Category Archive: Vulnerabilities
This entry was posted in General Security, Vulnerabilities on September 06, 2018 by Mikey Veenstra 2 Replies
In an advisory published yesterday, Mozilla disclosed the presence of nine security flaws in Firefox 61 which have been patched in the latest release of the browser. Some of the bugs are severe, but at this time do not appear to be receiving attacks in the wild. To protect yourself as a Firefox user, ensure …
Read More
This entry was posted in Vulnerabilities, WordPress Security on September 05, 2018 by Mikey Veenstra 3 Replies
A critical remote code execution (RCE) vulnerability has been patched in the latest release of Duplicator, a WordPress backup and migration plugin with millions of downloads. In their public disclosure of this flaw, Synacktiv detailed its scope and severity, and provided a viable proof of concept exploit for the security community. In this post we’ll …
Read More
This entry was posted in Vulnerabilities, WordPress Security on August 28, 2018 by Mikey Veenstra 1 Reply
Yesterday, the popular WordPress plugin Ninja Forms released version 3.3.14, which disclosed and patched two security issues present in the plugin. Upon review of these issues we’ve determined their severity to be moderately low, however due to the plugin’s wide userbase of more than a million active installs we’ve elected to provide a detailed exploration …
Read More
This entry was posted in Vulnerabilities, Wordfence, WordPress Security on July 05, 2018 by Matt Barry 4 Replies
Today WordPress released version 4.9.7, a security release which addresses two separate arbitrary file deletion vulnerabilities requiring Author privileges. Some details can be found on the WordPress.org blog. The first arbitrary file deletion vulnerability was disclosed June 26, 2018 on the RIPS Tech blog with no official patch to WordPress in place. We released a …
Read More
This entry was posted in Vulnerabilities, WordPress Security on June 27, 2018 by Mikey Veenstra 41 Replies
The security community has been abuzz this week following the disclosure of a vulnerability present in all current versions of WordPress. The flaw, published in a detailed report by RIPS Technologies, allows any logged-in user with an Author role or higher to delete files on the server. By exploiting this arbitrary file deletion vulnerability, malicious …
Read More
This entry was posted in Research, Vulnerabilities on March 30, 2018 by Brad Haas 0 Replies
In February, we wrote about a vulnerability on three shared hosting services. Following our Vulnerability Disclosure Policy, we had alerted them about vulnerable permissions on shared drives on their servers. They fixed the problem, making things safer both for their customers and for their customers’ site visitors. During the past month we noticed the same kind …
Read More
This entry was posted in Vulnerabilities, WordPress Security on February 08, 2018 by Brad Haas 37 Replies
In mid-December we updated our Vulnerability Disclosure Policy to include Service Vulnerabilities. A service vulnerability is any issue with a technology service that represents an exploitable security risk for its users. We made this update in response to a growing trend of security issues we’ve been discovering in commercial services, most often WordPress hosting providers. …
Read More
This entry was posted in Vulnerabilities, Wordfence, WordPress Security on December 13, 2017 by Dan Moen 49 Replies
The Wordfence team regularly discovers security issues with commercial services, such as WordPress hosting providers, that put their users at risk. In some cases, the issue is quite severe, putting thousands of websites at risk simultaneously. In these instances, our standard approach has been to contact the service provider directly, provide them with the details …
Read More
This entry was posted in Vulnerabilities, WordPress Security on November 16, 2017 by Mark Maunder 16 Replies
Vulnerabilities have been reported in the Formidable Forms, Duplicator and Yoast SEO WordPress plugins. The Premium version of Wordfence protects against all of these vulnerabilities, even if you have not updated your plugins yet. We do recommend that you update immediately, whether or not you are using the Premium version of Wordfence. The details of …
Read More
This entry was posted in Vulnerabilities, WordPress Security on October 23, 2017 by Brad Haas 2 Replies
Last month, we identified three plugins with critical object injection vulnerabilities, all being exploited in the wild. We deployed new and improved firewall rules to block that kind of exploit. While analyzing our attack data, we recently discovered that hackers were actively exploiting a similar vulnerability in the Contact Form for WordPress – Ultimate Form Builder …
Read More
Protect your websites with the #1 WordPress Security Plugin
Get Premium
Over 100 million downloads