Last week, there were 116 vulnerabilities disclosed in 102 WordPress Plugins and 13 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 50 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
Table of Contents
- New Firewalls
- Total Patched & Unpatched
- Total Vulnerabilities By CVSS
- Total Vulnerabilities By CWE
- WordPress Themes Vulnerabilities Reported
- WordPress Plugins Vulnerabilities Reported
New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.
Total Unpatched & Patched Vulnerabilities Last Week
| Patch Status | Number of Vulnerabilities |
|---|---|
| Patched | 75 |
| Unpatched | 41 |
Total Vulnerabilities by CVSS Severity Last Week
| Severity Rating | Number of Vulnerabilities |
|---|---|
| Medium Severity | 86 |
| High Severity | 28 |
| Critical Severity | 2 |
Total Vulnerabilities by CWE Type Last Week
| Vulnerability Type by CWE | Number of Vulnerabilities |
|---|---|
| Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 42 |
| Cross-Site Request Forgery (CSRF) | 14 |
| Missing Authorization | 13 |
| Deserialization of Untrusted Data | 8 |
| Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) | 8 |
| Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 8 |
| Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 6 |
| Unrestricted Upload of File with Dangerous Type | 4 |
| Exposure of Sensitive Information to an Unauthorized Actor | 2 |
| Improper Privilege Management | 2 |
| Server-Side Request Forgery (SSRF) | 2 |
| Improper Authentication | 1 |
| Improper Authorization | 1 |
| Improper Control of Generation of Code (‘Code Injection’) | 1 |
| Improper Handling of Insufficient Permissions or Privileges | 1 |
| Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | 1 |
| Incorrect Authorization | 1 |
| URL Redirection to Untrusted Site (‘Open Redirect’) | 1 |
WordPress Themes with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
|---|---|
| AI Hub – Startup & Technology WordPress Theme | aihub |
| ArcHub – Architecture and Interior Design WordPress Theme | archub |
| Cars4Rent | Auto Rental & Taxi WordPress Theme + RTL | cars4rent |
| Golo – City Travel Guide WordPress Theme | golo |
| Houzez | houzez |
| Hub – Responsive Multi-Purpose WordPress Theme | hub |
| Ireca – Car Rental Boat, Bike, Vehicle, Calendar WordPress Theme | ireca |
| Jannah – Newspaper Magazine News BuddyPress AMP | jannah |
| Magazine Saga | magazine-saga |
| Makeaholic – Beauty Cosmetics WordPress Theme | makeaholic |
| Neresa – Elementor WordPress Theme | neresa-wp |
| Nuss – Hotel Booking WordPress | nuss |
| Pin = Pinterest Style / Personal Masonry Blog / Front-end Submission | pin-wp |
WordPress Plugins with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
|---|---|
| 140+ Widgets | Xpro Addons For Elementor – FREE | xpro-elementor-addons |
| Add Code To Head | add-code-to-head |
| AfterShip Tracking – All-In-One WooCommerce Order Tracking (Free plan available) | aftership-woocommerce-tracking |
| Ajax Search Lite – Live Search & Filter | ajax-search-lite |
| All Bootstrap Blocks | all-bootstrap-blocks |
| All-in-One WP Migration and Backup | all-in-one-wp-migration |
| Amministrazione Trasparente | amministrazione-trasparente |
| B Slider – Responsive Image Slider | b-slider |
| Beaver Builder – WordPress Page Builder | beaver-builder-lite-version |
| BetPress | betpress |
| bidorbuy Store Integrator | bidorbuystoreintegrator |
| Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection | stopbadbots |
| Bold Page Builder | bold-page-builder |
| Booking Calendar | booking |
| Booking System Trafft | booking-system-trafft |
| Booster for WooCommerce – PDF Invoices, Abandoned Cart, Variation Swatches & 100+ Tools | woocommerce-jetpack |
| Captcha.eu | captcha-eu |
| Chartbeat | chartbeat |
| Chatbox Manager | wa-chatbox-manager |
| Customer Support Ticket System & Helpdesk Plugin for WordPress | wp-ticket |
| Dokan Pro | dokan-pro |
| Drag and Drop File Upload for Elementor Forms | drag-and-drop-file-upload-for-elementor-forms |
| Dynamic AJAX Product Filters for WooCommerce | dynamic-ajax-product-filters-for-woocommerce |
| ElementInvader Addons for Elementor | elementinvader-addons-for-elementor |
| Employee Directory – Staff Listing & Team Directory Plugin for WordPress | employee-directory |
| Employee Spotlight – Team Member Showcase & Meet the Team Plugin | employee-spotlight |
| Epeken All Kurir Plugin for Woocommerce Full Version | epeken-all-kurir |
| Event Booking Manager for WooCommerce – WpEvently | mage-eventpress |
| Event List | eventlist |
| Events Addon for Elementor | events-addon-for-elementor |
| Exertio Framework | exertio-framework |
| Feeds For TikTok – Show TikTok Videos in Grid or Feed Layout | b-tiktok-feed |
| File Manager, Code Editor, and Backup by Managefy | softdiscover-db-file-manager |
| Goal Tracker for Patreon | goal-tracker-for-patreon |
| Google XML News Sitemap plugin | gn-xml-sitemap |
| Gutenify – Visual Site Builder Blocks & Site Templates. | gutenify |
| Houzez CRM | houzez-crm |
| iATS Online Forms | iats-online-forms |
| Instant Breaking News | instant-breaking-news |
| Invisible Optin | invisible-optin |
| JS Archive List | jquery-archive-list-widget |
| Lazy Load for Videos | lazy-load-for-videos |
| Link View | link-view |
| List Subpages | list-sub-pages |
| LWSCache | lwscache |
| Nest Addons | nest-addons |
| Newsletter subscription optin module | newsletter-subscription-widget-for-sendblaster |
| NextGEN Gallery Search | nextgen-gallery-search-galleries |
| Ocean Extra | ocean-extra |
| OSM Map Widget for Elementor | osm-map-elementor |
| Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE | otter-blocks |
| Page Manager for Elementor | page-manager-for-elementor |
| PDF for Elementor Forms + Drag And Drop Template Builder | pdf-for-elementor-forms |
| Podlove Podcast Publisher | podlove-podcasting-plugin-for-wordpress |
| Poll, Survey & Quiz Maker Plugin by Opinion Stage | social-polls-by-opinionstage |
| Post Type Converter | post-type-converter |
| PPWP – Password Protect WordPress | #1 Most-Reviewed Password Plugin | password-protect-page |
| Premium Age Verification / Restriction for WordPress | age-restriction |
| Printeers Print & Ship | invition-print-ship |
| Pro Bulk Watermark Plugin for WordPress | pro-watermark |
| Pronamic Google Maps | pronamic-google-maps |
| Related Posts Lite | related-posts-lite |
| Responsive Mobile-Friendly Tooltip | responsive-mobile-friendly-tooltip |
| Responsive YouTube Video Gallery Plugin for WordPress – YouTube Showcase | youtube-showcase |
| RingCentral Communications Plugin – FREE | rccp-free |
| Savyour Affiliate Partner | savyour-affiliate-partner |
| SEO For Images | seo-for-images |
| Simple Contact Form Plugin for WordPress – WP Easy Contact | wp-easy-contact |
| Simple Download Monitor | simple-download-monitor |
| Simple Page Access Restriction | simple-page-access-restriction |
| SiteSEO – SEO Simplified | siteseo |
| Slider Revolution | revslider |
| Small Package Quotes – USPS Edition | small-package-quotes-usps-edition |
| Solace Extra | solace-extra |
| Table Editor | wp-table-editor |
| TablePress – Tables in WordPress made easy | tablepress |
| Theme Blvd Widget Areas | theme-blvd-widget-areas |
| Theme Switcher Reloaded | theme-switcher-reloaded |
| Transcoder | transcoder |
| Tripadvisor Shortcode | tripadvisor-shortcode |
| UiCore Elements – Free Elementor widgets and templates | uicore-elements |
| Ultimate Tag Warrior Importer | utw-importer |
| Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin | uncanny-automator |
| Unlimited Elements For Elementor | unlimited-elements-for-elementor |
| UPC/EAN/GTIN Code Generator | upc-ean-barcode-generator |
| UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP | userswp |
| Vibes | vibes |
| Video Share VOD – Turnkey Video Site Builder Script | video-share-vod |
| WooCommerce csv import export | extendons-eo-wooimport-export |
| WooCommerce Payment Gateway for Saferpay | woocommerce-payment-gateway-for-saferpay |
| WordPress Automatic Plugin | wp-automatic |
| WordPress HTML | custom-html-bodyhead |
| WP Bulk Delete | wp-bulk-delete |
| WP Thumbtack Review Slider | wp-thumbtack-review-slider |
| WP ULike Pro | wp-ulike-pro |
| WPAvatar | wpavatar |
| Xagio SEO – AI Powered SEO | xagio-seo |
| XM-Backup | xm-backup |
| XmasB Quotes | xmasb-quotes |
| Xpro Theme Builder For Elementor – FREE | xpro-theme-builder |
| Yahoo! WebPlayer | yahoo-media-player |
| Zephyr Project Manager | zephyr-project-manager |
Have ServiceNow & WordPress?
Purchase ServicePress Core and get ServicePress: Wordfence Security (add-on) for Free.