Updates on WordPress security, Wordfence and what we're cooking in the lab today.

Category Archive: Vulnerabilities

XSS Injection Campaign Exploits WordPress AMP Plugin

This entry was posted in Research, Vulnerabilities, WordPress Security on November 20, 2018 by Mikey Veenstra   19 Replies

News broke last week disclosing a number of vulnerabilities in the AMP For WP plugin, installed on over 100,000 WordPress sites. WordPress contributor Sybre Waaijer identified the security issue and confidentially disclosed it to the WordPress plugins team. To exploit the flaw, an attacker needs to have a minimum of subscriber-level access on a vulnerable site. The …

Trends Emerging Following Vulnerability In WP GDPR Compliance Plugin

This entry was posted in Research, Vulnerabilities, WordPress Security on November 09, 2018 by Mikey Veenstra   19 Replies

Earlier this week the WP GDPR Compliance plugin was briefly removed from the WordPress.org repository after the discovery of critical security issues impacting its users. In yesterday’s post, we provided some details regarding these issues and illustrated their severity. In the hours since that post was published, our team has continued tracking the adversaries seeking …

Privilege Escalation Flaw In WP GDPR Compliance Plugin Exploited In The Wild

This entry was posted in Vulnerabilities, WordPress Security on November 08, 2018 by Mikey Veenstra   23 Replies

After its removal from the WordPress plugin repository yesterday, the popular plugin WP GDPR Compliance released version 1.4.3, an update which patched multiple critical vulnerabilities. At the time of this writing, the plugin has been reinstated in the WordPress repository and has over 100,000 active installs. The reported vulnerabilities allow unauthenticated attackers to achieve privilege escalation, …

PSA: Multiple Vulnerabilities Present In Firefox 61

This entry was posted in General Security, Vulnerabilities on September 06, 2018 by Mikey Veenstra   2 Replies

In an advisory published yesterday, Mozilla disclosed the presence of nine security flaws in Firefox 61 which have been patched in the latest release of the browser. Some of the bugs are severe, but at this time do not appear to be receiving attacks in the wild. To protect yourself as a Firefox user, ensure …

Duplicator Update Patches Remote Code Execution Flaw

This entry was posted in Vulnerabilities, WordPress Security on September 05, 2018 by Mikey Veenstra   3 Replies

A critical remote code execution (RCE) vulnerability has been patched in the latest release of Duplicator, a WordPress backup and migration plugin with millions of downloads. In their public disclosure of this flaw, Synacktiv detailed its scope and severity, and provided a viable proof of concept exploit for the security community. In this post we’ll …

Ninja Forms Security Updates: What You Need To Know

This entry was posted in Vulnerabilities, WordPress Security on August 28, 2018 by Mikey Veenstra   1 Reply

Yesterday, the popular WordPress plugin Ninja Forms released version 3.3.14, which disclosed and patched two security issues present in the plugin. Upon review of these issues we’ve determined their severity to be moderately low, however due to the plugin’s wide userbase of more than a million active installs we’ve elected to provide a detailed exploration …

Details of an Additional File Deletion Vulnerability – Patched in WordPress 4.9.7

This entry was posted in Vulnerabilities, Wordfence, WordPress Security on July 05, 2018 by Matt Barry   4 Replies

Today WordPress released version 4.9.7, a security release which addresses two separate arbitrary file deletion vulnerabilities requiring Author privileges. Some details can be found on the WordPress.org blog. The first arbitrary file deletion vulnerability was disclosed June 26, 2018 on the RIPS Tech blog with no official patch to WordPress in place. We released a …

Arbitrary File Deletion Flaw Present in WordPress Core

This entry was posted in Vulnerabilities, WordPress Security on June 27, 2018 by Mikey Veenstra   41 Replies

The security community has been abuzz this week following the disclosure of a vulnerability present in all current versions of WordPress. The flaw, published in a detailed report by RIPS Technologies, allows any logged-in user with an Author role or higher to delete files on the server. By exploiting this arbitrary file deletion vulnerability, malicious …

Service Vulnerability: MelbourneIT Fixes NFS Permissions Problem

This entry was posted in Research, Vulnerabilities on March 30, 2018 by Brad Haas   0 Replies

In February, we wrote about a vulnerability on three shared hosting services. Following our Vulnerability Disclosure Policy, we had alerted them about vulnerable permissions on shared drives on their servers. They fixed the problem, making things safer both for their customers and for their customers’ site visitors. During the past month we noticed the same kind …

Service Vulnerabilities: 3 Hosting Companies Fix NFS Permissions Problem

This entry was posted in Vulnerabilities, WordPress Security on February 08, 2018 by Brad Haas   37 Replies

In mid-December we updated our Vulnerability Disclosure Policy to include Service Vulnerabilities. A service vulnerability is any issue with a technology service that represents an exploitable security risk for its users. We made this update in response to a growing trend of security issues we’ve been discovering in commercial services, most often WordPress hosting providers. …