WordPress Vulnerability Report — January 10, 2024

In this report, 106 new vulnerabilities have been publicly disclosed. Security patches for 61 of these plugins and one theme are available now, so run those updates as soon as possible. If you're a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Sarah Ulmer

Published:Jan 10, 2024

Filed Under:WordPress Vulnerability Report

Reading Time:2 min.

In this report, 106 new vulnerabilities have been publicly disclosed. Security patches for 61 of these plugins and one theme are available now, so run those updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Additionally, there are 44 plugin vulnerabilities with no patch available yet. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

Along with poor user account security, vulnerable plugins and themes are a

mong the reasons why WordPress websites get hacked. (See our Annual Vulnerability Report for 2022.) Unfortunately, cyberattacks are increasing in volume and sophistication. They’re also increasingly aimed at small to mid-sized businesses.

1. WordPress Core
2. WordPress Plugins — 61 Patched / 44 Unpatched

2.1 Nginx Helper
2.2 Contact Form 7 Extension For Mailchimp
2.3 WooCommerce Conversion Tracking
2.4 Icegram Engage – WordPress Lead Generation, Popup Builder, CTA, Optins and Email List Building
2.5 Seraphinite Accelerator
2.6 MailerLite – WooCommerce integration
2.7 MailerLite – WooCommerce integration
2.8 WP Ultimate Review
2.9 Droit Elementor Addons – Widgets, Blocks, Templates Library For Elementor Builder
2.10 RabbitLoader
2.11 Revolut Gateway for WooCommerce
2.12 Word Replacer Pro
2.13 Beds24 Online Booking
2.14 JS & CSS Script Optimizer
2.15 Advanced Flamingo
2.16 Laybuy Payment Extension for WooCommerce
2.17 Mapster WP Maps
2.18 Tagbox – UGC Galleries, Social Media Widgets, User Reviews & Analytics
2.19 HTML5 MP3 Player with Playlist Free
2.20 HTML5 SoundCloud Player with Playlist Free
2.21 Woocommerce Tranzila Payment Gateway
2.22 Gecka Terms Thumbnails
2.23 HTML5 MP3 Player with Folder Feedburner Playlist Free
2.24 Ads Invalid Click Protection
2.25 CformsII
2.26 Coupon Referral Program
2.27 CPT Bootstrap Carousel
2.28 Easy SVG Allow
2.29 1 click disable all
2.30 Footer Putter
2.31 Ideal Interactive Map
2.32 Infogram
2.33 Keap Official Opt-in Forms
2.34 Page Builder: Live Composer
2.35 oEmbed Gist
2.36 Posts to Page
2.37 Private Google Calendars
2.38 pTypeConverter
2.39 Randomize
2.40 Site Notes
2.41 TJ Shortcodes
2.42 WordPress Users
2.43 WP Plugin Lister
2.44 WP Social Bookmark Menu
2.45 WooCommerce
2.46 MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy)
2.47 ElementsKit Elementor addons
2.48 Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders
2.49 Hostinger
2.50 LightStart – Maintenance Mode, Coming Soon and Landing Page Builder
2.51 Happy Addons for Elementor
2.52 OMGF | GDPR/DSGVO Compliant, Faster Google Fonts. Easy.
2.53 Metform Elementor Contact Form Builder
2.54 POST SMTP – The #1 WordPress SMTP Plugin with Advanced Email Logging and Delivery Failure Notifications
2.55 POST SMTP – The #1 WordPress SMTP Plugin with Advanced Email Logging and Delivery Failure Notifications
2.56 POST SMTP – The #1 WordPress SMTP Plugin with Advanced Email Logging and Delivery Failure Notifications
2.57 Orbit Fox by ThemeIsle
2.58 Download Monitor
2.59 Gallery Plugin for WordPress – Envira Photo Gallery
2.60 Floating Notification Bar, Sticky Menu on Scroll, Announcement Banner, and Sticky Header for Any Theme – My Sticky Bar (formerly myStickymenu)
2.61 PowerPack Addons for Elementor (Free Widgets, Extensions and Templates)
2.62 WP Job Manager
2.63 WP Job Manager
2.64 LearnPress – WordPress LMS Plugin
2.65 LearnPress – WordPress LMS Plugin
2.66 LearnPress – WordPress LMS Plugin
2.67 Ajax Search Lite
2.68 Depicter Slider – Responsive Image Slider, Video Slider & Post Slider
2.69 EmbedPress – Embed PDF, YouTube, Google Docs, Vimeo, Wistia Videos, Audios, Maps & Any Documents in Gutenberg & Elementor
2.70 3D FlipBook – PDF Flipbook WordPress
2.71 AI Engine: Chatbots, Generators, Assistants, GPT 4 and more!
2.72 RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator
2.73 RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator
2.74 MapPress Maps for WordPress
2.75 WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels
2.76 User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor
2.77 WP 2FA – Two-factor authentication for WordPress
2.78 WP 2FA – Two-factor authentication for WordPress
2.79 Void Contact Form 7 Widget For Elementor Page Builder
2.80 Constant Contact Forms
2.81 OneClick Chat to Order
2.82 Quiz Maker
2.83 Swift SMTP (formerly Welcome Email Editor)
2.84 WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc
2.85 WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc
2.86 WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting
2.87 ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup
2.88 ActivityPub
2.89 WordPress Live Chat Plugin for WooCommerce – LiveChat
2.90 WordPress Live Chat Plugin for WooCommerce – LiveChat
2.91 Product Delivery Date for WooCommerce – Lite
2.92 Football Pool
2.93 GD Rating System
2.94 TNC PDF viewer
2.95 Simple Inventory Management – just scan barcode to manage products and orders. For WooCommerce
2.96 Simple Inventory Management – just scan barcode to manage products and orders. For WooCommerce
2.97 Rate Star Review – AJAX Reviews for Content, with Star Ratings
2.98 Booster Elite for WooCommerce
2.99 Booster Plus for WooCommerce
2.100 Booster Plus for WooCommerce
2.101 Booster Plus for WooCommerce
2.102 FooGallery Premium
2.103 Page Builder: Live Composer
2.104 MaxButtons
2.105 Oxygen Builder

3. WordPress Themes — 1 Patched / 0 Unpatched

3.1 Weaver Xtreme

Our WordPress Vulnerability Report covers the latest emerging WordPress plugin, theme, and core vulnerabilities. Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure of vulnerabilities is essential to keeping the WordPress community safe. Please share this report to help spread the word and make WordPress — and the web — more secure.

WordPress Core

WordPress 6.4.2 was released on December 6, 2023, as a short-cycle maintenance and security release with seven bug fixes and one security patch for a potential Remote Code Execution (RCE) vulnerability that is not directly exploitable in most situations. However, combined with certain vulnerabilities in third-party plugins on a multisite network, this vulnerability could be exploited and pose a high-severity risk. The 6.4.1 update will prevent PHP object injections from being chained into a potential RCE, according to details published by Patchstack.

WordPress Plugins — 61 Patched / 44 Unpatched

Plugin:: Nginx Helper
Plugin Slug:: nginx-helper
Installations:: 100,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-44992

Plugin:: Contact Form 7 Extension For Mailchimp
Plugin Slug:: contact-form-7-mailchimp-extension
Installations:: 90,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-22134

Plugin:: WooCommerce Conversion Tracking
Plugin Slug:: woocommerce-conversion-tracking
Installations:: 40,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-52217

Plugin:: Icegram Engage – WordPress Lead Generation, Popup Builder, CTA, Optins and Email List Building
Plugin Slug:: icegram
Installations:: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-21748

Plugin:: Seraphinite Accelerator
Plugin Slug:: seraphinite-accelerator
Installations:: 20,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-22138

Plugin:: MailerLite – WooCommerce integration
Plugin Slug:: woo-mailerlite
Installations:: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-52227

Plugin:: MailerLite – WooCommerce integration
Plugin Slug:: woo-mailerlite
Installations:: 20,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-52223

Plugin:: WP Ultimate Review
Plugin Slug:: wp-ultimate-review
Installations:: 10,000+
Vulnerability:: Bypass Vulnerability
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-21746

Plugin:: Droit Elementor Addons – Widgets, Blocks, Templates Library For Elementor Builder
Plugin Slug:: droit-elementor-addons
Installations:: 8,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-22136

Plugin:: RabbitLoader
Plugin Slug:: rabbit-loader
Installations:: 4,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-21751

Plugin:: Revolut Gateway for WooCommerce
Plugin Slug:: revolut-gateway-for-woocommerce
Installations:: 4,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-52224

Plugin:: Word Replacer Pro
Plugin Slug:: word-replacer-ultra
Installations:: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-52229

Plugin:: Beds24 Online Booking
Plugin Slug:: beds24-online-booking
Installations:: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-52228

Plugin:: JS & CSS Script Optimizer
Plugin Slug:: js-css-script-optimizer
Installations:: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-52216

Plugin:: Advanced Flamingo
Plugin Slug:: advanced-flamingo
Installations:: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-52226

Plugin:: Laybuy Payment Extension for WooCommerce
Plugin Slug:: laybuy-gateway-for-woocommerce
Installations:: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-21745

Plugin:: Mapster WP Maps
Plugin Slug:: mapster-wp-maps
Installations:: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-21744

Plugin:: Tagbox – UGC Galleries, Social Media Widgets, User Reviews & Analytics
Plugin Slug:: taggbox-widget
Installations:: 1,000+
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2023-52225

Plugin:: HTML5 MP3 Player with Playlist Free
Plugin Slug:: html5-mp3-player-with-playlist
Installations:: 600+
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2023-52207

Plugin:: HTML5 SoundCloud Player with Playlist Free
Plugin Slug:: html5-soundcloud-player-with-playlist
Installations:: 300+
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2023-52205

Plugin:: Woocommerce Tranzila Payment Gateway
Plugin Slug:: woo-tranzila-gateway
Installations:: 300+
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2023-52218

Plugin:: Gecka Terms Thumbnails
Plugin Slug:: gecka-terms-thumbnails
Installations:: 100+
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2023-52219

Plugin:: HTML5 MP3 Player with Folder Feedburner Playlist Free
Plugin Slug:: html5-mp3-player-with-mp3-folder-feedburner-playlist
Installations:: 90+
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2023-52202

Plugin:: Ads Invalid Click Protection
Plugin Slug:: ads-invalid-click-protection
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-52197

Plugin:: CformsII
Plugin Slug:: cforms2
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-52203

Plugin:: Coupon Referral Program
Plugin Slug:: coupon-referral-program
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-52190

Plugin:: CPT Bootstrap Carousel
Plugin Slug:: cpt-bootstrap-carousel
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-52196

Plugin:: Easy SVG Allow
Plugin Slug:: easy-svg-image-allow
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-7089

Plugin:: 1 click disable all
Plugin Slug:: first-graders-toolbox
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-21749

Plugin:: Footer Putter
Plugin Slug:: footer-putter
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-52188

Plugin:: Ideal Interactive Map
Plugin Slug:: ideal-interactive-map
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-52189

Plugin:: Infogram
Plugin Slug:: infogram
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-52191

Plugin:: Keap Official Opt-in Forms
Plugin Slug:: infusionsoft-official-opt-in-forms
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-52192

Plugin:: Page Builder: Live Composer
Plugin Slug:: live-composer-page-builder
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-52206

Plugin:: oEmbed Gist
Plugin Slug:: oembed-gist
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-52194

Plugin:: Posts to Page
Plugin Slug:: posts-to-page
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-52195

Plugin:: Private Google Calendars
Plugin Slug:: private-google-calendars
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-52198

Plugin:: pTypeConverter
Plugin Slug:: ptypeconverter
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-52201

Plugin:: Randomize
Plugin Slug:: randomize
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-52204

Plugin:: Site Notes
Plugin Slug:: site-notes
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-6633

Plugin:: TJ Shortcodes
Plugin Slug:: theme-junkie-shortcodes
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-6530

Plugin:: WordPress Users
Plugin Slug:: wordpress-users
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-6390

Plugin:: WP Plugin Lister
Plugin Slug:: wp-plugin-lister
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-6503

Plugin:: WP Social Bookmark Menu
Plugin Slug:: wp-social-bookmark-menu
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-7074

Plugin:: WooCommerce
Plugin Slug:: woocommerce
Installations:: 5,000,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 8.3.0
Severity Score:: Medium
CVE:: 2023-52222

Plugin:: MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy)
Plugin Slug:: google-analytics-for-wordpress
Installations:: 3,000,000+
Vulnerability:: Broken Access Control
Patched in Version:: 8.22.0
Severity Score:: Medium
CVE:: 2023-52220

Plugin:: ElementsKit Elementor addons
Plugin Slug:: elementskit-lite
Installations:: 1,000,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 3.0.4
Severity Score:: Medium
CVE:: 2023-6582

Plugin:: Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders
Plugin Slug:: essential-addons-for-elementor-lite
Installations:: 1,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.9.3
Severity Score:: Medium
CVE:: 2023-7044

Plugin:: Hostinger
Plugin Slug:: hostinger
Installations:: 1,000,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.9.8
Severity Score:: High
CVE:: 2023-6751

Plugin:: LightStart – Maintenance Mode, Coming Soon and Landing Page Builder
Plugin Slug:: wp-maintenance-mode
Installations:: 700,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.6.9
Severity Score:: Medium
CVE:: 2023-7019

Plugin:: Happy Addons for Elementor
Plugin Slug:: happy-elementor-addons
Installations:: 400,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.10.0
Severity Score:: Medium
CVE:: 2023-6632

Plugin:: OMGF | GDPR/DSGVO Compliant, Faster Google Fonts. Easy.
Plugin Slug:: host-webfonts-local
Installations:: 300,000+
Vulnerability:: Broken Access Control
Patched in Version:: 5.7.10
Severity Score:: High
CVE:: 2023-6600

Plugin:: Metform Elementor Contact Form Builder
Plugin Slug:: metform
Installations:: 300,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 3.8.2
Severity Score:: Medium
CVE:: 2023-6788

Plugin:: POST SMTP – The #1 WordPress SMTP Plugin with Advanced Email Logging and Delivery Failure Notifications
Plugin Slug:: post-smtp
Installations:: 300,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.8.7
Severity Score:: High
CVE:: 2023-52233

Plugin:: POST SMTP – The #1 WordPress SMTP Plugin with Advanced Email Logging and Delivery Failure Notifications
Plugin Slug:: post-smtp
Installations:: 300,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.8.8
Severity Score:: High
CVE:: 2023-7027

Plugin:: POST SMTP – The #1 WordPress SMTP Plugin with Advanced Email Logging and Delivery Failure Notifications
Plugin Slug:: post-smtp
Installations:: 300,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.8.7
Severity Score:: High
CVE:: 2023-6629

Plugin:: Orbit Fox by ThemeIsle
Plugin Slug:: themeisle-companion
Installations:: 200,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.10.27
Severity Score:: Medium
CVE:: 2023-6781

Plugin:: Download Monitor
Plugin Slug:: download-monitor
Installations:: 100,000+
Vulnerability:: SQL Injection
Patched in Version:: 4.9.5
Severity Score:: High

Plugin:: Gallery Plugin for WordPress – Envira Photo Gallery
Plugin Slug:: envira-gallery-lite
Installations:: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.8.7.3
Severity Score:: Medium
CVE:: 2023-6742

Plugin:: Floating Notification Bar, Sticky Menu on Scroll, Announcement Banner, and Sticky Header for Any Theme – My Sticky Bar (formerly myStickymenu)
Plugin Slug:: mystickymenu
Installations:: 100,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.6.7
Severity Score:: Low
CVE:: 2023-7048

Plugin:: PowerPack Addons for Elementor (Free Widgets, Extensions and Templates)
Plugin Slug:: powerpack-lite-for-elementor
Installations:: 100,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.7.14
Severity Score:: Medium
CVE:: 2023-6984

Plugin:: WP Job Manager
Plugin Slug:: wp-job-manager
Installations:: 100,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.1.0
Severity Score:: Medium
CVE:: 2023-52212

Plugin:: WP Job Manager
Plugin Slug:: wp-job-manager
Installations:: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.1.0
Severity Score:: Medium
CVE:: 2023-52211

Plugin:: LearnPress – WordPress LMS Plugin
Plugin Slug:: learnpress
Installations:: 90,000+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 4.2.5.8
Severity Score:: High
CVE:: 2023-6634

Plugin:: LearnPress – WordPress LMS Plugin
Plugin Slug:: learnpress
Installations:: 90,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 4.2.5.8
Severity Score:: Medium
CVE:: 2023-6223

Plugin:: LearnPress – WordPress LMS Plugin
Plugin Slug:: learnpress
Installations:: 90,000+
Vulnerability:: SQL Injection
Patched in Version:: 4.2.5.8
Severity Score:: Critical
CVE:: 2023-6567

Plugin:: Ajax Search Lite
Plugin Slug:: ajax-search-lite
Installations:: 80,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.11.5
Severity Score:: High
CVE:: 2024-21752

Plugin:: Depicter Slider – Responsive Image Slider, Video Slider & Post Slider
Plugin Slug:: depicter
Installations:: 80,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.0.7
Severity Score:: Medium
CVE:: 2023-6493

Plugin:: EmbedPress – Embed PDF, YouTube, Google Docs, Vimeo, Wistia Videos, Audios, Maps & Any Documents in Gutenberg & Elementor
Plugin Slug:: embedpress
Installations:: 80,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.9.6
Severity Score:: Medium
CVE:: 2023-6986

Plugin:: 3D FlipBook – PDF Flipbook WordPress
Plugin Slug:: interactive-3d-flipbook-powered-physics-engine
Installations:: 70,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.15.3
Severity Score:: Medium
CVE:: 2023-6776

Plugin:: AI Engine: Chatbots, Generators, Assistants, GPT 4 and more!
Plugin Slug:: ai-engine
Installations:: 50,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 1.9.99
Severity Score:: Critical
CVE:: 2023-51409

Plugin:: RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator
Plugin Slug:: feedzy-rss-feeds
Installations:: 50,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.3.3
Severity Score:: Low
CVE:: 2023-6798

Plugin:: RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator
Plugin Slug:: feedzy-rss-feeds
Installations:: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.3.3
Severity Score:: Medium
CVE:: 2023-6801

Plugin:: MapPress Maps for WordPress
Plugin Slug:: mappress-google-maps-for-wordpress
Installations:: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.88.14
Severity Score:: Medium
CVE:: 2023-6524

Plugin:: WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels
Plugin Slug:: print-invoices-packing-slip-labels-for-woocommerce
Installations:: 50,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.3.1
Severity Score:: Medium
CVE:: 2023-7068

Plugin:: User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor
Plugin Slug:: profile-builder
Installations:: 50,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 3.10.8
Severity Score:: Medium
CVE:: 2023-6504

Plugin:: WP 2FA – Two-factor authentication for WordPress
Plugin Slug:: wp-2fa
Installations:: 50,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 2.6.0
Severity Score:: Medium
CVE:: 2023-6506

Plugin:: WP 2FA – Two-factor authentication for WordPress
Plugin Slug:: wp-2fa
Installations:: 50,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.6.0
Severity Score:: Medium
CVE:: 2023-6520

Plugin:: Void Contact Form 7 Widget For Elementor Page Builder
Plugin Slug:: cf7-widget-elementor
Installations:: 30,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.4
Severity Score:: Medium
CVE:: 2023-52214

Plugin:: Constant Contact Forms
Plugin Slug:: constant-contact-forms
Installations:: 30,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 2.4.3
Severity Score:: Medium
CVE:: 2023-52208

Plugin:: OneClick Chat to Order
Plugin Slug:: oneclick-whatsapp-order
Installations:: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.0.6
Severity Score:: Medium

Plugin:: Quiz Maker
Plugin Slug:: quiz-maker
Installations:: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: 6.5.1.2
Severity Score:: Medium
CVE:: 2024-21743

Plugin:: Swift SMTP (formerly Welcome Email Editor)
Plugin Slug:: welcome-email-editor
Installations:: 10,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 5.0.7
Severity Score:: Medium

Plugin:: WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc
Plugin Slug:: wp-sms
Installations:: 9,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 6.5.1
Severity Score:: Medium
CVE:: 2023-6980

Plugin:: WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc
Plugin Slug:: wp-sms
Installations:: 9,000+
Vulnerability:: SQL Injection
Patched in Version:: 6.5.1
Severity Score:: High
CVE:: 2023-6981

Plugin:: WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting
Plugin Slug:: erp
Installations:: 8,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.12.9
Severity Score:: High
CVE:: 2024-21747

Plugin:: ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup
Plugin Slug:: armember-membership
Installations:: 6,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 4.0.23
Severity Score:: Critical
CVE:: 2023-52200

Plugin:: ActivityPub
Plugin Slug:: activitypub
Installations:: 5,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.0.6
Severity Score:: Medium
CVE:: 2023-52199

Plugin:: WordPress Live Chat Plugin for WooCommerce – LiveChat
Plugin Slug:: livechat-woocommerce
Installations:: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.0.14
Severity Score:: Medium

Plugin:: WordPress Live Chat Plugin for WooCommerce – LiveChat
Plugin Slug:: livechat-woocommerce
Installations:: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.2.17
Severity Score:: Medium

Plugin:: Product Delivery Date for WooCommerce – Lite
Plugin Slug:: product-delivery-date-for-woocommerce-lite
Installations:: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.7.1
Severity Score:: Medium
CVE:: 2023-52210

Plugin:: Football Pool
Plugin Slug:: football-pool
Installations:: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.11.4
Severity Score:: Medium

Plugin:: GD Rating System
Plugin Slug:: gd-rating-system
Installations:: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.5.1
Severity Score:: Medium

Plugin:: TNC PDF viewer
Plugin Slug:: pdf-viewer-by-themencode
Installations:: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.9.0
Severity Score:: Medium

Plugin:: Simple Inventory Management – just scan barcode to manage products and orders. For WooCommerce
Plugin Slug:: barcode-scanner-lite-pos-to-manage-products-inventory-and-orders
Installations:: 800+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 1.5.2
Severity Score:: Critical
CVE:: 2023-52221

Plugin:: Simple Inventory Management – just scan barcode to manage products and orders. For WooCommerce
Plugin Slug:: barcode-scanner-lite-pos-to-manage-products-inventory-and-orders
Installations:: 800+
Vulnerability:: SQL Injection
Patched in Version:: 1.5.2
Severity Score:: Critical
CVE:: 2023-52215

Plugin:: Rate Star Review – AJAX Reviews for Content, with Star Ratings
Plugin Slug:: rate-star-review
Installations:: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.5.2
Severity Score:: High
CVE:: 2023-52213

Plugin:: Booster Elite for WooCommerce
Plugin Slug:: booster-elite-for-woocommerce
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 7.1.2
Severity Score:: Medium
CVE:: 2023-52234

Plugin:: Booster Plus for WooCommerce
Plugin Slug:: booster-plus-for-woocommerce
Vulnerability:: Arbitrary Content Deletion
Patched in Version:: 7.1.2
Severity Score:: Medium
CVE:: 2023-52232

Plugin:: Booster Plus for WooCommerce
Plugin Slug:: booster-plus-for-woocommerce
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 7.1.2
Severity Score:: Medium
CVE:: 2023-52231

Plugin:: Booster Plus for WooCommerce
Plugin Slug:: booster-plus-for-woocommerce
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 7.1.3
Severity Score:: Medium
CVE:: 2023-52230

Plugin:: FooGallery Premium
Plugin Slug:: foogallery-premium
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.4.6
Severity Score:: Medium
CVE:: 2023-6747

Plugin:: Page Builder: Live Composer
Plugin Slug:: live-composer-page-builder
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.5.24
Severity Score:: Medium
CVE:: 2023-52193

Plugin:: MaxButtons
Plugin Slug:: maxbutton
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 9.7.6
Severity Score:: Medium
CVE:: 2023-6594

Plugin:: Oxygen Builder
Plugin Slug:: oxygenbuilder
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.8.1
Severity Score:: Medium
CVE:: 2023-6938

WordPress Themes — 1 Patched / 0 Unpatched

Theme:: Weaver Xtreme
Theme Slug:: weaver-xtreme
Downloads:: 494,749
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.4
Severity Score:: Medium
CVE:: 2023-6990

Author:

Sarah Ulmer

Sarah has been with SolidWP since 2015. As our product marketer, Sarah works on providing helpful content for our customers and building the most beautiful spreadsheets you’ll ever behold. When not at work, Sarah can be found at home with her husband, their three boys, and their dogs. Sarah enjoys long family walks, running with her lab, and watching her two older boys play soccer. Sarah is originally from Texas and loves watching football games (Go Longhorns!)

Browse all of Sarah's articles

Sign up

Placeholder text

Thanks

Oops something went wrong, please try submitting again

Table of Contents

WordPress Core

WordPress Plugins — 61 Patched / 44 Unpatched

WordPress Themes — 1 Patched / 0 Unpatched

Author:

Join us for the next Solid Academy Webinar!

What is a WordPress Phishing Attack?

Website Protection: 5 Ways to Keep Your Website Safe

23 Ideas To Grow Your WordPress Business in 2023

Author:

Sign up now — Get SolidWP updates and valuable content straight to your inbox

Sign up

Related Posts

WordPress Vulnerability Report — April 24, 2024

Solid Security Pro Feature Spotlight – Password Requirements

WordPress Vulnerability Report — April 17, 2024

WordPress Vulnerability Report — April 10, 2024