Last week, 43 vulnerabilities disclosed in 38 WordPress plugins and 3 WordPress themes were added to the Wordfence Intelligence Vulnerability Database, and 28 vulnerability researchers contributed to WordPress security last week. Review the vulnerabilities in this report now to ensure your site is not affected.
Table of Contents
- New Firewalls
- Total Patched & Unpatched
- Total Vulnerabilities By CVSS
- Total Vulnerabilities By CWE
- WordPress Themes Vulnerabilities Reported
- WordPress Plugins Vulnerabilities Reported

New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real time to our Premium, Care, and Response customers last week:
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30-day delay.
Total Unpatched & Patched Vulnerabilities Last Week
| Patch Status | Number of Vulnerabilities | 
|---|---|
| Patched | 33 | 
| Unpatched | 10 | 
Total Vulnerabilities by CVSS Severity Last Week
| Severity Rating | Number of Vulnerabilities | 
|---|---|
| Medium Severity | 32 | 
| High Severity | 10 | 
| Critical Severity | 1 | 
Total Vulnerabilities by CWE Type Last Week
| Vulnerability Type by CWE | Number of Vulnerabilities | 
|---|---|
| Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 9 | 
| Cross-Site Request Forgery (CSRF) | 8 | 
| Missing Authorization | 8 | 
| Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 3 | 
| Authorization Bypass Through User-Controlled Key | 2 | 
| Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) | 2 | 
| Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 2 | 
| Unrestricted Upload of File with Dangerous Type | 2 | 
| Authentication Bypass Using an Alternate Path or Channel | 1 | 
| Deserialization of Untrusted Data | 1 | 
| Exposure of Sensitive Information to an Unauthorized Actor | 1 | 
| External Control of File Name or Path | 1 | 
| Improper Control of Generation of Code (‘Code Injection’) | 1 | 
| Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | 1 | 
| Improper Restriction of Excessive Authentication Attempts | 1 | 

WordPress Themes with Reported Vulnerabilities Last Week
| Software Name | Software Slug | 
|---|---|
| Entrada | entrada | 
| Leblix – Laboratory & Research WordPress Theme | leblix | 
| Sydney | sydney | 
WordPress Plugins with Reported Vulnerabilities Last Week
| Software Name | Software Slug | 
|---|---|
| Appointmind | appointmind | 
| Blaze Demo Importer | blaze-demo-importer | 
| Blocksy Companion | blocksy-companion | 
| Browser Sniff | browser-sniff | 
| Catch Dark Mode | catch-dark-mode | 
| Chained Quiz | chained-quiz | 
| ClickWhale – Link Manager, Link Shortener and Click Tracker for Affiliate Links & Link Pages | clickwhale | 
| Custom Login And Signup Widget | custom-login-and-signup-widget | 
| Developer Loggers for Simple History | developer-loggers-for-simple-history | 
| Download Manager | download-manager | 
| Draft List | simple-draft-list | 
| Embed PDF for WPForms | embed-pdf-wpforms | 
| Falang multilanguage for WordPress | falang | 
| Ghost Kit – Page Builder Blocks, Motion Effects & Extensions | ghostkit | 
| Internal Links Manager | seo-automated-link-building | 
| Kubio AI Page Builder | kubio | 
| Media Player Addons for Elementor – Audio and Video Widgets for Elementor | media-player-addons-for-elementor | 
| Memberlite Shortcodes | memberlite-shortcodes | 
| Miniorange OTP Verification with Firebase | miniorange-firebase-sms-otp-verification | 
| osTicket WP Bridge | osticket-wp-bridge | 
| Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WP Legal Pages | wplegalpages | 
| Productive Style – Optimisations & Content Publishing Support | productive-style | 
| Quantities and Units for WooCommerce | quantities-and-units-for-woocommerce | 
| Quiz Maker | quiz-maker | 
| Robcore Netatmo | robcore-netatmo | 
| Secure Passkeys | secure-passkeys | 
| Service Finder Bookings | sf-booking | 
| Service Finder SMS System | aone-sms | 
| Social Media Shortcodes | social-media-shortcodes | 
| StoreEngine – Powerful WordPress eCommerce Plugin for Payments, Memberships, Affiliates, Sales & More | storeengine | 
| SupportCandy – Helpdesk & Customer Support Ticket System | supportcandy | 
| SureForms – Drag and Drop Contact Form Builder – Multi-step Forms, Conversational Forms and more | sureforms | 
| The Events Calendar | the-events-calendar | 
| The Hack Repair Guy’s Plugin Archiver | hackrepair-plugin-archiver | 
| User Sync | user-sync | 
| USS Upyun | uss-upyun | 
| Wide Banner | wide-banner | 
| WP Import – Ultimate CSV XML Importer for WordPress | wp-ultimate-csv-importer | 