Last week, 88 vulnerabilities disclosed in 61 WordPress plugins and 13 WordPress themes were added to the Wordfence Intelligence Vulnerability Database, with 41 vulnerability researchers contributing to WordPress security. Review the vulnerabilities in this report now to ensure your site is not affected.
Table of Contents
- New Firewalls
- Total Patched & Unpatched
- Total Vulnerabilities By CVSS
- Total Vulnerabilities By CWE
- WordPress Themes Vulnerabilities Reported
- WordPress Plugins Vulnerabilities Reported
Have ServiceNow & WordPress? Purchase ServicePress Core and get ServicePress: Wordfence Security (add-on) for Free.

New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
- None
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30-day delay.
Total Unpatched & Patched Vulnerabilities Last Week
| Patch Status | Number of Vulnerabilities |
|---|---|
| Patched | 49 |
| Unpatched | 39 |
Total Vulnerabilities by CVSS Severity Last Week
| Severity Rating | Number of Vulnerabilities |
|---|---|
| Medium Severity | 55 |
| High Severity | 25 |
| Critical Severity | 8 |
Total Vulnerabilities by CWE Type Last Week
| Vulnerability Type by CWE | Number of Vulnerabilities |
|---|---|
| Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 29 |
| Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 15 |
| Missing Authorization | 12 |
| Deserialization of Untrusted Data | 8 |
| Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 4 |
| Unrestricted Upload of File with Dangerous Type | 4 |
| Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) | 3 |
| Exposure of Sensitive Information to an Unauthorized Actor | 2 |
| Improper Control of Generation of Code (‘Code Injection’) | 2 |
| Improper Privilege Management | 2 |
| Authentication Bypass Using an Alternate Path or Channel | 1 |
| Authorization Bypass Through User-Controlled Key | 1 |
| External Control of File Name or Path | 1 |
| Improper Neutralization of Formula Elements in a CSV File | 1 |
| Server-Side Request Forgery (SSRF) | 1 |
| Unverified Password Change | 1 |
| Use of Hard-coded Credentials | 1 |
WordPress Themes with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
|---|---|
| electrician | electrician |
| fwdevp | fwdevp |
| Hillter – Responsive Hotel Booking for WordPress | hillter |
| Invico – WordPress Consulting Business Theme | invico |
| ListingEasy – Directory Listing WordPress Theme | listingeasy |
| Noisa | noisa |
| Nokri – Job Board WordPress Theme | nokri |
| Nuss – Hotel Booking WordPress | nuss |
| Ofiz – WordPress Business Consulting Theme | ofiz |
| Sala – Startup & SaaS WordPress Theme | sala |
| Travel Booking WordPress Theme | traveler |
| Woodmart | woodmart |
| Yogi – Health Beauty & Yoga WordPress Theme | yogi |
WordPress Plugins with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
|---|---|
| AI Engine | ai-engine |
| Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer) | azon-addon-js-composer |
| BeeTeam368 Extensions | beeteam368-extensions |
| Broken Link Notifier | broken-link-notifier |
| Contact Form 7 Editor Button | cf7-editor-button |
| CoSchool LMS – A complete Learning Management System to Create and Sell Your Courses Online | coschool |
| CSS3 Compare Pricing Tables for WordPress | css3_web_pricing_tables_grids |
| Dot html,php,xml etc pages | dot-htmlphpxml-etc-pages |
| Essential Addons for Elementor – Popular Elementor Templates & Widgets | essential-addons-for-elementor-lite |
| Events Manager – Calendar, Bookings, Tickets, and more! | events-manager |
| FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel | foogallery |
| Friends | friends |
| FunnelKit – Funnel Builder for WooCommerce Checkout | funnel-builder |
| GB Forms DB | gb-forms-db |
| Guest Support – Complete customer support ticket system for WordPress | guest-support |
| Gutenberg Blocks with AI by Kadence WP – Page Builder Features | kadence-blocks |
| Gwolle Guestbook | gwolle-gb |
| HTML5 Radio Player – WPBakery Page Builder Addon | lbg-cleverbakery |
| Infility Global | infility-global |
| Internal Linking of Related Contents | internal-linking-of-related-contents |
| Lana Downloads Manager | lana-downloads-manager |
| Lightbox & Modal Popup WordPress Plugin – FooBox | foobox-image-lightbox |
| LoginWP – Pro | loginwp-pro |
| Media Folder | media-folder |
| Modern Events Calendar Lite | modern-events-calendar-lite |
| Multi-language Responsive Contact Form | responsive-contact-form |
| Pakke Envíos | pakke |
| Pay with Contact Form 7 | pay-with-contact-form-7 |
| Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal or Stripe, Social Share Buttons, OpenAI | contest-gallery |
| Premium Age Verification / Restriction for WordPress | age-restriction |
| Premium SEO Pack – WP SEO Plugin | premium-seo-pack |
| Pro Bulk Watermark Plugin for WordPress | pro-watermark |
| Product XML Feed Manager for WooCommerce – Google Shopping, Social Sites, Skroutz & More | product-xml-feeds-for-woocommerce |
| ProfileGrid – User Profiles, Groups and Communities | profilegrid-user-profiles-groups-and-communities |
| Profiler – What Slowing Down Your WP | profiler-what-slowing-down |
| PW WooCommerce On Sale! | pw-woocommerce-on-sale |
| RSFirewall! | rsfirewall |
| Simple Featured Image | simple-featured-image |
| Site Chat on Telegram | site-chat-on-telegram |
| SmartSEO \| SEO & Marketing Services WordPress Theme | smartseo |
| SMu Manual DoFollow | manuall-dofollow |
| Super Store Finder | superstorefinder-wp |
| Support Board | supportboard |
| SureForms – Drag and Drop Form Builder for WordPress | sureforms |
| Tennis Court Bookings | tennis-court-bookings |
| The E-Commerce ERP: Purchasing, Inventory, Fulfillment, Manufacturing, BOM, Accounting, Sales Analysis | profitori |
| Torod – The smart shipping and delivery portal for e-shops and retailers | torod |
| Ultimate Push Notifications ( Mobile / Desktop ), Receive Notification From WooCommerce, BuddyPress, WordPress Default Events & Many More | ultimate-push-notifications |
| URL Shortener Plugin For WordPress | exact-links |
| WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible | wc-frontend-manager |
| Widget for Google Reviews | business-reviews-wp |
| Wishlist for WooCommerce: Multi Wishlists Per Customer | wish-list-for-woocommerce |
| WordPress Auto Spinner | wp-auto-spinner |
| wordpress-flat-countdown | wordpress-flat-countdown |
| WP Pipes | wp-pipes |
| WP Register Profile With Shortcode | wp-register-profile-with-shortcode |
| WP-BusinessDirectory – Business directory plugin for WordPress | wp-businessdirectory |
| WPBookit | wpbookit |
| WPC Smart Compare for WooCommerce | woo-smart-compare |
| wpForo Forum | wpforo |
| WPGYM – WordPress Gym Management System | gym-management |