Updates on WordPress security, Wordfence and what we're cooking in the lab today.

Author Archive: Chloe Chamberland

Wordfence Blog

The Hacker Motive: What Attackers Are Doing with Your Hacked Site

This entry was posted in General Security, Wordfence, WordPress Security on September 16, 2020 by Chloe Chamberland   6 Replies

Yesterday, September 15, 2020, the Wordfence Live team covered The Hacker Motive: What Attackers Are Doing with Your Hacked Site. This companion blog post reviews the motives we discussed live during Wordfence Live and dives deeper into the minds of attackers. You can watch the video of Wordfence Live below. Timestamps You can click on …
Read More

700,000 WordPress Users Affected by Zero-Day Vulnerability in File Manager Plugin

This entry was posted in Research, Vulnerabilities, WordPress Security on September 01, 2020 by Chloe Chamberland   16 Replies

This morning, on September 1, 2020, the Wordfence Threat Intelligence team was alerted to the presence of a vulnerability being actively exploited in File Manager, a WordPress plugin with over 700,000 active installations. This vulnerability allowed unauthenticated users to execute commands and upload malicious files on a target site. A patch was released this morning …
Read More

10 WordPress Security Mistakes You Might Be Making

This entry was posted in General Security, Wordfence, WordPress Security on August 19, 2020 by Chloe Chamberland   15 Replies

Yesterday, August 18, 2020, the Wordfence Live team covered 10 WordPress Security Mistakes You Might be Making. This companion blog post reviews the recommendations we provided to avoid these mistakes and better secure your WordPress environment. You can watch the video of Wordfence Live below. Timestamps You can click on these timestamps to jump around …
Read More

Critical Vulnerabilities Patched in Quiz and Survey Master Plugin

This entry was posted in Research, Vulnerabilities, WordPress Security on August 13, 2020 by Chloe Chamberland   1 Reply

On July 17, 2020, our Threat Intelligence team discovered two vulnerabilities in Quiz and Survey Master (QSM), a WordPress plugin installed on over 30,000 sites. These flaws made it possible for unauthenticated attackers to upload arbitrary files and achieve remote code execution, as well as delete arbitrary files like a site’s wp-config.php file which could …
Read More

The Official Facebook Chat Plugin Created Vector for Social Engineering Attacks

This entry was posted in Research, Vulnerabilities, WordPress Security on August 04, 2020 by Chloe Chamberland   0 Replies

On June 26, 2020, our Threat Intelligence team discovered a vulnerability in The Official Facebook Chat Plugin, a WordPress plugin installed on over 80,000 sites. This flaw made it possible for low-level authenticated attackers to connect their own Facebook Messenger account to any site running the vulnerable plugin and engage in chats with site visitors …
Read More

Critical Vulnerability Exposes over 700,000 Sites Using Divi, Extra, and Divi Builder

This entry was posted in Research, Vulnerabilities, WordPress Security on August 04, 2020 by Chloe Chamberland   11 Replies

On July 23, 2020, our Threat Intelligence team discovered a vulnerability present in two themes by Elegant Themes, Divi and Extra, as well as Divi Builder, a WordPress plugin. Combined, these products are installed on an estimated 700,000 sites. This flaw gave authenticated attackers, with contributor-level or above capabilities, the ability to upload arbitrary files, …
Read More

Critical Arbitrary File Upload Vulnerability Patched in wpDiscuz Plugin

This entry was posted in General Security, Vulnerabilities, WordPress Security on July 28, 2020 by Chloe Chamberland   3 Replies

On June 19th, our Threat Intelligence team discovered a vulnerability present in Comments – wpDiscuz, a WordPress plugin installed on over 80,000 sites. This flaw gave unauthenticated attackers the ability to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable site’s server. We initially reached out to the plugin’s developer …
Read More

2 Million Users Affected by Vulnerability in All in One SEO Pack

This entry was posted in Research, Vulnerabilities, WordPress Security on July 16, 2020 by Chloe Chamberland   9 Replies

On July 10, 2020, our Threat Intelligence team discovered a vulnerability in All In One SEO Pack, a WordPress plugin installed on over 2 million sites. This flaw allowed authenticated users with contributor level access or above the ability to inject malicious scripts that would be executed if a victim accessed the wp-admin panel’s ‘all …
Read More

High Severity Vulnerabilities in PageLayer Plugin Affect Over 200,000 WordPress Sites

This entry was posted in Research, Vulnerabilities, WordPress Security on May 28, 2020 by Chloe Chamberland   0 Replies

A few weeks ago, our Threat Intelligence team discovered several vulnerabilities present in Page Builder: PageLayer – Drag and Drop website builder, a WordPress plugin actively installed on over 200,000 sites. The plugin is from the same creators as wpCentral, a plugin within which we recently discovered a privilege escalation vulnerability. One flaw allowed any …
Read More

The Elementor Attacks: How Creative Hackers Combined Vulnerabilities to Take Over WordPress Sites

This entry was posted in Research, Vulnerabilities, WordPress Security on May 19, 2020 by Chloe Chamberland   4 Replies

On May 6, our Threat Intelligence team was alerted to a zero-day vulnerability present in Elementor Pro, a WordPress plugin installed on approximately 1 million sites. That vulnerability was being exploited in conjunction with another vulnerability found in Ultimate Addons for Elementor, a WordPress plugin installed on approximately 110,000 sites. We immediately released a firewall …
Read More

Follow Us

      


Protect your websites with the #1 WordPress Security Plugin

Get Premium
Over 150 million downloads

Wordfence Newsletter

Get WordPress Security Alerts and Product Updates