Wordfence Intelligence Weekly WordPress Vulnerability Report (April 22, 2024 to April 28, 2024)

Did you know we’re running a Bug Bounty Extravaganza again?

Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through May 27th, 2024 when you opt to have Wordfence handle responsible disclosure!

Last week, there were 280 vulnerabilities disclosed in 220 WordPress Plugins and 22 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 61 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 15,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status	Number of Vulnerabilities
Patched	220
Unpatched	60

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating	Number of Vulnerabilities
Low Severity	4
Medium Severity	227
High Severity	28
Critical Severity	21

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE	Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)	85
Missing Authorization	82
Cross-Site Request Forgery (CSRF)	23
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)	12
Information Exposure	12
Server-Side Request Forgery (SSRF)	12
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’)	6
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)	6
Information Exposure Through Log Files	6
Unrestricted Upload of File with Dangerous Type	5
Authorization Bypass Through User-Controlled Key	4
Deserialization of Untrusted Data	4
Improper Privilege Management	4
External Control of Assumed-Immutable Web Parameter	3
Use of Less Trusted Source	3
Improper Control of Generation of Code (‘Code Injection’)	2
Improper Input Validation	2
Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’)	2
Authentication Bypass Using an Alternate Path or Channel	1
Guessable CAPTCHA	1
Improper Access Control	1
Improper Authorization	1
Improper Neutralization of Alternate XSS Syntax	1
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)	1
URL Redirection to Untrusted Site (‘Open Redirect’)	1

Researchers That Contributed to WordPress Security Last Week

Researcher Name	Number of Vulnerabilities
Rafie Muhammad	29
Joshua Chan	23
stealthcopter	17
Dhabaleshwar Das	17
Steven Julian	13
Majed Refaea	12
Ngô Thiên An (ancorn_)	12
Dave Jong	11
Krzysztof Zając	10
Abdi Pranata	10
Lucio Sá	7
Mika	7
wesley (wcraft)	7
Khalid	7
Webbernaut	7
Tim Coen	6
beluga	6
LVT-tholv2k	6
Emili Castells	5
Kyle Sanchez	4
Brandon James Roldan (tomorrowisnew)	4
Peng Zhou	4
CatFather	4
Bob Matyas	3
emad	3
thiennv	3
Hoa Le Ngoc (lengochoa)	2
Ananda Dhakal	2
Ray Wilson	2
Trình Vũ	2
Richard Telleng (stueotue)	2
Le Ngoc Anh	2
Dimas Maulana	2
Mochamad Sofyan	2
Francois Harvey	1
Francesco Carlucci	1
Yuchen Ji	1
ST	1
João Pedro Soares de Alcântara	1
Dmitrii Ignatyev	1
Phill Sav (Savphill)	1
andrea bocchetti	1
Thanh Nam Tran	1
Do Minh Long	1
Abu Hurayra	1
haidv35	1
Cronus	1
1337_Wannabe	1
Jean Tirstan T	1
Skalucy	1
Manab Jyoti Dowarah	1
dk0pf	1
Usama Arshad	1
Bassem Essam	1
Yash Chauhan	1
Elliot	1
Kursat Cetin	1
Christiaan Swiers (YouGina)	1
Benedictus Jovan	1
M.Awad	1
Nikolas	1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name	Software Slug
Academy LMS – eLearning and online course solution for WordPress	academy
Accessibility Widget	accessibility-widget
ActiveDEMAND	activedemand
Admin and Customer Messages After Order for WooCommerce: OrderConvo	admin-and-client-message-after-order-for-woocommerce
Admin Bar Editor – Hide Toolbar by User Roles	admin-bar
Advanced Floating Content Lite	advanced-floating-content-lite
Advanced Local Pickup for WooCommerce	advanced-local-pickup-for-woocommerce
Advanced Most Recent Posts Mod	advanced-most-recent-posts-mod
Advanced Post List	advanced-post-list
Advanced Testimonial Carousel for Elementor	advanced-testimonial-carousel-for-elementor
AGCA – Custom Dashboard & Login Page	ag-custom-admin
All-in-one Like Widget	all-in-one-facebook-like-widget
Analytify – Google Analytics Dashboard For WordPress (GA4 analytics made easy)	wp-analytify
Annual Archive	anual-archive
Appointment Hour Booking – WordPress Booking Plugin	appointment-hour-booking
AppPresser – Mobile App Framework	apppresser
Arconix FAQ	arconix-faq
Arconix Shortcodes	arconix-shortcodes
ARforms	arforms
ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup	armember-membership
Assistant – Every Day Productivity Apps	assistant
Auto Featured Image (Auto Post Thumbnail)	auto-post-thumbnail
BackUpWordPress	backupwordpress
Barcode Scanner and Inventory manager. POS (Point of Sale) – scan barcodes & create orders with barcode reader.	barcode-scanner-lite-pos-to-manage-products-inventory-and-orders
Better Elementor Addons	better-elementor-addons
Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss	bp-better-messages
BizPrint – Print WooCommerce Order Receipts, Invoices, Labels & More.	print-google-cloud-print-gcp-woocommerce
Blog2Social: Social Media Auto Post & Scheduler	blog2social
Booking Ultra Pro Appointments Booking Calendar Plugin	booking-ultra-pro
Brevo for WooCommerce	woocommerce-sendinblue-newsletter-subscription
Build 5 Star Reviews on Google Reviews, Yelp, Facebook… easily and risk-free \| RRatingg	5-stars-rating-funnel
Car Dealer (Dealership) and Vehicle sales	cardealer
CF7 File Download – File Download for CF7	cf7-file-download
ChatBot Conversational Forms	conversational-forms
Classified Listing – Classified ads & Business Directory Plugin	classified-listing
ClickCease Click Fraud Protection	clickcease-click-fraud-protection
Client Dash	client-dash
CM Tooltip Glossary	enhanced-tooltipglossary
Colibri Page Builder	colibri-page-builder
Collapse-O-Matic	jquery-collapse-o-matic
Comments – wpDiscuz	wpdiscuz
Contact Form 7 Database Addon – CFDB7	contact-form-cfdb7
Contact Form 7 Extension For Mailchimp	contact-form-7-mailchimp-extension
Contact Form, Survey & Popup Form Plugin for WordPress – ARForms Form Builder	arforms-form-builder
Content Views – Post Grid & Filter, Recent Posts, Category Posts, & More (Gutenberg Blocks and Shortcode)	content-views-query-and-display-post-page
Cookie Information \| Free GDPR Consent Solution	wp-gdpr-compliance
CookieHub – Cookie Consent Banner (DSGVO, CCPA, RGPD and GDPR compliance)	cookiehub
Cornerstone	cornerstone
Coupon & Discount Code Reveal Button	coupon-reveal-button
Crelly Slider	crelly-slider
Culqi	culqi-checkout
Custom field finder	custom-field-finder
Customify Site Library	customify-sites
Data Tables Generator by Supsystic	data-tables-generator-by-supsystic
Database for Contact Form 7, WPforms, Elementor forms	contact-form-entries
Easy Accept Payments via PayPal	wordpress-easy-paypal-payment-or-donation-accept-plugin
Easy Property Listings	easy-property-listings
Easy Set Favicon	easy-set-favicon
Element Pack Pro – Addon for Elementor Page Builder WordPress Plugin	bdthemes-element-pack
ElementsKit Elementor addons and Templates Library	elementskit-lite
ElementsKit Pro	elementskit
Elespare – Blog, Magazine and Newspaper Addons for Elementor with Templates, Widgets, Kits, and Header/Footer Builder. One Click Import: No Coding Required!	elespare
Email Customizer for WooCommerce \| Drag and Drop Email Templates Builder	email-customizer-for-woocommerce
Embed Google Photos album	embed-google-photos-album-easily
ENL Newsletter	enl-newsletter
EPROLO Dropshipping	eprolo-dropshipping
Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders	essential-addons-for-elementor-lite
Evergreen Content Poster – Auto Post and Schedule Your Best Content to Social Media	evergreen-content-poster
Exclusive Addons for Elementor	exclusive-addons-for-elementor
Export and Import Users and Customers	users-customers-import-export-for-wp-woocommerce
FameTheme Demo Importer	famethemes-demo-importer
Fan Page Widget by ThemeNcode	facebook-fan-page-widget
Fancy Product Designer	fancy-product-designer
FG Joomla to WordPress	fg-joomla-to-wordpress
FileOrganizer – Manage WordPress and Website Files	fileorganizer
Filterable Portfolio	jungbillig-portfolio-gallery
Five Star Restaurant Reservations – WordPress Booking Plugin	restaurant-reservations
Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder	form-maker
FOX – Currency Switcher Professional for WooCommerce	woocommerce-currency-switcher
Frontend Dashboard	frontend-dashboard
FV Flowplayer Video Player	fv-wordpress-flowplayer
GeoDirectory – WordPress Business Directory Plugin, or Classified Directory	geodirectory
Getwid – Gutenberg Blocks	getwid
Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers	rafflepress
Happy Addons for Elementor	happy-elementor-addons
Header Footer Code Manager Pro	99robots-header-footer-code-manager-pro
Headline Analyzer	headline-analyzer
Hide Dashboard Notifications	wp-hide-backed-notices
HT Mega – Absolute Addons For Elementor	ht-mega-for-elementor
Hummingbird – Cache & Page Speed Optimization for Core Web Vitals \| Critical CSS \| Minify CSS \| Defer CSS Javascript	hummingbird-performance
Image Optimizer, Resizer and CDN – Sirv	sirv
Image Slider	image-slider-widget
Import and export users and customers	import-users-from-csv-with-meta
InstaWP Connect – 1-click WP Staging & Migration	instawp-connect
Integrate Google Drive – Browse, Upload, Download, Embed, Play, Share, Gallery, and Manage Your Google Drive Files into Your WordPress Site	integrate-google-drive
Interactive World Maps	interactive-world-maps
Jeg Elementor Kit	jeg-elementor-kit
KB Support – WordPress Help Desk and Knowledge Base	kb-support
Knowledge Base documentation & wiki plugin – BasePress Docs	basepress
Leaky Paywall	leaky-paywall
List Custom Taxonomy Widget	list-custom-taxonomy-widget
Login with phone number	login-with-phone-number
Maintenance Mode	hkdev-maintenance-mode
MainWP Child Reports	mainwp-child-reports
Master Addons – Free Widgets, Hover Effects, Toggle, Conditions, Animations for Elementor	master-addons
Max Addons Pro for Bricks	max-addons-pro-bricks
MDTF – Meta Data and Taxonomies Filter	wp-meta-data-filter-and-taxonomy-filter
Meks Smart Social Widget	meks-smart-social-widget
Meks ThemeForest Smart Widget	meks-themeforest-smart-widget
MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor	metform
MF Gig Calendar	mf-gig-calendar
myCred – Points, Rewards, Gamification, Ranks, Badges & Loyalty Plugin	mycred
Newsletters	newsletters-lite
Opal Widgets For Elementor	opal-widgets-for-elementor
Page Builder: Live Composer	live-composer-page-builder
Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction	paid-member-subscriptions
Payment Gateway Based Fees and Discounts for WooCommerce	checkout-fees-for-woocommerce
PDF Invoices & Packing Slips for WooCommerce	woocommerce-pdf-invoices-packing-slips
Photo Gallery by 10Web – Mobile-Friendly Image Gallery	photo-gallery
Photo Gallery – GT3 Image Gallery & Gutenberg Block Gallery	gt3-photo-video-gallery
Photos and Files Contest Gallery – Contact Form, Upload Form, Social Share and Voting Competition Plugin for WordPress	contest-gallery
Piotnet Addons For Elementor	piotnet-addons-for-elementor
Piotnet Addons For Elementor Pro	piotnet-addons-for-elementor-pro
Podlove Podcast Publisher	podlove-podcasting-plugin-for-wordpress
Poll \| Vote \| Contest – Best Poll Plugin for WordPress	totalpoll-lite
Popup Box – Best WordPress Popup Plugin	ays-popup-box
Popup Builder by OptinMonster – WordPress Popups for Optins, Email Newsletters and Lead Generation	optinmonster
PopupAlly	popupally
Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC)	buddyforms
Post Grid Gutenberg Blocks and WordPress Blog Plugin – PostX	ultimate-post
Post Grid, Form Maker, Popup Maker, WooCommerce Blocks, Post Blocks, Post Carousel – Combo Blocks	post-grid
Premium Addons for Elementor	premium-addons-for-elementor
Pretty Google Calendar	pretty-google-calendar
Pricing Table by Supsystic	pricing-table-by-supsystic
Print Invoice & Delivery Notes for WooCommerce	woocommerce-delivery-notes
Product Addons & Fields for WooCommerce	woocommerce-product-addon
ProfileGrid – User Profiles, Memberships, Groups and Communities	profilegrid-user-profiles-groups-and-communities
PropertyHive	propertyhive
Qi Addons For Elementor	qi-addons-for-elementor
Quick Featured Images	quick-featured-images
Radio Player – Live Shoutcast, Icecast and Any Audio Stream Player for WordPress	radio-player
Radio Station by netmix® – Manage and play your Show Schedule in WordPress!	radio-station
Rank Math SEO with AI Best SEO Tools	seo-by-rank-math
Rate My Post – Star Rating Plugin by FeedbackWP	rate-my-post
Recencio Book Reviews	recencio-book-reviews
Reviews Plus	reviews-plus
RomethemeForm For Elementor	romethemeform
RomethemeKit For Elementor	rometheme-for-elementor
Royal Elementor Addons and Templates	royal-elementor-addons
rtMedia for WordPress, BuddyPress and bbPress	buddypress-media
Salon booking system	salon-booking-system
Save as PDF Plugin by Pdfcrowd	save-as-pdf-by-pdfcrowd
SchedulePress – Best Editorial Calendar, Missed Schedule & Auto Social Share	wp-scheduled-posts
Schema & Structured Data for WP & AMP	schema-and-structured-data-for-wp
Secure Copy Content Protection and Content Locking	secure-copy-content-protection
Seers \| GDPR & CCPA Cookie Consent & Compliance	seers-cookie-consent-banner-privacy-policy
Send PDF for Contact Form 7	send-pdf-for-contact-form-7
Serious Slider	cryout-serious-slider
SharkDropship and Affiliate for AliExpress, eBay, Amazon, Etsy	woo-aliexpress-dropshipping
ShortPixel Critical CSS	shortpixel-critical-css
Simple Membership	simple-membership
Simply Static	simply-static
Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates)	sina-extension-for-elementor
Slash Admin	slash-admin
Smart Forms – when you need more than just a contact form	smart-forms
Smart Maintenance Mode	smart-maintenance-mode
Smart Recent Posts Widget	smart-recent-posts-widget
Social Share Buttons, Social Sharing Icons, Click to Tweet — Social Media Plugin by Social Snap	socialsnap
Social Sharing Plugin – Social Warfare	social-warfare
Solid Affiliate	solid-affiliate
Spectra – WordPress Gutenberg Blocks	ultimate-addons-for-gutenberg
SSU – WordPress Amazon S3 & Wasabi Smart File Uploads Plugin	wp-s3-smart-upload
Sticky Anything	toast-stick-anything
StreamWeasels Twitch Integration	streamweasels-twitch-integration
Table Rate Shipping Method for WooCommerce by Flexible Shipping	flexible-shipping
The Pack Elementor addons (Header Footer & WooCommerce Builder, Template Library)	the-pack-addon
The Plus Addons for Elementor	the-plus-addons-for-elementor-page-builder
The Plus Blocks for Block Editor \| Gutenberg	the-plus-addons-for-block-editor
Timetable and Event Schedule by MotoPress	mp-timetable
Tutor LMS – eLearning and online course solution	tutor
Ultimate 410 Gone Status Code	ultimate-410
User Meta – User Profile Builder and User management plugin	user-meta
USPS Shipping for WooCommerce – Live Rates	flexible-shipping-usps
Video Conferencing with Zoom	video-conferencing-with-zoom-api
VikRentCar Car Rental Management System	vikrentcar
Vision – Image Map Builder	vision
Vitepos – Point of sale (POS) plugin for WooCommerce	vitepos-lite
VK Block Patterns	vk-block-patterns
VOD Infomaniak	vod-infomaniak
Wallet for WooCommerce – Best WooCommerce Wallet System With Cashback Rewards, Partial Payment, Wallet Refunds	woo-wallet
Widget Post Slider	widget-post-slider
WooCommerce Amazon Affiliates – WordPress Plugin	woozone
WooCommerce Shipping Label	shipping-labels-for-woo
WordPress Ad Widget	ad-widget
WordPress Backup & Migration	wp-migration-duplicator
WP ADA Compliance Check Basic – Most Comprehensive Web Accessibility Solution for WordPress	wp-ada-compliance-check-basic
WP Club Manager – WordPress Sports Club Plugin	wp-club-manager
WP Datepicker	wp-datepicker
WP Fusion Lite – Marketing Automation and CRM Integration for WordPress	wp-fusion-lite
WP GoToWebinar	wp-gotowebinar
WP LinkedIn Auto Publish	wp-linkedin-auto-publish
WP Masquerade	wp-masquerade
WP Media Category Management	wp-media-category-management
WP Page Post Widget Clone	wp-page-post-widget-clone
WP SMTP	wp-smtp
WP STAGING Pro WordPress Backup Plugin	wp-staging-pro
WP STAGING WordPress Backup Plugin – Migration Backup Restore	wp-staging
WP Time Slots Booking Form	wp-time-slots-booking-form
WP Travel Engine – Best Travel Booking WordPress Plugin	wp-travel-engine
WP ULike – Most Advanced WordPress Marketing Toolkit	wp-ulike
WP-Lister Lite for eBay	wp-lister-for-ebay
WP-Members Membership Plugin	wp-members
WP-Recall – Registration, Profile, Commerce & More	wp-recall
WPC Composite Products for WooCommerce	wpc-composite-products
WPCal.io – Easy Meeting Scheduler	wpcal
WPPizza – A Restaurant Plugin	wppizza
WPZOOM Addons for Elementor (Templates, Widgets)	wpzoom-elementor-addons
XforWooCommerce	xforwoocommerce
XStore Core	et-core-plugin
YITH WooCommerce Compare	yith-woocommerce-compare

WordPress Themes with Reported Vulnerabilities Last Week

Software Name	Software Slug
Accountra	accountra
Althea WP	althea-wp
Blocksy	blocksy
Brite	brite
Colibri WP	colibri-wp
ColorNews	colornews
Elevate WP	elevate-wp
Financio	financio
Hugo WP	hugo-wp
Intrace	intrace
Pathway	pathway
Photology	photology
Royal Elementor Kit	royal-elementor-kit
Startupzy	startupzy
Teluro	teluro
Travey	travey
uDesign – Responsive WordPress Theme	u-design
Vertice	vertice
Virtue	virtue
WP Portfolio	wp-portfolio
XStore	xstore
Zeever	zeever

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

ActiveDEMAND <= 0.2.41 – Unauthenticated Arbitrary File Upload

10.0

CVSS Rating
Critical (10.0)

CVE-ID
CVE-2024-32809

Patch Status
Patched

Published
Apr 22, 2024

Affected Software
ActiveDEMAND

Researcher