In November 2023, the Wordfence Threat Intelligence Team found 455 vulnerabilities in 373 plugins and 3 themes.
Each week, Wordfence releases a report that lists the vulnerabilities found in WordPress plugins and themes. Not every issue is fixed by the time it is disclosed: as of this writing, 269 of the vulnerabilities reported in November remain unpatched.
In this post, I’ll provide a rundown of the plugins and themes that were affected. Be sure to check the list to determine if your WordPress site was affected. At the end of the post, I’ll explain what to do if your website has a vulnerable plugin or theme.
82% of vulnerabilities were classified as medium severity level
17% of vulnerabilities were classified as high or critical severity
269 vulnerabilities remain unpatched in 92 active plugins
53 plugins were removed (closed) from the WordPress.org plugin repository
Vulnerabilities found in 3 themes – all patched
What do the severity levels mean?
The Common Vulnerability Scoring System (CVSS) is a standardized framework for rating the severity of security vulnerabilities in software. The base score is computed from a fixed set of metrics: how the bug is reached (attack vector), how hard it is to trigger (attack complexity), what privileges and user interaction it needs, whether exploiting it crosses a security boundary (scope), and the resulting impact on confidentiality, integrity, and availability. The resulting number from 0.0 to 10.0 is then mapped to a label: 0.1–3.9 is Low, 4.0–6.9 is Medium, 7.0–8.9 is High, and 9.0–10.0 is Critical.
Critical and high vulnerabilities can allow attackers to gain extensive control over a system or access sensitive data with minimal effort, posing a significant risk.
Medium severity vulnerabilities, while still important to address, typically have a more limited impact and may require more specific conditions to be exploited effectively.
Low severity vulnerabilities are less urgent than higher-rated ones, but they are not harmless. Attackers routinely chain several low-rated issues together to reach an impact that none of them has on its own, so they should still be patched or removed in the normal course of maintenance.
What You Can Do
Review the list of plugins with unpatched vulnerabilities and plugins removed from the WordPress repository. Verify you don’t have any of those plugins installed on your website.
If you do, consider removing them and finding replacements.
Additionally, you can review the plugin page on the WordPress repository site and check for any notes from WordPress or the author. They may have updates/patches or other information to help you make your decision on what to do next.
Keep Your WordPress Website Safe
Here’s what you can do to keep your site secure:
Regular Updates: Ensure your WordPress core, plugins, and themes are up to date. This simple step is often the first line of defense against vulnerabilities.
Security Plugins: Consider using security plugins like Wordfence, Sucuri, or Solid Security to monitor and protect your site.
Stay Informed: Regularly follow reports like these to stay ahead of potential threats.
The findings from the November 2023 Wordfence reports serve as an important reminder of the ongoing challenges and responsibilities we face in protecting our WordPress sites.
The 455 vulnerabilities uncovered in 373 plugins and 3 themes, with 269 of them still unpatched, highlight our need to stay vigilant and proactive.
The key takeaway from this report is the importance of regular maintenance and staying informed. By reviewing and updating your plugins and themes, and considering the use of security plugins, you can significantly enhance the security of your WordPress site.