Last week, there were 76 vulnerabilities disclosed in 62 WordPress Plugins and 8 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 47 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
Table of Contents
- New Firewalls
- Total Patched & Unpatched
- Total Vulnerabilities By CVSS
- Total Vulnerabilities By CWE
- WordPress Themes Vulnerabilities Reported
- WordPress Plugins Vulnerabilities Reported

New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
- WAF-RULE-871 – Data redacted while we work with the vendor on a patch.
- Alone – Charity Multipurpose Non-profit WordPress Theme <= 7.8.3 – Missing Authorization to Unauthenticated Arbitrary File Upload via Plugin Installation (Extended Coverage)
- WAF-RULE-873 – Data redacted while we work with the vendor on a patch.
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30-day delay.
Total Unpatched & Patched Vulnerabilities Last Week
| Patch Status | Number of Vulnerabilities |
|---|---|
| Patched | 71 |
| Unpatched | 5 |
Total Vulnerabilities by CVSS Severity Last Week
| Severity Rating | Number of Vulnerabilities |
|---|---|
| Medium Severity | 48 |
| High Severity | 23 |
| Critical Severity | 5 |
Total Vulnerabilities by CWE Type Last Week
| Vulnerability Type by CWE | Number of Vulnerabilities |
|---|---|
| Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 21 |
| Missing Authorization | 17 |
| Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) | 7 |
| Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 4 |
| Exposure of Sensitive Information to an Unauthorized Actor | 3 |
| Unrestricted Upload of File with Dangerous Type | 3 |
| Authorization Bypass Through User-Controlled Key | 2 |
| Cross-Site Request Forgery (CSRF) | 2 |
| Improper Authorization | 2 |
| Improper Control of Generation of Code (‘Code Injection’) | 2 |
| Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 2 |
| Improper Privilege Management | 2 |
| Absolute Path Traversal | 1 |
| Authentication Bypass Using an Alternate Path or Channel | 1 |
| Client-Side Enforcement of Server-Side Security | 1 |
| Deserialization of Untrusted Data | 1 |
| External Control of File Name or Path | 1 |
| Improper Output Neutralization for Logs | 1 |
| Incorrect Authorization | 1 |
| Protection Mechanism Failure | 1 |
| Server-Side Request Forgery (SSRF) | 1 |

WordPress Themes with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
|---|---|
| Consulting | consulting |
| KALLYAS – Creative eCommerce Multi-Purpose WordPress Theme | kallyas |
| kleo | kleo |
| Masterstudy – Education WordPress Theme | masterstudy |
| Noo JobMonster | noo-jobmonster |
| Sahifa | sahifa |
| SmartMag – Newspaper Magazine & News WordPress | smart-mag |
| WpResidence | wpresidence |
WordPress Plugins with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
|---|---|
| Advanced Ads – Ad Manager & AdSense | advanced-ads |
| Analytify Pro | wp-analytify-pro |
| Anti-Malware Security and Brute-Force Firewall | gotmls |
| AppPresser – Mobile App Framework | apppresser |
| Auto Featured Image (Auto Post Thumbnail) | auto-post-thumbnail |
| Booking and Rental Manager for Bike \| Car \| Resort \| Appointment \| Dress \| Equipment | booking-and-rental-manager-for-woocommerce |
| Call Now Button – The #1 Click to Call Button for WordPress | call-now-button |
| Community Events | community-events |
| Consulting Elementor Widgets | consulting-elementor-widgets |
| CSS & JavaScript Toolbox | css-javascript-toolbox |
| Doccure Core | doccure |
| Document Library Lite | document-library-lite |
| Easy Testimonial Slider and Form | easy-testimonial-rotator |
| Employee Spotlight – Team Member Showcase & Meet the Team Plugin | employee-spotlight |
| ERI File Library | eri-file-library |
| Facebook for WooCommerce | facebook-for-woocommerce |
| Flying Images: Optimize and Lazy Load Images for Faster Page Speed | nazy-load |
| Folderly | folderly |
| FuseWP – WordPress User Sync to Email List & Marketing Automation (Mailchimp, Constant Contact, ActiveCampaign etc.) | fusewp |
| Groundhogg — CRM, Newsletters, and Marketing Automation | groundhogg |
| HUSKY – Products Filter Professional for WooCommerce | woocommerce-products-filter |
| IDonate – Blood Donation, Request And Donor Management System | idonate |
| Import WP – Export and Import CSV and XML files to WordPress | jc-importer |
| Inactive Logout | inactive-logout |
| Insert PHP Code Snippet | insert-php-code-snippet |
| Jannah – Extensions | jannah-extensions |
| K Elements | k-elements |
| King Addons for Elementor – 4,000+ ready Elementor sections, 650+ templates, 70+ FREE widgets for Elementor | king-addons |
| List category posts | list-category-posts |
| LiteSpeed Cache | litespeed-cache |
| NS Maintenance Mode for WP | ns-maintenance-mode-for-wp |
| OOPSpam Anti-Spam: Spam Protection for WordPress Forms & Comments (No CAPTCHA) | oopspam-anti-spam |
| Polylang | polylang |
| Popup and Slider Builder by Depicter – Add Email collecting Popup, Popup Modal, Coupon Popup, Image Slider, Carousel Slider, Post Slider Carousel | depicter |
| Popup Box – Create Countdown, Coupon, Video, Contact Form Popups | ays-popup-box |
| Post SMTP – Complete SMTP Solution with Logs, Alerts, Backup SMTP & Mobile App | post-smtp |
| Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WP Legal Pages | wplegalpages |
| Qi Blocks | qi-blocks |
| Qzzr Shortcode Plugin | qzzr-shortcode |
| Range Slider Addon for Gravity Forms | range-slider-addon-for-gravity-forms |
| RESTful Content Syndication | restful-syndication |
| Schema & Structured Data for WP & AMP | schema-and-structured-data-for-wp |
| Schema Scalpel | schema-scalpel |
| Service Finder Bookings | sf-booking |
| Simple Payment | simple-payment |
| Site Checkup Debug AI Troubleshooting with Wizard and Tips for Each Issue | site-checkup |
| SiteSEO – SEO Simplified | siteseo |
| Smart Coupons For WooCommerce Coupons | wt-smart-coupons-for-woocommerce |
| Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent | tablesome |
| The Events Calendar | the-events-calendar |
| Thumbnail Slider With Lightbox | wp-responsive-slider-with-lightbox |
| Translate WordPress and go Multilingual – Weglot | weglot |
| Web Accessibility by accessiBe | accessibe |
| WooCommerce | woocommerce |
| WooCommerce Designer Pro | wc-designer-pro |
| WordPress User Extra Fields | wp-user-extra-fields |
| WP Delicious – Recipe Plugin for Food Bloggers (formerly Delicious Recipes) | delicious-recipes |
| WP Discourse | wp-discourse |
| WPC Name Your Price for WooCommerce | wpc-name-your-price |
| WPCOM Member | wpcom-member |
| wpForo Forum | wpforo |
| Zombify | zombify |