WordPress Vulnerabilities September 2019 Edition

There were vulnerabilities discovered in all three categories this month. WordPress core had many vulnerabilities (that were patched quickly!) and so did plugins and themes.

Read on to learn more about what happened and why it’s so important you continue to maintain and update your website either yourself or with a reputable WordPress maintenance service.

WordPress Plugin Vulnerabilities

Easy Fancybox

This plugin had a vulnerability that was patched in version 1.8.18 and has 300,000+ active installations.

Photo Gallery by 10Web

This plugin has 300,000+ active installations and had a vulnerability in versions lower than but not including version 1.5.35.

Formidable Form

This vulnerability touches potentially up to 200,000+ active installations up to and including version 4.02.01 as reported on both the Wordfence blog and Plugin Vulnerabilities.

Woody Ad Snippets

With 90,000+ active installations, this plugin had a vulnerability in version 2.2.8 and below but has since been fixed. Patch up!


This plugin with 70,000+ active installations had a vulnerability that has since been patched in version 2.5.5. You can read up on the vulnerability on the Wordfence blog or on WPVulnDB.


This plugin with 40,000+ active installations had two vulnerabilities that were patched in version 3.3.1. You can read up on the Blind SSRF and Stored XSS vulnerability.

Event Tickets

The 30,000+ active installations of this plugin were vulnerable in version and earlier but with a fix in version

Theme Editor

This plugin has 30,000+ active installations and a vulnerability in version 2.1 and lower. It was fixed in version 2.2.

Motors Car Dealer & Classified Ads

This vulnerability is in anything below version 1.4.1 in this plugin that has 10,000+ active installations.

Advanced AJAX Product Filters

This plugin had a vulnerability in all versions below 1.3.7 but has been fixed with 10,000+ active installations.


This plugin had a vulnerability in version 3.34.5 and earlier that potentially affected up to the 9,000+ active installations.


This plugin has 1,000+ active installations and the vulnerability was reported in version 2.1.7. It has been reported that the issue has been fixed in version 2.1.9 which is available on the WordPress repository.


Any version 1.1.5 or lower should be patched immediately. This vulnerability affects up to 800+ active installations and you can learn more about it here.

Qwiz Online Quizzes and Flashcards

This plugin has 300+ active installations with a vulnerability in version 3.36 and earlier. The issue has been resolved as of version 3.37, update now.

Rich Reviews

This plugin hasn’t been updated in over 2 years which means you should stay away from it. It has also been removed from the WordPress resposibitory and has no report of active installations. The vulnerability was reported but will likely never be fixed because it’s no longer maintained. The issue is in version 1.7.3 and likely all other versions.


This plugin has been closed on the WordPress repository and should be removed from your site immediately. There are two vulnerabilities in version from 5 years ago and they still remain. If you’re using this plugin remove it immediately.

Here are the links to information about each vulnerability.



Ellipsis Human Presence Technology

This plugin had a vulnerability in version 2.0.8 and lower. It was recently updated to version 2.0.9 but has been removed from the WordPress repository.

WordPress Theme Vulnerabilities

Nexos – Real Estate

This is a Themeforest theme so there are no installation numbers but there was a vulnerability in version 1.6 and lower which has been fixed in version 1.6.1.

Selio – Real Estate Directory

Another Themeforest theme with no installation numbers. The vulnerability was in version 1.1 and lower but with a fix released in version 1.1.1.

WordPress Core Vulnerabilities

WordPress core was on a winning streak for no vulnerabilities since March. The streak is over with several vulnerabilities in the latest version of WordPress and one that goes back to 5.2.2 and to prior version too.

This isn’t a bad thing, though. It means WordPress has a lot of eyes on it so even the smallest vulnerability will get found eventually. That’s the beauty with open source. If there’s an issue, someone will find it because everyeone can see the code.

Proprietary software is exactly the opposite. If someone finds a vulnerability there’s a good chance they’re malicious. The only one who can find it and fix it is a small group who have access to the code.

Enough of that, now it’s time to cover some of the issues found in a recent version of WordPress core.

Up to and including WordPress 5.2.2

The following linked vulnerability is in WordPress version 5.2.2 and all prior versions of WordPress. That means no matter what version you’re on, make sure you update to either the most recent version or a version in your line of installation with the fix.

For example, if you’re using 4.8.5 then update to version 4.8.10 if that has the fix. This is a theoretical example, though, and you should consult all the WordPress versions and fixed if you’re using anything but the most recent version.


WordPress 5.2.2

There were several vulnerabilities discovered in version 5.2.2 which makes it essential that you update as soon as possible to version 5.2.3 or newer.

These links go over all the vulnerabilities discovered and in what version they were patched.











That’s it for this month! WordPress lost its long-running record for no vulnerabilities but they were patched quick. That’s why WordPress is one of the most secure platforms on the internet.

Even though WordPress is extremely secure on its own, updates and maintenance are essential which is why it’s important to continue using a reputable WordPress maintenance service.