Wordfence Intelligence Weekly WordPress Vulnerability Report (June 17, 2024 to June 23, 2024)

Did you know Wordfence runs a Bug Bounty Program for all WordPress plugin and themes at no cost to vendors? Researchers can earn up to $10,400, for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we handle all the rest. For a limited time, all high risk issues are in-scope for all researchers! 

Last week, there were 183 vulnerabilities disclosed in 135 WordPress Plugins and 14 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 61 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 17,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

WAF-RULE-707 – data redacted while we work with the vendor on a patch.
WAF-RULE-708 – data redacted while we work with the vendor on a patch.

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status
Number of Vulnerabilities

Patched
101

Unpatched
82

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating
Number of Vulnerabilities

Medium Severity
142

High Severity
24

Critical Severity
17

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE
Number of Vulnerabilities

Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
67

Cross-Site Request Forgery (CSRF)
31

Missing Authorization
29

Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
9

Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’)
7

Unrestricted Upload of File with Dangerous Type
6

Information Exposure
4

Deserialization of Untrusted Data
3

Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
3

Server-Side Request Forgery (SSRF)
3

Authorization Bypass Through User-Controlled Key
2

Improper Control of Generation of Code (‘Code Injection’)
2

Improper Input Validation
2

Information Exposure Through Log Files
2

URL Redirection to Untrusted Site (‘Open Redirect’)
2

Use of Less Trusted Source
2

Authentication Bypass Using an Alternate Path or Channel
1

Improper Access Control
1

Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
1

Improper Neutralization of Formula Elements in a CSV File
1

Incorrect Authorization
1

Incorrect Privilege Assignment
1

Protection Mechanism Failure
1

Uncontrolled Resource Consumption (‘Resource Exhaustion’)
1

Weak Password Recovery Mechanism for Forgotten Password
1

Researchers That Contributed to WordPress Security Last Week

Researcher Name
Number of Vulnerabilities

13

10

9

9

9

9

8

8

8

8

7

5

5

4

3

3

3

3

3

3

3

3

2

2

2

2

2

2

2

2

2

2

2

1

1

1

1

1

1

1

1

1

1

1

1

1

1

1

1

1

1

1

1

1

1

1

1

1

1

1

1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name
Software Slug

Academy LMS – eLearning and online course solution for WordPress

academy

Accordion – Multiple Accordion or FAQs Builder

accordions-or-faqs

affiliate-toolkit – WordPress Affiliate Plugin

affiliate-toolkit-starter

AliExpress Dropshipping with AliNext Lite

ali2woo-lite

ARMember Premium – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup

armember

Bible Text

bible-text

Blogmentor – Blog Layouts for Elementor

blogmentor

BlossomThemes Email Newsletter

blossomthemes-email-newsletter

Booking for Appointments and Events Calendar – Amelia

ameliabooking

Branda – White Label WordPress, Custom Login Page Customizer

branda-white-labeling

Bricks Builder

bricksbuilder

Business Directory Plugin – Easy Listing Directories for WordPress

business-directory-plugin

CM Email Registration Blacklist and Whitelist

cm-email-blacklist

Consulting Elementor Widgets

consulting-elementor-widgets

ContentLock

contentlock

ConvertKit – Email Newsletter, Email Marketing, Subscribers and Landing Pages

convertkit

Cost Calculator Builder PRO

cost-calculator-builder-pro

Custom Field Suite

custom-field-suite

Custom Product List Table

custom-product-list-table

Demo Awesome

demo-awesome

DImage 360

dimage-360

Easy Table of Contents

easy-table-of-contents

Elegant Themes Icons

elegant-themes-icons

Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce

email-subscribers

Embed Peertube Playlist

embed-peertube-playlist

EmbedSocial – Social Media Feeds, Reviews and Galleries

embedalbum-pro

Empty Cart Button for WooCommerce

empty-cart-button-for-woocommerce

Enhance Your Posts with the WP Post Author Box, Co-Authors, Guest Authors, and Post Rating System, including Registration Form Builder

wp-post-author

Event Monster – Event Management, Tickets Booking, Upcoming Event

event-monster

Export WP Page to Static HTML/CSS

export-wp-page-to-static-html

Falang multilanguage for WordPress

falang

FS Poster – WordPress Social media Auto Poster & Scheduler [Facebook, Instagram, Twitter, Pinterest]

fs-poster

Gallery Plugin for WordPress – Envira Photo Gallery

envira-gallery-lite

Greenshift – animation and page builder blocks

greenshift-animation-and-page-builder-blocks

Hercules Core

hercules-core

Hide Dashboard Notifications

wp-hide-backed-notices

Ibtana – WordPress Website Builder

ibtana-visual-editor

Image Optimizer, Resizer and CDN – Sirv

sirv

Index WP MySQL For Speed

index-wp-mysql-for-speed

InstaWP Connect – 1-click WP Staging & Migration

instawp-connect

JetWidgets For Elementor

jetwidgets-for-elementor

Kanban Boards for WordPress

kanban

Kimili Flash Embed

kimili-flash-embed

Laybuy Payment Extension for WooCommerce

laybuy-gateway-for-woocommerce

License Manager for WooCommerce

license-manager-for-woocommerce

Lifeline Donation

lifeline-donation

Loco Translate

loco-translate

Login with phone number

login-with-phone-number

Master Slider – Responsive Touch Slider

master-slider

MasterStudy LMS WordPress Plugin – for Online Courses and Education

masterstudy-lms-learning-management-system

MaxGalleria

maxgalleria

Media Library Assistant

media-library-assistant

MIMO Woocommerce Order Tracking

mimo-woocommerce-order-tracking

My Favorites

my-favorites

Newsletters

newsletters-lite

Newspack Blocks

newspack-blocks

Newspack Newsletters

newspack-newsletters

Online Booking & Scheduling Calendar for WordPress by vcita

meeting-scheduler-by-vcita

OpenPGP Form Encryption for WordPress

openpgp-form-encryption

Optinly – Exit Intent, Newsletter Popups, Gamification & Opt-in Forms

optinly

Orbit Fox by ThemeIsle

themeisle-companion

OSM Map Widget for Elementor

osm-map-elementor

Page Builder Sandwich – Front End WordPress Page Builder Plugin

page-builder-sandwich

Page Builder: Live Composer

live-composer-page-builder

Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions

paid-memberships-pro

PDF Viewer for Elementor

pdf-viewer-for-elementor

Pexels: Free Stock Photos

wp-pexels-free-stock-photos

Photo Gallery, Images, Slider in Rbs Image Gallery

robo-gallery

Photo Video Gallery Master

photo-video-gallery-master

phpinfo() WP

phpinfo-wp

Play.ht – Make Your Blog Posts Accessible With Text to Speech Audio

play-ht

Pop ups, Exit intent popups, email popups, banners, bars, countdowns and cart savers – Promolayer

promolayer-popup-builder

Popup Box – Create Countdown, Coupon, Video, Contact Form Popups

ays-popup-box

PropertyHive

propertyhive

Replace Image

replace-image

Restaurant Reservations

nd-restaurant-reservations

Salon Booking System

salon-booking-system

Scheduling Plugin – Online Booking for WordPress

calendar-booking

SEOPress – On-site SEO

wp-seopress

Shariff Wrapper

shariff

Shortcode Addons- with Visual Composer, Divi, Beaver Builder and Elementor Extension

shortcode-addons

Shortcodes by United Themes

ut-shortcodes

Shortcodes Ultimate Pro

shortcodes-ultimate-pro

Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates)

sina-extension-for-elementor

SiteGuard WP Plugin

siteguard

Sketchfab Embed

sketchfab-oembed

Slider & Popup Builder by Depicter – Add Image Slider, Carousel Slider, Exit Intent Popup, Popup Modal, Coupon Popup, Post Slider Carousel

depicter

Slideshow SE

slideshow-se

Smush Image Optimization – Optimize Images | Compress & Lazy Load Images | Convert WebP | Image CDN

wp-smushit

Solid Security – Password, Two Factor Authentication, and Brute Force Protection

better-wp-security

SP Project & Document Manager

sp-client-document-manager

Sparkle Demo Importer

sparkle-demo-importer

Squeeze

squeeze

SULly

sully

Support SVG – Upload svg files in wordpress without hassle

support-svg

SVG Block

svg-block

Table Addons for Elementor

table-addons-for-elementor

Tabs – Responsive Tabs with WooCommerce Product Tab Extension

vc-tabs

The Plus Addons for Elementor Page Builder

theplus_elementor_addon

Themify – WooCommerce Product Filter

themify-wc-product-filter

Tickera – WordPress Event Ticketing

tickera-event-ticketing-system

Tournamatch

tournamatch

Transition Slider – Responsive Image Slider and Gallery

transition-slider-lite

Typing Text

typing-text

UberMenu

ubermenu

Ultimate Blocks – WordPress Blocks Plugin

ultimate-blocks

Ultimate Custom Add To Cart Button (Ajax) For WooCommerce by Binary Carpenter

custom-add-to-cart-button-for-woocommerce

Universal Slider

fusion-slider

User Profile Picture

metronet-profile-picture

User Rights Access Manager

user-rights-access-manager

Vimeography: Vimeo Video Gallery WordPress Plugin

vimeography

Wheel of Life: Coaching and Assessment Tool for Life Coach

wheel-of-life

Wishlist Member

wishlist-member-x

WooCommerce Checkout & Funnel Builder by CartFlows – Create High Converting Stores For WooCommerce

cartflows

Woocommerce Customers Order History

woo-customers-order-history

Word Balloon

word-balloon

WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg

groundhogg

WordPress Picture / Portfolio / Media Gallery

nimble-portfolio

WP 2FA – Two-factor authentication for WordPress

wp-2fa

WP Blog Post Layouts

wp-blog-post-layouts

WP Child Theme Generator

wp-child-theme-generator

WP Hotel Booking

wp-hotel-booking

WP Job Manager – Resume Manager

wp-job-manager-resumes

WP Magazine Modules Lite

wp-magazine-modules-lite

WP Maintenance

wp-maintenance

WP QuickLaTeX

wp-quicklatex

WP Recipe Maker

wp-recipe-maker

WP Scraper

wp-scraper

WP Secure Maintenance

wp-secure-maintainance

WP SVG Images

wp-svg-images

WPAdverts – Classifieds Plugin

wpadverts

WPZOOM Addons for Elementor (Templates, Widgets)

wpzoom-elementor-addons

YARPP – Yet Another Related Posts Plugin

yet-another-related-posts-plugin

Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress

youzify

Zoho Marketing Automation

zoho-marketinghub

WordPress Themes with Reported Vulnerabilities Last Week

Software Name
Software Slug

Book Landing Page

book-landing-page

Chic Lite

chic-lite

Customizr

customizr

Digital Newspaper

digital-newspaper

Divi

Divi

Education Zone

education-zone

Enfold – Responsive Multi-Purpose Theme

enfold

Flatsome

flatsome

Grey Opaque

grey-opaque

Hueman

hueman

Materialis

materialis

Mosaic

mosaic

Sinatra

sinatra

Vilva

vilva

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us through our Bug Bounty Program, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (June 17, 2024 to June 23, 2024) appeared first on Wordfence.