Wordfence Intelligence Weekly WordPress Vulnerability Report (October 21, 2024 to October 27, 2024)
🦸 👻 Calling all superheroes and haunters! Introducing the Cybersecurity Month Spooktacular Haunt and the WordPress Superhero Challenge for the Wordfence Bug Bounty Program! Through November 11th, 2024:
- All in-scope vulnerability types for WordPress plugins/themes with >= 1,000 active installations are in-scope for ALL researchers
- Top-tier researchers earn automatic bonuses of between 10% to 120% for valid submissions
- Pending report limits are increased for all
- It’s possible to earn up to $31,200 for high impact vulnerabilities!
Last week, there were 239 vulnerabilities disclosed in 209 WordPress Plugins and 6 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 58 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.
Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 19,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
- WAF-RULE-757 – Data redacted while we work with the vendor on a patch.
- WAF-RULE-758 – Data redacted while we work with the vendor on a patch.
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.
Total Unpatched & Patched Vulnerabilities Last Week
Patch Status | Number of Vulnerabilities |
---|---|
Patched | 146 |
Unpatched | 93 |
Total Vulnerabilities by CVSS Severity Last Week
Severity Rating | Number of Vulnerabilities |
---|---|
Medium Severity | 169 |
High Severity | 36 |
Critical Severity | 34 |
Total Vulnerabilities by CWE Type Last Week
Vulnerability Type by CWE | Number of Vulnerabilities |
---|---|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 118 |
Missing Authorization | 38 |
Unrestricted Upload of File with Dangerous Type | 18 |
Authentication Bypass Using an Alternate Path or Channel | 13 |
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') | 9 |
Cross-Site Request Forgery (CSRF) | 8 |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 8 |
Exposure of Sensitive Information to an Unauthorized Actor | 7 |
Improper Control of Generation of Code ('Code Injection') | 5 |
Deserialization of Untrusted Data | 3 |
Improper Authentication | 2 |
Improper Authorization | 2 |
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | 2 |
URL Redirection to Untrusted Site ('Open Redirect') | 2 |
Authorization Bypass Through User-Controlled Key | 1 |
Improper Restriction of XML External Entity Reference | 1 |
Incorrect Privilege Assignment | 1 |
Weak Password Recovery Mechanism for Forgotten Password | 1 |
Researchers That Contributed to WordPress Security Last Week
Researcher Name | Number of Vulnerabilities |
---|---|
25 | |
23 | |
22 | |
22 | |
13 | |
11 | |
8 | |
8 | |
8 | |
7 | |
5 | |
5 | |
5 | |
5 | |
5 | |
4 | |
4 | |
4 | |
3 | |
3 | |
3 | |
3 | |
2 | |
2 | |
2 | |
2 | |
2 | |
2 | |
2 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 |
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
Software Name | Software Slug |
---|---|
1-Click Login: Passwordless Authentication | swoop-password-free-authentication |
10Web Social Post Feed | wd-facebook-feed |
3D Work In Progress | renee-work-in-progress |
Accept Stripe Donation and Payments – AidWP | wp-stripe-donation |
ACL Floating Cart for WooCommerce | acl-floating-cart-for-woocommerce |
Acnoo Flutter API | acnoo-flutter-api |
aDirectory – WordPress Directory Listing Plugin | adirectory |
Ads.txt & App-ads.txt Manager for WordPress | app-ads-txt |
Advanced Online Ordering and Delivery Platform | advanced-online-ordering-and-delivery-platform |
Advanced Sermons | advanced-sermons |
Affiliate Platform | smdp-affiliate-platform |
AffiliateX – Amazon Affiliate Plugin | affiliatex |
Agile Video Player Lite | agile-video-player |
AI Image Generator for Your Content & Featured Images – AI Postpix | ai-postpix |
Ajar in5 Embed | ajar-productions-in5-embed |
All-in-One WP Migration and Backup | all-in-one-wp-migration |
Amilia Store | amilia-store |
AMP for WP – Accelerated Mobile Pages | accelerated-mobile-pages |
Anchor Episodes Index (Spotify for Podcasters) | anchor-episodes-index |
App Builder – Create Native Android & iOS Apps On The Flight | app-builder |
AR for WordPress | ar-for-wordpress |
Astra Widgets | astra-widgets |
Auto Login using a secure tokenized url. Role wise login restriction. | token-login |
Automatic Translation | automatic-translation |
Awesome buttons | wp-awesome-buttons |
Backup and Staging by WP Time Capsule | wp-time-capsule |
Bamazoo – Button Generator | bamazoo-button-generator |
Banner Slider | banner-slider |
Beaver Builder – WordPress Page Builder | beaver-builder-lite-version |
Beek Widget Extention | beek-widget-extention |
Bet WC 2018 Russia | bet-wc-2018-russia |
Bold Page Builder | bold-page-builder |
Booking Plugin for Your WordPress Appointments – Time Slot | timeslot |
BP Member Type Manager | bp-member-type-manager |
Breeze – WordPress Cache Plugin | breeze |
Bstone Demo Importer | bstone-demo-importer |
BuddyPress | buddypress |
BuddyPress Greeting Message | bp-greeting-message |
Call / Chat / Contact Button | button-contact-vr |
Campus Explorer Widget | campus-explorer-widget |
Category and Taxonomy Image | wp-custom-taxonomy-image |
Category and Taxonomy Meta Fields | wp-custom-taxonomy-meta |
chatplusjp | chatplusjp |
Church Admin | church-admin |
Clever Addons for Elementor | cafe-lite |
Client Power Tools Portal | client-power-tools |
Code Generate | code-generator |
CodePen Embedded Pens Shortcode | codepen-embedded-pen-shortcode |
Comments – wpDiscuz | wpdiscuz |
Compact WP Audio Player | compact-wp-audio-player |
Conditional Fields for Contact Form 7 | cf7-conditional-fields |
Contact Form 7 + Telegram | cf7-telegram |
Contact Form 7 – Repeatable Fields | cf7-repeatable-fields |
Coub | coub |
Cozy Blocks – Page Builder for Gutenberg & Site Editor with Post Blocks, WooCommerce Blocks, Magazine Blocks & WordPress Gutenberg Blocks | cozy-addons |
Custom Icons for Elementor | custom-icons-for-elementor |
Custom Twitter Feeds – A Tweets Widget or X Feed Widget | custom-twitter-feeds |
CWD 3D Image Gallery | cwd-3d-image-gallery |
DarkMySite – Advanced Dark Mode Plugin for WordPress | darkmysite |
Dear Flipbook – PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer | 3d-flipbook-dflip-lite |
DocumentPress | documentpress-display-any-document-on-your-site |
Download Monitor | download-monitor |
Download Plugin | download-plugin |
Editor Custom Color Palette | editor-custom-color-palette |
Editorial Assistant by Sovrn | zemanta |
EKC Tournament Manager | ekc-tournament-manager |
ElementsKit Elementor addons | elementskit-lite |
EmbedPress – Embed PDF, PDF 3D FlipBook, Instagram Social Feeds, Google Docs, Vimeo, Wistia, YouTube Videos, Maps & Upload PDF Documents | embedpress |
Envo's Elementor Templates & Widgets for WooCommerce | envo-elementor-for-woocommerce |
Event Manager and Tickets Selling Plugin for WooCommerce – WpEvently – WordPress Plugin | mage-eventpress |
EventPrime – Events Calendar, Bookings and Tickets | eventprime-event-calendar-management |
Exam Matrix | exam-matrix |
Extensions by HocWP Team | sb-core |
Extra Privacy for Elementor | extra-privacy-for-elementor |
Extra Product Options Builder for WooCommerce | additional-product-fields-for-woocommerce |
File Upload Types by WPForms | file-upload-types |
Firelight Lightbox | easy-fancybox |
FormFacade – WordPress plugin for Google Forms | formfacade |
Forminator Forms – Contact Form, Payment Form & Custom Form Builder | forminator |
Forms for Mailchimp by Optin Cat – Grow Your MailChimp List | mailchimp-wp |
Futurio Extra | futurio-extra |
GeoDirectory – WP Business Directory Plugin and Classified Listings Directory | geodirectory |
Google Docs RSVP, WordPress Plugin | google-docs-rsvp-guestlist |
Great Restaurant Menu WP | best-restaurant-menu-by-pricelisto |
Greenshift – animation and page builder blocks | greenshift-animation-and-page-builder-blocks |
GRÜN spendino Spendenformular – Mehr Spenden! Weniger Arbeit! | spendino |
HD Quiz – Save Results Light | hd-quiz-save-results-light |
HurryTimer – An Scarcity and Urgency Countdown Timer for WordPress & WooCommerce | hurrytimer |
ID-SK Toolkit | idsk-toolkit |
Image Map Pro – Drag-and-drop Builder for Interactive Images | image-map-pro |
Import and export users and customers | import-users-from-csv-with-meta |
INK Official | ink-official |
Interactive World Map | interactive-world-map |
Kata Plus – Addons for Elementor – Widgets, Extensions and Templates | kata-plus |
Kodex Posts likes | kodex-posts-likes |
Landing Page Cat – Coming Soon Page, Maintenance Page & Squeeze Pages | landing-page-cat |
LaTeX2HTML | latex2html |
League of Legends Shortcodes | league-of-legends-shortcodes |
leenk.me | leenkme |
Local Business Addons For Elementor (Formally Waze Map) | map-addons-for-elementor-waze-map |
MaanStore API | maanstore-api |
Magazine Blocks – Blog Designer, Magazine & Newspaper Website Builder, Page Builder with Posts Blocks, Post Grid | magazine-blocks |
Mapster WP Maps | mapster-wp-maps |
Marketing Automation by AZEXO | marketing-automation-by-azexo |
MDTF – Meta Data and Taxonomies Filter | wp-meta-data-filter-and-taxonomy-filter |
Meetup | meetup |
Mega Elements – Addons for Elementor | mega-elements-addons-for-elementor |
Monitor.chat – Monitor WordPress with Instant Messages | monitor-chat |
Monkee-Boy Essentials | monkee-boy-wp-essentials |
Multi Purpose Mail Form | multi-purpose-mail-form |
Multi Step Form | multi-step-form |
MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution | dc-woocommerce-multi-vendor |
My Wp Brand – Hide menu & Hide Plugin | my-wp-brand |
myCred Elementor | mycred-for-elementor |
Namaste! LMS | namaste-lms |
News Kit Elementor Addons | news-kit-elementor-addons |
Nexter Blocks – WordPress Gutenberg Blocks & 1000+ Starter Templates | the-plus-addons-for-block-editor |
Order Notification for Telegram | order-notification-for-telegram |
PDF Generator Addon for Elementor Page Builder | pdf-generator-addon-for-elementor-page-builder |
PDF Invoices & Packing Slips for WooCommerce | woocommerce-pdf-invoices-packing-slips |
PegaPoll | pegapoll |
Photo Gallery, Images, Slider in Rbs Image Gallery | robo-gallery |
Plugin Name: iBryl Switch User | ibryl-switch-user |
Plugin Propagator | wp-propagator |
Poll Maker – Versus Polls, Anonymous Polls, Image Polls | poll-maker |
Portfolleo | portfolleo |
Post Grid and Gutenberg Blocks – ComboBlocks | post-grid |
Post Grid Gutenberg Blocks and WordPress Blog Plugin – PostX | ultimate-post |
Premium SEO Pack – WP SEO Plugin | premium-seo-pack |
PriPre | pripre |
Product Filter by WBW | woo-product-filter |
ProfilePress Pro | profilepress-pro |
Qi Addons For Elementor | qi-addons-for-elementor |
Qi Blocks | qi-blocks |
Qode Essential Addons | qode-essential-addons |
Raptor Editor | wp-raptor |
Realty Workstation | realty-workstation |
Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit | wp-marketing-automations |
Risk Warning Bar | risk-warning-bar |
Rover IDX | rover-idx |
Royal Elementor Addons and Templates | royal-elementor-addons |
RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging | wp-rss-aggregator |
RSS Feed Widget | rss-feed-widget |
RSVP ME | rsvp-me |
Schema & Structured Data for WP & AMP | schema-and-structured-data-for-wp |
School Management System – WPSchoolPress | wpschoolpress |
Scrollbar by webxapp – Best vertical/horizontal scrollbars plugin | scrollbar-by-webxapp |
Selection Lite | selection-lite |
SEOPress – On-site SEO | wp-seopress |
Shoutcast Icecast HTML5 Radio Player | shoutcast-icecast-html5-radio-player |
Signup Page | signup-page |
Simple Custom Admin | simple-custom-admin |
Simple Load More | simple-load-more |
Simple Membership | simple-membership |
Simple News | simple-news |
Sky Addons for Elementor (Free Templates Library, Live Copy, Animations, Post Grid, Post Carousel, Particles, Sliders, Chart, Blog, Video Gallery) | sky-elementor-addons |
Stacks Mobile App Builder – The most powerful Mobile Applications Drag and Drop builder | stacks-mobile-app-builder |
Sudan Payment Gateway for WooCommerce | wc-sudan-payment-gateway |
Sunshine Photo Cart: Free Client Photo Galleries for Photographers | sunshine-photo-cart |
Survey Maker | survey-maker |
SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity | surveyjs |
SVG Captcha | svg-captcha |
Templately – Elementor & Gutenberg Template Library: 5000+ Free & Pro Ready Templates & Cloud! | templately |
TeploBot – Telegram Bot for WP | green-wp-telegram-bot-by-teplitsa |
Terms descriptions | terms-descriptions |
Textboxes | textboxes |
The Pack Elementor addons (Header Footer & WooCommerce Builder, Template Library) | the-pack-addon |
Themes4WP YouTube External Subtitles | themes4wp-youtube-external-subtitles |
Tida URL Screenshot | tida-url-screenshot |
Todo Custom Field | todo-custom-field |
Transients Manager | transients-manager |
Trip Plan | tripplan |
uCAT – Next Story | ucat-next-story |
Uix Shortcodes | uix-shortcodes |
Ultimate Addons for Elementor (Formerly Elementor Header & Footer Builder) | header-footer-elementor |
UPS Shipping for WooCommerce – Live Rates and Access Point | flexible-shipping-ups |
User Toolkit | user-toolkit |
Verbalize WP | verbalize-wp |
WatchTowerHQ | watchtowerhq |
Web Bricks Addons for Elementor: Elite-Designed Elementor & eCommerce Widgets | webbricks-addons |
Whitelist | fifthsegment-whitelist |
WooCommerce Advanced Bulk Edit Products, Orders, Coupons, Any WordPress Post Type – Smart Manager | smart-manager-for-wp-e-commerce |
Woocommerce Custom Profile Picture | woo-custom-profile-picture |
WooCommerce Maintenance Mode (Free) | woocommerce-maintenance-mode |
WooCommerce Order Proposal | wooCommerce-order-proposal |
Woocommerce Product Design | woo-product-design |
Woocommerce Quote Calculator | woo-quote-calculator-order |
WordPress eCommerce – ScottCart | scottcart |
WordPress Post Grid Layouts with Pagination – Sogrid | sogrid |
WP Abstracts | wp-abstracts-manuscripts-manager |
WP Adminify – Custom WordPress Dashboard, Login and Admin Customizer | adminify |
WP Awesome Login | wp-awesome-login |
WP Booking System – Booking Calendar | wp-booking-system |
WP Crowdfunding | wp-crowdfunding |
WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting | erp |
WP Flow Plus | wp-imageflow2 |
WP Query Console | wp-query-console |
WP Recipe Maker | wp-recipe-maker |
WP Sessions Time Monitoring Full Automatic | activitytime |
WP Shortcodes Plugin — Shortcodes Ultimate | shortcodes-ultimate |
WP show more | wp-show-more |
Wp Social Login and Register Social Counter | wp-social |
WP VR – 360 Panorama and Free Virtual Tour Builder For WordPress | wpvr |
WP-Members Membership Plugin | wp-members |
WPC Shop as a Customer for WooCommerce | wpc-shop-as-customer |
WPKoi Templates for Elementor | wpkoi-templates-for-elementor |
WPS Telegram Chat | wps-telegram-chat |
Wux Blog Editor | wux-blog-editor |
YITH WooCommerce Product Add-Ons | yith-woocommerce-product-add-ons |
WordPress Themes with Reported Vulnerabilities Last Week
Software Name | Software Slug |
---|---|
Clean Retina | clean-retina |
Js Paper | js-paper |
Mags | mags |
Meta News | meta-news |
NewsCard | newscard |
Nioland - SaaS & Software Startup Tech WordPress Theme | nioland |
Vulnerability Details
Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.
As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.
This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us through our Bug Bounty Program, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
Comments