WordPress Vulnerability Report – April 26, 2023

This week, 160 vulnerabilities may affect over 8 million WordPress sites. There are 68 plugin vulnerabilities with security patches available, so run those updates if you use these plugins! Additionally, there are 92 plugin vulnerabilities with no patch available yet. At least eight of these have been closed and dropped from the wordpress.org plugin directory so far. If you are using any unpatched plugins or themes, check their vendors’ intentions and progress on a security release. If no patch is forthcoming or the vulnerable plugin or theme has been closed, you should consider deactivation and removal in favor of alternative solutions.

For reference, these reports are published every Wednesday and include all active vulnerabilities tracked by Patchstack as of Monday since the previous report. This leaves a 48-hour window for the newest emerging vulnerabilities to be patched before full public disclosure. iThemes Security Pro users have access to vulnerability alerts emerging within this window.

No new WordPress core vulnerabilities were disclosed this week.

WordPress core is very secure when it’s properly configured and maintained. Vulnerable plugins that have not been updated by site owners are the most common vector for attacks on WordPress websites. Our weekly WordPress Vulnerability Report, powered by Patchstack, covers new WordPress plugin, theme, and core vulnerabilities that have emerged since last week’s report. Our goal is to spread awareness of emerging security threats and help you decide what to do if you are using vulnerable software on your website. For a deeper analysis of recent trends in WordPress vulnerabilities and threat vectors, see our 2022 Annual Vulnerability Report.

WordPress Core News

WordPress 6.2 is the first major release of 2023, with over 900 enhancements and fixes. You’ll notice a reimagined Site Editor, blocks get even better, and new tools and improvements in WordPress 6.2. As always, with a major release like this, ensure your site is backed up with BackupBuddy before updating.

If your WordPress sites have enabled automatic background updates, they should have upgraded to 6.2 automatically. You can download WordPress 6.2 from WordPress.org, or visit your WordPress Dashboard, click “Updates,” and then click the “Update Now” button, which will appear when any core updates are available. For more information, check out the version 6.2 HelpHub documentation page.

WordPress Plugin Vulnerabilities with Patches

In this section, you’ll find the most recently disclosed WordPress plugin vulnerabilities that have been fixed with a new release from their authors and maintainers. Please apply the updates if you are affected!

These vulnerabilities have been disclosed and scored for their severity, thanks to our friends at Patchstack. Each plugin listing includes the type of vulnerability with its CVE number and CVSS severity rating with links to more technical details. You’ll also see the number of active sites using the plugin and the plugin version release that patches the vulnerability. We start with the most popular plugins, which represent the largest target for attackers.

Elementor

Plugin: Elementor Website Builder

Autoptimize

Plugin: Autoptimize
Vulnerability: Cross Site Scripting (XSS)

Limit Login Attempts

Plugin: Limit Login Attempts
Vulnerability: Cross Site Scripting (XSS)
CVE: 2023-1861

Ninja Tables – Best Data Table Plugin for WordPress

Plugin: Ninja Tables – Best Data Table Plugin for WordPress
Vulnerability: Cross Site Request Forgery (CSRF)
CVE: 2022-47136

Stream

Plugin: Stream
Vulnerability: Cross Site Request Forgery (CSRF)
CVE: 2022-43490

CMS Tree Page View

Plugin: CMS Tree Page View
Vulnerability: Cross Site Scripting (XSS)
CVE: 2023-30868

TaxoPress

Plugin: TaxoPress is the WordPress Tag, Category, and Taxonomy Manager
Vulnerability: Cross Site Scripting (XSS)
CVE: 2023-2168

OoohBoi Steroids for Elementor

Plugin: OoohBoi Steroids for Elementor
CVE: 2023-1169

PowerPress Podcasting plugin by Blubrry

Plugin: PowerPress Podcasting plugin by Blubrry
Vulnerability: Cross Site Scripting (XSS)
CVE: 2023-30778

Visual CSS Style Editor

Plugin: Visual CSS Style Editor
Vulnerability: Cross Site Scripting (XSS)
CVE: 2022-33961

Jetpack CRM

Plugin: Jetpack CRM – Clients, Leads, Invoices, Billing, Email Marketing, & Automation
Vulnerability: Cross Site Request Forgery (CSRF)
CVE: 2022-3342

miniOrange’s Google Authenticator

Plugin: miniOrange’s Google Authenticator – WordPress Two Factor Authentication (2FA , Two Factor, OTP SMS and Email) | Passwordless login
CVE: 2022-4943

Donation Forms by Charitable

Plugin: Donation Forms by Charitable – Donations Plugin & Fundraising Platform for WordPress
Vulnerability: Cross Site Scripting (XSS)
CVE: 2022-47441

Helpie FAQ

Plugin: Accordion & FAQ – Helpie WordPress Frequently Asked Questions plugin
Vulnerability: Cross Site Scripting (XSS)

Image Optimizer by 10web

Plugin: Image Optimizer by 10web – Image Optimizer and Compression plugin

Kaya QR Code Generator

Plugin: Kaya QR Code Generator
Vulnerability: Cross Site Scripting (XSS)
CVE: 2023-30784

Ultimate Addons for Contact Form 7

Plugin: Ultimate Addons for Contact Form 7
CVE: 2023-30495

YML for Yandex Market

Plugin: YML for Yandex Market
Vulnerability: Cross Site Scripting (XSS)
CVE: 2023-30473

WP Original Media Path

Plugin: WP Original Media Path
Vulnerability: Cross Site Scripting (XSS)
CVE: 2023-23674

LearnPress Export Import

Plugin: LearnPress Export Import – WordPress extension for LearnPress
Vulnerability: Cross Site Scripting (XSS)
CVE: 2023-30487

Integration for Contact Form 7 HubSpot

Plugin: Integration for Contact Form 7 HubSpot
CVE: 2023-31095

Category Specific RSS feed Subscription

Plugin: Category Specific RSS feed Subscription
Vulnerability: Cross Site Scripting (XSS)
CVE: 2023-22685

Captcha Them All

Plugin: Captcha Them All
Vulnerability: Cross Site Scripting (XSS)
CVE: 2023-30786

Live Chat by Formilla

Plugin: Live Chat by Formilla – Real-time Chat & Chatbots Plugin
Vulnerability: Cross Site Scripting (XSS)
CVE: 2023-23727

Album Gallery – WordPress Gallery

Plugin: Album Gallery – WordPress Gallery
Vulnerability: Cross Site Request Forgery (CSRF)
CVE: 2023-23646

Tablesome

Plugin: Tablesome – Data table & Workflow Automation ( Contact Form Entries, Email Log, OpenAI / ChatGPT )
Vulnerability: Cross Site Scripting (XSS)

XML for Google Merchant Center

Plugin: XML for Google Merchant Center
Vulnerability: Cross Site Scripting (XSS)
CVE: 2023-30877

ChatBot

Plugin: AI ChatBot
Vulnerability: Cross Site Scripting (XSS)
CVE: 2023-1651

ChatBot

Plugin: AI ChatBot
Vulnerability: Cross Site Scripting (XSS)
CVE: 2023-1660

ChatBot

Plugin: AI ChatBot
CVE: 2023-1650

ChatBot

Plugin: AI ChatBot
Vulnerability: Cross Site Scripting (XSS)
CVE: 2023-1011

Vimeotheque

Plugin: Vimeotheque / Vimeo
Vulnerability: Cross Site Scripting (XSS)
CVE: 2023-30498

WooCommerce Easy Duplicate Product

Plugin: WooCommerce Easy Duplicate Product
Vulnerability: Cross Site Scripting (XSS)
CVE: 2023-30747

Thumbnail carousel slider

Plugin: Thumbnail carousel slider
Vulnerability: Cross Site Scripting (XSS)
CVE: 2023-2120

WPJAM Basic

Plugin: WPJAM Basic
Vulnerability: Cross Site Scripting (XSS)
CVE: 2023-23709

File Gallery

Plugin: File Gallery
Vulnerability: Cross Site Scripting (XSS)
CVE: 2023-23676

WP-FormAssembly

Plugin: WP-FormAssembly
Vulnerability: Cross Site Scripting (XSS)

Robokassa payment gateway for Woocommerce

Plugin: Robokassa payment gateway for Woocommerce
Vulnerability: Cross Site Scripting (XSS)

Recipe Maker For Your Food Blog from Zip Recipes

Plugin: Recipe Maker For Your Food Blog from Zip Recipes
Vulnerability: Cross Site Scripting (XSS)
CVE: 2023-31076

Locatoraid Store Locator

Plugin: Locatoraid Store Locator
Vulnerability: Cross Site Scripting (XSS)
CVE: 2023-2031

WP Custom Author URL

Plugin: WP Custom Author URL
Vulnerability: Cross Site Scripting (XSS)
CVE: 2023-1614

WP Inventory Manager

Plugin: WP Inventory Manager
Vulnerability: Cross Site Scripting (XSS)
CVE: 2023-1806

BSK Forms Blacklist

Plugin: BSK Forms Blacklist
CVE: 2023-30872

Church Admin

Plugin: Church Admin
Vulnerability: Cross Site Scripting (XSS)
CVE: 2023-30782

Contact Form to DB by BestWebSoft

Plugin: Contact Form to DB by BestWebSoft – Messages Database Plugin For WordPress
CVE: 2023-29096

Contact Form to DB

Plugin: Contact Form to DB by BestWebSoft – Messages Database Plugin For WordPress
Vulnerability: Cross Site Scripting (XSS)

Extensions for Leaflet Map

Plugin: Extensions for Leaflet Map
Vulnerability: Cross Site Scripting (XSS)
CVE: 2023-31074

Modal Dialog

Plugin: Modal Dialog
Vulnerability: Cross Site Scripting (XSS)
CVE: 2023-31071

Query Wrangler

Plugin: Query Wrangler
Vulnerability: Cross Site Scripting (XSS)
CVE: 2023-30779

Shortcode to display post and user data

Plugin: Display custom fields in the frontend – Post and User Profile Fields
CVE: 2023-31073

Stock Exporter for WooCommerce

Plugin: Stock Exporter for WooCommerce
Vulnerability: Cross Site Scripting (XSS)
CVE: 2023-30871

Stock Sync for WooCommerce

Plugin: Stock Sync for WooCommerce
Vulnerability: Cross Site Scripting (XSS)
CVE: 2023-31094

Video Grid

Plugin: Video Grid
Vulnerability: Cross Site Scripting (XSS)
CVE: 2023-30785

WP Docs

Plugin: WP Docs
CVE: 2023-30873

Panorama

Plugin: Panorama – WordPress Project Management Plugin
Vulnerability: Cross Site Scripting (XSS)
CVE: 2023-23810

Formilla Chat and Marketing Automation

Plugin: Customer Support Software, Live Chat, & Marketing Automation
Vulnerability: Cross Site Scripting (XSS)

Formilla Edge

Plugin: Formilla Edge Targeted Messaging Platform for Sales and Marketing
Vulnerability: Cross Site Scripting (XSS)

ChatBot

Plugin: Blog Navigator Chatbot by Xatkit
Vulnerability: Cross Site Scripting (XSS)
CVE: 2023-1649

Form Block

Plugin: Form Block
Vulnerability: Cross Site Request Forgery (CSRF)

Google Analytics Top Content Widget

Plugin: Google Analytics Top Content Widget
Vulnerability: Cross Site Scripting (XSS)
CVE: 2015-10101

Ruby Help Desk

Plugin: Ruby Help Desk
Vulnerability: Insecure Direct Object References (IDOR)
CVE: 2023-1125

WP Cerber Security

Vulnerability: Cross Site Scripting (XSS)
CVE: 2022-4712

WordPress Plugin Vulnerabilities – No Known Fix

This section contains plugin vulnerabilities with no known fix. Until a patch is available, you are advised to deactivate the plugin, at minimum, immediately. If there is a high risk of active exploits or the plugin remains unpatched for weeks, you are advised to delete the plugin. You should also delete persistently unpatched plugins the WordPress.org repository has locked and marked “Closed” so they can no longer be downloaded and installed.

Patched in Version: No Fix
CVE: 2022-45374

Simple Share Buttons Adder

Plugin: Simple Share Buttons Adder
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
CVE: 2022-47178

Themify Portfolio Post

Plugin: Themify Portfolio Post
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
CVE: 2022-32970

GDPR Compliance & Cookie Consent

Plugin: GDPR Compliance & Cookie Consent
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
CVE: 2022-45815

ShopEngine

Plugin: ShopEngine – Elementor WooCommerce Builder Addons, Variation Swatches, Wishlist, Products Compare – All in One Solution
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
CVE: 2022-45371

Pearl

Plugin: WordPress Header Builder Plugin – Pearl
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
CVE: 2022-38356

ReviewX – Multi-criteria Rating & Reviews for WooCommerce

Plugin: ReviewX – Multi-criteria Rating & Reviews for WooCommerce
Patched in Version: No Fix
CVE: 2023-26325

Simple Tooltips

Plugin: Simple Tooltips
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
CVE: 2023-25958

Smart WooCommerce Search

Plugin: Smart WooCommerce Search
Patched in Version: No Fix
CVE: 2023-30783

WP Page Numbers

Plugin: WP Page Numbers
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
CVE: 2023-27623

I Recommend This

Plugin: I Recommend This
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
CVE: 2023-23673

Motors

Plugin: Motors – Car Dealer, Classifieds & Listing
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
CVE: 2022-38716

Redirect After Login

Plugin: Redirect After Login
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
CVE: 2023-27624

SparkPost

Plugin: SparkPost
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
CVE: 2023-23654

White Label Branding for Elementor Page Builder

Plugin: White Label Branding for Elementor Page Builder
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
CVE: 2023-23683

Arconix Shortcodes

Plugin: Arconix Shortcodes
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
CVE: 2023-23703

Rating-Widget: Star Review System

Plugin: Rating-Widget: Star Review System
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
CVE: 2023-23831

BBSpoiler

Plugin: BBSpoiler
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
CVE: 2023-23873

Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
CVE: 2023-23657

SiteAlert

Plugin: SiteAlert – Uptime, Speed, and Security Monitoring for WordPress
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
CVE: 2022-46857

Social Share Boost

Plugin: Social Share Boost
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
CVE: 2023-23688

FormCraft

Plugin: FormCraft – Contact Form Builder for WordPress
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
CVE: 2023-22717

WP-dTree

Plugin: WP-dTree
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
CVE: 2022-47423

WP Links Page

Plugin: WP Links Page
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
CVE: 2023-22720

BadgeOS

Plugin: BadgeOS
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
CVE: 2022-41987

Booking calendar, Appointment Booking System

Plugin: Booking calendar, Appointment Booking System
Patched in Version: No Fix
CVE: 2022-47428

Email posts to subscribers

Plugin: Email posts to subscribers
Patched in Version: No Fix
CVE: 2022-46818

Layer Slider

Plugin: Layer Slider
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
CVE: 2023-23671

Zendesk Support for WordPress

Plugin: Zendesk Support for WordPress
Patched in Version: No Fix
CVE: 2023-23716

Button Builder – Buttons X

Plugin: Button Builder – Buttons X
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
CVE: 2023-23867

Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
CVE: 2023-22684

Uji Popup

Plugin: Uji Popup
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
CVE: 2023-23641

Update Image Tag Alt Attribute

Plugin: Update Image Tag Alt Attribute
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
CVE: 2023-27455

WCP Contact Form

Plugin: WCP Contact Form
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
CVE: 2023-22703

WP BrowserUpdate

Plugin: WP BrowserUpdate
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
CVE: 2023-31078

WP BrowserUpdate

Plugin: WP BrowserUpdate
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
CVE: 2023-28690

ARMember

Plugin: ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
CVE: 2022-47140

Progress Bar

Plugin: Progress Bar
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
CVE: 2023-23699

PropertyHive

Plugin: PropertyHive
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
CVE: 2023-22706

Updraft

Plugin: Updraft
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
CVE: 2023-26530

Advanced Category Template

Plugin: Advanced Category Template
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
CVE: 2023-31072

Continuous announcement scroller

Plugin: Continuous announcement scroller
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
CVE: 2022-46819

Easy Slider Revolution

Plugin: Easy Slider Revolution
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
CVE: 2023-28622

Ebook Store

Plugin: Ebook Store
Patched in Version: No Fix
CVE: 2023-22701

Ebook Store

Plugin: Ebook Store
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
CVE: 2023-22690

Gallery Metabox

Plugin: Gallery Metabox
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
CVE: 2022-47134

Simple Giveaways

Plugin: Simple Giveaways – Grow your business, email lists and traffic with contests
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
CVE: 2023-31086

Inactive User Deleter

Plugin: Inactive User Deleter
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
CVE: 2023-27424

Kodex Posts likes

Plugin: Kodex Posts likes
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
CVE: 2022-46814

Verified Reviews (Avis Vérifiés)

Plugin: Verified Reviews (Avis Vérifiés)
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
CVE: 2023-23720

Accessibility Suite by Online ADA

Plugin: Accessibility Suite by Online ADA
Patched in Version: No Fix
CVE: 2022-47420

Premmerce

Plugin: Premmerce
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
CVE: 2023-23719

The School Management

Plugin: The School Management – Education & Learning Management
Patched in Version: No Fix
CVE: 2022-47430

Shortcode IMDB

Plugin: Shortcode IMDB
Patched in Version: No Fix
CVE: 2022-47432

Tippy

Plugin: Tippy
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
CVE: 2023-31079

Video XML Sitemap Generator

Plugin: Video XML Sitemap Generator
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
CVE: 2023-31089

Yatra

Plugin: Best Travel Booking WordPress Plugin, Tour Booking System, Trip Booking WordPress Plugin – Yatra
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
CVE: 2022-47436

Semalt Blocker

Plugin: Semalt Blocker
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
CVE: 2023-23794

Woocommerce Products Designer by ORION

Plugin: Woocommerce Products Designer by ORION – online product customizer for t-shirts, print cards, phone cases Lettering & Decals
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
CVE: 2022-46856

ApexChat

Plugin: ApexChat
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
CVE: 2023-28414

eRocket

Plugin: eRocket
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
CVE: 2023-28174

Flyzoo Chat

Plugin: Flyzoo Chat
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
CVE: 2022-46817

Cab Grid

Plugin: Cab Grid
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
CVE: 2023-28533

Clock In Portal

Plugin: Clock In Portal- Staff & Attendance Management
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
CVE: 2023-0761

Clock In Portal

Plugin: Clock In Portal- Staff & Attendance Management
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
CVE: 2023-0762

Clock In Portal

Plugin: Clock In Portal- Staff & Attendance Management
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
CVE: 2023-0763

GPS Plotter

Plugin: Gps Plotter
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
CVE: 2023-30874

Woocommerce Tip/Donation

Plugin: Woocommerce Tip/Donation
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
CVE: 2023-28783

Dynamically Register Sidebars

Plugin: Dynamically Register Sidebars
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
CVE: 2023-31091

Easy Bet

Plugin: Easy Bet
Patched in Version: No Fix
CVE: 2023-31092

Logo Scheduler

Plugin: Logo Scheduler – Great for holidays, events, and more
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
CVE: 2023-30875

Woocommerce Email Report

Plugin: Woocommerce Email Report
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
CVE: 2023-27627

Pickup | Delivery | Dine-in date time

Plugin: Pickup | Delivery | Dine-in date time
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
CVE: 2023-0894

Advanced Youtube Channel Pagination

Plugin: Advanced Youtube Channel Pagination
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
CVE: 2023-28693

hiWeb Migration Simple

Plugin: hiWeb Migration Simple
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
CVE: 2023-0769

UserPlus

Plugin: User registration & user profile – UserPlus
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
CVE: 2023-0824

Chronosly Events Calendar

Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
CVE: 2023-31093

Cloud Manager

Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
CVE: 2023-0421

CRM Memberships

Plugin: CRM Memberships
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
CVE: 2023-27427

Dave’s WordPress Live Search

Plugin: Dave’s WordPress Live Search
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
CVE: 2023-30876

Decon WP SMS

Plugin: Decon WP SMS
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
CVE: 2023-27416

Easy Ad Manager

Plugin: Easy Ad Manager
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
CVE: 2023-25460

EZP Maintenance Mode

Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
CVE: 2023-23682

Forms Ada

Plugin: Forms Ada – Form Builder
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
CVE: 2023-27613

Login Page Styler

Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
CVE: 2022-46861

NS Coupon to Become Customer

Plugin: NS Coupon To Become Customer
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
CVE: 2023-27422

Reservation.Studio widget

Plugin: Reservation.Studio widget
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
CVE: 2023-25468

Sloth Logo Customizer

Plugin: Sloth Logo Customizer
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
CVE: 2023-0603

vSlider Multi Image Slider for WordPress

Plugin: vSlider Multi Image Slider for WordPress
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
CVE: 2023-22672

WP Login Box

Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
CVE: 2023-0544

ZM Ajax Login & Register

Plugin: ZM Ajax Login & Register
Patched in Version: No Fix
CVE: 2023-2027

ZM Ajax Login & Register

Plugin: ZM Ajax Login & Register
Patched in Version: No Fix
CVE: 2023-2027

WordPress Theme Vulnerabilities

In this section, you’ll find the latest WordPress theme vulnerabilities to be disclosed. You’ll see the same information provided above for vulnerable plugins, and the same advice applies. If a security update exists, install it immediately. If a vulnerability remains unpatched in a theme you are actively using, you will need to find an alternative theme. Deactivate and delete persistently unpatched themes and those that have been “Closed” in the WordPress.org theme repository. If you have a vulnerable theme installed that you are not actively using, simply delete it.

No new WordPress theme vulnerabilities were disclosed this week.

Never worry about running a vulnerable plugin or theme again.

As you can see from this report, new WordPress plugin and theme vulnerabilities are disclosed every week. We know it can be difficult to stay on top of every reported vulnerability disclosure that matters to you, so the Themes Security Pro plugin makes it easy to ensure your site isn’t running a vulnerable theme, plugin, or version of WordPress core.

Scans Your Website Twice a Day for Vulnerabilities

Your website’s plugins, themes, and WordPress core versions are checked against the Patchstack Vulnerability Database for the latest vulnerability disclosures.

Automatically Updates if a Security Fix is Available

Paired with Version Management, iThemes Security will automatically update a plugin, theme, or WordPress core version if it has a vulnerability.

Emails You a Warning if Site Scan Detects a Vulnerability

You can receive an email report if your site is running vulnerable versions of a plugin, theme, or WordPress core. Customize the email addresses that receive scan results.

The Best WordPress Security Plugin to Secure & Protect WordPress Sites

WordPress currently powers over 40% of all websites, so it has become a popular target for hackers with malicious intent. The iThemes Security Pro plugin takes the guesswork out of WordPress security to make it easy to secure & protect your WordPress website. It’s like having a full-time security expert on staff who constantly monitors and protects your WordPress site for you.

Buy iThemes Security Pro

The post WordPress Vulnerability Report – April 26, 2023 appeared first on iThemes.

This content was originally published here.