WordPress Vulnerability Report – October 4, 2023

Since last week, 97 new vulnerabilities have emerged in public disclosures. They may affect over two million WordPress sites. This includes 50 plugin vulnerabilities with security patches, so run those updates!

Additionally, there are 47 plugin vulnerabilities with no patch available yet. If you use an unpatched plugin or theme, check their vendors’ intentions and progress toward a security release. If no patch is forthcoming or the vulnerable software has been marked “closed” and dropped from the official WordPress theme or plugin repositories, you should consider deactivation and removal in favor of alternative solutions.

WordPress Core Vulnerabilities — Patched

  • No new WordPress core vulnerabilities were disclosed this week.

WordPress core is very secure when it’s properly configured and maintained. Vulnerable plugins not updated by site owners are the most common vector for attacks on WordPress websites. Our weekly WordPress Vulnerability Report, powered by Patchstack, covers new vulnerabilities that have emerged in plugins, themes, and/or WordPress core since last week’s report. Our goal is to spread awareness of emerging security threats and help you decide what to do if you find vulnerable software on your website. For a deeper analysis of recent trends in WordPress vulnerabilities and threat vectors, see our 2022 Annual Vulnerability Report.

These reports are published every Wednesday and include every vulnerability Patchstack was tracking as of Monday that was not in the previous report. That leaves a 48-hour window in which the newest vulnerabilities can be patched before full public disclosure. iThemes Security Pro users receive alerts for vulnerabilities emerging within this window.

WordPress Plugin Vulnerabilities — Patched

In this section, you’ll find the most recently disclosed WordPress plugin vulnerabilities fixed with a new release from their authors and maintainers. Please apply the updates if you are affected!

These vulnerabilities have been disclosed and scored for severity by our friends at Patchstack. Each plugin listing shows the vulnerability type, its CVE identifier where one has been assigned, and the plugin version that patches it. We start with the most popular plugins, since widely installed plugins are the largest target for attackers.

Table of Contents Plus

Vulnerability
Cross Site Request Forgery (CSRF)
The vulnerability has been patched, so you should update to version 2309.

iframe

Vulnerability
Cross Site Scripting (XSS)
CVE
2023-4919
The vulnerability has been patched, so you should update to version 4.7.

Advanced Custom Fields: Extended

Vulnerability
Cross Site Scripting (XSS)
CVE
2023-5292
The vulnerability has been patched, so you should update to version 0.8.9.4.

Astra Bulk Edit

The vulnerability has been patched, so you should update to version 1.2.8.

flowpaper

Vulnerability
Cross Site Scripting (XSS)
CVE
2023-5200
The vulnerability has been patched, so you should update to version 2.0.4.

Inactive Logout

The vulnerability has been patched, so you should update to version 3.2.3.

Options for Twenty Seventeen

Vulnerability
Cross Site Scripting (XSS)
CVE
2023-5162
The vulnerability has been patched, so you should update to version 2.5.1.

bbp style pack

Vulnerability
Cross Site Scripting (XSS)
The vulnerability has been patched, so you should update to version 5.6.8.

AI ChatBot

Vulnerability
Cross Site Request Forgery (CSRF)
The vulnerability has been patched, so you should update to version 4.7.9.

ActivityPub for WordPress

Vulnerability
Cross Site Scripting (XSS)
CVE
2023-3746
The vulnerability has been patched, so you should update to version 1.0.0.

ActivityPub for WordPress

CVE
2023-3706
The vulnerability has been patched, so you should update to version 1.0.0.

ActivityPub for WordPress

Vulnerability
Cross Site Scripting (XSS)
CVE
2023-5057
The vulnerability has been patched, so you should update to version 1.0.0.

ActivityPub for WordPress

CVE
2023-3707
The vulnerability has been patched, so you should update to version 1.0.0.

Checkfront Online Booking System

Vulnerability
Cross Site Request Forgery (CSRF)
The vulnerability has been patched, so you should update to version 3.7.

DoLogin Security

Vulnerability
Cross Site Scripting (XSS)
CVE
2023-4549
The vulnerability has been patched, so you should update to version 3.7.

Import XML and RSS Feeds

Vulnerability
Remote Code Execution (RCE)
CVE
2023-4521
The vulnerability has been patched, so you should update to version 2.1.5.

Track The Click

CVE
2023-5041
The vulnerability has been patched, so you should update to version 0.3.12.

Instant CSS

Vulnerability
Cross Site Request Forgery (CSRF)
The vulnerability has been patched, so you should update to version 1.2.2.

Pretty Google Calendar

Vulnerability
Cross Site Scripting (XSS)
The vulnerability has been patched, so you should update to version 1.6.0.

OpenHook

Vulnerability
Remote Code Execution (RCE)
CVE
2023-5201
The vulnerability has been patched, so you should update to version 4.3.1.

BuddyMeet

Vulnerability
Cross Site Scripting (XSS)
The vulnerability has been patched, so you should update to version 2.3.0.

User Avatar – Reloaded

Vulnerability
Cross Site Scripting (XSS)
CVE
2023-4798
The vulnerability has been patched, so you should update to version 1.2.2.

Modern Events Calendar Lite

Vulnerability
Cross Site Scripting (XSS)
CVE
2023-4021
The vulnerability has been patched, so you should update to version 7.1.0.

User Activity Log Pro

Vulnerability
Cross Site Scripting (XSS)
CVE
2023-5167
The vulnerability has been patched, so you should update to version 2.3.4.

User Activity Log Pro

CVE
2023-5133
The vulnerability has been patched, so you should update to version 2.3.4.

WordPress Plugin Vulnerabilities — Unpatched

This section contains plugin vulnerabilities with no known fix. Until a patch is available, deactivate the plugin immediately at a minimum. If there is a high risk of active exploitation, or the plugin remains unpatched for weeks, delete it. Also delete persistently unpatched plugins that the WordPress.org repository has locked and marked "Closed", since they can no longer be downloaded or updated from the repository.
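The triage described in the patched and unpatched sections above (update where a fix exists, deactivate where none does, delete what is closed) can be scripted against WP-CLI output. The following is an added example, not code from iThemes or Patchstack. It reads the JSON printed by `wp plugin list --format=json --fields=name,version,status` (WP-CLI's `name` field is the plugin slug) and compares it with a small report table. The slugs and the entries in that table are assumptions for illustration; check them against each plugin's wordpress.org page before relying on them.

```python
"""Triage installed WordPress plugins against a vulnerability report.

Input: the JSON produced by
    wp plugin list --format=json --fields=name,version,status
Output: one WP-CLI command per affected plugin (update / deactivate / delete).
"""
import json
import re
import sys

# Constructed report table for this example. Keys are wordpress.org plugin
# slugs, which the report above does not print; the slugs here are ASSUMPTIONS.
# "fixed" is the patched version, or None when no fix exists; "closed" marks
# plugins removed from the wordpress.org repository.
REPORT = {
    "table-of-contents-plus": {"fixed": "2309", "closed": False},
    "iframe": {"fixed": "4.7", "closed": False},
    "media-library-assistant": {"fixed": None, "closed": False},
    "cooked": {"fixed": None, "closed": True},
}

# Constructed sample of `wp plugin list` output (not from a real site).
SAMPLE_PLUGIN_LIST = json.dumps([
    {"name": "table-of-contents-plus", "version": "2302", "status": "active"},
    {"name": "iframe", "version": "4.7", "status": "active"},
    {"name": "media-library-assistant", "version": "3.10", "status": "active"},
    {"name": "cooked", "version": "1.7.5", "status": "inactive"},
    {"name": "akismet", "version": "5.3", "status": "active"},
])

WP_COMMANDS = {
    "update": "wp plugin update {slug}",
    "deactivate": "wp plugin deactivate {slug}",
    "delete": "wp plugin delete {slug}",
}


def parse_version(v):
    """Turn '2.0.4' or '2309' into a tuple of ints for comparison.
    A pre-release suffix such as '1.2.2-beta' is dropped, so it compares
    as its base version; good enough for release numbers in this report."""
    return tuple(int(n) for n in re.findall(r"\d+", v.split("-")[0]))


def version_lt(a, b):
    """True when version a is older than version b (missing parts count as 0)."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    return ta + (0,) * (n - len(ta)) < tb + (0,) * (n - len(tb))


def triage(plugin_list_json, report=REPORT):
    """Return [(slug, action, reason)] for installed plugins named in the report.
    Inactive plugins are still reported: a vulnerable plugin left on disk is
    still a risk and the advice above is to remove it."""
    actions = []
    for p in json.loads(plugin_list_json):
        entry = report.get(p["name"])
        if entry is None:
            continue  # not in this week's report
        if entry["fixed"] is None:
            if entry["closed"]:
                actions.append((p["name"], "delete", "unpatched and closed on wordpress.org"))
            else:
                actions.append((p["name"], "deactivate", "no fix available yet"))
        elif version_lt(p["version"], entry["fixed"]):
            actions.append((p["name"], "update", f"{p['version']} < {entry['fixed']}"))
        # installed version is at or past the fix: nothing to do
    return actions


def commands(actions):
    """Render triage results as WP-CLI commands, in the order they were found."""
    return [WP_COMMANDS[action].format(slug=slug) for slug, action, _ in actions]


if __name__ == "__main__":
    # Pipe real output in:  wp plugin list --format=json --fields=name,version,status | python3 triage.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PLUGIN_LIST
    for slug, action, reason in triage(data):
        print(f"# {slug}: {action} ({reason})")
    for cmd in commands(triage(data)):
        print(cmd)
```

Review the printed commands before running them: `wp plugin delete` removes the plugin's files without running its uninstall routine, so options it stored in the database stay behind, and a plugin you still depend on should be replaced rather than simply deleted.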

Unyson

Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

Media Library Assistant

Vulnerability
Cross Site Scripting (XSS)
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

Timthumb Vulnerability Scanner

Vulnerability
Cross Site Request Forgery (CSRF)
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

Mang Board WP

Vulnerability
Cross Site Request Forgery (CSRF)
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

Mediavine Control Panel

Vulnerability
Cross Site Request Forgery (CSRF)
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

Block Plugin Update

Vulnerability
Cross Site Request Forgery (CSRF)
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

Simple File List

Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

Blocks

Vulnerability
Cross Site Scripting (XSS)
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

Contact Form

Vulnerability
Cross Site Request Forgery (CSRF)
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

Timely Booking Button

Vulnerability
Cross Site Scripting (XSS)
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

Tiny Carousel Horizontal Slider

Vulnerability
Cross Site Scripting (XSS)
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

Woocommerce ESTO

Vulnerability
Cross Site Request Forgery (CSRF)
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

WP Hide Pages

Vulnerability
Cross Site Request Forgery (CSRF)
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

Popup contact form

Vulnerability
Cross Site Scripting (XSS)
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

Popup contact form

Vulnerability
Cross Site Scripting (XSS)
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

Social Metrics

Vulnerability
Cross Site Scripting (XSS)
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

The Awesome Feed – Custom Feed

Vulnerability
Cross Site Scripting (XSS)
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

Onclick Show Popup

Vulnerability
Cross Site Scripting (XSS)
Patched in Version
No Fix
The vulnerability has not been patched. You should deactivate the plugin.

Slideshow, Image Slider by 2J

Plugin
Images Slideshow by 2J
Vulnerability
Cross Site Scripting (XSS)
Patched in Version
No Fix
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Add Shortcodes Actions And Filters

Vulnerability
Cross Site Request Forgery (CSRF)
Patched in Version
No Fix
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Contractor Contact Form Website to Workflow Tool

Vulnerability
Cross Site Scripting (XSS)
Patched in Version
No Fix
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Cooked

Vulnerability
Cross Site Scripting (XSS)
Patched in Version
No Fix
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

CopyRightPro

Vulnerability
Cross Site Request Forgery (CSRF)
Patched in Version
No Fix
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

CopyRightPro

Vulnerability
Cross Site Scripting (XSS)
Patched in Version
No Fix
CVE
2023-5295
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Font Awesome Integration

Vulnerability
Cross Site Scripting (XSS)
Patched in Version
No Fix
CVE
2023-5233
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Font Awesome Integration

Vulnerability
Cross Site Scripting (XSS)
Patched in Version
No Fix
CVE
2023-5232
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Contact form Form For All

Vulnerability
Cross Site Scripting (XSS)
Patched in Version
No Fix
CVE
2023-5337
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Keap Landing Pages

Vulnerability
Cross Site Request Forgery (CSRF)
Patched in Version
No Fix
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Backend Localization

Vulnerability
Cross Site Request Forgery (CSRF)
Patched in Version
No Fix
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Kv TinyMCE Editor Add Fonts

Vulnerability
Cross Site Request Forgery (CSRF)
Patched in Version
No Fix
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Magic Action Box

Vulnerability
Cross Site Scripting (XSS)
Patched in Version
No Fix
CVE
2023-5231
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Remove slug from custom post type

Vulnerability
Cross Site Request Forgery (CSRF)
Patched in Version
No Fix
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

WP Responsive header image slider

Vulnerability
Cross Site Scripting (XSS)
Patched in Version
No Fix
CVE
2023-5334
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Events Rich Snippets for Google

Vulnerability
Cross Site Request Forgery (CSRF)
Patched in Version
No Fix
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Shockingly Simple Favicon

Vulnerability
Cross Site Request Forgery (CSRF)
Patched in Version
No Fix
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

TM WooCommerce Compare & Wishlist

Vulnerability
Cross Site Scripting (XSS)
Patched in Version
No Fix
CVE
2023-5230
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

Vrm 360 3D Model Viewer

Patched in Version
No Fix
CVE
2023-5177
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

WP Captcha

Vulnerability
Cross Site Request Forgery (CSRF)
Patched in Version
No Fix
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

WP Captcha

Patched in Version
No Fix
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

WP GPX Maps

Patched in Version
No Fix
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

WP Jump Menu

Vulnerability
Cross Site Scripting (XSS)
Patched in Version
No Fix
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

WP Site Protector

Vulnerability
Cross Site Request Forgery (CSRF)
Patched in Version
No Fix
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

WWM Social Share On Image Hover

Vulnerability
Cross Site Scripting (XSS)
Patched in Version
No Fix
The vulnerability has not been patched and the plugin is closed. You should uninstall and delete the plugin.

WordPress Theme Vulnerabilities

In this section, you’ll find the latest WordPress theme vulnerabilities to be disclosed. You’ll see the same information we provided above for vulnerable plugins, and the same advice applies. If a security update exists, install it immediately. If a vulnerability remains unpatched in a theme you are actively using, find an alternative theme. Deactivate and delete persistently unpatched themes and those marked “Closed” in the WordPress.org theme repository. If you have a vulnerable theme installed that you are not actively using, delete it.

  • No new WordPress theme vulnerabilities were disclosed this week.

Never worry about running a vulnerable plugin or theme again.

As you can see from this report, new WordPress plugin and theme vulnerabilities are disclosed every week. We know it can be difficult to stay on top of every vulnerability disclosure that matters to you, so the iThemes Security Pro plugin makes it easy to ensure your site isn’t running a vulnerable theme, plugin, or version of WordPress core.

The post WordPress Vulnerability Report – October 4, 2023 appeared first on iThemes.