This entry was posted in Research, Vulnerabilities, WordPress Security on February 16, 2021 by Chloe Chamberland 0 Replies
On January 20, 2021, our Threat Intelligence team responsibly disclosed four vulnerabilities in Ninja Forms, a WordPress plugin used by over one million sites. One of these flaws made it possible for attackers to redirect site administrators to arbitrary locations. The second flaw made it possible for attackers with subscriber level access or above to …
Read More
This entry was posted in Research, Vulnerabilities, WordPress Security on February 10, 2021 by Chloe Chamberland 4 Replies
On December 17, 2020, our Threat Intelligence team responsibly disclosed three vulnerabilities in Responsive Menu, a WordPress plugin installed on over 100,000 sites. The first flaw made it possible for authenticated attackers with low-level permissions to upload arbitrary files and ultimately achieve remote code execution. The remaining two flaws made it possible for attackers to …
Read More
This entry was posted in Research, WordPress Security on February 04, 2021 by Chloe Chamberland 9 Replies
On December 9, 2020, the Wordfence Threat Intelligence team discovered a Cross-Site Request Forgery (CSRF) to Stored Cross Site Scripting (XSS) vulnerability in Contact Form 7 Style, a WordPress plugin installed on over 50,000 sites. Please note that this is a separate plugin from “Contact Form 7” and is designed as an add-on to that …
Read More
This entry was posted in Research, Vulnerabilities, WordPress Security on January 12, 2021 by Chloe Chamberland 1 Reply
On November 19, 2020, our Threat Intelligence team responsibly disclosed two vulnerabilities in Orbit Fox by ThemeIsle, a WordPress plugin used by over 400,000 sites. One of these flaws made it possible for attackers with contributor level access or above to escalate their privileges to those of an administrator and potentially take over a WordPress …
Read More
This entry was posted in General Security, Research, WordPress Security on December 24, 2020 by Chloe Chamberland 18 Replies
Chloe Chamberland is a threat analyst and member of the Wordfence Threat Intelligence Team. She holds the following certifications: OSCP, OSWP, OSWE, Security+, CySA+, PenTest+, CASP+, SSCP, Associate of (ISC)2, CEH, ECSA and eWPT. Many of these are advanced certifications including OSCP and OSWE which are 24 and 48 hour exams respectively, that require hands-on …
Read More
This entry was posted in Research, Vulnerabilities, WordPress Security on November 09, 2020 by Chloe Chamberland 4 Replies
On October 23, 2020, our Threat Intelligence team responsibly disclosed several vulnerabilities in Ultimate Member, a WordPress plugin installed on over 100,000 sites. These flaws made it possible for attackers to escalate their privileges to those of an administrator and take over a WordPress site. We initially reached out to the plugin’s developer on October …
Read More
This entry was posted in WordPress Security on November 02, 2020 by Chloe Chamberland 0 Replies
On Thursday, October 29, the WordPress core team released WordPress version 5.5.2. This was a minor release containing bug fixes and security enhancements to the core WordPress content management system powering over one-third of the internet. There was a subsequent 5.5.3 release one day later; you can read about the emergency WP 5.5.3 release here. …
Read More
This entry was posted in Research, Vulnerabilities, WordPress Security on October 14, 2020 by Chloe Chamberland 0 Replies
On September 9, 2020, our Threat Intelligence team discovered a vulnerability in Child Theme Creator by Orbisius, a WordPress plugin installed on over 30,000 sites. This flaw gave attackers the ability to forge requests on behalf of an administrator in order to modify arbitrary theme files and create new PHP files, which could allow an …
Read More
This entry was posted in Research, Vulnerabilities, WordPress Security on October 07, 2020 by Chloe Chamberland 22 Replies
On July 27th, our Threat Intelligence team discovered a vulnerability in WPBakery, a WordPress plugin installed on over 4.3 million sites. This flaw made it possible for authenticated attackers with contributor-level or above permissions to inject malicious JavaScript in posts. We initially reached out to the plugin’s team on July 28, 2020 through their support …
Read More
This entry was posted in General Security, Wordfence, WordPress Security on October 02, 2020 by Chloe Chamberland 2 Replies
A few weeks ago, we reviewed some of the worst website hacks we’ve ever seen. Every one of them started with poor password choices and escalated into a disastrous event for the site owner. Strong passwords and good password hygiene are often the first line of defense. On September 29, 2020, the Wordfence Live team …
Read More