Wordfence Intelligence Weekly WordPress Vulnerability Report (April 8, 2024 to April 14, 2024)

Did you know we’re running a Bug Bounty Extravaganza again?

Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through May 27th, 2024 when you opt to have Wordfence handle responsible disclosure!

Last week, there were 202 vulnerabilities disclosed in 185 WordPress Plugins, 21 WordPress Themes, and one in WordPress Core that have been added to the Wordfence Intelligence Vulnerability Database, and there were 63 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 15,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

Forminator – Contact Form, Payment Form & Custom Form Builder <= 1.29.2 – Authenticated (Contributor+) Stored Cross-Site Scripting
WordPress Core < 6.5.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Avatar Block
WAF-RULE-690 – Data redacted while we work with the vendor on a patch.

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status	Number of Vulnerabilities
Patched	160
Unpatched	42

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating	Number of Vulnerabilities
Medium Severity	178
High Severity	11
Critical Severity	13

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE	Number of Vulnerabilities
Cross-Site Request Forgery (CSRF)	92
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)	49
Missing Authorization	24
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)	14
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)	6
Deserialization of Untrusted Data	3
Information Exposure	3
Server-Side Request Forgery (SSRF)	3
Improper Authorization	2
Improper Input Validation	2
Unrestricted Upload of File with Dangerous Type	2
URL Redirection to Untrusted Site (‘Open Redirect’)	2

Researchers That Contributed to WordPress Security Last Week

Researcher Name	Number of Vulnerabilities
Dhabaleshwar Das	51
Majed Refaea	12
Joshua Chan	11
Krzysztof Zając	7
Mika	6
wesley (wcraft)	5
João Pedro Soares de Alcântara	5
Nikolas	5
Dave Jong	5
Brandon James Roldan (tomorrowisnew)	5
Dimas Maulana	4
Nguyen Xuan Chien	4
Le Ngoc Anh	4
Abdi Pranata	4
Ngô Thiên An (ancorn_)	4
Steven Julian	4
stealthcopter	4
Francesco Carlucci	3
thiennv	3
Cronus	3
Rafie Muhammad	3
Lucio Sá	3
Webbernaut	2
Ananda Dhakal	2
1337_Wannabe	2
Byeongjun Jo	2
Vladislav Pokrovsky (ΞX.MI)	2
emad	2
John Blackbourn	2
Khalid	2
Muhammad Daffa	2
Ivan Spiridonov (xbz0n)	2
Peng Zhou	2
Thura Moe Myint (mgthuramoemyint)	2
Duc Manh	2
Thanh Nam Tran	1
Karl Emil Nikka	1
Krugov Artyom	1
CatFather	1
Liu Shaohong	1
Joel Indra	1
Ulyses Saicha	1
Trình Vũ	1
tiborisaak	1
Skalucy	1
Christiaan Swiers (YouGina)	1
Yuchen Ji	1
Nathaniel Oh (0x4n3)	1
Briana Campbell (TerraByte)	1
Maksim Kosenko	1
Dau Hoang Tai	1
Emili Castells	1
Manab Jyoti Dowarah	1
hoanpk	1
Phill Sav (Savphill)	1
Ray Wilson	1
beluga	1
Sharanabasappa	1
AtaTurk1925	1
Myungju Kim	1
younsoung kim	1
SeoHyeon Lee	1
SeoHee Kang	1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name	Software Slug
5 star review funnel for Google Reviews, Trustpilot, ProvenExpert and more \| RRatingg	5-stars-rating-funnel
Account Engagement	pardot
ActiveCampaign – Forms, Site Tracking, Live Chat	activecampaign-subscription-forms
Ads.txt Admin	ads-txt-admin
Advanced Cron Manager – debug & control	advanced-cron-manager
Advanced iFrame	advanced-iframe
Advanced Page Visit Counter – Most Wanted Analytics Plugin for WordPress	advanced-page-visit-counter
Advanced Post Block – Display Posts, Pages, or Custom Posts on Your Page	advanced-post-block
AffiEasy	affieasy
AIKit – WordPress AI Automatic Writer, Chatbot, Writing Assistant & Content Repurposer / OpenAI GPT	aikit-wordpress-ai-writing-assistant-using-gpt3
All-in-One Addons for Elementor – WidgetKit	widgetkit-for-elementor
Appointment Bookings for Zoom GoogleMeet and more – Wappointment	wappointment
AppPresser – Mobile App Framework	apppresser
Asgaros Forum	asgaros-forum
Aspose.Words – Import and Export word documents	aspose-doc-exporter
BA Book Everything	ba-book-everything
BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net	woo-bulk-editor
Before And After: Lead Capture Forms For WordPress	before-and-after
Benchmark Email Lite	benchmark-email-lite
Better Chat Support – Chat Bubble and Chat Button with Gutenberg, Elementor and Shortcode	chat-help
BizCalendar Web	bizcalendar-web
Blocksy Companion	blocksy-companion
Bold Page Builder	bold-page-builder
Booking for Appointments and Events Calendar – Amelia	ameliabooking
Boostify Header Footer Builder for Elementor	boostify-header-footer-builder
bunny.net – WordPress CDN Plugin	bunnycdn
BWL Advanced FAQ Manager	bwl-advanced-faq-manager
Calendarista Basic Edition – WordPress appointment booking system	calendarista-basic-edition
Carousel Slider	carousel-slider
Carousel, Slider, Gallery by WP Carousel – Image Carousel & Photo Gallery, Post Carousel & Post Grid, Product Carousel & Product Grid for WooCommerce	wp-carousel-free
CBX Bookmark & Favorite	cbxwpbookmark
Church Admin	church-admin
Church Content – Sermons, Events and More	church-theme-content
Citadela Directory	citadela-directory
Clone	wp-clone-by-wp-academy
Contact Form Plugin	contact-form-lite
Convert Post Types	convert-post-types
Crony Cronjob Manager	crony
Currency per Product for WooCommerce	currency-per-product-for-woocommerce
Customily Product Personalizer	customily-v2
Dashboard To-Do List	dashboard-to-do-list
Dashboard Welcome for Elementor	dashboard-welcome-for-elementor
Disable Comments \| WPZest	disable-comments-wpz
Download Manager	downloadmanager
E2Pdf – Export To Pdf Tool for WordPress	e2pdf
Easy Logo	easylogo
eCommerce Product Catalog Plugin for WordPress	ecommerce-product-catalog
Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows)	bdthemes-element-pack-lite
Elementor Addons by Livemesh	addons-for-elementor
ELEX WooCommerce Dynamic Pricing and Discounts	elex-woocommerce-dynamic-pricing-and-discounts
Email Marketing for WooCommerce by Omnisend	omnisend-connect
eRoom – Zoom Meetings & Webinars	eroom-zoom-meetings-webinar
Essential Grid Gallery WordPress Plugin	essential-grid
Event Manager and Tickets Selling Plugin for WooCommerce – WpEvently – WordPress Plugin	mage-eventpress
Exclusive Addons for Elementor	exclusive-addons-for-elementor
Extra Product Options Builder for WooCommerce	additional-product-fields-for-woocommerce
EZ Form Calculator	ez-form-calculator
F4 Improvements	f4-improvements
Favicon by RealFaviconGenerator	favicon-by-realfavicongenerator
Filter Custom Fields & Taxonomies Light	filter-custom-fields-taxonomies-light
Finale Lite – Sales Countdown Timer & Discount for WooCommerce	finale-woocommerce-sales-countdown-timer-discount
Find Duplicates	find-duplicates
Forminator – Contact Form, Payment Form & Custom Form Builder	forminator
Forms to Zapier, Integromat, IFTTT, Workato, Automate.io, elastic.io, Built.io, APIANT, Webhook	forms-to-zapier
Freshdesk (official)	freshdesk-support
FV Flowplayer Video Player	fv-wordpress-flowplayer
Gallery Box	gallery-box
GEO my WordPress	geo-my-wp
Gift Cards (Gift Vouchers and Packages) (WooCommerce Supported)	gift-voucher
GiveWP – Donation Plugin and Fundraising Platform	give
GP Unique ID	gp-unique-id
Gutenberg	gutenberg
Gutenberg Blocks by Kadence Blocks – Page Builder Features	kadence-blocks
Import any XML or CSV File to WordPress	wp-all-import
Import Users from CSV	import-users-from-csv
Inline Related Posts	intelly-related-posts
InstaWP Connect – 1-click WP Staging & Migration	instawp-connect
Intagrate Lite	instagrate-to-wordpress
IP2Location Country Blocker	ip2location-country-blocker
Ivory Search – WordPress Search Plugin	add-search-to-menu
Jobs for WordPress	job-postings
Kimili Flash Embed	kimili-flash-embed
Language Translate Widget for WordPress – ConveyThis	conveythis-translate
Leadinfo	leadinfo
Leaflet Maps Marker (Google Maps, OpenStreetMap, Bing Maps)	leaflet-maps-marker
Legal Pages – Privacy Policy, Terms & Conditions, GDPR, CCPA, and Cookie Notice Generator	legal-pages
Libsyn Publisher Hub	libsyn-podcasting
LifterLMS – WordPress LMS Plugin for eLearning	lifterlms
Link Whisper Free	link-whisper
Load More Anything	ajax-load-more-anything
Login With Ajax – Fast Logins, 2FA, Redirects	login-with-ajax
Login with phone number	login-with-phone-number
Login \| Login Page \| Login Logo \| Rename Login Page \| Custom Login Page \| Temporary Users \| Rebrand Login \| Login Captcha	feather-login-page
Mail logging – WP Mail Catcher	wp-mail-catcher
MailChimp Forms by MailMunch	mailchimp-forms-by-mailmunch
Marker.io – Visual Website Feedback	marker-io
Membership Plugin – Restrict Content	restrict-content
Migration, Backup, Staging – WPvivid	wpvivid-backuprestore
MihanPanel – User Login , Registration and Dashboard	mihanpanel-lite
MultiParcels Shipping For WooCommerce	multiparcels-shipping-for-woocommerce
MWW Disclaimer Buttons	mww-disclaimer-buttons
Newsletter – Send awesome emails from WordPress	newsletter
NextMove Lite – Thank You Page for WooCommerce	woo-thank-you-page-nextmove-lite
No-Bot Registration	no-bot-registration
Novelist	novelist
Ocean Extra	ocean-extra
Order Delivery Date for WooCommerce	order-delivery-date-for-woocommerce
Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE	otter-blocks
Ovic Addon Toolkit	ovic-addon-toolkit
Page Builder: Live Composer	live-composer-page-builder
Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress	wp-user-avatar
Podlove Podcast Publisher	podlove-podcasting-plugin-for-wordpress
POEditor	poeditor
Popup by Supsystic	popup-by-supsystic
Popup Like box – Page Plugin	ays-facebook-popup-likebox
Post Type Builder	themify-ptb
Premium Addons for Elementor	premium-addons-for-elementor
Premmerce Product Filter for WooCommerce	premmerce-woocommerce-product-filter
Product Feed on WooCommerce for Google, Awin, Shareasale, Bing, and More	purple-xmls-google-product-feed-for-woocommerce
Product Input Fields for WooCommerce	product-input-fields-for-woocommerce
ProfileGrid – User Profiles, Memberships, Groups and Communities	profilegrid-user-profiles-groups-and-communities
Realtyna Organic IDX plugin + WPL Real Estate	real-estate-listing-realtyna-wpl
ReDi Restaurant Reservation	redi-restaurant-reservation
Redirection	redirect-redirection
Remove Footer Credit	remove-footer-credit
Responsive Contact Form Builder & Lead Generation Plugin	lead-form-builder
Responsive Slider – Sangar Slider	sangar-slider-lite
RestroPress – Online Food Ordering System	restropress
Save as Image Plugin by Pdfcrowd	save-as-image-by-pdfcrowd
Search Keyword Redirect	wp-search-keyword-redirect
SEO Booster	seo-booster
Shopkeeper Extender	shopkeeper-extender
Shopping Cart & eCommerce Store	wp-easycart
Short URL	shorten-url
Simple Post Notes	simple-post-notes
Siteimprove	siteimprove
Slider Revolution	revslider
Slider, Gallery, and Carousel by MetaSlider – Responsive WordPress Slideshows	ml-slider
Smart Slider 3	smart-slider-3
Smash Balloon Social Post Feed	custom-facebook-feed
Spotlight Social Feeds [Block, Shortcode, and Widget]	spotlight-social-photo-feeds
Subscribe2 – Form, Email Subscribers & Newsletters	subscribe2
Sync Post With Other Site	sync-post-with-other-site
Table Plugin for WordPress with Google Sheets Integration – Sheets to WP Table Live Sync	sheets-to-wp-table-live-sync
Tablesome – Responsive Table, Email Log, Form Automation – Contact Form 7, Elementor, WPForms, Gravity Forms, Fluent, Forminator	tablesome
TempTool [Show Current Template Info]	current-template-name
The Events Calendar	the-events-calendar
Top Bar	top-bar
TOP Table Of Contents	top-table-of-contents
TWIPLA (Visitor Analytics IO) – Privacy-First Website Stats, Session Recordings, Heatmaps, Polls and Surveys	visitor-analytics-io
Ultimate Before After Image Slider & Gallery – BEAF	beaf-before-and-after-gallery
Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin	ultimate-member
Ultimate Product Catalog	ultimate-product-catalogue
Ultimate Store Kit Elementor Addons, Woocommerce Builder, EDD Builder, Elementor Store Builder, Product Grid, Product Table, Woocommerce Slider	ultimate-store-kit
UNKNOWN-CVE-2014-4663	UNKNOWN-CVE-2014-4663
Unlimited Elementor Inner Sections By BoomDevs	unlimited-elementor-inner-sections-by-boomdevs
User Activity Log Pro	user-activity-log-pro
UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WordPress	userswp
USPS Shipping for WooCommerce – Live Rates	flexible-shipping-usps
Wallet System for WooCommerce – Digital Wallet, Cashback Rewards, Recharge User Wallets, View Transaction History	wallet-system-for-woocommerce
Webinar Solution: Create live/evergreen/automated/instant webinars, stream & Zoom Meetings \| WebinarIgnition	webinar-ignition
Website Builder by SeedProd — Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode	coming-soon
Welcart e-Commerce	usc-e-shop
WOLF – WordPress Posts Bulk Editor and Manager Professional	bulk-editor
WooCommerce UPS Shipping – Live Rates and Access Points	flexible-shipping-ups
WordPress Classifieds Plugin – Ad Directory & Listings by AWP Classifieds	another-wordpress-classifieds-plugin
WordPress Flipbook by Supsystic	digital-publications-by-supsystic
WordPress Hosting Benchmark tool	wpbenchmark
WordPress Tour & Travel Booking Plugin for WooCommerce – WpTravelly	tour-booking-manager
WP Accessibility Helper (WAH)	wp-accessibility-helper
WP Activity Log Premium	wp-security-audit-log-premium
WP Client Reports	wp-client-reports
WP Compress – Image Optimizer [All-In-One]	wp-compress-image-optimizer
WP Encryption – One Click Free SSL Certificate & SSL / HTTPS Redirect to Force HTTPS, Security+	wp-letsencrypt-ssl
WP Event Aggregator: Import Eventbrite events, Meetup events, social events and any iCal Events into WordPress	wp-event-aggregator
WP Google Analytics Events – No-Code Custom Event Tracking for Google Analytics	wp-google-analytics-events
WP Login and Logout Redirect	wp-login-and-logout-redirect
WP Matterport Shortcode	shortcode-gallery-for-matterport-showcase
WP Radio – Worldwide Online Radio Stations Directory for WordPress	wp-radio
WP2LEADS \| WordPress und KlickTipp einfach verbinden – WooCommerce und KlickTipp einfach verbinden	wp2leads
WPBakery Visual Composer	js_composer
WPC Smart Quick View for WooCommerce	woo-smart-quick-view
WPZOOM Social Feed Widget & Block	instagram-widget-by-wpzoom
XPlainer – WooCommerce Product FAQ [WooCommerce Accordion FAQ Plugin]	faq-for-woocommerce
Zoho Campaigns	zoho-campaigns

WordPress Themes with Reported Vulnerabilities Last Week

Software Name	Software Slug
Blocksy	blocksy
CityLogic	citylogic
Default Mag	default-mag
Emmet Lite	emmet-lite
Gridsby	gridsby
HappenStance	happenstance
i-excel	i-excel
i-max	i-max
Lightning	lightning
Namaha	namaha
NewsXpress	newsxpress
Panoramic	panoramic
PopularFX	popularfx
Sarada Lite	sarada-lite
Sensible WP	sensible-wp
Shopstar!	shopstar
Sliding Door	sliding-door
Soledad	soledad
Spa and Salon	spa-and-salon
The Conference	the-conference
X-T9	x-t9

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

Realtyna Organic IDX plugin <= 4.14.4 – Unauthenticated SQL Injection

10.0

CVSS Rating
Critical (10.0)

CVE-ID
CVE-2024-32128

Patch Status
Unpatched

Published
Apr 12, 2024

Affected Software
Realtyna Organic IDX plugin + WPL Real Estate

Researcher