This week, the total patched and unpatched vulnerabilities may impact well over 8 million WordPress sites. There are 58 plugin vulnerabilities with security patches available, so run those updates if you use these plugins! Additionally, there are 25 plugin vulnerabilities and 1 theme vulnerability with no patch available yet. If you use any of these unpatched plugins or themes, check their vendors’ intentions and progress on a security release. If no patch is forthcoming or a vulnerable plugin or theme has been “closed” (dropped from the WordPress.org repository), you should consider deactivating it in favor of alternative solutions.
WordPress core is very secure when it’s properly configured and maintained. Vulnerable plugins that have not been updated by site owners are the most common vector for attacks on WordPress websites. Our weekly WordPress Vulnerability Report, powered by Patchstack, covers new WordPress plugin, theme, and core vulnerabilities that have emerged since last week’s report. Our goal is to spread awareness of emerging security threats and help you decide what to do if you are using vulnerable software on your website. For a deeper analysis of recent trends in WordPress vulnerabilities and threat vectors, see our 2022 Annual Vulnerability Report.
The Future of Authentication is Passkeys! Log into your WordPress site with biometrics, available only in iThemes Security Pro.
Credential stuffing, phishing, and brute force attacks using stolen, guessable, or reused passwords have made our digital lives less secure. Two-Factor Authentication (2FA) offers some protection but at the cost of usability and accessibility. Fewer than 30% of all online account holders actually use 2FA. Password-based logins are broken.
The future of authentication is passkeys, and iThemes Security Pro is the first to bring this breakthrough technology to WordPress sites. Built on WebAuthn, which is based on public/private key cryptography, passkeys make passwords obsolete. Now, website admins and end users can have secure logins without the inconvenience of additional two-factor apps, password managers, or complex password requirements.
WordPress Core News
WordPress 6.1.1 is the current (short-cycle maintenance) release of WordPress core. It is a minor release issued on November 15, 2022. It features 29 bug fixes in Core and 21 bug fixes for the Gutenberg block editor. You can review a summary of the key updates in this release at WordPress.org.
If your WordPress sites have enabled automatic background updates, they should have upgraded to 6.1.1 automatically. You can download WordPress 6.1.1 from WordPress.org, or visit your WordPress Dashboard, click “Updates,” and then click the “Update Now” button, which will appear when any core updates are available. For more information, check out the version 6.1.1 HelpHub documentation page.
WordPress 6.2 is the next major WordPress release, and after a brief, one-day delay it is on track to debut today, March 29, 2023. As of this writing, it has not been released yet. You can learn more about what’s coming in the WordPress 6.2 RC1 release announcement and the WordPress 6.2 Field Guide, as well as our post on the upcoming features for WordPress 6.2.
WordPress Plugin Vulnerabilities with Patches
In this section, you’ll find the most recently disclosed WordPress plugin vulnerabilities that have been fixed with a new release from their authors and maintainers. Please apply the updates if you are affected!
These vulnerabilities have been disclosed and scored for their severity thanks to our friends at Patchstack. Each plugin listing includes the type of vulnerability with its CVE number and CVSS severity rating with links to more technical details. You’ll also see the number of active sites using the plugin and the plugin version release that patches the vulnerability. We start with the most popular plugins, which represent the largest target for attackers.
WordPress LiteSpeed Cache
- Plugin Slug: litespeed-cache
- Installations: 4,000,000+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: 5.3.1
- Severity Score: Medium
WordPress iThemes Security
- Plugin Slug: better-wp-security
- Installations: 1,000,000+
- Vulnerability: Open Redirection via Host header
- Patched in Version: 8.1.5
- Severity Score: Low
WordPress Safe SVG
- Plugin Slug: safe-svg
- Installations: 800,000+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 2.1.0
- Severity Score: Medium
WordPress WP Statistics
- Plugin Slug: wp-statistics
- Installations: 600,000+
- Vulnerability: SQL Injection
- Patched in Version: 13.2.11
- Severity Score: High
WordPress WooCommerce Payments
- Plugin Slug: woocommerce-payments
- Installations: 500,000+
- Vulnerability: Unauthenticated Privilege Escalation
- Patched in Version: 5.6.2
- Severity Score: Critical
WordPress Newsletter plugin
- Plugin Slug: newsletter
- Installations: 300,000+
- Vulnerability: Reflected Cross Site Scripting (XSS)
- Patched in Version: 7.6.9
- Severity Score: High
WordPress FileBird
- Plugin Slug: filebird
- Installations: 100,000+
- Vulnerability: Broken Access Control
- Patched in Version: 5.1.5
- Severity Score: Medium
WordPress GiveWP
- Plugin Slug: give
- Installations: 100,000+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: 2.25.3
- Severity Score: Medium
WordPress OoohBoi Steroids for Elementor
- Plugin Slug: ooohboi-steroids-for-elementor
- Installations: 60,000+
- Vulnerability: Subscriber+ Attachment Deletion
- Patched in Version: 2.1.5
- Severity Score: High
WordPress Simple Author Box
- Plugin Slug: simple-author-box
- Installations: 60,000+
- Vulnerability: Cross-Site Request Forgery via save_user_profile
- Patched in Version: 2.51
- Severity Score: Medium
WordPress Advanced Shipment Tracking for WooCommerce
- Plugin Slug: woo-advanced-shipment-tracking
- Installations: 60,000+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: 3.5.3
- Severity Score: Medium
WordPress Maps Widget for Google Maps
- Plugin Slug: google-maps-widget
- Installations: 50,000+
- Vulnerability: Cross-Site Request Forgery via dismiss_notice
- Patched in Version: 4.24
- Severity Score: Medium
WordPress Popup Anything
- Plugin Slug: popup-anything-on-click
- Installations: 50,000+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: 2.2.2
- Severity Score: Medium
WordPress Visibility Logic for Elementor
- Plugin Slug: visibility-logic-elementor
- Installations: 30,000+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: 2.3.4
- Severity Score: Medium
WordPress Gallery by BestWebSoft
- Plugin Slug: gallery-plugin
- Installations: 20,000+
- Vulnerability: Authenticated (Administrator+) Stored Cross Site Scripting (XSS)
- Patched in Version: 4.7.0
- Severity Score: Medium
WordPress HT Contact Form 7
- Plugin Slug: ht-contactform
- Installations: 10,000+
- Vulnerability: Arbitrary Plugin Activation via CSRF
- Patched in Version: 1.1.6
- Severity Score: Medium
WordPress Advanced Page Visit Counter
- Plugin Slug: advanced-page-visit-counter
- Installations: 10,000+
- Vulnerability: SQL Injection
- Patched in Version: 6.4.2.1
- Severity Score: High
WordPress NEX-Forms
- Plugin Slug: nex-forms-express-wp-form-builder
- Installations: 10,000+
- Vulnerability: Contributor+ Stored XSS
- Patched in Version: 8.3.3
- Severity Score: Medium
WordPress TH Advance Product Search
- Plugin Slug: th-advance-product-search
- Installations: 10,000+
- Vulnerability: Broken Access Control
- Patched in Version: 1.1.5
- Severity Score: Medium
WordPress WP Dark Mode
- Plugin Slug: wp-dark-mode
- Installations: 10,000+
- Vulnerability: Subscriber+ Local File Inclusion
- Patched in Version: 4.0.8
- Severity Score: High
WordPress TH Side Cart and Menu Cart for WooCommerce
- Plugin Slug: th-all-in-one-woo-cart
- Installations: 9,000+
- Vulnerability: Broken Access Control
- Patched in Version: 1.1.2
- Severity Score: Medium
WordPress Pagination by BestWebSoft
- Plugin Slug: pagination
- Installations: 7,000+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 1.2.3
- Severity Score: Medium
WordPress TH Variation Swatches
- Plugin Slug: th-variation-swatches
- Installations: 6,000+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: 1.2.8
- Severity Score: Medium
WordPress Advanced Local Pickup for WooCommerce
- Plugin Slug: advanced-local-pickup-for-woocommerce
- Installations: 4,000+
- Vulnerability: Other Vulnerability Type
- Patched in Version: 1.5.3
- Severity Score: Medium
WordPress Thank You Page Customizer for WooCommerce – Increase Your Sales
- Plugin Slug: woo-thank-you-page-customizer
- Installations: 4,000+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: 1.0.14
- Severity Score: Medium
WordPress GS Pins for Pinterest
- Plugin Slug: gs-pinterest-portfolio
- Installations: 3,000+
- Vulnerability: Stored (Contributor+) Cross-Site Scripting via Shortcode
- Patched in Version: 1.6.2
- Severity Score: Medium
WordPress Quick Paypal Payments
- Plugin Slug: quick-paypal-payments
- Installations: 3,000+
- Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
- Patched in Version: 5.7.26.4
- Severity Score: Medium
WordPress ARMember
- Plugin Slug: armember-membership
- Installations: 2,000+
- Vulnerability: SQL Injection
- Patched in Version: 4.0
- Severity Score: High
WordPress Continuous Image Carousel With Lightbox
- Plugin Slug: continuous-image-carousel-with-lightbox
- Installations: 2,000+
- Vulnerability: Reflected Cross-Site Scripting (XSS)
- Patched in Version: 1.0.16
- Severity Score: High
WordPress Continuous Image Carousel With Lightbox
- Plugin Slug: continuous-image-carousel-with-lightbox
- Installations: 2,000+
- Vulnerability: Reflected Cross Site Scripting (XSS)
- Patched in Version: 1.0.16
- Severity Score: High
WordPress Albo Pretorio On line
- Plugin Slug: albo-pretorio-on-line
- Installations: 1,000+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 4.6.1
- Severity Score: High
WordPress CBX Currency Converter
- Plugin Slug: cbcurrencyconverter
- Installations: 1,000+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: 3.0.4
- Severity Score: Medium
WordPress Contact Forms by Cimatti
- Plugin Slug: contact-forms
- Installations: 1,000+
- Vulnerability: Reflected Cross Site Scripting (XSS)
- Patched in Version: 1.5.5
- Severity Score: High
WordPress Contact Forms by Cimatti
- Plugin Slug: contact-forms
- Installations: 1,000+
- Vulnerability: Unauthenticated Stored Cross Site Scripting (XSS)
- Patched in Version: 1.5.5
- Severity Score: High
WordPress Contest Gallery
- Plugin Slug: contest-gallery
- Installations: 1,000+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 21.1.2.1
- Severity Score: High
WordPress Stock Sync for WooCommerce
- Plugin Slug: stock-sync-for-woocommerce
- Installations: 1,000+
- Vulnerability: Broken Access Control + CSRF
- Patched in Version: 2.4.0
- Severity Score: Medium
WordPress HT Politic
- Plugin Slug: wp-politic
- Installations: 600+
- Vulnerability: Arbitrary Plugin Activation via CSRF
- Patched in Version: 2.3.8
- Severity Score: Medium
WordPress Free WooCommerce Theme 99fy Extension
- Plugin Slug: 99fy-core
- Installations: 500+
- Vulnerability: Arbitrary Plugin Activation via CSRF
- Patched in Version: 1.2.8
- Severity Score: Medium
WordPress WP Film Studio
- Plugin Slug: wp-film-studio
- Installations: 500+
- Vulnerability: Arbitrary Plugin Activation via CSRF
- Patched in Version: 1.3.5
- Severity Score: Medium
WordPress WP News
- Plugin Slug: wp-news-magazine
- Installations: 500+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: 1.2.0
- Severity Score: Medium
WordPress QuickSwish
- Plugin Slug: quickswish
- Installations: 200+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: 1.1.0
- Severity Score: Medium
WordPress WP Education
- Plugin Slug: wp-education
- Installations: 200+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: 1.2.7
- Severity Score: Medium
WordPress HT Event
- Plugin Slug: ht-event
- Installations: 100+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: 1.4.6
- Severity Score: Medium
WordPress WP Insurance
- Plugin Slug: wp-insurance
- Installations: 100+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: 2.1.4
- Severity Score: Medium
WordPress Complianz – GDPR/CCPA Cookie Consent
- Plugin: Complianz Premium
- Plugin Slug: complianz-gdpr-premium
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 6.4.2
- Severity Score: Medium
WordPress directory-pro
- Plugin: directory-pro
- Plugin Slug: directory-pro
- Vulnerability: Privilege Escalation
- Patched in Version: 1.9.5
- Severity Score: High
WordPress doctor-listing
- Plugin: doctor-listing
- Plugin Slug: doctor-listing
- Vulnerability: Privilege Escalation
- Patched in Version: 1.3.6
- Severity Score: High
WordPress Elementor Pro
- Plugin: Elementor Pro
- Plugin Slug: elementor-pro
- Vulnerability: Broken Access Control
- Patched in Version: 3.11.7
- Severity Score: High
WordPress final-user-wp-frontend-user-profiles
- Plugin: final-user-wp-frontend-user-profiles
- Plugin Slug: final-user-wp-frontend-user-profiles
- Vulnerability: Privilege Escalation
- Patched in Version: 1.2.2
- Severity Score: High
WordPress fitness-trainer
- Plugin: fitness-trainer
- Plugin Slug: fitness-trainer
- Vulnerability: Privilege Escalation
- Patched in Version: 1.4.1
- Severity Score: High
WordPress hotel-listing
- Plugin: Hotel Listing
- Plugin Slug: hotel-listing
- Vulnerability: Privilege Escalation
- Patched in Version: 1.3.7
- Severity Score: High
WordPress institutions-directory
- Plugin: institutions-directory
- Plugin Slug: institutions-directory
- Vulnerability: Privilege Escalation
- Patched in Version: 1.3.1
- Severity Score: High
WordPress lawyer-directory
- Plugin: lawyer-directory
- Plugin Slug: lawyer-directory
- Vulnerability: Privilege Escalation
- Patched in Version: 1.2.9
- Severity Score: High
WordPress OAuth Single Sign On – SSO (OAuth Client) Premium plugin
- Plugin: OAuth Single Sign On – SSO (OAuth Client) Premium
- Plugin Slug: miniorange-oauth-oidc-single-sign-on
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: 48.4.9
- Severity Score: Medium
WordPress Slider, Gallery, and Carousel by MetaSlider
- Plugin: Meta Slider
- Plugin Slug: ml-slider
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: 3.29.1
- Severity Score: High
WordPress photographer-directory
- Plugin: photographer-directory
- Plugin Slug: photographer-directory
- Vulnerability: Privilege Escalation
- Patched in Version: 1.0.9
- Severity Score: High
WordPress real-estate-pro
- Plugin: real-estate-pro
- Plugin Slug: real-estate-pro
- Vulnerability: Privilege Escalation
- Patched in Version: 1.7.1
- Severity Score: High
WordPress WC Fields Factory
- Plugin: WC Fields Factory
- Plugin Slug: wc-fields-factory
- Vulnerability: SQL Injection
- Patched in Version: 4.1.6
- Severity Score: High
WordPress Plugin Vulnerabilities – No Known Fix
This section contains plugin vulnerabilities with no known fix. Until a patch is available, you are advised to deactivate the plugin immediately, at a minimum. If there is a high risk of active exploitation or the plugin remains unpatched for weeks, you are advised to delete the plugin. You should also delete persistently unpatched plugins that the WordPress.org repository has locked and marked “Closed” so they can no longer be downloaded and installed.
WordPress Product Feed PRO for WooCommerce
- Plugin Slug: woo-product-feed-pro
- Installations: 100,000+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: No Fix
- Severity Score: Medium
WordPress If Menu – Visibility control for Menus
- Plugin Slug: if-menu
- Installations: 80,000+
- Vulnerability: Broken Access Control
- Patched in Version: No Fix
- Severity Score: Medium
WordPress Increase Maximum Upload File Size | Increase Execution Time
- Plugin Slug: wp-maximum-upload-file-size
- Installations: 40,000+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: No Fix
- Severity Score: Medium
WordPress WP Shamsi
- Plugin Slug: wp-shamsi
- Installations: 40,000+
- Vulnerability: Subscriber+ Attachment Deletion
- Patched in Version: No Fix
- Severity Score: High
WordPress Fuse Social Floating Sidebar
- Plugin Slug: fuse-social-floating-sidebar
- Installations: 20,000+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: No Fix
- Severity Score: Medium
WordPress eRoom plugin
- Plugin Slug: eroom-zoom-meetings-webinar
- Installations: 10,000+
- Vulnerability: Broken Access Control
- Patched in Version: No Fix
- Severity Score: Medium
WordPress Product Carousel Slider & Grid Ultimate for WooCommerce
- Plugin Slug: woo-product-carousel-slider-and-grid-ultimate
- Installations: 10,000+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: No Fix
- Severity Score: Medium
WordPress I Recommend This
- Plugin Slug: i-recommend-this
- Installations: 9,000+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: No Fix
- Severity Score: Medium
WordPress Worth The Read
- Plugin Slug: worth-the-read
- Installations: 6,000+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: No Fix
- Severity Score: Medium
WordPress WP Content Pilot – Autoblogging & Affiliate Marketing Plugin
- Plugin Slug: wp-content-pilot
- Installations: 5,000+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: No Fix
- Severity Score: Medium
WordPress Owl Carousel
- Plugin Slug: owl-carousel
- Installations: 4,000+
- Vulnerability: Broken Access Control
- Patched in Version: No Fix
- Severity Score: Medium
WordPress Easy Media Replace
- Plugin Slug: easy-media-replace
- Installations: 3,000+
- Vulnerability: Arbitrary File Deletion
- Patched in Version: No Fix
- Severity Score: High
WordPress Full Width Banner Slider Wp
- Plugin Slug: full-width-responsive-slider-wp
- Installations: 3,000+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: No Fix
- Severity Score: High
WordPress GS Pins for Pinterest
- Plugin Slug: gs-pinterest-portfolio
- Installations: 3,000+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: No Fix
- Severity Score: Medium
WordPress amr users
- Plugin Slug: amr-users
- Installations: 2,000+
- Vulnerability: CSV Injection
- Patched in Version: No Fix
- Severity Score: Medium
WordPress Wbcom Designs – BuddyPress Activity Social Share
- Plugin Slug: bp-activity-social-share
- Installations: 1,000+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: No Fix
- Severity Score: Medium
WordPress LionScripts: IP Blocker Lite
- Plugin Slug: ip-address-blocker
- Installations: 1,000+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: No Fix
- Severity Score: Medium
WordPress WooCommerce JazzCash Gateway Plugin
- Plugin Slug: jazzcash-woocommerce-gateway
- Installations: 1,000+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: No Fix
- Severity Score: High
WordPress Review Stream
- Plugin Slug: review-stream
- Installations: 1,000+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: No Fix
- Severity Score: Medium
WordPress Onepage Builder – Easiest Landing Page Builder For WordPress
- Plugin Slug: tx-onepager
- Installations: 1,000+
- Vulnerability: Cross Site Request Forgery (CSRF)
- Patched in Version: No Fix
- Severity Score: Medium
WordPress Schedulicity
- Plugin Slug: schedulicity-online-appointment-booking
- Installations: 500+
- Vulnerability: Contributor+ Stored XSS
- Patched in Version: No Fix
- Severity Score: Medium
WordPress WP Image Carousel
- Plugin Slug: wp-image-carousel
- Installations: 500+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: No Fix
- Severity Score: Medium
WordPress WooCommerce Custom Checkout Fields Editor With Drag & Drop
- Plugin Slug: woo-custom-checkout-fields
- Installations: 400+
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: No Fix
- Severity Score: High
WordPress Export Users Data Distinct
- Plugin Slug: export-users-data-distinct
- Installations: 10+
- Vulnerability: CSV Injection
- Patched in Version: No Fix
- Severity Score: Medium
WordPress Product Specifications for WooCommerce
- Plugin: Product Specifications for WooCommerce
- Plugin Slug: product-specifications
- Vulnerability: Cross Site Scripting (XSS)
- Patched in Version: No Fix
- Severity Score: High
WordPress Theme Vulnerabilities
In this section, you’ll find the latest WordPress theme vulnerabilities to be disclosed. You’ll see the same information provided above for vulnerable plugins, and the same advice applies. If a security update exists, install it immediately. If a vulnerability remains unpatched in a theme you are actively using, you will need to find an alternative theme. Deactivate and delete persistently unpatched themes and those that have been “Closed” in the WordPress.org theme repository. If you have a vulnerable theme installed that you are not actively using, simply delete it.
WordPress Resoto
- Theme Slug: resoto
- Downloads: 18,877
- Vulnerability: Broken Access Control
- Patched in Version: No Fix
- Severity Score: Medium
