Wordfence Intelligence Weekly WordPress Vulnerability Report (July 8, 2024 to July 14, 2024)

Did you know Wordfence runs a Bug Bounty Program for all WordPress plugin and themes at no cost to vendors? Researchers can earn up to $10,400, for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we handle all the rest. 

Last week, there were 225 vulnerabilities disclosed in 186 WordPress Plugins and 14 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 62 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 17,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

BookingPress – Appointment Booking Calendar Plugin and Online Scheduling Plugin <= 1.1.5 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update and Arbitrary File Upload
BookingPress Appointment Booking <= 1.1.5 – Authenticated (Subscriber+) Arbitrary File Read to Arbitrary File Creation

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status
Number of Vulnerabilities

Patched
93

Unpatched
132

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating
Number of Vulnerabilities

Low Severity
1

Medium Severity
173

High Severity
32

Critical Severity
19

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE
Number of Vulnerabilities

Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
94

Missing Authorization
39

Cross-Site Request Forgery (CSRF)
29

Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
12

Information Exposure
11

Unrestricted Upload of File with Dangerous Type
8

Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’)
6

Information Exposure Through Log Files
5

Server-Side Request Forgery (SSRF)
5

Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
4

Improper Privilege Management
3

Authentication Bypass Using an Alternate Path or Channel
2

Improper Control of Generation of Code (‘Code Injection’)
2

Authorization Bypass Through User-Controlled Key
1

Deserialization of Untrusted Data
1

File and Directory Information Exposure
1

Use of Hard-coded Credentials
1

Use of Less Trusted Source
1

Researchers That Contributed to WordPress Security Last Week

Researcher Name
Number of Vulnerabilities

18

15

14

13

13

12

10

9

7

7

6

6

6

5

4

4

4

4

4

3

3

3

3

3

3

3

2

2

2

2

2

2

2

2

2

2

2

2

2

2

1

1

1

1

1

1

1

1

1

1

1

1

1

1

1

1

1

1

1

1

1

1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name
Software Slug

Academy LMS – eLearning and online course solution for WordPress

academy

Admin Dashboard RSS Feed

admin-dashboard-rss-feed

AdPush

adsense-plugin

Advanced AJAX Page Loader

advanced-ajax-page-loader

Advanced File Manager Shortcodes

file-manager-advanced-shortcode

Advanced post slider

advanced-post-slider

Amazing Hover Effects

amazing-hover-effects

Animated Typed JS Shortcode

animated-typed-js-shortcode

Appmaker – Convert WooCommerce to Android & iOS Native Mobile Apps

appmaker-woocommerce-mobile-app-manager

Arkhe Blocks

arkhe-blocks

Attachment File Icons (AF Icons)

attachment-file-icons

Auto Featured Image (Auto Post Thumbnail)

auto-post-thumbnail

Barcode Scanner and Inventory manager. POS (Point of Sale) – scan barcodes & create orders with barcode reader.

barcode-scanner-lite-pos-to-manage-products-inventory-and-orders

BerqWP – Automated All-In-One PageSpeed Optimization Plugin for Core Web Vitals, Cache, CDN, Images, CSS, and JavaScript

searchpro

Blog, Posts and Category Filter for Elementor

blog-posts-and-category-for-elementor

Booking Ultra Pro Appointments Booking Calendar Plugin

booking-ultra-pro

Bradmax Player

bradmax-player

Branda – White Label WordPress, Custom Login Page Customizer

branda-white-labeling

Calendar.online / Kalender.digital – Plugin

kalender-digital

Caxton – Create Pro page layouts in Gutenberg

caxton

Change From Email

wp-from-email

Cliengo – Chatbot

cliengo

codoc

codoc

Coming Soon Page – Responsive Coming Soon & Maintenance Mode

responsive-coming-soon-page

Comment Images Reloaded

comment-images-reloaded

ConeBlog – Elementor Blog Widgets

coneblog-widgets

Contact Form 7 Summary and Print

cf7-summary-and-print

Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder

bit-form

Contact Form, Survey & Popup Form Plugin for WordPress – ARForms Form Builder

arforms-form-builder

Default Thumbnail Plus

default-thumbnail-plus

DirectoryPress – Business Directory And Classified Ad Listing

directorypress

Download Button for Elementor

download-button-for-elementor

Duplicator – Migration & Backup Plugin

duplicator

Dynamic Word Spinner: CSS3 Animated Rotation

css3-rotating-words

Easy Pixels

easy-pixels-by-jevnet

EazyDocs – Most Powerful Knowledge base, wiki, Documentation Builder Plugin

eazydocs

EleForms – All In One Form Integration including DB for Elementor

all-contact-form-integration-for-elementor

ElementInvader Addons for Elementor

elementinvader-addons-for-elementor

EmbedPress – Embed PDF, PDF 3D FlipBook, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor

embedpress

Event post

event-post

Event Tickets and Registration

event-tickets

EventON

eventon-lite

Events Calendar for Google

events-calendar-for-google

ExS Widgets

exs-widgets

Extensions for Elementor

extensions-for-elementor

FancyPost – Best Ultimate Post Block, Post Grid, Layouts, Carousel, Slider For Gutenberg & Elementor

post-block

Featured Image Generator

featured-image-generator

Feeds for YouTube (YouTube video, channel, and gallery plugin)

feeds-for-youtube

Form Vibes – Database Manager for Forms

form-vibes

FormFlow: WhatsApp & Social Form Builder for Leads

simple-form

FULL – Cliente

full-customer

Fusion Page Builder

fusion

GD Rating System

gd-rating-system

Generate PDF using Contact Form 7

generate-pdf-using-contact-form-7

Genesis Blocks

genesis-blocks

Get Use APIs – JSON Content Importer

json-content-importer

Goftino

goftino

Google Adsense & Banner Ads by AdsforWP

ads-for-wp

Gravity Forms: Multiple Form Instances

gravity-forms-multiple-form-instances

Gum Elementor Addon

gum-elementor-addon

Gutenberg Forms – WordPress Form Builder Plugin

forms-gutenberg

GutSlider – All in One Block Slider

slider-blocks

HitPay Payment Gateway for WooCommerce

hitpay-payment-gateway

Houzez CRM

houzez-crm

Houzez Theme – Functionality

houzez-theme-functionality

HT Mega – Absolute Addons For Elementor

ht-mega-for-elementor

Image Optimizer, Resizer and CDN – Sirv

sirv

Import Spreadsheets from Microsoft Excel

import-spreadsheets-from-microsoft-excel

InstaWP Connect – 1-click WP Staging & Migration

instawp-connect

Internal Link Juicer: SEO Auto Linker for WordPress

internal-links

iPanorama 360 – WordPress Virtual Tour Builder

ipanorama-360-virtual-tour-builder-lite

IQ Testimonials

iq-testimonials

Job Board Manager

job-board-manager

JSON API User

json-api-user

Just Custom Fields

just-custom-fields

Laposta

laposta

LearnDash LMS – Reports

wisdm-reports-for-learndash

Light Poll

light-poll

Link Library

link-library

Login by Auth0

auth0

Magical Addons For Elementor ( Header Footer Builder, Free Elementor Widgets, Elementor Templates Library )

magical-addons-for-elementor

Magical Posts Display – Elementor Advanced Posts widgets

magical-posts-display

MakeStories (for Google Web Stories)

makestories-helper

Master Addons – Free Widgets, Hover Effects, Toggle, Conditions, Animations for Elementor

master-addons

Master Popups

master-popups-lite

Matomo Analytics – Ethical Stats. Powerful Insights.

matomo

MBE eShip

mail-boxes-etc

Media Hygiene: Remove or Delete Unused Images and More!

media-hygiene

Meks Smart Author Widget

meks-smart-author-widget

Meks Video Importer

meks-video-importer

Metorik – Reports & Email Automation for WooCommerce

metorik-helper

Modern Events Calendar

modern-events-calendar

Modern Events Calendar Lite

modern-events-calendar-lite

Moloni

moloni

MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar

mp3-music-player-by-sonaar

MStore API – Create Native Android & iOS Apps On The Cloud

mstore-api

oik

oik

Olive One Click Demo Import

olive-one-click-demo-import

Openpos – WooCommerce Point Of Sale(POS)

woocommerce-openpos

OSM – OpenStreetMap

osm

Packlink PRO shipping module

packlink-pro-shipping

Panda Video

pandavideo

Payflex Payment Gateway

payflex-payment-gateway

PayPlus Payment Gateway

payplus-payment-gateway

Plugin Name: CodePen Embedded Pens Shortcode

codepen-embedded-pen-shortcode

Plugin Notes Plus

plugin-notes-plus

Plum: Spin Wheel & Email Pop-up

qodeblock

Post Layouts for Gutenberg

post-layouts

Power BI Embedded for WordPress

embed-power-bi

PowerPress Podcasting plugin by Blubrry

powerpress

Predictive Search for WooCommerce

woocommerce-predictive-search

Premium Addons for Elementor

premium-addons-for-elementor

Pricing Table

elfsight-pricing-table

Product Delivery Date for WooCommerce – Lite

product-delivery-date-for-woocommerce-lite

Product Designer

product-designer

Product Table by WBW

woo-product-tables

ProfileGrid – User Profiles, Groups and Communities

profilegrid-user-profiles-groups-and-communities

Qi Blocks

qi-blocks

Realtyna Organic IDX plugin + WPL Real Estate

real-estate-listing-realtyna-wpl

ReCaptcha Integration for WordPress

wp-recaptcha-integration

Recipe Cards For Your Food Blog from Zip Recipes

zip-recipes

ReDi Restaurant Reservation

redi-restaurant-reservation

Registration Forms – User Registration Forms, Invitation-Based Registrations, Front-end User Profile, Login Form & Content Restriction

pie-register

REVIEWS.io WooCommerce Plugin

reviewscouk-for-woocommerce

ScrollTo Bottom

scrollto-bottom

ScrollTo Top

scrollto-top

SCSS Happy Compiler – Compile SCSS to CSS & Automatic Enqueue

happy-scss-compiler

Search & Replace

search-and-replace

Send Users Email

send-users-email

Seraphinite Accelerator Pro

seraphinite-accelerator-ext

Seraphinite Post .DOCX Source

seraphinite-post-docx-source

Simple Alert Boxes

simple-alert-boxes

Simple Popup Plugin

simple-popup-plugin

Simple Post Notes

simple-post-notes

Simple Responsive Slider

simple-responsive-slider

SKT Addons for Elementor

skt-addons-for-elementor

SKT Skill Bar

skt-skill-bar

Sky Addons for Elementor (Free Templates Library, Live Copy, Animations, Post Grid, Post Carousel, Particles, Sliders, Chart, Blogs)

sky-elementor-addons

SlingBlocks – Gutenberg Blocks by FunnelKit (Formerly WooFunnels)

slingblocks

SmartCrawl WordPress SEO checker, SEO analyzer, SEO optimizer

smartcrawl-seo

Social Sharing Plugin – Kiwi

kiwi-social-share

Spiffy Calendar

spiffy-calendar

Squelch Tabs and Accordions Shortcodes

squelch-tabs-and-accordions-shortcodes

Tabs For WPBakery Page Builder (formerly Visual Composer)

tabs-for-visual-composer

Tagbox – UGC Galleries, Social Media Widgets, User Reviews & Analytics

taggbox-widget

Team Manager – WordPress Showcase Team Members

wp-team-manager

Team Members

team-members

Timeline Module for Beaver Builder

timeline-for-beaver-builder

Titan Anti-spam & Security

anti-spam

TOCHAT.BE

tochat-be

Tutor LMS – eLearning and online course solution

tutor

Typebot | Create advanced chat experiences without coding

typebot

Ultimate Classified Listings

ultimate-classified-listings

UltraAddons – Elementor Addons (Header Footer Builder, Custom Font, Custom CSS,Woo Widget, Menu Builder, Anywhere Elementor Shortcode)

ultraaddons-elementor-lite

Uncanny Automator Pro

uncanny-automator-pro

Unlimited Elements For Elementor (Free Widgets, Addons, Templates)

unlimited-elements-for-elementor

User Activity Log Pro

user-activity-log-pro

User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds

userfeedback-lite

VK All in One Expansion Unit

vk-all-in-one-expansion-unit

Wallet for WooCommerce

woo-wallet

Wallet System for WooCommerce – Wallet, Digital Wallet, Cashback, Recharge User Wallets, Partial Payments, Wallet restriction, Refunds

wallet-system-for-woocommerce

WappPress – Create Mobile App for any WordPress site with our Mobile App Builder in just 1 minute

wapppress-builds-android-app-for-website

Webico Slider Flatsome Addons

webico-slider-flatsome-addons

Wholesale Suite – WooCommerce Wholesale Prices, B2B, Catalog Mode, Order Form, Wholesale User Roles, Dynamic Pricing & More

woocommerce-wholesale-prices

WooCommerce Report

ithemelandco-woo-report

WordPress Multisite Content Copier/Updater

wp-multisite-content-copier

WP Accessibility Helper (WAH)

wp-accessibility-helper

WP Announcement | Dynamic Announcement, Banner, & Countdown Timer for Effective Promotions

sp-announcement

WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting

erp

WP Event Aggregator: Import Eventbrite events, Meetup events, social events and any iCal Events into WordPress

wp-event-aggregator

WP Fast Total Search – The Power of Indexed Search

fulltext-search

WP GoToWebinar

wp-gotowebinar

WP Links Page

wp-links-page

WP Photo Album Plus

wp-photo-album-plus

WP Popups – WordPress Popup builder

wp-popups-lite

WP Total Branding – Complete branding solution for WordPress

wp-total-branding

WP Travel Engine – Tour Booking Plugin – Tour Operator Software

wp-travel-engine

WP User Switch

wp-user-switch

WP2Speed Faster – Optimize PageSpeed Insights Score 90-100

wp2speed

WPBITS Addons For Elementor Page Builder

wpbits-addons-for-elementor

WPCS – WordPress Currency Switcher Professional

currency-switcher

XPlainer – WooCommerce Product FAQ [WooCommerce Accordion FAQ Plugin]

faq-for-woocommerce

YITH WooCommerce Ajax Product Filter

yith-woocommerce-ajax-navigation

Zephyr Project Manager

zephyr-project-manager

Zoho Campaigns

zoho-campaigns

Zoho CRM Lead Magnet

zoho-crm-forms

WordPress Themes with Reported Vulnerabilities Last Week

Software Name
Software Slug

BuddyBoss Theme

buddyboss-theme

Counterpoint

counterpoint

i-amaze

i-amaze

i-transform

i-transform

Noo JobMonster

noo-jobmonster

Oceanic

oceanic

OnePress

onepress

Patricia Blog

patricia-blog

Patricia Lite

patricia-lite

Point

point

Popularis Verse

popularis-verse

Responsive Mobile

responsive-mobile

SmartMag

smartmag-responsive-retina-wordpress-magazine

SociallyViral

sociallyviral

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us through our Bug Bounty Program, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (July 8, 2024 to July 14, 2024) appeared first on Wordfence.