Did you know Wordfence runs a Bug Bounty Program for all WordPress plugins and themes at no cost to vendors? Researchers can earn up to $31,200 per vulnerability, for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we handle all the rest.
Last week, there were 214 vulnerabilities disclosed in 184 WordPress Plugins and 9 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 78 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, including the WordPress community, so that individuals and organizations alike can use that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and use, both personally and commercially, and why we publish this weekly vulnerability report.
Enterprises, hosting providers, and even individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Alternatively, they can use the Vulnerability Database API to retrieve a complete dump of our database of over 22,000 vulnerabilities and then use the webhook integration to stay on top of the newest vulnerabilities and any updates made to the database as they happen, all for free.
Click here to sign up for our mailing list to receive weekly vulnerability reports like this one and important WordPress security reports in your inbox the moment they are published.
New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real time to our Premium, Care, and Response customers last week:
- WAF-RULE-804 – Data redacted while we work with the vendor on a patch.
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30-day delay.
Total Unpatched & Patched Vulnerabilities Last Week
Patch Status | Number of Vulnerabilities |
---|---|
Patched | 186 |
Unpatched | 28 |
Total Vulnerabilities by CVSS Severity Last Week
Severity Rating | Number of Vulnerabilities |
---|---|
Low Severity | 4 |
Medium Severity | 181 |
High Severity | 23 |
Critical Severity | 6 |
Total Vulnerabilities by CWE Type Last Week
Vulnerability Type by CWE | Number of Vulnerabilities |
---|---|
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 84 |
Missing Authorization | 43 |
Cross-Site Request Forgery (CSRF) | 31 |
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 15 |
Server-Side Request Forgery (SSRF) | 7 |
Deserialization of Untrusted Data | 6 |
Exposure of Sensitive Information to an Unauthorized Actor | 5 |
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 5 |
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) | 4 |
Unrestricted Upload of File with Dangerous Type | 3 |
Improper Control of Generation of Code (‘Code Injection’) | 2 |
URL Redirection to Untrusted Site (‘Open Redirect’) | 2 |
Authentication Bypass Using an Alternate Path or Channel | 1 |
Doubled Character XSS Manipulations | 1 |
Exposure of Sensitive Information Through Metadata | 1 |
Generation of Error Message Containing Sensitive Information | 1 |
Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’) | 1 |
Improper Privilege Management | 1 |
Incorrect Privilege Assignment | 1 |
Researchers That Contributed to WordPress Security Last Week
| Researcher Name | Number of Vulnerabilities |
|---|---|
| | 20 |
| | 17 |
| | 14 |
| | 8 |
| | 8 |
| | 6 |
| | 6 |
| | 6 |
| | 5 |
| | 5 |
| | 4 |
| | 4 |
| | 4 |
| | 4 |
| | 4 |
| | 3 |
| | 3 |
| | 3 |
| | 3 |
| | 3 |
| | 3 |
| | 3 |
| | 3 |
| | 2 |
| | 2 |
| | 2 |
| | 2 |
| | 2 |
| | 2 |
| | 2 |
| | 2 |
| | 2 |
| | 2 |
| | 2 |
| | 2 |
| | 2 |
| | 2 |
| | 2 |
| | 2 |
| | 2 |
| | 2 |
| | 2 |
| | 2 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added to the Wordfence Intelligence leaderboard and mentioned in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
Software Name | Software Slug |
---|---|
1003 Mortgage Application | 1003-mortgage-application |
12 Step Meeting List | 12-step-meeting-list |
ABC Notation | abc-notation |
Activity Plus Reloaded for BuddyPress | bp-activity-plus-reloaded |
aDirectory – WordPress Directory Listing Plugin | adirectory |
Admin and Site Enhancements (ASE) | admin-site-enhancements |
Admin and Site Enhancements (ASE) Pro | admin-site-enhancements-pro |
Advanced Notifications | advanced-notifications |
affiliate-toolkit – WP Affiliate Plugin with Amazon | affiliate-toolkit-starter |
AI Chatbot for WordPress – Hyve Lite | hyve-lite |
AI Power: Complete AI Pack | gpt3-ai-content-generator |
All Embed – Elementor Addons | all-embed-addons-for-elementor |
AnyRoad | anyguide |
Appointment Booking Calendar Plugin and Scheduling Plugin – BookingPress | bookingpress-appointment-booking |
Ask Me Anything (Anonymously) | ask-me-anything-anonymously |
Auction Nudge – Your eBay on Your Site | auction-nudge |
Automate Hub Free by Sperse.IO | automate-hub-free-by-sperse-io |
Avada (Fusion) Builder | fusion-builder |
Bilingual Linker | bilingual-linker |
Blur Text | blur-text |
BMLT Meeting Map | bmlt-meeting-map |
Booking Calendar Contact Form | booking-calendar-contact-form |
Boom Fest | boom-fest |
Bridge Core | bridge-core |
Broadcast Live Video – Live Streaming : WebRTC, HLS, RTSP, RTMP | videowhisper-live-streaming-integration |
Broadstreet | broadstreet |
brodos.net Onlineshop Plugin | brodos-net-onlineshop |
Bubble Menu – Sticky Navigation with Floating Button Menu Solution | bubble-menu |
Bug Library | bug-library |
Build Private Store For Woocommerce | build-private-store-for-woocommerce |
Button Generator – easily Button Builder | button-generation |
Caching Compatible Cookie Opt-In and JavaScript | caching-compatible-cookie-optin-and-javascript |
Call Now Button – The #1 Click to Call Button for WordPress | call-now-button |
Chained Quiz | chained-quiz |
Chalet-Montagne.com Tools | chalet-montagne-com-tools |
Cliptakes | cliptakes |
Comment Edit Core – Simple Comment Editing | simple-comment-editing |
Connections Business Directory | connections |
Contact Form 7 Widget For Elementor Page Builder & Gutenberg Blocks | ht-contactform |
Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder | bit-form |
Contact Form Email | contact-form-to-email |
Countdown Timer – Widget Countdown | widget-countdown |
Counter Box: Add Engaging Countdowns, Timers & Counters to Your WordPress Site | counter-box |
Create with Code | create-with-code |
Custom Product Tabs Lite for WooCommerce | woocommerce-custom-product-tabs-lite |
Divi Carousel Maker | wow-carousel-for-divi-lite |
Easy Real Estate | easy-real-estate |
Easy YouTube Gallery | easy-youtube-gallery |
ElementInvader Addons for Elementor | elementinvader-addons-for-elementor |
Email Subscription Popup | email-subscribe |
Essential Real Estate | essential-real-estate |
Estatebud – Properties & Listings | estatebud-properties-listings |
Etsy Importer | etsy-importer |
Event post | event-post |
ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) | google-analytics-dashboard-for-wp |
Export All Posts, Products, Orders, Refunds & Users | wp-ultimate-exporter |
Extensions For CF7 (Contact form 7 Database, Conditional Fields and Redirection) | extensions-for-cf7 |
FAQ Builder AYS | faq-builder-ays |
FireCask Like & Share Button | facebook-like-send-button |
Flexmls® IDX Plugin | flexmls-idx |
FluentSMTP – WP SMTP Plugin with Amazon SES, SendGrid, MailGun, Postmark, Google and Any SMTP Provider | fluent-smtp |
Form Builder CP | cp-easy-form-builder |
FundPress – WordPress Donation Plugin | fundpress |
FV Thoughtful Comments | thoughtful-comments |
GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress | gamipress |
GDPR CCPA Compliance & Cookie Consent Banner | ninja-gdpr-compliance |
GoHero Store Customizer for WooCommerce | personalize-woocommerce-cart-page |
Gutenberg Blocks and Page Layouts – Attire Blocks | attire-blocks |
Gutenberg Blocks with AI by Kadence WP – Page Builder Features | kadence-blocks |
HelloAsso | helloasso |
Icegram Engage – Ultimate WP Popup Builder, Lead Generation, Optins, and CTA | icegram |
Import WP – Export and Import CSV and XML files to WordPress | jc-importer |
Internal Links Manager | seo-automated-link-building |
IP2Location Country Blocker | ip2location-country-blocker |
JetElements | jet-elements |
JSM Show Post Metadata | jsm-show-post-meta |
KB Support – Customer Support Ticket & Helpdesk Plugin, Knowledge Base Plugin | kb-support |
Ketchup Shortcodes | ketchup-shortcodes-pack |
LearnDash LMS | sfwd-lms |
LearnPress – WordPress LMS Plugin | learnpress |
Lifetime free Drag & Drop Contact Form Builder for WordPress VForm | v-form |
Linear | linear |
Link Library | link-library |
Listamester | listamester |
Magic the Gathering Card Tooltips | magic-the-gathering-card-tooltips |
Masy Gallery | masy-gallery |
MDTF – Meta Data and Taxonomies Filter | wp-meta-data-filter-and-taxonomy-filter |
Membership Plugin – Restrict Content | restrict-content |
Multiple Page Generator Plugin – MPG | multiple-pages-generator-by-porthas |
MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution | dc-woocommerce-multi-vendor |
Nested Pages | wp-nested-pages |
NOTICE BOARD BY TOWKIR | notice-board-by-towkir |
Orbisius Simple Notice | orbisius-simple-notice |
Page Builder Gutenberg Blocks – CoBlocks | coblocks |
Page Builder: Pagelayer – Drag and Drop website builder | pagelayer |
Patreon WordPress | patreon-connect |
Paytium: Mollie payment forms & donations | paytium |
PDF Invoices for WooCommerce + Drag and Drop Template Builder | pdf-for-woocommerce |
People Lists | people-lists |
Picture Gallery – Frontend Image Uploads, AJAX Photo List | picture-gallery |
Plethora Plugins Tabs + Accordions | plethora-tabs-accordions |
Popup Box: Create Popups Easily | popup-box |
Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popups Builder | popup-maker |
Post Duplicator | post-duplicator |
Post Grid Master – Custom Post Types, Taxonomies & Ajax Filter Everything with Infinite Scroll, Load More, Pagination & Shortcode Builder | ajax-filter-posts |
Post Grid, Slider & Carousel Ultimate – with Shortcode, Gutenberg Block & Elementor Widget | post-grid-carousel-ultimate |
Power Ups for Elementor | power-ups-for-elementor |
PPO Call To Actions | ppo-call-to-actions |
PPOM – Product Addons & Custom Fields for WooCommerce | woocommerce-product-addon |
Precious Metals Charts and Widgets for WordPress | precious-metals-chart-and-widgets |
Premium Packages – Sell Digital Products Securely | wpdm-premium-packages |
Prime Slider – Addons For Elementor (Revolution of a slider, Hero Slider, Post Slider and Ecommerce Slider) | bdthemes-prime-slider-lite |
Print Labels with Barcodes. Create price tags, product labels, order labels for WooCommerce | a4-barcode-generator |
Product Carousel Slider & Grid Ultimate for WooCommerce | woo-product-carousel-slider-and-grid-ultimate |
Product Size Charts Plugin for WooCommerce | woo-advanced-product-size-chart |
Product Table by WBW | woo-product-tables |
Quiz Maker Agency | quiz-maker |
Quiz Maker Business | quiz-maker |
Quiz Maker Developer | quiz-maker |
Radius Blocks – WordPress Gutenberg Blocks | radius-blocks |
Really Simple Security – Simple and Performant Security (formerly Really Simple SSL) | really-simple-ssl |
Responsive Addons for Elementor – Free Elementor Addons Plugin and Elementor Templates | responsive-addons-for-elementor |
Restrict Anonymous Access | restrict-anonymous-access |
ReviewsTap | reviewstap |
Roi Calculator | roi-calculator |
RomethemeKit For Elementor | rometheme-for-elementor |
RSVP and Event Management | rsvp |
RSVPMaker | rsvpmaker |
Sensly Online Presence | sensly-online-presence |
SEO Blogger to WordPress Migration using 301 Redirection | seo-blogger-to-wordpress-301-redirector |
SERPed.net | serped-net |
ShMapper by Teplitsa | shmapper-by-teplitsa |
Show/Hide Shortcode | showhide-shortcode |
Side Menu Lite – add sticky fixed buttons | side-menu-lite |
Simple Download Monitor | simple-download-monitor |
Simple Downloads List | simple-downloads-list |
Simple Gallery with Filter | simple-gallery-with-filter |
Social Proof Popups & Real-Time Notifications – Herd Effects | mwp-herd-effect |
Social Share, Social Login and Social Comments Plugin – Super Socializer | super-socializer |
Spexo Addons for Elementor – Free Elementor Addons, Widgets and Templates | sastra-essential-addons-for-elementor |
Stackable – Page Builder Gutenberg Blocks | stackable-ultimate-gutenberg-blocks |
Starter Templates — Elementor, WordPress & Beaver Builder Templates | astra-sites |
Sticky Buttons – floating buttons builder | sticky-buttons |
String locator | string-locator |
Subscription DNA® | subscriptiondna |
Super block slider – Responsive image & content slider | super-block-slider |
Survey Maker | survey-maker |
Tainacan | tainacan |
Tamara Checkout | tamara-checkout |
Target Video Easy Publish | brid-video-easy-publish |
Taxonomy/Term and Role based Discounts for WooCommerce | taxonomy-discounts-woocommerce |
The Events Calendar | the-events-calendar |
ThemeREX Addons | trx_addons |
Themify Builder | themify-builder |
Thim Elementor Kit | thim-elementor-kit |
Tourfic – Ultimate Hotel Booking, Travel Booking & Car Rental WordPress Plugin \| WooCommerce Booking | tourfic |
Ultimate Coming Soon & Maintenance | ultimate-coming-soon |
Variation Swatches for WooCommerce | th-variation-swatches |
VikBooking Hotel Booking Engine & PMS | vikbooking |
Visual Website Collaboration, Feedback & Project Management – Atarim | atarim-visual-collaboration |
WC Affiliate – A Complete WooCommerce Affiliate Plugin | wc-affiliate |
Wishlist for WooCommerce | wt-woocommerce-wishlist |
WooCommerce Cloak Affiliate Links | woocommerce-cloak-affiliate-links |
WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels | print-invoices-packing-slip-labels-for-woocommerce |
WooCommerce Product Table Lite | wc-product-table-lite |
WooCommerce Quick View | woo-quick-view |
WordPress SEO Friendly Accordion FAQ with AI assisted content generation | notice-faq |
WP Contact Form7 Email Spam Blocker | wp-contact-form7-email-spam-blocker |
WP Duplicate – WordPress Migration Plugin | local-sync |
WP Go Maps (formerly WP Google Maps) | wp-google-maps |
WP Google Street View (with 360° virtual tour) & Google maps + Local SEO | wp-google-street-view |
WP Hotel Booking | wp-hotel-booking |
WP Panoramio | wp-panoramio |
WP Visitor Statistics (Real Time Traffic) | wp-stats-manager |
WP VR – 360 Panorama and Free Virtual Tour Builder For WordPress | wpvr |
WP-BibTeX | wp-bibtex |
wp-greet | wp-greet |
WP-Polls | wp-polls |
WPBookit | wpbookit |
WPBot Pro WordPress Chatbot | wpbot-pro |
Xagio SEO – AI Powered Optimization | xagio-seo |
XML for Google Merchant Center | xml-for-google-merchant-center |
Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress | youzify |
Zarinpal Paid Download | zarinpal-paid-downloads |
WordPress Themes with Reported Vulnerabilities Last Week
Software Name | Software Slug |
---|---|
AdForest | adforest |
Avada \| Website Builder For WordPress & WooCommerce | Avada |
Betheme | betheme |
Bootstrap Ultimate | bootstrap-ultimate |
Houzez | houzez |
jobify | jobify |
RealHomes | realhomes |
uDesign \| Multipurpose WordPress Theme | udesign |
Zox News | zox-news |
Vulnerability Details
Please note that if you run the Wordfence plugin on your WordPress site with the scanner enabled, you should already have been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to use.
As a reminder, Wordfence has curated an industry-leading vulnerability database, known as Wordfence Intelligence, covering all known WordPress core, theme, and plugin vulnerabilities.
This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, through submissions from vulnerability researchers via our Bug Bounty Program, and by monitoring various sources to capture all publicly available WordPress vulnerability information, adding additional context where we can.
The post Wordfence Intelligence Weekly WordPress Vulnerability Report (January 20, 2025 to January 26, 2025) appeared first on Wordfence.