Wordfence Intelligence Weekly WordPress Vulnerability Report (March 18, 2024 to March 24, 2024)


🎉 Did you know we’re running a Bug Bounty Extravaganza again?

Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through May 27th, 2024 when you opt to have Wordfence handle responsible disclosure!


Last week, there were 94 vulnerabilities disclosed in 81 WordPress Plugins and 3 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 32 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Enterprises, hosting providers, and even individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Alternatively, they can use the Vulnerability Database API to receive a complete dump of our database of over 14,000 vulnerabilities, and then use the webhook integration to stay on top of the newest vulnerabilities added in real time, as well as any updates made to the database, all for free.

Click here to sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.


New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

  • WAF-RULE-686 – Data redacted while we work with the vendor on a patch.

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30-day delay.


Total Unpatched & Patched Vulnerabilities Last Week

Patch Status | Number of Vulnerabilities
Patched | 86
Unpatched | 8


Total Vulnerabilities by CVSS Severity Last Week

Severity Rating | Number of Vulnerabilities
Medium Severity | 78
High Severity | 14
Critical Severity | 2


Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE | Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 42
Missing Authorization | 11
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | 9
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 8
Cross-Site Request Forgery (CSRF) | 4
Improper Access Control | 4
Information Exposure | 4
Authorization Bypass Through User-Controlled Key | 2
Deserialization of Untrusted Data | 2
Improper Input Validation | 2
Unrestricted Upload of File with Dangerous Type | 2
Improper Authentication | 1
Information Exposure Through Directory Listing | 1
Insufficient Verification of Data Authenticity | 1
Server-Side Request Forgery (SSRF) | 1


Researchers That Contributed to WordPress Security Last Week


Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.


WordPress Plugins with Reported Vulnerabilities Last Week

Software Name Software Slug
360 Javascript Viewer 360deg-javascript-viewer
Advanced Access Manager – Restricted Content, Users & Roles, Enhanced Security and More advanced-access-manager
Advanced Classifieds & Directory Pro advanced-classifieds-and-directory-pro
Advanced Form Integration – Connect WooCommerce and Contact Form 7 to Google Sheets and other platforms advanced-form-integration
AI Post Generator | AutoWriter ai-post-generator
Animated Headline animated-headline
Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin simply-schedule-appointments
Better Search – Relevant search results for WordPress better-search
Blocksy Companion blocksy-companion
BuddyPress WooCommerce My Account Integration. Create WooCommerce Member Pages wc4bp
Cards for Beaver Builder bb-bootstrap-cards
Coming Soon & Maintenance Mode by Colorlib colorlib-coming-soon-maintenance
Coming Soon, Under Construction & Maintenance Mode By Dazzler coming-soon-wp
Contests by Rewards Fuel contests-from-rewards-fuel
Create by Mediavine mediavine-create
Custom WooCommerce Checkout Fields Editor add-fields-to-checkout-page-woocommerce
Easy Maintenance Mode easy-maintenance-mode-coming-soon
Easy Property Listings easy-property-listings
EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor embedpress
Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates essential-blocks
File Manager wp-file-manager
Font Farsi font-farsi
Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder form-maker
GamiPress – Button gamipress-button
GamiPress – The #1 gamification plugin to reward points, achievements, badges & ranks in WordPress gamipress
Getwid – Gutenberg Blocks getwid
GiveWP – Donation Plugin and Fundraising Platform give
Gum Elementor Addon gum-elementor-addon
Gutenberg Blocks with AI by Kadence WP – Page Builder Features kadence-blocks
Inline Related Posts intelly-related-posts
Invitation Code Content Restriction Plugin from CreativeMinds invitation-code-content-access
JetWidgets For Elementor jetwidgets-for-elementor
Lightweight Accordion lightweight-accordion
LiquidPoll – Polls, Surveys, NPS and Feedback Reviews wp-poll
Live Sales Notification for Woocommerce – Woomotiv woomotiv
Management App for WooCommerce – Order notifications, Order management, Lead management, Uptime Monitoring wemanage-app-worker
Memberpress memberpress
MJM Clinic mjm-clinic
Modal Window – create popup modal window modal-window
Move Addons for Elementor move-addons
MyCurator Content Curation mycurator
Network Summary network-summary
Newsletter, SMTP, Email marketing and Subscribe forms by Brevo (formely Sendinblue) mailin
Olive One Click Demo Import olive-one-click-demo-import
Order Tip for WooCommerce order-tip-woo
Page Builder by SiteOrigin siteorigin-panels
Page Builder Gutenberg Blocks – CoBlocks coblocks
Page Builder: Pagelayer – Drag and Drop website builder pagelayer
Passwordless Login passwordless-login
PDF Embedder pdf-embedder
Permalink Manager Lite permalink-manager
Permalink Manager Pro permalink-manager-pro
Popup Maker – Popup for opt-ins, lead gen, & more popup-maker
PowerPack Lite for Beaver Builder powerpack-addon-for-beaver-builder
Pretty Links – Affiliate Links, Link Branding, Link Tracking & Marketing Plugin pretty-link
Qi Addons For Elementor qi-addons-for-elementor
Rank Math SEO with AI Best SEO Tools seo-by-rank-math
Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit wp-marketing-automations
Responsive Gallery Grid responsive-gallery-grid
Restrict User Access – Ultimate Membership & Content Protection restrict-user-access
RevivePress – Keep your Old Content Evergreen wp-auto-republish
s2Member – Best Membership Plugin for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions s2member
SEOPress – On-site SEO wp-seopress
Smart Custom Fields smart-custom-fields
Standout Color Boxes and Buttons standout-color-boxes-and-buttons
The Ultimate Video Player For WordPress – by Presto Player presto-player
Tourfic – Ultimate Hotel Booking, Travel Booking & Apartment Booking WordPress Plugin | WooCommerce Booking tourfic
Tracking Code Manager tracking-code-manager
Translate WordPress and go Multilingual – Weglot weglot
UX Flat ux-flat
Video Conferencing with Zoom video-conferencing-with-zoom-api
Website Article Monetization By MageNet website-article-monetization-by-magenet
WooCommerce Cloak Affiliate Links woocommerce-cloak-affiliate-links
WooCommerce Clover Payment Gateway woo-clover-gateway-by-zaytech
WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels print-invoices-packing-slip-labels-for-woocommerce
WooCommerce POS – Point of Sale (POS) woocommerce-pos
WP Coder – Powerful HTML, CSS, JS and PHP Injection wp-coder
WP Compress – Image Optimizer [All-In-One] wp-compress-image-optimizer
WP Go Maps (formerly WP Google Maps) wp-google-maps
WP Shortcodes Plugin — Shortcodes Ultimate shortcodes-ultimate
WPBITS Addons For Elementor Page Builder wpbits-addons-for-elementor


WordPress Themes with Reported Vulnerabilities Last Week

Software Name Software Slug
Avada | Website Builder For WordPress & WooCommerce Avada
ColorMag colormag
Graphene graphene


Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

CVE-ID | CVSS Rating | Patch Status | Published | Affected Software
CVE-2024-1711 | Critical (9.8) | Patched | Mar 19, 2024 | Create by Mediavine
CVE-2024-2804 | Critical (9.8) | Unpatched | Mar 21, 2024 | Network Summary
CVE-2024-1893 | High (8.8) | Patched | Mar 21, 2024 | Easy Property Listings
CVE-2024-1538 | High (8.8) | Patched | Mar 20, 2024 | File Manager
CVE-2024-1308 | High (7.5) | Patched | Mar 20, 2024 |
CVE-2024-1934 | High (7.5) | Patched | Mar 21, 2024 |
CVE-2024-2459 | High (7.4) | Unpatched | Mar 19, 2024 | UX Flat
CVE-2024-2344 | High (7.2) | Patched | Mar 20, 2024 |
CVE-2024-29142 | High (7.2) | Patched | Mar 18, 2024 |
CVE-2024-2392 | Medium (6.5) | Patched | Mar 21, 2024 | Blocksy Companion
CVE-2024-2702 | Medium (6.5) | Patched | Mar 20, 2024 | Olive One Click Demo Import
CVE-2024-2304 | Medium (6.4) | Unpatched | Mar 19, 2024 | Animated Headline
CVE-2024-2343 | Medium (6.4) | Patched | Mar 20, 2024 |
CVE-2024-2311 | Medium (6.4) | Patched | Mar 20, 2024 |
CVE-2024-2305 | Medium (6.4) | Patched | Mar 21, 2024 | Cards for Beaver Builder
CVE-2024-2500 | Medium (6.4) | Patched | Mar 21, 2024 | ColorMag
CVE-2024-1787 | Medium (6.4) | Patched | Mar 19, 2024 | Contests by Rewards Fuel
CVE-2024-1697 | Medium (6.4) | Patched | Mar 22, 2024 |
CVE-2024-2460 | Medium (6.4) | Patched | Mar 19, 2024 | GamiPress – Button
CVE-2024-2348 | Medium (6.4) | Patched | Mar 19, 2024 | Gum Elementor Addon
CVE-2024-2507 | Medium (6.4) | Patched | Mar 20, 2024 |
CVE-2024-2436 | Medium (6.4) | Patched | Mar 22, 2024 | Lightweight Accordion
CVE-2024-2131 | Medium (6.4) | Patched | Mar 22, 2024 | Move Addons for Elementor
CVE-2024-2202 | Medium (6.4) | Patched | Mar 22, 2024 | Page Builder by SiteOrigin
CVE-2024-1049 | Medium (6.4) | Patched | Mar 22, 2024 |
CVE-2024-29143 | Medium (6.4) | Patched | Mar 18, 2024 | Passwordless Login
CVE-2024-29141 | Medium (6.4) | Patched | Mar 18, 2024 | PDF Embedder
CVE-2024-2289 | Medium (6.4) | Patched | Mar 18, 2024 |
CVE-2024-0826 | Medium (6.4) | Patched | Mar 18, 2024 | Qi Addons For Elementor
CVE-2024-2165 | Medium (6.4) | Patched | Mar 22, 2024 |
CVE-2024-2474 | Medium (6.4) | Unpatched | Mar 19, 2024 |
CVE-2024-2129 | Medium (6.4) | Unpatched | Mar 19, 2024 |
CVE-2024-1850 | Medium (6.3) | Patched | Mar 21, 2024 | AI Post Generator | AutoWriter
CVE-2024-29127 | Medium (6.1) | Patched | Mar 20, 2024 |
CVE-2022-4965 | Medium (6.1) | Patched | Mar 20, 2024 |
CVE-2024-1412 | Medium (6.1) | Patched | Mar 21, 2024 | Memberpress
CVE-2024-29139 | Medium (6.1) | Patched | Mar 18, 2024 | MyCurator Content Curation
CVE-2024-2738 | Medium (6.1) | Patched | Mar 20, 2024 |
CVE-2024-29138 | Medium (6.1) | Patched | Mar 18, 2024 |
CVE-2024-29137 | Medium (6.1) | Patched | Mar 18, 2024 |
CVE-2024-1379 | Medium (6.1) | Patched | Mar 19, 2024 |
CVE-2024-1785 | Medium (5.4) | Patched | Mar 19, 2024 | Contests by Rewards Fuel
CVE-2024-2538 | Medium (5.4) | Patched | Mar 18, 2024 |
CVE-2024-1473 | Medium (5.3) | Unpatched | Mar 19, 2024 |
CVE-2024-1181 | Medium (5.3) | Patched | Mar 19, 2024 |
CVE-2024-1477 | Medium (5.3) | Unpatched | Mar 19, 2024 | Easy Maintenance Mode
CVE-2024-1984 | Medium (5.3) | Patched | Mar 19, 2024 | Graphene
CVE-2024-1119 | Medium (5.3) | Patched | Mar 19, 2024 | Order Tip for WooCommerce
CVE-2024-0626 | Medium (5.3) | Patched | Mar 22, 2024 |
CVE-2023-6777 | Medium (5.3) | Patched | Mar 18, 2024 |
CVE-2024-3093 | Medium (4.4) | Unpatched | Mar 18, 2024 | Font Farsi
CVE-2024-29140 | Medium (4.4) | Patched | Mar 18, 2024 | MJM Clinic
CVE-2024-1664 | Medium (4.4) | Patched | Mar 19, 2024 | Responsive Gallery Grid
CVE-2024-2579 | Medium (4.4) | Patched | Mar 18, 2024 | Tracking Code Manager
CVE-2024-2578 | Medium (4.4) | Patched | Mar 18, 2024 |
CVE-2024-1637 | Medium (4.3) | Patched | Mar 21, 2024 | 360 Javascript Viewer
CVE-2024-2222 | Medium (4.3) | Patched | Mar 19, 2024 |
CVE-2023-6257 | Medium (4.3) | Patched | Mar 21, 2024 | Inline Related Posts
CVE-2024-2080 | Medium (4.3) | Patched | Mar 21, 2024 |
CVE-2024-2543 | Medium (4.3) | Patched | Mar 20, 2024 |
CVE-2024-1844 | Medium (4.3) | Patched | Mar 19, 2024 |
CVE-2024-1995 | Medium (4.3) | Patched | Mar 19, 2024 | Smart Custom Fields
CVE-2024-2033 | Medium (4.3) | Patched | Mar 22, 2024 | Video Conferencing with Zoom


As a reminder, Wordfence has curated an industry-leading vulnerability database, known as Wordfence Intelligence, that covers all known WordPress core, theme, and plugin vulnerabilities.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, through vulnerability researchers submitting directly to us via our Bug Bounty Program, and by monitoring various sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

