Wordfence Intelligence Weekly WordPress Vulnerability Report (July 8, 2024 to July 14, 2024)

Did you know Wordfence runs a Bug Bounty Program for all WordPress plugin and themes at no cost to vendors? Researchers can earn up to $10,400, for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we handle all the rest.

Last week, there were 225 vulnerabilities disclosed in 186 WordPress Plugins and 14 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 62 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 17,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status	Number of Vulnerabilities
Patched	93
Unpatched	132

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating	Number of Vulnerabilities
Low Severity	1
Medium Severity	173
High Severity	32
Critical Severity	19

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE	Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)	94
Missing Authorization	39
Cross-Site Request Forgery (CSRF)	29
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)	12
Information Exposure	11
Unrestricted Upload of File with Dangerous Type	8
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’)	6
Information Exposure Through Log Files	5
Server-Side Request Forgery (SSRF)	5
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)	4
Improper Privilege Management	3
Authentication Bypass Using an Alternate Path or Channel	2
Improper Control of Generation of Code (‘Code Injection’)	2
Authorization Bypass Through User-Controlled Key	1
Deserialization of Untrusted Data	1
File and Directory Information Exposure	1
Use of Hard-coded Credentials	1
Use of Less Trusted Source	1

Researchers That Contributed to WordPress Security Last Week

Researcher Name	Number of Vulnerabilities
stealthcopter	18
Lucio Sá	15
Joshua Chan	14
Dhabaleshwar Das	13
Majed Refaea	13
István Márton	12
Dave Jong	10
LVT-tholv2k	9
João Pedro Soares de Alcântara	7
Peng Zhou	7
Dimas Maulana	6
akas wisnu aji	6
Francesco Carlucci	6
Ananda Dhakal	5
João G. Barbosa (4rCanJ0x!)	4
Jean Tirstan T	4
Krzysztof Zając	4
shaman0x01	4
Khalid	4
Webbernaut	3
Ngô Thiên An (ancorn_)	3
Truoc Phan	3
Michael	3
Cronus	3
SouzaZinn	3
Rafie Muhammad	3
Foxyyy	2
Manab Jyoti Dowarah	2
Rafshanzani Suhada	2
Colin Xu	2
Tieu Pham Trong Nhan (aptx4869)	2
Peter Thaleikis	2
Benedictus Jovan (aillesiM)	2
Mika	2
Myungju Kim	2
younsoung kim	2
SeoHyeon Lee	2
SeoHee Kang	2
Phill Sav (Savphill)	2
beluga	2
Trinh Vu (Sonicrrrr)	1
filime	1
Emili Castells	1
Bob Matyas	1
Dikshita Trivedi (Cybersecdexter)	1
Dipak Panchal (th3.d1p4k)	1
Erwan LR	1
Le Ngoc Anh	1
Artem Polynko (Artem Polynko)	1
alfido osdie	1
thiennv	1
Nguyễn Trung Kiên	1
Project Black	1
LuxF0z	1
Thanh Nam Tran	1
zer0gh0st	1
wesley (wcraft)	1
Rayhan Ramdhany Hanaputra	1
Steven Julian	1
Edwin Siebel (edwinsiebel)	1
Vuln Seeker Cybersecurity Team	1
1337_Wannabe	1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name	Software Slug
Academy LMS – eLearning and online course solution for WordPress	academy
Admin Dashboard RSS Feed	admin-dashboard-rss-feed
AdPush	adsense-plugin
Advanced AJAX Page Loader	advanced-ajax-page-loader
Advanced File Manager Shortcodes	file-manager-advanced-shortcode
Advanced post slider	advanced-post-slider
Amazing Hover Effects	amazing-hover-effects
Animated Typed JS Shortcode	animated-typed-js-shortcode
Appmaker – Convert WooCommerce to Android & iOS Native Mobile Apps	appmaker-woocommerce-mobile-app-manager
Arkhe Blocks	arkhe-blocks
Attachment File Icons (AF Icons)	attachment-file-icons
Auto Featured Image (Auto Post Thumbnail)	auto-post-thumbnail
Barcode Scanner and Inventory manager. POS (Point of Sale) – scan barcodes & create orders with barcode reader.	barcode-scanner-lite-pos-to-manage-products-inventory-and-orders
BerqWP – Automated All-In-One PageSpeed Optimization Plugin for Core Web Vitals, Cache, CDN, Images, CSS, and JavaScript	searchpro
Blog, Posts and Category Filter for Elementor	blog-posts-and-category-for-elementor
Booking Ultra Pro Appointments Booking Calendar Plugin	booking-ultra-pro
Bradmax Player	bradmax-player
Branda – White Label WordPress, Custom Login Page Customizer	branda-white-labeling
Calendar.online / Kalender.digital – Plugin	kalender-digital
Caxton – Create Pro page layouts in Gutenberg	caxton
Change From Email	wp-from-email
Cliengo – Chatbot	cliengo
codoc	codoc
Coming Soon Page – Responsive Coming Soon & Maintenance Mode	responsive-coming-soon-page
Comment Images Reloaded	comment-images-reloaded
ConeBlog – Elementor Blog Widgets	coneblog-widgets
Contact Form 7 Summary and Print	cf7-summary-and-print
Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder	bit-form
Contact Form, Survey & Popup Form Plugin for WordPress – ARForms Form Builder	arforms-form-builder
Default Thumbnail Plus	default-thumbnail-plus
DirectoryPress – Business Directory And Classified Ad Listing	directorypress
Download Button for Elementor	download-button-for-elementor
Duplicator – Migration & Backup Plugin	duplicator
Dynamic Word Spinner: CSS3 Animated Rotation	css3-rotating-words
Easy Pixels	easy-pixels-by-jevnet
EazyDocs – Most Powerful Knowledge base, wiki, Documentation Builder Plugin	eazydocs
EleForms – All In One Form Integration including DB for Elementor	all-contact-form-integration-for-elementor
ElementInvader Addons for Elementor	elementinvader-addons-for-elementor
EmbedPress – Embed PDF, PDF 3D FlipBook, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor	embedpress
Event post	event-post
Event Tickets and Registration	event-tickets
EventON	eventon-lite
Events Calendar for Google	events-calendar-for-google
ExS Widgets	exs-widgets
Extensions for Elementor	extensions-for-elementor
FancyPost – Best Ultimate Post Block, Post Grid, Layouts, Carousel, Slider For Gutenberg & Elementor	post-block
Featured Image Generator	featured-image-generator
Feeds for YouTube (YouTube video, channel, and gallery plugin)	feeds-for-youtube
Form Vibes – Database Manager for Forms	form-vibes
FormFlow: WhatsApp & Social Form Builder for Leads	simple-form
FULL – Cliente	full-customer
Fusion Page Builder	fusion
GD Rating System	gd-rating-system
Generate PDF using Contact Form 7	generate-pdf-using-contact-form-7
Genesis Blocks	genesis-blocks
Get Use APIs – JSON Content Importer	json-content-importer
Goftino	goftino
Google Adsense & Banner Ads by AdsforWP	ads-for-wp
Gravity Forms: Multiple Form Instances	gravity-forms-multiple-form-instances
Gum Elementor Addon	gum-elementor-addon
Gutenberg Forms – WordPress Form Builder Plugin	forms-gutenberg
GutSlider – All in One Block Slider	slider-blocks
HitPay Payment Gateway for WooCommerce	hitpay-payment-gateway
Houzez CRM	houzez-crm
Houzez Theme – Functionality	houzez-theme-functionality
HT Mega – Absolute Addons For Elementor	ht-mega-for-elementor
Image Optimizer, Resizer and CDN – Sirv	sirv
Import Spreadsheets from Microsoft Excel	import-spreadsheets-from-microsoft-excel
InstaWP Connect – 1-click WP Staging & Migration	instawp-connect
Internal Link Juicer: SEO Auto Linker for WordPress	internal-links
iPanorama 360 – WordPress Virtual Tour Builder	ipanorama-360-virtual-tour-builder-lite
IQ Testimonials	iq-testimonials
Job Board Manager	job-board-manager
JSON API User	json-api-user
Just Custom Fields	just-custom-fields
Laposta	laposta
LearnDash LMS – Reports	wisdm-reports-for-learndash
Light Poll	light-poll
Link Library	link-library
Login by Auth0	auth0
Magical Addons For Elementor ( Header Footer Builder, Free Elementor Widgets, Elementor Templates Library )	magical-addons-for-elementor
Magical Posts Display – Elementor Advanced Posts widgets	magical-posts-display
MakeStories (for Google Web Stories)	makestories-helper
Master Addons – Free Widgets, Hover Effects, Toggle, Conditions, Animations for Elementor	master-addons
Master Popups	master-popups-lite
Matomo Analytics – Ethical Stats. Powerful Insights.	matomo
MBE eShip	mail-boxes-etc
Media Hygiene: Remove or Delete Unused Images and More!	media-hygiene
Meks Smart Author Widget	meks-smart-author-widget
Meks Video Importer	meks-video-importer
Metorik – Reports & Email Automation for WooCommerce	metorik-helper
Modern Events Calendar	modern-events-calendar
Modern Events Calendar Lite	modern-events-calendar-lite
Moloni	moloni
MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar	mp3-music-player-by-sonaar
MStore API – Create Native Android & iOS Apps On The Cloud	mstore-api
oik	oik
Olive One Click Demo Import	olive-one-click-demo-import
Openpos – WooCommerce Point Of Sale(POS)	woocommerce-openpos
OSM – OpenStreetMap	osm
Packlink PRO shipping module	packlink-pro-shipping
Panda Video	pandavideo
Payflex Payment Gateway	payflex-payment-gateway
PayPlus Payment Gateway	payplus-payment-gateway
Plugin Name: CodePen Embedded Pens Shortcode	codepen-embedded-pen-shortcode
Plugin Notes Plus	plugin-notes-plus
Plum: Spin Wheel & Email Pop-up	qodeblock
Post Layouts for Gutenberg	post-layouts
Power BI Embedded for WordPress	embed-power-bi
PowerPress Podcasting plugin by Blubrry	powerpress
Predictive Search for WooCommerce	woocommerce-predictive-search
Premium Addons for Elementor	premium-addons-for-elementor
Pricing Table	elfsight-pricing-table
Product Delivery Date for WooCommerce – Lite	product-delivery-date-for-woocommerce-lite
Product Designer	product-designer
Product Table by WBW	woo-product-tables
ProfileGrid – User Profiles, Groups and Communities	profilegrid-user-profiles-groups-and-communities
Qi Blocks	qi-blocks
Realtyna Organic IDX plugin + WPL Real Estate	real-estate-listing-realtyna-wpl
ReCaptcha Integration for WordPress	wp-recaptcha-integration
Recipe Cards For Your Food Blog from Zip Recipes	zip-recipes
ReDi Restaurant Reservation	redi-restaurant-reservation
Registration Forms – User Registration Forms, Invitation-Based Registrations, Front-end User Profile, Login Form & Content Restriction	pie-register
REVIEWS.io WooCommerce Plugin	reviewscouk-for-woocommerce
ScrollTo Bottom	scrollto-bottom
ScrollTo Top	scrollto-top
SCSS Happy Compiler – Compile SCSS to CSS & Automatic Enqueue	happy-scss-compiler
Search & Replace	search-and-replace
Send Users Email	send-users-email
Seraphinite Accelerator Pro	seraphinite-accelerator-ext
Seraphinite Post .DOCX Source	seraphinite-post-docx-source
Simple Alert Boxes	simple-alert-boxes
Simple Popup Plugin	simple-popup-plugin
Simple Post Notes	simple-post-notes
Simple Responsive Slider	simple-responsive-slider
SKT Addons for Elementor	skt-addons-for-elementor
SKT Skill Bar	skt-skill-bar
Sky Addons for Elementor (Free Templates Library, Live Copy, Animations, Post Grid, Post Carousel, Particles, Sliders, Chart, Blogs)	sky-elementor-addons
SlingBlocks – Gutenberg Blocks by FunnelKit (Formerly WooFunnels)	slingblocks
SmartCrawl WordPress SEO checker, SEO analyzer, SEO optimizer	smartcrawl-seo
Social Sharing Plugin – Kiwi	kiwi-social-share
Spiffy Calendar	spiffy-calendar
Squelch Tabs and Accordions Shortcodes	squelch-tabs-and-accordions-shortcodes
Tabs For WPBakery Page Builder (formerly Visual Composer)	tabs-for-visual-composer
Tagbox – UGC Galleries, Social Media Widgets, User Reviews & Analytics	taggbox-widget
Team Manager – WordPress Showcase Team Members	wp-team-manager
Team Members	team-members
Timeline Module for Beaver Builder	timeline-for-beaver-builder
Titan Anti-spam & Security	anti-spam
TOCHAT.BE	tochat-be
Tutor LMS – eLearning and online course solution	tutor
Typebot \| Create advanced chat experiences without coding	typebot
Ultimate Classified Listings	ultimate-classified-listings
UltraAddons – Elementor Addons (Header Footer Builder, Custom Font, Custom CSS,Woo Widget, Menu Builder, Anywhere Elementor Shortcode)	ultraaddons-elementor-lite
Uncanny Automator Pro	uncanny-automator-pro
Unlimited Elements For Elementor (Free Widgets, Addons, Templates)	unlimited-elements-for-elementor
User Activity Log Pro	user-activity-log-pro
User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds	userfeedback-lite
VK All in One Expansion Unit	vk-all-in-one-expansion-unit
Wallet for WooCommerce	woo-wallet
Wallet System for WooCommerce – Wallet, Digital Wallet, Cashback, Recharge User Wallets, Partial Payments, Wallet restriction, Refunds	wallet-system-for-woocommerce
WappPress – Create Mobile App for any WordPress site with our Mobile App Builder in just 1 minute	wapppress-builds-android-app-for-website
Webico Slider Flatsome Addons	webico-slider-flatsome-addons
Wholesale Suite – WooCommerce Wholesale Prices, B2B, Catalog Mode, Order Form, Wholesale User Roles, Dynamic Pricing & More	woocommerce-wholesale-prices
WooCommerce Report	ithemelandco-woo-report
WordPress Multisite Content Copier/Updater	wp-multisite-content-copier
WP Accessibility Helper (WAH)	wp-accessibility-helper
WP Announcement \| Dynamic Announcement, Banner, & Countdown Timer for Effective Promotions	sp-announcement
WP ERP \| Complete HR solution with recruitment & job listings \| WooCommerce CRM & Accounting	erp
WP Event Aggregator: Import Eventbrite events, Meetup events, social events and any iCal Events into WordPress	wp-event-aggregator
WP Fast Total Search – The Power of Indexed Search	fulltext-search
WP GoToWebinar	wp-gotowebinar
WP Links Page	wp-links-page
WP Photo Album Plus	wp-photo-album-plus
WP Popups – WordPress Popup builder	wp-popups-lite
WP Total Branding – Complete branding solution for WordPress	wp-total-branding
WP Travel Engine – Tour Booking Plugin – Tour Operator Software	wp-travel-engine
WP User Switch	wp-user-switch
WP2Speed Faster – Optimize PageSpeed Insights Score 90-100	wp2speed
WPBITS Addons For Elementor Page Builder	wpbits-addons-for-elementor
WPCS – WordPress Currency Switcher Professional	currency-switcher
XPlainer – WooCommerce Product FAQ [WooCommerce Accordion FAQ Plugin]	faq-for-woocommerce
YITH WooCommerce Ajax Product Filter	yith-woocommerce-ajax-navigation
Zephyr Project Manager	zephyr-project-manager
Zoho Campaigns	zoho-campaigns
Zoho CRM Lead Magnet	zoho-crm-forms

WordPress Themes with Reported Vulnerabilities Last Week

Software Name	Software Slug
BuddyBoss Theme	buddyboss-theme
Counterpoint	counterpoint
i-amaze	i-amaze
i-transform	i-transform
Noo JobMonster	noo-jobmonster
Oceanic	oceanic
OnePress	onepress
Patricia Blog	patricia-blog
Patricia Lite	patricia-lite
Point	point
Popularis Verse	popularis-verse
Responsive Mobile	responsive-mobile
SmartMag	smartmag-responsive-retina-wordpress-magazine
SociallyViral	sociallyviral

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

Woocommerce OpenPos <= 6.4.4 – Unauthenticated SQL Injection

10.0

CVSS Rating
Critical (10.0)

CVE-ID
CVE-2024-37933

Patch Status
Unpatched

Published
Jul 9, 2024

Affected Software
Openpos – WooCommerce Point Of Sale(POS)

Researcher