WordPress Vulnerability Report - March 8, 2023

Vulnerable plugins and themes are some of the most common vectors for attacks on WordPress websites. Our weekly WordPress Vulnerability Report, now powered by Patchstack, covers new WordPress plugins, themes, and core vulnerabilities that have emerged since last week’s report. Our goal is to spread awareness of emerging vulnerabilities and help you decide what to do if you are using one of these vulnerable plugins or themes on your website. For a deeper analysis of trends in WordPress vulnerabilities and threat vectors, see our 2022 Annual Vulnerability Report.

Please note the Metform Elementor Contact Form Builder plugin has an important update that patches two recently disclosed vulnerabilities. One is a high-risk XSS vulnerability. Update Metform to version 3.2.3 as soon as possible.

The Future of Authentication is Passkeys! Log into your WordPress site with Biometrics only available in iThemes Security Pro.

Credential stuffing, phishing, and brute force attacks using stolen, guessable, or reused passwords have made our digital lives less secure. Two-Factor Authentication (2FA) offers some protection but at the cost of usability and accessibility. Fewer than 30% of all online account holders actually use 2FA. Password-based logins are broken.

The future of authentication is passkeys, and iThemes Security Pro is the first to bring this breakthrough technology to WordPress sites. Using breakthrough WebAuthn technology based on public/private cryptography, passkeys make passwords obsolete. Now, website admins and end users can have secure logins without the inconvenience of additional two-factor apps, password managers, or complex password requirements.

WordPress Core News

WordPress 6.1.1 was released on November 15, 2022, as a short-cycle maintenance release with 29 bug fixes in Core and 21 bug fixes for the block editor. Because this is a core update, be sure to update to WordPress 6.1.1 as soon as possible! As always, with a major release like this, ensure your site is backed up with BackupBuddy before updating.

WordPress 6.2 Beta 5

The first release candidate (RC1) for the WordPress 6.2 development cycle has been postponed two days, to Thursday, March 9, and an additional fifth Beta release came out on Tuesday, March 7. Additional time and testing were needed to deal with a regression that came to light last week. The project is still on track for the final release of WordPress 6.2 on March 28. You can get a preview of what’s coming in 6.2 thanks to Anne McCarthy and Rich Tabor, who hosted a live demo. Anne has also written a detailed overview.

No new WordPress core vulnerabilities were disclosed this week.

Get the weekly WordPress Vulnerability Report delivered to your inbox each Wednesday.

WordPress Plugin Vulnerabilities

In this section, you’ll find the most recently disclosed WordPress plugin vulnerabilities that have been fixed with a new release from their authors and maintainers. These vulnerabilities have been disclosed and scored for their severity thanks to our friends at Patchstack. Each plugin listing includes the type of vulnerability with its CVE number and CVSS severity rating with links to more technical details. You’ll also see the number of active sites using the plugin and the plugin version release that patches the vulnerability. We start with the most popular plugins, which represent the largest target for attackers.

WordPress Yoast SEO plugin

Plugin Slug: wordpress-seo
Installations: 5,000,000+
Vulnerability: Authenticated (Contributor+) DOM-Based Cross-Site Scripting
Patched in Version: 20.2.1
Severity Score: Medium

The vulnerability has been patched, so you should update to version 20.2.1.

WordPress Cookie Notice & Compliance for GDPR / CCPA plugin

Plugin Slug: cookie-notice
Installations: 1,000,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.4.7
Severity Score: Medium

The vulnerability has been patched, so you should update to version 2.4.7.

WordPress WPCode plugin

Plugin Slug: insert-headers-and-footers
Installations: 1,000,000+
Vulnerability: Contributor+ WPCode Library Auth Key Update/Deletion
Patched in Version: 2.0.7
Severity Score: Medium

The vulnerability has been patched, so you should update to version 2.0.7.

WordPress Popup Builder by OptinMonster plugin

Plugin Slug: optinmonster
Installations: 1,000,000+
Vulnerability: Subscriber+ Arbitrary Post Content Disclosure
Patched in Version: 2.12.2
Severity Score: Medium

The vulnerability has been patched, so you should update to version 2.12.2.

WordPress Smart Slider 3 plugin

Plugin Slug: smart-slider-3
Installations: 900,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.5.1.14
Severity Score: Medium

The vulnerability has been patched, so you should update to version 3.5.1.14.

WordPress Shortcodes Ultimate plugin

Plugin Slug: shortcodes-ultimate
Installations: 700,000+
Vulnerability: Subscriber+ User Meta Disclosure
Patched in Version: 5.12.8
Severity Score: Medium

The vulnerability has been patched, so you should update to version 5.12.8.

WordPress Metform Elementor Contact Form Builder plugin

Plugin Slug: metform
Installations: 200,000+
Vulnerability: reCaptcha Protection Bypass Vulnerability
Patched in Version: 3.2.2
Severity Score: Medium

The vulnerability has been patched, so you should update to version 3.2.2.

WordPress FluentSMTP plugin

Plugin Slug: fluent-smtp
Installations: 100,000+
Vulnerability: Stored XSS via Email Logs
Patched in Version: 2.2.3
Severity Score: Medium

The vulnerability has been patched, so you should update to version 2.2.3.

WordPress Paid Memberships Pro plugin

Plugin Slug: paid-memberships-pro
Installations: 100,000+
Vulnerability: SQL Injection
Patched in Version: 2.9.12
Severity Score: High

The vulnerability has been patched, so you should update to version 2.9.12.

WordPress VK All in One Expansion Unit plugin

Plugin Slug: vk-all-in-one-expansion-unit
Installations: 100,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 9.86.0.0
Severity Score: Medium

The vulnerability has been patched, so you should update to version 9.86.0.0.

WordPress Slimstat Analytics plugin

Plugin Slug: wp-slimstat
Installations: 100,000+
Vulnerability: SQL Injection
Patched in Version: 4.9.3.3
Severity Score: High

The vulnerability has been patched, so you should update to version 4.9.3.3.

WordPress Auto Featured Image plugin

Plugin Slug: auto-post-thumbnail
Installations: 80,000+
Vulnerability: Author+ Arbitrary File Upload
Patched in Version: 3.9.16
Severity Score: Critical

The vulnerability has been patched, so you should update to version 3.9.16.

WordPress Calculated Fields Form plugin

Plugin Slug: calculated-fields-form
Installations: 60,000+
Vulnerability: Missing Authorization Leading To Feedback Submission
Patched in Version: 1.1.121
Severity Score: Medium

The vulnerability has been patched, so you should update to version 1.1.121.

WordPress Dokan plugin

Plugin Slug: dokan-lite
Installations: 60,000+
Vulnerability: SQL Injection
Patched in Version: 3.7.13
Severity Score: High

The vulnerability has been patched, so you should update to version 3.7.13.

WordPress Quiz And Survey Master plugin

Plugin Slug: quiz-master-next
Installations: 40,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 8.1.0
Severity Score: Medium

The vulnerability has been patched, so you should update to version 8.1.0.

WordPress Jetpack CRM – Clients, Leads, Invoices, Billing, Email Marketing, & Automation plugin

Plugin Slug: zero-bs-crm
Installations: 40,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 5.5.0
Severity Score: Medium

The vulnerability has been patched, so you should update to version 5.5.0.

WordPress GN Publisher plugin

Plugin Slug: gn-publisher
Installations: 30,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.5.6
Severity Score: High

The vulnerability has been patched, so you should update to version 1.5.6.

WordPress Rife Elementor Extensions & Templates plugin

Plugin Slug: rife-elementor-extensions
Installations: 30,000+
Vulnerability: Broken Access Control
Patched in Version: 1.2.0
Severity Score: Medium

The vulnerability has been patched, so you should update to version 1.2.0.

WordPress When Last Login plugin

Plugin Slug: when-last-login
Installations: 30,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.2.2
Severity Score: Medium

The vulnerability has been patched, so you should update to version 1.2.2.

WordPress WP Meteor Page Speed Optimization Topping plugin

Plugin Slug: wp-meteor
Installations: 30,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 3.1.5
Severity Score: Medium

The vulnerability has been patched, so you should update to version 3.1.5.

WordPress Gallery Blocks with Lightbox plugin

Plugin Slug: simply-gallery-block
Installations: 20,000+
Vulnerability: Missing Authorization in pgc_sgb_add_dashboard_widget
Patched in Version: 3.0.8
Severity Score: Medium

The vulnerability has been patched, so you should update to version 3.0.8.

WordPress Wholesale Suite plugin

Plugin Slug: woocommerce-wholesale-prices
Installations: 20,000+
Vulnerability: Settings Change
Patched in Version: 2.1.5.1
Severity Score: Medium

The vulnerability has been patched, so you should update to version 2.1.5.1.

WordPress Yasr – Yet Another Stars Rating plugin

Plugin Slug: yet-another-stars-rating
Installations: 20,000+
Vulnerability: XSS & Arbitrary Shortcode Execution
Patched in Version: 3.1.3
Severity Score: Medium

The vulnerability has been patched, so you should update to version 3.1.3.

WordPress Admin CSS MU plugin

Plugin Slug: admin-css-mu
Installations: 10,000+
Vulnerability: Server Side Request Forgery (SSRF)
Patched in Version: 2.7
Severity Score: High

The vulnerability has been patched, so you should update to version 2.7.

WordPress Maspik – Spam blacklist plugin

Plugin Slug: contact-forms-anti-spam
Installations: 10,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 0.7.9
Severity Score: Medium

The vulnerability has been patched, so you should update to version 0.7.9.

WordPress GTmetrix for WordPress plugin

Plugin Slug: gtmetrix-for-wordpress
Installations: 10,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 0.4.6
Severity Score: Low

The vulnerability has been patched, so you should update to version 0.4.6.

WordPress HT Slider For Elementor plugin

Plugin Slug: ht-slider-for-elementor
Installations: 10,000+
Vulnerability: Arbitrary Plugin Activation via CSRF
Patched in Version: 1.4.0
Severity Score: Medium

The vulnerability has been patched, so you should update to version 1.4.0.

WordPress 10WebMapBuilder plugin

Plugin Slug: wd-google-maps
Installations: 10,000+
Vulnerability: SQL Injection
Patched in Version: 1.0.73
Severity Score: High

The vulnerability has been patched, so you should update to version 1.0.73.

WordPress WP SMS plugin

Plugin Slug: wp-sms
Installations: 9,000+
Vulnerability: Sensitive Data Exposure
Patched in Version: 6.0.4.1
Severity Score: Medium

The vulnerability has been patched, so you should update to version 6.0.4.1.

WordPress WP SMS plugin

Plugin Slug: wp-sms
Installations: 9,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 5.4.13
Severity Score: Medium

The vulnerability has been patched, so you should update to version 5.4.13.

WordPress YITH WooCommerce Product Slider Carousel plugin

Plugin Slug: yith-woocommerce-product-slider-carousel
Installations: 9,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.16.1
Severity Score: Medium

The vulnerability has been patched, so you should update to version 1.16.1.

WordPress JCH Optimize plugin

Plugin Slug: jch-optimize
Installations: 8,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.2.3
Severity Score: Medium

The vulnerability has been patched, so you should update to version 3.2.3.

WordPress LWS Tools plugin

Plugin Slug: lws-tools
Installations: 7,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 2.4
Severity Score: Medium

The vulnerability has been patched, so you should update to version 2.4.

WordPress ProfileGrid plugin

Plugin Slug: profilegrid-user-profiles-groups-and-communities
Installations: 7,000+
Vulnerability: Subscriber+ Arbitrary Password Reset
Patched in Version: 5.3.1
Severity Score: High

The vulnerability has been patched, so you should update to version 5.3.1.

WordPress Add Expires Headers & Optimized Minify plugin

Plugin Slug: add-expires-headers
Installations: 6,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 2.7.1
Severity Score: Medium

The vulnerability has been patched, so you should update to version 2.7.1.

WordPress Button Generator plugin

Plugin Slug: button-generation
Installations: 6,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.3.4
Severity Score: Medium

The vulnerability has been patched, so you should update to version 2.3.4.

WordPress WpStream plugin

Plugin Slug: wpstream
Installations: 6,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 4.4.10.6
Severity Score: Medium

The vulnerability has been patched, so you should update to version 4.4.10.6.

WordPress Dashboard Widgets Suite plugin

Plugin Slug: dashboard-widgets-suite
Installations: 5,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.2.2
Severity Score: Medium

The vulnerability has been patched, so you should update to version 3.2.2.

WordPress Publish to Schedule plugin

Plugin Slug: publish-to-schedule
Installations: 5,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 4.5.5
Severity Score: Medium

The vulnerability has been patched, so you should update to version 4.5.5.

WordPress Simple File List plugin

Plugin Slug: simple-file-list
Installations: 5,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 6.0.10
Severity Score: Medium

The vulnerability has been patched, so you should update to version 6.0.10.

WordPress Watu Quiz plugin

Plugin Slug: watu
Installations: 5,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.3.9.1
Severity Score: High

The vulnerability has been patched, so you should update to version 3.3.9.1.

WordPress WP OAuth Server plugin

Plugin Slug: oauth2-provider
Installations: 4,000+
Vulnerability: Subscriber+ Arbitrary Client Deletion
Patched in Version: 4.3.0
Severity Score: Medium

The vulnerability has been patched, so you should update to version 4.3.0.

WordPress Pie Register plugin

Plugin Slug: pie-register
Installations: 4,000+
Vulnerability: Arbitrary Content Deletion
Patched in Version: 3.8.1.3
Severity Score: High

The vulnerability has been patched, so you should update to version 3.8.1.3.

WordPress Pie Register plugin

Plugin Slug: pie-register
Installations: 4,000+
Vulnerability: Open Redirection
Patched in Version: 3.8.2.3
Severity Score: Medium

The vulnerability has been patched, so you should update to version 3.8.2.3.

WordPress We’re Open! plugin

Plugin Slug: opening-hours
Installations: 3,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.47
Severity Score: Medium

The vulnerability has been patched, so you should update to version 1.47.

WordPress Search in Place plugin

Plugin Slug: search-in-place
Installations: 3,000+
Vulnerability: Missing Authorization Leading To Feedback Submission
Patched in Version: 1.0.105
Severity Score: Medium

The vulnerability has been patched, so you should update to version 1.0.105.

WordPress WP Plugin Manager plugin

Plugin Slug: wp-plugin-manager
Installations: 3,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.1.8
Severity Score: Medium

The vulnerability has been patched, so you should update to version 1.1.8.

WordPress DeepL API translation

Plugin Slug: wpdeepl
Installations: 3,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 2.1.5
Severity Score: Medium

The vulnerability has been patched, so you should update to version 2.1.5.

WordPress Cart Lift

Plugin Slug: cart-lift
Installations: 2,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.1.6
Severity Score: High

The vulnerability has been patched, so you should update to version 3.1.6.

WordPress CP Contact Form with PayPal

Plugin Slug: cp-contact-form-with-paypal
Installations: 2,000+
Vulnerability: Missing Authorization Leading To Feedback Submission
Patched in Version: 1.3.35
Severity Score: Medium

The vulnerability has been patched, so you should update to version 1.3.35.

WordPress Simple Slug Translate plugin

Plugin Slug: simple-slug-translate
Installations: 2,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.7.3
Severity Score: Medium

The vulnerability has been patched, so you should update to version 2.7.3.

WordPress DecaLog plugin

Plugin Slug: decalog
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 3.7.1
Severity Score: Medium

The vulnerability has been patched, so you should update to version 3.7.1.

WordPress Easy Testimonial Slider and Form

Plugin Slug: easy-testimonial-rotator
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.0.16
Severity Score: High

The vulnerability has been patched, so you should update to version 1.0.16.

WordPress Event Espresso 4 Decaf plugin

Plugin Slug: event-espresso-decaf
Installations: 1,000+
Vulnerability: Bypass Vulnerability
Patched in Version: 4.10.45.decaf
Severity Score: Low

The vulnerability has been patched, so you should update to version 4.10.45.decaf.

WordPress Sheets To WP Table Live Sync

Plugin Slug: sheets-to-wp-table-live-sync
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 2.13.0
Severity Score: Medium

The vulnerability has been patched, so you should update to version 2.13.0.

WordPress Total Poll Lite

Plugin Slug: totalpoll-lite
Installations: 1,000+
Vulnerability: Broken Access Control
Patched in Version: 4.8.7
Severity Score: Medium

The vulnerability has been patched, so you should update to version 4.8.7.

WordPress WP Time Slots Booking Form

Plugin Slug: wp-time-slots-booking-form
Installations: 1,000+
Vulnerability: Missing Authorization Leading To Feedback Submission
Patched in Version: 1.1.77
Severity Score: Medium

The vulnerability has been patched, so you should update to version 1.1.77.

WordPress Donation Block For PayPal

Plugin Slug: donations-block
Installations: 700+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.1.0
Severity Score: Medium

The vulnerability has been patched, so you should update to version 2.1.0.

WordPress Namaste! LMS plugin

Plugin Slug: namaste-lms
Installations: 700+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.6
Severity Score: Medium

The vulnerability has been patched, so you should update to version 2.6.

WordPress Namaste! LMS plugin

Plugin Slug: namaste-lms
Installations: 700+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.5.9.4
Severity Score: Medium

The vulnerability has been patched, so you should update to version 2.5.9.4.

WordPress real.Kit plugin

Plugin Slug: real-kit
Installations: 600+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 5.1.1
Severity Score: Medium

The vulnerability has been patched, so you should update to version 5.1.1.

WordPress Custom Login Admin Front-end CSS

Plugin Slug: custom-login-admin-front-end-css-with-multisite-support
Installations: 500+
Vulnerability: Server Side Request Forgery (SSRF)
Patched in Version: 1.5
Severity Score: High

The vulnerability has been patched, so you should update to version 1.5.

WordPress HT Portfolio plugin

Plugin Slug: ht-portfolio
Installations: 300+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.1.6
Severity Score: Medium

The vulnerability has been patched, so you should update to version 1.1.6.

WordPress WooCommerce Checkout Field Manager plugin

Plugin Slug: n-media-woocommerce-checkout-fields
Installations: 200+
Vulnerability: Arbitrary File Upload
Patched in Version: 18.0
Severity Score: Critical

The vulnerability has been patched, so you should update to version 18.0.

WordPress GS Insever Portfolio plugin

Plugin Slug: gs-instagram-portfolio
Installations: 100+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.4.5
Severity Score: Medium

The vulnerability has been patched, so you should update to version 1.4.5.

WordPress WC Sales Notification plugin

Plugin Slug: wc-sales-notification
Installations: 100+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.2.3
Severity Score: Medium

The vulnerability has been patched, so you should update to version 1.2.3.

WordPress Debug Assistant plugin

Plugin Slug: debug-assistant
Installations: 80+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.5
Severity Score: High

The vulnerability has been patched, so you should update to version 1.5.

WordPress Debug Assistant plugin

Plugin Slug: debug-assistant
Installations: 80+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.5
Severity Score: Medium

The vulnerability has been patched, so you should update to version 1.5.

WordPress Preview Link Generator plugin

Plugin Slug: preview-link-generator
Installations: 10+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.0.4
Severity Score: Medium

The vulnerability has been patched, so you should update to version 1.0.4.

WordPress Replyable plugin

Plugin: Postmatic
Plugin Slug: postmatic
Vulnerability: PHP Object Injection
Patched in Version: 2.2.10
Severity Score: High

The vulnerability has been patched, so you should update to version 2.2.10.

WordPress Toolset Types plugin

Plugin: Types
Plugin Slug: types
Vulnerability: Arbitrary File Upload
Patched in Version: 3.4.18
Severity Score: High

The vulnerability has been patched, so you should update to version 3.4.18.

WordPress Plugin Vulnerabilities – No Known Fix

This section contains plugin vulnerabilities with no known fix. Until a patch is available, you are advised to deactivate the plugin, at minimum, immediately. If there is a high risk of active exploits or the plugin remains unpatched for weeks, you are advised to delete the plugin. You should also delete persistently unpatched plugins the WordPress.org repository has locked and marked “Closed” so they can no longer be downloaded and installed.

WordPress Instant Images

Plugin Slug: instant-images
Installations: 100,000+
Vulnerability: Server Side Request Forgery (SSRF)
Patched in Version: No Fix
Severity Score: High

The vulnerability has not been patched. You should deactivate the plugin.

WordPress Rus-To-Lat plugin

Plugin Slug: rustolat
Installations: 90,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium

The vulnerability has not been patched. You should deactivate the plugin.

WordPress WP Social Bookmarking Light plugin

Plugin Slug: wp-social-bookmarking-light
Installations: 60,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium

The vulnerability has not been patched. You should deactivate the plugin.

WordPress clickfunnels plugin

Plugin Slug: clickfunnels
Installations: 30,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium

The vulnerability has not been patched. You should deactivate the plugin.

WordPress WP Translitera plugin

Plugin Slug: wp-translitera
Installations: 30,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium

The vulnerability has not been patched. You should deactivate the plugin.

WordPress WP TFeed plugin

Plugin Slug: accesspress-twitter-feed
Installations: 10,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium

The vulnerability has not been patched. You should deactivate the plugin.

WordPress Custom Content Shortcode plugin

Plugin Slug: custom-content-shortcode
Installations: 10,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium

The vulnerability has not been patched. You should deactivate the plugin.

WordPress Custom Content Shortcode plugin

Plugin Slug: custom-content-shortcode
Installations: 10,000+
Vulnerability: Local File Inclusion
Patched in Version: No Fix
Severity Score: High

The vulnerability has not been patched. You should deactivate the plugin.

WordPress menu shortcode plugin

Plugin Slug: menu-shortcode
Installations: 10,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium

The vulnerability has not been patched. You should deactivate the plugin.

WordPress Smart YouTube PRO plugin

Plugin Slug: smart-youtube
Installations: 10,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium

The vulnerability has not been patched. You should deactivate the plugin.

WordPress Styles plugin

Plugin Slug: styles
Installations: 10,000+
Vulnerability: Server Side Request Forgery (SSRF)
Patched in Version: No Fix
Severity Score: High

The vulnerability has not been patched. You should deactivate the plugin.

WordPress Video Background plugin

Plugin Slug: video-background
Installations: 10,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium

The vulnerability has not been patched. You should deactivate the plugin.

WordPress WP Clean Up plugin

Plugin Slug: wp-clean-up
Installations: 10,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium

The vulnerability has not been patched. You should deactivate the plugin.

WordPress XML Sitemap Generator for Google plugin

Plugin Slug: xml-sitemap-generator-for-google
Installations: 10,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium

The vulnerability has not been patched. You should deactivate the plugin.

WordPress FareHarbor for WordPress plugin

Plugin Slug: fareharbor
Installations: 8,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium

The vulnerability has not been patched. You should deactivate the plugin.

WordPress Blog Floating Button plugin

Plugin Slug: blog-floating-button
Installations: 7,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium

The vulnerability has not been patched. You should deactivate the plugin.

WordPress Classic Editor and Classic Widgets plugin

Plugin Slug: classic-editor-and-classic-widgets
Installations: 7,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium

The vulnerability has not been patched. You should deactivate the plugin.

WordPress CPO Content Types plugin

Plugin Slug: cpo-content-types
Installations: 7,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium

The vulnerability has not been patched. You should deactivate the plugin.

WordPress Resize at Upload Plus plugin

Plugin Slug: resize-at-upload-plus
Installations: 7,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium

The vulnerability has not been patched. You should deactivate the plugin.

WordPress Advanced Text Widget plugin

Plugin Slug: advanced-text-widget
Installations: 6,000+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium

The vulnerability has not been patched. You should deactivate the plugin.

WordPress Advanced Text Widget plugin

Plugin Slug: advanced-text-widget
Installations: 6,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium

The vulnerability has not been patched. You should deactivate the plugin.

WordPress New Adman plugin

Plugin Slug: new-adman
Installations: 6,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium

The vulnerability has not been patched. You should deactivate the plugin.

WordPress New Adman plugin

Plugin Slug: new-adman
Installations: 6,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium

The vulnerability has not been patched. You should deactivate the plugin.

WordPress WP No External Links plugin

Plugin Slug: no-external-links
Installations: 6,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium

The vulnerability has not been patched. You should deactivate the plugin.

WordPress Simple CSV/XLS Exporter plugin

Plugin Slug: simple-csv-xls-exporter
Installations: 6,000+
Vulnerability: CSV Injection
Patched in Version: No Fix
Severity Score: Medium

The vulnerability has not been patched. You should deactivate the plugin.

WordPress Social Auto Poster plugin

Plugin Slug: accesspress-facebook-auto-post
Installations: 5,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium

The vulnerability has not been patched. You should deactivate the plugin.

WordPress Elegant Custom Fonts plugin

Plugin Slug: elegant-custom-fonts
Installations: 5,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium

The vulnerability has not been patched. You should deactivate the plugin.

WordPress About Me 3000 widget plugin

Plugin Slug: about-me-3000
Installations: 2,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium

The vulnerability has not been patched. You should deactivate the plugin.

WordPress Leyka plugin

Plugin Slug: leyka
Installations: 2,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High

The vulnerability has not been patched. You should deactivate the plugin.

WordPress Leyka plugin

Plugin Slug: leyka
Installations: 2,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium

The vulnerability has not been patched. You should deactivate the plugin.

WordPress Wpopal Core Features plugin

Plugin Slug: wpopal-core-features
Installations: 2,000+
Vulnerability: Server Side Request Forgery (SSRF)
Patched in Version: No Fix
Severity Score: High

The vulnerability has not been patched. You should deactivate the plugin.

WordPress Simple Vimeo Shortcode

Plugin Slug: the-very-simple-vimeo-shortcode
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium

The vulnerability has not been patched. You should deactivate the plugin.

WordPress Sales Report Email for WooCommerce

Plugin Slug: woo-advanced-sales-report-email
Installations: 1,000+
Vulnerability: Other Vulnerability Type
Patched in Version: No Fix
Severity Score: Medium

The vulnerability has not been patched. You should deactivate the plugin.

WordPress WP Google Tag Manager plugin

Plugin Slug: wp-google-tag-manager
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium

The vulnerability has not been patched. You should deactivate the plugin.

WordPress Ever Compare plugin

Plugin Slug: ever-compare
Installations: 800+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium

The vulnerability has not been patched. You should deactivate the plugin.

WordPress React Webcam plugin

Plugin Slug: react-webcam
Installations: 600+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium

The vulnerability has not been patched. You should deactivate the plugin.

WordPress User Activity plugin

Plugin Slug: user-activity
Installations: 300+
Vulnerability: Content Spoofing
Patched in Version: No Fix
Severity Score: Medium

The vulnerability has not been patched. You should deactivate the plugin.

WordPress GoToWP plugin

Plugin Slug: gotowp
Installations: 200+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium

The vulnerability has not been patched. You should deactivate the plugin.

WordPress WP Repost plugin

Plugin Slug: wp-repost
Installations: 200+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium

The vulnerability has not been patched. You should deactivate the plugin.

WordPress WP Repost plugin

Plugin Slug: wp-repost
Installations: 200+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium

The vulnerability has not been patched. You should deactivate the plugin.

WordPress wp2syslog plugin

Plugin Slug: wp2syslog
Installations: 80+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium

The vulnerability has not been patched. You should deactivate the plugin.

WordPress CSS Adder By Agene-Press

Plugin Slug: css-adder-by-agence-press
Installations: 60+
Vulnerability: Server Side Request Forgery (SSRF)
Patched in Version: No Fix
Severity Score: High

The vulnerability has not been patched. You should deactivate the plugin.

WordPress AMP Toolbox plugin

Plugin Slug: amp-toolbox
Installations: 50+
Vulnerability: Server Side Request Forgery (SSRF)
Patched in Version: No Fix
Severity Score: High

The vulnerability has not been patched. You should deactivate the plugin.

WordPress Start plugin

Plugin Slug: iksweb
Installations: 40+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium

The vulnerability has not been patched. You should deactivate the plugin.

WordPress Manage Upload Limit plugin

Plugin Slug: wpsimpletools-upload-limit
Installations: 40+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High

The vulnerability has not been patched. You should deactivate the plugin.

WordPress DupeOff plugin

Plugin Slug: dupeoff
Installations: 10+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium

The vulnerability has not been patched. You should deactivate the plugin.

WordPress Shipyaari Shipping Management

Plugin Slug: manage-shipyaari-shipping
Installations: 10+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium

The vulnerability has not been patched. You should deactivate the plugin.

WordPress Advanced Recent Posts plugin

Plugin: Advanced Recent Posts
Plugin Slug: advanced-recent-posts
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

WordPress Confirm Data plugin

Plugin Slug: confirm-data
Vulnerability: Server Side Request Forgery (SSRF)
Patched in Version: No Fix
Severity Score: High

The vulnerability has not been patched. You should deactivate the plugin.

WordPress Correos Oficial plugin

Plugin: Correos Oficial
Plugin Slug: correosoficial
Vulnerability: Arbitrary File Download
Patched in Version: No Fix
Severity Score: High

The vulnerability has not been patched. You should deactivate the plugin.

WordPress Custom Add User plugin

Plugin: Custom Add User
Plugin Slug: custom-add-user
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

WordPress Download Attachments plugin

Plugin: Download Attachments
Plugin Slug: download-attachments
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

WordPress GigPress plugin

Plugin: GigPress
Plugin Slug: gigpress
Vulnerability: SQL Injection
Patched in Version: No Fix
Severity Score: High

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

WordPress i2 Pros & Cons plugin

Plugin: i2 Pros & Cons
Plugin Slug: i2-pro-cons
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

WordPress PHPFreeChat plugin

Plugin: PHPFreeChat
Plugin Slug: phpfreechat
Vulnerability: Server Side Request Forgery (SSRF)
Patched in Version: No Fix
Severity Score: High

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

WordPress Product GTIN (EAN, UPC, ISBN) for WooCommerce plugin

Plugin: Product GTIN (EAN, UPC, ISBN) for WooCommerce
Plugin Slug: product-gtin-ean-upc-isbn-for-woocommerce
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

WordPress Page Builder – Qards

Plugin: WordPress Page Builder – Qards
Plugin Slug: qards-free
Vulnerability: Server Side Request Forgery (SSRF)
Patched in Version: No Fix
Severity Score: High

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

WordPress Resume Builder plugin

Plugin: Resume Builder
Plugin Slug: resume-builder
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

WordPress Saan World Clock plugin

Plugin: Saan World Clock
Plugin Slug: saan-world-clock
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

WordPress Smart Logo Showcase Lite plugin

Plugin: Smart Logo Showcase Lite
Plugin Slug: smart-logo-showcase-lite
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

WordPress Synved Shortcodes plugin

Plugin: Synved Shortcodes
Plugin Slug: synved-shortcodes
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

WordPress Theme Minifier plugin

Plugin: Theme Minifier
Plugin Slug: theme-minifier
Vulnerability: Server Side Request Forgery (SSRF)
Patched in Version: No Fix
Severity Score: High

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

WordPress UpQode Google Maps plugin

Plugin: UpQode Google Maps
Plugin Slug: upqode-google-maps
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

WordPress Galleries by Angie Makes

Plugin: Galleries by Angie Makes
Plugin Slug: wc-gallery
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

WordPress WooSupply plugin

Plugin: WooSupply – Suppliers, Supply Orders and Stock Management
Plugin Slug: woosupply
Vulnerability: Server Side Request Forgery (SSRF)
Patched in Version: No Fix
Severity Score: High

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

WordPress WooVIP plugin

Plugin: WooVIP – Membership plugin for WordPress and WooCommerce
Plugin Slug: woovip
Vulnerability: Server Side Request Forgery (SSRF)
Patched in Version: No Fix
Severity Score: High

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

WordPress WooVirtualWallet plugin

Plugin: WooVirtualWallet – A virtual wallet for WooCommerce
Plugin Slug: woovirtualwallet
Vulnerability: Server Side Request Forgery (SSRF)
Patched in Version: No Fix
Severity Score: High

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

WordPress AMO for WP plugin

Plugin: AMO for WP – Membership Management
Plugin Slug: wp-amo
Vulnerability: Server Side Request Forgery (SSRF)
Patched in Version: No Fix
Severity Score: High

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

WordPress WPaudio MP3 Player plugin

Plugin: WPaudio MP3 Player
Plugin Slug: wpaudio-mp3-player
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

WordPress WPB Advanced FAQ plugin

Plugin: WPB Advanced FAQ
Plugin Slug: wpb-advanced-faq
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium

The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

WordPress Theme Vulnerabilities

In this section, you’ll find the latest WordPress theme vulnerabilities to be disclosed. You’ll see the same information provided above for vulnerable plugins, and the same advice applies. If a security update exists, install it immediately. If a vulnerability remains unpatched in a theme you are actively using, you will need to find an alternative theme. Deactivate and delete persistently unpatched themes and those that have been “Closed” in the WordPress.org theme repository. If you have a vulnerable theme installed that you are not actively using, simply delete it.