Wordfence Intelligence Weekly WordPress Vulnerability Report (January 8, 2024 to January 14, 2024)
🎉Wordfence just launched its bug bounty program. For the first 6 months, all awarded bounties receive a 10% bonus. View the announcement to learn more now!
Last week, there were 67 vulnerabilities disclosed in 60 WordPress Plugins and no WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 29 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.
Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 12,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
- Stored Cross-Site Scripting via Block
- WAF-RULE-666 – This is for an undisclosed vulnerability that we are working with the vendor on getting patched.
- WAF-RULE-665 – This is for an undisclosed vulnerability that we are working with the vendor on getting patched.
Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.
Total Unpatched & Patched Vulnerabilities Last Week
Patch Status | Number of Vulnerabilities |
Unpatched | 12 |
Patched | 55 |
Total Vulnerabilities by CVSS Severity Last Week
Severity Rating | Number of Vulnerabilities |
Low Severity | 1 |
Medium Severity | 54 |
High Severity | 7 |
Critical Severity | 5 |
Total Vulnerabilities by CWE Type Last Week
Vulnerability Type by CWE | Number of Vulnerabilities |
Cross-Site Request Forgery (CSRF) | 20 |
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 19 |
Missing Authorization | 8 |
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 4 |
Unrestricted Upload of File with Dangerous Type | 4 |
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | 3 |
Information Exposure | 2 |
Information Exposure Through Debug Information | 1 |
Exposure of Private Information (‘Privacy Violation’) | 1 |
Use of Less Trusted Source | 1 |
Protection Mechanism Failure | 1 |
Server-Side Request Forgery (SSRF) | 1 |
Authorization Bypass Through User-Controlled Key | 1 |
Improper Access Control | 1 |
Researchers That Contributed to WordPress Security Last Week
Researcher Name | Number of Vulnerabilities |
Francesco Carlucci | 5 |
Rafie Muhammad | 4 |
Dave Jong | 3 |
Daniel Ruf | 2 |
Nex Team | 2 |
drop | 2 |
Artem Guzhva (hexcat) | 2 |
Ngô Thiên An (ancorn_) | 2 |
Abdi Pranata | 2 |
Brandon James Roldan (tomorrowisnew) | 2 |
Webbernaut | 2 |
Dateoljo of BoB 12th | 1 |
Lucio Sá | 1 |
LVT-tholv2k | 1 |
Le Ngoc Anh | 1 |
Huynh Tien Si | 1 |
Mika | 1 |
Joshua Chan | 1 |
Abu Hurayra (HurayraIIT) | 1 |
Akbar Kustirama | 1 |
Yudistira Arya | 1 |
Naveen Muthusamy | 1 |
thiennv | 1 |
Yuchen Ji | 1 |
Dmitrii Ignatyev | 1 |
Rafshanzani Suhada | 1 |
Ulyses Saicha | 1 |
Elliot | 1 |
Nicolas Decayeux | 1 |
Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.
WordPress Plugins with Reported Vulnerabilities Last Week
Software Name | Software Slug |
AI Engine: Chatbots, Generators, Assistants, GPT 4 and more! | ai-engine |
ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup | armember-membership |
Advanced Flamingo | advanced-flamingo |
Advanced Woo Search | advanced-woo-search |
Auto Affiliate Links | wp-auto-affiliate-links |
Beds24 Online Booking | beds24-online-booking |
Constant Contact Forms by MailMunch | constant-contact-forms-by-mailmunch |
Contact Form 7 Connector | ari-cf7-connector |
Contact Form 7 Extension For Mailchimp | contact-form-7-mailchimp-extension |
Contact Form 7 – Dynamic Text Extension | contact-form-7-dynamic-text-extension |
Customer Reviews for WooCommerce | customer-reviews-woocommerce |
Download Monitor | download-monitor |
Droit Elementor Addons – Widgets, Blocks, Templates Library For Elementor Builder | droit-elementor-addons |
ElementsKit Elementor addons | elementskit-lite |
Email Encoder – Protect Email Addresses and Phone Numbers | email-encoder-bundle |
Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates | essential-blocks |
EventON | eventon-lite |
EventON Pro | eventon |
Football Pool | football-pool |
Formidable Forms – Contact Form, Survey, Quiz, Payment, Calculator Form & Custom Form Builder | formidable |
GD Rating System | gd-rating-system |
Gallery Plugin for WordPress – Envira Photo Gallery | envira-gallery-lite |
Happy Addons for Elementor | happy-elementor-addons |
Index Now | mihdan-index-now |
InstaWP Connect – 1-click WP Staging & Migration | instawp-connect |
List category posts | list-category-posts |
MailerLite – WooCommerce integration | woo-mailerlite |
Metform Elementor Contact Form Builder | metform |
Newsletter – Send awesome emails from WordPress | newsletter |
OneClick Chat to Order | oneclick-whatsapp-order |
Order Export & Order Import for WooCommerce | order-import-export-for-woocommerce |
PDF Invoices & Packing Slips for WooCommerce | woocommerce-pdf-invoices-packing-slips |
POST SMTP – The #1 WordPress SMTP Plugin with Advanced Email Logging and Delivery Failure Notifications | post-smtp |
Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions | paid-memberships-pro |
Photos and Files Contest Gallery – Contact Form, Upload Form, Social Share and Voting Plugin for WordPress | contest-gallery |
Plugin for Google Reviews | widget-google-reviews |
Products, Order & Customers Export for WooCommerce | export-woocommerce |
Profile Builder Pro | profile-builder-pro |
RabbitLoader | rabbit-loader |
Schema & Structured Data for WP & AMP | schema-and-structured-data-for-wp |
Seraphinite Accelerator | seraphinite-accelerator |
Seraphinite Alternative Slugs Manager | seraphinite-old-slugs-mgr |
Shortcodes Finder | shortcodes-finder |
Simple Inventory Management – just scan barcode to manage products and orders. For WooCommerce | barcode-scanner-lite-pos-to-manage-products-inventory-and-orders |
Swift SMTP (formerly Welcome Email Editor) | welcome-email-editor |
TNC PDF viewer | pdf-viewer-by-themencode |
The Events Calendar | the-events-calendar |
Voting Record | voting-record |
WP Register Profile With Shortcode | wp-register-profile-with-shortcode |
WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc | wp-sms |
WP Spell Check | wp-spell-check |
WP Testimonials | testimonial-widgets |
WPS Hide Login | wps-hide-login |
WooCommerce | woocommerce |
Woocommerce Vietnam Checkout | woo-vietnam-checkout |
Word Replacer Pro | word-replacer-ultra |
WordPress Button Plugin MaxButtons | maxbuttons |
WordPress Live Chat Plugin for Elementor – LiveChat | livechat-elementor |
WordPress Live Chat Plugin for WooCommerce – LiveChat | livechat-woocommerce |
WordPress Manutenção | wp-manutencao |
Vulnerability Details
Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.
Barcode Scanner with Inventory & Order Manager
Source: wordfence.com