Lucene search

Chloe ChamberlandWORDFENCE:2871E77BB878753F093ED536A5009D44

HistoryJul 11, 2024 - 3:09 p.m.

Wordfence Intelligence Weekly WordPress Vulnerability Report (July 1, 2024 to July 7, 2024)

2024-07-1115:09:14

Chloe Chamberland

www.wordfence.com

wordfence

weekly

vulnerability

CVSS3

9.9

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

AI Score

9.6

Confidence

High

EPSS

0.001

Percentile

40.4%

JSON

_ Did you know Wordfence runs a Bug Bounty Program for all WordPress plugin and themes at no cost to vendors?__Researchers can earn up to $10,400, for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we handle all the rest. For a limited time, all high risk issues are in-scope for all researchers! _

Last week, there were 130 vulnerabilities disclosed in 100 WordPress Plugins and 18 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 46 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 17,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status	Number of Vulnerabilities
Patched	116
Unpatched	14

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating	Number of Vulnerabilities
Low Severity	2
Medium Severity	105
High Severity	19
Critical Severity	4

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE	Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')	63
Missing Authorization	23
Cross-Site Request Forgery (CSRF)	17
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')	8
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')	3
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')	3
Information Exposure	3
Unrestricted Upload of File with Dangerous Type	3
Improper Privilege Management	2
Deserialization of Untrusted Data	1
Incorrect Privilege Assignment	1
Server-Side Request Forgery (SSRF)	1
Uncontrolled Resource Consumption ('Resource Exhaustion')	1
Unprotected Alternate Channel	1

Researchers That Contributed to WordPress Security Last Week

Researcher Name	Number of Vulnerabilities

Dhabaleshwar Das

| 15

Rafie Muhammad

| 14

João Pedro Soares de Alcântara

| 11

| 9

| 7

| 4

| 4

| 4

| 4

| 4

| 4

| 3

| 3

| 3

| 3

| 3

| 2

| 2

| 2

| 2

| 2

| 2

| 2

| 2

| 2

| 2

| 2

Ngô Thiên An (ancorn_)

| 2

Guido Iván García

| 1

filime

| 1

Benedictus Jovan (aillesiM)

| 1

Jaime F. Murillo

| 1

Masamichi Aoki

| 1

Muhammad Umer Adeem (Yldrm)

| 1

Vuln Seeker Cybersecurity Team

| 1

Mahesh Nagabhairava

| 1

Krzysztof Zając

| 1

Trương Hữu Phúc (truonghuuphuc)

| 1

Majed Refaea

| 1

Majdeddine Ben Hadj Brahim

| 1

Juan Pablo Gomez Postigo

| 1

Felipe Caon

| 1

Michael

| 1

Bassem Essam

| 1

João G. Barbosa (4rCanJ0x!)

| 1

piro

| 1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name	Software Slug
Advanced Classifieds & Directory Pro	advanced-classifieds-and-directory-pro
AI Power: Complete AI Pack	gpt3-ai-content-generator
Apollo13 Framework Extensions	apollo13-framework-extensions
AWSM Team – Team Showcase Plugin	awsm-team
bbPress Notify (No-Spam)	bbpress-notify-nospam
Beaver Builder Addons by WPZOOM	wpzoom-addons-for-beaver-builder
Beaver Builder – WordPress Page Builder	beaver-builder-lite-version
CC & BCC for Woocommerce Order Emails	cc-bcc-for-woocommerce-order-emails
Church Admin	church-admin
CM Popup Plugin for WordPress – Popup Maker	cm-pop-up-banners
Comment Reply Email	comment-reply-email
Community Events	community-events
CopySafe Web Protection	wp-copysafe-web
Cost Calculator Builder	cost-calculator-builder
Create by Mediavine	mediavine-create
CRM Perks Forms – WordPress Form Builder	crm-perks-forms
Donation Forms by Charitable – Donations Plugin & Fundraising Platform for WordPress	charitable
Easy Custom Code (LESS/CSS/JS) – Live editing	easy-custom-code
Easy Google Maps	google-maps-easy
Elementor Addons by Livemesh	addons-for-elementor
Elementor Header & Footer Builder	header-footer-elementor
Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce	email-subscribers
Event Manager, Events Calendar, Tickets, Registrations – Eventin	wp-event-solution
Featured Image from URL (FIFU)	featured-image-from-url
FileBird Document Library	filebird-document-library
Floating Social Media Links	floating-social-media-links
Get Better Reviews for WooCommerce	more-better-reviews-for-woocommerce
HelloAsso	helloasso
Hide My WP Ghost – Security & Firewall	hide-my-wp
HTML Forms – Simple WordPress Forms Plugin	html-forms
IdeaPush	ideapush
IMGspider – 图片采集抓取插件	imgspider
JetThemeCore for Elementor	jet-theme-core
LA-Studio Element Kit for Elementor	lastudio-element-kit
Leaky Paywall	leaky-paywall
LearnPress – WordPress LMS Plugin	learnpress
Link To Bible	link-to-bible
Login Logo Editor	login-logo-editor-by-oizuled
MakeCommerce for WooCommerce	makecommerce
MasterStudy LMS WordPress Plugin – for Online Courses and Education	masterstudy-lms-learning-management-system
Media Library Assistant	media-library-assistant
Mega Elements – Addons for Elementor	mega-elements-addons-for-elementor
Meks Easy Ads Widget	meks-easy-ads-widget
Motors – Car Dealer, Classifieds & Listing	motors-car-dealership-classified-listings
Nested Pages	wp-nested-pages
Newspack Ads	newspack-ads
Newspack Campaigns	newspack-popups
Newspack Content Converter	newspack-content-converter
Newspack Newsletters	newspack-newsletters
NEX-Forms – Ultimate Form Builder – Contact forms and much more	nex-forms-express-wp-form-builder
Ninja Forms – The Contact Form Builder That Grows With You	ninja-forms
Ocean Extra	ocean-extra
One Click Order Re-Order	one-click-order-reorder
Online Booking & Scheduling Calendar for WordPress by vcita	meeting-scheduler-by-vcita
Page Builder Gutenberg Blocks – CoBlocks	coblocks
Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions	paid-memberships-pro
PayPlus Payment Gateway	payplus-payment-gateway
Post Meta Data Manager	post-meta-data-manager
Premium Addons for Elementor	premium-addons-for-elementor
Premium Blocks – Gutenberg Blocks for WordPress	premium-blocks-for-gutenberg
ProfileGrid – User Profiles, Groups and Communities	profilegrid-user-profiles-groups-and-communities
PZ Frontend Manager	pz-frontend-manager
Request a Quote	request-a-quote
Rife Elementor Extensions & Templates	rife-elementor-extensions
Save as PDF Plugin by Pdfcrowd	save-as-pdf-by-pdfcrowd
ShopBuilder – Elementor WooCommerce Builder Addons	shopbuilder
Simple Newsletter Plugin – Noptin	newsletter-optin-box
Simple Social Share	simple-social-share
Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates)	sina-extension-for-elementor
Snippet Shortcodes	shortcode-variables
Social Media Share Buttons & Social Sharing Icons	ultimate-social-media-icons
Spectra – WordPress Gutenberg Blocks	ultimate-addons-for-gutenberg
SuperSaaS – online appointment scheduling	supersaas-appointment-scheduling
Swift Performance Lite	swift-performance-lite
Tablesome – Responsive Table, Woocommerce Automation, Email Log, Form Automation – Contact Form 7, Elementor, WPForms, Forminator	tablesome
Template Kit – Export	template-kit-export
Testimonials Widget	testimonials-widget
The Events Calendar	the-events-calendar
The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce	the-plus-addons-for-elementor-page-builder
The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid	the-post-grid
Ultimate Addons for Elementor	ultimate-elementor
Ultimate Blocks – WordPress Blocks Plugin	ultimate-blocks
Ultimate Bootstrap Elements for Elementor	ultimate-bootstrap-elements-for-elementor
Ultimate WordPress Auction Plugin	ultimate-auction
Void Contact Form 7 Widget For Elementor Page Builder	cf7-widget-elementor
Woffice Core	woffice-core
WooCommerce - Social Login	woo-social-login
WordPress Notification Bar	wordpress-notification-bar
WP Cookie Law Info	wp-cookie-law-info
WP Directory Kit	wpdirectorykit
WP Lightbox 2	wp-lightbox-2
WP QuickLaTeX	wp-quicklatex
WP To Do	wp-todo
WP ULike – Most Advanced Marketing Toolkit	wp-ulike
WPCafe – Online Food Ordering, Restaurant Menu, Delivery, and Reservations for WooCommerce	wp-cafe
WPFavicon	wpfavicon
WS Contact Form	ws-contact-form
XPlainer – Product FAQs for WooCommerce & AI FAQ Generator	faq-for-woocommerce
Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress	youzify
Zephyr Project Manager	zephyr-project-manager

WordPress Themes with Reported Vulnerabilities Last Week

Software Name	Software Slug
Ashe	ashe
Bakes And Cakes	bakes-and-cakes
Bard	bard
Book Your Travel	bookyourtravel
Boot Store	boot-store
Business One Page	business-one-page
Construction Landing Page	construction-landing-page
Hestia	hestia
Highlight	highlight
Lawyer Landing Page	lawyer-landing-page
Metro Magazine	metro-magazine
Newsmatic	newsmatic
Posterity	posterity
Rara Business	rara-business
Rife Free	rife-free
Trendy News	trendy-news
Woffice CRM	woffice
zBench	zbench

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you'd like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

Youzify <= 1.2.5 - Authenticated (Contributor+) SQL Injection

9.9

CVSS Rating
Critical (9.9)

CVE-ID
CVE-2024-37494

Patch Status
Patched

Published
Jul 4, 2024

Affected Software
Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress

Researcher

Wordfence Intelligence Weekly WordPress Vulnerability Report (July 1, 2024 to July 7, 2024)

New Firewall Rules Deployed Last Week

Total Unpatched & Patched Vulnerabilities Last Week

Total Vulnerabilities by CVSS Severity Last Week

Total Vulnerabilities by CWE Type Last Week

Researchers That Contributed to WordPress Security Last Week

WordPress Plugins with Reported Vulnerabilities Last Week

WordPress Themes with Reported Vulnerabilities Last Week

Vulnerability Details

Related