Lucene search

Chloe ChamberlandWORDFENCE:6697873696623EC67EC016EFDEDE045C

HistoryAug 22, 2024 - 3:46 p.m.

Wordfence Intelligence Weekly WordPress Vulnerability Report (August 12, 2024 to August 18, 2024)

2024-08-2215:46:20

Chloe Chamberland

www.wordfence.com

wordfence

wordpress

vulnerability

report

firewall

updates

intelligence

bug bounty program

api

webhook

scanner

premium

care

response

mailing list

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H

AI Score

9.7

Confidence

High

EPSS

0.001

Percentile

45.3%

JSON

_** Did you know Wordfence runs a Bug Bounty Program for all WordPress plugin and themes at no cost to vendors?**Through October 14th, r__esearchers can earn up to $31,200, for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we handle all the rest. _

Last week, there were 161 vulnerabilities disclosed in 126 WordPress Plugins and 9 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 54 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 18,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

WAF-RULE-726 - Data redacted while we work with the vendor on a patch.
WAF-RULE-725 - Data redacted while we work with the vendor on a patch.

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status	Number of Vulnerabilities
Patched	124
Unpatched	37

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating	Number of Vulnerabilities
Medium Severity	132
High Severity	21
Critical Severity	8

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE	Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')	62
Missing Authorization	33
Cross-Site Request Forgery (CSRF)	20
Exposure of Sensitive Information to an Unauthorized Actor	11
Authorization Bypass Through User-Controlled Key	7
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')	5
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')	4
Unrestricted Upload of File with Dangerous Type	4
Authentication Bypass Using an Alternate Path or Channel	3
Deserialization of Untrusted Data	3
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')	3
Improper Authorization	1
Improper Control of Generation of Code ('Code Injection')	1
Improper Input Validation	1
Incorrect Privilege Assignment	1
URL Redirection to Untrusted Site ('Open Redirect')	1
Use of Less Trusted Source	1

Researchers That Contributed to WordPress Security Last Week

Researcher Name	Number of Vulnerabilities

| 16

| 13

| 13

| 11

| 9

Trương Hữu Phúc (truonghuuphuc)

| 6

Dhabaleshwar Das

| 5

João Pedro Soares de Alcântara

| 5

| 5

| 4

| 4

| 4

Ngô Thiên An (ancorn_)

| 3

| 3

| 3

| 3

| 3

João G. Barbosa (4rCanJ0x!)

| 3

| 3

| 3

| 3

| 2

| 2

| 2

| 2

| 2

| 2

| 2

| 1

| 1

| 1

Fariq Fadillah Gusti Insani (fariqfgi)

| 1

lowol

| 1

Jorge Rodriguez

| 1

Vuln Seeker Cybersecurity Team

| 1

| 1

| 1

| 1

| 1

| 1

| 1

| 1

| 1

| 1

| 1

| 1

| 1

Etan Imanol Castro Aldrete

| 1

| 1

| 1

| 1

| 1

| 1

Artem Polynko (Artem Polynko)

| 1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name	Software Slug
Admission AppManager	admission-appmanager
AFI – The Easiest Integration Plugin	advanced-form-integration
All Bootstrap Blocks	all-bootstrap-blocks
Analytify – Google Analytics Dashboard For WordPress (GA4 analytics made easy)	wp-analytify
ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup	armember-membership
Asset CleanUp: Page Speed Booster	wp-asset-clean-up
Backup and Restore WordPress – Backup Plugin	wp-backitup
BackWPup – WordPress Backup & Restore Plugin	backwpup
Bit Form Pro	bitformpro
Bold Timeline Lite	bold-timeline-lite
Brave – Create Popup, Optins, Lead Generation, Survey, Sticky Elements & Interactive Content	brave-popup-builder
Button contact VR	button-contact-vr
Child Theme Creator by Orbisius	orbisius-child-theme-creator
Clearfy Cache – WordPress optimization plugin, Minify HTML, CSS & JS, Defer	clearfy
Clever Addons for Elementor	cafe-lite
Clone	wp-clone-by-wp-academy
Compute Links	compute-links
Cookie Notice & Compliance for GDPR / CCPA	cookie-notice
Create by Mediavine	mediavine-create
Cryptocurrency Widgets – Price Ticker & Coins List	cryptocurrency-price-ticker-widget
Custom Field For WP Job Manager	custom-field-for-wp-job-manager
Custom Layouts – Post + Product grids made easy	custom-layouts
Dark Mode for WP Dashboard	dark-mode-for-wp-dashboard
DN Popup	dn-popup
Download Plugins and Themes in ZIP from Dashboard	download-plugins-dashboard
E2Pdf – Export Pdf Tool for WordPress	e2pdf
Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows)	bdthemes-element-pack-lite
ElementsKit Pro	elementskit
EmbedPress – Embed PDF, 3D Flipbook, Social Feeds, Google Docs, Vimeo, Wistia, YouTube Videos, Audios, Google Maps in Gutenberg Block & Elementor	embedpress
Employee, Leave and Recruitment Management System – Crew HRM	hr-management
Envo's Elementor Templates & Widgets for WooCommerce	envo-elementor-for-woocommerce
Essential Addons for Elementor – Best Elementor Addon, Templates, Widgets, Kits & WooCommerce Builders	essential-addons-for-elementor-lite
Event Tickets with Ticket Scanner	event-tickets-with-ticket-scanner
Flaming Forms	flaming-forms
Fonts Plugin	Use Google Fonts, Adobe Fonts or Upload Fonts
FormFacade – WordPress plugin for Google Forms	formfacade
FOX – Currency Switcher Professional for WooCommerce	woocommerce-currency-switcher
Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor	gutentor
HTML5 Video Player – mp4 Video Player Plugin and Block	html5-video-player
Icegram Collect – Easy Form, Lead Collection and Subscription plugin	icegram-rainmaker
Icegram Engage – Ultimate WP Popup Builder, Lead Generation, Optins, and CTA	icegram
Indeed Membership Pro	indeed-membership-pro
InPost for WooCommerce	woo-inpost
InPost PL	inpost-for-woocommerce
Insert PHP Code Snippet	insert-php-code-snippet
Invite Anyone	invite-anyone
JetBlocks for Elementor	jet-blocks
JetElements	jet-elements
JetSearch	jet-search
JetTabs for Elementor	jet-tabs
JobSearch WP Job Board	wp-jobsearch
JoomSport – for Sports: Team & League, Football, Hockey & more	joomsport-sports-league-results-management
JS Help Desk – The Ultimate Help Desk & Support Plugin	js-support-ticket
KBucket: Your Curated Content in WordPress	kbucket
LadiApp: Landing Page, PopupX, Marketing Automation, Affiliate Marketing…	ladipage
Landing Page Builder – Coming Soon page, Maintenance Mode, Lead Page, WordPress Landing Pages	page-builder-add
Leopard - WordPress Offload Media	leopard-wordpress-offload-media
LOGIN AND REGISTRATION ATTEMPTS LIMIT	login-attempts-limit-wp
Login As Users	login-as-users
Masteriyo LMS – eLearning and Online Course Builder for WordPress	learning-management-system
Media Library Assistant	media-library-assistant
Mega Addons For Elementor	ultimate-addons-for-elementor
Meta Field Block	display-a-meta-field-as-block
MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor	metform
Modal Window – create popup modal window	modal-window
MStore API – Create Native Android & iOS Apps On The Cloud	mstore-api
MyBookTable Bookstore by Stormhill Media	mybooktable
myCred – Loyalty Points and Rewards plugin for WordPress and WooCommerce – Give Points, Ranks, Badges, Cashback, WooCommerce rewards, and WooCommerce credits for Gamification	mycred
Newsletter, SMTP, Email marketing and Subscribe forms by Brevo (formely Sendinblue)	mailin
Newsletters	newsletters-lite
NinjaTeam Header Footer Custom Code	header-footer-code
oik	oik
Order Export for WooCommerce	order-export-and-more-for-woocommerce
Order Tracking – WordPress Status Tracking Plugin	order-tracking
Photo Engine (Media Organizer & Lightroom)	wplr-sync
Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons	contest-gallery
Plugin Notes Plus	plugin-notes-plus
Post Grid and Gutenberg Blocks	post-grid
PowerPack for Beaver Builder	bbpowerpack
Print Labels with Barcodes. Create price tags, product labels, order labels for WooCommerce	a4-barcode-generator
Propovoice: All-in-One Client Management System	propovoice
Radio Player – Live Shoutcast, Icecast and Any Audio Stream Player for WordPress	radio-player
Recipe Card Blocks for Gutenberg & Elementor – Best WordPress Recipe Plugin	recipe-card-blocks-by-wpzoom
RegistrationMagic – User Registration Plugin with Custom Registration Forms	custom-registration-form-builder-with-submission-manager
Relevanssi – A Better Search	relevanssi
Responsive Blocks – WordPress Gutenberg Blocks	responsive-block-editor-addons
ReviewX – Multi-criteria Rating & Reviews for WooCommerce	reviewx
Salon Booking System	salon-booking-system
Sheet to Table Live Sync for Google Sheet	sheet-to-wp-table-for-google-sheet
Short URL	shorten-url
Slider & Popup Builder by Depicter – Add Image Slider, Carousel Slider, Exit Intent Popup, Popup Modal, Coupon Popup, Post Slider Carousel	depicter
Slideshow, Image Slider by 2J	2j-slideshow
Smart Online Order for Clover	clover-online-orders
SpeedyCache – Cache, Optimization, Performance	speedycache
Store Locator Plus® for WordPress	store-locator-le
Stripe Payments For WooCommerce by Checkout Plugins	checkout-plugins-stripe-woo
Structured Content (JSON-LD) #wpsc	structured-content
tagDiv Opt-In Builder	td-subscription
Team Showcase	team
The Ultimate Video Player For WordPress – by Presto Player	presto-player
Theme My Login	theme-my-login
Tutor LMS – eLearning and online course solution	tutor
Ultimate Store Kit Elementor Addons, Woocommerce Builder, EDD Builder, Elementor Store Builder, Product Grid, Product Table, Woocommerce Slider	ultimate-store-kit
UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP	userswp
Visual Website Collaboration, Feedback & Project Management – Atarim	atarim-visual-collaboration
Void Contact Form 7 Widget For Elementor Page Builder	cf7-widget-elementor
Void Elementor Post Grid Addon for Elementor Page builder	void-elementor-post-grid-addon-for-elementor-page-builder
weMail – Email Marketing, Newsletter, Optin Forms, Subscribers WordPress Plugin	wemail
White Label CMS	white-label-cms
WHMpress - WHMCS WordPress Integration Plugin	whmpress
Widgets for WooCommerce Products on Elementor	woo-products-widgets-for-elementor
WooCommerce	woocommerce
WordPress File Upload	wp-file-upload
WordPress Webinar Plugin – WebinarPress	wp-webinarsystem
WP Bannerize Pro	wp-bannerize-pro
WP Data Access – WordPress App, Table and Form Builder plugin	wp-data-access
WP Job Portal – A Complete Recruitment System for Company or Job Board website	wp-job-portal
WP SMS – Ultimate SMS & MMS Notifications, 2FA, OTP, and Integrations with WooCommerce, GravityForms, and More	wp-sms
WP Telegram Widget and Join Link	wptelegram-widget
WP Travel Gutenberg Blocks	wp-travel-blocks
WP User Manager – User Profile Builder & Membership	wp-user-manager
WP-Lister Lite for eBay	wp-lister-for-ebay
WPBakery Page Builder Addons by Livemesh	addons-for-visual-composer
WPC Frequently Bought Together for WooCommerce	woo-bought-together
wpForo Forum	wpforo
Zephyr Project Manager	zephyr-project-manager

WordPress Themes with Reported Vulnerabilities Last Week

Software Name	Software Slug
Allegiant	allegiant
Bravada	bravada
Bricks	bricks
Busiprof	busiprof
GivingPress Lite	givingpress-lite
Hello Agency	hello-agency
Houzez	houzez
Purity Of Soul	purity-of-soul
Visual Composer Starter	visual-composer-starter

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you'd like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

InPost for WooCommerce <= 1.4.0 and InPost PL <= 1.4.4 - Missing Authorization to Unauthenticated Arbitrary File Read and Delete

10.0

CVSS Rating
Critical (10.0)

CVE-ID
CVE-2024-6500

Patch Status
Patched

Published
Aug 16, 2024

Affected Software
InPost PL
InPost for WooCommerce

Researcher