Wordfence Intelligence Weekly WordPress Vulnerability Report (October 28, 2024 to November 3, 2024)

Calling all superheroes and haunters! Introducing the Cybersecurity Month Spooktacular Haunt and the WordPress Superhero Challenge for the Wordfence Bug Bounty Program! Through November 11th, 2024:

All in-scope vulnerability types for WordPress plugins/themes with >= 1,000 active installations are in-scope for ALL researchers
Top-tier researchers earn automatic bonuses of between 10% to 120% for valid submissions
Pending report limits are increased for all
It’s possible to earn up to $31,200 for high impact vulnerabilities!

Last week, there were 207 vulnerabilities disclosed in 200 WordPress Plugins and no WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 43 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 19,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

WAF-RULE-759 – Data redacted while we work with the vendor on a patch.

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status	Number of Vulnerabilities
Patched	71
Unpatched	136

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating	Number of Vulnerabilities
Medium Severity	188
High Severity	10
Critical Severity	9

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE	Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)	114
Cross-Site Request Forgery (CSRF)	40
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)	20
Unrestricted Upload of File with Dangerous Type	9
Missing Authorization	6
Exposure of Sensitive Information to an Unauthorized Actor	4
Authentication Bypass Using an Alternate Path or Channel	2
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’)	2
Improper Control of Generation of Code (‘Code Injection’)	2
Authorization Bypass Through User-Controlled Key	1
External Control of File Name or Path	1
Improper Access Control	1
Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)	1
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)	1
Insertion of Sensitive Information into Log File	1
Missing Authentication for Critical Function	1
Server-Side Request Forgery (SSRF)	1

Researchers That Contributed to WordPress Security Last Week

Researcher Name	Number of Vulnerabilities
SOPROBRO	74
Gab	21
LVT-tholv2k	14
stealthcopter	9
Francesco Carlucci	8
Peter Thaleikis	8
theviper17y	8
vgo0	6
Trương Hữu Phúc (truonghuuphuc)	4
Khalid Yusuf	4
zer0gh0st	4
João Pedro Soares de Alcântara	4
Joshua Chan	3
Michael	3
István Márton	3
Colin Xu	3
floerer	2
Arkadiusz Hydzik	2
Jonas Höbenreich	2
Dmitry Derr	2
Thies Lukas	2
Zlrqh	2
Ankit Patel	2
C_T_R_L	1
Lesor101	1
ghsinfosec	1
Dmitrii Ignatyev	1
stehled	1
Bob Matyas	1
Marek Mikita	1
Rafie Muhammad	1
Roby Firnando Yusuf	1
Rafshanzani Suhada	1
Ananda Dhakal	1
thiennv	1
ardias	1
Certus Cybersecurity	1
Felipe Caon	1
Webbernaut	1
casol	1
João G. Barbosa (4rCanJ0x!)	1
TANG Cheuk Hei (siunam)	1
Vijaysimha Reddy (vijaysimha)	1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name	Software Slug
(dp) AddThis	dp-addthis
3D Presentation	3d-presentation
Aajoda Testimonials	aajoda-testimonials
Accordion title for Elementor	accordion-title-for-elementor
Addressbook	addressbook
Admin SMS Alert	admin-sms-alert
Administrator Z	administrator-z
Advanced Control Manager for WordPress by ItalyStrap	advanced-control-manager
Advanced PDF Generator	advanced-pdf-generator
affiliate-toolkit	affiliate-toolkit-starter
AI Power: Complete AI Pack	gpt3-ai-content-generator
All Post Contact Form	allpost-contactform
Alley Elementor Widget	alley-elementor-widget
AmaDiscount Plugin	amadiscount
amazing neo icon font for elementor	amazing-neo-icon-font-for-elementor
Amazon Associate Filter	amazon-associate-filter
AMP Img Shortcode	amp-img-shortcode
Ancient World Linked Data for WordPress	ancient-world-linked-data-for-wordpress
APK Downloader	apk-downloader
Appointment Booking Calendar Plugin and Scheduling Plugin – BookingPress	bookingpress-appointment-booking
Appointmind	appointmind
Arconix Shortcodes	arconix-shortcodes
aThemes Addons for Elementor	athemes-addons-for-elementor-lite
Audio Comparison Lite	audio-comparison-lite
Awesome Progress Bar	awesome-progess-bar
Awesome Shortcodes For Genesis	awesome-shortcodes-for-genesis
AwesomePress	awesomepress
BBP Core – Expand bbPress powered forums with useful features	bbp-core
Beaver Builder – WordPress Page Builder	beaver-builder-lite-version
Beds24 Online Booking	beds24-online-booking
BetterLinks – An Advanced Plugin for Affiliate Links, Link Shortening, Link Tracking, Link Branding & Marketing	betterlinks
Bigmart Elements	bigmart-elements
Black Widgets For Elementor	black-widgets
Blrt WP Embed	blrt-wp-embed
Bonway Static Block Editor	bonway-static-block-editor
bpmn.io	bpmnio
Bricksable for Bricks Builder	bricksable
Build 5 Star Reviews on Google Reviews, Yelp, Facebook… easily and risk-free \| RRatingg	5-stars-rating-funnel
Classy Addons for Elementor	classy-addons-for-elementor
Clever Addons for Elementor	cafe-lite
Clyp	clyp
CM Table Of Contents – WordPress TOC Plugin	cm-table-of-content
Code Explorer	code-explorer
Cresta Addons for Elementor	cresta-addons-for-elementor
Crypto Tool	crypto
Custom Admin Menu	custom-admin-menu
Custom Author URL	author-slug
Custom post type templates for Elementor	custom-post-type-templates-for-elementor
DataMentor – Best DataTables Plugin for Elementor	datamentor
Definitive Addons for Elementor	definitive-addons-for-elementor
Delisho – Recipe Widgets and Blocks	dr-widgets-blocks
Display Terms Shortcode	display-terms-shortcode
Domain Sharding	domain-sharding
Download Monitor	download-monitor
Download-Mirror-Counter	wp-download-mirror-counter
Dynamic Widgets	dynamic-widgets
e-shopsカート2	e-shops-cart2
Easy Accordion Gutenberg Block	easy-accordion-block
Easy Gallery	simple-gallery-odihost
Easy SVG Upload	easy-svg-upload
Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows)	bdthemes-element-pack-lite
Elementary Addons	elementary-addons
Elo Rating Shortcode	elo-rating-shortcode
Emoji Shortcode	emoji-shortcode
Enable Shortcodes inside Widgets,Comments and Experts	enable-shortcodes-inside-widgetscomments-and-experts
EndomondoWP	endomondowp
Events Manager Pro – extended	events-manager-pro-extended
Exclusive Addons for Elementor	exclusive-addons-for-elementor
Extender All In One For Elementor	extender-all-in-one-for-elementor
EzyOnlineBookings Online Booking System Widget	ezyonlinebookings-online-booking-system
Featured Posts Scroll	featured-posts-scroll
FileOrganizer – Manage WordPress and Website Files	fileorganizer
Flash Show And Hide Box	flash-show-and-hide-box
Forminator Forms – Contact Form, Payment Form & Custom Form Builder	forminator
FraudLabs Pro SMS Verification	fraudlabs-pro-sms-verification
GDReseller	gdreseller
Genoo	genoo
Get Quote For Woocommerce – Request A Quote For Woocommerce	get-a-quote-for-woocommerce
Gift Cards (Gift Vouchers and Packages) (WooCommerce Supported)	gift-voucher
Gmap Point List	gmap-point-list
Golf Tracker	golf-tracker
Group Chat & Video Chat by AtomChat	atomchat
Gutenberg Blocks with AI by Kadence WP – Page Builder Features	kadence-blocks
Header Footer Composer for Elementor	header-footer-composer
Hoo Addons for Elementor	hoo-addons-for-elementor
Hover Video Preview	hover-video-preview
HT Builder – WordPress Theme Builder for Elementor	ht-builder
HT Politic – For Political WordPress Themes / Website	wp-politic
ID-SK Toolkit	idsk-toolkit
Jetpack CRM – Clients, Leads, Invoices, Billing, Email Marketing, & Automation	zero-bs-crm
Jetpackcrm Ext Woo Connect	jetpackcrm-ext-woo-connect
Jigoshop – Store Exporter	jigoshop-exporter
JS Help Desk – The Ultimate Help Desk & Support Plugin	js-support-ticket
Kata Plus – Addons for Elementor – Widgets, Extensions and Templates	kata-plus
Kento Ads Rotator	kento-ads-rotator
Knowledge Base	knowledgebase
LH QR Codes	lh-qr-codes
Lodgix.com Vacation Rental Website Builder	lodgixcom-vacation-rental-listing-management-booking-plugin
Magical Addons For Elementor ( Header Footer Builder, Free Elementor Widgets, Elementor Templates Library )	magical-addons-for-elementor
Manage User Columns	manage-user-columns
Market 360 Viewer	market-360-viewer
Marquee Elementor with Posts	marquee-elementor
MasterBip para Elementor	masterbip-for-elementor
Masteriyo LMS – eLearning and Online Course Builder for WordPress	learning-management-system
MDR Webmaster Tools	mdr-webmaster-tools
Media File Rename, Find Unused File, Add Alt text, Caption, Desc For Image SEO – Media Library Tools	media-library-tools
Media Library Assistant	media-library-assistant
Media Modal	media-modal
Meta Store Elements	meta-store-elements
ML Responsive Audio player with playlist Shortcode	mlr-audio
Mobilize	mobilize
Move Addons for Elementor	move-addons
Multi Purpose Mail Form	multi-purpose-mail-form
Multiple Page Generator Plugin – MPG	multiple-pages-generator-by-porthas
MyCurator Content Curation	mycurator
MyOrderDesk	myorderdesk
Naver Blog	naver-blog-api
Newsletters	newsletters-lite
NMR Strava activities	nmr-strava-activities
Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE	otter-blocks
Paytium: Mollie payment forms & donations	paytium
Platform.ly Official	platformly
Plug your WooCommerce into the largest catalog of customized print products from Helloprint	helloprint
Plugin Name: GMO Social Connection	gmo-social-connection
Porsline	porsline
Post Status Notifier	post-status-notifier
Post Status Notifier Lite	post-status-notifier-lite
Premium Addons for Elementor	premium-addons-for-elementor
Pricer Ninja: Create and add responsive Pricing Tables to your website on-the-fly	pricer-ninja-pricing-tables
Pricing Tables WordPress Plugin – Easy Pricing Tables	easy-pricing-tables
Quran Shortcode	quran-shortcode
Random Featured Post	random-featured-post-plugin
ReCaptcha Integration for WordPress	wp-recaptcha-integration
Reftagger Shortcode	reftagger-shortcode
Responsive Flickr Gallery	responsive-flickr-gallery
Restaurant & Cafe Addon for Elementor	restaurant-cafe-addon-for-elementor
RLM Elementor Widgets Pack	rlm-elementor-widgets-pack
RSVP ME	rsvp-me
RSVPMaker for Toastmasters	rsvpmaker-for-toastmasters
Sales Page Addon – Elementor & Beaver Builder	sales-page-addon
Sastra Essential Addons for Elementor – Free Elementor Addons, Widgets and Templates	sastra-essential-addons-for-elementor
Selar.co Widget	selar-co-widget
Seo Free	seo-free
SEUR Oficial	seur
SH Slideshow	sh-slideshow
Show Visitor IP Address	show-visitor-ip-address
Sided	sided
Simple Business Manager	simple-business-manager
Simple Goods	simple-goods
Simple Job Manager	simple-job-manager
Simple Page Specific Sidebars	page-specific-sidebars
SIP Reviews Shortcode for WooCommerce	sip-reviews-shortcode-woocommerce
Skip To	skip-to
SKSDEV Toolkit	sksdev-toolkit
Slicko	slicko-for-elementor
Smart Mockups	smart-mockups
SmartLink Dynamic URLs	smartlink-dinamic-urls
SMS Alert Order Notifications – WooCommerce	sms-alert
Stacks Mobile App Builder – The most powerful Mobile Applications Drag and Drop builder	stacks-mobile-app-builder
Stars SMTP Mailer	stars-smtp-mailer
Step by Step	step-by-step
Sticky Social Bar	sticky-social-bar
StreamWeasels Kick Integration	streamweasels-kick-integration
StreamWeasels YouTube Integration	streamweasels-youtube-integration
Subscribe to Comments	subscribe-to-comments
Super Addons for Elementor	super-addons-for-elementor
T(-) Countdown	t-countdown
Themedy Toolbox	themedy-toolbox
ThemeFuse Maintenance Mode	themefuse-maintenance-mode
ThemeShark Templates & Widgets for Elementor	themeshark-elementor
TradeMe widgets	trademe-widget
Training – Courses	training
Twitter @Anywhere Plus	twitter-anywhere-plus
Ultimate TinyMCE	ultimate-tinymce
UPDATE NOTIFICATIONS	update-notifications
W3P SEO	wp-perfect-plugin
W3SPEEDSTER	w3speedster-wp
Webriti Custom Login	webriti-custom-login-page
Website price calculator	price-calculator-to-your-website
WeChat Subscribers Lite 微信公众订阅号插件	wechat-subscribers-lite
While Loading	while-it-is-loading
Widget or Sidebar Shortcode	widget-or-sidebar-per-shortcode
WM Zoom	wm-zoom
Woo Manage Fraud Orders	woo-manage-fraud-orders
Woocommerce Quote Calculator	woo-quote-calculator-order
WordPress Business Plugin	business
World Prayer Time	world-prayer-time
WP Baidu Map	wp-baidu-map
WP Course Manager	wp-course-manager
WP EASY RECIPE	wp-easy-recipe
WP EIS	wp-eis
WP Feature Box	wp-feature-box
WP Hotel Booking	wp-hotel-booking
WP Pocket URLs	wp-pocket-urls
WP Simple Anchors Links	wp-simple-anchors-links
WP Team – WordPress Team Member Plugin	ht-team-member
WPAdverts – Classifieds Plugin	wpadverts
WPC Smart Messages for WooCommerce	wpc-smart-messages
WPGlobus Translate Options	wpglobus-translate-options
Курс валют UAH	ukrainian-currency

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

AI Power: Complete AI Pack <= 1.8.89 – Unauthenticated Arbitrary File Upload

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-10392

Patch Status
Patched

Published
Oct 30, 2024

Affected Software
AI Power: Complete AI Pack

Researcher