Wordfence Intelligence Weekly WordPress Vulnerability Report (July 1, 2024 to July 7, 2024)

Did you know Wordfence runs a Bug Bounty Program for all WordPress plugin and themes at no cost to vendors? Researchers can earn up to $10,400, for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we handle all the rest. For a limited time, all high risk issues are in-scope for all researchers!

Last week, there were 121 vulnerabilities disclosed in 91 WordPress Plugins and 18 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 40 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 17,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status	Number of Vulnerabilities
Patched	97
Unpatched	24

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating	Number of Vulnerabilities
Low Severity	2
Medium Severity	97
High Severity	18
Critical Severity	4

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE	Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)	58
Missing Authorization	23
Cross-Site Request Forgery (CSRF)	16
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’)	8
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)	3
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)	3
Unrestricted Upload of File with Dangerous Type	3
Information Exposure	2
Deserialization of Untrusted Data	1
Improper Privilege Management	1
Incorrect Privilege Assignment	1
Uncontrolled Resource Consumption (‘Resource Exhaustion’)	1
Unprotected Alternate Channel	1

Researchers That Contributed to WordPress Security Last Week

Researcher Name	Number of Vulnerabilities
Dhabaleshwar Das	15
Rafie Muhammad	14
João Pedro Soares de Alcântara	11
wesley (wcraft)	9
LVT-tholv2k	7
Webbernaut	4
shaman0x01	4
Joshua Chan	4
Manab Jyoti Dowarah	4
Cronus	4
Sharanabasappa	4
stealthcopter	3
Le Ngoc Anh	3
Peng Zhou	3
akas wisnu aji	2
István Márton	2
Myungju Kim	2
younsoung kim	2
SeoHyeon Lee	2
SeoHee Kang	2
Ananda Dhakal	2
Dave Jong	2
Dimas Maulana	2
Francesco Carlucci	2
Lucio Sá	2
Ngô Thiên An (ancorn_)	2
Guido Iván García	1
filime	1
Benedictus Jovan (aillesiM)	1
Masamichi Aoki	1
Muhammad Umer Adeem (Yldrm)	1
Vuln Seeker Cybersecurity Team	1
Mahesh Nagabhairava	1
Krzysztof Zając	1
Trương Hữu Phúc (truonghuuphuc)	1
Majed Refaea	1
Michael	1
Bassem Essam	1
João G. Barbosa (4rCanJ0x!)	1
piro	1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name	Software Slug
Advanced Classifieds & Directory Pro	advanced-classifieds-and-directory-pro
AI Power: Complete AI Pack – Powered by GPT-4	gpt3-ai-content-generator
Apollo13 Framework Extensions	apollo13-framework-extensions
AWSM Team – Team Showcase Plugin	awsm-team
bbPress Notify (No-Spam)	bbpress-notify-nospam
Beaver Builder Addons by WPZOOM	wpzoom-addons-for-beaver-builder
Beaver Builder – WordPress Page Builder	beaver-builder-lite-version
CC & BCC for Woocommerce Order Emails	cc-bcc-for-woocommerce-order-emails
Church Admin	church-admin
Comment Reply Email	comment-reply-email
CopySafe Web Protection	wp-copysafe-web
Cost Calculator Builder	cost-calculator-builder
Create by Mediavine	mediavine-create
CRM Perks Forms – WordPress Form Builder	crm-perks-forms
Donation Forms by Charitable – Donations Plugin & Fundraising Platform for WordPress	charitable
Easy Custom Code (LESS/CSS/JS) – Live editing	easy-custom-code
Easy Google Maps	google-maps-easy
Elementor Addons by Livemesh	addons-for-elementor
Elementor Header & Footer Builder	header-footer-elementor
Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce	email-subscribers
Event Manager, Events Calendar, Tickets, Registrations – Eventin	wp-event-solution
Featured Image from URL (FIFU)	featured-image-from-url
FileBird Document Library	filebird-document-library
Floating Social Media Links	floating-social-media-links
Get Better Reviews for WooCommerce	more-better-reviews-for-woocommerce
HelloAsso	helloasso
IdeaPush	ideapush
IMGspider – 图片采集抓取插件	imgspider
JetThemeCore for Elementor	jet-theme-core
LA-Studio Element Kit for Elementor	lastudio-element-kit
Leaky Paywall	leaky-paywall
LearnPress – WordPress LMS Plugin	learnpress
Link To Bible	link-to-bible
Login Logo Editor	login-logo-editor-by-oizuled
MakeCommerce for WooCommerce	makecommerce
Media Library Assistant	media-library-assistant
Mega Elements – Addons for Elementor	mega-elements-addons-for-elementor
Meks Easy Ads Widget	meks-easy-ads-widget
Motors – Car Dealer, Classifieds & Listing	motors-car-dealership-classified-listings
Nested Pages	wp-nested-pages
Newspack Ads	newspack-ads
Newspack Campaigns	newspack-popups
Newspack Content Converter	newspack-content-converter
Newspack Newsletters	newspack-newsletters
NEX-Forms – Ultimate Form Builder – Contact forms and much more	nex-forms-express-wp-form-builder
Ninja Forms – The Contact Form Builder That Grows With You	ninja-forms
Ocean Extra	ocean-extra
One Click Order Re-Order	one-click-order-reorder
Online Booking & Scheduling Calendar for WordPress by vcita	meeting-scheduler-by-vcita
Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions	paid-memberships-pro
PayPlus Payment Gateway	payplus-payment-gateway
Post Meta Data Manager	post-meta-data-manager
Premium Addons for Elementor	premium-addons-for-elementor
Premium Blocks – Gutenberg Blocks for WordPress	premium-blocks-for-gutenberg
ProfileGrid – User Profiles, Groups and Communities	profilegrid-user-profiles-groups-and-communities
PZ Frontend Manager	pz-frontend-manager
Rife Elementor Extensions & Templates	rife-elementor-extensions
Save as PDF Plugin by Pdfcrowd	save-as-pdf-by-pdfcrowd
ShopBuilder – Elementor WooCommerce Builder Addons	shopbuilder
Simple Newsletter Plugin – Noptin	newsletter-optin-box
Simple Social Share	simple-social-share
Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates)	sina-extension-for-elementor
Snippet Shortcodes	shortcode-variables
Social Media Share Buttons & Social Sharing Icons	ultimate-social-media-icons
Spectra – WordPress Gutenberg Blocks	ultimate-addons-for-gutenberg
SuperSaaS – online appointment scheduling	supersaas-appointment-scheduling
Swift Performance Lite	swift-performance-lite
Tablesome – Responsive Table, Woocommerce Automation, Email Log, Form Automation – Contact Form 7, Elementor, WPForms, Forminator	tablesome
Template Kit – Export	template-kit-export
Testimonials Widget	testimonials-widget
The Events Calendar	the-events-calendar
The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce	the-plus-addons-for-elementor-page-builder
The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid	the-post-grid
Ultimate Addons for Elementor	ultimate-elementor
Ultimate Blocks – WordPress Blocks Plugin	ultimate-blocks
Ultimate Bootstrap Elements for Elementor	ultimate-bootstrap-elements-for-elementor
Ultimate WordPress Auction Plugin	ultimate-auction
Void Contact Form 7 Widget For Elementor Page Builder	cf7-widget-elementor
Woffice Core	woffice-core
WooCommerce – Social Login	woo-social-login
WordPress Notification Bar	wordpress-notification-bar
WP Cookie Law Info	wp-cookie-law-info
WP Directory Kit	wpdirectorykit
WP Lightbox 2	wp-lightbox-2
WP To Do	wp-todo
WPCafe – Online Food Ordering, Restaurant Menu, Delivery, and Reservations for WooCommerce	wp-cafe
WPFavicon	wpfavicon
WS Contact Form	ws-contact-form
XPlainer – WooCommerce Product FAQ [WooCommerce Accordion FAQ Plugin]	faq-for-woocommerce
Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress	youzify
Zephyr Project Manager	zephyr-project-manager

WordPress Themes with Reported Vulnerabilities Last Week

Software Name	Software Slug
Ashe	ashe
Bakes And Cakes	bakes-and-cakes
Bard	bard
Book Your Travel	bookyourtravel
Boot Store	boot-store
Business One Page	business-one-page
Construction Landing Page	construction-landing-page
Hestia	hestia
Highlight	highlight
Lawyer Landing Page	lawyer-landing-page
Metro Magazine	metro-magazine
Newsmatic	newsmatic
Posterity	posterity
Rara Business	rara-business
Rife Free	rife-free
Trendy News	trendy-news
Woffice CRM	woffice
zBench	zbench

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

Youzify <= 1.2.5 – Authenticated (Contributor+) SQL Injection

9.9

CVSS Rating
Critical (9.9)

CVE-ID
CVE-2024-37494

Patch Status
Patched

Published
Jul 4, 2024

Affected Software
Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress

Researcher

Wordfence Intelligence Weekly WordPress Vulnerability Report (July 1, 2024 to July 7, 2024)

New Firewall Rules Deployed Last Week

Total Unpatched & Patched Vulnerabilities Last Week

Total Vulnerabilities by CVSS Severity Last Week

Total Vulnerabilities by CWE Type Last Week

Researchers That Contributed to WordPress Security Last Week

WordPress Plugins with Reported Vulnerabilities Last Week

WordPress Themes with Reported Vulnerabilities Last Week

Vulnerability Details

More great articles

Wordfence Intelligence Weekly WordPress Vulnerability Report (August 21, 2023 to August 27, 2023)

Wordfence Intelligence Weekly WordPress Vulnerability Report (June 26, 2023 to July 2, 2023)

Zero-Day RCE in vBulletin v5.0.0-v5.5.4

Emergency WordPress Help