Wordfence Intelligence Weekly WordPress Vulnerability Report (July 15, 2024 to July 21, 2024)


📢 Did you know Wordfence runs a Bug Bounty Program for all WordPress plugin and themes at no cost to vendors? Researchers can earn up to $10,400, for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we handle all the rest. 


Last week, there were 96 vulnerabilities disclosed in 76 WordPress Plugins and 3 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 40 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 17,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.


Total Unpatched & Patched Vulnerabilities Last Week

Patch Status Number of Vulnerabilities
Patched 89
Unpatched 7


Total Vulnerabilities by CVSS Severity Last Week

Severity Rating Number of Vulnerabilities
Low Severity 1
Medium Severity 76
High Severity 14
Critical Severity 5


Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') 39
Missing Authorization 18
Cross-Site Request Forgery (CSRF) 14
Exposure of Sensitive Information to an Unauthorized Actor 6
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') 5
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') 2
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') 2
Unrestricted Upload of File with Dangerous Type 2
Authentication Bypass by Primary Weakness 1
Authentication Bypass Using an Alternate Path or Channel 1
Authorization Bypass Through User-Controlled Key 1
Deserialization of Untrusted Data 1
External Control of File Name or Path 1
Improper Encoding or Escaping of Output 1
Improper Handling of Insufficient Permissions or Privileges 1
Storing Passwords in a Recoverable Format 1


Researchers That Contributed to WordPress Security Last Week

Researcher Name Number of Vulnerabilities
10
6
5
5
5
5
5
5
4
4
3
3
3
3
2
2
2
2
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.


WordPress Plugins with Reported Vulnerabilities Last Week

Software Name Software Slug
Addonify – Quick View For WooCommerce addonify-quick-view
AForms — Form Builder for Price Calculator & Cost Estimation aforms-form-builder-for-price-calculator-cost-estimation
AI ChatBot for WordPress – WPBot chatbot
Ajax Search Lite – Live Search & Filter ajax-search-lite
Appointment Booking Calendar Plugin and Scheduling Plugin – BookingPress bookingpress-appointment-booking
Arconix FAQ arconix-faq
Arconix Shortcodes arconix-shortcodes
Backup, Restore and Migrate your sites with XCloner xcloner-backup-and-restore
Booking Ultra Pro Appointments Booking Calendar Plugin booking-ultra-pro
Brizy – Page Builder brizy
BSK PDF Manager bsk-pdf-manager
Category Posts Widget category-posts
Chatbot for WordPress by Collect.chat ⚡️ collectchat
Community Events community-events
Conditional Fields for Contact Form 7 cf7-conditional-fields
Cooked – Recipe Management cooked
CopySafe Web Protection wp-copysafe-web
CTX Feed – WooCommerce Product Feed Manager webappick-product-feed-for-woocommerce
Ditty – Responsive News Tickers, Sliders, and Lists ditty-news-ticker
Duplica – Duplicate Posts, Pages, Custom Posts or Users duplica
Easy Table of Contents easy-table-of-contents
Easy Testimonials easy-testimonials
Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid, Carousel and Remote Arrows) bdthemes-element-pack-lite
ElementsKit Elementor addons elementskit-lite
Email Subscribers by Icegram Express – Affordable, Powerful Email Marketing for WordPress & WooCommerce email-subscribers
Event Manager, Events Calendar, Tickets, Registrations – Eventin wp-event-solution
FormLift for Infusionsoft Web Forms formlift
FV Flowplayer Video Player fv-wordpress-flowplayer
Getwid – Gutenberg Blocks getwid
GiveWP – Donation Plugin and Fundraising Platform give
Glossary glossary-by-codeat
Gutenberg Blocks with AI by Kadence WP – Page Builder Features kadence-blocks
Gutenverse – Ultimate Block Addons and Page Builder for Site Editor gutenverse
House Manager – Easy Renter Management System for WordPress house-manager
HUSKY – Products Filter Professional for WooCommerce woocommerce-products-filter
Image Hover Effects – Elementor Addon image-hover-effects-addon-for-elementor
JetWidgets for Elementor and WooCommerce jetwoo-widgets-for-elementor
Leaflet Maps Marker (Google Maps, OpenStreetMap, Bing Maps) leaflet-maps-marker
Light Poll light-poll
Livemesh Addons for Beaver Builder addons-for-beaver-builder
Meks Video Importer meks-video-importer
Mercado Pago payments for WooCommerce woocommerce-mercadopago
Online Booking & Scheduling Calendar for WordPress by vcita meeting-scheduler-by-vcita
Pinpoint Booking System – #1 WordPress Booking Plugin booking-system
Post and Page Builder by BoldGrid – Visual Drag and Drop Editor post-and-page-builder
Premium Portfolio Features for Phlox theme auxin-portfolio
RegLevel reglevel
RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging wp-rss-aggregator
SchedulePress – Auto Post & Publish, Auto Social Share, Schedule Posts with Editorial Calendar & Missed Schedule Post Publisher wp-scheduled-posts
Schema & Structured Data for WP & AMP schema-and-structured-data-for-wp
Search & Filter Pro search-filter-pro
Security Optimizer – The All-In-One Protection Plugin sg-security
SEO Plugin by Squirrly SEO squirrly-seo
Shortcodes Ultimate Pro shortcodes-ultimate-pro
Smartsupp – live chat, chatbots, AI and lead generation smartsupp-live-chat
SVG Support svg-support
Telegram Bot & Channel telegram-bot
Terms and Category Based Posts Widget term-and-category-based-posts-widget
The Pack Elementor addons (Header Footer & WooCommerce Builder, Template Library) the-pack-addon
Timeline Event History timeline-event-history
UiPress lite | Effortless custom dashboards, admin themes and pages uipress-lite
Ultimate Addons for WPBakery Ultimate_VC_Addons
VikRentCar Car Rental Management System vikrentcar
Visual Website Collaboration, Feedback & Project Management – Atarim atarim-visual-collaboration
Web and WooCommerce Addons for WPBakery Builder vc-addons-by-bit14
WooCommerce - Social Login woo-social-login
WordPress File Upload wp-file-upload
Wp EMember wp-emember
WP eStore wp-cart-for-digital-products
WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce wp-event-manager
WP Fast Total Search – The Power of Indexed Search fulltext-search
WP GoToWebinar wp-gotowebinar
WP Mail SMTP by WPForms – The Most Popular SMTP and Email Log Plugin wp-mail-smtp
WPForms User Registration wpforms-user-registration
YITH Essential Kit for WooCommerce #1 yith-essential-kit-for-woocommerce-1
简数采集器 keydatas


WordPress Themes with Reported Vulnerabilities Last Week

Software Name Software Slug
CoziPress cozipress
Himer - Social Questions and Answers WordPress Theme himer
Zenon Lite zenon-lite


Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

CVSS Rating
Critical (10.0)
CVE-ID
CVE-2024-38773
Patch Status
Patched
Published
Jul 19, 2024
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2024-6457
Patch Status
Patched
Published
Jul 15, 2024
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2024-6636
Patch Status
Patched
Published
Jul 19, 2024
Affected Software
WooCommerce - Social Login
Researcher
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2024-6220
Patch Status
Patched
Published
Jul 16, 2024
Affected Software
简数采集器
Researcher
CVSS Rating
Critical (9.1)
CVE-ID
CVE-2024-38788
Patch Status
Patched
Published
Jul 19, 2024
CVSS Rating
High (8.8)
CVE-ID
CVE-2024-3242
Patch Status
Patched
Published
Jul 17, 2024
Affected Software
Brizy – Page Builder
Researcher
CVSS Rating
High (8.8)
CVE-ID
CVE-2024-6338
Patch Status
Patched
Published
Jul 18, 2024
Affected Software
FV Flowplayer Video Player
Researcher
CVSS Rating
High (8.8)
CVE-ID
CVE-2024-6497
Patch Status
Patched
Published
Jul 19, 2024
Affected Software
SEO Plugin by Squirrly SEO
Researcher
CVSS Rating
High (8.8)
CVE-ID
CVE-2024-5726
Patch Status
Patched
Published
Jul 17, 2024
Affected Software
Timeline Event History
Researcher
CVSS Rating
High (8.0)
CVE-ID
CVE-2023-52209
Patch Status
Patched
Published
Jul 18, 2024
Affected Software
WPForms User Registration
Researcher
CVSS Rating
High (7.3)
CVE-ID
CVE-2024-6635
Patch Status
Patched
Published
Jul 19, 2024
Affected Software
WooCommerce - Social Login
Researcher
CVSS Rating
High (7.3)
CVE-ID
CVE-2024-6637
Patch Status
Patched
Published
Jul 19, 2024
Affected Software
WooCommerce - Social Login
Researcher
CVSS Rating
High (7.2)
CVE-ID
CVE-2024-38775
Patch Status
Patched
Published
Jul 19, 2024
CVSS Rating
High (7.2)
CVE-ID
CVE-2024-6494
Patch Status
Patched
Published
Jul 16, 2024
Affected Software
WordPress File Upload
CVSS Rating
High (7.1)
CVE-ID
CVE-2024-1937
Patch Status
Patched
Published
Jul 15, 2024
Affected Software
Brizy – Page Builder
Researcher
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2024-3934
Patch Status
Patched
Published
Jul 19, 2024
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-38767
Patch Status
Patched
Published
Jul 15, 2024
Affected Software
BSK PDF Manager
Researcher
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-38786
Patch Status
Unpatched
Published
Jul 19, 2024
Affected Software
CoziPress
Researcher
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-2337
Patch Status
Unpatched
Published
Jul 19, 2024
Affected Software
Easy Testimonials
Researcher
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-38785
Patch Status
Patched
Published
Jul 19, 2024
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-38782
Patch Status
Patched
Published
Jul 19, 2024
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-5582
Patch Status
Patched
Published
Jul 16, 2024
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-6766
Patch Status
Patched
Published
Jul 16, 2024
Affected Software
Shortcodes Ultimate Pro
Researcher
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-5254
Patch Status
Patched
Published
Jul 16, 2024
Affected Software
Ultimate Addons for WPBakery
Researcher
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-5253
Patch Status
Patched
Published
Jul 16, 2024
Affected Software
Ultimate Addons for WPBakery
Researcher
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-5251
Patch Status
Patched
Published
Jul 16, 2024
Affected Software
Ultimate Addons for WPBakery
Researcher
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-5252
Patch Status
Patched
Published
Jul 16, 2024
Affected Software
Ultimate Addons for WPBakery
Researcher
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-5255
Patch Status
Patched
Published
Jul 16, 2024
Affected Software
Ultimate Addons for WPBakery
Researcher
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-5964
Patch Status
Unpatched
Published
Jul 17, 2024
Affected Software
Zenon Lite
Researcher
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-38781
Patch Status
Patched
Published
Jul 19, 2024
Affected Software
CopySafe Web Protection
Researcher
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-3973
Patch Status
Unpatched
Published
Jul 16, 2024
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-6651
Patch Status
Patched
Published
Jul 16, 2024
Affected Software
WordPress File Upload
Researcher
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-5081
Patch Status
Patched
Published
Jul 15, 2024
Affected Software
Wp EMember
Researcher
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-6133
Patch Status
Patched
Published
Jul 19, 2024
Affected Software
WP eStore
Researcher
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-6134
Patch Status
Patched
Published
Jul 19, 2024
Affected Software
WP eStore
Researcher
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-38776
Patch Status
Patched
Published
Jul 19, 2024
Affected Software
WP GoToWebinar
Researcher
CVSS Rating
Medium (5.8)
CVE-ID
CVE-2024-2232
Patch Status
Patched
Published
Jul 15, 2024
CVSS Rating
Medium (5.5)
CVE-ID
CVE-2024-6669
Patch Status
Patched
Published
Jul 16, 2024
CVSS Rating
Medium (5.5)
CVE-ID
CVE-2024-7084
Patch Status
Patched
Published
Jul 16, 2024
CVSS Rating
Medium (5.5)
CVE-ID
CVE-2024-6705
Patch Status
Unpatched
Published
Jul 17, 2024
Affected Software
RegLevel
CVSS Rating
Medium (5.4)
CVE-ID
CVE-2024-6175
Patch Status
Patched
Published
Jul 17, 2024
CVSS Rating
Medium (5.4)
CVE-ID
CVE-2024-39681
Patch Status
Patched
Published
Jul 17, 2024
Affected Software
Cooked – Recipe Management
Researcher
CVSS Rating
Medium (5.4)
CVE-ID
CVE-2023-6708
Patch Status
Patched
Published
Jul 17, 2024
Affected Software
SVG Support
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-6560
Patch Status
Patched
Published
Jul 19, 2024
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-6565
Patch Status
Patched
Published
Jul 15, 2024
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-38783
Patch Status
Patched
Published
Jul 19, 2024
Affected Software
Arconix FAQ
Researcher
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-38769
Patch Status
Patched
Published
Jul 19, 2024
Affected Software
Arconix Shortcodes
Researcher
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-38771
Patch Status
Patched
Published
Jul 19, 2024
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-6455
Patch Status
Patched
Published
Jul 18, 2024
Affected Software
ElementsKit Elementor addons
Researcher
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-6489
Patch Status
Patched
Published
Jul 19, 2024
Affected Software
Getwid – Gutenberg Blocks
Researcher
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-6570
Patch Status
Patched
Published
Jul 15, 2024
Affected Software
Glossary
Researcher
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-6559
Patch Status
Patched
Published
Jul 15, 2024
CVSS Rating
Medium (5.0)
CVE-ID
CVE-2024-39682
Patch Status
Patched
Published
Jul 17, 2024
Affected Software
Cooked – Recipe Management
Researcher
CVSS Rating
Medium (4.4)
CVE-ID
CVE-2024-6158
Patch Status
Patched
Published
Jul 19, 2024
CVSS Rating
Medium (4.4)
CVE-ID
CVE-2024-6270
Patch Status
Patched
Published
Jul 15, 2024
Affected Software
Community Events
Researcher
CVSS Rating
Medium (4.4)
CVE-ID
CVE-2024-7082
Patch Status
Patched
Published
Jul 16, 2024
Affected Software
Easy Table of Contents
Researcher
CVSS Rating
Medium (4.4)
CVE-ID
CVE-2024-38784
Patch Status
Patched
Published
Jul 19, 2024
CVSS Rating
Medium (4.4)
CVE-ID
CVE-2024-3636
Patch Status
Patched
Published
Jul 15, 2024
CVSS Rating
Medium (4.4)
CVE-ID
CVE-2024-6481
Patch Status
Patched
Published
Jul 18, 2024
Affected Software
Search & Filter Pro
Researcher
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-5804
Patch Status
Patched
Published
Jul 19, 2024
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-39680
Patch Status
Patched
Published
Jul 17, 2024
Affected Software
Cooked – Recipe Management
Researcher
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-39679
Patch Status
Patched
Published
Jul 17, 2024
Affected Software
Cooked – Recipe Management
Researcher
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-39678
Patch Status
Patched
Published
Jul 17, 2024
Affected Software
Cooked – Recipe Management
Researcher
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-5997
Patch Status
Patched
Published
Jul 18, 2024
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-6491
Patch Status
Patched
Published
Jul 19, 2024
Affected Software
Getwid – Gutenberg Blocks
Researcher
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-6720
Patch Status
Unpatched
Published
Jul 15, 2024
Affected Software
Light Poll
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-6599
Patch Status
Patched
Published
Jul 17, 2024
Affected Software
Meks Video Importer
Researcher
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-38774
Patch Status
Patched
Published
Jul 19, 2024
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-38790
Patch Status
Patched
Published
Jul 20, 2024
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-38789
Patch Status
Unpatched
Published
Jul 20, 2024
Affected Software
Telegram Bot & Channel
Researcher
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-1845
Patch Status
Patched
Published
Jul 20, 2024
Researcher
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-5852
Patch Status
Patched
Published
Jul 15, 2024
Affected Software
WordPress File Upload
Researcher
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-6136
Patch Status
Patched
Published
Jul 19, 2024
Affected Software
WP eStore
Researcher
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-38778
Patch Status
Patched
Published
Jul 19, 2024
CVSS Rating
Low (2.7)
CVE-ID
CVE-2024-6694
Patch Status
Patched
Published
Jul 19, 2024


As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us through our Bug Bounty Program, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

Did you enjoy this post? Share it!

Comments

No Comments