WordPress Vulnerability Report — November 1, 2023

This week, 136 new vulnerabilities have been publicly disclosed in WordPress plugins.

Updated:Nov 15, 2023

Published:Nov 1, 2023

Reading Time:2 min.

Since our last report, 136 new vulnerabilities have been publicly disclosed.¹ They all affect WordPress plugins, so there are no theme vulnerabilities to report this week. Security patches for 64 plugins are available now, so run those updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Additionally, there are 72 plugin vulnerabilities with no patch available yet. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall with virtual patches from Patchstack. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

New Releases: Solid Security Pro 8.0.3 and Basic 9.0.2. Please update!

Along with poor user account security, vulnerable plugins and themes are why WordPress websites get hacked. (See our Annual Vulnerability Report for 2022.) Unfortunately, cyberattacks are increasing in volume and sophistication. They’re also increasingly aimed at small to mid-sized businesses.

1. WordPress Core
2. WordPress Plugins — 64 Patched / 72 Unpatched

2.1 WP Word Count
2.2 Convertful – Your Ultimate On-Site Conversion Tool
2.3 User Avatar
2.4 Remove Add to Cart WooCommerce
2.5 Export WP Page to Static HTML/CSS
2.6 SAHU TikTok Pixel for E-Commerce
2.7 DeepL API translation plugin
2.8 Custom My Account for Woocommerce
2.9 DoLogin Security
2.10 FeedFocal
2.11 Product Recommendation Quiz for eCommerce
2.12 Quill Forms | The Best Typeform Alternative | Create Conversational Multi Step Form, Survey, Quiz, Cost Estimation or Donation Form on WordPress
2.13 Group Chat & Video Chat by AtomChat
2.14 Category SEO Meta Tags
2.15 Custom Header Images
2.16 Autolinks Manager
2.17 Generate Dummy Posts
2.18 My Shortcodes
2.19 Simple User Listing
2.20 WDSocialWidgets
2.21 Parcel Pro
2.22 WP Glossary
2.23 WP iCal Availability
2.24 WordPress Simple HTML Sitemap
2.25 FLOWFACT WP Connector
2.26 Ni WooCommerce Sales Report
2.27 WP Simple Galleries
2.28 WP Post Popup
2.29 WP Post Columns
2.30 WP Knowledgebase
2.31 Google Maps made Simple
2.32 WP Font Awesome
2.33 NinjaTeam Live Chat (Messenger API)
2.34 Magic Embeds
2.35 Related Products for WooCommerce
2.36 WhatsApp Share Button
2.37 Weather Atlas Widget
2.38 WCP OpenWeather
2.39 Theme Blvd Shortcodes
2.40 TCD Google Maps
2.41 Simple Shortcodes
2.42 Shortcode Menu
2.43 Reusable Text Blocks
2.44 PubyDoc
2.45 PHP to Page
2.46 Original texts Yandex WebMaster
2.47 Mediabay
2.48 KD Coming Soon
2.49 Live updates from Excel
2.50 iframe forms
2.51 idbbee
2.52 Grid Plus
2.53 Grid Plus
2.54 Feather Login Page
2.55 FareHarbor for WordPress
2.56 EasyRecipe
2.57 WordPress CTA
2.58 Delete Me
2.59 Deeper Comments
2.60 Current Menu Item for Custom Post Types
2.61 CPO Shortcodes
2.62 Form Builder
2.63 CloudNet360
2.64 Buzzsprout Podcasting
2.65 BSK PDF Manager
2.66 Bellows Accordion Menu
2.67 Auto Limit Posts Reloaded
2.68 Auto Excerpt everywhere
2.69 Article analytics
2.70 Alter
2.71 Advanced Menu Widget
2.72 Ads by datafeedr.com
2.73 LiteSpeed Cache
2.74 kk Star Ratings
2.75 10Web Booster – Website speed optimization, Cache & Page Speed optimizer
2.76 VK Blocks
2.77 News & Blog Designer Pack – WordPress Blog Plugin — (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post Ticker, Blog Post Masonry)
2.78 CallRail Phone Call Tracking
2.79 Interactive Image Map Plugin – Draw Attention
2.80 Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers
2.81 Security & Malware scan by CleanTalk
2.82 YOP Poll
2.83 404 Solution
2.84 Admin and Site Enhancements (ASE)
2.85 ICS Calendar
2.86 Image Regenerate & Select Crop
2.87 Seraphinite Accelerator
2.88 Seraphinite Accelerator
2.89 Seraphinite Accelerator
2.90 Store Exporter for WooCommerce – Export Products, Export Orders, Export Subscriptions, and More
2.91 WP EXtra
2.92 WP EXtra
2.93 YITH WooCommerce Product Add-Ons
2.94 Fathom Analytics for WP
2.95 Pre-Orders for WooCommerce
2.96 Image horizontal reel scroll slideshow
2.97 VK Filter Search
2.98 Assistant – Every Day Productivity Apps
2.99 Very Simple Google Maps
2.100 Slick Popup: Contact Form 7 Popup Plugin
2.101 Vertical marquee plugin
2.102 Thumbnail carousel slider
2.103 Accordion
2.104 GD Security Headers
2.105 WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg
2.106 ImageLinks Interactive Image Builder for WordPress
2.107 Popup with fancybox
2.108 Tab Ultimate
2.109 TK Google Fonts GDPR Compliant
2.110 WP Helper Premium
2.111 Zotpress
2.112 Add to Calendar Button
2.113 MomentoPress for Momento360
2.114 Thumbnail Slider With Lightbox
2.115 WPPizza – A Restaurant Plugin
2.116 Image vertical reel scroll slideshow
2.117 Animated Counters
2.118 Jquery news ticker
2.119 Medialist
2.120 Post Meta Data Manager
2.121 Post Meta Data Manager
2.122 Information Reel
2.123 Message ticker
2.124 WP fade in text news
2.125 Wp anything slider
2.126 Neon text
2.127 Superb slideshow gallery
2.128 wp image slideshow
2.129 Left right image slideshow gallery
2.130 Wp photo text slider 50
2.131 Jquery accordion slideshow
2.132 Up down image slideshow gallery
2.133 HTML filter and csv-file search
2.134 HTML filter and csv-file search
2.135 Bonus for Woo
2.136 Advanced Booking Calendar

3. WordPress Themes — 0 Patched / 0 Unpatched
4. Notes

Our weekly WordPress Vulnerability Report covers the latest WordPress plugin, theme, and core vulnerabilities to emerge. Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure of vulnerabilities is essential to keeping the WordPress community safe. Please share this report to help spread the word and make WordPress — and the web — more secure.

WordPress Core

WordPress 6.3.2 is a Maintenance and Security release issued on October 12. It features 19 bug fixes on Core, 22 bug fixes for the Block Editor, and 8 security fixes.

Because this is a security release, it is recommended that you apply it and update your sites to WordPress 6.3.2 as soon as possible. Backports are also available for older supported major WordPress releases from version 4.1 onward.

The next major release will be version 6.4, expected on 7 November 2023.

WordPress Plugins — 64 Patched / 72 Unpatched

Plugin:: WP Word Count
Plugin Slug:: wp-word-count
Installations:: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-46628

Plugin:: Convertful – Your Ultimate On-Site Conversion Tool
Plugin Slug:: convertful
Installations:: 9,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-46605

Plugin:: User Avatar
Plugin Slug:: user-avatar
Installations:: 8,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-46621

Plugin:: Remove Add to Cart WooCommerce
Plugin Slug:: remove-add-to-cart-woocommerce
Installations:: 7,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-46629

Plugin:: Export WP Page to Static HTML/CSS
Plugin Slug:: export-wp-page-to-static-html
Installations:: 6,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-31077

Plugin:: SAHU TikTok Pixel for E-Commerce
Plugin Slug:: sahu-tiktok-pixel
Installations:: 4,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-46642

Plugin:: DeepL API translation plugin
Plugin Slug:: wpdeepl
Installations:: 4,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-46620

Plugin:: Custom My Account for Woocommerce
Plugin Slug:: custom-my-account-for-woocommerce
Installations:: 3,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-46634

Plugin:: DoLogin Security
Plugin Slug:: dologin
Installations:: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-46608

Plugin:: FeedFocal
Plugin Slug:: feedfocal
Installations:: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-46609

Plugin:: Product Recommendation Quiz for eCommerce
Plugin Slug:: product-recommendation-quiz-for-ecommerce
Installations:: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-46631

Plugin:: Quill Forms | The Best Typeform Alternative | Create Conversational Multi Step Form, Survey, Quiz, Cost Estimation or Donation Form on WordPress
Plugin Slug:: quillforms
Installations:: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-46610

Plugin:: Group Chat & Video Chat by AtomChat
Plugin Slug:: atomchat
Installations:: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-46606

Plugin:: Category SEO Meta Tags
Plugin Slug:: category-seo-meta-tags
Installations:: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-46618

Plugin:: Custom Header Images
Plugin Slug:: custom-header-images
Installations:: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-46636

Plugin:: Autolinks Manager
Plugin Slug:: daext-autolinks-manager
Installations:: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-46625

Plugin:: Generate Dummy Posts
Plugin Slug:: generate-dummy-posts
Installations:: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-46637

Plugin:: My Shortcodes
Plugin Slug:: my-shortcodes
Installations:: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-46632

Plugin:: Simple User Listing
Plugin Slug:: simple-user-listing
Installations:: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-32298

Plugin:: WDSocialWidgets
Plugin Slug:: spider-facebook
Installations:: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-46619

Plugin:: Parcel Pro
Plugin Slug:: woo-parcel-pro
Installations:: 1,000+
Vulnerability:: Open Redirection
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-46624

Plugin:: WP Glossary
Plugin Slug:: wp-glossary
Installations:: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-46633

Plugin:: WP iCal Availability
Plugin Slug:: wp-ical-availability
Installations:: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-46607

Plugin:: WordPress Simple HTML Sitemap
Plugin Slug:: wp-simple-html-sitemap
Installations:: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-46627

Plugin:: FLOWFACT WP Connector
Plugin Slug:: flowfact-wp-connector
Installations:: 900+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-46626

Plugin:: Ni WooCommerce Sales Report
Plugin Slug:: ni-woocommerce-sales-report
Installations:: 900+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-32299

Plugin:: WP Simple Galleries
Plugin Slug:: wp-simple-galleries
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-5583

Plugin:: WP Post Popup
Plugin Slug:: wp-post-modal
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-4808

Plugin:: WP Post Columns
Plugin Slug:: wp-post-columns
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-5708

Plugin:: WP Knowledgebase
Plugin Slug:: wp-knowledgebase
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-5802

Plugin:: Google Maps made Simple
Plugin Slug:: wp-gmappity-easy-google-maps
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-5315

Plugin:: WP Font Awesome
Plugin Slug:: wp-font-awesome
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-5127

Plugin:: NinjaTeam Live Chat (Messenger API)
Plugin Slug:: wp-facebook-messenger
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-5740

Plugin:: Magic Embeds
Plugin Slug:: wp-embed-facebook
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-4799

Plugin:: Related Products for WooCommerce
Plugin Slug:: woo-related-products-refresh-on-reload
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-5234

Plugin:: WhatsApp Share Button
Plugin Slug:: whatsapp
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-5668

Plugin:: Weather Atlas Widget
Plugin Slug:: weather-atlas
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-5163

Plugin:: WCP OpenWeather
Plugin Slug:: wcp-openweather
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-46638

Plugin:: Theme Blvd Shortcodes
Plugin Slug:: theme-blvd-shortcodes
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-5338

Plugin:: TCD Google Maps
Plugin Slug:: tcd-google-maps
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-5128

Plugin:: Simple Shortcodes
Plugin Slug:: smpl-shortcodes
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-5566

Plugin:: Shortcode Menu
Plugin Slug:: shortcode-menu
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-5565

Plugin:: Reusable Text Blocks
Plugin Slug:: reusable-text-blocks
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-5745

Plugin:: PubyDoc
Plugin Slug:: pubydoc-data-tables-and-charts
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-4970

Plugin:: PHP to Page
Plugin Slug:: php-to-page
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2023-5199

Plugin:: Original texts Yandex WebMaster
Plugin Slug:: original-texts-yandex-webmaster
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-46775

Plugin:: Mediabay
Plugin Slug:: mediabay-lite
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-46612

Plugin:: KD Coming Soon
Plugin Slug:: kd-coming-soon
Vulnerability:: PHP Object Injection
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-46615

Plugin:: Live updates from Excel
Plugin Slug:: ipushpull
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-5116

Plugin:: iframe forms
Plugin Slug:: iframe-forms
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-5073

Plugin:: idbbee
Plugin Slug:: idbbee
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-5114

Plugin:: Grid Plus
Plugin Slug:: grid-plus
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-5250

Plugin:: Grid Plus
Plugin Slug:: grid-plus
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-34014

Plugin:: Feather Login Page
Plugin Slug:: feather-login-page
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-46777

Plugin:: FareHarbor for WordPress
Plugin Slug:: fareharbor
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-5252

Plugin:: EasyRecipe
Plugin Slug:: easyrecipe
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-46779

Plugin:: WordPress CTA
Plugin Slug:: easy-sticky-sidebar
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-46644

Plugin:: Delete Me
Plugin Slug:: delete-me
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-5126

Plugin:: Deeper Comments
Plugin Slug:: deeper-comments
Vulnerability:: Settings Change
Patched in Version:: No Fix
Severity Score:: High

Plugin:: Current Menu Item for Custom Post Types
Plugin Slug:: current-menu-item-for-custom-post-types
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-46781

Plugin:: CPO Shortcodes
Plugin Slug:: cpo-shortcodes
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-5704

Plugin:: Form Builder
Plugin Slug:: contact-form-builder
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-5048

Plugin:: CloudNet360
Plugin Slug:: cloudnet-sync
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-46643

Plugin:: Buzzsprout Podcasting
Plugin Slug:: buzzsprout-podcasting
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-5335

Plugin:: BSK PDF Manager
Plugin Slug:: bsk-pdf-manager
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-5110

Plugin:: Bellows Accordion Menu
Plugin Slug:: bellows-accordion-menu
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-5164

Plugin:: Auto Limit Posts Reloaded
Plugin Slug:: auto-limit-posts-reloaded
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-46778

Plugin:: Auto Excerpt everywhere
Plugin Slug:: auto-excerpt-everywhere
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-46776

Plugin:: Article analytics
Plugin Slug:: article-analytics
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2023-5640

Plugin:: Alter
Plugin Slug:: alter
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-46780

Plugin:: Advanced Menu Widget
Plugin Slug:: advanced-menu-widget
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-5085

Plugin:: Ads by datafeedr.com
Plugin Slug:: ads-by-datafeedrcom
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2023-5843

Plugin:: LiteSpeed Cache
Plugin Slug:: litespeed-cache
Installations:: 4,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.7
Severity Score:: Medium
CVE:: 2023-4372

Plugin:: kk Star Ratings
Plugin Slug:: kk-star-ratings
Installations:: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 5.4.6
Severity Score:: Medium
CVE:: 2023-46639

Plugin:: 10Web Booster – Website speed optimization, Cache & Page Speed optimizer
Plugin Slug:: tenweb-speed-optimizer
Installations:: 80,000+
Vulnerability:: Settings Change
Patched in Version:: 2.24.18
Severity Score:: Medium

Plugin:: VK Blocks
Plugin Slug:: vk-blocks
Installations:: 80,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.64.0.0
Severity Score:: Medium
CVE:: 2023-5706

Plugin:: News & Blog Designer Pack – WordPress Blog Plugin — (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post Ticker, Blog Post Masonry)
Plugin Slug:: blog-designer-pack
Installations:: 30,000+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 3.4.2
Severity Score:: Critical
CVE:: 2023-5815

Plugin:: CallRail Phone Call Tracking
Plugin Slug:: callrail-phone-call-tracking
Installations:: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 0.5.3
Severity Score:: Medium
CVE:: 2023-5051

Plugin:: Interactive Image Map Plugin – Draw Attention
Plugin Slug:: draw-attention
Installations:: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.0.16
Severity Score:: Medium
CVE:: 2023-46616

Plugin:: Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers
Plugin Slug:: rafflepress
Installations:: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.12.2
Severity Score:: Medium
CVE:: 2023-5049

Plugin:: Security & Malware scan by CleanTalk
Plugin Slug:: security-malware-firewall
Installations:: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.51
Severity Score:: High
CVE:: 2020-36698

Plugin:: YOP Poll
Plugin Slug:: yop-poll
Installations:: 20,000+
Vulnerability:: Broken Authentication
Patched in Version:: 6.5.29
Severity Score:: Medium
CVE:: 2023-46611

Plugin:: 404 Solution
Plugin Slug:: 404-solution
Installations:: 10,000+
Vulnerability:: SQL Injection
Patched in Version:: 2.34.0
Severity Score:: High

Plugin:: Admin and Site Enhancements (ASE)
Plugin Slug:: admin-site-enhancements
Installations:: 10,000+
Vulnerability:: Bypass Vulnerability
Patched in Version:: 5.8.0
Severity Score:: High
CVE:: 2023-46630

Plugin:: ICS Calendar
Plugin Slug:: ics-calendar
Installations:: 10,000+
Vulnerability:: Arbitrary File Download
Patched in Version:: 10.12.0.4
Severity Score:: High
CVE:: 2023-46784

Plugin:: Image Regenerate & Select Crop
Plugin Slug:: image-regenerate-select-crop
Installations:: 10,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 7.3.1
Severity Score:: Medium
CVE:: 2023-46820

Plugin:: Seraphinite Accelerator
Plugin Slug:: seraphinite-accelerator
Installations:: 10,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.20.32
Severity Score:: Medium

Plugin:: Seraphinite Accelerator
Plugin Slug:: seraphinite-accelerator
Installations:: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.20.29
Severity Score:: High
CVE:: 2023-5609

Plugin:: Seraphinite Accelerator
Plugin Slug:: seraphinite-accelerator
Installations:: 10,000+
Vulnerability:: Open Redirection
Patched in Version:: 2.20.29
Severity Score:: Medium
CVE:: 2023-5610

Plugin:: Store Exporter for WooCommerce – Export Products, Export Orders, Export Subscriptions, and More
Plugin Slug:: woocommerce-exporter
Installations:: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.7.2.1
Severity Score:: High
CVE:: 2023-46822

Plugin:: WP EXtra
Plugin Slug:: wp-extra
Installations:: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 6.3
Severity Score:: Medium
CVE:: 2023-5314

Plugin:: WP EXtra
Plugin Slug:: wp-extra
Installations:: 10,000+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 6.3
Severity Score:: Critical
CVE:: 2023-46623

Plugin:: YITH WooCommerce Product Add-Ons
Plugin Slug:: yith-woocommerce-product-add-ons
Installations:: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.2.1
Severity Score:: Medium
CVE:: 2023-46635

Plugin:: Fathom Analytics for WP
Plugin Slug:: fathom-analytics
Installations:: 8,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.1.0
Severity Score:: Medium

Plugin:: Pre-Orders for WooCommerce
Plugin Slug:: pre-orders-for-woocommerce
Installations:: 6,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.2.14
Severity Score:: Medium
CVE:: 2023-46783

Plugin:: Image horizontal reel scroll slideshow
Plugin Slug:: image-horizontal-reel-scroll-slideshow
Installations:: 5,000+
Vulnerability:: SQL Injection
Patched in Version:: 13.3
Severity Score:: High
CVE:: 2023-5412

Plugin:: VK Filter Search
Plugin Slug:: vk-filter-search
Installations:: 5,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.3.2
Severity Score:: Medium
CVE:: 2023-5705

Plugin:: Assistant – Every Day Productivity Apps
Plugin Slug:: assistant
Installations:: 4,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 1.4.4
Severity Score:: Medium
CVE:: 2023-5798

Plugin:: Very Simple Google Maps
Plugin Slug:: very-simple-google-maps
Installations:: 4,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.9.1
Severity Score:: Medium
CVE:: 2023-5744

Plugin:: Slick Popup: Contact Form 7 Popup Plugin
Plugin Slug:: slick-popup
Installations:: 3,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.7.15
Severity Score:: Medium
CVE:: 2023-46824

Plugin:: Vertical marquee plugin
Plugin Slug:: vertical-marquee-plugin
Installations:: 3,000+
Vulnerability:: SQL Injection
Patched in Version:: 7.2
Severity Score:: High
CVE:: 2023-5436

Plugin:: Thumbnail carousel slider
Plugin Slug:: wp-responsive-thumbnail-slider
Installations:: 3,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.0.1
Severity Score:: Medium
CVE:: 2023-5821

Plugin:: Accordion
Plugin Slug:: accordions-wp
Installations:: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.7
Severity Score:: Medium
CVE:: 2023-5666

Plugin:: GD Security Headers
Plugin Slug:: gd-security-headers
Installations:: 2,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.7.1
Severity Score:: High
CVE:: 2023-46821

Plugin:: WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg
Plugin Slug:: groundhogg
Installations:: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.7.11.11
Severity Score:: Medium
CVE:: 2023-40681

Plugin:: ImageLinks Interactive Image Builder for WordPress
Plugin Slug:: imagelinks-interactive-image-builder-lite
Installations:: 2,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.6.0
Severity Score:: High
CVE:: 2023-46823

Plugin:: Popup with fancybox
Plugin Slug:: popup-with-fancybox
Installations:: 2,000+
Vulnerability:: SQL Injection
Patched in Version:: 3.6
Severity Score:: High
CVE:: 2023-5465

Plugin:: Tab Ultimate
Plugin Slug:: tabs-pro
Installations:: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.4
Severity Score:: Medium
CVE:: 2023-5667

Plugin:: TK Google Fonts GDPR Compliant
Plugin Slug:: tk-google-fonts
Installations:: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.2.12
Severity Score:: Medium
CVE:: 2023-5823

Plugin:: WP Helper Premium
Plugin Slug:: wp-helper-lite
Installations:: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 4.5.2
Severity Score:: Medium
CVE:: 2023-46614

Plugin:: Zotpress
Plugin Slug:: zotpress
Installations:: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 7.3.5
Severity Score:: High
CVE:: 2023-46313

Plugin:: Add to Calendar Button
Plugin Slug:: add-to-calendar-button
Installations:: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.5.1
Severity Score:: Medium
CVE:: 2023-46613

Plugin:: MomentoPress for Momento360
Plugin Slug:: cmyee-momentopress
Installations:: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.0.2
Severity Score:: Medium
CVE:: 2023-46782

Plugin:: Thumbnail Slider With Lightbox
Plugin Slug:: wp-responsive-slider-with-lightbox
Installations:: 1,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 1.0.1
Severity Score:: Critical
CVE:: 2023-5820

Plugin:: WPPizza – A Restaurant Plugin
Plugin Slug:: wppizza
Installations:: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.18.3
Severity Score:: High
CVE:: 2023-46622

Plugin:: Image vertical reel scroll slideshow
Plugin Slug:: image-vertical-reel-scroll-slideshow
Installations:: 800+
Vulnerability:: SQL Injection
Patched in Version:: 9.1
Severity Score:: High
CVE:: 2023-5428

Plugin:: Animated Counters
Plugin Slug:: animated-counters
Installations:: 700+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.8
Severity Score:: Medium
CVE:: 2023-5774

Plugin:: Jquery news ticker
Plugin Slug:: jquery-news-ticker
Installations:: 700+
Vulnerability:: SQL Injection
Patched in Version:: 3.1
Severity Score:: High
CVE:: 2023-5430

Plugin:: Medialist
Plugin Slug:: media-list
Installations:: 700+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.4.0
Severity Score:: Medium
CVE:: 2023-46640

Plugin:: Post Meta Data Manager
Plugin Slug:: post-meta-data-manager
Installations:: 700+
Vulnerability:: Broken Access Control
Patched in Version:: 1.2.1
Severity Score:: High
CVE:: 2023-5426

Plugin:: Post Meta Data Manager
Plugin Slug:: post-meta-data-manager
Installations:: 700+
Vulnerability:: Broken Access Control
Patched in Version:: 1.2.1
Severity Score:: High
CVE:: 2023-5425

Plugin:: Information Reel
Plugin Slug:: information-reel
Installations:: 600+
Vulnerability:: SQL Injection
Patched in Version:: 10.1
Severity Score:: High
CVE:: 2023-5429

Plugin:: Message ticker
Plugin Slug:: message-ticker
Installations:: 600+
Vulnerability:: SQL Injection
Patched in Version:: 9.3
Severity Score:: High
CVE:: 2023-5433

Plugin:: WP fade in text news
Plugin Slug:: wp-fade-in-text-news
Installations:: 600+
Vulnerability:: SQL Injection
Patched in Version:: 12.1
Severity Score:: High
CVE:: 2023-5437

Plugin:: Wp anything slider
Plugin Slug:: wp-anything-slider
Installations:: 400+
Vulnerability:: SQL Injection
Patched in Version:: 9.2
Severity Score:: High
CVE:: 2023-5466

Plugin:: Neon text
Plugin Slug:: neon-text
Installations:: 300+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.2
Severity Score:: Medium
CVE:: 2023-5817

Plugin:: Superb slideshow gallery
Plugin Slug:: superb-slideshow-gallery
Installations:: 300+
Vulnerability:: SQL Injection
Patched in Version:: 13.2
Severity Score:: High
CVE:: 2023-5434

Plugin:: wp image slideshow
Plugin Slug:: wp-image-slideshow
Installations:: 300+
Vulnerability:: SQL Injection
Patched in Version:: 12.1
Severity Score:: High
CVE:: 2023-5438

Plugin:: Left right image slideshow gallery
Plugin Slug:: left-right-image-slideshow-gallery
Installations:: 100+
Vulnerability:: SQL Injection
Patched in Version:: 12.1
Severity Score:: High
CVE:: 2023-5431

Plugin:: Wp photo text slider 50
Plugin Slug:: wp-photo-text-slider-50
Installations:: 100+
Vulnerability:: SQL Injection
Patched in Version:: 8.1
Severity Score:: High
CVE:: 2023-5439

Plugin:: Jquery accordion slideshow
Plugin Slug:: jquery-accordion-slideshow
Installations:: 70+
Vulnerability:: SQL Injection
Patched in Version:: 8.2
Severity Score:: High
CVE:: 2023-5464

Plugin:: Up down image slideshow gallery
Plugin Slug:: up-down-image-slideshow-gallery
Installations:: 40+
Vulnerability:: SQL Injection
Patched in Version:: 12.1
Severity Score:: High
CVE:: 2023-5435

Plugin:: HTML filter and csv-file search
Plugin Slug:: hk-filter-and-search
Vulnerability:: Local File Inclusion
Patched in Version:: 2.8
Severity Score:: High
CVE:: 2023-5099

Plugin:: HTML filter and csv-file search
Plugin Slug:: hk-filter-and-search
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.8
Severity Score:: Medium
CVE:: 2023-5096

Plugin:: Bonus for Woo
Plugin Slug:: bonus-for-woo
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.8.3
Severity Score:: High
CVE:: 2023-5140

Plugin:: Advanced Booking Calendar
Plugin Slug:: advanced-booking-calendar
Vulnerability:: SQL Injection
Patched in Version:: 3.2.12
Severity Score:: High

WordPress Themes — 0 Patched / 0 Unpatched

Notes

This report comes out on Wednesdays and covers the last seven days of public disclosures in the Patchstack vulnerability database from the beginning of the previous week to the beginning of the current week — from last Monday to this Monday. This period intentionally excludes any vulnerabilities added to the database in the last 48 hours. However, that up-to-the-minute Patchstack vulnerability data powers Solid Security Pro for our customers who have purchased Solid Suite or Solid Security Pro. Using Patchstack’s virtual patches, Solid Security Pro automatically protects WordPress sites from active exploits aimed at unpatched vulnerabilities. ?

Author:

Dan Knauss

Dan Knauss has worked for and written about agencies and product companies in the WordPress space since 2015. He’s been involved in WordPress and open source web development since their beginning.

Browse all of Dan's articles

Follow Dan:

Sign up

Placeholder text

Thanks

Oops something went wrong, please try submitting again

Table of Contents

WordPress Core

WordPress Plugins — 64 Patched / 72 Unpatched

WordPress Themes — 0 Patched / 0 Unpatched

Notes

Author:

Join us for the next Solid Academy Webinar!

What is a WordPress Phishing Attack?

Website Protection: 5 Ways to Keep Your Website Safe

23 Ideas To Grow Your WordPress Business in 2023

Author:

Sign up now — Get SolidWP updates and valuable content straight to your inbox

Sign up