Wordfence Intelligence Weekly WordPress Vulnerability Report (October 21, 2024 to October 27, 2024)

Calling all superheroes and haunters! Introducing the Cybersecurity Month Spooktacular Haunt and the WordPress Superhero Challenge for the Wordfence Bug Bounty Program! Through November 11th, 2024:

All in-scope vulnerability types for WordPress plugins/themes with >= 1,000 active installations are in-scope for ALL researchers
Top-tier researchers earn automatic bonuses of between 10% to 120% for valid submissions
Pending report limits are increased for all
It’s possible to earn up to $31,200 for high impact vulnerabilities!

Last week, there were 234 vulnerabilities disclosed in 206 WordPress Plugins and 6 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 56 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 19,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

WAF-RULE-757 – Data redacted while we work with the vendor on a patch.
WAF-RULE-758 – Data redacted while we work with the vendor on a patch.

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status	Number of Vulnerabilities
Patched	133
Unpatched	101

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating	Number of Vulnerabilities
Medium Severity	165
High Severity	35
Critical Severity	34

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE	Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)	116
Missing Authorization	37
Unrestricted Upload of File with Dangerous Type	18
Authentication Bypass Using an Alternate Path or Channel	13
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’)	9
Cross-Site Request Forgery (CSRF)	8
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)	7
Exposure of Sensitive Information to an Unauthorized Actor	6
Improper Control of Generation of Code (‘Code Injection’)	5
Deserialization of Untrusted Data	3
Improper Authentication	2
Improper Authorization	2
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)	2
URL Redirection to Untrusted Site (‘Open Redirect’)	2
Authorization Bypass Through User-Controlled Key	1
Improper Restriction of XML External Entity Reference	1
Incorrect Privilege Assignment	1
Weak Password Recovery Mechanism for Forgotten Password	1

Researchers That Contributed to WordPress Security Last Week

Researcher Name	Number of Vulnerabilities
João Pedro Soares de Alcântara	25
Mika	23
stealthcopter	22
István Márton	22
SOPROBRO	13
Francesco Carlucci	10
wesley (wcraft)	8
Trương Hữu Phúc (truonghuuphuc)	8
Peter Thaleikis	7
Rafie Muhammad	7
theviper17y	5
tahu.datar	5
UKO	5
vgo0	5
Hakiduck	5
ardias	4
Le Ngoc Anh	4
ghsinfosec	4
zer0gh0st	3
Bonds	3
Webbernaut	3
LVT-tholv2k	3
David Gallagher (BatFeats)	2
Michael	2
Ankit Patel	2
Joshua Chan	2
Gab	2
Robert DeVore	2
Aitor F (kr0no)	1
incognito	1
Hazem Brini	1
Sc1duck	1
akas wisnu aji	1
Dominik Dziura (Domons)	1
C_T_R_L	1
Tieu Pham Trong Nhan	1
paulmockford	1
Noah Stead (TurtleBurg)	1
Krzysztof Zając	1
Ivan Kuzymchak	1
Dimas Maulana	1
Ananda Dhakal	1
Jonas Benjamin Friedli	1
Marek Mikita	1
Thanayut Maktheppongt	1
Sean Murphy	1
Fariq Fadillah Gusti Insani (fariqfgi)	1
villu164	1
theop	1
Ryan Kozak	1
Brian Sans-Souci (liardom)	1
sav4n	1
Phill Sav (Savphill)	1
Felipe Alcantara	1
Hwang Se-yeon	1
Nishiv	1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name	Software Slug
1-Click Login: Passwordless Authentication	swoop-password-free-authentication
10Web Social Post Feed	wd-facebook-feed
3D Work In Progress	renee-work-in-progress
Accept Stripe Donation and Payments – AidWP	wp-stripe-donation
ACL Floating Cart for WooCommerce	acl-floating-cart-for-woocommerce
Acnoo Flutter API	acnoo-flutter-api
aDirectory – Directory Listing WordPress Plugin	adirectory
Ads.txt & App-ads.txt Manager for WordPress	app-ads-txt
Advanced Online Ordering and Delivery Platform	advanced-online-ordering-and-delivery-platform
Advanced Sermons	advanced-sermons
Affiliate Platform	smdp-affiliate-platform
AffiliateX – Affiliate Blocks for WordPress, Amazon, eBay, AliExpress Affiliates	affiliatex
Agile Video Player Lite	agile-video-player
AI Image Generator for Your Content & Featured Images – AI Postpix	ai-postpix
Ajar in5 Embed	ajar-productions-in5-embed
All-in-One WP Migration and Backup	all-in-one-wp-migration
Amilia Store	amilia-store
AMP for WP – Accelerated Mobile Pages	accelerated-mobile-pages
Anchor Episodes Index (Spotify for Podcasters)	anchor-episodes-index
App Builder – Create Native Android & iOS Apps On The Flight	app-builder
AR For WordPress	ar-for-wordpress
Astra Widgets	astra-widgets
Auto Login using a secure tokenized url. Role wise login restriction.	token-login
Automatic Translation	automatic-translation
Awesome buttons	wp-awesome-buttons
Backup and Staging by WP Time Capsule	wp-time-capsule
Bamazoo – Button Generator	bamazoo-button-generator
Banner Slider	banner-slider
Beaver Builder – WordPress Page Builder	beaver-builder-lite-version
Beek Widget Extention	beek-widget-extention
Bet WC 2018 Russia	bet-wc-2018-russia
Bold Page Builder	bold-page-builder
Booking Plugin for Your WordPress Appointments – Time Slot	timeslot
BP Member Type Manager	bp-member-type-manager
Breeze – WordPress Cache Plugin	breeze
Bstone Demo Importer	bstone-demo-importer
BuddyPress	buddypress
BuddyPress Greeting Message	bp-greeting-message
Call / Contact Button	button-contact-vr
Campus Explorer Widget	campus-explorer-widget
Category and Taxonomy Image	wp-custom-taxonomy-image
Category and Taxonomy Meta Fields	wp-custom-taxonomy-meta
chatplusjp	chatplusjp
Church Admin	church-admin
Clever Addons for Elementor	cafe-lite
Client Power Tools Portal	client-power-tools
Code Generate	code-generator
CodePen Embedded Pens Shortcode	codepen-embedded-pen-shortcode
Comments – wpDiscuz	wpdiscuz
Compact WP Audio Player	compact-wp-audio-player
Conditional Fields for Contact Form 7	cf7-conditional-fields
Contact Form 7 + Telegram	cf7-telegram
Contact Form 7 – Repeatable Fields	cf7-repeatable-fields
Coub	coub
Cozy Blocks – Page Builder for Gutenberg & Site Editor, Post Blocks, WooCommerce Blocks, Magazine Blocks, WordPress Gutenberg Blocks, Patterns and Templates Library	cozy-addons
Custom Icons for Elementor	custom-icons-for-elementor
Custom Twitter Feeds – A Tweets Widget or X Feed Widget	custom-twitter-feeds
CWD 3D Image Gallery	cwd-3d-image-gallery
DarkMySite – Advanced Dark Mode Plugin for WordPress	darkmysite
Dear Flipbook – PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer	3d-flipbook-dflip-lite
DocumentPress	documentpress-display-any-document-on-your-site
Download Monitor	download-monitor
Download Plugin	download-plugin
Editor Custom Color Palette	editor-custom-color-palette
Editorial Assistant by Sovrn	zemanta
EKC Tournament Manager	ekc-tournament-manager
ElementsKit Elementor addons	elementskit-lite
EmbedPress – Embed PDF, 3D Flipbook, Social Feeds, Google Docs, Vimeo, Wistia, YouTube Videos, Audios, Google Maps in Gutenberg Block & Elementor	embedpress
Envo’s Elementor Templates & Widgets for WooCommerce	envo-elementor-for-woocommerce
Event Manager and Tickets Selling Plugin for WooCommerce – WpEvently – WordPress Plugin	mage-eventpress
EventPrime – Events Calendar, Bookings and Tickets	eventprime-event-calendar-management
Exam Matrix	exam-matrix
Extensions by HocWP Team	sb-core
Extra Privacy for Elementor	extra-privacy-for-elementor
Extra Product Options Builder for WooCommerce	additional-product-fields-for-woocommerce
File Upload Types by WPForms	file-upload-types
Firelight Lightbox	easy-fancybox
FormFacade – WordPress plugin for Google Forms	formfacade
Forminator Forms – Contact Form, Payment Form & Custom Form Builder	forminator
Forms for Mailchimp by Optin Cat – Grow Your MailChimp List	mailchimp-wp
Futurio Extra	futurio-extra
GeoDirectory – WP Business Directory Plugin and Classified Listings Directory	geodirectory
Google Docs RSVP, WordPress Plugin	google-docs-rsvp-guestlist
Great Restaurant Menu WP	best-restaurant-menu-by-pricelisto
Greenshift – animation and page builder blocks	greenshift-animation-and-page-builder-blocks
GRÜN spendino Spendenformular – Mehr Spenden! Weniger Arbeit!	spendino
HD Quiz – Save Results Light	hd-quiz-save-results-light
HurryTimer – An Scarcity and Urgency Countdown Timer for WordPress & WooCommerce	hurrytimer
ID-SK Toolkit	idsk-toolkit
Image Map Pro – Drag-and-drop Builder for Interactive Images	image-map-pro
Import and export users and customers	import-users-from-csv-with-meta
INK Official	ink-official
Interactive World Map	interactive-world-map
Kata Plus – Addons for Elementor – Widgets, Extensions and Templates	kata-plus
Kodex Posts likes	kodex-posts-likes
Landing Page Cat – Coming Soon Page, Maintenance Page & Squeeze Pages	landing-page-cat
LaTeX2HTML	latex2html
League of Legends Shortcodes	league-of-legends-shortcodes
leenk.me	leenkme
Local Business Addons For Elementor (Formally Waze Map)	map-addons-for-elementor-waze-map
MaanStore API	maanstore-api
Magazine Blocks – Blog Designer, Magazine & Newspaper Website Builder, Page Builder with Posts Blocks, Post Grid	magazine-blocks
Mapster WP Maps	mapster-wp-maps
Marketing Automation by AZEXO	marketing-automation-by-azexo
MDTF – Meta Data and Taxonomies Filter	wp-meta-data-filter-and-taxonomy-filter
Meetup	meetup
Mega Elements – Addons for Elementor	mega-elements-addons-for-elementor
Monitor.chat – Monitor WordPress with Instant Messages	monitor-chat
Monkee-Boy Essentials	monkee-boy-wp-essentials
Multi Purpose Mail Form	multi-purpose-mail-form
Multi Step Form	multi-step-form
MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution	dc-woocommerce-multi-vendor
My Wp Brand – Hide menu & Hide Plugin	my-wp-brand
myCred Elementor	mycred-for-elementor
Namaste! LMS	namaste-lms
News Kit Elementor Addons	news-kit-elementor-addons
Nexter Blocks – WordPress Gutenberg Blocks & 1000+ Starter Templates	the-plus-addons-for-block-editor
Order Notification for Telegram	order-notification-for-telegram
PDF Generator Addon for Elementor Page Builder	pdf-generator-addon-for-elementor-page-builder
PDF Invoices & Packing Slips for WooCommerce	woocommerce-pdf-invoices-packing-slips
PegaPoll	pegapoll
Photo Gallery, Images, Slider in Rbs Image Gallery	robo-gallery
Plugin Name: iBryl Switch User	ibryl-switch-user
Plugin Propagator	wp-propagator
Poll Maker – Versus Polls, Anonymous Polls, Image Polls	poll-maker
Portfolleo	portfolleo
Post Grid and Gutenberg Blocks	post-grid
Post Grid Gutenberg Blocks and WordPress Blog Plugin – PostX	ultimate-post
Premium SEO Pack – WP SEO Plugin	premium-seo-pack
PriPre	pripre
Product Filter by WBW	woo-product-filter
ProfilePress Pro	profilepress-pro
Qi Addons For Elementor	qi-addons-for-elementor
Qi Blocks	qi-blocks
Qode Essential Addons	qode-essential-addons
Raptor Editor	wp-raptor
Realty Workstation	realty-workstation
Risk Warning Bar	risk-warning-bar
Rover IDX	rover-idx
Royal Elementor Addons and Templates	royal-elementor-addons
RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging	wp-rss-aggregator
RSVP ME	rsvp-me
Schema & Structured Data for WP & AMP	schema-and-structured-data-for-wp
School Management System – WPSchoolPress	wpschoolpress
Scrollbar by webxapp – Best vertical/horizontal scrollbars plugin	scrollbar-by-webxapp
Selection Lite	selection-lite
SEOPress – On-site SEO	wp-seopress
Shoutcast Icecast HTML5 Radio Player	shoutcast-icecast-html5-radio-player
Signup Page	signup-page
Simple Custom Admin	simple-custom-admin
Simple Load More	simple-load-more
Simple Membership	simple-membership
Simple News	simple-news
Sky Addons for Elementor (Free Templates Library, Live Copy, Animations, Post Grid, Post Carousel, Particles, Sliders, Chart, Blogs)	sky-elementor-addons
Stacks Mobile App Builder – The most powerful Mobile Applications Drag and Drop builder	stacks-mobile-app-builder
Sudan Payment Gateway for WooCommerce	wc-sudan-payment-gateway
Sunshine Photo Cart: Free Client Photo Galleries for Photographers	sunshine-photo-cart
Survey Maker	survey-maker
SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity	surveyjs
SVG Captcha	svg-captcha
Templately – Elementor & Gutenberg Template Library: 5000+ Free & Pro Ready Templates & Cloud!	templately
TeploBot – Telegram Bot for WP	green-wp-telegram-bot-by-teplitsa
Terms descriptions	terms-descriptions
Textboxes	textboxes
The Pack Elementor addons (Header Footer & WooCommerce Builder, Template Library)	the-pack-addon
Themes4WP YouTube External Subtitles	themes4wp-youtube-external-subtitles
Tida URL Screenshot	tida-url-screenshot
Todo Custom Field	todo-custom-field
Transients Manager	transients-manager
Trip Plan	tripplan
uCAT – Next Story	ucat-next-story
Uix Shortcodes – Compatible with Gutenberg	uix-shortcodes
User Toolkit	user-toolkit
Verbalize WP	verbalize-wp
WatchTowerHQ	watchtowerhq
Web Bricks Addons for Elementor: Elite-Designed Elementor & eCommerce Widgets	webbricks-addons
Whitelist	fifthsegment-whitelist
WooCommerce Bulk Edit Products, Orders, Coupons, Any WordPress Post Type (Advanced) – Smart Manager	smart-manager-for-wp-e-commerce
Woocommerce Custom Profile Picture	woo-custom-profile-picture
WooCommerce Maintenance Mode (Free)	woocommerce-maintenance-mode
WooCommerce Order Proposal	wooCommerce-order-proposal
Woocommerce Product Design	woo-product-design
Woocommerce Quote Calculator	woo-quote-calculator-order
WooCommerce UPS Shipping – Live Rates and Access Points	flexible-shipping-ups
WordPress eCommerce – ScottCart	scottcart
WordPress Post Grid Layouts with Pagination – Sogrid	sogrid
WP Abstracts	wp-abstracts-manuscripts-manager
WP Adminify – Custom WordPress Dashboard, Login and Admin Customizer	adminify
WP Awesome Login	wp-awesome-login
WP Booking System – Booking Calendar	wp-booking-system
WP Crowdfunding	wp-crowdfunding
WP ERP \| Complete HR solution with recruitment & job listings \| WooCommerce CRM & Accounting	erp
WP Flow Plus	wp-imageflow2
WP Query Console	wp-query-console
WP Recipe Maker	wp-recipe-maker
WP Sessions Time Monitoring Full Automatic	activitytime
WP Shortcodes Plugin — Shortcodes Ultimate	shortcodes-ultimate
WP show more	wp-show-more
Wp Social Login and Register Social Counter	wp-social
WP VR – 360 Panorama and Virtual Tour Builder For WordPress	wpvr
WP-Members Membership Plugin	wp-members
WPC Shop as a Customer for WooCommerce	wpc-shop-as-customer
WPKoi Templates for Elementor	wpkoi-templates-for-elementor
WPS Telegram Chat	wps-telegram-chat
Wux Blog Editor	wux-blog-editor
YITH WooCommerce Product Add-Ons	yith-woocommerce-product-add-ons

WordPress Themes with Reported Vulnerabilities Last Week

Software Name	Software Slug
Clean Retina	clean-retina
Js Paper	js-paper
Mags	mags
Meta News	meta-news
NewsCard	newscard
Nioland – SaaS & Software Startup Tech WordPress Theme	nioland

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

1-Click Login: Passwordless Authentication 1.4.5 – Authentication Bypass via Account Takeover

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-50478

Patch Status
Unpatched

Published
Oct 25, 2024

Affected Software
1-Click Login: Passwordless Authentication

Researcher