Weekly WordPress Vulnerabilities Report May 13 to May 19 2024

admin

WP-Firewall Weekly WordPress Vulnerability Report (May 13, 2024 to May 19, 2024)

In the ever-evolving landscape of WordPress security, staying ahead of vulnerabilities is paramount. At WP-Firewall, our mission is to provide robust protection and timely updates to safeguard your WordPress sites. This week, we delve into the latest vulnerabilities reported from May 13, 2024, to May 19, 2024, and how WP-Firewall is equipped to protect you against these threats.

The Importance of Vigilance in WordPress Security

WordPress powers over 40% of the web, making it a prime target for cyberattacks. With the continuous discovery of new vulnerabilities, it’s crucial to have a proactive security strategy. WP-Firewall not only offers a powerful firewall plugin but also provides comprehensive security services to ensure your site remains secure.

Vulnerabilities Overview

In the past week, 107 vulnerabilities were disclosed in 82 WordPress plugins and 8 WordPress themes. These vulnerabilities were contributed by 42 researchers, highlighting the collaborative effort in the WordPress security community. Here’s a detailed breakdown of the vulnerabilities:

Total Unpatched & Patched Vulnerabilities

– Patched: 96
– Unpatched: 11

Total Vulnerabilities by CVSS Severity

– Medium Severity: 86
– High Severity: 14
– Critical Severity: 7

Total Vulnerabilities by CWE Type

– Cross-site Scripting (XSS): 61
– Missing Authorization: 17
– Cross-Site Request Forgery (CSRF): 7
– SQL Injection: 3
– Unrestricted File Upload: 3
– Path Traversal: 2
– Authentication Bypass: 1
– Improper Access Control: 1
– Server-Side Request Forgery (SSRF): 1
– Open Redirect: 1

Enhanced Protection with WP-Firewall

At WP-Firewall, we continuously monitor and update our firewall rules to protect against new threats. Our premium users receive real-time updates, ensuring immediate protection against emerging vulnerabilities. Here’s a look at the new firewall rules deployed last week:

– WAF-RULE-700: Data redacted while we work with the vendor on a patch.
– WAF-RULE-699: Data redacted while we work with the vendor on a patch.

Premium, Care, and Response customers received this protection immediately, while free version users will receive these updates after a 30-day delay.

Highlighted Vulnerabilities

Critical Vulnerabilities

1. Kognetiks Chatbot for WordPress <= 2.0.0 – Unauthenticated Arbitrary File Upload
– CVSS Rating: 10.0
– CVE-ID: CVE-2024-32700
– Patch Status: Patched
– Published: May 13, 2024

2. Build App Online <= 1.0.21 – Authentication Bypass via Header
– CVSS Rating: 9.8
– CVE-ID: CVE-2024-3658
– Patch Status: Unpatched
– Published: May 17, 2024

3. Contact Form Plugin by Fluent Forms <= 5.1.16 – Missing Authorization
– CVSS Rating: 9.8
– CVE-ID: CVE-2024-2771
– Patch Status: Patched
– Published: May 17, 2024

High Severity Vulnerabilities

1. All-in-One Video Gallery <= 3.6.5 – Authenticated Local File Inclusion
– CVSS Rating: 8.8
– CVE-ID: CVE-2024-4670
– Patch Status: Patched
– Published: May 14, 2024

2. Alt Text AI <= 1.4.9 – Authenticated SQL Injection
– CVSS Rating: 8.8
– CVE-ID: CVE-2024-4847
– Patch Status: Patched
– Published: May 14, 2024

3. Email Subscribers by Icegram Express <= 5.7.19 – Missing Authorization
– CVSS Rating: 8.8
– CVE-ID: CVE-2024-4010
– Patch Status: Patched
– Published: May 14, 2024
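The six highlighted entries above are the kind of data a site owner wants to check against an installed-plugin inventory. The script below is an added example, not WP-Firewall's code: it encodes the affected ranges, CVE IDs and patch status from the report, compares them against a constructed sample inventory using numeric version comparison (so 5.7.2 is correctly treated as older than 5.7.19), and recommends deactivation where the report lists no patch.

```python
# Added example: triage an installed-plugin inventory against the highlighted
# entries in the report. Vulnerability data is taken from the report; the
# installed-version inventory is a constructed sample.
import re

# Each "<= X" range from the report: versions up to and including X are affected.
# Fields: plugin, highest affected version, CVE, CVSS, patched?
HIGHLIGHTED = [
    ("Kognetiks Chatbot for WordPress", "2.0.0", "CVE-2024-32700", 10.0, True),
    ("Build App Online", "1.0.21", "CVE-2024-3658", 9.8, False),
    ("Contact Form Plugin by Fluent Forms", "5.1.16", "CVE-2024-2771", 9.8, True),
    ("All-in-One Video Gallery", "3.6.5", "CVE-2024-4670", 8.8, True),
    ("Alt Text AI", "1.4.9", "CVE-2024-4847", 8.8, True),
    ("Email Subscribers by Icegram Express", "5.7.19", "CVE-2024-4010", 8.8, True),
]

# Constructed inventory: plugin name -> installed version.
INSTALLED = {
    "Contact Form Plugin by Fluent Forms": "5.1.17",  # one release past the range
    "Email Subscribers by Icegram Express": "5.7.2",  # below 5.7.19, so affected
    "Build App Online": "1.0.21",                     # affected and unpatched
    "Alt Text AI": "1.10.0",                          # 1.10 > 1.4, not affected
}

def version_key(v):
    """Numeric tuple for a version string; '5.7.2' sorts below '5.7.19'
    (a plain string comparison would get this wrong). Suffixes are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def is_affected(installed, max_affected):
    """True when installed <= max_affected, padding short versions with zeros."""
    parts = version_key(installed), version_key(max_affected)
    width = max(map(len, parts))
    a, b = (p + (0,) * (width - len(p)) for p in parts)
    return a <= b

def triage(installed):
    """Return (plugin, CVE, CVSS, action) for each affected plugin, highest CVSS first."""
    findings = []
    for plugin, max_ver, cve, cvss, patched in HIGHLIGHTED:
        ver = installed.get(plugin)
        if ver is None or not is_affected(ver, max_ver):
            continue
        action = ("update to the patched release" if patched
                  else "no patch available: deactivate until the vendor releases a fix")
        findings.append((plugin, cve, cvss, action))
    return sorted(findings, key=lambda f: -f[2])

if __name__ == "__main__":
    for plugin, cve, cvss, action in triage(INSTALLED):
        print(f"{cvss:4.1f}  {cve:15}  {plugin}: {action}")
```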

WP-Firewall’s Commitment to Security

Our team at WP-Firewall is dedicated to providing the highest level of security for your WordPress

The Latest WordPress Vulnerability Report: A WP-Firewall Perspective

The WordPress ecosystem is a vibrant and dynamic space, but it also attracts a significant amount of malicious activity. Every week, new vulnerabilities are discovered, and attackers are constantly looking for ways to exploit them. This is why staying informed about the latest threats is crucial for every WordPress site owner.

This report highlights a staggering 107 vulnerabilities across 82 plugins and 8 themes. While this number might seem daunting, it underscores the importance of proactive security measures.

WP-Firewall: Your Shield Against the Latest Threats

At WP-Firewall, we understand the gravity of these vulnerabilities. We are committed to providing our users with the most robust and up-to-date security solutions to protect their WordPress sites. Our approach to security is multi-layered, encompassing:

  • A Powerful Firewall: Our firewall is designed to block malicious traffic and prevent attacks before they can reach your site. We constantly update our firewall rules to address the latest threats, including those highlighted in the Wordfence report.
  • Real-Time Threat Detection: We leverage advanced threat intelligence to identify and block known malicious actors and attack patterns. This proactive approach ensures that your site is protected from the most common and emerging threats.
  • Vulnerability Scanning: We offer comprehensive vulnerability scanning services to identify and remediate potential weaknesses in your WordPress installation, plugins, and themes. This helps you stay ahead of the curve and address vulnerabilities before they can be exploited.
  • Expert Support: Our team of security experts is available 24/7 to provide support and guidance on all aspects of WordPress security. We can help you understand the latest threats, implement best practices, and respond to security incidents.

Report Key Takeaways

The report reveals several key trends that WordPress site owners should be aware of:

  • Prevalence of Cross-Site Scripting (XSS): XSS vulnerabilities were the most common type of vulnerability reported, accounting for 61 out of the 107 vulnerabilities. XSS attacks allow attackers to inject malicious scripts into your website, potentially stealing user data, redirecting users to malicious websites, or taking control of your site.
  • Critical Vulnerabilities: The report also highlighted several critical vulnerabilities, including those affecting popular plugins like Kognetiks Chatbot and Build App Online. These vulnerabilities could allow attackers to gain full control of your website, making it essential to patch them immediately.
  • Unpatched Vulnerabilities: While many of the vulnerabilities reported in the Wordfence report have been patched, there are still 11 vulnerabilities that remain unpatched. This means that websites using these plugins or themes are still at risk of attack.

WP-Firewall's Response: Protecting Your Site

WP-Firewall is actively working to protect our users from the vulnerabilities highlighted in the Wordfence report. We have already implemented enhanced firewall rules to block attacks targeting these vulnerabilities.

Beyond the Report: A Proactive Approach to WordPress Security

While staying informed about the latest vulnerabilities is crucial, it's equally important to adopt a proactive approach to WordPress security. Here are some best practices that every WordPress site owner should follow:

  • Keep WordPress Core, Plugins, and Themes Updated: Regularly update your WordPress core, plugins, and themes to ensure that you are running the latest versions with the latest security patches.
  • Use Strong Passwords: Choose strong passwords for your WordPress administrator account and other user accounts. Avoid using common passwords and consider using a password manager to generate and store strong passwords.
  • Enable Two-Factor Authentication (2FA): 2FA adds an extra layer of security by requiring users to enter a code from their mobile device in addition to their password. This makes it much harder for attackers to gain access to your website.
  • Limit User Privileges: Only grant users the minimum privileges they need to perform their tasks. This helps to prevent unauthorized access to sensitive data and settings.
  • Backup Your Website Regularly: Regular backups are essential for recovering your website in case of a security incident. Consider using a reliable backup plugin or service to automate the backup process.
  • Be Aware of Phishing Attacks: Phishing attacks are a common way for attackers to gain access to your website. Be cautious about clicking on links in emails or on social media, and always verify the authenticity of any website before entering your login credentials.

WP-Firewall: Your Trusted Partner in WordPress Security

This report serves as a stark reminder of the ever-present threat to WordPress security. At WP-Firewall, we are committed to providing our users with the tools and expertise they need to stay safe. We encourage you to take proactive steps to secure your website and to contact us if you have any questions or concerns.

Together, we can make the WordPress ecosystem a safer and more secure place for everyone.

