Last week, 166 vulnerabilities disclosed in 132 WordPress plugins and 19 WordPress themes were added to the Wordfence Intelligence Vulnerability Database, and 51 vulnerability researchers contributed to WordPress security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
Table of Contents
- New Firewalls
- Total Patched & Unpatched
- Total Vulnerabilities By CVSS
- Total Vulnerabilities By CWE
- WordPress Themes Vulnerabilities Reported
- WordPress Plugins Vulnerabilities Reported

New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
- WAF-RULE-866 – Data redacted while we work with the vendor on a patch.
- WAF-RULE-867 – Data redacted while we work with the vendor on a patch.
- WAF-RULE-868 – Data redacted while we work with the vendor on a patch.
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30-day delay.
Total Unpatched & Patched Vulnerabilities Last Week
| Patch Status | Number of Vulnerabilities |
|---|---|
| Patched | 102 |
| Unpatched | 64 |
Total Vulnerabilities by CVSS Severity Last Week
| Severity Rating | Number of Vulnerabilities |
|---|---|
| Low Severity | 1 |
| Medium Severity | 124 |
| High Severity | 35 |
| Critical Severity | 6 |
Total Vulnerabilities by CWE Type Last Week
| Vulnerability Type by CWE | Number of Vulnerabilities |
|---|---|
| Missing Authorization | 43 |
| Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 38 |
| Cross-Site Request Forgery (CSRF) | 18 |
| Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 14 |
| Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) | 9 |
| Unrestricted Upload of File with Dangerous Type | 8 |
| Exposure of Sensitive Information to an Unauthorized Actor | 7 |
| Authorization Bypass Through User-Controlled Key | 6 |
| Authentication Bypass Using an Alternate Path or Channel | 2 |
| Improper Authorization | 2 |
| Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 2 |
| Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | 2 |
| Incorrect Privilege Assignment | 2 |
| Server-Side Request Forgery (SSRF) | 2 |
| Acceptance of Extraneous Untrusted Data With Trusted Data | 1 |
| Deserialization of Untrusted Data | 1 |
| External Control of File Name or Path | 1 |
| Improper Authentication | 1 |
| Improper Control of Generation of Code (‘Code Injection’) | 1 |
| Improper Neutralization of Alternate XSS Syntax | 1 |
| Improper Privilege Management | 1 |
| Insertion of Sensitive Information into Log File | 1 |
| Insertion of Sensitive Information Into Sent Data | 1 |
| Missing Authentication for Critical Function | 1 |
| Use of Hard-coded Credentials | 1 |

WordPress Themes with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
|---|---|
| academist | academist |
| Blogmatic | blogmatic |
| ClassifiedPro – reCommerce WordPress Theme | classified-pro |
| Construction Light | construction-light |
| Eduma | eduma |
| Felan Framework | felan-framework |
| GoStore – Elementor WooCommerce WordPress Theme | gostore |
| HiStudy – Online Courses & Education Template | histudy |
| HomeLancer | homelancer |
| Houzez | houzez |
| KALLYAS – Creative eCommerce Multi-Purpose WordPress Theme | kallyas |
| News Event | news-event |
| REHub – Price Comparison, Multi Vendor Marketplace WordPress Theme | rehub-theme |
| Revolution – Creative Multipurpose WordPress Theme | revolution |
| Salient \| Creative Multipurpose & WooCommerce Theme | salient |
| Savory – Restaurant WordPress Theme | savory |
| Sparkle FSE | sparkle-fse |
| Woodmart | woodmart |
| XStore | xstore |
WordPress Plugins with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
|---|---|
| Acknowledgify | acknowledgify |
| Admin Management Xtended | admin-management-xtended |
| Advanced Coupons – WooCommerce Coupons & Store Credit | advanced-coupons-for-woocommerce-free |
| AI ChatBot – WPBot for Live Support and Lead Generation | chatbot |
| Ally – Web Accessibility & Usability | pojo-accessibility |
| Attesa Extra | attesa-extra |
| Barcode Scanner (+Mobile App) – Inventory manager, Order fulfillment system, POS (Point of Sale) | barcode-scanner-lite-pos-to-manage-products-inventory-and-orders |
| Binary MLM Plan | binary-mlm-plan |
| Block Country | block-country |
| BlockSpare — News, Magazine and Blog Addons for (Gutenberg) Block Editor | blockspare |
| Business Directory Plugin – Easy Listing Directories for WordPress | business-directory-plugin |
| Case Addons | case-addons |
| CloudSearch | cloud-search |
| Content Writer | content-writer |
| Cost Calculator Builder | cost-calculator-builder |
| Demo Import Kit | demo-import-kit |
| Dhivehi Text | dhivehi-text |
| Digiseller | digiseller |
| DirectoryPress – Business Directory And Classified Ad Listing | directorypress |
| DocoDoco Store Locator | docodoco-store-locator |
| Duplicate Page, Hide Title, Custom CSS & JS, Exclude Search, Template Info – Pagely | current-template-name |
| Dynamically Display Posts | dynamically-display-posts |
| E2Pdf – Export Pdf Tool for WordPress | e2pdf |
| Easy Post Submission – Frontend Posting, Guest Publishing & Submit Content for WordPress | easy-post-submission |
| Estatik Real Estate Plugin | estatik |
| Event post | event-post |
| Event Tickets and Registration | event-tickets |
| Events Calendar Made Simple – Pie Calendar | pie-calendar |
| External Login | external-login |
| FileBird – WordPress Media Library Folders & File Manager | filebird |
| Find And Replace content for WordPress | find-and-replace-content |
| Flex QR Code Generator | flex-qr-code-generator |
| Free Follow-Up Emails & Marketing Automation for WooCommerce – ShopMagic | shopmagic-for-woocommerce |
| Front End Users | front-end-only-users |
| FunKItools | funkitools |
| GoCache | gocache-cdn |
| GSpeech TTS – WordPress Text To Speech Plugin | gspeech |
| Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns | essential-blocks |
| Headline Analyzer | headline-analyzer |
| Houzez Theme – Functionality | houzez-theme-functionality |
| Interactive Content – H5P | h5p |
| Keyy Two Factor Authentication (like Clef) | keyy |
| Kognetiks Chatbot | chatbot-chatgpt |
| LearnPress – WordPress LMS Plugin | learnpress |
| Library Management System | library-management-system |
| Link Whisper Free | link-whisper |
| Lisfinity Core – Lisfinity Core plugin used for pebas® Lisfinity WordPress theme | lisfinity-core |
| Login with YourMembership – YM SSO Login | login-with-yourmembership |
| MasterStudy LMS WordPress Plugin – for Online Courses and Education | masterstudy-lms-learning-management-system |
| MDTF – Meta Data and Taxonomies Filter | wp-meta-data-filter-and-taxonomy-filter |
| Media Library Assistant | media-library-assistant |
| MeetingHub for Zoom Meeting, Google Meet, Jitsi Meet, Webex, & Microsoft Teams \| The All-in-One Webinar & Video Conference Solution | meetinghub |
| Memberlite Shortcodes | memberlite-shortcodes |
| NextMove Lite – Thank You Page for WooCommerce | woo-thank-you-page-nextmove-lite |
| NikanWP WooCommerce Reporting | wc-reports-lite |
| Oceanpayment CreditCard Gateway | oceanpayment-creditcard-gateway |
| One Page Express Companion | one-page-express-companion |
| onOffice for WP-Websites | onoffice-for-wp-websites |
| Optimole – Optimize Images \| Convert WebP & AVIF \| CDN & Lazy Load \| Image Optimization | optimole-wp |
| Orion SMS OTP Verification | orion-sms-otp-verification |
| Outdoor | outdoor |
| Ova Advent | ova-advent |
| OwnID Passwordless Login | ownid-passwordless-login |
| Paid Videochat Turnkey Site – HTML5 PPV Live Webcams | ppv-live-webcams |
| Penci Bookmark & Follow | penci-bookmark-follow |
| Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) | buddyforms |
| PowerBI Embed Reports | embed-power-bi-reports |
| PPOM – Product Addons & Custom Fields for WooCommerce | woocommerce-product-addon |
| Product Catalog Simple | post-type-x |
| Product Table For WooCommerce | product-table-for-woocommerce |
| Quick Featured Images | quick-featured-images |
| Quick Social Login | quick-login |
| Raychat | raychat |
| Redirection for Contact Form 7 | wpcf7-redirect |
| Related Posts Lite | related-posts-lite |
| Reloadly Plugin | reloadly-topup-widget |
| replyMail | replymail |
| Reviews Widgets for Google & 45+ platforms by Repuso | social-testimonials-and-reviews-widget |
| Revive Social – Social Media Auto Post and Scheduling Automation Plugin | tweet-old-post |
| Rich Snippet Site Report | easysnippet |
| RTMKit | rometheme-for-elementor |
| Sendle Shipping Plugin | official-sendle-shipping-method |
| SEO合集(支持百度/Google/Bing/头条推送) | baiduseo |
| Shortcode Button | shortcode-button |
| ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF | shortpixel-image-optimiser |
| Simple Content Templates for Blog Posts & Pages | simple-post-template |
| Simple Job Board | simple-job-board |
| Simple Stripe | simple-stripe |
| Slick Google Map | slick-google-map |
| SmartCrawl SEO checker, analyzer & optimizer | smartcrawl-seo |
| SUMO Memberships for WooCommerce | sumomemberships |
| SureForms – Contact Form, Custom Form Builder, Calculator & More | sureforms |
| SureRank SEO – Smart Assistant with Meta Tags, Social Preview, XML Sitemap, and Schema | surerank |
| Tab Ultimate | tabs-pro |
| tagDiv Cloud Library | td-cloud-library |
| tagDiv Composer | td-composer |
| TARIFFUXX | tariffuxx |
| Task Scheduler | task-scheduler |
| TheGem Demo Import (for WPBakery) | thegem-importer |
| TheGem Theme Elements (for WPBakery) | thegem-elements |
| Theme Editor | theme-editor |
| Theme Importer | theme-importer |
| TopBar | topbar |
| Truelysell Core | truelysell-core |
| u-design-core | u-design-core |
| UiChemy — Figma Converter for Elementor, Gutenberg and Bricks | uichemy |
| UPC/EAN/GTIN Barcode Generator/Importer | upc-ean-barcode-generator |
| URLYar URL Shortner | urlyar |
| Voice Feedback – Voice Recorder for Audio Feedback | voice-feedback |
| WebinarPress – Webinar System for WordPress | wp-webinarsystem |
| Welcart e-Commerce | usc-e-shop |
| WhyDonate – FREE Donate button – Crowdfunding – Fundraising | wp-whydonate |
| Woocommerce Category and Products Accordion Panel | accordion-panel-for-category-and-products |
| WowRevenue – Product Bundles & Bulk Discounts | revenue |
| WP BookWidgets | wp-bookwidgets |
| WP Dashboard Chat | wp-dashboard-chat |
| WP Go Maps (formerly WP Google Maps) | wp-google-maps |
| WP Google Map Plugin | wp-google-map |
| WP jQuery Pager | wp-jquery-pdf-paged |
| WP Last Modified Info | wp-last-modified-info |
| WP SMS – Ultimate SMS & MMS Notifications, OTP, 2FA, and WooCommerce & Forms Integrations | wp-sms |
| Wp tabber widget | wp-tabber-widget |
| WP Travel Gutenberg Blocks | wp-travel-blocks |
| WP ViewSTL | wp-viewstl |
| WPBakery Page Builder | js_composer |
| WPBifröst – Instant Passwordless Temporary Login Links | create-temporary-login |
| WPC Smart Quick View for WooCommerce | woo-smart-quick-view |
| WPC Smart Wishlist for WooCommerce | woo-smart-wishlist |
| WPCasa | wpcasa |
| wpNamedUsers | wpnamedusers |
| XX2WP Integration Tools | fb2wp-integration-tools |
| Zip Attachments | zip-attachments |