Updates on WordPress security, Wordfence and what we're cooking in the lab today.

Category Archive: Research

Wordfence Blog

Cross-Site Request Forgery Patched in WP Fluent Forms

This entry was posted in Research, Vulnerabilities, WordPress Security on June 16, 2021 by Ram Gall   0 Replies

On March 2, 2021, the Wordfence Threat Intelligence team responsibly disclosed a Cross-Site Request Forgery (CSRF) vulnerability in WP Fluent Forms, a WordPress plugin installed on over 80,000 sites. This vulnerability also allowed a stored Cross-Site Scripting (XSS) attack which, if successfully exploited, could be used to take over a site. We reached out to the plugin …

High Severity Vulnerability Patched in WooCommerce Stock Manager Plugin

This entry was posted in Research, Vulnerabilities, WordPress Security on June 14, 2021 by Chloe Chamberland   0 Replies

On May 21, 2021, the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability that we discovered in WooCommerce Stock Manager, a WordPress plugin installed on over 30,000 sites. This flaw made it possible for an attacker to upload arbitrary files to a vulnerable site and achieve remote code execution, as long …

Malicious Attack Campaign Targeting Jetpack Users Reusing Passwords

This entry was posted in PSA, Research, WordPress Security on June 11, 2021 by Ram Gall   10 Replies

The Wordfence Threat Intelligence and Site Cleaning teams have been tracking a malware campaign that redirects all site visitors to malvertising domains, while attempting to keep site administrators unaware of the infection. Since June 1, 2021, the number of sites we are tracking that have been infected with this malware has more than doubled, and …

Critical 0-day in Fancy Product Designer Under Active Attack

This entry was posted in Research, Vulnerabilities, WordPress Security on June 01, 2021 by Ram Gall   2 Replies

Update: A patched version of Fancy Product Designer, 4.6.9, is now available as of June 2, 2021. This article has been updated to reflect newly available information, including Indicators of Compromise. On May 31, 2021, the Wordfence Threat Intelligence team discovered a critical file upload vulnerability being actively exploited in Fancy Product Designer, a WordPress …

Severe Vulnerabilities Patched in Simple 301 Redirects by BetterLinks Plugin

This entry was posted in Research, Vulnerabilities, WordPress Security on May 26, 2021 by Chloe Chamberland   0 Replies

On April 8, 2021, the Wordfence Threat Intelligence team initiated the responsible disclosure process for several vulnerabilities discovered in Simple 301 Redirects by BetterLinks, a WordPress plugin installed on over 300,000 sites. One of these flaws made it possible for unauthenticated users to update redirects for the site allowing an attacker to redirect all site …

Over 600,000 Sites Impacted by WP Statistics Patch

This entry was posted in Research, Vulnerabilities, WordPress Security on May 18, 2021 by Ram Gall   0 Replies

On March 13, 2021, the Wordfence Threat Intelligence team initiated responsible disclosure for a vulnerability in WP Statistics, a plugin installed on over 600,000 WordPress sites. The vulnerability allowed any site visitor to extract sensitive information from a site’s database via Time-Based Blind SQL Injection. We received a response to our initial disclosure the same …

Critical Vulnerability Patched in External Media Plugin

This entry was posted in Research, Vulnerabilities, WordPress Security on May 13, 2021 by Chloe Chamberland   2 Replies

On February 2, 2021, our Threat Intelligence team responsibly disclosed the details of a vulnerability in External Media, a WordPress plugin used by over 8,000 sites. This flaw made it possible for authenticated users, such as subscribers, to upload arbitrary files on any site running the plugin. This vulnerability could be used to achieve remote …

SQL Injection Vulnerability Patched in CleanTalk AntiSpam Plugin

This entry was posted in Research, Vulnerabilities, WordPress Security on May 03, 2021 by Ram Gall   0 Replies

On March 4, 2021, the Wordfence Threat Intelligence team initiated responsible disclosure for a Time-Based Blind SQL Injection vulnerability discovered in Spam protection, AntiSpam, FireWall by CleanTalk, a WordPress plugin installed on over 100,000 sites. This vulnerability could be used to extract sensitive information from a site’s database, including user emails and password hashes, all …

Severe Unpatched Vulnerabilities Lead to Closure of Store Locator Plus Plugin

This entry was posted in Research, Vulnerabilities, WordPress Security on April 26, 2021 by Chloe Chamberland   2 Replies

On March 5, 2021, the Wordfence Threat Intelligence team wrapped up an investigation that led to the discovery of a privilege escalation vulnerability along with several additional vulnerabilities in Store Locator Plus, a WordPress plugin installed on over 9,000 sites. We initially reached out to the plugin’s developer on March 5, 2021. We received no …

PSA: Remove Kaswara Modern WPBakery Page Builder Addons Plugin Immediately

This entry was posted in Research, Vulnerabilities, WordPress Security on April 21, 2021 by Chloe Chamberland   13 Replies

Today, April 21, 2021, the Wordfence Threat Intelligence team became aware of a critical 0-day vulnerability that is being actively exploited in Kaswara Modern WPBakery Page Builder Addons, a premium plugin that we estimate has over 10,000 installations. This vulnerability was reported this morning to WPScan by “Robin Goodfellow.” The exploited flaw makes it possible …
