Updates on WordPress security, Wordfence and what we're cooking in the lab today.

Category Archive: Vulnerabilities

Wordfence Blog

Recently Patched Vulnerabilities in Ninja Forms Plugin Affect Over 1 Million Site Owners

This entry was posted in Research, Vulnerabilities, WordPress Security on September 22, 2021 by Chloe Chamberland   0 Replies

On August 3, 2021 the Wordfence Threat Intelligence team initiated the responsible disclosure process for two vulnerabilities that were discovered in Ninja Forms, a WordPress plugin installed on over 1,000,000 sites. These flaws made it possible for an attacker to export sensitive information and send arbitrary emails from a vulnerable site that could be used …

Over 1 Million Sites Affected by Gutenberg Template Library & Redux Framework Vulnerabilities

This entry was posted in Research, Vulnerabilities, WordPress Security on September 01, 2021 by Ram Gall   3 Replies

On August 3, 2021, the Wordfence Threat Intelligence team initiated the disclosure process for two vulnerabilities we discovered in the Gutenberg Template Library & Redux Framework plugin, which is installed on over 1 million WordPress sites. One vulnerability allowed users with lower permissions, such as contributors, to install and activate arbitrary plugins and delete any …

Nested Pages Patches Post Deletion Vulnerability

This entry was posted in Research, Vulnerabilities, WordPress Security on August 25, 2021 by Ram Gall   0 Replies

On August 13, 2021, the Wordfence Threat Intelligence team responsibly disclosed two vulnerabilities in Nested Pages, a WordPress plugin installed on over 80,000 sites that provides drag and drop functionality to manage your page structure and post ordering. These vulnerabilities included a Cross-Site Request Forgery vulnerability that allowed posts and pages to be deleted, unpublished …

Critical Authentication Bypass Vulnerability Patched in Booster for WooCommerce

This entry was posted in Research, Vulnerabilities, WordPress Security on August 24, 2021 by Chloe Chamberland   12 Replies

On July 30, 2021 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability that we discovered in Booster for WooCommerce, a WordPress plugin installed on over 80,000 sites. This flaw made it possible for an attacker to log in as any user, as long as certain options were enabled in the …

XSS Vulnerability Patched in SEOPress Affects 100,000 sites

This entry was posted in Research, Vulnerabilities, WordPress Security on August 16, 2021 by Chloe Chamberland   2 Replies

On July 29, 2021 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability that we discovered in SEOPress, a WordPress plugin installed on over 100,000 sites. This flaw made it possible for an attacker to inject arbitrary web scripts on a vulnerable site which would execute anytime a user accessed the …

Multiple Vulnerabilities Patched in WordPress Download Manager

This entry was posted in Research, Vulnerabilities, WordPress Security on July 29, 2021 by Ram Gall   4 Replies

On May 4, 2021, the Wordfence Threat Intelligence Team initiated the responsible disclosure process for WordPress Download Manager, a WordPress plugin installed on over 100,000 sites. We found two separate vulnerabilities, including a sensitive information disclosure as well as a file upload vulnerability which could have resulted in Remote Code Execution in some configurations. The …

Critical SQL Injection Vulnerability Patched in WooCommerce

This entry was posted in Vulnerabilities, WordPress Security on July 15, 2021 by Ram Gall   15 Replies

Update: The article originally credited Tommy DeVoss (dawgyg) for the discovery. We’ve since been contacted by Tommy, who let us know that the credit should go to another researcher, Josh from DOS (Development Operations Security). On July 14, 2021, WooCommerce released an emergency patch for a SQL Injection vulnerability reported by a security researcher, Josh …

Common WordPress Vulnerabilities and Prevention Through Secure Coding Best Practices

This entry was posted in General Security, Vulnerabilities, WordPress Security on July 13, 2021 by Chloe Chamberland   4 Replies

WordPress has experienced exponential growth in the past several years and now holds over 42% of the CMS market share for all major sites. There are over 50,000 plugins available to download in the WordPress repository. That does not include the thousands of premium or open source plugins available outside of the repository, along with …

Easily Exploitable Critical Vulnerabilities Patched in ProfilePress Plugin

This entry was posted in Research, Vulnerabilities, WordPress Security on June 28, 2021 by Chloe Chamberland   9 Replies

On May 27, 2021, the Wordfence Threat Intelligence team initiated the responsible disclosure process for several vulnerabilities that were discovered in ProfilePress, formerly WP User Avatar, a WordPress plugin installed on over 400,000 sites. These flaws made it possible for an attacker to upload arbitrary files to a vulnerable site and register as an administrator …

Service Vulnerabilities: Shared Hosting Symlink Security Issue Still Widely Exploited on Unpatched Servers

This entry was posted in Research, Vulnerabilities, WordPress Security on June 17, 2021 by Charles Strader Sweethill   6 Replies

The Wordfence site cleaning team helps numerous customers recover from malware infections and site intrusions. While doing so, Wordfence Security Analysts perform a detailed forensic investigation in order to determine how the site was compromised by attackers. In a set of recent cases, we were able to identify a service vulnerability allowing malicious attackers to …
