Calling all superheroes and hunters! Introducing the End of Year Holiday Extravaganza and the WordPress Superhero Challenge for the Wordfence Bug Bounty Program! Through December 9th, 2024:
- All in-scope vulnerability types for WordPress plugins/themes with >= 1,000 active installations are in-scope for ALL researchers
- All plugins and themes with 50-999 active installs hosted in the WordPress.org repository and updated within the last 2 years are in-scope for all researchers!
- Minimum bounty of $5 for all valid in-scope submissions.
- All researchers earn automatic bonuses of between 5% to 180% for valid submissions
- Pending report limits are increased for all
- It’s possible to earn up to $31,200 for high impact vulnerabilities!
Last week, there were 163 vulnerabilities disclosed in 148 WordPress Plugins and 4 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 49 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.
Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 20,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
- WordPress GDPR <= 2.0.2 – Missing Authorization to Unauthenticated Arbitrary User Deletion
- WAF-RULE-766 – Data redacted while we work with the vendor on a patch.
- WAF-RULE-767 – Data redacted while we work with the vendor on a patch.
- WAF-RULE-768 – Data redacted while we work with the vendor on a patch.
- WAF-RULE-769 – Data redacted while we work with the vendor on a patch.
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.
Total Unpatched & Patched Vulnerabilities Last Week
Patch Status | Number of Vulnerabilities |
---|---|
Patched | 82 |
Unpatched | 81 |
Total Vulnerabilities by CVSS Severity Last Week
Severity Rating | Number of Vulnerabilities |
---|---|
Low Severity | 2 |
Medium Severity | 90 |
High Severity | 41 |
Critical Severity | 30 |
Total Vulnerabilities by CWE Type Last Week
Vulnerability Type by CWE | Number of Vulnerabilities |
---|---|
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 52 |
Missing Authorization | 25 |
Unrestricted Upload of File with Dangerous Type | 24 |
Cross-Site Request Forgery (CSRF) | 12 |
Deserialization of Untrusted Data | 11 |
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 7 |
Authorization Bypass Through User-Controlled Key | 5 |
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) | 5 |
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 5 |
Authentication Bypass Using an Alternate Path or Channel | 4 |
Improper Control of Generation of Code (‘Code Injection’) | 4 |
Exposure of Sensitive Information to an Unauthorized Actor | 2 |
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | 2 |
Dependency on Vulnerable Third-Party Component | 1 |
Exposure of Data Element to Wrong Session | 1 |
External Control of File Name or Path | 1 |
Improper Neutralization of Special Elements Used in a Template Engine | 1 |
Improper Privilege Management | 1 |
Researchers That Contributed to WordPress Security Last Week
Researcher Name | Number of Vulnerabilities |
---|---|
22 | |
17 | |
14 | |
8 | |
7 | |
7 | |
6 | |
5 | |
5 | |
5 | |
5 | |
4 | |
4 | |
4 | |
4 | |
3 | |
3 | |
3 | |
3 | |
2 | |
2 | |
2 | |
2 | |
2 | |
2 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 |
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
Software Name | Software Slug |
---|---|
404 Error Monitor | 404-error-monitor |
404 Solution | 404-solution |
Admin and Site Enhancements (ASE) | admin-site-enhancements |
Ads Booster by Ads Pro | free-wp-booster-by-ads-pro |
Advanced Order Export For WooCommerce | woo-order-export-lite |
Advanced Personalization | personalization-by-flowcraft |
AFI – The Easiest Integration Plugin | advanced-form-integration |
Ai Auto Tool Content Writing Assistant (Gemini Writer, ChatGPT ) All in One | ai-auto-tool |
AJAX Login and Registration modal popup + inline form | ajax-login-and-registration-modal-popup |
AJAX Random Posts | ajax-random-posts |
Aqua SVG Sprite | aqua-svg-sprite |
B-Banner Slider | b-banner-slider |
Backup and Staging by WP Time Capsule | wp-time-capsule |
Blogger 301 Redirect | blogger-301-redirect |
Boat Rental Plugin for WordPress | boat-rental-system |
Boostify Header Footer Builder for Elementor | boostify-header-footer-builder |
Bounce Handler MailPoet 3 | bounce-handler-mailpoet |
BuddyPress Builder for Elementor – BuddyBuilder | stax-buddy-builder |
BulkPress | bulkpress |
Buy one click WooCommerce | buy-one-click-woocommerce |
CDI – Collect and Deliver Interface for Woocommerce | collect-and-deliver-interface-for-woocommerce |
CF7 Reply Manager | cf7-reply-manager |
Chartify – WordPress Chart Plugin | chart-builder |
Classified Listing – Classified ads & Business Directory Plugin | classified-listing |
Constant Contact Forms by MailMunch | constant-contact-forms-by-mailmunch |
Contact Form 7 Redirect & Thank You Page | cf7-redirect-thank-you-page |
Convert Docx2post | convert-docx2post |
ConvertCalculator for WordPress | convertcalculator |
Copy Anything to Clipboard | copy-the-code |
CSV to html | csv-to-html |
Customer Reviews for WooCommerce | customer-reviews-woocommerce |
CYAN Backup | cyan-backup |
Datasets Manager by Arttia Creative | datasets-manager-by-arttia-creative |
Devexhub Gallery | devexhub-gallery |
DigiPass | digipass |
Disable Admin Notices individually | disable-admin-notices |
Do That Task | do-that-task |
Drop Shadow Boxes | drop-shadow-boxes |
Drozd – Addons for Elementor | drozd-addons-for-elementor |
Easy CSV Importer BETA | easy-csv-importer |
EleForms – All In One Form Integration including DB for Elementor | all-contact-form-integration-for-elementor |
Essential Addons for Elementor – Best Elementor Addon, Templates, Widgets, Kits & WooCommerce Builders | essential-addons-for-elementor-lite |
Event Tickets with Ticket Scanner | event-tickets-with-ticket-scanner |
Exclusive Content Password Protect | exclusive-content-password-protect |
Exclusive Divi – Divi Preloader, Modules for Divi & Extra Theme | exclusive-divi |
External Database Based Actions | external-database-based-actions |
Floating Buttons for WooCommerce | shop-assistant-for-woocommerce-jarvis |
Futurio Extra | futurio-extra |
Gallerio | gallerio |
Gallery Manager | fancy-gallery |
Global Gateway e4 | Payeezy Gateway | | globe-gateway-e4 |
GPX Viewer | gpx-viewer |
Hacklog DownloadManager | hacklog-downloadmanager |
Happy Addons for Elementor | happy-elementor-addons |
Hash Elements | hash-elements |
Hebrew Dates | hebrewdates |
Hide Links | hide-links |
Hide My WP Ghost – Security & Firewall | hide-my-wp |
Hive Support | AI-Powered Help Desk, Live Chat & AI Chat Bot Plugin for WordPress | hive-support |
Instant Image Generator (One Click Image Uploads from Pixabay, Pexels and OpenAI) | ai-image |
JetWidgets For Elementor | jetwidgets-for-elementor |
KBucket: Your Curated Content in WordPress | kbucket |
kineticPay for WooCommerce | kineticpay-for-woocommerce |
Kognetiks Chatbot for WordPress | chatbot-chatgpt |
LearnPress Export Import – WordPress extension for LearnPress | learnpress-import-export |
Linear | linear |
Lis Video Gallery | lis-video-gallery |
Login using WordPress Users ( WP as SAML IDP ) | miniorange-wp-as-saml-idp |
LUNA RADIO PLAYER | lu-radioplayer |
Mapster WP Maps | mapster-wp-maps |
Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations | master-addons |
Matix Popup Builder | medma-matix |
Migration, Backup, Staging – WPvivid Backup & Migration | wpvivid-backuprestore |
MultiManager WP – Manage All Your WordPress Sites Easily | multimanager-wp |
Multiple Page Generator Plugin – MPG | multiple-pages-generator-by-porthas |
Music Player for Elementor – Audio Player & Podcast Player | music-player-for-elementor |
My Geo Posts Free | my-geo-posts-free |
NiceJob | nicejob |
NIX Anti-Spam Light | nix-anti-spam-light |
PDF Generator Addon for Elementor Page Builder | pdf-generator-addon-for-elementor-page-builder |
PeproDev WooCommerce Receipt Uploader | pepro-bacs-receipt-upload-for-woocommerce |
Picsmize | picsmize |
Pie Register Premium | pie-register-premium |
PJW Mime Config | pjw-mime-config |
Podlove Podcast Publisher | podlove-podcasting-plugin-for-wordpress |
Popularis Extra | popularis-extra |
Popup Box – Create Countdown, Coupon, Video, Contact Form Popups | ays-popup-box |
Popup by Supsystic | popup-by-supsystic |
Post Grid Gutenberg Blocks and WordPress Blog Plugin – PostX | ultimate-post |
Post SMTP – WordPress SMTP Plugin with Email Logs and Mobile App for Failure Notifications – Gmail SMTP, Office 365, Brevo, Mailgun, Amazon SES and more | post-smtp |
Premium Packages – Sell Digital Products Securely | wpdm-premium-packages |
Print PDF Generator and Publisher | nopeamedia |
Product Delivery Date for WooCommerce – Lite | product-delivery-date-for-woocommerce-lite |
Push Notifications for WordPress by PushAssist | push-notification-for-wp-by-pushassist |
Razorpay Payment Button Elementor Plugin | razorpay-payment-button-elementor |
Razorpay Payment Button Plugin | razorpay-payment-button |
Real3D Flipbook Lite – 3D FlipBook, PDF Viewer, PDF Embedder | real3d-flipbook-lite |
Really Simple Security Pro | really-simple-ssl-pro |
Really Simple Security Pro multisite | really-simple-ssl-pro-multisite |
Really Simple Security – Simple and Performant Security (formerly Really Simple SSL) | really-simple-ssl |
Referrer Detector | referrer-detector |
Relais 2FA | relais-2fa |
Royal Elementor Addons and Templates | royal-elementor-addons |
Sage AI: Chatbots, OpenAI GPT-4 Bulk Articles, Dalle-3 Image Generation | ai-content-generator |
Simple Local Avatars | simple-local-avatars |
Simple Pricing Table | simple-pricing-table |
Simple Side Tab | simple-side-tab |
SimpleForm Contact Form Submissions | simpleform-contact-form-submissions |
SimpleForm – Contact form made simple | simpleform |
SK WP Settings Backup | sk-wp-settings-backup |
Slickstream: Engagement and Conversions | slick-engagement |
Social Proof (Testimonial) Slider | social-proof-testimonials-slider |
Steel | steel |
Styler for Ninja Forms | styler-for-ninja-forms-lite |
SVG Case Study | case-study |
SVGPlus | svgplus |
Team Member – Multi Language Supported Team Plugin | team-showcase-supreme |
Themify Builder | themify-builder |
Tutor LMS Elementor Addons | tutor-lms-elementor-addons |
Twigify | twigify |
Uix Slideshow | uix-slideshow |
User Management | user-management |
W3SPEEDSTER | w3speedster-wp |
WDES Responsive Mobile Menu | wdes-responsive-mobile-menu |
WOLF – WordPress Posts Bulk Editor and Manager Professional | bulk-editor |
WooCommerce Upload Files | woocommerce-upload-files |
WordPress BasePress Migration Tools | basepress-migration-tools |
WordPress form builder plugin for contact forms, surveys and quizzes – Tripetto | tripetto |
WordPress GDPR | wordpress-gdpr |
WordPress User Extra Fields | wp-user-extra-fields |
WordPress Video Robot – The Ultimate Video Importer | wp-video-robot |
WP Activity Log | wp-security-audit-log |
WP AdCenter – Ad Manager & Adsense Ads | wpadcenter |
WP Chat App | wp-whatsapp |
WP Githuber MD – WordPress Markdown Editor | wp-githuber-md |
WP Job Portal – A Complete Recruitment System for Company or Job Board website | wp-job-portal |
WP Log Viewer | wp-log-viewer |
WP Popup Window Maker | easy-popup-lightbox-maker |
WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts | wedevs-project-manager |
WP Quick Setup | wp-quick-setup |
wp-login customizer | wp-login-customizer |
WP-Strava | wp-strava |
WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More | wpforms-lite |
Writer Helper | writer-helper |
xili-tidy-tags | xili-tidy-tags |
Yotpo: Product & Photo Reviews for WooCommerce | yotpo-social-reviews-for-woocommerce |
ZIJ KART | zij-kart |
胖鼠采集(Fat Rat Collect) 微信知乎简书腾讯新闻列表分页采集, 还有自动采集、自动发布、自动标签、等多项功能。开源插件 | fat-rat-collect |
WordPress Themes with Reported Vulnerabilities Last Week
Software Name | Software Slug |
---|---|
Airin Blog | airin-blog |
Gameplan – Event and Gym Fitness WordPress Theme | gameplan |
reconstruction | reconstruction |
Xin | xin |
Vulnerability Details
Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.
As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.
This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us through our Bug Bounty Program, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
The post Wordfence Intelligence Weekly WordPress Vulnerability Report (November 11, 2024 to November 17, 2024) appeared first on Wordfence.