Lucene search

Chloe ChamberlandWORDFENCE:5EF47CC42F1927CDEAB41F4FB7291B8D

HistoryAug 29, 2024 - 1:48 p.m.

Wordfence Intelligence Weekly WordPress Vulnerability Report (August 19, 2024 to August 25, 2024)

2024-08-2913:48:04

Chloe Chamberland

www.wordfence.com

bug bounty program

wordpress plugins

wordpress theme

vulnerability database

vulnerability researchers

user interface

api

webhook integration

cli vulnerability scanner

premium customers

firewall rules

exploit attempts

real-time updates.

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

AI Score

9.8

Confidence

High

EPSS

0.639

Percentile

97.9%

JSON

_** Did you know Wordfence runs a Bug Bounty Program for all WordPress plugin and themes at no cost to vendors?**Through October 14th, r__esearchers can earn up to $31,200, for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we handle all the rest. _

Last week, there were 85 vulnerabilities disclosed in 63 WordPress Plugins and 1 WordPress Theme that have been added to the Wordfence Intelligence Vulnerability Database, and there were 36 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 18,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

LiteSpeed Cache <= 6.3.0.1 - Unauthenticated Privilege Escalation
- Over 650,000 exploit attempts already blocked by this rule since August 20th, 2024.
WAF-RULE-727 - Data redacted while we work with the vendor on a patch.

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status	Number of Vulnerabilities
Patched	58
Unpatched	27

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating	Number of Vulnerabilities
Medium Severity	62
High Severity	14
Critical Severity	9

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE	Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')	30
Cross-Site Request Forgery (CSRF)	18
Missing Authorization	12
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')	6
Deserialization of Untrusted Data	3
Exposure of Sensitive Information to an Unauthorized Actor	3
Authorization Bypass Through User-Controlled Key	2
Improper Control of Generation of Code ('Code Injection')	2
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')	2
Unrestricted Upload of File with Dangerous Type	2
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)	1
Improper Neutralization of Special Elements Used in a Template Engine	1
Improper Privilege Management	1
Incorrect Authorization	1
URL Redirection to Untrusted Site ('Open Redirect')	1

Researchers That Contributed to WordPress Security Last Week

Researcher Name	Number of Vulnerabilities

Bob Matyas

| 10

Daniel Ruf

| 10

Lucio Sá

| 9

TANG Cheuk Hei (siunam)

| 6

| 4

| 4

| 3

| 3

| 3

| 2

| 2

Trương Hữu Phúc (truonghuuphuc)

| 2

| 2

| 2

| 2

| 1

| 1

| 1

| 1

Wesley "dk4trin" Santos

| 1

kauenavarro

| 1

theviper17y

| 1

Colin Xu

| 1

João Pedro Soares de Alcântara

| 1

Ngô Thiên An (ancorn_)

| 1

Artem Polynko (Artem Polynko)

| 1

| 1

| 1

| 1

| 1

| 1

| 1

| 1

| 1

| 1

| 1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name	Software Slug
AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress	acymailing
AdRotate Banner Manager – The only ad manager you'll need	adrotate
App Builder – Create Native Android & iOS Apps On The Flight	app-builder
AZIndex	azindex
blogintroduction-wordpress-plugin	blogintroduction-wordpress-plugin
BP Profile Search	bp-profile-search
Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder	bit-form
Custom Permalinks	custom-permalinks
Event Espresso – Event Registration & Ticketing Sales	event-espresso-decaf
EventON	eventon-lite
Favicon Generator (CLOSED)	favicon-generator
File Manager Pro	wp-file-manager-pro
Flamix: Bitrix24 and Contact Form 7 integrations	flamix-bitrix24-and-contact-forms-7-integrations
Floating Contact Button	floating-contact
Gallery Plugin for WordPress – Envira Photo Gallery	envira-gallery-lite
GiveWP – Donation Plugin and Fundraising Platform	give
Gixaw Chat	gixaw-chat
Hide My Site	hide-my-site
ILC Thickbox	ilc-thickbox
Image Hotspot by DevVN	devvn-image-hotspot
Image Optimizer, Resizer and CDN – Sirv	sirv
ImageRecycle pdf & image compression	imagerecycle-pdf-image-compression
LH Add Media From Url	lh-add-media-from-url
LiquidPoll – Polls, Surveys, NPS and Feedback Reviews	wp-poll
LiteSpeed Cache	litespeed-cache
Logo Slider – Logo Showcase, Logo Carousel, Logo Gallery and Client Logo Presentation	gs-logo-slider
Misiek Paypal	misiek-paypal
Misiek Photo Album	misiek-photo-album
MM-Breaking News	mm-breaking-news
Music Request Manager	music-request-manager
Orbit Fox by ThemeIsle	themeisle-companion
OTA Sync Booking Engine Widget	ota-sync-booking-engine-widget
Piotnet Addons For Elementor	piotnet-addons-for-elementor
Pocket Widget	pocket-widget
Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popups Builder	popup-maker
Quick Code	quick-code
Responsive Lightbox & Gallery	responsive-lightbox
Responsive Video	responsive-video
RT Easy Builder – Advanced addons for Elementor	rt-easy-builder-advanced-addons-for-elementor
Shopping Cart & eCommerce Store	wp-easycart
Simple Headline Rotator	simple-headline-rotator
Simple Job Board	simple-job-board
Smart Online Order for Clover	clover-online-orders
Snapshot Backup	snapshot-backup
Starbox – the Author Box for Humans	starbox
String locator	string-locator
The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce	the-plus-addons-for-elementor-page-builder
Themify Builder	themify-builder
TI WooCommerce Wishlist	ti-woocommerce-wishlist
Tutor LMS Elementor Addons	tutor-lms-elementor-addons
Ultimate Store Kit Elementor Addons, Woocommerce Builder, EDD Builder, Elementor Store Builder, Product Grid, Product Table, Woocommerce Slider	ultimate-store-kit
User Private Files – Upload Documents & Secure File Sharing with Frontend File Manager	user-private-files
Visual Sound	visual-sound
WBW Product Table Pro	woo-producttables-pro
Woo Inquiry	woo-inquiry
WooCommerce Google Feed Manager	wp-product-feed-manager
WordPress Button Plugin MaxButtons	maxbuttons
WordSurvey	wordsurvey
WP Content Copy Protection & No Right Click (PRO)	wccp-pro
WP Last Modified Info	wp-last-modified-info
WP Testimonial Widget	wp-testimonial-widget
WPML	sitepress-multilingual-cms
Zephyr Project Manager	zephyr-project-manager

WordPress Themes with Reported Vulnerabilities Last Week

Software Name	Software Slug
Phlox PRO	phlox-pro

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you'd like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

GiveWP – Donation Plugin and Fundraising Platform <= 3.14.1 - Unauthenticated PHP Object Injection to Remote Code Execution

10.0

CVSS Rating
Critical (10.0)

CVE-ID
CVE-2024-5932

Patch Status
Patched

Published
Aug 19, 2024

Affected Software
GiveWP – Donation Plugin and Fundraising Platform

Researcher

Wordfence Intelligence Weekly WordPress Vulnerability Report (August 19, 2024 to August 25, 2024)

New Firewall Rules Deployed Last Week

Total Unpatched & Patched Vulnerabilities Last Week

Total Vulnerabilities by CVSS Severity Last Week

Total Vulnerabilities by CWE Type Last Week

Researchers That Contributed to WordPress Security Last Week

WordPress Plugins with Reported Vulnerabilities Last Week

WordPress Themes with Reported Vulnerabilities Last Week

Vulnerability Details

Related