CVSS severity rating with links to more technical details. You’ll also see the number of active sites using the plugin and the plugin version release that patches the vulnerability. We start with the most popular plugins, which represent the largest target for attackers.
Updraft Plus
- Plugin Slug
- updraftplus
- Installations
- 3,000,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- 1.23.1
- Severity Score
- Medium
Popup Maker
- Plugin Slug
- popup-maker
- Installations
- 700,000+
- Vulnerability
- Sensitive Data Exposure
- Patched in Version
- 1.18.0
- Severity Score
- Medium
Popup Maker
- Plugin Slug
- popup-maker
- Installations
- 700,000+
- Vulnerability
- Broken Access Control
- Patched in Version
- 1.18.0
- Severity Score
- Low
Popup Maker
- Plugin Slug
- popup-maker
- Installations
- 700,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- 1.18.1
- Severity Score
- Medium
Complianz – GDPR/CCPA Cookie Consent
- Plugin Slug
- complianz-gdpr
- Installations
- 600,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 6.4.2
- Severity Score
- Medium
Formidable Forms
- Plugin Slug
- formidable
- Installations
- 300,000+
- Vulnerability
- Bypass Vulnerability
- Patched in Version
- 6.1
- Severity Score
- Medium
301 Redirects – Easy Redirect Manager
- Plugin Slug
- eps-301-redirects
- Installations
- 200,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- 2.73
- Severity Score
- Medium
GiveWP
- Plugin Slug
- give
- Installations
- 100,000+
- Vulnerability
- Arbitrary Content Deletion
- Patched in Version
- 2.25.2
- Severity Score
- Medium
GiveWP
- Plugin Slug
- give
- Installations
- 100,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 2.25.2
- Severity Score
- Medium
GiveWP
- Plugin Slug
- give
- Installations
- 100,000+
- Vulnerability
- CSV Injection
- Patched in Version
- 2.25.2
- Severity Score
- Medium
GiveWP
- Plugin Slug
- give
- Installations
- 100,000+
- Vulnerability
- Server Side Request Forgery (SSRF)
- Patched in Version
- 2.25.2
- Severity Score
- Medium
GiveWP
- Plugin Slug
- give
- Installations
- 100,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 2.25.2
- Severity Score
- Medium
GiveWP
- Plugin Slug
- give
- Installations
- 100,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- 2.25.2
- Severity Score
- Medium
External Links
- Plugin Slug
- wp-external-links
- Installations
- 100,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- 2.58
- Severity Score
- Medium
WP Maps
- Plugin Slug
- wp-google-map-plugin
- Installations
- 100,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- 4.4.3
- Severity Score
- Medium
Embed Any Document – Embed PDF, Word, PowerPoint and Excel Files
- Plugin Slug
- embed-any-document
- Installations
- 70,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 2.7.2
- Severity Score
- Medium
Ajax Load More
- Plugin Slug
- ajax-load-more
- Installations
- 50,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 5.6.0.3
- Severity Score
- Medium
Robo Gallery
- Plugin Slug
- robo-gallery
- Installations
- 50,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 3.2.13
- Severity Score
- Medium
Site Reviews
- Plugin Slug
- site-reviews
- Installations
- 50,000+
- Vulnerability
- Broken Access Control
- Patched in Version
- 6.6.0
- Severity Score
- Medium
Site Reviews
- Plugin Slug
- site-reviews
- Installations
- 50,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 6.6.0
- Severity Score
- Medium
Site Reviews
- Plugin Slug
- site-reviews
- Installations
- 50,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 6.6.0
- Severity Score
- Medium
Klaviyo
- Plugin Slug
- klaviyo
- Installations
- 30,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 3.0.8
- Severity Score
- Medium
Customify
- Plugin Slug
- customify
- Installations
- 20,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- 2.10.5
- Severity Score
- Medium
Redirect Redirection
- Plugin Slug
- redirect-redirection
- Installations
- 20,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- 1.1.5
- Severity Score
- Medium
Reusable Blocks Extended
- Plugin Slug
- reusable-blocks-extended
- Installations
- 10,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- 0.9.1
- Severity Score
- Medium
Weaver Xtreme Theme Support
- Plugin Slug
- weaverx-theme-support
- Installations
- 10,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 6.2.5
- Severity Score
- Medium
Woo Products Widgets For Elementor
- Plugin Slug
- woo-products-widgets-for-elementor
- Installations
- 8,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 1.0.8
- Severity Score
- Medium
W4 Post List
- Plugin Slug
- w4-post-list
- Installations
- 5,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 2.4.5
- Severity Score
- Medium
Stock Ticker
- Plugin Slug
- stock-ticker
- Installations
- 4,000+
- Vulnerability
- Broken Access Control
- Patched in Version
- 3.23.1
- Severity Score
- Medium
Auto Prune Posts
- Plugin Slug
- auto-prune-posts
- Installations
- 2,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- 2.0.0
- Severity Score
- Medium
RapidLoad Power-Up for Autoptimize
- Plugin Slug
- unusedcss
- Installations
- 2,000+
- Vulnerability
- Broken Access Control
- Patched in Version
- 1.7.2
- Severity Score
- Medium
RapidLoad Power-Up for Autoptimize
- Plugin Slug
- unusedcss
- Installations
- 2,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- 1.7.2
- Severity Score
- Medium
Mass Delete Unused Tags
- Plugin Slug
- mass-delete-unused-tags
- Installations
- 1,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- 3.0.0
- Severity Score
- Medium
PhonePe Payment Solutions
- Plugin Slug
- phonepe-payment-solutions
- Installations
- 1,000+
- Vulnerability
- Server Side Request Forgery (SSRF)
- Patched in Version
- 2.0.0
- Severity Score
- Medium
Webmention
- Plugin Slug
- webmention
- Installations
- 1,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- 4.0.9
- Severity Score
- High
LeadSnap
- Plugin Slug
- leadsnap
- Installations
- 800+
- Vulnerability
- PHP Object Injection
- Patched in Version
- 1.24
- Severity Score
- Medium
Mass Delete Taxonomies
- Plugin Slug
- mass-delete-tags
- Installations
- 300+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- 4.0.0
- Severity Score
- Medium
WordPress Plugin Vulnerabilities – No Known Fix
This section contains plugin vulnerabilities with no known fix. Until a patch is available, you are advised to deactivate the plugin, at minimum, immediately. If there is a high risk of active exploits or the plugin remains unpatched for weeks, you are advised to delete the plugin. You should also delete persistently unpatched plugins the WordPress.org repository has locked and marked “Closed” so they can no longer be downloaded and installed.
WooCommerce Weight Based Shipping
- Plugin Slug
- weight-based-shipping-for-woocommerce
- Installations
- 60,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
Print Invoice & Delivery Notes for WooCommerce
- Plugin Slug
- woocommerce-delivery-notes
- Installations
- 40,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
Data Tables Generator by Supsystic
- Plugin Slug
- data-tables-generator-by-supsystic
- Installations
- 30,000+
- Vulnerability
- Broken Access Control
- Patched in Version
- No Fix
- Severity Score
- Medium
Google XML Sitemap for Videos
- Plugin Slug
- xml-sitemaps-for-videos
- Installations
- 20,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
CF7 Invisible reCAPTCHA
- Plugin Slug
- cf7-invisible-recaptcha
- Installations
- 10,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
Google XML Sitemap for Images
- Plugin Slug
- google-image-sitemap
- Installations
- 10,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
Contact Form 7 Redirect & Thank You Page
- Plugin Slug
- cf7-redirect-thank-you-page
- Installations
- 6,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
Yandex.News Feed by Teplitsa
- Plugin Slug
- yandexnews-feed-by-teplitsa
- Installations
- 6,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
Coming Soon Landing Page and Maintenance Mode
- Plugin Slug
- 8-degree-coming-soon-page
- Installations
- 2,000+
- Vulnerability
- Broken Access Control
- Patched in Version
- No Fix
- Severity Score
- Medium
Daily Prayer Time
- Plugin Slug
- daily-prayer-time-for-mosques
- Installations
- 1,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
Daily Prayer Time
- Plugin Slug
- daily-prayer-time-for-mosques
- Installations
- 1,000+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
Kopa Framework
- Plugin Slug
- kopatheme
- Installations
- 1,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
Store Locator for WordPress with Google Maps – LotsOfLocales
- Plugin Slug
- store-locator
- Installations
- 1,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
xili-tidy-tags
- Plugin Slug
- xili-tidy-tags
- Installations
- 1,000+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
WP-Advanced-Search
- Plugin Slug
- wp-advanced-search
- Installations
- 800+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
CMS Press
- Plugin Slug
- cms-press
- Installations
- 700+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
Backup Bank: WordPress Backup
- Plugin Slug
- wp-backup-bank
- Installations
- 700+
- Vulnerability
- Broken Access Control
- Patched in Version
- No Fix
- Severity Score
- Medium
Chronoforms
- Plugin Slug
- chronoforms
- Installations
- 400+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
WP Basic Elements
- Plugin Slug
- wp-basic-elements
- Installations
- 300+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
Exxp
- Plugin Slug
- exxp-wp
- Installations
- 200+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
Solidres
- Plugin Slug
- solidres
- Installations
- 100+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
WH Testimonials
- Plugin Slug
- wh-testimonials
- Installations
- 90+
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- High
WordPress Console
- Plugin Slug
- wordpress-console
- Installations
- 40+
- Vulnerability
- Broken Access Control
- Patched in Version
- No Fix
- Severity Score
- Low
LOGIN AND REGISTRATION ATTEMPTS LIMIT
- Plugin Slug
- login-attempts-limit-wp
- Installations
- 10+
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- Medium
Admin side data storage for Contact Form 7
- Plugin Slug
- admin-side-data-storage-for-contact-form-7
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- High
Easy Event calendar
- Plugin Slug
- easy-event-calendar
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
Tags Cloud Manager
- Plugin Slug
- tags-cloud-manager
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- High
WordPress Theme Vulnerabilities
In this section, you’ll find the latest WordPress theme vulnerabilities to be disclosed. You’ll see the same information provided above for vulnerable plugins, and the same advice applies. If a security update exists, install it immediately. If a vulnerability remains unpatched in a theme you are actively using, you will need to find an alternative theme. Deactivate and delete persistently unpatched themes and those that have been “Closed” in the WordPress.org theme repository. If you have a vulnerable theme installed that you are not actively using, simply delete it.
Real Estate 7
- Theme
- Real Estate 7
- Theme Slug
- realestate-7
- Vulnerability
- Broken Access Control
- Patched in Version
- 3.3.5
- Severity Score
- Medium
Brilliance
- Theme Slug
- brilliance
- Downloads
- 139,773
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
Regina Lite
- Theme Slug
- regina-lite
- Downloads
- 116,354
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- Severity Score
- Medium
Intrepidity
- Theme
- Intrepidity
- Theme Slug
- intrepidity
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- Severity Score
- High
