Updates on WordPress security, Wordfence and what we're cooking in the lab today.

Author Archive: Chloe Chamberland

Wordfence Blog

Zero-Day Vulnerability in ThemeREX Addons Plugin Exploited in the Wild

This entry was posted in Vulnerabilities, WordPress Security on February 18, 2020 by Chloe Chamberland   15 Replies

Description: Remote Code Execution Affected Plugin: ThemeREX Addons Plugin Slug: trx_addons Affected Versions: Versions greater than 1.6.50 CVSS Score: 9.8 (Critical) CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Patched Version: Currently No Patch. Today, February 18th, our Threat Intelligence team was notified of a vulnerability present in ThemeREX Addons, a WordPress plugin installed on an estimated 44,000 sites. This …
Read More

Vulnerability in wpCentral Plugin Leads to Privilege Escalation

This entry was posted in Vulnerabilities, WordPress Security on February 17, 2020 by Chloe Chamberland   5 Replies

Description: Improper Access Control to Privilege Escalation Affected Plugin: wpCentral Affected Versions: <= 1.5.0 CVE ID: CVE-2020-9043 CVSS Score: 8.8 (High) CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Patched Version: 1.5.1 On February 13th, our Threat Intelligence team discovered a vulnerability in wpCentral, a WordPress plugin installed on over 60,000 sites. The flaw allowed anybody to escalate their privileges …
Read More

High Severity CSRF to RCE Vulnerability Patched in Code Snippets Plugin

This entry was posted in Vulnerabilities, WordPress Security on January 28, 2020 by Chloe Chamberland   5 Replies

Description: Cross-Site Request Forgery to Remote Code Execution Affected Plugin: Code Snippets Affected Versions: <= 2.13.3 CVE ID: CVE-2020-8417 CVSS Score: 8.8 (High) CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Patched Version: 2.14.0 On January 23rd, our Threat Intelligence team discovered a vulnerability in Code Snippets, a WordPress plugin installed on over 200,000 sites. The flaw allowed anybody to …
Read More

Easily Exploitable Vulnerabilities Patched in WP Database Reset Plugin

This entry was posted in Vulnerabilities, WordPress Security on January 16, 2020 by Chloe Chamberland   1 Reply

On January 7th, our Threat Intelligence team discovered vulnerabilities in WP Database Reset, a WordPress plugin installed on over 80,000 websites. One of these flaws allowed any unauthenticated user to reset any table from the database to the initial WordPress set-up state, while the other flaw allowed any authenticated user, even those with minimal permissions, …
Read More

Multiple Vulnerabilities Patched in Minimal Coming Soon & Maintenance Mode – Coming Soon Page Plugin

This entry was posted in Vulnerabilities, WordPress Security on January 08, 2020 by Chloe Chamberland   5 Replies

A few weeks ago, our threat intelligence team discovered several vulnerabilities present in Minimal Coming Soon & Maintenance Mode – Coming Soon Page, a WordPress plugin installed on over 80,000 websites. The most severe weakness allowed for an attacker to exploit Cross Site Request Forgery (CSRF) and enable maintenance mode while injecting cross-site scripting (XSS), …
Read More

Critical Vulnerability Patched in 301 Redirects – Easy Redirect Manager

This entry was posted in Vulnerabilities, WordPress Security on December 19, 2019 by Chloe Chamberland   3 Replies

Description: Authenticated Arbitrary Redirect Injection and Modification Affected Plugin: 301 Redirects – Easy Redirect Manager  CVSS Score: 9.0 (Critical) CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H CVE ID: CVE-2019-19915 Affected Versions: <= 2.40 Patched Version: 2.45 On Friday December 13th, our Threat Intelligence team discovered vulnerabilities present in 301 Redirects – Easy Redirect Manager, a WordPress plugin installed on …
Read More

High Severity Vulnerability Patched in WP Maintenance Plugin

This entry was posted in Vulnerabilities, WordPress Security on November 19, 2019 by Chloe Chamberland   4 Replies

Description: Cross-Site Request Forgery to Stored Cross-Site Scripting CVE ID: CVE-2019-19979 CVSS v3.0 Score: 8.8 (High) CVSS Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:H Affected Plugin: WP Maintenance Plugin Slug: wp-maintenance Affected Versions: <= 5.0.5 Patched Version: 5.0.6 On November 15th, 2019, our Threat Intelligence team identified a vulnerability present in WP Maintenance, a WordPress plugin with approximately 30,000+ active installs. …
Read More

Multiple Vulnerabilities Patched in Email Subscribers & Newsletters Plugin

This entry was posted in Vulnerabilities, WordPress Security on November 13, 2019 by Chloe Chamberland   0 Replies

A few weeks ago, our Threat Intelligence team identified several vulnerabilities present in Email Subscribers & Newsletters, a WordPress plugin with approximately 100,000+ active installs. We disclosed this issue privately to the plugin’s development team who responded quickly, releasing interim patches just a few days after our initial disclosure. The plugin team also worked with …
Read More

Medium Severity Vulnerability Patched in Fast Velocity Minify Plugin

This entry was posted in Vulnerabilities, WordPress Security on October 16, 2019 by Chloe Chamberland   2 Replies

Description: Full Path Disclosure CVE ID: CVE-2019-19983 CVSS v3.0 Score: 4.3 (Medium) CVSS Vector String: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Affected Plugin: Fast Velocity Minify Plugin Slug: fast-velocity-minify Affected Versions: <= 2.7.6 Patched Version: 2.7.7 A few days ago, our Threat Intelligence team identified a vulnerability present in Fast Velocity Minify, a WordPress plugin with approximately  80,000+ active installs. …
Read More

Authentication Bypass Vulnerability in GiveWP Plugin

This entry was posted in Vulnerabilities, WordPress Security on September 26, 2019 by Chloe Chamberland   0 Replies

Description: Authentication Bypass with Information Disclosure CVSS v3.0 Score: 7.5 (High) CVSS Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Affected Plugin: GiveWP Plugin Slug: give Affected Versions: <= 2.5.4 Patched Version: 2.5.5 A few weeks ago, our Threat Intelligence team discovered a vulnerability present in GiveWP, a WordPress plugin installed on over 70,000 websites. The weakness allowed unauthenticated users to bypass …
Read More

Follow Us

      


Protect your websites with the #1 WordPress Security Plugin

Get Premium
Over 150 million downloads

Wordfence Newsletter

Get WordPress Security Alerts and Product Updates