Wordfence Intelligence Weekly WordPress Vulnerability Report (September 30, 2024 to October 6, 2024)

Calling all superheroes and haunters! Introducing the Cybersecurity Month Spooktacular Haunt and the WordPress Superhero Challenge for the Wordfence Bug Bounty Program! Through November 11th, 2024:

All in-scope vulnerability types for WordPress plugins/themes with >= 1,000 active installations are in-scope for ALL researchers
Top-tier researchers earn automatic bonuses of between 10% to 120% for valid submissions
Pending report limits are increased for all
It’s possible to earn up to $31,200 for high impact vulnerabilities!

Last week, there were 161 vulnerabilities disclosed in 147 WordPress Plugins and 5 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 46 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 19,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status	Number of Vulnerabilities
Patched	122
Unpatched	39

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating	Number of Vulnerabilities
Medium Severity	141
High Severity	15
Critical Severity	5

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE	Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)	121
Missing Authorization	9
Deserialization of Untrusted Data	5
Cross-Site Request Forgery (CSRF)	4
Unrestricted Upload of File with Dangerous Type	4
URL Redirection to Untrusted Site (‘Open Redirect’)	4
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)	3
Authentication Bypass Using an Alternate Path or Channel	2
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’)	2
Improper Control of Generation of Code (‘Code Injection’)	2
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)	2
Improper Neutralization of Alternate XSS Syntax	1
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)	1
Improper Privilege Management	1

Researchers That Contributed to WordPress Security Last Week

Researcher Name	Number of Vulnerabilities
vgo0	22
Francesco Carlucci	21
João Pedro Soares de Alcântara	12
Le Ngoc Anh	8
Robert DeVore	6
Colin Xu	6
stealthcopter	5
ardias	5
SOPROBRO	4
Dimas Maulana	4
theviper17y	4
Rafie Muhammad	4
Peter Thaleikis	4
Webbernaut	3
TaiYou	3
Khalid Yusuf	3
Phill Sav (Savphill)	3
Michael	3
Leo	3
Bonds	3
István Márton	2
Krzysztof Zając	2
0tter	2
Hakiduck	2
Jack Taylor	2
Trương Hữu Phúc (truonghuuphuc)	2
Abdi Pranata	2
Tonn	2
zhenhua fan	1
Mika	1
Shebu B (sh3bu)	1
wesley (wcraft)	1
yudha	1
TANG Cheuk Hei (siunam)	1
tahu.datar	1
Ivan Kuzymchak	1
LVT-tholv2k	1
Truoc Phan	1
Thanh Nam Tran	1
Arkadiusz Hydzik	1
Ngô Thiên An (ancorn_)	1
Certus Cybersecurity	1
kslatz	1
Rein Daelman (trein)	1
Joshua Chan	1
Lucio Sá	1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name	Software Slug
123.chat – Video Chat	123-chat-videochat
Advanced Woo Labels – Product Labels for WooCommerce	advanced-woo-labels
Affiliate Program Suite — SliceWP Affiliates	slicewp
Aggregator Advanced Settings	aggregator-advanced-settings
Author Avatars List/Block	author-avatars
Auto Amazon Links – Amazon Associates Affiliate Plugin	amazon-auto-links
Auto Featured Image from Title	auto-featured-image-from-title
Automatically Hierarchic Categories in Menu	automatically-hierarchic-categories-in-menu
AVIF Uploader	avif-support
BA Book Everything	ba-book-everything
BerqWP – Automated All-In-One PageSpeed Optimization for Core Web Vitals, Cache, CDN, Images, CSS, and JavaScript	searchpro
Bit File Manager – 100% Free & Open Source File Manager and Code Editor for WordPress	file-manager
Blockspare: Gutenberg Blocks & Patterns for Blogs, Magazines, Business Sites – Post Grids, Sliders, Carousels, Counters, Page Builder & Starter Site Imports, No Coding Needed	blockspare
Bold Page Builder	bold-page-builder
Broken Link Checker	broken-link-checker
BSK Forms Blacklist	bsk-gravityforms-blacklist
CartBounty – Save and recover abandoned carts for WooCommerce	woo-save-abandoned-carts
Checkout Field Editor (Checkout Manager) for WooCommerce	woo-checkout-field-editor-pro
Clio Grow	clio-grow-form
Code Embed	simple-embed-code
Confetti Fall Animation	confetti-fall-animation
Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder	fluentform
Copyscape Premium	copyscape-premium
Cozy Blocks – Page Builder for Gutenberg & Site Editor, Post Blocks, WooCommerce Blocks, Magazine Blocks, WordPress Gutenberg Blocks, Patterns and Templates Library	cozy-addons
Custom Banners	custom-banners
Demo Importer Plus	demo-importer-plus
DethemeKit For Elementor	dethemekit-for-elementor
Display Medium Posts	display-medium-posts
DK PDF	dk-pdf
Easy Demo Importer – A Modern One-Click Demo Import Solution	easy-demo-importer
Easy Load More	easy-load-more
Easy WordPress Subscribe – Optin Hound	opt-in-hound
Echo RSS Feed Post Generator	rss-feed-post-generator-echo
Elastik Page Builder	elastik-page-builder
Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows)	bdthemes-element-pack-lite
ElementInvader Addons for Elementor	elementinvader-addons-for-elementor
Elementor Addon Elements	addon-elements-for-elementor-page-builder
ElementsReady Addons for Elementor	element-ready-lite
Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce	email-subscribers
Enter Addons – Ultimate Template Builder for Elementor	enteraddons
Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates	essential-blocks
EventPrime – Events Calendar, Bookings and Tickets	eventprime-event-calendar-management
FAQ / Accordion / Docs – Helpie WordPress FAQ Accordion plugin	helpie-faq
Fish and Ships – Most flexible shipping table rate. A WooCommerce shipping rate	fish-and-ships
Form plugin for WordPress – Zoho Forms	zoho-forms
Free Responsive Testimonials, Social Proof Reviews, and Customer Reviews – Stars Testimonials	stars-testimonials-with-slider-and-masonry-grid
Gallery Lightbox	gallery-lightbox-slider
Geo Mashup	geo-mashup
Gravity Forms Toolbar	gravity-forms-toolbar
Guten Post Layout – An Advanced Post Grid Collection for WordPress Gutenberg	guten-post-layout
Happy Addons for Elementor	happy-elementor-addons
Hash Form – Drag & Drop Form Builder	hash-form
Hello World	hello-world
Ibtana – WordPress Website Builder	ibtana-visual-editor
Iconize	iconize
Include Fussball.de Widgets	include-fussball-de-widgets
Jeg Elementor Kit	jeg-elementor-kit
JobSearch WP Job Board	wp-jobsearch
KB Support – WordPress Help Desk and Knowledge Base	kb-support
Keap Official Opt-in Forms	infusionsoft-official-opt-in-forms
LA-Studio Element Kit for Elementor	lastudio-element-kit
LH Copy Media File	lh-copy-media-file
LiteSpeed Cache	litespeed-cache
LocateAndFilter	locateandfilter
Loggedin – Limit Active Logins	loggedin
Login Logout Shortcode	login-logout-shortcode
Logo Carousel – Clients logo carousel for WP	responsive-client-logo-carousel-slider
Magazine Blocks – Blog Designer, Magazine & Newspaper Website Builder, Page Builder with Posts Blocks, Post Grid	magazine-blocks
MaxSlider	maxslider
MC4WP: Mailchimp Top Bar	mailchimp-top-bar
Memberful – Membership Plugin	memberful-wp
Move Addons for Elementor	move-addons
NEX-Forms – Ultimate Form Builder – Contact forms and much more	nex-forms-express-wp-form-builder
Online Booking & Scheduling Calendar for WordPress by vcita	meeting-scheduler-by-vcita
Page-list	page-list
Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction	paid-member-subscriptions
Payflex Payment Gateway	payflex-payment-gateway
PDF Image Generator	pdf-image-generator
Popularis Extra	popularis-extra
Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popups Builder	popup-maker
Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC)	buddyforms
Premium Blocks – Gutenberg Blocks for WordPress	premium-blocks-for-gutenberg
Product Delivery Date for WooCommerce – Lite	product-delivery-date-for-woocommerce-lite
PWA — easy way to Progressive Web App	iworks-pwa
QS Dark Mode Plugin	qs-dark-mode
Quantity Dynamic Pricing & Bulk Discounts for WooCommerce	wholesale-pricing-woocommerce
Quill Forms \| The Best Typeform Alternative \| Create Conversational Multi Step Form, Survey, Quiz, Cost Estimation or Donation Form on WordPress	quillforms
R Animated Icon Plugin	r-animated-icon
RabbitLoader – Website Speed Optimization for improving Core Web Vital metrics with Cache, Image Optimization, and more	rabbit-loader
Rank Math SEO – AI SEO Tools to Dominate SEO Rankings	seo-by-rank-math
Re:WP	rewp
Relogo	relogo
Robokassa payment gateway for Woocommerce	robokassa
RomethemeKit For Elementor	rometheme-for-elementor
RumbleTalk Live Group Chat – HTML5	rumbletalk-chat-a-chat-with-themes
Search Analytics for WP	search-analytics
Search Atlas SEO – Best SEO Plugin for One-Click WP Publishing & Integrated AI Optimization	metasync
SEOPress – On-site SEO	wp-seopress
ShiftController Employee Shift Scheduling	shiftcontroller
Shortcodes and extra features for Phlox theme	auxin-elements
Simple Membership After Login Redirection	simple-membership-after-login-redirection
Slider & Popup Builder by Depicter – Add Image Slider, Carousel Slider, Exit Intent Popup, Popup Modal, Coupon Popup, Post Slider Carousel	depicter
Slider Revolution	revslider
Slideshow Gallery LITE	slideshow-gallery
Smart Custom 404 Error Page	404page
Social Auto Poster	social-auto-poster
Social Web Suite – Social Media Auto Post, Social Media Auto Publish	social-web-suite
Soumettre.fr	soumettre-fr
Spice Starter Sites	spice-starter-sites
Store Exporter for WooCommerce – Export Products, Export Orders, Export Subscriptions, and More	woocommerce-exporter
Strong Testimonials	strong-testimonials
SVG Complete	svg-complete
The Pack Elementor addons (Header Footer & WooCommerce Builder, Template Library)	the-pack-addon
The Ultimate WordPress Toolkit – WP Extended	wpextended
Themify Builder	themify-builder
TinyPNG – JPEG, PNG & WebP image compression	tiny-compress-images
TNC PDF viewer	pdf-viewer-by-themencode
Top Bar – PopUps – by WPOptin	wpoptin
Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin	ultimate-member
Ultimate Store Kit Elementor Addons, Woocommerce Builder, EDD Builder, Elementor Store Builder, Product Grid, Product Table, Woocommerce Slider	ultimate-store-kit
Unlimited Elements For Elementor (Free Widgets, Addons, Templates)	unlimited-elements-for-elementor
VdoCipher: Secure Video Player and Hosting	vdocipher
Visual CSS Style Editor	yellow-pencil-visual-theme-customizer
Web Directory Free	web-directory-free
Wechat Social login 微信QQ钉钉登录插件	wechat-social-login
WordPress & WooCommerce Affiliate Program	wp-wc-affiliate-program
WordPress Captcha Plugin by Captcha Bank	captcha-bank
WordPress Infinite Scroll – Ajax Load More	ajax-load-more
WP Blocks Hub	wp-blocks-hub
WP Booking Calendar	booking
WP Bulk Delete	wp-bulk-delete
WP Cleanup and Basic Functions	wp-cleanup-and-basic-functions
WP Compress – Instant Performance & Speed Optimization	wp-compress-image-optimizer
WP Easy Gallery – WordPress Gallery Plugin	wp-easy-gallery
WP Hotel Booking	wp-hotel-booking
WP MyLinks	wp-mylinks
WP Travel Gutenberg Blocks	wp-travel-blocks
WP-Lister Lite for eBay	wp-lister-for-ebay
WP-WebAuthn	wp-webauthn
WPCOM Member	wpcom-member
WPMobile.App — Android and iOS Mobile Application	wpappninja
XLTab – Accordions and Tabs for Elementor Page Builder	xl-tab
XO Slider	xo-liteslider
YITH WooCommerce Ajax Search	yith-woocommerce-ajax-search
YITH WooCommerce Product Add-Ons	yith-woocommerce-product-add-ons
YML for Yandex Market	yml-for-yandex-market
Zotpress	zotpress

WordPress Themes with Reported Vulnerabilities Last Week

Software Name	Software Slug
Create	create
Empowerment	empowerment
Full Frame	full-frame
UltraPress	ultrapress
Unseen Blog	unseen-blog

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

Echo RSS Feed Post Generator <= 5.4.6 – Unauthenticated Privilege Escalation

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-9265

Patch Status
Patched

Published
Sep 30, 2024

Affected Software
Echo RSS Feed Post Generator

Researcher