Wordfence Intelligence Weekly WordPress Vulnerability Report (October 14, 2024 to October 20, 2024)

Calling all superheroes and haunters! Introducing the Cybersecurity Month Spooktacular Haunt and the WordPress Superhero Challenge for the Wordfence Bug Bounty Program! Through November 11th, 2024:

All in-scope vulnerability types for WordPress plugins/themes with >= 1,000 active installations are in-scope for ALL researchers
Top-tier researchers earn automatic bonuses of between 10% to 120% for valid submissions
Pending report limits are increased for all
It’s possible to earn up to $31,200 for high impact vulnerabilities!

Last week, there were 221 vulnerabilities disclosed in 205 WordPress Plugins and 4 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 52 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 19,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

WAF-RULE-756 – Data redacted while we work with the vendor on a patch.

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status	Number of Vulnerabilities
Patched	93
Unpatched	128

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating	Number of Vulnerabilities
Medium Severity	149
High Severity	40
Critical Severity	32

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE	Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)	99
Cross-Site Request Forgery (CSRF)	32
Unrestricted Upload of File with Dangerous Type	17
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)	14
Missing Authorization	12
Deserialization of Untrusted Data	10
Exposure of Sensitive Information to an Unauthorized Actor	7
Improper Control of Generation of Code (‘Code Injection’)	5
Authentication Bypass Using an Alternate Path or Channel	4
Authorization Bypass Through User-Controlled Key	4
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)	4
Incorrect Privilege Assignment	4
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’)	3
Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)	1
Improper Check or Handling of Exceptional Conditions	1
Improper Privilege Management	1
Reliance on Cookies without Validation and Integrity Checking in a Security Decision	1
Server-Side Request Forgery (SSRF)	1
Weak Password Recovery Mechanism for Forgotten Password	1

Researchers That Contributed to WordPress Security Last Week

Researcher Name	Number of Vulnerabilities
João Pedro Soares de Alcântara	24
stealthcopter	22
SOPROBRO	18
Francesco Carlucci	16
vgo0	13
István Márton	12
LVT-tholv2k	8
Khalid Yusuf	6
theviper17y	6
Mika	6
Peter Thaleikis	6
Robert DeVore	4
TANG Cheuk Hei (siunam)	4
wesley (wcraft)	4
Colin Xu	4
Rafie Muhammad	4
Trương Hữu Phúc (truonghuuphuc)	4
Le Ngoc Anh	4
Joshua Chan	4
akas wisnu aji	3
RE-ALTER	3
Muhammad Daffa	3
Marek Mikita	2
Jeewan Kumar Bhatta	2
Bilal Chawich (Duke)	2
Vijaysimha Reddy (vijaysimha)	2
ghsinfosec	2
Phill Sav (Savphill)	2
Gab	2
Nishiv	2
Hakiduck	2
Ala Arfaoui	1
Sharanabasappa	1
shaman0x01	1
C_T_R_L	1
Bikram Kharal	1
Noah Stead (TurtleBurg)	1
Nguyễn Trung Kiên	1
Tieu Pham Trong Nhan	1
Ananda Dhakal	1
Muhammad Adel (ItsFadinG)	1
Ankit Patel	1
Dimas Maulana	1
kayge	1
Duc Luong Tran	1
drop	1
Michael	1
lefab	1
Bob Matyas	1
UKO	1
Abdi Pranata	1
Max Boll (_b0lli)	1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name	Software Slug
AADMY – Add Auto Date Month Year Into Posts	auto-date-year-month
AB Categories Search Widget	ab-categories-search-widget
Accordion Slider	accordion-slider
Ad Inserter – Ad Manager & AdSense Ads	ad-inserter
Add Categories Post Footer	add-categories-post-footer
Add Widget After Content	add-widget-after-content
Adding drop down roles in registration	user-drop-down-roles-in-registration
ADIF Log Search Widget	adif-log-search-widget
Admin Management Xtended	admin-management-xtended
Advanced Advertising System	advanced-advertising-system
Advanced Category and Custom Taxonomy Image	advanced-category-and-custom-taxonomy-image
Advanced Custom Fields	advanced-custom-fields
Advanced Custom Fields Pro	advanced-custom-fields-pro
Affiliator	affiliator-lite
Ahime Image Printer	ahime-image-printer
Ahmeti Wp Timeline	ahmeti-wp-timeline
Ajax Custom CSS/JS	ajax-awesome-css
Ajax Rating with Custom Login	ajax-rating-with-custom-login
ajax-extend	ajax-extend
Akismet htaccess writer	akismet-htaccess-writer
Analyse Uploads	analyse-uploads
Animator – Scroll Triggered Animations	scroll-triggered-animations
Apa Banner Slider	apa-banner-slider
APA Register Newsletter Form	apa-register-newsletter-form
Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin	simply-schedule-appointments
AppPresser – Mobile App Framework	apppresser
Arconix Shortcodes	arconix-shortcodes
Arkhe Blocks	arkhe-blocks
Author Discussion	author-discussion
Awesome Contact Form7 for Elementor	awesome-contact-form7-for-elementor
Azz Anonim Posting	azz-anonim-posting
Back Link Tracker	back-link-tracker
Better Author Bio	better-author-bio
Booking.com Banner Creator	bookingcom-banner-creator
Branding	branding
BuddyPress Better Registration	better-bp-registration
Bulk images optimizer: Resize, optimize, convert to webp, rename …	bulk-image-resizer
bVerse Convert	bverse-convert
Calculated Fields Form	calculated-fields-form
CJ Change Howdy	cj-change-howdy
Click to Chat – WP Support All-in-One Floating Widget	support-chat
Clio Grow Form	clio-grow-form
Co-Authors, Multiple Authors and Guest Authors in an Author Box with PublishPress Authors	publishpress-authors
Community by PeepSo – Social Network, Membership, Registration, User Profiles, Premium – Mobile App	peepso-core
Community Lite Video Chat	avchat-3
Contact Form by Supsystic	contact-form-by-supsystic
Contact Forms, Live Support, CRM, Video Messages	live-support-tickets
Cooked Pro	cooked-pro
Cookie Scanner – automated cookie list	cookie-scanner
Country Flags for Elementor	country-flags-for-elementor
Crazy Call To Action Box	crazy-call-to-action-box
cSlider	cslider
CSV Product Import Export for WooCommerce	csv-wc-product-import-export
CURCY – Multi Currency for WooCommerce – The best free currency exchange plugin – Run smoothly on WooCommerce 8.x	woo-multi-currency
Custom Add to Cart Button Label and Link	woo-custom-cart-button
Customer Email Verification for WooCommerce	emails-verification-for-woocommerce
Da Reactions	da-reactions
Debrandify · Remove or Replace WordPress Branding	debrandify
Digital Lottery	digital-lottery
Discount Rules for WooCommerce – Create Smart WooCommerce Coupons & Discounts, Bulk Discount, BOGO Coupons	woo-discount-rules
DPD Baltic Shipping	woo-shipping-dpd-baltic
Duplicate Title Validate	duplicate-title-validate
Dynamic Elementor Addons	dynamic-elementor-addons
Easy Menu Manager \| WPZest	easy-menu-manager-wpzest
Edit WooCommerce Templates	woo-edit-templates
Edwiser Bridge – WordPress Moodle LMS Integration	edwiser-bridge
El mejor Cluster	mejorcluster
Elemenda	elemenda
ElementInvader Addons for Elementor	elementinvader-addons-for-elementor
Elementor Website Builder – More than Just a Page Builder	elementor
ElementsReady Addons for Elementor	element-ready-lite
Email Template Customizer for WooCommerce	email-template-customizer-for-woo
Encyclopedia / Glossary / Wiki	encyclopedia-lexicon-glossary-wiki-dictionary
Endless Posts Navigation	endless-posts-navigation
EventON Pro	eventon
Events Addon for Elementor	events-addon-for-elementor
Exclusive Addons for Elementor	exclusive-addons-for-elementor
Feed Comments Number	feed-comments-number
FERMA.ru.net	ferma-ru-net-checkout
File Manager Pro	wp-file-manager-pro
Flat UI Button	flat-ui-button
Flexmls® IDX Plugin	flexmls-idx
Fonto – Custom Web Fonts Manager	fonto
Forminator Forms – Contact Form, Payment Form & Custom Form Builder	forminator
FREE DOWNLOAD MANAGER	free-download-manager
Free Stock Photos Foter	free-stock-photos-foter
G Meta Keywords	g-meta-keywords
Gantry 4 Framework	gantry
GERRYWORKS Post by Mail	gerryworks-post-by-mail
GetResponse Forms by Optin Cat	getresponse
Giveaway Boost	giveaway-boost
GiveWP – Donation Plugin and Fundraising Platform	give
Google Map Locations	google-map-locations
GoogleDrive folder list	googledrive-folder-list
Htaccess File Editor – Easily Edit, Backup, Restore .htaccess file	htaccess-file-editor
Hyperlink Group Block	hyperlink-group-block
IdeaPush	ideapush
Infinite-Scroll	infinite-scroll
Jetpack – WP Security, Backup, Speed, & Growth	jetpack
JiangQie Free Mini Program	jiangqie-free-mini-program
Job Board Manager for WordPress	jemployee
Kama SpamBlock	kama-spamblock
Leyka	leyka
Lightbox slider – Responsive Lightbox Gallery	simple-lightbox-gallery
Limb Gallery \| Create Beautiful Image & Video Galleries	limb-gallery
Linked Variation for WooCommerce	linked-variation-for-woocommerce
Locatoraid Store Locator	locatoraid
Maan Addons For Elementor	maan-elementor-addons
MAS Companies For WP Job Manager	mas-wp-job-manager-company
MAS Elementor	mas-addons-for-elementor
Mighty Builder – Drag & Drop WordPress Page Builder	mighty-builder
Miniorange OTP Verification with Firebase	miniorange-firebase-sms-otp-verification
Mitm Bug Tracker	mitm-bug-tracker
Most And Least Read Posts Widget	most-and-least-read-posts-widget
Multiline files upload for contact form 7	multiline-files-for-contact-form-7
My Favorites	my-favorites
My Reading Library	my-reading-library
MyTweetLinks	mytweetlinks
Nextend Social Login Pro	nextend-social-login-pro
Nice Backgrounds	nicebackgrounds
Omnipress	omnipress
Parallax Image	parallax-image
Parcel Pro	woo-parcel-pro
PeproDev Ultimate Invoice	pepro-ultimate-invoice
Photo Gallery Builder	photo-gallery-builder
Photo Gallery Slideshow & Masonry Tiled Gallery	wp-responsive-photo-gallery
photokit	photokit
Pinpoint Booking System – #1 WordPress Booking Plugin	booking-system
Plexx Elementor Extension	plexx-elementor-extension
Plugin Name: Sovratec Case Management	sovratec-case-management
Point Maker	point-maker
Post From Frontend	post-from-frontend
Primary Addon for Elementor	primary-addon-for-elementor
Product Customizer Light	product-customizer-light
Product Website Showcase	product-websites-showcase
ProfileGrid – User Profiles, Groups and Communities	profilegrid-user-profiles-groups-and-communities
Property Lot Management System	plms
Rate Own Post	rate-own-post
Recently – Viewed, Most Viewed and Sold Products for WooCommerce	recently-viewed-most-viewed-and-sold-products-for-woocommerce
ReDi Restaurant Reservation	redi-restaurant-reservation
Responsive Lightbox & Gallery	responsive-lightbox
Responsive Pricing Table Builder – wpPricing Builder	wppricing-builder-lite-responsive-pricing-table-builder
Royal Elementor Addons and Templates	royal-elementor-addons
RS-Members	rs-members
RSS Feed Widget	rss-feed-widget
SafetyForms – Create forms with Real-time Email Validation	safetymails-forms
Secure Custom Fields	advanced-custom-fields
SendGrid for WordPress	wp-sendgrid-mailer
SendPulse Free Web Push	sendpulse-web-push
SEO Manager	seo-manager
SermonAudio Widgets	sermonaudio-widgets
Shipyaari Shipping Management	shipyaari-shipping-managment
Simple Code Insert Shortcode	simple-code-insert-shortcode
Simple Custom Post Order	simple-custom-post-order
Simple Testimonials Showcase	simple-testimonials-showcase
Simple User Registration	wp-registration
Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates)	sina-extension-for-elementor
SiteBuilder Dynamic Components	sitebuilder-dynamic-components
SlimStat Analytics	wp-slimstat
Smart Blocks	smart-blocks
Smart Online Order for Clover	clover-online-orders
Social Auto Poster	social-auto-poster
Social Link Groups	social-link-groups
Social Share With Floating Bar	social-share-with-floating-bar
StreamWeasels Twitch Integration	streamweasels-twitch-integration
Suki Sites Import	suki-sites-import
Surfer – WordPress Plugin	surferseo
SW Contact Form	sw-contact-form
Table of Contents Plus	table-of-contents-plus
TAKETIN To WP Membership	taketin-to-wp-membership
The Ultimate WordPress Toolkit – WP Extended	wpextended
Themesflat Addons For Elementor	themesflat-addons-for-elementor
Time Clock Pro	time-clock-pro
Time Clock – A WordPress Employee & Volunteer Time Clock Plugin	time-clock
Tito	tito
Ultimate AI	Ultimate_AI
UltraAddons – Elementor Addons (Header Footer Builder, Custom Font, Custom CSS,Woo Widget, Menu Builder, Anywhere Elementor Shortcode)	ultraaddons-elementor-lite
Unlimited Addon For Elementor	unlimited-addon-for-elementor
Unlimited Elements For Elementor (Free Widgets, Addons, Templates)	unlimited-elements-for-elementor
VKontakte Wall Post	vkontakte-wall-post
VOD Infomaniak	vod-infomaniak
Woo Manage Fraud Orders	woo-manage-fraud-orders
WooCommerce	woocommerce
Woostagram Connect	woostagram-connect
WordPress Image SEO	wp-image-seo
WordPress Portfolio Builder – Portfolio Gallery	uber-grid
WordPress Social Share Buttons	share-button
WordPress Video	wordpress-video
WP 2FA with Telegram	two-factor-login-telegram
WP Content Copy Protection & No Right Click	wp-content-copy-protector
WP Dropbox Dropins	wp-dropbox-dropins
WP Easy Post Types	easy-post-types
WP Education – Education WordPress Plugin for Elementor	wp-education
WP Photo Album Plus	wp-photo-album-plus
WP Popup Builder – Popup Forms and Marketing Lead Generation	wp-popup-builder
WP REST API FNS Plugin	rest-api-fns
WP SendFox	wp-sendfox
WP Timetics- AI-powered Appointment Booking Calendar and Online Scheduling Plugin	timetics
WP ULike – All-in-One Engagement Toolkit	wp-ulike
WP VR – 360 Panorama and Virtual Tour Builder For WordPress	wpvr
WP-Spreadplugin	wp-spreadplugin
WPIDE – File Manager & Code Editor	wpide
Wsify widget	wsify-widget
Zita Elementor Site Library	zita-site-library
افزونه پیامک ووکامرس Persian WooCommerce SMS	persian-woocommerce-sms

WordPress Themes with Reported Vulnerabilities Last Week

Software Name	Software Slug
Digitally	digitally
Disconnected	disconnected
my flatonica	my-flatonica
my wooden under construction	my-wooden-under-construction

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

Adding drop down roles in registration <= 1.1 – Unauthenticated Privilege Escalation

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-49217

Patch Status
Unpatched

Published
Oct 14, 2024

Affected Software
Adding drop down roles in registration

Researcher