Wordfence Intelligence Weekly WordPress Vulnerability Report (April 22, 2024 to April 28, 2024)
🎉 Did you know we’re running a Bug Bounty Extravaganza again?
Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through May 27th, 2024, when you opt to have Wordfence handle responsible disclosure!
Last week, 309 vulnerabilities disclosed in 234 WordPress plugins and 23 WordPress themes were added to the Wordfence Intelligence Vulnerability Database, and 65 vulnerability researchers contributed to WordPress security. Review the vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, including the WordPress community, so that individuals and organizations alike can use that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and use, both personally and commercially, and why we publish this weekly vulnerability report.
Enterprises, hosting providers, and even individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Alternatively, they can use the vulnerability database API to receive a complete dump of our database of over 15,000 vulnerabilities, then use the webhook integration to stay on top of the newest vulnerabilities as they are added in real time, as well as any updates made to the database, all for free.
Click here to sign up for our mailing list to receive weekly vulnerability reports like this one, along with important WordPress security reports, in your inbox the moment they are published.
Total Unpatched & Patched Vulnerabilities Last Week
Patch Status | Number of Vulnerabilities |
---|---|
Patched | 256 |
Unpatched | 53 |
Total Vulnerabilities by CVSS Severity Last Week
Severity Rating | Number of Vulnerabilities |
---|---|
Low Severity | 4 |
Medium Severity | 251 |
High Severity | 32 |
Critical Severity | 22 |
Total Vulnerabilities by CWE Type Last Week
Vulnerability Type by CWE | Number of Vulnerabilities |
---|---|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 98 |
Missing Authorization | 82 |
Cross-Site Request Forgery (CSRF) | 34 |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 13 |
Exposure of Sensitive Information to an Unauthorized Actor | 12 |
Server-Side Request Forgery (SSRF) | 12 |
Authorization Bypass Through User-Controlled Key | 6 |
Deserialization of Untrusted Data | 6 |
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') | 6 |
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | 6 |
Insertion of Sensitive Information into Log File | 6 |
Unrestricted Upload of File with Dangerous Type | 5 |
Improper Privilege Management | 4 |
Use of Less Trusted Source | 4 |
External Control of Assumed-Immutable Web Parameter | 3 |
Improper Control of Generation of Code ('Code Injection') | 2 |
Improper Input Validation | 2 |
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') | 2 |
Authentication Bypass Using an Alternate Path or Channel | 1 |
Guessable CAPTCHA | 1 |
Improper Access Control | 1 |
Improper Authorization | 1 |
Improper Neutralization of Alternate XSS Syntax | 1 |
URL Redirection to Untrusted Site ('Open Redirect') | 1 |
Researchers That Contributed to WordPress Security Last Week
Researcher Name | Number of Vulnerabilities |
---|---|
30 | |
23 | |
18 | |
17 | |
17 | |
14 | |
13 | |
13 | |
13 | |
10 | |
10 | |
8 | |
7 | |
7 | |
7 | |
7 | |
6 | |
6 | |
6 | |
5 | |
4 | |
4 | |
4 | |
4 | |
4 | |
3 | |
3 | |
2 | |
2 | |
2 | |
2 | |
2 | |
2 | |
2 | |
2 | |
2 | |
2 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your discoveries to us will also get your name added to the Wordfence Intelligence leaderboard, along with a mention in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
Software Name | Software Slug |
---|---|
Academy LMS – WordPress LMS Plugin for Complete eLearning Solution | academy |
Accessibility Widget | accessibility-widget |
ActiveDEMAND | activedemand |
Admin and Customer Messages After Order for WooCommerce: OrderConvo | admin-and-client-message-after-order-for-woocommerce |
Admin Bar Editor – Hide Toolbar by User Roles | admin-bar |
Advanced Floating Content Lite | advanced-floating-content-lite |
Advanced Local Pickup for WooCommerce | advanced-local-pickup-for-woocommerce |
Advanced Most Recent Posts Mod | advanced-most-recent-posts-mod |
Advanced Post List | advanced-post-list |
Advanced Testimonial Carousel for Elementor | advanced-testimonial-carousel-for-elementor |
AGCA – Custom Dashboard & Login Page | ag-custom-admin |
All-in-one Like Widget | all-in-one-facebook-like-widget |
Analytify – Google Analytics Dashboard For WordPress (GA4 analytics made easy) | wp-analytify |
Annual Archive | anual-archive |
Appointment Hour Booking – WordPress Booking Plugin | appointment-hour-booking |
AppPresser – Mobile App Framework | apppresser |
Arconix FAQ | arconix-faq |
Arconix Shortcodes | arconix-shortcodes |
ARforms | arforms |
ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup | armember-membership |
Assistant – Every Day Productivity Apps | assistant |
Auto Featured Image (Auto Post Thumbnail) | auto-post-thumbnail |
BackUpWordPress | backupwordpress |
Barcode Scanner and Inventory manager. POS (Point of Sale) – scan barcodes & create orders with barcode reader. | barcode-scanner-lite-pos-to-manage-products-inventory-and-orders |
Base64 Encoder/Decoder | base64-encoderdecoder |
Better Elementor Addons | better-elementor-addons |
Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss | bp-better-messages |
Blog2Social: Social Media Auto Post & Scheduler | blog2social |
Booking Ultra Pro Appointments Booking Calendar Plugin | booking-ultra-pro |
Brevo for WooCommerce | woocommerce-sendinblue-newsletter-subscription |
Build 5 Star Reviews on Google Reviews, Yelp, Facebook… easily and risk-free | RRatingg | 5-stars-rating-funnel |
Car Dealer (Dealership) and Vehicle sales | cardealer |
CF7 File Download – File Download for CF7 | cf7-file-download |
ChatBot Conversational Forms | conversational-forms |
Classified Listing – Classified ads & Business Directory Plugin | classified-listing |
ClickCease Click Fraud Protection | clickcease-click-fraud-protection |
Client Dash | client-dash |
CM Tooltip Glossary | enhanced-tooltipglossary |
Colibri Page Builder | colibri-page-builder |
Collapse-O-Matic | jquery-collapse-o-matic |
Comments – wpDiscuz | wpdiscuz |
Contact Form 7 Database Addon – CFDB7 | contact-form-cfdb7 |
Contact Form 7 Extension For Mailchimp | contact-form-7-mailchimp-extension |
Contact Form, Survey, Quiz & Popup Form Builder – ARForms | arforms-form-builder |
Content Views – Post Grid & Filter, Recent Posts, Category Posts … (Shortcode, Blocks, and Elementor Widgets) | content-views-query-and-display-post-page |
Cookie Information | Free GDPR Consent Solution | wp-gdpr-compliance |
CookieHub – Cookie Consent Banner (DSGVO, CCPA, RGPD and GDPR compliance) | cookiehub |
Cornerstone | cornerstone |
Coupon & Discount Code Reveal Button | coupon-reveal-button |
Crelly Slider | crelly-slider |
Culqi | culqi-checkout |
Custom field finder | custom-field-finder |
Customify Site Library | customify-sites |
Data Tables Generator by Supsystic | data-tables-generator-by-supsystic |
Database for Contact Form 7, WPforms, Elementor forms | contact-form-entries |
Easy Accept Payments via PayPal | wordpress-easy-paypal-payment-or-donation-accept-plugin |
Easy Property Listings | easy-property-listings |
Easy Set Favicon | easy-set-favicon |
Element Pack Pro - Addon for Elementor Page Builder WordPress Plugin | bdthemes-element-pack |
ElementsKit Elementor addons | elementskit-lite |
ElementsKit Pro | elementskit |
EleSpare: Elementor Newspaper, Magazine and Blog Addons – 35+ Post Grid, Slider, Carousel, List & Tile, 350+ Templates, Drag & Drop Header/Footer and Page Builder, 1-Click Import – No Coding Hassle! | elespare |
Email Customizer for WooCommerce | Drag and Drop Email Templates Builder | email-customizer-for-woocommerce |
Embed Google Photos album | embed-google-photos-album-easily |
ENL Newsletter | enl-newsletter |
EPROLO Dropshipping | eprolo-dropshipping |
Essential Addons for Elementor – Popular Elementor Addon With Ready Templates, Advanced Widgets, Kits & WooCommerce Builders | essential-addons-for-elementor-lite |
Evergreen Content Poster – Auto Post and Schedule Your Best Content to Social Media | evergreen-content-poster |
Exclusive Addons for Elementor | exclusive-addons-for-elementor |
Export and Import Users and Customers | users-customers-import-export-for-wp-woocommerce |
FameTheme Demo Importer | famethemes-demo-importer |
Fan Page Widget by ThemeNcode | facebook-fan-page-widget |
Fancy Product Designer | fancy-product-designer |
FG Joomla to WordPress | fg-joomla-to-wordpress |
FileOrganizer – Manage WordPress and Website Files | fileorganizer |
Filterable Portfolio | jungbillig-portfolio-gallery |
Five Star Restaurant Reservations – WordPress Booking Plugin | restaurant-reservations |
Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder | form-maker |
FOX – Currency Switcher Professional for WooCommerce | woocommerce-currency-switcher |
Frontend Dashboard | frontend-dashboard |
FV Flowplayer Video Player | fv-wordpress-flowplayer |
GeoDirectory – WP Business Directory Plugin and Classified Listings Directory | geodirectory |
Getwid – Gutenberg Blocks | getwid |
Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers | rafflepress |
GiveWP – Donation Plugin and Fundraising Platform | give |
Happy Addons for Elementor | happy-elementor-addons |
Header Footer Code Manager Pro | 99robots-header-footer-code-manager-pro |
Headline Analyzer | headline-analyzer |
Hide Dashboard Notifications | wp-hide-backed-notices |
HL Twitter | hl-twitter |
HT Mega – Absolute Addons For Elementor | ht-mega-for-elementor |
Hummingbird Performance – Cache & Page Speed Optimization for Core Web Vitals | Critical CSS | Minify CSS | Defer CSS Javascript | CDN | hummingbird-performance |
Image Optimizer, Resizer and CDN – Sirv | sirv |
Image Slider | image-slider-widget |
Import and export users and customers | import-users-from-csv-with-meta |
InstaWP Connect – 1-click WP Staging & Migration | instawp-connect |
Integrate Google Drive | integrate-google-drive |
Interactive World Maps | interactive-world-maps |
Jeg Elementor Kit | jeg-elementor-kit |
KB Support – Customer Support Ticket & Helpdesk Plugin, Knowledge Base Plugin | kb-support |
Knowledge Base documentation & wiki plugin – BasePress Docs | basepress |
Leaky Paywall | leaky-paywall |
List Custom Taxonomy Widget | list-custom-taxonomy-widget |
Live Composer – Free WordPress Website Builder | live-composer-page-builder |
Login with phone number | login-with-phone-number |
Maintenance Mode | hkdev-maintenance-mode |
MainWP Child Reports | mainwp-child-reports |
Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations | master-addons |
Max Addons Pro for Bricks | max-addons-pro-bricks |
MDTF – Meta Data and Taxonomies Filter | wp-meta-data-filter-and-taxonomy-filter |
Meks Smart Social Widget | meks-smart-social-widget |
Meks ThemeForest Smart Widget | meks-themeforest-smart-widget |
MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor | metform |
MF Gig Calendar | mf-gig-calendar |
month name translation benaceur | month-name-translation-benaceur |
myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program. | mycred |
Newsletter Popup | newsletter-popup |
Newsletters | newsletters-lite |
Nexter Blocks – WordPress Gutenberg Blocks & 1000+ Starter Templates | the-plus-addons-for-block-editor |
Opal Widgets For Elementor | opal-widgets-for-elementor |
Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction | paid-member-subscriptions |
Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions | paid-memberships-pro |
Payment Gateway Based Fees and Discounts for WooCommerce | checkout-fees-for-woocommerce |
PDF Invoices & Packing Slips for WooCommerce | woocommerce-pdf-invoices-packing-slips |
Photo Gallery by 10Web – Mobile-Friendly Image Gallery | photo-gallery |
Photo Gallery – GT3 Image Gallery & Gutenberg Block Gallery | gt3-photo-video-gallery |
Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery | nextgen-gallery |
Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons | contest-gallery |
Piotnet Addons For Elementor | piotnet-addons-for-elementor |
Piotnet Addons For Elementor Pro | piotnet-addons-for-elementor-pro |
Podlove Podcast Publisher | podlove-podcasting-plugin-for-wordpress |
Poll | Vote | Contest – Best Poll Plugin for WordPress | totalpoll-lite |
Popup Box – Create Countdown, Coupon, Video, Contact Form Popups | ays-popup-box |
Popup Builder by OptinMonster – WordPress Popups for Optins, Email Newsletters and Lead Generation | optinmonster |
Popup4Phone | popup4phone |
PopupAlly | popupally |
Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) | buddyforms |
Post Grid and Gutenberg Blocks – ComboBlocks | post-grid |
Post Grid Gutenberg Blocks and WordPress Blog Plugin – PostX | ultimate-post |
PPOM – Product Addons & Custom Fields for WooCommerce | woocommerce-product-addon |
Premium Addons for Elementor | premium-addons-for-elementor |
Pretty Google Calendar | pretty-google-calendar |
Pricing Table by Supsystic | pricing-table-by-supsystic |
Print Anywhere & Create PDFs of Order Receipts, Invoices, Labels & More. | print-google-cloud-print-gcp-woocommerce |
Print Invoice & Delivery Notes for WooCommerce | woocommerce-delivery-notes |
ProfileGrid – User Profiles, Groups and Communities | profilegrid-user-profiles-groups-and-communities |
Property Hive | propertyhive |
Qi Addons For Elementor | qi-addons-for-elementor |
Quick Featured Images | quick-featured-images |
Radio Player – Live Shoutcast, Icecast and Any Audio Stream Player for WordPress | radio-player |
Radio Station by netmix® – Manage and play your Show Schedule in WordPress! | radio-station |
Rank Math SEO – AI SEO Tools to Dominate SEO Rankings | seo-by-rank-math |
Rate My Post – Star Rating Plugin by FeedbackWP | rate-my-post |
Recencio Book Reviews | recencio-book-reviews |
Reviews Plus | reviews-plus |
RomethemeForm For Elementor | romethemeform |
RomethemeKit For Elementor | rometheme-for-elementor |
Royal Elementor Addons and Templates | royal-elementor-addons |
rtMedia for WordPress, BuddyPress and bbPress | buddypress-media |
Salon Booking System | salon-booking-system |
Save as PDF Plugin by Pdfcrowd | save-as-pdf-by-pdfcrowd |
SchedulePress – Auto Post & Publish, Auto Social Share, Schedule Posts with Editorial Calendar & Missed Schedule Post Publisher | wp-scheduled-posts |
Schema & Structured Data for WP & AMP | schema-and-structured-data-for-wp |
Secure Copy Content Protection and Content Locking | secure-copy-content-protection |
Seers | GDPR & CCPA Cookie Consent & Compliance | seers-cookie-consent-banner-privacy-policy |
Send PDF for Contact Form 7 | send-pdf-for-contact-form-7 |
Serious Slider | cryout-serious-slider |
SharkDropship and Affiliate for AliExpress, Temu, eBay, Amazon and Etsy to woocommerce | woo-aliexpress-dropshipping |
ShortPixel Critical CSS | shortpixel-critical-css |
Simple Membership | simple-membership |
Simply Static – The WordPress Static Site Generator | simply-static |
Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates) | sina-extension-for-elementor |
Slash Admin | slash-admin |
Smart Forms – when you need more than just a contact form | smart-forms |
Smart Maintenance Mode | smart-maintenance-mode |
Smart Recent Posts Widget | smart-recent-posts-widget |
Social Share Buttons, Social Sharing Icons, Click to Tweet — Social Media Plugin by Social Snap | socialsnap |
Social Sharing Plugin – Social Warfare | social-warfare |
Solid Affiliate | solid-affiliate |
Solid Mail – SMTP email and logging made by SolidWP | wp-smtp |
SP Project & Document Manager | sp-client-document-manager |
Spectra – WordPress Gutenberg Blocks | ultimate-addons-for-gutenberg |
SSU – WordPress Amazon S3 & Wasabi Smart File Uploads Plugin | wp-s3-smart-upload |
Sticky Anything | toast-stick-anything |
StreamWeasels Twitch Integration | streamweasels-twitch-integration |
Survey Maker | survey-maker |
Table Rate Shipping Method for WooCommerce by Flexible Shipping | flexible-shipping |
The Pack Elementor addons (Header Footer & WooCommerce Builder, Template Library) | the-pack-addon |
The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce | the-plus-addons-for-elementor-page-builder |
Timetable and Event Schedule by MotoPress | mp-timetable |
Tutor LMS – eLearning and online course solution | tutor |
Ultimate 410 Gone Status Code | ultimate-410 |
Ultimate Blocks – WordPress Blocks Plugin | ultimate-blocks |
User Meta – User Profile Builder and User management plugin | user-meta |
USPS Shipping for WooCommerce – Live Rates | flexible-shipping-usps |
Video Conferencing with Zoom | video-conferencing-with-zoom-api |
VikRentCar Car Rental Management System | vikrentcar |
Vision – Interactive Image Map Builder | vision |
Vitepos – Point of sale (POS) plugin for WooCommerce | vitepos-lite |
VK Block Patterns | vk-block-patterns |
VOD Infomaniak | vod-infomaniak |
Wallet for WooCommerce | woo-wallet |
WebToffee WP Backup and Migration | wp-migration-duplicator |
Widget Post Slider | widget-post-slider |
WooCommerce Amazon Affiliates - Wordpress Plugin | woozone |
WooCommerce Shipping Label | shipping-labels-for-woo |
WordPress Ad Widget | ad-widget |
WP ADA Compliance Check Basic – Most Comprehensive Web Accessibility Solution for WordPress | wp-ada-compliance-check-basic |
WP Club Manager – WordPress Sports Club Plugin | wp-club-manager |
WP Datepicker | wp-datepicker |
WP Fusion Lite – Marketing Automation and CRM Integration for WordPress | wp-fusion-lite |
WP GoToWebinar | wp-gotowebinar |
WP LinkedIn Auto Publish | wp-linkedin-auto-publish |
WP Masquerade | wp-masquerade |
WP Media Category Management | wp-media-category-management |
WP Migrate Pro | wp-migrate-db-pro |
WP Page Post Widget Clone | wp-page-post-widget-clone |
WP Prayer | wp-prayer |
WP Shortcodes Plugin — Shortcodes Ultimate | shortcodes-ultimate |
WP STAGING Pro WordPress Backup Plugin | wp-staging-pro |
WP STAGING WordPress Backup Plugin – Migration Backup Restore | wp-staging |
WP Time Slots Booking Form | wp-time-slots-booking-form |
WP Travel Engine – Tour Booking Plugin – Tour Operator Software | wp-travel-engine |
WP ULike – All-in-One Engagement Toolkit | wp-ulike |
WP-Lister Lite for eBay | wp-lister-for-ebay |
WP-Members Membership Plugin | wp-members |
WP-Recall – Registration, Profile, Commerce & More | wp-recall |
WPC Composite Products for WooCommerce | wpc-composite-products |
WPCal.io – Easy Meeting Scheduler | wpcal |
WPPizza – A Restaurant Plugin | wppizza |
WPZOOM Addons for Elementor (Templates, Widgets) | wpzoom-elementor-addons |
XforWooCommerce | xforwoocommerce |
XStore Core | et-core-plugin |
YITH WooCommerce Compare | yith-woocommerce-compare |
WordPress Themes with Reported Vulnerabilities Last Week
Software Name | Software Slug |
---|---|
Accountra | accountra |
Althea WP | althea-wp |
Blocksy | blocksy |
Brite | brite |
Calliope | calliope |
Colibri WP | colibri-wp |
ColorNews | colornews |
Elevate WP | elevate-wp |
Financio | financio |
Hugo WP | hugo-wp |
Intrace | intrace |
Pathway | pathway |
Photology | photology |
Royal Elementor Kit | royal-elementor-kit |
Startupzy | startupzy |
Teluro | teluro |
Travey | travey |
uDesign - Responsive WordPress Theme | u-design |
Vertice | vertice |
Virtue | virtue |
WP Portfolio | wp-portfolio |
XStore | xstore |
Zeever | zeever |
Vulnerability Details
Please note that if you run the Wordfence plugin on your WordPress site with the scanner enabled, you should already have been notified if your site was affected by any of these vulnerabilities. If you would like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to use.
As a reminder, Wordfence curates an industry-leading vulnerability database, known as Wordfence Intelligence, covering all known WordPress core, theme, and plugin vulnerabilities.
This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, through submissions from researchers who disclose directly to us via our Bug Bounty Program, and by monitoring a variety of sources to capture all publicly available WordPress vulnerability information, adding additional context where we can.