WordPress Vulnerability Report – June 7, 2023


Warning: getimagesize(https://ps.w.org/ultimate-social-media-icons/assets/banner-1544x500.png?rev=2388690): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/brizy/assets/banner-1544x500.jpg?rev=1857924): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/vk-blocks/assets/banner-1544x500.png?rev=2754394): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/uncanny-learndash-toolkit/assets/banner-1544x500.jpg?rev=1814309): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/draw-attention/assets/banner-1544x500.png?rev=2897022): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/bbp-style-pack/assets/banner-1544x500.jpg?rev=2704518): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/drop-shadow-boxes/assets/banner-772x250.jpg?rev=2911882): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/bulk-editor/assets/banner-1544x500.png?rev=2731179): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/crm-perks-forms/assets/banner-772x250.png?rev=1926593): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/wp-inventory-manager/assets/banner-1544x500.jpg?rev=2037929): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/wpdirectorykit/assets/banner-772x250.jpg?rev=2607747): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/advanced-free-flat-shipping-woocommerce/assets/banner-1544x500.png?rev=2469945): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/cookie-consent-box/assets/banner-772x250.jpg?rev=2918723): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/kanban/assets/banner-1544x500.png?rev=2528808): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/telegram-bot/assets/banner-1544x500.png?rev=2391920): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/wp-user-switch/assets/banner-772x250.png?rev=2237142): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/front-end-only-users/assets/banner-772x250.png?rev=1805921): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/accessibility-help-button/assets/banner-772x250.png?rev=2027016): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/vk-blocks/assets/banner-1544x500.png?rev=2754394): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/woo-smart-wishlist/assets/banner-772x250.png?rev=2425218): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/constant-contact-forms/assets/banner-1544x500.png?rev=2542237): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/ts-webfonts-for-sakura/assets/banner-1544x500.png?rev=1625339): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/wordpress-social-login/assets/banner-772x250.png?rev=503808): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/counter-yandex-metrica/assets/banner-1544x500.png?rev=1937608): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/lws-hide-login/assets/banner-1544x500.jpg?rev=2777047): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/unite-gallery-lite/assets/banner-772x250.png?rev=1139127): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/disable-update-notifications/assets/banner-772x250.png?rev=1395014): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/call-now-icon-animate/assets/banner-772x250.jpg?rev=1674543): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/malinky-ajax-pagination/assets/banner-1544x500.png?rev=1241368): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/bbs-e-popup/assets/banner-772x250.jpg?rev=1092011): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/contact-form-with-a-meeting-scheduler-by-vcita/assets/banner-1544x500.png?rev=2391900): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/wptables/assets/banner-1544x500.png?rev=1675472): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/dynamic-qr-code-generator/assets/banner-772x250.jpg?rev=1150721): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/extended-post-status/assets/banner-772x250.png?rev=1981802): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/floating-action-button/assets/banner-1544x500.png?rev=2018710): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/headless-cms/assets/banner-1544x500.png?rev=2333730): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/woocommerce-order-address-print/assets/banner-772x250.png?rev=1183946): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/wp-full-auto-tags-manager/assets/banner-1544x500.png?rev=1414940): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/lead-capturing-call-to-actions-by-vcita/assets/banner-1544x500.png?rev=2391909): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/crm-customer-relationship-management-by-vcita/assets/banner-1544x500.png?rev=2391889): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/lh-password-changer/assets/banner-772x250.jpg?rev=1339441): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

Warning: getimagesize(https://ps.w.org/tpg-redirect/assets/banner-772x250.png?rev=744193): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /home/customer/www/kerbco.com/public_html/wp-content/plugins/code-snippets/php/snippet-ops.php(582) : eval()'d code on line 22

This week, 101 total vulnerabilities emerged in public disclosure. They may affect over 6 million WordPress sites. Additionally, there are 64 plugin vulnerabilities with no patch available yet, but no new theme vulnerabilities surfaced. If you are using any unpatched plugins or themes, check their vendors’ intentions and progress on a security release. If no patch is forthcoming or the vulnerable software has been closed and dropped from the official WordPress and repositories, you should consider deactivation and removal in favor of alternative solutions.

WordPress Core Vulnerabilities — Patched

  • No new WordPress core vulnerabilities were disclosed this week.

WordPress core is very secure when it’s properly configured and maintained. Vulnerable plugins that have not been updated by site owners are the most common vector for attacks on WordPress websites. Our weekly WordPress Vulnerability Report, powered by Patchstack, covers new WordPress plugin, theme, and core vulnerabilities that have emerged since last week’s report. Our goal is to spread awareness of emerging security threats and help you decide what to do if you are using vulnerable software on your website. For a deeper analysis of recent trends in WordPress vulnerabilities and threat vectors, see our 2022 Annual Vulnerability Report.

These reports are published every Wednesday and include all active vulnerabilities tracked by Patchstack as of Monday since the previous report. This leaves a 48-hour window for the newest emerging vulnerabilities to be patched before full public disclosure. iThemes Security Pro users have access to vulnerability alerts emerging within this window.

WordPress Plugin Vulnerabilities — Patched

In this section, you’ll find the most recently disclosed WordPress plugin vulnerabilities that have been fixed with a new release from their authors and maintainers. Please apply the updates if you are affected!

These vulnerabilities have been disclosed and scored for their severity, thanks to our friends at Patchstack. Each plugin listing includes the type of vulnerability with its CVE number and CVSS severity rating with links to more technical details. You’ll also see the number of active sites using the plugin and the plugin version release that patches the vulnerability. We start with the most popular plugins, which represent the largest target for attackers.

Download Manager

Product image for Download Manager.

CVE
2023-1524
The vulnerability has been patched, so you should update to version 3.2.71.

Download Monitor

Product image for Download Monitor.

Vulnerability
Server Side Request Forgery (SSRF)
The vulnerability has been patched, so you should update to version 4.8.2.

Brizy Page Builder

Product image for Brizy – Page Builder.

Vulnerability
IP Address Spoofing to Protection Mechanism Bypass
CVE
2023-2897
The vulnerability has been patched, so you should update to version 2.4.19.

Nested Pages

Product image for Nested Pages.

Plugin
Nested Pages
Vulnerability
Missing Authorization to Authenticated (Editor+) Plugin Settings Reset
CVE
2023-2434
The vulnerability has been patched, so you should update to version 3.2.4.

VK Blocks

Product image for VK Blocks.

Plugin
VK Blocks
CVE
2023-0583
The vulnerability has been patched, so you should update to version 1.57.1.2.

Favorites

Product image for Favorites.

Plugin
Favorites
Vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE
2023-2304
The vulnerability has been patched, so you should update to version 2.3.3.

bbp style pack

Product image for bbp style pack.

Vulnerability
Reflected Cross Site Scripting (XSS)
The vulnerability has been patched, so you should update to version 5.5.6.

Drop Shadow Boxes

Product image for Drop Shadow Boxes.

Vulnerability
Cross Site Scripting (XSS)
The vulnerability has been patched, so you should update to version 1.7.11.

WP Inventory Manager

Product image for WP Inventory Manager.

Vulnerability
Cross Site Request Forgery (CSRF)
The vulnerability has been patched, so you should update to version 2.1.0.14.

WP Directory Kit

Product image for WP Directory Kit.

Vulnerability
Reflected Cross-Site Scripting via ‘search’
CVE
2023-2835
The vulnerability has been patched, so you should update to version 1.2.4.

GDPR Cookie Consent Notice Box

Product image for GDPR Cookie Consent Notice Box.

Vulnerability
Cross Site Scripting (XSS)
The vulnerability has been patched, so you should update to version 1.1.7.

JS Jobs Manager

Product image for JS Job Manager.

Vulnerability
Cross Site Request Forgery (CSRF)
The vulnerability has been patched, so you should update to version 2.0.1.

Kanban Boards for WordPress

Product image for Kanban Boards for WordPress.

Vulnerability
Cross Site Scripting (XSS)
The vulnerability has been patched, so you should update to version 2.5.21.

Telegram Bot & Channel

Product image for Telegram Bot & Channel.

Vulnerability
Cross Site Scripting (XSS)
The vulnerability has been patched, so you should update to version 3.6.3.

WP User Switch

Product image for WP User Switch.

Vulnerability
Authentication Bypass via Cookie
CVE
2023-2546
The vulnerability has been patched, so you should update to version 1.0.3.

Front End Users

Product image for Front End Users.

Vulnerability
Cross Site Request Forgery (CSRF)
The vulnerability has been patched, so you should update to version 3.2.25.

Call Now Accessibility Button

Product image for Call Now Accessibility Button.

Vulnerability
Cross Site Scripting (XSS)
The vulnerability has been patched, so you should update to version 1.2.

B2BKing

Vulnerability
Authenticated Product Price Change
The vulnerability has been patched, so you should update to version 4.6.20.

Premium Addons PRO

Vulnerability
Reflected Cross Site Scripting (XSS)
The vulnerability has been patched, so you should update to version 2.8.25.

WooCommerce Box Office

Vulnerability
Unauthenticated Save Ticket Barcode
The vulnerability has been patched, so you should update to version 1.1.52.

WooCommerce Box Office

Vulnerability
Contributor+ Stored Cross Site Scripting (XSS)
The vulnerability has been patched, so you should update to version 1.1.51.

WordPress Plugin Vulnerabilities — Unpatched

This section contains plugin vulnerabilities with no known fix. Until a patch is available, you are advised to deactivate the plugin, at minimum, immediately. If there is a high risk of active exploits or the plugin remains unpatched for weeks, you are advised to delete the plugin. You should also delete persistently unpatched plugins the WordPress.org repository has locked and marked “Closed” so they can no longer be downloaded and installed.

VK Blocks

Product image for VK Blocks.

Plugin
VK Blocks
Patched in Version
No Fix
CVE
2023-0584
The vulnerability has not been patched. You should deactivate the plugin.

WPC Smart Wishlist for WooCommerce

Product image for WPC Smart Wishlist for WooCommerce.

Vulnerability
Cross Site Request Forgery (CSRF)
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

Constant Contact Forms

Product image for Constant Contact Forms.

Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

WordPress Social Login

Product image for WordPress Social Login.

Vulnerability
Cross Site Scripting (XSS)
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

WordPress Social Login

Product image for WordPress Social Login.

Vulnerability
Cross Site Scripting (XSS)
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

`OSM – OpenStreetMap

Product image for OSM – OpenStreetMap.

Vulnerability
Contributor+ Cross Site Scripting (XSS)
Patched in Version
No Fix
CVE
2022-4676
The vulnerability has not been patched. You should deactivate the plugin.

Yandex Metrica Counter

Product image for Yandex Metrica Counter.

Vulnerability
Cross Site Scripting (XSS)
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

LWS Hide Login

Product image for LWS Hide Login.

Vulnerability
Cross Site Request Forgery (CSRF)
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

Unite Gallery Lite

Product image for Unite Gallery Lite.

Vulnerability
Cross Site Scripting (XSS)
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

WP Hide Post

Plugin
WP Hide Post
Vulnerability
Cross Site Request Forgery (CSRF) Leading To Post Status Change
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

Call Now Icon Animate

Product image for Call Now Icon Animate.

Vulnerability
Cross Site Scripting (XSS)
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

Google Fonts For WordPress

Vulnerability
Reflected Cross Site Scripting (XSS)
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

Ajax Pagination and Infinite Scroll

Product image for Ajax Pagination and Infinite Scroll.

Vulnerability
Cross Site Request Forgery (CSRF)
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

BBS e-Popup

Product image for BBS e-Popup.

Plugin
BBS e-Popup
Vulnerability
Reflected Cross Site Scripting (XSS)
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

Contact Form Builder by vcita

Product image for Contact Form Builder by vcita.

Vulnerability
Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched in Version
No Fix
CVE
2023-2301
The vulnerability has not been patched. You should deactivate the plugin.

Contact Form Builder by vcita

Product image for Contact Form Builder by vcita.

Vulnerability
Auth. Stored Cross-Site Scripting (XSS)
Patched in Version
No Fix
CVE
2023-2300
The vulnerability has not been patched. You should deactivate the plugin.

SpamReferrerBlock

Vulnerability
Cross Site Scripting (XSS)
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

SpamReferrerBlock

Vulnerability
Cross Site Request Forgery (CSRF)
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

WordPress Tables

Product image for WordPress Tables.

Vulnerability
Cross Site Scripting (XSS)
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

bbPress Toolkit

Vulnerability
Cross Site Request Forgery (CSRF)
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

bbPress Toolkit

Vulnerability
Cross Site Scripting (XSS)
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

Chilexpress woo oficial

Vulnerability
Reflected Cross Site Scripting (XSS)
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

Dynamic QR Code Generator

Product image for Dynamic QR Code Generator.

Vulnerability
Reflected Cross Site Scripting (XSS)
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

Extended Post Status

Product image for Extended Post Status.

Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

Floating Action Button

Product image for Floating Action Button.

Vulnerability
Cross Site Request Forgery (CSRF)
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

Headless CMS

Product image for Headless CMS.

Plugin
Headless CMS
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

Woocommerce Order address Print

Product image for Woocommerce Order address Print.

Vulnerability
Reflected Cross Site Scripting (XSS)
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

WordPress NextGen GalleryView

Vulnerability
Cross Site Request Forgery (CSRF)
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

WP-Cache.com

Plugin
WP-Cache.com
Vulnerability
Cross Site Request Forgery (CSRF)
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

WP-Cirrus

Plugin
WP-Cirrus
Vulnerability
Cross Site Request Forgery (CSRF)
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

WP Full Auto Tags Manager

Product image for WP Full Auto Tags Manager.

Vulnerability
Cross Site Request Forgery (CSRF)
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

WP Report Post

Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

WP Report Post

Vulnerability
Cross Site Request Forgery (CSRF)
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

Contact Form and Calls To Action by vcita

Product image for Contact Form and Calls To Action by vcita.

Vulnerability
Auth. Stored Cross-Site Scripting (XSS)
Patched in Version
No Fix
CVE
2023-2302
The vulnerability has not been patched. You should deactivate the plugin.

Contact Form and Calls To Action by vcita

Product image for Contact Form and Calls To Action by vcita.

Vulnerability
Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched in Version
No Fix
CVE
2023-2303
The vulnerability has not been patched. You should deactivate the plugin.

CRM and Lead Management by vcita

Product image for CRM and Lead Management by vcita.

Vulnerability
Auth. Stored Cross-Site Scripting (XSS)
Patched in Version
No Fix
CVE
2023-2404
The vulnerability has not been patched. You should deactivate the plugin.

CRM and Lead Management by vcita

Product image for CRM and Lead Management by vcita.

Vulnerability
Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched in Version
No Fix
CVE
2023-2405
The vulnerability has not been patched. You should deactivate the plugin.

LH Password Changer

Product image for LH Password Changer.

Vulnerability
Cross Site Request Forgery (CSRF)
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

TPG Redirect

Product image for TPG Redirect.

Plugin
TPG Redirect
Vulnerability
Cross Site Request Forgery (CSRF)
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

Blog-in-Blog

Vulnerability
Authenticated (Editor+) Local File Inclusion via Shortcode
Patched in Version
No Fix
CVE
2023-2435
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Blog-in-Blog

Vulnerability
Authenticated (Editor+) Stored Cross-Site Scripting via Shortcode
Patched in Version
No Fix
CVE
2023-2436
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Cart2Cart: Magento to WooCommerce Migration

Plugin
Cart2Cart: Magento to WooCommerce Migration
Patched in Version
No Fix
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Display post meta, term meta, comment meta, and user meta

Plugin
Display post meta, term meta, comment meta, and user meta
Vulnerability
Authenticated(Contributor+) Stored Cross-Site Scripting
Patched in Version
No Fix
CVE
2023-1661
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Feather Login Page

Vulnerability
Missing Authorization to Authentication Bypass and Privilege Escalation
Patched in Version
No Fix
CVE
2023-2545
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Feather Login Page

Vulnerability
Missing Authorization to Non-Arbitrary User Deletion
Patched in Version
No Fix
CVE
2023-2547
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Feather Login Page

Vulnerability
Cross Site Request Forgery (CSRF) to Privilege Escalation
Patched in Version
No Fix
CVE
2023-2549
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Kebo Twitter Feed

Vulnerability
Cross Site Request Forgery (CSRF)
Patched in Version
No Fix
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Login Configurator

Vulnerability
Reflected Cross Site Scripting (XSS)
Patched in Version
No Fix
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Page Builder by AZEXO

Plugin
Page Builder with Image Map by AZEXO
Vulnerability
Cross Site Request Forgery (CSRF)
Patched in Version
No Fix
CVE
2023-3052
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Page Builder by AZEXO

Plugin
Page Builder with Image Map by AZEXO
Vulnerability
Auth. Stored Cross-Site Scripting (XSS)
Patched in Version
No Fix
CVE
2023-3051
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Page Builder by AZEXO

Plugin
Page Builder with Image Map by AZEXO
Vulnerability
Missing Authorization to Post Creation
Patched in Version
No Fix
CVE
2023-3053
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Page Builder by AZEXO

Plugin
Page Builder with Image Map by AZEXO
Vulnerability
Cross-Site Request Forgery to Stored Cross-Site Scripting (XSS)
Patched in Version
No Fix
CVE
2023-3055
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Web Directory Free

Vulnerability
Authenticated (Contributor+) SQL Injection via post_id
Patched in Version
No Fix
CVE
2023-2201
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Wordapp

Vulnerability
Authorization Bypass through Use of Insufficiently Unique Cryptographic Signature
Patched in Version
No Fix
CVE
2023-2987
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

In this section, you’ll find the latest WordPress theme vulnerabilities to be disclosed. You’ll see the same information provided above for vulnerable plugins, and the same advice applies. If a security update exists, install it immediately. If a vulnerability remains unpatched in a theme you are actively using, you will need to find an alternative theme. Deactivate and delete persistently unpatched themes and those that have been “Closed” in the WordPress.org theme repository. If you have a vulnerable theme installed that you are not actively using, simply delete it.

  • No new WordPress theme vulnerabilities were disclosed this week.

Never worry about running a vulnerable plugin or theme again.

As you can see from this report, new WordPress plugin and theme vulnerabilities are disclosed every week. We know it can be difficult to stay on top of every reported vulnerability disclosure that matters to you, so the Themes Security Pro plugin makes it easy to ensure your site isn’t running a vulnerable theme, plugin, or version of WordPress core.

The post WordPress Vulnerability Report – June 7, 2023 appeared first on iThemes.

This content was originally published here.