Wordfence Intelligence Weekly WordPress Vulnerability Report (November 18, 2024 to November 24, 2024)
🦸 💥 Calling all superheroes and hunters! Introducing the End of Year Holiday Extravaganza and the WordPress Superhero Challenge for the Wordfence Bug Bounty Program! Through December 9th, 2024:
- All in-scope vulnerability types for WordPress plugins/themes with >= 1,000 active installations are in-scope for ALL researchers
- All plugins and themes with 50-999 active installs hosted in the WordPress.org repository and updated within the last 2 years are in-scope for all researchers!
- Minimum bounty of $5 for all valid in-scope submissions.
- All researchers earn automatic bonuses of between 5% to 180% for valid submissions
- Pending report limits are increased for all
- It’s possible to earn up to $31,200 for high impact vulnerabilities!
Last week, there were 236 vulnerabilities disclosed in 216 WordPress Plugins and 8 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 54 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.
Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 20,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
- AppPresser – Mobile App Framework <= 4.4.6 – Unauthenticated Privilege Escalation via Password Reset
- WAF-RULE-770 – Data redacted while we work with the vendor on a patch.
- WAF-RULE-772 – Data redacted while we work with the vendor on a patch.
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.
Total Unpatched & Patched Vulnerabilities Last Week
Patch Status | Number of Vulnerabilities |
---|---|
Patched | 126 |
Unpatched | 110 |
Total Vulnerabilities by CVSS Severity Last Week
Severity Rating | Number of Vulnerabilities |
---|---|
Medium Severity | 186 |
High Severity | 35 |
Critical Severity | 15 |
Total Vulnerabilities by CWE Type Last Week
Vulnerability Type by CWE | Number of Vulnerabilities |
---|---|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 124 |
Cross-Site Request Forgery (CSRF) | 31 |
Missing Authorization | 29 |
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') | 11 |
Deserialization of Untrusted Data | 8 |
Authorization Bypass Through User-Controlled Key | 7 |
Exposure of Sensitive Information to an Unauthorized Actor | 6 |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 5 |
Unrestricted Upload of File with Dangerous Type | 5 |
Improper Control of Generation of Code ('Code Injection') | 4 |
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | 2 |
Authentication Bypass Using an Alternate Path or Channel | 1 |
Improper Access Control | 1 |
Improper Privilege Management | 1 |
Protection Mechanism Failure | 1 |
Researchers That Contributed to WordPress Security Last Week
Researcher Name | Number of Vulnerabilities |
---|---|
43 | |
24 | |
22 | |
17 | |
15 | |
15 | |
8 | |
7 | |
6 | |
5 | |
5 | |
5 | |
4 | |
4 | |
4 | |
3 | |
3 | |
2 | |
2 | |
2 | |
2 | |
2 | |
2 | |
2 | |
2 | |
2 | |
2 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 |
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
Software Name | Software Slug |
---|---|
404 Solution | 404-solution |
Absolute Addons For Elementor | absolute-addons |
Activity Log – Monitor & Record User Changes | aryo-activity-log |
Advanced Event Manager | advanced-event-manager |
affiliate-toolkit – WP Affiliate Plugin with Amazon | affiliate-toolkit-starter |
Ahmeti Wp Güzel Sözler | ahmeti-wp-guzel-sozler |
AI Quiz | Quiz Maker | ai-quiz |
AI Responsive Gallery Album | ai-responsive-gallery-album |
Ajax Search Lite – Live Search & Filter | ajax-search-lite |
amr shortcodes | amr-shortcodes |
Announcement & Notification Banner – Bulletin | bulletin-announcements |
Anonymous Restricted Content | anonymous-restricted-content |
April's Call Posts | aprils-call-posts |
AtaraPay WooCommerce Payment Gateway | atarapay-woocommerce |
AutoListicle: Automatically Update Numbered List Articles | autolisticle-automatically-update-numbered-list-articles |
Awesome Studio | awesome-studio |
Banner System | banner-system |
Bard Extra | bard-extra |
Beds24 Online Booking | beds24-online-booking |
Blizzard Quotes | blizzard-quotes |
Booster for WooCommerce | woocommerce-jetpack |
Branda – Branda – White Label & Branding, Custom Login Page Customizer | branda-white-labeling |
Button Block – Get fully customizable & multi-functional buttons | button-block |
Buying Buddy IDX CRM | buying-buddy-idx-crm |
Chameleoni Jobs | chameleon-jobs |
Checkout with Cash App on WooCommerce | wc-cashapp |
Chessgame Shizzle | chessgame-shizzle |
Classified Listing – Classified ads & Business Directory Plugin | classified-listing |
Clone | wp-clone-by-wp-academy |
Co-marquage service-public.fr | co-marquage-service-public |
Community by PeepSo – Download from PeepSo.com | peepso-core |
Contact Form 7 Email Add on | cf7-email-add-on |
Contact Page With Google Map | contact-page-with-google-map |
Continue Shopping From Cart | continue-shopping-from-cart-page |
Control horas | control-horas |
Crypto and DeFi Widgets – Web3 Cryptocurrency Shortcodes | security-force |
Custom CSS, JS & PHP | custom-css |
Custom Shortcode Sidebars | custom-shortcode-sidebars |
de:branding | debranding |
DeBounce Email Validator | debounce-io-email-validator |
Dino Game – Embed Google Chrome Dinosaur Game in your website | dino-game |
Distance Based Shipping Calculator | distance-based-shipping-calculator |
Document & Data Automation | document-data-automation |
Dynamic "To Top" Plugin | dynamic-to-top |
Dynamic URL SEO | dynamic-url-seo |
Easiest Funnel Builder For WordPress & WooCommerce by WPFunnels | wpfunnels |
Easy Liveblogs | easy-liveblogs |
Elementor Portfolio Builder | portfolio-builder-elementor |
Elfsight Telegram Chat CC | elfsight-telegram-chat-cc |
Email Subscription Popup | email-subscribe |
Enter Addons – Ultimate Template Builder for Elementor | enteraddons |
Explara Events | explara-events |
Extensions for Elementor | extensions-for-elementor |
F4 Improvements | f4-improvements |
Favicon My Blog | favicon-my-blog |
Fediverse Embeds | fediverse-embeds |
Feeds For Twitter | easy-twitter-feeds |
Fence URL wp-login.php | fence-url |
Fintelligence Calculator | fintelligence-calculator |
FireCask’s Twitter Follow Button | twitter-follow |
Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder | fluentform |
FluentSMTP – WP SMTP Plugin with Amazon SES, SendGrid, MailGun, Postmark, Google and Any SMTP Provider | fluent-smtp |
Footer Flyout Widget | footer-flyout-widget |
Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder | formidable |
Friendly Functions for Welcart | friendly-functions-for-welcart |
Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery | simply-gallery-block |
GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress | gamipress |
GD bbPress Attachments | gd-bbpress-attachments |
GD Rating System | gd-rating-system |
Generic Elements | generic-elements-for-elementor |
Geolocator | geolocator |
Getwid – Gutenberg Blocks | getwid |
Google for WooCommerce | google-listings-and-ads |
Google Plus Share and +1 Button | google-plus-share-and-plusone-button |
GoQMieruca | goqmieruca |
GoQSmile | goqsmile |
Grey Owl Lightbox | grey-owl-lightbox |
Grid View Gallery | grid-view-gallery |
Gutenberg Blocks with AI by Kadence WP – Page Builder Features | kadence-blocks |
HIPAA Compliant Forms with Drag’n’Drop HIPAA Form Builder. Sign HIPAA documents | hipaatizer |
Hotlink2Watermark | hotlink2watermark |
HTML5 Lyrics Karaoke Player | html5-lyrics-karaoke-player |
HUSKY – Products Filter Professional for WooCommerce | woocommerce-products-filter |
IceStats | icestats |
Idealien Category Enhancements | idealien-category-enhancements |
If-So Dynamic Content Personalization | if-so |
Image horizontal reel scroll slideshow | image-horizontal-reel-scroll-slideshow |
Image Optimizer, Resizer and CDN – Sirv | sirv |
Image Widget | image-widget |
ImbaChat | imbachat-widget |
Include Mastodon Feed | include-mastodon-feed |
Infinite Slider | infinite-slider |
iPhone Webclip Manager | iphone-webclip-manager |
ITERAS | iteras |
JobBoardWP – Job Board Listings and Submissions | jobboardwp |
Kevin's Plugin | kevins-plugin |
LA-Studio Element Kit for Elementor | lastudio-element-kit |
Lazy load videos and sticky control | lazy-load-videos-and-sticky-control |
LeadBoxer | leadboxer |
LeanPress | leanpress |
LearnPress – WordPress LMS Plugin | learnpress |
LGPD Framework By Data443 | lgpd-framework |
Library Bookshelves | library-bookshelves |
LinkLaunder SEO | linklaunder-seo-plugin |
Lock User Account | lock-user-account |
LSX Tour Operator | tour-operator |
MailChimp Forms by MailMunch | mailchimp-forms-by-mailmunch |
MailMunch – Grow your Email List | mailmunch |
MaxUploader – Increase Media Upload File Size | Increase Execution Time | wp-maximum-upload-file-size |
Memberlite Shortcodes | memberlite-shortcodes |
Meteor Slides | meteor-slides |
MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar | mp3-music-player-by-sonaar |
MP3 Sticky Player | fwdmsp |
MStore API – Create Native Android & iOS Apps On The Cloud | mstore-api |
Multi Feed Reader | multi-feed-reader |
My Contador lesr | my-contador-wp |
nBlocks – Responsive Gutenberg News Blocks | nblocks |
Office Locator | office-locator |
Opal Woo Custom Product Variation | opal-woo-custom-product-variation |
Open edX LMS and WordPress integrator (LITE) | edunext-openedx-integrator |
Ortto | autopilot |
Page Parts | page-parts |
Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress | wp-user-avatar |
Parallax Image | parallax-image |
Pathomation | pathomation |
Payments Plugin and Checkout Plugin for WooCommerce: Stripe, PayPal, Square, Authorize.net | peachpay-for-woocommerce |
PDF Invoices & Packing Slips Generator for WooCommerce | pdf-invoicing-for-woocommerce |
Popup Builder – Create highly converting, mobile friendly marketing popups. | popup-builder |
Post By Email | post-by-email |
Post Hits Counter | hits-counter |
Post Ideas | post-ideas |
Premium Packages – Sell Digital Products Securely | wpdm-premium-packages |
Pricing table addon for elementor | pricing-table-addon-for-elementor |
Product Designer | product-designer |
Product Table for WooCommerce by CodeAstrology (wooproducttable.com) | woo-product-table |
ProfileGrid – User Profiles, Groups and Communities | profilegrid-user-profiles-groups-and-communities |
Protect Your Content | protect-your-content |
PublishPress Revisions: Duplicate Posts, Submit, Approve and Schedule Content Changes | revisionary |
Pure CSS Circle Progress bar | pure-css-circle-progress-bar |
QRMenu Restaurant QR Menu Lite | qrmenu-lite |
Quick Learn | quick-learn |
Quotes llama | quotes-llama |
Rank Math SEO – AI SEO Tools to Dominate SEO Rankings | seo-by-rank-math |
RealtyCandy IDX Broker Extended | realtycandy-idx-broker-extended |
RecipePress Reloaded | recipepress-reloaded |
Request a Quote for WooCommerce and Elementor – Get a Quote Button – Product Enquiry Form Popup – Product Quotation | get-a-quote-button-for-woocommerce |
Rescue Shortcodes | rescue-shortcodes |
Restaurant Menu – Food Ordering System – Table Reservation | menu-ordering-reservations |
Run Contests, Raffles, and Giveaways with ContestsWP | contest-code-checker |
salavat counter Plugin | salavat-counter |
Save as PDF Plugin by Pdfcrowd | save-as-pdf-by-pdfcrowd |
School Management System for Wordpress | school-management |
Shine PDF Embeder | shine-pdf |
Shopready – Elementor addons for WooCommerce Page Builder | shopready-elementor-addon |
Silverlight Video Player | smooth-streaming-player |
Simple Membership | simple-membership |
Simple Travel Map | simple-travel-map |
Sky Addons for Elementor (Free Templates Library, Live Copy, Animations, Post Grid, Post Carousel, Particles, Sliders, Chart, Blog, Video Gallery) | sky-elementor-addons |
Slick Sitemap | slick-sitemap |
Slotti Ajanvaraus | slotti-ajanvaraus |
Social Login | oa-social-login |
SP Blog Designer | sp-blog-designer |
Sticky Social Icons | sticky-social-icons |
Stratum – Elementor Widgets | stratum |
StreamWeasels Online Status Bar | stream-status-for-twitch |
Subaccounts for WooCommerce | subaccounts-for-woocommerce |
SuevaFree Essential Kit | suevafree-essential-kit |
Sugar Calendar – Event Calendar, Event Tickets, and Event Management Platform | sugar-calendar-lite |
SVG Block | svg-block |
System Dashboard | system-dashboard |
Tailored Tools | tailored-tools |
Team Rosters | team-rosters |
The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce | the-plus-addons-for-elementor-page-builder |
Theater for WordPress | theatre |
Theme Builder For Elementor | theme-builder-for-elementor |
TM Islamic Helper | tm-islamic-helper |
Tribute Testimonials – WordPress Testimonial Grid/Slider | tribute-testimonial-gridslider |
Tutor LMS – eLearning and online course solution | tutor |
Ultimate Blocks – WordPress Blocks Plugin | ultimate-blocks |
Ultimate Classified Listings | ultimate-classified-listings |
Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin | ultimate-member |
Ultimate YouTube Video & Shorts Player With Vimeo | ultimate-youtube-video-player |
UltraAddons – Elementor Addons (Header Footer Builder, Custom Font, Custom CSS,Woo Widget, Menu Builder, Anywhere Elementor Shortcode) | ultraaddons-elementor-lite |
User registration & user profile – UserPlus | userplus |
Wawp OTP Verification, Order Notifications, and Country Code Selector for WooCommerce | automation-web-platform |
Wc Recently viewed products | wc-recently-viewed-products |
Weather Atlas Widget | weather-atlas |
What Would Seth Godin Do | what-would-seth-godin-do |
WIP Incoming Lite | wip-incoming-lite |
Wishlist for WooCommerce: Multi Wishlists Per Customer PRO | wish-list-for-woocommerce-pro |
WooCommerce Price Alert | price-alert-woocommerce |
WooCommerce Product Table Lite | wc-product-table-lite |
WordPress Bootscraper | wp-bootscraper |
WordPress Brute Force Protection – Stop Brute Force Attacks | guardgiant |
wp auto top | wp-auto-top |
WP e-Commerce Style Email | wp-e-commerce-style-email |
WP Mailster | wp-mailster |
WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts | wedevs-project-manager |
WP Travel Engine – Tour Booking Plugin – Tour Operator Software | wp-travel-engine |
WP User Manager – User Profile Builder & Membership | wp-user-manager |
WP-ISPConfig 3 | wp-ispconfig3 |
WP-Orphanage Extended | wp-orphanage-extended |
WPAdverts – Classifieds Plugin | wpadverts |
WPB Popup for Contact Form 7 – Showing The Contact Form 7 Popup on Button Click – CF7 Popup | wpb-popup-for-contact-form-7 |
WPBakery Visual Composer WHMCS Elements | void-visual-whmcs-element |
WPDash Notes | wpdash-notes |
WPGYM - Wordpress Gym Management System | gym-management |
Xpresslane Fast Checkout | xpresslane-integration-for-woocommerce |
Yaad Sarig Payment Gateway For WC | yaad-sarig-payment-gateway-for-wc |
Youneeq Recommendations | youneeq-panel |
yPHPlista | yphplista |
Zajax – Ajax Navigation | zajax-ajax-navigation |
Экспресс Платежи платежный модуль | express-pay |
우커머스 네이버페이 | mshop-npay |
워드프레스 결제 심플페이 – 우커머스 결제 플러그인 | pgall-for-woocommerce |
코드엠샵 소셜톡 | mshop-naver-talktalk |
WordPress Themes with Reported Vulnerabilities Last Week
Software Name | Software Slug |
---|---|
AccessPress Staple | accesspress-staple |
Ashe | ashe |
Bard | bard |
ForumEngine | forumengine |
Gaga Lite | gaga-lite |
Grip | grip |
jobify | jobify |
One Paze | one-paze |
Vulnerability Details
Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.
As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.
This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us through our Bug Bounty Program, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
Comments