Wordfence Intelligence Weekly WordPress Vulnerability Report (February 5, 2024 to February 11, 2024)

---

🎉 Did you know we’re running a Bug Bounty Extravaganza again?

Earn over 6x our usual bounty rates, up to $10,000,  for all vulnerabilities submitted through February 29th, 2024 when you opt to have Wordfence handle responsible disclosure!

---

Last week, there were 95 vulnerabilities disclosed in 65 WordPress Plugins and 3 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 33 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 12,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

---

New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

• WAF-RULE-675 – data redacted while we work with the vendor on a patch.
• WAF-RULE-676 – data redacted while we work with the vendor on a patch.

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.

---

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status	Number of Vulnerabilities
Unpatched	13
Patched	82

---

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating	Number of Vulnerabilities
Low Severity	2
Medium Severity	82
High Severity	7
Critical Severity	4

---

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE	Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)	30
Cross-Site Request Forgery (CSRF)	21
Missing Authorization	18
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)	5
Information Exposure	3
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)	3
Deserialization of Untrusted Data	2
Authorization Bypass Through User-Controlled Key	2
Improper Access Control	2
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)	2
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’)	1
Uncontrolled Resource Consumption (‘Resource Exhaustion’)	1
Server-Side Request Forgery (SSRF)	1
Insecure Storage of Sensitive Information	1
Incorrect Authorization	1
Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’)	1
Improper Authorization	1

---

Researchers That Contributed to WordPress Security Last Week

Researcher Name	Number of Vulnerabilities
Francesco Carlucci	24
Lucio Sá	10
Dhabaleshwar Das	7
Webbernaut	6
Dimas Maulana	3
Ngô Thiên An (ancorn_)	3
Krzysztof Zając	3
beluga	2
Sh	2
Rhynorater	2
kodaichodai	2
Kyle Sanchez	2
Felipe Restrepo Rodriguez (pfelilpe)	2
István Márton (Wordfence Vulnerability Researcher)	2
Rafie Muhammad	2
Sean Murphy	2
stealthcopter	2
hir0ot	1
Dave Jong	1
Le Ngoc Anh	1
villu164	1
Colin Xu	1
Christian Angel	1
LVT-tholv2k	1
wesley (wcraft)	1
Dmitrii Ignatyev	1
Abu Hurayra (HurayraIIT)	1
Muhammad Hassham Nagori	1
Abdi Pranata	1
Skalucy	1
Pham Ho Anh Dung	1
Savphill	1
Scott Kingsley Clark	1

 

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

---

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name	Software Slug
3D Tag Cloud	cardoza-3d-tag-cloud
AMP for WP – Accelerated Mobile Pages	accelerated-mobile-pages
Admin Menu Editor	admin-menu-editor
Advanced Forms for ACF	advanced-forms
All 404 Pages Redirect to Homepage	all-404-pages-redirect-to-homepage
All-In-One Security (AIOS) – Security and Firewall	all-in-one-wp-security-and-firewall
Apollo13 Framework Extensions	apollo13-framework-extensions
Awesome Support – WordPress HelpDesk & Support Plugin	awesome-support
Backuply – Backup, Restore, Migrate and Clone	backuply
Basic Log Viewer	wpsimpletools-log-viewer
Before After Image Slider WP	before-after-image-slider
Buttons Shortcode and Widget	buttons-shortcode-and-widget
Contact Form 7 Connector	ari-cf7-connector
Content Cards	content-cards
Coupon Referral Program	coupon-referral-program
Custom Twitter Feeds – A Tweets Widget or X Feed Widget	custom-twitter-feeds
Customer Reviews for WooCommerce	customer-reviews-woocommerce
Elementor Addon Elements	addon-elements-for-elementor-page-builder
Elementor Addons by Livemesh	addons-for-elementor
Elementor Website Builder – More than Just a Page Builder	elementor
Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin	wp-event-solution
Honeypot for WP Comment	honeypot-for-wp-comment
ImageRecycle pdf & image compression	imagerecycle-pdf-image-compression
InfiniteWP Client	iwp-client
Insert PHP Code Snippet	insert-php-code-snippet
Internal Link Juicer: SEO Auto Linker for WordPress	internal-links
Link Library	link-library
Login Lockdown – Protect Login Form	login-lockdown
Matomo Analytics – Ethical Stats. Powerful Insights.	matomo
Meta Box – WordPress Custom Fields Framework	meta-box
Minimal Coming Soon – Coming Soon Page	minimal-coming-soon-maintenance-mode
My Calendar	my-calendar
NextMove Lite – Thank You Page for WooCommerce	woo-thank-you-page-nextmove-lite
PPWP – Password Protect Pages	password-protect-page
Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions	paid-memberships-pro
Passster – Password Protect Pages and Content	content-protector
Payment Forms for Paystack	payment-forms-for-paystack
Photos and Files Contest Gallery – Contact Form, Upload Form, Social Share and Voting Plugin for WordPress	contest-gallery
Podlove Podcast Publisher	podlove-podcasting-plugin-for-wordpress
Podlove Subscribe button	podlove-subscribe-button
Polls CP	cp-polls
Portugal CTT Tracking for WooCommerce	portugal-ctt-tracking-woocommerce
PowerPack Addons for Elementor (Free Widgets, Extensions and Templates)	powerpack-lite-for-elementor
Prime Slider – Addons For Elementor (Revolution of a slider, Hero Slider, Media Slider, Drag Drop Slider, Video Slider, Product Slider, Ecommerce Slider)	bdthemes-prime-slider-lite
Product Labels For Woocommerce (Sale Badges)	aco-product-labels-for-woocommerce
Quiz Maker	quiz-maker
RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator	feedzy-rss-feeds
RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging	wp-rss-aggregator
Royal Elementor Addons and Templates	royal-elementor-addons
Shariff Wrapper	shariff
Shield Security – Smart Bot Blocking & Intrusion Prevention Security	wp-simple-firewall
Simple Page Access Restriction	simple-page-access-restriction
Starbox – the Author Box for Humans	starbox
Themify Builder	themify-builder
Timeline Widget For Elementor (Elementor Timeline, Vertical & Horizontal Timeline)	timeline-widget-addon-for-elementor
VK Poster Group	vk-poster-group
WP 404 Auto Redirect to Similar Post	wp-404-auto-redirect-to-similar-post
WP Booking Calendar	booking
WP Club Manager – WordPress Sports Club Plugin	wp-club-manager
WP Contact Form	wp-contact-form
WP Recipe Maker	wp-recipe-maker
WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc	wp-sms
WP Shortcodes Plugin — Shortcodes Ultimate	shortcodes-ultimate
Wonder Slider Lite	wonderplugin-slider-lite
Woocommerce Vietnam Checkout	woo-vietnam-checkout

---

WordPress Themes with Reported Vulnerabilities Last Week

Software Name	Software Slug
Blocksy	blocksy
Royal Elementor Kit	royal-elementor-kit
brooklyn	brooklyn

---

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

Shield Security – Smart Bot Blocking & Intrusion Prevention Security <= 18.5.9 – Unauthenticated Local File Inclusion

---

Coupon Referral Program <= 1.7.2 – Unauthenticated PHP Object Injection

---

Booking Calendar <= 9.9 – Unauthenticated SQL Injection

---

Honeypot for WP Comment <= 2.2.3 – Directory Traversal to Unauthenticated Arbitrary File Deletion

---

Elementor <= 3.19.0 – Authenticated(Contributor+) Arbitrary File Deletion and PHAR Deserialization

---

Awesome Support – WordPress HelpDesk & Support Plugin <= 6.1.7 – Authenticated (Subscriber+) SQL Injection

---

WP Recipe Maker <= 9.1.2 – Missing Authorization to Authenticated (Subscriber+) SQL Injecton

---

RSS Aggregator by Feedzy <= 4.4.2 – Authenticated(Contributor+) SQL Injection

---

Podlove Subscribe button <= 1.3.10 – Authenticated (Contributor+) SQL Injection

---

Backuply – Backup, Restore, Migrate and Clone <= 1.2.5 – Denial of Service

---

Brooklyn <= 4.9.7.6 – PHP Object Injection

---

NextMove Lite <= 2.17.0 – Missing Authorization to Authenticated(Subscriber+) Plugin Activation

---

RSS Aggregator by Feedzy <= 4.4.2 – Missing Authorization to Arbitrary Page Creation and Publication

---

AMP for WP <= 1.0.93.1 – Authenticated(Contributor+) Arbitrary Post Deletion via amppb_remove_saved_layout_data

---

WP Shortcodes Plugin — Shortcodes Ultimate <= 7.0.1 – Authenticated(Contributor+) Stored Cross-Site Scripting via shortcode

---

Starbox <= 3.4.8 – Authenticated (Subscriber+) Stored Cross-Site Scripting via Job Settings

---

Royal Elementor Addons and Templates <= 1.3.87 – Authenticated (Contributor+) Stored Cross-Site Scripting

---

Meta Box – WordPress Custom Fields Framework <= 5.9.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

---

Apollo13 Framework Extensions <= 1.9.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

---

Content Cards <= 0.9.7 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

---

Elementor Website Builder – More than Just a Page Builder <= 3.18.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via get_image_alt

---

Elementor Addon Elements <= 1.12.11 – Authenticated (Contributor+) Stored Cross-Site Scripting

---

Elementor Addons by Livemesh <= 8.3.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

---

Payment Forms for Paystack <= 3.4.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

---

Before After Image Slider WP <= 2.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

---

My Calendar <= 3.4.23 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

---

Buttons Shortcode and Widget <= 1.16 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

---

VK Poster Group <= 2.0.3 – Reflected Cross-Site Scripting via vkp_repost

---

Matomo <= 4.15.3 – Reflected Cross-Site Scripting via idsite

---

WP SMS <= 6.5.2 – Reflected Cross-Site Scripting via ‘page’

---

WP 404 Auto Redirect to Similar Post <= 1.0.3 – Reflected Cross-Site Scripting via request

---

Wonder Slider Lite <= 13.9 – Reflected Cross-Site Scripting via ‘page’

---

Brooklyn <= 4.9.7.6 – Reflected Cross-Site Scripting

---

Link Library <= 7.5.13 – Reflected Cross-Site Scripting via ‘link_price’ and ‘link_tags’

---

Portugal CTT Tracking for WooCommerce <= 2.1 – Reflected Cross-Site Scripting

---

All-In-One Security (AIOS) – Security and Firewall <= 5.2.5 – Reflected Cross-Site Scripting

---

Honeypot for WP Comment <= 2.2.3 – Reflected Cross-Site Scripting via page

---

All 404 Pages Redirect to Homepage <= 1.9 – Unauthenticated Stored Cross-Site Scripting

---

InfiniteWP Client <= 1.12.3 – Unauthenticated Sensitive Information Exposure

---

PowerPack Addons for Elementor (Free Widgets, Extensions and Templates) <= 2.7.14 – Authenticated (Contributor+) Stored Cross-Site Scripting

---

Basic Log Viewer <= 1.0.4 – Cross-Site Request Forgery via wpst_lw_viewer

---

Login Lockdown – Protect Login Form <= 2.08 – Missing Authorization

---

3D Tag Cloud <= 3.8 – Cross-Site Request Forgery to Stored Cross-Site Scripting

---

Prime Slider – Addons For Elementor <= 3.11.10 – Incorrect Authorization via bdt_duplicate_as_draft

---

Passster – Password Protect Pages and Content <= 4.2.6.2 – Missing Authorization to Sensitive Information Exposure

---

Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin <= 3.3.50 – Missing Authorization to Unauthenticated Events Export

---

CP Polls <= 1.0.71 – Unauthenticated Poll Limit Bypass

---

Podlove Podcast Publisher <= 4.0.11 – Missing Authorization to Settings Import

---

PPWP – Password Protect Pages <= 1.8.9 – Protection Mechanism Bypass

---

Customer Reviews for WooCommerce <= 5.38.12 – Improper Authorization via submit_review

---

Quiz Maker <= 6.5.2.4 – Missing Authorization to Unauthenticated Quiz Data Retrieval

---

WP Club Manager – WordPress Sports Club Plugin <= 2.2.10 – Missing Authorization to Unauthenticated Event Permalink Update

---

Advanced Forms for ACF <= 1.9.3.2 – Missing Authorization to Unauthenticated Form Settings Export

---

Podlove Podcast Publisher <= 4.0.11 – Missing Authorization to Unauthenticated Data Export

---

Royal Elementor Addons and Templates <= 1.3.87 – Missing Authorization via wpr_update_form_action_meta

---

Simple Page Access Restriction <= 1.0.21 – Improper Access Control to Sensitive Information Exposure via REST API

---

Awesome Support – WordPress HelpDesk & Support Plugin <= 6.1.7 – Missing Authorization via editor_html()

---

CP Polls <= 1.0.71 – Unauthenticated Content Injection

---

Paid Memberships Pro <= 2.12.8 – Authenticated (Contributor+) User Meta Disclosure

---

Woocommerce Vietnam Checkout <= 2.0.7 – Authenticated (Shop manager+) Stored Cross-Site Scripting

---

Timeline Widget For Elementor (Elementor Timeline, Vertical & Horizontal Timeline) <= 1.5.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

---

Product Labels For Woocommerce <= 1.5.3 – Authenticated (Shop manager+) Stored Cross-Site Scripting

---

Internal Link Juicer <= 2.23.4 – Authenticated (Admin+) Stored Cross-Site Scripting

---

Shariff Wrapper <= 4.6.9 – Authenticated (Admin+) Stored Cross-Site Scripting

---

My Calendar <= 3.4.23 – Authenticated (Admin+) Stored Cross-Site Scripting via Events

---

Insert PHP Code Snippet <= 1.3.4 – Authenticated (Admin+) Stored Cross-Site Scripting

---

Blocksy <= 2.0.19 – Authenticated (Editor+) Stored Cross-Site Scripting

---

ImageRecycle pdf & image compression <= 3.1.13 – Cross-Site Request Forgery to Settings Update in enableOptimization

---

All In One WP Security <= 5.2.6 – Cross-Site Request Forgery to IP Blocking

---

ImageRecycle pdf & image compression <= 3.1.13 – Missing Authorization to Settings Update in enableOptimization

---

Custom Twitter Feeds – A Tweets Widget or X Feed Widget <= 2.2.1 – Cross-Site Request Forgery to Plugin Options Update

---

ImageRecycle pdf & image compression <= 3.1.13 – Cross-Site Request Forgery to Plugin Data Removal in reinitialize

---

ImageRecycle pdf & image compression <= 3.1.13 – Missing Authorization to Plugin Data Removal in reinitialize

---

Royal Elementor Addons and Templates <= 1.3.87 – Cross-Site Request Forgery via remove_from_wishlist

---

Admin Menu Editor <= 1.12 – Cross-Site Request Forgery via ajax_hide_hint()

---

ImageRecycle pdf & image compression <= 3.1.13 – Cross-Site Request Forgery to Settings Update in stopOptimizeAll

---

Royal Elementor Kit <= 1.0.116 – Missing Authorization to Arbitrary Transient Update

---

Themify Builder <= 7.0.5 – Cross-Site Request Forgery

---

Quiz Maker <= 6.5.2.4 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Quiz Creation & Modification

---

ImageRecycle pdf & image compression <= 3.1.13 – Missing Authorization to Settings Update in optimizeAllOn

---

Royal Elementor Addons and Templates <= 1.3.87 – Cross-Site Request Forgery via remove_from_compare

---

Royal Elementor Addons and Templates <= 1.3.87 – Cross-Site Request Forgery via add_to_compare

---

Royal Elementor Addons and Templates <= 1.3.87 – Cross-Site Request Forgery via add_to_wishlist

---

ImageRecycle pdf & image compression <= 3.1.13 – Cross-Site Request Forgery to Settings Update in disableOptimization

---

Contact Form 7 Connector <= 1.2.2 – Cross-Site Request Forgery

---

Awesome Support – WordPress HelpDesk & Support Plugin <= 6.1.7 – Missing Authorization via wpas_get_users()

---

WP Contact Form <= 1.6 – Cross-Site Request Forgery via wpcf_adminpage

---

ImageRecycle pdf & image compression <= 3.1.13 – Cross-Site Request Forgery to Settings Update in optimizeAllOn

---

ImageRecycle pdf & image compression <= 3.1.13 – Missing Authorization to Settings Update in disableOptimization

---

Royal Elementor Addons and Templates <= 1.3.87 – Cross-Site Request Forgery via wpr_update_form_action_meta

---

Contest Gallery <= 21.2.8.4 – Cross-Site Request Forgery

---

ImageRecycle pdf & image compression <= 3.1.13 – Missing Authorization to Settings Update in stopOptimizeAll

---

Link Library <= 7.5.13 – Cross-Site Request Forgery via action_admin_init

---

WP RSS Aggregator <= 4.23.5 – Authenticated (Admin+) Server-Side Request Forgery via RSS Feed Source

---

Minimal Coming Soon – Coming Soon Page <= 2.37 – Unauthenticated Maintenance Mode Bypass

---

As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.