Last week, there were 137 vulnerabilities disclosed in 101 WordPress Plugins and 32 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 52 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
Table of Contents
- New Firewalls
- Total Patched & Unpatched
- Total Vulnerabilities By CVSS
- Total Vulnerabilities By CWE
- WordPress Themes Vulnerabilities Reported
- WordPress Plugins Vulnerabilities Reported
Have ServiceNow & WordPress? Purchase ServicePress Core and get ServicePress: Wordfence Security (add-on) for Free.
New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
- PayU CommercePro Plugin <= 3.8.5 – Authentication Bypass
- WAF-RULE-845 – Data redacted while we work with the vendor on a patch.
- WAF-RULE-846 – Data redacted while we work with the vendor on a patch.
- WAF-RULE-847 – Data redacted while we work with the vendor on a patch.
- WAF-RULE-848 – Data redacted while we work with the vendor on a patch.
- WAF-RULE-852 – Data redacted while we work with the vendor on a patch.
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.
Total Unpatched & Patched Vulnerabilities Last Week
| Patch Status | Number of Vulnerabilities |
|---|---|
| Patched | 74 |
| Unpatched | 63 |
Total Vulnerabilities by CVSS Severity Last Week
| Severity Rating | Number of Vulnerabilities |
|---|---|
| Medium Severity | 72 |
| High Severity | 30 |
| Critical Severity | 35 |
Total Vulnerabilities by CWE Type Last Week
| Vulnerability Type by CWE | Number of Vulnerabilities |
|---|---|
| Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 42 |
| Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) | 29 |
| Cross-Site Request Forgery (CSRF) | 12 |
| Missing Authorization | 11 |
| Unrestricted Upload of File with Dangerous Type | 11 |
| Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 10 |
| Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 6 |
| Deserialization of Untrusted Data | 5 |
| Improper Privilege Management | 4 |
| Absolute Path Traversal | 1 |
| Authentication Bypass Using an Alternate Path or Channel | 1 |
| Exposure of Sensitive Information to an Unauthorized Actor | 1 |
| Improper Control of Generation of Code (‘Code Injection’) | 1 |
| Incorrect Authorization | 1 |
| Server-Side Request Forgery (SSRF) | 1 |
| URL Redirection to Untrusted Site (‘Open Redirect’) | 1 |
Have ServiceNow & WordPress? Purchase ServicePress Core and get ServicePress: Wordfence Security (add-on) for Free.
WordPress Themes with Reported Vulnerabilities Last Week
| Aora – Home & Lifestyle Elementor WooCommerce Theme | aora |
| Besa – Elementor Marketplace WooCommerce Theme | besa |
| BodyCenter – Gym, Fitness WooCommerce WordPress Theme | bodycenter |
| CozyStay – Hotel Booking WordPress Theme | cozystay |
| CraftXtore – Handmade, Ceramics and Pottery Shop WooCommerce Theme | bw-craftxtore |
| Diza – Pharmacy Store Elementor WooCommerce Theme | diza |
| edmin | edmin |
| Evon – Bag Store WooCommerce WordPress Theme | snsevon |
| Fana – Fashion Shop WordPress Theme | fana |
| Fitrush – Fitness and Health Supplements WordPress Theme | bw-fitrush |
| Flozen – WooCommerce AJAX WordPress RTL Theme | flozen-theme |
| GiftXtore – Luxury Jewelry & Gift Store Elementor WooCommerce WordPress Theme | bw-giftxtore |
| GrandPrix – Motorcycle WordPress Theme | grandprix |
| Hara – Beauty and Cosmetics Shop WooCommerce Theme | hara |
| Inset – Digital Agency & IT Services WordPress Theme | inset |
| Lasa – Creative Minimal WooCommerce WordPress Theme | lasa |
| Maia – Jewelry Shop WordPress Theme | maia |
| MediClinic – Medical Healthcare WordPress Theme | mediclinic |
| Nika – Medical Elementor WooCommerce Theme | nika |
| Nitan – Fashion WooCommerce WordPress Theme | snsnitan |
| Petito – Animals and Pets Store WooCommerce Theme | bw-petito |
| Photography | photography |
| RH – Real Estate WordPress Theme | realhomes |
| Ruza – Beauty Cosmetics Shop WordPress Theme | ruza |
| Sapa – Product Landing Page WooCommerce Theme | sapa |
| Simen – MultiPurpose WooCommerce WordPress Theme | snssimen |
| SNS Anton – Furniture WooCommerce WordPress Theme | snsanton |
| Spare – Ultimate MultiPurpose LESS Theme | spare |
| TinySalt – Personal Food Blog WordPress Theme | tinysalt |
| Valen – Sport, Fashion WooCommerce WordPress Theme | valen |
| Zagg – Electronics & Accessories WooCommerce WordPress Theme | bw-zagg |
| Zota – Elementor Multi-Purpose WooCommerce Theme | zota |
WordPress Plugins with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
|---|---|
| Abandoned Cart Pro for WooCommerce | woocommerce-abandon-cart-pro |
| ACF Onyx Poll | acf-onyx-poll |
| Advanced Sermons | advanced-sermons |
| Advanced Settings 3 | advanced-settings |
| Aeroscroll Gallery – Infinite Scroll Image Gallery & Post Grid with Photo Gallery | aeroscroll-gallery |
| AFS Analytics | addfreestats |
| AI Image Lab – Free AI Image Generator | ai-image-generator-lab |
| Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin | simply-schedule-appointments |
| Arconix FAQ | arconix-faq |
| Arconix Shortcodes | arconix-shortcodes |
| Auto Attachments | auto-attachments |
| AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress | automatorwp |
| Axle Demo Importer | axle-demo-importer |
| Bunny’s Print CSS | bunnys-print-css |
| CLEVER – HTML5 Radio Player With History – Shoutcast and Icecast – WordPress Plugin | lbg-audio11-html5-shoutcast_history |
| Click to Chat – HoliThemes | click-to-chat-for-whatsapp |
| Color Palette | color-palette |
| Contact Us Page – Contact People | contact-us-page-contact-people |
| CubeWP Forms – All-in-One Form Builder | cubewp-forms |
| CubeWP – All-in-One Dynamic Content Framework | cubewp-framework |
| Digital Marketing and Agency Templates Addons for Elementor | digital-marketing-agency-templates-for-elementor |
| DIOT SCADA with MQTT | ecava-diot-scada |
| Easy Flashcards | easy-flashcards |
| Ebook Store | ebook-store |
| eForm – WordPress Form Builder | wp-fsqm-pro |
| Elementor Website Builder Pro | elementor-pro |
| Elite Video Player | elite-video-player |
| File Manager Pro – Filester | filester |
| FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce | wp-marketing-automations |
| FW Food Menu – Responsive food menu with ordering & delivery solutions | fw-food-menu |
| FW Gallery – Photo, video, audio media presentation and management system with players and slideshow | fw-gallery |
| Game Review Block | game-review-block |
| If-So Dynamic Content Personalization | if-so |
| Image Resizer On The Fly | image-resizer-on-the-fly |
| IndieBlocks | indieblocks |
| IRM Newsroom | irm-newsroom |
| Kama Click Counter | kama-clic-counter |
| kk Youtube Video | kk-youtube-video |
| Link Shield | link-shield |
| Majestic Support – The Leading-Edge Help Desk & Customer Support Plugin | majestic-support |
| Malcure Malware Scanner — #1 Toolset for WordPress Malware Removal | wp-malware-removal |
| MapSVG | mapsvg |
| Meks Flexible Shortcodes | meks-flexible-shortcodes |
| Membership For WooCommerce | membership-for-woocommerce |
| myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program. | mycred |
| Nasa Core | nasa-core |
| One-Login | one-login |
| Ovatheme Events Manager | ova-events-manager |
| PostaPanduri | postapanduri |
| Premium Addons for Elementor | premium-addons-for-elementor |
| ProfileGrid – User Profiles, Groups and Communities | profilegrid-user-profiles-groups-and-communities |
| ReFormer – Multichannel Contact Form for Elementor | reformer-elementor |
| Responsive Blocks – WordPress Gutenberg Blocks | responsive-block-editor-addons |
| Responsive Plus – Starter Templates, Advanced Features and Customizer Settings for Responsive Theme. | responsive-add-ons |
| REST API | Custom API Generator For Cross Platform And Import Export In WP | import-export-with-custom-rest-api |
| Restrict File Access | restrict-file-access |
| School Management System for WordPress | school-management |
| Simple Newsletter Plugin – Noptin | newsletter-optin-box |
| Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider | ml-slider |
| Slim SEO – Fast & Automated WordPress SEO Plugin | slim-seo |
| Smart Notification WordPress Plugin. Web & Mobile Push, FB Messenger, FB Notifications & Newsletter. | smio-push-notification |
| Smash Balloon Social Post Feed – Simple Social Feeds for WordPress | custom-facebook-feed |
| StreamWeasels Kick Integration | streamweasels-kick-integration |
| Telegram for WP | telegram-for-wp |
| The Events Calendar | the-events-calendar |
| TicketBAI Facturas para WooCommerce | wp-ticketbai |
| Track, Analyze & Optimize by WP Tao | wp-tao |
| Traffic Monitor | traffic-monitor |
| Ultimate Blocks – WordPress Blocks Plugin | ultimate-blocks |
| Ultimate Reviews | ultimate-reviews |
| UserPro – Community and User Profile WordPress Plugin | userpro |
| Widget Logic | widget-logic |
| WidgetKit Pro | widgetkit-pro |
| Woocommerce Partial Shipment | wc-partial-shipment |
| WordPress Automatic Plugin | wp-automatic |
| WordPress Single Sign-On (SSO) – Multisite All-Inclusive | miniorange-oauth-oidc-single-sign-on |
| WordPress Single Sign-On (SSO) – Multisite Enterprise | miniorange-oauth-oidc-single-sign-on |
| WordPress Single Sign-On (SSO) – Multisite Premium | miniorange-oauth-oidc-single-sign-on |
| WordPress Single Sign-On (SSO) – Single Site All-Inclusive | miniorange-oauth-oidc-single-sign-on |
| WordPress Single Sign-On (SSO) – Single Site Enterprise | miniorange-oauth-oidc-single-sign-on |
| WordPress Single Sign-On (SSO) – Single Site Premium | miniorange-oauth-oidc-single-sign-on |
| WordPress Single Sign-On (SSO) – Single Site Standard | miniorange-oauth-oidc-single-sign-on |
| Workreap | workreap |
| WP Employee Attendance System | wp-employee-attendance-system |
| WP Job Portal – A Complete Recruitment System for Company or Job Board website | wp-job-portal |
| WP Sliding Login/Dashboard Panel | wp-sliding-logindashboard-panel |
| WP Travel Engine – Tour Booking Plugin – Tour Operator Software | wp-travel-engine |
| WP URL Shortener | wp-url-shortener |
| WP Views Counter | wpecounter |
| WP VR – 360 Panorama and Free Virtual Tour Builder For WordPress | wpvr |
| WP-DownloadManager | wp-downloadmanager |
| WP2HTML | wp2html |
| WPAdverts – Classifieds Plugin | wpadverts |
| WPCRM – CRM for Contact form CF7 & WooCommerce | wpcrm |
| WPGYM – WordPress Gym Management System | gym-management |
| Xagio SEO – AI Powered SEO | xagio-seo |
| XiSearch bar | xisearch-bar |
| YITH WooCommerce Wishlist | yith-woocommerce-wishlist |
| Yougler Blogger Profile Page | yougler-blogger-profile-page |
| Zen Sticky Social | zen-social-sticky |
| Zotpress | zotpress |
Have ServiceNow & WordPress? Purchase ServicePress Core and get ServicePress: Wordfence Security (add-on) for Free.