WordPress Vulnerability Report – October 11, 2023

Since last week, 101 new plugin vulnerabilities emerged. 42 have security patches. 59 do not. Not to worry — our firewall has you covered.

Dan Knauss

Updated:Oct 25, 2023

Published:Oct 11, 2023

Filed Under:WordPress Security

Reading Time:1 min.

Between last Monday (October 2) and Monday this week (October 9), 101 new vulnerabilities were publicly disclosed.¹ They may affect nearly two million WordPress sites. There are 42 plugin vulnerabilities with security patches, so run those updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Additionally, there are 59 plugin vulnerabilities with no patch available yet. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall with virtual patches from Patchstack. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

This report comes out on Wednesdays and covers the last seven days of public disclosures in the Patchstack vulnerability database from the previous to the current Monday. It excludes any vulnerabilities added to the database in the last 48 hours. However, that up-to-the-minute vulnerability data powers Solid Security Pro. Solid Security Pro automatically protects WordPress sites from active exploits aimed at unpatched vulnerabilities. ↩︎

1. WordPress Core Vulnerabilities
2. WordPress Plugin Vulnerabilities (59 Unpatched / 42 Patched)

2.1 Contact Form builder with drag & drop for WordPress – Kali Forms
2.2 Contact Form by Supsystic
2.3 Video Gallery – Best WordPress YouTube Gallery Plugin
2.4 WP Custom Widget area
2.5 Export All Posts, Products, Orders, Refunds & Users
2.6 WP Power Stats
2.7 Simple SEO
2.8 WP Forms Puzzle Captcha
2.9 Post View Count
2.10 Pinpoint Booking System – #1 WordPress Booking Plugin
2.11 Complete Open Graph
2.12 AI Content Writing Assistant (Content Writer, GPT 3 & 4, ChatGPT, Image Generator) All in One
2.13 Sp*tify Play Button for WordPress
2.14 Permalinks Customizer
2.15 Urvanov Syntax Highlighter
2.16 WooCommerce Login Redirect
2.17 GoodBarber
2.18 Gumroad
2.19 ShortCodes UI
2.20 Short URL
2.21 Social Feed | Custom Feed for Social Media Networks
2.22 Blog Manager Light
2.23 WooODT Lite – WooCommerce Order Delivery or Pickup with Date Time Location
2.24 canvasio3D Light
2.25 Contact Form Generator : Creative form builder for WordPress
2.26 Copy or Move Comments
2.27 Ebook Store
2.28 Hitsteps Web Analytics
2.29 Hitsteps Web Analytics
2.30 Interactive World Map
2.31 LeadSquared Suite
2.32 Mailrelay
2.33 OPcache Dashboard
2.34 Order auto complete for WooCommerce
2.35 SendPulse Free Web Push
2.36 Social proof testimonials and reviews by Repuso
2.37 Timely Booking Button
2.38 WhitePage
2.39 IRivYou – Add reviews from AliExpress and Amazon to woocommerce
2.40 Sharkdropship for AliExpress Dropship and Affiliate
2.41 WordPress Simple HTML Sitemap
2.42 Image vertical reel scroll slideshow
2.43 Stout Google Calendar
2.44 Category Meta plugin
2.45 User Location and IP
2.46 Fotomoto
2.47 Mendeley Plugin
2.48 Publish Confirm Message
2.49 AmpedSense – AdSense Split Tester
2.50 Automated Editor
2.51 Dropshipping & Affiliation with Amazon
2.52 Woo Custom Emails
2.53 Slick Contact Forms
2.54 WP Responsive header image slide
2.55 Product Category Tree
2.56 Pressference Exporter
2.57 Instagram for WordPress
2.58 Hotjar
2.59 Contact form Form For All
2.60 POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress
2.61 Redirection for Contact Form 7
2.62 WordPress Popular Posts
2.63 Paid Membership Plugin, Ecommerce, Registration Form, Login Form, User Profile & Restrict Content – ProfilePress
2.64 Media Library Assistant
2.65 Customer Reviews for WooCommerce
2.66 Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder
2.67 Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder
2.68 Booster for WooCommerce
2.69 Abandoned Cart Lite for WooCommerce
2.70 WP Custom Admin Interface
2.71 WP Job Openings – Job Listing, Career Page and Recruitment Plugin
2.72 User Submitted Posts – Enable Users to Submit Posts from the Front End
2.73 WP User Frontend – Registration, User Profile, Membership, Content Restriction, User Directory, and Frontend Post Submission Plugin
2.74 Advanced Page Visit Counter – Most Wanted Analytics Plugin for WordPress
2.75 Bold Timeline Lite
2.76 10Web Map Builder for Google Maps
2.77 bbp style pack
2.78 Blog Filter – Advanced Post Filtering with Categories Or Tags, Post Portfolio Gallery, Blog Design Template, Post Layout
2.79 Podcast Subscribe Buttons
2.80 Seriously Simple Stats
2.81 Seriously Simple Stats
2.82 WOLF – WordPress Posts Bulk Editor and Manager Professional
2.83 GEO my WordPress
2.84 Connect to external APIs – WPGetAPI
2.85 Captcha/Honeypot (CF7, Avada, Elementor, Comments, WPForms) – GDPR ready
2.86 AI ChatBot
2.87 MStore API
2.88 Smart Cookie Kit
2.89 ProductX – WooCommerce Builder & Gutenberg WooCommerce Blocks
2.90 WP Content Pilot – Autoblogging & Affiliate Marketing Plugin
2.91 affiliate-toolkit – WordPress Affiliate Plugin
2.92 Open User Map
2.93 Profile Extra Fields by BestWebSoft
2.94 WP Bing Map Pro
2.95 BuddyMeet
2.96 Bulk NoIndex & NoFollow Toolkit
2.97 Geo Controller
2.98 YouTube Playlist Player
2.99 Comment Reply Email
2.100 WP Mail SMTP Pro
2.101 Optimize Database after Deleting Revisions

3. WordPress Theme Vulnerabilities

WordPress Core Vulnerabilities

WordPress Plugin Vulnerabilities (59 Unpatched / 42 Patched)

Plugin:: Contact Form builder with drag & drop for WordPress – Kali Forms
Plugin Slug:: kali-forms
Installations:: 30,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-45275

Plugin:: Contact Form by Supsystic
Plugin Slug:: contact-form-by-supsystic
Installations:: 10,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-45068

Plugin:: Video Gallery – Best WordPress YouTube Gallery Plugin
Plugin Slug:: gallery-videos
Installations:: 10,000+
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-45069

Plugin:: WP Custom Widget area
Plugin Slug:: wp-custom-widget-area
Installations:: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-45045

Plugin:: Export All Posts, Products, Orders, Refunds & Users
Plugin Slug:: wp-ultimate-exporter
Installations:: 10,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-2487

Plugin:: WP Power Stats
Plugin Slug:: wp-power-stats
Installations:: 9,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-45011

Plugin:: Simple SEO
Plugin Slug:: cds-simple-seo
Installations:: 8,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-45269

Plugin:: WP Forms Puzzle Captcha
Plugin Slug:: wp-forms-puzzle-captcha
Installations:: 7,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-44997

Plugin:: Post View Count
Plugin Slug:: wp-simple-post-view
Installations:: 6,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-44996

Plugin:: Pinpoint Booking System – #1 WordPress Booking Plugin
Plugin Slug:: booking-system
Installations:: 5,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-45270

Plugin:: Complete Open Graph
Plugin Slug:: complete-open-graph
Installations:: 5,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-45010

Plugin:: AI Content Writing Assistant (Content Writer, GPT 3 & 4, ChatGPT, Image Generator) All in One
Plugin Slug:: ai-content-writing-assistant
Installations:: 4,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-45063

Plugin:: Sp*tify Play Button for WordPress
Plugin Slug:: spotify-play-button-for-wordpress
Installations:: 4,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-41131

Plugin:: Permalinks Customizer
Plugin Slug:: permalinks-customizer
Installations:: 3,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-45103

Plugin:: Urvanov Syntax Highlighter
Plugin Slug:: urvanov-syntax-highlighter
Installations:: 3,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-45106

Plugin:: WooCommerce Login Redirect
Plugin Slug:: woo-login-redirect
Installations:: 3,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-44995

Plugin:: GoodBarber
Plugin Slug:: goodbarber
Installations:: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-45107

Plugin:: Gumroad
Plugin Slug:: gumroad
Installations:: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-45059

Plugin:: ShortCodes UI
Plugin Slug:: shortcodes-ui
Installations:: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-44994

Plugin:: Short URL
Plugin Slug:: shorten-url
Installations:: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-45058

Plugin:: Social Feed | Custom Feed for Social Media Networks
Plugin Slug:: wp-social-feed
Installations:: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-45003

Plugin:: Blog Manager Light
Plugin Slug:: blog-manager-light
Installations:: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-45102

Plugin:: WooODT Lite – WooCommerce Order Delivery or Pickup with Date Time Location
Plugin Slug:: byconsole-woo-order-delivery-time
Installations:: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-45006

Plugin:: canvasio3D Light
Plugin Slug:: canvasio3d-light
Installations:: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-45062

Plugin:: Contact Form Generator : Creative form builder for WordPress
Plugin Slug:: contact-form-generator
Installations:: 1,000+
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-35911

Plugin:: Copy or Move Comments
Plugin Slug:: copy-or-move-comments
Installations:: 1,000+
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-28748

Plugin:: Ebook Store
Plugin Slug:: ebook-store
Installations:: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-45602

Plugin:: Hitsteps Web Analytics
Plugin Slug:: hitsteps-visitor-manager
Installations:: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-45268

Plugin:: Hitsteps Web Analytics
Plugin Slug:: hitsteps-visitor-manager
Installations:: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-45057

Plugin:: Interactive World Map
Plugin Slug:: interactive-world-map
Installations:: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-45060

Plugin:: LeadSquared Suite
Plugin Slug:: leadsquared-suite
Installations:: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-45047

Plugin:: Mailrelay
Plugin Slug:: mailrelay
Installations:: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-45108

Plugin:: OPcache Dashboard
Plugin Slug:: opcache
Installations:: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-45064

Plugin:: Order auto complete for WooCommerce
Plugin Slug:: order-auto-complete-for-woocommerce
Installations:: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-45072

Plugin:: SendPulse Free Web Push
Plugin Slug:: sendpulse-web-push
Installations:: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-45274

Plugin:: Social proof testimonials and reviews by Repuso
Plugin Slug:: social-testimonials-and-reviews-widget
Installations:: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-45048

Plugin:: Timely Booking Button
Plugin Slug:: timely-booking-button
Installations:: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-44987

Plugin:: WhitePage
Plugin Slug:: white-page-publication
Installations:: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-45109

Plugin:: IRivYou – Add reviews from AliExpress and Amazon to woocommerce
Plugin Slug:: wooreviews-importer
Installations:: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-45267

Plugin:: Sharkdropship for AliExpress Dropship and Affiliate
Plugin Slug:: wooshark-aliexpress-importer
Installations:: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-30870

Plugin:: WordPress Simple HTML Sitemap
Plugin Slug:: wp-simple-html-sitemap
Installations:: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-45067

Plugin:: Image vertical reel scroll slideshow
Plugin Slug:: image-vertical-reel-scroll-slideshow
Installations:: 800+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-45051

Plugin:: Stout Google Calendar
Plugin Slug:: stout-google-calendar
Installations:: 800+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-45273

Plugin:: Category Meta plugin
Plugin Slug:: wp-category-meta
Installations:: 800+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-44998

Plugin:: User Location and IP
Plugin Slug:: user-location-and-ip
Installations:: 600+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-31217

Plugin:: Fotomoto
Plugin Slug:: fotomoto
Installations:: 400+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-45007

Plugin:: Mendeley Plugin
Plugin Slug:: mendeleyplugin
Installations:: 300+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-45073

Plugin:: Publish Confirm Message
Plugin Slug:: publish-confirm-message
Installations:: 100+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-32124

Plugin:: AmpedSense – AdSense Split Tester
Plugin Slug:: ampedsense-adsense-split-tester
Installations:: 80+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-25476

Plugin:: Automated Editor
Plugin Slug:: automated-editor
Installations:: 10+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-45276

Plugin:: Dropshipping & Affiliation with Amazon
Plugin Slug:: wp-amazon-shop
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2023-31215

Plugin:: Woo Custom Emails
Plugin Slug:: woo-custom-emails
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-45004

Plugin:: Slick Contact Forms
Plugin Slug:: slick-contact-forms
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-5468

Plugin:: WP Responsive header image slide
Plugin Slug:: responsive-header-image-slider
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-5334

Plugin:: Product Category Tree
Plugin Slug:: product-category-tree
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-45054

Plugin:: Pressference Exporter
Plugin Slug:: pressference-exporter
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-45046

Plugin:: Instagram for WordPress
Plugin Slug:: instagram-for-wordpress
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-5357

Plugin:: Hotjar
Plugin Slug:: hotjar
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-1259

Plugin:: Contact form Form For All
Plugin Slug:: formforall
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-5337

Plugin:: POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress
Plugin Slug:: post-smtp
Installations:: 300,000+
Vulnerability:: SQL Injection
Patched in Version:: 2.6.1
Severity Score:: High

Plugin:: Redirection for Contact Form 7
Plugin Slug:: wpcf7-redirect
Installations:: 300,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.0.0
Severity Score:: High
CVE:: 2023-39920

Plugin:: WordPress Popular Posts
Plugin Slug:: wordpress-popular-posts
Installations:: 200,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.3.3
Severity Score:: Medium
CVE:: 2023-45607

Plugin:: Paid Membership Plugin, Ecommerce, Registration Form, Login Form, User Profile & Restrict Content – ProfilePress
Plugin Slug:: wp-user-avatar
Installations:: 200,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 4.13.3
Severity Score:: High
CVE:: 2023-44150

Plugin:: Media Library Assistant
Plugin Slug:: media-library-assistant
Installations:: 70,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.12
Severity Score:: Medium
CVE:: 2023-24385

Plugin:: Customer Reviews for WooCommerce
Plugin Slug:: customer-reviews-woocommerce
Installations:: 60,000+
Vulnerability:: Broken Access Control
Patched in Version:: 5.36.1
Severity Score:: Medium
CVE:: 2023-45101

Plugin:: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder
Plugin Slug:: form-maker
Installations:: 60,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.15.19
Severity Score:: High
CVE:: 2023-45071

Plugin:: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder
Plugin Slug:: form-maker
Installations:: 60,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.15.19
Severity Score:: High
CVE:: 2023-45070

Plugin:: Booster for WooCommerce
Plugin Slug:: woocommerce-jetpack
Installations:: 60,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 7.1.2
Severity Score:: Medium
CVE:: 2023-40002

Plugin:: Abandoned Cart Lite for WooCommerce
Plugin Slug:: woocommerce-abandoned-cart
Installations:: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.16.0
Severity Score:: Medium
CVE:: 2023-44986

Plugin:: WP Custom Admin Interface
Plugin Slug:: wp-custom-admin-interface
Installations:: 30,000+
Vulnerability:: Broken Access Control
Patched in Version:: 7.33
Severity Score:: Medium
CVE:: 2023-44988

Plugin:: WP Job Openings – Job Listing, Career Page and Recruitment Plugin
Plugin Slug:: wp-job-openings
Installations:: 30,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.4.2
Severity Score:: Medium
CVE:: 2023-45061

Plugin:: User Submitted Posts – Enable Users to Submit Posts from the Front End
Plugin Slug:: user-submitted-posts
Installations:: 20,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 20230914
Severity Score:: Critical
CVE:: 2023-45603

Plugin:: WP User Frontend – Registration, User Profile, Membership, Content Restriction, User Directory, and Frontend Post Submission Plugin
Plugin Slug:: wp-user-frontend
Installations:: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.6.9
Severity Score:: Medium
CVE:: 2023-45002

Plugin:: Advanced Page Visit Counter – Most Wanted Analytics Plugin for WordPress
Plugin Slug:: advanced-page-visit-counter
Installations:: 10,000+
Vulnerability:: SQL Injection
Patched in Version:: 8.0.1
Severity Score:: High
CVE:: 2023-45074

Plugin:: Bold Timeline Lite
Plugin Slug:: bold-timeline-lite
Installations:: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.2.0
Severity Score:: Medium
CVE:: 2023-45110

Plugin:: 10Web Map Builder for Google Maps
Plugin Slug:: wd-google-maps
Installations:: 9,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.0.74
Severity Score:: Medium
CVE:: 2023-45272

Plugin:: bbp style pack
Plugin Slug:: bbp-style-pack
Installations:: 8,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.6.8
Severity Score:: Medium
CVE:: 2023-44984

Plugin:: Blog Filter – Advanced Post Filtering with Categories Or Tags, Post Portfolio Gallery, Blog Design Template, Post Layout
Plugin Slug:: blog-filter
Installations:: 8,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.5.4
Severity Score:: Medium
CVE:: 2023-5291

Plugin:: Podcast Subscribe Buttons
Plugin Slug:: podcast-subscribe-buttons
Installations:: 7,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.4.9
Severity Score:: Medium
CVE:: 2023-5308

Plugin:: Seriously Simple Stats
Plugin Slug:: seriously-simple-stats
Installations:: 6,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.5.1
Severity Score:: High
CVE:: 2023-45001

Plugin:: Seriously Simple Stats
Plugin Slug:: seriously-simple-stats
Installations:: 6,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.5.2
Severity Score:: High
CVE:: 2023-45005

Plugin:: WOLF – WordPress Posts Bulk Editor and Manager Professional
Plugin Slug:: bulk-editor
Installations:: 5,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.0.7.2
Severity Score:: Medium
CVE:: 2023-44990

Plugin:: GEO my WordPress
Plugin Slug:: geo-my-wp
Installations:: 5,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.0.1
Severity Score:: Medium
CVE:: 2023-5467

Plugin:: Connect to external APIs – WPGetAPI
Plugin Slug:: wpgetapi
Installations:: 5,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.2.2
Severity Score:: Medium

Plugin:: Captcha/Honeypot (CF7, Avada, Elementor, Comments, WPForms) – GDPR ready
Plugin Slug:: captcha-for-contact-form-7
Installations:: 4,000+
Vulnerability:: Bypass Vulnerability
Patched in Version:: 1.11.4
Severity Score:: Medium
CVE:: 2023-45009

Plugin:: AI ChatBot
Plugin Slug:: chatbot
Installations:: 4,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 4.7.9
Severity Score:: Medium
CVE:: 2023-44993

Plugin:: MStore API
Plugin Slug:: mstore-api
Installations:: 4,000+
Vulnerability:: SQL Injection
Patched in Version:: 4.0.7
Severity Score:: High
CVE:: 2023-45055

Plugin:: Smart Cookie Kit
Plugin Slug:: smart-cookie-kit
Installations:: 4,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.3.2
Severity Score:: Medium
CVE:: 2023-45608

Plugin:: ProductX – WooCommerce Builder & Gutenberg WooCommerce Blocks
Plugin Slug:: product-blocks
Installations:: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.0.0
Severity Score:: Medium
CVE:: 2023-45271

Plugin:: WP Content Pilot – Autoblogging & Affiliate Marketing Plugin
Plugin Slug:: wp-content-pilot
Installations:: 3,000+
Vulnerability:: Content Injection
Patched in Version:: 1.3.4
Severity Score:: Medium
CVE:: 2023-45053

Plugin:: affiliate-toolkit – WordPress Affiliate Plugin
Plugin Slug:: affiliate-toolkit-starter
Installations:: 2,000+
Vulnerability:: Open Redirection
Patched in Version:: 3.4.0
Severity Score:: Medium
CVE:: 2023-45105

Plugin:: Open User Map
Plugin Slug:: open-user-map
Installations:: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.27
Severity Score:: Medium
CVE:: 2023-45056

Plugin:: Profile Extra Fields by BestWebSoft
Plugin Slug:: profile-extra-fields
Installations:: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.2.8
Severity Score:: Medium
CVE:: 2023-4469

Plugin:: WP Bing Map Pro
Plugin Slug:: api-bing-map-2018
Installations:: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 5.0
Severity Score:: Medium
CVE:: 2023-45052

Plugin:: BuddyMeet
Plugin Slug:: buddymeet
Installations:: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.3.0
Severity Score:: Medium
CVE:: 2023-44985

Plugin:: Bulk NoIndex & NoFollow Toolkit
Plugin Slug:: bulk-noindex-nofollow-toolkit-by-mad-fish
Installations:: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.5
Severity Score:: High
CVE:: 2023-45065

Plugin:: Geo Controller
Plugin Slug:: cf-geoplugin
Installations:: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 8.5.3
Severity Score:: Medium

Plugin:: YouTube Playlist Player
Plugin Slug:: youtube-playlist-player
Installations:: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.6.8
Severity Score:: Medium
CVE:: 2023-45049

Plugin:: Comment Reply Email
Plugin Slug:: comment-reply-email
Installations:: 500+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.0.4
Severity Score:: Medium
CVE:: 2023-45008

Plugin:: WP Mail SMTP Pro
Plugin Slug:: wp-mail-smtp-pro
Vulnerability:: Broken Access Control
Patched in Version:: 3.8.1
Severity Score:: Medium
CVE:: 2023-3213

Plugin:: Optimize Database after Deleting Revisions
Plugin Slug:: rvg-optimize-database
Vulnerability:: Broken Access Control
Patched in Version:: 5.1
Severity Score:: Medium

WordPress Theme Vulnerabilities

Solid Security is part of Solid Suite — The best foundation for WordPress websites.

Every WordPress site needs security, backups, and management tools. That’s Solid Suite — an integrated bundle of three plugins: Solid Security, Solid Backups, and Solid Central. You also get access to Solid Academy’s learning resources for WordPress professionals. Build your next WordPress website on a solid foundation with Solid Suite!

Get Solid Security

Author:

Dan Knauss

Dan Knauss has worked for and written about agencies and product companies in the WordPress space since 2015. He’s been involved in WordPress and open source web development since their beginning.

Browse all of Dan's articles

Follow Dan:

Sign up

Placeholder text

Thanks

Oops something went wrong, please try submitting again

Solid Suite

Protect

Repair

Manage

Free Plugins

Solid Suite

Academy

Solid Academy

Guides

Livestreams

Tutorials Academy

Resources

Blog

Vulnerability Report

Support

Documentation

Table of Contents

WordPress Core Vulnerabilities

WordPress Plugin Vulnerabilities (59 Unpatched / 42 Patched)

WordPress Theme Vulnerabilities

Solid Security is part of Solid Suite — The best foundation for WordPress websites.

Author:

Join us for the next Solid Academy Webinar!

What is a WordPress Phishing Attack?

Website Protection: 5 Ways to Keep Your Website Safe

23 Ideas To Grow Your WordPress Business in 2023

Author:

Sign up now — Get SolidWP updates and valuable content straight to your inbox

Sign up

Related Posts

WordPress Vulnerability Report — April 22, 2026

WordPress Vulnerability Report — April 15, 2026

WordPress Vulnerability Report — April 8, 2026

WordPress Vulnerability Report — April 1, 2026