Updates on WordPress security, Wordfence and what we're cooking in the lab today.

Author Archive: Matt Barry

Wordfence Blog

Emergency WP 5.5.3 Release

This entry was posted in WordPress Security on October 30, 2020 by Matt Barry   26 Replies

The WordPress core team has released an emergency release of WordPress 5.5.3, just one day after the release of version 5.5.2. This emergency release was done to remedy an issue introduced in WordPress 5.5.2 making it impossible to install WordPress on a brand new website without a database connection configured. In preparing for this emergency …
Read More

Introducing Wordfence Central Teams

This entry was posted in Wordfence on October 27, 2020 by Matt Barry   5 Replies

Last year, we introduced Wordfence Central and today thousands of WordPress site owners are using this free tool to manage their WordPress sites. Whether you’re using Wordfence Premium or still on the free plugin, Wordfence Central makes it possible for you to manage your sites’ security settings, tune your security alerts, and quickly assess security …
Read More

WordPress Auto-Updates: What do you have to lose?

This entry was posted in WordPress Security on August 06, 2020 by Matt Barry   35 Replies

A new feature that will allow automatic updating of plugins and themes will be available in WordPress version 5.5, which is scheduled to be released on August 11, 2020. In this core release of the world’s most popular content management system, site owners will have the option to turn auto-updates on for individual plugins and …
Read More

Improper Access Controls in GDPR Cookie Consent Plugin

This entry was posted in Vulnerabilities, WordPress Security on February 11, 2020 by Matt Barry   7 Replies

Description: Improper Access Controls Affected Plugin: GDPR Cookie Consent Affected Versions: <= 1.8.2 CVSS Score: 9.0 (Critical) CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H Patched Version: 1.8.3 The following post describes how improper access controls lead to a stored cross-site scripting vulnerability in the GDPR Cookie Consent plugin that emerged after it was removed from the repository. The Wordfence …
Read More

Critical Authentication Bypass Vulnerability in InfiniteWP Client Plugin

This entry was posted in Vulnerabilities, WordPress Security on January 14, 2020 by Matt Barry   8 Replies

Description: Authentication Bypass Affected Plugin: InfiniteWP Client Affected Versions: < CVSS Score: 9.8 (Critical) CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Patched Version: A vulnerability has been discovered in the InfiniteWP Client plugin versions or earlier. InfiniteWP Client is a plugin that, when installed on a WordPress site, allows a site owner to manage unlimited WordPress …
Read More

Stored XSS Patched in SyntaxHighlighter Evolved Plugin

This entry was posted in Vulnerabilities, WordPress Security on October 22, 2019 by Matt Barry   6 Replies

Description: Stored XSS CVSS Severity Score: 6.1 (Medium) CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Affected Software: SyntaxHighlighter Evolved Plugin Slug: syntaxhighlighter Affected Version: 3.5.0 Patched Version: 3.5.1 While doing a security audit of the plugins and themes we run on wordfence.com, I discovered a stored XSS vulnerability in SyntaxHighlighter Evolved. SyntaxHighlighter Evolved currently has around 40,000+ active installations. …
Read More

Wordfence Now Works on WP Engine and with Load Balancers

This entry was posted in Wordfence on August 21, 2019 by Matt Barry   15 Replies

Today we are launching a version of Wordfence containing a new feature for sites on hosting providers with read-only file systems such as WP Engine or for environments where multiple web servers are behind a load balancer. This new feature uses a MySQL storage engine for firewall attack data to protect WordPress sites in complex …
Read More

Details of an Additional File Deletion Vulnerability – Patched in WordPress 4.9.7

This entry was posted in Vulnerabilities, Wordfence, WordPress Security on July 05, 2018 by Matt Barry   4 Replies

Today WordPress released version 4.9.7, a security release which addresses two separate arbitrary file deletion vulnerabilities requiring Author privileges. Some details can be found on the WordPress.org blog. The first arbitrary file deletion vulnerability was disclosed June 26, 2018 on the RIPS Tech blog with no official patch to WordPress in place. We released a …
Read More

Wordfence Now Includes 1.4 Billion Leaked Passwords in Password Auditing Feature

This entry was posted in Wordfence, WordPress Security on December 28, 2017 by Matt Barry   7 Replies

Last week, we reported a massive upsurge in brute force login attempts following the leak of a database of 1.4 billion clear text credentials. No one had seen 14% of the exposed username/password pairs before, making this a ripe opportunity for hackers to attempt to break into WordPress sites. Historically, brute force attacks targeting WordPress …
Read More

Backdoor in Captcha Plugin Affects 300K WordPress Sites

This entry was posted in WordPress Security on December 19, 2017 by Matt Barry   105 Replies

The WordPress repository recently removed the plugin Captcha over what initially appeared to be a trademark issue with the current author using “WordPress” [Editors note: the original page has been removed, we’re now linking to a screen shot.] in their brand name. Whenever the WordPress repository removes a plugin with a large user base, we check …
Read More

Follow Us


Protect your websites with the #1 WordPress Security Plugin

Get Premium
Over 150 million downloads

Wordfence Newsletter

Get WordPress Security Alerts and Product Updates