Wordfence Intelligence Weekly WordPress Vulnerability Report (April 1, 2024 to April 7, 2024)

Did you know we’re running a Bug Bounty Extravaganza again?

Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through May 27th, 2024 when you opt to have Wordfence handle responsible disclosure!

Last week, there were 173 vulnerabilities disclosed in 138 WordPress Plugins and 2 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 64 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 15,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status
Number of Vulnerabilities

Patched
157

Unpatched
16

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating
Number of Vulnerabilities

Low Severity
1

Medium Severity
141

High Severity
17

Critical Severity
14

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE
Number of Vulnerabilities

Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
53

Missing Authorization
33

Cross-Site Request Forgery (CSRF)
25

Information Exposure
12

Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
8

Unrestricted Upload of File with Dangerous Type
7

Authorization Bypass Through User-Controlled Key
4

Deserialization of Untrusted Data
4

Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’)
4

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
4

Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
2

Incorrect Privilege Assignment
2

URL Redirection to Untrusted Site (‘Open Redirect’)
2

Absolute Path Traversal
1

Exposure of Private Information (‘Privacy Violation’)
1

External Control of Assumed-Immutable Web Parameter
1

Guessable CAPTCHA
1

Improper Access Control
1

Improper Authorization
1

Improper Control of Generation of Code (‘Code Injection’)
1

Improper Neutralization of Alternate XSS Syntax
1

Improper Neutralization of Formula Elements in a CSV File
1

Incorrect Authorization
1

Information Exposure Through Log Files
1

Path Traversal: ‘…/…//’
1

Server-Side Request Forgery (SSRF)
1

Researchers That Contributed to WordPress Security Last Week

Researcher Name
Number of Vulnerabilities

14

9

9

8

8

7

7

7

6

5

4

4

4

4

4

4

3

3

3

3

3

3

2

2

2

2

2

2

2

2

2

2

2

2

2

2

2

1

1

1

1

1

1

1

1

1

1

1

1

1

1

1

1

1

1

1

1

1

1

1

1

1

1

1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name
Software Slug

Advanced Local Pickup for WooCommerce

advanced-local-pickup-for-woocommerce

Advanced Order Export For WooCommerce

woo-order-export-lite

All-in-One Video Gallery

all-in-one-video-gallery

Announce from the Dashboard

announce-from-the-dashboard

Announcer – Sticky Message Banner, Notification Bar – Add to Top, Bottom of your Website

announcer

App Builder – Create Native Android & iOS Apps On The Flight

app-builder

AppPresser – Mobile App Framework

apppresser

ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup

armember-membership

Auto Poster

auto-poster

Bannerlid

bannerlid

Beaver Builder – WordPress Page Builder

beaver-builder-lite-version

Beaver Themer

beaver-themer

Best WordPress Gallery Plugin – FooGallery

foogallery

Bold Page Builder

bold-page-builder

BoldGrid Easy SEO – Simple and Effective SEO

boldgrid-easy-seo

BookingPress – Appointment Booking Calendar Plugin and Online Scheduling Plugin

bookingpress-appointment-booking

Bricksforge

bricksforge

Captcha by BestWebSoft – Spam Protection, Security Plugin for WordPress Forms

captcha-bws

Carousel, Slider, Gallery by WP Carousel – Image Carousel & Photo Gallery, Post Carousel & Post Grid, Product Carousel & Product Grid for WooCommerce

wp-carousel-free

CGC Maintenance Mode

cgc-maintenance-mode

Church Admin

church-admin

Classified Listing – Classified ads & Business Directory Plugin

classified-listing

CMB2

cmb2

Colibri Page Builder

colibri-page-builder

Contact Form Email

contact-form-to-email

Contact Form, Survey & Popup Form Plugin for WordPress – ARForms Form Builder

arforms-form-builder

ConvertKit – Email Newsletter, Email Marketing, Subscribers and Landing Pages

convertkit

Creative Addons for Elementor

creative-addons-for-elementor

Custom post types, Custom Fields & more

custom-post-types

Demo My WordPress

demo-my-wordpress

Easy Digital Downloads – Sell Digital Files & Subscriptions (eCommerce Store + Payments Made Easy)

easy-digital-downloads

Easy Login Styler – White Label Admin Login Page for WordPress

easy-login-styler

Easy Social Share Buttons for WordPress

easy-social-share-buttons3

Edwiser Bridge – WordPress Moodle LMS Integration

edwiser-bridge

Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows)

bdthemes-element-pack-lite

Elementor Addons, Widgets and Enhancements – Stax

stax-addons-for-elementor

ElementsKit Elementor addons

elementskit-lite

ELEX WooCommerce Dynamic Pricing and Discounts

elex-woocommerce-dynamic-pricing-and-discounts

Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce

email-subscribers

EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor

embedpress

EnvíaloSimple: Email Marketing y Newsletters

envialosimple-email-marketing-y-newsletters-gratis

Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates

essential-blocks

EventPrime – Events Calendar, Bookings and Tickets

eventprime-event-calendar-management

FancyBox for WordPress

fancybox-for-wordpress

FG Drupal to WordPress

fg-drupal-to-wp

File Manager

wp-file-manager

Flexible Checkout Fields for WooCommerce – WooCommerce Checkout Manager

flexible-checkout-fields

Form to Chat App

form-to-chat

Formsite | Embed online forms to collect orders, registrations, leads, and surveys

formsite

Generate Child Theme

generate-child-theme

Genesis Blocks

genesis-blocks

Global Elementor Buttons

global-elementor-buttons

Gradient Text Widget for Elementor

gradient-text-widget-for-elementor

Gutenberg Blocks by Kadence Blocks – Page Builder Features

kadence-blocks

Happy Addons for Elementor

happy-elementor-addons

Image Watermark

image-watermark

Import XML and RSS Feeds

import-xml-feed

Jeg Elementor Kit

jeg-elementor-kit

JS Help Desk – Best Help Desk & Support Plugin

js-support-ticket

LayerSlider

LayerSlider

LearnPress Export Import – WordPress extension for LearnPress

learnpress-import-export

LearnPress – WordPress LMS Plugin

learnpress

Loan Repayment Calculator and Application Form

quick-interest-slider

MailMunch – Grow your Email List

mailmunch

Masteriyo LMS – eLearning and Online Course Builder for WordPress

learning-management-system

MasterStudy LMS WordPress Plugin – for Online Courses and Education

masterstudy-lms-learning-management-system

Media Library Folders

media-library-plus

MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor

metform

MM-email2image

mm-email2image

Modal Popup Box – Popup Builder, Show Offers And News in Popup

modal-popup-box

MP3 Audio Player for Music, Radio & Podcast by Sonaar

mp3-music-player-by-sonaar

Multiple Page Generator Plugin – MPG

multiple-pages-generator-by-porthas

MultiVendorX Marketplace – WooCommerce MultiVendor Marketplace Solution

dc-woocommerce-multi-vendor

Nudgify Social Proof, Sales Popup & FOMO – Best WordPress Social Proof Plugin

nudgify

Passster – Password Protect Pages and Content

content-protector

Photo Gallery by 10Web – Mobile-Friendly Image Gallery

photo-gallery

Post Grid Gutenberg Blocks and WordPress News Plugin – PostX

ultimate-post

Post Views Counter

post-views-counter

Powerkit – Supercharge your WordPress Site

powerkit

Premium Addons for Elementor

premium-addons-for-elementor

Product Designer

product-designer

Product Sort and Display for WooCommerce

woocommerce-product-sort-and-display

ProfileGrid – User Profiles, Memberships, Groups and Communities

profilegrid-user-profiles-groups-and-communities

RapidLoad 2.2 – Speed Monster in One Plugin

unusedcss

ReDi Restaurant Reservation

redi-restaurant-reservation

rehub-framework

rehub-framework

Relevanssi – A Better Search

relevanssi

Relevanssi – A Better Search (Pro)

relevanssi-premium

Responsive Lightbox & Gallery

responsive-lightbox

Royal Elementor Addons and Templates

royal-elementor-addons

RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator

feedzy-rss-feeds

s2Member – Best Membership Plugin for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions

s2member

SearchIQ – The Search Solution

searchiq

SecuPress Free — WordPress Security

secupress

Sharkdropship Dropshipping & Affiliate for for AliExpress

wooshark-aliexpress-importer

ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor)

woolentor-addons

ShortPixel Adaptive Images – WebP, AVIF, CDN, Image Optimization

shortpixel-adaptive-images

Sign-up Sheets

sign-up-sheets

Slideshow Gallery LITE

slideshow-gallery

Smart Online Order for Clover

clover-online-orders

Spectra – WordPress Gutenberg Blocks

ultimate-addons-for-gutenberg

Squelch Tabs and Accordions Shortcodes

squelch-tabs-and-accordions-shortcodes

Subscribe To Comments Reloaded

subscribe-to-comments-reloaded

Sumo – Boost Conversion and Sales

sumome

Super Testimonials

super-testimonial

Sydney Toolbox

sydney-toolbox

Template Kit – Import

template-kit-import

Tracking Code Manager

tracking-code-manager

Transcoder

transcoder

Ultimate Bootstrap Elements for Elementor

ultimate-bootstrap-elements-for-elementor

Ultimate Maps by Supsystic

ultimate-maps-by-supsystic

User Activity Log

user-activity-log

User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor

profile-builder

User Spam Remover

user-spam-remover

Watu Quiz

watu

Wholesale For WooCommerce

woocommerce-wholesale-pricing

WooCommerce

woocommerce

WooCommerce Checkout Field Editor (Checkout Manager)

woo-checkout-regsiter-field-editor

WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels

print-invoices-packing-slip-labels-for-woocommerce

WordPress Backup & Migration

wp-migration-duplicator

WordPress Classifieds Plugin – Ad Directory & Listings by AWP Classifieds

another-wordpress-classifieds-plugin

WordPress Comments Import & Export

comments-import-export-woocommerce

WordPress Gallery Exporter – Export your NextGen, Envira and FooGallery galleries to your computer

wp-gallery-exporter

WordPress Gallery Plugin – NextGEN Gallery

nextgen-gallery

WordPress Tag and Category Manager – AI Autotagger

simple-tags

WordPress Tooltips

wordpress-tooltips

WordPress Webinar Plugin – WebinarPress

wp-webinarsystem

WP Directory Kit

wpdirectorykit

WP Import Export Lite

wp-import-export-lite

WP OAuth Server (OAuth Authentication)

oauth2-provider

WP Photo Album Plus

wp-photo-album-plus

WP Poll Maker – Best WordPress Poll Plugin for Voting Contest

epoll-wp-voting

WP Server Health Stats

wp-server-stats

WP Sort Order

wp-sort-order

WP-Members Membership Plugin

wp-members

WP-Stateless – Google Cloud Storage

wp-stateless

WPFront User Role Editor

wpfront-user-role-editor

WPvivid Backup for MainWP

wpvivid-backup-mainwp

WordPress Themes with Reported Vulnerabilities Last Week

Software Name
Software Slug

Hello Elementor

hello-elementor

rehub-theme

rehub-theme

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us through our Bug Bounty Program, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (April 1, 2024 to April 7, 2024) appeared first on Wordfence.