Last week, there were 140 vulnerabilities disclosed in 120 WordPress Plugins and 5 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 41 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
Table of Contents
- New Firewalls
- Total Patched & Unpatched
- Total Vulnerabilities By CVSS
- Total Vulnerabilities By CWE
- WordPress Themes Vulnerabilities Reported
- WordPress Plugins Vulnerabilities Reported
Have ServiceNow & WordPress? Purchase ServicePress Core and get ServicePress: Wordfence Security (add-on) for Free.
New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
- AI Engine 2.9.3 – 2.9.4 – Authenticated (Subscriber+) Arbitrary File Upload
- Post SMTP <= 3.2.0 – Missing Authorization to Authenticated (Subscriber+) Account Takeover via Email Log Exposure
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.
Total Unpatched & Patched Vulnerabilities Last Week
| Patch Status | Number of Vulnerabilities |
|---|---|
| Patched | 46 |
| Unpatched | 42 |
Total Vulnerabilities by CVSS Severity Last Week
| Severity Rating | Number of Vulnerabilities |
|---|---|
| Medium Severity | 59 |
| High Severity | 23 |
| Critical Severity | 6 |
Total Vulnerabilities by CWE Type Last Week
| Vulnerability Type by CWE | Number of Vulnerabilities |
|---|---|
| Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 35 |
| Missing Authorization | 14 |
| Cross-Site Request Forgery (CSRF) | 8 |
| Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) | 8 |
| Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 4 |
| Unrestricted Upload of File with Dangerous Type | 4 |
| Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 3 |
| Authentication Bypass Using an Alternate Path or Channel | 2 |
| Exposure of Sensitive Information to an Unauthorized Actor | 2 |
| Improper Input Validation | 2 |
| Absolute Path Traversal | 1 |
| Dependency on Vulnerable Third-Party Component | 1 |
| External Control of Assumed-Immutable Web Parameter | 1 |
| Improper Control of Generation of Code (‘Code Injection’) | 1 |
| Least Privilege Violation | 1 |
| Server-Side Request Forgery (SSRF) | 1 |
Have ServiceNow & WordPress? Purchase ServicePress Core and get ServicePress: Wordfence Security (add-on) for Free.
WordPress Themes with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
|---|---|
| Caliris – Responsive One Page WordPress Theme | caliris-wp |
| cena | cena |
| Educenter | educenter |
| KALLYAS – Creative eCommerce Multi-Purpose WordPress Theme | kallyas |
| MinimogWP – The High Converting eCommerce WordPress Theme | minimog |
| Noo JobMonster | noo-jobmonster |
| VidMov – Video WordPress Theme | vidmov |
| Woodmart | woodmart |
WordPress Plugins with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
|---|---|
| Advanced iFrame | advanced-iframe |
| Affiliate Plus | affiliate-plus |
| AI Engine | ai-engine |
| AI Tools – Chatbot, ChatGPT, Content Generator, Image Generator, Artificial Intelligence GPT | artificial-intelligence-auto-content-generator |
| Birth Chart Compatibility | birth-chart-compatibility |
| bSecure – Your Universal Checkout | bsecure |
| CaptionPix | captionpix |
| CM Map Locations – Visualize and share your locations in a few clicks | cm-map-locations |
| CRM and Lead Management by vcita | crm-customer-relationship-management-by-vcita |
| CSS & JavaScript Toolbox | css-javascript-toolbox |
| Dataverse Integration | integration-cds |
| Droip | droip |
| Ebook Store | ebook-store |
| ElementsKit Elementor Addons and Templates | elementskit-lite |
| Elite Video Player | elite-video-player |
| Extensions For CF7 (Contact form 7 Database, Conditional Fields and Redirection) | extensions-for-cf7 |
| Featured Image Plus – Quick & Bulk Edit with Unsplash | featured-image-plus |
| Fleetwire Fleet Management | fleetwire-fleet-management |
| Frontend File Manager Plugin | nmedia-user-file-uploader |
| FunnelCockpit | funnelcockpit |
| Get Youtube Subs | get-youtube-subs |
| hiWeb Export Posts | hiweb-export-posts |
| iThoughts Advanced Code Editor | ithoughts-advanced-code-editor |
| Latest Post Accordian Slider | latest-post-accordian-slider |
| Like & Share My Site | like-share-my-site |
| LoginWP – Pro | loginwp-pro |
| Melapress Login Security | melapress-login-security |
| Memory Usage, Memory Limit, PHP and Server Memory Health Check and Provide Suggestions | wp-memory |
| muse.ai video embedding | muse-ai |
| Nginx Cache Purge Preload | fastcgi-cache-purge-and-preload-nginx |
| Omnishop – Mobile shop apps complementing your WooCommerce webshop | omnishop |
| ONLYOFFICE Docs | onlyoffice |
| Orion Login with SMS | orion-login-with-sms |
| Pixel Gallery Addons for Elementor – Easy Grid, Creative Gallery, Drag and Drop Grid, Custom Grid Layout, Portfolio Gallery | pixel-gallery |
| Post and Page Builder by BoldGrid – Visual Drag and Drop Editor | post-and-page-builder |
| Post Grid Master – Custom Post Types, Taxonomies & Ajax Filter Everything with Infinite Scroll, Load More, Pagination & Shortcode Builder | ajax-filter-posts |
| Post SMTP – WP SMTP Plugin with Email Logs and Mobile App for Failure Notifications – Gmail SMTP, Office 365, Brevo, Mailgun, Amazon SES and more | post-smtp |
| ProfileGrid – User Profiles, Groups and Communities | profilegrid-user-profiles-groups-and-communities |
| ReachShip WooCommerce Multi-Carrier & Conditional Shipping | elex-reachship-multi-carrier-conditional-shipping |
| Realty Portal – Agent | realty-portal-agent |
| Responsive HTML5 Audio Player PRO With Playlist | lbg-audio2-html5 |
| Security Ninja – WordPress Security Plugin & Firewall | security-ninja |
| SEOPress for MainWP | seopress-for-mainwp |
| Simple Business Directory Pro | simple-business-directory-pro |
| Social Streams | social-streams |
| Station Pro – Advanced Audio Streaming & Player for WordPress | station-pro |
| Structured Content (JSON-LD) #wpsc | structured-content |
| Support Board | supportboard |
| Supreme Addons for Beaver Builder – | supreme-addons-for-beaver-builder-lite |
| Tablesome Table Premium | tablesome-premium |
| Taeggie Feed | taeggie-feed |
| The E-Commerce ERP: Purchasing, Inventory, Fulfillment, Manufacturing, BOM, Accounting, Sales Analysis | profitori |
| Timber | timber-library |
| Universal Video Player – Addon for WPBakery Page Builder | lbg-universal-video-player-addon-visual-composer |
| User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin | user-registration |
| Valuation Calculator | commercial-real-estate-valuation-calculator |
| Video and Audio Player for WordPress – Mine CloudVod LMS | mine-cloudvod |
| Video Blogster Lite | video-blogster-lite |
| video-player-youtube-vimeo | video-player-youtube-vimeo |
| Voltax Video Player | voltax-video-player |
| Webinar Solution: Create live/evergreen/automated/instant webinars, stream & Zoom Meetings | WebinarIgnition | webinar-ignition |
| Wonder Slider | wonderplugin-slider |
| Wonder Slider Lite | wonderplugin-slider-lite |
| WooCommerce Point Of Sale (POS) | woo-point-of-salepos |
| WP Applink | wp-applink |
| WP Get The Table | wp-get-the-table |
| WP JobHunt | wp-jobhunt |
| WP Links Page | wp-links-page |
| WP Pipes | wp-pipes |
| WP Shortcodes Plugin — Shortcodes Ultimate | shortcodes-ultimate |
| WP Wallcreeper | wp-wallcreeper |
| WP-Members Membership Plugin | wp-members |
| WPBakery Page Builder | js_composer |
| WPBookit | wpbookit |
| WPeMatico RSS Feed Fetcher | wpematico |
| YANewsflash | yanewsflash |
Have ServiceNow & WordPress? Purchase ServicePress Core and get ServicePress: Wordfence Security (add-on) for Free.