Updates on WordPress security, Wordfence and what we're cooking in the lab today.

Wordfence Blog

Episode 65: WordCamp Asia Cancellation Prompts Community Support

This entry was posted in Podcasts on February 14, 2020 by Kathy Zant   0 Replies

WordCamp Asia was cancelled this week due to concerns of COVID-19/coronavirus in the region. This week, Wordfence CEO Mark Maunder talks about the decision to offer the WordCamp Asia Cancellation Fee Assistance Package to attendees, volunteers, organizers, and speakers that had planned to travel to this inaugural regional WordCamp. We also cover a number of …

Critical Vulnerability In Profile Builder Plugin Allowed Site Takeover

This entry was posted in Vulnerabilities, WordPress Security on February 13, 2020 by Mikey Veenstra   0 Replies

Description: Unauthenticated Administrator Registration
Affected Plugin: Profile Builder (Free, Pro, and Hobbyist versions affected)
Affected Versions: <= 3.1.0
CVSS Score: 10.0 (Critical)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Patched Version: 3.1.1

Earlier this week, a critical vulnerability was patched in the Profile Builder plugin for WordPress. This vulnerability affected the free version available on the WordPress.org repository, as …

Wordcamp Asia Cancellation Fee Assistance Package from Wordfence

This entry was posted in Wordfence on February 11, 2020 by Mark Maunder   1 Reply

A few minutes ago it was announced that Wordcamp Asia has been cancelled due to the recent COVID-19 concerns in the region. This was a very tough call, but I believe the right one. To give you some context, I’m going to include an extract from the final part of the World Health Organization Director …

Improper Access Controls in GDPR Cookie Consent Plugin

This entry was posted in Vulnerabilities, WordPress Security on February 11, 2020 by Matt Barry   7 Replies

Description: Improper Access Controls
Affected Plugin: GDPR Cookie Consent
Affected Versions: <= 1.8.2
CVSS Score: 9.0 (Critical)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Patched Version: 1.8.3

The following post describes how improper access controls lead to a stored cross-site scripting vulnerability in the GDPR Cookie Consent plugin that emerged after it was removed from the repository. The Wordfence …

Podcast Episode 64: Backdoors, Webshells, and the Growing Risks of Leaks & Breaches

This entry was posted in Podcasts on February 08, 2020 by Kathy Zant   0 Replies

We take a look at the annual hacked site report from GoDaddy’s Sucuri Security and the types of malware they found in various CMS and shopping cart applications. Microsoft reports they’re finding 77k webshells daily, and WP Scan’s roundup lists a number of popular plugins and themes with recent vulnerabilities. A report from students at …

Podcast Episode 63: Succeeding as a Remote Working Nomad with Chloe Chamberland

This entry was posted in Podcasts on January 31, 2020 by Kathy Zant   0 Replies

Chloe Chamberland never wanted to get into security, and yet in the last three years, she has emerged as one of our most effective and prolific threat researchers. Not only does she find vulnerabilities in numerous popular plugins, she also travels the world while doing so. Chloe talked to me from a cabin in a …

High Severity CSRF to RCE Vulnerability Patched in Code Snippets Plugin

This entry was posted in Vulnerabilities, WordPress Security on January 28, 2020 by Chloe Chamberland   5 Replies

Description: Cross-Site Request Forgery to Remote Code Execution
Affected Plugin: Code Snippets
Affected Versions: <= 2.13.3
CVE ID: CVE-2020-8417
CVSS Score: 8.8 (High)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Patched Version: 2.14.0

On January 23rd, our Threat Intelligence team discovered a vulnerability in Code Snippets, a WordPress plugin installed on over 200,000 sites. The flaw allowed anybody to …

Easily Exploitable Vulnerabilities Patched in WP Database Reset Plugin

This entry was posted in Vulnerabilities, WordPress Security on January 16, 2020 by Chloe Chamberland   1 Reply

On January 7th, our Threat Intelligence team discovered vulnerabilities in WP Database Reset, a WordPress plugin installed on over 80,000 websites. One of these flaws allowed any unauthenticated user to reset any table from the database to the initial WordPress set-up state, while the other flaw allowed any authenticated user, even those with minimal permissions, …

Critical Authentication Bypass Vulnerability in InfiniteWP Client Plugin

This entry was posted in Vulnerabilities, WordPress Security on January 14, 2020 by Matt Barry   8 Replies

Description: Authentication Bypass
Affected Plugin: InfiniteWP Client
Affected Versions: < 1.9.4.5
CVSS Score: 9.8 (Critical)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Patched Version: 1.9.4.5

A vulnerability has been discovered in the InfiniteWP Client plugin versions 1.9.4.4 or earlier. InfiniteWP Client is a plugin that, when installed on a WordPress site, allows a site owner to manage unlimited WordPress …

Multiple Vulnerabilities Patched in Minimal Coming Soon & Maintenance Mode – Coming Soon Page Plugin

This entry was posted in Vulnerabilities, WordPress Security on January 08, 2020 by Chloe Chamberland   5 Replies

A few weeks ago, our threat intelligence team discovered several vulnerabilities present in Minimal Coming Soon & Maintenance Mode – Coming Soon Page, a WordPress plugin installed on over 80,000 websites. The most severe weakness allowed for an attacker to exploit Cross Site Request Forgery (CSRF) and enable maintenance mode while injecting cross-site scripting (XSS), …