Wordfence Intelligence Weekly WordPress Vulnerability Report (December 18, 2023 to December 31, 2023)
🎉Wordfence just launched its bug bounty program. For the first 6 months, all awarded bounties receive a 10% bonus. View the announcement to learn more now!
Over the last two weeks, 263 vulnerabilities disclosed in 217 WordPress plugins and 3 WordPress themes were added to the Wordfence Intelligence Vulnerability Database, and 42 vulnerability researchers contributed to WordPress security over that period. Review the vulnerabilities in this report to confirm that none of them affect your sites.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, including the WordPress community, so that individuals and organizations alike can use that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and use, both personally and commercially, and why we publish this weekly vulnerability report.
Enterprises, hosting providers, and individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Alternatively, they can use the vulnerability database API to receive a complete dump of our database of over 12,000 vulnerabilities and then use the webhook integration to stay on top of the newest vulnerabilities as they are added in real time, as well as any updates made to existing records, all for free.
Click here to sign up for our mailing list to receive weekly vulnerability reports like this one and important WordPress security reports in your inbox the moment they are published.
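The practical use of a database dump is to match it against what is actually installed on your sites. The script below is an added example, not Wordfence's own code or the Wordfence CLI: it takes feed records and a site inventory and reports every installed plugin or theme whose version falls inside an affected range. The record layout (a `software` list with `type`, `slug`, `affected_versions` ranges carrying `from_version`/`to_version` and inclusive flags, plus `patched`/`patched_versions`) is an assumption about the feed's shape and should be adjusted to the fields you actually receive; the three records and the inventory are constructed for this example and describe no real vulnerabilities.

```python
"""Match an installed-software inventory against vulnerability feed records.

Added example, not Wordfence's code.  The record shape below (software[].type,
slug, affected_versions with from/to bounds and inclusive flags, patched,
patched_versions) is an ASSUMPTION about the feed; the records and the
inventory are constructed and describe no real vulnerabilities.
"""
import re

# Constructed sample records in the assumed feed shape.
SAMPLE_FEED = {
    "00000000-0000-4000-8000-000000000001": {
        "title": "Example Plugin <= 2.4.1 - Missing Authorization",
        "cvss": {"score": 5.3, "rating": "Medium"},
        "software": [{"type": "plugin", "slug": "example-plugin",
                      "affected_versions": {"* - 2.4.1": {
                          "from_version": "*", "from_inclusive": True,
                          "to_version": "2.4.1", "to_inclusive": True}},
                      "patched": True, "patched_versions": ["2.4.2"]}],
    },
    "00000000-0000-4000-8000-000000000002": {
        "title": "Other Plugin 1.0 - 2.0 - Authenticated SQL Injection",
        "cvss": {"score": 8.8, "rating": "High"},
        "software": [{"type": "plugin", "slug": "other-plugin",
                      "affected_versions": {"1.0 - 2.0": {
                          "from_version": "1.0", "from_inclusive": True,
                          "to_version": "2.0", "to_inclusive": False}},
                      "patched": False, "patched_versions": []}],
    },
    "00000000-0000-4000-8000-000000000003": {
        "title": "Example Theme <= 2.9.9 - Stored XSS",
        "cvss": {"score": 6.4, "rating": "Medium"},
        "software": [{"type": "theme", "slug": "example-theme",
                      "affected_versions": {"* - 2.9.9": {
                          "from_version": "*", "from_inclusive": True,
                          "to_version": "2.9.9", "to_inclusive": True}},
                      "patched": True, "patched_versions": ["3.0.0"]}],
    },
}

# Constructed inventory, (type, slug) -> installed version, as a site scan would produce.
INSTALLED = {
    ("plugin", "example-plugin"): "2.4.1",  # on the inclusive upper bound -> affected
    ("plugin", "other-plugin"): "1.6.0",    # inside the half-open range   -> affected
    ("theme", "example-theme"): "3.0.0",    # above the range              -> clean
}


def version_key(version: str) -> list:
    """Tokenise '1.10.2-beta': numeric parts compare as integers, and an
    alphabetic suffix sorts below the bare release (1.0-beta < 1.0)."""
    key = []
    for tok in re.split(r"[.\-_+]", version.strip()):
        if tok.isdigit():
            key.append((1, int(tok)))
        elif tok:
            key.append((0, tok.lower()))
    return key


def compare(a: str, b: str) -> int:
    """-1, 0 or 1 in the manner of PHP's version_compare; missing trailing parts are zero."""
    ka, kb = version_key(a), version_key(b)
    n = max(len(ka), len(kb))
    ka += [(1, 0)] * (n - len(ka))
    kb += [(1, 0)] * (n - len(kb))
    return (ka > kb) - (ka < kb)


def in_range(version: str, rng: dict) -> bool:
    """True if version lies inside an affected range; '*' is unbounded on that side."""
    lo, hi = rng.get("from_version", "*"), rng.get("to_version", "*")
    if lo != "*":
        c = compare(version, lo)
        if c < 0 or (c == 0 and not rng.get("from_inclusive", True)):
            return False
    if hi != "*":
        c = compare(version, hi)
        if c > 0 or (c == 0 and not rng.get("to_inclusive", True)):
            return False
    return True


def find_matches(feed: dict, installed: dict) -> list:
    """One finding per (vulnerability, installed software) pair whose version is affected."""
    findings = []
    for vuln_id, rec in feed.items():
        for sw in rec.get("software", []):
            ver = installed.get((sw.get("type"), sw.get("slug")))
            if ver is None:
                continue
            if any(in_range(ver, r) for r in sw.get("affected_versions", {}).values()):
                fix = sw.get("patched_versions", []) if sw.get("patched") else []
                findings.append({"id": vuln_id, "type": sw["type"], "slug": sw["slug"],
                                 "installed": ver, "title": rec.get("title"),
                                 "rating": rec.get("cvss", {}).get("rating"),
                                 "fix_versions": fix})  # empty: no patch available yet
    return findings


if __name__ == "__main__":
    for f in find_matches(SAMPLE_FEED, INSTALLED):
        fix = ", ".join(f["fix_versions"]) or "no patched version (unpatched)"
        print(f'{f["rating"]:<7} {f["type"]}/{f["slug"]} {f["installed"]}: {f["title"]} -> {fix}')
```

Two details matter in practice. Ranges in feeds of this kind are frequently half-open or bounded by `*`, so the inclusive flags have to be honoured rather than assuming `<=`; and a finding with an empty `fix_versions` list is an unpatched issue, which is where a mitigation decision (virtual patching, disabling the plugin) rather than an update is needed.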
New Firewall Rules Deployed Last Two Weeks
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real time to our Premium, Care, and Response customers over the last two weeks:
- Directory Traversal via HTTP Headers
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30-day delay.
Total Unpatched & Patched Vulnerabilities Last Two Weeks
| Patch Status | Number of Vulnerabilities |
|---|---|
Unpatched | 43 |
Patched | 220 |
Total Vulnerabilities by CVSS Severity Last Two Weeks
| Severity Rating | Number of Vulnerabilities |
|---|---|
Low Severity | 1 |
Medium Severity | 212 |
High Severity | 30 |
Critical Severity | 20 |
Total Vulnerabilities by CWE Type Last Two Weeks
| Vulnerability Type by CWE | Number of Vulnerabilities |
|---|---|
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 77 |
Missing Authorization | 51 |
Cross-Site Request Forgery (CSRF) | 47 |
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 30 |
Unrestricted Upload of File with Dangerous Type | 9 |
Deserialization of Untrusted Data | 7 |
Information Exposure Through Log Files | 7 |
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 5 |
Information Exposure | 4 |
Protection Mechanism Failure | 3 |
Authorization Bypass Through User-Controlled Key | 3 |
Server-Side Request Forgery (SSRF) | 2 |
URL Redirection to Untrusted Site (‘Open Redirect’) | 2 |
Storage of Sensitive Data in a Mechanism without Access Control | 2 |
Weak Password Recovery Mechanism for Forgotten Password | 2 |
Improper Input Validation | 2 |
Improper Privilege Management | 1 |
Reliance on IP Address for Authentication | 1 |
External Control of File Name or Path | 1 |
Information Exposure Through Debug Information | 1 |
Use of Less Trusted Source | 1 |
Improper Authentication | 1 |
Improper Authorization | 1 |
Improper Access Control | 1 |
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) | 1 |
Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) | 1 |
Researchers That Contributed to WordPress Security Last Two Weeks
| Researcher Name | Number of Vulnerabilities |
|---|---|
Rafie Muhammad | 61 |
Brandon James Roldan (tomorrowisnew) | 24 |
Muhammad Daffa | 23 |
Ngô Thiên An (ancorn_) | 16 |
LVT-tholv2k | 14 |
emad | 11 |
Abdi Pranata | 10 |
Joshua Chan | 10 |
Nguyen Xuan Chien | 9 |
Abu Hurayra (HurayraIIT) | 9 |
Mika | 6 |
Skalucy | 6 |
Dave Jong | 6 |
thiennv | 5 |
resecured.io | 5 |
Revan Arifio | 5 |
Huynh Tien Si | 3 |
wpdabh | 3 |
Le Ngoc Anh | 3 |
Dmitrii Ignatyev | 3 |
DoYeon Park (p6rkdoye0n) | 3 |
Hiroho Shimada | 2 |
Kyle Sanchez | 2 |
Hung -mov Nguyen | 2 |
Webbernaut | 2 |
Nguyen Anh Tien | 2 |
Jeongwoo-Lee(Roronoa) | 2 |
Elliot | 1 |
István Márton (Wordfence Vulnerability Researcher) | 1 |
Taihei Shimamine | 1 |
Rein Daelman (trein) | 1 |
Robert DeVore | 1 |
Marc-Alexandre Montpas | 1 |
Vladislav Pokrovsky (ΞX.MI) | 1 |
Yuchen Ji | 1 |
Fariq Fadillah Gusti Insani (fariqfgi) | 1 |
Yudistira Arya | 1 |
Lucio Sá | 1 |
Francesco Carlucci | 1 |
Benmalek Aymen (centaurus) | 1 |
Nex Team | 1 |
Françoa Taffarel | 1 |
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Two Weeks
| Software Name | Software Slug |
|---|---|
404 Solution | 404-solution |
AI Power: Complete AI Pack – Powered by GPT-4 | gpt3-ai-content-generator |
AMP for WP – Accelerated Mobile Pages | accelerated-mobile-pages |
ARI Stream Quiz – WordPress Quizzes Builder | ari-stream-quiz |
ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup | armember-membership |
Accredible Certificates & Open Badges | accredible-certificates |
Active Products Tables for WooCommerce. Professional products tables for WooCommerce store | profit-products-tables-for-woocommerce |
Add Any Extension to Pages | add-any-extension-to-pages |
Advanced Access Manager – Restricted Content, Users & Roles, Enhanced Security and More | advanced-access-manager |
Advanced Category Template | advanced-category-template |
Advanced Form Integration – Connect WooCommerce and Contact Form 7 to Google Sheets and other platforms | advanced-form-integration |
Affiliates Manager | affiliates-manager |
All-in-one Floating Contact Form, Call, Chat, and 50+ Social Icon Tabs – My Sticky Elements | mystickyelements |
Apollo13 Framework Extensions | apollo13-framework-extensions |
Appointment & Event Booking Calendar Plugin – Webba Booking | webba-booking-lite |
Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin | simply-schedule-appointments |
Author Box, Guest Author and Co-Authors for Your Posts – Molongui | molongui-authorship |
Auto Amazon Links – Amazon Associates Affiliate Plugin | amazon-auto-links |
Awesome Support – WordPress HelpDesk & Support Plugin | awesome-support |
BERTHA AI. Your AI co-pilot for WordPress and Chrome | bertha-ai-free |
Back Button Widget | back-button-widget |
Backup Migration | backup-backup |
Beaver Builder – WordPress Page Builder | beaver-builder-lite-version |
Block IPs for Gravity Forms | gf-block-ips |
Booking Calendar \| Appointment Booking \| BookIt | bookit |
Booking Manager | booking-manager |
Booking for Appointments and Events Calendar – Amelia | ameliabooking |
BookingPress – Appointment Booking Calendar Plugin and Online Scheduling Plugin | bookingpress-appointment-booking |
Booster Elite for WooCommerce | booster-elite-for-woocommerce |
Branda – White Label WordPress, Custom Login Page Customizer | branda-white-labeling |
Brave – Create Popup, Optins, Lead Generation, Survey, Sticky Elements & Interactive Content | brave-popup-builder |
BuddyPress | buddypress |
Build App Online | build-app-online |
BulkGate SMS Plugin for WooCommerce | woosms-sms-module-for-woocommerce |
Business Directory Plugin – Easy Listing Directories for WordPress | business-directory-plugin |
CBX Bookmark & Favorite | cbxwpbookmark |
CRM Perks Forms – WordPress Form Builder | crm-perks-forms |
CSS & JavaScript Toolbox | css-javascript-toolbox |
CURCY – Multi Currency for WooCommerce | UNKNOWN-CVE-2023-50831-1 |
Calculated Fields Form | calculated-fields-form |
Checkout Mestres WP | checkout-mestres-wp |
Clockwork SMS Notfications | mediaburst-email-to-sms |
Clone | wp-clone-by-wp-academy |
Colibri Page Builder | colibri-page-builder |
Conversios – Google Analytics 4 (GA4), Meta Pixel & more Via Google Tag Manager For WooCommerce | enhanced-e-commerce-for-woocommerce-store |
Crowdsignal Dashboard – Polls, Surveys & more | polldaddy |
Currency Converter Widget – Exchange Rates | currency-converter-widget |
Custom 404 Pro | custom-404-pro |
Custom Post Carousels with Owl | dd-post-carousel |
Custom Twitter Feeds – A Tweets Widget or X Feed Widget | custom-twitter-feeds |
Customer Reviews for WooCommerce | customer-reviews-woocommerce |
Customize My Account for WooCommerce | customize-my-account-for-woocommerce |
Dan’s Embedder for Google Calendar | dans-gcal |
Database Cleaner: Clean, Optimize & Repair | database-cleaner |
Defender Security – Malware Scanner, Login Security & Firewall | defender-security |
Disable Json API, Login Lockdown, XMLRPC, Pingback, Stop User Enumeration Anti Hacker Scan | antihacker |
Doofinder WP & WooCommerce Search | doofinder-for-woocommerce |
Duplicator – WordPress Migration & Backup Plugin | duplicator |
Dynamic Content for Elementor | dynamic-content-for-elementor |
E2Pdf – Export To Pdf Tool for WordPress | e2pdf |
Easy Digital Downloads – Sell Digital Files (eCommerce Store & Payments Made Easy) | easy-digital-downloads |
Easy PayPal & Stripe Buy Now Button | wp-ecommerce-paypal |
Easy Video Player | easy-video-player |
Eazy Plugin Manager – Powerful Plugin Management Solution for WordPress | plugins-on-steroids |
Enable Media Replace | enable-media-replace |
EnvíaloSimple: Email Marketing y Newsletters | envialosimple-email-marketing-y-newsletters-gratis |
Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates | essential-blocks |
Event Monster – Event Management, Tickets Booking, Upcoming Event | event-monster |
Events Shortcodes For The Events Calendar | template-events-calendar |
Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin | everest-backup |
Everest Forms – Build Contact Forms, Surveys, Polls, Application Forms, and more with Ease! | everest-forms |
Export Media URLs | export-media-urls |
FOX – Currency Switcher Professional for WooCommerce | woocommerce-currency-switcher |
FastDup – Fastest WordPress Migration & Duplicator | fastdup |
Floating Button | floating-button |
Fluent Support – WordPress Helpdesk and Customer Support Ticket Plugin | fluent-support |
Form plugin for WordPress – Zoho Forms | zoho-forms |
Frontend Admin by DynamiApps | acf-frontend-form-element |
Funnel Builder for WordPress by FunnelKit – Customize WooCommerce Checkout Pages, Create Sales Funnels & Maximize Profits | funnel-builder |
FunnelKit Checkout | woofunnels-aero-checkout |
GEO my WordPress | geo-my-wp |
GeoDirectory – WordPress Business Directory Plugin, or Classified Directory | geodirectory |
Google Photos Gallery with Shortcodes | google-picasa-albums-viewer |
HT Mega – Absolute Addons For Elementor | ht-mega-for-elementor |
HTML Forms | html-forms |
HUSKY – Products Filter for WooCommerce Professional | woocommerce-products-filter |
Happy Addons for Elementor | happy-elementor-addons |
HashBar – WordPress Notification Bar | hashbar-wp-notification-bar |
Icegram Engage – WordPress Lead Generation, Popup Builder, CTA, Optins and Email List Building | icegram |
If-So Dynamic Content Personalization | if-so |
Image Optimizer, Resizer and CDN – Sirv | sirv |
Image Source Control Lite – Show Image Credits and Captions | image-source-control-isc |
Impreza – WordPress Website and WooCommerce Builder | impreza |
Inline Image Upload for BBPress | image-upload-for-bbpress |
Insert or Embed Articulate Content into WordPress | insert-or-embed-articulate-content-into-wordpress |
Integrate Google Drive – Browse, Upload, Download, Embed, Play, Share, Gallery, and Manage Your Google Drive Files Into Your WordPress Site | integrate-google-drive |
JS Help Desk – Best Help Desk & Support Plugin | js-support-ticket |
JSM file_get_contents() Shortcode | wp-file-get-contents |
JVM Gutenberg Rich Text Icons | jvm-rich-text-icons |
Job Manager & Career – Manage job board listings, and recruitments | job-manager-career |
LA-Studio Element Kit for Elementor | lastudio-element-kit |
Limit Login Attempts Reloaded | limit-login-attempts-reloaded |
Loan Repayment Calculator and Application Form | quick-interest-slider |
Local Delivery Drivers for WooCommerce | local-delivery-drivers-for-woocommerce |
Login Lockdown – Protect Login Form | login-lockdown |
Login as User or Customer | login-as-customer-or-user |
Logo Slider – Logo Showcase, Logo Carousel, Logo Gallery and Client Logo Presentation | gs-logo-slider |
MC4WP: Mailchimp for WordPress | mailchimp-for-wp |
MF Gig Calendar | mf-gig-calendar |
MStore API | mstore-api |
Mail logging – WP Mail Catcher | wp-mail-catcher |
Malware Scanner | miniorange-malware-protection |
Media File Renamer: Rename Files (Manual, Auto & AI) | media-file-renamer |
Menu Image, Icons made easy | menu-image |
Metform Elementor Contact Form Builder | metform |
Most And Least Read Posts Widget | most-and-least-read-posts-widget |
Multi Step Form | multi-step-form |
MultiVendorX Marketplace – WooCommetrce MultiVendor Marketplace Solution | dc-woocommerce-multi-vendor |
My Agile Privacy – The only GDPR solution for WordPress that you can truly trust | myagileprivacy |
NEX-Forms – Ultimate Form Builder – Contact forms and much more | nex-forms-express-wp-form-builder |
New User Approve | new-user-approve |
NitroPack – Cache & Speed Optimization for Core Web Vitals, Defer CSS & JavaScript, Lazy load Images | nitropack |
Page Generator | page-generator |
Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction | paid-member-subscriptions |
Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions | paid-memberships-pro |
Pay with Vipps for WooCommerce | woo-vipps |
Photo Gallery by 10Web – Mobile-Friendly Image Gallery | photo-gallery |
Piotnet Forms | piotnetforms |
Poll Maker – Best WordPress Poll Plugin | poll-maker |
Pre* Party Resource Hints | pre-party-browser-hints |
Product Catalog Simple | post-type-x |
Product Code for WooCommerce | product-code-for-woocommerce |
Product Feed Manager – WooCommerce to Google Shopping, Social Catalogs, and 170+ Popular Marketplaces | best-woocommerce-feed |
Product Filter by WBW | woo-product-filter |
Product Table by WBW | woo-product-tables |
Product Vendors | woocommerce-product-vendors |
ProfileGrid – User Profiles, Memberships, Groups and Communities | profilegrid-user-profiles-groups-and-communities |
Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress | quiz-master-next |
Rate my Post – WP Rating System | rate-my-post |
Recipe Maker For Your Food Blog from Zip Recipes | zip-recipes |
Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit | wp-marketing-automations |
RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login | custom-registration-form-builder-with-submission-manager |
Rencontre – Dating Site | rencontre |
Republish Old Posts | republish-old-posts |
Restaurant Reservations | nd-restaurant-reservations |
Rise Blocks – A Complete Gutenberg Page Builder | rise-blocks |
Schema & Structured Data for WP & AMP | schema-and-structured-data-for-wp |
Send Users Email | send-users-email |
Sensei LMS – Online Courses, Quizzes, & Learning | sensei-lms |
Seos Contact Form | seos-contact-form |
Simple Counter | abwp-simple-counter |
Simple Job Board | simple-job-board |
Simple Membership | simple-membership |
Simple Staff List | simple-staff-list |
Slider by Soliloquy – Responsive Image Slider for WordPress | soliloquy-lite |
Spam protection, Anti-Spam, FireWall by CleanTalk | cleantalk-spam-protect |
Split Test For Elementor | split-test-for-elementor |
Squirrly SEO – Advanced Pack | squirrly-seo-pack |
Sticky Chat Widget: WhatsApp, Messenger, Click to chat, SMS, Email, Messages, Call Button, Contact form and more Chat buttons | sticky-chat-widget |
Stock Ticker | stock-ticker |
Store Locator WordPress | agile-store-locator |
Strong Testimonials | strong-testimonials |
Stylish Price List – Price Table Builder & QR Code Restaurant Menu | stylish-price-list |
SureFeedback Client Site | projecthuddle-child-site |
TerraClassifieds – Simple Classifieds Plugin | terraclassifieds |
Theme per user | theme-per-user |
Themify Icons | themify-icons |
Thrive Automator | thrive-automator |
Ultimate Addons for Beaver Builder | bb-ultimate-addon |
Ultimate Addons for WPBakery | Ultimate_VC_Addons |
Ultimate Dashboard – Custom WordPress Dashboard | ultimate-dashboard |
Uncanny Automator – Automate everything with the #1 no-code automation and integration plugin | uncanny-automator |
User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds | userfeedback-lite |
Verge3D Publishing and E-Commerce | verge3d |
WP Adminify – WordPress Dashboard Customization \| Custom Login \| Admin Columns \| Dashboard Widget \| Media Library Folders | adminify |
WP Affiliate Disclosure | wp-affiliate-disclosure |
WP Chat App | wp-whatsapp |
WP Crowdfunding | wp-crowdfunding |
WP Edit Username | wp-edit-username |
WP Frontend Profile | wp-front-end-profile |
WP Go Maps (formerly WP Google Maps) | wp-google-maps |
WP Job Portal – A Complete Job Board | wp-job-portal |
WP MLM SOFTWARE PLUGIN | wp-mlm |
WP Mail Log | wp-mail-log |
WP Optin Wheel – Gamified Optin Email Marketing Tool for WordPress and WooCommerce | wp-optin-wheel |
WP Remote Site Search | wp-remote-site-search |
WP Review Slider | wp-facebook-reviews |
WP Shortcodes Plugin — Shortcodes Ultimate | shortcodes-ultimate |
WP Simple Booking Calendar | wp-simple-booking-calendar |
WP Stripe Checkout | wp-stripe-checkout |
WP Tabs – Responsive Tabs Plugin for WordPress | wp-expand-tabs-free |
WP User Profile Avatar | wp-user-profile-avatar |
WPC Product Bundles for WooCommerce | woo-product-bundle |
WPCS – WordPress Currency Switcher Professional | currency-switcher |
WS Form LITE – Drag & Drop Contact Form Builder for WordPress | ws-form |
Webinar Plugin: Create live/evergreen/automated/instant webinars, stream & Zoom Meetings \| WebinarIgnition | webinar-ignition |
Welcart e-Commerce | usc-e-shop |
White Label – WordPress Custom Admin, Custom Login Page, and Custom Dashboard | white-label |
WooCommerce Easy Duplicate Product | woo-easy-duplicate-product |
WooCommerce Menu Extension | woocommerce-menu-extension |
WooCommerce PDF Invoice Builder, Create invoices, packing slips and more | woo-pdf-invoice-builder |
WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels | print-invoices-packing-slip-labels-for-woocommerce |
WooCommerce Per Product Shipping | woocommerce-shipping-per-product |
WooCommerce Ship to Multiple Addresses | woocommerce-shipping-multiple-addresses |
WooCommerce Stripe Payment Gateway | woocommerce-gateway-stripe |
WooCommerce Warranty Requests | woocommerce-warranty |
WooPayments – Fully Integrated Solution Built and Supported by Woo | woocommerce-payments |
Woocommerce Shipping Canada Post | woocommerce-shipping-canada-post |
WordPress Infinite Scroll – Ajax Load More | ajax-load-more |
WordPress.com Editing Toolkit | full-site-editing |
YITH WooCommerce Product Add-Ons | yith-woocommerce-product-add-ons |
ZeroBounce Email Verification & Validation | zerobounce |
eCommerce Product Catalog Plugin for WordPress | ecommerce-product-catalog |
iframe | iframe |
iframe Shortcode | iframe-shortcode |
uncode-core | uncode-core |
weForms – Easy Drag & Drop Contact Form Builder For WordPress | weforms |
WordPress Themes with Reported Vulnerabilities Last Two Weeks
| Software Name | Software Slug |
|---|---|
BuddyBoss Theme | buddyboss-theme |
Divi | Divi |
TheGem | thegem |
Vulnerability Details
Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.
BERTHA AI Plugin
Source: wordfence.com