Wordfence Intelligence Weekly WordPress Vulnerability Report (May 6, 2024 to May 12, 2024)

Did you know we’re running a Bug Bounty Extravaganza again?

Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through May 27th, 2024 when you opt to have Wordfence handle responsible disclosure!

Last week, there were 180 vulnerabilities disclosed in 142 WordPress Plugins and 6 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 62 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 16,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status	Number of Vulnerabilities
Patched	133
Unpatched	47

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating	Number of Vulnerabilities
Low Severity	1
Medium Severity	144
High Severity	17
Critical Severity	18

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE	Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)	82
Cross-Site Request Forgery (CSRF)	23
Missing Authorization	18
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’)	8
Unrestricted Upload of File with Dangerous Type	8
Information Exposure	7
Deserialization of Untrusted Data	6
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)	5
Improper Control of Generation of Code (‘Code Injection’)	4
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)	4
Server-Side Request Forgery (SSRF)	3
Authentication Bypass Using an Alternate Path or Channel	2
Information Exposure Through Log Files	2
Authorization Bypass Through User-Controlled Key	1
Improper Access Control	1
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)	1
Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)	1
Improper Privilege Management	1
Incorrect Authorization	1
Insecure Storage of Sensitive Information	1
Unprotected Alternate Channel	1

Researchers That Contributed to WordPress Security Last Week

Researcher Name	Number of Vulnerabilities
Dhabaleshwar Das	19
stealthcopter	15
wesley (wcraft)	9
Sharanabasappa	8
István Márton	8
João G. Barbosa (4rCanJ0x!)	7
Bob Matyas	7
Benedictus Jovan (aillesiM)	7
Ngô Thiên An (ancorn_)	6
Peng Zhou	6
Webbernaut	5
Manab Jyoti Dowarah	5
Francesco Carlucci	4
Khalid	4
Rafie Muhammad	4
Joshua Chan	4
Krzysztof Zając	3
1337_Wannabe	3
Lucio Sá	3
Rayhan Ramdhany Hanaputra	3
Trinh Vu (Sonicrrrr)	2
Sebastião Gavião (Sebastgav)	2
Ray Wilson	2
Cronus	2
Kyle Sanchez	2
Huynh Tien Si	2
LVT-tholv2k	2
Le Ngoc Anh	2
CatFather	2
Majed Refaea	2
Ananda Dhakal	1
Eduardo Berlanga (seqode)	1
Daiki Sato	1
fewwords huang	1
Do Truong Giang	1
Myungju Kim	1
younsoung kim	1
SeoHyeon Lee	1
SeoHee Kang	1
beluga	1
alfido osdie	1
Krugov Artyom	1
Bassem Essam	1
t0y4	1
umi	1
Erdemstar	1
Peter Thaleikis	1
Phill Sav (Savphill)	1
domiee13	1
Hiro	1
Foxyyy	1
Dmitrii Ignatyev	1
rptl	1
Thanh Nam Tran	1
Phuoc Pham (p3tl0v3r)	1
Elmini	1
JoanClarke2	1
Jakick	1
Roby Firnando Yusuf	1
ngductung	1
ST	1
Trình Vũ	1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name	Software Slug
140+ Widgets \| Best Addons For Elementor – FREE	xpro-elementor-addons
3D FlipBook, PDF Viewer, PDF Embedder – Real 3D FlipBook WordPress Plugin	real3d-flipbook-lite
Academy LMS – eLearning and online course solution for WordPress	academy
ADFO – Custom data in admin dashboard	admin-form
Advanced Ads – Ad Manager & AdSense	advanced-ads
AI Engine	ai-engine
Aiomatic – Automatic AI Content Writer & Editor, GPT-3 & GPT-4, ChatGPT ChatBot & AI Toolkit	aiomatic-automatic-ai-content-writer
All Bootstrap Blocks	all-bootstrap-blocks
All-in-One Addons for Elementor – WidgetKit	widgetkit-for-elementor
Arigato Autoresponder and Newsletter	bft-autoresponder
Auto Affiliate Links	wp-auto-affiliate-links
AWSOM News Announcement	awsom-news-announcement
Back In Stock Notifier for WooCommerce \| WooCommerce Waitlist Pro	back-in-stock-notifier-for-woocommerce
Barcode Scanner and Inventory manager. POS (Point of Sale) – scan barcodes & create orders with barcode reader.	barcode-scanner-lite-pos-to-manage-products-inventory-and-orders
Beaver Builder – WordPress Page Builder	beaver-builder-lite-version
Better Elementor Addons	better-elementor-addons
Blocksy Companion	blocksy-companion
BlogLentor – Blog Designer Pack for Elementor	bloglentor-for-elementor
Breakdance	breakdance
Brozzme Scroll Top	brozzme-scroll-top
Business Card	business-card-by-esterox-100
canvasio3D Light	canvasio3d-light
Church Admin	church-admin
ClickCease Click Fraud Protection	clickcease-click-fraud-protection
Comments Evolved for WordPress	gplus-comments
Configure Login Timeout	configure-login-timeout
Contact List – Premium Staff Listing, Business Directory & Address Book	contact-list
Content Blocks (Custom Post Widget)	custom-post-widget
Content Views – Post Grid & Filter, Recent Posts, Category Posts, & More (Gutenberg Blocks and Shortcode)	content-views-query-and-display-post-page
Counter Up – Animated Number Counter & Milestone Showcase	wp-counter-up
Custom Field Suite	custom-field-suite
Debug Info	debug-info
Design for Contact Form 7 Style WordPress Plugin – CF7 WOW Styler	cf7-styler
Ditty – Responsive News Tickers, Sliders, and Lists	ditty-news-ticker
Divi Builder	divi-builder
DS Site Message	ds-site-message
Dynamics 365 Integration	integration-dynamics
Easy Affiliate Links	easy-affiliate-links
Easy Digital Downloads – Sell Digital Files & Subscriptions (eCommerce Store + Payments Made Easy)	easy-digital-downloads
Edwiser Bridge – WordPress Moodle LMS Integration	edwiser-bridge
EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor	embedpress
Enter Addons – Ultimate Template Builder for Elementor	enteraddons
Envo’s Elementor Templates & Widgets for WooCommerce	envo-elementor-for-woocommerce
Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders	essential-addons-for-elementor-lite
Falang multilanguage for WordPress	falang
Featured Content Gallery	featured-content-gallery
Flo Forms – Easy Drag & Drop Form Builder	flo-forms
Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder	form-maker
Forty Four – 404 Plugin for WordPress	forty-four
Gallery Block (Meow Gallery)	meow-gallery
GDPR Compliance	gdpr-compliance
gee Search Plus, improved WordPress search	gsearch-plus
Ghost	ghost
Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers	rafflepress
Gold Addons for Elementor	gold-addons-for-elementor
Graphina – Elementor Charts and Graphs	graphina-elementor-charts-and-graphs
Gutenberg Blocks with AI by Kadence WP – Page Builder Features	kadence-blocks
Gutenify – Visual Site Builder Blocks & Site Templates.	gutenify
Heateor Social Login WordPress	heateor-social-login
Hostel	hostel
Hotel Booking Lite	motopress-hotel-booking-lite
HT Mega – Absolute Addons For Elementor	ht-mega-for-elementor
HTML5 Audio Player- Best WordPress Audio Player Plugin	html5-audio-player
If-So Dynamic Content Personalization	if-so
Image Hover Effects – Elementor Addon	image-hover-effects-addon-for-elementor
Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms	integration-for-contact-form-7-and-pipedrive
Joli FAQ SEO – WordPress FAQ Plugin	joli-faq-seo
KKProgressbar2 Free – advanced progress bars	kkprogressbar
Kognetiks Chatbot for WordPress	chatbot-chatgpt
LearnPress – WordPress LMS Plugin	learnpress
Link Library	link-library
Magical Addons For Elementor ( Header Footer Builder, Free Elementor Widgets, Elementor Templates Library )	magical-addons-for-elementor
Mesmerize Companion	mesmerize-companion
Mihdan: Yandex Turbo Feed	mihdan-yandex-turbo-feed
Move Addons for Elementor	move-addons
Netgsm	netgsm
One Click Demo Import	one-click-demo-import
Orders Tracking for WooCommerce	woo-orders-tracking
Pk Favicon Manager	phpsword-favicon-manager
Playlist for Youtube	playlist-for-youtube
Pods – Custom Content Types and Fields	pods
Pootle Pagebuilder – WordPress Page builder	pootle-page-builder
Porto Theme – Functionality	porto-functionality
Post Grid Master – Custom Post Types, Taxonomies & Ajax Filter Everything with Infinite Scroll, Load More, Pagination & Shortcode Builder	ajax-filter-posts
Prime Slider – Addons For Elementor (Revolution of a slider, Hero Slider, Ecommerce Slider)	bdthemes-prime-slider-lite
Propovoice CRM – Best CRM & Invoicing Plugin to Manage Leads, Clients and Billings automation	propovoice
Pure Chat – Live Chat Plugin & More!	pure-chat
QuickieBar	quickiebar
Shared Counts – Social Media Share Buttons	shared-counts
Shared Files – Advanced File Sharing & Download Manager with Frontend Uploads & Lead Generation	shared-files
Shipment Tracking, Tracking, and Order Tracking for WooCommerce – ParcelPanel (Free to install)	parcelpanel
ShopBuilder – Elementor WooCommerce Builder Addons	shopbuilder
Shopping Cart & eCommerce Store	wp-easycart
ShortPixel Adaptive Images – WebP, AVIF, CDN, Image Optimization	shortpixel-adaptive-images
Simple Website Banner	corona-virus-covid-19-banner
SKT Addons for Elementor	skt-addons-for-elementor
Soccer Engine – Soccer Plugin for WordPress	soccer-engine-lite
Social Connect	social-connect
Social Sharing Plugin – Social Warfare	social-warfare
SP Project & Document Manager	sp-client-document-manager
Spectra Pro	spectra-pro
SportsPress – Sports Club & League Manager	sportspress
Squelch Tabs and Accordions Shortcodes	squelch-tabs-and-accordions-shortcodes
Starter Templates — Elementor, WordPress & Beaver Builder Templates	astra-sites
Startklar Elementor Addons	startklar-elmentor-forms-extwidgets
Sticky banner	sticky-banner
Sticky Social Link	sticky-social-link
Stockholm Core	stockholm-core
Swift Performance Lite	swift-performance-lite
Table Maker	table-maker
The Best WordPress Knowledgebase and Documentation Plugin – weDocs	wedocs
The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce	the-plus-addons-for-elementor-page-builder
Themify Shortcodes	themify-shortcodes
Thim Elementor Kit	thim-elementor-kit
Timber	timber-library
Translate Multilingual sites – TranslatePress	translatepress-multilingual
TT Custom Post Type Creator	tt-custom-post-type-creator
Ultimate Store Kit Elementor Addons, Woocommerce Builder, EDD Builder, Elementor Store Builder, Product Grid, Product Table, Woocommerce Slider	ultimate-store-kit
Unlimited Elements For Elementor (Free Widgets, Addons, Templates)	unlimited-elements-for-elementor
Unyson	unyson
Viet Affiliate Link	viet-affiliate-link
Viet Nam Affiliate	viet-nam-affiliate
Visual Footer Credit Remover	visual-footer-credit-remover
WC Serial Numbers – Ultimate License Manager for Selling, Licensing & Securely Delivering Digital Content with WooCommerce	wc-serial-numbers
White Label CMS	white-label-cms
WOLF – WordPress Posts Bulk Editor and Manager Professional	bulk-editor
WooCommerce Wishlist (High customization, fast setup,Free Elementor Wishlist, most features)	smart-wishlist-for-more-convert
WordPress Affiliates Plugin — SliceWP Affiliates	slicewp
WordPress Webinar Plugin – WebinarPress	wp-webinarsystem
WP Discourse	wp-discourse
WP etracker	wp-etracker
WP Favorite Posts	wp-favorite-posts
WP Job Manager	wp-job-manager
WP Latest Posts	wp-latest-posts
WP Photo Album Plus	wp-photo-album-plus
WP Post Author – Enhance Your Posts with the Author Bio, Co-Authors, Guest Authors, and Post Rating System, including User Registration Form Builder	wp-post-author
WP STAGING WordPress Backup Plugin – Migration Backup Restore	wp-staging
WPCS ( WordPress Custom Search )	wpcs-wp-custom-search
XML Sitemap & Google News	xml-sitemap-feed
Yoast SEO	wordpress-seo
Z-Downloads	z-downloads
Zotpress	zotpress

WordPress Themes with Reported Vulnerabilities Last Week

Software Name	Software Slug
Divi	Divi
Divi Extra	extra
Himalayas	himalayas
Porto	porto
raindrops	raindrops
Stockholm	stockholm

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

WP Photo Album Plus <= 8.7.01.001 – Unauthenticated Arbitrary File Upload

10.0

CVSS Rating
Critical (10.0)

CVE-ID
CVE-2024-31377

Patch Status
Patched

Published
May 7, 2024

Affected Software
WP Photo Album Plus

Researcher