Vulnerable plugins and themes are some of the most common vectors for attacks on WordPress websites. Our weekly WordPress Vulnerability Report, now powered by Patchstack, covers new WordPress plugins, themes, and core vulnerabilities that have emerged since last week’s report. Our goal is to spread awareness of emerging vulnerabilities and help you decide what to do if you are using one of these vulnerable plugins or themes on your website. For a deeper analysis of trends in WordPress vulnerabilities and threat vectors, see our 2022 Annual Vulnerability Report.
The Future of Authentication is Passkeys! Log into your WordPress site with biometrics, available only in iThemes Security Pro.
Credential stuffing, phishing, and brute force attacks using stolen, guessable, or reused passwords have made our digital lives less secure. Two-Factor Authentication (2FA) offers some protection but at the cost of usability and accessibility. Fewer than 30% of all online account holders actually use 2FA. Password-based logins are broken.
The future of authentication is passkeys, and iThemes Security Pro is the first to bring this breakthrough technology to WordPress sites. Built on WebAuthn and public-key cryptography, passkeys make passwords obsolete. Now, website admins and end users can have secure logins without the inconvenience of additional two-factor apps, password managers, or complex password requirements.
WordPress Core News
WordPress 6.1.1 was released on November 15, 2022, as a short-cycle maintenance release with 29 bug fixes in Core and 21 bug fixes for the block editor. Because this is a core update, be sure to update to WordPress 6.1.1 as soon as possible! As always with a core release, ensure your site is backed up with BackupBuddy before updating.
WordPress 6.2 Beta 5
The first release candidate (RC1) for the WordPress 6.2 development cycle has been postponed two days, to Thursday, March 9, and an additional fifth Beta release came out on Tuesday, March 7. Additional time and testing were needed to deal with a regression that came to light last week. The project is still on track for the final release of WordPress 6.2 on March 28. You can get a preview of what’s coming in 6.2 thanks to Anne McCarthy and Rich Tabor, who hosted a live demo. Anne has also written a detailed overview.
No new WordPress core vulnerabilities were disclosed this week.
WordPress Plugin Vulnerabilities
In this section, you’ll find the most recently disclosed WordPress plugin vulnerabilities that have been fixed with a new release from their authors and maintainers. These vulnerabilities have been disclosed and scored for their severity thanks to our friends at Patchstack. Each plugin listing includes the type of vulnerability with its CVE number and CVSS severity rating with links to more technical details. You’ll also see the number of active sites using the plugin and the plugin version release that patches the vulnerability. We start with the most popular plugins, which represent the largest target for attackers.
WordPress Yoast SEO plugin
Plugin Slug: wordpress-seo
Installations: 5,000,000+
Vulnerability: Authenticated (Contributor+) DOM-Based Cross-Site Scripting
Patched in Version: 20.2.1
Severity Score: Medium
The vulnerability has been patched, so you should update to version 20.2.1.

WordPress Cookie Notice & Compliance for GDPR / CCPA plugin
Plugin Slug: cookie-notice
Installations: 1,000,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.4.7
Severity Score: Medium
The vulnerability has been patched, so you should update to version 2.4.7.

WordPress WPCode plugin
Plugin Slug: insert-headers-and-footers
Installations: 1,000,000+
Vulnerability: Contributor+ WPCode Library Auth Key Update/Deletion
Patched in Version: 2.0.7
Severity Score: Medium
The vulnerability has been patched, so you should update to version 2.0.7.

WordPress Popup Builder by OptinMonster plugin
Plugin Slug: optinmonster
Installations: 1,000,000+
Vulnerability: Subscriber+ Arbitrary Post Content Disclosure
Patched in Version: 2.12.2
Severity Score: Medium
The vulnerability has been patched, so you should update to version 2.12.2.

WordPress Smart Slider 3 plugin
Plugin Slug: smart-slider-3
Installations: 900,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.5.1.14
Severity Score: Medium
The vulnerability has been patched, so you should update to version 3.5.1.14.

WordPress Shortcodes Ultimate plugin
Plugin Slug: shortcodes-ultimate
Installations: 700,000+
Vulnerability: Subscriber+ User Meta Disclosure
Patched in Version: 5.12.8
Severity Score: Medium
The vulnerability has been patched, so you should update to version 5.12.8.

WordPress Metform Elementor Contact Form Builder plugin
Plugin Slug: metform
Installations: 200,000+
Vulnerability: reCaptcha Protection Bypass Vulnerability
Patched in Version: 3.2.2
Severity Score: Medium
The vulnerability has been patched, so you should update to version 3.2.2.

WordPress FluentSMTP plugin
Plugin Slug: fluent-smtp
Installations: 100,000+
Vulnerability: Stored XSS via Email Logs
Patched in Version: 2.2.3
Severity Score: Medium
The vulnerability has been patched, so you should update to version 2.2.3.

WordPress Paid Memberships Pro plugin
Plugin Slug: paid-memberships-pro
Installations: 100,000+
Vulnerability: SQL Injection
Patched in Version: 2.9.12
Severity Score: High
The vulnerability has been patched, so you should update to version 2.9.12.
WordPress VK All in One Expansion Unit plugin
Plugin Slug: vk-all-in-one-expansion-unit
Installations: 100,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 9.86.0.0
Severity Score: Medium
The vulnerability has been patched, so you should update to version 9.86.0.0.

WordPress Slimstat Analytics plugin
Plugin Slug: wp-slimstat
Installations: 100,000+
Vulnerability: SQL Injection
Patched in Version: 4.9.3.3
Severity Score: High
The vulnerability has been patched, so you should update to version 4.9.3.3.

WordPress Auto Featured Image plugin
Plugin Slug: auto-post-thumbnail
Installations: 80,000+
Vulnerability: Author+ Arbitrary File Upload
Patched in Version: 3.9.16
Severity Score: Critical
The vulnerability has been patched, so you should update to version 3.9.16.

WordPress Calculated Fields Form plugin
Plugin Slug: calculated-fields-form
Installations: 60,000+
Vulnerability: Missing Authorization Leading To Feedback Submission
Patched in Version: 1.1.121
Severity Score: Medium
The vulnerability has been patched, so you should update to version 1.1.121.

WordPress Dokan plugin
Plugin Slug: dokan-lite
Installations: 60,000+
Vulnerability: SQL Injection
Patched in Version: 3.7.13
Severity Score: High
The vulnerability has been patched, so you should update to version 3.7.13.

WordPress Quiz And Survey Master plugin
Plugin Slug: quiz-master-next
Installations: 40,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 8.1.0
Severity Score: Medium
The vulnerability has been patched, so you should update to version 8.1.0.

WordPress Jetpack CRM – Clients, Leads, Invoices, Billing, Email Marketing, & Automation plugin
Plugin Slug: zero-bs-crm
Installations: 40,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 5.5.0
Severity Score: Medium
The vulnerability has been patched, so you should update to version 5.5.0.

WordPress GN Publisher plugin
Plugin Slug: gn-publisher
Installations: 30,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.5.6
Severity Score: High
The vulnerability has been patched, so you should update to version 1.5.6.

WordPress Rife Elementor Extensions & Templates plugin
Plugin Slug: rife-elementor-extensions
Installations: 30,000+
Vulnerability: Broken Access Control
Patched in Version: 1.2.0
Severity Score: Medium
The vulnerability has been patched, so you should update to version 1.2.0.

WordPress When Last Login plugin
Plugin Slug: when-last-login
Installations: 30,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.2.2
Severity Score: Medium
The vulnerability has been patched, so you should update to version 1.2.2.
WordPress WP Meteor Page Speed Optimization Topping plugin
Plugin Slug: wp-meteor
Installations: 30,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 3.1.5
Severity Score: Medium
The vulnerability has been patched, so you should update to version 3.1.5.

WordPress Gallery Blocks with Lightbox plugin
Plugin Slug: simply-gallery-block
Installations: 20,000+
Vulnerability: Missing Authorization in pgc_sgb_add_dashboard_widget
Patched in Version: 3.0.8
Severity Score: Medium
The vulnerability has been patched, so you should update to version 3.0.8.

WordPress Wholesale Suite plugin
Plugin Slug: woocommerce-wholesale-prices
Installations: 20,000+
Vulnerability: Settings Change
Patched in Version: 2.1.5.1
Severity Score: Medium
The vulnerability has been patched, so you should update to version 2.1.5.1.

WordPress Yasr – Yet Another Stars Rating plugin
Plugin Slug: yet-another-stars-rating
Installations: 20,000+
Vulnerability: XSS & Arbitrary Shortcode Execution
Patched in Version: 3.1.3
Severity Score: Medium
The vulnerability has been patched, so you should update to version 3.1.3.

WordPress Admin CSS MU plugin
Plugin Slug: admin-css-mu
Installations: 10,000+
Vulnerability: Server Side Request Forgery (SSRF)
Patched in Version: 2.7
Severity Score: High
The vulnerability has been patched, so you should update to version 2.7.

WordPress Maspik – Spam blacklist plugin
Plugin Slug: contact-forms-anti-spam
Installations: 10,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 0.7.9
Severity Score: Medium
The vulnerability has been patched, so you should update to version 0.7.9.

WordPress GTmetrix for WordPress plugin
Plugin Slug: gtmetrix-for-wordpress
Installations: 10,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 0.4.6
Severity Score: Low
The vulnerability has been patched, so you should update to version 0.4.6.

WordPress HT Slider For Elementor plugin
Plugin Slug: ht-slider-for-elementor
Installations: 10,000+
Vulnerability: Arbitrary Plugin Activation via CSRF
Patched in Version: 1.4.0
Severity Score: Medium
The vulnerability has been patched, so you should update to version 1.4.0.

WordPress 10WebMapBuilder plugin
Plugin Slug: wd-google-maps
Installations: 10,000+
Vulnerability: SQL Injection
Patched in Version: 1.0.73
Severity Score: High
The vulnerability has been patched, so you should update to version 1.0.73.

WordPress WP SMS plugin
Plugin Slug: wp-sms
Installations: 9,000+
Vulnerability: Sensitive Data Exposure
Patched in Version: 6.0.4.1
Severity Score: Medium
The vulnerability has been patched, so you should update to version 6.0.4.1.
WordPress WP SMS plugin
Plugin Slug: wp-sms
Installations: 9,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 5.4.13
Severity Score: Medium
The vulnerability has been patched, so you should update to version 5.4.13.

WordPress YITH WooCommerce Product Slider Carousel plugin
Plugin Slug: yith-woocommerce-product-slider-carousel
Installations: 9,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.16.1
Severity Score: Medium
The vulnerability has been patched, so you should update to version 1.16.1.

WordPress JCH Optimize plugin
Plugin Slug: jch-optimize
Installations: 8,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.2.3
Severity Score: Medium
The vulnerability has been patched, so you should update to version 3.2.3.

WordPress LWS Tools plugin
Plugin Slug: lws-tools
Installations: 7,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 2.4
Severity Score: Medium
The vulnerability has been patched, so you should update to version 2.4.

WordPress ProfileGrid plugin
Plugin Slug: profilegrid-user-profiles-groups-and-communities
Installations: 7,000+
Vulnerability: Subscriber+ Arbitrary Password Reset
Patched in Version: 5.3.1
Severity Score: High
The vulnerability has been patched, so you should update to version 5.3.1.

WordPress Add Expires Headers & Optimized Minify plugin
Plugin Slug: add-expires-headers
Installations: 6,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 2.7.1
Severity Score: Medium
The vulnerability has been patched, so you should update to version 2.7.1.

WordPress Button Generator plugin
Plugin Slug: button-generation
Installations: 6,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.3.4
Severity Score: Medium
The vulnerability has been patched, so you should update to version 2.3.4.

WordPress WpStream plugin
Plugin Slug: wpstream
Installations: 6,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 4.4.10.6
Severity Score: Medium
The vulnerability has been patched, so you should update to version 4.4.10.6.

WordPress Dashboard Widgets Suite plugin
Plugin Slug: dashboard-widgets-suite
Installations: 5,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.2.2
Severity Score: Medium
The vulnerability has been patched, so you should update to version 3.2.2.

WordPress Publish to Schedule plugin
Plugin Slug: publish-to-schedule
Installations: 5,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 4.5.5
Severity Score: Medium
The vulnerability has been patched, so you should update to version 4.5.5.
WordPress Simple File List plugin
Plugin Slug: simple-file-list
Installations: 5,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 6.0.10
Severity Score: Medium
The vulnerability has been patched, so you should update to version 6.0.10.

WordPress Watu Quiz plugin
Plugin Slug: watu
Installations: 5,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.3.9.1
Severity Score: High
The vulnerability has been patched, so you should update to version 3.3.9.1.

WordPress WP OAuth Server plugin
Plugin Slug: oauth2-provider
Installations: 4,000+
Vulnerability: Subscriber+ Arbitrary Client Deletion
Patched in Version: 4.3.0
Severity Score: Medium
The vulnerability has been patched, so you should update to version 4.3.0.

WordPress Pie Register plugin
Plugin Slug: pie-register
Installations: 4,000+
Vulnerability: Arbitrary Content Deletion
Patched in Version: 3.8.1.3
Severity Score: High
The vulnerability has been patched, so you should update to version 3.8.1.3.

WordPress Pie Register plugin
Plugin Slug: pie-register
Installations: 4,000+
Vulnerability: Open Redirection
Patched in Version: 3.8.2.3
Severity Score: Medium
The vulnerability has been patched, so you should update to version 3.8.2.3.

WordPress We’re Open! plugin
Plugin Slug: opening-hours
Installations: 3,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.47
Severity Score: Medium
The vulnerability has been patched, so you should update to version 1.47.

WordPress Search in Place plugin
Plugin Slug: search-in-place
Installations: 3,000+
Vulnerability: Missing Authorization Leading To Feedback Submission
Patched in Version: 1.0.105
Severity Score: Medium
The vulnerability has been patched, so you should update to version 1.0.105.

WordPress WP Plugin Manager plugin
Plugin Slug: wp-plugin-manager
Installations: 3,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.1.8
Severity Score: Medium
The vulnerability has been patched, so you should update to version 1.1.8.

WordPress DeepL API translation
Plugin Slug: wpdeepl
Installations: 3,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 2.1.5
Severity Score: Medium
The vulnerability has been patched, so you should update to version 2.1.5.

WordPress Cart Lift
Plugin Slug: cart-lift
Installations: 2,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.1.6
Severity Score: High
The vulnerability has been patched, so you should update to version 3.1.6.

WordPress CP Contact Form with PayPal
Plugin Slug: cp-contact-form-with-paypal
Installations: 2,000+
Vulnerability: Missing Authorization Leading To Feedback Submission
Patched in Version: 1.3.35
Severity Score: Medium
The vulnerability has been patched, so you should update to version 1.3.35.

WordPress Simple Slug Translate plugin
Plugin Slug: simple-slug-translate
Installations: 2,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.7.3
Severity Score: Medium
The vulnerability has been patched, so you should update to version 2.7.3.
WordPress DecaLog plugin
Plugin Slug: decalog
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 3.7.1
Severity Score: Medium
The vulnerability has been patched, so you should update to version 3.7.1.
WordPress Easy Testimonial Slider and Form
Plugin Slug: easy-testimonial-rotator
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.0.16
Severity Score: High
The vulnerability has been patched, so you should update to version 1.0.16.

WordPress Event Espresso 4 Decaf plugin
Plugin Slug: event-espresso-decaf
Installations: 1,000+
Vulnerability: Bypass Vulnerability
Patched in Version: 4.10.45.decaf
Severity Score: Low
The vulnerability has been patched, so you should update to version 4.10.45.decaf.

WordPress Sheets To WP Table Live Sync
Plugin Slug: sheets-to-wp-table-live-sync
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 2.13.0
Severity Score: Medium
The vulnerability has been patched, so you should update to version 2.13.0.

WordPress Total Poll Lite
Plugin Slug: totalpoll-lite
Installations: 1,000+
Vulnerability: Broken Access Control
Patched in Version: 4.8.7
Severity Score: Medium
The vulnerability has been patched, so you should update to version 4.8.7.

WordPress WP Time Slots Booking Form
Plugin Slug: wp-time-slots-booking-form
Installations: 1,000+
Vulnerability: Missing Authorization Leading To Feedback Submission
Patched in Version: 1.1.77
Severity Score: Medium
The vulnerability has been patched, so you should update to version 1.1.77.

WordPress Donation Block For PayPal
Plugin Slug: donations-block
Installations: 700+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.1.0
Severity Score: Medium
The vulnerability has been patched, so you should update to version 2.1.0.

WordPress Namaste! LMS plugin
Plugin Slug: namaste-lms
Installations: 700+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.6
Severity Score: Medium
The vulnerability has been patched, so you should update to version 2.6.

WordPress Namaste! LMS plugin
Plugin Slug: namaste-lms
Installations: 700+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.5.9.4
Severity Score: Medium
The vulnerability has been patched, so you should update to version 2.5.9.4.

WordPress real.Kit plugin
Plugin Slug: real-kit
Installations: 600+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 5.1.1
Severity Score: Medium
The vulnerability has been patched, so you should update to version 5.1.1.

WordPress Custom Login Admin Front-end CSS
Plugin Slug: custom-login-admin-front-end-css-with-multisite-support
Installations: 500+
Vulnerability: Server Side Request Forgery (SSRF)
Patched in Version: 1.5
Severity Score: High
The vulnerability has been patched, so you should update to version 1.5.

WordPress HT Portfolio plugin
Plugin Slug: ht-portfolio
Installations: 300+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.1.6
Severity Score: Medium
The vulnerability has been patched, so you should update to version 1.1.6.

WordPress WooCommerce Checkout Field Manager plugin
Plugin Slug: n-media-woocommerce-checkout-fields
Installations: 200+
Vulnerability: Arbitrary File Upload
Patched in Version: 18.0
Severity Score: Critical
The vulnerability has been patched, so you should update to version 18.0.
WordPress GS Instagram Portfolio plugin
Plugin Slug: gs-instagram-portfolio
Installations: 100+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.4.5
Severity Score: Medium
The vulnerability has been patched, so you should update to version 1.4.5.
WordPress WC Sales Notification plugin
Plugin Slug: wc-sales-notification
Installations: 100+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.2.3
Severity Score: Medium
The vulnerability has been patched, so you should update to version 1.2.3.

WordPress Debug Assistant plugin
Plugin Slug: debug-assistant
Installations: 80+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.5
Severity Score: High
The vulnerability has been patched, so you should update to version 1.5.

WordPress Debug Assistant plugin
Plugin Slug: debug-assistant
Installations: 80+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.5
Severity Score: Medium
The vulnerability has been patched, so you should update to version 1.5.

WordPress Preview Link Generator plugin
Plugin Slug: preview-link-generator
Installations: 10+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.0.4
Severity Score: Medium
The vulnerability has been patched, so you should update to version 1.0.4.

WordPress Replyable plugin
Plugin: Postmatic
Plugin Slug: postmatic
Vulnerability: PHP Object Injection
Patched in Version: 2.2.10
Severity Score: High
The vulnerability has been patched, so you should update to version 2.2.10.

WordPress Toolset Types plugin
Plugin: Types
Plugin Slug: types
Vulnerability: Arbitrary File Upload
Patched in Version: 3.4.18
Severity Score: High
The vulnerability has been patched, so you should update to version 3.4.18.
WordPress Plugin Vulnerabilities – No Known Fix
This section contains plugin vulnerabilities with no known fix. Until a patch is available, you are advised to deactivate the plugin, at minimum, immediately. If there is a high risk of active exploits or the plugin remains unpatched for weeks, you are advised to delete the plugin. You should also delete persistently unpatched plugins the WordPress.org repository has locked and marked “Closed” so they can no longer be downloaded and installed.
WordPress Instant Images
Plugin Slug: instant-images
Installations: 100,000+
Vulnerability: Server Side Request Forgery (SSRF)
Patched in Version: No Fix
Severity Score: High
The vulnerability has not been patched. You should deactivate the plugin.

WordPress Rus-To-Lat plugin
Plugin Slug: rustolat
Installations: 90,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
The vulnerability has not been patched. You should deactivate the plugin.

WordPress WP Social Bookmarking Light plugin
Plugin Slug: wp-social-bookmarking-light
Installations: 60,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
The vulnerability has not been patched. You should deactivate the plugin.

WordPress clickfunnels plugin
Plugin Slug: clickfunnels
Installations: 30,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
The vulnerability has not been patched. You should deactivate the plugin.

WordPress WP Translitera plugin
Plugin Slug: wp-translitera
Installations: 30,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
The vulnerability has not been patched. You should deactivate the plugin.

WordPress WP TFeed plugin
Plugin Slug: accesspress-twitter-feed
Installations: 10,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
The vulnerability has not been patched. You should deactivate the plugin.

WordPress Custom Content Shortcode plugin
Plugin Slug: custom-content-shortcode
Installations: 10,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
The vulnerability has not been patched. You should deactivate the plugin.

WordPress Custom Content Shortcode plugin
Plugin Slug: custom-content-shortcode
Installations: 10,000+
Vulnerability: Local File Inclusion
Patched in Version: No Fix
Severity Score: High
The vulnerability has not been patched. You should deactivate the plugin.

WordPress menu shortcode plugin
Plugin Slug: menu-shortcode
Installations: 10,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
The vulnerability has not been patched. You should deactivate the plugin.

WordPress Smart YouTube PRO plugin
Plugin Slug: smart-youtube
Installations: 10,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
The vulnerability has not been patched. You should deactivate the plugin.

WordPress Styles plugin
Plugin Slug: styles
Installations: 10,000+
Vulnerability: Server Side Request Forgery (SSRF)
Patched in Version: No Fix
Severity Score: High
The vulnerability has not been patched. You should deactivate the plugin.

WordPress Video Background plugin
Plugin Slug: video-background
Installations: 10,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
The vulnerability has not been patched. You should deactivate the plugin.
WordPress WP Clean Up plugin
Plugin Slug: wp-clean-up
Installations: 10,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
The vulnerability has not been patched. You should deactivate the plugin.

WordPress XML Sitemap Generator for Google plugin
Plugin Slug: xml-sitemap-generator-for-google
Installations: 10,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
The vulnerability has not been patched. You should deactivate the plugin.

WordPress FareHarbor for WordPress plugin
Plugin Slug: fareharbor
Installations: 8,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
The vulnerability has not been patched. You should deactivate the plugin.

WordPress Blog Floating Button plugin
Plugin Slug: blog-floating-button
Installations: 7,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
The vulnerability has not been patched. You should deactivate the plugin.

WordPress Classic Editor and Classic Widgets plugin
Plugin Slug: classic-editor-and-classic-widgets
Installations: 7,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
The vulnerability has not been patched. You should deactivate the plugin.

WordPress CPO Content Types plugin
Plugin Slug: cpo-content-types
Installations: 7,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
The vulnerability has not been patched. You should deactivate the plugin.

WordPress Resize at Upload Plus plugin
Plugin Slug: resize-at-upload-plus
Installations: 7,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
The vulnerability has not been patched. You should deactivate the plugin.

WordPress Advanced Text Widget plugin
Plugin Slug: advanced-text-widget
Installations: 6,000+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
The vulnerability has not been patched. You should deactivate the plugin.

WordPress Advanced Text Widget plugin
Plugin Slug: advanced-text-widget
Installations: 6,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
The vulnerability has not been patched. You should deactivate the plugin.

WordPress New Adman plugin
Plugin Slug: new-adman
Installations: 6,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
The vulnerability has not been patched. You should deactivate the plugin.

WordPress New Adman plugin
Plugin Slug: new-adman
Installations: 6,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
The vulnerability has not been patched. You should deactivate the plugin.

WordPress WP No External Links plugin
Plugin Slug: no-external-links
Installations: 6,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
The vulnerability has not been patched. You should deactivate the plugin.
WordPress Simple CSV/XLS Exporter plugin
Plugin Slug: simple-csv-xls-exporter
Installations: 6,000+
Vulnerability: CSV Injection
Patched in Version: No Fix
Severity Score: Medium
The vulnerability has not been patched. You should deactivate the plugin.

WordPress Social Auto Poster plugin
Plugin Slug: accesspress-facebook-auto-post
Installations: 5,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
The vulnerability has not been patched. You should deactivate the plugin.

WordPress Elegant Custom Fonts plugin
Plugin Slug: elegant-custom-fonts
Installations: 5,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
The vulnerability has not been patched. You should deactivate the plugin.

WordPress About Me 3000 widget plugin
Plugin Slug: about-me-3000
Installations: 2,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
The vulnerability has not been patched. You should deactivate the plugin.

WordPress Leyka plugin
Plugin Slug: leyka
Installations: 2,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
The vulnerability has not been patched. You should deactivate the plugin.

WordPress Leyka plugin
Plugin Slug: leyka
Installations: 2,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
The vulnerability has not been patched. You should deactivate the plugin.

WordPress Wpopal Core Features plugin
Plugin Slug: wpopal-core-features
Installations: 2,000+
Vulnerability: Server Side Request Forgery (SSRF)
Patched in Version: No Fix
Severity Score: High
The vulnerability has not been patched. You should deactivate the plugin.

WordPress Simple Vimeo Shortcode
Plugin Slug: the-very-simple-vimeo-shortcode
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
The vulnerability has not been patched. You should deactivate the plugin.

WordPress Sales Report Email for WooCommerce
Plugin Slug: woo-advanced-sales-report-email
Installations: 1,000+
Vulnerability: Other Vulnerability Type
Patched in Version: No Fix
Severity Score: Medium
The vulnerability has not been patched. You should deactivate the plugin.

WordPress WP Google Tag Manager plugin
Plugin Slug: wp-google-tag-manager
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
The vulnerability has not been patched. You should deactivate the plugin.

WordPress Ever Compare plugin
Plugin Slug: ever-compare
Installations: 800+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
The vulnerability has not been patched. You should deactivate the plugin.

WordPress React Webcam plugin
Plugin Slug: react-webcam
Installations: 600+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
The vulnerability has not been patched. You should deactivate the plugin.
WordPress User Activity plugin
Plugin Slug: user-activity
Installations: 300+
Vulnerability: Content Spoofing
Patched in Version: No Fix
Severity Score: Medium
The vulnerability has not been patched. You should deactivate the plugin.

WordPress GoToWP plugin
Plugin Slug: gotowp
Installations: 200+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
The vulnerability has not been patched. You should deactivate the plugin.

WordPress WP Repost plugin
Plugin Slug: wp-repost
Installations: 200+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
The vulnerability has not been patched. You should deactivate the plugin.

WordPress WP Repost plugin
Plugin Slug: wp-repost
Installations: 200+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
The vulnerability has not been patched. You should deactivate the plugin.

WordPress wp2syslog plugin
Plugin Slug: wp2syslog
Installations: 80+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
The vulnerability has not been patched. You should deactivate the plugin.
WordPress CSS Adder By Agence-Press plugin
Plugin Slug: css-adder-by-agence-press
Installations: 60+
Vulnerability: Server Side Request Forgery (SSRF)
Patched in Version: No Fix
Severity Score: High
The vulnerability has not been patched. You should deactivate the plugin.
WordPress AMP Toolbox plugin
Plugin Slug: amp-toolbox
Installations: 50+
Vulnerability: Server Side Request Forgery (SSRF)
Patched in Version: No Fix
Severity Score: High
The vulnerability has not been patched. You should deactivate the plugin.
WordPress Start plugin
Plugin Slug: iksweb
Installations: 40+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
The vulnerability has not been patched. You should deactivate the plugin.
WordPress Manage Upload Limit plugin
Plugin Slug: wpsimpletools-upload-limit
Installations: 40+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
The vulnerability has not been patched. You should deactivate the plugin.
Plugin Slug: dupeoff
Installations: 10+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
The vulnerability has not been patched. You should deactivate the plugin.
WordPress Shipyaari Shipping Management plugin
Plugin Slug: manage-shipyaari-shipping
Installations: 10+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
The vulnerability has not been patched. You should deactivate the plugin.
WordPress Advanced Recent Posts plugin
Plugin: Advanced Recent Posts
Plugin Slug: advanced-recent-posts
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
WordPress Confirm Data plugin
Plugin Slug: confirm-data
Vulnerability: Server Side Request Forgery (SSRF)
Patched in Version: No Fix
Severity Score: High
The vulnerability has not been patched. You should deactivate the plugin.
WordPress Correos Oficial plugin
Plugin: Correos Oficial
Plugin Slug: correosoficial
Vulnerability: Arbitrary File Download
Patched in Version: No Fix
Severity Score: High
The vulnerability has not been patched. You should deactivate the plugin.
WordPress Custom Add User plugin
Plugin: Custom Add User
Plugin Slug: custom-add-user
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
WordPress Download Attachments plugin
Plugin: Download Attachments
Plugin Slug: download-attachments
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
WordPress GigPress plugin
Plugin: GigPress
Plugin Slug: gigpress
Vulnerability: SQL Injection
Patched in Version: No Fix
Severity Score: High
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
WordPress i2 Pros & Cons plugin
Plugin: i2 Pros & Cons
Plugin Slug: i2-pro-cons
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
WordPress PHPFreeChat plugin
Plugin: PHPFreeChat
Plugin Slug: phpfreechat
Vulnerability: Server Side Request Forgery (SSRF)
Patched in Version: No Fix
Severity Score: High
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
WordPress Product GTIN (EAN, UPC, ISBN) for WooCommerce plugin
Plugin: Product GTIN (EAN, UPC, ISBN) for WooCommerce
Plugin Slug: product-gtin-ean-upc-isbn-for-woocommerce
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
WordPress Page Builder – Qards plugin
Plugin: WordPress Page Builder – Qards
Plugin Slug: qards-free
Vulnerability: Server Side Request Forgery (SSRF)
Patched in Version: No Fix
Severity Score: High
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
WordPress Resume Builder plugin
Plugin: Resume Builder
Plugin Slug: resume-builder
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
WordPress Saan World Clock plugin
Plugin: Saan World Clock
Plugin Slug: saan-world-clock
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
WordPress Smart Logo Showcase Lite plugin
Plugin: Smart Logo Showcase Lite
Plugin Slug: smart-logo-showcase-lite
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
WordPress Synved Shortcodes plugin
Plugin: Synved Shortcodes
Plugin Slug: synved-shortcodes
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
WordPress Theme Minifier plugin
Plugin: Theme Minifier
Plugin Slug: theme-minifier
Vulnerability: Server Side Request Forgery (SSRF)
Patched in Version: No Fix
Severity Score: High
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
WordPress UpQode Google Maps plugin
Plugin: UpQode Google Maps
Plugin Slug: upqode-google-maps
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
WordPress Galleries by Angie Makes plugin
Plugin: Galleries by Angie Makes
Plugin Slug: wc-gallery
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
WordPress WooSupply plugin
Plugin: WooSupply – Suppliers, Supply Orders and Stock Management
Plugin Slug: woosupply
Vulnerability: Server Side Request Forgery (SSRF)
Patched in Version: No Fix
Severity Score: High
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
WordPress WooVIP plugin
Plugin: WooVIP – Membership plugin for WordPress and WooCommerce
Plugin Slug: woovip
Vulnerability: Server Side Request Forgery (SSRF)
Patched in Version: No Fix
Severity Score: High
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
WordPress WooVirtualWallet plugin
Plugin: WooVirtualWallet – A virtual wallet for WooCommerce
Plugin Slug: woovirtualwallet
Vulnerability: Server Side Request Forgery (SSRF)
Patched in Version: No Fix
Severity Score: High
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
WordPress AMO for WP plugin
Plugin: AMO for WP – Membership Management
Plugin Slug: wp-amo
Vulnerability: Server Side Request Forgery (SSRF)
Patched in Version: No Fix
Severity Score: High
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
WordPress WPaudio MP3 Player plugin
Plugin: WPaudio MP3 Player
Plugin Slug: wpaudio-mp3-player
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
WordPress WPB Advanced FAQ plugin
Plugin: WPB Advanced FAQ
Plugin Slug: wpb-advanced-faq
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.
WordPress Theme Vulnerabilities
In this section, you’ll find the latest WordPress theme vulnerabilities to be disclosed. You’ll see the same information provided above for vulnerable plugins, and the same advice applies. If a security update exists, install it immediately. If a vulnerability remains unpatched in a theme you are actively using, you will need to find an alternative theme. Deactivate and delete persistently unpatched themes and those that have been “Closed” in the WordPress.org theme repository. If you have a vulnerable theme installed that you are not actively using, simply delete it.
WordPress OceanWP theme
Theme Slug: oceanwp
Downloads: 5,985,364
Vulnerability: Local File Inclusion
Patched in Version: 3.4.2
Severity Score: High
The vulnerability has been patched, so you should update to version 3.4.2.
WordPress Total theme
Theme Slug: total
Downloads: 956,513
Vulnerability: Broken Authentication
Patched in Version: 2.1.20
Severity Score: Medium
The vulnerability has been patched, so you should update to version 2.1.20.
WordPress Big Store theme
Theme Slug: big-store
Downloads: 104,293
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.9.4
Severity Score: Medium
The vulnerability has been patched, so you should update to version 1.9.4.
WordPress darcie theme
Theme Slug: darcie
Downloads: 14,911
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.1.6
Severity Score: High
The vulnerability has been patched, so you should update to version 1.1.6.
WordPress Houzez theme
Theme: Houzez
Theme Slug: houzez
Vulnerability: Privilege Escalation
Patched in Version: 2.7.2
Severity Score: Critical
The vulnerability has been patched, so you should update to version 2.7.2.
WordPress Real Estate 7 theme
Theme: Real Estate 7
Theme Slug: realestate-7
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 3.3.5
Severity Score: Medium
The vulnerability has been patched, so you should update to version 3.3.5.
WordPress Real Estate 7 theme
Theme: Real Estate 7
Theme Slug: realestate-7
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 3.3.5
Severity Score: High
The vulnerability has been patched, so you should update to version 3.3.5.