In case you missed it, Wordfence just published its annual WordPress security report for 2024. Read it now to learn more about the evolving risk landscape of WordPress so you can keep your sites protected in 2025 and beyond.
Last week, there were 230 vulnerabilities disclosed in 197 WordPress Plugins and 14 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 53 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to implement layered security, aligning with our overarching mission to secure WordPress with defense in depth strategies. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.
Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 26,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
- My Tickets – Accessible Event Ticketing <= 2.0.16 – Authenticated (Subscriber+) Privilege Escalation
- WAF-RULE-822 – Data redacted while we work with the vendor on a patch.
- WAF-RULE-824 – Data redacted while we work with the vendor on a patch.
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.
Total Unpatched & Patched Vulnerabilities Last Week
Patch Status | Number of Vulnerabilities |
---|---|
Patched | 82 |
Unpatched | 148 |
Total Vulnerabilities by CVSS Severity Last Week
Severity Rating | Number of Vulnerabilities |
---|---|
Medium Severity | 170 |
High Severity | 35 |
Critical Severity | 25 |
Total Vulnerabilities by CWE Type Last Week
Vulnerability Type by CWE | Number of Vulnerabilities |
---|---|
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 91 |
Cross-Site Request Forgery (CSRF) | 42 |
Missing Authorization | 20 |
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 17 |
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) | 15 |
Deserialization of Untrusted Data | 10 |
Improper Control of Generation of Code (‘Code Injection’) | 6 |
Server-Side Request Forgery (SSRF) | 5 |
Unrestricted Upload of File with Dangerous Type | 5 |
Improper Privilege Management | 4 |
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 3 |
Unverified Password Change | 3 |
Exposure of Sensitive Information to an Unauthorized Actor | 2 |
External Control of Assumed-Immutable Web Parameter | 2 |
Authorization Bypass Through User-Controlled Key | 1 |
Improper Authentication | 1 |
Incorrect Authorization | 1 |
Incorrect Privilege Assignment | 1 |
Insertion of Sensitive Information Into Sent Data | 1 |
Researchers That Contributed to WordPress Security Last Week
Researcher Name | Number of Vulnerabilities |
---|---|
49 | |
16 | |
15 | |
12 | |
10 | |
10 | |
7 | |
7 | |
7 | |
6 | |
6 | |
5 | |
5 | |
4 | |
4 | |
4 | |
4 | |
4 | |
3 | |
3 | |
3 | |
3 | |
3 | |
3 | |
2 | |
2 | |
2 | |
2 | |
2 | |
2 | |
2 | |
2 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 |
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
Software Name | Software Slug |
---|---|
1 Decembrie 1918 | 1-decembrie-1918 |
360 View | 360-view |
Able Player, accessible HTML5 media player | ableplayer |
Absolute Links | absolute-links |
ACF: Google Font Selector | acf-google-font-selector-field |
Add custom page template | add-custom-page-template |
Add Google +1 (Plus one) social share Button | add-google-plus-one-social-share-button |
Advanced Accordion Gutenberg Block | advanced-accordion-block |
Advanced lazy load | advanced-lazy-load |
Advanced Linked Variations for Woocommerce | linked-variation |
Aeropage Sync for Airtable | aeropage-sync-for-airtable |
affiliate-toolkit – WP Affiliate Plugin with Amazon | affiliate-toolkit-starter |
Ajax Comment Form CST | ajax-comment-form-cst |
All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier | aio-time-clock-lite |
Alt Text AI – Automatically generate image alt text for SEO and accessibility | alttext-ai |
AnalyticsWP | analyticswp |
Animate | animate |
Anps Theme plugin | anps_theme_plugin |
Anything Popup | anything-popup |
Appointment Booking Calendar | appointment-booking-calendar |
Appsero Helper | appsero-helper |
Author Box After Posts | author-box-after-posts |
Author Box Plugin With Different Description | author-box-with-different-description |
Availability Calendar | availability |
Awesome Wp Image Gallery | awesome-wp-image-gallery |
BBCode Deluxe | bbcode-deluxe |
BeerXML Shortcode | beerxml-shortcode |
Best Posts Summary | best-posts-summary |
Best Quiz Plugin for WordPress: WP Quiz | wp-quiz |
Blog Manager WP | blog-manager-wp |
BM Content Builder | bm-builder |
Breeze Display | wt-display-breeze |
Buddypress Force Password Change | buddy-press-force-password-change |
Bulk Assign Linked Products For WooCommerce | wc-bulk-assign-linked-products |
Business Contact Widget | business-contact-widget |
Call Now PHT Blog | call-now-coccoc-pht-blog |
Capturly | capturly-optimize-your-website |
Car Park Booking System for WordPress | car-park-booking-system-for-wordpress |
Carousel-of-post-images | carousel-of-post-images |
CheckBot | checkbot |
Checkout Field Visibility for WooCommerce | checkout-field-visibility-for-woocommerce |
CM Ad Changer – A simple tool to control and optimize your site’s banners | cm-ad-changer |
CM Answers – Easy-to-use forum to grow your WP community | cm-answers |
Configurator Theme Core | amz-configurator-core |
Confirm User Registration | confirm-user-registration |
Contact Form 7 Calendar | cf7-calendar |
Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder | bit-form |
Control Listings – Classifieds Ads Directory Portal Manager | control-listings |
cookieBAR | cookiebar |
COVID-19 (Coronavirus) Update Your Customers | covid-19-alert |
Create custom forms for WordPress with a smart form plugin for smart businesses – Form builder for WordPress | abcsubmit |
Crossword Compiler Puzzles | crossword-compiler-puzzles |
Custom Admin-Bar Favorites | admin-bookmarks |
Custom Functions Plugin | custom-functions |
Custom Login and Registration | ms-registration |
Custom Related Posts | custom-related-posts |
Database Toolset | database-toolset |
Document Management System | dms |
Drop Caps | drop-caps |
Dropdown Content | dropdown-content |
Easy Child Theme Creator | easy-child-theme-creator |
eForm – WordPress Form Builder | wp-fsqm-pro |
Element Pack Addons for Elementor – Best Elementor addons with Ready Templates, Blocks, Widgets and WooCommerce Builder | bdthemes-element-pack-lite |
ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes | elex-bulk-edit-products-prices-attributes-for-woocommerce-basic |
Enhanced Paypal Shortcodes | enhanced-paypal-shortcodes |
Event post | event-post |
External Markdown | external-markdown |
Fable Extra | fable-extra |
FAT Services Booking | fat-services-booking |
Flickr Shortcode Importer | flickr-shortcode-importer |
Floating Social Bar | floating-social-bar |
Flynax Bridge | flynax-bridge |
Foodbakery Sticky Cart | foodbakery-sticky-cart |
Frontend Dashboard | frontend-dashboard |
Frontend Login and Registration Blocks | frontend-login-and-registration-blocks |
FuseDesk | fusedesk |
GNA Search Shortcode | gna-search-shortcode |
Google News | google-news |
Grand Conference | Event WordPress | grandconference |
Greenshift – animation and page builder blocks | greenshift-animation-and-page-builder-blocks |
GTDB Guitar Tuners | guitar-tuner |
GutenKit – Page Builder Blocks, Patterns, and Templates for Gutenberg Block Editor | gutenkit-blocks-addon |
Hacklog Remote Attachment | hacklog-remote-attachment |
Hospital Management System for WordPress | hospital-management |
HTML Forms – Simple WordPress Forms Plugin | html-forms |
iCafe Library | icafe-library |
Image Hover Effects For WPBakery Page Builder | image-hover-effects-for-visual-composer |
Image Optimizer, Resizer and CDN – Sirv | sirv |
Image Style Hover – Displays content when you hover on image | image-content-show-hover |
Inline Text Popup | inline-text-popup |
Integração entre Eduzz e Woocommerce | integracao-entre-eduzz-e-wc-powers |
JobSearch WP Job Board | wp-jobsearch |
Jupiter X Core | jupiterx-core |
Landing pages and Domain aliases for WordPress | landing-pages-and-domain-aliases |
Libro de Reclamaciones | libro-de-reclamaciones |
License For Envato | license-envato |
Lifetime free Drag & Drop Contact Form Builder for WordPress VForm | v-form |
Link Library | link-library |
List Last Changes | list-last-changes |
Loan Calculator | repayment-calculator |
Lottie Player- Great Lottie Player Solution | embed-lottie-player |
LSD Custom taxonomy and category meta | custom-taxonomy-category-and-term-fields |
Mad Mimi for WordPress | mad-mimi |
Mailing Group Listserv | wp-mailing-group |
Mang Board WP | mangboard |
Mayosis Core | mayosis-core |
Media Library Downloader | media-library-downloader |
Memberpress | memberpress |
Message Filter for Contact Form 7 | cf7-message-filter |
Milat jQuery Automatic Popup | milat-jquery-automatic-popup |
Mini twitter feed | mini-twitter-feed |
Mixcloud Embed | mixcloud-embed |
Modern Polls | modern-polls |
MPL-Publisher — Ebook & Audiobook Creator | mpl-publisher |
Multi-Column Taxonomy List | multi-column-taxonomy-list |
My Custom Widgets | mycustomwidget |
My Tickets – Accessible Event Ticketing | my-tickets |
Navegg Analytics | navegg |
Nepali Post Date | nepali-post-date |
occupancyplan | occupancyplan |
Ocean Extra | ocean-extra |
PayPal Express Checkout | paypal-express-checkout |
Peadig’s Google +1 Button | google-1 |
Peekaboo | peekaboo |
Plugin Central | plugin-central |
Popup Builder | easy-notify-lite |
Post in page for Elementor | post-in-page-for-elementor |
Posts for Page | posts-for-page |
PowerPress Podcasting plugin by Blubrry | powerpress |
Prevent Direct Access – Protect WordPress Files | prevent-direct-access |
Print Science Designer | print-science-designer |
Product Lister for eBay | product-lister-ebay |
RAphicon | raphicon |
Recover abandoned cart for WooCommerce | recover-wc-abandoned-cart |
Related Posts via Taxonomies | related-posts-via-taxonomies |
Revy | revy |
RRSSB | rrssb |
SCSS-Library | scss-library |
Send From | send-from |
Seriously Simple Podcasting | seriously-simple-podcasting |
Service Finder Bookings | sf-booking |
SEUR Oficial | seur |
ShopLentor – WooCommerce Builder for Elementor & Gutenberg +20 Modules – All in One Solution (formerly WooLentor) | woolentor-addons |
Simple calendar for Elementor | simple-calendar-for-elementor |
Simple Download Counter | simple-download-counter |
Simple Google Photos Grid | simple-google-photos-grid |
SKT Blocks – Gutenberg based Page Builder | skt-blocks |
Sky Addons for Elementor (Free Templates Library, Live Copy, Animations, Post Grid, Post Carousel, Particles, Sliders, Chart, Blog, Video Gallery) | sky-elementor-addons |
Smart Hashtags [#hashtagger] | hashtagger |
Social Counter | social-counter |
Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light | excel-like-price-change-for-woocommerce-and-wp-e-commerce-light |
SUMO Reward Points for WooCommerce | rewardsystem |
Tax Switch for WooCommerce | tax-switch-for-woocommerce |
Tayori Form Plugin | tayori |
Textmetrics | webtexttool |
The Pack Elementor addon | the-pack-addon |
Theme Switcha – Easily Switch Themes for Development and Testing | theme-switcha |
Time Based Greeting | time-based-greeting |
Twitter Card Generator | twitter-card-generator |
UiCore Elements – Free Elementor widgets and templates | uicore-elements |
Unsafe Mimetypes | unsafe-mimetypes |
Upsell Funnel Builder for WooCommerce | upsell-order-bump-offer-for-woocommerce |
User Registration & Membership – Custom Registration Form, Login Form, and User Profile | user-registration |
Vasaio QR Code | vasaio-qr-code |
Verification SMS with TargetSMS | verification-sms-targetsms |
VikRestaurants Table Reservations and Take-Away | vikrestaurants |
Visual Composer Website Builder | visualcomposer |
Watu Quiz | watu |
Woocommerce Automatic Order Printing | ( Formerly WooCommerce Google Cloud Print) | xc-woo-google-cloud-print |
WordPress Easy Guide | wp-easy-guide |
WordPress Events Calendar Registration & Tickets | wpeventplus |
WordPress Simple Shopping Cart | wordpress-simple-paypal-shopping-cart |
WordPress Tabs | gt-tabs |
WordPress Tooltip | wp-tooltip |
WoWHead Tooltips | wowhead-tooltips |
WP AVCL Automation Helper (formerly WPFlyLeads) | woozap |
WP Cookie Consent | wp-cookie-consent |
Wp Custom CMS Block | wp-custom-cms-block |
WP Custom Post Popup | custom-post-popup |
WP Customize Login Page | wp-customize-login-page |
WP Filter Post Category | wp-filter-post-categories |
WP Foodbakery | wp-foodbakery |
WP HRM LITE | wp-hrm-lite-human-resource-management-system |
WP Import Export Lite | wp-import-export-lite |
WP Vegas | vegas-fullscreen-background-slider |
wp-cyr-cho | Конвертира кирилски символи в латиниски | wp-cyr-cho |
WP-reCAPTCHA-bp | wp-recaptcha-bp |
WPMasterToolKit (WPMTK) – All in one plugin | wpmastertoolkit |
WPVN – Username Changer | wpvn-username-changer |
WpZon – Amazon Affiliate Plugin | wpzon |
WS Force Login Page | ws-force-login-page |
WS Form LITE – Drag & Drop Contact Form Builder for WordPress | ws-form |
Xelion Webchat | xelion-webchat |
Xpert Tab | xpert-tab |
Xpro Elementor Addons – Pro | xpro-elementor-addons-pro |
Zalo Official Live Chat | zalo-official-live-chat |
Zoho Creator Forms | zohocreator |
WordPress Themes with Reported Vulnerabilities Last Week
Software Name | Software Slug |
---|---|
Altair | altair |
Arrival | arrival |
bellevuex | bellevuex |
CiyaShop – Multipurpose WooCommerce Theme | ciyashop |
CWW Portfolio | cww-portfolio |
EduMall – Professional LMS Education Center WordPress Theme | edumall |
Grace Mag | grace-mag |
Grand Restaurant WordPress | grandrestaurant |
JNews – WordPress Newspaper Magazine Blog AMP Theme | jnews |
Opstore | opstore |
Reales WP – Real Estate WordPress Theme | reales-wp-real-estate-wordpress-theme |
Vikinger | vikinger |
wProject | wproject |
Xews Lite | xews-lite |
Vulnerability Details
Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.
As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.
This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us through our Bug Bounty Program, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
The post Wordfence Intelligence Weekly WordPress Vulnerability Report (April 21, 2025 to April 27, 2025) appeared first on Wordfence.