Updates on CyberSecurity, WordPress and what we're cooking in the lab today.

Category Archive: Vulnerabilities

PSA: Multiple Vulnerabilities Present In Firefox 61

This entry was posted in General Security, Vulnerabilities on September 6, 2018 by Mikey Veenstra   2 Replies

In an advisory published yesterday, Mozilla disclosed the presence of nine security flaws in Firefox 61 which have been patched in the latest release of the browser. Some of the bugs are severe, but at this time do not appear to be receiving attacks in the wild. To protect yourself as a Firefox user, ensure that you have updated Firefox to the latest version as soon as possible. To do this, click the 'Firefox' menu and 'About Firefox'. The browser will check for an update automatically and will download the update if available. You will then be prompted to 'Restart to update Firefox'...read more

Duplicator Update Patches Remote Code Execution Flaw

This entry was posted in Vulnerabilities, WordPress Security on September 5, 2018 by Mikey Veenstra   3 Replies

A critical remote code execution (RCE) vulnerability has been patched in the latest release of Duplicator, a WordPress backup and migration plugin with millions of downloads. In their public disclosure of this flaw, Synacktiv detailed its scope and severity, and provided a viable proof of concept exploit for the security community. In this post we'll take a look at the basics of the vulnerability, what was patched, and what you can do if you think your site's at risk....read more

Ninja Forms Security Updates: What You Need To Know

This entry was posted in Vulnerabilities, WordPress Security on August 28, 2018 by Mikey Veenstra   1 Reply

Yesterday, the popular WordPress plugin Ninja Forms released version 3.3.14, which disclosed and patched two security issues present in the plugin. Upon review of these issues we've determined their severity to be moderately low, however due to the plugin's wide userbase of more than a million active installs we've elected to provide a detailed exploration of exactly what these vulnerabilities are and what risks they do pose if left unpatched. As usual, we recommend updating vulnerable versions of the plugin as soon as possible, despite the relatively low risk....read more

Details of an Additional File Deletion Vulnerability – Patched in WordPress 4.9.7

This entry was posted in Vulnerabilities, Wordfence, WordPress Security on July 5, 2018 by Matt Barry   4 Replies

Today WordPress released version 4.9.7, a security release which addresses two separate arbitrary file deletion vulnerabilities requiring Author privileges. Some details can be found on the WordPress.org blog....read more

Arbitrary File Deletion Flaw Present in WordPress Core

This entry was posted in Vulnerabilities, WordPress Security on June 27, 2018 by Mikey Veenstra   41 Replies

The security community has been abuzz this week following the disclosure of a vulnerability present in all current versions of WordPress. The flaw, published in a detailed report by RIPS Technologies, allows any logged-in user with an Author role or higher to delete files on the server....read more

Service Vulnerability: MelbourneIT Fixes NFS Permissions Problem

This entry was posted in Research, Vulnerabilities on March 30, 2018 by Brad Haas   0 Replies

In February, we wrote about a vulnerability on three shared hosting services.  Following our Vulnerability Disclosure Policy, we had alerted them about vulnerable permissions on shared drives on their servers. They fixed the problem, making things safer both for their customers and for their customers' site visitors....read more

Service Vulnerabilities: 3 Hosting Companies Fix NFS Permissions Problem

This entry was posted in Vulnerabilities, WordPress Security on February 8, 2018 by Brad Haas   37 Replies

In mid-December we updated our Vulnerability Disclosure Policy to include Service Vulnerabilities. A service vulnerability is any issue with a technology service that represents an exploitable security risk for its users. We made this update in response to a growing trend of security issues we've been discovering in commercial services, most often WordPress hosting providers....read more

New Service Vulnerability Disclosure Policy

This entry was posted in Vulnerabilities, Wordfence, WordPress Security on December 13, 2017 by Dan Moen   49 Replies

The Wordfence team regularly discovers security issues with commercial services, such as WordPress hosting providers, that put their users at risk. In some cases, the issue is quite severe, putting thousands of websites at risk simultaneously. In these instances, our standard approach has been to contact the service provider directly, provide them with the details and work with them toward resolution. Lately these issues have become more common, so we've decided to formalize our approach going forward, updating our Vulnerability Disclosure Policy to specifically address these scenarios....read more

Vulnerabilities in Formidable Forms, Duplicator and Yoast SEO Plugins

This entry was posted in Vulnerabilities, WordPress Security on November 16, 2017 by Mark Maunder   16 Replies

Vulnerabilities have been reported in the Formidable Forms, Duplicator and Yoast SEO WordPress plugins. The Premium version of Wordfence protects against all of these vulnerabilities, even if you have not updated your plugins yet. We do recommend that you update immediately, whether or not you are using the Premium version of Wordfence....read more

Zero Day Vulnerability Fixed in Ultimate Form Builder Lite

This entry was posted in Vulnerabilities, WordPress Security on October 23, 2017 by Brad Haas   2 Replies

Last month, we identified three plugins with critical object injection vulnerabilities, all being exploited in the wild. We deployed new and improved firewall rules to block that kind of exploit....read more

Get the latest WordPress security updates and news

Sign up for WordPress security alerts, Wordfence product updates and security news via email.