Wordfence Intelligence Weekly WordPress Vulnerability Report (April 1, 2024 to April 7, 2024)

Did you know we’re running a Bug Bounty Extravaganza again?

Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through May 27th, 2024 when you opt to have Wordfence handle responsible disclosure!

Last week, there were 173 vulnerabilities disclosed in 138 WordPress Plugins and 2 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 64 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 15,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status	Number of Vulnerabilities
Patched	157
Unpatched	16

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating	Number of Vulnerabilities
Low Severity	1
Medium Severity	141
High Severity	17
Critical Severity	14

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE	Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)	53
Missing Authorization	33
Cross-Site Request Forgery (CSRF)	25
Information Exposure	12
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)	8
Unrestricted Upload of File with Dangerous Type	7
Authorization Bypass Through User-Controlled Key	4
Deserialization of Untrusted Data	4
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’)	4
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)	4
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)	2
Incorrect Privilege Assignment	2
URL Redirection to Untrusted Site (‘Open Redirect’)	2
Absolute Path Traversal	1
Exposure of Private Information (‘Privacy Violation’)	1
External Control of Assumed-Immutable Web Parameter	1
Guessable CAPTCHA	1
Improper Access Control	1
Improper Authorization	1
Improper Control of Generation of Code (‘Code Injection’)	1
Improper Neutralization of Alternate XSS Syntax	1
Improper Neutralization of Formula Elements in a CSV File	1
Incorrect Authorization	1
Information Exposure Through Log Files	1
Path Traversal: ‘…/…//’	1
Server-Side Request Forgery (SSRF)	1

Researchers That Contributed to WordPress Security Last Week

Researcher Name	Number of Vulnerabilities
Francesco Carlucci	14
Lucio Sá	9
Dhabaleshwar Das	9
Majed Refaea	8
Ngô Thiên An (ancorn_)	8
beluga	7
Joshua Chan	7
wesley (wcraft)	7
Rafie Muhammad	6
Dave Jong	5
Webbernaut	4
Khalid	4
Abdi Pranata	4
stealthcopter	4
Le Ngoc Anh	4
Krzysztof Zając	4
Colin Xu	3
Mika	3
Ananda Dhakal	3
Steven Julian	3
Bob Matyas	3
João Pedro Soares de Alcântara	3
1337_Wannabe	2
Skalucy	2
drop	2
Dau Hoang Tai	2
João G. Barbosa (4rCanJ0x!)	2
Tim Coen	2
Nikolas	2
Peng Zhou	2
movrment	2
LVT-tholv2k	2
Phuoc Pham (p3tl0v3r)	2
Akbar Kustirama	2
Thura Moe Myint (mgthuramoemyint)	2
emad	2
Muhammad Daffa	2
Myungju Kim	1
younsoung kim	1
SeoHyeon Lee	1
SeoHee Kang	1
Dian Sun	1
thiennv	1
Peter17	1
Khayal Farzaliyev (shaman0x01)	1
Brandon James Roldan (tomorrowisnew)	1
Sh	1
Peng Zhou	1
Fariq Fadillah Gusti Insani (fariqfgi)	1
Jobert Krohnen	1
Hiroho Shimada	1
Benedictus Jovan	1
Ray Wilson	1
Friday	1
Abdi Prawira Negara	1
ST	1
Cronus	1
DarkT	1
Trình Vũ	1
qilin_99	1
Kyle Sanchez	1
Robert Kruczek (ProXy)	1
CatFather	1
RandomRoot	1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name	Software Slug
Advanced Local Pickup for WooCommerce	advanced-local-pickup-for-woocommerce
Advanced Order Export For WooCommerce	woo-order-export-lite
All-in-One Video Gallery	all-in-one-video-gallery
Announce from the Dashboard	announce-from-the-dashboard
Announcer – Sticky Message Banner, Notification Bar – Add to Top, Bottom of your Website	announcer
App Builder – Create Native Android & iOS Apps On The Flight	app-builder
AppPresser – Mobile App Framework	apppresser
ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup	armember-membership
Auto Poster	auto-poster
Bannerlid	bannerlid
Beaver Builder – WordPress Page Builder	beaver-builder-lite-version
Beaver Themer	beaver-themer
Best WordPress Gallery Plugin – FooGallery	foogallery
Bold Page Builder	bold-page-builder
BoldGrid Easy SEO – Simple and Effective SEO	boldgrid-easy-seo
BookingPress – Appointment Booking Calendar Plugin and Online Scheduling Plugin	bookingpress-appointment-booking
Bricksforge	bricksforge
Captcha by BestWebSoft – Spam Protection, Security Plugin for WordPress Forms	captcha-bws
Carousel, Slider, Gallery by WP Carousel – Image Carousel & Photo Gallery, Post Carousel & Post Grid, Product Carousel & Product Grid for WooCommerce	wp-carousel-free
CGC Maintenance Mode	cgc-maintenance-mode
Church Admin	church-admin
Classified Listing – Classified ads & Business Directory Plugin	classified-listing
CMB2	cmb2
Colibri Page Builder	colibri-page-builder
Contact Form Email	contact-form-to-email
Contact Form, Survey & Popup Form Plugin for WordPress – ARForms Form Builder	arforms-form-builder
ConvertKit – Email Newsletter, Email Marketing, Subscribers and Landing Pages	convertkit
Creative Addons for Elementor	creative-addons-for-elementor
Custom post types, Custom Fields & more	custom-post-types
Demo My WordPress	demo-my-wordpress
Easy Digital Downloads – Sell Digital Files & Subscriptions (eCommerce Store + Payments Made Easy)	easy-digital-downloads
Easy Login Styler – White Label Admin Login Page for WordPress	easy-login-styler
Easy Social Share Buttons for WordPress	easy-social-share-buttons3
Edwiser Bridge – WordPress Moodle LMS Integration	edwiser-bridge
Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows)	bdthemes-element-pack-lite
Elementor Addons, Widgets and Enhancements – Stax	stax-addons-for-elementor
ElementsKit Elementor addons	elementskit-lite
ELEX WooCommerce Dynamic Pricing and Discounts	elex-woocommerce-dynamic-pricing-and-discounts
Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce	email-subscribers
EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor	embedpress
EnvíaloSimple: Email Marketing y Newsletters	envialosimple-email-marketing-y-newsletters-gratis
Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates	essential-blocks
EventPrime – Events Calendar, Bookings and Tickets	eventprime-event-calendar-management
FancyBox for WordPress	fancybox-for-wordpress
FG Drupal to WordPress	fg-drupal-to-wp
File Manager	wp-file-manager
Flexible Checkout Fields for WooCommerce – WooCommerce Checkout Manager	flexible-checkout-fields
Form to Chat App	form-to-chat
Formsite \| Embed online forms to collect orders, registrations, leads, and surveys	formsite
Generate Child Theme	generate-child-theme
Genesis Blocks	genesis-blocks
Global Elementor Buttons	global-elementor-buttons
Gradient Text Widget for Elementor	gradient-text-widget-for-elementor
Gutenberg Blocks by Kadence Blocks – Page Builder Features	kadence-blocks
Happy Addons for Elementor	happy-elementor-addons
Image Watermark	image-watermark
Import XML and RSS Feeds	import-xml-feed
Jeg Elementor Kit	jeg-elementor-kit
JS Help Desk – Best Help Desk & Support Plugin	js-support-ticket
LayerSlider	LayerSlider
LearnPress Export Import – WordPress extension for LearnPress	learnpress-import-export
LearnPress – WordPress LMS Plugin	learnpress
Loan Repayment Calculator and Application Form	quick-interest-slider
MailMunch – Grow your Email List	mailmunch
Masteriyo LMS – eLearning and Online Course Builder for WordPress	learning-management-system
MasterStudy LMS WordPress Plugin – for Online Courses and Education	masterstudy-lms-learning-management-system
Media Library Folders	media-library-plus
MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor	metform
MM-email2image	mm-email2image
Modal Popup Box – Popup Builder, Show Offers And News in Popup	modal-popup-box
MP3 Audio Player for Music, Radio & Podcast by Sonaar	mp3-music-player-by-sonaar
Multiple Page Generator Plugin – MPG	multiple-pages-generator-by-porthas
MultiVendorX Marketplace – WooCommerce MultiVendor Marketplace Solution	dc-woocommerce-multi-vendor
Nudgify Social Proof, Sales Popup & FOMO – Best WordPress Social Proof Plugin	nudgify
Passster – Password Protect Pages and Content	content-protector
Photo Gallery by 10Web – Mobile-Friendly Image Gallery	photo-gallery
Post Grid Gutenberg Blocks and WordPress News Plugin – PostX	ultimate-post
Post Views Counter	post-views-counter
Powerkit – Supercharge your WordPress Site	powerkit
Premium Addons for Elementor	premium-addons-for-elementor
Product Designer	product-designer
Product Sort and Display for WooCommerce	woocommerce-product-sort-and-display
ProfileGrid – User Profiles, Memberships, Groups and Communities	profilegrid-user-profiles-groups-and-communities
RapidLoad 2.2 – Speed Monster in One Plugin	unusedcss
ReDi Restaurant Reservation	redi-restaurant-reservation
rehub-framework	rehub-framework
Relevanssi – A Better Search	relevanssi
Relevanssi – A Better Search (Pro)	relevanssi-premium
Responsive Lightbox & Gallery	responsive-lightbox
Royal Elementor Addons and Templates	royal-elementor-addons
RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator	feedzy-rss-feeds
s2Member – Best Membership Plugin for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions	s2member
SearchIQ – The Search Solution	searchiq
SecuPress Free — WordPress Security	secupress
Sharkdropship Dropshipping & Affiliate for for AliExpress	wooshark-aliexpress-importer
ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor)	woolentor-addons
ShortPixel Adaptive Images – WebP, AVIF, CDN, Image Optimization	shortpixel-adaptive-images
Sign-up Sheets	sign-up-sheets
Slideshow Gallery LITE	slideshow-gallery
Smart Online Order for Clover	clover-online-orders
Spectra – WordPress Gutenberg Blocks	ultimate-addons-for-gutenberg
Squelch Tabs and Accordions Shortcodes	squelch-tabs-and-accordions-shortcodes
Subscribe To Comments Reloaded	subscribe-to-comments-reloaded
Sumo – Boost Conversion and Sales	sumome
Super Testimonials	super-testimonial
Sydney Toolbox	sydney-toolbox
Template Kit – Import	template-kit-import
Tracking Code Manager	tracking-code-manager
Transcoder	transcoder
Ultimate Bootstrap Elements for Elementor	ultimate-bootstrap-elements-for-elementor
Ultimate Maps by Supsystic	ultimate-maps-by-supsystic
User Activity Log	user-activity-log
User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor	profile-builder
User Spam Remover	user-spam-remover
Watu Quiz	watu
Wholesale For WooCommerce	woocommerce-wholesale-pricing
WooCommerce	woocommerce
WooCommerce Checkout Field Editor (Checkout Manager)	woo-checkout-regsiter-field-editor
WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels	print-invoices-packing-slip-labels-for-woocommerce
WordPress Backup & Migration	wp-migration-duplicator
WordPress Classifieds Plugin – Ad Directory & Listings by AWP Classifieds	another-wordpress-classifieds-plugin
WordPress Comments Import & Export	comments-import-export-woocommerce
WordPress Gallery Exporter – Export your NextGen, Envira and FooGallery galleries to your computer	wp-gallery-exporter
WordPress Gallery Plugin – NextGEN Gallery	nextgen-gallery
WordPress Tag and Category Manager – AI Autotagger	simple-tags
WordPress Tooltips	wordpress-tooltips
WordPress Webinar Plugin – WebinarPress	wp-webinarsystem
WP Directory Kit	wpdirectorykit
WP Import Export Lite	wp-import-export-lite
WP OAuth Server (OAuth Authentication)	oauth2-provider
WP Photo Album Plus	wp-photo-album-plus
WP Poll Maker – Best WordPress Poll Plugin for Voting Contest	epoll-wp-voting
WP Server Health Stats	wp-server-stats
WP Sort Order	wp-sort-order
WP-Members Membership Plugin	wp-members
WP-Stateless – Google Cloud Storage	wp-stateless
WPFront User Role Editor	wpfront-user-role-editor
WPvivid Backup for MainWP	wpvivid-backup-mainwp

WordPress Themes with Reported Vulnerabilities Last Week

Software Name	Software Slug
Hello Elementor	hello-elementor
rehub-theme	rehub-theme

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

Slideshow Gallery <= 1.7.8 – Authenticated (Contributor+) SQL Injection

9.9

CVSS Rating
Critical (9.9)

CVE-ID
CVE-2024-31355

Patch Status
Unpatched

Published
Apr 7, 2024

Affected Software
Slideshow Gallery LITE

Researcher