Wordfence Intelligence Weekly WordPress Vulnerability Report (November 4, 2024 to November 10, 2024)
🦸 💥 Calling all superheroes and hunters! Introducing the End of Year Holiday Extravaganza and the WordPress Superhero Challenge for the Wordfence Bug Bounty Program! Through December 9th, 2024:
- All in-scope vulnerability types for WordPress plugins/themes with >= 1,000 active installations are in-scope for ALL researchers
- All plugins and themes with 50-999 active installs hosted in the WordPress.org repository and updated within the last 2 years are in-scope for all researchers!
- Minimum bounty of $5 for all valid in-scope submissions.
- All researchers earn automatic bonuses of between 5% and 180% for valid submissions
- Pending report limits are increased for all
- It’s possible to earn up to $31,200 for high impact vulnerabilities!
Last week, there were 288 vulnerabilities disclosed in 275 WordPress Plugins and 5 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 44 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, including the WordPress community, so that individuals and organizations alike can use that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and use, both personally and commercially, and why we are running this weekly vulnerability report.
Enterprises, hosting providers, and even individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Alternatively, they can use the Vulnerability Database API to retrieve a complete dump of our database of over 20,000 vulnerabilities, then use the webhook integration to stay on top of the newest vulnerabilities as they are added in real time, as well as any updates made to the database, all for free.
Click here to sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
- Advanced Order Export For WooCommerce <= 3.5.5 – Unauthenticated PHP Object Injection via Order Details
- WAF-RULE-760 – Data redacted while we work with the vendor on a patch.
- WAF-RULE-761 – Data redacted while we work with the vendor on a patch.
- WAF-RULE-762 – Data redacted while we work with the vendor on a patch.
- WAF-RULE-764 – Data redacted while we work with the vendor on a patch.
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30-day delay.
Total Unpatched & Patched Vulnerabilities Last Week
Patch Status | Number of Vulnerabilities |
---|---|
Patched | 84 |
Unpatched | 204 |
Total Vulnerabilities by CVSS Severity Last Week
Severity Rating | Number of Vulnerabilities |
---|---|
Medium Severity | 254 |
High Severity | 14 |
Critical Severity | 20 |
Total Vulnerabilities by CWE Type Last Week
Vulnerability Type by CWE | Number of Vulnerabilities |
---|---|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 227 |
Unrestricted Upload of File with Dangerous Type | 11 |
Missing Authorization | 10 |
Authorization Bypass Through User-Controlled Key | 7 |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 7 |
Exposure of Sensitive Information to an Unauthorized Actor | 6 |
Improper Authentication | 4 |
Improper Control of Generation of Code ('Code Injection') | 4 |
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | 3 |
Server-Side Request Forgery (SSRF) | 2 |
Authentication Bypass Using an Alternate Path or Channel | 1 |
Cross-Site Request Forgery (CSRF) | 1 |
Improper Access Control | 1 |
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') | 1 |
Improper Handling of Missing Values | 1 |
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | 1 |
Insecure Storage of Sensitive Information | 1 |
Researchers That Contributed to WordPress Security Last Week
| Researcher Name | Number of Vulnerabilities |
|---|---|
| | 123 |
| | 32 |
| | 21 |
| | 17 |
| | 8 |
| | 6 |
| | 6 |
| | 6 |
| | 6 |
| | 5 |
| | 4 |
| | 4 |
| | 4 |
| | 3 |
| | 3 |
| | 3 |
| | 3 |
| | 2 |
| | 2 |
| | 2 |
| | 2 |
| | 2 |
| | 2 |
| | 2 |
| | 2 |
| | 2 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
| | 1 |
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
Software Name | Software Slug |
---|---|
140+ Widgets \| Xpro Addons For Elementor – FREE | xpro-elementor-addons |
AA Audio Player | aa-audio-player |
AchillesTheme-shortcodes | achilles-shortcodes |
Active Products Tables for WooCommerce. Use constructor to create tables | profit-products-tables-for-woocommerce |
Add Ribbon Shortcode | add-ribbon |
Admin Amplify | wpr-admin-amplify |
Advanced Video Player with Analytics | advanced-video-player-with-analytics |
Adventure Bucket List | adventure-bucket-list |
AgendaPress – Easily Publish Meeting Agendas and Programs on WordPress | agendapress |
Ajax Content Filter | ajax-content-filter |
Alert Me! | alert-me |
Algori PDF Viewer | algori-pdf-viewer |
Anant Addons for Elementor | anant-addons-for-elementor |
Assist24 Help Desk | assist24it |
Attesa Extra | attesa-extra |
audioCase | audiocase |
Awesome Fitness Testimonials | awesome-fitness-testimonials |
Awesome Tool Tip | awesome-tool-tip |
AzonBox | azonbox |
Bamboo Enquiries | bamboo-enquiries |
Banner System | banner-system |
Basticom Framework | basticom-framework |
Be Shortcodes | be-shortcodes |
Beacon For Help Scout | beacon-for-helpscout |
BeBetter Social Icons | bebetter-social-icons |
best bootstrap widgets for elementor | best-bootstrap-widgets-for-elementor |
Bg Patriarchia BU | bg-patriarchia-bu |
Bing Search API Integration | abbs-bing-search |
Bitcoin Payments | bitcoin-payments |
Blocks Post Grid | blocks-post-grid |
Boombox Shortcode Plugin | boombox-shortcode |
Brand my Footer | brand-my-footer |
Browsing History | browsing-history |
BU Slideshow | bu-slideshow |
Buooy Sticky Header | buooy-sticky-header |
Category Ajax Filter | category-ajax-filter |
CE21 Suite | ce21-suite |
Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More | charitable |
Charity Addon for Elementor | charity-addon-for-elementor |
Christian Science Bible Lesson Subjects | christian-science-bible-lesson-subjects |
Code Embed | simple-embed-code |
codeSnips | codesnips |
Combo WP Rewrite Slugs | combo-wp-rewrite-slugs |
Community Yard Sale | community-yard-sale |
Contact Form 7 – Dynamic Text Extension | contact-form-7-dynamic-text-extension |
Contact Form 7 – PayPal & Stripe Add-on | contact-form-7-paypal-add-on |
Content Slider Block | content-slider-block |
Content Syndication Toolkit Reader | content-syndication-toolkit-reader |
Conversion Helper | conversion-helper |
Cookie Nonsense for YT | yt-cookie-nonsense |
Countdown Timer block – Display the event's date into a timer. | countdown-time |
Cowidgets – Elementor Addons | cowidgets-elementor-addons |
Creative Blocks – Ultimate Blocks for Gutenberg | creative-blocks |
CRM 2go – Formulario de contacto | crm2go |
CRM WordPress Plugin – RepairBuddy | computer-repair-shop |
Custom Dashboard Widget | create-custom-dashboard-widget |
Custom URL Shortener | custom-url-shorter |
Daily Image | daily-image |
Dashing Memberships | dashing-memberships |
Debug Tool | debug-tool |
Design for Contact Form 7 Style WordPress Plugin – CF7 WOW Styler | cf7-styler |
Don't Break The Code | dont-break-the-code |
Doofinder | doofinder |
drop in image slideshow gallery | drop-in-image-slideshow-gallery |
DuoGeek – Gutenberg Blocks | duogeek-blocks |
Dynamic Post Grid Elementor Addon | dynamic-post-grid-elementor-addon |
Easy Social Sharebar | easy-social-sharebar |
Easy SVG Support | easy-svg |
eewee admin custom | eewee-admincustom |
Ekiline Block Collection | ekiline-block-collection |
EleForms – All In One Form Integration including DB for Elementor | all-contact-form-integration-for-elementor |
Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid, Carousel and Remote Arrows) | bdthemes-element-pack-lite |
ElementsReady Addons for Elementor | element-ready-lite |
Embed documents shortcode | embed-documents-shortcode |
Envo Extra | envo-extra |
ESB Testimonials | esb-testimonials |
Event post | event-post |
EventPress | wp-eventpress |
Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin | everest-backup |
Fabrica Synced Pattern Instances | fabrica-reusable-block-instances |
Faltu Testimonial Rotator | faltu-testimonial-rotator |
Fancy User List | fancy-user-listing |
Fast Video and Image Display | fast-video-and-image-display |
Featured product by category name | featured-product-by-category-name |
File Select Control For Elementor | file-select-control-for-elementor |
Firework Shoppable Live Video | firework-videos |
Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder | form-maker |
Forms | forms-by-made-it |
Forms: 3rd-Party Post Again | forms-3rdparty-post-again |
FOX – Currency Switcher Professional for WooCommerce | woocommerce-currency-switcher |
FriendStore for WooCommerce | friendstore-for-woocommerce |
Gboy Custom Google Map | gboy-custom-google-map |
Geoportail Shortcode | geoportail-shortcode |
Geotagged Media | geotagged-media |
Google Visualization Charts | google-visualization-charts |
GreenCon – Table, Listing, Marketing builder for Gutenberg | greencon |
Gutenium Blocks | gutenium |
HB AUDIO GALLERY | hb-audio-gallery |
Heateor Social Login WordPress | heateor-social-login |
Hola Free Video Player | hola-free-video-player |
Horsemanager | fruitcake-horsemanager |
HQ60 Fidelity Card | hq60-fidelity-card |
I Plant A Tree | i-plant-a-tree |
IA Map Analytics Basic | ia-map-analytics-basic |
Icon Widget | icon-widget-with-links |
Image Carousel Shortcode | image-carousel-shortcode |
Image Classify | image-classify |
imPress | wp-js-impress |
Inline Click To Tweet | inline-click-to-tweet |
IntelliWidget Elements | intelliwidget-elements |
Jigoshop – Store Toolkit | jigoshop-store-toolkit |
JobSearch WP Job Board | wp-jobsearch |
Keymaster Chord Notation Free | keymaster-chord-notation-free |
Kings Tab Slider | kings-tab-slider |
L Squared Hub WP – Virtual Device Plugin | l-squared-hub-wp-virtual-device |
Landing Page Cat – Coming Soon Page, Maintenance Page & Squeeze Pages | landing-page-cat |
Lead capture, gated content & newsletter opt-ins | bread-butter |
Lenxel Core | lenxel-core |
Leopard - WordPress Offload Media | leopard-wordpress-offload-media |
Lewe Bootstrap Visuals | shortcode-bootstrap-visuals |
LIQUID BLOCKS – Slider, Carousel, Accordion | liquid-blocks |
Location Click Map | location-click-map |
Loginizer | loginizer |
Loginizer Security | loginizer-security |
Loginplus | loginplus |
Luzuk Slider | luzuk-slider |
Luzuk Team | luzuk-team |
Luzuk Testimonials | luzuk-testimonials |
Mage Front End Forms | mage-forms |
Magic Slider | magic-slider |
Magical Addons For Elementor ( Header Footer Builder, Free Elementor Widgets, Elementor Templates Library ) | magical-addons-for-elementor |
Map Store Locator | map-store-location |
Mapme | mapme |
MapPress Maps for WordPress | mappress-google-maps-for-wordpress |
Master Bar | master-bar |
MDC YouTube Downloader | mdc-youtube-downloader |
mFolio Lite | mfolio-lite |
MG Post Contributors | mg-post-contributors |
Minical Hotel Booking Plugin | minical |
Mobile Kiosk | mobile-kiosk |
Moka Get Posts Shortcode | moka-get-posts |
Moose Elementor Kit | moose-elementor-kit |
Multi-day Booking Calendar | multi-day-booking-calendar |
Multifox Plus | multifox-plus |
Multiple Votes in one page | multiple-votes-in-one-page |
My Restaurant Menu | my-restaurant-menu |
myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program. | mycred |
Narnoo Commerce Manager | narnoo-commerce-manager |
News Articles | news-articles |
News Ticker | newsticker |
NV Slider | nv-slider |
Official SalesWizard CRM Plugin | official-saleswizard-crm |
Olympus Shortcodes | olympus-shortcodes |
OpenCart Product Display | opencart-product-display |
OS BXSlider | os-bxslider |
OS Our Team | os-our-team |
OS Pricing Tables | os-pricing-tables |
OSM – OpenStreetMap | osm |
Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction | paid-member-subscriptions |
Parallaxer – Parallax Effect on Content | parallaxer-lite-parallax-effects-on-images |
ParOne Feeds | parone |
Pay With Stripe – Your WordPress Payments Stripe Gateway | payments-stripe-gateway |
Pdf Embedder Fay | pdf-embedder-fay |
Persian Nested Show/Hide Text | persian-nested-showhide-text |
PF Timer | pf-timer |
Photo Gallery by 10Web – Mobile-Friendly Image Gallery | photo-gallery |
Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery | nextgen-gallery |
Photographer Connections | photographer-connections |
Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons | contest-gallery |
Plenigo | plenigo |
Poll Maker – Versus Polls, Anonymous Polls, Image Polls | poll-maker |
Popup Image | popup-image |
Postcasa Shortcode | postcasa |
Postify: Post Layout For Elementor | postify-for-elementor |
Posts Filter | posts-filter |
Posts Search | posts-search |
Pricing Tables WordPress Plugin – Easy Pricing Tables | easy-pricing-tables |
Prime Slider – Addons For Elementor (Revolution of a slider, Hero Slider, Post Slider and Ecommerce Slider) | bdthemes-prime-slider-lite |
Pro Addons For Elementor | pro-addons-for-elementor |
PropertyShift | propertyshift |
Provide Forex Signals | provide-forex-signals |
Pull This | pull-this |
Quform - WordPress Form Builder | quform |
ra_qrcode | ra-qrcode |
Realty by BestWebSoft | realty |
Redirecter | shortcode-for-redirection |
RegistrationMagic – User Registration Plugin with Custom Registration Forms | custom-registration-form-builder-with-submission-manager |
Responsive Addons for Elementor – Free Elementor Addons Plugin and Elementor Templates | responsive-addons-for-elementor |
Responsive Data Table | responsive-data-table |
Responsive Filterable Portfolio | responsive-filterable-portfolio |
Rig Elements For Elementor | rig-elements |
RSV 360 View | rsv-360-view |
RSV PDF Preview | rsv-pdf-preview |
Saragna – Social Stream WordPress | saragna-social-stream |
Satisfaction Reports from Help Scout | happiness-reports-for-help-scout |
scrollup | scrollup |
Search order by product SKU for WooCommerce | search-order-by-product-sku-for-woocommerce |
Sell Media File with Stripe | sell-media-file |
Semantic Shortcode | semantic-shortcode |
Seriously Simple Podcasting | seriously-simple-podcasting |
Share Buttons – Social Media | rich-web-share-button |
Shortcode Collection | shortcode-collection |
Shortcodes Blocks Creator Ultimate | ultimate-shortcodes-creator |
Simple Modal | simplemodal |
Simple Shortcode for Google Maps | simple-google-maps-short-code |
Simple Social Share Block | simple-social-share-block |
SimpleGMaps | simplegmaps |
Simplistic SEO | simplistic-seo |
Simpul Events by Esotech | simpul-events-by-esotech |
SKT Addons for Elementor | skt-addons-for-elementor |
Smooth Maps | colour-smooth-maps |
Social button | social-button |
Social Locker – Increase Traffic | social-locker-content |
Social Share, Social Login and Social Comments Plugin – Super Socializer | super-socializer |
SrcSet Responsive Images for WordPress | truenorth-srcset |
Stylish Internal Links | stylish-internal-links |
Surbma \| Font Awesome | surbma-font-awesome |
SV Forms | sv-forms |
SVT Simple | svt-simple |
SysBasics Customize My Account for WooCommerce | customize-my-account-for-woocommerce |
Team Showcase and Slider – Team Members Builder | team-showcase-ultimate |
TeleAdmin | teleadmin |
Testimonial Slider Shortcode | testimonial-slider-shortcode |
Text Advertisements | text-advertisements |
The Novel Design Store Directory | noveldesign-store-directory |
The Pack Elementor addons (Header Footer & WooCommerce Builder, Template Library) | the-pack-addon |
Tickera – WordPress Event Ticketing | tickera-event-ticketing-system |
Tigris Flexplatform | tigris-flexplatform |
TinyCode | tinycode |
Topbar ID for Elementor | topbar-id-for-elementor |
Trendy Restaurant Menu – Best Restaurant Plugin for WordPress | trendy-restaurant-menu |
Tumult Hype Animations | tumult-hype-animations |
Twitter real time search scrolling | twitter-real-time-search-scrolling |
Ultimate Accordion | ultimate-accordion |
Ultimate Addons for Elementor (Formerly Elementor Header & Footer Builder) | header-footer-elementor |
Ultimate Bootstrap Elements for Elementor | ultimate-bootstrap-elements-for-elementor |
Ultimate Flipbox Addon for Elementor | ultimate-flipbox-addon-for-elementor |
User Meta – User Profile Builder and User management plugin | user-meta |
User Password Reset | user-password-reset |
Utech Spinning Earth | utech-spinning-earth |
UW Freelancer | uw-freelancer |
Video Gallery for WooCommerce | video-wc-gallery |
VP Sitemap | vp-sitemap |
Wd-image-magnifier-xoss | wd-image-magnifier-xoss |
WE – Client Logo Carousel | we-client-logo-carousel |
Web Stories Widgets For Elementor | shortcodes-for-amp-web-stories-and-elementor-widget |
Websand Subscription Form | websand-subscription-form |
Website remote Install vor Gravity, WPForms, Formidable, Ninja, Caldera | wp-website-creator |
Wezido – Elementor Addon Based on Easy Digital Downloads | wezido-elementor-addon-based-on-easy-digital-downloads |
WooCommerce - Social Login | woo-social-login |
WooCommerce Report | ithemelandco-woo-report |
WooCommerce Support Ticket System | woocommerce-support-ticket-system |
WordPress User Extra Fields | wp-user-extra-fields |
WoW Guild Armory Roster | guild-armory-roster |
WP Agenda | wp-agenda |
WP Contest | wp-contest |
WP Listings Pro | wp-listings-pro |
WP Membership | wp-membership |
WP MMenu Lite | wp-mmenu-lite |
WP PagSeguro Payments | wp-pagseguro-payments |
WP Photo Album Plus | wp-photo-album-plus |
WP Responsive Video | my-wp-responsive-video |
Wp Slide Categorywise | wp-slide-categorywise |
WP Virtual Room Configurator | configure-conference-room |
WP Visual Adverts | wp-visual-adverts |
WP-Basics | wp-basics |
wp_automatic_widget | wp-automatic-widget |
WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More | wpforms-lite |
WPHelpful | wphelpful |
WS Form LITE – Drag & Drop Contact Form Builder for WordPress | ws-form |
XT Floating Cart for WooCommerce | woo-floating-cart-lite |
YaDisk Files | wp-yadisk-files |
yPHPlista | yphplista |
Zotpress | zotpress |
活动链接推广插件 | yr-activity-link |
WordPress Themes with Reported Vulnerabilities Last Week
Software Name | Software Slug |
---|---|
Anih - Creative Agency WordPress Theme | anih |
Storely | storely |
Th Shop Mania | th-shop-mania |
Top Store | top-store |
WPLMS Learning Management System for WordPress, WordPress LMS | wplms |
Vulnerability Details
Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.
As a reminder, Wordfence has curated an industry-leading vulnerability database, known as Wordfence Intelligence, that covers all known WordPress core, theme, and plugin vulnerabilities.
This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, through submissions made directly to us by vulnerability researchers via our Bug Bounty Program, and by monitoring a variety of sources to capture all publicly available WordPress vulnerability information, adding additional context where we can.