WordPress Vulnerability Report — October 18, 2023
Since last week, 151 new vulnerabilities emerged in the WordPress ecosystem, including 7 in WordPress core, 2 in themes, and 142 in plugins. More than half of the vulnerable plugins remain unpatched, but Solid Security Pro users are protected by virtual patching from Patchstack.
Since our last report, 151 new vulnerabilities have been publicly disclosed, including 7 in WordPress core patched in the WordPress 6.3.2 update. Security patches for 66 plugins and 2 themes are available now, so run those updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.
Additionally, there are 76 plugin vulnerabilities with no patch available yet. If you’re a Solid Security Pro user, the Solid Security firewall already protects you against those vulnerabilities with virtual patches from Patchstack. If no patch is forthcoming from the vendor, or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for an alternative solution.
WordPress Core
- Vulnerability:
- Other Vulnerability Type
- Patched in Version:
- 6.3.2
- Severity Score:
- Medium
WordPress Core
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 6.3.2
- Severity Score:
- Medium
WordPress Core
- Vulnerability:
- Sensitive Data Exposure
- Patched in Version:
- 6.3.2
- Severity Score:
- Medium
WordPress Core
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 6.3.2
- Severity Score:
- Medium
WordPress Core
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 6.3.2
- Severity Score:
- Medium
- CVE:
- 2023-39999
WordPress Core
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 6.3.2
- Severity Score:
- Medium
- CVE:
- 2023-38000
WordPress Core
- Vulnerability:
- Denial of Service Attack
- Patched in Version:
- 6.3.2
- Severity Score:
- Medium
WordPress Plugin Vulnerabilities — 66 Patched / 76 Unpatched
Along with poor user account security, vulnerable plugins and themes are why WordPress websites get hacked. Our weekly WordPress Vulnerability Report, powered by Patchstack, covers the latest WordPress plugin, theme, and core vulnerabilities to emerge. Each vulnerability has a severity rating of Low, Medium, High, or Critical. Responsible disclosure of vulnerabilities is essential to keeping the WordPress community safe. Please share this report to help spread the word and make WordPress — and 40% of the web — more secure.
Widgets for Google Reviews
- Plugin:
- Widgets for Google Reviews
- Plugin Slug:
- wp-reviews-plugin-for-google
- Installations:
- 300,000+
- Vulnerability:
- Cross Site Request Forgery (CSRF)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2023-3254
WP ULike – Most Advanced WordPress Marketing Toolkit
- Plugin Slug:
- wp-ulike
- Installations:
- 80,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2023-45640
WP Lightbox 2
- Plugin:
- WP Lightbox 2
- Plugin Slug:
- wp-lightbox-2
- Installations:
- 40,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2023-45747
MailChimp Forms by MailMunch
- Plugin:
- MailChimp Forms by MailMunch
- Plugin Slug:
- mailchimp-forms-by-mailmunch
- Installations:
- 30,000+
- Vulnerability:
- Cross Site Request Forgery (CSRF)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2023-45748
Print, PDF, Email by PrintFriendly
- Plugin Slug:
- printfriendly
- Installations:
- 30,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2023-25032
Lazy Load for Videos
- Plugin:
- Lazy Load for Videos
- Plugin Slug:
- lazy-load-for-videos
- Installations:
- 10,000+
- Vulnerability:
- Cross Site Request Forgery (CSRF)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2023-45656
Wp Ultimate Review
- Plugin:
- Wp Ultimate Review
- Plugin Slug:
- wp-ultimate-review
- Installations:
- 10,000+
- Vulnerability:
- Cross Site Request Forgery (CSRF)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2023-46085
HTML5 Maps
- Plugin:
- HTML5 Maps
- Plugin Slug:
- html5-maps
- Installations:
- 7,000+
- Vulnerability:
- Cross Site Request Forgery (CSRF)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2023-45650
Proofreading
- Plugin:
- Proofreading
- Plugin Slug:
- proofreading
- Installations:
- 7,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
- 2023-45772
Protección de Datos RGPD
- Plugin:
- Protección de Datos RGPD
- Plugin Slug:
- click-datos-lopd
- Installations:
- 6,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
- 2023-46071
Comments Ratings
- Plugin:
- Comments Ratings
- Plugin Slug:
- comments-ratings
- Installations:
- 6,000+
- Vulnerability:
- Cross Site Request Forgery (CSRF)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2023-45654
Simple URLs – Link Cloaking, Product Displays, and Affiliate Link Management
- Plugin Slug:
- simple-urls
- Installations:
- 6,000+
- Vulnerability:
- Cross Site Request Forgery (CSRF)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2023-45606
ApplyOnline – Application Form Builder and Manager
- Plugin Slug:
- apply-online
- Installations:
- 5,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2023-46080
ApplyOnline – Application Form Builder and Manager
- Plugin Slug:
- apply-online
- Installations:
- 5,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
- 2023-45756
Constant Contact Forms by MailMunch
- Plugin Slug:
- constant-contact-forms-by-mailmunch
- Installations:
- 5,000+
- Vulnerability:
- Cross Site Request Forgery (CSRF)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2023-45647
Simple File List
- Plugin:
- Simple File List
- Plugin Slug:
- simple-file-list
- Installations:
- 5,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2023-39924
WP Attachments
- Plugin:
- WP Attachments
- Plugin Slug:
- wp-attachments
- Installations:
- 5,000+
- Vulnerability:
- Cross Site Request Forgery (CSRF)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2023-45651
Ashe Extra
- Plugin:
- Ashe Extra
- Plugin Slug:
- ashe-extra
- Installations:
- 4,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2023-46079
BuddyPress Global Search
- Plugin:
- BuddyPress Global Search
- Plugin Slug:
- buddypress-global-search
- Installations:
- 4,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2023-45755
Custom post types, Custom Fields & more
- Plugin Slug:
- custom-post-types
- Installations:
- 4,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2023-32116
DX Delete Attached Media
- Plugin:
- DX Delete Attached Media
- Plugin Slug:
- dx-delete-attached-media
- Installations:
- 4,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2023-46073
Minimum Purchase for WooCommerce
- Plugin Slug:
- minimum-purchase-for-woocommerce
- Installations:
- 4,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2023-30492
Rocket Font
- Plugin:
- Rocket Font
- Plugin Slug:
- rocket-font
- Installations:
- 4,000+
- Vulnerability:
- Cross Site Request Forgery (CSRF)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2023-46067
which template file
- Plugin:
- which template file
- Plugin Slug:
- which-template-file
- Installations:
- 4,000+
- Vulnerability:
- Cross Site Request Forgery (CSRF)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2023-45753
Contact Form Builder, Contact Widget
- Plugin Slug:
- contact-forms-builder
- Installations:
- 3,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
- 2023-46075
PDF Block
- Plugin:
- PDF Block
- Plugin Slug:
- pdf-block
- Installations:
- 3,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2023-45646
SpiderVPlayer
- Plugin:
- SpiderVPlayer
- Plugin Slug:
- player
- Installations:
- 3,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
- 2023-45632
WooCommerce PDF Invoice Builder, Create invoices, packing slips and more
- Plugin Slug:
- woo-pdf-invoice-builder
- Installations:
- 3,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
- 2023-46076
FreshMail For WordPress
- Plugin:
- FreshMail For WordPress
- Plugin Slug:
- freshmail-integration
- Installations:
- 2,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2023-46074
Libsyn Publisher Hub
- Plugin:
- Libsyn Publisher Hub
- Plugin Slug:
- libsyn-podcasting
- Installations:
- 2,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
- 2023-45835
Libsyn Publisher Hub
- Plugin:
- Libsyn Publisher Hub
- Plugin Slug:
- libsyn-podcasting
- Installations:
- 2,000+
- Vulnerability:
- Sensitive Data Exposure
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2023-45834
Responsive Column Widgets
- Plugin:
- Responsive Column Widgets
- Plugin Slug:
- responsive-column-widgets
- Installations:
- 2,000+
- Vulnerability:
- Open Redirection
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2023-45762
Post Gallery
- Plugin:
- Post Gallery
- Plugin Slug:
- simple-post-gallery
- Installations:
- 2,000+
- Vulnerability:
- Cross Site Request Forgery (CSRF)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2023-45752
Tweeple
- Plugin:
- Tweeple
- Plugin Slug:
- tweeple
- Installations:
- 2,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
- 2023-30781
AMP WP – Google AMP For WordPress
- Plugin Slug:
- amp-wp
- Installations:
- 1,000+
- Vulnerability:
- Cross Site Request Forgery (CSRF)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2023-45831
Contact Form Generator : Creative form builder for WordPress
- Plugin Slug:
- contact-form-generator
- Installations:
- 1,000+
- Vulnerability:
- SQL Injection
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
- 2023-35911
Contact Form With Captcha
- Plugin:
- Contact Form With Captcha
- Plugin Slug:
- contact-form-with-captcha
- Installations:
- 1,000+
- Vulnerability:
- Cross Site Request Forgery (CSRF)
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
- 2023-45771
Copy or Move Comments
- Plugin:
- Copy or Move Comments
- Plugin Slug:
- copy-or-move-comments
- Installations:
- 1,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2023-45634
Easy Testimonial Slider and Form
- Plugin Slug:
- easy-testimonial-rotator
- Installations:
- 1,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2023-45754
Ebook Store
- Plugin:
- Ebook Store
- Plugin Slug:
- ebook-store
- Installations:
- 1,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
- 2023-45602
EG-Attachments
- Plugin:
- EG-Attachments
- Plugin Slug:
- eg-attachments
- Installations:
- 1,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
- 2023-46070
Fast WP Speed
- Plugin:
- Fast WP Speed
- Plugin Slug:
- fast-wp-speed
- Installations:
- 1,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
- 2023-45770
Gallery – Image and Video Gallery with Thumbnails
- Plugin Slug:
- gallery-album
- Installations:
- 1,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2023-45631
Gallery – Image and Video Gallery with Thumbnails
- Plugin Slug:
- gallery-album
- Installations:
- 1,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
- 2023-45630
Gallery – Image and Video Gallery with Thumbnails
- Plugin Slug:
- gallery-album
- Installations:
- 1,000+
- Vulnerability:
- Cross Site Request Forgery (CSRF)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2023-45629
Icons Font Loader
- Plugin:
- Icons Font Loader
- Plugin Slug:
- icons-font-loader
- Installations:
- 1,000+
- Vulnerability:
- SQL Injection
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
- 2023-46084
Lava Directory Manager
- Plugin:
- Lava Directory Manager
- Plugin Slug:
- lava-directory-manager
- Installations:
- 1,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
- 2023-46081
LeadSquared Suite
- Plugin:
- LeadSquared Suite
- Plugin Slug:
- leadsquared-suite
- Installations:
- 1,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2023-45833
Sendle Shipping Plugin
- Plugin:
- Sendle Shipping Plugin
- Plugin Slug:
- official-sendle-shipping-method
- Installations:
- 1,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
- 2023-45761
Remote Content Shortcode
- Plugin:
- Remote Content Shortcode
- Plugin Slug:
- remote-content-shortcode
- Installations:
- 1,000+
- Vulnerability:
- Local File Inclusion
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2023-45652
RumbleTalk Live Group Chat – HTML5
- Plugin Slug:
- rumbletalk-chat-a-chat-with-themes
- Installations:
- 1,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2023-45828
Taggbox – UGC Galleries, Social Media Widgets, User Reviews & Analytics
- Plugin Slug:
- taggbox-widget
- Installations:
- 1,000+
- Vulnerability:
- Cross Site Request Forgery (CSRF)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2023-33214
Video Playlist For YouTube
- Plugin:
- Video Playlist For YouTube
- Plugin Slug:
- video-playlist-for-youtube
- Installations:
- 1,000+
- Vulnerability:
- Cross Site Request Forgery (CSRF)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2023-45653
WC Serial Numbers – Ultimate License Manager Plugin for Selling, Licensing & Securely Delivering Digital Products with WooCommerce
- Plugin Slug:
- wc-serial-numbers
- Installations:
- 1,000+
- Vulnerability:
- Cross Site Request Forgery (CSRF)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2023-46078
Next Page
- Plugin:
- Next Page
- Plugin Slug:
- next-page
- Installations:
- 900+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2023-45768
Scroll post excerpt
- Plugin:
- Scroll post excerpt
- Plugin Slug:
- scroll-post-excerpt
- Installations:
- 900+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2023-45764
Simple Tweet
- Plugin:
- Simple Tweet
- Plugin Slug:
- simple-tweet
- Installations:
- 900+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2023-45767
The Awesome Feed – Custom Feed
- Plugin Slug:
- wp-facebook-feed
- Installations:
- 900+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
- 2023-46077
QR Twitter Widget
- Plugin:
- QR Twitter Widget
- Plugin Slug:
- qr-twitter-widget
- Installations:
- 800+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2023-45628
Ultimate Taxonomy Manager
- Plugin:
- Ultimate Taxonomy Manager
- Plugin Slug:
- ultimate-taxonomy-manager
- Installations:
- 800+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
- 2023-45837
Ultimate Taxonomy Manager
- Plugin:
- Ultimate Taxonomy Manager
- Plugin Slug:
- ultimate-taxonomy-manager
- Installations:
- 800+
- Vulnerability:
- Cross Site Request Forgery (CSRF)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2023-45836
Snap Pixel
- Plugin:
- Snap Pixel
- Plugin Slug:
- snap-pixel
- Installations:
- 700+
- Vulnerability:
- Cross Site Request Forgery (CSRF)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2023-45642
Caret Country Access Limit
- Plugin:
- Caret Country Access Limit
- Plugin Slug:
- caret-country-access-limit
- Installations:
- 40+
- Vulnerability:
- Cross Site Request Forgery (CSRF)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2023-45641
Newsletter & Bulk Email Sender – Email Newsletter Plugin for WordPress
- Plugin Slug:
- newsletter-bulk-email
- Installations:
- 40+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2023-45829
CPT Shortcode Generator
- Plugin:
- CPT Shortcode Generator
- Plugin Slug:
- cpt-shortcode
- Installations:
- 10+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2023-45644
CPT Shortcode Generator
- Plugin:
- CPT Shortcode Generator
- Plugin Slug:
- cpt-shortcode
- Installations:
- 10+
- Vulnerability:
- Cross Site Request Forgery (CSRF)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2023-45643
WP Report Post
- Plugin:
- WP Report Post
- Plugin Slug:
- wp-report-post
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
- 2023-45769
IMPress Listings
- Plugin:
- IMPress Listings
- Plugin Slug:
- wp-listings
- Vulnerability:
- Broken Access Control
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2023-45633
Feed Statistics
- Plugin:
- Feed Statistics
- Plugin Slug:
- wordpress-feed-statistics
- Vulnerability:
- Cross Site Request Forgery (CSRF)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2023-45605
Who Hit The Page – Hit Counter
- Plugin:
- Who Hit The Page – Hit Counter
- Plugin Slug:
- who-hit-the-page-hit-counter
- Vulnerability:
- Cross Site Request Forgery (CSRF)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2023-46087
Slick Contact Forms
- Plugin:
- Slick Contact Forms
- Plugin Slug:
- slick-contact-forms
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2023-5468
Accessibility Suite by Online ADA
- Plugin:
- Accessibility Suite by Online ADA
- Plugin Slug:
- online-accessibility
- Vulnerability:
- SQL Injection
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
- 2023-45830
Mediabay
- Plugin:
- Mediabay
- Plugin Slug:
- mediabay-lite
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2023-46066
Magee Shortcodes
- Plugin:
- Magee Shortcodes
- Plugin Slug:
- magee-shortcodes
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2023-4783
AGP Font Awesome Collection
- Plugin:
- AGP Font Awesome Collection
- Plugin Slug:
- agp-font-awesome-collection
- Vulnerability:
- Cross Site Request Forgery (CSRF)
- Patched in Version:
- No Fix
- Severity Score:
- Medium
- CVE:
- 2023-45749
Add Shortcodes Actions And Filters
- Plugin:
- Add Shortcodes Actions And Filters
- Plugin Slug:
- add-actions-and-filters
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- No Fix
- Severity Score:
- High
- CVE:
- 2023-46072
WordPress Gallery Plugin – NextGEN Gallery
- Plugin Slug:
- nextgen-gallery
- Installations:
- 500,000+
- Vulnerability:
- Local File Inclusion
- Patched in Version:
- 3.39
- Severity Score:
- Medium
- CVE:
- 2023-3279
WordPress Gallery Plugin – NextGEN Gallery
- Plugin Slug:
- nextgen-gallery
- Installations:
- 500,000+
- Vulnerability:
- Arbitrary File Deletion
- Patched in Version:
- 3.39
- Severity Score:
- Medium
- CVE:
- 2023-3155
WordPress Gallery Plugin – NextGEN Gallery
- Plugin Slug:
- nextgen-gallery
- Installations:
- 500,000+
- Vulnerability:
- PHP Object Injection
- Patched in Version:
- 3.39
- Severity Score:
- Medium
- CVE:
- 2023-3154
Gutenberg
- Plugin:
- Gutenberg
- Plugin Slug:
- gutenberg
- Installations:
- 300,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 16.8.1
- Severity Score:
- Medium
- CVE:
- 2023-38000
Migration, Backup, Staging – WPvivid
- Plugin Slug:
- wpvivid-backuprestore
- Installations:
- 300,000+
- Vulnerability:
- Sensitive Data Exposure
- Patched in Version:
- 0.9.92
- Severity Score:
- High
- CVE:
- 2023-5576
Page Builder: Pagelayer – Drag and Drop website builder
- Plugin Slug:
- pagelayer
- Installations:
- 200,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 1.7.8
- Severity Score:
- Medium
- CVE:
- 2023-5087
Page Builder: Pagelayer – Drag and Drop website builder
- Plugin Slug:
- pagelayer
- Installations:
- 200,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 1.7.7
- Severity Score:
- High
- CVE:
- 2023-4687
Royal Elementor Addons and Templates
- Plugin Slug:
- royal-elementor-addons
- Installations:
- 200,000+
- Vulnerability:
- Arbitrary File Upload
- Patched in Version:
- 1.3.79
- Severity Score:
- Critical
- CVE:
- 2023-5360
WordPress Popular Posts
- Plugin:
- WordPress Popular Posts
- Plugin Slug:
- wordpress-popular-posts
- Installations:
- 200,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 6.3.3
- Severity Score:
- Medium
- CVE:
- 2023-45607
Icegram Express – Email Marketing, Newsletters and Automation for WordPress & WooCommerce
- Plugin Slug:
- email-subscribers
- Installations:
- 100,000+
- Vulnerability:
- Path Traversal
- Patched in Version:
- 5.6.24
- Severity Score:
- High
- CVE:
- 2023-5414
Social Media Share Buttons & Social Sharing Icons
- Plugin Slug:
- ultimate-social-media-icons
- Installations:
- 100,000+
- Vulnerability:
- Cross Site Request Forgery (CSRF)
- Patched in Version:
- 2.8.6
- Severity Score:
- Medium
- CVE:
- 2023-5602
Social Media Share Buttons & Social Sharing Icons
- Plugin Slug:
- ultimate-social-media-icons
- Installations:
- 100,000+
- Vulnerability:
- Sensitive Data Exposure
- Patched in Version:
- 2.8.6
- Severity Score:
- Medium
- CVE:
- 2023-5070
Comments – wpDiscuz
- Plugin:
- Comments – wpDiscuz
- Plugin Slug:
- wpdiscuz
- Installations:
- 80,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 7.6.4
- Severity Score:
- Medium
- CVE:
- 2023-45760
WordPress Online Booking and Scheduling Plugin – Bookly
- Plugin Slug:
- bookly-responsive-appointment-booking-tool
- Installations:
- 70,000+
- Vulnerability:
- SQL Injection
- Patched in Version:
- 22.4
- Severity Score:
- High
- CVE:
- 2023-4691
Tutor LMS – eLearning and online course solution
- Plugin Slug:
- tutor
- Installations:
- 70,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 2.3.0
- Severity Score:
- Medium
- CVE:
- 2023-4805
Booking Calendar
- Plugin:
- Booking Calendar
- Plugin Slug:
- booking
- Installations:
- 60,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 9.7.3.1
- Severity Score:
- High
- CVE:
- 2023-4620
File Manager Pro – Filester
- Plugin:
- File Manager Pro – Filester
- Plugin Slug:
- filester
- Installations:
- 50,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 1.8.1
- Severity Score:
- Medium
- CVE:
- 2023-4862
File Manager Pro – Filester
- Plugin:
- File Manager Pro – Filester
- Plugin Slug:
- filester
- Installations:
- 50,000+
- Vulnerability:
- Remote Code Execution (RCE)
- Patched in Version:
- 1.8.1
- Severity Score:
- High
- CVE:
- 2023-4861
Master Addons for Elementor
- Plugin:
- Master Addons for Elementor
- Plugin Slug:
- master-addons
- Installations:
- 40,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 2.0.4
- Severity Score:
- Medium
PowerPress Podcasting plugin by Blubrry
- Plugin Slug:
- powerpress
- Installations:
- 40,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 11.0.12
- Severity Score:
- Medium
- CVE:
- 2023-4820
Contact Form builder with drag & drop for WordPress – Kali Forms
- Plugin Slug:
- kali-forms
- Installations:
- 30,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 2.3.28
- Severity Score:
- Medium
- CVE:
- 2023-46083
Appointment Hour Booking – WordPress Booking Plugin
- Plugin Slug:
- appointment-hour-booking
- Installations:
- 20,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 1.4.24
- Severity Score:
- Medium
- CVE:
- 2023-45649
Embed Calendly
- Plugin:
- Embed Calendly
- Plugin Slug:
- embed-calendly-scheduling
- Installations:
- 20,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 3.7
- Severity Score:
- Medium
- CVE:
- 2023-4995
User Submitted Posts – Enable Users to Submit Posts from the Front End
- Plugin Slug:
- user-submitted-posts
- Installations:
- 20,000+
- Vulnerability:
- Arbitrary File Upload
- Patched in Version:
- 20230914
- Severity Score:
- Critical
- CVE:
- 2023-45603
Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WPLegalPages
- Plugin Slug:
- wplegalpages
- Installations:
- 20,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 2.9.3
- Severity Score:
- Medium
- CVE:
- 2023-4968
Weaver Xtreme Theme Support
- Plugin:
- Weaver Xtreme Theme Support
- Plugin Slug:
- weaverx-theme-support
- Installations:
- 10,000+
- Vulnerability:
- PHP Object Injection
- Patched in Version:
- 6.3.1
- Severity Score:
- Medium
- CVE:
- 2023-4971
WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting
- Plugin Slug:
- erp
- Installations:
- 8,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 1.12.7
- Severity Score:
- Medium
- CVE:
- 2023-45765
WordPress Backup & Migration
- Plugin:
- WordPress Backup & Migration
- Plugin Slug:
- wp-migration-duplicator
- Installations:
- 8,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 1.4.2
- Severity Score:
- Medium
- CVE:
- 2023-45636
Responsive Tabs
- Plugin:
- Responsive Tabs
- Plugin Slug:
- responsive-tabs
- Installations:
- 7,000+
- Vulnerability:
- Content Injection
- Patched in Version:
- 4.0.6
- Severity Score:
- Medium
- CVE:
- 2023-45635
Etsy Shop
GEO my WordPress
- Plugin:
- GEO my WordPress
- Plugin Slug:
- geo-my-wp
- Installations:
- 5,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 4.0.1
- Severity Score:
- Medium
- CVE:
- 2023-5467
Active Directory Integration / LDAP Integration
- Plugin Slug:
- ldap-login-for-intranet-sites
- Installations:
- 5,000+
- Vulnerability:
- Sensitive Data Exposure
- Patched in Version:
- 4.1.10
- Severity Score:
- Medium
- CVE:
- 2023-5003
Poll Maker – Best WordPress Poll Plugin
- Plugin Slug:
- poll-maker
- Installations:
- 5,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 4.7.2
- Severity Score:
- Medium
- CVE:
- 2023-45766
Broken Link Checker | Finder
- Plugin:
- Broken Link Checker | Finder
- Plugin Slug:
- broken-link-finder
- Installations:
- 4,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 2.5.0
- Severity Score:
- Medium
- CVE:
- 2023-46082
AI ChatBot
- Plugin:
- AI ChatBot
- Plugin Slug:
- chatbot
- Installations:
- 4,000+
- Vulnerability:
- SQL Injection
- Patched in Version:
- 4.9.1
- Severity Score:
- Critical
- CVE:
- 2023-5204
AI ChatBot
- Plugin:
- AI ChatBot
- Plugin Slug:
- chatbot
- Installations:
- 4,000+
- Vulnerability:
- Arbitrary File Deletion
- Patched in Version:
- 4.9.1
- Severity Score:
- Critical
- CVE:
- 2023-5212
AI ChatBot
- Plugin:
- AI ChatBot
- Plugin Slug:
- chatbot
- Installations:
- 4,000+
- Vulnerability:
- Path Traversal
- Patched in Version:
- 4.9.1
- Severity Score:
- Critical
- CVE:
- 2023-5241
AI ChatBot
- Plugin:
- AI ChatBot
- Plugin Slug:
- chatbot
- Installations:
- 4,000+
- Vulnerability:
- Cross Site Request Forgery (CSRF)
- Patched in Version:
- 4.9.1
- Severity Score:
- Medium
- CVE:
- 2023-5534
AI ChatBot
- Plugin:
- AI ChatBot
- Plugin Slug:
- chatbot
- Installations:
- 4,000+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 4.9.1
- Severity Score:
- Medium
- CVE:
- 2023-5533
AI ChatBot
- Plugin:
- AI ChatBot
- Plugin Slug:
- chatbot
- Installations:
- 4,000+
- Vulnerability:
- Sensitive Data Exposure
- Patched in Version:
- 4.9.1
- Severity Score:
- Medium
- CVE:
- 2023-5254
EventON
WP Matterport Shortcode
- Plugin:
- WP Matterport Shortcode
- Plugin Slug:
- shortcode-gallery-for-matterport-showcase
- Installations:
- 4,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 2.1.7
- Severity Score:
- High
- CVE:
- 2023-4290
WP Matterport Shortcode
- Plugin:
- WP Matterport Shortcode
- Plugin Slug:
- shortcode-gallery-for-matterport-showcase
- Installations:
- 4,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 2.1.8
- Severity Score:
- Medium
- CVE:
- 2023-4289
Smart Cookie Kit
- Plugin:
- Smart Cookie Kit
- Plugin Slug:
- smart-cookie-kit
- Installations:
- 4,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 2.3.2
- Severity Score:
- Medium
- CVE:
- 2023-45608
DoLogin Security
- Plugin:
- DoLogin Security
- Plugin Slug:
- dologin
- Installations:
- 3,000+
- Vulnerability:
- Sensitive Data Exposure
- Patched in Version:
- 3.7.1
- Severity Score:
- Medium
- CVE:
- 2023-4800
Amministrazione Trasparente
- Plugin:
- Amministrazione Trasparente
- Plugin Slug:
- amministrazione-trasparente
- Installations:
- 2,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 8.0.5
- Severity Score:
- Medium
- CVE:
- 2023-45758
EventPrime – Events Calendar, Bookings and Tickets
- Plugin Slug:
- eventprime-event-calendar-management
- Installations:
- 2,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 3.1.6
- Severity Score:
- High
- CVE:
- 2023-45637
Get Custom Field Values
- Plugin:
- Get Custom Field Values
- Plugin Slug:
- get-custom-field-values
- Installations:
- 2,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 4.1
- Severity Score:
- Medium
- CVE:
- 2023-45604
Shared Files – Advanced File Sharing & Download Manager with Frontend Uploads
- Plugin Slug:
- shared-files
- Installations:
- 2,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 1.7.6
- Severity Score:
- High
- CVE:
- 2023-4819
WP Open Street Map
- Plugin:
- WP Open Street Map
- Plugin Slug:
- wp-open-street-map
- Installations:
- 2,000+
- Vulnerability:
- Cross Site Request Forgery (CSRF)
- Patched in Version:
- 1.30
- Severity Score:
- Medium
- CVE:
- 2023-45645
School Management System – WPSchoolPress
- Plugin Slug:
- wpschoolpress
- Installations:
- 2,000+
- Vulnerability:
- SQL Injection
- Patched in Version:
- 2.2.5
- Severity Score:
- High
- CVE:
- 2023-4776
Ajax Archive Calendar
- Plugin:
- Ajax Archive Calendar
- Plugin Slug:
- ajax-archive-calendar
- Installations:
- 1,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 2.6.8
- Severity Score:
- Medium
- CVE:
- 2023-46069
Eupago Gateway For Woocommerce
- Plugin Slug:
- eupago-gateway-for-woocommerce
- Installations:
- 1,000+
- Vulnerability:
- Cross Site Request Forgery (CSRF)
- Patched in Version:
- 3.1.10
- Severity Score:
- Medium
- CVE:
- 2023-45638
Sort SearchResult By Title
- Plugin:
- Sort SearchResult By Title
- Plugin Slug:
- sort-searchresult-by-title
- Installations:
- 1,000+
- Vulnerability:
- Cross Site Request Forgery (CSRF)
- Patched in Version:
- 11.0
- Severity Score:
- Medium
- CVE:
- 2023-45639
WP GoToWebinar
- Plugin:
- WP GoToWebinar
- Plugin Slug:
- wp-gotowebinar
- Installations:
- 1,000+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 14.46
- Severity Score:
- Medium
- CVE:
- 2023-45832
Thumbnail Slider With Lightbox
- Plugin Slug:
- wp-responsive-slider-with-lightbox
- Installations:
- 1,000+
- Vulnerability:
- Cross Site Request Forgery (CSRF)
- Patched in Version:
- 1.0.1
- Severity Score:
- Medium
- CVE:
- 2023-5531
Nexter Extension
- Plugin:
- Nexter Extension
- Plugin Slug:
- nexter-extension
- Installations:
- 900+
- Vulnerability:
- Remote Code Execution (RCE)
- Patched in Version:
- 2.0.4
- Severity Score:
- Critical
- CVE:
- 2023-45751
Nexter Extension
- Plugin:
- Nexter Extension
- Plugin Slug:
- nexter-extension
- Installations:
- 900+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 2.0.4
- Severity Score:
- High
- CVE:
- 2023-45750
Fattura24
Campaign Monitor Forms by Optin Cat
- Plugin Slug:
- campaign-monitor-wp
- Installations:
- 400+
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 2.5.6
- Severity Score:
- High
- CVE:
- 2023-5098
Peter’s Custom Anti-Spam
- Plugin:
- Peter’s Custom Anti-Spam
- Plugin Slug:
- peters-custom-anti-spam-image
- Installations:
- 400+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 3.2.3
- Severity Score:
- High
- CVE:
- 2023-45759
Maileon for WordPress
- Plugin:
- Maileon for WordPress
- Plugin Slug:
- xqueue-maileon
- Installations:
- 100+
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 2.16.1
- Severity Score:
- Medium
- CVE:
- 2023-46068
File Uploader
- Plugin:
- File Uploader
- Plugin Slug:
- wp-file-uploader
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 4.23.3
- Severity Score:
- Medium
- CVE:
- 2023-4811
WooCommerce Ninja Forms Product Add-ons
- Plugin:
- WooCommerce Ninja Forms Product Add-ons
- Plugin Slug:
- woocommerce-ninjaforms-product-addons
- Vulnerability:
- Arbitrary File Upload
- Patched in Version:
- 1.7.1
- Severity Score:
- Critical
- CVE:
- 2023-5601
PixFields
- Plugin:
- PixFields
- Plugin Slug:
- pixfields
- Vulnerability:
- Cross Site Request Forgery (CSRF)
- Patched in Version:
- 0.7.1
- Severity Score:
- Medium
- CVE:
- 2023-45655
cits-support-svg-webp-media-upload
- Plugin:
- cits-support-svg-webp-media-upload
- Plugin Slug:
- cits-support-svg-webp-media-upload
- Vulnerability:
- Cross Site Scripting (XSS)
- Patched in Version:
- 3.0
- Severity Score:
- Medium
- CVE:
- 2023-5458
WordPress Theme Vulnerabilities
Nexter
- Theme:
- Nexter
- Theme Slug:
- nexter
- Downloads:
- 11,281
- Vulnerability:
- Broken Access Control
- Patched in Version:
- 2.0.4
- Severity Score:
- High
- CVE:
- 2023-45658
Nexter
- Theme:
- Nexter
- Theme Slug:
- nexter
- Downloads:
- 11,281
- Vulnerability:
- SQL Injection
- Patched in Version:
- 2.0.4
- Severity Score:
- High
- CVE:
- 2023-45657
Notes
- This report comes out on Wednesdays and covers the last seven days of public disclosures in the Patchstack vulnerability database from the beginning of the previous week to the beginning of the current week — from last Monday to this Monday. This excludes any vulnerabilities added to the database in the last 48 hours. However, that up-to-the-minute vulnerability data powers Solid Security Pro for our customers who have purchased Solid Suite. Solid Security Pro automatically protects WordPress sites from active exploits aimed at unpatched vulnerabilities.
Solid Security is part of Solid Suite — The best foundation for WordPress websites.
Every WordPress site needs security, backups, and management tools. That’s Solid Suite — an integrated bundle of three plugins: Solid Security, Solid Backups, and Solid Central. You also get access to Solid Academy’s learning resources for WordPress professionals. Build your next WordPress website on a solid foundation with Solid Suite!