Wordfence Intelligence Weekly WordPress Vulnerability Report (April 29, 2024 to May 5, 2024)

Did you know we’re running a Bug Bounty Extravaganza again?

Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through May 27th, 2024 when you opt to have Wordfence handle responsible disclosure!

Last week, there were 159 vulnerabilities disclosed in 141 WordPress Plugins and 7 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 71 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 16,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

WAF-RULE-698 – Data redacted while we work with the vendor on a patch.
WAF-RULE-696 – Data redacted while we work with the vendor on a patch.
WAF-RULE-693 – Data redacted while we work with the vendor on a patch.

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status	Number of Vulnerabilities
Patched	92
Unpatched	67

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating	Number of Vulnerabilities
Medium Severity	142
High Severity	14
Critical Severity	3

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE	Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)	78
Missing Authorization	38
Cross-Site Request Forgery (CSRF)	8
Deserialization of Untrusted Data	5
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)	5
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)	4
Information Exposure	3
Improper Access Control	2
Improper Control of Generation of Code (‘Code Injection’)	2
Server-Side Request Forgery (SSRF)	2
URL Redirection to Untrusted Site (‘Open Redirect’)	2
Authorization Bypass Through User-Controlled Key	1
Exposure of System Data to an Unauthorized Control Sphere	1
External Control of Assumed-Immutable Web Parameter	1
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’)	1
Improper Input Validation	1
Information Exposure Through Log Files	1
Insecure Storage of Sensitive Information	1
Unrestricted Upload of File with Dangerous Type	1
Use of Insufficiently Random Values	1
Use of Less Trusted Source	1

Researchers That Contributed to WordPress Security Last Week

Researcher Name	Number of Vulnerabilities
Francesco Carlucci	16
stealthcopter	15
Krzysztof Zając	11
Ngô Thiên An (ancorn_)	10
Steven Julian	8
Benedictus Jovan (aillesiM)	8
Lucio Sá	8
Dhabaleshwar Das	7
wesley (wcraft)	7
Abdi Pranata	6
Dimas Maulana	5
Bob Matyas	5
Joshua Chan	4
Mika	4
Webbernaut	3
Khalid	3
Tim Coen	2
Cronus	2
Nathaniel Oh (0x4n3)	2
Manab Jyoti Dowarah	2
István Márton	2
Peng Zhou	2
LVT-tholv2k	2
Dmitrii Ignatyev	1
M.Awad	1
Etan Imanol Castro Aldrete	1
Eduardo Berlanga (seqode)	1
Joaquin Alvarez	1
Abraham de León (h4m1)	1
José Vazquez (AKA Retr0_1000101)	1
Samuel Gonzalez (Winsad)	1
j0r38	1
Manuel Manjarrez	1
Alex Delgado	1
Emiliano Perez	1
M41w4r3	1
Xeniel	1
Cr4zyD14m0nd	1
l1ttl3Bugc4t	1
Dr4c0t4	1
Bryan Velez	1
mrgh057	1
D4ZC	1
Deibyd	1
MindFall	1
PumaHat	1
Tr3ckR	1
xm4nd0	1
pCix	1
0xjar8	1
Majed Refaea	1
Van Lyubov	1
Peter Thaleikis	1
Ivan Spiridonov (xbz0n)	1
andrea bocchetti	1
Abu Hurayra	1
Asaf Mozes	1
Richard Telleng (stueotue)	1
Edwin Siebel (edwinsiebel)	1
Le Ngoc Anh	1
thiennv	1
Muhammad Daffa	1
Dikshita Trivedi (Cybersecdexter)	1
Dave Jong	1
mike harris	1
Ray Wilson	1
Dau Hoang Tai	1
Jean Tirstan T	1
Pavel Palii	1
Mike	1
1337_Wannabe	1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name	Software Slug
3D FlipBook – PDF Flipbook WordPress	interactive-3d-flipbook-powered-physics-engine
5280 Bootstrap Modal Contact Form	5280-bootstrap-modal-contact-form
AA Cash Calculator	aa-calculator
Academy LMS – eLearning and online course solution for WordPress	academy
ACF Front End Editor	acf-front-end-editor
ACF On-The-Go	acf-on-the-go
Admin Page Spider	admin-page-spider
AJAX Login and Registration modal popup + inline form	ajax-login-and-registration-modal-popup
All in One SEO – Best WordPress SEO Plugin – Easily Improve SEO Rankings & Increase Traffic	all-in-one-seo-pack
All-in-One Addons for Elementor – WidgetKit	widgetkit-for-elementor
All-in-One Video Gallery	all-in-one-video-gallery
Alt Text AI – Automatically generate image alt text for SEO and accessibility	alttext-ai
Analytify – Google Analytics Dashboard For WordPress (GA4 analytics made easy)	wp-analytify
AnnounceKit	announcekit
Anti-Spam: Spam Protection \| Block Spam Users, Comments, Forms	stop-spammer-registrations-plugin
Archives Calendar Widget	archives-calendar-widget
ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup	armember-membership
AWeber for WooCommerce	woocommerce-aweber-newsletter-subscription
Barcode Scanner and Inventory manager. POS (Point of Sale) – scan barcodes & create orders with barcode reader.	barcode-scanner-lite-pos-to-manage-products-inventory-and-orders
Booster Extension	booster-extension
Booster for WooCommerce	woocommerce-jetpack
Breakdance	breakdance
BuddyPress	buddypress
Button contact VR	button-contact-vr
Calendar	calendar
ChatBot Conversational Forms	conversational-forms
CodeBard’s Patron Button and Widgets for Patreon	patron-button-and-widgets-by-codebard
Contact Form by WPForms – Drag & Drop Form Builder for WordPress	wpforms-lite
ConvertPlug	convertplug
Cost Calculator Builder	cost-calculator-builder-pro
CPO Companion	cpo-companion
Custom WooCommerce Checkout Fields Editor	add-fields-to-checkout-page-woocommerce
Customer Email Verification for WooCommerce	emails-verification-for-woocommerce
Debug Log Manager	debug-log-manager
Democracy Poll	democracy-poll
Different Menu in Different Pages – Control Menu Visibility (All in One)	different-menus-in-different-pages
Directorist – WordPress Business Directory Plugin with Classified Ads Listings	directorist
Drag and Drop Multiple File Upload – Contact Form 7	drag-and-drop-multiple-file-upload-contact-form-7
EAN for WooCommerce	ean-for-woocommerce
Easy Restaurant Table Booking	easy-table-booking
Eleblog – Elementor Blog And Magazine Addons	ele-blog
Elementor Addon Elements	addon-elements-for-elementor-page-builder
Elementor ImageBox	fd-elementor-imagebox
Elementor Website Builder Pro	elementor-pro
ElementsKit Elementor addons and Templates Library	elementskit-lite
ElementsReady Addons for Elementor	element-ready-lite
Embed Google Fonts	embed-google-fonts
Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders	essential-addons-for-elementor-lite
Event Monster – Event Management, Tickets Booking, Upcoming Event	event-monster
EventON	eventon-lite
Exclusive Addons for Elementor	exclusive-addons-for-elementor
Fancy Elementor Flipbox	fancy-elementor-flipbox
Flattr	flattr
Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager	folders
Follow Us Badges	wpsite-follow-us-badges
Giphypress	giphypress
Google Doc Embedder	google-document-embedder
Google Typography	google-typography
Grid Gallery – Photo Image Grid Gallery	new-grid-gallery
Guest posting / Frontend Posting wordpress plugin – WP Front User Submit / Front Editor	front-editor
Gutenberg Blocks with AI by Kadence WP – Page Builder Features	kadence-blocks
GWP-Histats	gwp-histats
Import and export users and customers	import-users-from-csv-with-meta
Inline Google Spreadsheet Viewer	inline-google-spreadsheet-viewer
iPages Flipbook For WordPress	ipages-flipbook
iPanorama 360 – WordPress Virtual Tour Builder	ipanorama-360-virtual-tour-builder-lite
Jeg Elementor Kit	jeg-elementor-kit
JW Player for WordPress	jw-player-7-for-wp
LA-Studio Element Kit for Elementor	lastudio-element-kit
Last Viewed Posts by WPBeginner	last-viewed-posts
LeadConnector	leadconnector
Login Logout Register Menu	login-logout-register-menu
Login with phone number	login-with-phone-number
MailerLite – Signup forms (official)	official-mailerlite-sign-up-forms
Master Addons – Free Widgets, Hover Effects, Toggle, Conditions, Animations for Elementor	master-addons
Masteriyo LMS – eLearning and Online Course Builder for WordPress	learning-management-system
MasterStudy LMS WordPress Plugin – for Online Courses and Education	masterstudy-lms-learning-management-system
MDTF – Meta Data and Taxonomies Filter	wp-meta-data-filter-and-taxonomy-filter
Media Cleaner: Clean your WordPress!	media-cleaner
Mhr Post Ticker	mhr-post-ticker
Min and Max Purchase for WooCommerce	min-and-max-purchase-for-woocommerce
Mini Loops	mini-loops
Mooberry Book Manager	mooberry-book-manager
PB MailCrypt – AntiSpam Email Encryption	pb-mailcrypt-antispam-email-encryption
Perfect Pullquotes	perfect-pullquotes
Pet Manager	pet-manager
Photo Gallery – Responsive Photo Gallery, Image Gallery, Portfolio Gallery, Logo Gallery And Team Gallery	new-photo-gallery
Photo Gallery, Images, Slider in Rbs Image Gallery	robo-gallery
Popup Box – Best WordPress Popup Plugin	ays-popup-box
Post Grid Master – Custom Post Types, Taxonomies & Ajax Filter Everything with Infinite Scroll, Load More, Pagination & Shortcode Builder	ajax-filter-posts
Premium Addons for Elementor	premium-addons-for-elementor
Print Labels with Barcodes. Create price tags, product labels, order labels for WooCommerce	a4-barcode-generator
Print My Blog – Print, PDF, & eBook Converter WordPress Plugin	print-my-blog
Print-O-Matic	print-o-matic
Progressive WordPress (PWA)	progressive-wp
PropertyHive	propertyhive
Rank Math SEO with AI Best SEO Tools	seo-by-rank-math
Realtyna Organic IDX plugin + WPL Real Estate	real-estate-listing-realtyna-wpl
RegistrationMagic – User Registration Plugin with Custom Registration Forms	custom-registration-form-builder-with-submission-manager
ReviewX – Multi-criteria Rating & Reviews for WooCommerce	reviewx
RomethemeKit For Elementor	rometheme-for-elementor
rtMedia for WordPress, BuddyPress and bbPress	buddypress-media
Sailthru Triggermail	sailthru-triggermail
SEOPress – On-site SEO	wp-seopress
Share This Image	share-this-image
ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor)	woolentor-addons
Simple Basic Contact Form	simple-basic-contact-form
Simple Image Popup	simple-image-popup
Simple Membership	simple-membership
SimpleShop	simpleshop-cz
Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates)	sina-extension-for-elementor
Slider Revolution	revslider
Sliding Widgets	sliding-widgets
Social Share Icons & Social Share Buttons	ultimate-social-media-plus
SP Project & Document Manager	sp-client-document-manager
Subway – Private Site Option	subway
Supreme Modules Lite – Divi Theme, Extra Theme and Divi Builder	supreme-modules-for-divi
SVS Pricing Tables	svs-pricing-tables
Swift Framework	swift-framework
Sydney Toolbox	sydney-toolbox
Tabellen von faustball.com	docollipics-faustball-de
Table Plugin for WordPress with Google Sheets Integration – Sheets to WP Table Live Sync	sheets-to-wp-table-live-sync
Testimonial Slider	testimonial-slider
The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid	the-post-grid
The School Management Pro	school-management-pro
TweetScroll Widget	tweetscroll-widget
Ultimate Under Construction	ultimate-under-construction
Video Gallery – Api Gallery, YouTube and Vimeo, Link Gallery	new-video-gallery
Web Push Notifications – Webpushr	webpushr-web-push-notifications
Where Did You Hear About Us Checkout Field for WooCommerce	wc-customer-source
Woo Total Sales	woo-total-sales
WordPress Flipbook by Supsystic	digital-publications-by-supsystic
WordPress Header Builder Plugin – Pearl	pearl-header-builder
WP ERP \| Complete HR solution with recruitment & job listings \| WooCommerce CRM & Accounting	erp
WP Recipe Maker	wp-recipe-maker
WP Shortcodes Plugin — Shortcodes Ultimate	shortcodes-ultimate
WP Video Lightbox	wp-video-lightbox
WPify Woo Czech	wpify-woo
WTI Like Post	wti-like-post
Xserver Migrator	xserver-migrator
ZD YouTube FLV Player	zd-youtube-flv-player

WordPress Themes with Reported Vulnerabilities Last Week

Software Name	Software Slug
Adventure Journal	adventure-journal
Blocksy	blocksy
Edge	edge
Freesia Empire	freesia-empire
Pliska	pliska
Restaurant and Cafe	restaurant-and-cafe
Unique	unique

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

Last Viewed Posts by WPBeginner <= 1.0.0 – Unauthenticated PHP Object Injection

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-3070

Patch Status
Patched

Published
May 2, 2024

Affected Software
Last Viewed Posts by WPBeginner

Researcher