Updates on WordPress security, Wordfence and what we're cooking in the lab today.

Author Archive: Chloe Chamberland

Wordfence Blog

Critical Privilege Escalation Vulnerabilities Affect 100K Sites Using Ultimate Member Plugin

This entry was posted in Research, Vulnerabilities, WordPress Security on November 09, 2020 by Chloe Chamberland   4 Replies

On October 23, 2020, our Threat Intelligence team responsibly disclosed several vulnerabilities in Ultimate Member, a WordPress plugin installed on over 100,000 sites. These flaws made it possible for attackers to escalate their privileges to those of an administrator and take over a WordPress site. We initially reached out to the plugin’s developer on October …
Unpacking the WordPress 5.5.2/5.5.3 Security Release

This entry was posted in WordPress Security on November 02, 2020 by Chloe Chamberland   0 Replies

On Thursday, October 29, the WordPress core team released WordPress version 5.5.2. This was a minor release containing bug fixes and security enhancements to the core WordPress content management system powering over one-third of the internet. There was a subsequent 5.5.3 release one day later; you can read about the emergency WP 5.5.3 release here. …
High Severity Vulnerability Patched in Child Theme Creator by Orbisius

This entry was posted in Research, Vulnerabilities, WordPress Security on October 14, 2020 by Chloe Chamberland   0 Replies

On September 9, 2020, our Threat Intelligence team discovered a vulnerability in Child Theme Creator by Orbisius, a WordPress plugin installed on over 30,000 sites. This flaw gave attackers the ability to forge requests on behalf of an administrator in order to modify arbitrary theme files and create new PHP files, which could allow an …
Vulnerability Exposes Over 4 Million Sites Using WPBakery

This entry was posted in Research, Vulnerabilities, WordPress Security on October 07, 2020 by Chloe Chamberland   22 Replies

On July 27th, our Threat Intelligence team discovered a vulnerability in WPBakery, a WordPress plugin installed on over 4.3 million sites. This flaw made it possible for authenticated attackers with contributor-level or above permissions to inject malicious JavaScript in posts. We initially reached out to the plugin’s team on July 28, 2020 through their support …
Common Ways Attackers Are Stealing Credentials

This entry was posted in General Security, Wordfence, WordPress Security on October 02, 2020 by Chloe Chamberland   2 Replies

A few weeks ago, we reviewed some of the worst website hacks we’ve ever seen. Every one of them started with poor password choices and escalated into a disastrous event for the site owner. Strong passwords and good password hygiene are often the first line of defense. On September 29, 2020, the Wordfence Live team …
Critical Vulnerabilities Patched in XCloner Backup and Restore Plugin

This entry was posted in Research, Vulnerabilities, WordPress Security on September 22, 2020 by Chloe Chamberland   0 Replies

On August 14, our Threat Intelligence team discovered several vulnerabilities present in XCloner Backup and Restore, a WordPress plugin installed on over 30,000 sites. This flaw gave authenticated attackers, with subscriber-level or above capabilities, the ability to modify arbitrary files, including PHP files. Doing so would allow an attacker to achieve remote code execution on …
The Hacker Motive: What Attackers Are Doing with Your Hacked Site

This entry was posted in General Security, Wordfence, WordPress Security on September 16, 2020 by Chloe Chamberland   6 Replies

Yesterday, September 15, 2020, the Wordfence Live team covered The Hacker Motive: What Attackers Are Doing with Your Hacked Site. This companion blog post reviews the motives we discussed live during Wordfence Live and dives deeper into the minds of attackers. You can watch the video of Wordfence Live below. Timestamps You can click on …
700,000 WordPress Users Affected by Zero-Day Vulnerability in File Manager Plugin

This entry was posted in Research, Vulnerabilities, WordPress Security on September 01, 2020 by Chloe Chamberland   16 Replies

This morning, on September 1, 2020, the Wordfence Threat Intelligence team was alerted to the presence of a vulnerability being actively exploited in File Manager, a WordPress plugin with over 700,000 active installations. This vulnerability allowed unauthenticated users to execute commands and upload malicious files on a target site. A patch was released this morning …
10 WordPress Security Mistakes You Might Be Making

This entry was posted in General Security, Wordfence, WordPress Security on August 19, 2020 by Chloe Chamberland   15 Replies

Yesterday, August 18, 2020, the Wordfence Live team covered 10 WordPress Security Mistakes You Might be Making. This companion blog post reviews the recommendations we provided to avoid these mistakes and better secure your WordPress environment. You can watch the video of Wordfence Live below. Timestamps You can click on these timestamps to jump around …
Critical Vulnerabilities Patched in Quiz and Survey Master Plugin

This entry was posted in Research, Vulnerabilities, WordPress Security on August 13, 2020 by Chloe Chamberland   1 Reply

On July 17, 2020, our Threat Intelligence team discovered two vulnerabilities in Quiz and Survey Master (QSM), a WordPress plugin installed on over 30,000 sites. These flaws made it possible for unauthenticated attackers to upload arbitrary files and achieve remote code execution, as well as delete arbitrary files like a site’s wp-config.php file which could …