This week, 140 total vulnerabilities emerged in public disclosure. They may affect over 13 million WordPress sites. There are 116 plugin vulnerabilities and one theme vulnerability that have security patches available, so run those updates!
Additionally, there are 23 plugin vulnerabilities with no patch available yet. If you are using any unpatched plugins or themes, check their vendors’ intentions and progress on a security release. If no patch is forthcoming, or the vulnerable software has been closed and dropped from the official WordPress plugin and theme repositories, you should consider deactivation and removal in favor of alternative solutions.
WordPress Core Vulnerabilities — Patched
- No new WordPress core vulnerabilities were disclosed this week.
WordPress core is very secure when it’s properly configured and maintained. Vulnerable plugins that have not been updated by site owners are the most common vector for attacks on WordPress websites. Our weekly WordPress Vulnerability Report, powered by Patchstack, covers new WordPress plugin, theme, and core vulnerabilities that have emerged since last week’s report. Our goal is to spread awareness of emerging security threats and help you decide what to do if you are using vulnerable software on your website. For a deeper analysis of recent trends in WordPress vulnerabilities and threat vectors, see our 2022 Annual Vulnerability Report.
These reports are published every Wednesday and include all active vulnerabilities tracked by Patchstack as of Monday since the previous report. This leaves a 48-hour window for the newest emerging vulnerabilities to be patched before full public disclosure. iThemes Security Pro users have access to vulnerability alerts emerging within this window.
WordPress Plugin Vulnerabilities — Patched
In this section, you’ll find the most recently disclosed WordPress plugin vulnerabilities that have been fixed with a new release from their authors and maintainers. Please apply the updates if you are affected!
These vulnerabilities have been disclosed and scored for their severity, thanks to our friends at Patchstack. Each plugin listing includes the type of vulnerability with its CVE number and CVSS severity rating with links to more technical details. You’ll also see the number of active sites using the plugin and the plugin version release that patches the vulnerability. We start with the most popular plugins, which represent the largest target for attackers.
WPForms Lite
- Vulnerability
- Reflected Cross Site Scripting (XSS)
- CVE
- 2023-30500
Ninja Forms Contact Form
- CVE
- 2023-36505
Complianz
- Vulnerability
- Cross Site Request Forgery (CSRF) lead to Site Wide Cross Site Scripting (XSS)
- CVE
- 2023-33333
Complianz
- Vulnerability
- Multiple Cross Site Request Forgery (CSRF)
- CVE
- 2023-34030
MainWP Child
- Vulnerability
- Information Disclosure via Back-Up Files
- CVE
- 2023-3132
WooCommerce Payments
- CVE
- 2023-35915
WooCommerce Payments
- Vulnerability
- Insecure Direct Object References (IDOR)
- CVE
- 2023-35916
WooCommerce PayPal Payments
- Vulnerability
- Cross Site Request Forgery (CSRF)
- CVE
- 2023-35917
ProfilePress
- Vulnerability
- Reflected Cross Site Scripting (XSS) via error message
Spam protection, AntiSpam, FireWall by CleanTalk
- CVE
- 2023-33996
Metform Elementor Contact Form Builder
- Vulnerability
- Cross Site Request Forgery (CSRF) via permalink_setup
- CVE
- 2023-2517
Photo Gallery by 10Web
- CVE
- 2023-33995
Ultimate Member
- Vulnerability
- Cross Site Request Forgery (CSRF)
- CVE
- 2023-31216
Unlimited Elements For Elementor
- Vulnerability
- Multiple Broken Access Control
- CVE
- 2023-31080
Unlimited Elements For Elementor
- CVE
- 2023-31231
WP Mail Logging
- Vulnerability
- Missing Authorization to Notice Dismissal
WP Activity Log
- CVE
- 2023-2261
Colibri Page Builder
- CVE
- 2023-2188
WordPress Button Plugin MaxButtons
- Vulnerability
- Cross Site Scripting (XSS)
- CVE
- 2023-36503
WooCommerce Square
- Vulnerability
- Insecure Direct Object References (IDOR)
- CVE
- 2023-35876
EmbedPress
- CVE
- 2023-3371
Bookly
- Vulnerability
- Admin+ Stored Cross Site Scripting (XSS) via service titles
- CVE
- 2023-1159
Conditional Menus
- Vulnerability
- Cross Site Scripting (XSS)
- CVE
- 2023-2654
Tutor LMS
- Vulnerability
- Unauthenticated Access to Tutor LMS Lesson Resources via REST API
- CVE
- 2023-3133
Dokan
CF7 Google Sheets Connector
- Vulnerability
- Reflected Cross Site Scripting (XSS)
- CVE
- 2023-2320
ConvertKit
- Vulnerability
- Reflected Cross Site Scripting (XSS)
- CVE
- 2023-2337
Super Socializer
- Vulnerability
- Cross Site Scripting (XSS)
- CVE
- 2023-35882
Super Socializer
- Vulnerability
- Reflected Cross Site Scripting (XSS)
- CVE
- 2023-2779
Login/Signup Popup
- Vulnerability
- Cross Site Request Forgery (CSRF)
Float menu
- Vulnerability
- Admin+ Stored Cross Site Scripting (XSS)
- CVE
- 2023-3225
Gutenverse – Gutenberg Blocks – Page Builder for Site Editor
- CVE
- 2023-35875
Icegram
- Vulnerability
- Reflected Cross Site Scripting (XSS)
- CVE
- 2023-2398
- CVE
- 2023-1844
- Vulnerability
- Cross Site Request Forgery (CSRF)
- CVE
- 2023-3407
PostX – Gutenberg Post Grid Blocks
- Vulnerability
- Cross Site Scripting (XSS)
- CVE
- 2023-36385
Abandoned Cart Lite for WooCommerce
- Vulnerability
- Stored Cross Site Scripting (XSS)
- CVE
- 2019-25152
ND Shortcodes
- CVE
- 2023-1273
Popup by Supsystic
- CVE
- 2023-3186
Protect WP Admin
- Vulnerability
- Unauthenticated Protection Bypass Vulnerability
- CVE
- 2023-3139
Quiz Maker
- Vulnerability
- Reflected Cross Site Scripting (XSS)
- CVE
- 2023-2571
wpForo Forum
- Vulnerability
- Authenticated (Subscriber+) Local File Include, Server-Side Request Forgery, and PHAR Deserialization via file_get_contents
- CVE
- 2023-2249
WP ERP
- CVE
- 2023-2744
BookIt
- CVE
- 2023-2834
CMS Commander
- Vulnerability
- Authorization Bypass through Use of Insufficiently Unique Cryptographic Signature
- CVE
- 2023-3325
Contact Form Email
- Vulnerability
- Unauthenticated Stored Cross Site Scripting (XSS)
- CVE
- 2023-2718
Custom 404 Pro
- CVE
- 2023-2032
File Renaming on Upload
- Vulnerability
- Admin+ Stored Cross Site Scripting (XSS)
- CVE
- 2023-2684
Accordion & FAQ
- Vulnerability
- Reflected Cross Site Scripting (XSS)
- CVE
- 2023-1891
Five Star Restaurant Reservations
- Vulnerability
- Reflected Cross Site Scripting (XSS)
- CVE
- 2023-34017
Restrict Content
- Vulnerability
- Missing Authorization to Notice Dismissal
Restrict Content
- Vulnerability
- Reflected Cross Site Scripting (XSS)
SupportCandy
- CVE
- 2023-2719
SupportCandy
- CVE
- 2023-2805
Event Manager and Tickets Selling Plugin for WooCommerce
- Vulnerability
- Cross Site Scripting (XSS)
- CVE
- 2023-36383
Buy Me a Coffee
- Vulnerability
- Auth. Stored Cross Site Scripting (XSS)
- CVE
- 2023-2578
FormCraft Premium
- CVE
- 2023-2592
WPForms Google Sheet Connector
- Vulnerability
- Reflected Cross Site Scripting (XSS)
- CVE
- 2023-2321
MStore API
- CVE
- 2023-3197
MStore API
- CVE
- 2022-47614
Poll Maker
- Vulnerability
- Server Side Request Forgery (SSRF)
- CVE
- 2023-34013
Simple Iframe
- Vulnerability
- Contributor+ Stored Cross Site Scripting (XSS)
- CVE
- 2023-2964
WP Custom Cursors
- CVE
- 2023-2221
AI ChatBot
- Vulnerability
- Admin+ Stored Cross Site Scripting (XSS)
- CVE
- 2023-2742
AI ChatBot
- Vulnerability
- Admin+ Stored Cross Site Scripting (XSS)
- CVE
- 2023-2811
Survey Maker
- Vulnerability
- Reflected Cross Site Scripting (XSS)
- CVE
- 2023-2572
Integration for Contact Form 7 and Zoho CRM, Bigin
- CVE
- 2023-2527
CHP Ads Block Detector
- CVE
- 2023-36509
Potent Donations for WooCommerce
- Vulnerability
- Cross Site Request Forgery (CSRF)
- CVE
- 2023-35912
EventON
EventON
Core Web Vitals & PageSpeed Booster
- CVE
- 2023-35883
Extra User Details
- Vulnerability
- Cross Site Request Forgery (CSRF)
- CVE
- 2023-35877
Extra User Details
- Vulnerability
- Cross Site Scripting (XSS)
- CVE
- 2023-35878
KiviCare Management System
- Vulnerability
- Reflected Cross Site Scripting (XSS)
- CVE
- 2023-2624
KiviCare Management System
- CVE
- 2023-2623
KiviCare Management System
- CVE
- 2023-2627
KiviCare Management System
- Vulnerability
- Multiple Cross Site Request Forgery (CSRF)
- CVE
- 2023-2628
teachPress
- Vulnerability
- Cross Site Scripting (XSS)
- CVE
- 2023-36501
WP Directory Kit
- Vulnerability
- Unauthenticated Local File Inclusion
- CVE
- 2023-2278
Contact Form to DB by BestWebSoft
- CVE
- 2023-36508
EventPrime
- Vulnerability
- Reflected Cross Site Scripting (XSS)
- CVE
- 2023-35884
Photo Gallery by Ays
- Vulnerability
- Reflected Cross Site Scripting (XSS)
- CVE
- 2023-2568
Elementor Forms Google Sheet Connector
- Vulnerability
- Reflected Cross Site Scripting (XSS)
- CVE
- 2023-2324
Ninja Forms Google Sheet Connector
- Vulnerability
- Reflected Cross Site Scripting (XSS)
- CVE
- 2023-2333
MyCurator Content Curation
- Vulnerability
- Cross Site Request Forgery (CSRF)
- CVE
- 2023-32104
OOPSpam Anti-Spam
- Vulnerability
- Cross Site Request Forgery (CSRF)
- CVE
- 2023-35913
ReDi Restaurant Reservation
- CVE
- 2023-36510
Booking Calendar Contact Form
- Vulnerability
- Cross Site Scripting (XSS)
- CVE
- 2023-36384
Customer Service Software & Support Ticket System
- Vulnerability
- Authenticated (Administrator+) Stored Cross Site Scripting (XSS)
WP Sticky Social
- Vulnerability
- Cross-Site Request Forgery to Stored Cross-Site Scripting
- CVE
- 2023-3320
Mail Queue
- Vulnerability
- Unauthenticated Stored Cross-Site Scripting via Email Subject
- CVE
- 2023-3167
Lana Shortcodes
- Vulnerability
- Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Mailtree Log Mail
- Vulnerability
- Unauth. Stored Cross Site Scripting (XSS)
- CVE
- 2023-3135
AutomateWoo
- Vulnerability
- Cross Site Request Forgery (CSRF)
- CVE
- 2023-36513
AutomateWoo
- CVE
- 2023-36512
Complianz Premium
- Vulnerability
- Cross Site Request Forgery (CSRF) to Site Wide Cross Site Scripting (XSS)
- CVE
- 2023-33333
Complianz Premium
- Vulnerability
- Multiple Cross Site Request Forgery (CSRF)
- CVE
- 2023-34030
Elementor Pro
- Vulnerability
- Auth. Broken Access Control
- CVE
- 2023-35050
Go Pricing – WordPress Responsive Pricing Tables
- CVE
- 2023-2494
Go Pricing – WordPress Responsive Pricing Tables
- Vulnerability
- Contributor+ Cross Site Scripting (XSS)
- CVE
- 2023-2498
MonsterInsights Pro
- Vulnerability
- Cross Site Scripting (XSS)
- CVE
- 2023-32291
Gravity Forms
- Vulnerability
- Reflected Cross Site Scripting (XSS)
- CVE
- 2023-2701
WPBakery Page Builder
- Vulnerability
- Contributor+ Cross Site Scripting (XSS)
- CVE
- 2023-31213
Lana Text to Image
- Vulnerability
- Auth. Stored Cross Site Scripting (XSS)
- CVE
- 2023-3387
PixelYourSite PRO
- Vulnerability
- Admin+ Stored Cross Site Scripting (XSS)
- CVE
- 2023-2584
USM Premium
- Vulnerability
- Admin+ Stored Cross Site Scripting (XSS)
- CVE
- 2023-1166
Abandoned Cart Pro for WooCommerce
- Vulnerability
- Stored Cross Site Scripting (XSS)
- CVE
- 2019-25152
WooCommerce Brands
- Vulnerability
- Cross Site Request Forgery (CSRF)
- CVE
- 2023-35880
WooCommerce Bulk Stock Management
- Vulnerability
- Cross Site Scripting (XSS)
- CVE
- 2023-35918
WooCommerce Order Barcodes
- Vulnerability
- Cross Site Request Forgery (CSRF)
- CVE
- 2023-36511
WooCommerce Product Vendors
- Vulnerability
- Shop Manager+ SQL Injection
- CVE
- 2023-35879
WooCommerce Ship to Multiple Addresses
- Vulnerability
- Cross Site Request Forgery (CSRF)
- CVE
- 2023-36514
WooCommerce Subscriptions
- Vulnerability
- Insecure Direct Object References (IDOR)
- CVE
- 2023-35914
WordPress File Upload
- CVE
- 2023-2688
WPForms Pro
- Vulnerability
- Reflected Cross Site Scripting (XSS)
- CVE
- 2023-30500
WordPress Plugin Vulnerabilities — Unpatched
This section contains plugin vulnerabilities with no known fix. Until a patch is available, you are advised to deactivate the plugin, at minimum, immediately. If there is a high risk of active exploits or the plugin remains unpatched for weeks, you are advised to delete the plugin. You should also delete persistently unpatched plugins the WordPress.org repository has locked and marked “Closed” so they can no longer be downloaded and installed.
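Both the patched list above (update to the release that fixes the issue) and this no-fix list (deactivate, then delete if no patch arrives) come down to one check per installed plugin: is the installed version older than the patched release, or is there no patched release at all? The script below is an added example, not code from this report, from Patchstack or from iThemes. It reads the JSON that `wp plugin list --format=json --fields=name,status,version` prints and compares versions numerically rather than as strings, because a string comparison ranks 1.9.2 above 1.10.0 and would miss a needed update. The plugin slugs, CVE numbers and version numbers in the embedded sample are constructed placeholders, not the entries of this report.

```python
"""Cross-check installed WordPress plugins against a vulnerability table.

Added example, not code from the vulnerability report, Patchstack or iThemes.
The input format is the JSON printed by
    wp plugin list --format=json --fields=name,status,version
A constructed sample is embedded so the script runs offline; every slug,
CVE number and version below is a hypothetical placeholder.
"""
import json
import re

# Constructed stand-in for `wp plugin list` output (hypothetical slugs/versions).
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "example-forms",    "status": "active",   "version": "1.9.2"},
    {"name": "example-gallery",  "status": "active",   "version": "1.10.0"},
    {"name": "example-popup",    "status": "inactive", "version": "3.1.0"},
    {"name": "example-seo",      "status": "active",   "version": "2.0.0"},
    {"name": "unrelated-plugin", "status": "active",   "version": "5.5"},
])

# Hypothetical table in the shape of the report's columns:
# slug -> (vulnerability type, CVE, patched-in version; None means "No Fix").
VULN_TABLE = {
    "example-forms":   ("Reflected Cross Site Scripting (XSS)", "CVE-2023-00001", "1.10.0"),
    "example-gallery": ("Cross Site Request Forgery (CSRF)",    "CVE-2023-00002", "1.9.5"),
    "example-popup":   ("Stored Cross Site Scripting (XSS)",    "CVE-2023-00003", None),
    "example-seo":     ("SQL Injection",                        "CVE-2023-00004", "2.0.0"),
}


def parse_version(v):
    """Split '1.10.0-beta2' into ((1, 10, 0), 'beta2'); '5.5' into ((5, 5), '')."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:[.\-]?([A-Za-z][\w.]*))?", v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    return nums, (m.group(2) or "")


def version_lt(a, b):
    """True if version a is older than b.

    Numeric segments compare as integers ('1.9.2' < '1.10.0'), missing trailing
    segments count as 0 ('1.10' == '1.10.0'), and a pre-release tag sorts below
    the bare release ('1.10.0-beta2' < '1.10.0').
    """
    na, pa = parse_version(a)
    nb, pb = parse_version(b)
    width = max(len(na), len(nb))
    na += (0,) * (width - len(na))
    nb += (0,) * (width - len(nb))
    if na != nb:
        return na < nb
    if pa and not pb:
        return True
    if pb and not pa:
        return False
    return pa < pb


def audit(plugin_list_json, vuln_table):
    """Return one finding per installed plugin that is in vuln_table and not yet
    on a patched release. Inactive plugins are still reported: their code is
    still on disk, which is why the report says to delete, not just deactivate."""
    findings = []
    for plugin in json.loads(plugin_list_json):
        entry = vuln_table.get(plugin["name"])
        if entry is None:
            continue
        vuln, cve, patched_in = entry
        installed = plugin["version"]
        if patched_in is None:
            action = "no fix available: deactivate now, delete if no patch is forthcoming"
        elif version_lt(installed, patched_in):
            action = f"update to {patched_in} or later"
        else:
            continue  # already on a patched release
        findings.append({
            "plugin": plugin["name"], "status": plugin["status"], "installed": installed,
            "vulnerability": vuln, "cve": cve, "action": action,
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_WP_PLUGIN_LIST, VULN_TABLE):
        print(f"{f['plugin']} {f['installed']} ({f['status']}): "
              f"{f['cve']} {f['vulnerability']} -> {f['action']}")
```

On a live site, pipe the real `wp plugin list --format=json --fields=name,status,version` output into `audit()` in place of the sample and fill `VULN_TABLE` from the "Patched in Version" column of the listings; note that the sample's `example-gallery` at 1.10.0 is correctly left alone even though a string comparison would call it older than the 1.9.5 fix.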
WP Cookie Notice for GDPR, CCPA & ePrivacy Consent
- Patched in Version
- No Fix
- CVE
- 2023-23678
Form Builder
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- CVE
- 2023-23795
ApplyOnline – Application Form Builder and Manager
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- CVE
- 2023-24391
JS Help Desk – Best Help Desk & Support Plugin
- Vulnerability
- Insecure Direct Object References (IDOR) Leading To Ticket Deletion
- Patched in Version
- No Fix
- CVE
- 2023-23679
MojoPlug Slide Panel
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- CVE
- 2023-23807
Smoothscroller
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- CVE
- 2023-23811
Enable SVG Uploads
- Vulnerability
- Auth. Stored Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- CVE
- 2023-2529
Caldera Forms Google Sheets Connector
- Vulnerability
- Access Code Update via Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- CVE
- 2023-2330
About Me 3000 widget
- Plugin
- About Me 3000 widget
- Vulnerability
- Authenticated (Administrator+) Stored Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- CVE
- 2023-3369
AN_GradeBook
- Vulnerability
- Auth. Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- CVE
- 2023-2709
BBS e-Popup
- Patched in Version
- No Fix
- CVE
- 2023-36504
CF7 Google Sheets Connector Pro
- Vulnerability
- Reflected Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- CVE
- 2023-2320
Contact Form by WD
- Patched in Version
- No Fix
- CVE
- 2023-2655
Defa Online Image Protector
- Vulnerability
- Auth. Stored Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- CVE
- 2023-2026
Gallery Metabox
- Vulnerability
- Missing Authorization via gallery_remove
- Patched in Version
- No Fix
- CVE
- 2023-2561
Gallery Metabox
- Patched in Version
- No Fix
- CVE
- 2023-2562
Greeklish-permalink
- Vulnerability
- Unauth. Post Slug Update
- Patched in Version
- No Fix
- CVE
- 2023-2495
Image Map Pro
- Vulnerability
- Missing Authorization to Stored Cross-Site Scripting
- Patched in Version
- No Fix
- CVE
- 2023-3412
InventoryPress
- Vulnerability
- Author+ Stored Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- CVE
- 2023-2579
PrePost SEO
- Vulnerability
- Auth. Stored Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- CVE
- 2023-2029
Quick Post Duplicator
- Vulnerability
- Authenticated (Contributor+) SQL Injection
- Patched in Version
- No Fix
- CVE
- 2023-2229
Upload Resume
- Patched in Version
- No Fix
- CVE
- 2023-2751
User Email Verification for WooCommerce
- Vulnerability
- Authentication bypass via weak token generation
- Patched in Version
- No Fix
- CVE
- 2023-2781
WordPress Theme Vulnerabilities — Patched
In this section, you’ll find the latest WordPress theme vulnerabilities to be disclosed. You’ll see the same information provided above for vulnerable plugins, and the same advice applies. If a security update exists, install it immediately. If a vulnerability remains unpatched in a theme you are actively using, you will need to find an alternative theme. Deactivate and delete persistently unpatched themes and those that have been “Closed” in the WordPress.org theme repository. If you have a vulnerable theme installed that you are not actively using, simply delete it.
Balkon
- Vulnerability
- Reflected Cross Site Scripting (XSS)
- CVE
- 2023-36502
Never worry about running a vulnerable plugin or theme again.
As you can see from this report, new WordPress plugin and theme vulnerabilities are disclosed every week. We know it can be difficult to stay on top of every reported vulnerability disclosure that matters to you, so the iThemes Security Pro plugin makes it easy to ensure your site isn’t running a vulnerable theme, plugin, or version of WordPress core.
The Best WordPress Security Plugin to Secure & Protect WordPress Sites
WordPress currently powers over 40% of all websites, so it has become a popular target for hackers with malicious intent. The iThemes Security Pro plugin takes the guesswork out of WordPress security to make it easy to secure & protect your WordPress website. It’s like having a full-time security expert on staff who constantly monitors and protects your WordPress site for you.
The post WordPress Vulnerability Report – June 28, 2023 appeared first on iThemes.