Updates on WordPress security, Wordfence and what we're cooking in the lab today.

Category Archive: Vulnerabilities

Wordfence Blog

The Official Facebook Chat Plugin Created Vector for Social Engineering Attacks

This entry was posted in Research, Vulnerabilities, WordPress Security on August 04, 2020 by Chloe Chamberland | 0 Replies

On June 26, 2020, our Threat Intelligence team discovered a vulnerability in The Official Facebook Chat Plugin, a WordPress plugin installed on over 80,000 sites. This flaw made it possible for low-level authenticated attackers to connect their own Facebook Messenger account to any site running the vulnerable plugin and engage in chats with site visitors …

Critical Vulnerability Exposes over 700,000 Sites Using Divi, Extra, and Divi Builder

This entry was posted in Research, Vulnerabilities, WordPress Security on August 04, 2020 by Chloe Chamberland | 11 Replies

On July 23, 2020, our Threat Intelligence team discovered a vulnerability present in two themes by Elegant Themes, Divi and Extra, as well as Divi Builder, a WordPress plugin. Combined, these products are installed on an estimated 700,000 sites. This flaw gave authenticated attackers, with contributor-level or above capabilities, the ability to upload arbitrary files, …

Newsletter Plugin Vulnerabilities Affect Over 300,000 Sites

This entry was posted in Research, Vulnerabilities, WordPress Security on August 03, 2020 by Ram Gall | 6 Replies

On July 13, 2020, our Threat Intelligence team was alerted to a recently patched vulnerability in Newsletter, a WordPress plugin with over 300,000 installations. While investigating this vulnerability, we discovered two additional, more serious vulnerabilities, including a reflected Cross-Site Scripting (XSS) vulnerability and a PHP Object Injection vulnerability. We reached out to the plugin’s author on …

Critical Arbitrary File Upload Vulnerability Patched in wpDiscuz Plugin

This entry was posted in General Security, Vulnerabilities, WordPress Security on July 28, 2020 by Chloe Chamberland | 3 Replies

On June 19th, our Threat Intelligence team discovered a vulnerability present in Comments – wpDiscuz, a WordPress plugin installed on over 80,000 sites. This flaw gave unauthenticated attackers the ability to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable site’s server. We initially reached out to the plugin’s developer …

High Severity Vulnerability Patched in TC Custom JavaScript

This entry was posted in Research, Vulnerabilities, WordPress Security on July 21, 2020 by Ram Gall | 0 Replies

On June 12, 2020, Wordfence Threat Intelligence discovered an unauthenticated stored Cross-Site Scripting (XSS) vulnerability in TC Custom JavaScript, a WordPress plugin with over 10,000 installations. Wordfence Premium customers received a new firewall rule to provide protection against attacks targeting this vulnerability the same day. Wordfence users still using the free version received this rule after …

2 Million Users Affected by Vulnerability in All in One SEO Pack

This entry was posted in Research, Vulnerabilities, WordPress Security on July 16, 2020 by Chloe Chamberland | 9 Replies

On July 10, 2020, our Threat Intelligence team discovered a vulnerability in All In One SEO Pack, a WordPress plugin installed on over 2 million sites. This flaw allowed authenticated users with contributor level access or above the ability to inject malicious scripts that would be executed if a victim accessed the wp-admin panel’s ‘all …

XSS Flaw Impacting 100,000 Sites Patched in KingComposer

This entry was posted in Research, Vulnerabilities, WordPress Security on July 09, 2020 by Ram Gall | 2 Replies

On June 15, 2020, our Threat Intelligence team was made aware of a number of access control vulnerabilities that had recently been disclosed in KingComposer, a WordPress plugin installed on over 100,000 sites. During our investigation of these vulnerabilities, we discovered an unpatched reflected Cross-Site Scripting (XSS) vulnerability. Wordfence Premium customers received a new firewall rule …

Critical Vulnerabilities Patched in Adning Advertising Plugin

This entry was posted in Research, Vulnerabilities, WordPress Security on July 08, 2020 by Ram Gall | 4 Replies

On June 24, 2020, our Threat Intelligence team was made aware of a possible vulnerability in the Adning Advertising plugin, a premium plugin with over 8,000 customers. We eventually discovered 2 vulnerabilities, one of which was a critical vulnerability that allowed an unauthenticated attacker to upload arbitrary files, leading to Remote Code Execution (RCE), which could …

WordPress 5.4.2 Patches Multiple XSS Vulnerabilities

This entry was posted in Vulnerabilities, WordPress Security on June 11, 2020 by Ram Gall | 2 Replies

WordPress Core version 5.4.2 has just been released. Since this release is marked as a combined security and bug fix update, we recommend updating as soon as possible. With that said, most of the security fixes themselves are for vulnerabilities that would require specific circumstances to exploit. All in all, this release contains 6 security …

High Severity Vulnerabilities in PageLayer Plugin Affect Over 200,000 WordPress Sites

This entry was posted in Research, Vulnerabilities, WordPress Security on May 28, 2020 by Chloe Chamberland | 0 Replies

A few weeks ago, our Threat Intelligence team discovered several vulnerabilities present in Page Builder: PageLayer – Drag and Drop website builder, a WordPress plugin actively installed on over 200,000 sites. The plugin is from the same creators as wpCentral, a plugin within which we recently discovered a privilege escalation vulnerability. One flaw allowed any …
