• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar

virusword.com

Learn Wordpress

  • Home
  • WordPress Shop
    • Fotopress
    • SEO Tool Kit
    • Social Contact
    • Tag Machine 2
    • Video Profits
  • Latest News
  • WordPress
    • Plugins
    • Themes
    • Tutorials
    • Videos
    • Woocommerce
  • About Us
  • Contact Us
    • Terms of Service
    • Privacy Policy
  • Show Search
Hide Search
Home/Woocommerce/WordPress Vulnerability Report – May 10, 2023

WordPress Vulnerability Report – May 10, 2023

Written by

Dan Knauss

on

May 10, 2023

Last Updated on May 10, 2023

This week, 66 vulnerabilities may affect over 5.8 million WordPress sites. There are 42 plugin vulnerabilities and five in themes that have security patches available, so run those updates! Additionally, there are 18 plugin vulnerabilities and one theme with no patch available yet. If you are using any unpatched plugins or themes, check their vendors’ intentions and progress on a security release. If no patch is forthcoming or the vulnerable software has been closed and dropped from the official WordPress theme and plugin repositories, you should consider deactivation and removal in favor of alternative solutions.

Please note we’ve revised last week’s report to correct the list of vulnerable code after many of the previous week’s vulnerabilities were mistakenly included. Thanks to Jeff Severson of JTS Design for bringing this to our attention.

  • No new WordPress core vulnerabilities were disclosed this week.

WordPress core is very secure when it’s properly configured and maintained. Vulnerable plugins that have not been updated by site owners are the most common vector for attacks on WordPress websites. Our weekly WordPress Vulnerability Report, powered by Patchstack, covers new WordPress plugin, theme, and core vulnerabilities that have emerged since last week’s report. Our goal is to spread awareness of emerging security threats and help you decide what to do if you are using vulnerable software on your website. For a deeper analysis of recent trends in WordPress vulnerabilities and threat vectors, see our 2022 Annual Vulnerability Report.

These reports are published every Wednesday and include all active vulnerabilities tracked by Patchstack as of Monday since the previous report. This leaves a 48-hour window for the newest emerging vulnerabilities to be patched before full public disclosure. iThemes Security Pro users have access to vulnerability alerts emerging within this window.

Get the weekly WordPress Vulnerability Report delivered to your inbox each Wednesday.

WordPress Plugin Vulnerabilities with Patches

In this section, you’ll find the most recently disclosed WordPress plugin vulnerabilities that have been fixed with a new release from their authors and maintainers. Please apply the updates if you are affected!

These vulnerabilities have been disclosed and scored for their severity, thanks to our friends at Patchstack. Each plugin listing includes the type of vulnerability with its CVE number and CVSS severity rating with links to more technical details. You’ll also see the number of active sites using the plugin and the plugin version release that patches the vulnerability. We start with the most popular plugins, which represent the largest target for attackers.

Advanced Custom Fields

Product image for Advanced Custom Fields (ACF).

Plugin Slug
advanced-custom-fields

Installations
2,000,000+

Vulnerability
Cross Site Scripting (XSS)

Patched in Version
6.1.6

Severity Score
High

The vulnerability has been patched, so you should update to version 6.1.6.

Advanced Custom Fields

Product image for Advanced Custom Fields (ACF).

Plugin Slug
advanced-custom-fields

Installations
2,000,000+

Vulnerability
PHP Object Injection

Patched in Version
5.12.5

Severity Score
Medium

The vulnerability has been patched, so you should update to version 5.12.5.

Ninja Forms

Product image for Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress.

Plugin Slug
ninja-forms

Installations
900,000+

Vulnerability
Cross Site Scripting (XSS)

Patched in Version
3.6.22

Severity Score
High

The vulnerability has been patched, so you should update to version 3.6.22.

Otter – Gutenberg Blocks

Product image for Otter – Gutenberg Blocks – Page Builder for Gutenberg Editor & FSE.

Plugin Slug
otter-blocks

Installations
300,000+

Vulnerability
PHP Object Injection

Patched in Version
2.2.6

Severity Score
Medium

The vulnerability has been patched, so you should update to version 2.2.6.

Metform Elementor Contact Form Builder

Product image for Metform Elementor Contact Form Builder – Flexible and Design-Friendly Contact Form builder plugin for WordPress.

Plugin Slug
metform

Installations
200,000+

Vulnerability
Broken Access Control

Patched in Version
3.3.1

Severity Score
Medium

The vulnerability has been patched, so you should update to version 3.3.1.

YARPP

Product image for YARPP – Yet Another Related Posts Plugin.

Plugin Slug
yet-another-related-posts-plugin

Installations
100,000+

Vulnerability
SQL Injection

Patched in Version
5.30.3

Severity Score
High

The vulnerability has been patched, so you should update to version 5.30.3.

Advanced Woo Search

Product image for Advanced Woo Search.

Plugin Slug
advanced-woo-search

Installations
70,000+

Vulnerability
Cross Site Scripting (XSS)

Patched in Version
2.78

Severity Score
Medium

The vulnerability has been patched, so you should update to version 2.78.

Easy Digital Downloads

Product image for Easy Digital Downloads – Simple eCommerce for Selling Digital Files.

Plugin Slug
easy-digital-downloads

Installations
50,000+

Vulnerability
Privilege Escalation

Patched in Version
3.1.1.4.2

Severity Score
Critical

The vulnerability has been patched, so you should update to version 3.1.1.4.2.

FV Flowplayer Video Player

Product image for FV Flowplayer Video Player.

Plugin Slug
fv-wordpress-flowplayer

Installations
30,000+

Vulnerability
Cross Site Scripting (XSS)

Patched in Version
7.5.35.7212

Severity Score
High

The vulnerability has been patched, so you should update to version 7.5.35.7212.

Product Addons & Fields for WooCommerce

Product image for Product Addons & Fields for WooCommerce.

Plugin Slug
woocommerce-product-addon

Installations
20,000+

Vulnerability
Cross Site Scripting (XSS)

Patched in Version
32.0.6

Severity Score
Medium

The vulnerability has been patched, so you should update to version 32.0.6.

WP Visitor Statistics (Real Time Traffic)

Product image for WP Visitor Statistics (Real Time Traffic).

Plugin Slug
wp-stats-manager

Installations
20,000+

Vulnerability
SQL Injection

Patched in Version
6.9

Severity Score
Critical

The vulnerability has been patched, so you should update to version 6.9.

CM Pop-Up banners for WordPress

Product image for CM Pop-Up banners for WordPress.

Plugin Slug
cm-pop-up-banners

Installations
10,000+

Vulnerability
SQL Injection

Patched in Version
1.6.0

Severity Score
High

The vulnerability has been patched, so you should update to version 1.6.0.

Image Optimizer by 10web

Product image for Image Optimizer by 10web – Image Optimizer and Compression plugin.

Plugin Slug
image-optimizer-wd

Installations
10,000+

Vulnerability
Cross Site Scripting (XSS)

Patched in Version
1.0.27

Severity Score
High

The vulnerability has been patched, so you should update to version 1.0.27.

Participants Database

Product image for Participants Database.

Plugin Slug
participants-database

Installations
10,000+

Vulnerability
Cross Site Request Forgery (CSRF)

Patched in Version
2.5.0

Severity Score
Medium

The vulnerability has been patched, so you should update to version 2.5.0.

URL Params

Product image for URL Params.

Plugin Slug
url-params

Installations
10,000+

Vulnerability
Cross Site Scripting (XSS)

Patched in Version
2.5

Severity Score
Medium

The vulnerability has been patched, so you should update to version 2.5.

Product Catalog Feed by PixelYourSite

Product image for Product Catalog Feed by PixelYourSite.

Plugin Slug
product-catalog-feed

Installations
8,000+

Vulnerability
Cross Site Scripting (XSS)

Patched in Version
2.1.1

Severity Score
High

The vulnerability has been patched, so you should update to version 2.1.1.

WOLF

Product image for WOLF – WordPress Posts Bulk Editor and Manager Professional.

Plugin Slug
bulk-editor

Installations
5,000+

Vulnerability
Cross Site Scripting (XSS)

Patched in Version
1.0.7

Severity Score
High

The vulnerability has been patched, so you should update to version 1.0.7.

HollerBox

Product image for Fast & Effective Popups & Lead-Generation for WordPress – HollerBox.

Plugin Slug
holler-box

Installations
5,000+

Vulnerability
SQL Injection

Patched in Version
2.1.4

Severity Score
High

The vulnerability has been patched, so you should update to version 2.1.4.

Ko-fi Button

Product image for Ko-fi Button.

Plugin Slug
ko-fi-button

Installations
5,000+

Vulnerability
Cross Site Scripting (XSS)

Patched in Version
1.3.3

Severity Score
Medium

The vulnerability has been patched, so you should update to version 1.3.3.

Booking Manager

Product image for Booking Manager.

Plugin Slug
booking-manager

Installations
4,000+

Vulnerability
Server Side Request Forgery (SSRF)

Patched in Version
2.0.29

Severity Score
Medium

The vulnerability has been patched, so you should update to version 2.0.29.

WPO365 | Mail Integration for Office 365 / Outlook

Product image for WPO365 | Mail Integration for Office 365 / Outlook.

Plugin Slug
mail-integration-365

Installations
4,000+

Vulnerability
Cross Site Scripting (XSS)

Patched in Version
1.9.1

Severity Score
Medium

The vulnerability has been patched, so you should update to version 1.9.1.

Spiffy Calendar

Product image for Spiffy Calendar.

Plugin Slug
spiffy-calendar

Installations
3,000+

Vulnerability
Cross Site Scripting (XSS)

Patched in Version
4.9.4

Severity Score
Medium

The vulnerability has been patched, so you should update to version 4.9.4.

Stagtools

Product image for StagTools.

Plugin Slug
stagtools

Installations
3,000+

Vulnerability
Cross Site Scripting (XSS)

Patched in Version
2.3.7

Severity Score
Medium

The vulnerability has been patched, so you should update to version 2.3.7.

WP EasyPay

Product image for WP EasyPay – Square for WordPress.

Plugin Slug
wp-easy-pay

Installations
3,000+

Vulnerability
Cross Site Scripting (XSS)

Patched in Version
4.1

Severity Score
High

The vulnerability has been patched, so you should update to version 4.1.

TK Google Fonts GDPR Compliant

Product image for TK Google Fonts GDPR Compliant.

Plugin Slug
tk-google-fonts

Installations
2,000+

Vulnerability
Broken Access Control

Patched in Version
2.2.8

Severity Score
Medium

The vulnerability has been patched, so you should update to version 2.2.8.

WP Inventory Manager

Product image for WP Inventory Manager.

Plugin Slug
wp-inventory-manager

Installations
2,000+

Vulnerability
Cross Site Scripting (XSS)

Patched in Version
2.1.0.13

Severity Score
High

The vulnerability has been patched, so you should update to version 2.1.0.13.

WP Directory Kit

Product image for WP Directory Kit.

Plugin Slug
wpdirectorykit

Installations
2,000+

Vulnerability
Cross Site Request Forgery (CSRF)

Patched in Version
1.2.2

Severity Score
Medium

The vulnerability has been patched, so you should update to version 1.2.2.

WP Directory Kit

Product image for WP Directory Kit.

Plugin Slug
wpdirectorykit

Installations
2,000+

Vulnerability
Broken Access Control

Patched in Version
1.2.3

Severity Score
Medium

The vulnerability has been patched, so you should update to version 1.2.3.

Albo Pretorio On line

Product image for Albo Pretorio On line.

Plugin Slug
albo-pretorio-on-line

Installations
1,000+

Vulnerability
Cross Site Scripting (XSS)

Patched in Version
4.6.4

Severity Score
High

The vulnerability has been patched, so you should update to version 4.6.4.

Albo Pretorio On line

Product image for Albo Pretorio On line.

Plugin Slug
albo-pretorio-on-line

Installations
1,000+

Vulnerability
Cross Site Scripting (XSS)

Patched in Version
4.6.4

Severity Score
High

The vulnerability has been patched, so you should update to version 4.6.4.

Contact Form 7 extension for Google Map fields

Plugin Slug
cf7-google-map

Installations
1,000+

Vulnerability
Cross Site Scripting (XSS)

Patched in Version
1.8.4

Severity Score
High

The vulnerability has been patched, so you should update to version 1.8.4.

Photo Gallery by Ays

Product image for Photo Gallery by Ays – Responsive Image Gallery.

Plugin Slug
gallery-photo-gallery

Installations
1,000+

Vulnerability
Cross Site Scripting (XSS)

Patched in Version
5.1.4

Severity Score
High

The vulnerability has been patched, so you should update to version 5.1.4.

TP Education

Product image for TP Education.

Plugin Slug
tp-education

Installations
1,000+

Vulnerability
Cross Site Scripting (XSS)

Patched in Version
4.5

Severity Score
Medium

The vulnerability has been patched, so you should update to version 4.5.

WP Docs

Product image for WP Docs.

Plugin Slug
wp-docs

Installations
1,000+

Vulnerability
Cross Site Scripting (XSS)

Patched in Version
2.0.0

Severity Score
High

The vulnerability has been patched, so you should update to version 2.0.0.

WPPizza – A Restaurant Plugin

Product image for WPPizza – A Restaurant Plugin.

Plugin Slug
wppizza

Installations
1,000+

Vulnerability
Cross Site Scripting (XSS)

Patched in Version
3.17.2

Severity Score
High

The vulnerability has been patched, so you should update to version 3.17.2.

WP SMTP Mailing Queue

Plugin Slug
smtp-mailing-queue

Installations
900+

Vulnerability
Cross Site Scripting (XSS)

Patched in Version
2.0.1

Severity Score
Medium

The vulnerability has been patched, so you should update to version 2.0.1.

Library Viewer

Product image for Library Viewer.

Plugin Slug
library-viewer

Installations
400+

Vulnerability
Cross Site Scripting (XSS)

Patched in Version
2.0.6.1

Severity Score
Medium

The vulnerability has been patched, so you should update to version 2.0.6.1.

Library Viewer

Product image for Library Viewer.

Plugin Slug
library-viewer

Installations
400+

Vulnerability
Open Redirection

Patched in Version
2.0.6.1

Severity Score
Medium

The vulnerability has been patched, so you should update to version 2.0.6.1.

Hostel

Product image for Hostel.

Plugin Slug
hostel

Installations
80+

Vulnerability
Cross Site Scripting (XSS)

Patched in Version
1.1.5.2

Severity Score
Medium

The vulnerability has been patched, so you should update to version 1.1.5.2.

Advanced Custom Fields Pro

Plugin
Advanced Custom Fields PRO

Plugin Slug
advanced-custom-fields-pro

Vulnerability
Cross Site Scripting (XSS)

Patched in Version
6.1.6

Severity Score
High

The vulnerability has been patched, so you should update to version 6.1.6.

Advanced Custom Fields Pro

Plugin
Advanced Custom Fields PRO

Plugin Slug
advanced-custom-fields-pro

Vulnerability
PHP Object Injection

Patched in Version
6.1.0

Severity Score
Medium

The vulnerability has been patched, so you should update to version 6.1.0.

tagDiv Composer

Plugin
tagDiv Composer

Plugin Slug
td-composer

Vulnerability
Cross Site Scripting (XSS)

Patched in Version
4.0

Severity Score
High

The vulnerability has been patched, so you should update to version 4.0.

WordPress Plugin Vulnerabilities – No Known Fix

This section contains plugin vulnerabilities with no known fix. Until a patch is available, you are advised to deactivate the plugin, at minimum, immediately. If there is a high risk of active exploits or the plugin remains unpatched for weeks, you are advised to delete the plugin. You should also delete persistently unpatched plugins the WordPress.org repository has locked and marked “Closed” so they can no longer be downloaded and installed.

Easy Appointments

Product image for Easy Appointments.

Plugin Slug
easy-appointments

Installations
20,000+

Vulnerability
Cross Site Request Forgery (CSRF)

Patched in Version
No Fix

Severity Score
Medium

The vulnerability has not been patched. You should deactivate the plugin.

Points and Rewards for WooCommerce

Product image for Points and Rewards for WooCommerce – Create Loyalty Programs, Reward Customer Purchases, Referral Points & Redemptions.

Plugin Slug
points-and-rewards-for-woocommerce

Installations
6,000+

Vulnerability
Broken Access Control

Patched in Version
No Fix

Severity Score
Medium

The vulnerability has not been patched. You should deactivate the plugin.

Points and Rewards for WooCommerce

Product image for Points and Rewards for WooCommerce – Create Loyalty Programs, Reward Customer Purchases, Referral Points & Redemptions.

Plugin Slug
points-and-rewards-for-woocommerce

Installations
6,000+

Vulnerability
Settings Change

Patched in Version
No Fix

Severity Score
Medium

The vulnerability has not been patched. You should deactivate the plugin.

Community by PeepSo

Product image for Community by PeepSo – Social Network, Membership, Registration, User Profiles.

Plugin Slug
peepso-core

Installations
4,000+

Vulnerability
Sensitive Data Exposure

Patched in Version
No Fix

Severity Score
Medium

The vulnerability has not been patched. You should deactivate the plugin.

Cryptocurrency Payment & Donation Box

Product image for Cryptocurrency Payment & Donation Box – Accept Payments in any Cryptocurrency on your WP Site for Free.

Plugin Slug
cryptocurrency-donation-box

Installations
3,000+

Vulnerability
SQL Injection

Patched in Version
No Fix

Severity Score
Medium

The vulnerability has not been patched. You should deactivate the plugin.

WP Job Portal

Product image for WP Job Portal – A Complete Job Board.

Plugin Slug
wp-job-portal

Installations
3,000+

Vulnerability
Other Vulnerability Type

Patched in Version
No Fix

Severity Score
Medium

The vulnerability has not been patched. You should deactivate the plugin.

Multi Rating

Product image for Multi Rating.

Plugin Slug
multi-rating

Installations
2,000+

Vulnerability
Cross Site Scripting (XSS)

Patched in Version
No Fix

Severity Score
Medium

The vulnerability has not been patched. You should deactivate the plugin.

Multi Rating

Product image for Multi Rating.

Plugin Slug
multi-rating

Installations
2,000+

Vulnerability
Other Vulnerability Type

Patched in Version
No Fix

Severity Score
Medium

The vulnerability has not been patched. You should deactivate the plugin.

Multi Rating

Product image for Multi Rating.

Plugin Slug
multi-rating

Installations
2,000+

Vulnerability
Cross Site Request Forgery (CSRF)

Patched in Version
No Fix

Severity Score
Medium

The vulnerability has not been patched. You should deactivate the plugin.

Booking Ultra Pro Appointments

Product image for Booking Ultra Pro Appointments Booking Calendar Plugin.

Plugin Slug
booking-ultra-pro

Installations
1,000+

Vulnerability
Cross Site Scripting (XSS)

Patched in Version
No Fix

Severity Score
High

The vulnerability has not been patched. You should deactivate the plugin.

REST API TO MiniProgram

Product image for REST API TO MiniProgram.

Plugin Slug
rest-api-to-miniprogram

Installations
1,000+

Vulnerability
Arbitrary Content Deletion

Patched in Version
No Fix

Severity Score
Medium

The vulnerability has not been patched. You should deactivate the plugin.

Tiempo.com

Plugin Slug
tiempocom

Installations
600+

Vulnerability
Cross Site Request Forgery (CSRF)

Patched in Version
No Fix

Severity Score
Medium

The vulnerability has not been patched. You should deactivate the plugin.

Tiempo.com

Plugin Slug
tiempocom

Installations
600+

Vulnerability
Cross Site Scripting (XSS)

Patched in Version
No Fix

Severity Score
High

The vulnerability has not been patched. You should deactivate the plugin.

Tiempo.com

Plugin Slug
tiempocom

Installations
600+

Vulnerability
Cross Site Scripting (XSS)

Patched in Version
No Fix

Severity Score
High

The vulnerability has not been patched. You should deactivate the plugin.

Manager for Icommon

Product image for Manager for Icomoon.

Plugin Slug
manager-for-icomoon

Installations
500+

Vulnerability
Cross Site Scripting (XSS)

Patched in Version
No Fix

Severity Score
Medium

The vulnerability has not been patched. You should deactivate the plugin.

Manager for Icommon

Product image for Manager for Icomoon.

Plugin Slug
manager-for-icomoon

Installations
500+

Vulnerability
Arbitrary File Upload

Patched in Version
No Fix

Severity Score
Critical

The vulnerability has not been patched. You should deactivate the plugin.

WP Abstracts

Product image for WP Abstracts.

Plugin Slug
wp-abstracts-manuscripts-manager

Installations
400+

Vulnerability
Cross Site Scripting (XSS)

Patched in Version
No Fix

Severity Score
High

The vulnerability has not been patched. You should deactivate the plugin.

UserAgent-Spy

Plugin Slug
useragent-spy

Installations
10+

Vulnerability
Cross Site Scripting (XSS)

Patched in Version
No Fix

Severity Score
Medium

The vulnerability has not been patched. You should deactivate the plugin.

WordPress Theme Vulnerabilities

In this section, you’ll find the latest WordPress theme vulnerabilities to be disclosed. You’ll see the same information provided above for vulnerable plugins, and the same advice applies. If a security update exists, install it immediately. If a vulnerability remains unpatched in a theme you are actively using, you will need to find an alternative theme. Deactivate and delete persistently unpatched themes and those that have been “Closed” in the WordPress.org theme repository. If you have a vulnerable theme installed that you are not actively using, simply delete it.

Editorialmag

Product image for Editorialmag.

Theme Slug
editorialmag

Downloads
81,155

Vulnerability
Broken Authentication

Patched in Version
No Fix

Severity Score
Medium

The vulnerability has not been patched. You should switch themes.

JupiterX

Theme
JupiterX

Theme Slug
jupiterx

Vulnerability
Local File Inclusion

Patched in Version
3.1.0

Severity Score
High

The vulnerability has been patched, so you should update to version 3.1.0.

TheGem (Elementor)

Theme
TheGem

Theme Slug
thegem

Vulnerability
Cross Site Scripting (XSS)

Patched in Version
5.8.1.1

Severity Score
Medium

The vulnerability has been patched, so you should update to version 5.8.1.1.

TheGem (Elementor)

Theme
TheGem

Theme Slug
thegem

Vulnerability
Broken Access Control

Patched in Version
5.8.1.1

Severity Score
Medium

The vulnerability has been patched, so you should update to version 5.8.1.1.

TheGem (WPBakery)

Theme
TheGem

Theme Slug
thegem

Vulnerability
Broken Access Control

Patched in Version
5.8.1.1

Severity Score
Medium

The vulnerability has been patched, so you should update to version 5.8.1.1.

TheGem (WPBakery)

Theme
TheGem

Theme Slug
thegem

Vulnerability
Cross Site Scripting (XSS)

Patched in Version
5.8.1.1

Severity Score
Medium

The vulnerability has been patched, so you should update to version 5.8.1.1.
Dan Knauss

Dan Knauss is StellarWP’s Technical Content Generalist. He’s been a writer, teacher, and freelancer working in open source since the late 1990s and with WordPress since 2004.

Source link

Written by:
Abdul Wahid
Published on:
May 11, 2023

Categories: Woocommerce

Primary Sidebar

Wordpress

  • Content Management Systems (2)
  • Digital Marketing (4)
  • Internet Marketing (6)
  • Latest News (458)
  • Online Business (2)
  • Plugins (519)
  • Themes (521)
  • Videos (1,350)
  • Website Development (1)
  • Woocommerce (589)
  • WordPress (6)

Recent Articles

Unlock Your Internet Marketing Success with WordPress: The Ultimate CMS for Achieving Online Goals

WordPress: A Powerhouse for Achieving Internet …

Continue Reading about Unlock Your Internet Marketing Success with WordPress: The Ultimate CMS for Achieving Online Goals

Unlock Your Internet Marketing Potential with WordPress: A Comprehensive Guide

How to Use WordPress to Achieve Your Internet …

Continue Reading about Unlock Your Internet Marketing Potential with WordPress: A Comprehensive Guide

Search our site

Explore more

Get our Wordpress Guide Get Plugins Get Connected

Footer

VirusWord by Promaps, Inc.

Barnes Place
Colombo 7, Western 00700

Copyright © 2025 · Promaps, Inc.

Keep In Touch

  • Email
  • Facebook
  • Instagram
  • Pinterest
  • Twitter