WordPress Vulnerability Report — October 18, 2023

Since last week, 151 new vulnerabilities emerged in the WordPress ecosystem, including 7 in WordPress core, 2 in themes, and 142 in plugins. More than half of the vulnerable plugins remain unpatched, but Solid Security Pro users are protected by virtual patching from Patchstack.

Dan Knauss

Updated:Oct 25, 2023

Published:Oct 18, 2023

Filed Under:WordPress Security

Reading Time:1 min.

Since our last report, 151 new vulnerabilities have been publicly disclosed¹, including 7 in WordPress core patched in the WordPress 6.3.2 update. Security patches for 66 plugins and 2 themes are available now, so run those updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Additionally, there are 76 plugin vulnerabilities with no patch available yet. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall with virtual patches from Patchstack. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

1. WordPress Plugin Vulnerabilities — 66 Patched / 76 Unpatched

1.1 Widgets for Google Reviews
1.2 WP ULike – Most Advanced WordPress Marketing Toolkit
1.3 WP Lightbox 2
1.4 MailChimp Forms by MailMunch
1.5 Print, PDF, Email by PrintFriendly
1.6 Lazy Load for Videos
1.7 Wp Ultimate Review
1.8 HTML5 Maps
1.9 Proofreading
1.10 Protección de Datos RGPD
1.11 Comments Ratings
1.12 Simple URLs – Link Cloaking, Product Displays, and Affiliate Link Management
1.13 ApplyOnline – Application Form Builder and Manager
1.14 ApplyOnline – Application Form Builder and Manager
1.15 Constant Contact Forms by MailMunch
1.16 Simple File List
1.17 WP Attachments
1.18 Ashe Extra
1.19 BuddyPress Global Search
1.20 Custom post types, Custom Fields & more
1.21 DX Delete Attached Media
1.22 Minimum Purchase for WooCommerce
1.23 Rocket Font
1.24 which template file
1.25 Contact Form Builder, Contact Widget
1.26 PDF Block
1.27 SpiderVPlayer
1.28 WooCommerce PDF Invoice Builder, Create invoices, packing slips and more
1.29 FreshMail For WordPress
1.30 Libsyn Publisher Hub
1.31 Libsyn Publisher Hub
1.32 Responsive Column Widgets
1.33 Post Gallery
1.34 Tweeple
1.35 AMP WP – Google AMP For WordPress
1.36 Contact Form Generator : Creative form builder for WordPress
1.37 Contact Form With Captcha
1.38 Copy or Move Comments
1.39 Easy Testimonial Slider and Form
1.40 Ebook Store
1.41 EG-Attachments
1.42 Fast WP Speed
1.43 Gallery – Image and Video Gallery with Thumbnails
1.44 Gallery – Image and Video Gallery with Thumbnails
1.45 Gallery – Image and Video Gallery with Thumbnails
1.46 Icons Font Loader
1.47 Lava Directory Manager
1.48 LeadSquared Suite
1.49 Sendle Shipping Plugin
1.50 Remote Content Shortcode
1.51 RumbleTalk Live Group Chat – HTML5
1.52 Taggbox – UGC Galleries, Social Media Widgets, User Reviews & Analytics
1.53 Video Playlist For YouTube
1.54 WC Serial Numbers – Ultimate License Manager Plugin for Selling, Licensing & Securely Delivering Digital Products with WooCommerce
1.55 Next Page
1.56 Scroll post excerpt
1.57 Simple Tweet
1.58 The Awesome Feed – Custom Feed
1.59 QR Twitter Widget
1.60 Ultimate Taxonomy Manager
1.61 Ultimate Taxonomy Manager
1.62 Snap Pixel
1.63 Caret Country Access Limit
1.64 Newsletter & Bulk Email Sender – Email Newsletter Plugin for WordPress
1.65 CPT Shortcode Generator
1.66 CPT Shortcode Generator
1.67 WP Report Post
1.68 IMPress Listings
1.69 Feed Statistics
1.70 Who Hit The Page – Hit Counter
1.71 Slick Contact Forms
1.72 Accessibility Suite by Online ADA
1.73 Mediabay
1.74 Magee Shortcodes
1.75 AGP Font Awesome Collection
1.76 Add Shortcodes Actions And Filters
1.77 WordPress Gallery Plugin – NextGEN Gallery
1.78 WordPress Gallery Plugin – NextGEN Gallery
1.79 WordPress Gallery Plugin – NextGEN Gallery
1.80 Gutenberg
1.81 Migration, Backup, Staging – WPvivid
1.82 Page Builder: Pagelayer – Drag and Drop website builder
1.83 Page Builder: Pagelayer – Drag and Drop website builder
1.84 Royal Elementor Addons and Templates
1.85 WordPress Popular Posts
1.86 Icegram Express – Email Marketing, Newsletters and Automation for WordPress & WooCommerce
1.87 Social Media Share Buttons & Social Sharing Icons
1.88 Social Media Share Buttons & Social Sharing Icons
1.89 Comments – wpDiscuz
1.90 WordPress Online Booking and Scheduling Plugin – Bookly
1.91 Tutor LMS – eLearning and online course solution
1.92 Booking Calendar
1.93 File Manager Pro – Filester
1.94 File Manager Pro – Filester
1.95 Master Addons for Elementor
1.96 PowerPress Podcasting plugin by Blubrry
1.97 Contact Form builder with drag & drop for WordPress – Kali Forms
1.98 Appointment Hour Booking – WordPress Booking Plugin
1.99 Embed Calendly
1.100 User Submitted Posts – Enable Users to Submit Posts from the Front End
1.101 Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WPLegalPages
1.102 Weaver Xtreme Theme Support
1.103 WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting
1.104 WordPress Backup & Migration
1.105 Responsive Tabs
1.106 Etsy Shop
1.107 GEO my WordPress
1.108 Active Directory Integration / LDAP Integration
1.109 Poll Maker – Best WordPress Poll Plugin
1.110 Broken Link Checker | Finder
1.111 AI ChatBot
1.112 AI ChatBot
1.113 AI ChatBot
1.114 AI ChatBot
1.115 AI ChatBot
1.116 AI ChatBot
1.117 EventON
1.118 WP Matterport Shortcode
1.119 WP Matterport Shortcode
1.120 Smart Cookie Kit
1.121 DoLogin Security
1.122 Amministrazione Trasparente
1.123 EventPrime – Events Calendar, Bookings and Tickets
1.124 Get Custom Field Values
1.125 Shared Files – Advanced File Sharing & Download Manager with Frontend Uploads
1.126 WP Open Street Map
1.127 School Management System – WPSchoolPress
1.128 Ajax Archive Calendar
1.129 Eupago Gateway For Woocommerce
1.130 Sort SearchResult By Title
1.131 WP GoToWebinar
1.132 Thumbnail Slider With Lightbox
1.133 Nexter Extension
1.134 Nexter Extension
1.135 Fattura24
1.136 Campaign Monitor Forms by Optin Cat
1.137 Peter’s Custom Anti-Spam
1.138 Maileon for WordPress
1.139 File Uploader
1.140 WooCommerce Ninja Forms Product Add-ons
1.141 PixFields
1.142 cits-support-svg-webp-media-upload

2. WordPress Theme Vulnerabilities

2.1 Nexter
2.2 Nexter

3. Notes

Vulnerability:: Other Vulnerability Type
Patched in Version:: 6.3.2
Severity Score:: Medium

Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.3.2
Severity Score:: Medium

Vulnerability:: Sensitive Data Exposure
Patched in Version:: 6.3.2
Severity Score:: Medium

Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.3.2
Severity Score:: Medium

Vulnerability:: Broken Access Control
Patched in Version:: 6.3.2
Severity Score:: Medium
CVE:: 2023-39999

Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.3.2
Severity Score:: Medium
CVE:: 2023-38000

Vulnerability:: Denial of Service Attack
Patched in Version:: 6.3.2
Severity Score:: Medium

WordPress Plugin Vulnerabilities — 66 Patched / 76 Unpatched

Along with poor user account security, vulnerable plugins and themes are why WordPress websites get hacked. Our weekly WordPress Vulnerability Report powered by Patchstack covers the latest WordPress plugin, theme, and core vulnerabilities to emerge. Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure of vulnerabilities is essential to keeping the WordPress community safe. Please share this report to help spread the word and make WordPress — and 40% of the web — more secure.

Plugin:: Widgets for Google Reviews
Plugin Slug:: wp-reviews-plugin-for-google
Installations:: 300,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-3254

Plugin:: WP ULike – Most Advanced WordPress Marketing Toolkit
Plugin Slug:: wp-ulike
Installations:: 80,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-45640

Plugin:: WP Lightbox 2
Plugin Slug:: wp-lightbox-2
Installations:: 40,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-45747

Plugin:: MailChimp Forms by MailMunch
Plugin Slug:: mailchimp-forms-by-mailmunch
Installations:: 30,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-45748

Plugin:: Print, PDF, Email by PrintFriendly
Plugin Slug:: printfriendly
Installations:: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-25032

Plugin:: Lazy Load for Videos
Plugin Slug:: lazy-load-for-videos
Installations:: 10,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-45656

Plugin:: Wp Ultimate Review
Plugin Slug:: wp-ultimate-review
Installations:: 10,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-46085

Plugin:: HTML5 Maps
Plugin Slug:: html5-maps
Installations:: 7,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-45650

Plugin:: Proofreading
Plugin Slug:: proofreading
Installations:: 7,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-45772

Plugin:: Protección de Datos RGPD
Plugin Slug:: click-datos-lopd
Installations:: 6,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-46071

Plugin:: Comments Ratings
Plugin Slug:: comments-ratings
Installations:: 6,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-45654

Plugin:: Simple URLs – Link Cloaking, Product Displays, and Affiliate Link Management
Plugin Slug:: simple-urls
Installations:: 6,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-45606

Plugin:: ApplyOnline – Application Form Builder and Manager
Plugin Slug:: apply-online
Installations:: 5,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-46080

Plugin:: ApplyOnline – Application Form Builder and Manager
Plugin Slug:: apply-online
Installations:: 5,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-45756

Plugin:: Constant Contact Forms by MailMunch
Plugin Slug:: constant-contact-forms-by-mailmunch
Installations:: 5,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-45647

Plugin:: Simple File List
Plugin Slug:: simple-file-list
Installations:: 5,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-39924

Plugin:: WP Attachments
Plugin Slug:: wp-attachments
Installations:: 5,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-45651

Plugin:: Ashe Extra
Plugin Slug:: ashe-extra
Installations:: 4,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-46079

Plugin:: BuddyPress Global Search
Plugin Slug:: buddypress-global-search
Installations:: 4,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-45755

Plugin:: Custom post types, Custom Fields & more
Plugin Slug:: custom-post-types
Installations:: 4,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-32116

Plugin:: DX Delete Attached Media
Plugin Slug:: dx-delete-attached-media
Installations:: 4,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-46073

Plugin:: Minimum Purchase for WooCommerce
Plugin Slug:: minimum-purchase-for-woocommerce
Installations:: 4,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-30492

Plugin:: Rocket Font
Plugin Slug:: rocket-font
Installations:: 4,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-46067

Plugin:: which template file
Plugin Slug:: which-template-file
Installations:: 4,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-45753

Plugin:: Contact Form Builder, Contact Widget
Plugin Slug:: contact-forms-builder
Installations:: 3,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-46075

Plugin:: PDF Block
Plugin Slug:: pdf-block
Installations:: 3,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-45646

Plugin:: SpiderVPlayer
Plugin Slug:: player
Installations:: 3,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-45632

Plugin:: WooCommerce PDF Invoice Builder, Create invoices, packing slips and more
Plugin Slug:: woo-pdf-invoice-builder
Installations:: 3,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-46076

Plugin:: FreshMail For WordPress
Plugin Slug:: freshmail-integration
Installations:: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-46074

Plugin:: Libsyn Publisher Hub
Plugin Slug:: libsyn-podcasting
Installations:: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-45835

Plugin:: Libsyn Publisher Hub
Plugin Slug:: libsyn-podcasting
Installations:: 2,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-45834

Plugin:: Responsive Column Widgets
Plugin Slug:: responsive-column-widgets
Installations:: 2,000+
Vulnerability:: Open Redirection
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-45762

Plugin:: Post Gallery
Plugin Slug:: simple-post-gallery
Installations:: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-45752

Plugin:: Tweeple
Plugin Slug:: tweeple
Installations:: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-30781

Plugin:: AMP WP – Google AMP For WordPress
Plugin Slug:: amp-wp
Installations:: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-45831

Plugin:: Contact Form Generator : Creative form builder for WordPress
Plugin Slug:: contact-form-generator
Installations:: 1,000+
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-35911

Plugin:: Contact Form With Captcha
Plugin Slug:: contact-form-with-captcha
Installations:: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-45771

Plugin:: Copy or Move Comments
Plugin Slug:: copy-or-move-comments
Installations:: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-45634

Plugin:: Easy Testimonial Slider and Form
Plugin Slug:: easy-testimonial-rotator
Installations:: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-45754

Plugin:: Ebook Store
Plugin Slug:: ebook-store
Installations:: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-45602

Plugin:: EG-Attachments
Plugin Slug:: eg-attachments
Installations:: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-46070

Plugin:: Fast WP Speed
Plugin Slug:: fast-wp-speed
Installations:: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-45770

Plugin:: Gallery – Image and Video Gallery with Thumbnails
Plugin Slug:: gallery-album
Installations:: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-45631

Plugin:: Gallery – Image and Video Gallery with Thumbnails
Plugin Slug:: gallery-album
Installations:: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-45630

Plugin:: Gallery – Image and Video Gallery with Thumbnails
Plugin Slug:: gallery-album
Installations:: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-45629

Plugin:: Icons Font Loader
Plugin Slug:: icons-font-loader
Installations:: 1,000+
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-46084

Plugin:: Lava Directory Manager
Plugin Slug:: lava-directory-manager
Installations:: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-46081

Plugin:: LeadSquared Suite
Plugin Slug:: leadsquared-suite
Installations:: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-45833

Plugin:: Sendle Shipping Plugin
Plugin Slug:: official-sendle-shipping-method
Installations:: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-45761

Plugin:: Remote Content Shortcode
Plugin Slug:: remote-content-shortcode
Installations:: 1,000+
Vulnerability:: Local File Inclusion
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-45652

Plugin:: RumbleTalk Live Group Chat – HTML5
Plugin Slug:: rumbletalk-chat-a-chat-with-themes
Installations:: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-45828

Plugin:: Taggbox – UGC Galleries, Social Media Widgets, User Reviews & Analytics
Plugin Slug:: taggbox-widget
Installations:: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-33214

Plugin:: Video Playlist For YouTube
Plugin Slug:: video-playlist-for-youtube
Installations:: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-45653

Plugin:: WC Serial Numbers – Ultimate License Manager Plugin for Selling, Licensing & Securely Delivering Digital Products with WooCommerce
Plugin Slug:: wc-serial-numbers
Installations:: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-46078

Plugin:: Next Page
Plugin Slug:: next-page
Installations:: 900+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-45768

Plugin:: Scroll post excerpt
Plugin Slug:: scroll-post-excerpt
Installations:: 900+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-45764

Plugin:: Simple Tweet
Plugin Slug:: simple-tweet
Installations:: 900+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-45767

Plugin:: The Awesome Feed – Custom Feed
Plugin Slug:: wp-facebook-feed
Installations:: 900+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-46077

Plugin:: QR Twitter Widget
Plugin Slug:: qr-twitter-widget
Installations:: 800+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-45628

Plugin:: Ultimate Taxonomy Manager
Plugin Slug:: ultimate-taxonomy-manager
Installations:: 800+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-45837

Plugin:: Ultimate Taxonomy Manager
Plugin Slug:: ultimate-taxonomy-manager
Installations:: 800+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-45836

Plugin:: Snap Pixel
Plugin Slug:: snap-pixel
Installations:: 700+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-45642

Plugin:: Caret Country Access Limit
Plugin Slug:: caret-country-access-limit
Installations:: 40+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-45641

Plugin:: Newsletter & Bulk Email Sender – Email Newsletter Plugin for WordPress
Plugin Slug:: newsletter-bulk-email
Installations:: 40+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-45829

Plugin:: CPT Shortcode Generator
Plugin Slug:: cpt-shortcode
Installations:: 10+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-45644

Plugin:: CPT Shortcode Generator
Plugin Slug:: cpt-shortcode
Installations:: 10+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-45643

Plugin:: WP Report Post
Plugin Slug:: wp-report-post
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-45769

Plugin:: IMPress Listings
Plugin Slug:: wp-listings
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-45633

Plugin:: Feed Statistics
Plugin Slug:: wordpress-feed-statistics
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-45605

Plugin:: Who Hit The Page – Hit Counter
Plugin Slug:: who-hit-the-page-hit-counter
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-46087

Plugin:: Slick Contact Forms
Plugin Slug:: slick-contact-forms
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-5468

Plugin:: Accessibility Suite by Online ADA
Plugin Slug:: online-accessibility
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-45830

Plugin:: Mediabay
Plugin Slug:: mediabay-lite
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-46066

Plugin:: Magee Shortcodes
Plugin Slug:: magee-shortcodes
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-4783

Plugin:: AGP Font Awesome Collection
Plugin Slug:: agp-font-awesome-collection
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-45749

Plugin:: Add Shortcodes Actions And Filters
Plugin Slug:: add-actions-and-filters
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-46072

Plugin:: WordPress Gallery Plugin – NextGEN Gallery
Plugin Slug:: nextgen-gallery
Installations:: 500,000+
Vulnerability:: Local File Inclusion
Patched in Version:: 3.39
Severity Score:: Medium
CVE:: 2023-3279

Plugin:: WordPress Gallery Plugin – NextGEN Gallery
Plugin Slug:: nextgen-gallery
Installations:: 500,000+
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 3.39
Severity Score:: Medium
CVE:: 2023-3155

Plugin:: WordPress Gallery Plugin – NextGEN Gallery
Plugin Slug:: nextgen-gallery
Installations:: 500,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 3.39
Severity Score:: Medium
CVE:: 2023-3154

Plugin:: Gutenberg
Plugin Slug:: gutenberg
Installations:: 300,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 16.8.1
Severity Score:: Medium
CVE:: 2023-38000

Plugin:: Migration, Backup, Staging – WPvivid
Plugin Slug:: wpvivid-backuprestore
Installations:: 300,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 0.9.92
Severity Score:: High
CVE:: 2023-5576

Plugin:: Page Builder: Pagelayer – Drag and Drop website builder
Plugin Slug:: pagelayer
Installations:: 200,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.7.8
Severity Score:: Medium
CVE:: 2023-5087

Plugin:: Page Builder: Pagelayer – Drag and Drop website builder
Plugin Slug:: pagelayer
Installations:: 200,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.7.7
Severity Score:: High
CVE:: 2023-4687

Plugin:: Royal Elementor Addons and Templates
Plugin Slug:: royal-elementor-addons
Installations:: 200,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 1.3.79
Severity Score:: Critical
CVE:: 2023-5360

Plugin:: WordPress Popular Posts
Plugin Slug:: wordpress-popular-posts
Installations:: 200,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.3.3
Severity Score:: Medium
CVE:: 2023-45607

Plugin:: Icegram Express – Email Marketing, Newsletters and Automation for WordPress & WooCommerce
Plugin Slug:: email-subscribers
Installations:: 100,000+
Vulnerability:: Path Traversal
Patched in Version:: 5.6.24
Severity Score:: High
CVE:: 2023-5414

Plugin:: Social Media Share Buttons & Social Sharing Icons
Plugin Slug:: ultimate-social-media-icons
Installations:: 100,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.8.6
Severity Score:: Medium
CVE:: 2023-5602

Plugin:: Social Media Share Buttons & Social Sharing Icons
Plugin Slug:: ultimate-social-media-icons
Installations:: 100,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 2.8.6
Severity Score:: Medium
CVE:: 2023-5070

Plugin:: Comments – wpDiscuz
Plugin Slug:: wpdiscuz
Installations:: 80,000+
Vulnerability:: Broken Access Control
Patched in Version:: 7.6.4
Severity Score:: Medium
CVE:: 2023-45760

Plugin:: WordPress Online Booking and Scheduling Plugin – Bookly
Plugin Slug:: bookly-responsive-appointment-booking-tool
Installations:: 70,000+
Vulnerability:: SQL Injection
Patched in Version:: 22.4
Severity Score:: High
CVE:: 2023-4691

Plugin:: Tutor LMS – eLearning and online course solution
Plugin Slug:: tutor
Installations:: 70,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.3.0
Severity Score:: Medium
CVE:: 2023-4805

Plugin:: Booking Calendar
Plugin Slug:: booking
Installations:: 60,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 9.7.3.1
Severity Score:: High
CVE:: 2023-4620

Plugin:: File Manager Pro – Filester
Plugin Slug:: filester
Installations:: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.8.1
Severity Score:: Medium
CVE:: 2023-4862

Plugin:: File Manager Pro – Filester
Plugin Slug:: filester
Installations:: 50,000+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 1.8.1
Severity Score:: High
CVE:: 2023-4861

Plugin:: Master Addons for Elementor
Plugin Slug:: master-addons
Installations:: 40,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.4
Severity Score:: Medium

Plugin:: PowerPress Podcasting plugin by Blubrry
Plugin Slug:: powerpress
Installations:: 40,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 11.0.12
Severity Score:: Medium
CVE:: 2023-4820

Plugin:: Contact Form builder with drag & drop for WordPress – Kali Forms
Plugin Slug:: kali-forms
Installations:: 30,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.3.28
Severity Score:: Medium
CVE:: 2023-46083

Plugin:: Appointment Hour Booking – WordPress Booking Plugin
Plugin Slug:: appointment-hour-booking
Installations:: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.4.24
Severity Score:: Medium
CVE:: 2023-45649

Plugin:: Embed Calendly
Plugin Slug:: embed-calendly-scheduling
Installations:: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.7
Severity Score:: Medium
CVE:: 2023-4995

Plugin:: User Submitted Posts – Enable Users to Submit Posts from the Front End
Plugin Slug:: user-submitted-posts
Installations:: 20,000+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 20230914
Severity Score:: Critical
CVE:: 2023-45603

Plugin:: Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WPLegalPages
Plugin Slug:: wplegalpages
Installations:: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.9.3
Severity Score:: Medium
CVE:: 2023-4968

Plugin:: Weaver Xtreme Theme Support
Plugin Slug:: weaverx-theme-support
Installations:: 10,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 6.3.1
Severity Score:: Medium
CVE:: 2023-4971

Plugin:: WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting
Plugin Slug:: erp
Installations:: 8,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.12.7
Severity Score:: Medium
CVE:: 2023-45765

Plugin:: WordPress Backup & Migration
Plugin Slug:: wp-migration-duplicator
Installations:: 8,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.4.2
Severity Score:: Medium
CVE:: 2023-45636

Plugin:: Responsive Tabs
Plugin Slug:: responsive-tabs
Installations:: 7,000+
Vulnerability:: Content Injection
Patched in Version:: 4.0.6
Severity Score:: Medium
CVE:: 2023-45635

Plugin:: Etsy Shop
Plugin Slug:: etsy-shop
Installations:: 6,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.0.5
Severity Score:: Medium
CVE:: 2023-5470

Plugin:: GEO my WordPress
Plugin Slug:: geo-my-wp
Installations:: 5,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.0.1
Severity Score:: Medium
CVE:: 2023-5467

Plugin:: Active Directory Integration / LDAP Integration
Plugin Slug:: ldap-login-for-intranet-sites
Installations:: 5,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 4.1.10
Severity Score:: Medium
CVE:: 2023-5003

Plugin:: Poll Maker – Best WordPress Poll Plugin
Plugin Slug:: poll-maker
Installations:: 5,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.7.2
Severity Score:: Medium
CVE:: 2023-45766

Plugin:: Broken Link Checker | Finder
Plugin Slug:: broken-link-finder
Installations:: 4,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.5.0
Severity Score:: Medium
CVE:: 2023-46082

Plugin:: AI ChatBot
Plugin Slug:: chatbot
Installations:: 4,000+
Vulnerability:: SQL Injection
Patched in Version:: 4.9.1
Severity Score:: Critical
CVE:: 2023-5204

Plugin:: AI ChatBot
Plugin Slug:: chatbot
Installations:: 4,000+
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 4.9.1
Severity Score:: Critical
CVE:: 2023-5212

Plugin:: AI ChatBot
Plugin Slug:: chatbot
Installations:: 4,000+
Vulnerability:: Path Traversal
Patched in Version:: 4.9.1
Severity Score:: Critical
CVE:: 2023-5241

Plugin:: AI ChatBot
Plugin Slug:: chatbot
Installations:: 4,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 4.9.1
Severity Score:: Medium
CVE:: 2023-5534

Plugin:: AI ChatBot
Plugin Slug:: chatbot
Installations:: 4,000+
Vulnerability:: Broken Access Control
Patched in Version:: 4.9.1
Severity Score:: Medium
CVE:: 2023-5533

Plugin:: AI ChatBot
Plugin Slug:: chatbot
Installations:: 4,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 4.9.1
Severity Score:: Medium
CVE:: 2023-5254

Plugin:: EventON
Plugin Slug:: eventon-lite
Installations:: 4,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.2
Severity Score:: Medium
CVE:: 2023-4388

Plugin:: WP Matterport Shortcode
Plugin Slug:: shortcode-gallery-for-matterport-showcase
Installations:: 4,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.1.7
Severity Score:: High
CVE:: 2023-4290

Plugin:: WP Matterport Shortcode
Plugin Slug:: shortcode-gallery-for-matterport-showcase
Installations:: 4,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.1.8
Severity Score:: Medium
CVE:: 2023-4289

Plugin:: Smart Cookie Kit
Plugin Slug:: smart-cookie-kit
Installations:: 4,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.3.2
Severity Score:: Medium
CVE:: 2023-45608

Plugin:: DoLogin Security
Plugin Slug:: dologin
Installations:: 3,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 3.7.1
Severity Score:: Medium
CVE:: 2023-4800

Plugin:: Amministrazione Trasparente
Plugin Slug:: amministrazione-trasparente
Installations:: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 8.0.5
Severity Score:: Medium
CVE:: 2023-45758

Plugin:: EventPrime – Events Calendar, Bookings and Tickets
Plugin Slug:: eventprime-event-calendar-management
Installations:: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.1.6
Severity Score:: High
CVE:: 2023-45637

Plugin:: Get Custom Field Values
Plugin Slug:: get-custom-field-values
Installations:: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.1
Severity Score:: Medium
CVE:: 2023-45604

Plugin:: Shared Files – Advanced File Sharing & Download Manager with Frontend Uploads
Plugin Slug:: shared-files
Installations:: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.7.6
Severity Score:: High
CVE:: 2023-4819

Plugin:: WP Open Street Map
Plugin Slug:: wp-open-street-map
Installations:: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.30
Severity Score:: Medium
CVE:: 2023-45645

Plugin:: School Management System – WPSchoolPress
Plugin Slug:: wpschoolpress
Installations:: 2,000+
Vulnerability:: SQL Injection
Patched in Version:: 2.2.5
Severity Score:: High
CVE:: 2023-4776

Plugin:: Ajax Archive Calendar
Plugin Slug:: ajax-archive-calendar
Installations:: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.6.8
Severity Score:: Medium
CVE:: 2023-46069

Plugin:: Eupago Gateway For Woocommerce
Plugin Slug:: eupago-gateway-for-woocommerce
Installations:: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 3.1.10
Severity Score:: Medium
CVE:: 2023-45638

Plugin:: Sort SearchResult By Title
Plugin Slug:: sort-searchresult-by-title
Installations:: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 11.0
Severity Score:: Medium
CVE:: 2023-45639

Plugin:: WP GoToWebinar
Plugin Slug:: wp-gotowebinar
Installations:: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 14.46
Severity Score:: Medium
CVE:: 2023-45832

Plugin:: Thumbnail Slider With Lightbox
Plugin Slug:: wp-responsive-slider-with-lightbox
Installations:: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.0.1
Severity Score:: Medium
CVE:: 2023-5531

Plugin:: Nexter Extension
Plugin Slug:: nexter-extension
Installations:: 900+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 2.0.4
Severity Score:: Critical
CVE:: 2023-45751

Plugin:: Nexter Extension
Plugin Slug:: nexter-extension
Installations:: 900+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.4
Severity Score:: High
CVE:: 2023-45750

Plugin:: Fattura24
Plugin Slug:: fattura24
Installations:: 500+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.2.8
Severity Score:: High
CVE:: 2023-5211

Plugin:: Campaign Monitor Forms by Optin Cat
Plugin Slug:: campaign-monitor-wp
Installations:: 400+
Vulnerability:: Broken Access Control
Patched in Version:: 2.5.6
Severity Score:: High
CVE:: 2023-5098

Plugin:: Peter’s Custom Anti-Spam
Plugin Slug:: peters-custom-anti-spam-image
Installations:: 400+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.2.3
Severity Score:: High
CVE:: 2023-45759

Plugin:: Maileon for WordPress
Plugin Slug:: xqueue-maileon
Installations:: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.16.1
Severity Score:: Medium
CVE:: 2023-46068

Plugin:: File Uploader
Plugin Slug:: wp-file-uploader
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.23.3
Severity Score:: Medium
CVE:: 2023-4811

Plugin:: WooCommerce Ninja Forms Product Add-ons
Plugin Slug:: woocommerce-ninjaforms-product-addons
Vulnerability:: Arbitrary File Upload
Patched in Version:: 1.7.1
Severity Score:: Critical
CVE:: 2023-5601

Plugin:: PixFields
Plugin Slug:: pixfields
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 0.7.1
Severity Score:: Medium
CVE:: 2023-45655

Plugin:: cits-support-svg-webp-media-upload
Plugin Slug:: cits-support-svg-webp-media-upload
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.0
Severity Score:: Medium
CVE:: 2023-5458

WordPress Theme Vulnerabilities

Theme:: Nexter
Theme Slug:: nexter
Downloads:: 11,281
Vulnerability:: Broken Access Control
Patched in Version:: 2.0.4
Severity Score:: High
CVE:: 2023-45658

Theme:: Nexter
Theme Slug:: nexter
Downloads:: 11,281
Vulnerability:: SQL Injection
Patched in Version:: 2.0.4
Severity Score:: High
CVE:: 2023-45657

Notes

This report comes out on Wednesdays and covers the last seven days of public disclosures in the Patchstack vulnerability database from the beginning of the previous week to the beginning of the current week — from last Monday to this Monday. This excludes any vulnerabilities added to the database in the last 48 hours. However, that up-to-the-minute vulnerability data powers Solid Security Pro for our customers who have purchased Solid Suite. Solid Security Pro automatically protects WordPress sites from active exploits aimed at unpatched vulnerabilities. ↩︎

Solid Security is part of Solid Suite — The best foundation for WordPress websites.

Every WordPress site needs security, backups, and management tools. That’s Solid Suite — an integrated bundle of three plugins: Solid Security, Solid Backups, and Solid Central. You also get access to Solid Academy’s learning resources for WordPress professionals. Build your next WordPress website on a solid foundation with Solid Suite!

Get Solid Security

Author:

Dan Knauss

Dan Knauss has worked for and written about agencies and product companies in the WordPress space since 2015. He’s been involved in WordPress and open source web development since their beginning.

Browse all of Dan's articles

Follow Dan:

Sign up

Placeholder text

Thanks

Oops something went wrong, please try submitting again

Table of Contents

WordPress Plugin Vulnerabilities — 66 Patched / 76 Unpatched