This week, 79 vulnerabilities may affect over 6.6 million WordPress sites. There are 55 plugin vulnerabilities and 5 themes with security patches available, so run those updates if you use these plugins! Additionally, there are 19 plugin vulnerabilities with no patch available yet. At least three of these have been closed and dropped from the wordpress.org plugin directory so far. If you are using any unpatched plugins or themes, check their vendors’ intentions and progress on a security release. If no patch is forthcoming or the vulnerable plugin or theme has been closed, you should consider deactivation and removal in favor of alternative solutions.
For reference, these reports are published every Wednesday and include all active vulnerabilities tracked by Patchstack as of Monday since the previous report. This leaves a 48-hour window for the newest emerging vulnerabilities to be patched before full public disclosure. iThemes Security Pro users have access to vulnerability alerts emerging within this window.
- No new WordPress core vulnerabilities were disclosed this week.
WordPress core is very secure when it’s properly configured and maintained. Vulnerable plugins that have not been updated by site owners are the most common vector for attacks on WordPress websites. Our weekly WordPress Vulnerability Report, powered by Patchstack, covers new WordPress plugin, theme, and core vulnerabilities that have emerged since last week’s report. Our goal is to spread awareness of emerging security threats and help you decide what to do if you are using vulnerable software on your website. For a deeper analysis of recent trends in WordPress vulnerabilities and threat vectors, see our 2022 Annual Vulnerability Report.
WordPress Core News
WordPress 6.2 is the first major release of 2023, with over 900 enhancements and fixes. You’ll notice a reimagined Site Editor, blocks get even better, and new tools and improvements in WordPress 6.2. As always, with a major release like this, ensure your site is backed up with BackupBuddy before updating.
If your WordPress sites have enabled automatic background updates, they should have upgraded to 6.2 automatically. You can download WordPress 6.2 from WordPress.org, or visit your WordPress Dashboard, click “Updates,” and then click the “Update Now” button, which will appear when any core updates are available. For more information, check out the version 6.2 HelpHub documentation page.
WordPress Plugin Vulnerabilities with Patches
In this section, you’ll find the most recently disclosed WordPress plugin vulnerabilities that have been fixed with a new release from their authors and maintainers. Please apply the updates if you are affected!
These vulnerabilities have been disclosed and scored for their severity thanks to our friends at Patchstack. Each plugin listing includes the type of vulnerability with its CVE number and CVSS severity rating with links to more technical details. You’ll also see the number of active sites using the plugin and the plugin version release that patches the vulnerability. We start with the most popular plugins, which represent the largest target for attackers.
Advanced Custom Fields
- Plugin
- Advanced Custom Fields (ACF)
- Vulnerability
- Authenticated (Contributor+) PHP Object Injection vulnerability
WPCode
- Vulnerability
- Cross Site Request Forgery (CSRF)
- CVE
- 2023-1624
WP Fastest Cache
- Plugin
- WP Fastest Cache
- Vulnerability
- Multiple Cross Site Request Forgery (CSRF)
- CVE
- 2023-1926
WP Fastest Cache
- Plugin
- WP Fastest Cache
- CVE
- 2023-1931
Formidable Forms
- CVE
- 2023-1405
Health Check & Troubleshooting
- Vulnerability
- Cross Site Request Forgery (CSRF)
- CVE
- 2022-47161
PHP Compatibility Checker
- Plugin
- PHP Compatibility Checker
- Vulnerability
- Cross Site Request Forgery (CSRF)
- CVE
- 2023-24421
SEOPress
- Plugin
- SEOPress – On-site SEO
- Vulnerability
- Authenticated (Administrator+) PHP Object Injection
Ajax Search Lite
- Plugin
- Ajax Search Lite
- Vulnerability
- Reflected Cross-Site Scripting (XSS)
- CVE
- 2023-1420
User Registration
- CVE
- 2023-29429
Amelia
- Vulnerability
- Cross Site Scripting (XSS)
- CVE
- 2023-29427
Maps Widget for Google Maps
- Plugin
- Maps Widget for Google Maps
- Vulnerability
- Authenticated (Administrator+) Stored Cross-Site Scripting
- CVE
- 2023-1913
MapPress Maps for WordPress
- Plugin
- MapPress Maps for WordPress
- CVE
- 2023-26015
WCFM Frontend Manager
- CVE
- 2022-4937
WCFM Frontend Manager
- Vulnerability
- Cross Site Request Forgery (CSRF)
- CVE
- 2022-4938
WCFM Marketplace
- CVE
- 2022-4935
WCFM Marketplace
- Vulnerability
- Cross Site Request Forgery (CSRF)
- CVE
- 2022-4936
Limit Login Attempts
- Plugin
- WP Limit Login Attempts
- Vulnerability
- Unauthenticated Stored Cross-Site Scripting
- CVE
- 2023-1912
PixTypes
- Plugin
- PixTypes
- Vulnerability
- Cross Site Request Forgery (CSRF)
- CVE
- 2023-25487
Simple Job Board
- Plugin
- Simple Job Board
- Vulnerability
- Cross Site Request Forgery (CSRF)
- CVE
- 2023-29440
WCFM Membership
- CVE
- 2022-4940
WCFM Membership
- Vulnerability
- Cross Site Request Forgery (CSRF)
- CVE
- 2022-4941
WCFM Membership
- CVE
- 2022-4939
Connections Business Directory
- Vulnerability
- Cross Site Scripting (XSS)
- CVE
- 2023-29437
MasterStudy LMS WordPress
- Vulnerability
- Missing Authorization via wp_ajax_stm_wpcfto_get_settings
Superb Social Media Share Buttons and Follow Buttons
- Vulnerability
- Cross Site Request Forgery (CSRF)
- CVE
- 2023-29428
WP Data Access
- Plugin
- WP Data Access
- CVE
- 2023-1874
Magic Post Thumbnail
- Plugin
- Magic Post Thumbnail
- Vulnerability
- Cross Site Scripting (XSS)
- CVE
- 2023-29171
- Vulnerability
- Cross Site Request Forgery (CSRF)
- CVE
- 2023-23704
Spreadshop Plugin
- Plugin
- Spreadshop Plugin
- Vulnerability
- Cross Site Request Forgery (CSRF)
- CVE
- 2023-29426
WP EasyCart
- CVE
- 2023-1124
Sp*tify Play Button for WordPress
- Vulnerability
- Auth. Stored Cross-Site Scripting (XSS)
- CVE
- 2023-1840
Spiffy Calendar
- Plugin
- Spiffy Calendar
- Vulnerability
- Auth. SQL Injection (SQLi)
- CVE
- 2022-46859
PropertyHive
- Plugin
- PropertyHive
- Vulnerability
- Cross Site Scripting (XSS)
- CVE
- 2023-29172
Albo Pretorio On line
- Plugin
- Albo Pretorio On line
- Vulnerability
- Cross Site Scripting (XSS)
- CVE
- 2023-28993
Cancel order request WooCommerce
- Vulnerability
- Cross Site Scripting (XSS)
- CVE
- 2023-29423
Product Enquiry for WooCommerce
- Vulnerability
- Cross Site Scripting (XSS)
- CVE
- 2023-29170
Dynamics 365 Integration
- Plugin
- Dynamics 365 Integration
- CVE
- 2023-29422
Product Catalog Simple
- Plugin
- Product Catalog Simple
- Vulnerability
- Reflected Cross Site Scripting (XSS)
- CVE
- 2023-29388
Product page shipping calculator for WooCommerce
- Vulnerability
- Cross Site Scripting (XSS)
- CVE
- 2023-29094
qTranslate X Cleanup and WPML Import
- CVE
- 2023-29431
ShiftController Employee Shift Scheduling
- Vulnerability
- Cross Site Request Forgery (CSRF)
- CVE
- 2023-29425
ShiftController Employee Shift Scheduling
- Vulnerability
- Cross Site Scripting (XSS)
- CVE
- 2023-29424
CopySafe Web Protection
- Plugin
- CopySafe Web Protection
- Vulnerability
- Cross Site Scripting (XSS)
- CVE
- 2023-29098
SMTP Mailing Queue
- Plugin
- SMTP Mailing Queue
- Vulnerability
- Authenticated (Admin+) Stored Cross-Site Scripting
HT Builder
- Vulnerability
- Cross Site Request Forgery (CSRF) via plugin_activation
Welcome Bar
- Plugin
- Welcome Bar
- Vulnerability
- Cross Site Request Forgery (CSRF)
Welcome Bar
- Plugin
- Welcome Bar
User Role by BestWebSoft
- Vulnerability
- Privilege Escalation via CSRF
- CVE
- 2023-0820
Ajax Search Lite Pro
- Vulnerability
- Multiple Cross Site Scripting (XSS)
- CVE
- 2023-1435
Ajax Search Pro
- Vulnerability
- Reflected Cross Site Scripting (XSS)
- CVE
- 2023-1420
Fancy Product Designer
- Vulnerability
- Insufficient Authorization to Arbitrary Options Update via fpd_update_options
- CVE
- 2021-4334
Fancy Product Designer
- Vulnerability
- Insufficient Authorization on Multiple AJAX Actions
- CVE
- 2021-4335
Image Over Image For WPBakery Page Builder
- Plugin
- Image Over Image For WPBakery Page Builder
- CVE
- 2023-0399
Transbank Webpay REST
- CVE
- 2023-27610
WordPress Plugin Vulnerabilities – No Known Fix
This section contains plugin vulnerabilities with no known fix. Until a patch is available, you are advised to deactivate the plugin, at minimum, immediately. If there is a high risk of active exploits or the plugin remains unpatched for weeks, you are advised to delete the plugin. You should also delete persistently unpatched plugins the WordPress.org repository has locked and marked “Closed” so they can no longer be downloaded and installed.
Optin Forms
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- CVE
- 2023-29434
Libsyn Publisher Hub
- Plugin
- Libsyn Publisher Hub
- Patched in Version
- No Fix
- CVE
- 2023-25057
Comment Reply Notification
- Plugin
- Comment Reply Notification
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- CVE
- 2023-25051
Cryptocurrency All-in-One
- Plugin
- Cryptocurrency All-in-One
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- CVE
- 2023-29435
Easy Sign Up
- Plugin
- Easy Sign Up
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- CVE
- 2023-23701
iframe Shortcode
- Plugin
- IFrame Shortcode
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- CVE
- 2023-29436
Tiny carousel horizontal slider plus
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- CVE
- 2023-24418
SimpleModal Contact Form (SMCF)
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- CVE
- 2023-29438
Solidres
- Vulnerability
- Multiple Reflected Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- CVE
- 2023-1377
tencentcloud-cos
- Patched in Version
- No Fix
- CVE
- 2023-29433
WP FEvents Book
- Vulnerability
- Insecure Direct Object References (IDOR)
- Patched in Version
- No Fix
- CVE
- 2023-1129
IMPress Listings
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- CVE
- 2023-22711
YourChannel
- Plugin
- YourChannel: Everything you want in a YouTube
- Patched in Version
- No Fix
- CVE
- 2023-1865
YourChannel
- Plugin
- YourChannel: Everything you want in a YouTube
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- CVE
- 2023-1866
YourChannel
- Plugin
- YourChannel: Everything you want in a YouTube
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- CVE
- 2023-1867
YourChannel
- Plugin
- YourChannel: Everything you want in a YouTube
- Patched in Version
- No Fix
- CVE
- 2023-1868
YourChannel
- Plugin
- YourChannel: Everything you want in a YouTube
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- CVE
- 2023-1869
YourChannel
- Plugin
- YourChannel: Everything you want in a YouTube
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- CVE
- 2023-1870
YourChannel
- Plugin
- YourChannel: Everything you want in a YouTube
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- CVE
- 2023-1871
WordPress Theme Vulnerabilities
In this section, you’ll find the latest WordPress theme vulnerabilities to be disclosed. You’ll see the same information provided above for vulnerable plugins, and the same advice applies. If a security update exists, install it immediately. If a vulnerability remains unpatched in a theme you are actively using, you will need to find an alternative theme. Deactivate and delete persistently unpatched themes and those that have been “Closed” in the WordPress.org theme repository. If you have a vulnerable theme installed that you are not actively using, simply delete it.
Weaver Xtreme Theme
- Theme
- Weaver Xtreme
- Vulnerability
- Authenticated(Contributor+) Stored Cross-Site Scripting via Display Name
- CVE
- 2023-1403
The7
- Vulnerability
- Cross Site Scripting (XSS)
- CVE
- 2023-29100
Houzez
- CVE
- 2023-29432
Outdoor
- Vulnerability
- Cross Site Scripting (XSS)
- CVE
- 2023-29236
TheRoof
- Vulnerability
- Cross Site Scripting (XSS)
- CVE
- 2023-29430
Never worry about running a vulnerable plugin or theme again.
As you can see from this report, new WordPress plugin and theme vulnerabilities are disclosed every week. We know it can be difficult to stay on top of every reported vulnerability disclosure that matters to you, so the Themes Security Pro plugin makes it easy to ensure your site isn’t running a vulnerable theme, plugin, or version of WordPress core.
The Best WordPress Security Plugin to Secure & Protect WordPress Sites
WordPress currently powers over 40% of all websites, so it has become a popular target for hackers with malicious intent. The iThemes Security Pro plugin takes the guesswork out of WordPress security to make it easy to secure & protect your WordPress website. It’s like having a full-time security expert on staff who constantly monitors and protects your WordPress site for you.
The post WordPress Vulnerability Report – April 12, 2023 appeared first on iThemes.
This content was originally published here.