Last week, there were 99 vulnerabilities disclosed in 89 WordPress Plugins and 12 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 41 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
Table of Contents
- New Firewalls
- Total Patched & Unpatched
- Total Vulnerabilities By CVSS
- Total Vulnerabilities By CWE
- WordPress Themes Vulnerabilities Reported
- WordPress Plugins Vulnerabilities Reported
New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.
Total Unpatched & Patched Vulnerabilities Last Week
| Patch Status | Number of Vulnerabilities |
|---|---|
| Patched | 46 |
| Unpatched | 53 |
Total Vulnerabilities by CVSS Severity Last Week
| Severity Rating | Number of Vulnerabilities |
|---|---|
| Medium Severity | 78 |
| High Severity | 17 |
| Critical Severity | 4 |
Total Vulnerabilities by CWE Type Last Week
| Vulnerability Type by CWE | Number of Vulnerabilities |
|---|---|
| Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 34 |
| Cross-Site Request Forgery (CSRF) | 19 |
| Missing Authorization | 16 |
| Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 11 |
| Unrestricted Upload of File with Dangerous Type | 4 |
| Authorization Bypass Through User-Controlled Key | 3 |
| Improper Control of Generation of Code (‘Code Injection’) | 3 |
| Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 2 |
| Server-Side Request Forgery (SSRF) | 2 |
| Absolute Path Traversal | 1 |
| Exposure of Sensitive Information to an Unauthorized Actor | 1 |
| External Control of File Name or Path | 1 |
| Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) | 1 |
| Use of Hard-coded Credentials | 1 |
WordPress Themes with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
|---|---|
| ButterBelly | butterbelly |
| Cloriato Lite | cloriato-lite |
| ColorWay | colorway |
| Compass | compass |
| Doccure | doccure |
| Dzonia Lite | dzonia-lite |
| Goza – Nonprofit Charity WordPress Theme | goza-theme |
| Mow | mow |
| Poloray | poloray |
| Rethink | rethink |
| Road Fighter | road-fighter |
| Themia Lite | themia-lite |
WordPress Plugins with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
|---|---|
| Additional Custom Product Tabs for WooCommerce | product-tabs-for-woocommerce |
| Admin in English with Switch | admin-in-english-with-switch |
| Advanced Settings 3 | advanced-settings |
| All in one Minifier | all-in-one-minifier |
| Analytics Reduce Bounce Rate | analytics-unbounce |
| Auto Save Remote Images (Drafts) | auto-save-remote-images-drafts |
| AutoCatSet | autocatset |
| AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress | automatorwp |
| azurecurve BBCode | azurecurve-bbcode |
| BerqWP – Automated All-In-One Page Speed Optimization for Core Web Vitals, Cache, CDN, Images, CSS, and JavaScript | searchpro |
| BeyondCart Connector | beyondcart |
| Blog Designer For Elementor – Post Slider, Post Carousel, Post Grid | blog-designer-for-elementor |
| Catalog Importer, Scraper & Crawler | intelligent-importer |
| Categorify – WordPress Media Library Category & File Manager | categorify |
| CatFolders – Tame Your WordPress Media Library by Category | catfolders |
| CBX Map for Google Map & OpenStreetMap | cbxgooglemap |
| Certifica WP | certifica-wp |
| Countdown Timer for Elementor | countdown-timer-for-elementor |
| Coupon API | couponapi |
| Digital Events Calendar | digital-events-calendar |
| Duplicate Page and Post | duplicate-wp-page-post |
| Dynamic Text Field For Contact Form 7 | dynamic-text-field-for-contact-form-7 |
| eID Easy | smart-id |
| Elements Plus! | elements-plus |
| Embed Google Datastudio | embed-google-data-studio |
| Enhanced BibliPlug | enhanced-bibliplug |
| Equalize Digital Accessibility Checker – Audit Your Website for WCAG, ADA, and Section 508 Accessibility Errors | accessibility-checker |
| Evenium | evenium |
| Export WP Page to Static HTML & PDF | export-wp-page-to-static-html |
| Football Pool | football-pool |
| Fortnox for WooCommerce | woocommerce-fortnox-integration |
| Heateor Login – Social Login Plugin | heateor-login |
| Import any XML, CSV or Excel File to WordPress | wp-all-import |
| Include Me | include-me |
| Jobify | jobify |
| LH Signing | lh-signing |
| LWS Cleaner | lws-cleaner |
| Maspik – Ultimate Spam Protection | contact-forms-anti-spam |
| Mikado Core | mikado-core |
| Mitfahrgelegenheit | mitfahrgelegenheit |
| Mixtape | mixtape |
| My Tickets – Accessible Event Ticketing | my-tickets |
| My WP Translate | my-wp-translate |
| MyBrain Utilities | mybrain-utilities |
| NitroPack – Caching & Speed Optimization for Core Web Vitals, Defer CSS & JS, Lazy load Images and CDN | nitropack |
| PagBank / PagSeguro Connect para WooCommerce | pagbank-connect |
| Payments Plugin and Checkout Plugin for WooCommerce: Stripe, PayPal, Square, Authorize.net | peachpay-for-woocommerce |
| PDF Generator for WordPress | pdf-generator-for-wp |
| PhpList Subber | phpls |
| Pixeline’s Email Protector | pixelines-email-protector |
| Plugin updates blocker | plugin-update-blocker |
| PowerPack Addons for Elementor (Free Widgets, Extensions and Templates) | powerpack-lite-for-elementor |
| Propovoice: All-in-One Client Management System | propovoice |
| Publish approval | publish-approval |
| Resideo Plugin for Resideo – Real Estate WordPress Theme | resideo-plugin |
| Responsive Addons for Elementor – Free Elementor Addons Plugin and Elementor Templates | responsive-addons-for-elementor |
| Responsive Filterable Portfolio | responsive-filterable-portfolio |
| Run Log | run-log |
| Salon Booking System – Free Version | salon-booking-system |
| Seo Monster | seo-monster |
| ShopLentor – WooCommerce Builder for Elementor & Gutenberg +21 Modules – All in One Solution (formerly WooLentor) | woolentor-addons |
| Side Slide Responsive Menu | side-slide-responsive-menu |
| Smartcat Translator for WPML | smartcat-wpml |
| Spotify Embed Creator | spotify-embed-creator |
| Testimonial | indianic-testimonial |
| The Events Calendar | the-events-calendar |
| The Hack Repair Guy’s Plugin Archiver | hackrepair-plugin-archiver |
| The integration of the AMO.CRM | leads-for-amo-crm |
| ThemeLoom Widgets | themeloom-widgets |
| Time Tracker | time-tracker |
| Tutor LMS – eLearning and online course solution | tutor |
| Ultimate Blogroll | ultimate-blogroll |
| Ultimate Classified Listings | ultimate-classified-listings |
| User Meta – User Profile Builder and User management plugin | user-meta |
| Welcart e-Commerce | usc-e-shop |
| Wilmer Core | wilmer-core |
| WooCommerce Booking Bundle Hours | woo-booking-bundle-hours |
| Workable Api | wrapper-for-workable-api |
| WP Blast | SEO & Performance Booster | wpblast |
| WP Easy FAQs | wp-easy-faqs |
| WP eBay Product Feeds | ebay-feeds-for-wordpress |
| WP Import – Ultimate CSV XML Importer for WordPress | wp-ultimate-csv-importer |
| WP Mailgun SMTP | wp-mailgun-smtp |
| WP Scriptcase | wp-scriptcase |
| WP SendGrid SMTP | wp-sendgrid-smtp |
| WP-Members Membership Plugin | wp-members |
| WPGYM – WordPress Gym Management System | gym-management |
| ZIP Code Based Content Protection | zip-code-based-content-protection |
| Zoho Flow – Integrate 100+ plugins with 1000+ business apps, no-code workflow automation | zoho-flow |
Have ServiceNow & WordPress?
Purchase ServicePress Core and get ServicePress: Wordfence Security (add-on) for Free.