Last week, there were 197 vulnerabilities disclosed in 161 WordPress Plugins and 33 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 48 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
Table of Contents
- New Firewalls
- Total Patched & Unpatched
- Total Vulnerabilities By CVSS
- Total Vulnerabilities By CWE
- WordPress Themes Vulnerabilities Reported
- WordPress Plugins Vulnerabilities Reported
Have ServiceNow & WordPress? Purchase ServicePress Core and get ServicePress: Wordfence Security (add-on) for Free.
New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
- Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.44.2 – Unauthenticated Arbitrary File Deletion Triggered via Administrator Form Submission Deletion
- WAF-RULE-854 – Data redacted while we work with the vendor on a patch.
- WAF-RULE-855 – Data redacted while we work with the vendor on a patch.
- WAF-RULE-857 – Data redacted while we work with the vendor on a patch.
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.
Total Unpatched & Patched Vulnerabilities Last Week
| Patch Status | Number of Vulnerabilities |
|---|---|
| Patched | 58 |
| Unpatched | 139 |
Total Vulnerabilities by CVSS Severity Last Week
| Severity Rating | Number of Vulnerabilities |
|---|---|
| Medium Severity | 138 |
| High Severity | 49 |
| Critical Severity | 10 |
Total Vulnerabilities by CWE Type Last Week
| Vulnerability Type by CWE | Number of Vulnerabilities |
|---|---|
| Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 76 |
| Cross-Site Request Forgery (CSRF) | 36 |
| Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) | 32 |
| Missing Authorization | 19 |
| Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 9 |
| Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 6 |
| Deserialization of Untrusted Data | 4 |
| Authorization Bypass Through User-Controlled Key | 3 |
| Exposure of Sensitive Information to an Unauthorized Actor | 3 |
| Absolute Path Traversal | 2 |
| Unrestricted Upload of File with Dangerous Type | 2 |
| Authentication Bypass Using an Alternate Path or Channel | 1 |
| Improper Control of Generation of Code (‘Code Injection’) | 1 |
| Improper Privilege Management | 1 |
| Server-Side Request Forgery (SSRF) | 1 |
| Unverified Password Change | 1 |
Have ServiceNow & WordPress? Purchase ServicePress Core and get ServicePress: Wordfence Security (add-on) for Free.
WordPress Themes with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
|---|---|
| Amely – Fashion Shop WordPress Theme for WooCommerce | amely |
| Blogbyte | blogbyte |
| Blogmine | blogmine |
| Blogprise | blogprise |
| Blogty | blogty |
| Blogvy | blogvy |
| CityGov – City Government & Municipal WordPress Theme | citygov |
| Constructor | constructor |
| Domnoo – Pizza & Restaurant WordPress Theme | domnoo |
| DWT – Directory & Listing WordPress Theme | dwt-listing |
| Elessi – WooCommerce AJAX WordPress Theme – RTL support | elessi-theme |
| GreenMart – Organic & Food WooCommerce WordPress Theme | greenmart |
| Homey | homey |
| Katerio – Magazine & Blog WordPress Theme | katerio |
| LMS – Education WordPress Theme | lms |
| MagOne | magone |
| Magty | magty |
| Magways | magways |
| Magze | magze |
| MBStore – Digital WooCommerce WordPress Theme | mbstore |
| Nuss – Hotel Booking WordPress | nuss |
| Pressroom – News Magazine WordPress Theme | pressroom |
| PrintXtore – Printing Services & Design Online WordPress WooCommerce Theme | bw-printxtore |
| Puca – Optimized Mobile WooCommerce Theme | puca |
| RealtyElite – Real Estate & Property Sales WordPress Theme | realtyelite |
| Red Art | Artist Portfolio WordPress | redart |
| Sala – Startup & SaaS WordPress Theme | sala |
| Samex – Clean, Minimal Shop WooCommerce WordPress Theme | samex |
| Seven Stars – Modern Responsive MultiPurpose Theme | sevenstars |
| SNS Vicky – Cosmetic WooCommerce WordPress Theme | snsvicky |
| Sofass – Elementor WooCommerce WordPress Theme | sofass |
| Zenny – Jewelry, Watches & Glasses Elementor WooCommerce WordPress Theme | bw-zenny |
| Zita | zita |
| Software Name | Software Slug |
|---|---|
| Fitness Park | fitness-park |
| Hello FSE Blog | hello-fse-blog |
| HYDRO – One Page Portfolio WordPress Theme | hydro |
| OceanWP | oceanwp |
| Spark Multipurpose | spark-multipurpose |
WordPress Plugins with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
|---|---|
| A/B Testing for WordPress | ab-testing-for-wp |
| Abandoned Contact Form 7 | abandoned-contact-form-7 |
| Accept Authorize.NET Payments Using Contact Form 7 | accept-authorize-net-payments-using-contact-form-7 |
| Accept Stripe Payments Using Contact Form 7 | accept-stripe-payments-using-contact-form-7 |
| Add & Replace Affiliate Links for Amazon | add-replace-affiliate-links-for-amazon |
| Additional Order Filters for WooCommerce | additional-order-filters-for-woocommerce |
| Address Autocomplete via Google for Gravity Forms | gf-google-address-autocomplete |
| AI ChatBot for WordPress – WPBot | chatbot |
| Aiomatic – Automatic AI Content Writer & Editor, GPT-3 & GPT-4, ChatGPT ChatBot & AI Toolkit | aiomatic-automatic-ai-content-writer |
| Aioseo Multibyte Descriptions | aioseo-multibyte-descriptions |
| Amazon Products to WooCommerce | import-products-to-wc |
| Audio Editor & Recorder | audio-editor-recorder |
| Beauty Contact Popup Form | beauty-contact-popup-form |
| BeeTeam368 Extensions | beeteam368-extensions |
| BeeTeam368 Extensions Pro | beeteam368-extensions-pro |
| BRW – Booking Rental Plugin WooCommerce | ova-brw |
| Burst Statistics – Privacy-Friendly Analytics for WordPress | burst-statistics |
| Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More | charitable |
| CMS Blocks | cms-blocks |
| Conference Scheduler | conference-scheduler |
| Contact Form – 7 : Hide Success Message | contact-form-7-hide-success-message |
| Content Manager Light | content-manager-light |
| Content No Cache | Serve uncached partial content even when you add it to a page that is fully cached. | content-no-cache |
| Cron Logger | cron-logger |
| CTUsers | ctuser |
| Cyrlitera – transliteration of links and file names | cyrlitera |
| Dashboard Widget Sidebar | dashboard-widget-sidebar |
| Davenport – Versatile Blog and Magazine WordPress Theme | davenport |
| Devnex Addons For Elementor | devnex-addons-for-elementor |
| DirectIQ Email Marketing | directiq-wp |
| Download Manager and Payment Form WordPress Plugin – WP SmartPay | smartpay |
| Drive Folder Embedder | drive-folder-embeder |
| e.nigma buttons | enigma-buttons |
| EC Stars Rating | ec-stars-rating |
| Evangelische Termine | evangtermine |
| Event Manager, Events Calendar, Booking, Registrations and Tickets – Eventin | wp-event-solution |
| Event RSVP and Simple Event Management Plugin | wp-easy-events |
| Everest Forms Pro | everest-forms-pro |
| EZ SQL Reports Shortcode Widget and DB Backup | elisqlreports |
| File Manager Plugin For WordPress | file-manager-plugin-for-wordpress |
| FL3R Accessibility Suite | fl3r-accessibility-suite |
| Flexo Counter | flexo-countdown |
| Football Pool | football-pool |
| Free Downloads EDD | free-downloads-edd |
| Frontend Admin by DynamiApps | acf-frontend-form-element |
| FW Food Menu – Responsive food menu with ordering & delivery solutions | fw-food-menu |
| FW Gallery – Photo, video, audio media presentation and management system with players and slideshow | fw-gallery |
| Game Users Share Buttons | game-users-share-buttons |
| GC Social Wall | gc-social-wall |
| GG Bought Together for WooCommerce | gg-bought-together |
| Gmedia Photo Gallery | grand-media |
| Guest posting / Frontend Posting / Front Editor – WP Front User Submit | front-editor |
| Hide Admin Bar From Front End | hide-admin-bar-from-front-end |
| HidePost | hidepost |
| Homerunner | homerunner-smartcheckout |
| Hotel Booking | nd-booking |
| Hover Effects – easily create any hover effect | hover-effects |
| HT Mega – Absolute Addons for WPBakery Page Builder | ht-mega-for-wpbakery |
| HT Slider For Elementor | ht-slider-for-elementor |
| HurryTimer – An Scarcity and Urgency Countdown Timer for WordPress & WooCommerce | hurrytimer |
| iCount Payment Gateway | icount |
| Image Cleanup | image-cleanup |
| Image Editor by Pixo | image-editor-by-pixo |
| Image Shadow | image-shadow |
| Image slider with description | image-slider-with-description |
| Import external attachments | import-external-attachments |
| Infility Global | infility-global |
| IS-theme-companion | weblizar-companion |
| isMobile() Shortcode for WordPress | ismobile |
| JetEngine | jet-engine |
| JobSearch WP Job Board | wp-jobsearch |
| Leyka | leyka |
| MDJM Event Management | mobile-dj-manager |
| MicroPayments – Fans Paysite: Paid Creator Subscriptions, Digital Assets, Wallet | paid-membership |
| Modern Design Library | mdl-shortcodes |
| Mollie Payments for WooCommerce | mollie-payments-for-woocommerce |
| My Resume Builder | my-resume-builder |
| My Wp Brand – Hide menu & Hide Plugin | my-wp-brand |
| Namasha By Mdesign | namasha-by-mdesign |
| National Weather Service Alerts | national-weather-service-alerts |
| Navayan Subscribe | navayan-subscribe |
| Ninja Forms – The Contact Form Builder That Grows With You | ninja-forms |
| Ninja Tables – Easy Data Table Builder | ninja-tables |
| Off-Canvas Sidebars & Menus (Slidebars) | off-canvas-sidebars |
| Omnipress | omnipress |
| ONet Regenerate Thumbnails | onet-regenerate-thumbnails |
| OnionBuzz | onionbuzz-viral-quiz |
| Osom Blocks | osomblocks |
| Owl carousel responsive | responsive-owl-carousel |
| PDF Builder for WooCommerce. Create invoices,packing slips and more | woo-pdf-invoice-builder |
| Photo Express for Google | photo-express-for-google |
| PlatiOnline Payments | plationline |
| Plugin Inspector | plugin-inspector |
| Podcast Feed Player Widget and Shortcode | podcast-feed-player-widget |
| Popup addon for Ninja Forms | popup-addon-for-ninja-forms |
| Post Carousel Slider for Elementor | post-carousel-slider-for-elementor |
| Post Rating and Review | post-rating-and-review |
| Pre-Publish Post Checklist | pre-publish-post-checklist |
| PT Project Notebooks – Take Meeting minutes, create budgets, track task management, and more | project-notebooks |
| Qi Addons For Elementor | qi-addons-for-elementor |
| Quick Favicon | quick-favicon |
| Raise The Money | raise-the-money |
| Rankie – WordPress Rank Tracker Plugin | valvepress-rankie |
| re.place | replace |
| Relocate Upload | relocate-upload |
| Responsive Blocks – WordPress Gutenberg Blocks | responsive-block-editor-addons |
| Responsive Food and Drink Menu | responsive-food-and-drink-menu |
| Royal Elementor Addons and Templates | royal-elementor-addons |
| RSS Digest | rss-digest |
| SB Breadcrumbs | sb-breadcrumbs |
| SERPed.net | serped-net |
| Simple Link Directory Pro | qc-simple-link-directory |
| Simple Payment | simple-payment |
| Simple User Registration | wp-registration |
| SiteOrigin Widgets Bundle | so-widgets-bundle |
| Slickstream: Engagement and Conversions | slick-engagement |
| SmartAgenda – Prise de rendez-vous en ligne | smart-agenda-prise-de-rendez-vous-en-ligne |
| Społecznościowa 6 PL 2013 | spolecznosciowa-6-pl-2013 |
| Team Showcase | team-showcase-cm |
| The Countdown – Block Countdown Timer | the-countdown |
| The Pack Elementor addon | the-pack-addon |
| Theme Junkie Team Content | theme-junkie-team-content |
| Thumbnail Editor | thumbnail-editor |
| TimeZoneCalculator | timezonecalculator |
| Tournament Bracket Generator | tournament-bracket-generator |
| Track Everything | track-everything |
| Trusty Whistleblowing Solution | trusty-whistleblowing-solution |
| Twitch TV Embed Suite | twitch-tv-embed-suite |
| Ultra Addons for Contact Form 7 | ultimate-addons-for-contact-form-7 |
| Usercentrics Cookiebot – Automatic Cookie Banner for GDPR/CCPA & Google Consent Mode | cookiebot |
| VG WORT METIS | vgw-metis |
| Video List Manager | video-list-manager |
| Virusdie – One-click website security | virusdie |
| VR Calendar | vr-calendar-sync |
| web-cam | web-cam |
| WP AdCenter – Ad Manager & Adsense Ads | wpadcenter |
| WP CTA – Call To Action Plugin, Sticky CTA, Sticky Buttons | easy-sticky-sidebar |
| WP DataTable | wp-datatable |
| WP DB Booster | wp-db-booster |
| WP Edit | wp-edit |
| WP Forum Server | forum-server |
| WP Masonry & Infinite Scroll | wp-masonry-infinite-scroll |
| WP Optimize By xTraffic | wp-optimize-by-xtraffic |
| WP Optimizer | wp-optimizer |
| WP Permalink Translator | wp-permalink-translator |
| WP SoundSystem | wp-soundsystem |
| WP Visual Sitemap | wp-visual-sitemap |
| WP VR – 360 Panorama and Free Virtual Tour Builder For WordPress | wpvr |
| WP Wall | wp-wall |
| WP YouTube Live | wp-youtube-live |
| wp-gdpr-cookie-consen | wp-gdpr-cookie-consen |
| WP-PhotoNav | wp-photonav |
| WP-Recall – Registration, Profile, Commerce & More | wp-recall |
| WPB Category Slider for WooCommerce – Product Categories Carousel Slider & Grid with Icon and Images | wpb-woocommerce-category-slider |
| WPCRM – CRM for Contact form CF7 & WooCommerce | wpcrm |
| WPKit For Elementor | wpkit-elementor |
| WPShapere Lite | wpshapere-lite |
| Writesonic | writesonic |
| xili-dictionary | xili-dictionary |
| YaySMTP and Email Logs: Amazon SES, SendGrid, Outlook, Mailgun, Brevo, Google and Any SMTP Service | yaysmtp |
| Zikzag Core | zikzag-core |
Have ServiceNow & WordPress? Purchase ServicePress Core and get ServicePress: Wordfence Security (add-on) for Free.