Last week, there were 140 vulnerabilities disclosed in 120 WordPress Plugins and 5 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 41 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
Table of Contents
- New Firewalls
- Total Patched & Unpatched
- Total Vulnerabilities By CVSS
- Total Vulnerabilities By CWE
- WordPress Themes Vulnerabilities Reported
- WordPress Plugins Vulnerabilities Reported
Have ServiceNow & WordPress? Purchase ServicePress Core and get ServicePress: Wordfence Security (add-on) for Free.
New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
- WAF-RULE-859 – Data redacted while we work with the vendor on a patch.
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.
Total Unpatched & Patched Vulnerabilities Last Week
| Patch Status | Number of Vulnerabilities |
|---|---|
| Patched | 106 |
| Unpatched | 34 |
Total Vulnerabilities by CVSS Severity Last Week
| Severity Rating | Number of Vulnerabilities |
|---|---|
| Medium Severity | 112 |
| High Severity | 15 |
| Critical Severity | 13 |
Total Vulnerabilities by CWE Type Last Week
| Vulnerability Type by CWE | Number of Vulnerabilities |
|---|---|
| Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 55 |
| Missing Authorization | 24 |
| Cross-Site Request Forgery (CSRF) | 17 |
| Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 11 |
| Exposure of Sensitive Information to an Unauthorized Actor | 9 |
| Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 6 |
| Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) | 5 |
| Deserialization of Untrusted Data | 4 |
| Unrestricted Upload of File with Dangerous Type | 3 |
| Authentication Bypass Using an Alternate Path or Channel | 1 |
| Authorization Bypass Through User-Controlled Key | 1 |
| External Control of File Name or Path | 1 |
| Improper Control of Generation of Code (‘Code Injection’) | 1 |
| Improper Privilege Management | 1 |
| Server-Side Request Forgery (SSRF) | 1 |
Have ServiceNow & WordPress? Purchase ServicePress Core and get ServicePress: Wordfence Security (add-on) for Free.
WordPress Themes with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
|---|---|
| Alone – Charity Multipurpose Non-profit WordPress Theme | alone |
| GymBase Theme Classes | gymbase_classes |
| Hestia | hestia |
| Houzez | houzez |
| Visual Art | Gallery WordPress Theme | visual-arts |
WordPress Plugins with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
|---|---|
| aapanel WP Toolkit | aapanel-wp-toolkit |
| Affiliate Reviews | affiliate-reviews |
| Alike – WordPress Custom Post Comparison | alike |
| Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer) | azon-addon-js-composer |
| Animator – Scroll Triggered Animations | scroll-triggered-animations |
| AntiSpam for Contact Form 7 | cf7-antispam |
| Apollo – Sticky Full Width HTML5 Audio Player | lbg-audio5-html5-shoutcast-sticky |
| Appointment Booking & Scheduling Plugin — Webba Booking Calendar | webba-booking-lite |
| Attachment Manager | attachment-manager |
| Avada (Fusion) Builder | fusion-builder |
| Avishi WP PayPal Payment Button | avishi-wp-paypal-payment-button |
| B1.lt | b1-accounting |
| Bears Backup | bears-backup |
| Block Editor Gallery Slider | block-editor-gallery-slider |
| Bold Page Builder | bold-page-builder |
| Brandfolder – Digital Asset Management Simplified. | brandfolder |
| Chatbox Manager | wa-chatbox-manager |
| Cloud SAML SSO – Single Sign On Login | cloud-sso-single-sign-on |
| CM Pop-Up – Create engaging popups to capture attention and boost interaction | cm-pop-up-banners |
| Companion Auto Update | companion-auto-update |
| Copymatic – AI Content Writer & Generator | copymatic |
| Cost Calculator | ql-cost-calculator |
| Counter live visitors for WooCommerce | counter-visitor-for-woocommerce |
| Coupon Affiliates – Affiliate Plugin for WooCommerce | woo-coupon-usage |
| Crowdfunding for WooCommerce | crowdfunding-for-woocommerce |
| Custom API for WP | custom-api-for-wp |
| DB Backup | db-backup |
| Easy Elementor Addons | easy-elementor-addons |
| ELEX WooCommerce Bulk Edit Products, Prices & Attributes (Basic) | elex-bulk-edit-products-prices-attributes-for-woocommerce-basic |
| EPay.bg Payments | epaybg-payments |
| FG Drupal to WordPress | fg-drupal-to-wp |
| FluentSnippets – The High-Performance file based Custom Code Snippets Plugin | easy-code-manager |
| FoodMenu – WP Creative Restaurant Menu Showcase WooCommerce | dzs-restaurantmenu |
| Formality | formality |
| Forminator Forms – Contact Form, Payment Form & Custom Form Builder | forminator |
| Ghost Kit – Page Builder Blocks, Motion Effects & Extensions | ghostkit |
| GSheetConnector for WC | wc-gsheetconnector |
| Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor | gutentor |
| HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder. | ht-contactform |
| HTML5 Radio Player – WPBakery Page Builder Addon | lbg_radio_player_addon_visual_composer |
| IDonatePro – Blood Donation, Request And Donor Management WordPress Plugin | idonate-pro |
| Image Wall | image-wall |
| Import CDN-Remote Images | import-cdn-remote-images |
| Integration for Google Sheets and Contact Form 7, WPForms, Elementor, Ninja Forms | integration-for-contact-form-7-and-google-sheets |
| Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms | integration-for-contact-form-7-and-pipedrive |
| JetBlocks for Elementor | jet-blocks |
| JetElements | jet-elements |
| JetEngine | jet-engine |
| JetFormBuilder — Dynamic Blocks Form Builder | jetformbuilder |
| JetMenu | jet-menu |
| JetPopup | jet-popup |
| JetSearch | jet-search |
| JetSmartFilters | jet-smart-filters |
| JetTabs | jet-tabs |
| JetTricks | jet-tricks |
| JetWooBuilder | jet-woo-builder |
| Knowledge Base | knowledgebase |
| lbg-audio4-html5-shoutcast | lbg-audio4-html5-shoutcast |
| LightBox Block – Gutenberg block for creating fully functional lightbox | lightbox-block |
| Listly: Listicles For WordPress | listly |
| Live Stream Badger | live-stream-badger |
| LoginPress Pro | loginpress-pro |
| Madara – Core | madara-core |
| Malcure Malware Scanner — #1 Toolset for Malware Removal | wp-malware-removal |
| Map My Locations | map-my-locations |
| Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations | master-addons |
| MasterStudy LMS Pro | masterstudy-lms-learning-management-system-pro |
| Maya Business Plugin | paymaya-checkout-for-woocommerce |
| Media Library Assistant | media-library-assistant |
| Mediabay – WordPress Media Library Folders | mediabay |
| MORKVA Vchasno Kasa Integration | mrkv-vchasno-kasa |
| Multimedia Playlist Slider Addon for WPBakery Page Builder | lbg_vp_youtube_vimeo_addon_visual_composer |
| News Kit Elementor Addons | news-kit-elementor-addons |
| Newsletters | newsletters-lite |
| Partnerský systém Martinus | martinus-partnersky-system |
| Pinterest Automatic | wp-pinterest-automatic |
| Plugin Pengiriman WooCommerce Kurir Reguler, Instan, Kargo – Biteship | biteship |
| ProfileGrid – User Profiles, Groups and Communities | profilegrid-user-profiles-groups-and-communities |
| Real Estate Property 2025 Create Your Own Fields and Search Bar | real-estate-right-now |
| Residential Address Detection | residential-address-detection |
| Responsive Addons for Elementor – Free Elementor Addons Plugin and Elementor Templates | responsive-addons-for-elementor |
| Restaurant Menu and Food Ordering | mp-restaurant-menu |
| Restrict File Access | restrict-file-access |
| Revolution Video Player With Bottom Playlist WordPress Plugin – YouTube/Vimeo/Self-Hosted Support | revolution_video_player |
| Ruven Themes: Shortcodes | ruven-themes-shortcodes |
| School Management System for WordPress | school-management |
| SHOUT – HTML5 Radio Player With Ads – ShoutCast and IceCast Support | lbg-audio8-html5-radio-ads |
| Simple Link Directory Pro | qc-simple-link-directory |
| SMTP for Amazon SES – YaySMTP | smtp-amazon-ses |
| SMTP for SendGrid – YaySMTP | smtp-sendgrid |
| SMTP for Sendinblue – YaySMTP | smtp-sendinblue |
| SMTP2GO for WordPress – Email Made Easy | smtp2go |
| Stop and Block bots plugin Anti bots | antibots |
| Strong Testimonials | strong-testimonials |
| Temporarily Hidden Content | temporarily-hidden-content |
| Terms descriptions | terms-descriptions |
| Testimonial Post type | testimonial-post-type |
| The Plus Addons for Elementor Page Builder Pro | theplus_elementor_addon |
| Theme Builder For Elementor | theme-builder-for-elementor |
| ThemeREX Addons | trx_addons |
| Ultimate WP Mail | ultimate-wp-mail |
| Universal Video Player – Addon for WPBakery Page Builder | lbg-universal-video-player-addon-visual-composer |
| Universal Video Player – Addon for WPBakery Page Builder | lbg_universal_video_player_addon_visual_composer |
| URL Shortener Plugin For WordPress | exact-links |
| Useful Tab Block – Responsive & AMP-Compatible | useful-tab-block-responsive-amp-compatible |
| Vertical scroll image slideshow gallery | vertical-scroll-image-slideshow-gallery |
| Videopack | video-embed-thumbnail-generator |
| Wallet System for WooCommerce | wallet-system-for-woocommerce |
| Welcart e-Commerce | usc-e-shop |
| Widget for Google Reviews | business-reviews-wp |
| WooCommerce Refund And Exchange with RMA – Warranty Management, Refund Policy, Manage User Wallet | woocommerce-refund-and-exchange |
| WooCommerce Shop Page Builder | dzs-wootable |
| WP Delicious – Recipe Plugin for Food Bloggers (formerly Delicious Recipes) | delicious-recipes |
| WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce | wp-event-manager |
| WP Post Hide | wp-post-hide |
| WP Shortcodes Plugin — Shortcodes Ultimate | shortcodes-ultimate |
| WPAdverts – Classifieds Plugin | wpadverts |
| YayExtra – WooCommerce Extra Product Options | yayextra |
| Youtube Vimeo Video Player and Slider WP Plugin | video_player_youtube_vimeo |
| Zuppler Online Ordering | zuppler-online-ordering |
Have ServiceNow & WordPress? Purchase ServicePress Core and get ServicePress: Wordfence Security (add-on) for Free.