Updates on WordPress security, Wordfence and what we're cooking in the lab today.

Category Archive: Podcasts

Wordfence Blog

Episode 95: Critical Privilege Escalation Vulnerabilities Affect Over 100K WordPress Sites

This entry was posted in Podcasts on November 13, 2020 by Kathy Zant   0 Replies

Three critical privilege escalation vulnerabilities in the Ultimate Member plugin put over 100,000 sites at risk. We also talk about the Page Experience metric to be added as a ranking signal for Google search in May 2021 and what this means for WordPress sites using page builders or Gutenberg. Microsoft warns against using telephone/SMS-based multi-factor …

Episode 94: Hosting Provider Exposed 63 Million Customer Records

This entry was posted in Podcasts on November 06, 2020 by Ram Gall   0 Replies

A hosting provider exposed over 63 million customer records via an open Elasticsearch database containing verbose logs with plain-text username/password credentials for numerous WordPress, Magento and other sites. We also talk about the security updates in WordPress 5.5.2/5.5.3 and the accidental 5.5.3-alpha autoupdate. We talk about object injection vulnerabilities like the one discovered in …

Episode 93: Nitro Documents on the Dark Web and Botnets Targeting Older Vulnerabilities

This entry was posted in Podcasts on October 31, 2020 by Kathy Zant   1 Reply

We cover a couple of breaking stories this week, including the emergency release of WordPress 5.5.3 on Friday, October 30. In preparation for this, a number of sites autoupdated to version 5.5.3-alpha. We also look at the defacement of the Trump Campaign website, and how 2-Factor Authentication could have prevented this. We also look …

Episode 92: WordPress Forced Security Autoupdate Protects Sites from Loginizer Vulnerability

This entry was posted in Podcasts on October 23, 2020 by Ram Gall   0 Replies

An easily exploitable SQL injection vulnerability was discovered in the Loginizer plugin installed on over one million WordPress sites, causing the WordPress team to force an update to sites using the vulnerable version. The Justice Department is filing an antitrust suit against Google for allegedly monopolizing the search and search advertising markets. Google Chrome gets an update …

Episode 91: How Hackers Can Use CSRF Vulnerabilities and Spearphishing to Wreak Havoc on WordPress

This entry was posted in Podcasts on October 17, 2020 by Kathy Zant   0 Replies

On this week’s episode of Think Like a Hacker, we chat about the cross-site request forgery (CSRF) vulnerability found in the Child Theme Creator by Orbisius and how attackers could use a vulnerability like this with spearphishing to wreak havoc, much like the phishing campaigns now being found on the Canva design platform. With WordPress …

Episode 90: WPBakery Plugin Vulnerability Exposes Over 4 Million Sites

This entry was posted in Podcasts on October 09, 2020 by Scott Miller   0 Replies

A vulnerability discovered by the Wordfence Threat Intelligence team in the WPBakery plugin exposes over 4 million sites. High severity vulnerabilities were discovered in the Post Grid and Team Showcase plugins. The online avatar service Gravatar has been exposed to a user enumeration technique, which could be abused to collect data on its users’ profiles, …

Episode 89: Shopify Rogue Employees, Medium and Twitter Vulnerabilities, and Hackers Hiding Out in Corporate Networks

This entry was posted in Podcasts on October 02, 2020 by Scott Miller   0 Replies

Shopify reports that two rogue employees stole data from 200 merchants on their platform. A security researcher found a vulnerability in the Medium Partner Program that could have allowed an attacker to steal writers’ earnings. Symantec reports that a state-sponsored hacking group has been hiding out in company networks as a part of an information-stealing campaign. …

Episode 88: XCloner Vulnerabilities, LokiBot Malware, & a 14 Year Old Nets a $25K Bug Bounty

This entry was posted in Podcasts on September 25, 2020 by Scott Miller   0 Replies

Our Threat Intelligence team discovered several vulnerabilities present in XCloner Backup and Restore, a WordPress plugin installed on over 30,000 sites. These vulnerabilities could have allowed an attacker to modify arbitrary files, including PHP files. The US government's Cybersecurity and Infrastructure Security Agency is warning of detected persistent malicious activity traced back to LokiBot infections. …

Episode 87: Vulnerabilities Affect Discount Rules for WooCommerce Plugin, ModSecurity & Windows

This entry was posted in Podcasts on September 18, 2020 by Scott Miller   0 Replies

Vulnerabilities were recently patched in the Discount Rules for WooCommerce plugin installed on over 40,000 WordPress sites. Developers from OWASP Core Rule Set said ModSecurity v3 is exposed to denial of service exploits, though the maintainers of ModSecurity reject that claim. A severe vulnerability called Zerologon in Windows Netlogon was patched in August; this bug …

Episode 86: War of the Hackers

This entry was posted in Podcasts on September 11, 2020 by Scott Miller   0 Replies

Millions of attacks have been targeting the recent File Manager plugin zero-day vulnerability discovered last week. Two attackers are vying for control over sites compromised through the vulnerability. A security researcher has revealed that specially crafted Windows 10 themes can be used to perform Pass-the-Hash attacks. A database belonging to the Digital Point webmaster forum …
