Wordfence Intelligence Weekly WordPress Vulnerability Report (August 5, 2024 to August 11, 2024)


📢 Did you know Wordfence runs a Bug Bounty Program for all WordPress plugins and themes at no cost to vendors? Through October 14th, researchers can earn up to $31,200 for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we handle all the rest.


Last week, there were 127 vulnerabilities disclosed in 110 WordPress Plugins and 6 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 46 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Alternatively, they can use the vulnerability Database API to receive a complete dump of our database of over 18,000 vulnerabilities, and then use the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.


New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.


Total Unpatched & Patched Vulnerabilities Last Week

Patch Status Number of Vulnerabilities
Patched 93
Unpatched 34

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating Number of Vulnerabilities
Low Severity 1
Medium Severity 96
High Severity 20
Critical Severity 10

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) 51
Missing Authorization 28
Information Exposure 11
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) 8
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) 8
Cross-Site Request Forgery (CSRF) 4
Deserialization of Untrusted Data 4
Unrestricted Upload of File with Dangerous Type 3
Authentication Bypass Using an Alternate Path or Channel 2
Improper Input Validation 2
Authorization Bypass Through User-Controlled Key 1
Improper Control of Generation of Code (‘Code Injection’) 1
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) 1
Improper Privilege Management 1
Server-Side Request Forgery (SSRF) 1
URL Redirection to Untrusted Site (‘Open Redirect’) 1

Researchers That Contributed to WordPress Security Last Week

Researcher Name Number of Vulnerabilities
11
10
9
7
7
5
4
4
4
4
4
3
3
3
3
3
3
2
2
2
2
2
2
2
2
2
2
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.


WordPress Plugins with Reported Vulnerabilities Last Week

Software Name Software Slug
140+ Widgets | Xpro Addons For Elementor – FREE xpro-elementor-addons
3D FlipBook – PDF Flipbook WordPress interactive-3d-flipbook-powered-physics-engine
Accept Stripe Payments stripe-payments
Advanced Cron Manager – debug & control advanced-cron-manager
affiliate-toolkit – WordPress Affiliate Plugin affiliate-toolkit-starter
AMP for WP – Accelerated Mobile Pages accelerated-mobile-pages
Appointment Booking Calendar Plugin and Scheduling Plugin – BookingPress bookingpress-appointment-booking
Aruba HiSpeed Cache aruba-hispeed-cache
BerqWP – Automated All-In-One PageSpeed Optimization Plugin for Core Web Vitals, Cache, CDN, Images, CSS, and JavaScript searchpro
BetterDocs – Best Documentation, FAQ & Knowledge Base Plugin with AI Support & Instant Answer for Elementor & Gutenberg betterdocs
Bitly’s WordPress Plugin wp-bitly
Blox Page Builder blox-page-builder
Booking for Appointments and Events Calendar – Amelia ameliabooking
Brizy – Page Builder brizy
BSK Forms Blacklist bsk-gravityforms-blacklist
Card Elements for Elementor card-elements-for-elementor
Chatbot Support AI: Free ChatGPT Chatbot, Woocommerce Chatbot chatbot-support-ai
Christmasify! christmasify
CM Tooltip Glossary enhanced-tooltipglossary
Cost Calculator Builder cost-calculator-builder
CRM Perks Forms – WordPress Form Builder crm-perks-forms
DL Robots.txt dl-robotstxt
DL Verification dl-verification
DL Yandex Metrika dl-yandex-metrika
Docket (WooCommerce Collections / Wishlist / Watchlist) woocommerce-collections
Easy Digital Downloads – eCommerce Payments and Subscriptions made easy easy-digital-downloads
Easy PayPal & Stripe Buy Now Button wp-ecommerce-paypal
Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) bdthemes-element-pack-lite
Enter Addons – Ultimate Template Builder for Elementor enteraddons
Event Manager and Tickets Selling Plugin for WooCommerce – WpEvently – WordPress Plugin mage-eventpress
EventPrime – Events Calendar, Bookings and Tickets eventprime-event-calendar-management
Falang multilanguage for WordPress falang
Filr – Secure document library filr-protection
Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager folders
Football Pool football-pool
Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder form-maker
FormCraft – Form Builder formcraft-form-builder
Fuse Social Floating Sidebar fuse-social-floating-sidebar
GeoDirectory – WP Business Directory Plugin and Classified Listings Directory geodirectory
Graphina – Elementor Charts and Graphs graphina-elementor-charts-and-graphs
Gutenberg Blocks, Page Builder – ComboBlocks post-grid
Gutenberg Page Builder Blocks & Ready-Made Patterns Library for Blogs, Magazines, Newspapers, and Business Websites. Easy One-Click Import, No Coding Needed! – Blockspare blockspare
Horizontal scrolling announcements horizontal-scrolling-announcements
Hummingbird Performance – Cache & Page Speed Optimization for Core Web Vitals | Critical CSS | Minify CSS | Defer CSS Javascript | CDN hummingbird-performance
HUSKY – Products Filter Professional for WooCommerce woocommerce-products-filter
Import and export users and customers import-users-from-csv-with-meta
JetGridBuilder — Grid Builder for Elementor and Gutenberg jetgridbuilder
Kodex Posts likes kodex-posts-likes
LA-Studio Element Kit for Elementor lastudio-element-kit
LearnPress – WordPress LMS Plugin learnpress
Lightbox & Modal Popup WordPress Plugin – FooBox foobox-image-lightbox
Linkify Text linkify-text
MainWP Child Reports mainwp-child-reports
Masteriyo LMS – eLearning and Online Course Builder for WordPress learning-management-system
Mediavine Control Panel mediavine-control-panel
Meta Box – WordPress Custom Fields Framework meta-box
Modern Events Calendar modern-events-calendar
Modern Events Calendar Lite modern-events-calendar-lite
MultiVendorX Marketplace – WooCommerce MultiVendor Marketplace Solution dc-woocommerce-multi-vendor
My Custom CSS PHP & ADS my-custom-css
myCred – Loyalty Points and Rewards plugin for WordPress and WooCommerce – Give Points, Ranks, Badges, Cashback, WooCommerce rewards, and WooCommerce credits for Gamification mycred
No Update Nag no-update-nag
Obfuscate Email obfuscate-email
Opal Membership opal-membership
Organization chart organization-chart
Paid Memberships Pro – Membership Maps Add On pmpro-membership-maps
ParcelPanel (Free to install) – Shipment Tracking, Tracking, and Order Tracking for WooCommerce parcelpanel
Participants Database participants-database
PDF Builder for WPForms pdf-builder-for-wpforms
Post Grid Master – Custom Post Types, Taxonomies & Ajax Filter Everything with Infinite Scroll, Load More, Pagination & Shortcode Builder ajax-filter-posts
Premium Addons for Elementor premium-addons-for-elementor
Products, Order & Customers Export for WooCommerce export-woocommerce
Registrations for the Events Calendar – Event Registration Plugin registrations-for-the-events-calendar
Reveal Template reveal-template
Robin image optimizer — save money on image compression robin-image-optimizer
Selection Lite selection-lite
Send Emails with Mandrill send-emails-with-mandrill
Sender – Newsletter, SMS and Email Marketing Automation for WooCommerce sender-net-automated-emails
Shared Files – Frontend File Upload Form & Secure File Sharing shared-files
Simple Local Avatars simple-local-avatars
Simple Share dts-simple-share
Slider & Popup Builder by Depicter – Add Image Slider, Carousel Slider, Exit Intent Popup, Popup Modal, Coupon Popup, Post Slider Carousel depicter
Slider by 10Web – Responsive Image Slider slider-wd
Slider by Soliloquy – Responsive Image Slider for WordPress soliloquy-lite
Social Slider Feed instagram-slider-widget
Spectra – WordPress Gutenberg Blocks ultimate-addons-for-gutenberg
StreamCast – Radio Player for WordPress streamcast
Sunshine Photo Cart: Free Client Photo Galleries for Photographers sunshine-photo-cart
Themify Shortcodes themify-shortcodes
Timeline and History slider timeline-and-history-slider
Tutor LMS – eLearning and online course solution tutor
TypeSquare Webfonts for エックスサーバー xserver-typesquare-webfonts
Ultimate Addons for Beaver Builder – Lite ultimate-addons-for-beaver-builder-lite
Ultimate Bootstrap Elements for Elementor ultimate-bootstrap-elements-for-elementor
Unite Gallery Lite unite-gallery-lite
Viral Signup – limited opt-in with viral refferal sharing viral-signup
Visual Website Collaboration, Feedback & Project Management – Atarim atarim-visual-collaboration
Waitlist Woocommerce ( Back in stock notifier ) waitlist-woocommerce
WappPress – Create Mobile App for any WordPress site with our Mobile App Builder in just 1 minute wapppress-builds-android-app-for-website
WooCommerce – Social Login woo-social-login
WooCommerce Product Table Lite wc-product-table-lite
WordPress Tour & Travel Booking Plugin for WooCommerce – WpTravelly tour-booking-manager
WP Dashboard Notes wp-dashboard-notes
WP Search Analytics search-analytics
WP Table Builder – WordPress Table Plugin wp-table-builder
WPBakery Visual Composer js_composer
WPCafe – Online Food Ordering, Restaurant Menu, Delivery, and Reservations for WooCommerce wp-cafe
WPSection wpsection
YaMaps for WordPress Plugin yamaps
ووکامرس فارسی persian-woocommerce

WordPress Themes with Reported Vulnerabilities Last Week

Software Name Software Slug
MDx MDx
MultiPurpose multipurpose
News Flash news-flash
Orchid Store orchid-store
The Next the-next
Woffice CRM woffice

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

CVSS Rating
Critical (10.0)
CVE-ID
CVE-2024-43144
Patch Status
Patched
Published
Aug 7, 2024

CVSS Rating
Critical (10.0)
CVE-ID
CVE-2024-43132
Patch Status
Patched
Published
Aug 7, 2024

CVSS Rating
Critical (10.0)
CVE-ID
CVE-2024-6926
Patch Status
Unpatched
Published
Aug 7, 2024

CVSS Rating
Critical (9.9)
CVE-ID
CVE-2024-43207
Patch Status
Unpatched
Published
Aug 9, 2024

CVSS Rating
Critical (9.8)
CVE-ID
CVE-2024-43153
Patch Status
Patched
Published
Aug 7, 2024

Affected Software
Woffice CRM
Researcher

CVSS Rating
Critical (9.8)
CVE-ID
CVE-2024-7503
Patch Status
Patched
Published
Aug 9, 2024

Affected Software
WooCommerce – Social Login
Researcher

CVSS Rating
High (8.8)
CVE-ID
CVE-2024-6315
Patch Status
Unpatched
Published
Aug 5, 2024

Affected Software
Blox Page Builder
Researcher

CVSS Rating
High (8.8)
CVE-ID
CVE-2023-5000
Patch Status
Patched
Published
Aug 5, 2024

CVSS Rating
High (8.8)
CVE-ID
CVE-2024-43221
Patch Status
Patched
Published
Aug 9, 2024

CVSS Rating
High (8.8)
CVE-ID
CVE-2024-7548
Patch Status
Patched
Published
Aug 7, 2024

Researcher

CVSS Rating
High (8.8)
CVE-ID
CVE-2024-7492
Patch Status
Patched
Published
Aug 7, 2024

Affected Software
MainWP Child Reports
Researcher

CVSS Rating
High (8.8)
CVE-ID
CVE-2024-7486
Patch Status
Unpatched
Published
Aug 7, 2024

Affected Software
MultiPurpose
Researcher

CVSS Rating
High (8.8)
CVE-ID
CVE-2024-7561
Patch Status
Unpatched
Published
Aug 7, 2024

Affected Software
The Next
Researcher

CVSS Rating
High (8.8)
CVE-ID
CVE-2024-43232
Patch Status
Patched
Published
Aug 9, 2024

CVSS Rating
High (8.8)
CVE-ID
CVE-2024-43140
Patch Status
Patched
Published
Aug 7, 2024

CVSS Rating
High (8.8)
CVE-ID
CVE-2024-5709
Patch Status
Patched
Published
Aug 5, 2024

CVSS Rating
High (8.8)
CVE-ID
CVE-2024-43165
Patch Status
Patched
Published
Aug 7, 2024

Affected Software
WPSection

CVSS Rating
High (8.5)
CVE-ID
CVE-2024-6522
Patch Status
Patched
Published
Aug 6, 2024

CVSS Rating
High (8.1)
CVE-ID
CVE-2024-43141
Patch Status
Patched
Published
Aug 7, 2024

Affected Software
Participants Database
Researcher

CVSS Rating
High (7.2)
CVE-ID
CVE-2024-7484
Patch Status
Patched
Published
Aug 5, 2024

CVSS Rating
High (7.2)
CVE-ID
CVE-2024-43236
Patch Status
Patched
Published
Aug 9, 2024

Researcher

CVSS Rating
High (7.2)
CVE-ID
CVE-2024-43121
Patch Status
Patched
Published
Aug 7, 2024

CVSS Rating
High (7.2)
CVE-ID
CVE-2024-7560
Patch Status
Unpatched
Published
Aug 7, 2024

Affected Software
News Flash
Researcher

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-43123
Patch Status
Patched
Published
Aug 7, 2024

Affected Software
Card Elements for Elementor
Researcher

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-43149
Patch Status
Patched
Published
Aug 7, 2024

Affected Software
CM Tooltip Glossary
Researcher

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-43155
Patch Status
Patched
Published
Aug 7, 2024

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-43225
Patch Status
Unpatched
Published
Aug 9, 2024

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-43139
Patch Status
Patched
Published
Aug 7, 2024

Affected Software
Football Pool
Researcher

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-5226
Patch Status
Patched
Published
Aug 7, 2024

Affected Software
Fuse Social Floating Sidebar
Researcher

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-43124
Patch Status
Patched
Published
Aug 7, 2024

Researcher

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-43210
Patch Status
Unpatched
Published
Aug 9, 2024

Researcher

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-6639
Patch Status
Patched
Published
Aug 9, 2024

Affected Software
MDx
Researcher

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-43218
Patch Status
Unpatched
Published
Aug 9, 2024

Affected Software
Mediavine Control Panel
Researcher

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-43147
Patch Status
Patched
Published
Aug 7, 2024

Affected Software
Selection Lite

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-43133
Patch Status
Patched
Published
Aug 7, 2024

Affected Software
Themify Shortcodes
Researcher

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-43151
Patch Status
Patched
Published
Aug 7, 2024

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-43226
Patch Status
Patched
Published
Aug 9, 2024

Affected Software
WP Dashboard Notes
Researcher

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-43125
Patch Status
Patched
Published
Aug 7, 2024

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-5708
Patch Status
Patched
Published
Aug 5, 2024

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-43150
Patch Status
Patched
Published
Aug 7, 2024

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-43224
Patch Status
Unpatched
Published
Aug 9, 2024

Affected Software
YaMaps for WordPress Plugin
Researcher

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-43233
Patch Status
Patched
Published
Aug 9, 2024

Affected Software
BSK Forms Blacklist
Researcher

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-7574
Patch Status
Patched
Published
Aug 9, 2024

Affected Software
Christmasify!
Researcher

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-43220
Patch Status
Unpatched
Published
Aug 9, 2024

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-43217
Patch Status
Unpatched
Published
Aug 9, 2024

Affected Software
Kodex Posts likes
Researcher

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-7649
Patch Status
Unpatched
Published
Aug 9, 2024

Affected Software
Opal Membership
Researcher

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-43163
Patch Status
Patched
Published
Aug 7, 2024

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-43127
Patch Status
Patched
Published
Aug 7, 2024

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-43213
Patch Status
Unpatched
Published
Aug 9, 2024

CVSS Rating
Medium (5.5)
CVE-ID
CVE-2024-43231
Patch Status
Patched
Published
Aug 9, 2024

CVSS Rating
Medium (5.4)
CVE-ID
CVE-2024-7353
Patch Status
Patched
Published
Aug 6, 2024

Affected Software
Accept Stripe Payments
Researcher

CVSS Rating
Medium (5.4)
CVE-ID
CVE-2024-6869
Patch Status
Patched
Published
Aug 7, 2024

Researcher

CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-6562
Patch Status
Unpatched
Published
Aug 8, 2024

CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-43209
Patch Status
Unpatched
Published
Aug 9, 2024

Affected Software
Bitly’s WordPress Plugin
Researcher

CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-6552
Patch Status
Patched
Published
Aug 7, 2024

CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-43223
Patch Status
Patched
Published
Aug 9, 2024

CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-38787
Patch Status
Patched
Published
Aug 7, 2024

Researcher

CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-7382
Patch Status
Unpatched
Published
Aug 8, 2024

Affected Software
Linkify Text
Researcher

CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-43158
Patch Status
Patched
Published
Aug 7, 2024

CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-43159
Patch Status
Patched
Published
Aug 7, 2024

CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-7410
Patch Status
Unpatched
Published
Aug 8, 2024

Affected Software
My Custom CSS PHP & ADS
Researcher

CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-7412
Patch Status
Unpatched
Published
Aug 8, 2024

Affected Software
No Update Nag
Researcher

CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-7413
Patch Status
Unpatched
Published
Aug 8, 2024

Affected Software
Obfuscate Email
Researcher

CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-7414
Patch Status
Patched
Published
Aug 8, 2024

Affected Software
PDF Builder for WPForms
Researcher

CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-43219
Patch Status
Patched
Published
Aug 9, 2024

Affected Software
ووکامرس فارسی
Researcher

CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-7416
Patch Status
Unpatched
Published
Aug 8, 2024

Affected Software
Reveal Template
Researcher

CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-43230
Patch Status
Patched
Published
Aug 9, 2024

CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-43142
Patch Status
Patched
Published
Aug 7, 2024

CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-43120
Patch Status
Patched
Published
Aug 7, 2024

CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-43212
Patch Status
Unpatched
Published
Aug 9, 2024

CVSS Rating
Medium (4.9)
CVE-ID
CVE-2024-7355
Patch Status
Patched
Published
Aug 7, 2024

Affected Software
Organization chart
Researcher

CVSS Rating
Medium (4.8)
CVE-ID
CVE-2024-43128
Patch Status
Patched
Published
Aug 7, 2024

Affected Software
WooCommerce Product Table Lite
Researcher

CVSS Rating
Medium (4.4)
CVE-ID
CVE-2024-6722
Patch Status
Unpatched
Published
Aug 6, 2024

CVSS Rating
Medium (4.4)
CVE-ID
CVE-2024-6797
Patch Status
Unpatched
Published
Aug 10, 2024

Affected Software
DL Robots.txt
Researcher

CVSS Rating
Medium (4.4)
CVE-ID
CVE-2024-6798
Patch Status
Unpatched
Published
Aug 10, 2024

Affected Software
DL Verification
Researcher

CVSS Rating
Medium (4.4)
CVE-ID
CVE-2024-6462
Patch Status
Unpatched
Published
Aug 6, 2024

Affected Software
DL Yandex Metrika
Researcher

CVSS Rating
Medium (4.4)
CVE-ID
CVE-2024-43216
Patch Status
Unpatched
Published
Aug 9, 2024

Researcher

CVSS Rating
Medium (4.4)
CVE-ID
CVE-2024-43130
Patch Status
Patched
Published
Aug 7, 2024

Affected Software
Football Pool
Researcher

CVSS Rating
Medium (4.4)
CVE-ID
CVE-2024-43148
Patch Status
Patched
Published
Aug 7, 2024

CVSS Rating
Medium (4.4)
CVE-ID
CVE-2024-6927
Patch Status
Unpatched
Published
Aug 7, 2024

CVSS Rating
Medium (4.4)
CVE-ID
CVE-2024-7556
Patch Status
Unpatched
Published
Aug 10, 2024

Affected Software
Simple Share

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-43154
Patch Status
Patched
Published
Aug 7, 2024

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-43146
Patch Status
Patched
Published
Aug 7, 2024

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-43119
Patch Status
Patched
Published
Aug 7, 2024

Affected Software
Aruba HiSpeed Cache
Researcher(s): Unknown

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-6254
Patch Status
Patched
Published
Aug 7, 2024

Affected Software
Brizy – Page Builder
Researcher

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-43162
Patch Status
Patched
Published
Aug 7, 2024

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-43157
Patch Status
Patched
Published
Aug 7, 2024

Affected Software
FormCraft – Form Builder
Researcher

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-43235
Patch Status
Patched
Published
Aug 9, 2024

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-7648
Patch Status
Unpatched
Published
Aug 9, 2024

Affected Software
Opal Membership
Researcher

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-6987
Patch Status
Patched
Published
Aug 7, 2024

Affected Software
Orchid Store
Researcher

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-1286
Patch Status
Patched
Published
Aug 9, 2024

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-43143
Patch Status
Patched
Published
Aug 7, 2024

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-43122
Patch Status
Patched
Published
Aug 7, 2024

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-43208
Patch Status
Unpatched
Published
Aug 9, 2024

Affected Software
Send Emails with Mandrill
Researcher

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-43116
Patch Status
Patched
Published
Aug 7, 2024

Affected Software
Simple Local Avatars
Researcher

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-43215
Patch Status
Unpatched
Published
Aug 9, 2024

Affected Software
Social Slider Feed
Researcher

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-43136
Patch Status
Patched
Published
Aug 7, 2024

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-43134
Patch Status
Patched
Published
Aug 7, 2024

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-43229
Patch Status
Patched
Published
Aug 9, 2024

Affected Software
WP Search Analytics
Researcher


As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us through our Bug Bounty Program, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (August 5, 2024 to August 11, 2024) appeared first on Wordfence.
