Wordfence Intelligence Weekly WordPress Vulnerability Report (April 22, 2024 to April 28, 2024)
Did you know we’re running a Bug Bounty Extravaganza again?
Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through May 27th, 2024 when you opt to have Wordfence handle responsible disclosure!
Last week, there were 282 vulnerabilities disclosed in 220 WordPress Plugins and 22 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 61 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.
Enterprises, hosting providers, and individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Alternatively, use the vulnerability database API to retrieve a complete dump of our database of over 15,000 vulnerabilities, then use the webhook integration to be notified in real time of newly added vulnerabilities and of updates to existing records, all for free.
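The workflow above (pull the feed dump, match it against what is installed) is the check a hosting provider or site owner would actually run after reading a report like this one. The following is an added example, not Wordfence's own code and not part of the original post. The feed layout it parses (records keyed by vulnerability id, a `software` list with `type`, `slug` and `affected_versions` ranges carrying `from_version`/`to_version`, `from_inclusive`/`to_inclusive`, `patched` and `patched_versions`, with `*` as an open bound) is my assumption about the v2 feed shape; verify field names against the current Wordfence Intelligence API documentation. `SAMPLE_FEED` and `INSTALLED` are constructed data with placeholder slugs and ids, not entries from the report. Versions are compared with PHP `version_compare()` semantics because that is what WordPress itself uses when deciding whether an update applies, so a naive string or tuple comparison would misclassify pre-release versions such as `3.1.0-beta`.

```python
"""Match an installed-plugin inventory against a vulnerability feed dump.

Added example; feed schema is assumed (see lead-in), sample data is constructed.
"""
import re
from itertools import zip_longest

# PHP version_compare() ordering of special tokens. A bare number sits at the
# "#" position; any token not in this table sorts below "dev".
_SPECIAL = {"dev": 0, "alpha": 1, "a": 1, "beta": 2, "b": 2, "rc": 3, "#": 4, "pl": 5, "p": 5}


def _canon(version: str) -> list:
    """Canonicalise like PHP: '-', '_', '+' become '.', and a '.' is inserted at
    every digit/letter boundary, so "1.0rc1" -> ["1", "0", "rc", "1"]."""
    v = re.sub(r"[-_+]", ".", version.strip())
    v = re.sub(r"(?<=\d)(?=[A-Za-z])|(?<=[A-Za-z])(?=\d)", ".", v)
    return [p for p in v.split(".") if p]


def _rank(part):
    # A missing part (other side is longer) behaves like "#" with value -1: it
    # loses to a trailing number ("1.0" < "1.0.0") but beats "rc"/"beta"/"dev".
    if part is None:
        return (4, -1)
    if part.isdigit():
        return (4, int(part))
    return (_SPECIAL.get(part.lower(), -1), 0)


def version_compare(a: str, b: str) -> int:
    """Return -1, 0 or 1 with the same ordering as PHP's version_compare(a, b)."""
    for x, y in zip_longest(_canon(a), _canon(b)):
        rx, ry = _rank(x), _rank(y)
        if rx != ry:
            return -1 if rx < ry else 1
    return 0


def is_affected(installed: str, rng: dict) -> bool:
    """True if `installed` lies inside one affected_versions range.
    '*' marks an open bound (assumed feed convention)."""
    lo, hi = rng.get("from_version", "*"), rng.get("to_version", "*")
    if lo != "*":
        c = version_compare(installed, lo)
        if c < 0 or (c == 0 and not rng.get("from_inclusive", True)):
            return False
    if hi != "*":
        c = version_compare(installed, hi)
        if c > 0 or (c == 0 and not rng.get("to_inclusive", True)):
            return False
    return True


def find_affected(inventory: dict, feed: dict, software_type: str = "plugin") -> list:
    """inventory: {slug: installed_version}. One finding per matching record,
    sorted by CVSS score, highest first, so the unpatched criticals come out on top."""
    findings = []
    for vuln_id, rec in feed.items():
        for sw in rec.get("software", []):
            if sw.get("type") != software_type or sw.get("slug") not in inventory:
                continue
            installed = inventory[sw["slug"]]
            for rng in sw.get("affected_versions", {}).values():
                if is_affected(installed, rng):
                    findings.append({
                        "id": vuln_id, "slug": sw["slug"], "installed": installed,
                        "title": rec.get("title", ""),
                        "score": float((rec.get("cvss") or {}).get("score") or 0.0),
                        "patched": bool(rng.get("patched", False)),
                        "patched_versions": list(rng.get("patched_versions", [])),
                    })
                    break
    return sorted(findings, key=lambda f: -f["score"])


# Constructed sample feed: placeholder ids, slugs and ranges, not real entries.
SAMPLE_FEED = {
    "00000000-0000-4000-8000-000000000001": {
        "title": "Example Gallery <= 2.4.1 - Stored Cross-Site Scripting",
        "cvss": {"score": 6.4},
        "software": [{"type": "plugin", "slug": "example-gallery", "affected_versions": {
            "* - 2.4.1": {"from_version": "*", "to_version": "2.4.1", "from_inclusive": True,
                          "to_inclusive": True, "patched": True, "patched_versions": ["2.4.2"]}}}]},
    "00000000-0000-4000-8000-000000000002": {
        "title": "Example Forms > 3.0.0 and <= 3.1.2 - Missing Authorization",
        "cvss": {"score": 5.3},
        "software": [{"type": "plugin", "slug": "example-forms", "affected_versions": {
            "3.0.0 - 3.1.2": {"from_version": "3.0.0", "to_version": "3.1.2", "from_inclusive": False,
                              "to_inclusive": True, "patched": True, "patched_versions": ["3.1.3"]}}}]},
    "00000000-0000-4000-8000-000000000003": {
        "title": "Example Chat <= * - Unauthenticated SQL Injection",
        "cvss": {"score": 9.8},
        "software": [{"type": "plugin", "slug": "example-chat", "affected_versions": {
            "* - *": {"from_version": "*", "to_version": "*", "from_inclusive": True,
                      "to_inclusive": True, "patched": False, "patched_versions": []}}}]},
}

# Constructed inventory, e.g. what `wp plugin list --format=json` would give you.
INSTALLED = {"example-gallery": "2.4.1", "example-forms": "3.1.0-beta",
             "example-chat": "1.2", "unrelated-plugin": "9.9"}

if __name__ == "__main__":
    for f in find_affected(INSTALLED, SAMPLE_FEED):
        fix = (f"update to {f['patched_versions'][0]}" if f["patched"] and f["patched_versions"]
               else "NO FIX AVAILABLE - remove or isolate")
        print(f"[{f['score']:.1f}] {f['slug']} {f['installed']}: {f['title']} -> {fix}")
```

In practice `SAMPLE_FEED` would be the JSON dump saved from the API (`json.load()` on the downloaded file) and `INSTALLED` the output of `wp plugin list` for each site. The `3.1.0-beta` case is the one worth noticing: under PHP ordering it is greater than `3.0.0` and less than `3.1.2`, so it is correctly flagged, while a plain string comparison would place it after `3.1.2` and miss it. Unpatched records (`patched` false) have no version to update to, which is why the report separates the 62 unpatched vulnerabilities from the 220 patched ones: for those, the only remediation is to remove or isolate the plugin.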
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
Total Unpatched & Patched Vulnerabilities Last Week
Patch Status | Number of Vulnerabilities |
---|---|
Patched | 220 |
Unpatched | 62 |
Total Vulnerabilities by CVSS Severity Last Week
Severity Rating | Number of Vulnerabilities |
---|---|
Low Severity | 4 |
Medium Severity | 229 |
High Severity | 28 |
Critical Severity | 21 |
Total Vulnerabilities by CWE Type Last Week
Vulnerability Type by CWE | Number of Vulnerabilities |
---|---|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 86 |
Missing Authorization | 82 |
Cross-Site Request Forgery (CSRF) | 24 |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 12 |
Information Exposure | 12 |
Server-Side Request Forgery (SSRF) | 12 |
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') | 6 |
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | 6 |
Information Exposure Through Log Files | 6 |
Unrestricted Upload of File with Dangerous Type | 5 |
Authorization Bypass Through User-Controlled Key | 4 |
Deserialization of Untrusted Data | 4 |
Improper Privilege Management | 4 |
External Control of Assumed-Immutable Web Parameter | 3 |
Use of Less Trusted Source | 3 |
Improper Control of Generation of Code ('Code Injection') | 2 |
Improper Input Validation | 2 |
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') | 2 |
Authentication Bypass Using an Alternate Path or Channel | 1 |
Guessable CAPTCHA | 1 |
Improper Access Control | 1 |
Improper Authorization | 1 |
Improper Neutralization of Alternate XSS Syntax | 1 |
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | 1 |
URL Redirection to Untrusted Site ('Open Redirect') | 1 |
Researchers That Contributed to WordPress Security Last Week
Researcher Name | Number of Vulnerabilities |
---|---|
 | 29 |
 | 23 |
 | 17 |
 | 17 |
 | 13 |
 | 13 |
 | 12 |
 | 12 |
 | 10 |
 | 10 |
 | 7 |
 | 7 |
 | 7 |
 | 7 |
 | 7 |
 | 6 |
 | 6 |
 | 6 |
 | 5 |
 | 4 |
 | 4 |
 | 4 |
 | 4 |
 | 3 |
 | 3 |
 | 3 |
 | 2 |
 | 2 |
 | 2 |
 | 2 |
 | 2 |
 | 2 |
 | 2 |
 | 2 |
 | 1 |
 | 1 |
 | 1 |
 | 1 |
 | 1 |
 | 1 |
 | 1 |
 | 1 |
 | 1 |
 | 1 |
 | 1 |
 | 1 |
 | 1 |
 | 1 |
 | 1 |
 | 1 |
 | 1 |
 | 1 |
 | 1 |
 | 1 |
 | 1 |
 | 1 |
 | 1 |
 | 1 |
 | 1 |
 | 1 |
 | 1 |
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
Software Name | Software Slug |
---|---|
Academy LMS – eLearning and online course solution for WordPress | academy |
Accessibility Widget | accessibility-widget |
ActiveDEMAND | activedemand |
Admin and Customer Messages After Order for WooCommerce: OrderConvo | admin-and-client-message-after-order-for-woocommerce |
Admin Bar Editor – Hide Toolbar by User Roles | admin-bar |
Advanced Floating Content Lite | advanced-floating-content-lite |
Advanced Local Pickup for WooCommerce | advanced-local-pickup-for-woocommerce |
Advanced Most Recent Posts Mod | advanced-most-recent-posts-mod |
Advanced Post List | advanced-post-list |
Advanced Testimonial Carousel for Elementor | advanced-testimonial-carousel-for-elementor |
AGCA – Custom Dashboard & Login Page | ag-custom-admin |
All-in-one Like Widget | all-in-one-facebook-like-widget |
Analytify – Google Analytics Dashboard For WordPress (GA4 analytics made easy) | wp-analytify |
Annual Archive | anual-archive |
Appointment Hour Booking – WordPress Booking Plugin | appointment-hour-booking |
AppPresser – Mobile App Framework | apppresser |
Arconix FAQ | arconix-faq |
Arconix Shortcodes | arconix-shortcodes |
ARforms | arforms |
ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup | armember-membership |
Assistant – Every Day Productivity Apps | assistant |
Auto Featured Image (Auto Post Thumbnail) | auto-post-thumbnail |
BackUpWordPress | backupwordpress |
Barcode Scanner and Inventory manager. POS (Point of Sale) – scan barcodes & create orders with barcode reader. | barcode-scanner-lite-pos-to-manage-products-inventory-and-orders |
Better Elementor Addons | better-elementor-addons |
Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss | bp-better-messages |
BizPrint – Print WooCommerce Order Receipts, Invoices, Labels & More. | print-google-cloud-print-gcp-woocommerce |
Blog2Social: Social Media Auto Post & Scheduler | blog2social |
Booking Ultra Pro Appointments Booking Calendar Plugin | booking-ultra-pro |
Brevo for WooCommerce | woocommerce-sendinblue-newsletter-subscription |
Build 5 Star Reviews on Google Reviews, Yelp, Facebook… easily and risk-free \| RRatingg | 5-stars-rating-funnel |
Car Dealer (Dealership) and Vehicle sales | cardealer |
CF7 File Download – File Download for CF7 | cf7-file-download |
ChatBot Conversational Forms | conversational-forms |
Classified Listing – Classified ads & Business Directory Plugin | classified-listing |
ClickCease Click Fraud Protection | clickcease-click-fraud-protection |
Client Dash | client-dash |
CM Tooltip Glossary | enhanced-tooltipglossary |
Colibri Page Builder | colibri-page-builder |
Collapse-O-Matic | jquery-collapse-o-matic |
Comments – wpDiscuz | wpdiscuz |
Contact Form 7 Database Addon – CFDB7 | contact-form-cfdb7 |
Contact Form 7 Extension For Mailchimp | contact-form-7-mailchimp-extension |
Contact Form, Survey & Popup Form Plugin for WordPress – ARForms Form Builder | arforms-form-builder |
Content Views – Post Grid & Filter, Recent Posts, Category Posts, & More (Gutenberg Blocks and Shortcode) | content-views-query-and-display-post-page |
Cookie Information \| Free GDPR Consent Solution | wp-gdpr-compliance |
CookieHub – Cookie Consent Banner (DSGVO, CCPA, RGPD and GDPR compliance) | cookiehub |
Cornerstone | cornerstone |
Coupon & Discount Code Reveal Button | coupon-reveal-button |
Crelly Slider | crelly-slider |
Culqi | culqi-checkout |
Custom field finder | custom-field-finder |
Customify Site Library | customify-sites |
Data Tables Generator by Supsystic | data-tables-generator-by-supsystic |
Database for Contact Form 7, WPforms, Elementor forms | contact-form-entries |
Easy Accept Payments via PayPal | wordpress-easy-paypal-payment-or-donation-accept-plugin |
Easy Property Listings | easy-property-listings |
Easy Set Favicon | easy-set-favicon |
Element Pack Pro – Addon for Elementor Page Builder WordPress Plugin | bdthemes-element-pack |
ElementsKit Elementor addons and Templates Library | elementskit-lite |
ElementsKit Pro | elementskit |
Elespare – Blog, Magazine and Newspaper Addons for Elementor with Templates, Widgets, Kits, and Header/Footer Builder. One Click Import: No Coding Required! | elespare |
Email Customizer for WooCommerce \| Drag and Drop Email Templates Builder | email-customizer-for-woocommerce |
Embed Google Photos album | embed-google-photos-album-easily |
ENL Newsletter | enl-newsletter |
EPROLO Dropshipping | eprolo-dropshipping |
Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders | essential-addons-for-elementor-lite |
Evergreen Content Poster – Auto Post and Schedule Your Best Content to Social Media | evergreen-content-poster |
Exclusive Addons for Elementor | exclusive-addons-for-elementor |
Export and Import Users and Customers | users-customers-import-export-for-wp-woocommerce |
FameTheme Demo Importer | famethemes-demo-importer |
Fan Page Widget by ThemeNcode | facebook-fan-page-widget |
Fancy Product Designer | fancy-product-designer |
FG Joomla to WordPress | fg-joomla-to-wordpress |
FileOrganizer – Manage WordPress and Website Files | fileorganizer |
Filterable Portfolio | jungbillig-portfolio-gallery |
Five Star Restaurant Reservations – WordPress Booking Plugin | restaurant-reservations |
Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder | form-maker |
FOX – Currency Switcher Professional for WooCommerce | woocommerce-currency-switcher |
Frontend Dashboard | frontend-dashboard |
FV Flowplayer Video Player | fv-wordpress-flowplayer |
GeoDirectory – WordPress Business Directory Plugin, or Classified Directory | geodirectory |
Getwid – Gutenberg Blocks | getwid |
Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers | rafflepress |
Happy Addons for Elementor | happy-elementor-addons |
Header Footer Code Manager Pro | 99robots-header-footer-code-manager-pro |
Headline Analyzer | headline-analyzer |
Hide Dashboard Notifications | wp-hide-backed-notices |
HT Mega – Absolute Addons For Elementor | ht-mega-for-elementor |
Hummingbird – Cache & Page Speed Optimization for Core Web Vitals \| Critical CSS \| Minify CSS \| Defer CSS Javascript | hummingbird-performance |
Image Optimizer, Resizer and CDN – Sirv | sirv |
Image Slider | image-slider-widget |
Import and export users and customers | import-users-from-csv-with-meta |
InstaWP Connect – 1-click WP Staging & Migration | instawp-connect |
Integrate Google Drive – Browse, Upload, Download, Embed, Play, Share, Gallery, and Manage Your Google Drive Files into Your WordPress Site | integrate-google-drive |
Interactive World Maps | interactive-world-maps |
Jeg Elementor Kit | jeg-elementor-kit |
KB Support – WordPress Help Desk and Knowledge Base | kb-support |
Knowledge Base documentation & wiki plugin – BasePress Docs | basepress |
Leaky Paywall | leaky-paywall |
List Custom Taxonomy Widget | list-custom-taxonomy-widget |
Login with phone number | login-with-phone-number |
Maintenance Mode | hkdev-maintenance-mode |
MainWP Child Reports | mainwp-child-reports |
Master Addons – Free Widgets, Hover Effects, Toggle, Conditions, Animations for Elementor | master-addons |
Max Addons Pro for Bricks | max-addons-pro-bricks |
MDTF – Meta Data and Taxonomies Filter | wp-meta-data-filter-and-taxonomy-filter |
Meks Smart Social Widget | meks-smart-social-widget |
Meks ThemeForest Smart Widget | meks-themeforest-smart-widget |
MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor | metform |
MF Gig Calendar | mf-gig-calendar |
myCred – Points, Rewards, Gamification, Ranks, Badges & Loyalty Plugin | mycred |
Newsletters | newsletters-lite |
Opal Widgets For Elementor | opal-widgets-for-elementor |
Page Builder: Live Composer | live-composer-page-builder |
Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction | paid-member-subscriptions |
Payment Gateway Based Fees and Discounts for WooCommerce | checkout-fees-for-woocommerce |
PDF Invoices & Packing Slips for WooCommerce | woocommerce-pdf-invoices-packing-slips |
Photo Gallery by 10Web – Mobile-Friendly Image Gallery | photo-gallery |
Photo Gallery – GT3 Image Gallery & Gutenberg Block Gallery | gt3-photo-video-gallery |
Photos and Files Contest Gallery – Contact Form, Upload Form, Social Share and Voting Competition Plugin for WordPress | contest-gallery |
Piotnet Addons For Elementor | piotnet-addons-for-elementor |
Piotnet Addons For Elementor Pro | piotnet-addons-for-elementor-pro |
Podlove Podcast Publisher | podlove-podcasting-plugin-for-wordpress |
Poll \| Vote \| Contest – Best Poll Plugin for WordPress | totalpoll-lite |
Popup Box – Best WordPress Popup Plugin | ays-popup-box |
Popup Builder by OptinMonster – WordPress Popups for Optins, Email Newsletters and Lead Generation | optinmonster |
PopupAlly | popupally |
Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) | buddyforms |
Post Grid Gutenberg Blocks and WordPress Blog Plugin – PostX | ultimate-post |
Post Grid, Form Maker, Popup Maker, WooCommerce Blocks, Post Blocks, Post Carousel – Combo Blocks | post-grid |
Premium Addons for Elementor | premium-addons-for-elementor |
Pretty Google Calendar | pretty-google-calendar |
Pricing Table by Supsystic | pricing-table-by-supsystic |
Print Invoice & Delivery Notes for WooCommerce | woocommerce-delivery-notes |
Product Addons & Fields for WooCommerce | woocommerce-product-addon |
ProfileGrid – User Profiles, Memberships, Groups and Communities | profilegrid-user-profiles-groups-and-communities |
PropertyHive | propertyhive |
Qi Addons For Elementor | qi-addons-for-elementor |
Quick Featured Images | quick-featured-images |
Radio Player – Live Shoutcast, Icecast and Any Audio Stream Player for WordPress | radio-player |
Radio Station by netmix® – Manage and play your Show Schedule in WordPress! | radio-station |
Rank Math SEO with AI Best SEO Tools | seo-by-rank-math |
Rate My Post – Star Rating Plugin by FeedbackWP | rate-my-post |
Recencio Book Reviews | recencio-book-reviews |
Reviews Plus | reviews-plus |
RomethemeForm For Elementor | romethemeform |
RomethemeKit For Elementor | rometheme-for-elementor |
Royal Elementor Addons and Templates | royal-elementor-addons |
rtMedia for WordPress, BuddyPress and bbPress | buddypress-media |
Salon booking system | salon-booking-system |
Save as PDF Plugin by Pdfcrowd | save-as-pdf-by-pdfcrowd |
SchedulePress – Best Editorial Calendar, Missed Schedule & Auto Social Share | wp-scheduled-posts |
Schema & Structured Data for WP & AMP | schema-and-structured-data-for-wp |
Secure Copy Content Protection and Content Locking | secure-copy-content-protection |
Seers \| GDPR & CCPA Cookie Consent & Compliance | seers-cookie-consent-banner-privacy-policy |
Send PDF for Contact Form 7 | send-pdf-for-contact-form-7 |
Serious Slider | cryout-serious-slider |
SharkDropship and Affiliate for AliExpress, eBay, Amazon, Etsy | woo-aliexpress-dropshipping |
ShortPixel Critical CSS | shortpixel-critical-css |
Simple Membership | simple-membership |
Simply Static | simply-static |
Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates) | sina-extension-for-elementor |
Slash Admin | slash-admin |
Smart Forms – when you need more than just a contact form | smart-forms |
Smart Maintenance Mode | smart-maintenance-mode |
Smart Recent Posts Widget | smart-recent-posts-widget |
Social Share Buttons, Social Sharing Icons, Click to Tweet — Social Media Plugin by Social Snap | socialsnap |
Social Sharing Plugin – Social Warfare | social-warfare |
Solid Affiliate | solid-affiliate |
Spectra – WordPress Gutenberg Blocks | ultimate-addons-for-gutenberg |
SSU – WordPress Amazon S3 & Wasabi Smart File Uploads Plugin | wp-s3-smart-upload |
Sticky Anything | toast-stick-anything |
StreamWeasels Twitch Integration | streamweasels-twitch-integration |
Table Rate Shipping Method for WooCommerce by Flexible Shipping | flexible-shipping |
The Pack Elementor addons (Header Footer & WooCommerce Builder, Template Library) | the-pack-addon |
The Plus Addons for Elementor | the-plus-addons-for-elementor-page-builder |
The Plus Blocks for Block Editor \| Gutenberg | the-plus-addons-for-block-editor |
Timetable and Event Schedule by MotoPress | mp-timetable |
Tutor LMS – eLearning and online course solution | tutor |
Ultimate 410 Gone Status Code | ultimate-410 |
User Meta – User Profile Builder and User management plugin | user-meta |
USPS Shipping for WooCommerce – Live Rates | flexible-shipping-usps |
Video Conferencing with Zoom | video-conferencing-with-zoom-api |
VikRentCar Car Rental Management System | vikrentcar |
Vision – Image Map Builder | vision |
Vitepos – Point of sale (POS) plugin for WooCommerce | vitepos-lite |
VK Block Patterns | vk-block-patterns |
VOD Infomaniak | vod-infomaniak |
Wallet for WooCommerce – Best WooCommerce Wallet System With Cashback Rewards, Partial Payment, Wallet Refunds | woo-wallet |
Widget Post Slider | widget-post-slider |
WooCommerce Amazon Affiliates – WordPress Plugin | woozone |
WooCommerce Shipping Label | shipping-labels-for-woo |
WordPress Ad Widget | ad-widget |
WordPress Backup & Migration | wp-migration-duplicator |
WP ADA Compliance Check Basic – Most Comprehensive Web Accessibility Solution for WordPress | wp-ada-compliance-check-basic |
WP Club Manager – WordPress Sports Club Plugin | wp-club-manager |
WP Datepicker | wp-datepicker |
WP Fusion Lite – Marketing Automation and CRM Integration for WordPress | wp-fusion-lite |
WP GoToWebinar | wp-gotowebinar |
WP LinkedIn Auto Publish | wp-linkedin-auto-publish |
WP Masquerade | wp-masquerade |
WP Media Category Management | wp-media-category-management |
WP Page Post Widget Clone | wp-page-post-widget-clone |
WP SMTP | wp-smtp |
WP STAGING Pro WordPress Backup Plugin | wp-staging-pro |
WP STAGING WordPress Backup Plugin – Migration Backup Restore | wp-staging |
WP Time Slots Booking Form | wp-time-slots-booking-form |
WP Travel Engine – Best Travel Booking WordPress Plugin | wp-travel-engine |
WP ULike – Most Advanced WordPress Marketing Toolkit | wp-ulike |
WP-Lister Lite for eBay | wp-lister-for-ebay |
WP-Members Membership Plugin | wp-members |
WP-Recall – Registration, Profile, Commerce & More | wp-recall |
WPC Composite Products for WooCommerce | wpc-composite-products |
WPCal.io – Easy Meeting Scheduler | wpcal |
WPPizza – A Restaurant Plugin | wppizza |
WPZOOM Addons for Elementor (Templates, Widgets) | wpzoom-elementor-addons |
XforWooCommerce | xforwoocommerce |
XStore Core | et-core-plugin |
YITH WooCommerce Compare | yith-woocommerce-compare |
WordPress Themes with Reported Vulnerabilities Last Week
Software Name | Software Slug |
---|---|
Accountra | accountra |
Althea WP | althea-wp |
Blocksy | blocksy |
Brite | brite |
Colibri WP | colibri-wp |
ColorNews | colornews |
Elevate WP | elevate-wp |
Financio | financio |
Hugo WP | hugo-wp |
Intrace | intrace |
Pathway | pathway |
Photology | photology |
Royal Elementor Kit | royal-elementor-kit |
Startupzy | startupzy |
Teluro | teluro |
Travey | travey |
uDesign – Responsive WordPress Theme | u-design |
Vertice | vertice |
Virtue | virtue |
WP Portfolio | wp-portfolio |
XStore | xstore |
Zeever | zeever |
Vulnerability Details
Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.
As a reminder, Wordfence maintains an industry-leading vulnerability database, Wordfence Intelligence, that covers all known WordPress core, theme, and plugin vulnerabilities.
This database is continuously updated and maintained by Wordfence's credentialed and experienced vulnerability researchers. It is populated through in-house vulnerability research, through submissions from researchers who report directly to us via our Bug Bounty Program, and by monitoring a wide range of sources to capture all publicly available WordPress vulnerability information, with additional context added where we can.
The post Wordfence Intelligence Weekly WordPress Vulnerability Report (April 22, 2024 to April 28, 2024) appeared first on Wordfence.