Wordfence Intelligence Weekly WordPress Vulnerability Report (January 1, 2024 to January 7, 2024)

🎉Wordfence just launched its bug bounty program. For the first 6 months, all awarded bounties receive a 10% bonus. View the announcement to learn more now!

Last week, there were 85 vulnerabilities disclosed in 74 WordPress Plugins and 2 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 39 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 12,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

---

New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

• POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress <= 2.8.6 – Authorization Bypass via type connect-app API
• Astra Pro <= 4.3.1 – Authenticated(Contributor+) Remote Code Execution via Metabox
• Generic Object Injection
• Generic XSS in Custom Meta

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.

---

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status	Number of Vulnerabilities
Unpatched	33
Patched	52

---

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating	Number of Vulnerabilities
Low Severity	1
Medium Severity	67
High Severity	13
Critical Severity	4

---

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE	Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)	27
Missing Authorization	18
Cross-Site Request Forgery (CSRF)	13
Deserialization of Untrusted Data	7
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)	5
Authorization Bypass Through User-Controlled Key	3
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)	3
Improper Input Validation	2
Information Exposure	2
Argument Injection or Modification	1
Use of Less Trusted Source	1
Improper Access Control	1
Storing Passwords in a Recoverable Format	1
Path Traversal: ‘../filedir’	1

---

Researchers That Contributed to WordPress Security Last Week

Researcher Name	Number of Vulnerabilities
Rafie Muhammad	11
Ngô Thiên An (ancorn_)	9
Lucio Sá	6
Dave Jong	5
Webbernaut	4
Daniel Ruf	4
Francesco Carlucci	4
Ulyses Saicha	3
Le Ngoc Anh	3
Krzysztof Zając	3
hir0ot	2
Nex Team	2
Mika	2
Abu Hurayra (HurayraIIT)	2
Abdi Pranata	2
Colin Xu	2
Kang SeoHee	1
Huynh Tien Si	1
xEHLE	1
Bob Matyas	1
lttn	1
Akbar Kustirama	1
Joshua Chan	1
drop	1
emad	1
Matan Berson (matanber)	1
Sean Murphy	1
Pedro Cuco (illex)	1
Friday	1
Angelo Delicato	1
Dimas Maulana	1
Arvandy	1
István Márton	1
Rafshanzani Suhada	1
Debangshu Kundu	1
Arpeet Rathi	1
Dhabaleshwar Das	1
Dmitrii Ignatyev	1
Nguyen Xuan Chien	1

 

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

---

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name	Software Slug
3D FlipBook – PDF Flipbook WordPress	interactive-3d-flipbook-powered-physics-engine
ActivityPub	activitypub
Ads Invalid Click Protection	ads-invalid-click-protection
Ajax Search Lite	ajax-search-lite
Autotitle for WordPress	autotitle-for-wordpress
Booster Elite for WooCommerce	booster-elite-for-woocommerce
Booster Plus for WooCommerce	booster-plus-for-woocommerce
CPT Bootstrap Carousel	cpt-bootstrap-carousel
Complianz – GDPR/CCPA Cookie Consent	complianz-gdpr
Constant Contact Forms	constant-contact-forms
Contact Form, Survey & Popup Form Plugin for WordPress – ARForms Form Builder	arforms-form-builder
Coupon Referral Program	coupon-referral-program
Depicter Slider – Responsive Image Slider, Video Slider & Post Slider	depicter
Easy SVG Allow	easy-svg-image-allow
Easy Social Feed – Social Photos Gallery – Post Feed – Like Box	easy-facebook-likebox
EmbedPress – Embed PDF, YouTube, Google Docs, Vimeo, Wistia Videos, Audios, Maps & Any Documents in Gutenberg & Elementor	embedpress
Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders	essential-addons-for-elementor-lite
Floating Notification Bar, Sticky Menu on Scroll, Announcement Banner, and Sticky Header for Any Theme – My Sticky Bar (formerly myStickymenu)	mystickymenu
FooGallery Premium	foogallery-premium
Gecka Terms Thumbnails	gecka-terms-thumbnails
HTML5 MP3 Player with Folder Feedburner Playlist Free	html5-mp3-player-with-mp3-folder-feedburner-playlist
HTML5 MP3 Player with Playlist Free	html5-mp3-player-with-playlist
HTML5 SoundCloud Player with Playlist Free	html5-soundcloud-player-with-playlist
Happy Addons for Elementor	happy-elementor-addons
Happy Addons for Elementor Pro	happy-elementor-addons-pro
Hostinger	hostinger
Icegram Engage – WordPress Lead Generation, Popup Builder, CTA, Optins and Email List Building	icegram
Ideal Interactive Map	ideal-interactive-map
Infogram – Add charts, maps and infographics	infogram
JS & CSS Script Optimizer	js-css-script-optimizer
Keap Official Opt-in Forms	infusionsoft-official-opt-in-forms
Laybuy Payment Extension for WooCommerce	laybuy-gateway-for-woocommerce
LearnPress – WordPress LMS Plugin	learnpress
LightStart – Maintenance Mode, Coming Soon and Landing Page Builder	wp-maintenance-mode
MapPress Maps for WordPress	mappress-google-maps-for-wordpress
Mapster WP Maps	mapster-wp-maps
MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy)	google-analytics-for-wordpress
OMGF | GDPR/DSGVO Compliant, Faster Google Fonts. Easy.	host-webfonts-local
Orbit Fox by ThemeIsle	themeisle-companion
Oxygen Builder	oxygenbuilder
POST SMTP – The #1 WordPress SMTP Plugin with Advanced Email Logging and Delivery Failure Notifications	post-smtp
Page Builder: Live Composer	live-composer-page-builder
Page Builder: Pagelayer – Drag and Drop website builder	pagelayer
Posts to Page	posts-to-page
PowerPack Addons for Elementor (Free Widgets, Extensions and Templates)	powerpack-lite-for-elementor
Private Google Calendars	private-google-calendars
Product Delivery Date for WooCommerce – Lite	product-delivery-date-for-woocommerce-lite
Product Expiry for WooCommerce	product-expiry-for-woocommerce
Quiz Maker	quiz-maker
RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator	feedzy-rss-feeds
Randomize	randomize
Rate Star Review – AJAX Reviews for Content, with Star Ratings	rate-star-review
Site Notes	site-notes
TJ Shortcodes	theme-junkie-shortcodes
Tagbox – UGC Galleries, Social Media Widgets, User Reviews & Analytics	taggbox-widget
User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor	profile-builder
Void Contact Form 7 Widget For Elementor Page Builder	cf7-widget-elementor
WP 2FA – Two-factor authentication for WordPress	wp-2fa
WP Compress – Image Optimizer [All-In-One]	wp-compress-image-optimizer
WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting	erp
WP Job Manager	wp-job-manager
WP Plugin Lister	wp-plugin-lister
WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc	wp-sms
WP SOCIAL BOOKMARK MENU	wp-social-bookmark-menu
WP Ultimate Review	wp-ultimate-review
WP-Members Membership Plugin	wp-members
WooCommerce	woocommerce
WooCommerce Conversion Tracking	woocommerce-conversion-tracking
WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels	print-invoices-packing-slip-labels-for-woocommerce
Woocommerce Tranzila Payment Gateway	woo-tranzila-gateway
WordPress Users	wordpress-users
cformsII	cforms2
oEmbed Gist	oembed-gist
pTypeConverter	ptypeconverter

---

WordPress Themes with Reported Vulnerabilities Last Week

Software Name	Software Slug
Meris	meris
Weaver Xtreme	weaver-xtreme

---

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

WooCommerce Tranzila Gateway <= 1.0.8 – Unauthenticated PHP Object Injection

---

LearnPress <= 4.2.5.7 – Unauthenticated SQL Injection via order_by

---

Taggbox <= 3.1 – Unauthenticated PHP Object Injection

---

WP Compress – Image Optimizer [All-In-One] <= 6.10.33 – Unauthenticated Directory Traversal via css

---

Gecka Terms Thumbnails <= 1.1 – Authenticated (Subscriber+) PHP Object Injection

---

HTML5 SoundCloud Player <= 2.8.0 – Authenticated (Author+) PHP Object Injection

---

Page Builder: Live Composer <= 1.5.25 – Authenticated (Author+) PHP Object Injection

---

HTML5 MP3 Player with Playlist Free <= 3.0.0 – Authenticated (Author+) PHP Object Injecton

---

Randomize <= 1.4.3 – Authenticated (Contributor+) SQL Injection

---

HTML5 MP3 Player with Folder Feedburner <= 2.8.0 – Authenticated (Author+) PHP Object Injection

---

OMGF | GDPR/DSGVO Compliant, Faster Google Fonts. Easy. <= 5.7.9 – Missing Authorization to Unauthenticated Directory Deletion and Cross-Site Scripting

---

LearnPress <= 4.2.5.7 – Command Injection

---

Hostinger <= 1.9.7 – Missing Authorization to Maintenance Mode Activation

---

ARForms <= 1.5.8 – Unauthenticated Stored Cross-Site Scripting via arf_http_referrer_url

---

POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress <= 2.8.7 – Unauthenticated Stored Cross-Site Scripting via device

---

WP ERP <= 1.12.8 – Authenticated (Accounting manager+) SQL Injection

---

pTypeConverter <= 0.2.8.1 – Authenticated (Editor+) SQL Injection

---

WP-Members Membership Plugin <= 3.4.8 – Missing Authorization to Sensitive Information Exposure

---

Coupon Referral Program <= 1.7.2 – Sensitive Information Disclosure

---

Ideal Interactive Map <= 1.2.4 – Authenticated (Contributor+) Stored Cross-Site Scripting

---

Page Builder: Live Composer <= 1.5.23 – Authenticated (Contributor+) Stored Cross-Site Scripting

---

Easy SVG Allow <= 1.0 – Authenticated (Author+) Stored Cross-Site Scripting via SVG

---

Orbit Fox Companion <= 2.10.26 – Authenticated (Contributor+) Stored Cross-Site Scripting via custom fields

---

MapPress Maps for WordPress <= 2.88.13 – Authenticated (Contributor+) Stored Cross-Site Scripting

---

Posts to Page <= 1.7 – Authenticated (Contributor+) Stored Cross-Site Scripting

---

Laybuy Payment Extension for WooCommerce <= 5.3.9 – Authenticated (Contributor+) Stored Cross-Site Scripting

---

3D Flipbook <= 1.15.2 – Authenticated (Contributor+) Cross-Site Scripting via Ready Function

---

Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders <= 5.9.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

---

Infogram <= 1.6.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

---

Keap Official Opt-in Forms <= 1.0.11 – Authenticated (Contributor+) Stored Cross-Site Scripting

---

RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator <= 4.3.2 – Authenticated (Author+) Stored Cross-Site Scripting

---

EmbedPress – Embed PDF, YouTube, Google Docs, Vimeo, Wistia Videos, Audios, Maps & Any Documents in Gutenberg & Elementor <= 3.9.5 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

---

Mapster WP Maps <= 1.2.38 – Authenticated (Contributor+) Stored Cross-Site Scripting

---

FooGallery Premium <= 2.3.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

---

Private Google Calendars <= 20231125 – Authenticated (Contributor+) Stored Cross-Site Scripting

---

Oxygen Builder <= 4.8 – Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Field

---

TJ Shortcodes 0.1.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

---

oEmbed Gist <= 4.9.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

---

Rate Star Review <= 1.5.1 – Reflected Cross-Site Scripting

---

Autotitle for WordPress <= 1.0.3 – Cross-Site Request Forgery to Settings Update and Stored Cross-Site Scripting

---

Happy Addons for Elementor <= 3.9.1.1 – Reflected Cross-Site Scripting

---

Ajax Search Lite <= 4.11.4 – Reflected Cross-Site Scripting

---

WP Plugin Lister <= 2.1.0 – Cross-Site Request Forgery to Settings Update and Stored Cross-Site Scripting

---

POST SMTP Mailer <= 2.8.6 – Reflected Cross-Site Scripting via msg

---

Meris <= 1.1.2 – Reflected Cross-Site Scripting

---

CPT Bootstrap Carousel <= 1.12 – Reflected Cross-Site Scripting

---

WP SMS <= 6.5 – Authenticated (Admin+) SQL Injection to Reflected Cross-Site Scripting

---

Weaver Xtreme <= 6.3.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

---

RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator <= 4.3.2 – Missing Authorization

---

Product Expiry for WooCommerce <= 2.5 – Missing Authorization to Authenticated (Subscriber+) Plugin Settings Update

---

PageLayer <= 1.7.8 – Authenticated(Contributor+) Stored Cross-Site Scripting via meta fields

---

Constant Contact Forms <= 2.4.2 – Information Disclosure via Log Files

---

Wp Ultimate Review <= 2.2.5 – IP Spoofing

---

ActivityPub <= 1.0.5 – Missing Authorization

---

Product Delivery Date for WooCommerce – Lite <= 2.7.0 – Missing Authorization

---

WP Job Manager <= 2.0.0 – Missing Authorization

---

PowerPack Addons for Elementor (Free Widgets, Extensions and Templates) <= 2.7.13 – Cross-Site Request Forgery

---

Complianz | GDPR/CCPA Cookie Consent <= 6.5.5 – Authenticated(Administrator+) Stored Cross-site Scripting via settings

---

CformsII <= 15.0.5 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

Ads Invalid Click Protection <= 1.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

Icegram <= 3.1.20 – Missing Authorization

---

WP 2FA – Two-factor authentication for WordPress <= 2.5.0 – Cross-Site Request Forgery

---

WP Social Bookmark Menu <= 1.2 – Cross-Site Request Forgery to Settings Update

---

LearnPress <= 4.2.5.7 – Insecure Direct Object Reference to Information Disclosure

---

Booster Plus for WooCommerce < 7.1.2 – Missing Authorization to Order Information Disclosure

---

WordPress Users <= 1.4 – Cross-Site Request Forgery to Settings Update

---

Easy Social Feed <= 6.5.2 – Missing Authorization to Settings Modification

---

Quiz Maker <= 6.5.1.1 – Missing Authorization

---

WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels <= 4.3.0 – Missing Authorization to Order Export

---

WP Job Manager <= 2.0.0 – Cross-Site Request Forgery

---

Google Analytics by Monster Insights <= 8.21.0 – Missing Authorization

---

Site Notes <= 2.0.0 – Cross-Site Request Forgery to Admin Note Deletion

---

Void Contact Form 7 Widget For Elementor Page Builder <= 2.3 – Missing Authorization

---

WP SMS <= 6.5 – Cross-Site Request Forgery to Subscriber Deletion

---

LightStart – Maintenance Mode, Coming Soon and Landing Page Builder <= 2.6.8 – Missing Authorization

---

WooCommerce Conversion Tracking <= 2.0.11 – Missing Authorization

---

Depicter Slider – Responsive Image Slider, Video Slider & Post Slider <= 2.0.6 – Cross-Site Request Forgery via save

---

WP 2FA <= 2.5.0 – Insecure Direct Object Reference to Arbitrary Email Sending

---

Booster Plus for WooCommerce < 7.1.3 – Missing Authorization to Arbitrary Options Disclosure

---

Booster Plus for WooCommerce < 7.1.2 – Missing Authorization to Arbitrary Page/Post Deletion

---

WooCommerce <= 8.2.2 – Cross-Site Request Forgery

---

Booster Elite for WooCommerce < 7.1.2 – Missing Authorization to Order Information Disclosure

---

Profile Builder <= 3.10.7 – Insecure Direct Object Reference to Sensitive Information Exposure via user_meta Shortcode

---

JS & CSS Script Optimizer <= 0.3.3 – Cross-Site Request Forgery

---

My Sticky Bar <= 2.6.6 – Cross-Site Request Forgery to Sensitive Information Exposure

---

As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.