WordPress Vulnerability Report

This week there are 37 plugin vulnerabilities (and one theme vulnerability) affecting well over 6 million WordPress sites. Fortunately, all of these have patches available, so run those updates if you use these plugins! Additionally, there are 27 plugin vulnerabilities and 3 theme vulnerabilities with no patch available yet. Check with their vendors for an update or consider adopting alternative solutions if you use any of these plugins or themes.

Not included on this week’s list is the Postmatic Replyable plugin, since it was closed in the WordPress directory, possibly due to a CSRF vulnerability reported in CVE-2022-4265. The current release, version 2.2.10 (Trac SVN), can be downloaded from Replyable. It patches a high-severity PHP Object Injection vulnerability.

Vulnerable plugins and themes are some of the most common vectors for attacks on WordPress websites. Our weekly WordPress Vulnerability Report, now powered by Patchstack, covers new WordPress plugins, themes, and core vulnerabilities that have emerged since last week’s report. Our goal is to spread awareness of emerging vulnerabilities and help you decide what to do if you are using one of these vulnerable plugins or themes on your website. For a deeper analysis of trends in WordPress vulnerabilities and threat vectors, see our 2022 Annual Vulnerability Report.

The Future of Authentication is Passkeys! Log into your WordPress site with Biometrics only available in iThemes Security Pro.

Credential stuffing, phishing, and brute force attacks using stolen, guessable, or reused passwords have made our digital lives less secure. Two-Factor Authentication (2FA) offers some protection but at the cost of usability and accessibility. Fewer than 30% of all online account holders actually use 2FA. Password-based logins are broken.

The future of authentication is passkeys, and iThemes Security Pro is the first to bring this breakthrough technology to WordPress sites. Using breakthrough WebAuthn technology based on public/private cryptography, passkeys make passwords obsolete. Now, website admins and end users can have secure logins without the inconvenience of additional two-factor apps, password managers, or complex password requirements.

WordPress Core News

WordPress 6.1.1 is the current (short-cycle maintenance) release of WordPress core. It is a minor release issued on November 15, 2022. It features 29 bug fixes in Core and 21 bug fixes for the Gutenberg block editor. You can review a summary of the key updates in this release at WordPress.org.

If your WordPress sites have enabled automatic background updates, they should have upgraded to 6.1.1 automatically. You can download WordPress 6.1.1 from WordPress.org, or visit your WordPress Dashboard, click “Updates,” and then click the “Update Now” button which will appear when any core updates are available. For more information, check out the version 6.1.1 HelpHub documentation page.

WordPress 6.2 is the next major WordPress release, and it’s on track for a March 28, 2023 debut. You can learn more about what’s coming in the WordPress 6.2 RC1 release announcement and the WordPress 6.2 Field Guide.

Get the weekly WordPress Vulnerability Report delivered to your inbox each Wednesday.

WordPress Plugin Vulnerabilities with Patches

In this section, you’ll find the most recently disclosed WordPress plugin vulnerabilities that have been fixed with a new release from their authors and maintainers. Please apply the updates if you are affected!

These vulnerabilities have been disclosed and scored for their severity thanks to our friends at Patchstack. Each plugin listing includes the type of vulnerability with its CVE number and CVSS severity rating with links to more technical details. You’ll also see the number of active sites using the plugin and the plugin version release that patches the vulnerability. We start with the most popular plugins, which represent the largest target for attackers.

Updraft Plus

Plugin Slug: updraftplus
Installations: 3,000,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.23.1
Severity Score: Medium

The vulnerability has been patched, so you should update to version 1.23.1.

Popup Maker

Plugin Slug: popup-maker
Installations: 700,000+
Vulnerability: Sensitive Data Exposure
Patched in Version: 1.18.0
Severity Score: Medium

The vulnerability has been patched, so you should update to version 1.18.0.

Popup Maker

Plugin Slug: popup-maker
Installations: 700,000+
Vulnerability: Broken Access Control
Patched in Version: 1.18.0
Severity Score: Low

The vulnerability has been patched, so you should update to version 1.18.0.

Popup Maker

Plugin Slug: popup-maker
Installations: 700,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.18.1
Severity Score: Medium

The vulnerability has been patched, so you should update to version 1.18.1.

Complianz – GDPR/CCPA Cookie Consent

Plugin Slug: complianz-gdpr
Installations: 600,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 6.4.2
Severity Score: Medium

The vulnerability has been patched, so you should update to version 6.4.2.

Formidable Forms

Plugin Slug: formidable
Installations: 300,000+
Vulnerability: Bypass Vulnerability
Patched in Version: 6.1
Severity Score: Medium

The vulnerability has been patched, so you should update to version 6.1.

301 Redirects – Easy Redirect Manager

Plugin Slug: eps-301-redirects
Installations: 200,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 2.73
Severity Score: Medium

The vulnerability has been patched, so you should update to version 2.73.

GiveWP

Plugin Slug: give
Installations: 100,000+
Vulnerability: Arbitrary Content Deletion
Patched in Version: 2.25.2
Severity Score: Medium

The vulnerability has been patched, so you should update to version 2.25.2.

GiveWP

Plugin Slug: give
Installations: 100,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.25.2
Severity Score: Medium

The vulnerability has been patched, so you should update to version 2.25.2.

GiveWP

Plugin Slug: give
Installations: 100,000+
Vulnerability: CSV Injection
Patched in Version: 2.25.2
Severity Score: Medium

The vulnerability has been patched, so you should update to version 2.25.2.

GiveWP

Plugin Slug: give
Installations: 100,000+
Vulnerability: Server Side Request Forgery (SSRF)
Patched in Version: 2.25.2
Severity Score: Medium

The vulnerability has been patched, so you should update to version 2.25.2.

GiveWP

Plugin Slug: give
Installations: 100,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.25.2
Severity Score: Medium

The vulnerability has been patched, so you should update to version 2.25.2.

GiveWP

Plugin Slug: give
Installations: 100,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 2.25.2
Severity Score: Medium

The vulnerability has been patched, so you should update to version 2.25.2.

External Links

Plugin Slug: wp-external-links
Installations: 100,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 2.58
Severity Score: Medium

The vulnerability has been patched, so you should update to version 2.58.

WP Maps

Plugin Slug: wp-google-map-plugin
Installations: 100,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 4.4.3
Severity Score: Medium

The vulnerability has been patched, so you should update to version 4.4.3.

Embed Any Document – Embed PDF, Word, PowerPoint and Excel Files

Plugin Slug: embed-any-document
Installations: 70,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.7.2
Severity Score: Medium

The vulnerability has been patched, so you should update to version 2.7.2.

Ajax Load More

Plugin Slug: ajax-load-more
Installations: 50,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 5.6.0.3
Severity Score: Medium

The vulnerability has been patched, so you should update to version 5.6.0.3.

Robo Gallery

Plugin Slug: robo-gallery
Installations: 50,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.2.13
Severity Score: Medium

The vulnerability has been patched, so you should update to version 3.2.13.

Site Reviews

Plugin Slug: site-reviews
Installations: 50,000+
Vulnerability: Broken Access Control
Patched in Version: 6.6.0
Severity Score: Medium

The vulnerability has been patched, so you should update to version 6.6.0.

Site Reviews

Plugin Slug: site-reviews
Installations: 50,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 6.6.0
Severity Score: Medium

The vulnerability has been patched, so you should update to version 6.6.0.

Site Reviews

Plugin Slug: site-reviews
Installations: 50,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 6.6.0
Severity Score: Medium

The vulnerability has been patched, so you should update to version 6.6.0.

Klaviyo

Plugin Slug: klaviyo
Installations: 30,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.0.8
Severity Score: Medium

The vulnerability has been patched, so you should update to version 3.0.8.

Customify

Plugin Slug: customify
Installations: 20,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 2.10.5
Severity Score: Medium

The vulnerability has been patched, so you should update to version 2.10.5.

Redirect Redirection

Plugin Slug: redirect-redirection
Installations: 20,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.1.5
Severity Score: Medium

The vulnerability has been patched, so you should update to version 1.1.5.

Reusable Blocks Extended

Plugin Slug: reusable-blocks-extended
Installations: 10,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 0.9.1
Severity Score: Medium

The vulnerability has been patched, so you should update to version 0.9.1.

Weaver Xtreme Theme Support

Plugin Slug: weaverx-theme-support
Installations: 10,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 6.2.5
Severity Score: Medium

The vulnerability has been patched, so you should update to version 6.2.5.

Woo Products Widgets For Elementor

Plugin Slug: woo-products-widgets-for-elementor
Installations: 8,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.0.8
Severity Score: Medium

The vulnerability has been patched, so you should update to version 1.0.8.

W4 Post List

Plugin Slug: w4-post-list
Installations: 5,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.4.5
Severity Score: Medium

The vulnerability has been patched, so you should update to version 2.4.5.

Stock Ticker

Plugin Slug: stock-ticker
Installations: 4,000+
Vulnerability: Broken Access Control
Patched in Version: 3.23.1
Severity Score: Medium

The vulnerability has been patched, so you should update to version 3.23.1.

Auto Prune Posts

Plugin Slug: auto-prune-posts
Installations: 2,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 2.0.0
Severity Score: Medium

The vulnerability has been patched, so you should update to version 2.0.0.

RapidLoad Power-Up for Autoptimize

Plugin Slug: unusedcss
Installations: 2,000+
Vulnerability: Broken Access Control
Patched in Version: 1.7.2
Severity Score: Medium

The vulnerability has been patched, so you should update to version 1.7.2.

RapidLoad Power-Up for Autoptimize

Plugin Slug: unusedcss
Installations: 2,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.7.2
Severity Score: Medium

The vulnerability has been patched, so you should update to version 1.7.2.

Mass Delete Unused Tags

Plugin Slug: mass-delete-unused-tags
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 3.0.0
Severity Score: Medium

The vulnerability has been patched, so you should update to version 3.0.0.

PhonePe Payment Solutions

Plugin Slug: phonepe-payment-solutions
Installations: 1,000+
Vulnerability: Server Side Request Forgery (SSRF)
Patched in Version: 2.0.0
Severity Score: Medium

The vulnerability has been patched, so you should update to version 2.0.0.

Webmention

Plugin Slug: webmention
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 4.0.9
Severity Score: High

The vulnerability has been patched, so you should update to version 4.0.9.

LeadSnap

Plugin Slug: leadsnap
Installations: 800+
Vulnerability: PHP Object Injection
Patched in Version: 1.24
Severity Score: Medium

The vulnerability has been patched, so you should update to version 1.24.

Mass Delete Taxonomies

Plugin Slug: mass-delete-tags
Installations: 300+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 4.0.0
Severity Score: Medium

The vulnerability has been patched, so you should update to version 4.0.0.

WordPress Plugin Vulnerabilities – No Known Fix

This section contains plugin vulnerabilities with no known fix. Until a patch is available, you are advised to deactivate the plugin, at minimum, immediately. If there is a high risk of active exploits or the plugin remains unpatched for weeks, you are advised to delete the plugin. You should also delete persistently unpatched plugins the WordPress.org repository has locked and marked “Closed” so they can no longer be downloaded and installed.