Last week, there were 168 vulnerabilities disclosed in 142 WordPress Plugins and 11 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 69 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
Table of Contents
- New Firewalls
- Total Patched & Unpatched
- Total Vulnerabilities By CVSS
- Total Vulnerabilities By CWE
- WordPress Themes Vulnerabilities Reported
- WordPress Plugins Vulnerabilities Reported
New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.
Total Unpatched & Patched Vulnerabilities Last Week
| Patch Status | Number of Vulnerabilities |
|---|---|
| Patched | 81 |
| Unpatched | 87 |
Total Vulnerabilities by CVSS Severity Last Week
| Severity Rating | Number of Vulnerabilities |
|---|---|
| Low Severity | 1 |
| Medium Severity | 133 |
| High Severity | 27 |
| Critical Severity | 7 |
Total Vulnerabilities by CWE Type Last Week
| Vulnerability Type by CWE | Number of Vulnerabilities |
|---|---|
| Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 64 |
| Missing Authorization | 26 |
| Cross-Site Request Forgery (CSRF) | 22 |
| Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) | 9 |
| Exposure of Sensitive Information to an Unauthorized Actor | 7 |
| Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 7 |
| Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 7 |
| Improper Control of Generation of Code (‘Code Injection’) | 5 |
| Unrestricted Upload of File with Dangerous Type | 5 |
| Deserialization of Untrusted Data | 4 |
| Server-Side Request Forgery (SSRF) | 3 |
| Improper Input Validation | 2 |
| Authorization Bypass Through User-Controlled Key | 1 |
| Client-Side Enforcement of Server-Side Security | 1 |
| Improper Authorization | 1 |
| Improper Neutralization of Formula Elements in a CSV File | 1 |
| Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | 1 |
| Improper Privilege Management | 1 |
| Relative Path Traversal | 1 |
WordPress Themes with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
|---|---|
| App, SaaS & Software Startup Tech Theme – Stratus | stratus |
| Blocksy | blocksy |
| Findgo – Directory Listing WordPress Theme | findgo |
| Kalium 3 | Creative WordPress & WooCommerce Theme | kalium |
| Makeaholic – Beauty Cosmetics WordPress Theme | makeaholic |
| Modernize – Flexibility of WordPress | modernize |
| OceanWP | oceanwp |
| Savoy | savoy |
| Soledad | soledad |
| unicamp | unicamp |
| WP Rentals – Booking Accommodation WordPress Theme | wprentals |
WordPress Plugins with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
|---|---|
| 12 Step Meeting List | 12-step-meeting-list |
| Add Custom Codes – Insert Header, Footer, Custom PHP Snippets, CSS, Javascript | add-custom-codes |
| Add User Meta | add-user-meta |
| Advanced File Manager – Ultimate WP File Manager And Document Library Solution | file-manager-advanced |
| Advanced iFrame | advanced-iframe |
| AL Pack | alpack |
| Alobaidi Captcha | alobaidi-captcha |
| Anber Elementor Addon | anber-elementor-addon |
| AnWP Football Leagues | football-leagues-by-anwppro |
| Appointment Booking & Scheduling Plugin — Webba Booking Calendar | webba-booking-lite |
| Assistant for NextGEN Gallery | assistant-for-nextgen-gallery |
| Authentication and xmlrpc log writer | authentication-and-xmlrpc-log-writer |
| Awesome Support – WordPress HelpDesk & Support Plugin | awesome-support |
| AWStats Script | awstats-script |
| B Blocks – Essential Gutenberg Blocks & Patterns Collection | b-blocks |
| B Slider – Responsive Image Slider | b-slider |
| Barcode Scanner (+Mobile App) – Inventory manager, Order fulfillment system, POS (Point of Sale) | barcode-scanner-lite-pos-to-manage-products-inventory-and-orders |
| BetterDocs – Advanced AI-Driven Documentation, FAQ & Knowledge Base Tool for Elementor & Gutenberg with Encyclopedia, AI Support, Instant Answers | betterdocs |
| Billplz Addon for Contact Form 7 | billplz-for-contact-form-7 |
| Bit Form – Custom Contact Form, Multi Step, Conversational, Payment & Quiz Form builder | bit-form |
| BizCalendar Web | bizcalendar-web |
| Blog Designer PRO for WordPress | blog-designer-pro |
| Build App Online | build-app-online |
| CF7 Spreadsheets | cf7-spreadsheets |
| CM Search And Replace – Optimize content edits with a powerful search and replace tool | cm-on-demand-search-and-replace |
| CodeablePress: Simple Frontend Profile Picture Upload | codeablepress-simple-frontend-profile-picture-upload |
| Contact Info Widget | simple-contact-info-widget |
| Custom Comment | customcomment |
| Custom Menu | custom-menu |
| Database for Contact Form 7, WPforms, Elementor forms | contact-form-entries |
| DigitalOcean Spaces Sync | do-spaces-sync |
| Drag and Drop Multiple File Upload for Contact Form 7 | drag-and-drop-multiple-file-upload-contact-form-7 |
| Dropshix | dropshipping-xox |
| Dynamic Pricing With Discount Rules for WooCommerce | aco-woo-dynamic-pricing |
| E-cab Taxi Booking Manager for Woocommerce | ecab-taxi-booking-manager |
| Earnware Connect | earnware-connect |
| Easy Elementor Addons | easy-elementor-addons |
| Easy restaurant menu manager | easy-pdf-restaurant-menu-upload |
| Elementor Website Builder – More Than Just a Page Builder | elementor |
| elink – Embed Content | elink-embed-content |
| Elizaibots | elizaibot-chatbots |
| Embed Bokun | embed-bokun |
| Embedder for Google Reviews | embedder-for-google-reviews |
| Essential Addons for Elementor – Popular Elementor Templates & Widgets | essential-addons-for-elementor-lite |
| Eventin – AI Powered Event Manager, Events Calendar, Booking and Tickets Plugin | wp-event-solution |
| EventON – Events Calendar | eventon-lite |
| File Manager Pro | wp-file-manager-pro |
| File Manager Pro – Filester | filester |
| flexo-social-gallery | flexo-social-gallery |
| Forms | forms-by-made-it |
| Frontend Admin by DynamiApps | acf-frontend-form-element |
| Gestion de tarifs | gestion-tarifs |
| GMap Generator | gmap-venturit |
| Graphina – Elementor Charts and Graphs | graphina-elementor-charts-and-graphs |
| Hide Text Shortcode | hide-text-shortcode |
| Icons Factory | icons-factory |
| Infility Global | infility-global |
| Inline Stock Quotes | inline-stock-quotes |
| Inpersttion For Theme | err-our-team |
| Inspectlet – User Session Recording and Heatmaps | inspectlet-heatmaps-and-user-session-recording |
| Intl DateTime Calendar | intl-datetime-calendar |
| JetElements | jet-elements |
| JetProductGallery | jet-woo-product-gallery |
| JobSearch WP Job Board | wp-jobsearch |
| Kadence WooCommerce Email Designer | kadence-woocommerce-email-designer |
| Laposta WooCommerce | laposta-woocommerce |
| Last.fm Recent Album Artwork | lastfm-recent-album-artwork |
| LatestCheckins | latestcheckins |
| Linux Promotional Plugin | linux-promotional-plugin |
| Master Addons – Elementor Addons with White Label, Free Widgets | master-addons |
| Membership For WooCommerce – WordPress Membership Plugin, Restrict Content, Build Online Communities, Paywall & Content Dripping | membership-for-woocommerce |
| Mosaic Generator | mosaic-generator |
| Neon Channel Product Customizer Free | neon-channel-product-customizer-free |
| Netease Music | netease-music |
| NetInsight Analytics Implementation Plugin | netinsight-analytics-implementation-plugin |
| Nexter Gutenberg Blocks – Website Builder & 1000+ Starter Templates | the-plus-addons-for-block-editor |
| oik | oik |
| Online Booking & Scheduling Calendar for WordPress by vcita | meeting-scheduler-by-vcita |
| Order Tip for WooCommerce | order-tip-woo |
| OTP Login With Phone Number, OTP Verification | login-with-phone-number |
| Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress | wp-user-avatar |
| Pending Order Bot | pending-order-bot |
| Plugin README Parser | wp-readme-parser |
| Poll Maker – Versus Polls, Anonymous Polls, Image Polls | poll-maker |
| Premium Addons for KingComposer | premium-addons-for-kingcomposer |
| Premium Packages – Sell Digital Products Securely | wpdm-premium-packages |
| Primer MyData for Woocommerce | primer-mydata |
| Print My Blog – Print, PDF, & eBook Converter WordPress Plugin | print-my-blog |
| Project Cost Calculator | project-cost-calculator |
| Project Management, Bug and Issue Tracking Plugin – Software Issue Manager | software-issue-manager |
| Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker | quiz-master-next |
| Quttera Web Malware Scanner | quttera-web-malware-scanner |
| Radius Blocks – WordPress Gutenberg Blocks | radius-blocks |
| Real Estate Manager Pro | real-estate-manager-pro |
| Responsive Posts Carousel WordPress Plugin | responsive-posts-carousel-pro |
| RSS Feed Pro | rss-feed-pro |
| RT Easy Builder – Advanced addons for Elementor | rt-easy-builder-advanced-addons-for-elementor |
| School Management System for WordPress | school-management |
| ServerBuddy by PluginBuddy.com | serverbuddy-by-pluginbuddy |
| Shortcode Redirect | shortcode-redirect |
| Simple Local Avatars | simple-local-avatars |
| Simple Login Log | simple-login-log |
| Simple Poll | simple-poll |
| Simple Responsive Slider | addi-simple-slider |
| Simplified Plugin | simplified |
| SoundSt SEO Search | soundst-seo-search |
| StoryChief | story-chief |
| Surbma | Recent Comments Shortcode | surbma-recent-comments-shortcode |
| Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI | simple-tags |
| Templatera | templatera |
| Thank You Page Customizer for WooCommerce – Increase Your Sales | woo-thank-you-page-customizer |
| The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce | the-plus-addons-for-elementor-page-builder |
| Thim Core | thim-core |
| Time Sheets | time-sheets |
| Translate This gTranslate Shortcode | translate-this-google-translate-web-element-shortcode |
| Tutor LMS Pro | tutor-pro |
| UiCore Elements – Free Elementor widgets and templates | uicore-elements |
| Ultimate Video Player WordPress & WooCommerce Plugin | fwduvp |
| User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor | profile-builder |
| Vertical scroll slideshow gallery v2 | vertical-scroll-slideshow-gallery-v2 |
| Video Expander | video-expander |
| Visual Composer Website Builder | visualcomposer |
| weichuncai(WP伪春菜) | weichuncai |
| Welcart e-Commerce | usc-e-shop |
| Woocommerce Blocks – Woolook | woolook |
| WooCommerce Purchase Orders | wc-purchase-orders |
| WordLift – AI powered SEO – Schema | wordlift |
| WordPress Event Manager, Event Calendar and Booking Plugin | eventin-pro |
| WordPress StoryMap Plugin | wp-storymap |
| WP Airdrop Manager | airdrop |
| Wp chart generator | wp-chart-generator |
| WP Discord Post Plus – Supports Unlimited Channels | wp-discord-post-plus |
| WP Dynamic Links | wp-dynamic-links |
| WP Emmet | wp-emmet |
| WP Membership | wp-membership |
| WP Pipes | wp-pipes |
| WP Private Content Plus | wp-private-content-plus |
| WP Statistics – Simple, privacy-friendly Google Analytics alternative | wp-statistics |
| WP Table Builder – Drag & Drop Table Builder | wp-table-builder |
| WP Voting | wp-voting |
| WP-Database-Optimizer-Tools | wp-database-optimizer-tools |
| WPGYM – WordPress Gym Management System | gym-management |
Have ServiceNow & WordPress?
Purchase ServicePress Core and get ServicePress: Wordfence Security (add-on) for Free.