WordPress Vulnerability Report – October 4, 2023

Since last week, 97 new vulnerabilities have emerged in public disclosures. They may affect over two million WordPress sites. This includes 50 plugin vulnerabilities with security patches, so run those updates! Additionally, there are 47 plugin vulnerabilities with no patch available yet. If you use an unpatched plugin or theme, check their vendors' intentions and progress toward a security release.

Dan Knauss

Updated:Oct 5, 2023

Published:Oct 4, 2023

Filed Under:WordPress Vulnerability Report

Reading Time:34 min.

Additionally, there are 47 plugin vulnerabilities with no patch available yet. If you use an unpatched plugin or theme, check their vendors’ intentions and progress toward a security release. If no patch is forthcoming or the vulnerable software has been marked “closed” and dropped from the official WordPress theme or plugin repositories, you should consider deactivation and removal in favor of alternative solutions.

WordPress Core Vulnerabilities — Patched

No new WordPress core vulnerabilities were disclosed this week.

WordPress core is very secure when it’s properly configured and maintained. Vulnerable plugins not updated by site owners are the most common vector for attacks on WordPress websites. Our weekly WordPress Vulnerability Report, powered by Patchstack, covers new vulnerabilities that have emerged in plugins, themes, and/or WordPress core since last week’s report. Our goal is to spread awareness of emerging security threats and help you decide what to do if you find vulnerable software on your website. For a deeper analysis of recent trends in WordPress vulnerabilities and threat vectors, see our 2022 Annual Vulnerability Report.

These reports are published every Wednesday and include all active vulnerabilities tracked by Patchstack as of Monday since the previous report. This leaves a 48-hour window for the newest emerging vulnerabilities to be patched before full public disclosure. iThemes Security Pro users have access to vulnerability alerts emerging within this window.

WordPress Plugin Vulnerabilities — Patched

In this section, you’ll find the most recently disclosed WordPress plugin vulnerabilities fixed with a new release from their authors and maintainers. Please apply the updates if you are affected!

These vulnerabilities have been disclosed and scored for their severity, thanks to our friends at Patchstack. Each plugin listing includes the type of vulnerability with its CVE number and CVSS severity rating with links to more technical details. You’ll also see the number of active sites using the plugin and the plugin version release that patches the vulnerability. We start with the most popular plugins, representing the largest target for attackers.

Table of Contents Plus

Plugin: Table of Contents Plus
Plugin Slug: table-of-contents-plus
Installations: 300,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 2309
Severity Score: Medium
CVE: 2023-44473

ProfilePress

Plugin: Paid Membership Plugin, Ecommerce, Registration Form, Login Form, User Profile & Restrict Content – ProfilePress
Plugin Slug: wp-user-avatar
Installations: 200,000+
Vulnerability: Sensitive Data Exposure
Patched in Version: 4.13.3
Severity Score: High
CVE: 2023-44150

FooGallery

Plugin: Best WordPress Gallery Plugin – FooGallery
Plugin Slug: foogallery
Installations: 100,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.3.2
Severity Score: High
CVE: 2023-44244

FooGallery

Plugin: Best WordPress Gallery Plugin – FooGallery
Plugin Slug: foogallery
Installations: 100,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 2.3.2
Severity Score: Medium
CVE: 2023-44233

iframe

Plugin: iframe
Plugin Slug: iframe
Installations: 100,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 4.7
Severity Score: Medium
CVE: 2023-4919

Advanced Custom Fields: Extended

Plugin: Advanced Custom Fields: Extended
Plugin Slug: acf-extended
Installations: 80,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 0.8.9.4
Severity Score: Medium
CVE: 2023-5292

Astra Bulk Edit

Plugin: Astra Bulk Edit
Plugin Slug: astra-bulk-edit
Installations: 70,000+
Vulnerability: Broken Access Control
Patched in Version: 1.2.8
Severity Score: Medium
CVE: 2023-44148

Simple Membership

Plugin: Simple Membership
Plugin Slug: simple-membership
Installations: 50,000+
Vulnerability: Privilege Escalation
Patched in Version: 4.3.5
Severity Score: High
CVE: 2023-41957

Simple Membership

Plugin: Simple Membership
Plugin Slug: simple-membership
Installations: 50,000+
Vulnerability: Privilege Escalation
Patched in Version: 4.3.5
Severity Score: High
CVE: 2023-41956

Ditty

Plugin: Ditty – Responsive News Tickers, Sliders, and Lists
Plugin Slug: ditty-news-ticker
Installations: 40,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.1.25
Severity Score: High
CVE: 2023-4148

BEAR

Plugin: BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net
Plugin Slug: woo-bulk-editor
Installations: 30,000+
Vulnerability: Broken Access Control
Patched in Version: 1.1.4
Severity Score: Medium
CVE: 2023-4938

BEAR

Plugin: BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net
Plugin Slug: woo-bulk-editor
Installations: 30,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.1.4
Severity Score: Medium
CVE: 2023-4920

Abandoned Cart Lite for WooCommerce

Plugin: Abandoned Cart Lite for WooCommerce
Plugin Slug: woocommerce-abandoned-cart
Installations: 30,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 5.16.0
Severity Score: Medium
CVE: 2023-44986

WP Job Openings

Plugin: WP Job Openings – Job Listing, Career Page and Recruitment Plugin
Plugin Slug: wp-job-openings
Installations: 30,000+
Vulnerability: Sensitive Data Exposure
Patched in Version: 3.4.3
Severity Score: Low
CVE: 2023-4933

flowpaper

Plugin: flowpaper
Plugin Slug: flowpaper-lite-pdf-flipbook
Installations: 20,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.0.4
Severity Score: Medium
CVE: 2023-5200

Simple Cloudflare Turnstile

Plugin: Simple Cloudflare Turnstile – CAPTCHA Alternative
Plugin Slug: simple-cloudflare-turnstile
Installations: 20,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.23.2
Severity Score: Medium
CVE: 2023-5135

WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce

Plugin: WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce
Plugin Slug: wp-event-manager
Installations: 20,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.1.38
Severity Score: Medium
CVE: 2023-4423

Inactive Logout

Plugin: Inactive Logout
Plugin Slug: inactive-logout
Installations: 10,000+
Vulnerability: Broken Access Control
Patched in Version: 3.2.3
Severity Score: Medium
CVE: 2023-44142

Modal Window

Plugin: Modal Window – create popup modal window
Plugin Slug: modal-window
Installations: 10,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 5.3.6
Severity Score: Medium
CVE: 2023-5161

Options for Twenty Seventeen

Plugin: Options for Twenty Seventeen
Plugin Slug: options-for-twenty-seventeen
Installations: 10,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.5.1
Severity Score: Medium
CVE: 2023-5162

bbp style pack

Plugin: bbp style pack
Plugin Slug: bbp-style-pack
Installations: 8,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 5.6.8
Severity Score: Medium
CVE: 2023-44984

Brands for WooCommerce

Plugin: Brands for WooCommerce
Plugin Slug: brands-for-woocommerce
Installations: 6,000+
Vulnerability: Broken Access Control
Patched in Version: 3.8.2.3
Severity Score: Medium
CVE: 2023-44149

WOLF

Plugin: WOLF – WordPress Posts Bulk Editor and Manager Professional
Plugin Slug: bulk-editor
Installations: 5,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.0.7.2
Severity Score: Medium
CVE: 2023-44990

Active Directory Integration / LDAP Integration

Plugin: Active Directory Integration / LDAP Integration
Plugin Slug: ldap-login-for-intranet-sites
Installations: 5,000+
Vulnerability: Broken Access Control
Patched in Version: 4.2
Severity Score: Low
CVE: 2023-4506

AI ChatBot

Plugin: AI ChatBot
Plugin Slug: chatbot
Installations: 4,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 4.7.9
Severity Score: Medium
CVE: 2023-44993

ActivityPub for WordPress

Plugin: ActivityPub
Plugin Slug: activitypub
Installations: 3,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.0.0
Severity Score: Medium
CVE: 2023-3746

ActivityPub for WordPress

Plugin: ActivityPub
Plugin Slug: activitypub
Installations: 3,000+
Vulnerability: Sensitive Data Exposure
Patched in Version: 1.0.0
Severity Score: Medium
CVE: 2023-3706

ActivityPub for WordPress

Plugin: ActivityPub
Plugin Slug: activitypub
Installations: 3,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.0.0
Severity Score: Medium
CVE: 2023-5057

ActivityPub for WordPress

Plugin: ActivityPub
Plugin Slug: activitypub
Installations: 3,000+
Vulnerability: Sensitive Data Exposure
Patched in Version: 1.0.0
Severity Score: Medium
CVE: 2023-3707

Checkfront Online Booking System

Plugin: Checkfront Online Booking System
Plugin Slug: checkfront-wp-booking
Installations: 3,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 3.7
Severity Score: Medium
CVE: 2023-44146

DoLogin Security

Plugin: DoLogin Security
Plugin Slug: dologin
Installations: 3,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.7
Severity Score: High
CVE: 2023-4549

Import XML and RSS Feeds

Plugin: Import XML and RSS Feeds
Plugin Slug: import-xml-feed
Installations: 3,000+
Vulnerability: Remote Code Execution (RCE)
Patched in Version: 2.1.5
Severity Score: Critical
CVE: 2023-4521

Import XML and RSS Feeds

Plugin: Import XML and RSS Feeds
Plugin Slug: import-xml-feed
Installations: 3,000+
Vulnerability: Arbitrary File Upload
Patched in Version: 2.1.4
Severity Score: Critical
CVE: 2023-4300

Track The Click

Plugin: Track The Click
Plugin Slug: track-the-click
Installations: 3,000+
Vulnerability: SQL Injection
Patched in Version: 0.3.12
Severity Score: High
CVE: 2023-5041

Anchor Episodes Index (Spotify for Podcasters)

Plugin: Anchor Episodes Index (Spotify for Podcasters)
Plugin Slug: anchor-episodes-index
Installations: 2,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.1.8
Severity Score: Medium
CVE: 2023-44145

Comment Blacklist Updater

Plugin: Comment Blacklist Updater
Plugin Slug: comment-blacklist-updater
Installations: 2,000+
Vulnerability: Broken Access Control
Patched in Version: 1.2.0
Severity Score: Medium
CVE: 2023-44147

Instant CSS

Plugin: Instant CSS
Plugin Slug: instant-css
Installations: 2,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.2.2
Severity Score: Medium
CVE: 2023-44243

Pretty Google Calendar

Plugin: Pretty Google Calendar
Plugin Slug: pretty-google-calendar
Installations: 2,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.6.0
Severity Score: Medium

OpenHook

Plugin: OpenHook
Plugin Slug: thesis-openhook
Installations: 2,000+
Vulnerability: Remote Code Execution (RCE)
Patched in Version: 4.3.1
Severity Score: Critical
CVE: 2023-5201

BuddyMeet

Plugin: BuddyMeet
Plugin Slug: buddymeet
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.3.0
Severity Score: Medium
CVE: 2023-44985

Pre-Publish Checklist

Plugin: Pre-Publish Checklist
Plugin Slug: pre-publish-checklist
Installations: 1,000+
Vulnerability: Broken Access Control
Patched in Version: 1.1.2
Severity Score: Medium
CVE: 2023-44151

Simple Posts Ticker

Plugin: Simple Posts Ticker – Easy, Lightweight & Flexible
Plugin Slug: simple-posts-ticker
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.1.6
Severity Score: Medium
CVE: 2023-4725

Simple Posts Ticker

Plugin: Simple Posts Ticker – Easy, Lightweight & Flexible
Plugin Slug: simple-posts-ticker
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.1.6
Severity Score: Medium
CVE: 2023-4646

User Avatar – Reloaded

Plugin: User Avatar – Reloaded
Plugin Slug: user-avatar-reloaded
Installations: 800+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.2.2
Severity Score: Medium
CVE: 2023-4798

Payment gateway per Product for WooCommerce

Plugin: Payment gateway per Product for WooCommerce
Plugin Slug: woocommerce-product-payments
Installations: 500+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.2.8
Severity Score: High
CVE: 2023-44144

Staff / Employee Business Directory for Active Directory

Plugin: Staff / Employee Business Directory for Active Directory
Plugin Slug: ldap-ad-staff-employee-directory-search
Installations: 10+
Vulnerability: Broken Access Control
Patched in Version: 1.3
Severity Score: Low
CVE: 2023-4505

Modern Events Calendar lite

Plugin: Modern Events Calendar Lite
Plugin Slug: modern-events-calendar-lite
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 7.1.0
Severity Score: Medium
CVE: 2023-4021

Tiger Forms

Plugin: Tiger Forms – Drag and Drop Form Builder
Plugin Slug: tiger-form
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.1.0
Severity Score: High
CVE: 2023-44474

User Activity Log Pro

Plugin: User Activity Log Pro
Plugin Slug: user-activity-log-pro
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.3.4
Severity Score: High
CVE: 2023-5167

User Activity Log Pro

Plugin: User Activity Log Pro
Plugin Slug: user-activity-log-pro
Vulnerability: Bypass Vulnerability
Patched in Version: 2.3.4
Severity Score: Medium
CVE: 2023-5133

WordPress Plugin Vulnerabilities — Unpatched

This section contains plugin vulnerabilities with no known fix. Until a patch is available, you are advised to deactivate the plugin, at minimum, immediately. If there is a high risk of active exploits or the plugin remains unpatched for weeks, you are advised to delete the plugin. You should also delete persistently unpatched plugins the WordPress.org repository has locked and marked “Closed” so they can no longer be downloaded and installed.

Popup Builder

Plugin: Popup Builder – Create highly converting, mobile friendly marketing popups.
Plugin Slug: popup-builder
Installations: 200,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-3226

Unyson

Plugin: Unyson
Plugin Slug: unyson
Installations: 200,000+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-44472

Media Library Assistant

Plugin: Media Library Assistant
Plugin Slug: media-library-assistant
Installations: 70,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-24385

Timthumb Vulnerability Scanner

Plugin: Timthumb Vulnerability Scanner
Plugin Slug: timthumb-vulnerability-scanner
Installations: 40,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-44240

Mang Board WP

Plugin: Mang Board WP
Plugin Slug: mangboard
Installations: 10,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-44257

Mediavine Control Panel

Plugin: Mediavine Control Panel
Plugin Slug: mediavine-control-panel
Installations: 10,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-44259

Schema App Structured Data

Plugin: Schema App Structured Data
Plugin Slug: schema-app-structured-data-for-schemaorg
Installations: 10,000+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-44258

Block Plugin Update

Plugin: Block Plugin Update
Plugin Slug: block-specific-plugin-updates
Installations: 7,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-44261

Simple File List

Plugin: Simple File List
Plugin Slug: simple-file-list
Installations: 5,000+
Vulnerability: Arbitrary File Deletion
Patched in Version: No Fix
Severity Score: High
CVE: 2023-44227

WP Job Portal

Plugin: WP Job Portal – A Complete Job Board
Plugin Slug: wp-job-portal
Installations: 3,000+
Vulnerability: SQL Injection
Patched in Version: No Fix
Severity Score: Critical
CVE: 2023-4490

WP Adminify

Plugin: WP Adminify – WordPress Dashboard Customization | Custom Login | Admin Columns | Dashboard Widget | Media Library Folders
Plugin Slug: adminify
Installations: 2,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-44266

Blocks

Plugin: Blocks
Plugin Slug: blocks
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-44262

Contact Form

Plugin: Contact Form
Plugin Slug: contact-form-ready
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-44231

Timely Booking Button

Plugin: Timely Booking Button
Plugin Slug: timely-booking-button
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-44987

Tiny Carousel Horizontal Slider

Plugin: Tiny Carousel Horizontal Slider
Plugin Slug: tiny-carousel-horizontal-slider
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-44229

Woocommerce ESTO

Plugin: Woocommerce ESTO
Plugin Slug: woo-esto
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-44260

WP Hide Pages

Plugin: WP Hide Pages
Plugin Slug: wp-hide-pages
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-44232

Popup contact form

Plugin: Popup contact form
Plugin Slug: popup-contact-form
Installations: 900+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-44230

Popup contact form

Plugin: Popup contact form
Plugin Slug: popup-contact-form
Installations: 900+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-44265

Social Metrics

Plugin: Social Metrics
Plugin Slug: social-metrics
Installations: 900+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-44263

The Awesome Feed – Custom Feed

Plugin: The Awesome Feed – Custom Feed
Plugin Slug: wp-facebook-feed
Installations: 900+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-44264

Onclick Show Popup

Plugin: Onclick show popup
Plugin Slug: onclick-show-popup
Installations: 400+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-44228

Slideshow, Image Slider by 2J

Plugin: Images Slideshow by 2J
Plugin Slug: 2j-slideshow
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-44242

Add Shortcodes Actions And Filters

Plugin: Add Shortcodes Actions And Filters
Plugin Slug: add-actions-and-filters
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-44475

Contractor Contact Form Website to Workflow Tool

Plugin: Contractor Contact Form Website to Workflow Tool
Plugin Slug: contractor-contact-form-website-to-workflow-tool
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-44245

Cooked

Plugin: Cooked
Plugin Slug: cooked
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-44477

CopyRightPro

Plugin: CopyRightPro
Plugin Slug: copyrightpro
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-44476

Comments by Startbit

Plugin: Comments by Startbit
Plugin Slug: facebook-comment-by-vivacity
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-5295

Font Awesome Integration

Plugin: Font Awesome Integration
Plugin Slug: font-awesome-integration
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-5233

Font Awesome More Icons

Plugin: Font Awesome More Icons
Plugin Slug: font-awesome-more-icons
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-5232

Contact form Form For All

Plugin: Contact form Form For All
Plugin Slug: formforall
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-5337

Keap Landing Pages

Plugin: Keap Landing Pages
Plugin Slug: infusionsoft-landing-pages
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-44241

Backend Localization

Plugin: Backend Localization
Plugin Slug: kau-boys-backend-localization
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-44471

Kv TinyMCE Editor Add Fonts

Plugin: Kv TinyMCE Editor Add Fonts
Plugin Slug: kv-tinymce-editor-fonts
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-44470

Magic Action Box

Plugin: Magic Action Box
Plugin Slug: magic-action-box
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-5231

Remove slug from custom post type

Plugin: Remove slug from custom post type
Plugin Slug: remove-slug-from-custom-post-type
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-44238

WP Responsive header image slider

Plugin: WP Responsive header image slide
Plugin Slug: responsive-header-image-slider
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-5334

Events Rich Snippets for Google

Plugin: Events Rich Snippets for Google
Plugin Slug: rich-snippets-vevents
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-44478

Shockingly Simple Favicon

Plugin: Shockingly Simple Favicon
Plugin Slug: shockingly-simple-favicon
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-44246

TM WooCommerce Compare & Wishlist

Plugin: TM WooCommerce Compare & Wishlist
Plugin Slug: tm-woocommerce-compare-wishlist
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-5230

Vrm 360 3D Model Viewer

Plugin: Vrm 360 3D Model Viewer
Plugin Slug: vrm360
Vulnerability: Sensitive Data Exposure
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-5177

WP Captcha

Plugin: WP Captcha
Plugin Slug: wp-captcha
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-44236

WP Captcha

Plugin: WP Captcha
Plugin Slug: wp-captcha
Vulnerability: Bypass Vulnerability
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-44235

WP GPX Maps

Plugin: WP GPX Map
Plugin Slug: wp-gpx-maps
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-44234

WP Jump Menu

Plugin: WP Jump Menu
Plugin Slug: wp-jump-menu
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-44479

WP Site Protector

Plugin: WP Site Protector
Plugin Slug: wp-site-protector
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-44237

WWM Social Share On Image Hover

Plugin: WWM Social Share On Image Hover
Plugin Slug: wwm-social-share-on-image-hover
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-44239

WordPress Theme Vulnerabilities

In this section, you’ll find the latest WordPress theme vulnerabilities to be disclosed. You’ll see the same information we provided above for vulnerable plugins, and the same advice applies. If a security update exists, install it immediately. If a vulnerability remains unpatched in a theme you are actively using, you must find an alternative theme. Deactivate and delete persistently unpatched themes and those marked “Closed” in the WordPress.org theme repository. If you have a vulnerable theme installed that you are not actively using, delete it.

No new WordPress theme vulnerabilities were disclosed this week.

Never worry about running a vulnerable plugin or theme again.

As you can see from this report, new WordPress plugin and theme vulnerabilities are disclosed every week. We know it can be difficult to stay on top of every reported vulnerability disclosure that matters to you, so the Themes Security Pro plugin makes it easy to ensure your site isn’t running a vulnerable theme, plugin, or version of WordPress core.

Scans Your Website Twice a Day for Vulnerabilities

Your website’s plugins, themes, and WordPress core versions are checked against the Patchstack Vulnerability Database for the latest vulnerability disclosures.

Automatically Updates if a Security Fix is Available

Paired with Version Management, iThemes Security will automatically update a plugin, theme, or WordPress core version if it has a vulnerability.

Emails You a Warning if Site Scan Detects a Vulnerability

You can receive an email report if your site is running vulnerable versions of a plugin, theme, or WordPress core. Customize the email addresses that receive scan results.

The Best WordPress Security Plugin to Secure & Protect WordPress Sites

WordPress currently powers over 40% of all websites, so it has become a popular target for hackers with malicious intent. The iThemes Security Pro plugin takes the guesswork out of WordPress security to make it easy to secure & protect your WordPress website. It’s like having a full-time security expert on staff who constantly monitors and protects your WordPress site for you.

Buy iThemes Security Pro

Author:

Dan Knauss

Dan Knauss has worked for and written about agencies and product companies in the WordPress space since 2015. He’s been involved in WordPress and open source web development since their beginning.

Browse all of Dan's articles

Follow Dan:

Sign up

Placeholder text

Thanks

Oops something went wrong, please try submitting again

WordPress Core Vulnerabilities — Patched

WordPress Plugin Vulnerabilities — Patched

WordPress Plugin Vulnerabilities — Unpatched

WordPress Theme Vulnerabilities

Never worry about running a vulnerable plugin or theme again.

Scans Your Website Twice a Day for Vulnerabilities

Automatically Updates if a Security Fix is Available

Emails You a Warning if Site Scan Detects a Vulnerability

The Best WordPress Security Plugin to Secure & Protect WordPress Sites

Author:

Join us for the next Solid Academy Webinar!

What is a WordPress Phishing Attack?

Website Protection: 5 Ways to Keep Your Website Safe

23 Ideas To Grow Your WordPress Business in 2023

Author:

Sign up now — Get SolidWP updates and valuable content straight to your inbox

Sign up

Related Posts

WordPress Vulnerability Report — April 24, 2024

Solid Security Pro Feature Spotlight – Password Requirements

WordPress Vulnerability Report — April 17, 2024

WordPress Vulnerability Report — April 10, 2024