Wordfence Intelligence Weekly WordPress Vulnerability Report (June 10, 2024 to June 16, 2024)
📢 Did you know Wordfence runs a Bug Bounty Program for all WordPress plugin and themes at no cost to vendors? Researchers can earn up to $10,400, for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we handle all the rest. For a limited time, all high risk issues are in-scope for all researchers!Â
Last week, there were 74 vulnerabilities disclosed in 63 WordPress Plugins and no WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 34 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.
Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 16,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
- WAF-RULE-706 – data redacted while we work with the vendor on a patch.
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.
Total Unpatched & Patched Vulnerabilities Last Week
| Patch Status | Number of Vulnerabilities |
|---|---|
| Patched | 63 |
| Unpatched | 11 |
Total Vulnerabilities by CVSS Severity Last Week
| Severity Rating | Number of Vulnerabilities |
|---|---|
| Low Severity | 1 |
| Medium Severity | 52 |
| High Severity | 10 |
| Critical Severity | 11 |
Total Vulnerabilities by CWE Type Last Week
| Vulnerability Type by CWE | Number of Vulnerabilities |
|---|---|
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 38 |
| Missing Authorization | 9 |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 5 |
| Cross-Site Request Forgery (CSRF) | 4 |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') | 4 |
| Deserialization of Untrusted Data | 2 |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | 2 |
| Authentication Bypass by Alternate Name | 1 |
| Authorization Bypass Through User-Controlled Key | 1 |
| Improper Authorization | 1 |
| Improper Control of Generation of Code ('Code Injection') | 1 |
| Incorrect Authorization | 1 |
| Information Exposure | 1 |
| Insecure Storage of Sensitive Information | 1 |
| Server-Side Request Forgery (SSRF) | 1 |
| Use of Insufficiently Random Values | 1 |
| User Interface (UI) Misrepresentation of Critical Information | 1 |
Researchers That Contributed to WordPress Security Last Week
| Researcher Name | Number of Vulnerabilities |
|---|---|
| 14 | |
| 7 | |
| 5 | |
| 5 | |
| 4 | |
| 3 | |
| 3 | |
| 3 | |
| 2 | |
| 2 | |
| 2 | |
| 2 | |
| 2 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 |
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
|---|---|
| Advanced Contact form 7 DB | advanced-cf7-db |
| AI Infographic Maker | infographic-and-list-builder-ilist |
| Blog2Social: Social Media Auto Post & Scheduler | blog2social |
| BuddyPress | buddypress |
| Canto | canto |
| CoDesigner – The Most Compact and User-Friendly Elementor WooCommerce Builder | woolementor |
| Collapse-O-Matic | jquery-collapse-o-matic |
| Cooked – Recipe Management | cooked |
| Custom Field Suite | custom-field-suite |
| Custom Field Template | custom-field-template |
| Dashboard Widgets Suite | dashboard-widgets-suite |
| Divi Torque Lite – Divi Theme and Extra Theme | addons-for-divi |
| Dokan Pro | dokan-pro |
| Download Manager | download-manager |
| Easy WP SMTP by SendLayer – WordPress SMTP and Email Log Plugin | easy-wp-smtp |
| Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) | bdthemes-element-pack-lite |
| Elementor Addon Elements | addon-elements-for-elementor-page-builder |
| Elementor Header & Footer Builder | header-footer-elementor |
| ElementsKit Pro | elementskit |
| Elespare – News, Magazine and Blog Elements & Blog Addons for Elementor with Header Footer Builder. One Click Import: No Coding Required! | elespare |
| Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce | email-subscribers |
| EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor | embedpress |
| Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders | essential-addons-for-elementor-lite |
| Events Addon for Elementor | events-addon-for-elementor |
| Events Manager – Calendar, Bookings, Tickets, and more! | events-manager |
| Folders Pro | folders-pro |
| Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager | folders |
| FooEvents for WooCommerce | fooevents |
| FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel | foogallery |
| Futurio Extra | futurio-extra |
| Gutenberg Blocks with AI by Kadence WP – Page Builder Features | kadence-blocks |
| InstaWP Connect – 1-click WP Staging & Migration | instawp-connect |
| Jeg Elementor Kit | jeg-elementor-kit |
| LatePoint Plugin | LatePoint |
| MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor | metform |
| Music Store – WordPress eCommerce | music-store |
| Newsletter - API v1 and v2 addon for Newsletter | newsletter-api |
| Ocean Extra | ocean-extra |
| Popup Builder – Create highly converting, mobile friendly marketing popups. | popup-builder |
| PowerPack Addons for Elementor (Free Widgets, Extensions and Templates) | powerpack-lite-for-elementor |
| Premium Addons for Elementor | premium-addons-for-elementor |
| Rank Math SEO – AI SEO Tools to Dominate SEO Rankings | seo-by-rank-math |
| Restaurant Menu – Food Ordering System – Table Reservation | menu-ordering-reservations |
| Schema App Structured Data | schema-app-structured-data-for-schemaorg |
| Shariff Wrapper | shariff |
| ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor) | woolentor-addons |
| Simple Sitemap – Create a Responsive HTML Sitemap | simple-sitemap |
| SiteOrigin Widgets Bundle | so-widgets-bundle |
| sitetweet | sitetweet-tweets-user-behaviors-on-your-site-on-twitter |
| Slideshow Gallery LITE | slideshow-gallery |
| Stratum – Elementor Widgets | stratum |
| Video Gallery – YouTube Playlist, Channel Gallery by YotuWP | yotuwp-easy-youtube-embed |
| Where I Was, Where I Will Be | where-i-was-where-i-will-be |
| WooCommerce | woocommerce |
| WooCommerce - Social Login | woo-social-login |
| Woody code snippets – Insert Header Footer Code, AdSense Ads | insert-php |
| WordPress Header Builder Plugin – Pearl | pearl-header-builder |
| WordPress Online Booking and Scheduling Plugin – Bookly | bookly-responsive-appointment-booking-tool |
| WP Go Maps (formerly WP Google Maps) | wp-google-maps |
| WP STAGING Pro WordPress Backup Plugin | wp-staging-pro |
| WP Timetics- AI-powered Appointment Booking Calendar and Online Scheduling Plugin | timetics |
| WPBakery Visual Composer | js_composer |
| WPS Hide Login | wps-hide-login |
Vulnerability Details
Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.
Blog2Social: Social Media Auto Post & Scheduler <= 7.4.1 - Authenticated (Subscriber+) SQL Injection
CVE-2024-3549
Patched
Jun 10, 2024
Blog2Social: Social Media Auto Post & Scheduler
CVE-2024-3105
Patched
Jun 14, 2024
Woody code snippets – Insert Header Footer Code, AdSense Ads
CVE-2024-4936
Unpatched
Jun 13, 2024
Canto
CVE-2024-4898
Patched
Jun 11, 2024
InstaWP Connect – 1-click WP Staging & Migration
CVE-2024-4258
Unpatched
Jun 14, 2024
Video Gallery – YouTube Playlist, Channel Gallery by YotuWP
CVE-2024-5577
Unpatched
Jun 13, 2024
Where I Was, Where I Will Be
CVE-2024-5871
Patched
Jun 14, 2024
WooCommerce - Social Login
CVE-2024-2472
Patched
Jun 13, 2024
LatePoint Plugin
CVE-2024-36082
Patched
Jun 10, 2024
Music Store – WordPress eCommerce
CVE-2024-4371
Patched
Jun 12, 2024
Folders Pro <= 3.0.2 - Authenticated(Author+) Arbitrary File Upload via handle_folders_file_upload
CVE-2024-2024
Patched
Jun 13, 2024
Folders Pro
CVE-2024-4845
Patched
Jun 11, 2024
CVE-2024-4404
Patched
Jun 13, 2024
ElementsKit Pro
CVE-2023-6696
Patched
Jun 14, 2024
CVE-2024-5543
Patched
Jun 11, 2024
Slideshow Gallery LITE
CVE-2024-2098
Patched
Jun 12, 2024
Download Manager
CVE-2024-5551
Patched
Jun 13, 2024
WP STAGING Pro WordPress Backup Plugin
CVE-2024-2544
Patched
Jun 14, 2024
CVE-2024-1094
Patched
Jun 13, 2024
CVE-2024-6000
Patched
Jun 14, 2024
FooEvents for WooCommerce
CVE-2024-5674
Patched
Jun 11, 2024
Newsletter - API v1 and v2 addon for Newsletter
CVE-2024-5868
Patched
Jun 14, 2024
WooCommerce - Social Login
CVE-2024-5468
Patched
Jun 11, 2024
WordPress Header Builder Plugin – Pearl
CVE-2024-4892
Patched
Jun 11, 2024
BuddyPress
CVE-2024-4564
Patched
Jun 11, 2024
Collapse-O-Matic <= 1.8.5.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE-2024-4095
Unpatched
Jun 14, 2024
Collapse-O-Matic
CVE-2024-37308
Patched
Jun 13, 2024
Cooked – Recipe Management
CVE-2024-3559
Unpatched
Jun 11, 2024
Custom Field Suite
CVE-2024-0627
Patched
Jun 10, 2024
Custom Field Template
CVE-2023-6745
Patched
Jun 10, 2024
Custom Field Template
CVE-2024-5892
Patched
Jun 11, 2024
Divi Torque Lite – Divi Theme and Extra Theme
CVE-2024-5266
Patched
Jun 11, 2024
Download Manager
CVE-2024-3925
Unpatched
Jun 11, 2024
CVE-2024-5757
Patched
Jun 12, 2024
Elementor Header & Footer Builder
CVE-2024-5263
Patched
Jun 14, 2024
ElementsKit Pro
CVE-2024-4615
Patched
Jun 12, 2024
EmbedPress <= 3.9.10 - Authenticated(Contributor+) Stored Cross-Site Scripting via PDF Widget URL
CVE-2024-1565
Patched
Jun 12, 2024
CVE-2024-5189
Patched
Jun 10, 2024
Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders
CVE-2024-4669
Patched
Jun 11, 2024
Events Addon for Elementor
CVE-2024-3492
Patched
Jun 11, 2024
Events Manager – Calendar, Bookings, Tickets, and more!
CVE-2024-2122
Patched
Jun 13, 2024
FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel
CVE-2024-5646
Patched
Jun 11, 2024
Futurio Extra
CVE-2024-4863
Patched
Jun 13, 2024
Gutenberg Blocks with AI by Kadence WP – Page Builder Features
CVE-2024-4479
Patched
Jun 14, 2024
Jeg Elementor Kit
Ocean Extra <= 2.2.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Flickr Widget
CVE-2024-5531
Patched
Jun 10, 2024
Ocean Extra
CVE-2024-5787
Patched
Jun 12, 2024
PowerPack Addons for Elementor (Free Widgets, Extensions and Templates)
CVE-2024-1399
Patched
Jun 14, 2024
Restaurant Menu – Food Ordering System – Table Reservation
Shariff Wrapper <= 4.6.13 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE-2024-2695
Patched
Jun 14, 2024
Shariff Wrapper
CVE-2024-5530
Patched
Jun 10, 2024
CVE-2024-5090
Patched
Jun 10, 2024
SiteOrigin Widgets Bundle
CVE-2024-5611
Patched
Jun 14, 2024
Stratum – Elementor Widgets
CVE-2024-4551
Unpatched
Jun 14, 2024
Video Gallery – YouTube Playlist, Channel Gallery by YotuWP
CVE-2024-5584
Patched
Jun 10, 2024
WordPress Online Booking and Scheduling Plugin – Bookly
CVE-2024-5994
Patched
Jun 13, 2024
WP Go Maps (formerly WP Google Maps)
CVE-2024-5265
Patched
Jun 12, 2024
WPBakery Visual Composer
CVE-2024-0979
Patched
Jun 12, 2024
Dashboard Widgets Suite
CVE-2024-2092
Patched
Jun 11, 2024
Elementor Addon Elements
CVE-2024-4319
Unpatched
Jun 10, 2024
Advanced Contact form 7 DB
CVE-2024-3723
Unpatched
Jun 10, 2024
Advanced Contact form 7 DB
CVE-2024-4266
Patched
Jun 10, 2024
CVE-2024-2473
Patched
Jun 10, 2024
WPS Hide Login
CVE-2024-0653
Patched
Jun 10, 2024
Custom Field Template
CVE-2024-1766
Patched
Jun 11, 2024
Download Manager
CVE-2024-5553
Patched
Jun 11, 2024
Premium Addons for Elementor
CVE-2024-4627
Patched
Jun 11, 2024
Rank Math SEO – AI SEO Tools to Dominate SEO Rankings
CVE-2023-6748
Patched
Jun 10, 2024
Custom Field Template
CVE-2024-2023
Patched
Jun 13, 2024
Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager
Folders Pro
CVE-2024-5858
Patched
Jun 14, 2024
AI Infographic Maker
CVE-2024-0892
Unpatched
Jun 13, 2024
Schema App Structured Data
CVE-2023-6492
Patched
Jun 13, 2024
Simple Sitemap – Create a Responsive HTML Sitemap
CVE-2024-3073
Patched
Jun 12, 2024
Easy WP SMTP by SendLayer – WordPress SMTP and Email Log Plugin
As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.
This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us through our Bug Bounty Program, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
Comments