Wordfence Intelligence Weekly WordPress Vulnerability Report (April 8, 2024 to April 14, 2024)
🎉 Did you know we’re running a Bug Bounty Extravaganza again?
Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through May 27th, 2024 when you opt to have Wordfence handle responsible disclosure!
Last week, 221 vulnerabilities were disclosed in 210 WordPress plugins, 22 WordPress themes, and one in WordPress Core and added to the Wordfence Intelligence Vulnerability Database, and 69 vulnerability researchers contributed to WordPress security last week. Review the vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.
Enterprises, hosting providers, and even individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Alternatively, they can use the Vulnerability Database API to receive a complete dump of our database of over 15,000 vulnerabilities, and then use the webhook integration to stay on top of the newest vulnerabilities added in real time, as well as any updates made to the database, all for free.
Click here to sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress security reports in your inbox the moment they are published.
New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
- Forminator – Contact Form, Payment Form & Custom Form Builder <= 1.29.2 – Authenticated (Contributor+) Stored Cross-Site Scripting
- WordPress Core < 6.5.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Avatar Block
- WAF-RULE-690 – Data redacted while we work with the vendor on a patch.
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30-day delay.
Total Unpatched & Patched Vulnerabilities Last Week
Patch Status | Number of Vulnerabilities |
---|---|
Patched | 190 |
Unpatched | 31 |
Total Vulnerabilities by CVSS Severity Last Week
Severity Rating | Number of Vulnerabilities |
---|---|
Medium Severity | 197 |
High Severity | 11 |
Critical Severity | 13 |
Total Vulnerabilities by CWE Type Last Week
Vulnerability Type by CWE | Number of Vulnerabilities |
---|---|
Cross-Site Request Forgery (CSRF) | 103 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 62 |
Missing Authorization | 24 |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 14 |
Deserialization of Untrusted Data | 3 |
Exposure of Sensitive Information to an Unauthorized Actor | 3 |
Server-Side Request Forgery (SSRF) | 3 |
Improper Authorization | 2 |
Improper Input Validation | 2 |
Unrestricted Upload of File with Dangerous Type | 2 |
URL Redirection to Untrusted Site ('Open Redirect') | 2 |
Improper Access Control | 1 |
Researchers That Contributed to WordPress Security Last Week
| Researcher Name | Number of Vulnerabilities |
|---|---|
| | 53 |
| | 12 |
| | 11 |
| | 9 |
| | 7 |
| | 6 |
| | 5 |
| | 5 |
| | 5 |
| | 5 |
| | 5 |
| | 4 |
| | 4 |
| | 4 |
| | 4 |
| | 4 |
| | 4 |
| | 4 |
| | 3 |
| | 3 |
| | 3 |
| | 3 |
| | 3 |
| | 2 |
| | 2 |
| | 2 |
| | 2 |
| | 2 |
| | 2 |
| | 2 |
| | 2 |
| | 2 |
| | 2 |
| | 2 |
| | 2 |
| | 2 |
| | 2 |
| | 2 |
| | 2 |
| | 2 |
| | 2 |
| | 2 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
Software Name | Software Slug |
---|---|
Account Engagement | pardot |
ActiveCampaign – Forms, Site Tracking, Live Chat | activecampaign-subscription-forms |
Ads.txt Admin | ads-txt-admin |
Advanced Cron Manager – debug & control | advanced-cron-manager |
Advanced iFrame | advanced-iframe |
Advanced Page Visit Counter – Most Wanted Analytics Plugin for WordPress | advanced-page-visit-counter |
Advanced Post Block- Great solution for displaying Posts | advanced-post-block |
AffiEasy | affieasy |
AIKit - WordPress AI Automatic Writer, Chatbot, Writing Assistant & Content Repurposer / OpenAI GPT | aikit-wordpress-ai-writing-assistant-using-gpt3 |
All-in-One Addons for Elementor – WidgetKit | widgetkit-for-elementor |
Appointment Bookings for Zoom GoogleMeet and more – Wappointment | wappointment |
AppPresser – Mobile App Framework | apppresser |
Asgaros Forum | asgaros-forum |
Aspose.Words – Import and Export word documents | aspose-doc-exporter |
BA Book Everything | ba-book-everything |
Backup Migration | backup-backup |
BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net | woo-bulk-editor |
Before And After: Lead Capture Forms For WordPress | before-and-after |
Benchmark Email Lite | benchmark-email-lite |
Better Chat Support via WhatsApp – WhatsApp Chat Bubble and Chat Button with Gutenberg, Elementor and Shortcode | chat-help |
BizCalendar Web | bizcalendar-web |
Blocksy Companion | blocksy-companion |
Bold Page Builder | bold-page-builder |
Booking for Appointments and Events Calendar – Amelia | ameliabooking |
Boostify Header Footer Builder for Elementor | boostify-header-footer-builder |
Build 5 Star Reviews on Google Reviews, Yelp, Facebook… easily and risk-free \| RRatingg | 5-stars-rating-funnel |
bunny.net – WordPress CDN Plugin | bunnycdn |
Button Generator – easily Button Builder | button-generation |
BWL Advanced FAQ Manager | bwl-advanced-faq-manager |
Calendarista Basic Edition – WordPress appointment booking system | calendarista-basic-edition |
Carousel Slider | carousel-slider |
Carousel, Slider, Gallery by WP Carousel – Image Carousel with Lightbox & Photo Gallery, Video Slider, Post Carousel & Post Grid, Product Carousel & Product Grid | wp-carousel-free |
CBX Bookmark & Favorite | cbxwpbookmark |
Church Admin | church-admin |
Church Content – Sermons, Events and More | church-theme-content |
Citadela Directory | citadela-directory |
Clone | wp-clone-by-wp-academy |
Contact Form Plugin | contact-form-lite |
Convert Post Types | convert-post-types |
Counter Box: Add Engaging Countdowns, Timers & Counters to Your WordPress Site | counter-box |
Crony Cronjob Manager | crony |
Currency per Product for WooCommerce | currency-per-product-for-woocommerce |
Customily Product Personalizer | customily-v2 |
Dashboard To-Do List | dashboard-to-do-list |
Dashboard Welcome for Elementor | dashboard-welcome-for-elementor |
Disable Comments \| WPZest | disable-comments-wpz |
Download Manager | downloadmanager |
Duplicate Post | copy-delete-posts |
E2Pdf – Export Pdf Tool for WordPress | e2pdf |
Easy Logo | easylogo |
eCommerce Product Catalog Plugin for WordPress | ecommerce-product-catalog |
Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) | bdthemes-element-pack-lite |
Elementor Addons by Livemesh | addons-for-elementor |
ELEX WooCommerce Dynamic Pricing and Discounts | elex-woocommerce-dynamic-pricing-and-discounts |
Email Marketing for WooCommerce by Omnisend | omnisend-connect |
Enhanced Text Widget | enhanced-text-widget |
eRoom – Zoom Meetings & Webinars | eroom-zoom-meetings-webinar |
Essential Grid Gallery WordPress Plugin | essential-grid |
Event Manager and Tickets Selling Plugin for WooCommerce – WpEvently – WordPress Plugin | mage-eventpress |
EWWW Image Optimizer | ewww-image-optimizer |
Exclusive Addons for Elementor | exclusive-addons-for-elementor |
Extra Product Options Builder for WooCommerce | additional-product-fields-for-woocommerce |
EZ Form Calculator | ez-form-calculator |
F4 Improvements | f4-improvements |
Favicon by RealFaviconGenerator | favicon-by-realfavicongenerator |
Filter Custom Fields & Taxonomies Light | filter-custom-fields-taxonomies-light |
Finale Lite – Sales Countdown Timer & Discount for WooCommerce | finale-woocommerce-sales-countdown-timer-discount |
Find Duplicates | find-duplicates |
Float menu – awesome floating side menu | float-menu |
Forminator Forms – Contact Form, Payment Form & Custom Form Builder | forminator |
Forms to Zapier, Integromat, IFTTT, Workato, Automate.io, elastic.io, Built.io, APIANT, Webhook | forms-to-zapier |
Freshdesk (official) | freshdesk-support |
FV Flowplayer Video Player | fv-wordpress-flowplayer |
Gallery Box | gallery-box |
GamiPress – The #1 gamification plugin to reward points, achievements, badges & ranks in WordPress | gamipress |
GEO my WP | geo-my-wp |
Gift Cards (Gift Vouchers and Packages) (WooCommerce Supported) | gift-voucher |
GiveWP – Donation Plugin and Fundraising Platform | give |
GP Unique ID | gp-unique-id |
Gutenberg | gutenberg |
Gutenberg Blocks with AI by Kadence WP – Page Builder Features | kadence-blocks |
Gutenverse – Ultimate Block Addons and Page Builder for Site Editor | gutenverse |
Happy WooCommerce FAQs & AI FAQ Generator (Formarly XPlainer) | faq-for-woocommerce |
Import any XML or CSV File to WordPress | wp-all-import |
Import Users from CSV | import-users-from-csv |
Inline Related Posts | intelly-related-posts |
InstaWP Connect – 1-click WP Staging & Migration | instawp-connect |
Intagrate Lite | instagrate-to-wordpress |
IP2Location Country Blocker | ip2location-country-blocker |
Ivory Search – WordPress Search Plugin | add-search-to-menu |
Jobs for WordPress | job-postings |
Kattene | kattene |
Kimili Flash Embed | kimili-flash-embed |
Language Translate Widget for WP – ConveyThis | conveythis-translate |
Leadinfo | leadinfo |
Leaflet Maps Marker (Google Maps, OpenStreetMap, Bing Maps) | leaflet-maps-marker |
Legal Pages – Privacy Policy, Terms & Conditions, GDPR, CCPA, and Cookie Notice Generator | legal-pages |
Libsyn Publisher Hub | libsyn-podcasting |
LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes | lifterlms |
Link Whisper Free | link-whisper |
Live Composer – Free WordPress Website Builder | live-composer-page-builder |
Load More Anything | ajax-load-more-anything |
Login With Ajax – Fast Logins, 2FA, Redirects | login-with-ajax |
Login with phone number | login-with-phone-number |
Login \| Login Page \| Login Logo \| Rename Login Page \| Custom Login Page \| Temporary Users \| Rebrand Login \| Login Captcha | feather-login-page |
Mail logging – WP Mail Catcher | wp-mail-catcher |
MailChimp Forms by MailMunch | mailchimp-forms-by-mailmunch |
Marker.io – Visual Website Feedback | marker-io |
Matterport Shortcode | shortcode-gallery-for-matterport-showcase |
Membership Plugin – Restrict Content | restrict-content |
Migration, Backup, Staging – WPvivid Backup & Migration | wpvivid-backuprestore |
MihanPanel – User Login , Registration and Dashboard | mihanpanel-lite |
Modal Window – create popup modal window | modal-window |
MultiParcels Shipping For WooCommerce | multiparcels-shipping-for-woocommerce |
MWW Disclaimer Buttons | mww-disclaimer-buttons |
Newsletter – Send awesome emails from WordPress | newsletter |
NextMove Lite – Thank You Page for WooCommerce | woo-thank-you-page-nextmove-lite |
Ninja Forms – The Contact Form Builder That Grows With You | ninja-forms |
No-Bot Registration | no-bot-registration |
Novelist | novelist |
Ocean Extra | ocean-extra |
Order Delivery Date for WooCommerce | order-delivery-date-for-woocommerce |
Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE | otter-blocks |
Ovic Addon Toolkit | ovic-addon-toolkit |
Pagely [Show Current Template Info] | current-template-name |
Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress | wp-user-avatar |
Podlove Podcast Publisher | podlove-podcasting-plugin-for-wordpress |
POEditor | poeditor |
Pop-up | pop-up-pop-up |
Popup Box: Create Popups Easily | popup-box |
Popup by Supsystic | popup-by-supsystic |
Popup Like box – Page Plugin | ays-facebook-popup-likebox |
Post Type Builder | themify-ptb |
Premium Addons for Elementor | premium-addons-for-elementor |
Premmerce Product Filter for WooCommerce | premmerce-woocommerce-product-filter |
Product Feed on WooCommerce for Google, Awin, Shareasale, Bing, and More | purple-xmls-google-product-feed-for-woocommerce |
Product Input Fields for WooCommerce | product-input-fields-for-woocommerce |
ProfileGrid – User Profiles, Groups and Communities | profilegrid-user-profiles-groups-and-communities |
Realtyna Organic IDX plugin + WPL Real Estate | real-estate-listing-realtyna-wpl |
ReDi Restaurant Reservation | redi-restaurant-reservation |
Redirection | redirect-redirection |
Remove Footer Credit | remove-footer-credit |
Responsive Contact Form Builder & Lead Generation Plugin | lead-form-builder |
Responsive Slider – Sangar Slider | sangar-slider-lite |
RestroPress – Online Food Ordering System | restropress |
RSS Redirect & Feedburner Alternative | feedburner-alternative-and-rss-redirect |
Save as Image Plugin by Pdfcrowd | save-as-image-by-pdfcrowd |
Save as PDF Plugin by Pdfcrowd | save-as-pdf-by-pdfcrowd |
Search Keyword Redirect | wp-search-keyword-redirect |
SEO Booster | seo-booster |
Sheets to WP Table Live Sync \| Google Sheets Table Plugin for WordPress with Spreadsheet Integration – FlexTable | sheets-to-wp-table-live-sync |
Shopkeeper Extender | shopkeeper-extender |
Shopping Cart & eCommerce Store | wp-easycart |
Short URL | shorten-url |
Side Menu Lite – add sticky fixed buttons | side-menu-lite |
Simple Post Notes | simple-post-notes |
Siteimprove | siteimprove |
Slider Revolution | revslider |
Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider | ml-slider |
Smart Forms – when you need more than just a contact form | smart-forms |
Smart Slider 3 | smart-slider-3 |
Smash Balloon Social Post Feed – Simple Social Feeds for WordPress | custom-facebook-feed |
Social Media Social Share Icon | add-social-share |
Social Proof Popups & Real-Time Notifications – Herd Effects | mwp-herd-effect |
Social Share Icons & Social Share Buttons | ultimate-social-media-plus |
Spotlight Social Feeds – Block, Shortcode, and Widget | spotlight-social-photo-feeds |
SSL Mixed Content Fix | http-https-remover |
Sticky Buttons – floating buttons builder | sticky-buttons |
Subscribe2 – Form, Email Subscribers & Newsletters | subscribe2 |
Sync Post With Other Site | sync-post-with-other-site |
Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent | tablesome |
The Events Calendar | the-events-calendar |
Top Bar | top-bar |
TOP Table Of Contents | top-table-of-contents |
TWIPLA (Visitor Analytics IO) – Privacy-First Website Stats, Session Recordings, Heatmaps, Polls and Surveys | visitor-analytics-io |
Ultimate Before After Image Slider & Gallery – BEAF | beaf-before-and-after-gallery |
Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin | ultimate-member |
Ultimate Posts Widget | ultimate-posts-widget |
Ultimate Product Catalog | ultimate-product-catalogue |
Ultimate Store Kit Elementor Addons, Woocommerce Builder, EDD Builder, Elementor Store Builder, Product Grid, Product Table, Woocommerce Slider | ultimate-store-kit |
Unlimited Elementor Inner Sections By BoomDevs | unlimited-elementor-inner-sections-by-boomdevs |
User Activity Log Pro | user-activity-log-pro |
UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP | userswp |
USPS Shipping for WooCommerce – Live Rates | flexible-shipping-usps |
Wallet System for WooCommerce – Wallet, Secure Online Payments, Cashback, Refunds, Partial Payment, Wallet Restriction, WooCommerce Payment | wallet-system-for-woocommerce |
Webinar Solution: Create live/evergreen/automated/instant webinars, stream & Zoom Meetings \| WebinarIgnition | webinar-ignition |
Website Builder by SeedProd — Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode | coming-soon |
Welcart e-Commerce | usc-e-shop |
WOLF – WordPress Posts Bulk Editor and Manager Professional | bulk-editor |
WooCommerce UPS Shipping – Live Rates and Access Points | flexible-shipping-ups |
WordPress Classifieds Plugin – Ad Directory & Listings by AWP Classifieds | another-wordpress-classifieds-plugin |
WordPress Flipbook by Supsystic | digital-publications-by-supsystic |
WordPress Hosting Benchmark tool | wpbenchmark |
WordPress Tour & Travel Booking Plugin for WooCommerce – WpTravelly | tour-booking-manager |
Wow Skype Buttons | mwp-skype |
WP Accessibility Helper (WAH) | wp-accessibility-helper |
WP Activity Log Premium | wp-security-audit-log-premium |
WP Client Reports | wp-client-reports |
WP Compress – Instant Performance & Speed Optimization | wp-compress-image-optimizer |
WP Encryption – One Click Free SSL Certificate & SSL / HTTPS Redirect to Force HTTPS, Security+ | wp-letsencrypt-ssl |
WP Event Aggregator: Import Eventbrite events, Meetup events, social events and any iCal Events into WordPress | wp-event-aggregator |
WP Google Analytics Events – No-Code Custom Event Tracking for Google Analytics | wp-google-analytics-events |
WP Login and Logout Redirect | wp-login-and-logout-redirect |
WP Radio – Worldwide Online Radio Stations Directory for WordPress | wp-radio |
WP Synchro – WordPress Migration Plugin for Database & Files | wpsynchro |
WP2LEADS \| WordPress und KlickTipp einfach verbinden – WooCommerce und KlickTipp einfach verbinden | wp2leads |
WPBakery Visual Composer | js_composer |
WPC Smart Quick View for WooCommerce | woo-smart-quick-view |
WPZOOM Social Feed Widget & Block | instagram-widget-by-wpzoom |
Zoho Campaigns | zoho-campaigns |
WordPress Themes with Reported Vulnerabilities Last Week
Software Name | Software Slug |
---|---|
Blocksy | blocksy |
CityLogic | citylogic |
Decode | decode |
Default Mag | default-mag |
Emmet Lite | emmet-lite |
Gridsby | gridsby |
HappenStance | happenstance |
i-excel | i-excel |
i-max | i-max |
Lightning | lightning |
Namaha | namaha |
NewsXpress | newsxpress |
Panoramic | panoramic |
PopularFX | popularfx |
Sarada Lite | sarada-lite |
Sensible WP | sensible-wp |
Shopstar! | shopstar |
Sliding Door | sliding-door |
Soledad | soledad |
Spa and Salon | spa-and-salon |
The Conference | the-conference |
X-T9 | x-t9 |
Vulnerability Details
Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.
As a reminder, Wordfence has curated an industry-leading vulnerability database, known as Wordfence Intelligence, covering all known WordPress core, theme, and plugin vulnerabilities.
This database is continuously updated, maintained, and populated by Wordfence's highly credentialed and experienced vulnerability researchers through in-house vulnerability research, through vulnerability researchers submitting directly to us via our Bug Bounty Program, and by monitoring various sources to capture all publicly available WordPress vulnerability information, adding additional context where we can.