Last week, there were 191 vulnerabilities disclosed in 178 WordPress Plugins and 7 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 52 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
Table of Contents
- New Firewalls
- Total Patched & Unpatched
- Total Vulnerabilities By CVSS
- Total Vulnerabilities By CWE
- WordPress Themes Vulnerabilities Reported
- WordPress Plugins Vulnerabilities Reported
New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.
Total Unpatched & Patched Vulnerabilities Last Week
| Patch Status | Number of Vulnerabilities |
|---|---|
| Patched | 81 |
| Unpatched | 110 |
Total Vulnerabilities by CVSS Severity Last Week
| Severity Rating | Number of Vulnerabilities |
|---|---|
| Low Severity | 2 |
| Medium Severity | 172 |
| High Severity | 16 |
| Critical Severity | 1 |
Total Vulnerabilities by CWE Type Last Week
| Vulnerability Type by CWE | Number of Vulnerabilities |
|---|---|
| Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 87 |
| Cross-Site Request Forgery (CSRF) | 37 |
| Missing Authorization | 27 |
| Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 8 |
| Deserialization of Untrusted Data | 7 |
| Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) | 5 |
| Improper Control of Generation of Code (‘Code Injection’) | 4 |
| Exposure of Sensitive Information to an Unauthorized Actor | 3 |
| Server-Side Request Forgery (SSRF) | 3 |
| Unrestricted Upload of File with Dangerous Type | 3 |
| Absolute Path Traversal | 2 |
| Authentication Bypass Using an Alternate Path or Channel | 1 |
| Authorization Bypass Through User-Controlled Key | 1 |
| Improper Input Validation | 1 |
| Improper Output Neutralization for Logs | 1 |
| Missing Authentication for Critical Function | 1 |
WordPress Themes with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
|---|---|
| AdForest | adforest |
| ConsultStreet | consultstreet |
| Miraculous – Multi Vendor Online Music Store Elementor WordPress Theme | miraculous |
| REHub – Price Comparison, Multi Vendor Marketplace WordPress Theme | rehub-theme |
| SaasLauncher | saaslauncher |
| Shk Corporate | shk-corporate |
| SoftMe | softme |
WordPress Plugins with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
|---|---|
| Add to Feedly | add-to-feedly |
| Admin Menu Editor | admin-menu-editor |
| Ai Auto Tool Content Writing Assistant (Gemini Writer, ChatGPT ) All in One | ai-auto-tool |
| AI Engine | ai-engine |
| Aitasi Coming Soon | aitasi-coming-soon |
| AP HoneyPot WordPress Plugin | ap-honeypot |
| Aparat Video Shortcode | aparat-shortcode |
| ARI Fancy Lightbox – Popup for WordPress | ari-fancy-lightbox |
| Assistant – Every Day Productivity Apps | assistant |
| atec Debug | atec-debug |
| aThemes Addons for Elementor | athemes-addons-for-elementor-lite |
| Authors List | authors-list |
| Auto Last Youtube Video | auto-last-youtube-video |
| BCM Duplicate Menu | bcm-duplicate-menu |
| Biagiotti Core | biagiotti-core |
| Bonus for Woo | bonus-for-woo |
| Booking Ultra Pro Appointments Booking Calendar Plugin | booking-ultra-pro |
| Boxed Content | boxed-content |
| Brilliant Web-to-Lead for Salesforce | salesforce-wordpress-to-lead |
| Brizy – Page Builder | brizy |
| Bulk Featured Image | bulk-featured-image |
| Bulk Watermark | bulk-watermark |
| Carousel Ultimate | carousel |
| Classified Listing – AI-Powered Classified ads & Business Directory Plugin | classified-listing |
| Cloud SAML SSO – Single Sign On Login | cloud-sso-single-sign-on |
| Comment Form WP – Customize Default Comment Form | comment-form-wp |
| Compact Admin | compact-admin |
| connectDaily Events Calendar Plugin | connect-daily-web-calendar |
| Contact Form By Mega Forms – Drag and Drop Form Builder | mega-forms |
| Content Views – Post Grid & Filter, Recent Posts, Category Posts … (Shortcode, Blocks, and Elementor Widgets) | content-views-query-and-display-post-page |
| Cookie Notice & Consent Banner for GDPR & CCPA Compliance | cookie-notice-and-consent-banner |
| Course Booking Platform | course-booking-platform |
| Custom Team Manager | custom-team-manager |
| Custom WooCommerce Checkout Fields Editor | add-fields-to-checkout-page-woocommerce |
| Dadevarzan WordPress Common | dadevarzan-common |
| Database to Excel | database-to-excel |
| Developer Tools Blocker | swiftninjapro-inspect-element-console-blocker |
| Document Engine – Download Posts as PDF, PDF Embedder, Posts to PDF | document-engine |
| Donation Forms WP by Givecloud | donation-forms-by-givecloud |
| Easy Download Media Counter | easy-download-media-counter |
| Easy Flash Embed | easy-flash-embed |
| Easy Social Feed – Social Photos Gallery – Post Feed – Like Box | easy-facebook-likebox |
| Easy Timer | easy-timer |
| eDS Responsive Menu | eds-responsive-menu |
| Elementor Element Condition | ele-conditions |
| ELEX WooCommerce Google Shopping (Google Product Feed) | elex-woocommerce-google-product-feed-plugin-basic |
| Email Marketing, Email Automation, Newsletter & Cart Abandonment for WordPress and WooCommerce – Mail Mint | mail-mint |
| Enable Latex | enable-latex |
| Exchange Rates | exchange-rates |
| Exit Intent Popup | exitintentpopup |
| F4 Media Taxonomies | f4-media-taxonomies |
| Flatsome | flatsome |
| Floating Window Music Player | floating-window-music-player |
| Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder | fluentform |
| Frisbii Pay | reepay-checkout-gateway |
| FW Anker | fw-anker |
| Gallery PhotoBlocks | photoblocks-grid-gallery |
| Get Cash | get-cash |
| GoUrl Bitcoin Payment Gateway & Paid Downloads & Membership | gourl-bitcoin-payment-gateway-paid-downloads-membership |
| Great Restaurant Menu WP | best-restaurant-menu-by-pricelisto |
| Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor | gutentor |
| Hide Real Download Path | hide-real-download-path |
| Html Social share buttons | html-social-share-buttons |
| Ibtana – Ecommerce Product Addons | ibtana-ecommerce-product-addons |
| If-So Dynamic Content Personalization | if-so |
| immonex Kickstart | immonex-kickstart |
| InPost Gallery | inpost-gallery |
| Instant Locations | instant-locations |
| Invelity MyGLS connect | invelity-mygls-connect |
| IssueM | issuem |
| Job Board Manager | job-board-manager |
| Klarna Order Management for WooCommerce | klarna-order-management-for-woocommerce |
| LA-Studio Element Kit for Elementor | lastudio-element-kit |
| Latest Post Shortcode | latest-post-shortcode |
| License Manager for WooCommerce | license-manager-for-woocommerce |
| LTL Freight Quotes – Day & Ross Edition | ltl-freight-quotes-day-ross-edition |
| LTL Freight Quotes – Daylight Edition | ltl-freight-quotes-daylight-edition |
| LTL Freight Quotes – TQL Edition | ltl-freight-quotes-tql-edition |
| Make Connector | integromat-connector |
| Malcure Malware Scanner — #1 Toolset for Malware Removal | wp-malware-removal |
| Master Paper Collapse Toggle | master-paper-collapse-toggle |
| MasterStudy LMS WordPress Plugin – for Online Courses and Education | masterstudy-lms-learning-management-system |
| Media Author | media-author |
| MediaPress | mediapress |
| Mobile Contact Line | mobile-contact-line |
| MSTW League Manager | mstw-league-manager |
| Multi Step Form | multi-step-form |
| New Simple Gallery | new-simple-gallery |
| Ninja Charts – WordPress Charts and Graphs Plugin | ninja-charts |
| Notification for Telegram | notification-for-telegram |
| Optio Dentistry | optio-dentistry |
| Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More | themeisle-companion |
| Order Delivery Date for WooCommerce | order-delivery-date-for-woocommerce |
| Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction | paid-member-subscriptions |
| Parallax Scrolling Enllax.js | parallax-scrolling-enllax-js |
| Payments Plugin and Checkout Plugin for WooCommerce: Stripe, PayPal, Square, Authorize.net | peachpay-for-woocommerce |
| Payoneer Checkout | payoneer-checkout |
| PDF for WPForms + Drag and Drop Template Builder | pdf-for-wpforms |
| PopAd | popad |
| Popping Sidebars and Widgets Light | popping-sidebars-and-widgets-light |
| Popup, Optin Form & Email Newsletters for Mailchimp, HubSpot, AWeber – MailOptin | mailoptin |
| Post SMTP – WP SMTP Plugin with Email Logs and Mobile App for Failure Notifications – Gmail SMTP, Office 365, Brevo, Mailgun, Amazon SES and more | post-smtp |
| Posts Table with Search & Sort | posts-data-table |
| PrettyPhoto – Simple Lightbox Plugin | prettyphoto |
| Product Carousel Slider for Elementor | ecommerce-product-carousel-slider-for-elementor |
| Property Hive | propertyhive |
| Purge Varnish Cache | purge-varnish |
| Pushe Web Push Notification | pushe-webpush |
| PuzzleMe for WordPress | puzzleme |
| Quick Event Calendar | quick-event-calendar |
| Quick Paypal Payments | quick-paypal-payments |
| Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker | quiz-master-next |
| Ray Enterprise Translation | lingotek-translation |
| Recent Posts Widget Extended | recent-posts-widget-extended |
| Responder | responder |
| RumbleTalk Live Group Chat – HTML5 | rumbletalk-chat-a-chat-with-themes |
| Search by Google | search-google |
| Search Cloud One | search-cloud-one |
| SEO Auto Linker | wpa-seo-auto-linker |
| short.io | wp-shortcm |
| Show Eventbrite Events – Event Feed for Eventbrite | event-feed-for-eventbrite |
| Showpass WordPress Extension | showpass |
| SimaCookie | simasicher-dsgvo-cookie |
| Simple Link List Widget | simple-link-list-widget |
| Simple Matomo Tracking Code | simple-matomo-tracking-code |
| Simple Price Calculator | simple-price-calculator-basic |
| Simple Text Slider | simple-text-slider |
| Site Info | site-info-dashboard-widget |
| SKT Addons for Elementor | skt-addons-for-elementor |
| Smart Table Builder | smart-table-builder |
| Smooth Accordion | smooth-accordion |
| Social Sharing Plugin – Kiwi | kiwi-social-share |
| Spirit Framework | spirit-framework |
| SS Font Awesome Icon | ss-font-awesome-icon |
| StagTools | stagtools |
| StreamWeasels Kick Integration | streamweasels-kick-integration |
| Stripe Payment Forms by WP Full Pay – Accept Credit Card Payments, Donations & Subscriptions | wp-full-stripe-free |
| Support Genix – Helpdesk & Customer Support Ticket System | support-genix-lite |
| Surfer – WordPress Plugin | surferseo |
| Table of content | content-table |
| Themify Popup | themify-popup |
| Tickera – WordPress Event Ticketing | tickera-event-ticketing-system |
| Today’s Date Inserter | todays-date-inserter |
| Tooltipy (tooltips for WP) | bluet-keywords-tooltip-generator |
| Translate This gTranslate Shortcode | translate-this-google-translate-web-element-shortcode |
| TrustMate.io – WooCommerce integration | trustmate-io-integration-for-woocommerce |
| Ultimate AJAX Login | ultimate-ajax-login |
| Ultimate Client Dash | ulimate-client-dash |
| User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin | user-registration |
| UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP | userswp |
| Vayu Blocks – Website Builder for the Block Editor | vayu-blocks |
| vipdrv | vipdrv-vip-test-drive |
| Widgetize Pages Light | widgetize-pages-light |
| WN Flipbox Pro | wn-flipbox-pro |
| Woocommerce Gifts Product | woo-gift-product |
| Woocommerce Notify Updated Product | woocommerce-notify-updated-product |
| WooCommerce Single Page Checkout | woo-single-page-checkout |
| WordPress Buffer – HYPESocial. Social Media Auto Post, Social Media Auto Publish and Schedule | buffer-my-post |
| WordPress Error Monitoring by Bugsnag | bugsnag |
| WordPress Events Calendar Plugin – Pie Calendar | pie-calendar |
| WordPress Helpdesk Integration | wp-helpdesk-integration |
| WordPress StoryMap Plugin | wp-storymap |
| WP Bannerize Pro | wp-bannerize-pro |
| WP Delicious – Recipe Plugin for Food Bloggers (formerly Delicious Recipes) | delicious-recipes |
| WP Email Template | wp-email-template |
| WP Flow Plus | wp-imageflow2 |
| WP Github Gist | wp-github-gist |
| WP likes | wp-likes |
| WP Mail | wp-mail |
| WP Notification Bell | wp-notification-bell |
| WP Publication Archive | wp-publication-archive |
| WP-GraphViz | wp-graphviz |
| WPB Elementor Addons | wpb-elementor-addons |
| WPB Image Widget | wpb-image-widget |
| wpForo Forum | wpforo |
| Zoomify embed for WP | zoom-image-shortcode |
| 金数据 | jinshuju |
| 코드엠샵 소셜톡 | mshop-naver-talktalk |
Have ServiceNow & WordPress?
Purchase ServicePress Core and get ServicePress: Wordfence Security (add-on) for Free.