Did you know we’re running a Bug Bounty Extravaganza again?
Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through February 29th, 2024 when you opt to have Wordfence handle responsible disclosure!
Last week, there were 76 vulnerabilities disclosed in 62 WordPress Plugins and 1 WordPress Theme that have been added to the Wordfence Intelligence Vulnerability Database, and there were 30 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.
Enterprises, hosting providers, and even individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Alternatively, they can use the Vulnerability Database API to receive a complete dump of our database of over 14,000 vulnerabilities and then use the webhook integration to stay on top of newly added vulnerabilities in real time, as well as any updates made to the database, all for free.
Click here to sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real time to our Premium, Care, and Response customers last week:
- WAF-RULE-678 – data redacted while we work with the vendor on a patch.
- Bricks <= 1.9.6 – Unauthenticated Remote Code Execution
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30-day delay.
Total Unpatched & Patched Vulnerabilities Last Week
Patch Status | Number of Vulnerabilities |
---|---|
Patched | 58 |
Unpatched | 18 |
Total Vulnerabilities by CVSS Severity Last Week
Severity Rating | Number of Vulnerabilities |
---|---|
Medium Severity | 62 |
High Severity | 3 |
Critical Severity | 11 |
Total Vulnerabilities by CWE Type Last Week
Vulnerability Type by CWE | Number of Vulnerabilities |
---|---|
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 31 |
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | 9 |
Missing Authorization | 9 |
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 6 |
Cross-Site Request Forgery (CSRF) | 4 |
Improper Access Control | 3 |
Information Exposure | 3 |
Improper Control of Generation of Code (‘Code Injection’) | 2 |
Information Exposure Through Log Files | 2 |
Protection Mechanism Failure | 2 |
Unrestricted Upload of File with Dangerous Type | 2 |
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) | 1 |
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 1 |
Server-Side Request Forgery (SSRF) | 1 |
Researchers That Contributed to WordPress Security Last Week
Number of Vulnerabilities | Researcher Name |
---|---|
7 | |
7 | |
7 | |
5 | |
4 | |
4 | |
4 | |
3 | |
3 | |
3 | |
3 | |
2 | |
2 | |
2 | |
2 | |
2 | |
2 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
Software Name | Software Slug |
---|---|
Action Network | wp-action-network |
Best WordPress Gallery Plugin – FooGallery | foogallery |
Bold Page Builder | bold-page-builder |
Booster for WooCommerce | woocommerce-jetpack |
Broken Link Checker | broken-link-checker |
Canto | canto |
Comments Like Dislike | comments-like-dislike |
Community by PeepSo – Social Network, Membership, Registration, User Profiles | peepso-core |
Custom Field Template | custom-field-template |
Cwicly | cwicly |
Defender Security – Malware Scanner, Login Security & Firewall | defender-security |
Directorist – WordPress Business Directory Plugin with Classified Ads Listings | directorist |
Doofinder WP & WooCommerce Search | doofinder-for-woocommerce |
Easy Forms for Mailchimp | yikes-inc-easy-mailchimp-extender |
Elementor Addons by Livemesh | addons-for-elementor |
Email Encoder – Protect Email Addresses and Phone Numbers | email-encoder-bundle |
EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor | embedpress |
Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders | essential-addons-for-elementor-lite |
Frontend File Manager Plugin | nmedia-user-file-uploader |
Happy Addons for Elementor | happy-elementor-addons |
InstaWP Connect – 1-click WP Staging & Migration | instawp-connect |
Landing Page Cat – Coming Soon Page, Maintenance Page & Squeeze Pages | landing-page-cat |
Malware Scanner | miniorange-malware-protection |
Maspik – Spam Blacklist | contact-forms-anti-spam |
MasterStudy LMS WordPress Plugin – for Online Courses and Education | masterstudy-lms-learning-management-system |
Microsoft Clarity | microsoft-clarity |
moveto | moveto |
Multi Step Form | multi-step-form |
My Private Site | jonradio-private-site |
MyWaze | my-waze |
NEX-Forms – Ultimate Form Builder – Contact forms and much more | nex-forms-express-wp-form-builder |
Ocean Extra | ocean-extra |
Page scroll to id | page-scroll-to-id |
Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction | paid-member-subscriptions |
Paytium: Mollie payment forms & donations | paytium |
PB oEmbed HTML5 Audio – with Cache Support | pb-oembed-html5-audio-with-cache-support |
Peach Payments Gateway | wc-peach-payments-gateway |
Pexels: Free Stock Photos | wp-pexels-free-stock-photos |
Piraeus Bank WooCommerce Payment Gateway | woo-payment-gateway-for-piraeus-bank |
PJ News Ticker | pj-news-ticker |
postMash – custom post order | postmash |
PowerPack Addons for Elementor (Free Widgets, Extensions and Templates) | powerpack-lite-for-elementor |
Premium Addons for Elementor | premium-addons-for-elementor |
Simple Share Buttons Adder | simple-share-buttons-adder |
SiteOrigin Widgets Bundle | so-widgets-bundle |
Sitepact’s Contact Form 7 Extension For Klaviyo | sitepact-klaviyo-contact-form-7 |
SKT Page Builder | skt-builder |
SMTP Mail | smtp-mail |
Sunshine Photo Cart: Free Client Galleries for Photographers | sunshine-photo-cart |
Sydney Toolbox | sydney-toolbox |
SysBasics Easy Checkout Field Editor, Fees & Discounts | phppoet-checkout-fields |
TinyMCE and TinyMCE Advanced Professsional Formats and Styles | tinymce-and-tinymce-advanced-professsional-formats-and-styles |
TNC PDF viewer | pdf-viewer-by-themencode |
Ultimate Posts Widget | ultimate-posts-widget |
Ultimate Reviews | ultimate-reviews |
Widgets Controller | widgets-controller |
WP Activity Log | wp-security-audit-log |
WP Editor | wp-editor |
WP Maintenance | wp-maintenance |
WP Setup Wizard | wp-setup-wizard |
WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc | wp-sms |
wp-media-folder | wp-media-folder |
WordPress Themes with Reported Vulnerabilities Last Week
Software Name | Software Slug |
---|---|
Bricks | bricks |
Vulnerability Details
Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.
Severity | CVE | Patch Status | Date | Software Name | Vulnerability |
---|---|---|---|---|---|
Critical (9.8) | CVE-2024-25600 | Patched | Feb 13, 2024 | | |
Critical (9.8) | CVE-2024-25096 | Unpatched | Feb 12, 2024 | Canto | |
Critical (9.8) | CVE-2024-1512 | Patched | Feb 16, 2024 | MasterStudy LMS WordPress Plugin – for Online Courses and Education | |
Critical (9.8) | CVE-2024-25912 | Unpatched | Feb 12, 2024 | | |
Critical (9.8) | CVE-2024-25913 | Unpatched | Feb 12, 2024 | | |
Critical (9.8) | CVE-2024-25911 | Unpatched | Feb 12, 2024 | | |
Critical (9.8) | CVE-2024-25910 | Unpatched | Feb 12, 2024 | | |
Critical (9.8) | CVE-2024-0610 | Patched | Feb 16, 2024 | Piraeus Bank WooCommerce Payment Gateway | |
Critical (9.8) | CVE-2024-25927 | Unpatched | Feb 15, 2024 | postMash – custom post order | |
Critical (9.8) | CVE-2024-25928 | Unpatched | Feb 15, 2024 | Sitepact’s Contact Form 7 Extension For Klaviyo | |
Critical (9.8) | CVE-2024-25925 | Patched | Feb 14, 2024 | SysBasics Easy Checkout Field Editor, Fees & Discounts | |
High (8.8) | CVE-2024-24707 | Patched | Feb 14, 2024 | | |
High (8.8) | CVE-2024-25918 | Patched | Feb 14, 2024 | InstaWP Connect – 1-click WP Staging & Migration | |
High (7.5) | CVE-2024-25095 | Unpatched | Feb 12, 2024 | Easy Forms for Mailchimp | |
Medium (6.6) | CVE-2024-25902 | Unpatched | Feb 12, 2024 | Malware Scanner | |
Medium (6.5) | CVE-2024-25923 | Patched | Feb 14, 2024 | | |
Medium (6.5) | CVE-2024-25595 | Patched | Feb 12, 2024 | Defender Security – Malware Scanner, Login Security & Firewall | |
Medium (6.5) | CVE-2024-25917 | Patched | Feb 14, 2024 | WP Setup Wizard | |
Medium (6.4) | CVE-2024-1159 | Patched | Feb 12, 2024 | Bold Page Builder | |
Medium (6.4) | CVE-2024-1054 | Patched | Feb 12, 2024 | Booster for WooCommerce | |
Medium (6.4) | CVE-2024-25919 | Patched | Feb 14, 2024 | Custom Field Template | |
Medium (6.4) | CVE-2024-1282 | Patched | Feb 13, 2024 | Email Encoder – Protect Email Addresses and Phone Numbers | |
Medium (6.4) | CVE-2024-1349 | Patched | Feb 14, 2024 | | |
Medium (6.4) | CVE-2024-1425 | Patched | Feb 14, 2024 | | |
Medium (6.4) | CVE-2024-1236 | Patched | Feb 12, 2024 | Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders | |
Medium (6.4) | CVE-2024-1276 | Patched | Feb 12, 2024 | Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders | |
Medium (6.4) | CVE-2024-0438 | Patched | Feb 13, 2024 | Happy Addons for Elementor | |
Medium (6.4) | CVE-2024-0838 | Patched | Feb 13, 2024 | Happy Addons for Elementor | |
Medium (6.4) | CVE-2024-25598 | Patched | Feb 12, 2024 | Elementor Addons by Livemesh | |
Medium (6.4) | CVE-2024-25594 | Unpatched | Feb 12, 2024 | MyWaze | |
Medium (6.4) | CVE-2024-25593 | Patched | Feb 12, 2024 | NEX-Forms – Ultimate Form Builder – Contact forms and much more | |
Medium (6.4) | CVE-2024-1277 | Patched | Feb 16, 2024 | Ocean Extra | |
Medium (6.4) | CVE-2024-1445 | Patched | Feb 16, 2024 | Page scroll to id | Page scroll to id <= 1.7.8 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode |
Medium (6.4) | CVE-2024-25099 | Patched | Feb 12, 2024 | Paytium: Mollie payment forms & donations | |
Medium (6.4) | CVE-2024-25098 | Unpatched | Feb 12, 2024 | PB oEmbed HTML5 Audio – with Cache Support | |
Medium (6.4) | CVE-2024-25094 | Unpatched | Feb 12, 2024 | PJ News Ticker | PJ News Ticker <= 6.8.10 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode |
Medium (6.4) | CVE-2024-1411 | Patched | Feb 15, 2024 | PowerPack Addons for Elementor (Free Widgets, Extensions and Templates) | |
Medium (6.4) | CVE-2024-1242 | Patched | Feb 14, 2024 | Premium Addons for Elementor | Premium Addons for Elementor <= 4.10.18 – Authenticated (Contributor+) Stored Cross-Site Scripting |
Medium (6.4) | CVE-2024-1070 | Patched | Feb 12, 2024 | SiteOrigin Widgets Bundle | |
Medium (6.4) | CVE-2024-1058 | Patched | Feb 12, 2024 | SiteOrigin Widgets Bundle | |
Medium (6.4) | CVE-2024-1447 | Patched | Feb 14, 2024 | Sydney Toolbox | |
Medium (6.4) | CVE-2024-25097 | Patched | Feb 12, 2024 | TNC PDF viewer | TNC PDF viewer <= 2.8.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode |
Medium (6.4) | CVE-2024-25920 | Patched | Feb 14, 2024 | WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc | |
Medium (6.1) | CVE-2024-25921 | Patched | Feb 14, 2024 | Action Network | |
Medium (6.1) | CVE-2024-0590 | Patched | Feb 16, 2024 | Microsoft Clarity | |
Medium (6.1) | CVE-2024-25597 | Patched | Feb 12, 2024 | Ultimate Reviews | |
Medium (6.1) | CVE-2024-25926 | Unpatched | Feb 15, 2024 | Widgets Controller | |
Medium (6.1) | CVE-2023-50905 | Patched | Feb 14, 2024 | WP Activity Log | |
Medium (5.4) | CVE-2024-1157 | Patched | Feb 12, 2024 | Bold Page Builder | Bold Page Builder <= 4.8.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Button URL |
Medium (5.4) | CVE-2024-1160 | Patched | Feb 12, 2024 | Bold Page Builder | Bold Page Builder <= 4.8.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Icon Link |
Medium (5.4) | CVE-2024-1172 | Patched | Feb 12, 2024 | Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders | |
Medium (5.4) | CVE-2024-1171 | Patched | Feb 12, 2024 | Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders | |
Medium (5.4) | CVE-2024-25915 | Unpatched | Feb 12, 2024 | Pexels: Free Stock Photos | |
Medium (5.3) | CVE-2024-1322 | Patched | Feb 12, 2024 | | |
Medium (5.3) | CVE-2024-25903 | Patched | Feb 12, 2024 | Frontend File Manager Plugin | |
Medium (5.3) | CVE-2024-0708 | Patched | Feb 14, 2024 | Landing Page Cat – Coming Soon Page, Maintenance Page & Squeeze Pages | |
Medium (5.3) | CVE-2024-0978 | Patched | Feb 16, 2024 | My Private Site | My Private Site <= 3.0.14 – Improper Access Control to Sensitive Information Exposure via REST API |
Medium (5.3) | CVE-2024-1389 | Patched | Feb 13, 2024 | Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction | |
Medium (5.3) | CVE-2024-25914 | Unpatched | Feb 12, 2024 | SMTP Mail | |
Medium (5.3) | CVE-2024-1294 | Patched | Feb 12, 2024 | Sunshine Photo Cart: Free Client Galleries for Photographers | |
Medium (5.3) | CVE-2024-25591 | Patched | Feb 12, 2024 | WP Editor | |
Medium (5.3) | CVE-2024-1472 | Patched | Feb 16, 2024 | WP Maintenance | |
Medium (4.9) | CVE-2024-0326 | Patched | Feb 14, 2024 | Premium Addons for Elementor | |
Medium (4.4) | CVE-2024-0604 | Patched | Feb 14, 2024 | Best WordPress Gallery Plugin – FooGallery | |
Medium (4.4) | CVE-2024-25592 | Patched | Feb 12, 2024 | Broken Link Checker | |
Medium (4.4) | CVE-2024-25596 | Patched | Feb 12, 2024 | Doofinder WP & WooCommerce Search | |
Medium (4.4) | CVE-2024-25101 | Patched | Feb 12, 2024 | Maspik – Spam Blacklist | |
Medium (4.4) | CVE-2024-0621 | Patched | Feb 14, 2024 | Simple Share Buttons Adder | |
Medium (4.4) | CVE-2024-0561 | Patched | Feb 13, 2024 | Ultimate Posts Widget | |
Medium (4.3) | CVE-2024-25906 | Unpatched | Feb 12, 2024 | Comments Like Dislike | |
Medium (4.3) | CVE-2024-25905 | Unpatched | Feb 12, 2024 | Multi Step Form | |
Medium (4.3) | CVE-2024-1390 | Patched | Feb 13, 2024 | Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction | |
Medium (4.3) | CVE-2024-25922 | Patched | Feb 14, 2024 | Peach Payments Gateway | |
Medium (4.3) | CVE-2024-1337 | Patched | Feb 12, 2024 | SKT Page Builder | |
Medium (4.3) | CVE-2024-25904 | Unpatched | Feb 12, 2024 | TinyMCE and TinyMCE Advanced Professsional Formats and Styles | |
Medium (4.3) | CVE-2024-25907 | Patched | Feb 12, 2024 | wp-media-folder | |
As a reminder, Wordfence has curated an industry-leading vulnerability database, known as Wordfence Intelligence, covering all known WordPress core, theme, and plugin vulnerabilities.
This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, through vulnerability researchers submitting directly to us via our Bug Bounty Program, and by monitoring various sources to capture all publicly available WordPress vulnerability information, adding additional context where we can.
The post Wordfence Intelligence Weekly WordPress Vulnerability Report (February 12, 2024 to February 18, 2024) appeared first on Wordfence.