Updates on WordPress security, Wordfence and what we're cooking in the lab today.

Category Archive: Vulnerabilities

Wordfence Blog

Unpacking The 7 Vulnerabilities Fixed in Today’s WordPress 5.4.1 Security Update

This entry was posted in Vulnerabilities, WordPress Security on April 29, 2020 by Ram Gall

WordPress Core version 5.4.1 has just been released. Since this release is marked as a combined security and bug fix update, we recommend updating as soon as possible. With that said, most of the security fixes themselves are for vulnerabilities that appear to require specific circumstances to exploit. All in all this release contains 7 …

High Severity Vulnerability Patched in Ninja Forms

This entry was posted in Research, Vulnerabilities, WordPress Security on April 29, 2020 by Ram Gall

On April 27, 2020, the Wordfence Threat Intelligence team discovered a Cross-Site Request Forgery (CSRF) vulnerability in Ninja Forms, a WordPress plugin with over 1 million installations. This vulnerability could allow an attacker to trick an administrator into importing a contact form containing malicious JavaScript and replace any existing contact form with the malicious version. We …

High-Severity Vulnerabilities Patched in LearnPress

This entry was posted in Vulnerabilities, WordPress Security on April 28, 2020 by Ram Gall

On March 16, 2020, LearnPress – WordPress LMS Plugin, a WordPress plugin with over 80,000 installations, patched a high-severity vulnerability that allowed subscriber-level users to elevate their permissions to those of an “LP Instructor”, a custom role with capabilities similar to the WordPress “author” role, including the ability to upload files and create posts containing …

High Severity Vulnerability Patched in Real-Time Find and Replace Plugin

This entry was posted in Research, Vulnerabilities, WordPress Security on April 27, 2020 by Chloe Chamberland

On April 22, 2020, our Threat Intelligence team discovered a vulnerability in Real-Time Find and Replace, a WordPress plugin installed on over 100,000 sites. This flaw could allow any user to inject malicious JavaScript anywhere on a site if they could trick a site’s administrator into performing an action, like clicking on a link in …

Critical Vulnerabilities Patched in MapPress Maps Plugin

This entry was posted in Vulnerabilities, WordPress Security on April 23, 2020 by Ram Gall

On April 1, 2020, the Wordfence Threat Intelligence Team discovered two vulnerabilities in MapPress Maps for WordPress, a WordPress plugin with over 80,000 installations. One vulnerability that allowed stored Cross-Site Scripting (XSS) was present in both the free and pro versions of the plugin, while a far more critical vulnerability that allowed Remote Code Execution …

Unpatched High-Severity Vulnerability in Widget Settings Importer/Exporter Plugin

This entry was posted in Vulnerabilities, WordPress Security on April 15, 2020 by Ram Gall

On March 12, 2020, our Threat Intelligence team discovered a stored Cross-Site Scripting (XSS) vulnerability in Widget Settings Importer/Exporter, a WordPress plugin with over 40,000 installations. This flaw allowed an authenticated attacker with minimal, subscriber-level permissions to import and activate custom widgets containing arbitrary JavaScript into a site with the plugin installed. We reached out …

Vulnerability Patched in Accordion Plugin

This entry was posted in Vulnerabilities, WordPress Security on April 14, 2020 by Chloe Chamberland

A few weeks ago, our Threat Intelligence team discovered a vulnerability in Accordion, a WordPress plugin installed on over 30,000 sites. This flaw allowed any authenticated user with subscriber-level or higher permissions to import a new accordion and inject malicious JavaScript into it. We initially reached out to the plugin’s …

Critical Vulnerabilities in the WP Lead Plus X WordPress Plugin

This entry was posted in Vulnerabilities, WordPress Security on April 07, 2020 by Ram Gall

On March 3, 2020, our Threat Intelligence team discovered a number of vulnerabilities in WP Lead Plus X, a WordPress plugin with over 70,000 installations designed to allow site owners to create landing and squeeze pages on their sites. These vulnerabilities allowed an authenticated attacker with minimal permissions, such as a subscriber, to create or …

High Severity Vulnerability Leads to Closure of Plugin with Over 100,000 Installations

This entry was posted in Vulnerabilities, WordPress Security on April 02, 2020 by Ram Gall

On April 1, 2020, the Wordfence Threat Intelligence team discovered a stored Cross-Site Scripting (XSS) vulnerability in Contact Form 7 Datepicker, a WordPress plugin installed on over 100,000 sites. As the plugin developer’s GitHub page indicated that the plugin was no longer being maintained, we contacted the WordPress plugins team with our disclosure, and …

Critical Vulnerabilities Affecting Over 200,000 Sites Patched in Rank Math SEO Plugin

This entry was posted in Vulnerabilities, WordPress Security on March 31, 2020 by Ram Gall

On March 23, 2020, our Threat Intelligence team discovered two vulnerabilities in WordPress SEO Plugin – Rank Math, a WordPress plugin with over 200,000 installations. The most critical vulnerability allowed an unauthenticated attacker to update arbitrary metadata, which included the ability to grant or revoke administrative privileges for any registered user on the site. The …
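The entries on this page keep returning to two root causes in WordPress plugins: an admin action that a forged request can trigger (the Ninja Forms and Real-Time Find and Replace CSRF entries), and a handler that low-privileged or unauthenticated users can reach because no capability check guards it (the Widget Settings Importer/Exporter, Accordion, WP Lead Plus X and Rank Math entries). The page does not show the affected plugin code, so the following is an added example, written for this listing and not taken from Wordfence or any plugin named above. It shows a deliberately weak import handler beside a hardened one using the checks WordPress already provides (`current_user_can`, `check_admin_referer`, `wp_kses_post`, and a REST `permission_callback` with an allowlist of writable meta keys). The `myplugin` slug, the action names and the `form_html`, `post_id`, `key` and `value` request fields are invented for illustration.

```php
<?php
/**
 * Plugin Name: Import Hardening Example
 *
 * Added example for this page, not code from Wordfence or from any plugin it
 * lists. All names below ("myplugin", the action names, the request fields)
 * are hypothetical. Runs inside a WordPress install as a plugin file.
 */

// --- Vulnerable pattern (kept short; do not ship this) ---
// wp_ajax_* runs for any logged-in user, so a subscriber can call it, and
// with no nonce an administrator can be made to call it by a forged request.
add_action( 'wp_ajax_myplugin_import_vuln', function () {
    $html = wp_unslash( $_POST['form_html'] ?? '' ); // raw, unsanitized
    update_option( 'myplugin_form', $html );           // stored XSS on render
    wp_send_json_success();
} );

// --- Hardened pattern ---
add_action( 'admin_post_myplugin_import', 'myplugin_handle_import' );

function myplugin_handle_import() {
    // 1. Authorization: only users who may manage the site can import.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', 403 );
    }
    // 2. CSRF: the request must carry a nonce minted for this action and user;
    //    check_admin_referer() dies with a 403 page if it is missing or stale.
    check_admin_referer( 'myplugin_import', '_wpnonce' );

    // 3. Input handling: keep only markup a post author could legitimately save.
    $html = wp_kses_post( wp_unslash( $_POST['form_html'] ?? '' ) );
    update_option( 'myplugin_form', $html );

    wp_safe_redirect( admin_url( 'options-general.php?page=myplugin&imported=1' ) );
    exit;
}

// Admin form whose submission the hardened handler accepts.
function myplugin_render_import_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="myplugin_import">';
    wp_nonce_field( 'myplugin_import', '_wpnonce' );
    echo '<textarea name="form_html"></textarea>';
    submit_button( 'Import' );
    echo '</form>';
}

// --- REST route: permission_callback plus an allowlist of writable meta keys ---
add_action( 'rest_api_init', function () {
    register_rest_route( 'myplugin/v1', '/post-meta', array(
        'methods'             => 'POST',
        'callback'            => 'myplugin_rest_update_meta',
        // Without a permission_callback the route is callable unauthenticated.
        'permission_callback' => function ( WP_REST_Request $request ) {
            return current_user_can( 'edit_post', (int) $request->get_param( 'post_id' ) );
        },
        'args' => array(
            'post_id' => array( 'required' => true, 'type' => 'integer' ),
            'key'     => array( 'required' => true, 'type' => 'string' ),
            'value'   => array( 'required' => true, 'type' => 'string' ),
        ),
    ) );
} );

function myplugin_rest_update_meta( WP_REST_Request $request ) {
    // Writing arbitrary meta keys is a privilege-escalation primitive:
    // WordPress stores a user's roles in user meta, and protected post meta
    // carries settings the caller should not control. Allowlist, never deny-list.
    $allowed = array( 'myplugin_seo_title', 'myplugin_seo_description' );
    $key     = $request->get_param( 'key' );
    if ( ! in_array( $key, $allowed, true ) ) {
        return new WP_Error( 'myplugin_bad_key', 'Meta key not permitted.', array( 'status' => 400 ) );
    }
    update_post_meta(
        (int) $request->get_param( 'post_id' ),
        $key,
        sanitize_text_field( $request->get_param( 'value' ) )
    );
    return rest_ensure_response( array( 'updated' => $key ) );
}
```

The two checks in the hardened handler are independent and both are needed: a nonce alone still lets a subscriber import content with their own valid nonce, and a capability check alone still lets an attacker ride an administrator's session. The REST example adds the third control the Rank Math entry points at: even an authenticated, authorized caller should only be able to write the keys the feature actually needs.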
