Wordfence Intelligence Weekly WordPress Vulnerability Report (September 30, 2024 to October 6, 2024)

Calling all superheroes and haunters! Introducing the Cybersecurity Month Spooktacular Haunt and the WordPress Superhero Challenge for the Wordfence Bug Bounty Program! Through November 11th, 2024:

All in-scope vulnerability types for WordPress plugins/themes with >= 1,000 active installations are in-scope for ALL researchers
Top-tier researchers earn automatic bonuses of between 10% to 120% for valid submissions
Pending report limits are increased for all
It’s possible to earn up to $31,200 for high impact vulnerabilities!

Last week, there were 161 vulnerabilities disclosed in 147 WordPress Plugins and 5 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 46 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 19,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status
Number of Vulnerabilities

Patched
127

Unpatched
34

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating
Number of Vulnerabilities

Medium Severity
141

High Severity
15

Critical Severity
5

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE
Number of Vulnerabilities

Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
121

Missing Authorization
9

Deserialization of Untrusted Data
5

Cross-Site Request Forgery (CSRF)
4

Unrestricted Upload of File with Dangerous Type
4

URL Redirection to Untrusted Site (‘Open Redirect’)
4

Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
3

Authentication Bypass Using an Alternate Path or Channel
2

Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’)
2

Improper Control of Generation of Code (‘Code Injection’)
2

Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
2

Improper Neutralization of Alternate XSS Syntax
1

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
1

Improper Privilege Management
1

Researchers That Contributed to WordPress Security Last Week

Researcher Name
Number of Vulnerabilities

22

21

12

8

6

6

5

5

4

4

4

4

4

3

3

3

3

3

3

3

2

2

2

2

2

2

2

2

1

1

1

1

1

1

1

1

1

1

1

1

1

1

1

1

1

1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name
Software Slug

123.chat – Video Chat

123-chat-videochat

Advanced Woo Labels – Product Labels for WooCommerce

advanced-woo-labels

Affiliate Program Suite — SliceWP Affiliates

slicewp

Aggregator Advanced Settings

aggregator-advanced-settings

Author Avatars List/Block

author-avatars

Auto Amazon Links – Amazon Associates Affiliate Plugin

amazon-auto-links

Auto Featured Image from Title

auto-featured-image-from-title

Automatically Hierarchic Categories in Menu

automatically-hierarchic-categories-in-menu

AVIF Uploader

avif-support

BA Book Everything

ba-book-everything

BerqWP – Automated All-In-One PageSpeed Optimization for Core Web Vitals, Cache, CDN, Images, CSS, and JavaScript

searchpro

Bit File Manager – 100% Free & Open Source File Manager and Code Editor for WordPress

file-manager

BlockSpare: Gutenberg Blocks & Patterns for Blogs, Magazines, Business Sites – Post Grids, Sliders, Carousels, Counters, Page Builder & Starter Site Imports, No Coding Needed

blockspare

Bold Page Builder

bold-page-builder

Broken Link Checker

broken-link-checker

BSK Forms Blacklist

bsk-gravityforms-blacklist

CartBounty – Save and recover abandoned carts for WooCommerce

woo-save-abandoned-carts

Checkout Field Editor (Checkout Manager) for WooCommerce

woo-checkout-field-editor-pro

Clio Grow Form

clio-grow-form

Code Embed

simple-embed-code

Confetti Fall Animation

confetti-fall-animation

Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder

fluentform

Copyscape Premium

copyscape-premium

Cozy Blocks – Page Builder for Gutenberg & Site Editor, Post Blocks, WooCommerce Blocks, Magazine Blocks, WordPress Gutenberg Blocks, Patterns and Templates Library

cozy-addons

Custom Banners

custom-banners

Demo Importer Plus

demo-importer-plus

DethemeKit For Elementor

dethemekit-for-elementor

Display Medium Posts

display-medium-posts

DK PDF

dk-pdf

Easy Demo Importer – A Modern One-Click Demo Import Solution

easy-demo-importer

Easy Load More

easy-load-more

Easy WordPress Subscribe – Optin Hound

opt-in-hound

Echo RSS Feed Post Generator

rss-feed-post-generator-echo

Elastik Page Builder

elastik-page-builder

Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows)

bdthemes-element-pack-lite

ElementInvader Addons for Elementor

elementinvader-addons-for-elementor

Elementor Addon Elements

addon-elements-for-elementor-page-builder

ElementsReady Addons for Elementor

element-ready-lite

Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce

email-subscribers

Enter Addons – Ultimate Template Builder for Elementor

enteraddons

Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates

essential-blocks

EventPrime – Events Calendar, Bookings and Tickets

eventprime-event-calendar-management

FAQ / Accordion / Docs / KB – Helpie WordPress FAQ Accordion plugin

helpie-faq

Fish and Ships – Most flexible shipping table rate. A WooCommerce shipping rate

fish-and-ships

Form plugin for WordPress – Zoho Forms

zoho-forms

Free Responsive Testimonials, Social Proof Reviews, and Customer Reviews – Stars Testimonials

stars-testimonials-with-slider-and-masonry-grid

Gallery Lightbox

gallery-lightbox-slider

Geo Mashup

geo-mashup

Gravity Forms Toolbar

gravity-forms-toolbar

Guten Post Layout – An Advanced Post Grid Collection

guten-post-layout

Happy Addons for Elementor

happy-elementor-addons

Hash Form – Drag & Drop Form Builder

hash-form

Hello World

hello-world

Ibtana – WordPress Website Builder

ibtana-visual-editor

Iconize

iconize

Include Fussball.de Widgets

include-fussball-de-widgets

Jeg Elementor Kit

jeg-elementor-kit

JobSearch WP Job Board

wp-jobsearch

KB Support – Customer Support Ticket & Helpdesk Plugin, Knowledge Base Plugin

kb-support

Keap Official Opt-in Forms

infusionsoft-official-opt-in-forms

LA-Studio Element Kit for Elementor

lastudio-element-kit

LH Copy Media File

lh-copy-media-file

LiteSpeed Cache

litespeed-cache

LocateAndFilter

locateandfilter

Loggedin – Limit Active Logins

loggedin

Login Logout Shortcode

login-logout-shortcode

Logo Carousel – Clients logo carousel for WP

responsive-client-logo-carousel-slider

Magazine Blocks – Blog Designer, Magazine & Newspaper Website Builder, Page Builder with Posts Blocks, Post Grid

magazine-blocks

MaxSlider

maxslider

MC4WP: Mailchimp Top Bar

mailchimp-top-bar

Memberful – Membership Plugin

memberful-wp

Move Addons for Elementor

move-addons

NEX-Forms – Ultimate Form Builder – Contact forms and much more

nex-forms-express-wp-form-builder

Online Booking & Scheduling Calendar for WordPress by vcita

meeting-scheduler-by-vcita

Page-list

page-list

Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction

paid-member-subscriptions

Payflex Payment Gateway

payflex-payment-gateway

PDF Image Generator

pdf-image-generator

Popularis Extra

popularis-extra

Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popups Builder

popup-maker

Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC)

buddyforms

Premium Blocks – Gutenberg Blocks for WordPress

premium-blocks-for-gutenberg

Product Delivery Date for WooCommerce – Lite

product-delivery-date-for-woocommerce-lite

PWA — easy way to Progressive Web App

iworks-pwa

QS Dark Mode Plugin

qs-dark-mode

Quantity Dynamic Pricing & Bulk Discounts for WooCommerce

wholesale-pricing-woocommerce

Quill Forms | The Best Typeform Alternative | Create Conversational Multi Step Form, Survey, Quiz, Cost Estimation or Donation Form on WordPress

quillforms

R Animated Icon Plugin

r-animated-icon

RabbitLoader – Website Speed Optimization for improving Core Web Vital metrics with Cache, Image Optimization, and more

rabbit-loader

Rank Math SEO – AI SEO Tools to Dominate SEO Rankings

seo-by-rank-math

Re:WP

rewp

Relogo

relogo

Robokassa payment gateway for Woocommerce

robokassa

RomethemeKit For Elementor

rometheme-for-elementor

RumbleTalk Live Group Chat – HTML5

rumbletalk-chat-a-chat-with-themes

Search Analytics for WP

search-analytics

Search Atlas SEO – Best SEO Plugin for One-Click WP Publishing & Integrated AI Optimization

metasync

SEOPress – On-site SEO

wp-seopress

ShiftController Employee Shift Scheduling

shiftcontroller

Shortcodes and extra features for Phlox theme

auxin-elements

Simple Membership After Login Redirection

simple-membership-after-login-redirection

Slider & Popup Builder by Depicter – Add Image Slider, Carousel Slider, Exit Intent Popup, Popup Modal, Coupon Popup, Post Slider Carousel

depicter

Slider Revolution

revslider

Slideshow Gallery LITE

slideshow-gallery

Smart Custom 404 Error Page

404page

Social Auto Poster

social-auto-poster

Social Web Suite – Social Media Auto Post, Social Media Auto Publish

social-web-suite

Soumettre.fr

soumettre-fr

Spice Starter Sites

spice-starter-sites

Store Exporter for WooCommerce – Export Products, Export Orders, Export Subscriptions, and More

woocommerce-exporter

Strong Testimonials

strong-testimonials

SVG Complete

svg-complete

The Pack Elementor addons (Header Footer & WooCommerce Builder, Template Library)

the-pack-addon

The Ultimate WordPress Toolkit – WP Extended

wpextended

Themify Builder

themify-builder

TinyPNG – JPEG, PNG & WebP image compression

tiny-compress-images

TNC PDF viewer

pdf-viewer-by-themencode

Top Bar – PopUps – by WPOptin

wpoptin

Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

ultimate-member

Ultimate Store Kit Elementor Addons, Woocommerce Builder, EDD Builder, Elementor Store Builder, Product Grid, Product Table, Woocommerce Slider

ultimate-store-kit

Unlimited Elements For Elementor (Free Widgets, Addons, Templates)

unlimited-elements-for-elementor

VdoCipher: Secure Video Player and Hosting

vdocipher

Visual CSS Style Editor

yellow-pencil-visual-theme-customizer

Web Directory Free

web-directory-free

Wechat Social login 微信QQ钉钉登录插件

wechat-social-login

WordPress & WooCommerce Affiliate Program

wp-wc-affiliate-program

WordPress Captcha Plugin by Captcha Bank

captcha-bank

WordPress Infinite Scroll – Ajax Load More

ajax-load-more

WP Blocks Hub

wp-blocks-hub

WP Booking Calendar

booking

WP Bulk Delete

wp-bulk-delete

WP Cleanup and Basic Functions

wp-cleanup-and-basic-functions

WP Compress – Instant Performance & Speed Optimization

wp-compress-image-optimizer

WP Easy Gallery – WordPress Gallery Plugin

wp-easy-gallery

WP Hotel Booking

wp-hotel-booking

WP MyLinks

wp-mylinks

WP Travel Gutenberg Blocks

wp-travel-blocks

WP-Lister Lite for eBay

wp-lister-for-ebay

WP-WebAuthn

wp-webauthn

WPCOM Member

wpcom-member

WPMobile.App — Android and iOS Mobile Application

wpappninja

XLTab – Accordions and Tabs for Elementor Page Builder

xl-tab

XO Slider

xo-liteslider

YITH WooCommerce Ajax Search

yith-woocommerce-ajax-search

YITH WooCommerce Product Add-Ons

yith-woocommerce-product-add-ons

YML for Yandex Market

yml-for-yandex-market

Zotpress

zotpress

WordPress Themes with Reported Vulnerabilities Last Week

Software Name
Software Slug

Create

create

Empowerment

empowerment

Full Frame

full-frame

UltraPress

ultrapress

Unseen Blog

unseen-blog

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us through our Bug Bounty Program, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (September 30, 2024 to October 6, 2024) appeared first on Wordfence.