Updates on WordPress security, Wordfence and what we're cooking in the lab today.

Author Archive: Chloe Chamberland

Wordfence Blog

Common WordPress Vulnerabilities and Prevention Through Secure Coding Best Practices

This entry was posted in General Security, Vulnerabilities, WordPress Security on July 13, 2021 by Chloe Chamberland   4 Replies

WordPress has experienced exponential growth in the past several years and now holds over 42% of the CMS market share for all major sites. There are over 50,000 plugins available to download in the WordPress repository. That does not include the thousands of premium or open source plugins available outside of the repository, along with …
Read More

Easily Exploitable Critical Vulnerabilities Patched in ProfilePress Plugin

This entry was posted in Research, Vulnerabilities, WordPress Security on June 28, 2021 by Chloe Chamberland   9 Replies

On May 27, 2021, the Wordfence Threat Intelligence team initiated the responsible disclosure process for several vulnerabilities that were discovered in ProfilePress, formerly WP User Avatar, a WordPress plugin installed on over 400,000 sites. These flaws made it possible for an attacker to upload arbitrary files to a vulnerable site and register as an administrator …
Read More

High Severity Vulnerability Patched in WooCommerce Stock Manager Plugin

This entry was posted in Research, Vulnerabilities, WordPress Security on June 14, 2021 by Chloe Chamberland   0 Replies

On May 21, 2021, the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability that we discovered in WooCommerce Stock Manager, a WordPress plugin installed on over 30,000 sites. This flaw made it possible for an attacker to upload arbitrary files to a vulnerable site and achieve remote code execution, as long …
Read More

Wordfence is now a CVE Numbering Authority (CNA)

This entry was posted in General Security, WordPress Security on June 10, 2021 by Chloe Chamberland   5 Replies

Today, we are excited to announce that Wordfence is authorized by the Common Vulnerabilities and Exposures (CVE®) Program as a CNA, or CVE Numbering Authority. As a CNA, Wordfence can now assign CVE IDs for new vulnerabilities in WordPress Core, WordPress Plugins and WordPress Themes. WordPress powers over 40% of the World Wide Web in …
Read More

Severe Vulnerabilities Patched in Simple 301 Redirects by BetterLinks Plugin

This entry was posted in Research, Vulnerabilities, WordPress Security on May 26, 2021 by Chloe Chamberland   0 Replies

On April 8, 2021, the Wordfence Threat Intelligence team initiated the responsible disclosure process for several vulnerabilities discovered in Simple 301 Redirects by BetterLinks, a WordPress plugin installed on over 300,000 sites. One of these flaws made it possible for unauthenticated users to update redirects for the site allowing an attacker to redirect all site …
Read More

Critical Vulnerability Patched in External Media Plugin

This entry was posted in Research, Vulnerabilities, WordPress Security on May 13, 2021 by Chloe Chamberland   2 Replies

On February 2, 2021, our Threat Intelligence team responsibly disclosed the details of a vulnerability in External Media, a WordPress plugin used by over 8,000 sites. This flaw made it possible for authenticated users, such as subscribers, to upload arbitrary files on any site running the plugin. This vulnerability could be used to achieve remote …
Read More

Severe Unpatched Vulnerabilities Leads to Closure of Store Locator Plus Plugin

This entry was posted in Research, Vulnerabilities, WordPress Security on April 26, 2021 by Chloe Chamberland   2 Replies

On March 5, 2021, the Wordfence Threat Intelligence team wrapped up an investigation that led to the discovery of a privilege escalation vulnerability along with several additional vulnerabilities in Store Locator Plus, a WordPress plugin installed on over 9,000 sites. We initially reached out to the plugin’s developer on March 5, 2021. We received no …
Read More

PSA: Remove Kaswara Modern WPBakery Page Builder Addons Plugin Immediately

This entry was posted in Research, Vulnerabilities, WordPress Security on April 21, 2021 by Chloe Chamberland   13 Replies

Today, April 21, 2021, the Wordfence Threat Intelligence team became aware of a critical 0-day vulnerability that is being actively exploited in Kaswara Modern WPBakery Page Builder Addons, a premium plugin that we estimate has over 10,000 installations. This vulnerability was reported this morning to WPScan by “Robin Goodfellow.” The exploited flaw makes it possible …
Read More

Severe Vulnerabilities Patched in Redirection for Contact Form 7 Plugin

This entry was posted in Research, Vulnerabilities, WordPress Security on April 20, 2021 by Chloe Chamberland   6 Replies

On February 11, 2021, our Threat Intelligence team responsibly disclosed several vulnerabilities in Redirection for Contact Form 7, a WordPress plugin used by over 200,000 sites. One of these flaws made it possible for unauthenticated attackers to generate arbitrary nonces for any function. The second flaw made it possible for authenticated attackers to install arbitrary …
Read More

Ten Password Mistakes That Could Get Your WordPress Site Hacked

This entry was posted in General Security, Wordfence, WordPress Security on April 07, 2021 by Chloe Chamberland   2 Replies

A few months ago on Wordfence Live, we reviewed some of the worst website hacks we’ve ever seen. Every one of them started with poor password choices and escalated into a disastrous event for the site owner. From these common hacks, we have many cautionary tales of site security that could have been prevented by …
Read More

Follow Us

      


Protect your websites with the #1 WordPress Security Plugin

Get Premium
Over 200 million downloads

Wordfence Newsletter

Get WordPress Security Alerts and Product Updates