Lucene search

Chloe ChamberlandWORDFENCE:3E45AA3E58A9D0D99172226D7128013E

HistoryJul 18, 2024 - 3:33 p.m.

Wordfence Intelligence Weekly WordPress Vulnerability Report (July 8, 2024 to July 14, 2024)

2024-07-1815:33:42

Chloe Chamberland

www.wordfence.com

wordfence

bug bounty

wordpress security

vulnerability database

vulnerability researchers

firewall rules

premium customers

CVSS3

9.9

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

AI Score

9.9

Confidence

High

EPSS

0.001

Percentile

40.0%

JSON

_ Did you know Wordfence runs a Bug Bounty Program for all WordPress plugin and themes at no cost to vendors?__Researchers can earn up to $10,400, for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we handle all the rest. _

Last week, there were 261 vulnerabilities disclosed in 212 WordPress Plugins and 14 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 75 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 17,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status	Number of Vulnerabilities
Patched	165
Unpatched	96

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating	Number of Vulnerabilities
Low Severity	1
Medium Severity	203
High Severity	34
Critical Severity	23

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE	Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')	111
Missing Authorization	41
Cross-Site Request Forgery (CSRF)	37
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')	14
Information Exposure	13
Unrestricted Upload of File with Dangerous Type	9
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')	6
Server-Side Request Forgery (SSRF)	6
Information Exposure Through Log Files	5
Authentication Bypass Using an Alternate Path or Channel	4
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')	4
Improper Privilege Management	3
Authorization Bypass Through User-Controlled Key	2
Improper Control of Generation of Code ('Code Injection')	2
Deserialization of Untrusted Data	1
File and Directory Information Exposure	1
Use of Hard-coded Credentials	1
Use of Less Trusted Source	1

Researchers That Contributed to WordPress Security Last Week

Researcher Name	Number of Vulnerabilities

| 18

| 15

| 14

| 14

| 14

| 13

| 12

| 11

| 9

João Pedro Soares de Alcântara

| 7

| 7

| 6

| 6

| 6

| 5

João G. Barbosa (4rCanJ0x!)

| 4

| 4

| 4

| 4

| 4

| 4

| 4

| 3

Ngô Thiên An (ancorn_)

| 3

| 3

| 3

| 3

| 3

| 3

| 3

| 2

| 2

| 2

| 2

| 2

Tieu Pham Trong Nhan (aptx4869)

| 2

Peter Thaleikis

| 2

Benedictus Jovan (aillesiM)

| 2

| 2

| 2

| 2

| 2

| 2

| 2

| 2

| 2

Miguel Xavier Penha Neto

| 1

| 1

| 1

| 1

| 1

Dikshita Trivedi (Cybersecdexter)

| 1

Dipak Panchal (th3.d1p4k)

| 1

John Castro

| 1

Le Ngoc Anh

| 1

Artem Polynko (Artem Polynko)

| 1

| 1

| 1

| 1

| 1

| 1

| 1

| 1

| 1

| 1

Rayhan Ramdhany Hanaputra

| 1

Steven Julian

| 1

Majdeddine Ben Hadj Brahim

| 1

Edwin Siebel (edwinsiebel)

| 1

Simone Onofri

| 1

0xded093

| 1

Kim Cerra

| 1

Vuln Seeker Cybersecurity Team

| 1

Michel Prunet

| 1

1337_Wannabe

| 1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name	Software Slug
Academy LMS – WordPress LMS Plugin for Complete eLearning Solution	academy
Admin Dashboard RSS Feed	admin-dashboard-rss-feed
AdPush	adsense-plugin
Advanced AJAX Page Loader	advanced-ajax-page-loader
Advanced File Manager Shortcodes	file-manager-advanced-shortcode
Advanced post slider	advanced-post-slider
Amazing Hover Effects	amazing-hover-effects
Animated Typed JS Shortcode	animated-typed-js-shortcode
Appmaker – Convert WooCommerce to Android & iOS Native Mobile Apps	appmaker-woocommerce-mobile-app-manager
Arkhe Blocks	arkhe-blocks
Attachment File Icons (AF Icons)	attachment-file-icons
Auto Featured Image (Auto Post Thumbnail)	auto-post-thumbnail
Backup and Staging by WP Time Capsule	wp-time-capsule
Barcode Scanner and Inventory manager. POS (Point of Sale) – scan barcodes & create orders with barcode reader.	barcode-scanner-lite-pos-to-manage-products-inventory-and-orders
BerqWP – Automated All-In-One PageSpeed Optimization Plugin for Core Web Vitals, Cache, CDN, Images, CSS, and JavaScript	searchpro
Blog, Posts and Category Filter for Elementor	blog-posts-and-category-for-elementor
Booking Ultra Pro Appointments Booking Calendar Plugin	booking-ultra-pro
Bradmax Player	bradmax-player
Branda – White Label & Branding, Custom Login Page Customizer	branda-white-labeling
Business Card	business-card-by-esterox-100
Calendar.online / Kalender.digital – Plugin	kalender-digital
Caxton – Create Pro page layouts in Gutenberg	caxton
Change From Email	wp-from-email
Cliengo – Chatbot	cliengo
CodePen Embedded Pens Shortcode	codepen-embedded-pen-shortcode
codoc	codoc
Coming Soon Page – Responsive Coming Soon & Maintenance Mode	responsive-coming-soon-page
Comment Images Reloaded	comment-images-reloaded
ConeBlog – Elementor Blog Widgets	coneblog-widgets
Contact Form 7 Summary and Print	cf7-summary-and-print
Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder	bit-form
Contact Form, Survey, Quiz & Popup Form Builder – ARForms	arforms-form-builder
CZ Loan Management	cz-loan-management
Default Thumbnail Plus	default-thumbnail-plus
DirectoryPress – Business Directory And Classified Ad Listing	directorypress
Donation Block For PayPal	donations-block
Download Button for Elementor	download-button-for-elementor
Duplicator – Migration & Backup Plugin	duplicator
Dynamic Word Spinner: CSS3 Animated Rotation	css3-rotating-words
Easy Google Adsense and Banner Ads Manager – AdsforWP	ads-for-wp
Easy Pixels	easy-pixels-by-jevnet
EazyDocs – Most Powerful Knowledge base, wiki, Documentation Builder Plugin	eazydocs
EleForms – All In One Form Integration including DB for Elementor	all-contact-form-integration-for-elementor
ElementInvader Addons for Elementor	elementinvader-addons-for-elementor
Email Encoder – Protect Email Addresses and Phone Numbers	email-encoder-bundle
EmbedPress – Embed PDF, PDF 3D FlipBook, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor	embedpress
Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates	essential-blocks
Event post	event-post
Event Tickets and Registration	event-tickets
EventON	eventon-lite
Events Calendar for Google	events-calendar-for-google
ExS Widgets	exs-widgets
Extensions for Elementor	extensions-for-elementor
FancyPost – Best Ultimate Post Block, Post Grid, Layouts, Carousel, Slider For Gutenberg & Elementor	post-block
Featured Image Generator	featured-image-generator
Feeds for YouTube (YouTube video, channel, and gallery plugin)	feeds-for-youtube
Floating Notification Bar, Sticky Menu on Scroll, Announcement Banner, and Sticky Header for Any Theme – My Sticky Bar (formerly myStickymenu)	mystickymenu
Form Vibes – Database Manager for Forms	form-vibes
FormFlow- WhatsApp Social and WP Form Builder with Easy Lead Management	simple-form
FULL – Cliente	full-customer
Fusion Page Builder	fusion
GD Rating System	gd-rating-system
Generate PDF using Contact Form 7	generate-pdf-using-contact-form-7
Genesis Blocks	genesis-blocks
Get Use APIs – JSON Content Importer	json-content-importer
Goftino	goftino
Gravity Forms: Multiple Form Instances	gravity-forms-multiple-form-instances
Gum Elementor Addon	gum-elementor-addon
Gutenberg Forms – WordPress Form Builder Plugin	forms-gutenberg
GutSlider – All in One Block Slider	slider-blocks
HitPay Payment Gateway for WooCommerce	hitpay-payment-gateway
Houzez CRM	houzez-crm
Houzez Theme - Functionality	houzez-theme-functionality
HT Mega – Absolute Addons For Elementor	ht-mega-for-elementor
HTML Forms – Simple WordPress Forms Plugin	html-forms
Image Optimizer, Resizer and CDN – Sirv	sirv
Import Spreadsheets from Microsoft Excel	import-spreadsheets-from-microsoft-excel
Inline Related Posts	intelly-related-posts
InstaWP Connect – 1-click WP Staging & Migration	instawp-connect
Internal Link Juicer: SEO Auto Linker for WordPress	internal-links
iPanorama 360 – WordPress Virtual Tour Builder	ipanorama-360-virtual-tour-builder-lite
IQ Testimonials	iq-testimonials
Jetpack Boost – Website Speed, Performance and Critical CSS	jetpack-boost
Job Board Manager	job-board-manager
JSON API User	json-api-user
Just Custom Fields	just-custom-fields
Laposta	laposta
LearnDash LMS – Reports	wisdm-reports-for-learndash
Light Poll	light-poll
Link Library	link-library
Login by Auth0	auth0
Magical Addons For Elementor ( Header Footer Builder, Free Elementor Widgets, Elementor Templates Library )	magical-addons-for-elementor
Magical Posts Display – Elementor Advanced Posts widgets	magical-posts-display
MakeStories (for Google Web Stories)	makestories-helper
Master Addons – Free Widgets, Hover Effects, Toggle, Conditions, Animations for Elementor	master-addons
Master Popups	master-popups-lite
Matomo Analytics – Ethical Stats. Powerful Insights.	matomo
MBE eShip	mail-boxes-etc
Media Hygiene: Remove or Delete Unused Images and More!	media-hygiene
Meks Smart Author Widget	meks-smart-author-widget
Meks Video Importer	meks-video-importer
Metorik – Reports & Email Automation for WooCommerce	metorik-helper
Modern Events Calendar	modern-events-calendar
Modern Events Calendar Lite	modern-events-calendar-lite
Moloni	moloni
MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar	mp3-music-player-by-sonaar
MStore API – Create Native Android & iOS Apps On The Cloud	mstore-api
oik	oik
Olive One Click Demo Import	olive-one-click-demo-import
Openpos - WooCommerce Point Of Sale(POS)	woocommerce-openpos
OSM – OpenStreetMap	osm
Packlink PRO shipping module	packlink-pro-shipping
Paid Memberships Pro - Member Directory Add On	pmpro-member-directory
Panda Video	pandavideo
Payflex Payment Gateway	payflex-payment-gateway
PayPlus Payment Gateway	payplus-payment-gateway
Plugin Notes Plus	plugin-notes-plus
Plum: Spin Wheel & Email Pop-up	qodeblock
Post Layouts for Gutenberg	post-layouts
Power BI Embedded for WordPress	embed-power-bi
PowerPress Podcasting plugin by Blubrry	powerpress
Predictive Search for WooCommerce	woocommerce-predictive-search
Premium Addons for Elementor	premium-addons-for-elementor
Pricing Table	elfsight-pricing-table
Product Delivery Date for WooCommerce – Lite	product-delivery-date-for-woocommerce-lite
Product Designer	product-designer
Product Table by WBW	woo-product-tables
ProfileGrid – User Profiles, Groups and Communities	profilegrid-user-profiles-groups-and-communities
Qi Blocks	qi-blocks
Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker	quiz-master-next
Realtyna Organic IDX plugin + WPL Real Estate	real-estate-listing-realtyna-wpl
ReCaptcha Integration for WordPress	wp-recaptcha-integration
Recipe Cards For Your Food Blog from Zip Recipes	zip-recipes
ReDi Restaurant Reservation	redi-restaurant-reservation
Registration Forms – User Registration Forms, Invitation-Based Registrations, Front-end User Profile, Login Form & Content Restriction	pie-register
Responsive Tabs	responsive-tabs
REVIEWS.io for WooCommerce	reviewscouk-for-woocommerce
ScrollTo Bottom	scrollto-bottom
ScrollTo Top	scrollto-top
SCSS Happy Compiler – Compile SCSS to CSS & Automatic Enqueue	happy-scss-compiler
Search & Replace	search-and-replace
Send email only on Reply to My Comment	send-email-only-on-reply-to-my-comment
Send Users Email	send-users-email
Seraphinite Accelerator Pro	seraphinite-accelerator-ext
Seraphinite Post .DOCX Source	seraphinite-post-docx-source
Simple Alert Boxes	simple-alert-boxes
Simple Popup Plugin	simple-popup-plugin
Simple Post Notes	simple-post-notes
Simple Responsive Slider	simple-responsive-slider
SKT Addons for Elementor	skt-addons-for-elementor
SKT Skill Bar	skt-skill-bar
Sky Addons for Elementor (Free Templates Library, Live Copy, Animations, Post Grid, Post Carousel, Particles, Sliders, Chart, Blogs)	sky-elementor-addons
Slider by 10Web	UNKNOWN-CVE-2024-32578-1
SlingBlocks – Gutenberg Blocks by FunnelKit (Formerly WooFunnels)	slingblocks
SmartCrawl WordPress SEO checker, SEO analyzer, SEO optimizer	smartcrawl-seo
Social Sharing Plugin – Kiwi	kiwi-social-share
SpiderContacts	spider-contacts
Spiffy Calendar	spiffy-calendar
SportsPress – Sports Club & League Manager	sportspress
Squelch Tabs and Accordions Shortcodes	squelch-tabs-and-accordions-shortcodes
Tabs For WPBakery Page Builder (formerly Visual Composer)	tabs-for-visual-composer
Tagbox – UGC Galleries, Social Media Widgets, User Reviews & Analytics	taggbox-widget
Team Manager – WordPress Showcase Team Members	wp-team-manager
Team Members	team-members
Timeline Module for Beaver Builder	timeline-for-beaver-builder
Titan Anti-spam & Security	anti-spam
TOCHAT.BE	tochat-be
Tutor LMS – eLearning and online course solution	tutor
Typebot	Create advanced chat experiences without coding
Ultimate Classified Listings	ultimate-classified-listings
UltraAddons – Elementor Addons (Header Footer Builder, Custom Font, Custom CSS,Woo Widget, Menu Builder, Anywhere Elementor Shortcode)	ultraaddons-elementor-lite
Uncanny Automator Pro	uncanny-automator-pro
Unlimited Elements For Elementor (Free Widgets, Addons, Templates)	unlimited-elements-for-elementor
User Activity Log Pro	user-activity-log-pro
User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds	userfeedback-lite
User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor	profile-builder
UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP	userswp
VK All in One Expansion Unit	vk-all-in-one-expansion-unit
Wallet for WooCommerce	woo-wallet
Wallet System for WooCommerce – Wallet, Digital Wallet, Cashback, Recharge User Wallets, Partial Payments, Wallet restriction, Refunds	wallet-system-for-woocommerce
WANotifier – Send Message Notifications Using WhatsApp API	notifier
WappPress – Create Mobile App for any WordPress site with our Mobile App Builder in just 1 minute	wapppress-builds-android-app-for-website
Web Directory Free	web-directory-free
Webico Slider Flatsome Addons	webico-slider-flatsome-addons
Wholesale Suite – WooCommerce Wholesale Prices, B2B, Catalog Mode, Order Form, Wholesale User Roles, Dynamic Pricing & More	woocommerce-wholesale-prices
WooCommerce Customers Manager	woocommerce-customers-manager
WooCommerce Report	ithemelandco-woo-report
WordPress Multisite Content Copier/Updater	wp-multisite-content-copier
WP Accessibility Helper (WAH)	wp-accessibility-helper
WP Affiliate Platform	wp-affiliate-platform
WP Ajax Contact Form	wp-ajax-contact-form
WP Announcement	Dynamic Announcement, Banner, & Countdown Timer for Effective Promotions
WP ERP	Complete HR solution with recruitment & job listings
WP Event Aggregator: Import Eventbrite events, Meetup events, social events and any iCal Events into WordPress	wp-event-aggregator
WP Fast Total Search – The Power of Indexed Search	fulltext-search
WP GoToWebinar	wp-gotowebinar
WP Links Page	wp-links-page
WP Photo Album Plus	wp-photo-album-plus
WP Popups – WordPress Popup builder	wp-popups-lite
WP Total Branding – Complete branding solution for WordPress	wp-total-branding
WP Travel Engine – Tour Booking Plugin – Tour Operator Software	wp-travel-engine
WP User Switch	wp-user-switch
WP2Speed Faster – Optimize PageSpeed Insights Score 90-100	wp2speed
WPBITS Addons For Elementor Page Builder	wpbits-addons-for-elementor
WPCS – WordPress Currency Switcher Professional	currency-switcher
WpStickyBar – Sticky Bar, Sticky Header	wpstickybar-sticky-bar-sticky-header
XPlainer – Product FAQs for WooCommerce & AI FAQ Generator	faq-for-woocommerce
YITH WooCommerce Ajax Product Filter	yith-woocommerce-ajax-navigation
Zephyr Project Manager	zephyr-project-manager
Zoho Campaigns	zoho-campaigns
Zoho CRM Lead Magnet	zoho-crm-forms
پلاگین پرداخت دلخواه	pardakht-delkhah

WordPress Themes with Reported Vulnerabilities Last Week

Software Name	Software Slug
BuddyBoss Theme	buddyboss-theme
Counterpoint	counterpoint
i-amaze	i-amaze
i-transform	i-transform
Noo JobMonster	noo-jobmonster
Oceanic	oceanic
OnePress	onepress
Patricia Blog	patricia-blog
Patricia Lite	patricia-lite
Point	point
Popularis Verse	popularis-verse
Responsive Mobile	responsive-mobile
SmartMag	smartmag-responsive-retina-wordpress-magazine
SociallyViral	sociallyviral

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you'd like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

CZ Loan Management <= 1.1 - Unauthenticated SQL Injection

10.0

CVSS Rating
Critical (10.0)

CVE-ID
CVE-2024-5975

Patch Status
Unpatched

Published
Jul 9, 2024

Affected Software
CZ Loan Management

Researcher