WordPress Vulnerability Report – June 28, 2023


Warning: getimagesize(https://ps.w.org/woocommerce-payments/assets/banner-1544x500.png?rev=2429229): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/woocommerce-paypal-payments/assets/banner-1544x500.png?rev=2598902): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/wp-user-avatar/assets/banner-1544x500.png?rev=2532489): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/unlimited-elements-for-elementor/assets/banner-1544x500.png?rev=2928064): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/wp-security-audit-log/assets/banner-772x250.jpg?rev=2327238): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/colibri-page-builder/assets/banner-772x250.jpg?rev=2748397): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/cf7-google-sheets-connector/assets/banner-772x250.jpg?rev=2561755): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/icegram/assets/banner-1544x500.png?rev=2314881): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/nd-shortcodes/assets/banner-1544x500.jpg?rev=1498667): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/protect-wp-admin/assets/banner-772x250.jpg?rev=2313728): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/afterpay-gateway-for-woocommerce/assets/banner-1544x500.png?rev=2352720): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/bookit/assets/banner-1544x500.jpg?rev=2385587): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/cms-commander-client/assets/banner-772x250.png?rev=1171860): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/contact-form-to-email/assets/banner-772x250.png?rev=695808): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/custom-404-pro/assets/banner-772x250.png?rev=2346327): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/file-renaming-on-upload/assets/banner-1544x500.png?rev=1847446): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/mage-eventpress/assets/banner-772x250.jpg?rev=2729982): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/formcraft-form-builder/assets/banner-1544x500.png?rev=1739951): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/gsheetconnector-wpforms/assets/banner-772x250.png?rev=2415782): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/mstore-api/assets/banner-1544x500.png?rev=2161217): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/poll-maker/assets/banner-1544x500.jpg?rev=2072435): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/wp-custom-cursors/assets/banner-772x250.jpg?rev=2911931): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/survey-maker/assets/banner-1544x500.jpg?rev=2444468): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/donations-for-woocommerce/assets/banner-1544x500.png?rev=2498416): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/eventon-lite/assets/banner-1544x500.png?rev=2820760): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/core-web-vitals-pagespeed-booster/assets/banner-1544x500.png?rev=2839971): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/extra-user-details/assets/banner-772x250.png?rev=529079): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/kivicare-clinic-management-system/assets/banner-772%C3%97250.jpg?rev=2927678): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/wpdirectorykit/assets/banner-772x250.jpg?rev=2607747): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/contact-form-to-db/assets/banner-1544x500.jpg?rev=2312367): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/gallery-photo-gallery/assets/banner-1544x500.png?rev=2452024): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/gsheetconnector-for-elementor-forms/assets/banner-772x250.png?rev=2825100): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/gsheetconnector-ninja-forms/assets/banner-772x250.png?rev=2600542): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/mycurator/assets/banner-772x250.png?rev=1626228): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/oopspam-anti-spam/assets/banner-772x250.png?rev=2920385): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/booking-calendar-contact-form/assets/banner-772x250.png?rev=790925): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/wp-ticket/assets/banner-772x250.jpg?rev=1418319): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/wp-sticky-social/assets/banner-772x250.png?rev=835454): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/mail-queue/assets/banner-1544x500.png?rev=2650489): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/lana-shortcodes/assets/banner-772x250.jpg?rev=1512700): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/mailtree-log-mail/assets/banner-772x250.png?rev=2767263): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/lana-text-to-image/assets/banner-772x250.jpg?rev=2641161): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/gdpr-cookie-consent/assets/banner-1544x500.png?rev=2255445): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/contact-form-add/assets/banner-1544x500.png?rev=1627811): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/apply-online/assets/banner-772x250.jpeg?rev=2349398): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/js-support-ticket/assets/banner-772x250.png?rev=2352338): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/mojoplug-slide-panel/assets/banner-1544x500.png?rev=1544020): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/smoothscroller/assets/banner-772x250.jpg?rev=1249929): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/enable-svg-uploads/assets/banner-1544x500.png?rev=2404934): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/gsheetconnector-caldera-forms/assets/banner-772x250.png?rev=2408249): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

This week, 140 total vulnerabilities emerged in public disclosure. They may affect over 13 million WordPress sites. There are 116 plugin vulnerabilities and one theme vulnerability that has security patches available, so run those updates!

Additionally, there are 23 plugin vulnerabilities with no patch available yet. If you are using any unpatched plugins or themes, check their vendors’ intentions and progress on a security release. If no patch is forthcoming or the vulnerable software has been closed and dropped from the official WordPress and repositories, you should consider deactivation and removal in favor of alternative solutions.

WordPress Core Vulnerabilities — Patched

  • No new WordPress core vulnerabilities were disclosed this week.

WordPress core is very secure when it’s properly configured and maintained. Vulnerable plugins that have not been updated by site owners are the most common vector for attacks on WordPress websites. Our weekly WordPress Vulnerability Report, powered by Patchstack, covers new WordPress plugin, theme, and core vulnerabilities that have emerged since last week’s report. Our goal is to spread awareness of emerging security threats and help you decide what to do if you are using vulnerable software on your website. For a deeper analysis of recent trends in WordPress vulnerabilities and threat vectors, see our 2022 Annual Vulnerability Report.

These reports are published every Wednesday and include all active vulnerabilities tracked by Patchstack as of Monday since the previous report. This leaves a 48-hour window for the newest emerging vulnerabilities to be patched before full public disclosure. iThemes Security Pro users have access to vulnerability alerts emerging within this window.

WordPress Plugin Vulnerabilities — Patched

In this section, you’ll find the most recently disclosed WordPress plugin vulnerabilities that have been fixed with a new release from their authors and maintainers. Please apply the updates if you are affected!

These vulnerabilities have been disclosed and scored for their severity, thanks to our friends at Patchstack. Each plugin listing includes the type of vulnerability with its CVE number and CVSS severity rating with links to more technical details. You’ll also see the number of active sites using the plugin and the plugin version release that patches the vulnerability. We start with the most popular plugins, which represent the largest target for attackers.

Complianz

Product image for Complianz – GDPR/CCPA Cookie Consent.

Vulnerability
Cross Site Request Forgery (CSRF) lead to Site Wide Cross Site Scripting (XSS)
The vulnerability has been patched, so you should update to version 6.4.5.

WooCommerce PayPal Payments

Product image for WooCommerce PayPal Payments.

Vulnerability
Cross Site Request Forgery (CSRF)
The vulnerability has been patched, so you should update to version 2.0.5.

WP Mail Logging

Product image for WP Mail Logging.

Vulnerability
Missing Authorization to Notice Dismissal
The vulnerability has been patched, so you should update to version 1.12.0.

WP Activity Log

Product image for WP Activity Log.

CVE
2023-2261
The vulnerability has been patched, so you should update to version 4.5.2.

WooCommerce Square

Product image for WooCommerce Square.

Vulnerability
Insecure Direct Object References (IDOR)
The vulnerability has been patched, so you should update to version 3.8.2.

Conditional Menus

Vulnerability
Cross Site Scripting (XSS)
CVE
2023-2654
The vulnerability has been patched, so you should update to version 1.2.1.

CF7 Google Sheets Connector

Product image for CF7 Google Sheets Connector.

Vulnerability
Reflected Cross Site Scripting (XSS)
CVE
2023-2320
The vulnerability has been patched, so you should update to version 5.0.2.

ConvertKit

Product image for ConvertKit – Email Marketing, Email Newsletter, Subscribers and Landing Pages.

Vulnerability
Reflected Cross Site Scripting (XSS)
CVE
2023-2337
The vulnerability has been patched, so you should update to version 2.2.1.

Super Socializer

Product image for Social Share, Social Login and Social Comments Plugin – Super Socializer.

Vulnerability
Cross Site Scripting (XSS)
The vulnerability has been patched, so you should update to version 7.13.53.

Super Socializer

Product image for Social Share, Social Login and Social Comments Plugin – Super Socializer.

Vulnerability
Reflected Cross Site Scripting (XSS)
CVE
2023-2779
The vulnerability has been patched, so you should update to version 7.13.52.
CVE
2023-1844
The vulnerability has been patched, so you should update to version 10.41.
Vulnerability
Cross Site Request Forgery (CSRF)
CVE
2023-3407
The vulnerability has been patched, so you should update to version 10.41.

ND Shortcodes

Product image for ND Shortcodes.

Plugin
ND Shortcodes
CVE
2023-1273
The vulnerability has been patched, so you should update to version 7.0.

Protect WP Admin

Product image for Protect WP Admin.

Vulnerability
Unauthenticated Protection Bypass Vulnerability
CVE
2023-3139
The vulnerability has been patched, so you should update to version 4.0.

Quiz Maker

Product image for Quiz Maker.

Plugin
Quiz Maker
Vulnerability
Reflected Cross Site Scripting (XSS)
CVE
2023-2571
The vulnerability has been patched, so you should update to version 6.4.2.7.

wpForo Forum

Product image for wpForo Forum.

Plugin
wpForo Forum
Vulnerability
Authenticated (Subscriber+) Local File Include, Server-Side Request Forgery, and PHAR Deserialization via file_get_contents
CVE
2023-2249
The vulnerability has been patched, so you should update to version 2.1.8.

CMS Commander

Product image for CMS Commander – Manage Multiple Sites.

Vulnerability
Authorization Bypass through Use of Insufficiently Unique Cryptographic Signature
CVE
2023-3325
The vulnerability has been patched, so you should update to version 2.288.

Contact Form Email

Product image for Contact Form Email.

Vulnerability
Unauthenticated Stored Cross Site Scripting (XSS)
CVE
2023-2718
The vulnerability has been patched, so you should update to version 1.3.38.

Custom 404 Pro

Product image for Custom 404 Pro.

CVE
2023-2032
The vulnerability has been patched, so you should update to version 3.8.1.

File Renaming on Upload

Product image for File Renaming on Upload.

Vulnerability
Admin+ Stored Cross Site Scripting (XSS)
CVE
2023-2684
The vulnerability has been patched, so you should update to version 2.5.2.

Restrict Content

Product image for Membership Plugin – Restrict Content.

Vulnerability
Missing Authorization to Notice Dismissal
The vulnerability has been patched, so you should update to version 3.2.3.

Restrict Content

Product image for Membership Plugin – Restrict Content.

Vulnerability
Reflected Cross Site Scripting (XSS)
The vulnerability has been patched, so you should update to version 3.2.3.

WPForms Google Sheet Connector

Product image for WPForms Google Sheet Connector.

Vulnerability
Reflected Cross Site Scripting (XSS)
CVE
2023-2321
The vulnerability has been patched, so you should update to version 3.4.6.

MStore API

Product image for MStore API.

Plugin
MStore API
CVE
2023-3197
The vulnerability has been patched, so you should update to version 4.0.2.

MStore API

Product image for MStore API.

Plugin
MStore API
The vulnerability has been patched, so you should update to version 3.9.8.

Simple Iframe

Plugin
Simple Iframe
Vulnerability
Contributor+ Stored Cross Site Scripting (XSS)
CVE
2023-2964
The vulnerability has been patched, so you should update to version 1.2.0.

AI ChatBot

Product image for AI ChatBot.

Plugin
AI ChatBot
Vulnerability
Admin+ Stored Cross Site Scripting (XSS)
CVE
2023-2742
The vulnerability has been patched, so you should update to version 4.5.5.

AI ChatBot

Product image for AI ChatBot.

Plugin
AI ChatBot
Vulnerability
Admin+ Stored Cross Site Scripting (XSS)
CVE
2023-2811
The vulnerability has been patched, so you should update to version 4.5.6.

Potent Donations for WooCommerce

Product image for Potent Donations for WooCommerce.

Vulnerability
Cross Site Request Forgery (CSRF)
The vulnerability has been patched, so you should update to version 1.1.10.

EventON

Product image for EventON.

Plugin
EventON
CVE
2023-2796
The vulnerability has been patched, so you should update to version 2.1.2.

EventON

Product image for EventON.

Plugin
EventON
Vulnerability
Unauthenticated Post Access via Insecure Direct Object References (IDOR)
CVE
2023-3219
The vulnerability has been patched, so you should update to version 2.1.2.

Extra User Details

Product image for Extra User Details.

Vulnerability
Cross Site Request Forgery (CSRF)
The vulnerability has been patched, so you should update to version 0.5.1.

Extra User Details

Product image for Extra User Details.

Vulnerability
Cross Site Scripting (XSS)
The vulnerability has been patched, so you should update to version 0.5.1.

teachPress

Plugin
teachPress
Vulnerability
Cross Site Scripting (XSS)
The vulnerability has been patched, so you should update to version 9.0.3.

WP Directory Kit

Product image for WP Directory Kit.

Vulnerability
Unauthenticated Local File Inclusion
CVE
2023-2278
The vulnerability has been patched, so you should update to version 1.2.4.

Ninja Forms Google Sheet Connector

Product image for Ninja Forms Google Sheet Connector.

Vulnerability
Reflected Cross Site Scripting (XSS)
CVE
2023-2333
The vulnerability has been patched, so you should update to version 1.2.7.

MyCurator Content Curation

Product image for MyCurator Content Curation.

Vulnerability
Cross Site Request Forgery (CSRF)
The vulnerability has been patched, so you should update to version 3.75.

OOPSpam Anti-Spam

Product image for OOPSpam Anti-Spam.

Vulnerability
Cross Site Request Forgery (CSRF)
The vulnerability has been patched, so you should update to version 1.1.45.

Booking Calendar Contact Form

Product image for Booking Calendar Contact Form.

Vulnerability
Cross Site Scripting (XSS)
The vulnerability has been patched, so you should update to version 1.2.41.

Customer Service Software & Support Ticket System

Product image for Customer Service Software & Support Ticket System.

Vulnerability
Authenticated (Administrator+) Stored Cross Site Scripting (XSS)
The vulnerability has been patched, so you should update to version 5.13.

WP Sticky Social

Product image for WP Sticky Social.

Vulnerability
Cross-Site Request Forgery to Stored Cross-Site Scripting
CVE
2023-3320
The vulnerability has been patched, so you should update to version 1.0.2.

Mail Queue

Product image for Mail Queue.

Plugin
Mail Queue
Vulnerability
Unauthenticated Stored Cross-Site Scripting via Email Subject
CVE
2023-3167
The vulnerability has been patched, so you should update to version 1.2.

Lana Shortcodes

Product image for Lana Shortcodes.

Vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
The vulnerability has been patched, so you should update to version 1.2.0.

Mailtree Log Mail

Product image for Mailtree Log Mail.

Vulnerability
Unauth. Stored Cross Site Scripting (XSS)
CVE
2023-3135
The vulnerability has been patched, so you should update to version 1.0.1.

AutomateWoo

Vulnerability
Cross Site Request Forgery (CSRF)
The vulnerability has been patched, so you should update to version 5.7.6.

AutomateWoo

The vulnerability has been patched, so you should update to version 5.7.6.

Complianz Premium

Vulnerability
Cross Site Request Forgery (CSRF) to Site Wide Cross Site Scripting (XSS
The vulnerability has been patched, so you should update to version 6.4.7.

Complianz Premiumy

Vulnerability
Multiple Cross Site Request Forgery (CSRF)
The vulnerability has been patched, so you should update to version 6.4.8.

Elementor Pro

Vulnerability
Auth. Broken Access Control
The vulnerability has been patched, so you should update to version 3.13.1.

Go Pricing – WordPress Responsive Pricing Tables

CVE
2023-2494
The vulnerability has been patched, so you should update to version 3.4.

Go Pricing – WordPress Responsive Pricing Tables

Vulnerability
Contributor+ Cross Site Scripting (XSS)
CVE
2023-2498
The vulnerability has been patched, so you should update to version 3.4.

MonsterInsights Pro

Vulnerability
Cross Site Scripting (XSS)
The vulnerability has been patched, so you should update to version 8.15.

Gravity Forms

Vulnerability
Reflected Cross Site Scripting (XSS)
CVE
2023-2701
The vulnerability has been patched, so you should update to version 2.7.5.

WPBakery Page Builder

Vulnerability
Contributor+ Cross Site Scripting (XSS)
The vulnerability has been patched, so you should update to version 6.13.0.

Lana Text to Image

Product image for Lana Text to Image.

Vulnerability
Auth. Stored Cross Site Scripting (XSS)
CVE
2023-3387
The vulnerability has been patched, so you should update to version 1.1.0.

PixelYourSite PRO

Vulnerability
Admin+ Stored Cross Site Scripting (XSS)
CVE
2023-2584
The vulnerability has been patched, so you should update to version 9.6.2.

USM Premium

Vulnerability
Admin+ Stored Cross Site Scripting (XSS)
CVE
2023-1166
The vulnerability has been patched, so you should update to version 16.3.

Abandoned Cart Pro for WooCommerce

Vulnerability
Stored Cross Site Scripting (XSS)
The vulnerability has been patched, so you should update to version 7.13.0.

WooCommerce Brands

Vulnerability
Cross Site Request Forgery (CSRF)
The vulnerability has been patched, so you should update to version 1.6.50.

WooCommerce Bulk Stock Management

Plugin
WooCommerce Bulk Stock Management
Vulnerability
Cross Site Scripting (XSS)
The vulnerability has been patched, so you should update to version 2.2.34.

WooCommerce Order Barcodes

Vulnerability
Cross Site Request Forgery (CSRF)
The vulnerability has been patched, so you should update to version 1.6.5.

WooCommerce Product Vendors

Vulnerability
Shop Manager+ SQL Injection
The vulnerability has been patched, so you should update to version 2.1.79.

WooCommerce Ship to Multiple Addresses

Plugin
WooCommerce Ship to Multiple Addresses
Vulnerability
Cross Site Request Forgery (CSRF)
The vulnerability has been patched, so you should update to version 3.8.6.

WooCommerce Subscriptions

Vulnerability
Insecure Direct Object References (IDOR)
The vulnerability has been patched, so you should update to version 5.1.3.

WordPress File Upload

CVE
2023-2688
The vulnerability has been patched, so you should update to version 4.19.2.

WPForms Pro

Vulnerability
Reflected Cross Site Scripting (XSS)
The vulnerability has been patched, so you should update to version 1.8.1.3.

WordPress Plugin Vulnerabilities — Unpatched

This section contains plugin vulnerabilities with no known fix. Until a patch is available, you are advised to deactivate the plugin, at minimum, immediately. If there is a high risk of active exploits or the plugin remains unpatched for weeks, you are advised to delete the plugin. You should also delete persistently unpatched plugins the WordPress.org repository has locked and marked “Closed” so they can no longer be downloaded and installed.

JS Help Desk – Best Help Desk & Support Plugin

Product image for JS Help Desk – Best Help Desk & Support Plugin.

Vulnerability
Insecure Direct Object References (IDOR) Leading To Ticket Deletion
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

MojoPlug Slide Panel

Product image for MojoPlug Slide Panel.

Vulnerability
Cross Site Scripting (XSS)
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

Smoothscroller

Product image for Smoothscroller.

Vulnerability
Cross Site Scripting (XSS)
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

Enable SVG Uploads

Product image for Enable SVG Uploads.

Vulnerability
Auth. Stored Cross Site Scripting (XSS)
Patched in Version
No Fix
CVE
2023-2529
The vulnerability has not been patched. You should deactivate the plugin.

Caldera Forms Google Sheets Connector

Product image for Caldera Forms Google Sheets Connector.

Vulnerability
Access Code Update via Cross Site Request Forgery (CSRF)
Patched in Version
No Fix
CVE
2023-2330
The vulnerability has not been patched. You should deactivate the plugin.

About Me 3000 widget

Plugin
About Me 3000 widget
Vulnerability
Authenticated (Administrator+) Stored Cross Site Scripting (XSS)
Patched in Version
No Fix
CVE
2023-3369
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

AN_GradeBook

Vulnerability
Auth. Cross Site Scripting (XSS)
Patched in Version
No Fix
CVE
2023-2709
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

BBS e-Popup

Patched in Version
No Fix
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

CF7 Google Sheets Connector Pro

Plugin
CF7 Google Sheets Connector Pro
Vulnerability
Reflected Cross Site Scripting (XSS)
Patched in Version
No Fix
CVE
2023-2320
The vulnerability has not been patched. You should deactivate the plugin.

Contact Form by WD

Plugin
Contact Form by WD
Patched in Version
No Fix
CVE
2023-2655
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Image Protector

Plugin
Defa Online Image Protector
Vulnerability
Auth. Stored Cross Site Scripting (XSS)
Patched in Version
No Fix
CVE
2023-2026
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Gallery Metabox

Vulnerability
Missing Authorization via gallery_remove
Patched in Version
No Fix
CVE
2023-2561
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Gallery Metabox

Patched in Version
No Fix
CVE
2023-2562
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Greeklish-permalink

Vulnerability
Unauth. Post Slug Update
Patched in Version
No Fix
CVE
2023-2495
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Image Map Pro

Vulnerability
Missing Authorization to Stored Cross-Site Scripting
Patched in Version
No Fix
CVE
2023-3412
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

InventoryPress

Vulnerability
Author+ Stored Cross Site Scripting (XSS)
Patched in Version
No Fix
CVE
2023-2579
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

PrePost SEO

Vulnerability
Auth. Stored Cross Site Scripting (XSS)
Patched in Version
No Fix
CVE
2023-2029
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Quick Post Duplicator

Vulnerability
Authenticated (Contributor+) SQL Injection
Patched in Version
No Fix
CVE
2023-2229
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Upload Resume

Patched in Version
No Fix
CVE
2023-2751
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

User Email Verification for WooCommerce

Plugin
User Email Verification for WooCommerce
Vulnerability
Authentication bypass via weak token generation
Patched in Version
No Fix
CVE
2023-2781
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

In this section, you’ll find the latest WordPress theme vulnerabilities to be disclosed. You’ll see the same information provided above for vulnerable plugins, and the same advice applies. If a security update exists, install it immediately. If a vulnerability remains unpatched in a theme you are actively using, you will need to find an alternative theme. Deactivate and delete persistently unpatched themes and those that have been “Closed” in the WordPress.org theme repository. If you have a vulnerable theme installed that you are not actively using, simply delete it.

Balkon

Vulnerability
Reflected Cross Site Scripting (XSS)
The vulnerability has been patched, so you should update to version 1.3.3.

Never worry about running a vulnerable plugin or theme again.

As you can see from this report, new WordPress plugin and theme vulnerabilities are disclosed every week. We know it can be difficult to stay on top of every reported vulnerability disclosure that matters to you, so the Themes Security Pro plugin makes it easy to ensure your site isn’t running a vulnerable theme, plugin, or version of WordPress core.

The post WordPress Vulnerability Report – June 28, 2023 appeared first on iThemes.

This content was originally published here.