WordPress Security

WordPress Vulnerability Report — November 8, 2023

This week, 109 new vulnerabilities emerged in WordPress plugins, and 79 have patches available now.

Dan Knauss

Since our last report, 109 new vulnerabilities have been publicly disclosed in WordPress plugins.[1] Security patches for 79 plugins are available now, so run those updates as soon as possible. If you’re a Solid Security Pro user and have activated version management in your settings, it has already warned you about these plugins and updated them.

Additionally, there are 30 vulnerabilities with no patch available yet. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall with virtual patches from Patchstack. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

New Releases: Solid Security Pro 8.0.3, Solid Security Basic 9.0.2, and Solid Backups 9.1.1. Please update!

Along with poor user account security, vulnerable plugins and themes are why WordPress websites get hacked. (See our Annual Vulnerability Report for 2022.) Unfortunately, cyberattacks are increasing in volume and sophistication. They’re also increasingly aimed at small to mid-sized businesses.

Our weekly WordPress Vulnerability Report covers the latest WordPress plugin, theme, and core vulnerabilities to emerge. Each vulnerability has a severity rating of Low, Medium, High, or Critical. Responsible disclosure of vulnerabilities is essential to keeping the WordPress community safe. Please share this report to help spread the word and make WordPress — and the web — more secure.

WordPress Core

WordPress 6.4.1 was released on November 8 as a short-cycle maintenance release to address several bugs, including a loss of backward compatibility with cURL 7.29 and earlier. That regression broke the WordPress internal update facility on servers still running those very old, insecure cURL versions.

WordPress 6.4 was released on November 7 as the third major release of 2023. Following a major release, you should not update live sites without taking backups and testing the update in a non-production environment first.

No new WordPress core vulnerabilities were disclosed this week.

WordPress Plugins — 79 Patched / 30 Unpatched

Finale Lite – Sales Countdown Timer & Discount for WooCommerce

Plugin Slug:
finale-woocommerce-sales-countdown-timer-discount
Installations:
7,000+
Vulnerability:
Arbitrary Content Deletion
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Comments Ratings

Plugin Slug:
comments-ratings
Installations:
6,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Linker

Plugin:
Linker
Plugin Slug:
linker
Installations:
2,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Short URL

Plugin:
Short URL
Plugin Slug:
shorten-url
Installations:
2,000+
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Login Screen Manager

Plugin Slug:
login-screen-manager
Installations:
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Login Screen Manager

Plugin Slug:
login-screen-manager
Installations:
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Post Sliders & Post Grids

Plugin Slug:
post-slider-carousel
Installations:
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Top 25 Social Icons

Plugin Slug:
top-25-social-icons
Installations:
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

WP MapIt

Plugin:
WP MapIt
Plugin Slug:
wp-mapit
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

wp-bitly

Plugin:
wp-bitly
Plugin Slug:
wp-bitly
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

WD WidgetTwitter

Plugin:
WD WidgetTwitter
Plugin Slug:
widget-twitter
Vulnerability:
SQL Injection
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Telephone Number Linker

Plugin:
Telephone Number Linker
Plugin Slug:
telephone-number-linker
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Layer Slider

Plugin:
Layer Slider
Plugin Slug:
slider-slideshow
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

ShortCodes UI

Plugin:
ShortCodes UI
Plugin Slug:
shortcodes-ui
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Shortcode Menu

Plugin:
Shortcode Menu
Plugin Slug:
shortcode-menu
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

QR Code Tag

Plugin:
QR Code Tag
Plugin Slug:
qr-code-tag
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Live updates from Excel

Plugin:
Live updates from Excel
Plugin Slug:
ipushpull
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

ImageMapper

Plugin:
ImageMapper
Plugin Slug:
imagemapper
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

ImageMapper

Plugin:
ImageMapper
Plugin Slug:
imagemapper
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

ImageMapper

Plugin:
ImageMapper
Plugin Slug:
imagemapper
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

iframe forms

Plugin:
iframe forms
Plugin Slug:
iframe-forms
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

idbbee

Plugin:
idbbee
Plugin Slug:
idbbee
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Grid Plus

Plugin:
Grid Plus
Plugin Slug:
grid-plus
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Featured Image Caption

Plugin:
Featured Image Caption
Plugin Slug:
featured-image-caption
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

WooODT Lite

Plugin:
WooODT Lite
Plugin Slug:
byconsole-woo-order-delivery-time
Vulnerability:
Broken Access Control
Patched in Version:
No Fix
Severity Score:
High
The vulnerability has not been patched. You should deactivate the plugin.

Ads by datafeedr.com

Plugin:
Ads by datafeedr.com
Plugin Slug:
ads-by-datafeedrcom
Vulnerability:
Remote Code Execution (RCE)
Patched in Version:
No Fix
Severity Score:
Critical
The vulnerability has not been patched. You should deactivate the plugin.

Social Feed | All social media in one place

Plugin:
Social Feed | All social media in one place
Plugin Slug:
add-facebook
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

Social Feed | All social media in one place

Plugin:
Social Feed | All social media in one place
Plugin Slug:
add-facebook
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
No Fix
Severity Score:
Medium
The vulnerability has not been patched. You should deactivate the plugin.

GiveWP – Donation Plugin and Fundraising Platform

Plugin Slug:
give
Installations:
100,000+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
2.33.4
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.33.4.

GiveWP – Donation Plugin and Fundraising Platform

Plugin Slug:
give
Installations:
100,000+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
2.33.4
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.33.4.

GiveWP – Donation Plugin and Fundraising Platform

Plugin Slug:
give
Installations:
100,000+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
2.33.4
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.33.4.

GiveWP – Donation Plugin and Fundraising Platform

Plugin Slug:
give
Installations:
100,000+
Vulnerability:
Broken Access Control
Patched in Version:
2.33.2
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.33.2.

Kadence WooCommerce Email Designer

Plugin Slug:
kadence-woocommerce-email-designer
Installations:
100,000+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
1.5.12
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.5.12.

WP Meta and Date Remover

Plugin Slug:
wp-meta-and-date-remover
Installations:
100,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
2.2.0
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.2.0.

Comments – wpDiscuz

Plugin Slug:
wpdiscuz
Installations:
80,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
7.6.12
Severity Score:
High
The vulnerability has been patched, so you should update to version 7.6.12.

Drag and Drop Multiple File Upload – Contact Form 7

Plugin Slug:
drag-and-drop-multiple-file-upload-contact-form-7
Installations:
50,000+
Vulnerability:
Arbitrary File Upload
Patched in Version:
1.3.7.4
Severity Score:
High
The vulnerability has been patched, so you should update to version 1.3.7.4.

Apollo13 Framework Extensions

Plugin Slug:
apollo13-framework-extensions
Installations:
30,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.9.1
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.9.1.

Social Sharing Plugin – Social Warfare

Plugin Slug:
social-warfare
Installations:
30,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
4.4.4
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 4.4.4.

WP Customer Reviews

Plugin Slug:
wp-customer-reviews
Installations:
30,000+
Vulnerability:
Sensitive Data Exposure
Patched in Version:
3.6.7
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 3.6.7.

Popup box

Plugin:
Popup box
Plugin Slug:
ays-popup-box
Installations:
20,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
3.7.2
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 3.7.2.

Responsive Pricing Table

Plugin Slug:
dk-pricr-responsive-pricing-table
Installations:
20,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
5.1.8
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 5.1.8.

Simple Like Page Plugin

Plugin Slug:
simple-facebook-plugin
Installations:
20,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.5.2
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.5.2.

Simple Job Board

Plugin Slug:
simple-job-board
Installations:
20,000+
Vulnerability:
Broken Access Control
Patched in Version:
2.10.6
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.10.6.

Awesome Support – WordPress HelpDesk & Support Plugin

Plugin Slug:
awesome-support
Installations:
10,000+
Vulnerability:
Arbitrary File Deletion
Patched in Version:
6.1.5
Severity Score:
High
The vulnerability has been patched, so you should update to version 6.1.5.

Awesome Support – WordPress HelpDesk & Support Plugin

Plugin Slug:
awesome-support
Installations:
10,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
6.1.5
Severity Score:
High
The vulnerability has been patched, so you should update to version 6.1.5.

Awesome Support – WordPress HelpDesk & Support Plugin

Plugin Slug:
awesome-support
Installations:
10,000+
Vulnerability:
Broken Access Control
Patched in Version:
6.1.5
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 6.1.5.

E2Pdf – Export To Pdf Tool for WordPress

Plugin Slug:
e2pdf
Installations:
10,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.20.20
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.20.20.

Image Regenerate & Select Crop

Plugin Slug:
image-regenerate-select-crop
Installations:
10,000+
Vulnerability:
Sensitive Data Exposure
Patched in Version:
7.3.1
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 7.3.1.

FareHarbor for WordPress

Plugin Slug:
fareharbor
Installations:
9,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
3.6.8
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 3.6.8.

Front End PM

Plugin Slug:
front-end-pm
Installations:
8,000+
Vulnerability:
Sensitive Data Exposure
Patched in Version:
11.4.3
Severity Score:
High
The vulnerability has been patched, so you should update to version 11.4.3.

AI ChatBot

Plugin:
AI ChatBot
Plugin Slug:
chatbot
Installations:
5,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
4.9.7
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 4.9.7.

Garden Gnome Package

Plugin Slug:
garden-gnome-package
Installations:
5,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
2.2.9
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.2.9.

Image horizontal reel scroll slideshow

Plugin Slug:
image-horizontal-reel-scroll-slideshow
Installations:
5,000+
Vulnerability:
SQL Injection
Patched in Version:
13.3
Severity Score:
High
The vulnerability has been patched, so you should update to version 13.3.

Admin Bar & Dashboard Access Control

Plugin Slug:
admin-bar-dashboard-control
Installations:
4,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.2.9
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.2.9.

MStore API

Plugin:
MStore API
Plugin Slug:
mstore-api
Installations:
4,000+
Vulnerability:
Privilege Escalation
Patched in Version:
4.10.8
Severity Score:
Critical
The vulnerability has been patched, so you should update to version 4.10.8.

SEO Slider

Plugin:
SEO Slider
Plugin Slug:
seo-slider
Installations:
3,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.1.1
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.1.1.

Slick Popup: Contact Form 7 Popup Plugin

Plugin Slug:
slick-popup
Installations:
3,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.7.15
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.7.15.

Vertical marquee plugin

Plugin Slug:
vertical-marquee-plugin
Installations:
3,000+
Vulnerability:
SQL Injection
Patched in Version:
7.2
Severity Score:
High
The vulnerability has been patched, so you should update to version 7.2.

WP Affiliate Disclosure

Plugin Slug:
wp-affiliate-disclosure
Installations:
3,000+
Vulnerability:
Broken Access Control
Patched in Version:
1.2.7
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.2.7.

EventPrime – Events Calendar, Bookings and Tickets

Plugin Slug:
eventprime-event-calendar-management
Installations:
2,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
3.2.0
Severity Score:
High
The vulnerability has been patched, so you should update to version 3.2.0.

EventPrime – Events Calendar, Bookings and Tickets

Plugin Slug:
eventprime-event-calendar-management
Installations:
2,000+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
3.2.0
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 3.2.0.

EventPrime – Events Calendar, Bookings and Tickets

Plugin Slug:
eventprime-event-calendar-management
Installations:
2,000+
Vulnerability:
Other Vulnerability Type
Patched in Version:
3.2.0
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 3.2.0.

GD Security Headers

Plugin Slug:
gd-security-headers
Installations:
2,000+
Vulnerability:
SQL Injection
Patched in Version:
1.7.1
Severity Score:
High
The vulnerability has been patched, so you should update to version 1.7.1.

Plugin Slug:
imagelinks-interactive-image-builder-lite
Installations:
2,000+
Vulnerability:
SQL Injection
Patched in Version:
1.6.0
Severity Score:
High
The vulnerability has been patched, so you should update to version 1.6.0.

iPages Flipbook For WordPress

Plugin Slug:
ipages-flipbook
Installations:
2,000+
Vulnerability:
SQL Injection
Patched in Version:
1.5.0
Severity Score:
High
The vulnerability has been patched, so you should update to version 1.5.0.

Popup with fancybox

Plugin Slug:
popup-with-fancybox
Installations:
2,000+
Vulnerability:
SQL Injection
Patched in Version:
3.6
Severity Score:
High
The vulnerability has been patched, so you should update to version 3.6.

Advance Menu Manager

Plugin Slug:
advance-menu-manager
Installations:
1,000+
Vulnerability:
Broken Access Control
Patched in Version:
3.0.7
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 3.0.7.

Advance Menu Manager

Plugin Slug:
advance-menu-manager
Installations:
1,000+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
3.0.7
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 3.0.7.

WordPress Contact Forms by Cimatti

Plugin Slug:
contact-forms
Installations:
1,000+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
1.6.1
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.6.1.

Icons Font Loader

Plugin Slug:
icons-font-loader
Installations:
1,000+
Vulnerability:
Arbitrary File Upload
Patched in Version:
1.1.3
Severity Score:
High
The vulnerability has been patched, so you should update to version 1.1.3.

IdeaPush

Plugin:
IdeaPush
Plugin Slug:
ideapush
Installations:
1,000+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
8.53
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 8.53.

WordPress File Sharing Plugin

Plugin Slug:
user-private-files
Installations:
1,000+
Vulnerability:
Insecure Direct Object References (IDOR)
Patched in Version:
2.0.5
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.0.5.

Plugin Slug:
wp-responsive-video-gallery-with-lightbox
Installations:
1,000+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
1.0.1
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.0.1.

Basic Interactive World Map

Plugin Slug:
basic-interactive-world-map
Installations:
900+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
2.7
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.7.

Image vertical reel scroll slideshow

Plugin Slug:
image-vertical-reel-scroll-slideshow
Installations:
800+
Vulnerability:
SQL Injection
Patched in Version:
9.1
Severity Score:
High
The vulnerability has been patched, so you should update to version 9.1.

Jquery news ticker

Plugin Slug:
jquery-news-ticker
Installations:
700+
Vulnerability:
SQL Injection
Patched in Version:
3.1
Severity Score:
High
The vulnerability has been patched, so you should update to version 3.1.

Memberlite Shortcodes

Plugin Slug:
memberlite-shortcodes
Installations:
700+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
1.3.9
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 1.3.9.

Information Reel

Plugin Slug:
information-reel
Installations:
600+
Vulnerability:
SQL Injection
Patched in Version:
10.1
Severity Score:
High
The vulnerability has been patched, so you should update to version 10.1.

Message ticker

Plugin Slug:
message-ticker
Installations:
600+
Vulnerability:
SQL Injection
Patched in Version:
9.3
Severity Score:
High
The vulnerability has been patched, so you should update to version 9.3.

WP fade in text news

Plugin Slug:
wp-fade-in-text-news
Installations:
600+
Vulnerability:
SQL Injection
Patched in Version:
12.1
Severity Score:
High
The vulnerability has been patched, so you should update to version 12.1.

WP Discord Invite

Plugin Slug:
wp-discord-invite
Installations:
500+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
2.5.2
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.5.2.

WP Discord Invite

Plugin Slug:
wp-discord-invite
Installations:
500+
Vulnerability:
Cross Site Request Forgery (CSRF)
Patched in Version:
2.5.1
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.5.1.

Wp anything slider

Plugin Slug:
wp-anything-slider
Installations:
400+
Vulnerability:
SQL Injection
Patched in Version:
9.2
Severity Score:
High
The vulnerability has been patched, so you should update to version 9.2.

Plugin Slug:
superb-slideshow-gallery
Installations:
300+
Vulnerability:
SQL Injection
Patched in Version:
13.2
Severity Score:
High
The vulnerability has been patched, so you should update to version 13.2.

wp image slideshow

Plugin Slug:
wp-image-slideshow
Installations:
300+
Vulnerability:
SQL Injection
Patched in Version:
12.1
Severity Score:
High
The vulnerability has been patched, so you should update to version 12.1.

Ziteboard Online Whiteboard

Plugin Slug:
ziteboard-online-whiteboard
Installations:
200+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
3.0.0
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 3.0.0.

Plugin Slug:
left-right-image-slideshow-gallery
Installations:
100+
Vulnerability:
SQL Injection
Patched in Version:
12.1
Severity Score:
High
The vulnerability has been patched, so you should update to version 12.1.

Wp photo text slider 50

Plugin Slug:
wp-photo-text-slider-50
Installations:
100+
Vulnerability:
SQL Injection
Patched in Version:
8.1
Severity Score:
High
The vulnerability has been patched, so you should update to version 8.1.

Jquery accordion slideshow

Plugin Slug:
jquery-accordion-slideshow
Installations:
80+
Vulnerability:
SQL Injection
Patched in Version:
8.2
Severity Score:
High
The vulnerability has been patched, so you should update to version 8.2.

Plugin Slug:
up-down-image-slideshow-gallery
Installations:
30+
Vulnerability:
SQL Injection
Patched in Version:
12.1
Severity Score:
High
The vulnerability has been patched, so you should update to version 12.1.

Digirisk

Plugin:
Digirisk
Plugin Slug:
digirisk
Installations:
20+
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
6.1.0.0
Severity Score:
High
The vulnerability has been patched, so you should update to version 6.1.0.0.

The Plus Addons for Elementor Pro

Plugin:
The Plus Addons for Elementor Pro
Plugin Slug:
theplus_elementor_addon
Vulnerability:
Local File Inclusion
Patched in Version:
5.2.9
Severity Score:
High
The vulnerability has been patched, so you should update to version 5.2.9.

HTML filter and csv-file search

Plugin:
HTML filter and csv-file search
Plugin Slug:
hk-filter-and-search
Vulnerability:
Local File Inclusion
Patched in Version:
2.8
Severity Score:
High
The vulnerability has been patched, so you should update to version 2.8.

HTML filter and csv-file search

Plugin:
HTML filter and csv-file search
Plugin Slug:
hk-filter-and-search
Vulnerability:
Cross Site Scripting (XSS)
Patched in Version:
2.8
Severity Score:
Medium
The vulnerability has been patched, so you should update to version 2.8.

Advanced Booking Calendar

Plugin:
Advanced Booking Calendar
Plugin Slug:
advanced-booking-calendar
Vulnerability:
SQL Injection
Patched in Version:
3.2.12
Severity Score:
High
The vulnerability has been patched, so you should update to version 3.2.12.

WordPress Themes — 0 Patched / 0 Unpatched

No new WordPress theme vulnerabilities were disclosed this week.

Notes

  1. This report comes out on Wednesdays and covers the last seven days of public disclosures in the Patchstack vulnerability database from the beginning of the previous week to the beginning of the current week — from last Monday to this Monday. This period intentionally excludes any vulnerabilities added to the database in the last 48 hours. However, that up-to-the-minute Patchstack vulnerability data powers Solid Security Pro for our customers who have purchased Solid Suite or Solid Security Pro. Using Patchstack’s virtual patches, Solid Security Pro automatically protects WordPress sites from active exploits aimed at unpatched vulnerabilities.
