Wordfence Intelligence Weekly WordPress Vulnerability Report (April 15, 2024 to April 21, 2024)

Did you know we’re running a Bug Bounty Extravaganza again?

Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through May 27th, 2024 when you opt to have Wordfence handle responsible disclosure!

Last week, there were 190 vulnerabilities disclosed in 155 WordPress Plugins and 2 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 53 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 15,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

WP Datepicker <= 2.1.0 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update
WAF-RULE-691 – Data redacted while we work with the vendor on a patch.

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status	Number of Vulnerabilities
Patched	149
Unpatched	41

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating	Number of Vulnerabilities
Low Severity	1
Medium Severity	162
High Severity	15
Critical Severity	12

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE	Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)	98
Missing Authorization	42
Cross-Site Request Forgery (CSRF)	9
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)	8
Authorization Bypass Through User-Controlled Key	5
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)	5
Information Exposure	3
Unrestricted Upload of File with Dangerous Type	3
Deserialization of Untrusted Data	2
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’)	2
Improper Control of Generation of Code (‘Code Injection’)	2
Information Exposure Through Log Files	2
Server-Side Request Forgery (SSRF)	2
Exposure of Sensitive Information Through Metadata	1
Guessable CAPTCHA	1
Improper Authorization	1
Improper Input Validation	1
Incorrect Privilege Assignment	1
Not Failing Securely (‘Failing Open’)	1
Protection Mechanism Failure	1

Researchers That Contributed to WordPress Security Last Week

Researcher Name	Number of Vulnerabilities
Krzysztof Zając	14
LVT-tholv2k	12
Dimas Maulana	12
Rafie Muhammad	11
Ngô Thiên An (ancorn_)	11
Abdi Pranata	10
beluga	9
Khalid	9
wesley (wcraft)	8
Francesco Carlucci	8
Majed Refaea	7
stealthcopter	6
CatFather	6
Lucio Sá	5
Dave Jong	4
Kyle Sanchez	4
Joshua Chan	4
Steven Julian	3
Webbernaut	3
Tim Coen	3
Dhabaleshwar Das	3
hibiki moriyama	3
Friday	2
João Pedro Soares de Alcântara	2
Emili Castells	2
István Márton	2
haidv35	2
Thura Moe Myint (mgthuramoemyint)	2
emad	2
Maksim Kosenko	1
Ray Wilson	1
AtaTurk1925	1
Phill Sav (Savphill)	1
Ananda Dhakal	1
Matheus Nascimento de Camargo	1
Colin Xu	1
Brandon James Roldan (tomorrowisnew)	1
Dau Hoang Tai	1
Alex Thomas	1
RandomRoot	1
Joel Indra	1
Amir Hossein Fallahi	1
Skalucy	1
Cronus	1
Whit Taylor	1
Stiofan	1
Arkadiusz Hydzik	1
Vladislav Pokrovsky (ΞX.MI)	1
ST	1
Faizal Abroni	1
Rhynorater	1
Michael Brackett	1
thiennv	1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name	Software Slug
2Checkout Payment Gateway for WooCommerce	woocommerce-2checkout-payment
3D FlipBook, PDF Viewer, PDF Embedder – Real 3D FlipBook WordPress Plugin	real3d-flipbook-lite
Access Category Password	access-category-password
Active Products Tables for WooCommerce. Use constructor to create tables	profit-products-tables-for-woocommerce
AI Infographic Maker	infographic-and-list-builder-ilist
App Builder – Create Native Android & iOS Apps On The Flight	app-builder
Attesa Extra	attesa-extra
BA Book Everything	ba-book-everything
Backend Designer	backend-designer
Backup Migration	backup-backup
Barcode Scanner and Inventory manager. POS (Point of Sale) – scan barcodes & create orders with barcode reader.	barcode-scanner-lite-pos-to-manage-products-inventory-and-orders
BMI Adult & Kid Calculator	bmi-adultkid-calculator
Bulk Block Converter	bulk-block-converter
Canva – Design beautiful blog graphics	canva
CBX Bookmark & Favorite	cbxwpbookmark
Click to Chat – HoliThemes	click-to-chat-for-whatsapp
Code Insert Manager (Q2W3 Inc Manager)	q2w3-inc-manager
Content Control – The Ultimate Content Restriction Plugin! Restrict Content, Create Conditional Blocks & More	content-control
Cornerstone	cornerstone
Country State City Dropdown CF7	country-state-city-auto-dropdown
Custom Order Statuses for WooCommerce	custom-order-statuses-for-woocommerce
Custom Thank You Page Customize For WooCommerce by Binary Carpenter	bc-woo-custom-thank-you-pages
Customer Reviews for WooCommerce	customer-reviews-woocommerce
Debug Log Manager	debug-log-manager
Delete Custom Fields	delete-custom-fields
DethemeKit For Elementor	dethemekit-for-elementor
DirectoryPress – Business Directory And Classified Ad Listing	directorypress
Ditty – Responsive News Tickers, Sliders, and Lists	ditty-news-ticker
DSGVO Youtube	dsgvo-youtube
EAN for WooCommerce	ean-for-woocommerce
Easy CountDowner	easy-countdowner
Easy Custom Auto Excerpt	easy-custom-auto-excerpt
Easy Textillate	easy-textillate
eCommerce Product Catalog Plugin for WordPress	ecommerce-product-catalog
EleForms – All In One Form Integration including DB for Elementor	all-contact-form-integration-for-elementor
Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows)	bdthemes-element-pack-lite
Elements Plus!	elements-plus
ElementsKit Pro	elementskit
Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce	email-subscribers
Enhanced Media Library	enhanced-media-library
Envo Extra	envo-extra
EnvíaloSimple: Email Marketing y Newsletters	envialosimple-email-marketing-y-newsletters-gratis
Essential Addons for Elementor Pro	essential-addons-elementor
Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders	essential-addons-for-elementor-lite
Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates	essential-blocks
Exclusive Addons for Elementor	exclusive-addons-for-elementor
FileBird – WordPress Media Library Folders & File Manager	filebird
Fixed HTML Toolbar	fixed-html-toolbar
Flash Video Player	flash-video-player
Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder	form-maker
Forminator – Contact Form, Payment Form & Custom Form Builder	forminator
Frontend Admin by DynamiApps	acf-frontend-form-element
GG Woo Feed for WooCommerce Shopping Feed on Google Facebook and Other Channels	gg-woo-feed
Happy Addons for Elementor	happy-elementor-addons
hCaptcha for WordPress	hcaptcha-for-forms-and-more
HelloAsso	helloasso
HT Mega – Absolute Addons For Elementor	ht-mega-for-elementor
HurryTimer – An Scarcity and Urgency Countdown Timer for WordPress & WooCommerce	hurrytimer
HUSKY – Products Filter Professional for WooCommerce	woocommerce-products-filter
Icon Widget	icon-widget
Import Content in WordPress & WooCommerce with Excel	content-excel-importer
Jobs for WordPress	job-postings
Jotform Online Forms – Drag & Drop Form Builder, Securely Embed Contact Forms	embed-form
Knight Lab Timeline	knight-lab-timelinejs
Language Switcher for Transposh	language-switcher-for-transposh
LearnPress Export Import – WordPress extension for LearnPress	learnpress-import-export
LearnPress – WordPress LMS Plugin	learnpress
LH Add Media From Url	lh-add-media-from-url
Login with phone number	login-with-phone-number
LoginPress Pro	loginpress-pro
Mailster – Email Newsletter Plugin for WordPress	mailster
Master Slider – Responsive Touch Slider	master-slider
MaxGalleria	maxgalleria
Media Library Folders	media-library-plus
Mega Addons For Elementor	ultimate-addons-for-elementor
Mega Elements – Addons for Elementor	mega-elements-addons-for-elementor
MJ Update History	mj-update-history
Mortgage Calculators WP	mortgage-calculators-wp
Multi Currency For WooCommerce	wc-multi-currency
MyRewards – Loyalty Points and Rewards for WooCommerce – Reward orders, referrals, product reviews and more	woorewards
Navigation menu as Dropdown Widget	navigation-menu-as-dropdown-widget
Netgsm	netgsm
Open Close WooCommerce Store – Best Business Schedules Manager	woc-open-close
Order Limit for WooCommerce	wc-order-limit-lite
Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE	otter-blocks
Ovic Responsive WPBakery	ovic-vc-addon
Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions	paid-memberships-pro
PeproDev CF7 Database	pepro-cf7-database
PeproDev Ultimate Invoice	pepro-ultimate-invoice
Poll Maker – Best WordPress Poll Plugin	poll-maker
Popup Anything – Popup for opt-ins and Lead Generation Conversions	popup-anything-on-click
Post Grid Gutenberg Blocks and WordPress Blog Plugin – PostX	ultimate-post
Prime Slider – Addons For Elementor (Revolution of a slider, Hero Slider, Ecommerce Slider)	bdthemes-prime-slider-lite
Product Feed PRO for WooCommerce by AdTribes – WooCommerce Product Feeds for Google, Facebook/Meta, Bing, & More	woo-product-feed-pro
ProfileGrid – User Profiles, Memberships, Groups and Communities	profilegrid-user-profiles-groups-and-communities
QR Code Composer – Automatic QR code Generator	qr-code-composer
Radio Player – Live Shoutcast, Icecast and Any Audio Stream Player for WordPress	radio-player
Real Media Library: Media Library Folder & File Manager	real-media-library-lite
Really Simple SSL	really-simple-ssl
Related Posts for WordPress	microkids-related-posts
Restaurant Menu – Food Ordering System – Table Reservation	menu-ordering-reservations
Royal Elementor Addons and Templates	royal-elementor-addons
RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator	feedzy-rss-feeds
RSS Feed Widget	rss-feed-widget
Shared Files – Advanced File Sharing & Download Manager with Frontend Uploads & Lead Generation	shared-files
ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor)	woolentor-addons
Shortcodes and extra features for Phlox theme	auxin-elements
Simple Registration for WooCommerce	woocommerce-simple-registration
Simple Testimonials Showcase	simple-testimonials-showcase
Slider by 10Web – Responsive Image Slider	slider-wd
Smart Forms – when you need more than just a contact form	smart-forms
SmartCrawl WordPress SEO checker, SEO analyzer, SEO optimizer	smartcrawl-seo
SP Project & Document Manager	sp-client-document-manager
Speed Optimizer – The All-In-One WordPress Performance-Boosting Plugin	sg-cachepress
Support Genix – Support Tickets Managing System & Helpdesk Plugin for WordPress and WooCommerce	support-genix-lite
Tagbox – UGC Galleries, Social Media Widgets, User Reviews & Analytics	taggbox-widget
Tagembed: Embed Twitter Feed, Google Reviews, YouTube Videos, TikTok, RSS Feed & More Social Media Feeds	tagembed-widget
Tax Rate Upload	tax-rate-upload
Theme My Login	theme-my-login
TrackShip for WooCommerce	trackship-for-woocommerce
User Registration – Custom Registration Form, Login Form, and User Profile WordPress Plugin	user-registration
VikBooking Hotel Booking Engine & PMS	vikbooking
Void Elementor WHMCS Elements For Elementor Page Builder	void-elementor-whmcs-elements
What’s New Generator	whats-new-genarator
WooCommerce Google Feed Manager	wp-product-feed-manager
WooCommerce Multilingual & Multicurrency with WPML	woocommerce-multilingual
WordPress Automatic Plugin	wp-automatic
WordPress Menu Plugin — Superfly Responsive Menu	superfly-menu
WordPress Simple HTML Sitemap	wp-simple-html-sitemap
WP 2FA – Two-factor authentication for WordPress	wp-2fa
WP 404 Auto Redirect to Similar Post	wp-404-auto-redirect-to-similar-post
WP Club Manager – WordPress Sports Club Plugin	wp-club-manager
WP Cookie Consent ( for GDPR, CCPA & ePrivacy )	gdpr-cookie-consent
WP Cost Estimation & Payment Forms Builder	wp-estimation-form
WP Dummy Content Generator	wp-dummy-content-generator
WP Dynamic Keywords Injector	wp-dynamic-keywords-injector
WP File Download Light	wp-file-download-light
WP Helper Premium	wp-helper-lite
WP Meta SEO	wp-meta-seo
WP Poll Maker – Best WordPress Poll Plugin for Voting Contest	epoll-wp-voting
WP Show Posts	wp-show-posts
WP Smart Import : Import any XML File to WordPress	wp-smart-import
WP Social Comments	gs-facebook-comments
WP Stripe Checkout	wp-stripe-checkout
WP TradingView	wp-tradingview
WP Ultimate Review	wp-ultimate-review
WP-Cufon	wp-cufon
WP-FormAssembly	formassembly-web-forms
WP-Lister Lite for eBay	wp-lister-for-ebay
WP-Recall – Registration, Profile, Commerce & More	wp-recall
WPC Frequently Bought Together for WooCommerce	woo-bought-together
WPC Grouped Product for WooCommerce	wpc-grouped-product
Yoga Schedule Momoyoga	momoyoga-integration
Zero Spam for WordPress	zero-spam
Zynith SEO	zynith-seo

WordPress Themes with Reported Vulnerabilities Last Week

Software Name	Software Slug
GuCherry Blog	gucherry-blog
Tainacan Interface	tainacan-interface

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

WP Dummy Content Generator <= 3.2.1 – Unauthenticated Code Injection

10.0

CVSS Rating
Critical (10.0)

CVE-ID
CVE-2024-32599

Patch Status
Patched

Published
Apr 16, 2024

Affected Software
WP Dummy Content Generator

Researcher