This site uses cookies in accordance with our Privacy Policy.
Wordfence Research and News
Newest
Coupon Creation Vulnerability Patched In WooCommerce Smart Coupons
Description: Unauthenticated Coupon Creation Affected Plugin: WooCommerce Smart Coupons Affected Plugin Slug: woocommerce-smart-coupons Affected Versions: <= 4.6.0 CVSS Score: 5.3 (Medium) CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Patched Version: 4.6.5 Late last month a patch was released for WooCommerce Smart Coupons, a commercial WooCommerce plugin that helps store managers handle coupons and gift certificates. In vulnerable versions of the …
Read More
Site Takeover Campaign Exploits Multiple Zero-Day Vulnerabilities
Early yesterday, the Flexible Checkout Fields for WooCommerce plugin received a critical update to patch a zero-day vulnerability which allowed attackers to modify the plugin’s settings.
Multiple Attack Campaigns Targeting Recent Plugin Vulnerabilities
As part of our ongoing research efforts, the Wordfence Threat Intelligence team continually monitors our network for noteworthy threats facing WordPress.
Active Attack on Recently Patched Duplicator Plugin Vulnerability Affects Over 1 Million Sites
Description: Unauthenticated Arbitrary File Download Affected Plugin: Duplicator Affected Versions: <= 1.3.26 CVE ID: CVE-2020-11738 CVSS Score: 7.5 (High) CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Patched Version: 1.3.28 A critical security update was recently issued for Duplicator, one of the most popular plugins in the WordPress ecosystem.
Critical Vulnerability In Profile Builder Plugin Allowed Site Takeover
Description: Unauthenticated Administrator Registration Affected Plugin: Profile Builder (Free, Pro, and Hobbyist versions affected) Affected Versions: <= 3.1.0 CVSS Score: 10.0 (Critical) CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Patched Version: 3.1.1 Earlier this week, a critical vulnerability was patched in the Profile Builder plugin for WordPress.
WP-VCD Evolves To Remain Most Prevalent WordPress Infection
Early last month we released a comprehensive paper covering WP-VCD, the most prevalent malware campaign affecting the WordPress ecosystem in recent memory.
WP-VCD: The Malware You Installed On Your Own Site
One of the most prevalent malware infections facing the WordPress ecosystem in recent weeks is a campaign known as WP-VCD.
Open Redirect Vulnerability Patched In Bridge Theme
Description: Open Redirect CVSS v3.0 Score: 7.1 (High) CVSS Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L Affected Software: Two built-in plugins packaged with the Bridge theme – Qode Instagram Widget and Qode Twitter Feed Plugin Slugs: qode-instagram-widget, qode-twitter-feed Affected Versions: Bridge Theme: 18.2 / Plugins: 2.0 (Twitter plugin) 2.0.1 (Instagram plugin) Patched Version: Bridge Theme: 18.2.1 / Plugins: 2.0.1 (Twitter ...
Zero Day Vulnerability in Rich Reviews Plugin Exploited In The Wild
Description: XSS Via Unauthenticated Plugin Options Update Affected Plugin: Rich Reviews Affected Versions: <= 1.7.4 CVSS Score: 8.3 (High) CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L The Wordfence Threat Intelligence team is tracking a series of attacks against an unpatched vulnerability in the Rich Reviews plugin for WordPress.
Ongoing Malvertising Campaign Evolves, Adds Backdoors and Targets New Plugins
In July, we reported on a malvertising campaign which was distributing redirect and popup code through a number of public vulnerabilities affecting the WordPress ecosystem.
Breaking WordPress Security Research in your inbox as it happens.
