WordPress Vulnerability Report – May 17, 2023

This week, WordPress 6.2.1 was released — the first security and maintenance update for the 6.2 version line. This release patched 5 security vulnerabilities, including Cross-Site Scripting (XSS), Cross-site request forgery (CSRF), and path traversal vulnerabilities. If you have your site set to auto-update point releases for WordPress core, your site is likely already protected. Still, it is good practice to verify that the update has been applied to protect your site. For a full review of these patches, you can review WordPress trac tickets for 6.2.1.

In the plugin and theme ecosystem, 146 total vulnerabilities emerged in public disclosure. They may affect over 17 million WordPress sites. Out of the total number, there are 92 plugin vulnerabilities and 5 in themes that have security patches available. This includes Elementor (used on 5+ million sites) and Divi, which is used on over 4 million sites.

Additionally, there are 49 plugin vulnerabilities with no patch available yet. If you are using any unpatched plugins or themes, check their vendors’ intentions and progress on a security release. If no patch is forthcoming or the vulnerable software has been closed and dropped from the official WordPress and repositories, you should consider deactivation and removal in favor of alternative solutions.

WordPress core is very secure when it’s properly configured and maintained. Vulnerable plugins that have not been updated by site owners are the most common vector for attacks on WordPress websites. Our weekly WordPress Vulnerability Report, powered by Patchstack, covers new WordPress plugin, theme, and core vulnerabilities that have emerged since last week’s report. Our goal is to spread awareness of emerging security threats and help you decide what to do if you are using vulnerable software on your website. For a deeper analysis of recent trends in WordPress vulnerabilities and threat vectors, see our 2022 Annual Vulnerability Report.

These reports are published every Wednesday and include all active vulnerabilities tracked by Patchstack as of Monday since the previous report. This leaves a 48-hour window for the newest emerging vulnerabilities to be patched before full public disclosure. iThemes Security Pro users have access to vulnerability alerts emerging within this window.

WordPress Plugin Vulnerabilities with Patches

In this section, you’ll find the most recently disclosed WordPress plugin vulnerabilities that have been fixed with a new release from their authors and maintainers. Please apply the updates if you are affected!

These vulnerabilities have been disclosed and scored for their severity, thanks to our friends at Patchstack. Each plugin listing includes the type of vulnerability with its CVE number and CVSS severity rating with links to more technical details. You’ll also see the number of active sites using the plugin and the plugin version release that patches the vulnerability. We start with the most popular plugins, which represent the largest target for attackers.

Elementor

Product image for Elementor Website Builder.

Vulnerability
Missing Authorization to Settings Update
The vulnerability has been patched, so you should update to version 3.13.2.

Loginizer

Product image for Loginizer.

Plugin
Loginizer
Vulnerability
Reflected Cross Site Scripting (XSS)
CVE
2023-2296
The vulnerability has been patched, so you should update to version 1.7.9.

WP Fastest Cache

Product image for WP Fastest Cache.

Vulnerability
Server Side Request Forgery (SSRF)
CVE
2023-1938
The vulnerability has been patched, so you should update to version 1.1.5.

MW WP Form

Product image for MW WP Form.

Plugin
MW WP Form
Vulnerability
Directory Traversal via _file_upload
The vulnerability has been patched, so you should update to version 4.4.3.

Download Manager

Product image for Download Manager.

Vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE
2023-2305
The vulnerability has been patched, so you should update to version 3.2.71.

Download Monitor

Product image for Download Monitor.

The vulnerability has been patched, so you should update to version 4.7.70.
Vulnerability
Reflected Cross-Site Scripting via ‘lang’
The vulnerability has been patched, so you should update to version 3.1.61.

Slimstat Analytics

Product image for Slimstat Analytics.

Vulnerability
Reflected Cross Site Scripting (XSS)
The vulnerability has been patched, so you should update to version 5.0.5.

AnyWhere Elementor

Product image for AnyWhere Elementor.

CVE
2023-0443
The vulnerability has been patched, so you should update to version 1.2.8.

Custom Field Suite

Vulnerability
Cross Site Scripting (XSS)
The vulnerability has been patched, so you should update to version 2.6.3.

Easy Hide Login

Product image for Easy Hide Login.

Vulnerability
Cross Site Request Forgery (CSRF)
The vulnerability has been patched, so you should update to version 1.0.9.

Easy Hide Login

Product image for Easy Hide Login.

Vulnerability
Cross Site Scripting (XSS)
The vulnerability has been patched, so you should update to version 1.0.8.

Login Rebuilder

Vulnerability
Admin+ Stored Cross Site Scripting (XSS)
CVE
2023-2223
The vulnerability has been patched, so you should update to version 2.8.1.

10Web Social Post Feed

Product image for 10Web Social Post Feed.

Vulnerability
Cross Site Scripting (XSS)
The vulnerability has been patched, so you should update to version 1.2.9.

Custom 404 Pro

Product image for Custom 404 Pro.

Vulnerability
Reflected Cross Site Scripting (XSS)
The vulnerability has been patched, so you should update to version 3.8.2.

Custom 404 Pro

Product image for Custom 404 Pro.

Vulnerability
Reflected Cross Site Scripting (XSS)
CVE
2023-2023
The vulnerability has been patched, so you should update to version 3.7.3.

GTmetrix for WordPress

Product image for GTmetrix for WordPress.

Vulnerability
Reflected Cross Site Scripting (XSS)
The vulnerability has been patched, so you should update to version 0.4.7.

Snow Monkey Forms

Product image for Snow Monkey Forms.

Vulnerability
Directory Traversal via ‘view’ REST endpoint
The vulnerability has been patched, so you should update to version 5.0.7.

Wise Chat

Product image for Wise Chat.

Plugin
Wise Chat
Vulnerability
Cross Site Request Forgery (CSRF)
The vulnerability has been patched, so you should update to version 3.1.4.

My WP Customize Admin/Frontend

Vulnerability
Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
The vulnerability has been patched, so you should update to version 1.21.1.

Brands for WooCommerce

Product image for Brands for WooCommerce.

Vulnerability
Cross Site Scripting (XSS)
The vulnerability has been patched, so you should update to version 3.8.2.

CM On Demand Search And Replace

Product image for CM On Demand Search And Replace.

Vulnerability
Cross Site Request Forgery (CSRF)
The vulnerability has been patched, so you should update to version 1.3.1.

Seo By 10Web

Product image for SEO by 10Web.

Plugin
SEO by 10Web
CVE
2023-2224
The vulnerability has been patched, so you should update to version 1.2.7.

Injection Guard

Product image for Injection Guard.

The vulnerability has been patched, so you should update to version 1.2.2.

Locatoraid Store Locator

Product image for Locatoraid Store Locator.

Vulnerability
Cross Site Scripting (XSS)
The vulnerability has been patched, so you should update to version 3.9.19.

Pro Mime Types

Vulnerability
Cross Site Request Forgery (CSRF)
The vulnerability has been patched, so you should update to version 2.0.0.

WP Reactions Lite

Product image for WP Reactions Lite.

Vulnerability
Cross Site Request Forgery (CSRF)
The vulnerability has been patched, so you should update to version 1.3.9.

Video Gallery

Product image for Video Gallery.

Plugin
Video Gallery
Vulnerability
Cross Site Scripting (XSS)
The vulnerability has been patched, so you should update to version 1.0.11.

Block Referer Spam

Product image for Block Referer Spam.

Vulnerability
Cross Site Scripting (XSS)
The vulnerability has been patched, so you should update to version 1.1.9.5.

Featured Image Pro Post Grid

Product image for Featured Image Pro Post Grid.

Vulnerability
Reflected Cross Site Scripting (XSS)
The vulnerability has been patched, so you should update to version 5.15.

WP Replicate Post

Product image for WP Replicate Post.

Vulnerability
Authenticated (Contributor+) SQL Injection
CVE
2023-2237
The vulnerability has been patched, so you should update to version 4.1.

Custom Base Terms

Product image for Custom Base Terms.

Vulnerability
Authenticated (Administrator+) Stored Cross-Site Scripting via ‘base’
The vulnerability has been patched, so you should update to version 1.0.3.

Easy Form by AYS

Product image for Easy Form by AYS.

Vulnerability
Cross Site Scripting (XSS)
The vulnerability has been patched, so you should update to version 1.2.1.

Predictive Search

Product image for Predictive Search.

The vulnerability has been patched, so you should update to version 1.2.3.

AutomateWoo

Vulnerability
Cross Site Request Forgery (CSRF)
The vulnerability has been patched, so you should update to version 5.7.2.

AutomateWoo

Vulnerability
Shop Manager+ SQL Injection
The vulnerability has been patched, so you should update to version 5.7.2.

Essential Addons for Elementor Pro

Plugin
Essential Addons for Elementor Pro
Vulnerability
Reflected Cross Site Scripting (XSS)
The vulnerability has been patched, so you should update to version 5.4.9.

Essential Addons for Elementor Pro

Plugin
Essential Addons for Elementor Pro
Vulnerability
Unauthenticated Server Side Request Forgery (SSRF)
The vulnerability has been patched, so you should update to version 5.4.9.

WooCommerce Bookings

Vulnerability
Insecure Direct Object References (IDOR)
The vulnerability has been patched, so you should update to version 1.15.79.

WooCommerce Brands

Vulnerability
Contributor+ Stored Cross Site Scripting (XSS)
The vulnerability has been patched, so you should update to version 1.6.46.

WooCommerce Composite Products

Vulnerability
Reflected Cross Site Scripting (XSS)
The vulnerability has been patched, so you should update to version 8.7.6.

WooCommerce Pre-Orders

Vulnerability
Contributor+ Stored Cross Site Scripting (XSS)
The vulnerability has been patched, so you should update to version 2.0.1.

WooCommerce Pre-Orders

Vulnerability
Cross Site Scripting (XSS)
The vulnerability has been patched, so you should update to version 2.0.0.

WooCommerce Product Add-ons

Vulnerability
Authenticated PHP Object Injection
The vulnerability has been patched, so you should update to version 6.2.0.

WooCommerce Product Add-ons

Vulnerability
Cross Site Request Forgery (CSRF)
The vulnerability has been patched, so you should update to version 6.2.0.

WooCommerce Product Recommendations

Vulnerability
Cross Site Request Forgery (CSRF)
The vulnerability has been patched, so you should update to version 2.3.0.

WooCommerce Ship to Multiple Addresses

Plugin
WooCommerce Ship to Multiple Addresses
Vulnerability
Insecure Direct Object References (IDOR)
The vulnerability has been patched, so you should update to version 3.8.4.

Woodmart Core

The vulnerability has been patched, so you should update to version 1.0.37.

Woodmart Core

The vulnerability has been patched, so you should update to version 1.0.37.

Yoast SEO Premium

Vulnerability
Unauthenticated Zapier API Key Reset
The vulnerability has been patched, so you should update to version 20.5.

Predictive Search

The vulnerability has been patched, so you should update to version 1.2.3.

Yoast SEO: Local

Vulnerability
Cross Site Request Forgery (CSRF)
The vulnerability has been patched, so you should update to version 14.9.

Yoast SEO: Local

Vulnerability
Reflected Cross Site Scripting (XSS)
The vulnerability has been patched, so you should update to version 14.9.

YITH WooCommerce Gift Cards Premium

Plugin
YITH WooCommerce Gift Cards Premium
Vulnerability
Unauth. Gift Card Creation Leading to Stored XSS
The vulnerability has been patched, so you should update to version 3.24.0.

WordPress Plugin Vulnerabilities – No Known Fix

This section contains plugin vulnerabilities with no known fix. Until a patch is available, you are advised to deactivate the plugin, at minimum, immediately. If there is a high risk of active exploits or the plugin remains unpatched for weeks, you are advised to delete the plugin. You should also delete persistently unpatched plugins the WordPress.org repository has locked and marked “Closed” so they can no longer be downloaded and installed.

Quick Page/Post Redirect Plugin

Product image for Quick Page/Post Redirect Plugin.

Vulnerability
Cross Site Scripting (XSS)
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

Link Whisper Free

Product image for Link Whisper Free.

Vulnerability
Unauthenticated Broken Access Control
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

WP-Chatbot for Messenger

Product image for WP-Chatbot for Messenger.

Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

SoundCloud Is Gold

Product image for SoundCloud Is Gold.

Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

WP Category Post List Widget

Product image for WP Category Post List Widget.

Vulnerability
Cross Site Scripting (XSS)
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

Add Posts to Pages

Product image for Add Posts to Pages.

Vulnerability
Cross Site Scripting (XSS)
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

Button

Product image for Button.

Plugin
Button
Vulnerability
Cross Site Scripting (XSS)
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

Owl Carousel

Product image for Owl Carousel.

Plugin
Owl Carousel
Vulnerability
Cross Site Scripting (XSS)
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

Pinterest RSS Widget

Product image for Pinterest RSS Widget.

Vulnerability
Cross Site Scripting (XSS)
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

WCP Contact Form

Product image for WCP Contact Form.

Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

WCP Contact Form

Product image for WCP Contact Form.

Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

Hyphenator

Product image for Hyphenator.

Plugin
Hyphenator
Vulnerability
Cross Site Request Forgery (CSRF)
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

Woo Custom Emails

Product image for Woo Custom Emails.

Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

Column-Matic

Product image for Column-Matic.

Plugin
Column-Matic
Vulnerability
Cross Site Scripting (XSS)
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

DevBuddy Twitter Feed

Vulnerability
Cross Site Scripting (XSS)
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

Iframe Popup

Product image for iframe popup.

Plugin
iframe popup
Vulnerability
Cross Site Scripting (XSS)
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

Order Your Posts Manually

Product image for Order Your Posts Manually.

Vulnerability
Reflected Cross Site Scripting (XSS)
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

Order Your Posts Manually

Product image for Order Your Posts Manually.

Vulnerability
Reflected Cross Site Scripting (XSS)
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

Order Your Posts Manually

Product image for Order Your Posts Manually.

Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

Post State Tags

Product image for Post State Tags.

Vulnerability
Cross Site Request Forgery (CSRF)
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

Donations Made Easy – Smart Donations

Product image for Donations Made Easy – Smart Donations.

Vulnerability
Reflected Cross Site Scripting (XSS)
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

WP All Backup

Product image for WP All Backup.

Plugin
WP All Backup
Vulnerability
Cross Site Request Forgery (CSRF)
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

WP Chinese Conversion

Vulnerability
Cross Site Scripting (XSS)
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

itemprop WP for SERP/SEO Rich snippets

Vulnerability
Cross Site Scripting (XSS)
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

WP Register Profile With Shortcode

Product image for WP Register Profile With Shortcode.

Vulnerability
Cross Site Scripting (XSS)
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

Newsletter Popup

Product image for Newsletter Popup.

Vulnerability
Cross Site Scripting (XSS)
Patched in Version
No Fix
CVE
2023-0733
The vulnerability has not been patched. You should deactivate the plugin.

Newsletter Popup

Product image for Newsletter Popup.

Vulnerability
Record Deletion via CSRF
Patched in Version
No Fix
CVE
2023-0766
The vulnerability has not been patched. You should deactivate the plugin.

WP Multi Store Locator

Product image for WP Multi Store Locator.

Patched in Version
No Fix
CVE
2023-0152
The vulnerability has not been patched. You should deactivate the plugin.

WP Abstracts

Product image for WP Abstracts.

Plugin
WP Abstracts
Vulnerability
Reflected Cross Site Scripting (XSS)
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

Add to Feedly

Product image for Add to Feedly.

Plugin
Add to Feedly
Patched in Version
No Fix
CVE
2023-2470
The vulnerability has not been patched. You should deactivate the plugin.

CALL ME NOW

Product image for CALL ME NOW.

Plugin
CALL ME NOW
Vulnerability
Cross Site Request Forgery (CSRF)
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

Dyslexiefont Free

Product image for Dyslexiefont Free.

Vulnerability
Cross Site Request Forgery (CSRF)
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

Don8

Product image for Don8.

Vulnerability
Cross Site Scripting (XSS)
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

Sunny Search

Plugin
Sunny Search
Vulnerability
Cross Site Scripting (XSS)
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

Sunny Search

Plugin
Sunny Search
Vulnerability
Cross Site Request Forgery (CSRF)
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

AP Pricing Tables Lite

Plugin
AP Pricing Tables Lite
Patched in Version
No Fix
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

DBargain

Product image for DBargain.

Plugin
DBargain
Vulnerability
Cross Site Scripting (XSS)
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

eBecas

Product image for eBecas.

Plugin
eBecas
Vulnerability
Cross Site Scripting (XSS)
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

Get Your Number

Patched in Version
No Fix
CVE
2023-2634
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

weebotLite

Plugin
weebotLite
Vulnerability
Cross Site Scripting (XSS)
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

WordPress Theme Vulnerabilities

In this section, you’ll find the latest WordPress theme vulnerabilities to be disclosed. You’ll see the same information provided above for vulnerable plugins, and the same advice applies. If a security update exists, install it immediately. If a vulnerability remains unpatched in a theme you are actively using, you will need to find an alternative theme. Deactivate and delete persistently unpatched themes and those that have been “Closed” in the WordPress.org theme repository. If you have a vulnerable theme installed that you are not actively using, simply delete it.

Divi

Vulnerability
Cross Site Scripting (XSS)
The vulnerability has been patched, so you should update to version 4.20.3.

Flatsome

Vulnerability
Reflected Cross Site Scripting (XSS)
The vulnerability has been patched, so you should update to version 3.17.0.

WoodMart

Vulnerability
Cross Site Request Forgery (CSRF)
The vulnerability has been patched, so you should update to version 7.1.2.

Woodmart

The vulnerability has been patched, so you should update to version 7.2.2.

Woodmart

Vulnerability
Cross Site Scripting (XSS)
The vulnerability has been patched, so you should update to version 7.2.2.

Never worry about running a vulnerable plugin or theme again.

As you can see from this report, new WordPress plugin and theme vulnerabilities are disclosed every week. We know it can be difficult to stay on top of every reported vulnerability disclosure that matters to you, so the Themes Security Pro plugin makes it easy to ensure your site isn’t running a vulnerable theme, plugin, or version of WordPress core.

The post WordPress Vulnerability Report – May 17, 2023 appeared first on iThemes.

This content was originally published here.