Wordfence Intelligence Weekly WordPress Vulnerability Report (July 8, 2024 to July 14, 2024)
Did you know Wordfence runs a Bug Bounty Program for all WordPress plugins and themes at no cost to vendors? Researchers can earn up to $10,400 for in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we handle all the rest.
Last week, 225 vulnerabilities disclosed in 186 WordPress plugins and 14 WordPress themes were added to the Wordfence Intelligence Vulnerability Database, and 62 vulnerability researchers contributed to WordPress security. Review the vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.
Enterprises, hosting providers, and even individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Alternatively, use the Vulnerability Database API to receive a complete dump of our database of over 17,000 vulnerabilities, and then use the webhook integration to stay on top of the newest vulnerabilities added in real time, as well as any updates made to the database, all for free.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
- BookingPress – Appointment Booking Calendar Plugin and Online Scheduling Plugin <= 1.1.5 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update and Arbitrary File Upload
- BookingPress Appointment Booking <= 1.1.5 – Authenticated (Subscriber+) Arbitrary File Read to Arbitrary File Creation
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30-day delay.
Total Unpatched & Patched Vulnerabilities Last Week
Patch Status | Number of Vulnerabilities |
---|---|
Patched | 93 |
Unpatched | 132 |
Total Vulnerabilities by CVSS Severity Last Week
Severity Rating | Number of Vulnerabilities |
---|---|
Low Severity | 1 |
Medium Severity | 173 |
High Severity | 32 |
Critical Severity | 19 |
Total Vulnerabilities by CWE Type Last Week
Vulnerability Type by CWE | Number of Vulnerabilities |
---|---|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 94 |
Missing Authorization | 39 |
Cross-Site Request Forgery (CSRF) | 29 |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 12 |
Information Exposure | 11 |
Unrestricted Upload of File with Dangerous Type | 8 |
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') | 6 |
Information Exposure Through Log Files | 5 |
Server-Side Request Forgery (SSRF) | 5 |
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | 4 |
Improper Privilege Management | 3 |
Authentication Bypass Using an Alternate Path or Channel | 2 |
Improper Control of Generation of Code ('Code Injection') | 2 |
Authorization Bypass Through User-Controlled Key | 1 |
Deserialization of Untrusted Data | 1 |
File and Directory Information Exposure | 1 |
Use of Hard-coded Credentials | 1 |
Use of Less Trusted Source | 1 |
Researchers That Contributed to WordPress Security Last Week
Researcher Name | Number of Vulnerabilities |
---|---|
(Researcher names were not preserved in this copy of the report; the 62 per-researcher counts ranged from 18 down to 1.) | |
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
Software Name | Software Slug |
---|---|
Academy LMS – eLearning and online course solution for WordPress | academy |
Admin Dashboard RSS Feed | admin-dashboard-rss-feed |
AdPush | adsense-plugin |
Advanced AJAX Page Loader | advanced-ajax-page-loader |
Advanced File Manager Shortcodes | file-manager-advanced-shortcode |
Advanced post slider | advanced-post-slider |
Amazing Hover Effects | amazing-hover-effects |
Animated Typed JS Shortcode | animated-typed-js-shortcode |
Appmaker – Convert WooCommerce to Android & iOS Native Mobile Apps | appmaker-woocommerce-mobile-app-manager |
Arkhe Blocks | arkhe-blocks |
Attachment File Icons (AF Icons) | attachment-file-icons |
Auto Featured Image (Auto Post Thumbnail) | auto-post-thumbnail |
Barcode Scanner and Inventory manager. POS (Point of Sale) – scan barcodes & create orders with barcode reader. | barcode-scanner-lite-pos-to-manage-products-inventory-and-orders |
BerqWP – Automated All-In-One PageSpeed Optimization Plugin for Core Web Vitals, Cache, CDN, Images, CSS, and JavaScript | searchpro |
Blog, Posts and Category Filter for Elementor | blog-posts-and-category-for-elementor |
Booking Ultra Pro Appointments Booking Calendar Plugin | booking-ultra-pro |
Bradmax Player | bradmax-player |
Branda – White Label WordPress, Custom Login Page Customizer | branda-white-labeling |
Calendar.online / Kalender.digital – Plugin | kalender-digital |
Caxton – Create Pro page layouts in Gutenberg | caxton |
Change From Email | wp-from-email |
Cliengo – Chatbot | cliengo |
CodePen Embedded Pens Shortcode | codepen-embedded-pen-shortcode |
codoc | codoc |
Coming Soon Page – Responsive Coming Soon & Maintenance Mode | responsive-coming-soon-page |
Comment Images Reloaded | comment-images-reloaded |
ConeBlog – Elementor Blog Widgets | coneblog-widgets |
Contact Form 7 Summary and Print | cf7-summary-and-print |
Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder | bit-form |
Contact Form, Survey & Popup Form Plugin for WordPress – ARForms Form Builder | arforms-form-builder |
Default Thumbnail Plus | default-thumbnail-plus |
DirectoryPress – Business Directory And Classified Ad Listing | directorypress |
Download Button for Elementor | download-button-for-elementor |
Duplicator – Migration & Backup Plugin | duplicator |
Dynamic Word Spinner: CSS3 Animated Rotation | css3-rotating-words |
Easy Pixels | easy-pixels-by-jevnet |
EazyDocs – Most Powerful Knowledge base, wiki, Documentation Builder Plugin | eazydocs |
EleForms – All In One Form Integration including DB for Elementor | all-contact-form-integration-for-elementor |
ElementInvader Addons for Elementor | elementinvader-addons-for-elementor |
EmbedPress – Embed PDF, PDF 3D FlipBook, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor | embedpress |
Event post | event-post |
Event Tickets and Registration | event-tickets |
EventON | eventon-lite |
Events Calendar for Google | events-calendar-for-google |
ExS Widgets | exs-widgets |
Extensions for Elementor | extensions-for-elementor |
FancyPost – Best Ultimate Post Block, Post Grid, Layouts, Carousel, Slider For Gutenberg & Elementor | post-block |
Featured Image Generator | featured-image-generator |
Feeds for YouTube (YouTube video, channel, and gallery plugin) | feeds-for-youtube |
Form Vibes – Database Manager for Forms | form-vibes |
FormFlow: WhatsApp & Social Form Builder for Leads | simple-form |
FULL – Cliente | full-customer |
Fusion Page Builder | fusion |
GD Rating System | gd-rating-system |
Generate PDF using Contact Form 7 | generate-pdf-using-contact-form-7 |
Genesis Blocks | genesis-blocks |
Get Use APIs – JSON Content Importer | json-content-importer |
Goftino | goftino |
Google Adsense & Banner Ads by AdsforWP | ads-for-wp |
Gravity Forms: Multiple Form Instances | gravity-forms-multiple-form-instances |
Gum Elementor Addon | gum-elementor-addon |
Gutenberg Forms – WordPress Form Builder Plugin | forms-gutenberg |
HitPay Payment Gateway for WooCommerce | hitpay-payment-gateway |
Houzez CRM | houzez-crm |
Houzez Theme – Functionality | houzez-theme-functionality |
HT Mega – Absolute Addons For Elementor | ht-mega-for-elementor |
Image Optimizer, Resizer and CDN – Sirv | sirv |
Import Spreadsheets from Microsoft Excel | import-spreadsheets-from-microsoft-excel |
InstaWP Connect – 1-click WP Staging & Migration | instawp-connect |
Internal Link Juicer: SEO Auto Linker for WordPress | internal-links |
iPanorama 360 – WordPress Virtual Tour Builder | ipanorama-360-virtual-tour-builder-lite |
IQ Testimonials | iq-testimonials |
Job Board Manager | job-board-manager |
JSON API User | json-api-user |
Just Custom Fields | just-custom-fields |
Laposta | laposta |
LearnDash LMS – Reports | wisdm-reports-for-learndash |
Light Poll | light-poll |
Link Library | link-library |
Login by Auth0 | auth0 |
Magical Addons For Elementor ( Header Footer Builder, Free Elementor Widgets, Elementor Templates Library ) | magical-addons-for-elementor |
Magical Posts Display – Elementor Advanced Posts widgets | magical-posts-display |
MakeStories (for Google Web Stories) | makestories-helper |
Master Addons – Free Widgets, Hover Effects, Toggle, Conditions, Animations for Elementor | master-addons |
Master Popups | master-popups-lite |
Matomo Analytics – Ethical Stats. Powerful Insights. | matomo |
MBE eShip | mail-boxes-etc |
Media Hygiene: Remove or Delete Unused Images and More! | media-hygiene |
Meks Smart Author Widget | meks-smart-author-widget |
Meks Video Importer | meks-video-importer |
Metorik – Reports & Email Automation for WooCommerce | metorik-helper |
Modern Events Calendar | modern-events-calendar |
Modern Events Calendar Lite | modern-events-calendar-lite |
Moloni | moloni |
MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar | mp3-music-player-by-sonaar |
MStore API – Create Native Android & iOS Apps On The Cloud | mstore-api |
oik | oik |
Olive One Click Demo Import | olive-one-click-demo-import |
Openpos – WooCommerce Point Of Sale(POS) | woocommerce-openpos |
OSM – OpenStreetMap | osm |
Packlink PRO shipping module | packlink-pro-shipping |
Panda Video | pandavideo |
Payflex Payment Gateway | payflex-payment-gateway |
PayPlus Payment Gateway | payplus-payment-gateway |
Plugin Notes Plus | plugin-notes-plus |
Plum: Spin Wheel & Email Pop-up | qodeblock |
Post Layouts for Gutenberg | post-layouts |
Power BI Embedded for WordPress | embed-power-bi |
PowerPress Podcasting plugin by Blubrry | powerpress |
Predictive Search for WooCommerce | woocommerce-predictive-search |
Premium Addons for Elementor | premium-addons-for-elementor |
Pricing Table | elfsight-pricing-table |
Product Delivery Date for WooCommerce – Lite | product-delivery-date-for-woocommerce-lite |
Product Designer | product-designer |
Product Table by WBW | woo-product-tables |
ProfileGrid – User Profiles, Groups and Communities | profilegrid-user-profiles-groups-and-communities |
Qi Blocks | qi-blocks |
Realtyna Organic IDX plugin + WPL Real Estate | real-estate-listing-realtyna-wpl |
ReCaptcha Integration for WordPress | wp-recaptcha-integration |
Recipe Cards For Your Food Blog from Zip Recipes | zip-recipes |
ReDi Restaurant Reservation | redi-restaurant-reservation |
Registration Forms – User Registration Forms, Invitation-Based Registrations, Front-end User Profile, Login Form & Content Restriction | pie-register |
REVIEWS.io WooCommerce Plugin | reviewscouk-for-woocommerce |
ScrollTo Bottom | scrollto-bottom |
ScrollTo Top | scrollto-top |
SCSS Happy Compiler – Compile SCSS to CSS & Automatic Enqueue | happy-scss-compiler |
Search & Replace | search-and-replace |
Send Users Email | send-users-email |
Seraphinite Accelerator Pro | seraphinite-accelerator-ext |
Seraphinite Post .DOCX Source | seraphinite-post-docx-source |
Simple Alert Boxes | simple-alert-boxes |
Simple Popup Plugin | simple-popup-plugin |
Simple Post Notes | simple-post-notes |
Simple Responsive Slider | simple-responsive-slider |
SKT Addons for Elementor | skt-addons-for-elementor |
SKT Skill Bar | skt-skill-bar |
Sky Addons for Elementor (Free Templates Library, Live Copy, Animations, Post Grid, Post Carousel, Particles, Sliders, Chart, Blogs) | sky-elementor-addons |
Slider Blocks – All in One Block Slider | slider-blocks |
SlingBlocks – Gutenberg Blocks by FunnelKit (Formerly WooFunnels) | slingblocks |
SmartCrawl WordPress SEO checker, SEO analyzer, SEO optimizer | smartcrawl-seo |
Social Sharing Plugin – Kiwi | kiwi-social-share |
Spiffy Calendar | spiffy-calendar |
Squelch Tabs and Accordions Shortcodes | squelch-tabs-and-accordions-shortcodes |
Tabs For WPBakery Page Builder (formerly Visual Composer) | tabs-for-visual-composer |
Tagbox – UGC Galleries, Social Media Widgets, User Reviews & Analytics | taggbox-widget |
Team Manager – WordPress Showcase Team Members | wp-team-manager |
Team Members | team-members |
Timeline Module for Beaver Builder | timeline-for-beaver-builder |
Titan Anti-spam & Security | anti-spam |
TOCHAT.BE | tochat-be |
Tutor LMS – eLearning and online course solution | tutor |
Typebot | Create advanced chat experiences without coding | typebot |
Ultimate Classified Listings | ultimate-classified-listings |
UltraAddons – Elementor Addons (Header Footer Builder, Custom Font, Custom CSS,Woo Widget, Menu Builder, Anywhere Elementor Shortcode) | ultraaddons-elementor-lite |
Uncanny Automator Pro | uncanny-automator-pro |
Unlimited Elements For Elementor (Free Widgets, Addons, Templates) | unlimited-elements-for-elementor |
User Activity Log Pro | user-activity-log-pro |
User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds | userfeedback-lite |
VK All in One Expansion Unit | vk-all-in-one-expansion-unit |
Wallet for WooCommerce | woo-wallet |
Wallet System for WooCommerce – Wallet, Digital Wallet, Cashback, Recharge User Wallets, Partial Payments, Wallet restriction, Refunds | wallet-system-for-woocommerce |
WappPress – Create Mobile App for any WordPress site with our Mobile App Builder in just 1 minute | wapppress-builds-android-app-for-website |
Webico Slider Flatsome Addons | webico-slider-flatsome-addons |
Wholesale Suite – WooCommerce Wholesale Prices, B2B, Catalog Mode, Order Form, Wholesale User Roles, Dynamic Pricing & More | woocommerce-wholesale-prices |
WooCommerce Report | ithemelandco-woo-report |
WordPress Multisite Content Copier/Updater | wp-multisite-content-copier |
WP Accessibility Helper (WAH) | wp-accessibility-helper |
WP Announcement | Dynamic Announcement, Banner, & Countdown Timer for Effective Promotions | sp-announcement |
WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting | erp |
WP Event Aggregator: Import Eventbrite events, Meetup events, social events and any iCal Events into WordPress | wp-event-aggregator |
WP Fast Total Search – The Power of Indexed Search | fulltext-search |
WP GoToWebinar | wp-gotowebinar |
WP Links Page | wp-links-page |
WP Photo Album Plus | wp-photo-album-plus |
WP Popups – WordPress Popup builder | wp-popups-lite |
WP Total Branding – Complete branding solution for WordPress | wp-total-branding |
WP Travel Engine – Tour Booking Plugin – Tour Operator Software | wp-travel-engine |
WP User Switch | wp-user-switch |
WP2Speed Faster – Optimize PageSpeed Insights Score 90-100 | wp2speed |
WPBITS Addons For Elementor Page Builder | wpbits-addons-for-elementor |
WPCS – WordPress Currency Switcher Professional | currency-switcher |
XPlainer – Product FAQ for WooCommerce & AI FAQ Generator | faq-for-woocommerce |
YITH WooCommerce Ajax Product Filter | yith-woocommerce-ajax-navigation |
Zephyr Project Manager | zephyr-project-manager |
Zoho Campaigns | zoho-campaigns |
Zoho CRM Lead Magnet | zoho-crm-forms |
WordPress Themes with Reported Vulnerabilities Last Week
Software Name | Software Slug |
---|---|
BuddyBoss Theme | buddyboss-theme |
Counterpoint | counterpoint |
i-amaze | i-amaze |
i-transform | i-transform |
Noo JobMonster | noo-jobmonster |
Oceanic | oceanic |
OnePress | onepress |
Patricia Blog | patricia-blog |
Patricia Lite | patricia-lite |
Point | point |
Popularis Verse | popularis-verse |
Responsive Mobile | responsive-mobile |
SmartMag | smartmag-responsive-retina-wordpress-magazine |
SociallyViral | sociallyviral |
Vulnerability Details
Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.
As a reminder, Wordfence has curated an industry-leading vulnerability database, known as Wordfence Intelligence, covering all known WordPress core, theme, and plugin vulnerabilities.
This database is continuously updated, maintained, and populated by Wordfence's highly credentialed and experienced vulnerability researchers through in-house vulnerability research, through vulnerability researchers submitting directly to us via our Bug Bounty Program, and by monitoring various sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.