Did you know we’re running a Bug Bounty Extravaganza again?
Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through February 29th, 2024 when you opt to have Wordfence handle responsible disclosure!
Last week, there were 95 vulnerabilities disclosed in 65 WordPress Plugins and 3 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 33 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.
Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Alternatively, they can use the Vulnerability Database API to receive a complete dump of our database of over 12,000 vulnerabilities, and then use the webhook integration to stay on top of the newest vulnerabilities added in real time, as well as any updates made to the database, all for free.
Click here to sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
- WAF-RULE-675 – data redacted while we work with the vendor on a patch.
- WAF-RULE-676 – data redacted while we work with the vendor on a patch.
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30-day delay.
Total Unpatched & Patched Vulnerabilities Last Week
| Patch Status | Number of Vulnerabilities |
| --- | --- |
| Unpatched | 13 |
| Patched | 82 |
Total Vulnerabilities by CVSS Severity Last Week
| Severity Rating | Number of Vulnerabilities |
| --- | --- |
| Low Severity | 2 |
| Medium Severity | 82 |
| High Severity | 7 |
| Critical Severity | 4 |
Total Vulnerabilities by CWE Type Last Week
| Vulnerability Type by CWE | Number of Vulnerabilities |
| --- | --- |
| Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 30 |
| Cross-Site Request Forgery (CSRF) | 21 |
| Missing Authorization | 18 |
| Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 5 |
| Information Exposure | 3 |
| Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | 3 |
| Deserialization of Untrusted Data | 2 |
| Authorization Bypass Through User-Controlled Key | 2 |
| Improper Access Control | 2 |
| Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 2 |
| Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) | 1 |
| Uncontrolled Resource Consumption (‘Resource Exhaustion’) | 1 |
| Server-Side Request Forgery (SSRF) | 1 |
| Insecure Storage of Sensitive Information | 1 |
| Incorrect Authorization | 1 |
| Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’) | 1 |
| Improper Authorization | 1 |
Researchers That Contributed to WordPress Security Last Week
| Researcher Name | Number of Vulnerabilities |
| --- | --- |
| Francesco Carlucci | 24 |
| Lucio Sá | 10 |
| Dhabaleshwar Das | 7 |
| Webbernaut | 6 |
| Dimas Maulana | 3 |
| Ngô Thiên An (ancorn_) | 3 |
| Krzysztof Zając | 3 |
| beluga | 2 |
| Sh | 2 |
| Rhynorater | 2 |
| kodaichodai | 2 |
| Kyle Sanchez | 2 |
| Felipe Restrepo Rodriguez (pfelilpe) | 2 |
| István Márton (Wordfence Vulnerability Researcher) | 2 |
| Rafie Muhammad | 2 |
| Sean Murphy | 2 |
| stealthcopter | 2 |
| hir0ot | 1 |
| Dave Jong | 1 |
| Le Ngoc Anh | 1 |
| villu164 | 1 |
| Colin Xu | 1 |
| Christian Angel | 1 |
| LVT-tholv2k | 1 |
| wesley (wcraft) | 1 |
| Dmitrii Ignatyev | 1 |
| Abu Hurayra (HurayraIIT) | 1 |
| Muhammad Hassham Nagori | 1 |
| Abdi Pranata | 1 |
| Skalucy | 1 |
| Pham Ho Anh Dung | 1 |
| Savphill | 1 |
| Scott Kingsley Clark | 1 |
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added to the Wordfence Intelligence leaderboard, along with a mention in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
| --- | --- |
| 3D Tag Cloud | cardoza-3d-tag-cloud |
| AMP for WP – Accelerated Mobile Pages | accelerated-mobile-pages |
| Admin Menu Editor | admin-menu-editor |
| Advanced Forms for ACF | advanced-forms |
| All 404 Pages Redirect to Homepage | all-404-pages-redirect-to-homepage |
| All-In-One Security (AIOS) – Security and Firewall | all-in-one-wp-security-and-firewall |
| Apollo13 Framework Extensions | apollo13-framework-extensions |
| Awesome Support – WordPress HelpDesk & Support Plugin | awesome-support |
| Backuply – Backup, Restore, Migrate and Clone | backuply |
| Basic Log Viewer | wpsimpletools-log-viewer |
| Before After Image Slider WP | before-after-image-slider |
| Buttons Shortcode and Widget | buttons-shortcode-and-widget |
| Contact Form 7 Connector | ari-cf7-connector |
| Content Cards | content-cards |
| Coupon Referral Program | coupon-referral-program |
| Custom Twitter Feeds – A Tweets Widget or X Feed Widget | custom-twitter-feeds |
| Customer Reviews for WooCommerce | customer-reviews-woocommerce |
| Elementor Addon Elements | addon-elements-for-elementor-page-builder |
| Elementor Addons by Livemesh | addons-for-elementor |
| Elementor Website Builder – More than Just a Page Builder | elementor |
| Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin | wp-event-solution |
| Honeypot for WP Comment | honeypot-for-wp-comment |
| ImageRecycle pdf & image compression | imagerecycle-pdf-image-compression |
| InfiniteWP Client | iwp-client |
| Insert PHP Code Snippet | insert-php-code-snippet |
| Internal Link Juicer: SEO Auto Linker for WordPress | internal-links |
| Link Library | link-library |
| Login Lockdown – Protect Login Form | login-lockdown |
| Matomo Analytics – Ethical Stats. Powerful Insights. | matomo |
| Meta Box – WordPress Custom Fields Framework | meta-box |
| Minimal Coming Soon – Coming Soon Page | minimal-coming-soon-maintenance-mode |
| My Calendar | my-calendar |
| NextMove Lite – Thank You Page for WooCommerce | woo-thank-you-page-nextmove-lite |
| PPWP – Password Protect Pages | password-protect-page |
| Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions | paid-memberships-pro |
| Passster – Password Protect Pages and Content | content-protector |
| Payment Forms for Paystack | payment-forms-for-paystack |
| Photos and Files Contest Gallery – Contact Form, Upload Form, Social Share and Voting Plugin for WordPress | contest-gallery |
| Podlove Podcast Publisher | podlove-podcasting-plugin-for-wordpress |
| Podlove Subscribe button | podlove-subscribe-button |
| Polls CP | cp-polls |
| Portugal CTT Tracking for WooCommerce | portugal-ctt-tracking-woocommerce |
| PowerPack Addons for Elementor (Free Widgets, Extensions and Templates) | powerpack-lite-for-elementor |
| Prime Slider – Addons For Elementor (Revolution of a slider, Hero Slider, Media Slider, Drag Drop Slider, Video Slider, Product Slider, Ecommerce Slider) | bdthemes-prime-slider-lite |
| Product Labels For Woocommerce (Sale Badges) | aco-product-labels-for-woocommerce |
| Quiz Maker | quiz-maker |
| RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator | feedzy-rss-feeds |
| RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging | wp-rss-aggregator |
| Royal Elementor Addons and Templates | royal-elementor-addons |
| Shariff Wrapper | shariff |
| Shield Security – Smart Bot Blocking & Intrusion Prevention Security | wp-simple-firewall |
| Simple Page Access Restriction | simple-page-access-restriction |
| Starbox – the Author Box for Humans | starbox |
| Themify Builder | themify-builder |
| Timeline Widget For Elementor (Elementor Timeline, Vertical & Horizontal Timeline) | timeline-widget-addon-for-elementor |
| VK Poster Group | vk-poster-group |
| WP 404 Auto Redirect to Similar Post | wp-404-auto-redirect-to-similar-post |
| WP Booking Calendar | booking |
| WP Club Manager – WordPress Sports Club Plugin | wp-club-manager |
| WP Contact Form | wp-contact-form |
| WP Recipe Maker | wp-recipe-maker |
| WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc | wp-sms |
| WP Shortcodes Plugin — Shortcodes Ultimate | shortcodes-ultimate |
| Wonder Slider Lite | wonderplugin-slider-lite |
| Woocommerce Vietnam Checkout | woo-vietnam-checkout |
WordPress Themes with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
| --- | --- |
| Blocksy | blocksy |
| Royal Elementor Kit | royal-elementor-kit |
| brooklyn | brooklyn |
Vulnerability Details
Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.
Shield Security – Smart Bot Blocking & Intrusion Prevention Security <= 18.5.9 – Unauthenticated Local File Inclusion
CVE ID: CVE-2023-6989
CVSS Score: 9.8 (Critical)
Researcher/s: hir0ot
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/063826cc-7ff3-4869-9831-f6a4a4bbe74c
Coupon Referral Program <= 1.7.2 – Unauthenticated PHP Object Injection
CVE ID: CVE-2024-25100
CVSS Score: 9.8 (Critical)
Researcher/s: Dave Jong
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0e556ca2-1b83-4589-bff8-64323eb594e7
Booking Calendar <= 9.9 – Unauthenticated SQL Injection
CVE ID: CVE-2024-1207
CVSS Score: 9.8 (Critical)
Researcher/s: Muhammad Hassham Nagori
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7802ed1f-138c-4a3d-916c-80fb4f7699b2
Honeypot for WP Comment <= 2.2.3 – Directory Traversal to Unauthenticated Arbitrary File Deletion
CVE ID: CVE-2024-1350
CVSS Score: 9.1 (Critical)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b6b0bb48-eb61-4236-a03f-19d5d2084a75
Elementor <= 3.19.0 – Authenticated (Contributor+) Arbitrary File Deletion and PHAR Deserialization
CVE ID: CVE-2024-24934
CVSS Score: 8.8 (High)
Researcher/s: Rhynorater
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4915b769-9499-40ac-835e-279e3a910558
Awesome Support – WordPress HelpDesk & Support Plugin <= 6.1.7 – Authenticated (Subscriber+) SQL Injection
CVE ID: CVE-2024-0594
CVSS Score: 8.8 (High)
Researcher/s: Krzysztof Zając
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8494a0f6-7079-4fba-9901-76932b002c5a
WP Recipe Maker <= 9.1.2 – Missing Authorization to Authenticated (Subscriber+) SQL Injection
CVE ID: CVE-2024-1206
CVSS Score: 8.8 (High)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b10d8f8a-517f-4286-b501-0ca040529362
RSS Aggregator by Feedzy <= 4.4.2 – Authenticated (Contributor+) SQL Injection
CVE ID: CVE-2024-1317
CVSS Score: 8.8 (High)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cf57aeaa-e37e-4b22-aeaa-f0a9f4877484
Podlove Subscribe button <= 1.3.10 – Authenticated (Contributor+) SQL Injection
CVE ID: CVE-2024-1118
CVSS Score: 8.8 (High)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f234f05f-e377-4e89-81e1-f47ff44eebc5
Backuply – Backup, Restore, Migrate and Clone <= 1.2.5 – Denial of Service
CVE ID: CVE-2024-0842
CVSS Score: 7.5 (High)
Researcher/s: villu164
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1f955d88-ab4c-4cf4-a23b-91119d412716
Brooklyn <= 4.9.7.6 – PHP Object Injection
CVE ID: CVE-2024-24926
CVSS Score: 7.5 (High)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5dd962a5-ec0e-415f-8efa-91e78bb80d16
NextMove Lite <= 2.17.0 – Missing Authorization to Authenticated (Subscriber+) Plugin Activation
CVE ID: CVE-2024-25092
CVSS Score: 6.5 (Medium)
Researcher/s: beluga
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0b04ab77-880b-423a-bba6-59822f0463bc
RSS Aggregator by Feedzy <= 4.4.2 – Missing Authorization to Arbitrary Page Creation and Publication
CVE ID: CVE-2024-1318
CVSS Score: 6.5 (Medium)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/181edcec-a57d-4516-935d-6777d2de77ae
AMP for WP <= 1.0.93.1 – Authenticated (Contributor+) Arbitrary Post Deletion via amppb_remove_saved_layout_data
CVE ID: CVE-2024-1043
CVSS Score: 6.5 (Medium)
Researcher/s: Sean Murphy
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ffb70e82-355b-48f3-92d0-19659ed2550e
WP Shortcodes Plugin — Shortcodes Ultimate <= 7.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
CVE ID: CVE-2024-0792
CVSS Score: 6.4 (Medium)
Researcher/s: Webbernaut
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0d8c043c-e347-4dc8-8a72-943a7e6c4394
Starbox <= 3.4.8 – Authenticated (Subscriber+) Stored Cross-Site Scripting via Job Settings
CVE ID: CVE-2023-6806
CVSS Score: 6.4 (Medium)
Researcher/s: Sh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1f413fc2-8543-4478-987d-d983581027bf
Royal Elementor Addons and Templates <= 1.3.87 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2024-0442
CVSS Score: 6.4 (Medium)
Researcher/s: Webbernaut
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/256b4818-290b-4660-8e83-c18b068a8959
Meta Box – WordPress Custom Fields Framework <= 5.9.2 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2023-6526
CVSS Score: 6.4 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2a6bfc87-6135-4d49-baa2-e8e6291148dc
Apollo13 Framework Extensions <= 1.9.2 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2024-24880
CVSS Score: 6.4 (Medium)
Researcher/s: LVT-tholv2k
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/33386b7b-fae3-42a4-96d3-df3cdc342317
Content Cards <= 0.9.7 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
CVE ID: CVE-2024-24928
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3e7d10ab-2525-407b-b814-ef7d884d5287
Elementor Website Builder – More than Just a Page Builder <= 3.18.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via get_image_alt
CVE ID: CVE-2024-0506
CVSS Score: 6.4 (Medium)
Researcher/s: wesley (wcraft)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4473d3f6-e324-40f5-b92b-167f76b17332
Elementor Addon Elements <= 1.12.11 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2024-0834
CVSS Score: 6.4 (Medium)
Researcher/s: Webbernaut
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6ebb5654-ba3e-4f18-8720-a6595a771964
Elementor Addons by Livemesh <= 8.3.2 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2024-1235
CVSS Score: 6.4 (Medium)
Researcher/s: Webbernaut
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/70bda4b7-e442-4956-b3cb-8df96043bcde
Payment Forms for Paystack <= 3.4.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2023-5665
CVSS Score: 6.4 (Medium)
Researcher/s: István Márton
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/98f80608-f24f-4019-a757-de71cba9902f
Before After Image Slider WP <= 2.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
CVE ID: CVE-2024-24931
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/af76e32b-ba7d-4eaa-97c8-ed6a25e8f387
My Calendar <= 3.4.23 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d039ba8f-0452-4c14-a655-7f6880c1f1b4
Buttons Shortcode and Widget <= 1.16 – Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
CVE ID: CVE-2024-24930
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ea6e0856-ba3d-4fa1-ac90-45a51ff994ef
VK Poster Group <= 2.0.3 – Reflected Cross-Site Scripting via vkp_repost
CVE ID: CVE-2024-24932
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/14f030bd-8d8d-4152-817d-d72c9b7a0152
Matomo <= 4.15.3 – Reflected Cross-Site Scripting via idsite
CVE ID: CVE-2023-6923
CVSS Score: 6.1 (Medium)
Researcher/s: Felipe Restrepo Rodriguez (pfelilpe)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2e2d54eb-c176-49c4-a4fc-833e17189cad
WP SMS <= 6.5.2 – Reflected Cross-Site Scripting via ‘page’
CVE ID: CVE-2024-24881
CVSS Score: 6.1 (Medium)
Researcher/s: Dimas Maulana
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/31f7dc1e-2008-4672-85ba-56fa35f4f0e1
WP 404 Auto Redirect to Similar Post <= 1.0.3 – Reflected Cross-Site Scripting via request
CVE ID: CVE-2024-0509
CVSS Score: 6.1 (Medium)
Researcher/s: kodaichodai
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6eef5549-3f89-4d6f-8c4e-6e4ee6082042
Wonder Slider Lite <= 13.9 – Reflected Cross-Site Scripting via ‘page’
CVE ID: CVE-2024-24877
CVSS Score: 6.1 (Medium)
Researcher/s: Dimas Maulana
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/712d2d8b-2103-4262-807e-bb26cabb771c
Brooklyn <= 4.9.7.6 – Reflected Cross-Site Scripting
CVE ID: CVE-2024-24927
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/724d8382-cef3-4584-a255-c2ecc7c986b3
Link Library <= 7.5.13 – Reflected Cross-Site Scripting via ‘link_price’ and ‘link_tags’
CVE ID: CVE-2024-24879
CVSS Score: 6.1 (Medium)
Researcher/s: beluga
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9d5f9d2e-6719-4ce7-bbdd-afaf437bd080
Portugal CTT Tracking for WooCommerce <= 2.1 – Reflected Cross-Site Scripting
CVE ID: CVE-2024-24878
CVSS Score: 6.1 (Medium)
Researcher/s: stealthcopter
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a69e6ca8-efd6-4b89-ae63-b320f9936842
All-In-One Security (AIOS) – Security and Firewall <= 5.2.5 – Reflected Cross-Site Scripting
CVE ID: CVE-2024-1037
CVSS Score: 6.1 (Medium)
Researcher/s: stealthcopter
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b50772e5-5142-4f50-b5c0-6116a8821cba
Honeypot for WP Comment <= 2.2.3 – Reflected Cross-Site Scripting via page
CVE ID: CVE-2024-24933
CVSS Score: 6.1 (Medium)
Researcher/s: Dimas Maulana
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c1441e68-5c41-4c90-ba99-1656af87a29d
All 404 Pages Redirect to Homepage <= 1.9 – Unauthenticated Stored Cross-Site Scripting
CVE ID: CVE-2024-24889
CVSS Score: 6.1 (Medium)
Researcher/s: Pham Ho Anh Dung
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/de5d5ffc-e76a-4ea9-be68-9ca5f847a363
InfiniteWP Client <= 1.12.3 – Unauthenticated Sensitive Information Exposure
CVE ID: CVE-2023-6565
CVSS Score: 5.9 (Medium)
Researcher/s: Christian Angel
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2fdc32a4-adf8-4174-924b-5d0b763d010c
PowerPack Addons for Elementor (Free Widgets, Extensions and Templates) <= 2.7.14 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2024-1055
CVSS Score: 5.4 (Medium)
Researcher/s: Webbernaut
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/036cf299-80c2-48a8-befc-02899ab96e3c
Basic Log Viewer <= 1.0.4 – Cross-Site Request Forgery via wpst_lw_viewer
CVE ID: CVE-2024-24935
CVSS Score: 5.4 (Medium)
Researcher/s: Dhabaleshwar Das
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/18acd104-a5a5-4811-9aea-abc227a1712c
Login Lockdown – Protect Login Form <= 2.08 – Missing Authorization
CVE ID: CVE-2024-1340
CVSS Score: 5.4 (Medium)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/34021007-b5d3-479b-a0d4-50e301f22c9c
3D Tag Cloud <= 3.8 – Cross-Site Request Forgery to Stored Cross-Site Scripting
CVE ID: CVE-2022-41990
CVSS Score: 5.4 (Medium)
Researcher/s: István Márton
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4dfa825c-b0f7-4588-9bf8-cd186a5fc0ff
Prime Slider – Addons For Elementor <= 3.11.10 – Incorrect Authorization via bdt_duplicate_as_draft
CVE ID: CVE-2024-24883
CVSS Score: 5.4 (Medium)
Researcher/s: Abu Hurayra (HurayraIIT)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/691b7428-73e5-4800-85a1-19daa85aff4e
Passster – Password Protect Pages and Content <= 4.2.6.2 – Missing Authorization to Sensitive Information Exposure
CVE ID: CVE-2024-0616
CVSS Score: 5.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/00b81467-8d00-4816-895a-89d67c541c17
Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin <= 3.3.50 – Missing Authorization to Unauthenticated Events Export
CVE ID: CVE-2024-1122
CVSS Score: 5.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0cbdf679-1657-4249-a433-8fe0cddd94be
CP Polls <= 1.0.71 – Unauthenticated Poll Limit Bypass
CVE ID: CVE-2024-24873
CVSS Score: 5.3 (Medium)
Researcher/s: Kyle Sanchez
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2c80de83-3996-4048-8aa3-3611b002fc01
Podlove Podcast Publisher <= 4.0.11 – Missing Authorization to Settings Import
CVE ID: CVE-2024-1110
CVSS Score: 5.3 (Medium)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2c9cf461-572c-4be8-96e6-659acf3208f3
PPWP – Password Protect Pages <= 1.8.9 – Protection Mechanism Bypass
CVE ID: CVE-2024-0620
CVSS Score: 5.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/41299927-2ed9-4cbe-b2b0-f306dc0e4a58
Customer Reviews for WooCommerce <= 5.38.12 – Improper Authorization via submit_review
CVE ID: CVE-2024-1044
CVSS Score: 5.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4420c334-1ea4-4549-b391-150702abc2f8
Quiz Maker <= 6.5.2.4 – Missing Authorization to Unauthenticated Quiz Data Retrieval
CVE ID: CVE-2024-1079
CVSS Score: 5.3 (Medium)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/602df370-cd5b-46dc-a653-6522aef0c62f
WP Club Manager – WordPress Sports Club Plugin <= 2.2.10 – Missing Authorization to Unauthenticated Event Permalink Update
CVE ID: CVE-2024-1177
CVSS Score: 5.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/64c2c8c2-58f5-4b7d-b226-39ba39e887d5
Advanced Forms for ACF <= 1.9.3.2 – Missing Authorization to Unauthenticated Form Settings Export
CVE ID: CVE-2024-1121
CVSS Score: 5.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7b33f2ee-3f20-4494-bdae-3f8cc3c6dc73
Podlove Podcast Publisher <= 4.0.11 – Missing Authorization to Unauthenticated Data Export
CVE ID: CVE-2024-1109
CVSS Score: 5.3 (Medium)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a7b25b66-e9d1-448d-8367-cce4c0dec635
Royal Elementor Addons and Templates <= 1.3.87 – Missing Authorization via wpr_update_form_action_meta
CVE ID: CVE-2024-0516
CVSS Score: 5.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d3457b87-c860-4cf2-ac3d-2c6521b629ea
Simple Page Access Restriction <= 1.0.21 – Improper Access Control to Sensitive Information Exposure via REST API
CVE ID: CVE-2024-0965
CVSS Score: 5.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d99dc270-1b28-4e76-9346-38b2b96be01c
Awesome Support – WordPress HelpDesk & Support Plugin <= 6.1.7 – Missing Authorization via editor_html()
CVE ID: CVE-2024-0596
CVSS Score: 5.3 (Medium)
Researcher/s: Krzysztof Zając
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e4358e2a-b7f6-44b6-a38a-5b27cb15e1cd
CP Polls <= 1.0.71 – Unauthenticated Content Injection
CVE ID: CVE-2024-24874
CVSS Score: 5.3 (Medium)
Researcher/s: Kyle Sanchez
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f28d7659-9244-4da8-97e9-4539d7d874f7
Paid Memberships Pro <= 2.12.8 – Authenticated (Contributor+) User Meta Disclosure
CVE ID: CVE Unknown
CVSS Score: 5.3 (Medium)
Researcher/s: Scott Kingsley Clark
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f6c5e3f8-ebbd-4cc3-b9b1-3f1704e3c07a
Woocommerce Vietnam Checkout <= 2.0.7 – Authenticated (Shop manager+) Stored Cross-Site Scripting
CVE ID: CVE-2024-24885
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/02402620-89db-448d-9028-379856735a2a
Timeline Widget For Elementor (Elementor Timeline, Vertical & Horizontal Timeline) <= 1.5.3 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2024-0977
CVSS Score: 4.4 (Medium)
Researcher/s: Webbernaut
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/03073726-58d0-45b3-b7a6-7d12dbede919
Product Labels For Woocommerce <= 1.5.3 – Authenticated (Shop manager+) Stored Cross-Site Scripting
CVE ID: CVE-2024-24886
CVSS Score: 4.4 (Medium)
Researcher/s: Dhabaleshwar Das
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/24226595-6ae7-44c2-a159-5b69808273fa
Internal Link Juicer <= 2.23.4 – Authenticated (Admin+) Stored Cross-Site Scripting
CVE ID: CVE-2024-0657
CVSS Score: 4.4 (Medium)
Researcher/s: Sh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/41d39fe4-b114-4612-92f6-75d6597610f7
Shariff Wrapper <= 4.6.9 – Authenticated (Admin+) Stored Cross-Site Scripting
CVE ID: CVE-2024-1106
CVSS Score: 4.4 (Medium)
Researcher/s: Dmitrii Ignatyev
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5ab9c383-14da-479d-9709-1ae154dae398
My Calendar <= 3.4.23 – Authenticated (Admin+) Stored Cross-Site Scripting via Events
CVE ID: CVE Unknown
CVSS Score: 4.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ad98db62-4253-4fd5-90b3-c28a563c7697
Insert PHP Code Snippet <= 1.3.4 – Authenticated (Admin+) Stored Cross-Site Scripting
CVE ID: CVE-2024-0658
CVSS Score: 4.4 (Medium)
Researcher/s: Felipe Restrepo Rodriguez (pfelilpe)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c4a6b786-d0ef-41f6-b2bf-83307ec02b91
Blocksy <= 2.0.19 – Authenticated (Editor+) Stored Cross-Site Scripting
CVE ID: CVE-2024-24871
CVSS Score: 4.4 (Medium)
Researcher/s: Savphill
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e781e1aa-7fa2-4cea-913b-4aa582ec6a4f
ImageRecycle pdf & image compression <= 3.1.13 – Cross-Site Request Forgery to Settings Update in enableOptimization
CVE ID: CVE-2024-1334
CVSS Score: 4.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0318ec4a-185a-405d-90f8-008ba373114b
All In One WP Security <= 5.2.6 – Cross-Site Request Forgery to IP Blocking
CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/05991bf2-ee61-4bf7-89df-c2f66db7caec
ImageRecycle pdf & image compression <= 3.1.13 – Missing Authorization to Settings Update in enableOptimization
CVE ID: CVE-2024-0983
CVSS Score: 4.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/175dd04d-ce06-45a0-8cfe-14498e2f9198
Custom Twitter Feeds – A Tweets Widget or X Feed Widget <= 2.2.1 – Cross-Site Request Forgery to Plugin Options Update
CVE ID: CVE-2024-0379
CVSS Score: 4.3 (Medium)
Researcher/s: Rhynorater, kodaichodai
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/29e2ff11-053b-45cc-adf1-d276f1ee576e
ImageRecycle pdf & image compression <= 3.1.13 – Cross-Site Request Forgery to Plugin Data Removal in reinitialize
CVE ID: CVE-2024-1339
CVSS Score: 4.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2d08e462-8297-477e-89da-47f26bd6beae
ImageRecycle pdf & image compression <= 3.1.13 – Missing Authorization to Plugin Data Removal in reinitialize
CVE ID: CVE-2024-1091
CVSS Score: 4.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3cb8b08c-a028-48bd-acad-c00313fe06b8
Royal Elementor Addons and Templates <= 1.3.87 – Cross-Site Request Forgery via remove_from_wishlist
CVE ID: CVE-2024-0513
CVSS Score: 4.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3d3516e7-cce4-4def-be38-d16be3110d59
Admin Menu Editor <= 1.12 – Cross-Site Request Forgery via ajax_hide_hint()
CVE ID: CVE-2024-24876
CVSS Score: 4.3 (Medium)
Researcher/s: Dhabaleshwar Das
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/53fa9be4-a2b3-458c-af6e-d3ada639a622
ImageRecycle pdf & image compression <= 3.1.13 – Cross-Site Request Forgery to Settings Update in stopOptimizeAll
CVE ID: CVE-2024-1338
CVSS Score: 4.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5e3dd131-dbd8-431c-96f4-4ab2c3be4dbd
Royal Elementor Kit <= 1.0.116 – Missing Authorization to Arbitrary Transient Update
CVE ID: CVE-2024-0835
CVSS Score: 4.3 (Medium)
Researcher/s: Sean Murphy
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/603b6c52-48eb-4e8c-a2c1-77b12a2b1a2c
Themify Builder <= 7.0.5 – Cross-Site Request Forgery
CVE ID: CVE-2024-24872
CVSS Score: 4.3 (Medium)
Researcher/s: Dhabaleshwar Das
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6840c91f-a5d9-4940-8a08-d62acc5d43eb
Quiz Maker <= 6.5.2.4 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Quiz Creation & Modification
CVE ID: CVE-2024-1078
CVSS Score: 4.3 (Medium)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7ba2b270-5f02-4cd8-8a22-1723c3873d67
ImageRecycle pdf & image compression <= 3.1.13 – Missing Authorization to Settings Update in optimizeAllOn
CVE ID: CVE-2024-1089
CVSS Score: 4.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8ff16906-2516-4b3c-8217-e3fb24924e27
Royal Elementor Addons and Templates <= 1.3.87 – Cross-Site Request Forgery via remove_from_compare
CVE ID: CVE-2024-0515
CVSS Score: 4.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a4178271-c09e-4094-a616-5a00d28f39a3
Royal Elementor Addons and Templates <= 1.3.87 – Cross-Site Request Forgery via add_to_compare
CVE ID: CVE-2024-0514
CVSS Score: 4.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b0955689-43a0-442c-974b-5db5e4171f6a
Royal Elementor Addons and Templates <= 1.3.87 – Cross-Site Request Forgery via add_to_wishlist
CVE ID: CVE-2024-0512
CVSS Score: 4.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b2ff2954-f494-4cd7-9f29-ee0e8551e339
ImageRecycle pdf & image compression <= 3.1.13 – Cross-Site Request Forgery to Settings Update in disableOptimization
CVE ID: CVE-2024-1335
CVSS Score: 4.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b3900e4f-4ae4-4026-89df-b63bd869a763
Contact Form 7 Connector <= 1.2.2 – Cross-Site Request Forgery
CVE ID: CVE-2024-24884
CVSS Score: 4.3 (Medium)
Researcher/s: Dhabaleshwar Das
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b74a5a4c-250a-46bc-bf08-2dd720de41ae
Awesome Support – WordPress HelpDesk & Support Plugin <= 6.1.7 – Missing Authorization via wpas_get_users()
CVE ID: CVE-2024-0595
CVSS Score: 4.3 (Medium)
Researcher/s: Krzysztof Zając
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/bfb77432-e58d-466e-a366-8b8d7f1b6982
WP Contact Form <= 1.6 – Cross-Site Request Forgery via wpcf_adminpage
CVE ID: CVE-2024-24929
CVSS Score: 4.3 (Medium)
Researcher/s: Skalucy
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c5decbb3-05a0-403f-918a-9b516df85778
ImageRecycle pdf & image compression <= 3.1.13 – Cross-Site Request Forgery to Settings Update in optimizeAllOn
CVE ID: CVE-2024-1336
CVSS Score: 4.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ca4cf299-9dee-4ebf-83f3-4c3471bd9fb0
ImageRecycle pdf & image compression <= 3.1.13 – Missing Authorization to Settings Update in disableOptimization
CVE ID: CVE-2024-0984
CVSS Score: 4.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cc9dd55d-3c37-4f24-81a1-fdc8ca284566
Royal Elementor Addons and Templates <= 1.3.87 – Cross-Site Request Forgery via wpr_update_form_action_meta
CVE ID: CVE-2024-0511
CVSS Score: 4.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/dc8bef03-51e0-4448-bddd-85300104e875
Contest Gallery <= 21.2.8.4 – Cross-Site Request Forgery
CVE ID: CVE-2024-24887
CVSS Score: 4.3 (Medium)
Researcher/s: Dhabaleshwar Das
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e4ed8c6e-5f80-4360-9478-fff49b1fee94
ImageRecycle pdf & image compression <= 3.1.13 – Missing Authorization to Settings Update in stopOptimizeAll
CVE ID: CVE-2024-1090
CVSS Score: 4.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f3fae909-5564-4e0a-9114-edd0e45865e5
Link Library <= 7.5.13 – Cross-Site Request Forgery via action_admin_init
CVE ID: CVE-2024-24875
CVSS Score: 4.3 (Medium)
Researcher/s: Dhabaleshwar Das
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fefe4499-8b03-4c07-b248-ae0ae5153b4f
WP RSS Aggregator <= 4.23.5 – Authenticated (Admin+) Server-Side Request Forgery via RSS Feed Source
CVE ID: CVE-2024-0628
CVSS Score: 3.8 (Low)
Researcher/s: Colin Xu
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2154383e-eabb-4964-8991-423dd68d5efb
Minimal Coming Soon – Coming Soon Page <= 2.37 – Unauthenticated Maintenance Mode Bypass
CVE ID: CVE-2024-1075
CVSS Score: 3.7 (Low)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/78203b98-15bc-4d8e-9278-c472b518be07
As a reminder, Wordfence curates an industry-leading vulnerability database, Wordfence Intelligence, covering all known WordPress core, theme, and plugin vulnerabilities.
This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, direct submissions from vulnerability researchers via our CVE Request form, and monitoring of various sources to capture all publicly available WordPress vulnerability information, with additional context added where we can.
The post Wordfence Intelligence Weekly WordPress Vulnerability Report (February 5, 2024 to February 11, 2024) appeared first on Wordfence.