Updates on WordPress security, Wordfence and what we're cooking in the lab today.

Category Archive: Vulnerabilities

Wordfence Blog

Recent Patches Rock the Elementor Ecosystem

This entry was posted in Research, Vulnerabilities, WordPress Security on April 13, 2021 by Ram Gall   6 Replies

This post has been updated with additional plugins that have been patched since its original publication. We will continue to add plugins as they are patched. Over the last few weeks, the Wordfence Threat Intelligence team has responsibly disclosed vulnerabilities in more than 15 of the most popular addon plugins for Elementor, which are collectively …

Vulnerabilities Patched in WP Page Builder

This entry was posted in Research, Vulnerabilities, WordPress Security on April 08, 2021 by Ram Gall   0 Replies

On February 15, 2021, the Wordfence Threat Intelligence team began the responsible disclosure process for several vulnerabilities in WP Page Builder, a plugin installed on over 10,000 sites. These vulnerabilities allowed any logged-in user, including subscribers, to access the page builder’s editor and make changes to existing posts on the site by default. Additionally, any …

Two Vulnerabilities Patched in Facebook for WordPress Plugin

This entry was posted in Research, Vulnerabilities, WordPress Security on March 25, 2021 by Chloe Chamberland   2 Replies

On December 22, 2020, our Threat Intelligence team responsibly disclosed a vulnerability in Facebook for WordPress, formerly known as Official Facebook Pixel, a WordPress plugin installed on over 500,000 sites. This flaw made it possible for unauthenticated attackers with access to a site’s secret salts and keys to achieve remote code execution through a deserialization …

Recently Patched Vulnerability in Thrive Themes Actively Exploited in the Wild

This entry was posted in Research, Vulnerabilities, WordPress Security on March 24, 2021 by Chloe Chamberland   6 Replies

On March 23, 2021, the Wordfence Threat Intelligence Team discovered two recently patched vulnerabilities being actively exploited in Thrive Theme’s “Legacy” Themes and Thrive Theme plugins that were chained together to allow unauthenticated attackers to upload arbitrary files on vulnerable WordPress sites. We estimate that more than 100,000 WordPress sites are using Thrive Theme products …

Cross-Site Scripting Vulnerabilities in Elementor Impact Over 7 Million Sites

This entry was posted in Research, Vulnerabilities, WordPress Security on March 17, 2021 by Ram Gall   12 Replies

On February 23, 2021, the Wordfence Threat Intelligence team responsibly disclosed a set of stored Cross-Site Scripting vulnerabilities in Elementor, a WordPress plugin which “is now actively installed and used on more than 7M websites” according to a recent announcement on the Elementor blog. These vulnerabilities allowed any user able to access the Elementor editor, …

Several Vulnerabilities Patched in Tutor LMS Plugin

This entry was posted in Research, Vulnerabilities, WordPress Security on March 15, 2021 by Chloe Chamberland   1 Reply

On December 15, 2020, our Threat Intelligence team responsibly disclosed several vulnerabilities in Tutor LMS, a WordPress plugin installed on over 20,000 sites. The first five flaws made it possible for authenticated attackers to inject and execute arbitrary SQL statements on WordPress sites. This made it possible for attackers to obtain information stored in a …

Critical 0-day in The Plus Addons for Elementor Allows Site Takeover

This entry was posted in Research, Vulnerabilities, WordPress Security on March 08, 2021 by Chloe Chamberland   28 Replies

UPDATE 2: As of late March 9th, 2021, the vulnerabilities have been fully patched in version 4.1.7. We highly recommend updating to this version immediately to keep your sites secure. Special thanks to the plugin developers for working as quickly as possible to resolve these issues. UPDATE 1: As of March 9th, 2021, the vulnerability …

Critical Vulnerability Patched in WooCommerce Upload Files

This entry was posted in Research, Vulnerabilities, WordPress Security on March 04, 2021 by Ram Gall   0 Replies

On December 29, 2020, the Wordfence Threat Intelligence team was alerted to a potential 0-day vulnerability in the WooCommerce Upload Files plugin, an add-on for WooCommerce with over 5,000 installations. Please note that this is a separate plugin from the main WooCommerce plugin and is designed as an add-on to that plugin. After confirming the …

Medium Severity Vulnerability Patched in User Profile Picture Plugin

This entry was posted in Research, Vulnerabilities, WordPress Security on March 03, 2021 by Chloe Chamberland   2 Replies

On February 15, 2021, our Threat Intelligence team initiated the responsible disclosure process for a vulnerability that we discovered in User Profile Picture, a WordPress plugin installed on over 60,000 sites. The vulnerability made it possible for authenticated users with the upload_files capability to obtain sensitive user information. We initially reached out to Cozmoslabs, the …

One Million Sites Affected: Four Severe Vulnerabilities Patched in Ninja Forms

This entry was posted in Research, Vulnerabilities, WordPress Security on February 16, 2021 by Chloe Chamberland   0 Replies

On January 20, 2021, our Threat Intelligence team responsibly disclosed four vulnerabilities in Ninja Forms, a WordPress plugin used by over one million sites. One of these flaws made it possible for attackers to redirect site administrators to arbitrary locations. The second flaw made it possible for attackers with subscriber level access or above to …
