WordPress Vulnerability Report — November 15, 2023

There have been 109 new WordPress plugin and theme vulnerabilities disclosed since our last report.

Updated:Nov 22, 2023

Published:Nov 15, 2023

Reading Time:1 min.

Since our last report, 109 new vulnerabilities have been publicly disclosed. Security patches for 57 plugins are available now, so run those updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Additionally, there is one theme and 52 plugin vulnerabilities with no patch available yet. If you’re a Solid Security Pro user, those vulnerabilities are protected by the Solid Security firewall with virtual patches from Patchstack.

Coupled with poor user account security, vulnerable plugins and themes are why WordPress websites get hacked. (See our Annual Vulnerability Report for 2022.) Unfortunately, cyberattacks are increasing in volume and sophistication. They’re also increasingly aimed at small to mid-sized businesses.

1. WordPress Core
2. WordPress Plugins — # Patched / # Unpatched

2.1 Qi Addons For Elementor
2.2 Popup Anything – Popup for opt-ins and Lead Generation Conversions
2.3 WP Logo Showcase Responsive Slider and Carousel
2.4 WP Maintenance
2.5 WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn)
2.6 Pz-LinkCard
2.7 WP Responsive Recent Post Slider/Carousel
2.8 WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce
2.9 WP Slick Slider and Image Carousel
2.10 AWeber – Free Sign Up Form and Landing Page Builder Plugin for Lead Generation and Email Newsletter Growth
2.11 Flo Forms – Easy Drag & Drop Form Builder
2.12 Multi Step Form
2.13 WP News and Scrolling Widgets
2.14 Welcome Email Editor
2.15 WP Blog and Widgets
2.16 Footer Putter
2.17 Podlove Web Player
2.18 WP responsive FAQ with category plugin
2.19 EasyAzon – Amazon Associates Affiliate Plugin
2.20 Animator – Scroll Triggered Animations
2.21 Shortcodes Finder
2.22 Korea SNS
2.23 Permalinks Customizer
2.24 Additional Order Filters for WooCommerce
2.25 Featured Post Creative
2.26 Foyer – Digital Signage for WordPress
2.27 Product Enquiry for WooCommerce
2.28 CodeBard's Patron Button and Widgets for Patreon
2.29 Plainview Protect Passwords
2.30 Plainview Protect Passwords
2.31 Integration for Constant Contact and Contact Form 7, WPForms, Elementor, Ninja Forms
2.32 Team Members Showcase
2.33 Interactive World Map
2.34 Preloader Matrix
2.35 Post Pay Counter
2.36 Woo Custom and Sequential Order Number
2.37 WooCommerce Product Enquiry
2.38 Youtube SpeedLoad
2.39 Mini Cart Drawer For WooCommerce
2.40 Simply Excerpts
2.41 WP Not Login Hide
2.42 WP Full Stripe Free
2.43 WP Featured Content and Slider
2.44 WP Category Post List Widget
2.45 Vertical scroll recent post
2.46 WooCommerce Product Carousel Slider
2.47 LuckyWP Scripts Control
2.48 Leadster
2.49 ElementsKit Pro
2.50 EasyRotator
2.51 BSK Contact Form 7 Blacklist
2.52 AMP+ Plus
2.53 EWWW Image Optimizer
2.54 WP Fastest Cache
2.55 Code Snippets
2.56 Forminator – Contact Form, Payment Form & Custom Form Builder
2.57 Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button – Chaty
2.58 Simple 301 Redirects by BetterLinks
2.59 Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates
2.60 Qi Addons For Elementor
2.61 Checkout Field Manager (Checkout Manager) for WooCommerce
2.62 Brizy – Page Builder
2.63 Big File Uploads – Increase Maximum File Upload Size
2.64 Comments – wpDiscuz
2.65 Ultimate Dashboard – Custom WordPress Dashboard
2.66 Solid Central – Site Management, Backups, Security, and Reporting
2.67 User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor
2.68 Ditty – Responsive News Tickers, Sliders, and Lists
2.69 BetterDocs – Best Documentation & Knowledge Base Plugin
2.70 Professional Social Sharing Buttons, Icons & Related Posts – Shareaholic
2.71 Ultimate Addons for Contact Form 7
2.72 WP Custom Admin Interface
2.73 Delete Duplicate Posts
2.74 Ecwid Ecommerce Shopping Cart
2.75 MainWP Dashboard – WordPress Manager for Multiple Websites Maintenance
2.76 Welcart e-Commerce
2.77 WP User Frontend – Registration, User Profile, Membership, Content Restriction, User Directory, and Frontend Post Submission Plugin
2.78 eCommerce Product Catalog Plugin for WordPress
2.79 Membership Plugin – Restrict Content
2.80 Japanized For WooCommerce
2.81 YOP Poll
2.82 Email Verification / SMS Verification / OTP Verification / OTP Authentication / WooCommerce Notification
2.83 Gift Up Gift Cards for WordPress and WooCommerce
2.84 Hreflang Manager
2.85 Job Manager & Career – Manage job board listings, and recruitments
2.86 Client Invoicing by Sprout Invoices – Easy Estimates and Invoices for WordPress
2.87 avalex – Automatisch sichere Rechtstexte
2.88 Arigato Autoresponder and Newsletter
2.89 Martins Free & Easy SEO BackLink Link Building Network – Improve Rankings & Traffic
2.90 Frontend File Manager Plugin
2.91 Website Optimization – Plerdy
2.92 Post Status Notifier Lite
2.93 Product Catalog Simple
2.94 Bus Ticket Booking with Seat Reservation
2.95 WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses
2.96 WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses
2.97 WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses
2.98 Namaste! LMS
2.99 Image Compressor & Optimizer – iLoveIMG
2.100 WooCommerce Canada Post Shipping
2.101 WooCommerce Bookings
2.102 Star CloudPRNT for WooCommerce
2.103 Slider Revolution
2.104 Slider Revolution
2.105 LayerSlider
2.106 LayerSlider
2.107 Essential Grid
2.108 Essential Grid

3. WordPress Themes — # Patched / # Unpatched

3.1 Themify Ultra

Our weekly WordPress Vulnerability Report covers the latest WordPress plugin, theme, and core vulnerabilities to emerge. Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure of vulnerabilities is essential to keeping the WordPress community safe. Please share this report to help spread the word and make WordPress — and the web — more secure.

WordPress Core

WordPress 6.4.1 was released on November 8 as a short-cycle maintenance release to address several bugs, including loss of backward compatibility with a dependency, cURL 7.29 or earlier. This broke the WordPress internal update facility on servers running very old, insecure cURL versions.

WordPress 6.4 was released on November 7 as the third major release of 2023. Following a major release, you should not update live sites without taking backups and testing the update in a non-production environment first.

WordPress Plugins — # Patched / # Unpatched

Plugin:: Qi Addons For Elementor
Plugin Slug:: qi-addons-for-elementor
Installations:: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-47680

Plugin:: Popup Anything – Popup for opt-ins and Lead Generation Conversions
Plugin Slug:: popup-anything-on-click
Installations:: 50,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-40200

Plugin:: WP Logo Showcase Responsive Slider and Carousel
Plugin Slug:: wp-logo-showcase-responsive-slider-slider
Installations:: 50,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-40200

Plugin:: WP Maintenance
Plugin Slug:: wp-maintenance
Installations:: 40,000+
Vulnerability:: Bypass Vulnerability
Patched in Version:: No Fix
Severity Score:: Low
CVE:: 2023-47769

Plugin:: WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn)
Plugin Slug:: miniorange-login-openid
Installations:: 30,000+
Vulnerability:: Privilege Escalation
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-47683

Plugin:: Pz-LinkCard
Plugin Slug:: pz-linkcard
Installations:: 30,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-47790

Plugin:: WP Responsive Recent Post Slider/Carousel
Plugin Slug:: wp-responsive-recent-post-slider
Installations:: 30,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-40200

Plugin:: WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce
Plugin Slug:: wp-event-manager
Installations:: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-47697

Plugin:: WP Slick Slider and Image Carousel
Plugin Slug:: wp-slick-slider-and-image-carousel
Installations:: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-40200

Plugin:: AWeber – Free Sign Up Form and Landing Page Builder Plugin for Lead Generation and Email Newsletter Growth
Plugin Slug:: aweber-web-form-widget
Installations:: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-47757

Plugin:: Flo Forms – Easy Drag & Drop Form Builder
Plugin Slug:: flo-forms
Installations:: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-47692

Plugin:: Multi Step Form
Plugin Slug:: multi-step-form
Installations:: 10,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-47758

Plugin:: WP News and Scrolling Widgets
Plugin Slug:: sp-news-and-widget
Installations:: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-40200

Plugin:: Welcome Email Editor
Plugin Slug:: welcome-email-editor
Installations:: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-47756

Plugin:: WP Blog and Widgets
Plugin Slug:: wp-blog-and-widgets
Installations:: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-40200

Plugin:: Footer Putter
Plugin Slug:: footer-putter
Installations:: 9,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-47768

Plugin:: Podlove Web Player
Plugin Slug:: podlove-web-player
Installations:: 6,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-47691

Plugin:: WP responsive FAQ with category plugin
Plugin Slug:: sp-faq
Installations:: 6,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-40200

Plugin:: EasyAzon – Amazon Associates Affiliate Plugin
Plugin Slug:: easyazon
Installations:: 5,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-47780

Plugin:: Animator – Scroll Triggered Animations
Plugin Slug:: scroll-triggered-animations
Installations:: 4,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-47689

Plugin:: Shortcodes Finder
Plugin Slug:: shortcodes-finder
Installations:: 4,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-47695

Plugin:: Korea SNS
Plugin Slug:: korea-sns
Installations:: 3,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-47670

Plugin:: Permalinks Customizer
Plugin Slug:: permalinks-customizer
Installations:: 3,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-47773

Plugin:: Additional Order Filters for WooCommerce
Plugin Slug:: additional-order-filters-for-woocommerce
Installations:: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-47690

Plugin:: Featured Post Creative
Plugin Slug:: featured-post-creative
Installations:: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-40200

Plugin:: Foyer – Digital Signage for WordPress
Plugin Slug:: foyer
Installations:: 2,000+
Vulnerability:: Content Injection
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-47663

Plugin:: Product Enquiry for WooCommerce
Plugin Slug:: gm-woocommerce-quote-popup
Installations:: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-47696

Plugin:: CodeBard's Patron Button and Widgets for Patreon
Plugin Slug:: patron-button-and-widgets-by-codebard
Installations:: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-47765

Plugin:: Plainview Protect Passwords
Plugin Slug:: plainview-protect-passwords
Installations:: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-47665

Plugin:: Plainview Protect Passwords
Plugin Slug:: plainview-protect-passwords
Installations:: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-47664

Plugin:: Integration for Constant Contact and Contact Form 7, WPForms, Elementor, Ninja Forms
Plugin Slug:: cf7-constant-contact
Installations:: 1,000+
Vulnerability:: Open Redirection
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-47779

Plugin:: Team Members Showcase
Plugin Slug:: dazzlersoft-teams
Installations:: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-32957

Plugin:: Interactive World Map
Plugin Slug:: interactive-world-map
Installations:: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-47767

Plugin:: Preloader Matrix
Plugin Slug:: matrix-pre-loader
Installations:: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-47685

Plugin:: Post Pay Counter
Plugin Slug:: post-pay-counter
Installations:: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-47673

Plugin:: Woo Custom and Sequential Order Number
Plugin Slug:: woo-custom-and-sequential-order-number
Installations:: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-47687

Plugin:: WooCommerce Product Enquiry
Plugin Slug:: woo-product-enquiry
Installations:: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-32796

Plugin:: Youtube SpeedLoad
Plugin Slug:: youtube-speedload
Installations:: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-47688

Plugin:: Mini Cart Drawer For WooCommerce
Plugin Slug:: woo-mini-cart-drawer
Installations:: 800+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-47694

Plugin:: Simply Excerpts
Plugin Slug:: simply-excerpts
Installations:: 400+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-5137

Plugin:: WP Not Login Hide
Plugin Slug:: wp-not-login-hide-wpnlh
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-5940

Plugin:: WP Full Stripe Free
Plugin Slug:: wp-full-stripe-free
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-47667

Plugin:: WP Featured Content and Slider
Plugin Slug:: wp-featured-content-and-slide
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-40200

Plugin:: WP Category Post List Widget
Plugin Slug:: wp-category-posts-list
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-47672

Plugin:: Vertical scroll recent post
Plugin Slug:: vertical-scroll-recent-post
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-47671

Plugin:: WooCommerce Product Carousel Slider
Plugin Slug:: product-carousel-slider-for-woocommerce
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-47755

Plugin:: LuckyWP Scripts Control
Plugin Slug:: luckywp-scripts-contro
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-47778

Plugin:: Leadster
Plugin Slug:: leadster-marketing-conversaciona
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-47791

Plugin:: ElementsKit Pro
Plugin Slug:: elementskit
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-39993

Plugin:: EasyRotator
Plugin Slug:: easyrotator-for-wordpress
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-5742

Plugin:: BSK Contact Form 7 Blacklist
Plugin Slug:: bsk-contact-form-7-blacklist
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-5141

Plugin:: AMP+ Plus
Plugin Slug:: amp-plus
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-5210

Plugin:: EWWW Image Optimizer
Plugin Slug:: ewww-image-optimizer
Installations:: 1,000,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 7.2.1
Severity Score:: Medium
CVE:: 2023-40600

Plugin:: WP Fastest Cache
Plugin Slug:: wp-fastest-cache
Installations:: 1,000,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.2.2
Severity Score:: Critical
CVE:: 2023-6063

Plugin:: Code Snippets
Plugin Slug:: code-snippets
Installations:: 800,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 3.6.0
Severity Score:: Medium
CVE:: 2023-47666

Plugin:: Forminator – Contact Form, Payment Form & Custom Form Builder
Plugin Slug:: forminator
Installations:: 400,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 1.28.0
Severity Score:: Medium
CVE:: 2023-6133

Plugin:: Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button – Chaty
Plugin Slug:: chaty
Installations:: 200,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.1.3
Severity Score:: Medium
CVE:: 2023-47759

Plugin:: Simple 301 Redirects by BetterLinks
Plugin Slug:: simple-301-redirects
Installations:: 200,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.0.8
Severity Score:: Medium
CVE:: 2023-47761

Plugin:: Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates
Plugin Slug:: essential-blocks
Installations:: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.2.1
Severity Score:: Medium
CVE:: 2023-47760

Plugin:: Qi Addons For Elementor
Plugin Slug:: qi-addons-for-elementor
Installations:: 100,000+
Vulnerability:: Local File Inclusion
Patched in Version:: 1.6.4
Severity Score:: Medium
CVE:: 2023-47679

Plugin:: Checkout Field Manager (Checkout Manager) for WooCommerce
Plugin Slug:: woocommerce-checkout-manager
Installations:: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 7.3.1
Severity Score:: Medium
CVE:: 2023-47681

Plugin:: Brizy – Page Builder
Plugin Slug:: brizy
Installations:: 80,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.4.30
Severity Score:: High

Plugin:: Big File Uploads – Increase Maximum File Upload Size
Plugin Slug:: tuxedo-big-file-uploads
Installations:: 80,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.1.2
Severity Score:: Medium
CVE:: 2023-47792

Plugin:: Comments – wpDiscuz
Plugin Slug:: wpdiscuz
Installations:: 80,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 7.6.12
Severity Score:: Medium
CVE:: 2023-47775

Plugin:: Ultimate Dashboard – Custom WordPress Dashboard
Plugin Slug:: ultimate-dashboard
Installations:: 60,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.7.8
Severity Score:: Medium
CVE:: 2023-4726

Plugin:: Solid Central – Site Management, Backups, Security, and Reporting
Plugin Slug:: ithemes-sync
Installations:: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.0.1
Severity Score:: Medium

Plugin:: User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor
Plugin Slug:: profile-builder
Installations:: 50,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 3.10.4
Severity Score:: Medium
CVE:: 2023-47669

Plugin:: Ditty – Responsive News Tickers, Sliders, and Lists
Plugin Slug:: ditty-news-ticker
Installations:: 40,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.1.25
Severity Score:: Medium
CVE:: 2023-47764

Plugin:: BetterDocs – Best Documentation & Knowledge Base Plugin
Plugin Slug:: betterdocs
Installations:: 30,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.5.3
Severity Score:: Medium
CVE:: 2023-47762

Plugin:: Professional Social Sharing Buttons, Icons & Related Posts – Shareaholic
Plugin Slug:: shareaholic
Installations:: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 9.7.9
Severity Score:: Medium
CVE:: 2023-4889

Plugin:: Ultimate Addons for Contact Form 7
Plugin Slug:: ultimate-addons-for-contact-form-7
Installations:: 30,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.2.7
Severity Score:: High
CVE:: 2023-47693

Plugin:: WP Custom Admin Interface
Plugin Slug:: wp-custom-admin-interface
Installations:: 30,000+
Vulnerability:: Broken Access Control
Patched in Version:: 7.32
Severity Score:: Medium
CVE:: 2023-47763

Plugin:: Delete Duplicate Posts
Plugin Slug:: delete-duplicate-posts
Installations:: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.9
Severity Score:: Medium
CVE:: 2023-47754

Plugin:: Ecwid Ecommerce Shopping Cart
Plugin Slug:: ecwid-shopping-cart
Installations:: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: 6.12.4
Severity Score:: Medium

Plugin:: MainWP Dashboard – WordPress Manager for Multiple Websites Maintenance
Plugin Slug:: mainwp
Installations:: 20,000+
Vulnerability:: SQL Injection
Patched in Version:: 4.4.3.4
Severity Score:: High
CVE:: 2023-38519

Plugin:: Welcart e-Commerce
Plugin Slug:: usc-e-shop
Installations:: 20,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 2.9.5
Severity Score:: High

Plugin:: WP User Frontend – Registration, User Profile, Membership, Content Restriction, User Directory, and Frontend Post Submission Plugin
Plugin Slug:: wp-user-frontend
Installations:: 20,000+
Vulnerability:: Privilege Escalation
Patched in Version:: 3.6.6
Severity Score:: High
CVE:: 2023-47682

Plugin:: eCommerce Product Catalog Plugin for WordPress
Plugin Slug:: ecommerce-product-catalog
Installations:: 10,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 3.3.26
Severity Score:: Medium

Plugin:: Membership Plugin – Restrict Content
Plugin Slug:: restrict-content
Installations:: 10,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 3.2.8
Severity Score:: Medium
CVE:: 2023-47668

Plugin:: Japanized For WooCommerce
Plugin Slug:: woocommerce-for-japan
Installations:: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.6.5
Severity Score:: High
CVE:: 2023-47698

Plugin:: YOP Poll
Plugin Slug:: yop-poll
Installations:: 10,000+
Vulnerability:: Race Condition
Patched in Version:: 6.5.27
Severity Score:: Medium
CVE:: 2023-6109

Plugin:: Email Verification / SMS Verification / OTP Verification / OTP Authentication / WooCommerce Notification
Plugin Slug:: miniorange-otp-verification
Installations:: 6,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.2.2
Severity Score:: Medium
CVE:: 2023-47776

Plugin:: Gift Up Gift Cards for WordPress and WooCommerce
Plugin Slug:: gift-up
Installations:: 5,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.20.2
Severity Score:: Medium
CVE:: 2023-5703

Plugin:: Hreflang Manager
Plugin Slug:: hreflang-manager-lite
Installations:: 3,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.0.7
Severity Score:: Medium

Plugin:: Job Manager & Career – Manage job board listings, and recruitments
Plugin Slug:: job-manager-career
Installations:: 2,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 1.4.4
Severity Score:: High
CVE:: 2023-5906

Plugin:: Client Invoicing by Sprout Invoices – Easy Estimates and Invoices for WordPress
Plugin Slug:: sprout-invoices
Installations:: 2,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 20.5.4
Severity Score:: Medium

Plugin:: avalex – Automatisch sichere Rechtstexte
Plugin Slug:: avalex
Installations:: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.0.9
Severity Score:: Medium

Plugin:: Arigato Autoresponder and Newsletter
Plugin Slug:: bft-autoresponder
Installations:: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.7.2.3
Severity Score:: Medium
CVE:: 2023-47686

Plugin:: Martins Free & Easy SEO BackLink Link Building Network – Improve Rankings & Traffic
Plugin Slug:: martins-link-network
Installations:: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.2.30
Severity Score:: High
CVE:: 2023-5641

Plugin:: Frontend File Manager Plugin
Plugin Slug:: nmedia-user-file-uploader
Installations:: 1,000+
Vulnerability:: Arbitrary File Download
Patched in Version:: 22.6
Severity Score:: Critical
CVE:: 2023-5105

Plugin:: Website Optimization – Plerdy
Plugin Slug:: plerdy-heatmap
Installations:: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.3
Severity Score:: Medium
CVE:: 2023-5715

Plugin:: Post Status Notifier Lite
Plugin Slug:: post-status-notifier-lite
Installations:: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.11.1
Severity Score:: High
CVE:: 2023-47766

Plugin:: Product Catalog Simple
Plugin Slug:: post-type-x
Installations:: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.7.6
Severity Score:: Medium

Plugin:: Bus Ticket Booking with Seat Reservation
Plugin Slug:: bus-ticket-booking-with-seat-reservation
Installations:: 900+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.2.6
Severity Score:: High
CVE:: 2023-30496

Plugin:: WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses
Plugin Slug:: wp-courses
Installations:: 700+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 3.2.4
Severity Score:: Medium

Plugin:: WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses
Plugin Slug:: wp-courses
Installations:: 700+
Vulnerability:: Broken Access Control
Patched in Version:: 3.2.4
Severity Score:: Medium

Plugin:: WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses
Plugin Slug:: wp-courses
Installations:: 700+
Vulnerability:: Broken Access Control
Patched in Version:: 3.2.4
Severity Score:: High

Plugin:: Namaste! LMS
Plugin Slug:: namaste-lms
Installations:: 600+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.6.1.2
Severity Score:: High
CVE:: 2023-4602

Plugin:: Image Compressor & Optimizer – iLoveIMG
Plugin Slug:: iloveimg
Installations:: 100+
Vulnerability:: PHP Object Injection
Patched in Version:: 1.0.6
Severity Score:: Medium

Plugin:: WooCommerce Canada Post Shipping
Plugin Slug:: woocommerce-shipping-canada-post
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.8.4
Severity Score:: Medium
CVE:: 2023-47789

Plugin:: WooCommerce Bookings
Plugin Slug:: woocommerce-bookings
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.0.4
Severity Score:: Medium
CVE:: 2023-47787

Plugin:: Star CloudPRNT for WooCommerce
Plugin Slug:: star-cloudprnt-for-woocommerce
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.4
Severity Score:: High
CVE:: 2023-4603

Plugin:: Slider Revolution
Plugin Slug:: revslider
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.6.15
Severity Score:: Medium
CVE:: 2023-47772

Plugin:: Slider Revolution
Plugin Slug:: revslider
Vulnerability:: Arbitrary File Upload
Patched in Version:: 6.6.16
Severity Score:: High
CVE:: 2023-47784

Plugin:: LayerSlider
Plugin Slug:: layerslider
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 7.7.10
Severity Score:: High
CVE:: 2023-47785

Plugin:: LayerSlider
Plugin Slug:: layerslider
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 7.7.10
Severity Score:: Medium
CVE:: 2023-47786

Plugin:: Essential Grid
Plugin Slug:: essential-grid
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.1.1
Severity Score:: High
CVE:: 2023-47684

Plugin:: Essential Grid
Plugin Slug:: essential-grid
Vulnerability:: Broken Access Control
Patched in Version:: 3.0.19
Severity Score:: High
CVE:: 2023-47771

WordPress Themes — # Patched / # Unpatched

Theme:: Themify Ultra
Theme Slug:: themify-ultra
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-46146

Solid Security is part of Solid Suite — The best foundation for WordPress websites.

Every WordPress site needs security, backups, and management tools. That’s Solid Suite — an integrated bundle of three plugins: Solid Security, Solid Backups, and Solid Central. You also get access to Solid Academy’s learning resources for WordPress professionals. Build your next WordPress website on a solid foundation with Solid Suite!

Get Solid Security

Author:

Dan Knauss

Dan Knauss has worked for and written about agencies and product companies in the WordPress space since 2015. He’s been involved in WordPress and open source web development since their beginning.

Browse all of Dan's articles

Follow Dan:

Sign up

Placeholder text

Thanks

Oops something went wrong, please try submitting again

Table of Contents

WordPress Core

WordPress Plugins — # Patched / # Unpatched

WordPress Themes — # Patched / # Unpatched

Solid Security is part of Solid Suite — The best foundation for WordPress websites.

Author:

Join us for the next Solid Academy Webinar!

What is a WordPress Phishing Attack?

Website Protection: 5 Ways to Keep Your Website Safe

23 Ideas To Grow Your WordPress Business in 2023

Author:

Sign up now — Get SolidWP updates and valuable content straight to your inbox

Sign up

Related Posts

WordPress Vulnerability Report — April 24, 2024

Solid Security Pro Feature Spotlight – Password Requirements

WordPress Vulnerability Report — April 17, 2024

WordPress Vulnerability Report — April 10, 2024