This week, 66 vulnerabilities may affect over 5.8 million WordPress sites. There are 42 plugin vulnerabilities and five in themes that have security patches available, so run those updates! Additionally, there are 18 plugin vulnerabilities and one theme with no patch available yet. If you are using any unpatched plugins or themes, check their vendors’ intentions and progress on a security release. If no patch is forthcoming or the vulnerable software has been closed and dropped from the official WordPress and repositories, you should consider deactivation and removal in favor of alternative solutions.
Please note we’ve revised last week’s report to correct the list of vulnerable code after many of the previous week’s vulnerabilities were mistakenly included. Thanks to Jeff Severson of JTS Design for bringing this to our attention.
- No new WordPress core vulnerabilities were disclosed this week.
WordPress core is very secure when it’s properly configured and maintained. Vulnerable plugins that have not been updated by site owners are the most common vector for attacks on WordPress websites. Our weekly WordPress Vulnerability Report, powered by Patchstack, covers new WordPress plugin, theme, and core vulnerabilities that have emerged since last week’s report. Our goal is to spread awareness of emerging security threats and help you decide what to do if you are using vulnerable software on your website. For a deeper analysis of recent trends in WordPress vulnerabilities and threat vectors, see our 2022 Annual Vulnerability Report.
These reports are published every Wednesday and include all active vulnerabilities tracked by Patchstack as of Monday since the previous report. This leaves a 48-hour window for the newest emerging vulnerabilities to be patched before full public disclosure. iThemes Security Pro users have access to vulnerability alerts emerging within this window.
WordPress Plugin Vulnerabilities with Patches
In this section, you’ll find the most recently disclosed WordPress plugin vulnerabilities that have been fixed with a new release from their authors and maintainers. Please apply the updates if you are affected!
These vulnerabilities have been disclosed and scored for their severity, thanks to our friends at Patchstack. Each plugin listing includes the type of vulnerability with its CVE number and CVSS severity rating with links to more technical details. You’ll also see the number of active sites using the plugin and the plugin version release that patches the vulnerability. We start with the most popular plugins, which represent the largest target for attackers.
Advanced Custom Fields
- Plugin
- Advanced Custom Fields (ACF)
- Vulnerability
- Cross Site Scripting (XSS)
- CVE
- 2023-30777
Advanced Custom Fields
- Plugin
- Advanced Custom Fields (ACF)
- CVE
- 2023-1196
Ninja Forms
- Vulnerability
- Cross Site Scripting (XSS)
- CVE
- 2023-1835
Otter – Gutenberg Blocks
- CVE
- 2023-2288
Metform Elementor Contact Form Builder
- CVE
- 2023-1843
YARPP
- CVE
- 2023-0579
Advanced Woo Search
- Plugin
- Advanced Woo Search
- Vulnerability
- Cross Site Scripting (XSS)
- CVE
- 2023-2452
Easy Digital Downloads
- CVE
- 2023-30869
FV Flowplayer Video Player
- Plugin
- FV Flowplayer Video Player
- Vulnerability
- Cross Site Scripting (XSS)
- CVE
- 2023-30499
Product Addons & Fields for WooCommerce
- Vulnerability
- Cross Site Scripting (XSS)
- CVE
- 2023-1839
WP Visitor Statistics (Real Time Traffic)
CM Pop-Up banners for WordPress
- CVE
- 2023-30750
Image Optimizer by 10web
- Vulnerability
- Cross Site Scripting (XSS)
- CVE
- 2023-2122
Participants Database
- Plugin
- Participants Database
- Vulnerability
- Cross Site Request Forgery (CSRF)
- CVE
- 2023-31235
URL Params
- Plugin
- URL Params
- Vulnerability
- Cross Site Scripting (XSS)
- CVE
- 2023-0274
Product Catalog Feed by PixelYourSite
- Vulnerability
- Cross Site Scripting (XSS)
- CVE
- 2023-1804
WOLF
- Vulnerability
- Cross Site Scripting (XSS)
- CVE
- 2023-31218
HollerBox
Ko-fi Button
- Plugin
- Ko-fi Button
- Vulnerability
- Cross Site Scripting (XSS)
- CVE
- 2023-2254
Booking Manager
- Plugin
- Booking Manager
- Vulnerability
- Server Side Request Forgery (SSRF)
- CVE
- 2023-1977
WPO365 | Mail Integration for Office 365 / Outlook
- Vulnerability
- Cross Site Scripting (XSS)
- CVE
- 2023-32119
Spiffy Calendar
- Plugin
- Spiffy Calendar
- Vulnerability
- Cross Site Scripting (XSS)
- CVE
- 2023-32122
Stagtools
WP EasyPay
- Vulnerability
- Cross Site Scripting (XSS)
- CVE
- 2023-1465
TK Google Fonts GDPR Compliant
WP Inventory Manager
- Plugin
- WP Inventory Manager
- Vulnerability
- Cross Site Scripting (XSS)
- CVE
- 2023-2123
WP Directory Kit
- Plugin
- WP Directory Kit
- Vulnerability
- Cross Site Request Forgery (CSRF)
- CVE
- 2023-2279
WP Directory Kit
- Plugin
- WP Directory Kit
- CVE
- 2023-2280
Albo Pretorio On line
- Plugin
- Albo Pretorio On line
- Vulnerability
- Cross Site Scripting (XSS)
- CVE
- 2023-32109
Albo Pretorio On line
- Plugin
- Albo Pretorio On line
- Vulnerability
- Cross Site Scripting (XSS)
- CVE
- 2023-32108
Contact Form 7 extension for Google Map fields
- Vulnerability
- Cross Site Scripting (XSS)
Photo Gallery by Ays
- Vulnerability
- Cross Site Scripting (XSS)
- CVE
- 2023-32107
TP Education
- Plugin
- TP Education
- Vulnerability
- Cross Site Scripting (XSS)
- CVE
- 2023-32103
WP Docs
- Plugin
- WP Docs
- Vulnerability
- Cross Site Scripting (XSS)
- CVE
- 2023-32106
WPPizza – A Restaurant Plugin
- Vulnerability
- Cross Site Scripting (XSS)
- CVE
- 2023-32105
WP SMTP Mailing Queue
- Plugin
- SMTP Mailing Queue
- Vulnerability
- Cross Site Scripting (XSS)
- CVE
- 2023-1090
Library Viewer
- Plugin
- Library Viewer
- Vulnerability
- Cross Site Scripting (XSS)
- CVE
- 2023-32102
Library Viewer
- Plugin
- Library Viewer
- CVE
- 2023-32101
Hostel
- Plugin
- Hostel
- Vulnerability
- Cross Site Scripting (XSS)
- CVE
- 2023-32120
Advanced Custom Fields Pro
- Plugin
- Advanced Custom Fields PRO
- Vulnerability
- Cross Site Scripting (XSS)
- CVE
- 2023-30777
Advanced Custom Fields Pro
- Plugin
- Advanced Custom Fields PRO
- CVE
- 2023-1196
tagDiv Composer
- Vulnerability
- Cross Site Scripting (XSS)
- CVE
- 2023-1596
WordPress Plugin Vulnerabilities – No Known Fix
This section contains plugin vulnerabilities with no known fix. Until a patch is available, you are advised to deactivate the plugin, at minimum, immediately. If there is a high risk of active exploits or the plugin remains unpatched for weeks, you are advised to delete the plugin. You should also delete persistently unpatched plugins the WordPress.org repository has locked and marked “Closed” so they can no longer be downloaded and installed.
Easy Appointments
- Plugin
- Easy Appointments
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- CVE
- 2022-36424
Points and Rewards for WooCommerce
- Patched in Version
- No Fix
- CVE
- 2023-27608
Points and Rewards for WooCommerce
- Patched in Version
- No Fix
- CVE
- 2023-27607
Community by PeepSo
- Patched in Version
- No Fix
- CVE
- 2023-27630
Cryptocurrency Payment & Donation Box
- Patched in Version
- No Fix
- CVE
- 2023-32128
WP Job Portal
- Patched in Version
- No Fix
- CVE
- 2022-41786
Multi Rating
- Plugin
- Multi Rating
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- CVE
- 2023-32130
Multi Rating
- Plugin
- Multi Rating
- Patched in Version
- No Fix
- CVE
- 2023-32127
Multi Rating
- Plugin
- Multi Rating
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- CVE
- 2023-32125
Booking Ultra Pro Appointments
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- CVE
- 2023-32236
REST API TO MiniProgram
- Plugin
- REST API TO MiniProgram
- Patched in Version
- No Fix
- CVE
- 2023-0551
Tiempo.com
- Plugin
- Tiempo.com
- Vulnerability
- Cross Site Request Forgery (CSRF)
- Patched in Version
- No Fix
- CVE
- 2023-2271
Tiempo.com
- Plugin
- Tiempo.com
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- CVE
- 2023-0058
Tiempo.com
- Plugin
- Tiempo.com
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- CVE
- 2023-2272
Manager for Icommon
- Plugin
- Manager for Icomoon
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- CVE
- 2023-29387
Manager for Icommon
- Plugin
- Manager for Icomoon
- Patched in Version
- No Fix
- CVE
- 2023-29386
WP Abstracts
- Plugin
- WP Abstracts
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- CVE
- 2023-29385
UserAgent-Spy
- Plugin
- UserAgent-Spy
- Vulnerability
- Cross Site Scripting (XSS)
- Patched in Version
- No Fix
- CVE
- 2023-2490
WordPress Theme Vulnerabilities
In this section, you’ll find the latest WordPress theme vulnerabilities to be disclosed. You’ll see the same information provided above for vulnerable plugins, and the same advice applies. If a security update exists, install it immediately. If a vulnerability remains unpatched in a theme you are actively using, you will need to find an alternative theme. Deactivate and delete persistently unpatched themes and those that have been “Closed” in the WordPress.org theme repository. If you have a vulnerable theme installed that you are not actively using, simply delete it.
Editorialmag
- Theme
- Editorialmag
- Patched in Version
- No Fix
- CVE
- 2023-32129
JupiterX
- CVE
- 2023-32110
TheGem (Elementor)
- Vulnerability
- Cross Site Scripting (XSS)
- CVE
- 2023-32237
TheGem (Elementor)
- CVE
- 2023-32238
TheGem (WPBakery)
- CVE
- 2023-32238
TheGem (WPBakery)
- Vulnerability
- Cross Site Scripting (XSS)
- CVE
- 2023-32237
Never worry about running a vulnerable plugin or theme again.
As you can see from this report, new WordPress plugin and theme vulnerabilities are disclosed every week. We know it can be difficult to stay on top of every reported vulnerability disclosure that matters to you, so the Themes Security Pro plugin makes it easy to ensure your site isn’t running a vulnerable theme, plugin, or version of WordPress core.
The Best WordPress Security Plugin to Secure & Protect WordPress Sites
WordPress currently powers over 40% of all websites, so it has become a popular target for hackers with malicious intent. The iThemes Security Pro plugin takes the guesswork out of WordPress security to make it easy to secure & protect your WordPress website. It’s like having a full-time security expert on staff who constantly monitors and protects your WordPress site for you.
The post WordPress Vulnerability Report – May 10, 2023 appeared first on iThemes.
This content was originally published here.