Updates on WordPress security, Wordfence and what we're cooking in the lab today.

Author Archive: Chloe Chamberland

Wordfence Blog

One Million Sites Affected: Four Severe Vulnerabilities Patched in Ninja Forms

This entry was posted in Research, Vulnerabilities, WordPress Security on February 16, 2021 by Chloe Chamberland   0 Replies

On January 20, 2021, our Threat Intelligence team responsibly disclosed four vulnerabilities in Ninja Forms, a WordPress plugin used by over one million sites. One of these flaws made it possible for attackers to redirect site administrators to arbitrary locations. The second flaw made it possible for attackers with subscriber level access or above to …

Multiple Vulnerabilities Patched in Responsive Menu Plugin

This entry was posted in Research, Vulnerabilities, WordPress Security on February 10, 2021 by Chloe Chamberland   4 Replies

On December 17, 2020, our Threat Intelligence team responsibly disclosed three vulnerabilities in Responsive Menu, a WordPress plugin installed on over 100,000 sites. The first flaw made it possible for authenticated attackers with low-level permissions to upload arbitrary files and ultimately achieve remote code execution. The remaining two flaws made it possible for attackers to …

Unpatched Vulnerability: 50,000 WP Sites Must Find Alternative for Contact Form 7 Style

This entry was posted in Research, WordPress Security on February 04, 2021 by Chloe Chamberland   9 Replies

On December 9, 2020, the Wordfence Threat Intelligence team discovered a Cross-Site Request Forgery (CSRF) to Stored Cross-Site Scripting (XSS) vulnerability in Contact Form 7 Style, a WordPress plugin installed on over 50,000 sites. Please note that this is a separate plugin from “Contact Form 7” and is designed as an add-on to that …

Multiple Vulnerabilities Patched in Orbit Fox by ThemeIsle Plugin

This entry was posted in Research, Vulnerabilities, WordPress Security on January 12, 2021 by Chloe Chamberland   1 Reply

On November 19, 2020, our Threat Intelligence team responsibly disclosed two vulnerabilities in Orbit Fox by ThemeIsle, a WordPress plugin used by over 400,000 sites. One of these flaws made it possible for attackers with contributor level access or above to escalate their privileges to those of an administrator and potentially take over a WordPress …

Who Attacked SolarWinds and Why WordPress Users Need to Know

This entry was posted in General Security, Research, WordPress Security on December 24, 2020 by Chloe Chamberland   18 Replies

Chloe Chamberland is a threat analyst and member of the Wordfence Threat Intelligence Team. She holds the following certifications: OSCP, OSWP, OSWE, Security+, CySA+, PenTest+, CASP+, SSCP, Associate of (ISC)2, CEH, ECSA and eWPT. Many of these are advanced certifications including OSCP and OSWE which are 24 and 48 hour exams respectively, that require hands-on …

Critical Privilege Escalation Vulnerabilities Affect 100K Sites Using Ultimate Member Plugin

This entry was posted in Research, Vulnerabilities, WordPress Security on November 09, 2020 by Chloe Chamberland   4 Replies

On October 23, 2020, our Threat Intelligence team responsibly disclosed several vulnerabilities in Ultimate Member, a WordPress plugin installed on over 100,000 sites. These flaws made it possible for attackers to escalate their privileges to those of an administrator and take over a WordPress site. We initially reached out to the plugin’s developer on October …

Unpacking the WordPress 5.5.2/5.5.3 Security Release

This entry was posted in WordPress Security on November 02, 2020 by Chloe Chamberland   0 Replies

On Thursday, October 29, the WordPress core team released WordPress version 5.5.2. This was a minor release containing bug fixes and security enhancements to the core WordPress content management system powering over one-third of the internet. There was a subsequent 5.5.3 release one day later; you can read about the emergency WP 5.5.3 release here. …

High Severity Vulnerability Patched in Child Theme Creator by Orbisius

This entry was posted in Research, Vulnerabilities, WordPress Security on October 14, 2020 by Chloe Chamberland   0 Replies

On September 9, 2020, our Threat Intelligence team discovered a vulnerability in Child Theme Creator by Orbisius, a WordPress plugin installed on over 30,000 sites. This flaw gave attackers the ability to forge requests on behalf of an administrator in order to modify arbitrary theme files and create new PHP files, which could allow an …

Vulnerability Exposes Over 4 Million Sites Using WPBakery

This entry was posted in Research, Vulnerabilities, WordPress Security on October 07, 2020 by Chloe Chamberland   22 Replies

On July 27th, our Threat Intelligence team discovered a vulnerability in WPBakery, a WordPress plugin installed on over 4.3 million sites. This flaw made it possible for authenticated attackers with contributor-level or above permissions to inject malicious JavaScript in posts. We initially reached out to the plugin’s team on July 28, 2020 through their support …

Common Ways Attackers Are Stealing Credentials

This entry was posted in General Security, Wordfence, WordPress Security on October 02, 2020 by Chloe Chamberland   2 Replies

A few weeks ago, we reviewed some of the worst website hacks we’ve ever seen. Every one of them started with poor password choices and escalated into a disastrous event for the site owner. Strong passwords and good password hygiene are often the first line of defense. On September 29, 2020, the Wordfence Live team …
