Last week, there were 52 vulnerabilities disclosed in 47 WordPress Plugins and 6 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 28 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
Table of Contents
- New Firewalls
- Total Patched & Unpatched
- Total Vulnerabilities By CVSS
- Total Vulnerabilities By CWE
- WordPress Themes Vulnerabilities Reported
- WordPress Plugins Vulnerabilities Reported
Have ServiceNow & WordPress? Purchase ServicePress Core and get ServicePress: Wordfence Security (add-on) for Free.
New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
- WAF-RULE-862 – Data redacted while we work with the vendor on a patch.
- WAF-RULE-863 – Data redacted while we work with the vendor on a patch.
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.
Total Unpatched & Patched Vulnerabilities Last Week
| Patch Status | Number of Vulnerabilities |
|---|---|
| Patched | 39 |
| Unpatched | 13 |
Total Vulnerabilities by CVSS Severity Last Week
| Severity Rating | Number of Vulnerabilities |
|---|---|
| Medium Severity | 32 |
| High Severity | 17 |
| Critical Severity | 3 |
Total Vulnerabilities by CWE Type Last Week
| Vulnerability Type by CWE | Number of Vulnerabilities |
|---|---|
| Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 23 |
| Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) | 6 |
| Missing Authorization | 6 |
| Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 4 |
| Unrestricted Upload of File with Dangerous Type | 4 |
| Deserialization of Untrusted Data | 2 |
| Improper Control of Generation of Code (‘Code Injection’) | 2 |
| Authorization Bypass Through User-Controlled Key | 1 |
| Exposure of Sensitive Information to an Unauthorized Actor | 1 |
| Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 1 |
| Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’) | 1 |
| Improper Privilege Management | 1 |
Have ServiceNow & WordPress? Purchase ServicePress Core and get ServicePress: Wordfence Security (add-on) for Free.
WordPress Themes with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
|---|---|
| Betheme | betheme |
| Shopo | shopo |
| The7 — Website and eCommerce Builder for WordPress | dt-the7 |
| Urna – All-in-one WooCommerce WordPress Theme | urna |
| Xinterio – Interior Design WordPress Theme + RTL | xinterio |
| Zakra | zakra |
WordPress Plugins with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
|---|---|
| BaiduXZH Submit(百度熊掌号) | i3geek-baiduxzh |
| Campus Directory – Faculty, Staff & Student Directory Plugin for WordPress | campus-directory |
| CleverReach® WP | cleverreach-wp |
| Code Engine | code-engine |
| Cost Calculator | ql-cost-calculator |
| Coupon Affiliates – Affiliate Plugin for WooCommerce | woo-coupon-usage |
| Customer Support Ticket System & Helpdesk Plugin for WordPress | wp-ticket |
| Design for Contact Form 7 Style WordPress Plugin – CF7 WOW Styler | cf7-styler |
| Download Counter | download-counter |
| Easy Form Builder – WordPress plugin form builder: contact form, survey form, payment form, and custom form builder | easy-form-builder |
| Element Pack Elementor Addons and Templates | bdthemes-element-pack-lite |
| Employee Directory – Staff Listing & Team Directory Plugin for WordPress | employee-directory |
| esri-map-view | esri-map-view |
| Eventer – WordPress Event & Booking Manager Plugin | eventer |
| Eventin – Event Manager, Events Calendar, Booking, Tickets and Registration | wp-event-solution |
| Exclusive Addons for Elementor | exclusive-addons-for-elementor |
| FileBird – WordPress Media Library Folders & File Manager | filebird |
| Flex Guten – Multile Blocks | flex-guten |
| Form Block | form-block |
| FundEngine – Donation and Crowdfunding Platform | wp-fundraising-donation |
| GiveWP – Donation Plugin and Fundraising Platform | give |
| Global Gallery – WordPress Responsive Gallery | global-gallery |
| GravityWP – Merge Tags | gravitywp-merge-tags |
| Groundhogg — CRM, Newsletters, and Marketing Automation | groundhogg |
| Gutenverse – Ultimate Block Addons and Page Builder for Site Editor | gutenverse |
| IDonatePro – Blood Donation, Request And Donor Management WordPress Plugin | idonate-pro |
| MapSVG | mapsvg |
| Multimedia Playlist Slider Addon for WPBakery Page Builder | lbg_vp_youtube_vimeo_addon_visual_composer |
| Porn Videos Embed | porn-videos-embed |
| Post Grid, Posts Slider, Posts Carousel, Post Filter, Post Masonry | post-grid |
| Prevent files / folders access | prevent-file-access |
| Project Management, Bug and Issue Tracking Plugin – Software Issue Manager | software-issue-manager |
| RentSyst – CRM solution for fleet management | rentsyst |
| Request a Quote Form Plugin – Price Quote Request Management Made Easy | request-a-quote |
| Reveal Listing | reveal-listing |
| Simple Contact Form Plugin for WordPress – WP Easy Contact | wp-easy-contact |
| SMM API | smm-api |
| Use-your-Drive | Google Drive plugin for WordPress | use-your-drive |
| User Language Switch | user-language-switch |
| Visit Counter | visit-counter |
| WP Import Export Lite | wp-import-export-lite |
| WP Lead Capturing Pages – WordPress Plugin | leadcapture |
| WP Tournament Registration | wp-tournament-registration |
| WP-jScrollPane | wp-jscrollpane |
| WPBakery Page Builder | js_composer |
| ZoloBlocks – Gutenberg Block Editor Plugin with Advanced Blocks, Dynamic Content, Templates & Patterns | zoloblocks |
| 多说社会化评论框 | duoshuo |
Have ServiceNow & WordPress? Purchase ServicePress Core and get ServicePress: Wordfence Security (add-on) for Free.