Lucene search

Chloe ChamberlandWORDFENCE:A212874EE57CCA16876581ECDA243F7F

HistoryMay 30, 2024 - 3:23 p.m.

Wordfence Intelligence Weekly WordPress Vulnerability Report (May 20, 2024 to May 26, 2024)

2024-05-3015:23:45

Chloe Chamberland

www.wordfence.com

wordfence

wordpress

vulnerability

bug bounty program

security

api

webhook

cli

vulnerability scanner

mailing list

cvss severity

cwe type

patched

unpatched

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.9 High

AI Score

Confidence

High

0.035 Low

EPSS

Percentile

91.6%

JSON

_ Did you know Wordfence runs a Bug Bounty Program for all WordPress plugin and themes at no cost to vendors?__Researchers can earn up to $10,400, for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we handle all the rest. _

Last week, there were 141 vulnerabilities disclosed in 121 WordPress Plugins and 1 WordPress Theme that have been added to the Wordfence Intelligence Vulnerability Database, and there were 53 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 16,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status	Number of Vulnerabilities
Patched	106
Unpatched	35

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating	Number of Vulnerabilities
Medium Severity	114
High Severity	20
Critical Severity	7

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE	Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')	80
Missing Authorization	15
Cross-Site Request Forgery (CSRF)	9
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')	7
Improper Access Control	4
Improper Control of Generation of Code ('Code Injection')	4
Deserialization of Untrusted Data	3
Improper Neutralization of Alternate XSS Syntax	3
Unrestricted Upload of File with Dangerous Type	3
Authentication Bypass Using an Alternate Path or Channel	2
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')	2
Server-Side Request Forgery (SSRF)	2
Exposure of Sensitive Data Through Data Queries	1
Improper Authorization	1
Improper Neutralization of Special Elements used in a Command ('Command Injection')	1
Improper Protection of Alternate Path	1
Information Exposure Through Log Files	1
URL Redirection to Untrusted Site ('Open Redirect')	1
Use of Hard-coded Password	1

Researchers That Contributed to WordPress Security Last Week

Researcher Name	Number of Vulnerabilities

| 21

| 14

| 12

| 12

| 11

| 8

Ngô Thiên An (ancorn_)

| 7

| 4

| 3

| 3

| 2

| 2

| 2

| 2

| 2

| 2

James Myers (ConfidenceRemainsHigh)

| 2

Dmitrii Ignatyev

| 2

Thanh Nam Tran

| 2

Rayhan Ramdhany Hanaputra

| 2

Benedictus Jovan (aillesiM)

| 2

| 1

| 1

| 1

| 1

| 1

| 1

| 1

| 1

| 1

Thura Moe Myint (mgthuramoemyint)

| 1

Piotr Kuśpit

| 1

João Pedro Soares de Alcântara

| 1

Akbar Kustirama

| 1

Codean Labs

| 1

Tobias Weißhaar (kun_19)

| 1

Scott Kingsley Clark

| 1

Valentin LOBSTEIN

| 1

João G. Barbosa (4rCanJ0x!)

| 1

| 1

| 1

| 1

| 1

| 1

| 1

| 1

| 1

| 1

| 1

| 1

| 1

| 1

| 1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name	Software Slug
140+ Widgets	Xpro Addons For Elementor – FREE
AdFoxly – Ad Manager, AdSense Ads & Ads.txt	adfoxly
Advanced iFrame	advanced-iframe
AI ChatBot for WordPress – WPBot	chatbot
Alemha watermarker	alemha-watermark
Amen	amen
ApplyOnline – Application Form Builder and Manager	apply-online
Automatic Translator with Google Translate	auto-translate
Awesome Contact Form7 for Elementor	awesome-contact-form7-for-elementor
AZAN Plugin	azan
BookingPress – Appointment Booking Calendar Plugin and Online Scheduling Plugin	bookingpress-appointment-booking
Brizy – Page Builder	brizy
Business Directory Plugin – Easy Listing Directories for WordPress	business-directory-plugin
Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder	fluentform
Country State City Dropdown CF7	country-state-city-auto-dropdown
Crafthemes Demo Import	crafthemes-demo-import
Custom Fonts – Host Your Fonts Locally	custom-fonts
Debug Log – Manger Tool	debug-log-config-tool
Dextaz Ping	dextaz-ping
Elegant Addons for elementor	elegant-addons-for-elementor
Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows)	bdthemes-element-pack-lite
Elementor Header & Footer Builder	header-footer-elementor
Elementor Website Builder – More than Just a Page Builder	elementor
ElementsKit Pro	elementskit
Email Log	email-log
Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce	email-subscribers
EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor	embedpress
Event post	event-post
Fastly	fastly
Floating Chat Widget: Contact Chat Icons, WhatsApp, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button – Chaty	chaty
FooGallery Premium	foogallery-premium
FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel	foogallery
Gutenberg Blocks, Page Builder – ComboBlocks	post-grid
Hash Elements	hash-elements
Hash Form – Drag & Drop Form Builder	hash-form
HT Mega – Absolute Addons For Elementor	ht-mega-for-elementor
iframe	iframe
Inquiry cart	inquiry-cart
jQuery T(-) Countdown Widget	jquery-t-countdown-widget
LA-Studio Element Kit for Elementor	lastudio-element-kit
LayerSlider	LayerSlider
LearnPress – WordPress LMS Plugin	learnpress
LottieFiles – JSON Based Animation Lottie & Bodymovin for Elementor	include-lottie-animation-for-elementor
LuckyWP Table of Contents	luckywp-table-of-contents
Master Slider – Responsive Touch Slider	master-slider
Media Library Assistant	media-library-assistant
Memberpress	memberpress
Move Addons for Elementor	move-addons
ND Shortcodes	nd-shortcodes
NextScripts: Social Networks Auto-Poster	social-networks-auto-poster-facebook-twitter-g
Ninja Beaver Add-ons for Beaver Builder	ninja-beaver-lite-addons-for-beaver-builder
Opal Estate Pro – Property Management and Submission	opal-estate-pro
Oxygen Builder	oxygenbuilder
Page Builder by SiteOrigin	siteorigin-panels
Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress	wp-user-avatar
PayPal Pay Now, Buy Now, Donation and Cart Buttons Shortcode	paypal-pay-buy-donation-and-cart-buttons-shortcode
PDF Embedder	pdf-embedder
PDF Poster- PDF Embedder Plugin	pdf-poster
PDF Viewer for Elementor	pdf-viewer-for-elementor
PDF.js Viewer	pdfjs-viewer-shortcode
Pie Register - Social Sites Login (Add on)	pie-register-social-site
Piotnet Addons For Elementor	piotnet-addons-for-elementor
Popup Builder by OptinMonster – WordPress Popups for Optins, Email Newsletters and Lead Generation	optinmonster
PopupAlly	popupally
Post SMTP – WP SMTP Plugin with Email Logs & Mobile App for Failure Alerts – Any SMTP Plus Gmail SMTP, Office 365, Brevo, Mailgun, Amazon SES, Postmark	post-smtp
Praison SEO WordPress	seo-wordpress
Pray For Me	pray-for-me
Premium Addons for Elementor	premium-addons-for-elementor
Primary Addon for Elementor	primary-addon-for-elementor
Prime Slider – Addons For Elementor (Revolution of a slider, Hero Slider, Ecommerce Slider)	bdthemes-prime-slider-lite
Print-O-Matic	print-o-matic
Responsive Contact Form Builder & Lead Generation Plugin	lead-form-builder
Reviews and Rating – Google Reviews	g-business-reviews-rating
RomethemeForm For Elementor	romethemeform
Schema App Structured Data	schema-app-structured-data-for-schemaorg
Search & Replace	search-and-replace
SEOPress – On-site SEO	wp-seopress
ShareThis Share Buttons	sharethis-share-buttons
ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor)	woolentor-addons
Similarity	similarity
Simple Popup Manager	simple-popup-manager
SiteOrigin Widgets Bundle	so-widgets-bundle
Social Pixel	social-pixel
Social Sharing Plugin – Sassy Social Share	sassy-social-share
Spectra – WordPress Gutenberg Blocks	ultimate-addons-for-gutenberg
SVGator – Add Animated SVG Easily	svgator
SVGMagic	svgmagic
Tainacan	tainacan
Testimonial Carousel For Elementor	testimonials-carousel-elementor
The Events Calendar	the-events-calendar
The Events Calendar Pro	the-events-calendar-pro
The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce	the-plus-addons-for-elementor-page-builder
Themify Builder	themify-builder
Toolbar Extras for Elementor & More – WordPress Admin Bar Enhanced	toolbar-extras
UberMenu	ubermenu
Unlimited Elements For Elementor (Free Widgets, Addons, Templates)	unlimited-elements-for-elementor
UserPro - Community and User Profile WordPress Plugin	userpro
Videojs HTML5 Player	videojs-html5-player
Visual Website Collaboration, Feedback & Project Management – Atarim	atarim-visual-collaboration
Web Directory Free	web-directory-free
WordPress + Microsoft Office 365 / Azure AD	LOGIN
WordPress Jitsi Shortcode	wp-jitsi-shortcodes
WP Booking	wp-easy-booking
WP DSGVO Tools (GDPR)	shapepress-dsgvo
WP Font Awesome Share Icons	wp-font-awesome-share-icons
WP Go Maps (formerly WP Google Maps)	wp-google-maps
WP Next Post Navi	wp-next-post-navi
WP Photo Album Plus	wp-photo-album-plus
WP Prayer II	wp-prayers-request
WP Scraper	wp-scraper
WP Shortcodes Plugin — Shortcodes Ultimate	shortcodes-ultimate
WP Table Builder – WordPress Table Plugin	wp-table-builder
WP Ultimate Post Grid	wp-ultimate-post-grid
WP-ViperGB	wp-vipergb
WPB Elementor Addons	wpb-elementor-addons
WPCafe – Online Food Ordering, Restaurant Menu, Delivery, and Reservations for WooCommerce	wp-cafe
wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin	wpdatatables
WPKoi Templates for Elementor	wpkoi-templates-for-elementor
WPZOOM Addons for Elementor (Templates, Widgets)	wpzoom-elementor-addons
YITH WooCommerce Ajax Search	yith-woocommerce-ajax-search
YouTube Video Gallery by YouTube Showcase – Video Gallery Plugin for WordPress	youtube-showcase

WordPress Themes with Reported Vulnerabilities Last Week

Software Name	Software Slug
Blocksy	blocksy

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you'd like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

Business Directory Plugin – Easy Listing Directories for WordPress <= 6.4.2 - Unauthenticated SQL Injection via listingfields Parameter

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-4443

Patch Status
Patched

Published
May 21, 2024

Affected Software
Business Directory Plugin – Easy Listing Directories for WordPress

Researcher

Wordfence Intelligence Weekly WordPress Vulnerability Report (May 20, 2024 to May 26, 2024)

Total Unpatched & Patched Vulnerabilities Last Week

Total Vulnerabilities by CVSS Severity Last Week

Total Vulnerabilities by CWE Type Last Week

Researchers That Contributed to WordPress Security Last Week

WordPress Plugins with Reported Vulnerabilities Last Week

WordPress Themes with Reported Vulnerabilities Last Week

Vulnerability Details

Related