Last week, there were 102 vulnerabilities disclosed in 90 WordPress Plugins and 5 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 68 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone in the WordPress community, so that individuals and organizations alike can use that data to implement layered security, in line with our overarching mission to secure WordPress through defense in depth. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and use, both personally and commercially, and why we publish this weekly vulnerability report. As the world's leading provider of a quality vulnerability database for WordPress, Wordfence has site owners' backs.
Enterprises, hosting providers, and even individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Alternatively, use the Vulnerability Database API to receive a complete dump of our database of over 35,000 vulnerabilities, then use the webhook integration to stay on top of new vulnerabilities as they are added in real time, as well as any updates made to existing records, all for free.
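The workflow described above (pull a database dump, then keep it current through the webhook) ends in one security-relevant step: comparing each installed plugin version against the affected version range of every advisory for that slug. The following is an added example written for this page, not code from Wordfence or from any plugin: the `Advisory` record layout, the slugs, the versions and the CVSS scores are all constructed assumptions for the demo and do not reflect the Wordfence Intelligence API schema or any real advisory. It shows the two details that a naive check gets wrong, numeric rather than string comparison of version components (so 4.9 sorts below 4.10) and inclusive versus exclusive upper bounds, and it reports a version it cannot parse instead of silently skipping it.

```python
"""Match installed WordPress plugin versions against a vulnerability feed.
Added example: the feed records and inventory below are constructed, and the
record layout (slug, affected range, patched version, CVSS) is an assumption
for this demo, not the Wordfence Intelligence API schema."""
import re
from dataclasses import dataclass
from typing import Optional

_PRERELEASE_RANK = {"alpha": 1, "beta": 2, "rc": 3}
_VERSION_RE = re.compile(
    r"^v?(\d+(?:\.\d+)*)(?:[-.]?(alpha|beta|rc)\.?(\d*))?$", re.IGNORECASE)


def version_key(version: str) -> tuple:
    """Comparable key for dotted plugin versions: numeric parts compare
    numerically (1.10 > 1.9), short versions are zero-padded (1.2 == 1.2.0),
    and a pre-release tag sorts below its final release (2.0-rc1 < 2.0).
    Anything else raises ValueError so callers flag it instead of skipping."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unparseable version string: {version!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    if len(nums) > 6:
        raise ValueError(f"too many version components: {version!r}")
    nums += (0,) * (6 - len(nums))
    if m.group(2):
        return nums + (_PRERELEASE_RANK[m.group(2).lower()], int(m.group(3) or 0))
    return nums + (99, 0)  # a final release outranks any pre-release tag


@dataclass(frozen=True)
class Advisory:
    slug: str                           # directory name under wp-content/plugins
    title: str
    cvss: float                         # CVSS v3 base score
    affected_max: str                   # highest version in the affected range
    max_inclusive: bool = True          # True: "<= affected_max"; False: "<"
    affected_min: Optional[str] = None  # None: every version up to the max
    patched_in: Optional[str] = None    # None: no fixed release exists yet


def severity(cvss: float) -> str:
    """CVSS v3.x qualitative rating bands, as used in the severity table."""
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    return "Medium" if cvss >= 4.0 else "Low"


def is_affected(installed: str, adv: Advisory) -> bool:
    """True when `installed` lies inside the advisory's affected range."""
    v = version_key(installed)
    if adv.affected_min is not None and v < version_key(adv.affected_min):
        return False
    top = version_key(adv.affected_max)
    return v <= top if adv.max_inclusive else v < top


def scan(installed: dict, feed: list) -> list:
    """Findings for every installed plugin the feed matches, worst CVSS first.
    An installed version the parser rejects is reported, not silently skipped."""
    findings = []
    for adv in feed:
        if adv.slug not in installed:
            continue
        ver = installed[adv.slug]
        try:
            hit, status = is_affected(ver, adv), "affected"
        except ValueError:
            hit, status = True, "unparseable version, review manually"
        if hit:
            findings.append({
                "slug": adv.slug, "installed": ver, "title": adv.title,
                "cvss": adv.cvss, "severity": severity(adv.cvss), "status": status,
                "action": f"update to {adv.patched_in}" if adv.patched_in
                else "no patch available: disable or remove the plugin",
            })
    return sorted(findings, key=lambda f: f["cvss"], reverse=True)


# Constructed sample feed and site inventory (not real advisories or plugins).
SAMPLE_FEED = [
    Advisory("example-gallery", "Unauthenticated Stored XSS", 7.2,
             affected_max="3.4.1", patched_in="3.4.2"),
    Advisory("example-forms", "Authenticated (Subscriber+) SQL Injection", 8.8,
             affected_max="2.0", max_inclusive=False, affected_min="1.5",
             patched_in="2.0"),
    Advisory("example-sync", "Missing Authorization on Settings Update", 5.3,
             affected_max="1.9.9"),  # no patched_in: still unpatched
    Advisory("example-cache", "Arbitrary File Read", 7.5,
             affected_max="4.10", patched_in="4.11"),
]
SAMPLE_INSTALLED = {
    "example-gallery": "3.4.1",  # top of an inclusive range: affected
    "example-forms": "2.0",      # exclusive upper bound: not affected
    "example-sync": "1.9",       # affected, and no fix to update to
    "example-cache": "4.9",      # 4.9 < 4.10 numerically: affected
}

if __name__ == "__main__":
    for f in scan(SAMPLE_INSTALLED, SAMPLE_FEED):
        print(f"[{f['severity']} {f['cvss']}] {f['slug']} {f['installed']}: "
              f"{f['title']} -> {f['action']}")
```

Run stand-alone it prints three findings, with the unpatched one carrying a "disable or remove" action rather than an update target; a real integration would build the `Advisory` list from the feed dump and refresh it from webhook events, and should also feed unparseable versions (forks, trunk builds, renamed directories) to a human rather than treating them as clean.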
Sign up for our mailing list to receive weekly vulnerability reports like this one, and important WordPress security reports, in your inbox the moment they are published.
Total Unpatched & Patched Vulnerabilities Last Week
| Patch Status | Number of Vulnerabilities |
|---|---|
| Patched | 78 |
| Unpatched | 24 |
Total Vulnerabilities by CVSS Severity Last Week
| Severity Rating | Number of Vulnerabilities |
|---|---|
| Medium Severity | 62 |
| High Severity | 36 |
| Critical Severity | 4 |
Total Vulnerabilities by CWE Type Last Week
| Vulnerability Type by CWE | Number of Vulnerabilities |
|---|---|
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 35 |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 13 |
| Exposure of Sensitive Information to an Unauthorized Actor | 12 |
| Cross-Site Request Forgery (CSRF) | 8 |
| Missing Authorization | 8 |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | 5 |
| Deserialization of Untrusted Data | 4 |
| Authorization Bypass Through User-Controlled Key | 3 |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') | 3 |
| Incorrect Privilege Assignment | 3 |
| Improper Privilege Management | 2 |
| Server-Side Request Forgery (SSRF) | 2 |
| Access of Resource Using Incompatible Type ('Type Confusion') | 1 |
| Improper Verification of Cryptographic Signature | 1 |
| Incorrect Authorization | 1 |
| Unrestricted Upload of File with Dangerous Type | 1 |
Researchers That Contributed to WordPress Security Last Week
| Researcher Name | Number of Vulnerabilities |
|---|---|
| | 6 |
| | 5 |
| | 4 |
| | 3 |
| | 3 |
| | 3 |
| | 3 |
| | 3 |
| | 2 |
| | 2 |
| | 2 |
| | 2 |
| | 2 |
| | 2 |
| | 2 |
| | 2 |
| | 2 |
| | 2 |
| | 2 |
| | 2 |
| | 2 |
| | 2 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
|---|---|
| 6Storage Rentals | 6storage-rentals |
| ABC Crypto Checkout | payerurl-crypto-currency-payment-gateway-for-woocommerce |
| Accordions | accordions |
| Advanced 301 and 302 Redirect | advanced-301-and-302-redirect |
| Affiliates Manager | affiliates-manager |
| Ajax Load More – Infinite Scroll, Load More, & Lazy Load | ajax-load-more |
| AJAX Report Comments | report-comments |
| Animation Addons for Elementor – GSAP Motion Elementor Addons & Website Templates | animation-addons-for-elementor |
| aThemes Addons for Elementor | athemes-addons-for-elementor-lite |
| Booking (Reservation & Appointment) | directorist-booking |
| BookPro - Appointment Booking WordPress Plugin | ovabookpro |
| Canvas | canvas |
| CleanTalk Anti-Spam. Spam Firewall & Bot protection | cleantalk-spam-protect |
| Conekta Payment Gateway | conekta-payment-gateway |
| Coupon Affiliates – Affiliate Plugin for WooCommerce | woo-coupon-usage |
| Custom Block Builder – Lazy Blocks | lazy-blocks |
| Customer Support Ticket System & Helpdesk | wp-ticket |
| Decent Comments | decent-comments |
| Digital Signature Add-on for WooCommerce | woocommerce-digital-signature |
| Doctreat Core | doctreat_core |
| Easy Image Collage | easy-image-collage |
| eCommerce Product Catalog Plugin for WordPress | ecommerce-product-catalog |
| Email Encoder – Protect Email Addresses and Phone Numbers | email-encoder-bundle |
| Enable Media Replace | enable-media-replace |
| Events Calendar for GeoDirectory | events-for-geodirectory |
| Extra Settings for RocketChat | extra-settings-for-rocketchat |
| FastDup – Fastest WordPress Migration & Duplicator | fastdup |
| FastPicker, an order picker and order management system (oms) for WooCommerce on steroids | fastpicker |
| Faust.js | faustwp |
| Fediverse Embeds | fediverse-embeds |
| Feeds for YouTube (YouTube video, channel, and gallery plugin) | feeds-for-youtube |
| Fortis for WooCommerce | fortis-for-woocommerce |
| FV Flowplayer Video Player | fv-wordpress-flowplayer |
| Global Body Mass Index Calculator | global-body-mass-index-calculator |
| GPTranslate – Multilingual AI Translation for WordPress: Automatically Translate Websites | gptranslate |
| Hash Elements | hash-elements |
| Helpfulcrowd Product Reviews | helpfulcrowd-product-reviews |
| Hippoo Mobile App for WooCommerce | hippoo |
| JetBlog | jet-blog |
| JetEngine | jet-engine |
| jQuery Hover Footnotes | jquery-hover-footnotes |
| kk blog card | kk-blog-card |
| Knit Pay – Cashfree, Instamojo, Razorpay, PayPal and more | knit-pay |
| Listdom: AI-powered Business Directory with Classifieds Ads Listings | listdom |
| LoginPress Pro | loginpress-pro |
| LWS Optimize – All-in-One Speed Booster & Cache Tools | lws-optimize |
| MailerPress – Email Marketing, Newsletter, Email Automation & WooCommerce Emails | mailerpress |
| Masteriyo LMS – LMS Course Builder, Quizzes & Certificates | learning-management-system |
| Meow Gallery | meow-gallery |
| MW WP Form | mw-wp-form |
| Newsletters | newsletters-lite |
| Online Scheduling and Appointment Booking System – Bookly | bookly-responsive-appointment-booking-tool |
| Open User Map PRO | open-user-map-pro |
| Page Builder: Pagelayer – Drag and Drop website builder | pagelayer |
| Payment forms, Buy now buttons, and Invoicing System \| GetPaid | invoicing |
| Photo Gallery by FooGallery : Responsive Image Gallery, Masonry Gallery & Carousel | foogallery |
| ePaperFlip Publisher | epaperflip-publisher |
| Presto Player | presto-player |
| Prime Elementor Addons – Lightweight Elementor Widgets for Faster Pages | unlimited-elementor-inner-sections-by-boomdevs |
| Product Filter Widget for Elementor | product-filter-widget-for-elementor |
| PushEngage – Web Push Notifications, WooCommerce Automation & Chat Widget | pushengage |
| Recover Exit For WooCommerce | recoverexit-for-woocommerce |
| RomanCart Ecommerce | romancart-ecommerce |
| Schema & Structured Data for WP & AMP | schema-and-structured-data-for-wp |
| SEO Redirection Plugin – 301 Redirect Manager | seo-redirection |
| Slider Revolution | revslider |
| Store Locator WordPress | agile-store-locator |
| Taskbuilder – Project Management & Task Management Tool With Kanban Board | taskbuilder |
| The Events Calendar | the-events-calendar |
| TinyMCE shortcode Addon | 360crest-themeone-tinymce-shortcodes |
| UpdraftPlus Premium | updraftplus |
| UpdraftPlus: WP Backup & Migration Plugin | updraftplus |
| User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration | wp-user-frontend |
| VikRentCar Car Rental Management System | vikrentcar |
| WCMultiShipping — Mondial Relay, Inpost & Chronopost for WooCommerce | wc-multishipping |
| WooCommerce Anti-Fraud | woocommerce-anti-fraud |
| WooCommerce Dropshipping Premium | woocommerce-dropshipping |
| WordPress & WooCommerce Scraper Plugin, Import Data from Any WebSite. | wp_scraper |
| WP ApplicantStack Jobs Display | wp-applicantstack-jobs-display |
| WP Emoticon Rating | wp-emoticon-rating |
| WP GDPR Cookie Consent | wp-gdpr-cookie-consent |
| WP Maps – Google Maps,OpenStreetMap,Mapbox,Store Locator,Listing,Directory & Filters | wp-google-map-plugin |
| WP Meta Sort Posts | wp-meta-sort-posts |
| WP Migrate Lite – Migration Made Easy | wp-migrate-db |
| WP Photo Album Plus | wp-photo-album-plus |
| WP-Ultimate-Map | wp-ultimate-map |
| WPC Product Options for WooCommerce | wpc-product-options |
| wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin | wpdatatables |
| WpMobi | wp-mobi |
| WPZOOM Portfolio Lite – Filterable Portfolio Plugin | wpzoom-portfolio |
WordPress Themes with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
|---|---|
| Blocksy | blocksy |
| EventPress | eventpress |
| Kastell - WordPress Theme for Single Properties and Apartments | kastell |
| nifty | nifty |
| XStore | xstore |
Vulnerability Details
Please note that if you run the Wordfence plugin on your WordPress site with the scanner enabled, you should already have been notified if your site was affected by any of these vulnerabilities. If you would like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP webhook integrations, which are completely free to use.