This entry was posted in Research, Vulnerabilities, WordPress Security on May 13, 2021 by Chloe Chamberland 1 Reply
On February 2, 2021, our Threat Intelligence team responsibly disclosed the details of a vulnerability in External Media, a WordPress plugin used by over 8,000 sites. This flaw made it possible for authenticated users, such as subscribers, to upload arbitrary files on any site running the plugin. This vulnerability could be used to achieve remote …
Read More
This entry was posted in Research, Vulnerabilities, WordPress Security on April 26, 2021 by Chloe Chamberland 2 Replies
On March 5, 2021, the Wordfence Threat Intelligence team wrapped up an investigation that led to the discovery of a privilege escalation vulnerability along with several additional vulnerabilities in Store Locator Plus, a WordPress plugin installed on over 9,000 sites. We initially reached out to the plugin’s developer on March 5, 2021. We received no …
Read More
This entry was posted in Research, Vulnerabilities, WordPress Security on April 21, 2021 by Chloe Chamberland 13 Replies
Today, April 21, 2021, the Wordfence Threat Intelligence team became aware of a critical 0-day vulnerability that is being actively exploited in Kaswara Modern WPBakery Page Builder Addons, a premium plugin that we estimate has over 10,000 installations. This vulnerability was reported this morning to WPScan by “Robin Goodfellow.” The exploited flaw makes it possible …
Read More
This entry was posted in Research, Vulnerabilities, WordPress Security on April 20, 2021 by Chloe Chamberland 6 Replies
On February 11, 2021, our Threat Intelligence team responsibly disclosed several vulnerabilities in Redirection for Contact Form 7, a WordPress plugin used by over 200,000 sites. One of these flaws made it possible for unauthenticated attackers to generate arbitrary nonces for any function. The second flaw made it possible for authenticated attackers to install arbitrary …
Read More
This entry was posted in General Security, Wordfence, WordPress Security on April 07, 2021 by Chloe Chamberland 2 Replies
A few months ago on Wordfence Live, we reviewed some of the worst website hacks we’ve ever seen. Every one of them started with poor password choices and escalated into a disastrous event for the site owner. From these common hacks, we have many cautionary tales of site security that could have been prevented by …
Read More
This entry was posted in General Security, Research, WordPress Security on March 29, 2021 by Chloe Chamberland 16 Replies
Late Sunday night, on March 28, 2021, Nikita Popov, a core PHP committer, released a statement indicating that two malicious commits had been pushed to the php-src git repository. These commits were pushed to create a backdoor that would have effectively allowed attackers to achieve remote code execution through PHP and an HTTP header. Remote …
Read More
This entry was posted in Research, Vulnerabilities, WordPress Security on March 25, 2021 by Chloe Chamberland 2 Replies
On December 22, 2020, our Threat Intelligence team responsibly disclosed a vulnerability in Facebook for WordPress, formerly known as Official Facebook Pixel, a WordPress plugin installed on over 500,000 sites. This flaw made it possible for unauthenticated attackers with access to a site’s secret salts and keys to achieve remote code execution through a deserialization …
Read More
This entry was posted in Research, Vulnerabilities, WordPress Security on March 24, 2021 by Chloe Chamberland 6 Replies
On March 23, 2021, the Wordfence Threat Intelligence Team discovered two recently patched vulnerabilities being actively exploited in Thrive Theme’s “Legacy” Themes and Thrive Theme plugins that were chained together to allow unauthenticated attackers to upload arbitrary files on vulnerable WordPress sites. We estimate that more than 100,000 WordPress sites are using Thrive Theme products …
Read More
This entry was posted in Research, Vulnerabilities, WordPress Security on March 15, 2021 by Chloe Chamberland 1 Reply
On December 15, 2020, our Threat Intelligence team responsibly disclosed several vulnerabilities in Tutor LMS, a WordPress plugin installed on over 20,000 sites. The first five flaws made it possible for authenticated attackers to inject and execute arbitrary SQL statements on WordPress sites. This made it possible for attackers to obtain information stored in a …
Read More
This entry was posted in Research, Vulnerabilities, WordPress Security on March 08, 2021 by Chloe Chamberland 28 Replies
UPDATE 2: As of late March 9th, 2021, the vulnerabilities have been fully patched in version 4.1.7. We highly recommend updating to this version immediately to keep your sites secure. Special thanks to the plugin developers for working as quickly as possible to resolve these issues. UPDATE 1: As of March 9th, 2021, the vulnerability …
Read More
