Updates on WordPress security, Wordfence and what we're cooking in the lab today.

Category Archive: Vulnerabilities

Wordfence Blog

Uncovering Potential Issues with the Contact Form 7 Vulnerability: More Data Needed

This entry was posted in Vulnerabilities, WordPress Security on January 18, 2021 by Ram Gall   3 Replies

On December 17, 2020, the Astra research security team disclosed that they had discovered a critical severity Unrestricted File Upload vulnerability in Contact Form 7, the most popular WordPress plugin of all time. The lead researcher, Jinson Varghese, also published a blog post providing limited information about this vulnerability. The initial disclosure claimed that “By …
Read More

Multiple Vulnerabilities Patched in Orbit Fox by ThemeIsle Plugin

This entry was posted in Research, Vulnerabilities, WordPress Security on January 12, 2021 by Chloe Chamberland   1 Reply

On November 19, 2020, our Threat Intelligence team responsibly disclosed two vulnerabilities in Orbit Fox by ThemeIsle, a WordPress plugin used by over 400,000 sites. One of these flaws made it possible for attackers with contributor level access or above to escalate their privileges to those of an administrator and potentially take over a WordPress …
Read More

A Challenging Exploit: The Contact Form 7 File Upload Vulnerability

This entry was posted in Vulnerabilities, WordPress Security on December 17, 2020 by Ram Gall   1 Reply

Contact Form 7, arguably the most widely used WordPress plugin, released a security patch for an unrestricted file upload vulnerability in all versions 5.3.1 and lower. The WordPress plugin directory lists 5+ million sites using Contact Form 7, but we estimate that it has at least 10 million installations. One of the important features of …
Read More

Reflected XSS in PageLayer Plugin Affects Over 200,000 WordPress Sites

This entry was posted in Research, Vulnerabilities, WordPress Security on December 10, 2020 by Ram Gall   2 Replies

On November 4, 2020, the Wordfence Threat Intelligence team found two reflected Cross-Site Scripting (XSS) vulnerabilities in PageLayer, a WordPress plugin installed on over 200,000 sites. These vulnerabilities could lead to an attacker executing malicious Javascript in an administrator’s browser, which could lead to takeover of a vulnerable WordPress site. We contacted the plugin’s publisher, …
Read More

Large-Scale Attacks Target Epsilon Framework Themes

This entry was posted in Research, Vulnerabilities, WordPress Security on November 17, 2020 by Ram Gall   6 Replies

On November 17, 2020, our Threat Intelligence team noticed a large-scale wave of attacks against recently reported Function Injection vulnerabilities in themes using the Epsilon Framework, which we estimate are installed on over 150,000 sites. So far today, we have seen a surge of more than 7.5 million attacks against more than 1.5 million sites …
Read More

Critical Privilege Escalation Vulnerabilities Affect 100K Sites Using Ultimate Member Plugin

This entry was posted in Research, Vulnerabilities, WordPress Security on November 09, 2020 by Chloe Chamberland   4 Replies

On October 23, 2020, our Threat Intelligence team responsibly disclosed several vulnerabilities in Ultimate Member, a WordPress plugin installed on over 100,000 sites. These flaws made it possible for attackers to escalate their privileges to those of an administrator and take over a WordPress site. We initially reached out to the plugin’s developer on October …
Read More

Object Injection Vulnerability in Welcart e-Commerce Plugin

This entry was posted in Research, Vulnerabilities, WordPress Security on November 05, 2020 by Ram Gall   2 Replies

On October 6, 2020, our Threat Intelligence team discovered a High-Severity Object Injection vulnerability in Welcart e-Commerce, a WordPress plugin with over 20,000 installations that claims top market share in Japan. After we finished our investigation, we contacted the plugin’s publisher, Collne Inc. on October 9, 2020. Full disclosure was sent on October 12, 2020, …
Read More

High Severity Vulnerability Patched in Child Theme Creator by Orbisius

This entry was posted in Research, Vulnerabilities, WordPress Security on October 14, 2020 by Chloe Chamberland   0 Replies

On September 9, 2020, our Threat Intelligence team discovered a vulnerability in Child Theme Creator by Orbisius, a WordPress plugin installed on over 30,000 sites. This flaw gave attackers the ability to forge requests on behalf of an administrator in order to modify arbitrary theme files and create new PHP files, which could allow an …
Read More

Vulnerability Exposes Over 4 Million Sites Using WPBakery

This entry was posted in Research, Vulnerabilities, WordPress Security on October 07, 2020 by Chloe Chamberland   22 Replies

On July 27th, our Threat Intelligence team discovered a vulnerability in WPBakery, a WordPress plugin installed on over 4.3 million sites. This flaw made it possible for authenticated attackers with contributor-level or above permissions to inject malicious JavaScript in posts. We initially reached out to the plugin’s team on July 28, 2020 through their support …
Read More

High Severity Vulnerabilities in Post Grid and Team Showcase Plugins

This entry was posted in Research, Vulnerabilities, WordPress Security on October 05, 2020 by Ram Gall   0 Replies

On September 14, 2020, our Threat Intelligence team discovered two high severity vulnerabilities in Post Grid, a WordPress plugin with over 60,000 installations. While investigating one of these vulnerabilities, we discovered that almost identical vulnerabilities were also present in Team Showcase, a separate plugin by the same author with over 6,000 installations. We initially reached …
Read More

Follow Us

      


Protect your websites with the #1 WordPress Security Plugin

Get Premium
Over 150 million downloads

Wordfence Newsletter

Get WordPress Security Alerts and Product Updates