Last week, 93 vulnerabilities disclosed in 83 WordPress Plugins and 2 WordPress Themes were added to the Wordfence Intelligence Vulnerability Database, and 28 Vulnerability Researchers contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
Table of Contents
- New Firewalls
- Total Patched & Unpatched
- Total Vulnerabilities By CVSS
- Total Vulnerabilities By CWE
- WordPress Themes Vulnerabilities Reported
- WordPress Plugins Vulnerabilities Reported

New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30-day delay.
Total Unpatched & Patched Vulnerabilities Last Week
Patch Status | Number of Vulnerabilities |
---|---|
Patched | 27 |
Unpatched | 66 |
Total Vulnerabilities by CVSS Severity Last Week
Severity Rating | Number of Vulnerabilities |
---|---|
Low Severity | 1 |
Medium Severity | 73 |
High Severity | 11 |
Critical Severity | 8 |
Total Vulnerabilities by CWE Type Last Week
Vulnerability Type by CWE | Number of Vulnerabilities |
---|---|
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 42 |
Cross-Site Request Forgery (CSRF) | 17 |
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 6 |
Missing Authorization | 5 |
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) | 3 |
Unrestricted Upload of File with Dangerous Type | 3 |
Authentication Bypass Using an Alternate Path or Channel | 2 |
Exposure of Sensitive Information to an Unauthorized Actor | 2 |
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | 2 |
External Control of File Name or Path | 1 |
Improper Access Control | 1 |
Improper Authorization | 1 |
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 1 |
Improper Neutralization of Directives in Statically Saved Code (‘Static Code Injection’) | 1 |
Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) | 1 |
Improper Verification of Cryptographic Signature | 1 |
Missing Authentication for Critical Function | 1 |
Server-Side Request Forgery (SSRF) | 1 |
Unverified Password Change | 1 |
Use of Hard-coded Cryptographic Key | 1 |

WordPress Themes with Reported Vulnerabilities Last Week
Software Name | Software Slug |
---|---|
Constructor | constructor |
Customify | customify |
WordPress Plugins with Reported Vulnerabilities Last Week
Software Name | Software Slug |
---|---|
A Simple Multilanguage Plugin | a-simple-multilanguage |
AffiliateWP | affiliate-wp |
All in One Music Player | all-in-one-music-player |
All Social Share Options | all-social-share-options |
Any News Ticker | any-news-ticker |
AP Background | ap-background |
Appy Pie Connect for WooCommerce | appy-pie-connect-for-woocommerce |
Auto Bulb Finder for WordPress | auto-bulb-finder-for-wp-wc |
Backup Bolt | backup-bolt |
Bei Fen – WordPress Backup Plugin | bei-fen |
Big Post Shipping for WooCommerce | woo-bigpost-shipping |
Blappsta Mobile App Plugin – Your native, mobile iPhone App and Android App | yournewsapp |
Block For Mailchimp – Easy Mailchimp Form Integration | block-for-mailchimp |
BP Direct Menus | bp-direct-menus |
Chat by Chatwee | chatwee |
Comment Info Detector | comment-info-detector |
ContentMX Content Publisher | contentmx-content-publisher |
Contest Gallery – Upload, Vote & Sell with PayPal and Stripe | contest-gallery |
Copypress Rest API | copypress-rest-api |
Cost Calculator Builder | cost-calculator-builder |
dbview | dbview |
Easy Elementor Addons – Addons Pack for Elementor Page Builder | easy-elementor-addons |
Epic Bootstrap Buttons | epic-bootstrap-buttons |
Eulerpool Research Systems | alleaktien-quantitativ |
Event Tickets, RSVPs, Calendar | ticket-spot |
FancyTabs | fancytabs |
File Manager, Code Editor, and Backup by Managefy | softdiscover-db-file-manager |
Fintelligence Calculator | fintelligence-calculator |
Flexi – Guest Submit | flexi |
Generic Elements | generic-elements-for-elementor |
GiveWP – Donation Plugin and Fundraising Platform | give |
GutenBee – Gutenberg Blocks | gutenbee |
Integrate Dynamics 365 CRM | integrate-dynamics-365-crm |
Interactive Human Anatomy with Clickable Body Parts | interactive-medical-drawing-of-human-body |
Ird Slider | ird-slider |
JoomSport – for Sports: Team & League, Football, Hockey & more | joomsport-sports-league-results-management |
LatePoint – Calendar Booking Plugin for Appointments and Events | latepoint |
Layers | layers |
LockerPress – WordPress Security Plugin | lockerpress-wordpress-security |
Majestic Before After Image | majestic-before-after-image |
Meks Easy Maps | meks-easy-maps |
Mihdan: Elementor Yandex Maps | mihdan-elementor-yandex-maps |
Mobile Site Redirect | mobile-site-redirect |
MPWizard – Create Mercado Pago Payment Links | mpwizard |
My AskAI | my-askai |
Nexa Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE | nexa-blocks |
Notification Bar | simple-bar |
OAuth Single Sign On – SSO (OAuth Client) | miniorange-login-with-eve-online-google-facebook |
Optimize More! – CSS | optimize-more-css |
PayPal Forms | paypal-forms |
planetcalc | planetcalc |
Post By Email | post-by-email |
Qyrr – simply and modern QR-Code creation | qyrr-code |
Restrict User Registration | restrict-user-registration |
RestroPress – Online Food Ordering System | restropress |
Schema Plugin For Divi, Gutenberg & Shortcodes | wp-structured-data-schema |
SiteAlert (Formerly WP Health) | my-wp-health-check |
Smart Docs | smart-docs |
SmartCrawl SEO checker, analyzer & optimizer | smartcrawl-seo |
Spirit Framework | spirit-framework |
Survey Anyplace | surveyanyplace |
TableGen – Data Table Generator | table-creator |
TextBuilder | textbuilder |
The Pack Elementor addon | the-pack-addon |
Tiny Bootstrap Elements Light | tiny-bootstrap-elements-light |
Trinity Audio – Text to Speech AI audio player to convert content into audio | trinity-audio |
Ultimate Multi Design Video Carousel | ultimate-multi-design-video-carousel |
Ultimate Viral Quiz | ultimate-viral-quiz |
Ultra Addons Lite for Elementor | ut-elementor-addons-lite |
Unify | unify |
WDesignKit – Elementor & Gutenberg Starter Templates, Patterns, Cloud Workspace & Widget Builder | wdesignkit |
WeedMaps Menu for WordPress | weedmaps-menu-embed |
Woo superb slideshow transition gallery with random effect | woo-superb-slideshow-transition-gallery-with-random-effect |
Wp cycle text announcement | wp-cycle-text-announcement |
WP Dispatcher | wp-dispatcher |
WP Photo Album Plus | wp-photo-album-plus |
WP Photo Effects | wp-photo-effects |
WP SinoType | wp-sinotype |
WPRecovery | wprecovery |
X Addons for Elementor | x-addons-elementor |
Yoast SEO Premium | wordpress-seo-premium |
Yoga Schedule Momoyoga | momoyoga-integration |
ZoloBlocks – Gutenberg Block Editor Plugin with Advanced Blocks, Dynamic Content, Templates & Patterns | zoloblocks |
