This entry was posted in Research, Vulnerabilities, WordPress Security on July 16, 2020 by Chloe Chamberland 0 Replies
On July 10, 2020, our Threat Intelligence team discovered a vulnerability in All In One SEO Pack, a WordPress plugin installed on over 2 million sites. This flaw allowed authenticated users with contributor level access or above the ability to inject malicious scripts that would be executed if a victim accessed the wp-admin panel’s ‘all …
Read More
This entry was posted in Research, Vulnerabilities, WordPress Security on May 28, 2020 by Chloe Chamberland 0 Replies
A few weeks ago, our Threat Intelligence team discovered several vulnerabilities present in Page Builder: PageLayer – Drag and Drop website builder, a WordPress plugin actively installed on over 200,000 sites. The plugin is from the same creators as wpCentral, a plugin within which we recently discovered a privilege escalation vulnerability. One flaw allowed any …
Read More
This entry was posted in Research, Vulnerabilities, WordPress Security on May 19, 2020 by Chloe Chamberland 4 Replies
On May 6, our Threat Intelligence team was alerted to a zero-day vulnerability present in Elementor Pro, a WordPress plugin installed on approximately 1 million sites. That vulnerability was being exploited in conjunction with another vulnerability found in Ultimate Addons for Elementor, a WordPress plugin installed on approximately 110,000 sites. We immediately released a firewall …
Read More
This entry was posted in Research, Vulnerabilities, WordPress Security on May 13, 2020 by Chloe Chamberland 0 Replies
On April 21st, our Threat Intelligence team discovered a vulnerability in Site Kit by Google, a WordPress plugin installed on over 300,000 sites. This flaw allows any authenticated user, regardless of capability, to become a Google Search Console owner for any site running the Site Kit by Google plugin. We filed a security issue report …
Read More
This entry was posted in Vulnerabilities, Wordfence, WordPress Security on May 11, 2020 by Chloe Chamberland 5 Replies
On Monday, May 4, 2020, the Wordfence Threat Intelligence team discovered two vulnerabilities present in Page Builder by SiteOrigin, a WordPress plugin actively installed on over 1,000,000 sites. Both of these flaws allow attackers to forge requests on behalf of a site administrator and execute malicious code in the administrator’s browser. The attacker needs to …
Read More
This entry was posted in Vulnerabilities, WordPress Security on May 06, 2020 by Chloe Chamberland 63 Replies
On May 6, 2020, our Threat Intelligence team received reports of active exploitation of vulnerabilities in two related plugins, Elementor Pro and Ultimate Addons for Elementor. We have reviewed the log files of compromised sites to confirm this activity. As this is an active attack, we wanted to alert you so that you can take …
Read More
This entry was posted in WordPress Security on May 05, 2020 by Chloe Chamberland 29 Replies
This is a public service announcement (PSA) from the Wordfence team regarding a security issue which may impact some of our customers. On May 4, 2020, GoDaddy, one of the world’s largest website hosting providers, disclosed that the SSH credentials of approximately 28,000 GoDaddy hosting accounts were compromised by an unauthorized attacker. SSH, while extremely …
Read More
This entry was posted in Research, Vulnerabilities, WordPress Security on April 27, 2020 by Chloe Chamberland 0 Replies
On April 22, 2020, our Threat Intelligence team discovered a vulnerability in Real-Time Find and Replace, a WordPress plugin installed on over 100,000 sites. This flaw could allow any user to inject malicious Javascript anywhere on a site if they could trick a site’s administrator into performing an action, like clicking on a link in …
Read More
This entry was posted in Vulnerabilities, WordPress Security on April 14, 2020 by Chloe Chamberland 1 Reply
A few weeks ago, our Threat Intelligence team discovered a vulnerability in Accordion, a WordPress plugin installed on over 30,000 sites. This flaw allowed any authenticated user with subscriber-level and above permissions the ability to import a new accordion and inject malicious Javascript as part of the accordion. We initially reached out to the plugin’s …
Read More
This entry was posted in Vulnerabilities, WordPress Security on March 24, 2020 by Chloe Chamberland 0 Replies
A few weeks ago, we disclosed several flaws that were patched in the Pricing Table by Supsystic plugin. On January 20th, our Threat Intelligence team discovered several similar vulnerabilities present in another product from Supsystic: Data Tables Generator by Supsystic, a WordPress plugin installed on over 30,000 sites. These flaws were very similar and allowed …
Read More
