WordPress Vulnerability Report – July 19, 2023

>>> Shared from Original Post iThemes

Since last week, 80 total vulnerabilities emerged in public disclosure. They may affect over 5 million WordPress sites. There are 55 plugin vulnerabilities with security patches available, so run those updates!

Additionally, there are 23 plugin vulnerabilities and two theme vulnerabilities with no patch available yet. If you discover you are using an unpatched plugin or theme, check their vendors’ intentions and progress on a security release. If no patch is forthcoming or the vulnerable software has been marked “closed” and dropped from the official WordPress theme and plugin repositories, you should consider deactivation and removal in favor of alternative solutions.

Solid Security: The Next Chapter in WordPress Protection

As you know, we’re rebranding publicly, and iThemes is becoming SolidWP. This transition includes new and enhanced features plus a complete interface redesign for our products. In this webinar, our lead developer, Timothy Jacobs, demonstrates the new features coming to Solid Security — formerly known as iThemes Security.

In the video, you’ll get a tour of:

the improved dashboard
passkeys and the passwordless login experience
the all-new firewall
virtual patches that protect you when you need them most

Nathan Ingram hosted this sneak preview of the all-new Solid Security. He fielded many terrific questions from the live audience for Timothy and Matt Cromwell, our Senior Director of Customer Experience at StellarWP, so check out that discussion in the last 30 minutes.

News From WordPress

WordPress 6.3 RC1 is ready for download and testing. Because this version is under development, do not install, run, or test this version on production or mission-critical websites. Instead, evaluate RC1 on a test server and site.

WordPress Core Vulnerabilities — Patched

No new WordPress core vulnerabilities were disclosed this week.

WordPress core is very secure when it’s properly configured and maintained. Vulnerable plugins that have not been updated by site owners are the most common vector for attacks on WordPress websites. Our weekly WordPress Vulnerability Report, powered by Patchstack, covers new WordPress plugin, theme, and core vulnerabilities that have emerged since last week’s report. Our goal is to spread awareness of emerging security threats and help you decide what to do if you are using vulnerable software on your website. For a deeper analysis of recent trends in WordPress vulnerabilities and threat vectors, see our 2022 Annual Vulnerability Report.

These reports are published every Wednesday and include all active vulnerabilities tracked by Patchstack as of Monday since the previous report. This leaves a 48-hour window for the newest emerging vulnerabilities to be patched before full public disclosure. iThemes Security Pro users have access to vulnerability alerts emerging within this window.

Get the weekly WordPress Vulnerability Report delivered to your inbox each Wednesday.

WordPress Plugin Vulnerabilities — Patched

In this section, you’ll find the most recently disclosed WordPress plugin vulnerabilities that have been fixed with a new release from their authors and maintainers. Please apply the updates if you are affected!

These vulnerabilities have been disclosed and scored for their severity, thanks to our friends at Patchstack. Each plugin listing includes the type of vulnerability with its CVE number and CVSS severity rating with links to more technical details. You’ll also see the number of active sites using the plugin and the plugin version release that patches the vulnerability. We start with the most popular plugins, which represent the largest target for attackers.

Rank Math SEO

$Product image for Rank Math SEO.$

Plugin: Rank Math SEO
Plugin Slug: seo-by-rank-math
Installations: 2,000,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.0.119.1
Severity Score: Medium
CVE: 2023-32600

All In One WP Security

Plugin: All-In-One Security (AIOS) – Security and Firewall
Plugin Slug: all-in-one-wp-security-and-firewall
Installations: 1,000,000+
Vulnerability: Sensitive Data Exposure of Plaintext Credentials
Patched in Version: 5.2.0
Severity Score: Medium

Spectra

Plugin: Spectra – WordPress Gutenberg Blocks
Plugin Slug: ultimate-addons-for-gutenberg
Installations: 500,000+
Vulnerability: Server Side Request Forgery (SSRF)
Patched in Version: 2.6.7
Severity Score: High
CVE: 2023-36679

Spectra

Plugin: Spectra – WordPress Gutenberg Blocks
Plugin Slug: ultimate-addons-for-gutenberg
Installations: 500,000+
Vulnerability: Broken Access Control
Patched in Version: 2.6.7
Severity Score: Medium
CVE: 2023-36676

FluentForm

Plugin: Contact Form Plugin – Fastest Contact Form Builder Plugin for WordPress by Fluent Forms
Plugin Slug: fluentform
Installations: 300,000+
Vulnerability: SQL Injection
Patched in Version: 5.0.0
Severity Score: Medium
CVE: 2023-24410

Post SMTP

Plugin: POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress
Plugin Slug: post-smtp
Installations: 300,000+
Vulnerability: Unauthenticated Stored Cross-Site Scripting via Email
Patched in Version: 2.5.8
Severity Score: High
CVE: 2023-3082

HT Mega Absolute Addons for Elementor

Plugin: HT Mega – Absolute Addons For Elementor
Plugin Slug: ht-mega-for-elementor
Installations: 100,000+
Vulnerability: Unauthenticated Privilege Escalation
Patched in Version: 2.2.1
Severity Score: Critical
CVE: 2023-37999

ARPP – Yet Another Related Posts Plugin

Plugin: YARPP – Yet Another Related Posts Plugin
Plugin Slug: yet-another-related-posts-plugin
Installations: 100,000+
Vulnerability: Authenticated (Contributor+) Stored Cross Site Scripting (XSS)
Patched in Version: 5.30.4
Severity Score: Medium
CVE: 2023-2433

kk Star Ratings

Plugin: kk Star Ratings
Plugin Slug: kk-star-ratings
Installations: 90,000+
Vulnerability: Rate Manipulation due to IP Spoofing
Patched in Version: 5.4.4
Severity Score: Medium
CVE: 2023-36528

Media Library Assistant

Plugin: Media Library Assistant
Plugin Slug: media-library-assistant
Installations: 70,000+
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: 3.0.8
Severity Score: Medium
CVE: 2023-34010

Advanced AJAX Product Filters

Plugin: Advanced AJAX Product Filters
Plugin Slug: woocommerce-ajax-filters
Installations: 60,000+
Vulnerability: Broken Access Control
Patched in Version: 1.6.3.4
Severity Score: Medium
CVE: 2022-45813

HTTP Headers

Plugin: HTTP Headers
Plugin Slug: http-headers
Installations: 40,000+
Vulnerability: Server Side Request Forgery (SSRF)
Patched in Version: 1.19.0
Severity Score: Medium
CVE: 2023-37978

HTTP Headers

Plugin: HTTP Headers
Plugin Slug: http-headers
Installations: 40,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.19.0
Severity Score: Medium
CVE: 2023-37874

Quiz And Survey Master

Plugin: Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress
Plugin Slug: quiz-master-next
Installations: 40,000+
Vulnerability: Broken Access Control
Patched in Version: 8.1.11
Severity Score: Medium
CVE: 2023-37984

Super Socializer

Plugin: Social Share, Social Login and Social Comments Plugin – Super Socializer
Plugin Slug: super-socializer
Installations: 40,000+
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Patched in Version: 7.13.54
Severity Score: Medium

JetFormBuilder

Plugin: JetFormBuilder — Dynamic Blocks Form Builder
Plugin Slug: jetformbuilder
Installations: 30,000+
Vulnerability: Authenticated Privilege Escalation
Patched in Version: 3.0.9
Severity Score: High
CVE: 2023-37866

IP2Location Country Blocker

Plugin: IP2Location Country Blocker
Plugin Slug: ip2location-country-blocker
Installations: 20,000+
Vulnerability: IP Bypass Vulnerability
Patched in Version: 2.29.2
Severity Score: Medium
CVE: 2023-37865

Yasr – Yet Another Stars Rating

Plugin: Yasr – Yet Another Stars Rating
Plugin Slug: yet-another-stars-rating
Installations: 20,000+
Vulnerability: Race Condition
Patched in Version: 3.3.9
Severity Score: Low
CVE: 2023-37867

Booking Package SAASPROJECT

Plugin: Booking Package
Plugin Slug: booking-package
Installations: 10,000+
Vulnerability: Unathenticated Privilege Escalation
Patched in Version: 1.5.99
Severity Score: High
CVE: 2023-37389

User Activity Log

Plugin: User Activity Log
Plugin Slug: user-activity-log
Installations: 10,000+
Vulnerability: SQL Injection
Patched in Version: 1.6.3
Severity Score: High
CVE: 2023-37966

Variation Swatches for WooCommerce

Plugin: Variation Swatches for WooCommerce
Plugin Slug: woo-product-variation-swatches
Installations: 10,000+
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: 2.3.8
Severity Score: High
CVE: 2023-37975

Zippy

Plugin: Zippy
Plugin Slug: zippy
Installations: 10,000+
Vulnerability: Broken Access Control
Patched in Version: 1.6.3
Severity Score: Medium
CVE: 2023-34381

Restaurant Menu and Food Ordering by Five Star

Plugin: Restaurant Menu and Food Ordering by Five Star Plugins
Plugin Slug: food-and-drink-menu
Installations: 8,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 2.4.7
Severity Score: Medium
CVE: 2023-37985

Variation Images Gallery for WooCommerce

Plugin: Variation Images Gallery for WooCommerce
Plugin Slug: woo-product-variation-gallery
Installations: 8,000+
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: 2.3.4
Severity Score: High
CVE: 2023-37894

BookingPress

Plugin: BookingPress – Appointment Booking Calendar Plugin and Online Scheduling Plugin
Plugin Slug: bookingpress-appointment-booking
Installations: 7,000+
Vulnerability: Unauth. Server Information Disclosure
Patched in Version: 1.0.65
Severity Score: Medium
CVE: 2023-36507

Buy Me a Coffee – Button and Widget Plugin

Plugin: Buy Me a Coffee – Button and Widget Plugin
Plugin Slug: buymeacoffee
Installations: 6,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 3.8
Severity Score: Medium
CVE: 2023-2079

Buy Me a Coffee – Button and Widget Plugin

Plugin: Buy Me a Coffee – Button and Widget Plugin
Plugin Slug: buymeacoffee
Installations: 6,000+
Vulnerability: Broken Access Control
Patched in Version: 3.8
Severity Score: Medium
CVE: 2023-2078

WooCommerce Product Stock Alert

Plugin: WooCommerce Product Stock Alert
Plugin Slug: woocommerce-product-stock-alert
Installations: 6,000+
Vulnerability: Sensitive Data Exposure
Patched in Version: 2.0.2
Severity Score: Medium
CVE: 2023-37972

WooCommerce Product Stock Alert

Plugin: WooCommerce Product Stock Alert
Plugin Slug: woocommerce-product-stock-alert
Installations: 6,000+
Vulnerability: Settings Change
Patched in Version: 2.0.2
Severity Score: Medium
CVE: 2023-37971

AnsPress – Question and answer

Plugin: AnsPress – Question and answer
Plugin Slug: anspress-question-answer
Installations: 5,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 4.3.2
Severity Score: Medium
CVE: 2023-34374

WPFunnels

Plugin: Drag & Drop Sales Funnel Builder for WordPress – WPFunnels
Plugin Slug: wpfunnels
Installations: 5,000+
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: 2.7.17
Severity Score: High
CVE: 2023-37977

WPFunnels

Plugin: Drag & Drop Sales Funnel Builder for WordPress – WPFunnels
Plugin Slug: wpfunnels
Installations: 5,000+
Vulnerability: Insecure Direct Object References (IDOR)
Patched in Version: 2.7.16
Severity Score: Medium

Integrate Google Drive

Plugin: Integrate Google Drive – Browse, Upload, Download, Embed, Play, Share, Gallery, and Manage Your Google Drive Files Into Your WordPress Site
Plugin Slug: integrate-google-drive
Installations: 3,000+
Vulnerability: Unauthenticated Broken Access Control
Patched in Version: 1.2.0
Severity Score: Critical
CVE: 2023-32117

ARMember

Plugin: ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup
Plugin Slug: armember-membership
Installations: 2,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 4.0.6
Severity Score: Medium
CVE: 2022-47424

Authors List

Plugin: Authors List
Plugin Slug: authors-list
Installations: 2,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 2.0.3
Severity Score: High
CVE: 2023-37981

Integration for Contact Form 7 and Salesforce

Plugin: Integration for Contact Form 7 and Salesforce
Plugin Slug: cf7-salesforce
Installations: 2,000+
Vulnerability: Open Redirection
Patched in Version: 1.3.4
Severity Score: Medium
CVE: 2023-37982

Gift Cards

Plugin: Gift Cards (Gift Vouchers and Packages) (WooCommerce Supported)
Plugin Slug: gift-voucher
Installations: 2,000+
Vulnerability: Cross-Site Request Forgery in new_voucher_template.php
Patched in Version: 4.3.6
Severity Score: Medium

KB Support – WordPress Help Desk

Plugin: KB Support – WordPress Help Desk
Plugin Slug: kb-support
Installations: 2,000+
Vulnerability: Broken Access Control
Patched in Version: 1.5.89
Severity Score: Medium
CVE: 2023-37890

Short URL

Plugin: Short URL
Plugin Slug: shorten-url
Installations: 2,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.6.5
Severity Score: Medium
CVE: 2023-3130

BuddyBuilder BuddyPress Builder for Elementor

Plugin: BuddyPress Builder for Elementor – BuddyBuilder
Plugin Slug: stax-buddy-builder
Installations: 2,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.7.4
Severity Score: Medium

Checkout with Zelle on Woocommerce

Plugin: Checkout with Zelle on Woocommerce
Plugin Slug: wc-zelle
Installations: 2,000+
Vulnerability: Broken Access Control
Patched in Version: 3.1.1
Severity Score: Medium
CVE: 2023-37969

Custom Field For WP Job Manager

Plugin: Custom Field For WP Job Manager
Plugin Slug: custom-field-for-wp-job-manager
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.2
Severity Score: Medium
CVE: 2023-37980

DirectoryPress

Plugin: DirectoryPress – Business Directory And Classified Ad Listing
Plugin Slug: directorypress
Installations: 1,000+
Vulnerability: Broken Access Control
Patched in Version: 3.6.3
Severity Score: Medium
CVE: 2023-37967

Falang multilanguage

Plugin: Falang multilanguage for WordPress
Plugin Slug: falang
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 1.3.40
Severity Score: Medium
CVE: 2023-37968

MF Gig Calendar

Plugin: MF Gig Calendar
Plugin Slug: mf-gig-calendar
Installations: 1,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: 1.2.1
Severity Score: Medium
CVE: 2023-37970

WP Social AutoConnect

Plugin: WP Social AutoConnect
Plugin Slug: wp-fb-autoconnect
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: 4.6.2
Severity Score: Medium
CVE: 2023-37974

MailArchiver

Plugin: MailArchiver
Plugin Slug: mailarchiver
Installations: 100+
Vulnerability: Unauthenticated Stored Cross-Site Scripting via Email Subject
Patched in Version: 2.11.0
Severity Score: High
CVE: 2023-3136

CartFlows Pro

Plugin: CartFlows Pro
Plugin Slug: cartflows-pro
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: 1.11.12
Severity Score: High
CVE: 2023-36686

Grid Kit Premium

Plugin: Grid Kit Premium
Plugin Slug: grid-kit-premium
Vulnerability: Multiple Reflected Cross Site Scripting (XSS)
Patched in Version: 2.2.0
Severity Score: High
CVE: 2023-3292

Premium Addons PRO

Plugin: Premium Addons PRO
Plugin Slug: premium-addons-pro
Vulnerability: Broken Access Control
Patched in Version: 2.9.1
Severity Score: Medium
CVE: 2023-37869

Premium Addons PRO

Plugin: Premium Addons PRO
Plugin Slug: premium-addons-pro
Vulnerability: Sensitive Data Exposure
Patched in Version: 2.9.1
Severity Score: Medium
CVE: 2023-37868

WooCommerce GoCardless Gateway

Plugin: WooCommerce GoCardless Gateway
Plugin Slug: woocommerce-gateway-gocardless
Vulnerability: Unauth. Insecure Direct Object References (IDOR)
Patched in Version: 2.5.7
Severity Score: High
CVE: 2023-37871

WooCommerce Ship to Multiple Addresses

Plugin: WooCommerce Ship to Multiple Addresses
Plugin Slug: woocommerce-shipping-multiple-addresses
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: 3.8.6
Severity Score: High
CVE: 2023-37873

WooCommerce Ship to Multiple Addresses

Plugin: WooCommerce Ship to Multiple Addresses
Plugin Slug: woocommerce-shipping-multiple-addresses
Vulnerability: Broken Access Control
Patched in Version: 3.8.6
Severity Score: Medium
CVE: 2023-37872

WooCommerce Warranty Requests

Plugin: WooCommerce Warranty Requests
Plugin Slug: woocommerce-warranty
Vulnerability: Broken Access Control
Patched in Version: 2.2.0
Severity Score: High
CVE: 2023-37870

WordPress Plugin Vulnerabilities — Unpatched

This section contains plugin vulnerabilities with no known fix. Until a patch is available, you are advised to deactivate the plugin, at minimum, immediately. If there is a high risk of active exploits or the plugin remains unpatched for weeks, you are advised to delete the plugin. You should also delete persistently unpatched plugins the WordPress.org repository has locked and marked “Closed” so they can no longer be downloaded and installed.

Chat Button

Plugin: Chat Button by GetButton.io
Plugin Slug: whatshelp-chat-button
Installations: 50,000+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-32292

Coming Soon Chop Chop

Plugin: Coming Soon Chop Chop
Plugin Slug: cc-coming-soon
Installations: 4,000+
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-37893

Slider a SlidersPack

Plugin: Slider a SlidersPack – Image Slider, Post Slider, ACF Gallery Slider
Plugin Slug: sliderspack-all-in-one-image-sliders
Installations: 4,000+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2022-46845

Exit Popups & Onsite Retargeting by OptiMonk

Plugin: OptiMonk: Popups, Personalization & A/B Testing
Plugin Slug: exit-intent-popups-by-optimonk
Installations: 3,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-37891

Social Media Icons Widget

Plugin: Social Media Icons Widget
Plugin Slug: spoontalk-social-media-icons-widget
Installations: 3,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-25036

Easyship WooCommerce Shipping Rates

Plugin: Easyship WooCommerce Shipping Rates
Plugin Slug: easyship-woocommerce-shipping-rates
Installations: 2,000+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-37989

WPSchoolPress

Plugin: School Management System – WPSchoolPress
Plugin Slug: wpschoolpress
Installations: 2,000+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-37887

WPAdmin AWS CDN

Plugin: WPAdmin AWS CDN
Plugin Slug: aws-cdn-by-wpadmin
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-37889

Contact Form Generator

Plugin: Contact Form Generator : Creative form builder for WordPress
Plugin Slug: contact-form-generator
Installations: 1,000+
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-37988

Contact Form to Any API

Plugin: Contact Form to Any API
Plugin Slug: contact-form-to-any-api
Installations: 1,000+
Vulnerability: SQL Injection
Patched in Version: No Fix
Severity Score: High
CVE: 2023-32741

Shortcode IMDB

Plugin: Shortcode IMDB
Plugin Slug: shortcode-imdb
Installations: 1,000+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-37892

Radio Forge Muses Player with Skins

Plugin: Radio Forge Muses Player with Skins
Plugin Slug: radio-forge
Installations: 900+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-37976

Replace Word

Plugin: Replace Word
Plugin Slug: replace-word
Installations: 900+
Vulnerability: Cross Site Request Forgery (CSRF)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-37973

Art Direction

Plugin: Art Direction
Plugin Slug: art-direction
Installations: 800+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-37983

WPBulky

Plugin: WPBulky – WordPress Bulk Edit Post Types
Plugin Slug: wpbulky-wp-bulk-edit-post-types
Installations: 200+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-30482

ShopConstruct

Plugin: ShopConstruct – Product Catalog, Shopping Cart and eCommerce solution for Store
Plugin Slug: shopconstruct
Installations: 60+
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-34011

Dovetail

Plugin: Dovetail
Plugin Slug: dovetail
Installations: 10+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-25984

YourMembership Single Sign On

Plugin: YourMembership Single Sign On – YM SSO Login
Plugin Slug: login-with-yourmembership
Installations: 10+
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-37987

YourMembership Single Sign On

Plugin: YourMembership Single Sign On – YM SSO Login
Plugin Slug: login-with-yourmembership
Installations: 10+
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-37986

Twittee Text Tweet

Plugin: Twittee Text Tweet
Plugin Slug: twittee-text-tweet
Installations: 10+
Vulnerability: Reflected Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: High
CVE: 2023-0602

Mail Control

Plugin: Mail Control
Plugin Slug: mail-control
Vulnerability: Unauthenticated Stored Cross Site Scripting (XSS) via Email Subject
Patched in Version: No Fix
Severity Score: High
CVE: 2023-3158

PDQ CSV

Plugin: PDQ CSV
Plugin Slug: pdq-csv
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-31221

WP Default Feature Image

Plugin: WP Default Feature Image
Plugin Slug: wp-default-feature-image
Vulnerability: Cross Site Scripting (XSS)
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-25488

WordPress Theme Vulnerabilities

In this section, you’ll find the latest WordPress theme vulnerabilities to be disclosed. You’ll see the same information provided above for vulnerable plugins, and the same advice applies. If a security update exists, install it immediately. If a vulnerability remains unpatched in a theme you are actively using, you will need to find an alternative theme. Deactivate and delete persistently unpatched themes and those that have been “Closed” in the WordPress.org theme repository. If you have a vulnerable theme installed that you are not actively using, simply delete it.

RealHomes

Theme: RealHomes
Theme Slug: realhomes
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-37886

RealHomes

Theme: RealHomes
Theme Slug: realhomes
Vulnerability: Broken Access Control
Patched in Version: No Fix
Severity Score: Medium
CVE: 2023-37885

Never worry about running a vulnerable plugin or theme again.

As you can see from this report, new WordPress plugin and theme vulnerabilities are disclosed every week. We know it can be difficult to stay on top of every reported vulnerability disclosure that matters to you, so the Themes Security Pro plugin makes it easy to ensure your site isn’t running a vulnerable theme, plugin, or version of WordPress core.

Scans Your Website Twice a Day for Vulnerabilities

Your website’s plugins, themes, and WordPress core versions are checked against the Patchstack Vulnerability Database for the latest vulnerability disclosures.

Automatically Updates if a Security Fix is Available

Paired with Version Management, iThemes Security will automatically update a plugin, theme, or WordPress core version if it has a vulnerability.

Emails You a Warning if Site Scan Detects a Vulnerability

You can receive an email report if your site is running vulnerable versions of a plugin, theme, or WordPress core. Customize the email addresses that receive scan results.

The Best WordPress Security Plugin to Secure & Protect WordPress Sites

WordPress currently powers over 40% of all websites, so it has become a popular target for hackers with malicious intent. The iThemes Security Pro plugin takes the guesswork out of WordPress security to make it easy to secure & protect your WordPress website. It’s like having a full-time security expert on staff who constantly monitors and protects your WordPress site for you.

Buy iThemes Security Pro

The post WordPress Vulnerability Report – July 19, 2023 appeared first on iThemes.

>>> Read the Full Story at iThemes