Last week, there were 134 vulnerabilities disclosed in 110 WordPress Plugins and 16 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 47 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
Table of Contents
- New Firewalls
- Total Patched & Unpatched
- Total Vulnerabilities By CVSS
- Total Vulnerabilities By CWE
- WordPress Themes Vulnerabilities Reported
- WordPress Plugins Vulnerabilities Reported
New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.
Total Unpatched & Patched Vulnerabilities Last Week
| Patch Status | Number of Vulnerabilities |
|---|---|
| Patched | 66 |
| Unpatched | 68 |
Total Vulnerabilities by CVSS Severity Last Week
| Severity Rating | Number of Vulnerabilities |
|---|---|
| Medium Severity | 97 |
| High Severity | 26 |
| Critical Severity | 11 |
Total Vulnerabilities by CWE Type Last Week
| Vulnerability Type by CWE | Number of Vulnerabilities |
|---|---|
| Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 46 |
| Cross-Site Request Forgery (CSRF) | 26 |
| Missing Authorization | 16 |
| Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) | 9 |
| Deserialization of Untrusted Data | 7 |
| Authentication Bypass Using an Alternate Path or Channel | 4 |
| Exposure of Sensitive Information to an Unauthorized Actor | 4 |
| Incorrect Privilege Assignment | 4 |
| Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 3 |
| Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 3 |
| Server-Side Request Forgery (SSRF) | 3 |
| Improper Control of Generation of Code (‘Code Injection’) | 2 |
| Improper Privilege Management | 2 |
| Authorization Bypass Through User-Controlled Key | 1 |
| External Control of File Name or Path | 1 |
| Improper Authorization | 1 |
| Insertion of Sensitive Information into Log File | 1 |
| Unrestricted Upload of File with Dangerous Type | 1 |
WordPress Themes with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
|---|---|
| BlogMarks | blogmarks |
| ColorMag | colormag |
| Eximious Magazine | eximious-magazine |
| Glamer | glamer |
| Houzez | houzez |
| Inspiro | inspiro |
| JobZilla – Job Board WordPress Theme | jobzilla |
| Kalium 3 | Creative WordPress & WooCommerce Theme | kalium |
| Kipso – Education LMS WordPress Theme | kipso |
| Kitring – A Beauty & Hair Salon WordPress Theme | kitring |
| Magazine Elite | magazine-elite |
| Noo JobMonster | noo-jobmonster |
| organic-beauty | organic-beauty |
| Real Spaces – WordPress Properties Directory Theme | real-spaces |
| Sala – Startup & SaaS WordPress Theme | sala |
| Spacious | spacious |
WordPress Plugins with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
|---|---|
| Admin Menu Groups | admin-menu-groups |
| ads.txt Guru Connect | adstxt-guru-connect |
| Advance Food Menu | advance-food-menu |
| ATT YouTube Widget | att-youtube |
| AutoWP – AI Content Writer & Rewriter | autowp-ai-content-writer-rewriter |
| Backup Bolt | backup-bolt |
| Better Post & Filter Widgets for Elementor | better-post-filter-widgets-for-elementor |
| Bible SuperSearch | biblesupersearch |
| Bravis User | bravis-user |
| bxSlider integration for WordPress | bxslider-integration |
| Case Theme User | case-theme-user |
| Century ToolKit | century-toolkit |
| Church Admin | church-admin |
| Clickbank WordPress Plugin (Niche Storefront) | clickbank-niche-storefronts |
| Cloudflare Image Resizing – Optimize & Accelerate Your Images | cf-image-resizing |
| Comments Capcha Box | comments-capcha-box |
| Contact Manager | contact-manager |
| Cookie Warning | cookie-warning |
| CubeWP – All-in-One Dynamic Content Framework | cubewp-framework |
| Custom Comment | customcomment |
| Custom Query Shortcode | custom-query-shortcode |
| e-Boekhouden.nl | e-boekhoudennl-connector |
| Easy Digital Downloads – eCommerce Payments and Subscriptions made easy | easy-digital-downloads |
| Equalize Digital Accessibility Checker – Audit Your Website for WCAG, ADA, and Section 508 Accessibility Errors | accessibility-checker |
| Essential Doo Components for Visual Composer | animated-icon-banner-for-visual-composer |
| Eventin – AI Powered Event Manager, Events Calendar, Booking and Tickets Plugin | wp-event-solution |
| Flexible Map | wp-flexible-map |
| Fluent Support – Helpdesk & Customer Support Ticket System | fluent-support |
| FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce | wp-marketing-automations |
| FunnelKit – Funnel Builder for WooCommerce Checkout | funnel-builder |
| GiveWP – Donation Plugin and Fundraising Platform | give |
| Global DNS | global-dns |
| Greenshift – animation and page builder blocks | greenshift-animation-and-page-builder-blocks |
| Hesabfa Accounting | hesabfa-accounting |
| iFrame Block | iframe-block |
| iframe Wrapper | iframe-wrapper |
| JobWP – Job Board, Job Listing, Career Page and Recruitment Plugin | jobwp |
| JS Archive List | jquery-archive-list-widget |
| Kanpress | kanpress |
| Kento Splash Screen | kento-splash-screen |
| LifePress | lifepress |
| Link View | link-view |
| Listeo-Core – Directory Plugin by Purethemes | listeo-core |
| Markup Markdown | markup-markdown |
| MDTF – Meta Data and Taxonomies Filter | wp-meta-data-filter-and-taxonomy-filter |
| Media Library Assistant | media-library-assistant |
| Mesa Mesa Reservation Widget | mesa-mesa-reservation-widget |
| miraculouscore | miraculouscore |
| NEX-Forms – Ultimate Forms Plugin for WordPress | nex-forms-express-wp-form-builder |
| Nexter Gutenberg Blocks – Website Builder & 1000+ Starter Templates | the-plus-addons-for-block-editor |
| Ni WooCommerce Customer Product Report | ni-woocommerce-customer-product-report |
| Notice Bar | notice-bar |
| Ogulo – 360° Tour | ogulo-360-tour |
| Ovatheme Events | ova-events |
| Page Transition | page-transition |
| Popup for CF7 with Sweet Alert | cf7-sweet-alert-popup |
| Portfolio Manager Pro – WordPress Responsive Portfolio & Gallery | otw-portfolio-manager |
| PressApps Knowledge Base Contextual Sidebar Addon | pressapps-knowledge-base |
| ProveSource Social Proof | provesource |
| rajce | rajce |
| Raptive Ads | adthrive-ads |
| Recurring PayPal Donations | recurring-donation |
| Redirection for Contact Form 7 | wpcf7-redirect |
| Restore Permanently delete Post or Page Data | restore-permanently-delete-post-or-page-data |
| Risk Free Cash On Delivery (COD) – WooCommerce | risk-free-cash-on-delivery-cod-woocommerce |
| SensorPress | sensorpress-uptime-monitoring |
| Sertifier Certificate & Badge Maker for WordPress – Tutor LMS | sertifier-certificates-open-badges |
| Sessions | sessions |
| ShortcodeHub – MultiPurpose Shortcode Builder | shortcodehub |
| Sign-up Sheets | sign-up-sheets |
| Silencesoft RSS Reader | external-rss-reader |
| Simple Business Directory Pro | simple-business-directory-pro |
| Simple Statistics for Feeds | simple-feed-stats |
| Simpler Checkout | simpler-checkout |
| Site Offline Or Coming Soon Or Maintenance Mode | site-offline |
| SlingBlocks – Gutenberg Blocks by FunnelKit (Formerly WooFunnels) | slingblocks |
| Spexo Addons for Elementor – Free Elementor Addons, Widgets and Templates | sastra-essential-addons-for-elementor |
| Statify Widget | statify-widget |
| Super Store Finder | superstorefinder-wp |
| Support Ticket | support-ticket |
| TC Testimonials | tc-testimonial |
| Templately – Elementor & Gutenberg Template Library: 5500+ Free & Pro Ready Templates And Cloud! | templately |
| Terms of Service & Privacy Policy Generator | terms-of-service-and-privacy-policy |
| ThemeMakers Visual Content Composer | tmm_content_composer |
| Themify Audio Dock | themify-audio-dock |
| Themify Builder | themify-builder |
| Themify Icons | themify-icons |
| tli.tl auto Twitter poster | tlitl-auto-twitter-poster |
| Ultimate twitter profile widget | ultimate-twitter-profile-widget |
| Varnish/Nginx Proxy Caching | vcaching |
| Video Gallery – Vimeo and YouTube Gallery | smart-grid-gallery |
| WC Plus | wc-plus |
| WP Admin Theme | wp-admin-theme |
| WP Colorbox | wp-colorbox |
| WP Crontrol | wp-crontrol |
| WP Fast Total Search – The Power of Indexed Search | fulltext-search |
| WP Filter & Combine RSS Feeds | wp-filter-combine-rss-feeds |
| WP Funnel Manager | wp-funnel-manager |
| WP Mailgun SMTP | wp-mailgun-smtp |
| WP Visitor Statistics (Real Time Traffic) | wp-stats-manager |
| WP Webhooks – Automate repetitive tasks by creating powerful automation workflows directly within WordPress | wp-webhooks |
| WPC Smart Compare for WooCommerce | woo-smart-compare |
| WPC Smart Quick View for WooCommerce | woo-smart-quick-view |
| WPMU Ldap Authentication | wpmuldap |
| WPPizza – A Restaurant Plugin | wppizza |
| Wptobe-memberships | wptobe-memberships |
| WS Theme Addons | ws-theme-addons |
| Яндекс.ПДС Пингер / Yandex Site search pinger | yandex-pinger |
| 多说社会化评论框 | duoshuo |
| 百度分享按钮 | baidushare-wp |
Have ServiceNow & WordPress?
Purchase ServicePress Core and get ServicePress: Wordfence Security (add-on) for Free.