WordPress Vulnerability Report — October 25, 2023

Along with poor user account security, vulnerable plugins and themes are why WordPress websites get hacked. Our weekly WordPress Vulnerability Report powered by Patchstack covers the latest WordPress plugin, theme, and core vulnerabilities to emerge.

Dan Knauss

Updated:Oct 31, 2023

Published:Oct 25, 2023

Filed Under:WordPress Security

Reading Time:1 min.

Since our last report, 125 new vulnerabilities have been publicly disclosed.¹ Security patches for 61 plugins are available now, so run those updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Additionally, there are 64 plugin vulnerabilities with no patch available yet. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall with virtual patches from Patchstack. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

Along with poor user account security, vulnerable plugins and themes are why WordPress websites get hacked. (See our Annual Vulnerability Report for 2022.) Unfortunately, cyberattacks are increasing in volume and sophistication. They’re also increasingly aimed at small to mid-sized businesses.

1. WordPress Core
2. WordPress Plugins — 61 Patched / 64 Unpatched

2.1 Simple Calendar – Google Calendar Plugin
2.2 Web Push Notifications – Webpushr
2.3 Wp Ultimate Review
2.4 Motors – Car Dealer, Classifieds & Listing
2.5 Motors – Car Dealer, Classifieds & Listing
2.6 Protección de Datos RGPD
2.7 Grid Plus – Unlimited grid layout
2.8 WC Captcha
2.9 ApplyOnline – Application Form Builder and Manager
2.10 Advanced Local Pickup for WooCommerce
2.11 Ashe Extra
2.12 Custom post types, Custom Fields & more
2.13 DX Delete Attached Media
2.14 EventON
2.15 Minimum Purchase for WooCommerce
2.16 Rocket Font
2.17 Contact Form Builder, Contact Widget
2.18 Duplicate Theme
2.19 Internal Link Building
2.20 Internal Link Building
2.21 WooCommerce PDF Invoice Builder, Create invoices, packing slips and more
2.22 Auto Login New User After Registration
2.23 Auto Login New User After Registration
2.24 Smart Online Order for Clover
2.25 FreshMail For WordPress
2.26 Open Graph Metabox
2.27 Userback
2.28 Appointment Calendar
2.29 Archivist – Custom Archive Templates
2.30 Category SEO Meta Tags
2.31 EG-Attachments
2.32 Eonet Manual User Approve
2.33 Headline Analyzer
2.34 Icons Font Loader
2.35 Just Custom Fields
2.36 Lava Directory Manager
2.37 Novo-Map : your WP posts on custom google maps
2.38 SALESmanago
2.39 Smart App Banner
2.40 Smooth Scroll Links [SSL]
2.41 WDSocialWidgets
2.42 Taggbox – UGC Galleries, Social Media Widgets, User Reviews & Analytics
2.43 WC Serial Numbers – Ultimate License Manager Plugin for Selling, Licensing & Securely Delivering Digital Products with WooCommerce
2.44 Webmaster Tools
2.45 Webmaster Tools
2.46 WP Radio – Worldwide Online Radio Stations Directory for WordPress
2.47 The Awesome Feed – Custom Feed
2.48 Triberr
2.49 Soisy Pagamento Rateale
2.50 WP Post Columns
2.51 WP Full Stripe Free
2.52 Who Hit The Page – Hit Counter
2.53 WhatsApp Share Button
2.54 Theme Blvd Shortcodes
2.55 TCD Google Maps
2.56 Skype Legacy Buttons
2.57 WP Simple Table Manager
2.58 Product Category Tree
2.59 MpOperationLogs
2.60 Mediabay
2.61 Magee Shortcodes
2.62 CPO Shortcodes
2.63 Add Custom Body Class
2.64 Add Shortcodes Actions And Filters
2.65 WooCommerce Stripe Payment Gateway
2.66 WordPress Gallery Plugin – NextGEN Gallery
2.67 WordPress Gallery Plugin – NextGEN Gallery
2.68 WordPress Gallery Plugin – NextGEN Gallery
2.69 Widgets for Google Reviews
2.70 MW WP Form
2.71 Page Builder: Pagelayer – Drag and Drop website builder
2.72 Page Builder: Pagelayer – Drag and Drop website builder
2.73 Templately – Templates Cloud for Elementor & Gutenberg : 4000+ Free & Premium Designs!
2.74 Social Media Share Buttons & Social Sharing Icons
2.75 Social Media Share Buttons & Social Sharing Icons
2.76 User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds
2.77 Comments – wpDiscuz
2.78 Comments – wpDiscuz
2.79 Comments – wpDiscuz
2.80 WordPress Online Booking and Scheduling Plugin – Bookly
2.81 Tutor LMS – eLearning and online course solution
2.82 Booking Calendar
2.83 Booster for WooCommerce
2.84 File Manager Pro – Filester
2.85 File Manager Pro – Filester
2.86 PowerPress Podcasting plugin by Blubrry
2.87 Track Google Analytics 4, Facebook Pixel & Conversions API via Google Tag Manager for WooCommerce
2.88 Contact Form builder with drag & drop for WordPress – Kali Forms
2.89 Security & Malware scan by CleanTalk
2.90 BetterLinks – Shorten, Track and Manage any URL
2.91 E2Pdf – Export To Pdf Tool for WordPress
2.92 Envo Extra
2.93 Popup by Supsystic
2.94 Weaver Xtreme Theme Support
2.95 WP EXtra
2.96 Freesoul Deactivate Plugins – Plugin manager and cleanup
2.97 iPanorama 360 – WordPress Virtual Tour Builder
2.98 Modern Footnotes
2.99 WOLF – WordPress Posts Bulk Editor and Manager Professional
2.100 Active Directory Integration / LDAP Integration
2.101 Theme Switcha – Easily Switch Themes for Development and Testing
2.102 Broken Link Checker | Finder
2.103 AI ChatBot
2.104 AI ChatBot
2.105 AI ChatBot
2.106 AI ChatBot
2.107 EventON
2.108 WP Matterport Shortcode
2.109 WP Matterport Shortcode
2.110 Team Showcase
2.111 DoLogin Security
2.112 Shared Files – Advanced File Sharing & Download Manager with Frontend Uploads
2.113 Tab Ultimate
2.114 School Management System – WPSchoolPress
2.115 Ajax Archive Calendar
2.116 Social proof testimonials and reviews by Repuso
2.117 Thumbnail Slider With Lightbox
2.118 History Log by click5
2.119 Maileon for WordPress
2.120 Delete Usermetas
2.121 File Uploader
2.122 WooCommerce Ninja Forms Product Add-ons
2.123 Ultimate Addons for WPBakery Page Builder
2.124 Ultimate Addons for WPBakery Page Builder
2.125 Super Testimonial Pro

3. WordPress Themes
4. Notes

Our weekly WordPress Vulnerability Report covers the latest WordPress plugin, theme, and core vulnerabilities to emerge. Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure of vulnerabilities is essential to keeping the WordPress community safe. Please share this report to help spread the word and make WordPress — and the web — more secure.

WordPress Core

WordPress 6.3.2 is a Maintenance and Security release issued on October 12. It features 19 bug fixes on Core, 22 bug fixes for the Block Editor, and 8 security fixes.

Because this is a security release, it is recommended that you apply it and update your sites to WordPress 6.3.2 as soon as possible. Backports are also available for older supported major WordPress releases from version 4.1 onward.

The next major release will be version 6.4, expected on 7 November 2023.

WordPress Plugins — 61 Patched / 64 Unpatched

Plugin:: Simple Calendar – Google Calendar Plugin
Plugin Slug:: google-calendar-events
Installations:: 60,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-46189

Plugin:: Web Push Notifications – Webpushr
Plugin Slug:: webpushr-web-push-notifications
Installations:: 10,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-35041

Plugin:: Wp Ultimate Review
Plugin Slug:: wp-ultimate-review
Installations:: 10,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-46085

Plugin:: Motors – Car Dealer, Classifieds & Listing
Plugin Slug:: motors-car-dealership-classified-listings
Installations:: 9,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-46208

Plugin:: Motors – Car Dealer, Classifieds & Listing
Plugin Slug:: motors-car-dealership-classified-listings
Installations:: 9,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-46207

Plugin:: Protección de Datos RGPD
Plugin Slug:: click-datos-lopd
Installations:: 6,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-46071

Plugin:: Grid Plus – Unlimited grid layout
Plugin Slug:: grid-plus
Installations:: 6,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-46209

Plugin:: WC Captcha
Plugin Slug:: wc-captcha
Installations:: 6,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-46210

Plugin:: ApplyOnline – Application Form Builder and Manager
Plugin Slug:: apply-online
Installations:: 5,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-46080

Plugin:: Advanced Local Pickup for WooCommerce
Plugin Slug:: advanced-local-pickup-for-woocommerce
Installations:: 4,000+
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-2841

Plugin:: Ashe Extra
Plugin Slug:: ashe-extra
Installations:: 4,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-46079

Plugin:: Custom post types, Custom Fields & more
Plugin Slug:: custom-post-types
Installations:: 4,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-32116

Plugin:: DX Delete Attached Media
Plugin Slug:: dx-delete-attached-media
Installations:: 4,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-46073

Plugin:: EventON
Plugin Slug:: eventon-lite
Installations:: 4,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-4635

Plugin:: Minimum Purchase for WooCommerce
Plugin Slug:: minimum-purchase-for-woocommerce
Installations:: 4,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-30492

Plugin:: Rocket Font
Plugin Slug:: rocket-font
Installations:: 4,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-46067

Plugin:: Contact Form Builder, Contact Widget
Plugin Slug:: contact-forms-builder
Installations:: 3,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-46075

Plugin:: Duplicate Theme
Plugin Slug:: duplicate-theme
Installations:: 3,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-46204

Plugin:: Internal Link Building
Plugin Slug:: internal-link-building-plugin
Installations:: 3,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-46193

Plugin:: Internal Link Building
Plugin Slug:: internal-link-building-plugin
Installations:: 3,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-46192

Plugin:: WooCommerce PDF Invoice Builder, Create invoices, packing slips and more
Plugin Slug:: woo-pdf-invoice-builder
Installations:: 3,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-46076

Plugin:: Auto Login New User After Registration
Plugin Slug:: auto-login-new-user-after-registration
Installations:: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-46202

Plugin:: Auto Login New User After Registration
Plugin Slug:: auto-login-new-user-after-registration
Installations:: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-46201

Plugin:: Smart Online Order for Clover
Plugin Slug:: clover-online-orders
Installations:: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-46312

Plugin:: FreshMail For WordPress
Plugin Slug:: freshmail-integration
Installations:: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-46074

Plugin:: Open Graph Metabox
Plugin Slug:: open-graph-metabox
Installations:: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-46191

Plugin:: Userback
Plugin Slug:: userback
Installations:: 2,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-46089

Plugin:: Appointment Calendar
Plugin Slug:: appointment-calendar
Installations:: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-46198

Plugin:: Archivist – Custom Archive Templates
Plugin Slug:: archivist-custom-archive-templates
Installations:: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-46194

Plugin:: Category SEO Meta Tags
Plugin Slug:: category-seo-meta-tags
Installations:: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-46091

Plugin:: EG-Attachments
Plugin Slug:: eg-attachments
Installations:: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-46070

Plugin:: Eonet Manual User Approve
Plugin Slug:: eonet-manual-user-approve
Installations:: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-32738

Plugin:: Headline Analyzer
Plugin Slug:: headline-analyzer
Installations:: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-46195

Plugin:: Icons Font Loader
Plugin Slug:: icons-font-loader
Installations:: 1,000+
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-46084

Plugin:: Just Custom Fields
Plugin Slug:: just-custom-fields
Installations:: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-46203

Plugin:: Lava Directory Manager
Plugin Slug:: lava-directory-manager
Installations:: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-46081

Plugin:: Novo-Map : your WP posts on custom google maps
Plugin Slug:: novo-map
Installations:: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-46190

Plugin:: SALESmanago
Plugin Slug:: salesmanago
Installations:: 1,000+
Vulnerability:: Other Vulnerability Type
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-4939

Plugin:: Smart App Banner
Plugin Slug:: smart-app-banner
Installations:: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-46200

Plugin:: Smooth Scroll Links [SSL]
Plugin Slug:: smooth-scrolling-links-ssl
Installations:: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-46095

Plugin:: WDSocialWidgets
Plugin Slug:: spider-facebook
Installations:: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-46090

Plugin:: Taggbox – UGC Galleries, Social Media Widgets, User Reviews & Analytics
Plugin Slug:: taggbox-widget
Installations:: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-33215

Plugin:: WC Serial Numbers – Ultimate License Manager Plugin for Selling, Licensing & Securely Delivering Digital Products with WooCommerce
Plugin Slug:: wc-serial-numbers
Installations:: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-46078

Plugin:: Webmaster Tools
Plugin Slug:: webmaster-tools
Installations:: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-46093

Plugin:: Webmaster Tools
Plugin Slug:: webmaster-tools
Installations:: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-46092

Plugin:: WP Radio – Worldwide Online Radio Stations Directory for WordPress
Plugin Slug:: wp-radio
Installations:: 1,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-46150

Plugin:: The Awesome Feed – Custom Feed
Plugin Slug:: wp-facebook-feed
Installations:: 900+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-46077

Plugin:: Triberr
Plugin Slug:: triberr-wordpress-plugin
Installations:: 700+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-46199

Plugin:: Soisy Pagamento Rateale
Plugin Slug:: soisy-pagamento-rateale
Installations:: 400+
Vulnerability:: Broken Access Control
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-5132

Plugin:: WP Post Columns
Plugin Slug:: wp-post-columns
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-5708

Plugin:: WP Full Stripe Free
Plugin Slug:: wp-full-stripe-free
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-46088

Plugin:: Who Hit The Page – Hit Counter
Plugin Slug:: who-hit-the-page-hit-counter
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-46087

Plugin:: WhatsApp Share Button
Plugin Slug:: whatsapp
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-5668

Plugin:: Theme Blvd Shortcodes
Plugin Slug:: theme-blvd-shortcodes
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-5338

Plugin:: TCD Google Maps
Plugin Slug:: tcd-google-maps
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-5128

Plugin:: Skype Legacy Buttons
Plugin Slug:: skype-online-status
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-5615

Plugin:: WP Simple Table Manager
Plugin Slug:: simple-table-manager
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-4858

Plugin:: Product Category Tree
Plugin Slug:: product-category-tree
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-46151

Plugin:: MpOperationLogs
Plugin Slug:: mpoperationlogs
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-5538

Plugin:: Mediabay
Plugin Slug:: mediabay-lite
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-46066

Plugin:: Magee Shortcodes
Plugin Slug:: magee-shortcodes
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-4783

Plugin:: CPO Shortcodes
Plugin Slug:: cpo-shortcodes
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-5704

Plugin:: Add Custom Body Class
Plugin Slug:: add-custom-body-class
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2023-5205

Plugin:: Add Shortcodes Actions And Filters
Plugin Slug:: add-actions-and-filters
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2023-46072

Plugin:: WooCommerce Stripe Payment Gateway
Plugin Slug:: woocommerce-gateway-stripe
Installations:: 900,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 7.6.1
Severity Score:: Medium
CVE:: 2023-44999

Plugin:: WordPress Gallery Plugin – NextGEN Gallery
Plugin Slug:: nextgen-gallery
Installations:: 500,000+
Vulnerability:: Local File Inclusion
Patched in Version:: 3.39
Severity Score:: Medium
CVE:: 2023-3279

Plugin:: WordPress Gallery Plugin – NextGEN Gallery
Plugin Slug:: nextgen-gallery
Installations:: 500,000+
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 3.39
Severity Score:: Medium
CVE:: 2023-3155

Plugin:: WordPress Gallery Plugin – NextGEN Gallery
Plugin Slug:: nextgen-gallery
Installations:: 500,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 3.39
Severity Score:: Medium
CVE:: 2023-3154

Plugin:: Widgets for Google Reviews
Plugin Slug:: wp-reviews-plugin-for-google
Installations:: 300,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 10.9.1
Severity Score:: Medium
CVE:: 2023-3254

Plugin:: MW WP Form
Plugin Slug:: mw-wp-form
Installations:: 200,000+
Vulnerability:: Broken Access Control
Patched in Version:: 5.0.0
Severity Score:: Medium
CVE:: 2023-46206

Plugin:: Page Builder: Pagelayer – Drag and Drop website builder
Plugin Slug:: pagelayer
Installations:: 200,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.7.8
Severity Score:: Medium
CVE:: 2023-5087

Plugin:: Page Builder: Pagelayer – Drag and Drop website builder
Plugin Slug:: pagelayer
Installations:: 200,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.7.7
Severity Score:: High
CVE:: 2023-4687

Plugin:: Templately – Templates Cloud for Elementor & Gutenberg : 4000+ Free & Premium Designs!
Plugin Slug:: templately
Installations:: 200,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.2.6
Severity Score:: Medium
CVE:: 2023-5454

Plugin:: Social Media Share Buttons & Social Sharing Icons
Plugin Slug:: ultimate-social-media-icons
Installations:: 100,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 2.8.6
Severity Score:: Medium
CVE:: 2023-5602

Plugin:: Social Media Share Buttons & Social Sharing Icons
Plugin Slug:: ultimate-social-media-icons
Installations:: 100,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 2.8.6
Severity Score:: Medium
CVE:: 2023-5070

Plugin:: User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds
Plugin Slug:: userfeedback-lite
Installations:: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.0.10
Severity Score:: High
CVE:: 2023-46153

Plugin:: Comments – wpDiscuz
Plugin Slug:: wpdiscuz
Installations:: 80,000+
Vulnerability:: Insecure Direct Object References (IDOR)
Patched in Version:: 7.6.4
Severity Score:: Low
CVE:: 2023-46311

Plugin:: Comments – wpDiscuz
Plugin Slug:: wpdiscuz
Installations:: 80,000+
Vulnerability:: Content Injection
Patched in Version:: 7.6.11
Severity Score:: Medium
CVE:: 2023-46310

Plugin:: Comments – wpDiscuz
Plugin Slug:: wpdiscuz
Installations:: 80,000+
Vulnerability:: Broken Access Control
Patched in Version:: 7.6.11
Severity Score:: Medium
CVE:: 2023-46309

Plugin:: WordPress Online Booking and Scheduling Plugin – Bookly
Plugin Slug:: bookly-responsive-appointment-booking-tool
Installations:: 70,000+
Vulnerability:: SQL Injection
Patched in Version:: 22.4
Severity Score:: High
CVE:: 2023-4691

Plugin:: Tutor LMS – eLearning and online course solution
Plugin Slug:: tutor
Installations:: 70,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.3.0
Severity Score:: Medium
CVE:: 2023-4805

Plugin:: Booking Calendar
Plugin Slug:: booking
Installations:: 60,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 9.7.3.1
Severity Score:: High
CVE:: 2023-4620

Plugin:: Booster for WooCommerce
Plugin Slug:: woocommerce-jetpack
Installations:: 60,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 7.1.3
Severity Score:: Medium
CVE:: 2023-5638

Plugin:: File Manager Pro – Filester
Plugin Slug:: filester
Installations:: 50,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.8.1
Severity Score:: Medium
CVE:: 2023-4862

Plugin:: File Manager Pro – Filester
Plugin Slug:: filester
Installations:: 50,000+
Vulnerability:: Remote Code Execution (RCE)
Patched in Version:: 1.8.1
Severity Score:: High
CVE:: 2023-4861

Plugin:: PowerPress Podcasting plugin by Blubrry
Plugin Slug:: powerpress
Installations:: 40,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 11.0.12
Severity Score:: Medium
CVE:: 2023-4820

Plugin:: Track Google Analytics 4, Facebook Pixel & Conversions API via Google Tag Manager for WooCommerce
Plugin Slug:: enhanced-e-commerce-for-woocommerce-store
Installations:: 30,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 6.5.4
Severity Score:: High
CVE:: 2023-46094

Plugin:: Contact Form builder with drag & drop for WordPress – Kali Forms
Plugin Slug:: kali-forms
Installations:: 30,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.3.28
Severity Score:: Medium
CVE:: 2023-46083

Plugin:: Security & Malware scan by CleanTalk
Plugin Slug:: security-malware-firewall
Installations:: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.51
Severity Score:: High
CVE:: 2020-36698

Plugin:: BetterLinks – Shorten, Track and Manage any URL
Plugin Slug:: betterlinks
Installations:: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.6.1
Severity Score:: High
CVE:: 2023-45104

Plugin:: E2Pdf – Export To Pdf Tool for WordPress
Plugin Slug:: e2pdf
Installations:: 10,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 1.20.19
Severity Score:: Medium
CVE:: 2023-46154

Plugin:: Envo Extra
Plugin Slug:: envo-extra
Installations:: 10,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.8.4
Severity Score:: Medium

Plugin:: Popup by Supsystic
Plugin Slug:: popup-by-supsystic
Installations:: 10,000+
Vulnerability:: Arbitrary File Download
Patched in Version:: 1.10.20
Severity Score:: Medium
CVE:: 2023-46197

Plugin:: Weaver Xtreme Theme Support
Plugin Slug:: weaverx-theme-support
Installations:: 10,000+
Vulnerability:: PHP Object Injection
Patched in Version:: 6.3.1
Severity Score:: Medium
CVE:: 2023-4971

Plugin:: WP EXtra
Plugin Slug:: wp-extra
Installations:: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 6.3
Severity Score:: Medium
CVE:: 2023-46212

Plugin:: Freesoul Deactivate Plugins – Plugin manager and cleanup
Plugin Slug:: freesoul-deactivate-plugins
Installations:: 9,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.1.4
Severity Score:: Medium
CVE:: 2023-46188

Plugin:: iPanorama 360 – WordPress Virtual Tour Builder
Plugin Slug:: ipanorama-360-virtual-tour-builder-lite
Installations:: 7,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.8.1
Severity Score:: High
CVE:: 2023-5336

Plugin:: Modern Footnotes
Plugin Slug:: modern-footnotes
Installations:: 6,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.4.17
Severity Score:: Medium
CVE:: 2023-5618

Plugin:: WOLF – WordPress Posts Bulk Editor and Manager Professional
Plugin Slug:: bulk-editor
Installations:: 5,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.0.7.2
Severity Score:: Medium
CVE:: 2023-46152

Plugin:: Active Directory Integration / LDAP Integration
Plugin Slug:: ldap-login-for-intranet-sites
Installations:: 5,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 4.1.10
Severity Score:: Medium
CVE:: 2023-5003

Plugin:: Theme Switcha – Easily Switch Themes for Development and Testing
Plugin Slug:: theme-switcha
Installations:: 5,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.3.1
Severity Score:: Medium
CVE:: 2023-5614

Plugin:: Broken Link Checker | Finder
Plugin Slug:: broken-link-finder
Installations:: 4,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.5.0
Severity Score:: Medium
CVE:: 2023-46082

Plugin:: AI ChatBot
Plugin Slug:: chatbot
Installations:: 4,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 4.9.1
Severity Score:: Medium
CVE:: 2023-5254

Plugin:: AI ChatBot
Plugin Slug:: chatbot
Installations:: 4,000+
Vulnerability:: Directory Traversal
Patched in Version:: 4.9.1
Severity Score:: Critical
CVE:: 2023-5241

Plugin:: AI ChatBot
Plugin Slug:: chatbot
Installations:: 4,000+
Vulnerability:: Arbitrary File Deletion
Patched in Version:: 4.9.1
Severity Score:: Critical
CVE:: 2023-5212

Plugin:: AI ChatBot
Plugin Slug:: chatbot
Installations:: 4,000+
Vulnerability:: SQL Injection
Patched in Version:: 4.9.1
Severity Score:: Critical
CVE:: 2023-5204

Plugin:: EventON
Plugin Slug:: eventon-lite
Installations:: 4,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.2
Severity Score:: Medium
CVE:: 2023-4388

Plugin:: WP Matterport Shortcode
Plugin Slug:: shortcode-gallery-for-matterport-showcase
Installations:: 4,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.1.7
Severity Score:: High
CVE:: 2023-4290

Plugin:: WP Matterport Shortcode
Plugin Slug:: shortcode-gallery-for-matterport-showcase
Installations:: 4,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.1.8
Severity Score:: Medium
CVE:: 2023-4289

Plugin:: Team Showcase
Plugin Slug:: team-showcase
Installations:: 4,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.2
Severity Score:: Medium
CVE:: 2023-5639

Plugin:: DoLogin Security
Plugin Slug:: dologin
Installations:: 3,000+
Vulnerability:: Sensitive Data Exposure
Patched in Version:: 3.7.1
Severity Score:: Medium
CVE:: 2023-4800

Plugin:: Shared Files – Advanced File Sharing & Download Manager with Frontend Uploads
Plugin Slug:: shared-files
Installations:: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.7.6
Severity Score:: High
CVE:: 2023-4819

Plugin:: Tab Ultimate
Plugin Slug:: tabs-pro
Installations:: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.4
Severity Score:: Medium
CVE:: 2023-5667

Plugin:: School Management System – WPSchoolPress
Plugin Slug:: wpschoolpress
Installations:: 2,000+
Vulnerability:: SQL Injection
Patched in Version:: 2.2.5
Severity Score:: High
CVE:: 2023-4776

Plugin:: Ajax Archive Calendar
Plugin Slug:: ajax-archive-calendar
Installations:: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.6.8
Severity Score:: Medium
CVE:: 2023-46069

Plugin:: Social proof testimonials and reviews by Repuso
Plugin Slug:: social-testimonials-and-reviews-widget
Installations:: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 5.00
Severity Score:: Medium
CVE:: 2023-46196

Plugin:: Thumbnail Slider With Lightbox
Plugin Slug:: wp-responsive-slider-with-lightbox
Installations:: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.0.1
Severity Score:: Medium
CVE:: 2023-5621

Plugin:: History Log by click5
Plugin Slug:: history-log-by-click5
Installations:: 800+
Vulnerability:: SQL Injection
Patched in Version:: 1.0.13
Severity Score:: High
CVE:: 2023-5082

Plugin:: Maileon for WordPress
Plugin Slug:: xqueue-maileon
Installations:: 100+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.16.1
Severity Score:: Medium
CVE:: 2023-46068

Plugin:: Delete Usermetas
Plugin Slug:: delete-usermetas
Installations:: 20+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 1.2.0
Severity Score:: Medium
CVE:: 2023-5537

Plugin:: File Uploader
Plugin Slug:: wp-file-uploader
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.23.3
Severity Score:: Medium
CVE:: 2023-4811

Plugin:: WooCommerce Ninja Forms Product Add-ons
Plugin Slug:: woocommerce-ninjaforms-product-addons
Vulnerability:: Arbitrary File Upload
Patched in Version:: 1.7.1
Severity Score:: Critical
CVE:: 2023-5601

Plugin:: Ultimate Addons for WPBakery Page Builder
Plugin Slug:: ultimate_vc_addons
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.19.15
Severity Score:: Medium
CVE:: 2023-46211

Plugin:: Ultimate Addons for WPBakery Page Builder
Plugin Slug:: ultimate_vc_addons
Vulnerability:: Local File Inclusion
Patched in Version:: 3.19.15
Severity Score:: High
CVE:: 2023-46205

Plugin:: Super Testimonial Pro
Plugin Slug:: super-testimonial-pro
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.0
Severity Score:: Medium
CVE:: 2023-5613

WordPress Themes

Notes

This report comes out on Wednesdays and covers the last seven days of public disclosures in the Patchstack vulnerability database from the beginning of the previous week to the beginning of the current week — from last Monday to this Monday. This period intentionally excludes any vulnerabilities added to the database in the last 48 hours. However, that up-to-the-minute vulnerability data powers Solid Security Pro for our customers who have purchased Solid Suite. Solid Security Pro automatically protects WordPress sites from active exploits aimed at unpatched vulnerabilities. ↩︎

Solid Security is part of Solid Suite — The best foundation for WordPress websites.

Every WordPress site needs security, backups, and management tools. That’s Solid Suite — an integrated bundle of three plugins: Solid Security, Solid Backups, and Solid Central. You also get access to Solid Academy’s learning resources for WordPress professionals. Build your next WordPress website on a solid foundation with Solid Suite!

Get Solid Security

Author:

Dan Knauss

Dan Knauss has worked for and written about agencies and product companies in the WordPress space since 2015. He’s been involved in WordPress and open source web development since their beginning.

Browse all of Dan's articles

Follow Dan:

Sign up

Placeholder text

Thanks

Oops something went wrong, please try submitting again

Table of Contents

WordPress Core

WordPress Plugins — 61 Patched / 64 Unpatched

WordPress Themes

Notes

Solid Security is part of Solid Suite — The best foundation for WordPress websites.

Author:

Join us for the next Solid Academy Webinar!

What is a WordPress Phishing Attack?

Website Protection: 5 Ways to Keep Your Website Safe

23 Ideas To Grow Your WordPress Business in 2023

Author:

Sign up now — Get SolidWP updates and valuable content straight to your inbox

Sign up

Related Posts

WordPress Vulnerability Report — April 24, 2024

Solid Security Pro Feature Spotlight – Password Requirements

WordPress Vulnerability Report — April 17, 2024

WordPress Vulnerability Report — April 10, 2024