WordPress Vulnerability Report — November 22, 2023

Since our last report, 141 new vulnerabilities have been publicly disclosed, including three in Jetpack and others in WooCommerce, EWWW Image Optimizer, WP Fastest Cache, and Forminator. Security patches are available for them now, along with 77 other plugins, so run those updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Additionally, there are 57 plugin vulnerabilities with no patch available yet. If you’re a Solid Security Pro user, your site is already protected against those vulnerabilities by the Solid Security firewall with virtual patches from Patchstack. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

WordPress Core

WordPress 6.4.1 was released on November 8 as a short-cycle maintenance release to address several bugs, including loss of backward compatibility with a dependency, cURL 7.29 or earlier. This broke the WordPress internal update facility on servers running very old, insecure cURL versions.

WordPress 6.4 was released on November 7 as the third major release of 2023. Following a major release, you should not update live sites without taking backups and testing the update in a non-production environment first.
WordPress Plugins — 84 Patched / 57 Unpatched

Shortcodes and extra features for Phlox theme
Plugin Slug: auxin-elements; Installations: 100,000+; Vulnerability: Local File Inclusion; Patched in Version: No Fix; Severity Score: High; CVE: 2023-37888

Conditional Fields for Contact Form 7
Plugin Slug: cf7-conditional-fields; Installations: 100,000+; Vulnerability: Broken Access Control; Patched in Version: No Fix; Severity Score: Medium; CVE: 2023-47838

Premium Portfolio Features for Phlox theme
Plugin Slug: auxin-portfolio; Installations: 50,000+; Vulnerability: Local File Inclusion; Patched in Version: No Fix; Severity Score: High; CVE: 2023-38399

Theme Editor
Plugin Slug: theme-editor; Installations: 50,000+; Vulnerability: Arbitrary File Upload; Patched in Version: No Fix; Severity Score: High; CVE: 2023-6091

Pz-LinkCard
Plugin Slug: pz-linkcard; Installations: 30,000+; Vulnerability: Cross Site Request Forgery (CSRF); Patched in Version: No Fix; Severity Score: High; CVE: 2023-47790

wpForo Forum
Plugin Slug: wpforo; Installations: 20,000+; Vulnerability: Cross Site Request Forgery (CSRF); Patched in Version: No Fix; Severity Score: Medium; CVE: 2023-47870

wpForo Forum
Plugin Slug: wpforo; Installations: 20,000+; Vulnerability: Content Injection; Patched in Version: No Fix; Severity Score: Medium; CVE: 2023-47869

Multi Step Form
Plugin Slug: multi-step-form; Installations: 10,000+; Vulnerability: Cross Site Request Forgery (CSRF); Patched in Version: No Fix; Severity Score: Medium; CVE: 2023-47758

myCred – Points, Rewards, Gamification, Ranks, Badges & Loyalty Plugin
Plugin Slug: mycred; Installations: 10,000+; Vulnerability: Cross Site Scripting (XSS); Patched in Version: No Fix; Severity Score: Medium; CVE: 2023-47853

Welcome Email Editor
Plugin Slug: welcome-email-editor; Installations: 10,000+; Vulnerability: Broken Access Control; Patched in Version: No Fix; Severity Score: Medium; CVE: 2023-47756

WP Child Theme Generator
Plugin Slug: wp-child-theme-generator; Installations: 10,000+; Vulnerability: Arbitrary File Upload; Patched in Version: No Fix; Severity Score: Critical; CVE: 2023-47873

Footer Putter
Plugin Slug: footer-putter; Installations: 9,000+; Vulnerability: Cross Site Scripting (XSS); Patched in Version: No Fix; Severity Score: High; CVE: 2023-47768

WPCafe – Restaurant Menu, Online Ordering for WooCommerce, Pickup / Delivery and Table Reservation
Plugin Slug: wp-cafe; Installations: 7,000+; Vulnerability: Broken Access Control; Patched in Version: No Fix; Severity Score: Medium; CVE: 2023-47805

Acme Fix Images
Plugin Slug: acme-fix-images; Installations: 6,000+; Vulnerability: Broken Access Control; Patched in Version: No Fix; Severity Score: Medium; CVE: 2023-47793

EasyAzon – Amazon Associates Affiliate Plugin
Plugin Slug: easyazon; Installations: 5,000+; Vulnerability: Broken Access Control; Patched in Version: No Fix; Severity Score: Medium; CVE: 2023-47780

Disable User Login
Plugin Slug: disable-user-login; Installations: 3,000+; Vulnerability: Cross Site Request Forgery (CSRF); Patched in Version: No Fix; Severity Score: Medium; CVE: 2023-47806

Parallax Image
Plugin Slug: parallax-image; Installations: 3,000+; Vulnerability: Cross Site Scripting (XSS); Patched in Version: No Fix; Severity Score: Medium; CVE: 2023-47854

Permalinks Customizer
Plugin Slug: permalinks-customizer; Installations: 3,000+; Vulnerability: Cross Site Scripting (XSS); Patched in Version: No Fix; Severity Score: High; CVE: 2023-47773

Contact Form to Any API
Plugin Slug: contact-form-to-any-api; Installations: 2,000+; Vulnerability: Broken Access Control; Patched in Version: No Fix; Severity Score: Medium; CVE: 2023-47871

CodeBard’s Patron Button and Widgets for Patreon
Plugin Slug: patron-button-and-widgets-by-codebard; Installations: 2,000+; Vulnerability: Cross Site Request Forgery (CSRF); Patched in Version: No Fix; Severity Score: Medium; CVE: 2023-47765

SearchIQ – The Search Solution
Plugin Slug: searchiq; Installations: 2,000+; Vulnerability: Broken Access Control; Patched in Version: No Fix; Severity Score: Medium; CVE: 2023-47832

Bootstrap Shortcodes Ultimate
Plugin Slug: bs-shortcode-ultimate; Installations: 1,000+; Vulnerability: Cross Site Scripting (XSS); Patched in Version: No Fix; Severity Score: Medium; CVE: 2023-47851

Interactive World Map
Plugin Slug: interactive-world-map; Installations: 1,000+; Vulnerability: Cross Site Scripting (XSS); Patched in Version: No Fix; Severity Score: High; CVE: 2023-47767

Theater for WordPress
Plugin Slug: theatre; Installations: 700+; Vulnerability: Cross Site Scripting (XSS); Patched in Version: No Fix; Severity Score: Medium; CVE: 2023-47833

Simply Excerpts
Plugin Slug: simply-excerpts; Installations: 400+; Vulnerability: Cross Site Scripting (XSS); Patched in Version: No Fix; Severity Score: Medium; CVE: 2023-5137

wpMandrill
Plugin Slug: wpmandrill; Vulnerability: Broken Access Control; Patched in Version: No Fix; Severity Score: Medium; CVE: 2023-47828

WP Not Login Hide
Plugin Slug: wp-not-login-hide-wpnlh; Vulnerability: Cross Site Scripting (XSS); Patched in Version: No Fix; Severity Score: Medium; CVE: 2023-5940

WP Like Button
Plugin Slug: wp-like-button; Vulnerability: Broken Access Control; Patched in Version: No Fix; Severity Score: Medium; CVE: 2023-47820

WP Githuber MD
Plugin Slug: wp-githuber-md; Vulnerability: Arbitrary File Upload; Patched in Version: No Fix; Severity Score: Critical; CVE: 2023-47846

10WebAnalytics
Plugin Slug: wd-google-analytics; Vulnerability: Broken Access Control; Patched in Version: No Fix; Severity Score: Medium; CVE: 2023-47807

Tainacan
Plugin Slug: tainacan; Vulnerability: Cross Site Scripting (XSS); Patched in Version: No Fix; Severity Score: High; CVE: 2023-47848

Grab & Save
Plugin Slug: save-grab; Vulnerability: Cross Site Scripting (XSS); Patched in Version: No Fix; Severity Score: High; CVE: 2023-47844

Grab & Save
Plugin Slug: save-grab; Vulnerability: Cross Site Request Forgery (CSRF); Patched in Version: No Fix; Severity Score: Medium; CVE: 2023-47845

Quick Call Button
Plugin Slug: quick-call-button; Vulnerability: Cross Site Scripting (XSS); Patched in Version: No Fix; Severity Score: Medium; CVE: 2023-47829

WooCommerce Product Carousel Slider
Plugin Slug: product-carousel-slider-for-woocommerce; Vulnerability: Cross Site Scripting (XSS); Patched in Version: No Fix; Severity Score: Medium; CVE: 2023-47755

PayTR Taksit Tablosu
Plugin Slug: paytr-taksit-tablosu-woocommerce; Vulnerability: Broken Access Control; Patched in Version: No Fix; Severity Score: Medium; CVE: 2023-47847

LuckyWP Scripts Control
Plugin Slug: luckywp-scripts-contro; Vulnerability: Broken Access Control; Patched in Version: No Fix; Severity Score: Medium; CVE: 2023-47778

Leadster
Plugin Slug: leadster-marketing-conversaciona; Vulnerability: Cross Site Request Forgery (CSRF); Patched in Version: No Fix; Severity Score: Medium; CVE: 2023-47791

ElementsKit Pro
Plugin Slug: elementskit; Vulnerability: Broken Access Control; Patched in Version: No Fix; Severity Score: Medium; CVE: 2023-39993

Easy Call Now by ThikShare
Plugin Slug: easy-call-now; Vulnerability: Cross Site Request Forgery (CSRF); Patched in Version: No Fix; Severity Score: Medium; CVE: 2023-47819

DrawIt (draw.io)
Plugin Slug: drawit; Vulnerability: Cross Site Scripting (XSS); Patched in Version: No Fix; Severity Score: Medium; CVE: 2023-47831

Live Preview for Contact Form 7
Plugin Slug: cf7-live-preview; Vulnerability: Broken Access Control; Patched in Version: No Fix; Severity Score: Medium; CVE: 2023-47830

Integration for Contact Form 7 and Constant Contact
Plugin Slug: cf7-constant-contact; Vulnerability: Open Redirection; Patched in Version: No Fix; Severity Score: Medium; CVE: 2023-47779

CataBlog
Plugin Slug: catablog; Vulnerability: Arbitrary File Upload; Patched in Version: No Fix; Severity Score: Critical; CVE: 2023-47842

CataBlog
Plugin Slug: catablog; Vulnerability: Arbitrary File Deletion; Patched in Version: No Fix; Severity Score: High; CVE: 2023-47843

BSK Contact Form 7 Blacklist
Plugin Slug: bsk-contact-form-7-blacklist; Vulnerability: Cross Site Scripting (XSS); Patched in Version: No Fix; Severity Score: High; CVE: 2023-5141

BP Profile Shortcodes Extra
Plugin Slug: bp-profile-shortcodes-extra; Vulnerability: Cross Site Scripting (XSS); Patched in Version: No Fix; Severity Score: Medium; CVE: 2023-47815

BMI Calculator Plugin
Plugin Slug: bmi-calculator-shortcode; Vulnerability: Cross Site Scripting (XSS); Patched in Version: No Fix; Severity Score: Medium; CVE: 2023-47814

Better RSS Widget
Plugin Slug: better-rss-widget; Vulnerability: Cross Site Scripting (XSS); Patched in Version: No Fix; Severity Score: Medium; CVE: 2023-47813

Bamboo Columns
Plugin Slug: bamboo-columns; Vulnerability: Cross Site Scripting (XSS); Patched in Version: No Fix; Severity Score: Medium; CVE: 2023-47812

Phlox Shop
Plugin Slug: auxin-shop; Vulnerability: Local File Inclusion; Patched in Version: No Fix; Severity Score: High; CVE: 2023-39163

Audio Merchant
Plugin Slug: audio-merchant; Vulnerability: Cross Site Request Forgery (CSRF); Patched in Version: No Fix; Severity Score: High; CVE: 2023-6196

Audio Merchant
Plugin Slug: audio-merchant; Vulnerability: Cross Site Request Forgery (CSRF); Patched in Version: No Fix; Severity Score: Medium; CVE: 2023-6197

Anywhere Flash Embed
Plugin Slug: anywhere-flash-embed; Vulnerability: Cross Site Scripting (XSS); Patched in Version: No Fix; Severity Score: Medium; CVE: 2023-47811

AMP+ Plus
Plugin Slug: amp-plus; Vulnerability: Cross Site Scripting (XSS); Patched in Version: No Fix; Severity Score: High; CVE: 2023-5210

Ajax Domain Checker
Plugin Slug: ajax-domain-checker; Vulnerability: Cross Site Scripting (XSS); Patched in Version: No Fix; Severity Score: Medium; CVE: 2023-47810

Add Widgets to Page
Plugin Slug: add-widgets-to-page; Vulnerability: Cross Site Scripting (XSS); Patched in Version: No Fix; Severity Score: Medium; CVE: 2023-47808

Jetpack – WP Security, Backup, Speed, & Growth
Plugin Slug: jetpack; Installations: 5,000,000+; Vulnerability: Broken Access Control; Patched in Version: 12.7; Severity Score: Medium; CVE: 2023-47788

Jetpack – WP Security, Backup, Speed, & Growth
Plugin Slug: jetpack; Installations: 5,000,000+; Vulnerability: Clickjacking; Patched in Version: 12.7; Severity Score: Medium; CVE: 2023-47774

Jetpack – WP Security, Backup, Speed, & Growth
Plugin Slug: jetpack; Installations: 5,000,000+; Vulnerability: Cross Site Scripting (XSS); Patched in Version: 12.8-a.3; Severity Score: Medium; CVE: 2023-45050

WooCommerce
Plugin Slug: woocommerce; Installations: 5,000,000+; Vulnerability: Cross Site Scripting (XSS); Patched in Version: 8.2.0; Severity Score: Medium; CVE: 2023-47777

EWWW Image Optimizer
Plugin Slug: ewww-image-optimizer; Installations: 1,000,000+; Vulnerability: Sensitive Data Exposure; Patched in Version: 7.2.1; Severity Score: Medium; CVE: 2023-40600

WP Fastest Cache
Plugin Slug: wp-fastest-cache; Installations: 1,000,000+; Vulnerability: SQL Injection; Patched in Version: 1.2.2; Severity Score: Critical; CVE: 2023-6063

Forminator – Contact Form, Payment Form & Custom Form Builder
Plugin Slug: forminator; Installations: 400,000+; Vulnerability: Arbitrary File Upload; Patched in Version: 1.28.0; Severity Score: Medium; CVE: 2023-6133

Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button – Chaty
Plugin Slug: chaty; Installations: 200,000+; Vulnerability: Cross Site Scripting (XSS); Patched in Version: 3.1.3; Severity Score: Medium; CVE: 2023-47759

Simple 301 Redirects by BetterLinks
Plugin Slug: simple-301-redirects; Installations: 200,000+; Vulnerability: Broken Access Control; Patched in Version: 2.0.8; Severity Score: Medium; CVE: 2023-47761

Elementor Addon Elements
Plugin Slug: addon-elements-for-elementor-page-builder; Installations: 100,000+; Vulnerability: Cross Site Request Forgery (CSRF); Patched in Version: 1.12.8; Severity Score: Medium; CVE: 2023-4689

Elementor Addon Elements
Plugin Slug: addon-elements-for-elementor-page-builder; Installations: 100,000+; Vulnerability: Cross Site Scripting (XSS); Patched in Version: 1.12.8; Severity Score: Medium; CVE: 2023-5381

Elementor Addon Elements
Plugin Slug: addon-elements-for-elementor-page-builder; Installations: 100,000+; Vulnerability: Broken Access Control; Patched in Version: 1.12.8; Severity Score: Medium; CVE: 2023-4723

Elementor Addon Elements
Plugin Slug: addon-elements-for-elementor-page-builder; Installations: 100,000+; Vulnerability: Cross Site Request Forgery (CSRF); Patched in Version: 1.12.8; Severity Score: Medium; CVE: 2023-4690

Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates
Plugin Slug: essential-blocks; Installations: 100,000+; Vulnerability: Broken Access Control; Patched in Version: 4.2.1; Severity Score: Medium; CVE: 2023-47760

Newsletter, SMTP, Email marketing and Subscribe forms by Brevo (formely Sendinblue)
Plugin Slug: mailin; Installations: 100,000+; Vulnerability: Cross Site Scripting (XSS); Patched in Version: 3.1.61; Severity Score: High; CVE: 2023-2472

WooCommerce Blocks
Plugin Slug: woo-gutenberg-products-block; Installations: 100,000+; Vulnerability: Cross Site Scripting (XSS); Patched in Version: 11.1.2; Severity Score: Medium; CVE: 2023-47777

WP Meta and Date Remover
Plugin Slug: wp-meta-and-date-remover; Installations: 100,000+; Vulnerability: Broken Access Control; Patched in Version: 2.3.1; Severity Score: Medium; CVE: 2023-47836

Email Encoder – Protect Email Addresses and Phone Numbers
Plugin Slug: email-encoder-bundle; Installations: 80,000+; Vulnerability: Cross Site Scripting (XSS); Patched in Version: 2.1.9; Severity Score: Medium; CVE: 2023-47821

EmbedPress – Embed PDF, YouTube, Google Docs, Vimeo, Wistia Videos, Audios, Maps & Any Documents in Gutenberg & Elementor
Plugin Slug: embedpress; Installations: 80,000+; Vulnerability: Cross Site Scripting (XSS); Patched in Version: 3.9.2; Severity Score: High

Big File Uploads – Increase Maximum File Upload Size
Plugin Slug: tuxedo-big-file-uploads; Installations: 80,000+; Vulnerability: Cross Site Request Forgery (CSRF); Patched in Version: 2.1.2; Severity Score: Medium; CVE: 2023-47792

Comments – wpDiscuz
Plugin Slug: wpdiscuz; Installations: 80,000+; Vulnerability: Cross Site Request Forgery (CSRF); Patched in Version: 7.6.12; Severity Score: Medium; CVE: 2023-47775

Ultimate Dashboard – Custom WordPress Dashboard
Plugin Slug: ultimate-dashboard; Installations: 60,000+; Vulnerability: Cross Site Scripting (XSS); Patched in Version: 3.7.8; Severity Score: Medium; CVE: 2023-4726

Ditty – Responsive News Tickers, Sliders, and Lists
Plugin Slug: ditty-news-ticker; Installations: 40,000+; Vulnerability: Broken Access Control; Patched in Version: 3.1.25; Severity Score: Medium; CVE: 2023-47764

Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress
Plugin Slug: quiz-master-next; Installations: 40,000+; Vulnerability: Cross Site Scripting (XSS); Patched in Version: 8.1.14; Severity Score: Medium; CVE: 2023-47834

Slider – Ultimate Responsive Image Slider
Plugin Slug: ultimate-responsive-image-slider; Installations: 40,000+; Vulnerability: Broken Access Control; Patched in Version: 3.5.12; Severity Score: Medium

Analytify – Google Analytics Dashboard For WordPress (GA4 analytics made easy)
Plugin Slug: wp-analytify; Installations: 40,000+; Vulnerability: Broken Access Control; Patched in Version: 5.2.0; Severity Score: Medium; CVE: 2023-47841

WP Maintenance
Plugin Slug: wp-maintenance; Installations: 40,000+; Vulnerability: Bypass Vulnerability; Patched in Version: 6.1.4; Severity Score: Low; CVE: 2023-47769

BetterDocs – Best Documentation & Knowledge Base Plugin
Plugin Slug: betterdocs; Installations: 30,000+; Vulnerability: Broken Access Control; Patched in Version: 2.5.3; Severity Score: Medium; CVE: 2023-47762

BlossomThemes Email Newsletter
Plugin Slug: blossomthemes-email-newsletter; Installations: 30,000+; Vulnerability: Broken Access Control; Patched in Version: 2.2.5; Severity Score: Medium; CVE: 2023-47849

Link Whisper Free
Plugin Slug: link-whisper; Installations: 30,000+; Vulnerability: SQL Injection; Patched in Version: 0.6.6; Severity Score: High; CVE: 2023-47852

Professional Social Sharing Buttons, Icons & Related Posts – Shareaholic
Plugin Slug: shareaholic; Installations: 30,000+; Vulnerability: Cross Site Scripting (XSS); Patched in Version: 9.7.9; Severity Score: Medium; CVE: 2023-4889

WP Custom Admin Interface
Plugin Slug: wp-custom-admin-interface; Installations: 30,000+; Vulnerability: Broken Access Control; Patched in Version: 7.32; Severity Score: Medium; CVE: 2023-47763

Delete Duplicate Posts
Plugin Slug: delete-duplicate-posts; Installations: 20,000+; Vulnerability: Broken Access Control; Patched in Version: 4.9; Severity Score: Medium; CVE: 2023-47754

MP3 Audio Player for Music, Radio & Podcast by Sonaar
Plugin Slug: mp3-music-player-by-sonaar; Installations: 20,000+; Vulnerability: Broken Access Control; Patched in Version: 4.10.1; Severity Score: Medium; CVE: 2023-47822

Welcart e-Commerce
Plugin Slug: usc-e-shop; Installations: 20,000+; Vulnerability: PHP Object Injection; Patched in Version: 2.9.6; Severity Score: Medium

Welcart e-Commerce
Plugin Slug: usc-e-shop; Installations: 20,000+; Vulnerability: Arbitrary File Upload; Patched in Version: 2.9.5; Severity Score: High

wpForo Forum
Plugin Slug: wpforo; Installations: 20,000+; Vulnerability: Cross Site Scripting (XSS); Patched in Version: 2.2.4; Severity Score: Medium; CVE: 2023-47872

wpForo Forum
Plugin Slug: wpforo; Installations: 20,000+; Vulnerability: Privilege Escalation; Patched in Version: 2.2.4; Severity Score: High; CVE: 2023-47868

AWeber – Free Sign Up Form and Landing Page Builder Plugin for Lead Generation and Email Newsletter Growth
Plugin Slug: aweber-web-form-widget; Installations: 10,000+; Vulnerability: Broken Access Control; Patched in Version: 7.3.10; Severity Score: Medium; CVE: 2023-47757

Donation Forms by Charitable – Donations Plugin & Fundraising Platform for WordPress
Plugin Slug: charitable; Installations: 10,000+; Vulnerability: Cross Site Scripting (XSS); Patched in Version: 1.7.0.14; Severity Score: Medium; CVE: 2023-47816

eCommerce Product Catalog Plugin for WordPress
Plugin Slug: ecommerce-product-catalog; Installations: 10,000+; Vulnerability: Cross Site Scripting (XSS); Patched in Version: 3.3.27; Severity Score: Medium; CVE: 2023-47839

eCommerce Product Catalog Plugin for WordPress
Plugin Slug: ecommerce-product-catalog; Installations: 10,000+; Vulnerability: Cross Site Request Forgery (CSRF); Patched in Version: 3.3.26; Severity Score: Medium

Legal Pages – Privacy Policy, Terms & Conditions, GDPR, CCPA, and Cookie Notice Generator
Plugin Slug: legal-pages; Installations: 10,000+; Vulnerability: Cross Site Request Forgery (CSRF); Patched in Version: 1.3.9; Severity Score: Medium; CVE: 2023-47824

LWS Hide Login
Plugin Slug: lws-hide-login; Installations: 10,000+; Vulnerability: Bypass Vulnerability; Patched in Version: 2.1.9; Severity Score: Low; CVE: 2023-47818

WP EXtra
Plugin Slug: wp-extra; Installations: 10,000+; Vulnerability: Cross Site Request Forgery (CSRF); Patched in Version: 6.5; Severity Score: Medium; CVE: 2023-47825

WP Mail Log
Plugin Slug: wp-mail-log; Installations: 10,000+; Vulnerability: SQL Injection; Patched in Version: 1.1.3; Severity Score: High

YOP Poll

Events Addon for Elementor
Plugin Slug: events-addon-for-elementor; Installations: 8,000+; Vulnerability: Broken Access Control; Patched in Version: 2.1.4; Severity Score: Medium; CVE: 2023-47827

Drop Shadow Boxes
Plugin Slug: drop-shadow-boxes; Installations: 6,000+; Vulnerability: Cross Site Scripting (XSS); Patched in Version: 1.7.14; Severity Score: Medium; CVE: 2023-5469

Email Verification / SMS Verification / OTP Verification / OTP Authentication / WooCommerce Notification
Plugin Slug: miniorange-otp-verification; Installations: 6,000+; Vulnerability: Broken Access Control; Patched in Version: 4.2.2; Severity Score: Medium; CVE: 2023-47776

ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup
Plugin Slug: armember-membership; Installations: 5,000+; Vulnerability: Bypass Vulnerability; Patched in Version: 4.0.11; Severity Score: High; CVE: 2023-47837

Auto Affiliate Links
Plugin Slug: wp-auto-affiliate-links; Installations: 5,000+; Vulnerability: Cross Site Request Forgery (CSRF); Patched in Version: 6.4.2.6; Severity Score: Medium

FormCraft – Contact Form Builder for WordPress
Plugin Slug: formcraft-form-builder; Installations: 4,000+; Vulnerability: Broken Access Control; Patched in Version: 1.2.8; Severity Score: Medium; CVE: 2023-47823

Community by PeepSo – Social Network, Membership, Registration, User Profiles
Plugin Slug: peepso-core; Installations: 4,000+; Vulnerability: Cross Site Scripting (XSS); Patched in Version: 6.2.3.0; Severity Score: Medium; CVE: 2023-47850

Community by PeepSo – Social Network, Membership, Registration, User Profiles
Plugin Slug: peepso-core; Installations: 4,000+; Vulnerability: Cross Site Request Forgery (CSRF); Patched in Version: 6.2.0.0; Severity Score: Medium; CVE: 2023-39925

ARI Stream Quiz – WordPress Quizzes Builder
Plugin Slug: ari-stream-quiz; Installations: 3,000+; Vulnerability: Cross Site Scripting (XSS); Patched in Version: 1.3.0; Severity Score: Medium; CVE: 2023-47835

Hreflang Manager
Plugin Slug: hreflang-manager-lite; Installations: 3,000+; Vulnerability: Cross Site Request Forgery (CSRF); Patched in Version: 1.0.7; Severity Score: Medium

Accordion
Plugin Slug: accordions-wp; Installations: 2,000+; Vulnerability: Cross Site Scripting (XSS); Patched in Version: 2.7; Severity Score: Medium; CVE: 2023-47809

Restaurant & Cafe Addon for Elementor
Plugin Slug: restaurant-cafe-addon-for-elementor; Installations: 2,000+; Vulnerability: Broken Access Control; Patched in Version: 1.5.4; Severity Score: Medium; CVE: 2023-47826

Client Invoicing by Sprout Invoices – Easy Estimates and Invoices for WordPress
Plugin Slug: sprout-invoices; Installations: 2,000+; Vulnerability: Sensitive Data Exposure; Patched in Version: 20.5.4; Severity Score: Medium

avalex – Automatisch sichere Rechtstexte
Plugin Slug: avalex; Installations: 1,000+; Vulnerability: Broken Access Control; Patched in Version: 3.0.9; Severity Score: Medium

Daily Prayer Time
Plugin Slug: daily-prayer-time-for-mosques; Installations: 1,000+; Vulnerability: Cross Site Scripting (XSS); Patched in Version: 2023.10.21; Severity Score: Medium; CVE: 2023-47817

Frontend File Manager Plugin
Plugin Slug: nmedia-user-file-uploader; Installations: 1,000+; Vulnerability: Arbitrary File Download; Patched in Version: 22.6; Severity Score: Critical; CVE: 2023-5105

Website Optimization – Plerdy
Plugin Slug: plerdy-heatmap; Installations: 1,000+; Vulnerability: Cross Site Scripting (XSS); Patched in Version: 1.3.3; Severity Score: Medium; CVE: 2023-5715

Post Status Notifier Lite
Plugin Slug: post-status-notifier-lite; Installations: 1,000+; Vulnerability: Cross Site Scripting (XSS); Patched in Version: 1.11.1; Severity Score: High; CVE: 2023-47766

Bus Ticket Booking with Seat Reservation – WpBusTicketly | WordPress plugin
Plugin Slug: bus-ticket-booking-with-seat-reservation; Installations: 900+; Vulnerability: Cross Site Scripting (XSS); Patched in Version: 5.2.6; Severity Score: High; CVE: 2023-30496

Post Meta Data Manager
Plugin Slug: post-meta-data-manager; Installations: 700+; Vulnerability: Cross Site Request Forgery (CSRF); Patched in Version: 1.2.2; Severity Score: Medium; CVE: 2023-5776

WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses
Plugin Slug: wp-courses; Installations: 700+; Vulnerability: Cross Site Request Forgery (CSRF); Patched in Version: 3.2.4; Severity Score: Medium

WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses
Plugin Slug: wp-courses; Installations: 700+; Vulnerability: Broken Access Control; Patched in Version: 3.2.4; Severity Score: Medium

WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses
Plugin Slug: wp-courses; Installations: 700+; Vulnerability: Broken Access Control; Patched in Version: 3.2.4; Severity Score: High

Namaste! LMS
Plugin Slug: namaste-lms; Installations: 600+; Vulnerability: Cross Site Scripting (XSS); Patched in Version: 2.6.1.2; Severity Score: High; CVE: 2023-4602

Image Compressor & Optimizer – iLoveIMG
Plugin Slug: iloveimg; Installations: 100+; Vulnerability: PHP Object Injection; Patched in Version: 1.0.6; Severity Score: Medium

WooCommerce Canada Post Shipping
Plugin Slug: woocommerce-shipping-canada-post; Vulnerability: Cross Site Request Forgery (CSRF); Patched in Version: 2.8.4; Severity Score: Medium; CVE: 2023-47789

WooCommerce Bookings
Plugin Slug: woocommerce-bookings; Vulnerability: Cross Site Request Forgery (CSRF); Patched in Version: 2.0.4; Severity Score: Medium; CVE: 2023-47787

Star CloudPRNT for WooCommerce
Plugin Slug: star-cloudprnt-for-woocommerce; Vulnerability: Cross Site Scripting (XSS); Patched in Version: 2.0.4; Severity Score: High; CVE: 2023-4603

Slider Revolution
Plugin Slug: revslider; Vulnerability: Cross Site Scripting (XSS); Patched in Version: 6.6.15; Severity Score: Medium; CVE: 2023-47772

Slider Revolution
Plugin Slug: revslider; Vulnerability: Arbitrary File Upload; Patched in Version: 6.6.16; Severity Score: High; CVE: 2023-47784

Perfmatters
Plugin Slug: perfmatters; Vulnerability: Broken Access Control; Patched in Version: 2.1.7; Severity Score: Medium; CVE: 2023-47874

Perfmatters
Plugin Slug: perfmatters; Vulnerability: Cross Site Request Forgery (CSRF); Patched in Version: 2.1.7; Severity Score: Medium; CVE: 2023-47875

Perfmatters
Plugin Slug: perfmatters; Vulnerability: Cross Site Scripting (XSS); Patched in Version: 2.1.7; Severity Score: High; CVE: 2023-47876

Perfmatters
Plugin Slug: perfmatters; Vulnerability: Cross Site Scripting (XSS); Patched in Version: 2.2.0; Severity Score: Medium; CVE: 2023-47877

LayerSlider
Plugin Slug: layerslider; Vulnerability: Cross Site Request Forgery (CSRF); Patched in Version: 7.7.10; Severity Score: High; CVE: 2023-47785

LayerSlider
Plugin Slug: layerslider; Vulnerability: Cross Site Scripting (XSS); Patched in Version: 7.7.10; Severity Score: Medium; CVE: 2023-47786

Essential Grid
Plugin Slug: essential-grid; Vulnerability: Broken Access Control; Patched in Version: 3.0.19; Severity Score: High; CVE: 2023-47771

WordPress Themes — 0 Patched / 0 Unpatched
