Last week, 120 vulnerabilities disclosed in 111 WordPress plugins and 4 WordPress themes were added to the Wordfence Intelligence Vulnerability Database, with 53 vulnerability researchers contributing to WordPress security over the week. Review the affected software listed in this report now to check whether your site is affected.
Table of Contents
- New Firewalls
- Total Patched & Unpatched
- Total Vulnerabilities By CVSS
- Total Vulnerabilities By CWE
- WordPress Themes Vulnerabilities Reported
- WordPress Plugins Vulnerabilities Reported

New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
- WAF-RULE-869 – Data redacted while we work with the vendor on a patch.
- WAF-RULE-870 – Data redacted while we work with the vendor on a patch.
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.
Total Unpatched & Patched Vulnerabilities Last Week
| Patch Status | Number of Vulnerabilities |
|---|---|
| Patched | 77 |
| Unpatched | 43 |
Total Vulnerabilities by CVSS Severity Last Week
| Severity Rating | Number of Vulnerabilities |
|---|---|
| Low Severity | 2 |
| Medium Severity | 101 |
| High Severity | 13 |
| Critical Severity | 4 |
Total Vulnerabilities by CWE Type Last Week
| Vulnerability Type by CWE | Number of Vulnerabilities |
|---|---|
| Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 49 |
| Missing Authorization | 20 |
| Cross-Site Request Forgery (CSRF) | 9 |
| Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 8 |
| Server-Side Request Forgery (SSRF) | 6 |
| Improper Authorization | 5 |
| Exposure of Sensitive Information to an Unauthorized Actor | 3 |
| Unrestricted Upload of File with Dangerous Type | 3 |
| Authorization Bypass Through User-Controlled Key | 2 |
| Improper Control of Generation of Code (‘Code Injection’) | 2 |
| Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | 2 |
| Deserialization of Untrusted Data | 1 |
| Improper Access Control | 1 |
| Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) | 1 |
| Improper Input Validation | 1 |
| Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 1 |
| Improper Neutralization of Formula Elements in a CSV File | 1 |
| Improper Privilege Management | 1 |
| Incorrect Authorization | 1 |
| Incorrect Privilege Assignment | 1 |
| Insertion of Sensitive Information into Log File | 1 |
| URL Redirection to Untrusted Site (‘Open Redirect’) | 1 |

WordPress Themes with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
|---|---|
| Bard – A Theatre and Performing Arts WordPress Theme | bardwp |
| Listeo – Directory & Listings With Booking – WordPress Theme | listeo |
| Open Source Genesis Framework | genesis |
| The7 — Website and eCommerce Builder for WordPress | dt-the7 |
WordPress Plugins with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
|---|---|
| Academy LMS Pro | academy-pro |
| ACF to REST API | acf-to-rest-api |
| Advanced Database Cleaner | advanced-database-cleaner |
| AI Chatbot Free Models – Customer Support, Live Chat, Virtual Assistant | chatbot-ai-free-models |
| AIO Forms – Craft Complex Forms Easily | all-in-one-forms |
| Ajax Search Lite – Live Search & Filter | ajax-search-lite |
| All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier | aio-time-clock-lite |
| BackWPup – WordPress Backup & Restore Plugin | backwpup |
| Beaver Builder Plugin (Starter Version) | bb-plugin |
| Bg Book Publisher | bg-book-publisher |
| Bold Page Builder | bold-page-builder |
| Builderall for WordPress | builderall-cheetah-for-wp |
| Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More | charitable |
| Check Plagiarism | check-plagiarism |
| Cinza Grid | cinza-grid |
| Client Invoicing by Sprout Invoices – Easy Estimates and Invoices for WordPress | sprout-invoices |
| Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings | directorist |
| Disable Content Editor For Specific Template | disable-contect-editor-for-specific-template |
| Discussion Board – WordPress Forum Plugin | wp-discussion-board |
| Dynamic User Directory | dynamic-user-directory |
| Easy Social Share Buttons for WordPress | easy-social-share-buttons3 |
| Element Pack Addons for Elementor | bdthemes-element-pack-lite |
| Email Subscription Popup | email-subscribe |
| Email Tracker – Email Log, Email Open Tracking, Email Analytics & Email Management for WordPress Emails | email-tracker |
| eRoom – Webinar & Meeting Plugin for Zoom, Google Meet, Microsoft Teams | eroom-zoom-meetings-webinar |
| FanBridge signup | fanbridge-signup |
| Fast Velocity Minify | fast-velocity-minify |
| Flexible Refund and Return Order for WooCommerce | flexible-refund-and-return-order-for-woocommerce |
| FuseWP – WordPress User Sync to Email List & Marketing Automation (Mailchimp, Constant Contact, ActiveCampaign etc.) | fusewp |
| GenerateBlocks | generateblocks |
| Gutenberg | gutenberg |
| Gutenberg Blocks – PublishPress Blocks Controls, Visibility, Reusable Blocks | advanced-gutenberg |
| HAPPY – Helpdesk Support Ticket System | happy-helpdesk-support-ticket-system |
| IndieAuth | indieauth |
| JB News Ticker | jb-news-ticker |
| King Addons for Elementor – 4,000+ ready Elementor sections, 650+ templates, 70+ FREE widgets for Elementor | king-addons |
| KiotViet Sync | kiotvietsync |
| LLM Hubspot Blog Import | llm-hubspot-blog-import |
| MasterStudy LMS WordPress Plugin – for Online Courses and Education | masterstudy-lms-learning-management-system |
| Material Design Iconic Font Integration | material-design-iconic-font-integration |
| MDTF – Meta Data and Taxonomies Filter | wp-meta-data-filter-and-taxonomy-filter |
| Microsoft Azure Storage for WordPress | windows-azure-storage |
| Mixlr Shortcode | mixlr-shortcode |
| Multi Item Responsive Slider | mislider |
| MxChat – AI Chatbot for WordPress | mxchat-basic |
| Name: Print Button Shortcode | print-button-shortcode |
| NGINX Cache Optimizer | nginx-cache-optimizer |
| NS Maintenance Mode for WP | ns-maintenance-mode-for-wp |
| Oboxmedia Ads | oboxmedia-ads |
| Originality.ai AI Checker | originality-ai |
| Password Policy Manager \| Password Manager | password-policy-manager |
| Password Protected — Lock Entire Site, Pages, Posts, Categories, and Partial Content | password-protected |
| Persian Admnin Fonts | persian-admin-fonts |
| Photographers galleries | photographers-galleries |
| PixelYourSite – Your smart PIXEL (TAG) & API Manager | pixelyoursite |
| Playerzbr | playerzbr |
| Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers | popup-builder-block |
| Posts By Tag | posts-by-tag |
| PowerPress Podcasting plugin by Blubrry | powerpress |
| Product Filter by WBW | woo-product-filter |
| qnotsquiz | qnotsquiz |
| Quickcreator – AI Blog Writer | quickcreator |
| RapidResult | rapidresult |
| Real Cookie Banner: GDPR & ePrivacy Cookie Consent | real-cookie-banner |
| Responsive iframe GoogleMap | responsive-iframe-googlemap |
| Responsive Progress Bar | responsive-progress-bar |
| RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator | feedzy-rss-feeds |
| ShopEngine Elementor WooCommerce Builder Addon – All in One WooCommerce Solution | shopengine |
| ShopLentor – WooCommerce Builder for Elementor & Gutenberg +21 Modules – All in One Solution (formerly WooLentor) | woolentor-addons |
| Simple Banner – Easily add multiple Banners/Bars/Notifications/Announcements to the top or bottom of your website | simple-banner |
| Simple Business Data | simple-business-data |
| Simple Excel Pricelist for WooCommerce | simple-excel-pricelist-for-woocommerce |
| Simple Pull Quote | simple-pull-quote |
| Simple Registration for WooCommerce | woocommerce-simple-registration |
| Simple Tableau Viz | simple-tableau-viz |
| Simple Youtube Shortcode | simple-youtube-shortcode |
| Slider Templates | slider-templates |
| SM CountDown Widget | smcountdown |
| Social Feed Gallery | insta-gallery |
| SpendeOnline.org | spendeonline |
| ST Categories Widget | st-category-wp |
| Stockie Extra | stockie-extra |
| Stripe Payment Forms by WP Full Pay – Accept Credit Card Payments, Donations & Subscriptions | wp-full-stripe-free |
| Supervisor | supervisor |
| Testimonial Carousel For Elementor | testimonials-carousel-elementor |
| This-or-That | this-or-that |
| Time Clock – A WordPress Employee & Volunteer Time Clock Plugin | time-clock |
| Tutor LMS Pro | tutor-pro |
| Tutor LMS – eLearning and online course solution | tutor |
| URL Shortener Plugin For WordPress | exact-links |
| User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds | userfeedback-lite |
| VikBooking Hotel Booking Engine & PMS | vikbooking |
| VNPAY Payment gateway | vnpay-for-woocommerce |
| Watu Quiz | watu |
| Welcart e-Commerce | usc-e-shop |
| WhyDonate – FREE Donate button – Crowdfunding – Fundraising | wp-whydonate |
| Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets | widget-options |
| WooCommerce Designer Pro | wc-designer-pro |
| WP AD Gallery | wp-ad-gallery |
| WP AdCenter – Ad Manager & Adsense Ads | wpadcenter |
| WP Gravity Forms Zoho CRM and Bigin | gf-zoho |
| WP Responsive Meet The Team | wp-responsive-meet-the-team |
| WP Restaurant Listings | wp-restaurant-listings |
| WP VR – 360 Panorama and Free Virtual Tour Builder For WordPress | wpvr |
| WP-Force Images Download | wp-force-images-download |
| WP-Thumbnail | wp-thumbnail |
| WPC Countdown Timer for WooCommerce | wpc-countdown-timer |
| WPComplete | wpcomplete |
| wpForo Forum | wpforo |
| WPMobile.App | wpappninja |
| ZoloBlocks – Gutenberg Block Editor Plugin with Advanced Blocks, Dynamic Content, Templates & Patterns | zoloblocks |
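The check this report asks for is a set intersection: take the slugs of the plugins and themes installed on a site and look them up in the slug tables above. The script below is an added example, not Wordfence tooling or code from the original page. It parses name/slug rows in the markdown table format used above and compares them against the output of `wp plugin list --format=json` (the `name` field of WP-CLI's plugin list is the plugin directory name, i.e. the slug); both the report excerpt and the WP-CLI output embedded here are constructed samples. Because the report lists software names only and not affected versions, a match means "look up this slug in the vulnerability database and confirm the installed version is patched", not "confirmed vulnerable".

```python
import json
import re
from pathlib import Path

# Constructed excerpt of this report's slug tables (a few rows from the theme and
# plugin tables; the format is the same "| Software Name | Software Slug |" layout).
REPORT_TABLES = r"""
| Software Name | Software Slug |
|---|---|
| Open Source Genesis Framework | genesis |
| The7 — Website and eCommerce Builder for WordPress | dt-the7 |
| BackWPup – WordPress Backup & Restore Plugin | backwpup |
| Gutenberg | gutenberg |
| Password Policy Manager \| Password Manager | password-policy-manager |
| wpForo Forum | wpforo |
"""

# Constructed sample of `wp plugin list --format=json --fields=name,status`;
# `wp theme list` produces the same shape and can be merged in the same way.
WP_PLUGIN_LIST_JSON = json.dumps([
    {"name": "akismet", "status": "active"},
    {"name": "backwpup", "status": "active"},
    {"name": "wpforo", "status": "inactive"},
    {"name": "hello-dolly", "status": "inactive"},
])

# A data row: "| <name> | <slug> |". The slug must start with a lowercase letter or
# digit, which excludes the header row ("Software Slug") and the "|---|---|" divider.
# The name group is non-greedy, so an escaped "\|" inside a name is kept with the name.
ROW = re.compile(r"^\|\s*(.+?)\s*\|\s*([a-z0-9][a-z0-9._-]*)\s*\|$")


def parse_report_slugs(text):
    """Return {slug: software name} for every data row of a name/slug table."""
    slugs = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        name, slug = m.groups()
        slugs[slug] = name.replace(r"\|", "|")
    return slugs


def installed_from_wp_cli(json_text):
    """Return {slug: status} from WP-CLI's JSON plugin/theme list."""
    return {entry["name"]: entry.get("status", "unknown") for entry in json.loads(json_text)}


def installed_from_dir(plugins_dir):
    """Fallback without WP-CLI: each subdirectory of wp-content/plugins is a slug.
    Status is unknown here, so every match is reported."""
    return {p.name: "unknown" for p in Path(plugins_dir).iterdir() if p.is_dir()}


def find_matches(installed, report):
    """Sorted (slug, status, report name) for installed software that appears in the report.
    Inactive matches are kept: the code is still on disk and can be reactivated."""
    return sorted((slug, status, report[slug]) for slug, status in installed.items() if slug in report)


if __name__ == "__main__":
    report = parse_report_slugs(REPORT_TABLES)
    installed = installed_from_wp_cli(WP_PLUGIN_LIST_JSON)
    for slug, status, name in find_matches(installed, report):
        print(f"{slug:30} {status:10} {name}")
```

To run it against a live site, replace the constructed JSON with the real output of `wp plugin list --format=json --fields=name,status` (and `wp theme list` for the theme table) and paste the full tables from this report into `REPORT_TABLES`; any slug the script prints should then be checked against its entry in the vulnerability database for the affected and patched versions.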