Wordfence Intelligence Weekly WordPress Vulnerability Report (March 11, 2024 to March 17, 2024)

Did you know we’re running a Bug Bounty Extravaganza again?

Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through May 27th, 2024 when you opt to have Wordfence handle responsible disclosure!

Last week, there were 159 vulnerabilities disclosed in 123 WordPress Plugins and 1 WordPress Theme that have been added to the Wordfence Intelligence Vulnerability Database, and there were 68 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 14,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

WAF-RULE-684 – Data redacted while we work with the vendor on a patch.

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status	Number of Vulnerabilities
Patched	146
Unpatched	13

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating	Number of Vulnerabilities
Medium Severity	132
High Severity	21
Critical Severity	6

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE	Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)	98
Missing Authorization	18
Cross-Site Request Forgery (CSRF)	13
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)	7
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)	4
Deserialization of Untrusted Data	3
Improper Control of Generation of Code (‘Code Injection’)	2
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)	2
Server-Side Request Forgery (SSRF)	2
Unrestricted Upload of File with Dangerous Type	2
Authorization Bypass Through User-Controlled Key	1
Exposure of Sensitive Data Through Data Queries	1
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’)	1
Improper Input Validation	1
Incorrect Authorization	1
Information Exposure	1
Insufficiently Protected Credentials	1
Missing Critical Step in Authentication	1

Researchers That Contributed to WordPress Security Last Week

Researcher Name	Number of Vulnerabilities
Francesco Carlucci	18
Krzysztof Zając	11
stealthcopter	11
Lucio Sá	8
Rafie Muhammad	8
GiongfNef	7
wesley (wcraft)	6
Webbernaut	5
LVT-tholv2k	5
Joshua Chan	4
Richard Telleng (stueotue)	3
Nikolas	3
RandomRoot	3
beluga	3
Majed Refaea	2
Abu Hurayra (HurayraIIT)	2
Ngô Thiên An (ancorn_)	2
Eldar Zeynalli	2
Dave Jong	2
CatFather	2
Mochamad Sofyan	2
Bassem Essam	2
wpdabh	2
István Márton	2
Brandon James Roldan (tomorrowisnew)	2
Vladislav Pokrovsky (ΞX.MI)	2
resecured.io	1
isacaya	1
Marco Wotschka	1
Akbar Kustirama	1
Kang SeoHee	1
Byeongjun Jo	1
Maksim Kosenko	1
Arkadiusz Hydzik	1
Jean Tirstan T	1
thiennv	1
Drian	1
Dhabaleshwar Das	1
Stiofan	1
hye0ngseok	1
Sh	1
0liveira	1
Dimas Maulana	1
Muhammad Daffa	1
Huynh Tien Si	1
Alex Thomas	1
Kursat Cetin	1
Faizal Abroni	1
Tien Luong	1
Ala Arfaoui	1
Joel Indra	1
Dau Hoang Tai	1
Rafshanzani Suhada	1
Le Ngoc Anh	1
Steven Julian	1
hir0ot	1
Van Lyubov	1
Asaf Mozes	1
Abdi Pranata	1
Marzieh Hashemi	1
Tim Coen	1
Sean Murphy	1
Ulyses Saicha	1
Delbert Giovanni Lie	1
Phill Sav (Savphill)	1
drop	1
Muhammad Hassham Nagori	1
Hung -mov Nguyen	1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name	Software Slug
Accordion	accordions
Advanced Access Manager – Restricted Content, Users & Roles, Enhanced Security and More	advanced-access-manager
Advanced Sermons	advanced-sermons
AntiSpam for Contact Form 7	cf7-antispam
ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup	armember-membership
Auto Affiliate Links	wp-auto-affiliate-links
Awesome Support – WordPress HelpDesk & Support Plugin	awesome-support
Backuply – Backup, Restore, Migrate and Clone	backuply
Barcode Scanner and Inventory manager. POS (Point of Sale) – scan barcodes & create orders with barcode reader.	barcode-scanner-lite-pos-to-manage-products-inventory-and-orders
Beaver Builder Addons by WPZOOM	wpzoom-addons-for-beaver-builder
Beaver Builder – WordPress Page Builder	beaver-builder-lite-version
Builder for WooCommerce product reviews shortcodes – ReviewShort	woo-product-reviews-shortcode
Bulgarisation for WooCommerce	bulgarisation-for-woocommerce
Burst Statistics – Privacy-Friendly Analytics for WordPress	burst-statistics
Calendarista Basic Edition – WordPress appointment booking system	calendarista-basic-edition
Contact Form 7	contact-form-7
Contact Form 7 – PayPal & Stripe Add-on	contact-form-7-paypal-add-on
Contact Form Builder by Bit Form: Create Contact Form, Multi Step Form, Conversational Form	bit-form
Contact Form by BestWebSoft – Advanced Contact Us Form Builder for WordPress	contact-form-plugin
Coupon Affiliates – WooCommerce Affiliate Plugin	woo-coupon-usage
Crisp – Live Chat and Chatbot	crisp
Cryptocurrency Widgets – Price Ticker & Coins List	cryptocurrency-price-ticker-widget
CWW Companion	cww-companion
Database for Contact Form 7	cf7-database
Download Manager Pro	download-manager
DSGVO All in one for WP	dsgvo-all-in-one-for-wp
Easiest Sales Funnel Builder For WordPress & WooCommerce by WPFunnels	wpfunnels
Easy Social Feed – Social Photos Gallery – Post Feed – Like Box	easy-facebook-likebox
ElementInvader Addons for Elementor	elementinvader-addons-for-elementor
Elementor Addon Elements	addon-elements-for-elementor-page-builder
Elementor Addons by Livemesh	addons-for-elementor
Elementor Header & Footer Builder	header-footer-elementor
Elements Plus!	elements-plus
ElementsKit Elementor addons	elementskit-lite
Email Subscription Popup	email-subscribe
Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders	essential-addons-for-elementor-lite
Everest Forms – Build Contact Forms, Surveys, Polls, Quizzes, Newsletter & Application Forms, and Many More with Ease!	everest-forms
Evergreen Content Poster – Auto Post and Schedule Your Best Content to Social Media	evergreen-content-poster
Extensions For CF7 (Contact form 7 Database, Conditional Fields and Redirection)	extensions-for-cf7
f(x) Private Site	fx-private-site
Free Downloads WooCommerce	download-now-for-woocommerce
FV Flowplayer Video Player	fv-wordpress-flowplayer
GiveWP – Donation Plugin and Fundraising Platform	give
HT Easy GA4 – Google Analytics WordPress Plugin	ht-easy-google-analytics
HT Mega – Absolute Addons For Elementor	ht-mega-for-elementor
HUSKY – Products Filter Professional for WooCommerce	woocommerce-products-filter
Hustle – Email Marketing, Lead Generation, Optins, Popups	wordpress-popup
JetWidgets For Elementor	jetwidgets-for-elementor
Knight Lab Timeline	knight-lab-timelinejs
LA-Studio Element Kit for Elementor	lastudio-element-kit
LadiApp: Landing Page, PopupX, Marketing Automation, Affiliate Marketing…	ladipage
Link Library	link-library
Link Whisper Free	link-whisper
Malware Scanner	miniorange-malware-protection
MasterStudy LMS WordPress Plugin – for Online Courses and Education	masterstudy-lms-learning-management-system
MJM Clinic	mjm-clinic
Mollie Forms	mollie-forms
Multiple Page Generator Plugin – MPG	multiple-pages-generator-by-porthas
News Announcement Scroll	news-announcement-scroll
Newsletter2Go	newsletter2go
oik	oik
Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE	otter-blocks
OxyExtras	oxyextras
Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress	wp-user-avatar
Permalink Manager Pro	permalink-manager
Post Grid, Form Maker, Popup Maker, WooCommerce Blocks, Post Blocks, Post Carousel – Combo Blocks	post-grid
Premium Addons for Elementor	premium-addons-for-elementor
Premium Addons Pro for Elementor	premium-addons-pro
Premmerce Permalink Manager for WooCommerce	woo-permalink-manager
Prime Slider – Addons For Elementor (Revolution of a slider, Hero Slider, Ecommerce Slider)	bdthemes-prime-slider-lite
PropertyHive	propertyhive
Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress	quiz-master-next
Registration Forms – User Registration Forms, Invitation-Based Registrations, Front-end User Profile, Login Form & Content Restriction	pie-register
RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login	custom-registration-form-builder-with-submission-manager
Related Posts for WordPress	related-posts-for-wp
Restaurant Menu and Food Ordering	food-and-drink-menu
Scrollsequence – Cinematic Scroll Image Animation Plugin	scrollsequence
Sell Tickets – Event Ticketing and Event Registration – Ticket Tailor for WordPress	ticket-tailor
Shariff Wrapper	shariff
ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor)	woolentor-addons
Simple Job Board	simple-job-board
Site Reviews	site-reviews
Sitekit	sitekit
Sky Addons for Elementor (Free Templates Library, Live Copy, Animations, Post Grid, Post Carousel, Particles, Sliders, Chart, Blogs)	sky-elementor-addons
Smart Online Order for Clover	clover-online-orders
Social Media Share Buttons	social-media-builder
Specific Content For Mobile – Customize the mobile version without redirections	specific-content-for-mobile
Super Page Cache for Cloudflare	wp-cloudflare-page-cache
SupportCandy – Helpdesk & Customer Support Ticket System	supportcandy
Survey Maker – Best WordPress Survey Plugin	survey-maker
Tablesome – Responsive Table, Email Log, Form Automation – Contact Form 7, Elementor, WPForms, Gravity Forms, Fluent, Forminator	tablesome
Team Circle Image Slider With Lightbox	circle-image-slider-with-lightbox
The Moneytizer	the-moneytizer
Tutor LMS – eLearning and online course solution	tutor
Ultimate Gift Cards for WooCommerce – Create, Redeem & Manage Digital Gift Certificates with Personalized Templates	woo-gift-cards-lite
User profile	user-profile
UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WordPress	userswp
Video Conferencing with Zoom	video-conferencing-with-zoom-api
Visual Composer Website Builder, Landing Page Builder, Custom Theme Builder, Maintenance Mode & Coming Soon Pages	visualcomposer
Visualizer: Tables and Charts Manager for WordPress	visualizer
WC Shop Sync – Integrate Square and WooCommerce for Seamless Shop Management	woosquare
Web Application Firewall – website security	web-application-firewall
weForms – Easy Drag & Drop Contact Form Builder For WordPress	weforms
WEN Responsive Columns	wen-responsive-columns
WooCommerce Google Feed Manager	wp-product-feed-manager
WooCommerce License Manager	fs-license-manager
WooThumbs for WooCommerce by Iconic	iconic-woothumbs
Word Replacer Pro	word-replacer-ultra
WordPress Automatic Plugin	wp-automatic
WordPress Contact Forms by Cimatti	contact-forms
WP Armour – Honeypot Anti Spam	honeypot
WP Calameo	wp-calameo
WP Fusion Lite – Marketing Automation and CRM Integration for WordPress	wp-fusion-lite
WP Go Maps (formerly WP Google Maps)	wp-google-maps
WP Popups – WordPress Popup builder	wp-popups-lite
WP Recipe Maker	wp-recipe-maker
WP Responsive Tabs horizontal vertical and accordion Tabs	responsive-horizontal-vertical-and-accordion-tabs
WP SendFox	wp-sendfox
WP Statistics	wp-statistics
wp-mpdf	wp-mpdf
WPBakery Page Builder Addons by Livemesh	addons-for-visual-composer
YITH WooCommerce Product Add-Ons	yith-woocommerce-product-add-ons
Zippy	zippy

WordPress Themes with Reported Vulnerabilities Last Week

Software Name	Software Slug
Blossom Spa	blossom-spa

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

Automatic <= 3.92.0 – Unauthenticated Arbitrary File Download and Server-Side Request Forgery

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-27954

Patch Status
Patched

Published
Mar 13, 2024

Affected Software
WordPress Automatic Plugin

Researcher