Last week, 114 vulnerabilities disclosed in 84 WordPress plugins and 16 WordPress themes were added to the Wordfence Intelligence Vulnerability Database, and 47 vulnerability researchers contributed to WordPress security. Review the vulnerabilities in this report now to ensure your site is not affected.
Table of Contents
- New Firewalls
- Total Patched & Unpatched
- Total Vulnerabilities By CVSS
- Total Vulnerabilities By CWE
- WordPress Themes Vulnerabilities Reported
- WordPress Plugins Vulnerabilities Reported

New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real time to our Premium, Care, and Response customers last week:
- WAF-RULE-865 – Data redacted while we work with the vendor on a patch.
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30-day delay.
Total Unpatched & Patched Vulnerabilities Last Week
| Patch Status | Number of Vulnerabilities |
|---|---|
| Patched | 75 |
| Unpatched | 39 |
Total Vulnerabilities by CVSS Severity Last Week
| Severity Rating | Number of Vulnerabilities |
|---|---|
| Low Severity | 1 |
| Medium Severity | 81 |
| High Severity | 24 |
| Critical Severity | 8 |
Total Vulnerabilities by CWE Type Last Week
| Vulnerability Type by CWE | Number of Vulnerabilities |
|---|---|
| Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 35 |
| Missing Authorization | 19 |
| Cross-Site Request Forgery (CSRF) | 11 |
| Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 10 |
| Exposure of Sensitive Information to an Unauthorized Actor | 8 |
| Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) | 7 |
| Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 3 |
| Improper Privilege Management | 3 |
| Authorization Bypass Through User-Controlled Key | 2 |
| Deserialization of Untrusted Data | 2 |
| Authentication Bypass Using an Alternate Path or Channel | 1 |
| External Control of File Name or Path | 1 |
| Improper Control of Generation of Code (‘Code Injection’) | 1 |
| Improper Neutralization of Formula Elements in a CSV File | 1 |
| Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | 1 |
| Incorrect Authorization | 1 |
| Incorrect Privilege Assignment | 1 |
| Insertion of Sensitive Information into Log File | 1 |
| Missing Authentication for Critical Function | 1 |
| Protection Mechanism Failure | 1 |
| Relative Path Traversal | 1 |
| Server-Side Request Forgery (SSRF) | 1 |
| Unrestricted Upload of File with Dangerous Type | 1 |
| URL Redirection to Untrusted Site (‘Open Redirect’) | 1 |

WordPress Themes with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
|---|---|
| Betheme | betheme |
| Enzy – Multipurpose WooCommerce WordPress Theme | enzy |
| Grevo – Electric Vehicle Charging WordPress Theme | grevo |
| HomeRoofer | homeroofer |
| Joly – Hairdresser & Beauty Salon WordPress Theme | joly |
| Karzo | karzo |
| Neuronet – AI Business & Startup WordPress Theme | neuronet |
| Newsup | newsup |
| Noisa | noisa |
| Search & Go – Directory WordPress Theme | search-and-go |
| Sonaar | sonaar |
| TheGem – Creative Multi-Purpose & WooCommerce WordPress Theme | thegem-elementor |
| Togo – Travel & Tour Booking WordPress Theme | togo |
| Woodmart | woodmart |
| Xcare – Medical and Health Care WordPress Theme | xcare |
| xSmart – App Landing Page WordPress Theme in Tech Presentation, Promo Marketing & Advertising Agency | xsmart |
WordPress Plugins with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
|---|---|
| Activity Plus Reloaded for BuddyPress | bp-activity-plus-reloaded |
| Advanced Scrollbar – Custom Scrollbar Styling and Behavior | advanced-scrollbar |
| AI ChatBot with ChatGPT and Content Generator by AYS | ays-chatgpt-assistant |
| All In One Login — WP Admin Login Page Security and Customization with Google reCAPTCHA, Social Login, Limit Login Attempt, 2FA, and more. | change-wp-admin-login |
| AnyComment | anycomment |
| APPExperts – Mobile App Builder for WordPress | WooCommerce to iOS and Android Apps | appexperts |
| Awesome Testimonials | awesome-testimonials |
| Blocksy Companion | blocksy-companion |
| Blox Lite | blox-lite |
| Chartify – WordPress Chart Plugin | chart-builder |
| CM Registration – Tailored tool for seamless login and invitation-based registrations | cm-invitation-codes |
| Code Quality Control Tool | code-quality-control-tool |
| Colibri Page Builder | colibri-page-builder |
| Community Events | community-events |
| Contest Gallery – Upload, Vote & Sell with PayPal and Stripe | contest-gallery |
| Cookie Notice & Consent | cookie-notice-consent |
| Course Redirects for Learndash Plugin | course-redirects-for-learndash |
| Custom 404 Pro | custom-404-pro |
| Custom CSS | custom-css-editor |
| Date counter | date-counter |
| Did Prestashop Display – Show Prestashop products in your WordPress | did-prestashop-display |
| Doppler Forms | doppler-form |
| Draft List | simple-draft-list |
| Easy Plugin Stats | easy-plugin-stats |
| Emails Catch All | emails-catch-all |
| Enable Media Replace | enable-media-replace |
| Error Log Viewer by BestWebSoft | error-log-viewer |
| Events Maker by dFactory | events-maker |
| Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin | everest-backup |
| Featured Image from URL (FIFU) | featured-image-from-url |
| Fix Multiple Redirects | fix-multiple-redirects |
| GSheetConnector For Gravity Forms | gsheetconnector-gravity-forms |
| Lisfinity Core – Lisfinity Core plugin used for pebas® Lisfinity WordPress theme | lisfinity-core |
| MapSVG – Vector maps, Image maps, Google Maps | mapsvg-lite-interactive-vector-maps |
| Masterstudy Elementor Widgets | masterstudy-elementor-widgets |
| MasterStudy LMS Pro | masterstudy-lms-learning-management-system-pro |
| MeetingHub for Zoom Meeting, Google Meet, Jitsi Meet, Webex, & Microsoft Teams | The All-in-One Webinar & Video Conference Solution | meetinghub |
| Motors – Car Dealership & Classified Listings Plugin | motors-car-dealership-classified-listings |
| MSN Partner Hub | microsoft-start |
| MSTW CSV EXPORTER | mstw-csv-exporter |
| My auctions allegro | my-auctions-allegro-free-edition |
| NEX-Forms – Ultimate Forms Plugin for WordPress | nex-forms-express-wp-form-builder |
| Next Page, Not Next Post | next-page-not-next-post |
| Open Close Store for WooCommerce – Business Hours Schedules Manager | woc-open-close |
| Open Currency Converter | artiss-currency-converter |
| Ovatheme Events Manager | ova-events-manager |
| Page Blocks | page-blocks |
| Password only login | password-only-login |
| WP Business Hours | wp-business-hours |
| Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers | popup-builder-block |
| Post List Featured Image | post-list-featured-image |
| Progress Planner | progress-planner |
| Publitio | publitio |
| RealPress – Real Estate Plugin | realpress |
| RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login | custom-registration-form-builder-with-submission-manager |
| Reoon Email Verifier | reoon-email-verifier |
| Search & Filter | search-filter |
| Simple Finance Calculator | simple-finance-calculator |
| Slider Revolution | revslider |
| Smash Balloon Social Post Feed – Simple Social Feeds for WordPress | custom-facebook-feed |
| Stock History & Reports Manager for WooCommerce | stock-snapshot-for-woocommerce |
| Survey Maker | survey-maker |
| Table Block by RioVizual – Comparison Table, Pricing Table, and Pros & Cons Box for Gutenberg | riovizual |
| tagDiv Composer | td-composer |
| Trinity Audio – Text to Speech AI audio player to convert content into audio | trinity-audio |
| Ultimate Addons for WPBakery | Ultimate_VC_Addons |
| Web Accessibility by accessiBe | accessibe |
| Welcart e-Commerce | usc-e-shop |
| WidgetPack Comment System | widgetpack-comment-system |
| WooCommerce Designer Pro | wc-designer-pro |
| WordPress Live Webcam Widget & Shortcode | wp-webcam-widget-shortcode |
| WP Easy Toggles | wp-easy-toggles |
| WP Freeio | wp-freeio |
| WP Gmail SMTP | wp-gmail-smtp |
| WP Go Maps (formerly WP Google Maps) | wp-google-maps |
| WP JobHunt | wp-jobhunt |
| WP Links Page | wp-links-page |
| WP Mapbox GL JS Maps | wp-mapbox-gl-js |
| WP Reset | wp-reset |
| WP Scraper | wp-scraper |
| WP Travel Engine – Tour Booking Plugin – Tour Operator Software | wp-travel-engine |
| WPC Smart Wishlist for WooCommerce | woo-smart-wishlist |
| WSAnalytics – Google Analytics And Dashboards | wsanalytics-google-analytics-and-dashboards |
| YOP Poll | yop-poll |