Wordfence Intelligence Weekly WordPress Vulnerability Report (February 5, 2024 to February 11, 2024)

2024-02-15 16:21:23
Chloe Chamberland
www.wordfence.com



🎉 Did you know we're running a Bug Bounty Extravaganza again?

Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through February 29th, 2024, when you opt to have Wordfence handle responsible disclosure!


Last week, there were 95 vulnerabilities disclosed in 65 WordPress Plugins and 3 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 33 Vulnerability Researchers who contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, including the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Alternatively, they can use the Vulnerability Database API to receive a complete dump of our database of over 12,000 vulnerabilities, and then use the webhook integration to stay on top of the newest vulnerabilities added in real time, as well as any updates made to the database, all for free.

Click here to sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.


New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

  • WAF-RULE-675 - data redacted while we work with the vendor on a patch.
  • WAF-RULE-676 - data redacted while we work with the vendor on a patch.

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30-day delay.


Total Unpatched & Patched Vulnerabilities Last Week

Patch Status Number of Vulnerabilities
Unpatched 13
Patched 82

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating Number of Vulnerabilities
Low Severity 2
Medium Severity 82
High Severity 7
Critical Severity 4

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') 30
Cross-Site Request Forgery (CSRF) 21
Missing Authorization 18
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') 5
Information Exposure 3
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) 3
Deserialization of Untrusted Data 2
Authorization Bypass Through User-Controlled Key 2
Improper Access Control 2
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') 2
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') 1
Uncontrolled Resource Consumption ('Resource Exhaustion') 1
Server-Side Request Forgery (SSRF) 1
Insecure Storage of Sensitive Information 1
Incorrect Authorization 1
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') 1
Improper Authorization 1

Researchers That Contributed to WordPress Security Last Week

Researcher Name Number of Vulnerabilities
Francesco Carlucci 24
Lucio Sá 10
Dhabaleshwar Das 7
Webbernaut 6
Dimas Maulana 3
Ngô Thiên An (ancorn_) 3
Krzysztof Zając 3
beluga 2
Sh 2
Rhynorater 2
kodaichodai 2
Kyle Sanchez 2
Felipe Restrepo Rodriguez (pfelilpe) 2
István Márton (Wordfence Vulnerability Researcher) 2
Rafie Muhammad 2
Sean Murphy 2
stealthcopter 2
hir0ot 1
Dave Jong 1
Le Ngoc Anh 1
villu164 1
Colin Xu 1
Christian Angel 1
LVT-tholv2k 1
wesley (wcraft) 1
Dmitrii Ignatyev 1
Abu Hurayra (HurayraIIT) 1
Muhammad Hassham Nagori 1
Abdi Pranata 1
Skalucy 1
Pham Ho Anh Dung 1
Savphill 1
Scott Kingsley Clark 1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.


WordPress Plugins with Reported Vulnerabilities Last Week

Software Name Software Slug
3D Tag Cloud cardoza-3d-tag-cloud
AMP for WP – Accelerated Mobile Pages accelerated-mobile-pages
Admin Menu Editor admin-menu-editor
Advanced Forms for ACF advanced-forms
All 404 Pages Redirect to Homepage all-404-pages-redirect-to-homepage
All-In-One Security (AIOS) – Security and Firewall all-in-one-wp-security-and-firewall
Apollo13 Framework Extensions apollo13-framework-extensions
Awesome Support – WordPress HelpDesk & Support Plugin awesome-support
Backuply – Backup, Restore, Migrate and Clone backuply
Basic Log Viewer wpsimpletools-log-viewer
Before After Image Slider WP before-after-image-slider
Buttons Shortcode and Widget buttons-shortcode-and-widget
Contact Form 7 Connector ari-cf7-connector
Content Cards content-cards
Coupon Referral Program coupon-referral-program
Custom Twitter Feeds – A Tweets Widget or X Feed Widget custom-twitter-feeds
Customer Reviews for WooCommerce customer-reviews-woocommerce
Elementor Addon Elements addon-elements-for-elementor-page-builder
Elementor Addons by Livemesh addons-for-elementor
Elementor Website Builder – More than Just a Page Builder elementor
Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin wp-event-solution
Honeypot for WP Comment honeypot-for-wp-comment
ImageRecycle pdf & image compression imagerecycle-pdf-image-compression
InfiniteWP Client iwp-client
Insert PHP Code Snippet insert-php-code-snippet
Internal Link Juicer: SEO Auto Linker for WordPress internal-links
Link Library link-library
Login Lockdown – Protect Login Form login-lockdown
Matomo Analytics – Ethical Stats. Powerful Insights. matomo
Meta Box – WordPress Custom Fields Framework meta-box
Minimal Coming Soon – Coming Soon Page minimal-coming-soon-maintenance-mode
My Calendar my-calendar
NextMove Lite – Thank You Page for WooCommerce woo-thank-you-page-nextmove-lite
PPWP – Password Protect Pages password-protect-page
Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions paid-memberships-pro
Passster – Password Protect Pages and Content content-protector
Payment Forms for Paystack payment-forms-for-paystack
Photos and Files Contest Gallery – Contact Form, Upload Form, Social Share and Voting Plugin for WordPress contest-gallery
Podlove Podcast Publisher podlove-podcasting-plugin-for-wordpress
Podlove Subscribe button podlove-subscribe-button
Polls CP cp-polls
Portugal CTT Tracking for WooCommerce portugal-ctt-tracking-woocommerce
PowerPack Addons for Elementor (Free Widgets, Extensions and Templates) powerpack-lite-for-elementor
Prime Slider – Addons For Elementor (Revolution of a slider, Hero Slider, Media Slider, Drag Drop Slider, Video Slider, Product Slider, Ecommerce Slider) bdthemes-prime-slider-lite
Product Labels For Woocommerce (Sale Badges) aco-product-labels-for-woocommerce
Quiz Maker quiz-maker
RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator feedzy-rss-feeds
RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging wp-rss-aggregator
Royal Elementor Addons and Templates royal-elementor-addons
Shariff Wrapper shariff
Shield Security – Smart Bot Blocking & Intrusion Prevention Security wp-simple-firewall
Simple Page Access Restriction simple-page-access-restriction
Starbox – the Author Box for Humans starbox
Themify Builder themify-builder
Timeline Widget For Elementor (Elementor Timeline, Vertical & Horizontal Timeline) timeline-widget-addon-for-elementor
VK Poster Group vk-poster-group
WP 404 Auto Redirect to Similar Post wp-404-auto-redirect-to-similar-post
WP Booking Calendar booking
WP Club Manager – WordPress Sports Club Plugin wp-club-manager
WP Contact Form wp-contact-form
WP Recipe Maker wp-recipe-maker
WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc wp-sms
WP Shortcodes Plugin — Shortcodes Ultimate shortcodes-ultimate
Wonder Slider Lite wonderplugin-slider-lite
Woocommerce Vietnam Checkout woo-vietnam-checkout

WordPress Themes with Reported Vulnerabilities Last Week

Software Name Software Slug
Blocksy blocksy
Royal Elementor Kit royal-elementor-kit
brooklyn brooklyn

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you'd like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

Shield Security – Smart Bot Blocking & Intrusion Prevention Security <= 18.5.9 - Unauthenticated Local File Inclusion

Affected Software: Shield Security – Smart Bot Blocking & Intrusion Prevention Security
CVE ID: CVE-2023-6989
CVSS Score: 9.8 (Critical)
Researcher/s: hir0ot
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/063826cc-7ff3-4869-9831-f6a4a4bbe74c


Coupon Referral Program <= 1.7.2 - Unauthenticated PHP Object Injection

Affected Software: Coupon Referral Program
CVE ID: CVE-2024-25100
CVSS Score: 9.8 (Critical)
Researcher/s: Dave Jong
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0e556ca2-1b83-4589-bff8-64323eb594e7


Booking Calendar <= 9.9 - Unauthenticated SQL Injection

Affected Software: WP Booking Calendar
CVE ID: CVE-2024-1207
CVSS Score: 9.8 (Critical)
Researcher/s: Muhammad Hassham Nagori
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7802ed1f-138c-4a3d-916c-80fb4f7699b2


Honeypot for WP Comment <= 2.2.3 - Directory Traversal to Unauthenticated Arbitrary File Deletion

Affected Software: Honeypot for WP Comment
CVE ID: CVE-2024-1350
CVSS Score: 9.1 (Critical)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b6b0bb48-eb61-4236-a03f-19d5d2084a75


Elementor <= 3.19.0 - Authenticated (Contributor+) Arbitrary File Deletion and PHAR Deserialization

Affected Software: Elementor Website Builder – More than Just a Page Builder
CVE ID: CVE-2024-24934
CVSS Score: 8.8 (High)
Researcher/s: Rhynorater
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4915b769-9499-40ac-835e-279e3a910558


Awesome Support – WordPress HelpDesk & Support Plugin <= 6.1.7 - Authenticated (Subscriber+) SQL Injection

Affected Software: Awesome Support – WordPress HelpDesk & Support Plugin
CVE ID: CVE-2024-0594
CVSS Score: 8.8 (High)
Researcher/s: Krzysztof Zając
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/8494a0f6-7079-4fba-9901-76932b002c5a


WP Recipe Maker <= 9.1.2 - Missing Authorization to Authenticated (Subscriber+) SQL Injection

Affected Software: WP Recipe Maker
CVE ID: CVE-2024-1206
CVSS Score: 8.8 (High)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b10d8f8a-517f-4286-b501-0ca040529362


RSS Aggregator by Feedzy <= 4.4.2 - Authenticated (Contributor+) SQL Injection

Affected Software: RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator
CVE ID: CVE-2024-1317
CVSS Score: 8.8 (High)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cf57aeaa-e37e-4b22-aeaa-f0a9f4877484


Podlove Subscribe button <= 1.3.10 - Authenticated (Contributor+) SQL Injection

Affected Software: Podlove Subscribe button
CVE ID: CVE-2024-1118
CVSS Score: 8.8 (High)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f234f05f-e377-4e89-81e1-f47ff44eebc5


Backuply - Backup, Restore, Migrate and Clone <= 1.2.5 - Denial of Service

Affected Software: Backuply – Backup, Restore, Migrate and Clone
CVE ID: CVE-2024-0842
CVSS Score: 7.5 (High)
Researcher/s: villu164
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1f955d88-ab4c-4cf4-a23b-91119d412716


Brooklyn <= 4.9.7.6 - PHP Object Injection

Affected Software: brooklyn
CVE ID: CVE-2024-24926
CVSS Score: 7.5 (High)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5dd962a5-ec0e-415f-8efa-91e78bb80d16


NextMove Lite <= 2.17.0 - Missing Authorization to Authenticated (Subscriber+) Plugin Activation

Affected Software: NextMove Lite – Thank You Page for WooCommerce
CVE ID: CVE-2024-25092
CVSS Score: 6.5 (Medium)
Researcher/s: beluga
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0b04ab77-880b-423a-bba6-59822f0463bc


RSS Aggregator by Feedzy <= 4.4.2 - Missing Authorization to Arbitrary Page Creation and Publication

Affected Software: RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator
CVE ID: CVE-2024-1318
CVSS Score: 6.5 (Medium)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/181edcec-a57d-4516-935d-6777d2de77ae


AMP for WP <= 1.0.93.1 - Authenticated (Contributor+) Arbitrary Post Deletion via amppb_remove_saved_layout_data

Affected Software: AMP for WP – Accelerated Mobile Pages
CVE ID: CVE-2024-1043
CVSS Score: 6.5 (Medium)
Researcher/s: Sean Murphy
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ffb70e82-355b-48f3-92d0-19659ed2550e


WP Shortcodes Plugin — Shortcodes Ultimate <= 7.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Affected Software: WP Shortcodes Plugin — Shortcodes Ultimate
CVE ID: CVE-2024-0792
CVSS Score: 6.4 (Medium)
Researcher/s: Webbernaut
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0d8c043c-e347-4dc8-8a72-943a7e6c4394


Starbox <= 3.4.8 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Job Settings

Affected Software: Starbox – the Author Box for Humans
CVE ID: CVE-2023-6806
CVSS Score: 6.4 (Medium)
Researcher/s: Sh
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1f413fc2-8543-4478-987d-d983581027bf


Royal Elementor Addons and Templates <= 1.3.87 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Royal Elementor Addons and Templates
CVE ID: CVE-2024-0442
CVSS Score: 6.4 (Medium)
Researcher/s: Webbernaut
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/256b4818-290b-4660-8e83-c18b068a8959


Meta Box – WordPress Custom Fields Framework <= 5.9.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Meta Box – WordPress Custom Fields Framework
CVE ID: CVE-2023-6526
CVSS Score: 6.4 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2a6bfc87-6135-4d49-baa2-e8e6291148dc


Apollo13 Framework Extensions <= 1.9.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Apollo13 Framework Extensions
CVE ID: CVE-2024-24880
CVSS Score: 6.4 (Medium)
Researcher/s: LVT-tholv2k
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/33386b7b-fae3-42a4-96d3-df3cdc342317


Content Cards <= 0.9.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Affected Software: Content Cards
CVE ID: CVE-2024-24928
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3e7d10ab-2525-407b-b814-ef7d884d5287


Elementor Website Builder – More than Just a Page Builder <= 3.18.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via get_image_alt

Affected Software: Elementor Website Builder – More than Just a Page Builder
CVE ID: CVE-2024-0506
CVSS Score: 6.4 (Medium)
Researcher/s: wesley (wcraft)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4473d3f6-e324-40f5-b92b-167f76b17332


Elementor Addon Elements <= 1.12.11 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Elementor Addon Elements
CVE ID: CVE-2024-0834
CVSS Score: 6.4 (Medium)
Researcher/s: Webbernaut
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6ebb5654-ba3e-4f18-8720-a6595a771964


Elementor Addons by Livemesh <= 8.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Elementor Addons by Livemesh
CVE ID: CVE-2024-1235
CVSS Score: 6.4 (Medium)
Researcher/s: Webbernaut
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/70bda4b7-e442-4956-b3cb-8df96043bcde


Payment Forms for Paystack <= 3.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: Payment Forms for Paystack
CVE ID: CVE-2023-5665
CVSS Score: 6.4 (Medium)
Researcher/s: István Márton
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/98f80608-f24f-4019-a757-de71cba9902f


Before After Image Slider WP <= 2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Affected Software: Before After Image Slider WP
CVE ID: CVE-2024-24931
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/af76e32b-ba7d-4eaa-97c8-ed6a25e8f387


My Calendar <= 3.4.23 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software: My Calendar
CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d039ba8f-0452-4c14-a655-7f6880c1f1b4


Buttons Shortcode and Widget <= 1.16 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Affected Software: Buttons Shortcode and Widget
CVE ID: CVE-2024-24930
CVSS Score: 6.4 (Medium)
Researcher/s: Ngô Thiên An (ancorn_)
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ea6e0856-ba3d-4fa1-ac90-45a51ff994ef


VK Poster Group <= 2.0.3 - Reflected Cross-Site Scripting via vkp_repost

Affected Software: VK Poster Group
CVE ID: CVE-2024-24932
CVSS Score: 6.1 (Medium)
Researcher/s: Le Ngoc Anh
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/14f030bd-8d8d-4152-817d-d72c9b7a0152


Matomo <= 4.15.3 - Reflected Cross-Site Scripting via idsite

Affected Software: Matomo Analytics – Ethical Stats. Powerful Insights.
CVE ID: CVE-2023-6923
CVSS Score: 6.1 (Medium)
Researcher/s: Felipe Restrepo Rodriguez (pfelilpe)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2e2d54eb-c176-49c4-a4fc-833e17189cad


WP SMS <= 6.5.2 - Reflected Cross-Site Scripting via 'page'

Affected Software: WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc
CVE ID: CVE-2024-24881
CVSS Score: 6.1 (Medium)
Researcher/s: Dimas Maulana
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/31f7dc1e-2008-4672-85ba-56fa35f4f0e1


WP 404 Auto Redirect to Similar Post <= 1.0.3 - Reflected Cross-Site Scripting via request

Affected Software: WP 404 Auto Redirect to Similar Post
CVE ID: CVE-2024-0509
CVSS Score: 6.1 (Medium)
Researcher/s: kodaichodai
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6eef5549-3f89-4d6f-8c4e-6e4ee6082042


Wonder Slider Lite <= 13.9 - Reflected Cross-Site Scripting via 'page'

Affected Software: Wonder Slider Lite
CVE ID: CVE-2024-24877
CVSS Score: 6.1 (Medium)
Researcher/s: Dimas Maulana
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/712d2d8b-2103-4262-807e-bb26cabb771c


Brooklyn <= 4.9.7.6 - Reflected Cross-Site Scripting

Affected Software: brooklyn
CVE ID: CVE-2024-24927
CVSS Score: 6.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/724d8382-cef3-4584-a255-c2ecc7c986b3


Link Library <= 7.5.13 - Reflected Cross-Site Scripting via 'link_price' and 'link_tags'

Affected Software: Link Library
CVE ID: CVE-2024-24879
CVSS Score: 6.1 (Medium)
Researcher/s: beluga
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9d5f9d2e-6719-4ce7-bbdd-afaf437bd080


Portugal CTT Tracking for WooCommerce <= 2.1 - Reflected Cross-Site Scripting

Affected Software: Portugal CTT Tracking for WooCommerce
CVE ID: CVE-2024-24878
CVSS Score: 6.1 (Medium)
Researcher/s: stealthcopter
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a69e6ca8-efd6-4b89-ae63-b320f9936842


All-In-One Security (AIOS) – Security and Firewall <= 5.2.5 - Reflected Cross-Site Scripting

Affected Software: All-In-One Security (AIOS) – Security and Firewall
CVE ID: CVE-2024-1037
CVSS Score: 6.1 (Medium)
Researcher/s: stealthcopter
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b50772e5-5142-4f50-b5c0-6116a8821cba


Honeypot for WP Comment <= 2.2.3 - Reflected Cross-Site Scripting via page

Affected Software: Honeypot for WP Comment
CVE ID: CVE-2024-24933
CVSS Score: 6.1 (Medium)
Researcher/s: Dimas Maulana
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c1441e68-5c41-4c90-ba99-1656af87a29d


All 404 Pages Redirect to Homepage <= 1.9 - Unauthenticated Stored Cross-Site Scripting

Affected Software: All 404 Pages Redirect to Homepage
CVE ID: CVE-2024-24889
CVSS Score: 6.1 (Medium)
Researcher/s: Pham Ho Anh Dung
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/de5d5ffc-e76a-4ea9-be68-9ca5f847a363


InfiniteWP Client <= 1.12.3 - Unauthenticated Sensitive Information Exposure

Affected Software: InfiniteWP Client
CVE ID: CVE-2023-6565
CVSS Score: 5.9 (Medium)
Researcher/s: Christian Angel
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2fdc32a4-adf8-4174-924b-5d0b763d010c


PowerPack Addons for Elementor (Free Widgets, Extensions and Templates) <= 2.7.14 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: PowerPack Addons for Elementor (Free Widgets, Extensions and Templates)
CVE ID: CVE-2024-1055
CVSS Score: 5.4 (Medium)
Researcher/s: Webbernaut
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/036cf299-80c2-48a8-befc-02899ab96e3c


Basic Log Viewer <= 1.0.4 - Cross-Site Request Forgery via wpst_lw_viewer

Affected Software: Basic Log Viewer
CVE ID: CVE-2024-24935
CVSS Score: 5.4 (Medium)
Researcher/s: Dhabaleshwar Das
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/18acd104-a5a5-4811-9aea-abc227a1712c


Login Lockdown – Protect Login Form <= 2.08 - Missing Authorization

Affected Software: Login Lockdown – Protect Login Form
CVE ID: CVE-2024-1340
CVSS Score: 5.4 (Medium)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/34021007-b5d3-479b-a0d4-50e301f22c9c


3D Tag Cloud <= 3.8 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Affected Software: 3D Tag Cloud
CVE ID: CVE-2022-41990
CVSS Score: 5.4 (Medium)
Researcher/s: István Márton
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4dfa825c-b0f7-4588-9bf8-cd186a5fc0ff


Prime Slider – Addons For Elementor <= 3.11.10 - Incorrect Authorization via bdt_duplicate_as_draft

Affected Software: Prime Slider – Addons For Elementor (Revolution of a slider, Hero Slider, Media Slider, Drag Drop Slider, Video Slider, Product Slider, Ecommerce Slider)
CVE ID: CVE-2024-24883
CVSS Score: 5.4 (Medium)
Researcher/s: Abu Hurayra (HurayraIIT)
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/691b7428-73e5-4800-85a1-19daa85aff4e


Passster – Password Protect Pages and Content <= 4.2.6.2 - Missing Authorization to Sensitive Information Exposure

Affected Software: Passster – Password Protect Pages and Content
CVE ID: CVE-2024-0616
CVSS Score: 5.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/00b81467-8d00-4816-895a-89d67c541c17


Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin <= 3.3.50 - Missing Authorization to Unauthenticated Events Export

Affected Software: Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin
CVE ID: CVE-2024-1122
CVSS Score: 5.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0cbdf679-1657-4249-a433-8fe0cddd94be


CP Polls <= 1.0.71 - Unauthenticated Poll Limit Bypass

Affected Software: Polls CP
CVE ID: CVE-2024-24873
CVSS Score: 5.3 (Medium)
Researcher/s: Kyle Sanchez
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2c80de83-3996-4048-8aa3-3611b002fc01


Podlove Podcast Publisher <= 4.0.11 - Missing Authorization to Settings Import

Affected Software: Podlove Podcast Publisher
CVE ID: CVE-2024-1110
CVSS Score: 5.3 (Medium)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2c9cf461-572c-4be8-96e6-659acf3208f3


PPWP – Password Protect Pages <= 1.8.9 - Protection Mechanism Bypass

Affected Software: PPWP – Password Protect Pages
CVE ID: CVE-2024-0620
CVSS Score: 5.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/41299927-2ed9-4cbe-b2b0-f306dc0e4a58


Customer Reviews for WooCommerce <= 5.38.12 - Improper Authorization via submit_review

Affected Software: Customer Reviews for WooCommerce
CVE ID: CVE-2024-1044
CVSS Score: 5.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/4420c334-1ea4-4549-b391-150702abc2f8


Quiz Maker <= 6.5.2.4 - Missing Authorization to Unauthenticated Quiz Data Retrieval

Affected Software: Quiz Maker
CVE ID: CVE-2024-1079
CVSS Score: 5.3 (Medium)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/602df370-cd5b-46dc-a653-6522aef0c62f


WP Club Manager – WordPress Sports Club Plugin <= 2.2.10 - Missing Authorization to Unauthenticated Event Permalink Update

Affected Software: WP Club Manager – WordPress Sports Club Plugin
CVE ID: CVE-2024-1177
CVSS Score: 5.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/64c2c8c2-58f5-4b7d-b226-39ba39e887d5


Advanced Forms for ACF <= 1.9.3.2 - Missing Authorization to Unauthenticated Form Settings Export

Affected Software: Advanced Forms for ACF
CVE ID: CVE-2024-1121
CVSS Score: 5.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7b33f2ee-3f20-4494-bdae-3f8cc3c6dc73


Podlove Podcast Publisher <= 4.0.11 - Missing Authorization to Unauthenticated Data Export

Affected Software: Podlove Podcast Publisher
CVE ID: CVE-2024-1109
CVSS Score: 5.3 (Medium)
Researcher/s: Lucio Sá
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a7b25b66-e9d1-448d-8367-cce4c0dec635


Royal Elementor Addons and Templates <= 1.3.87 - Missing Authorization via wpr_update_form_action_meta

Affected Software: Royal Elementor Addons and Templates
CVE ID: CVE-2024-0516
CVSS Score: 5.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d3457b87-c860-4cf2-ac3d-2c6521b629ea


Simple Page Access Restriction <= 1.0.21 - Improper Access Control to Sensitive Information Exposure via REST API

Affected Software: Simple Page Access Restriction
CVE ID: CVE-2024-0965
CVSS Score: 5.3 (Medium)
Researcher/s: Francesco Carlucci
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d99dc270-1b28-4e76-9346-38b2b96be01c


Awesome Support – WordPress HelpDesk & Support Plugin <= 6.1.7 - Missing Authorization via editor_html()

Affected Software: Awesome Support – WordPress HelpDesk & Support Plugin
CVE ID: CVE-2024-0596
CVSS Score: 5.3 (Medium)
Researcher/s: Krzysztof Zając
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e4358e2a-b7f6-44b6-a38a-5b27cb15e1cd


CP Polls <= 1.0.71 - Unauthenticated Content Injection

Affected Software: Polls CP
CVE ID: CVE-2024-24874
CVSS Score: 5.3 (Medium)
Researcher/s: Kyle Sanchez
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f28d7659-9244-4da8-97e9-4539d7d874f7


Paid Memberships Pro <= 2.12.8 - Authenticated (Contributor+) User Meta Disclosure

Affected Software: Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions CVE ID: CVE Unknown CVSS Score: 5.3 (Medium) Researcher/s: Scott Kingsley Clark Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f6c5e3f8-ebbd-4cc3-b9b1-3f1704e3c07a>


Woocommerce Vietnam Checkout <= 2.0.7 - Authenticated (Shop manager+) Stored Cross-Site Scripting

Affected Software: Woocommerce Vietnam Checkout CVE ID: CVE-2024-24885 CVSS Score: 4.4 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/02402620-89db-448d-9028-379856735a2a>


Timeline Widget For Elementor (Elementor Timeline, Vertical & Horizontal Timeline) <= 1.5.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

Affected Software: Timeline Widget For Elementor (Elementor Timeline, Vertical & Horizontal Timeline) CVE ID: CVE-2024-0977 CVSS Score: 4.4 (Medium) Researcher/s: Webbernaut Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/03073726-58d0-45b3-b7a6-7d12dbede919>


Product Labels For Woocommerce <= 1.5.3 - Authenticated (Shop manager+) Stored Cross-Site Scripting

Affected Software: Product Labels For Woocommerce (Sale Badges) CVE ID: CVE-2024-24886 CVSS Score: 4.4 (Medium) Researcher/s: Dhabaleshwar Das Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/24226595-6ae7-44c2-a159-5b69808273fa>


Internal Link Juicer <= 2.23.4 - Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: Internal Link Juicer: SEO Auto Linker for WordPress CVE ID: CVE-2024-0657 CVSS Score: 4.4 (Medium) Researcher/s: Sh Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/41d39fe4-b114-4612-92f6-75d6597610f7>


Shariff Wrapper <= 4.6.9 - Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: Shariff Wrapper CVE ID: CVE-2024-1106 CVSS Score: 4.4 (Medium) Researcher/s: Dmitrii Ignatyev Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5ab9c383-14da-479d-9709-1ae154dae398>


My Calendar <= 3.4.23 - Authenticated (Admin+) Stored Cross-Site Scripting via Events

Affected Software: My Calendar CVE ID: CVE Unknown CVSS Score: 4.4 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ad98db62-4253-4fd5-90b3-c28a563c7697>


Insert PHP Code Snippet <= 1.3.4 - Authenticated (Admin+) Stored Cross-Site Scripting

Affected Software: Insert PHP Code Snippet CVE ID: CVE-2024-0658 CVSS Score: 4.4 (Medium) Researcher/s: Felipe Restrepo Rodriguez (pfelilpe) Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c4a6b786-d0ef-41f6-b2bf-83307ec02b91>


Blocksy <= 2.0.19 - Authenticated (Editor+) Stored Cross-Site Scripting

Affected Software: Blocksy CVE ID: CVE-2024-24871 CVSS Score: 4.4 (Medium) Researcher/s: Savphill Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e781e1aa-7fa2-4cea-913b-4aa582ec6a4f>


ImageRecycle pdf & image compression <= 3.1.13 - Cross-Site Request Forgery to Settings Update in enableOptimization

Affected Software: ImageRecycle pdf & image compression CVE ID: CVE-2024-1334 CVSS Score: 4.3 (Medium) Researcher/s: Francesco Carlucci Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/0318ec4a-185a-405d-90f8-008ba373114b>


All In One WP Security <= 5.2.6 - Cross-Site Request Forgery to IP Blocking

Affected Software: All-In-One Security (AIOS) – Security and Firewall CVE ID: CVE Unknown CVSS Score: 4.3 (Medium) Researcher/s: Unknown Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/05991bf2-ee61-4bf7-89df-c2f66db7caec>


ImageRecycle pdf & image compression <= 3.1.13 - Missing Authorization to Settings Update in enableOptimization

Affected Software: ImageRecycle pdf & image compression CVE ID: CVE-2024-0983 CVSS Score: 4.3 (Medium) Researcher/s: Francesco Carlucci Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/175dd04d-ce06-45a0-8cfe-14498e2f9198>


Custom Twitter Feeds – A Tweets Widget or X Feed Widget <= 2.2.1 - Cross-Site Request Forgery to Plugin Options Update

Affected Software: Custom Twitter Feeds – A Tweets Widget or X Feed Widget CVE ID: CVE-2024-0379 CVSS Score: 4.3 (Medium) Researcher/s: Rhynorater, kodaichodai Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/29e2ff11-053b-45cc-adf1-d276f1ee576e>


ImageRecycle pdf & image compression <= 3.1.13 - Cross-Site Request Forgery to Plugin Data Removal in reinitialize

Affected Software: ImageRecycle pdf & image compression CVE ID: CVE-2024-1339 CVSS Score: 4.3 (Medium) Researcher/s: Francesco Carlucci Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/2d08e462-8297-477e-89da-47f26bd6beae>


ImageRecycle pdf & image compression <= 3.1.13 - Missing Authorization to Plugin Data Removal in reinitialize

Affected Software: ImageRecycle pdf & image compression CVE ID: CVE-2024-1091 CVSS Score: 4.3 (Medium) Researcher/s: Francesco Carlucci Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/3cb8b08c-a028-48bd-acad-c00313fe06b8>


Royal Elementor Addons and Templates <= 1.3.87 - Cross-Site Request Forgery via remove_from_wishlist

Affected Software: Royal Elementor Addons and Templates CVE ID: CVE-2024-0513 CVSS Score: 4.3 (Medium) Researcher/s: Francesco Carlucci Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/3d3516e7-cce4-4def-be38-d16be3110d59>


Admin Menu Editor <= 1.12 - Cross-Site Request Forgery via ajax_hide_hint()

Affected Software: Admin Menu Editor CVE ID: CVE-2024-24876 CVSS Score: 4.3 (Medium) Researcher/s: Dhabaleshwar Das Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/53fa9be4-a2b3-458c-af6e-d3ada639a622>


ImageRecycle pdf & image compression <= 3.1.13 - Cross-Site Request Forgery to Settings Update in stopOptimizeAll

Affected Software: ImageRecycle pdf & image compression CVE ID: CVE-2024-1338 CVSS Score: 4.3 (Medium) Researcher/s: Francesco Carlucci Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/5e3dd131-dbd8-431c-96f4-4ab2c3be4dbd>


Royal Elementor Kit <= 1.0.116 - Missing Authorization to Arbitrary Transient Update

Affected Software: Royal Elementor Kit CVE ID: CVE-2024-0835 CVSS Score: 4.3 (Medium) Researcher/s: Sean Murphy Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/603b6c52-48eb-4e8c-a2c1-77b12a2b1a2c>


Themify Builder <= 7.0.5 - Cross-Site Request Forgery

Affected Software: Themify Builder CVE ID: CVE-2024-24872 CVSS Score: 4.3 (Medium) Researcher/s: Dhabaleshwar Das Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/6840c91f-a5d9-4940-8a08-d62acc5d43eb>


Quiz Maker <= 6.5.2.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Quiz Creation & Modification

Affected Software: Quiz Maker CVE ID: CVE-2024-1078 CVSS Score: 4.3 (Medium) Researcher/s: Lucio Sá Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/7ba2b270-5f02-4cd8-8a22-1723c3873d67>


ImageRecycle pdf & image compression <= 3.1.13 - Missing Authorization to Settings Update in optimizeAllOn

Affected Software: ImageRecycle pdf & image compression CVE ID: CVE-2024-1089 CVSS Score: 4.3 (Medium) Researcher/s: Francesco Carlucci Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/8ff16906-2516-4b3c-8217-e3fb24924e27>


Royal Elementor Addons and Templates <= 1.3.87 - Cross-Site Request Forgery via remove_from_compare

Affected Software: Royal Elementor Addons and Templates CVE ID: CVE-2024-0515 CVSS Score: 4.3 (Medium) Researcher/s: Francesco Carlucci Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/a4178271-c09e-4094-a616-5a00d28f39a3>


Royal Elementor Addons and Templates <= 1.3.87 - Cross-Site Request Forgery via add_to_compare

Affected Software: Royal Elementor Addons and Templates CVE ID: CVE-2024-0514 CVSS Score: 4.3 (Medium) Researcher/s: Francesco Carlucci Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b0955689-43a0-442c-974b-5db5e4171f6a>


Royal Elementor Addons and Templates <= 1.3.87 - Cross-Site Request Forgery via add_to_wishlist

Affected Software: Royal Elementor Addons and Templates CVE ID: CVE-2024-0512 CVSS Score: 4.3 (Medium) Researcher/s: Francesco Carlucci Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b2ff2954-f494-4cd7-9f29-ee0e8551e339>


ImageRecycle pdf & image compression <= 3.1.13 - Cross-Site Request Forgery to Settings Update in disableOptimization

Affected Software: ImageRecycle pdf & image compression CVE ID: CVE-2024-1335 CVSS Score: 4.3 (Medium) Researcher/s: Francesco Carlucci Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b3900e4f-4ae4-4026-89df-b63bd869a763>


Contact Form 7 Connector <= 1.2.2 - Cross-Site Request Forgery

Affected Software: Contact Form 7 Connector CVE ID: CVE-2024-24884 CVSS Score: 4.3 (Medium) Researcher/s: Dhabaleshwar Das Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/b74a5a4c-250a-46bc-bf08-2dd720de41ae>


Awesome Support – WordPress HelpDesk & Support Plugin <= 6.1.7 - Missing Authorization via wpas_get_users()

Affected Software: Awesome Support – WordPress HelpDesk & Support Plugin CVE ID: CVE-2024-0595 CVSS Score: 4.3 (Medium) Researcher/s: Krzysztof Zając Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/bfb77432-e58d-466e-a366-8b8d7f1b6982>


WP Contact Form <= 1.6 - Cross-Site Request Forgery via wpcf_adminpage

Affected Software: WP Contact Form CVE ID: CVE-2024-24929 CVSS Score: 4.3 (Medium) Researcher/s: Skalucy Patch Status: Unpatched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/c5decbb3-05a0-403f-918a-9b516df85778>


ImageRecycle pdf & image compression <= 3.1.13 - Cross-Site Request Forgery to Settings Update in optimizeAllOn

Affected Software: ImageRecycle pdf & image compression CVE ID: CVE-2024-1336 CVSS Score: 4.3 (Medium) Researcher/s: Francesco Carlucci Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/ca4cf299-9dee-4ebf-83f3-4c3471bd9fb0>


ImageRecycle pdf & image compression <= 3.1.13 - Missing Authorization to Settings Update in disableOptimization

Affected Software: ImageRecycle pdf & image compression CVE ID: CVE-2024-0984 CVSS Score: 4.3 (Medium) Researcher/s: Francesco Carlucci Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/cc9dd55d-3c37-4f24-81a1-fdc8ca284566>


Royal Elementor Addons and Templates <= 1.3.87 - Cross-Site Request Forgery via wpr_update_form_action_meta

Affected Software: Royal Elementor Addons and Templates CVE ID: CVE-2024-0511 CVSS Score: 4.3 (Medium) Researcher/s: Francesco Carlucci Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/dc8bef03-51e0-4448-bddd-85300104e875>


Contest Gallery <= 21.2.8.4 - Cross-Site Request Forgery

Affected Software: Photos and Files Contest Gallery – Contact Form, Upload Form, Social Share and Voting Plugin for WordPress CVE ID: CVE-2024-24887 CVSS Score: 4.3 (Medium) Researcher/s: Dhabaleshwar Das Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/e4ed8c6e-5f80-4360-9478-fff49b1fee94>


ImageRecycle pdf & image compression <= 3.1.13 - Missing Authorization to Settings Update in stopOptimizeAll

Affected Software: ImageRecycle pdf & image compression CVE ID: CVE-2024-1090 CVSS Score: 4.3 (Medium) Researcher/s: Francesco Carlucci Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/f3fae909-5564-4e0a-9114-edd0e45865e5>


Link Library <= 7.5.13 - Cross-Site Request Forgery via action_admin_init

Affected Software: Link Library CVE ID: CVE-2024-24875 CVSS Score: 4.3 (Medium) Researcher/s: Dhabaleshwar Das Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/fefe4499-8b03-4c07-b248-ae0ae5153b4f>


WP RSS Aggregator <= 4.23.5 - Authenticated (Admin+) Server-Side Request Forgery via RSS Feed Source

Affected Software: RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging CVE ID: CVE-2024-0628 CVSS Score: 3.8 (Low) Researcher/s: Colin Xu Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/2154383e-eabb-4964-8991-423dd68d5efb>


Minimal Coming Soon – Coming Soon Page <= 2.37 - Unauthenticated Maintenance Mode Bypass

Affected Software: Minimal Coming Soon – Coming Soon Page CVE ID: CVE-2024-1075 CVSS Score: 3.7 (Low) Researcher/s: Lucio Sá Patch Status: Patched Vulnerability Details: <https://wordfence.com/threat-intel/vulnerabilities/id/78203b98-15bc-4d8e-9278-c472b518be07>


As a reminder, Wordfence has curated an industry-leading vulnerability database, known as Wordfence Intelligence, covering all known WordPress core, theme, and plugin vulnerabilities.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, through vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring a variety of sources to capture all publicly available WordPress vulnerability information, adding additional context where we can.

Click here to sign up for our mailing list to receive weekly vulnerability reports like this one, and important WordPress security reports, in your inbox the moment they are published.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (February 5, 2024 to February 11, 2024) appeared first on Wordfence.
