WordPress Vulnerability Report — November 22, 2023

Published:Nov 22, 2023

Reading Time:2 min.

Since our last report, 141 new vulnerabilities have been publicly disclosed, including three in Jetpack and others in WooCommerce, EWW Image Optimizer, WP Fastest Cache, and Forminator. Security patches are available for them now, along with 77 other plugins, so run those updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Additionally, there are 57 plugin vulnerabilities with no patch available yet. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall with virtual patches from Patchstack. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

Along with poor user account security, vulnerable plugins and themes are why WordPress websites get hacked. (See our Annual Vulnerability Report for 2022.) Unfortunately, cyberattacks are increasing in volume and sophistication. They’re also increasingly aimed at small to mid-sized businesses.

1. WordPress Core
2. WordPress Plugins — 84 Patched / 57 Unpatched

2.1 Shortcodes and extra features for Phlox theme
2.2 Conditional Fields for Contact Form 7
2.3 Premium Portfolio Features for Phlox theme
2.4 Theme Editor
2.5 Pz-LinkCard
2.6 wpForo Forum
2.7 wpForo Forum
2.8 Multi Step Form
2.9 myCred – Points, Rewards, Gamification, Ranks, Badges & Loyalty Plugin
2.10 Welcome Email Editor
2.11 WP Child Theme Generator
2.12 Footer Putter
2.13 WPCafe – Restaurant Menu, Online Ordering for WooCommerce, Pickup / Delivery and Table Reservation
2.14 Acme Fix Images
2.15 EasyAzon – Amazon Associates Affiliate Plugin
2.16 Disable User Login
2.17 Parallax Image
2.18 Permalinks Customizer
2.19 Contact Form to Any API
2.20 CodeBard's Patron Button and Widgets for Patreon
2.21 SearchIQ – The Search Solution
2.22 Bootstrap Shortcodes Ultimate
2.23 Interactive World Map
2.24 Theater for WordPress
2.25 Simply Excerpts
2.26 wpMandrill
2.27 WP Not Login Hide
2.28 WP Like Button
2.29 WP Githuber MD
2.30 10WebAnalytics
2.31 Tainacan
2.32 Grab & Save
2.33 Grab & Save
2.34 Quick Call Button
2.35 WooCommerce Product Carousel Slider
2.36 PayTR Taksit Tablosu
2.37 LuckyWP Scripts Control
2.38 Leadster
2.39 ElementsKit Pro
2.40 Easy Call Now by ThikShare
2.41 DrawIt (draw.io)
2.42 Live Preview for Contact Form 7
2.43 Integration for Contact Form 7 and Constant Contact
2.44 CataBlog
2.45 CataBlog
2.46 BSK Contact Form 7 Blacklist
2.47 BP Profile Shortcodes Extra
2.48 BMI Calculator Plugin
2.49 Better RSS Widget
2.50 Bamboo Columns
2.51 Phlox Shop
2.52 Audio Merchant
2.53 Audio Merchant
2.54 Anywhere Flash Embed
2.55 AMP+ Plus
2.56 Ajax Domain Checker
2.57 Add Widgets to Page
2.58 Jetpack – WP Security, Backup, Speed, & Growth
2.59 Jetpack – WP Security, Backup, Speed, & Growth
2.60 Jetpack – WP Security, Backup, Speed, & Growth
2.61 WooCommerce
2.62 EWWW Image Optimizer
2.63 WP Fastest Cache
2.64 Forminator – Contact Form, Payment Form & Custom Form Builder
2.65 Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button – Chaty
2.66 Simple 301 Redirects by BetterLinks
2.67 Elementor Addon Elements
2.68 Elementor Addon Elements
2.69 Elementor Addon Elements
2.70 Elementor Addon Elements
2.71 Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates
2.72 Newsletter, SMTP, Email marketing and Subscribe forms by Brevo (formely Sendinblue)
2.73 WooCommerce Blocks
2.74 WP Meta and Date Remover
2.75 Email Encoder – Protect Email Addresses and Phone Numbers
2.76 EmbedPress – Embed PDF, YouTube, Google Docs, Vimeo, Wistia Videos, Audios, Maps & Any Documents in Gutenberg & Elementor
2.77 Big File Uploads – Increase Maximum File Upload Size
2.78 Comments – wpDiscuz
2.79 Ultimate Dashboard – Custom WordPress Dashboard
2.80 Ditty – Responsive News Tickers, Sliders, and Lists
2.81 Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress
2.82 Slider – Ultimate Responsive Image Slider
2.83 Analytify – Google Analytics Dashboard For WordPress (GA4 analytics made easy)
2.84 WP Maintenance
2.85 BetterDocs – Best Documentation & Knowledge Base Plugin
2.86 BlossomThemes Email Newsletter
2.87 Link Whisper Free
2.88 Professional Social Sharing Buttons, Icons & Related Posts – Shareaholic
2.89 WP Custom Admin Interface
2.90 Delete Duplicate Posts
2.91 MP3 Audio Player for Music, Radio & Podcast by Sonaar
2.92 Welcart e-Commerce
2.93 Welcart e-Commerce
2.94 wpForo Forum
2.95 wpForo Forum
2.96 AWeber – Free Sign Up Form and Landing Page Builder Plugin for Lead Generation and Email Newsletter Growth
2.97 Donation Forms by Charitable – Donations Plugin & Fundraising Platform for WordPress
2.98 eCommerce Product Catalog Plugin for WordPress
2.99 eCommerce Product Catalog Plugin for WordPress
2.100 Legal Pages – Privacy Policy, Terms & Conditions, GDPR, CCPA, and Cookie Notice Generator
2.101 LWS Hide Login
2.102 WP EXtra
2.103 WP Mail Log
2.104 YOP Poll
2.105 Events Addon for Elementor
2.106 Drop Shadow Boxes
2.107 Email Verification / SMS Verification / OTP Verification / OTP Authentication / WooCommerce Notification
2.108 ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup
2.109 Auto Affiliate Links
2.110 FormCraft – Contact Form Builder for WordPress
2.111 Community by PeepSo – Social Network, Membership, Registration, User Profiles
2.112 Community by PeepSo – Social Network, Membership, Registration, User Profiles
2.113 ARI Stream Quiz – WordPress Quizzes Builder
2.114 Hreflang Manager
2.115 Accordion
2.116 Restaurant & Cafe Addon for Elementor
2.117 Client Invoicing by Sprout Invoices – Easy Estimates and Invoices for WordPress
2.118 avalex – Automatisch sichere Rechtstexte
2.119 Daily Prayer Time
2.120 Frontend File Manager Plugin
2.121 Website Optimization – Plerdy
2.122 Post Status Notifier Lite
2.123 Bus Ticket Booking with Seat Reservation – WpBusTicketly | WordPress plugin
2.124 Post Meta Data Manager
2.125 WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses
2.126 WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses
2.127 WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses
2.128 Namaste! LMS
2.129 Image Compressor & Optimizer – iLoveIMG
2.130 WooCommerce Canada Post Shipping
2.131 WooCommerce Bookings
2.132 Star CloudPRNT for WooCommerce
2.133 Slider Revolution
2.134 Slider Revolution
2.135 Perfmatters
2.136 Perfmatters
2.137 Perfmatters
2.138 Perfmatters
2.139 LayerSlider
2.140 LayerSlider
2.141 Essential Grid

3. WordPress Themes — 0 Patched / 0 Unpatched

Our weekly WordPress Vulnerability Report covers the latest WordPress plugin, theme, and core vulnerabilities to emerge. Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure of vulnerabilities is essential to keeping the WordPress community safe. Please share this report to help spread the word and make WordPress — and the web — more secure.

WordPress Core

WordPress 6.4.1 was released on November 8 as a short-cycle maintenance release to address several bugs, including loss of backward compatibility with a dependency, cURL 7.29 or earlier. This broke the WordPress internal update facility on servers running very old, insecure cURL versions.

WordPress 6.4 was released on November 7 as the third major release of 2023. Following a major release, you should not update live sites without taking backups and testing the update in a non-production environment first.

WordPress Plugins — 84 Patched / 57 Unpatched

Plugin:: Shortcodes and extra features for Phlox theme
Plugin Slug:: auxin-elements
Installations:: 100,000+
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-37888

Plugin:: Conditional Fields for Contact Form 7
Plugin Slug:: cf7-conditional-fields
Installations:: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-47838

Plugin:: Premium Portfolio Features for Phlox theme
Plugin Slug:: auxin-portfolio
Installations:: 50,000+
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-38399

Plugin:: Theme Editor
Plugin Slug:: theme-editor
Installations:: 50,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-6091

Plugin:: Pz-LinkCard
Plugin Slug:: pz-linkcard
Installations:: 30,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-47790

Plugin:: wpForo Forum
Plugin Slug:: wpforo
Installations:: 20,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-47870

Plugin:: wpForo Forum
Plugin Slug:: wpforo
Installations:: 20,000+
Vulnerability:: Content Injection
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-47869

Plugin:: Multi Step Form
Plugin Slug:: multi-step-form
Installations:: 10,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-47758

Plugin:: myCred – Points, Rewards, Gamification, Ranks, Badges & Loyalty Plugin
Plugin Slug:: mycred
Installations:: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-47853

Plugin:: Welcome Email Editor
Plugin Slug:: welcome-email-editor
Installations:: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-47756

Plugin:: WP Child Theme Generator
Plugin Slug:: wp-child-theme-generator
Installations:: 10,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2023-47873

Plugin:: Footer Putter
Plugin Slug:: footer-putter
Installations:: 9,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-47768

Plugin:: WPCafe – Restaurant Menu, Online Ordering for WooCommerce, Pickup / Delivery and Table Reservation
Plugin Slug:: wp-cafe
Installations:: 7,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-47805

Plugin:: Acme Fix Images
Plugin Slug:: acme-fix-images
Installations:: 6,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-47793

Plugin:: EasyAzon – Amazon Associates Affiliate Plugin
Plugin Slug:: easyazon
Installations:: 5,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-47780

Plugin:: Disable User Login
Plugin Slug:: disable-user-login
Installations:: 3,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-47806

Plugin:: Parallax Image
Plugin Slug:: parallax-image
Installations:: 3,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-47854

Plugin:: Permalinks Customizer
Plugin Slug:: permalinks-customizer
Installations:: 3,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-47773

Plugin:: Contact Form to Any API
Plugin Slug:: contact-form-to-any-api
Installations:: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-47871

Plugin:: CodeBard's Patron Button and Widgets for Patreon
Plugin Slug:: patron-button-and-widgets-by-codebard
Installations:: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-47765

Plugin:: SearchIQ – The Search Solution
Plugin Slug:: searchiq
Installations:: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-47832

Plugin:: Bootstrap Shortcodes Ultimate
Plugin Slug:: bs-shortcode-ultimate
Installations:: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-47851

Plugin:: Interactive World Map
Plugin Slug:: interactive-world-map
Installations:: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-47767

Plugin:: Theater for WordPress
Plugin Slug:: theatre
Installations:: 700+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-47833

Plugin:: Simply Excerpts
Plugin Slug:: simply-excerpts
Installations:: 400+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-5137

Plugin:: wpMandrill
Plugin Slug:: wpmandrill
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-47828

Plugin:: WP Not Login Hide
Plugin Slug:: wp-not-login-hide-wpnlh
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-5940

Plugin:: WP Like Button
Plugin Slug:: wp-like-button
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-47820

Plugin:: WP Githuber MD
Plugin Slug:: wp-githuber-md
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2023-47846

Plugin:: 10WebAnalytics
Plugin Slug:: wd-google-analytics
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-47807

Plugin:: Tainacan
Plugin Slug:: tainacan
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-47848

Plugin:: Grab & Save
Plugin Slug:: save-grab
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-47844

Plugin:: Grab & Save
Plugin Slug:: save-grab
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-47845

Plugin:: Quick Call Button
Plugin Slug:: quick-call-button
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-47829

Plugin:: WooCommerce Product Carousel Slider
Plugin Slug:: product-carousel-slider-for-woocommerce
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-47755

Plugin:: PayTR Taksit Tablosu
Plugin Slug:: paytr-taksit-tablosu-woocommerce
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-47847

Plugin:: LuckyWP Scripts Control
Plugin Slug:: luckywp-scripts-contro
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-47778

Plugin:: Leadster
Plugin Slug:: leadster-marketing-conversaciona
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-47791

Plugin:: ElementsKit Pro
Plugin Slug:: elementskit
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-39993

Plugin:: Easy Call Now by ThikShare
Plugin Slug:: easy-call-now
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-47819

Plugin:: DrawIt (draw.io)
Plugin Slug:: drawit
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-47831

Plugin:: Live Preview for Contact Form 7
Plugin Slug:: cf7-live-preview
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-47830

Plugin:: Integration for Contact Form 7 and Constant Contact
Plugin Slug:: cf7-constant-contact
Vulnerability:: Open Redirection
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-47779

Plugin:: CataBlog
Plugin Slug:: catablog
Vulnerability:: Arbitrary File Upload
Patched in Version:: No Fix
Severity Score:: Critical
CVE:: 2023-47842

Plugin:: CataBlog
Plugin Slug:: catablog
Vulnerability:: Arbitrary File Deletion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-47843

Plugin:: BSK Contact Form 7 Blacklist
Plugin Slug:: bsk-contact-form-7-blacklist
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-5141

Plugin:: BP Profile Shortcodes Extra
Plugin Slug:: bp-profile-shortcodes-extra
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-47815

Plugin:: BMI Calculator Plugin
Plugin Slug:: bmi-calculator-shortcode
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-47814

Plugin:: Better RSS Widget
Plugin Slug:: better-rss-widget
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-47813

Plugin:: Bamboo Columns
Plugin Slug:: bamboo-columns
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-47812

Plugin:: Phlox Shop
Plugin Slug:: auxin-shop
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-39163

Plugin:: Audio Merchant
Plugin Slug:: audio-merchant
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-6196

Plugin:: Audio Merchant
Plugin Slug:: audio-merchant
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-6197

Plugin:: Anywhere Flash Embed
Plugin Slug:: anywhere-flash-embed
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-47811

Plugin:: AMP+ Plus
Plugin Slug:: amp-plus
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-5210

Plugin:: Ajax Domain Checker
Plugin Slug:: ajax-domain-checker
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-47810

Plugin:: Add Widgets to Page
Plugin Slug:: add-widgets-to-page
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-47808

Plugin:: Jetpack – WP Security, Backup, Speed, & Growth
Plugin Slug:: jetpack
Installations:: 5,000,000+
Vulnerability:: Broken Access Control
Patched in Version:: 12.7
Severity Score:: Medium
CVE:: 2023-47788

Plugin:: Jetpack – WP Security, Backup, Speed, & Growth
Plugin Slug:: jetpack
Installations:: 5,000,000+
Vulnerability:: Clickjacking
Patched in Version:: 12.7
Severity Score:: Medium
CVE:: 2023-47774

Plugin:: Jetpack – WP Security, Backup, Speed, & Growth
Plugin Slug:: jetpack
Installations:: 5,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 12.8-a.3
Severity Score:: Medium
CVE:: 2023-45050

Plugin:: WooCommerce
Plugin Slug:: woocommerce
Installations:: 5,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 8.2.0
Severity Score:: Medium
CVE:: 2023-47777

Plugin:: EWWW Image Optimizer
Plugin Slug:: ewww-image-optimizer
Installations:: 1,000,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 7.2.1
Severity Score:: Medium
CVE:: 2023-40600

Plugin:: WP Fastest Cache
Plugin Slug:: wp-fastest-cache
Installations:: 1,000,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.2.2
Severity Score:: Critical
CVE:: 2023-6063

Plugin:: Forminator – Contact Form, Payment Form & Custom Form Builder
Plugin Slug:: forminator
Installations:: 400,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 1.28.0
Severity Score:: Medium
CVE:: 2023-6133

Plugin:: Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button – Chaty
Plugin Slug:: chaty
Installations:: 200,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.1.3
Severity Score:: Medium
CVE:: 2023-47759

Plugin:: Simple 301 Redirects by BetterLinks
Plugin Slug:: simple-301-redirects
Installations:: 200,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.0.8
Severity Score:: Medium
CVE:: 2023-47761

Plugin:: Elementor Addon Elements
Plugin Slug:: addon-elements-for-elementor-page-builder
Installations:: 100,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.12.8
Severity Score:: Medium
CVE:: 2023-4689

Plugin:: Elementor Addon Elements
Plugin Slug:: addon-elements-for-elementor-page-builder
Installations:: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.12.8
Severity Score:: Medium
CVE:: 2023-5381

Plugin:: Elementor Addon Elements
Plugin Slug:: addon-elements-for-elementor-page-builder
Installations:: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.12.8
Severity Score:: Medium
CVE:: 2023-4723

Plugin:: Elementor Addon Elements
Plugin Slug:: addon-elements-for-elementor-page-builder
Installations:: 100,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.12.8
Severity Score:: Medium
CVE:: 2023-4690

Plugin:: Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates
Plugin Slug:: essential-blocks
Installations:: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.2.1
Severity Score:: Medium
CVE:: 2023-47760

Plugin:: Newsletter, SMTP, Email marketing and Subscribe forms by Brevo (formely Sendinblue)
Plugin Slug:: mailin
Installations:: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.1.61
Severity Score:: High
CVE:: 2023-2472

Plugin:: WooCommerce Blocks
Plugin Slug:: woo-gutenberg-products-block
Installations:: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 11.1.2
Severity Score:: Medium
CVE:: 2023-47777

Plugin:: WP Meta and Date Remover
Plugin Slug:: wp-meta-and-date-remover
Installations:: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.3.1
Severity Score:: Medium
CVE:: 2023-47836

Plugin:: Email Encoder – Protect Email Addresses and Phone Numbers
Plugin Slug:: email-encoder-bundle
Installations:: 80,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.1.9
Severity Score:: Medium
CVE:: 2023-47821

Plugin:: EmbedPress – Embed PDF, YouTube, Google Docs, Vimeo, Wistia Videos, Audios, Maps & Any Documents in Gutenberg & Elementor
Plugin Slug:: embedpress
Installations:: 80,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.9.2
Severity Score:: High

Plugin:: Big File Uploads – Increase Maximum File Upload Size
Plugin Slug:: tuxedo-big-file-uploads
Installations:: 80,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.1.2
Severity Score:: Medium
CVE:: 2023-47792

Plugin:: Comments – wpDiscuz
Plugin Slug:: wpdiscuz
Installations:: 80,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 7.6.12
Severity Score:: Medium
CVE:: 2023-47775

Plugin:: Ultimate Dashboard – Custom WordPress Dashboard
Plugin Slug:: ultimate-dashboard
Installations:: 60,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.7.8
Severity Score:: Medium
CVE:: 2023-4726

Plugin:: Ditty – Responsive News Tickers, Sliders, and Lists
Plugin Slug:: ditty-news-ticker
Installations:: 40,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.1.25
Severity Score:: Medium
CVE:: 2023-47764

Plugin:: Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress
Plugin Slug:: quiz-master-next
Installations:: 40,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 8.1.14
Severity Score:: Medium
CVE:: 2023-47834

Plugin:: Slider – Ultimate Responsive Image Slider
Plugin Slug:: ultimate-responsive-image-slider
Installations:: 40,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.5.12
Severity Score:: Medium

Plugin:: Analytify – Google Analytics Dashboard For WordPress (GA4 analytics made easy)
Plugin Slug:: wp-analytify
Installations:: 40,000+
Vulnerability:: Broken Access Control
Patched in Version:: 5.2.0
Severity Score:: Medium
CVE:: 2023-47841

Plugin:: WP Maintenance
Plugin Slug:: wp-maintenance
Installations:: 40,000+
Vulnerability:: Bypass Vulnerability
Patched in Version:: 6.1.4
Severity Score:: Low
CVE:: 2023-47769

Plugin:: BetterDocs – Best Documentation & Knowledge Base Plugin
Plugin Slug:: betterdocs
Installations:: 30,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.5.3
Severity Score:: Medium
CVE:: 2023-47762

Plugin:: BlossomThemes Email Newsletter
Plugin Slug:: blossomthemes-email-newsletter
Installations:: 30,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.2.5
Severity Score:: Medium
CVE:: 2023-47849

Plugin:: Link Whisper Free
Plugin Slug:: link-whisper
Installations:: 30,000+
Vulnerability:: SQL Injection
Patched in Version:: 0.6.6
Severity Score:: High
CVE:: 2023-47852

Plugin:: Professional Social Sharing Buttons, Icons & Related Posts – Shareaholic
Plugin Slug:: shareaholic
Installations:: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 9.7.9
Severity Score:: Medium
CVE:: 2023-4889

Plugin:: WP Custom Admin Interface
Plugin Slug:: wp-custom-admin-interface
Installations:: 30,000+
Vulnerability:: Broken Access Control
Patched in Version:: 7.32
Severity Score:: Medium
CVE:: 2023-47763

Plugin:: Delete Duplicate Posts
Plugin Slug:: delete-duplicate-posts
Installations:: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.9
Severity Score:: Medium
CVE:: 2023-47754

Plugin:: MP3 Audio Player for Music, Radio & Podcast by Sonaar
Plugin Slug:: mp3-music-player-by-sonaar
Installations:: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.10.1
Severity Score:: Medium
CVE:: 2023-47822

Plugin:: Welcart e-Commerce
Plugin Slug:: usc-e-shop
Installations:: 20,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 2.9.6
Severity Score:: Medium

Plugin:: Welcart e-Commerce
Plugin Slug:: usc-e-shop
Installations:: 20,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 2.9.5
Severity Score:: High

Plugin:: wpForo Forum
Plugin Slug:: wpforo
Installations:: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.2.4
Severity Score:: Medium
CVE:: 2023-47872

Plugin:: wpForo Forum
Plugin Slug:: wpforo
Installations:: 20,000+
Vulnerability:: Privilege Escalation
Patched in Version:: 2.2.4
Severity Score:: High
CVE:: 2023-47868

Plugin:: AWeber – Free Sign Up Form and Landing Page Builder Plugin for Lead Generation and Email Newsletter Growth
Plugin Slug:: aweber-web-form-widget
Installations:: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 7.3.10
Severity Score:: Medium
CVE:: 2023-47757

Plugin:: Donation Forms by Charitable – Donations Plugin & Fundraising Platform for WordPress
Plugin Slug:: charitable
Installations:: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.7.0.14
Severity Score:: Medium
CVE:: 2023-47816

Plugin:: eCommerce Product Catalog Plugin for WordPress
Plugin Slug:: ecommerce-product-catalog
Installations:: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.3.27
Severity Score:: Medium
CVE:: 2023-47839

Plugin:: eCommerce Product Catalog Plugin for WordPress
Plugin Slug:: ecommerce-product-catalog
Installations:: 10,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 3.3.26
Severity Score:: Medium

Plugin:: Legal Pages – Privacy Policy, Terms & Conditions, GDPR, CCPA, and Cookie Notice Generator
Plugin Slug:: legal-pages
Installations:: 10,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.3.9
Severity Score:: Medium
CVE:: 2023-47824

Plugin:: LWS Hide Login
Plugin Slug:: lws-hide-login
Installations:: 10,000+
Vulnerability:: Bypass Vulnerability
Patched in Version:: 2.1.9
Severity Score:: Low
CVE:: 2023-47818

Plugin:: WP EXtra
Plugin Slug:: wp-extra
Installations:: 10,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 6.5
Severity Score:: Medium
CVE:: 2023-47825

Plugin:: WP Mail Log
Plugin Slug:: wp-mail-log
Installations:: 10,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.1.3
Severity Score:: High

Plugin:: YOP Poll
Plugin Slug:: yop-poll
Installations:: 10,000+
Vulnerability:: Race Condition
Patched in Version:: 6.5.27
Severity Score:: Medium
CVE:: 2023-6109

Plugin:: Events Addon for Elementor
Plugin Slug:: events-addon-for-elementor
Installations:: 8,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.1.4
Severity Score:: Medium
CVE:: 2023-47827

Plugin:: Drop Shadow Boxes
Plugin Slug:: drop-shadow-boxes
Installations:: 6,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.7.14
Severity Score:: Medium
CVE:: 2023-5469

Plugin:: Email Verification / SMS Verification / OTP Verification / OTP Authentication / WooCommerce Notification
Plugin Slug:: miniorange-otp-verification
Installations:: 6,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.2.2
Severity Score:: Medium
CVE:: 2023-47776

Plugin:: ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup
Plugin Slug:: armember-membership
Installations:: 5,000+
Vulnerability:: Bypass Vulnerability
Patched in Version:: 4.0.11
Severity Score:: High
CVE:: 2023-47837

Plugin:: Auto Affiliate Links
Plugin Slug:: wp-auto-affiliate-links
Installations:: 5,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 6.4.2.6
Severity Score:: Medium

Plugin:: FormCraft – Contact Form Builder for WordPress
Plugin Slug:: formcraft-form-builder
Installations:: 4,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.2.8
Severity Score:: Medium
CVE:: 2023-47823

Plugin:: Community by PeepSo – Social Network, Membership, Registration, User Profiles
Plugin Slug:: peepso-core
Installations:: 4,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.2.3.0
Severity Score:: Medium
CVE:: 2023-47850

Plugin:: Community by PeepSo – Social Network, Membership, Registration, User Profiles
Plugin Slug:: peepso-core
Installations:: 4,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 6.2.0.0
Severity Score:: Medium
CVE:: 2023-39925

Plugin:: ARI Stream Quiz – WordPress Quizzes Builder
Plugin Slug:: ari-stream-quiz
Installations:: 3,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.0
Severity Score:: Medium
CVE:: 2023-47835

Plugin:: Hreflang Manager
Plugin Slug:: hreflang-manager-lite
Installations:: 3,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.0.7
Severity Score:: Medium

Plugin:: Accordion
Plugin Slug:: accordions-wp
Installations:: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.7
Severity Score:: Medium
CVE:: 2023-47809

Plugin:: Restaurant & Cafe Addon for Elementor
Plugin Slug:: restaurant-cafe-addon-for-elementor
Installations:: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.5.4
Severity Score:: Medium
CVE:: 2023-47826

Plugin:: Client Invoicing by Sprout Invoices – Easy Estimates and Invoices for WordPress
Plugin Slug:: sprout-invoices
Installations:: 2,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 20.5.4
Severity Score:: Medium

Plugin:: avalex – Automatisch sichere Rechtstexte
Plugin Slug:: avalex
Installations:: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 3.0.9
Severity Score:: Medium

Plugin:: Daily Prayer Time
Plugin Slug:: daily-prayer-time-for-mosques
Installations:: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2023.10.21
Severity Score:: Medium
CVE:: 2023-47817

Plugin:: Frontend File Manager Plugin
Plugin Slug:: nmedia-user-file-uploader
Installations:: 1,000+
Vulnerability:: Arbitrary File Download
Patched in Version:: 22.6
Severity Score:: Critical
CVE:: 2023-5105

Plugin:: Website Optimization – Plerdy
Plugin Slug:: plerdy-heatmap
Installations:: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.3
Severity Score:: Medium
CVE:: 2023-5715

Plugin:: Post Status Notifier Lite
Plugin Slug:: post-status-notifier-lite
Installations:: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.11.1
Severity Score:: High
CVE:: 2023-47766

Plugin:: Bus Ticket Booking with Seat Reservation – WpBusTicketly | WordPress plugin
Plugin Slug:: bus-ticket-booking-with-seat-reservation
Installations:: 900+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.2.6
Severity Score:: High
CVE:: 2023-30496

Plugin:: Post Meta Data Manager
Plugin Slug:: post-meta-data-manager
Installations:: 700+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.2.2
Severity Score:: Medium
CVE:: 2023-5776

Plugin:: WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses
Plugin Slug:: wp-courses
Installations:: 700+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 3.2.4
Severity Score:: Medium

Plugin:: WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses
Plugin Slug:: wp-courses
Installations:: 700+
Vulnerability:: Broken Access Control
Patched in Version:: 3.2.4
Severity Score:: Medium

Plugin:: WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses
Plugin Slug:: wp-courses
Installations:: 700+
Vulnerability:: Broken Access Control
Patched in Version:: 3.2.4
Severity Score:: High

Plugin:: Namaste! LMS
Plugin Slug:: namaste-lms
Installations:: 600+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.6.1.2
Severity Score:: High
CVE:: 2023-4602

Plugin:: Image Compressor & Optimizer – iLoveIMG
Plugin Slug:: iloveimg
Installations:: 100+
Vulnerability:: PHP Object Injection
Patched in Version:: 1.0.6
Severity Score:: Medium

Plugin:: WooCommerce Canada Post Shipping
Plugin Slug:: woocommerce-shipping-canada-post
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.8.4
Severity Score:: Medium
CVE:: 2023-47789

Plugin:: WooCommerce Bookings
Plugin Slug:: woocommerce-bookings
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.0.4
Severity Score:: Medium
CVE:: 2023-47787

Plugin:: Star CloudPRNT for WooCommerce
Plugin Slug:: star-cloudprnt-for-woocommerce
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.4
Severity Score:: High
CVE:: 2023-4603

Plugin:: Slider Revolution
Plugin Slug:: revslider
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.6.15
Severity Score:: Medium
CVE:: 2023-47772

Plugin:: Slider Revolution
Plugin Slug:: revslider
Vulnerability:: Arbitrary File Upload
Patched in Version:: 6.6.16
Severity Score:: High
CVE:: 2023-47784

Plugin:: Perfmatters
Plugin Slug:: perfmatters
Vulnerability:: Broken Access Control
Patched in Version:: 2.1.7
Severity Score:: Medium
CVE:: 2023-47874

Plugin:: Perfmatters
Plugin Slug:: perfmatters
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.1.7
Severity Score:: Medium
CVE:: 2023-47875

Plugin:: Perfmatters
Plugin Slug:: perfmatters
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.1.7
Severity Score:: High
CVE:: 2023-47876

Plugin:: Perfmatters
Plugin Slug:: perfmatters
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.2.0
Severity Score:: Medium
CVE:: 2023-47877

Plugin:: LayerSlider
Plugin Slug:: layerslider
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 7.7.10
Severity Score:: High
CVE:: 2023-47785

Plugin:: LayerSlider
Plugin Slug:: layerslider
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 7.7.10
Severity Score:: Medium
CVE:: 2023-47786

Plugin:: Essential Grid
Plugin Slug:: essential-grid
Vulnerability:: Broken Access Control
Patched in Version:: 3.0.19
Severity Score:: High
CVE:: 2023-47771

WordPress Themes — 0 Patched / 0 Unpatched

Author:

Dan Knauss

Dan Knauss has worked for and written about agencies and product companies in the WordPress space since 2015. He’s been involved in WordPress and open source web development since their beginning.

Browse all of Dan's articles

Follow Dan:

Sign up

Placeholder text

Thanks

Oops something went wrong, please try submitting again

Table of Contents

WordPress Core

WordPress Plugins — 84 Patched / 57 Unpatched

WordPress Themes — 0 Patched / 0 Unpatched

Author:

Join us for the next Solid Academy Webinar!

What is a WordPress Phishing Attack?

Website Protection: 5 Ways to Keep Your Website Safe