Wordfence Intelligence Weekly WordPress Vulnerability Report (November 4, 2024 to November 10, 2024)

Calling all superheroes and hunters! Introducing the End of Year Holiday Extravaganza and the WordPress Superhero Challenge for the Wordfence Bug Bounty Program! Through December 9th, 2024:

All in-scope vulnerability types for WordPress plugins/themes with >= 1,000 active installations are in-scope for ALL researchers
All plugins and themes with 50-999 active installs hosted in the WordPress.org repository and updated within the last 2 years are in-scope for all researchers!
Minimum bounty of $5 for all valid in-scope submissions.
All researchers earn automatic bonuses of between 5% to 180% for valid submissions
Pending report limits are increased for all
It’s possible to earn up to $31,200 for high impact vulnerabilities!

Last week, there were 286 vulnerabilities disclosed in 273 WordPress Plugins and 5 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 43 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 20,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

Advanced Order Export For WooCommerce <= 3.5.5 – Unauthenticated PHP Object Injection via Order Details
WAF-RULE-760 – Data redacted while we work with the vendor on a patch.
WAF-RULE-761 – Data redacted while we work with the vendor on a patch.
WAF-RULE-762 – Data redacted while we work with the vendor on a patch.
WAF-RULE-764 – Data redacted while we work with the vendor on a patch.

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status	Number of Vulnerabilities
Patched	75
Unpatched	211

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating	Number of Vulnerabilities
Medium Severity	252
High Severity	14
Critical Severity	20

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE	Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)	225
Unrestricted Upload of File with Dangerous Type	11
Missing Authorization	10
Authorization Bypass Through User-Controlled Key	7
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)	7
Exposure of Sensitive Information to an Unauthorized Actor	6
Improper Authentication	4
Improper Control of Generation of Code (‘Code Injection’)	4
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)	3
Server-Side Request Forgery (SSRF)	2
Authentication Bypass Using an Alternate Path or Channel	1
Cross-Site Request Forgery (CSRF)	1
Improper Access Control	1
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’)	1
Improper Handling of Missing Values	1
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)	1
Insecure Storage of Sensitive Information	1

Researchers That Contributed to WordPress Security Last Week

Researcher Name	Number of Vulnerabilities
SOPROBRO	123
João Pedro Soares de Alcântara	32
Gab	21
Francesco Carlucci	17
Tonn	8
stealthcopter	6
Peter Thaleikis	6
LVT-tholv2k	6
Mika	6
wesley (wcraft)	5
Zlrqh	4
vgo0	4
István Márton	4
thiennv	3
Ankit Patel	3
Arkadiusz Hydzik	3
shaman0x01	3
Le Ngoc Anh	2
Akbar Kustirama	2
Bob Matyas	2
Joshua Chan	2
tmrswrr	2
Webbernaut	2
Sean Murphy	2
Kevin Murphy (knmurphy)	2
Colin Xu	1
Max Boll (_b0lli)	1
Foxyyy	1
Rafshanzani Suhada	1
incognito	1
Junwoo Kang	1
Tieu Pham Trong Nhan	1
Chinmoy Pratim Borah	1
floerer	1
theviper17y	1
Zaidan Rizaki	1
Michael	1
Khalid Yusuf	1
zer0gh0st	1
mikemyers	1
ghsinfosec	1
Lucio Sá	1
Robert DeVore	1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name	Software Slug
140+ Widgets \| Xpro Addons For Elementor – FREE	xpro-elementor-addons
AA Audio Player	aa-audio-player
AchillesTheme-shortcodes	achilles-shortcodes
Active Products Tables for WooCommerce. Use constructor to create tables	profit-products-tables-for-woocommerce
Add Ribbon Shortcode	add-ribbon
Admin Amplify	wpr-admin-amplify
Advanced Video Player with Analytics	advanced-video-player-with-analytics
Adventure Bucket List	adventure-bucket-list
AgendaPress – Easily Publish Meeting Agendas and Programs on WordPress	agendapress
Ajax Content Filter	ajax-content-filter
Alert Me!	alert-me
Algori PDF Viewer	algori-pdf-viewer
Anant Addons for Elementor	anant-addons-for-elementor
Assist24 Help Desk	assist24it
Attesa Extra	attesa-extra
audioCase	audiocase
Awesome Fitness Testimonials	awesome-fitness-testimonials
Awesome Tool Tip	awesome-tool-tip
AzonBox	azonbox
Bamboo Enquiries	bamboo-enquiries
Banner System	banner-system
Basticom Framework	basticom-framework
Be Shortcodes	be-shortcodes
Beacon For Help Scout	beacon-for-helpscout
BeBetter Social Icons	bebetter-social-icons
best bootstrap widgets for elementor	best-bootstrap-widgets-for-elementor
Bg Patriarchia BU	bg-patriarchia-bu
Bing Search API Integration	abbs-bing-search
Bitcoin Payments	bitcoin-payments
Blocks Post Grid	blocks-post-grid
Boombox Shortcode Plugin	boombox-shortcode
Brand my Footer	brand-my-footer
Browsing History	browsing-history
BU Slideshow	bu-slideshow
Buooy Sticky Header	buooy-sticky-header
Category Ajax Filter	category-ajax-filter
CE21 Suite	ce21-suite
Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More	charitable
Charity Addon for Elementor	charity-addon-for-elementor
Christian Science Bible Lesson Subjects	christian-science-bible-lesson-subjects
Code Embed	simple-embed-code
codeSnips	codesnips
Combo WP Rewrite Slugs	combo-wp-rewrite-slugs
Community Yard Sale	community-yard-sale
Contact Form 7 – Dynamic Text Extension	contact-form-7-dynamic-text-extension
Contact Form 7 – PayPal & Stripe Add-on	contact-form-7-paypal-add-on
Content Slider Block	content-slider-block
Content Syndication Toolkit Reader	content-syndication-toolkit-reader
Conversion Helper	conversion-helper
Cookie Nonsense for YT	yt-cookie-nonsense
Countdown Timer block – Display the event’s date into a timer.	countdown-time
Cowidgets – Elementor Addons	cowidgets-elementor-addons
Creative Blocks – Ultimate Blocks for Gutenberg	creative-blocks
CRM 2go – Formulario de contacto	crm2go
CRM WordPress Plugin – RepairBuddy	computer-repair-shop
Custom Dashboard Widget	create-custom-dashboard-widget
Custom URL Shortener	custom-url-shorter
Daily Image	daily-image
Dashing Memberships	dashing-memberships
Debug Tool	debug-tool
Design for Contact Form 7 Style WordPress Plugin – CF7 WOW Styler	cf7-styler
Don’t Break The Code	dont-break-the-code
Doofinder	doofinder
drop in image slideshow gallery	drop-in-image-slideshow-gallery
DuoGeek – Gutenberg Blocks	duogeek-blocks
Dynamic Post Grid Elementor Addon	dynamic-post-grid-elementor-addon
Easy Social Sharebar	easy-social-sharebar
Easy SVG Support	easy-svg
eewee admin custom	eewee-admincustom
Ekiline Block Collection	ekiline-block-collection
EleForms – All In One Form Integration including DB for Elementor	all-contact-form-integration-for-elementor
Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows)	bdthemes-element-pack-lite
Elementor Header & Footer Builder	header-footer-elementor
ElementsReady Addons for Elementor	element-ready-lite
Embed documents shortcode	embed-documents-shortcode
Envo Extra	envo-extra
ESB Testimonials	esb-testimonials
Event post	event-post
EventPress	wp-eventpress
Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin	everest-backup
Fabrica Synced Pattern Instances	fabrica-reusable-block-instances
Faltu Testimonial Rotator	faltu-testimonial-rotator
Fancy User List	fancy-user-listing
Fast Video and Image Display	fast-video-and-image-display
Featured product by category name	featured-product-by-category-name
File Select Control For Elementor	file-select-control-for-elementor
Firework Shoppable Live Video	firework-videos
Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder	form-maker
Forms	forms-by-made-it
Forms: 3rd-Party Post Again	forms-3rdparty-post-again
FOX – Currency Switcher Professional for WooCommerce	woocommerce-currency-switcher
FriendStore for WooCommerce	friendstore-for-woocommerce
Gboy Custom Google Map	gboy-custom-google-map
Geoportail Shortcode	geoportail-shortcode
Geotagged Media	geotagged-media
Google Visualization Charts	google-visualization-charts
GreenCon – Table, Listing, Marketing builder for Gutenberg	greencon
Gutenium Blocks	gutenium
HB AUDIO GALLERY	hb-audio-gallery
Heateor Social Login WordPress	heateor-social-login
Hola Free Video Player	hola-free-video-player
Horsemanager	fruitcake-horsemanager
HQ60 Fidelity Card	hq60-fidelity-card
I Plant A Tree	i-plant-a-tree
IA Map Analytics Basic	ia-map-analytics-basic
Icon Widget	icon-widget-with-links
Image Carousel Shortcode	image-carousel-shortcode
Image Classify	image-classify
imPress	wp-js-impress
Inline Click To Tweet	inline-click-to-tweet
IntelliWidget Elements	intelliwidget-elements
Jigoshop – Store Toolkit	jigoshop-store-toolkit
JobSearch WP Job Board	wp-jobsearch
Keymaster Chord Notation Free	keymaster-chord-notation-free
Kings Tab Slider	kings-tab-slider
L Squared Hub WP – Virtual Device Plugin	l-squared-hub-wp-virtual-device
Landing Page Cat – Coming Soon Page, Maintenance Page & Squeeze Pages	landing-page-cat
Lead capture, gated content & newsletter opt-ins	bread-butter
Lenxel Core for Lenxel(LNX) LMS	lenxel-core
Leopard – WordPress Offload Media	leopard-wordpress-offload-media
Lewe Bootstrap Visuals	shortcode-bootstrap-visuals
LIQUID BLOCKS – Slider, Carousel, Accordion	liquid-blocks
Location Click Map	location-click-map
Loginizer	loginizer
Loginizer Security	loginizer-security
Loginplus	loginplus
Luzuk Slider	luzuk-slider
Luzuk Team	luzuk-team
Luzuk Testimonials	luzuk-testimonials
Mage Front End Forms	mage-forms
Magic Slider	magic-slider
Magical Addons For Elementor ( Header Footer Builder, Free Elementor Widgets, Elementor Templates Library )	magical-addons-for-elementor
Map Store Locator	map-store-location
Mapme	mapme
MapPress Maps for WordPress	mappress-google-maps-for-wordpress
Master Bar	master-bar
MDC YouTube Downloader	mdc-youtube-downloader
mFolio Lite	mfolio-lite
MG Post Contributors	mg-post-contributors
Minical Hotel Booking Plugin	minical
Mobile Kiosk	mobile-kiosk
Moka Get Posts Shortcode	moka-get-posts
Moose Elementor Kit	moose-elementor-kit
Multi-day Booking Calendar	multi-day-booking-calendar
Multifox Plus	multifox-plus
Multiple Votes in one page	multiple-votes-in-one-page
My Restaurant Menu	my-restaurant-menu
myCred – Loyalty Points and Rewards plugin for WordPress and WooCommerce – Give Points, Ranks, Badges, Cashback, WooCommerce rewards, and WooCommerce credits for Gamification	mycred
Narnoo Commerce Manager	narnoo-commerce-manager
News Articles	news-articles
News Ticker	newsticker
NV Slider	nv-slider
Official SalesWizard CRM Plugin	official-saleswizard-crm
Olympus Shortcodes	olympus-shortcodes
OpenCart Product Display	opencart-product-display
OS BXSlider	os-bxslider
OS Our Team	os-our-team
OS Pricing Tables	os-pricing-tables
OSM – OpenStreetMap	osm
Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction	paid-member-subscriptions
Parallaxer – Parallax Effect on Content	parallaxer-lite-parallax-effects-on-images
ParOne Feeds	parone
Pay With Stripe – Your WordPress Payments Stripe Gateway	payments-stripe-gateway
Pdf Embedder Fay	pdf-embedder-fay
Persian Nested Show/Hide Text	persian-nested-showhide-text
PF Timer	pf-timer
Photo Gallery by 10Web – Mobile-Friendly Image Gallery	photo-gallery
Photographer Connections	photographer-connections
Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons	contest-gallery
Plenigo	plenigo
Poll Maker – Versus Polls, Anonymous Polls, Image Polls	poll-maker
Popup Image	popup-image
Postcasa Shortcode	postcasa
Postify: Post Layout For Elementor	postify-for-elementor
Posts Filter	posts-filter
Posts Search	posts-search
Pricing Tables WordPress Plugin – Easy Pricing Tables	easy-pricing-tables
Prime Slider – Addons For Elementor (Revolution of a slider, Hero Slider, Ecommerce Slider)	bdthemes-prime-slider-lite
Pro Addons For Elementor	pro-addons-for-elementor
PropertyShift	propertyshift
Provide Forex Signals	provide-forex-signals
Pull This	pull-this
Quform – WordPress Form Builder	quform
ra_qrcode	ra-qrcode
Realty by BestWebSoft	realty
Redirecter	shortcode-for-redirection
RegistrationMagic – User Registration Plugin with Custom Registration Forms	custom-registration-form-builder-with-submission-manager
Responsive Addons for Elementor – Free Elementor Addons Plugin and Elementor Templates	responsive-addons-for-elementor
Responsive Data Table	responsive-data-table
Responsive Filterable Portfolio	responsive-filterable-portfolio
Rig Elements For Elementor	rig-elements
RSV 360 View	rsv-360-view
RSV PDF Preview	rsv-pdf-preview
Saragna – Social Stream WordPress	saragna-social-stream
Satisfaction Reports from Help Scout	happiness-reports-for-help-scout
scrollup	scrollup
Search order by product SKU for WooCommerce	search-order-by-product-sku-for-woocommerce
Sell Media File with Stripe	sell-media-file
Semantic Shortcode	semantic-shortcode
Seriously Simple Podcasting	seriously-simple-podcasting
Share Buttons – Social Media	rich-web-share-button
Shortcode Collection	shortcode-collection
Shortcodes Blocks Creator Ultimate	ultimate-shortcodes-creator
Simple Modal	simplemodal
Simple Shortcode for Google Maps	simple-google-maps-short-code
Simple Social Share Block	simple-social-share-block
SimpleGMaps	simplegmaps
Simplistic SEO	simplistic-seo
Simpul Events by Esotech	simpul-events-by-esotech
SKT Addons for Elementor	skt-addons-for-elementor
Smooth Maps	colour-smooth-maps
Social button	social-button
Social Locker – Increase Traffic	social-locker-content
Social Share, Social Login and Social Comments Plugin – Super Socializer	super-socializer
SrcSet Responsive Images for WordPress	truenorth-srcset
Stylish Internal Links	stylish-internal-links
Surbma \| Font Awesome	surbma-font-awesome
SV Forms	sv-forms
SVT Simple	svt-simple
SysBasics Customize My Account for WooCommerce	customize-my-account-for-woocommerce
Team Showcase and Slider – Team Members Builder	team-showcase-ultimate
TeleAdmin	teleadmin
Testimonial Slider Shortcode	testimonial-slider-shortcode
Text Advertisements	text-advertisements
The Novel Design Store Directory	noveldesign-store-directory
The Pack Elementor addons (Header Footer & WooCommerce Builder, Template Library)	the-pack-addon
Tickera – WordPress Event Ticketing	tickera-event-ticketing-system
Tigris Flexplatform	tigris-flexplatform
TinyCode	tinycode
Topbar ID for Elementor	topbar-id-for-elementor
Trendy Restaurant Menu – Best Restaurant Plugin for WordPress	trendy-restaurant-menu
Tumult Hype Animations	tumult-hype-animations
Twitter real time search scrolling	twitter-real-time-search-scrolling
Ultimate Accordion	ultimate-accordion
Ultimate Bootstrap Elements for Elementor	ultimate-bootstrap-elements-for-elementor
Ultimate Flipbox Addon for Elementor	ultimate-flipbox-addon-for-elementor
User Meta – User Profile Builder and User management plugin	user-meta
User Password Reset	user-password-reset
Utech Spinning Earth	utech-spinning-earth
UW Freelancer	uw-freelancer
Video Gallery for WooCommerce	video-wc-gallery
VP Sitemap	vp-sitemap
Wd-image-magnifier-xoss	wd-image-magnifier-xoss
WE – Client Logo Carousel	we-client-logo-carousel
Web Stories Widgets For Elementor	shortcodes-for-amp-web-stories-and-elementor-widget
Websand Subscription Form	websand-subscription-form
Website remote Install vor Gravity, WPForms, Formidable, Ninja, Caldera	wp-website-creator
Wezido – Elementor Addon Based on Easy Digital Downloads	wezido-elementor-addon-based-on-easy-digital-downloads
WooCommerce – Social Login	woo-social-login
WooCommerce Report	ithemelandco-woo-report
WooCommerce Support Ticket System	woocommerce-support-ticket-system
WordPress User Extra Fields	wp-user-extra-fields
WoW Guild Armory Roster	guild-armory-roster
WP Agenda	wp-agenda
WP Contest	wp-contest
WP Listings Pro	wp-listings-pro
WP Membership	wp-membership
WP MMenu Lite	wp-mmenu-lite
WP PagSeguro Payments	wp-pagseguro-payments
WP Photo Album Plus	wp-photo-album-plus
WP Responsive Video	my-wp-responsive-video
Wp Slide Categorywise	wp-slide-categorywise
WP Virtual Room Configurator	configure-conference-room
WP Visual Adverts	wp-visual-adverts
WP-Basics	wp-basics
wp_automatic_widget	wp-automatic-widget
WPHelpful	wphelpful
WS Form LITE – Drag & Drop Contact Form Builder for WordPress	ws-form
XT Floating Cart for WooCommerce	woo-floating-cart-lite
YaDisk Files	wp-yadisk-files
yPHPlista	yphplista
Zotpress	zotpress
活动链接推广插件	yr-activity-link

WordPress Themes with Reported Vulnerabilities Last Week

Software Name	Software Slug
Anih – Creative Agency WordPress Theme	anih
Storely	storely
Th Shop Mania	th-shop-mania
Top Store	top-store
WPLMS Learning Management System for WordPress, WordPress LMS	wplms

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

WP JobSearch <= 2.6.7 – Unauthenticated Arbitrary File Upload

10.0

CVSS Rating
Critical (10.0)

CVE-ID
CVE-2024-8615

Patch Status
Patched

Published
Nov 5, 2024

Affected Software
JobSearch WP Job Board

Researcher