WordPress Vulnerability Report – June 14, 2023
This week, 56 total vulnerabilities emerged in public disclosure. They may affect over 4 million WordPress sites. There are 37 plugin vulnerabilities and three in themes that have security patches available, so run those updates!
Additionally, there are 16 plugin vulnerabilities with no patch available yet. If you are using any unpatched plugins or themes, check their vendors’ intentions and progress on a security release. If no patch is forthcoming or the vulnerable software has been closed and dropped from the official WordPress theme and plugin repositories, you should consider deactivation and removal in favor of alternative solutions.
WordPress Core Vulnerabilities — Patched
No WordPress core vulnerabilities were disclosed this week: the 37 patched plugin vulnerabilities, three patched theme vulnerabilities and 16 unpatched plugin vulnerabilities account for all 56. WordPress core is very secure when it is properly configured and maintained; vulnerable plugins that site owners have not updated are the most common vector for attacks on WordPress websites. Our weekly WordPress Vulnerability Report, powered by Patchstack, covers new WordPress plugin, theme, and core vulnerabilities that have emerged since last week’s report. Our goal is to spread awareness of emerging security threats and help you decide what to do if you are using vulnerable software on your website. For a deeper analysis of recent trends in WordPress vulnerabilities and threat vectors, see our 2022 Annual Vulnerability Report.
These reports are published every Wednesday and include all active vulnerabilities tracked by Patchstack as of Monday since the previous report. This leaves a 48-hour window for the newest emerging vulnerabilities to be patched before full public disclosure. iThemes Security Pro users have access to vulnerability alerts emerging within this window.
WordPress Plugin Vulnerabilities — Patched
In this section, you’ll find the most recently disclosed WordPress plugin vulnerabilities that have been fixed with a new release from their authors and maintainers. Please apply the updates if you are affected!
These vulnerabilities have been disclosed and scored for their severity, thanks to our friends at Patchstack. Each plugin listing includes the type of vulnerability with its CVE number and CVSS severity rating with links to more technical details. You’ll also see the number of active sites using the plugin and the plugin version release that patches the vulnerability. We start with the most popular plugins, which represent the largest target for attackers.
Metform Elementor Contact Form Builder
- Plugin Slug: metform
- Installations: 200,000+
- Vulnerability: Authenticated (Subscriber+) Information Disclosure via mf_payment_status shortcode
- Patched in Version: 3.3.2
- Severity Score: Medium
- CVE: CVE-2023-0692
Metform Elementor Contact Form Builder
- Plugin Slug: metform
- Installations: 200,000+
- Vulnerability: Unauthenticated CSV Injection
- Patched in Version: 3.3.1
- Severity Score: Medium
- CVE: CVE-2023-0721
Metform Elementor Contact Form Builder
- Plugin Slug: metform
- Installations: 200,000+
- Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via mf_first_name shortcode
- Patched in Version: 3.3.1
- Severity Score: Medium
- CVE: CVE-2023-0708
Metform Elementor Contact Form Builder
- Plugin Slug: metform
- Installations: 200,000+
- Vulnerability: Authenticated (Subscriber+) Information Disclosure via mf_last_name shortcode
- Patched in Version: 3.3.2
- Severity Score: Medium
- CVE: CVE-2023-0691
Metform Elementor Contact Form Builder
- Plugin Slug: metform
- Installations: 200,000+
- Vulnerability: Authenticated (Subscriber+) Information Disclosure via mf_thankyou shortcode
- Patched in Version: 3.3.2
- Severity Score: Medium
- CVE: CVE-2023-0688
Metform Elementor Contact Form Builder
- Plugin Slug: metform
- Installations: 200,000+
- Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via mf_last_name shortcode
- Patched in Version: 3.3.1
- Severity Score: Medium
- CVE: CVE-2023-0709
Metform Elementor Contact Form Builder
- Plugin Slug: metform
- Installations: 200,000+
- Vulnerability: Authenticated (Subscriber+) Information Disclosure via mf_transaction_id shortcode
- Patched in Version: 3.3.2
- Severity Score: Medium
- CVE: CVE-2023-0693
Metform Elementor Contact Form Builder
- Plugin Slug: metform
- Installations: 200,000+
- Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via mf shortcode
- Patched in Version: 3.3.1
- Severity Score: Medium
- CVE: CVE-2023-0695
Metform Elementor Contact Form Builder
- Plugin Slug: metform
- Installations: 200,000+
- Vulnerability: Authenticated (Subscriber+) Information Disclosure via mf shortcode
- Patched in Version: 3.3.2
- Severity Score: Medium
- CVE: CVE-2023-0694
Social Media Share Buttons & Social Sharing Icons
- Plugin Slug: ultimate-social-media-icons
- Installations: 200,000+
- Vulnerability: Authenticated Stored Cross-Site Scripting
- Patched in Version: 2.8.2
- Severity Score: Medium
- CVE: CVE-2023-1166
WP Mail Logging
- Plugin: WP Mail Logging
- Plugin Slug: wp-mail-logging
- Installations: 200,000+
- Vulnerability: Unauthenticated Stored Cross-Site Scripting via Email
- Patched in Version: 1.11.1
- Severity Score: High
- CVE: CVE-2023-3081
FiboSearch – AJAX Search for WooCommerce
- Plugin Slug: ajax-search-for-woocommerce
- Installations: 100,000+
- Vulnerability: Authenticated (Admin+) Stored Cross-Site Scripting
- Patched in Version: 1.24.0
- Severity Score: Medium
- CVE: CVE-2023-2450
Visual Composer
- Plugin Slug: visualcomposer
- Installations: 70,000+
- Vulnerability: Multiple Cross-Site Scripting (XSS)
- Patched in Version: 27.0
- Severity Score: Medium
- CVE: CVE-2020-36722
VK Blocks
Easy Digital Downloads
- Plugin Slug: easy-digital-downloads
- Installations: 50,000+
- Vulnerability: Cross-Site Request Forgery Leading To Plugin Upgrade
- Patched in Version: 3.1.2
- Severity Score: Medium
Getwid – Gutenberg Blocks
- Plugin: Getwid – Gutenberg Blocks
- Plugin Slug: getwid
- Installations: 50,000+
- Vulnerability: Authenticated (Subscriber+) Server Side Request Forgery
- Patched in Version: 1.8.4
- Severity Score: Medium
- CVE: CVE-2023-1895
Getwid – Gutenberg Blocks
- Plugin: Getwid – Gutenberg Blocks
- Plugin Slug: getwid
- Installations: 50,000+
- Vulnerability: Improper Authorization via get_remote_templates REST endpoint
- Patched in Version: 1.8.4
- Severity Score: Medium
- CVE: CVE-2023-1910
PowerPress
- Plugin Slug: powerpress
- Installations: 40,000+
- Vulnerability: Authenticated Stored Cross-Site Scripting
- Patched in Version: 10.2.4
- Severity Score: Medium
Abandoned Cart Lite for WooCommerce
- Plugin Slug: woocommerce-abandoned-cart
- Installations: 30,000+
- Vulnerability: Authentication Bypass
- Patched in Version: 5.15.0
- Severity Score: Critical
- CVE: CVE-2023-2986
Directorist
- Plugin Slug: directorist
- Installations: 10,000+
- Vulnerability: Authenticated Arbitrary Post Deletion
- Patched in Version: 7.5.5
- Severity Score: High
- CVE: CVE-2023-1889
Directorist
- Plugin Slug: directorist
- Installations: 10,000+
- Vulnerability: Authenticated Privilege Escalation
- Patched in Version: 7.5.5
- Severity Score: High
- CVE: CVE-2023-1888
WP Mail Catcher
- Plugin Slug: wp-mail-catcher
- Installations: 10,000+
- Vulnerability: Unauthenticated Stored Cross-Site Scripting via Email Subject
- Patched in Version: 2.1.3
- Severity Score: High
- CVE: CVE-2023-3080
Ultimate Product Catalogue
- Plugin: Ultimate Product Catalogue
- Plugin Slug: ultimate-product-catalogue
- Installations: 8,000+
- Vulnerability: Authenticated SQL Injection
- Patched in Version: 5.2.6
- Severity Score: High
- CVE: CVE-2023-2711
B2BKing
- Plugin Slug: b2bking-wholesale-for-woocommerce
- Installations: 6,000+
- Vulnerability: Information Disclosure
- Patched in Version: 4.6.20
- Severity Score: Medium
- CVE: CVE-2023-3126
B2BKing
- Plugin Slug: b2bking-wholesale-for-woocommerce
- Installations: 6,000+
- Vulnerability: Price Modification
- Patched in Version: 4.6.20
- Severity Score: Medium
- CVE: CVE-2023-3125
WP EasyCart
- Plugin Slug: wp-easycart
- Installations: 6,000+
- Vulnerability: Authenticated (Administrator+) SQL Injection via 'orderby'
- Patched in Version: 5.4.11
- Severity Score: High
- CVE: CVE-2023-3023
Online Booking & Scheduling Calendar for WordPress by vcita
- Plugin Slug: meeting-scheduler-by-vcita
- Installations: 3,000+
- Vulnerability: Missing Authorization to Account Logout
- Patched in Version: 4.3.0
- Severity Score: Medium
- CVE: CVE-2023-2415
CodeColorer
- Plugin: CodeColorer
- Plugin Slug: codecolorer
- Installations: 2,000+
- Vulnerability: Admin+ Cross-Site Scripting
- Patched in Version: 0.10.1
- Severity Score: Medium
- CVE: CVE-2023-2795
GD Mail Queue
- Plugin: GD Mail Queue
- Plugin Slug: gd-mail-queue
- Installations: 700+
- Vulnerability: Unauthenticated Stored Cross-Site Scripting via Email
- Patched in Version: 4.0
- Severity Score: High
- CVE: CVE-2023-3122
Gravity Forms Google Sheet Connector
- Plugin Slug: gsheetconnector-gravity-forms
- Installations: 500+
- Vulnerability: Cross-Site Request Forgery (CSRF)
- Patched in Version: 1.3.5
- Severity Score: Medium
- CVE: CVE-2023-2326
Aajoda Testimonials
- Plugin: Aajoda Testimonials
- Plugin Slug: aajoda-testimonials
- Installations: 50+
- Vulnerability: Admin+ Cross-Site Scripting (XSS)
- Patched in Version: 2.2.2
- Severity Score: Medium
- CVE: CVE-2023-2178
Catalyst Connect Zoho CRM Client Portal
- Plugin Slug: catalyst-connect-client-portal
- Installations: 10+
- Vulnerability: Reflected Cross-Site Scripting (XSS)
- Patched in Version: 2.1.0
- Severity Score: High
- CVE: CVE-2023-0588
Lana Email Logger
- Plugin: Lana Email Logger
- Plugin Slug: lana-email-logger
- Vulnerability: Unauthenticated Stored Cross-Site Scripting via Email Subject
- Patched in Version: 1.1.0
- Severity Score: High
- CVE: CVE-2023-3166
WP-Members Membership
WP Brutal AI
- Plugin: WP Brutal AI
- Plugin Slug: wpbrutalai
- Vulnerability: Admin+ Cross-Site Scripting (XSS)
- Patched in Version: 2.0.1
- Severity Score: Medium
- CVE: CVE-2023-2605
WP Brutal AI
- Plugin: WP Brutal AI
- Plugin Slug: wpbrutalai
- Vulnerability: Admin+ SQL Injection
- Patched in Version: 2.0.0
- Severity Score: High
- CVE: CVE-2023-2601
WordPress Plugin Vulnerabilities — Unpatched
This section contains plugin vulnerabilities with no known fix. Until a patch is available, you are advised to deactivate the plugin, at minimum, immediately. If there is a high risk of active exploits or the plugin remains unpatched for weeks, you are advised to delete the plugin. You should also delete persistently unpatched plugins the WordPress.org repository has locked and marked “Closed” so they can no longer be downloaded and installed.
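The advice in this section and at the top of the report comes down to one check per installed plugin: compare its version with the "Patched in Version" column, and treat every "No Fix" entry as affected whatever version is installed. The script below is an added example, not tooling from SolidWP, iThemes or Patchstack, that runs that check over the JSON produced by `wp plugin list --fields=name,status,version --format=json`. The advisory table is a subset of entries transcribed from this report; the plugin inventory is a constructed sample, and the function names (`audit`, `is_older`, `version_key`) are my own. Versions are compared component by component as integers, because a plain string comparison would rank 1.11.10 below 1.11.1; pre-release suffixes such as "-beta" are treated as zero, which is a simplification of PHP's version_compare.

```python
"""Audit a WP-CLI plugin inventory against the patched versions in this report."""
import json
import re
import sys

# Subset of this report's advisories: slug -> [(title, patched_version)].
# patched_version None means the report lists "No Fix".
ADVISORIES = {
    "metform": [
        ("CVE-2023-0692 Information Disclosure via mf_payment_status shortcode", "3.3.2"),
        ("CVE-2023-0708 Stored XSS via mf_first_name shortcode", "3.3.1"),
    ],
    "wp-mail-logging": [("CVE-2023-3081 Unauthenticated Stored XSS via Email", "1.11.1")],
    "woocommerce-abandoned-cart": [("CVE-2023-2986 Authentication Bypass", "5.15.0")],
    "meeting-scheduler-by-vcita": [
        ("CVE-2023-2415 Missing Authorization to Account Logout", "4.3.0"),
        ("CVE-2023-2298 Unauthenticated Stored XSS", None),
        ("CVE-2023-2299 Missing Authorization on REST-API", None),
    ],
    "wptables": [("CVE-2023-25453 Cross-Site Scripting", None)],
}

# Constructed sample of `wp plugin list --fields=name,status,version --format=json`
# (not data from a real site).
SAMPLE_INVENTORY = json.dumps([
    {"name": "metform", "status": "active", "version": "3.3.1"},
    {"name": "wp-mail-logging", "status": "active", "version": "1.11.10"},
    {"name": "woocommerce-abandoned-cart", "status": "inactive", "version": "5.9.0"},
    {"name": "meeting-scheduler-by-vcita", "status": "active", "version": "4.3.0"},
    {"name": "akismet", "status": "active", "version": "5.1"},
])


def version_key(version):
    """Turn '1.11.10' into (1, 11, 10) so comparison is numeric, not lexical.
    Non-numeric components such as 'beta' become 0 (simplification)."""
    parts = []
    for piece in re.split(r"[.\-]", version.strip()):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def is_older(installed, patched):
    """True if installed < patched; shorter tuples are zero-padded so 3.3 == 3.3.0."""
    a, b = version_key(installed), version_key(patched)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def audit(inventory_json, advisories=ADVISORIES):
    """Return {slug: {"status", "action", "issues"}} for each installed plugin
    that is still exposed to an advisory in the table."""
    findings = {}
    for plugin in json.loads(inventory_json):
        slug = plugin["name"]
        if slug not in advisories:
            continue
        issues, no_fix = [], False
        for title, patched in advisories[slug]:
            if patched is None:
                issues.append(f"{title} (no fix available)")
                no_fix = True  # affected regardless of installed version
            elif is_older(plugin["version"], patched):
                issues.append(f"{title} (update to {patched})")
        if not issues:
            continue
        # An unpatched issue stays exploitable while the files are installed,
        # so it outranks any "update" recommendation for the same plugin.
        action = "deactivate and remove" if no_fix else "update"
        findings[slug] = {"status": plugin["status"], "action": action, "issues": issues}
    return findings


if __name__ == "__main__":
    # Pipe real `wp plugin list` JSON on stdin; otherwise the sample is used.
    data = "" if sys.stdin.isatty() else sys.stdin.read()
    for slug, f in audit(data or SAMPLE_INVENTORY).items():
        print(f"{slug} ({f['status']}): {f['action']}")
        for issue in f["issues"]:
            print(f"  - {issue}")
```

On the sample inventory, metform 3.3.1 is flagged for the 3.3.2 fix only, wp-mail-logging 1.11.10 is correctly left alone, the inactive abandoned-cart plugin still needs its update, and the vcita scheduler gets "deactivate and remove" even though it is current for CVE-2023-2415, because its two no-fix issues remain. Run the same script over `wp theme list` output to cover the theme section, and re-transcribe the table each week since "No Fix" entries change as vendors release patches.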
VK Blocks
Online Booking & Scheduling Calendar for WordPress by vcita
- Plugin Slug: meeting-scheduler-by-vcita
- Installations: 3,000+
- Vulnerability: Unauthenticated Stored Cross-Site Scripting (XSS)
- Patched in Version: No Fix
- Severity Score: High
- CVE: CVE-2023-2298
Online Booking & Scheduling Calendar for WordPress by vcita
- Plugin Slug: meeting-scheduler-by-vcita
- Installations: 3,000+
- Vulnerability: Missing Authorization on REST-API
- Patched in Version: No Fix
- Severity Score: Medium
- CVE: CVE-2023-2299
Online Booking & Scheduling Calendar for WordPress by vcita
- Plugin Slug: meeting-scheduler-by-vcita
- Installations: 3,000+
- Vulnerability: Missing Authorization to Settings Update and Media Upload
- Patched in Version: No Fix
- Severity Score: Medium
- CVE: CVE-2023-2414
WordPress Tables
- Plugin: WordPress Tables
- Plugin Slug: wptables
- Installations: 2,000+
- Vulnerability: Cross-Site Scripting (XSS)
- Patched in Version: No Fix
- Severity Score: High
- CVE: CVE-2023-25453
Contact Form Builder by vcita
- Plugin Slug: contact-form-with-a-meeting-scheduler-by-vcita
- Installations: 1,000+
- Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
- Patched in Version: No Fix
- Severity Score: Medium
- CVE: CVE-2023-2301
Contact Form Builder by vcita
- Plugin Slug: contact-form-with-a-meeting-scheduler-by-vcita
- Installations: 1,000+
- Vulnerability: Authenticated Stored Cross-Site Scripting (XSS)
- Patched in Version: No Fix
- Severity Score: Medium
- CVE: CVE-2023-2300
Responsive CSS EDITOR
- Plugin: Responsive CSS EDITOR
- Plugin Slug: responsive-css-editor
- Installations: 600+
- Vulnerability: Admin+ SQL Injection
- Patched in Version: No Fix
- Severity Score: High
- CVE: CVE-2023-2482
Contact Form and Calls To Action by vcita
- Plugin Slug: lead-capturing-call-to-actions-by-vcita
- Installations: 400+
- Vulnerability: Authenticated Stored Cross-Site Scripting (XSS)
- Patched in Version: No Fix
- Severity Score: Medium
- CVE: CVE-2023-2302
Contact Form and Calls To Action by vcita
- Plugin Slug: lead-capturing-call-to-actions-by-vcita
- Installations: 400+
- Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
- Patched in Version: No Fix
- Severity Score: Medium
- CVE: CVE-2023-2303
CRM and Lead Management by vcita
- Plugin Slug: crm-customer-relationship-management-by-vcita
- Installations: 200+
- Vulnerability: Authenticated Stored Cross-Site Scripting (XSS)
- Patched in Version: No Fix
- Severity Score: Medium
- CVE: CVE-2023-2404
CRM and Lead Management by vcita
- Plugin Slug: crm-customer-relationship-management-by-vcita
- Installations: 200+
- Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
- Patched in Version: No Fix
- Severity Score: Medium
- CVE: CVE-2023-2405
Page Builder by AZEXO
- Plugin Slug: page-builder-by-azexo
- Vulnerability: Cross-Site Request Forgery (CSRF)
- Patched in Version: No Fix
- Severity Score: Medium
- CVE: CVE-2023-3052
Page Builder by AZEXO
- Plugin Slug: page-builder-by-azexo
- Vulnerability: Authenticated Stored Cross-Site Scripting (XSS)
- Patched in Version: No Fix
- Severity Score: Medium
- CVE: CVE-2023-3051
Page Builder by AZEXO
- Plugin Slug: page-builder-by-azexo
- Vulnerability: Missing Authorization to Post Creation
- Patched in Version: No Fix
- Severity Score: Medium
- CVE: CVE-2023-3053
Page Builder by AZEXO
- Plugin Slug: page-builder-by-azexo
- Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting (XSS)
- Patched in Version: No Fix
- Severity Score: Medium
- CVE: CVE-2023-3055
WordPress Theme Vulnerabilities
In this section, you’ll find the latest WordPress theme vulnerabilities to be disclosed. You’ll see the same information provided above for vulnerable plugins, and the same advice applies. If a security update exists, install it immediately. If a vulnerability remains unpatched in a theme you are actively using, you will need to find an alternative theme. Deactivate and delete persistently unpatched themes and those that have been “Closed” in the WordPress.org theme repository. If you have a vulnerable theme installed that you are not actively using, simply delete it.
Activello
- Theme: Activello
- Theme Slug: activello
- Downloads: 704,036
- Vulnerability: Unauthenticated Plugin Activation/Deactivation
- Patched in Version: 1.4.2
- Severity Score: Medium
- CVE: CVE-2020-36721
Newspaper X
- Theme: Newspaper X
- Theme Slug: newspaper-x
- Downloads: 171,638
- Vulnerability: Unauthenticated Plugin Activation/Deactivation
- Patched in Version: 1.3.2
- Severity Score: Medium
- CVE: CVE-2020-36721
Brilliance
- Theme: Brilliance
- Theme Slug: brilliance
- Downloads: 139,860
- Vulnerability: Unauthenticated Plugin Activation/Deactivation
- Patched in Version: 1.3.0
- Severity Score: Medium
- CVE: CVE-2020-36721