Last week, there were 123 vulnerabilities disclosed in 114 WordPress Plugins and 2 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 55 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
Table of Contents
- New Firewalls
- Total Patched & Unpatched
- Total Vulnerabilities By CVSS
- Total Vulnerabilities By CWE
- WordPress Themes Vulnerabilities Reported
- WordPress Plugins Vulnerabilities Reported
New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
- WAF-RULE-874 – Data redacted while we work with the vendor on a patch.
- Gravity Forms <= 2.9.21.1 – Unauthenticated Arbitrary File Upload via Legacy Chunked Upload
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.
Total Unpatched & Patched Vulnerabilities Last Week
| Patch Status | Number of Vulnerabilities |
|---|---|
| Patched | 70 |
| Unpatched | 53 |
Total Vulnerabilities by CVSS Severity Last Week
| Severity Rating | Number of Vulnerabilities |
|---|---|
| Medium Severity | 104 |
| High Severity | 15 |
| Critical Severity | 4 |
Total Vulnerabilities by CWE Type Last Week
| Vulnerability Type by CWE | Number of Vulnerabilities |
|---|---|
| Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 44 |
| Missing Authorization | 27 |
| Cross-Site Request Forgery (CSRF) | 9 |
| Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 8 |
| Authorization Bypass Through User-Controlled Key | 7 |
| Exposure of Sensitive Information to an Unauthorized Actor | 4 |
| Improper Control of Generation of Code (‘Code Injection’) | 3 |
| Improper Privilege Management | 3 |
| Improper Authorization | 2 |
| Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | 2 |
| Unrestricted Upload of File with Dangerous Type | 2 |
| Client-Side Enforcement of Server-Side Security | 1 |
| Deserialization of Untrusted Data | 1 |
| Exposure of Private Personal Information to an Unauthorized Actor | 1 |
| External Control of File Name or Path | 1 |
| Improper Access Control | 1 |
| Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) | 1 |
| Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 1 |
| Insecure Storage of Sensitive Information | 1 |
| Insertion of Sensitive Information into Externally-Accessible File or Directory | 1 |
| Missing Authentication for Critical Function | 1 |
| URL Redirection to Untrusted Site (‘Open Redirect’) | 1 |
| Use of Insufficiently Random Values | 1 |
WordPress Themes with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
|---|---|
| Angel – Fashion Model Agency WordPress CMS Theme | angel |
| Lobo – WordPress Portfolio for Freelancers & Agencies | lobo |
WordPress Plugins with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
|---|---|
| 0 Day Analytics | 0-day-analytics |
| Add Multiple Marker | add-multiple-marker |
| AI Engine | ai-engine |
| AI-Powered Project Management & Task Manager with Kanban Board & Gantt Chart – WP Project Manager | wedevs-project-manager |
| All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic | all-in-one-seo-pack |
| Alt Text Generator AI – Auto Generate & Bulk Update Alt Texts For Images | alt-text-generator |
| Appointment Booking Calendar | appointment-booking-calendar |
| Asgaros Forum | asgaros-forum |
| Astra Security Suite – Firewall & Malware Scan | getastra |
| Authors List | authors-list |
| Auto Amazon Links – Amazon Associates Affiliate Plugin | amazon-auto-links |
| Blocksy Companion | blocksy-companion |
| Booking Calendar | booking |
| Booking Calendar | Appointment Booking | Bookit | bookit |
| Booking for Appointments and Events Calendar – Amelia | ameliabooking |
| Chart Expert | chart-expert |
| Chat Help – Click to Chat Button & Form | chat-help |
| Classified Listing – AI-Powered Classified ads & Business Directory Plugin | classified-listing |
| Comment Edit Core – Simple Comment Editing | simple-comment-editing |
| Contact Form Email | contact-form-to-email |
| Contest Gallery – Upload, Vote & Sell with PayPal and Stripe | contest-gallery |
| Convert WebP & AVIF | Quicq | Best image optimizer and compression plugin | Improve your Google Pagespeed | quicq |
| Coon Google Maps | coon-google-maps |
| Crypto Tool | crypto |
| CTL Arcade Lite | ctl-arcade-lite |
| Data Tables Generator by Supsystic | data-tables-generator-by-supsystic |
| db-access | db-access |
| Document Pro Elementor – Documentation & Knowledge Base | document-pro-elementor |
| donation | donation |
| Double the Donation – A workplace giving tool | double-the-donation |
| Easy Email Subscription | email-subscription-with-secure-captcha |
| Easy WordPress Funnel Builder To Collect Leads And Increase Sales – WPFunnels | wpfunnels |
| EasyCommerce – AI-Powered Ecommerce To Sell Physical & Digital Products | easycommerce |
| Elastic Theme Editor | elastic-theme-editor |
| Eventbee Ticketing Widget | eventbee-ticketing-widget |
| Featured Image | featured-image |
| Find Unused Images | find-unused-images |
| Five9 Live Chat | five9 |
| Fleet Manager | fleet |
| Flickr Show | wp-flickrshow |
| Gallery Plugin for WordPress – Envira Photo Gallery | envira-gallery-lite |
| GeoDirectory – WP Business Directory Plugin and Classified Listings Directory | geodirectory |
| Geopost | geopost |
| GitHub Gist Shortcode Plugin | github-gist-shortcode |
| Holiday class post calendar | holiday-class-post-calendar |
| Hydra Booking — Appointment Scheduling & Booking Calendar | hydra-booking |
| Image Gallery – Photo Grid & Video Gallery | modula-best-grid-gallery |
| Import any XML, CSV or Excel File to WordPress | wp-all-import |
| Include Fussball.de Widgets | include-fussball-de-widgets |
| Jeba Cute forkit | jeba-cute-forkit |
| LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes | lifterlms |
| Live Photos on WordPress | live-photos |
| Magazine Companion | bnm-blocks |
| MembershipWorks – Membership, Events & Directory | memberfindme |
| Mementor Core | mementor-core |
| My Geo Posts Free | my-geo-posts-free |
| Ninja Countdown | Fastest Countdown Builder | ninja-countdown |
| Nonaki – Drag and Drop Email Template builder and Newsletter plugin for WordPress | nonaki-email-template-customizer |
| Online Booking & Scheduling Calendar for WordPress by vcita | meeting-scheduler-by-vcita |
| Page Builder: Pagelayer – Drag and Drop website builder | pagelayer |
| Payment Plugins Braintree For WooCommerce | woo-payment-gateway |
| Paypal Donation Shortcode | paypal-donation-shortcode |
| PDF Builder for WooCommerce. Create invoices,packing slips and more | woo-pdf-invoice-builder |
| Poll Maker – Versus Polls, Anonymous Polls, Image Polls | poll-maker |
| Precise Columns | precise-columns |
| Preload Current Images | preload-current-images |
| Private Google Calendars | private-google-calendars |
| Progress Bar Blocks for Gutenberg | progressmatify-blocks |
| Qi Blocks | qi-blocks |
| RandomQuotr | randomquotr |
| Save as PDF Button | save-as-pdf |
| School Management System – WPSchoolPress | wpschoolpress |
| Select Core | select-core |
| Seriously Simple Podcasting | seriously-simple-podcasting |
| Share to Google Classroom | share-to-google-classroom |
| Shopkeeper Extender | shopkeeper-extender |
| Simple Donate | simple-donate |
| Skip to Timestamp | skip-to-timestamp |
| SKT Skill Bar | skt-skill-bar |
| Slippy Slider – Responsive Touch Navigation Slider | slippy-slider-responsive-touch-navigation-slider |
| SNORDIAN’s H5PxAPIkatchu | h5pxapikatchu |
| Specific Content For Mobile – Customize the mobile version without redirections | specific-content-for-mobile |
| Squirrels Auto Inventory | squirrels-auto-inventory |
| Stock Management for WooCommerce by Shelf Planner | shelf-planner |
| Stylish Cost Calculator – Quote Generator, Lead Gen & Price Estimator | stylish-cost-calculator |
| SureForms – Contact Form, Payment Form & Other Custom Form Builder | sureforms |
| Survey Maker | survey-maker |
| The Total Book Project | the-total-book-project |
| Theater for WordPress | theatre |
| Thumbnail Slider With Lightbox | wp-responsive-slider-with-lightbox |
| Timetable and Event Schedule by MotoPress | mp-timetable |
| TNC Toolbox: Web Performance | tnc-toolbox |
| Twitter Feed | ot-twitter-feed |
| Ungapped Widgets | ungapped-widgets |
| USB Qr Code Scanner For Woocommerce | usb-qr-code-scanner-for-woocommerce |
| Welcart e-Commerce | usc-e-shop |
| Wishlist and Save for later for Woocommerce | aco-wishlist-for-woocommerce |
| Wisly | wisly |
| Woffice Core | woffice-core |
| Woocommerce – Products By Custom Tax | woocommerce-products-by-custom-tax |
| WordPress Content Flipper | wp-flipper |
| WP BBCode | wp-bbcode |
| WP Bootstrap Tabs | wp-bootstrap-tabs |
| WP Count Down Timer | wp-count-down-timer |
| WP Custom Admin Login Page Logo | wp-custom-login-page-logo |
| WP Google Review Slider | wp-google-places-review-slider |
| WP Import – Ultimate CSV XML Importer for WordPress | wp-ultimate-csv-importer |
| WP Plugin Manager – Deactivate plugins per page | wp-plugin-manager |
| WP YouTube Lyte | wp-youtube-lyte |
| WP-Iconics | wp-iconics |
| WP-OAuth | wp-oauth |
| WP-Walla | wp-walla |
| WP移行専用プラグイン for CPI | cpi-wp-migration |
| YSlider | yslider |
Have ServiceNow & WordPress?
Purchase ServicePress Core and get ServicePress: Wordfence Security (add-on) for Free.