Updates on WordPress security, Wordfence and what we're cooking in the lab today.

Category Archive: Vulnerabilities

New Service Vulnerability Disclosure Policy

This entry was posted in Vulnerabilities, Wordfence, WordPress Security on December 13, 2017 by Dan Moen   49 Replies

The Wordfence team regularly discovers security issues with commercial services, such as WordPress hosting providers, that put their users at risk. In some cases, the issue is quite severe, putting thousands of websites at risk simultaneously. In these instances, our standard approach has been to contact the service provider directly, provide them with the details …

Vulnerabilities in Formidable Forms, Duplicator and Yoast SEO Plugins

This entry was posted in Vulnerabilities, WordPress Security on November 16, 2017 by Mark Maunder   16 Replies

Vulnerabilities have been reported in the Formidable Forms, Duplicator and Yoast SEO WordPress plugins. The Premium version of Wordfence protects against all of these vulnerabilities, even if you have not updated your plugins yet. We do recommend that you update immediately, whether or not you are using the Premium version of Wordfence. The details of …

Zero Day Vulnerability Fixed in Ultimate Form Builder Lite

This entry was posted in Vulnerabilities, WordPress Security on October 23, 2017 by Brad Haas   2 Replies

Last month, we identified three plugins with critical object injection vulnerabilities, all being exploited in the wild. We deployed new and improved firewall rules to block that kind of exploit. While analyzing our attack data, we recently discovered that hackers were actively exploiting a similar vulnerability in the Contact Form for WordPress – Ultimate Form Builder …

12.8% of Sites Have Sensitive File Disclosure Vulnerabilities

This entry was posted in Vulnerabilities, WordPress Security on October 12, 2017 by Dan Moen   5 Replies

As you probably know, we launched Gravityscan this May. Gravityscan is a security scanner for any website that serves as a great complement to Wordfence. Yesterday we were analyzing aggregate scan result data from Gravityscan, and we noticed data that surprised us: 12.8% of sites we scan have at least one sensitive file visible to …

Postman SMTP Plugin With Unpatched Vulnerability Removed From Directory

This entry was posted in Vulnerabilities, Wordfence, WordPress Security on October 06, 2017 by Dan Moen   24 Replies

We have received a number of questions regarding the Postman SMTP plugin which was removed from the WordPress.org directory this week. According to an archived snapshot, the plugin is installed on over 100,000 websites. We assume it was removed because it contains a publicly known reflected cross-site scripting (XSS) vulnerability that has not been fixed. …

3 Zero-Day Plugin Vulnerabilities Being Exploited In The Wild

This entry was posted in Vulnerabilities, WordPress Security on October 02, 2017 by Brad Haas   6 Replies

As part of our site cleaning service, our security analysts track down the method the attacker used to compromise the site. Often this involves quite a bit of investigative work, and recently it led us to find 0-day exploits in three separate plugins. The exploits were elusive: a malicious file seemed to appear out of …

XSS Vulnerability in WooCommerce Product Vendors Plugin

This entry was posted in Vulnerabilities, WordPress Security on August 31, 2017 by Mark Maunder   3 Replies

A reflected cross-site scripting vulnerability has been reported in a premium WordPress plugin for WooCommerce known as the ‘Product Vendors’ plugin. This plugin is used by 28% of all online WooCommerce stores. Update: As a commenter pointed out, WooCommerce is used by 28% of all online stores, not the affected extension. Product Vendors version …

TrafficTrade Infection Spreading – How to Protect Yourself and Detect TrafficTrade

This entry was posted in Vulnerabilities, Wordfence, WordPress Security on August 08, 2017 by Mark Maunder   37 Replies

We have seen a significant increase in the number of websites affected by malware we refer to as ‘TrafficTrade’. This malware is a piece of JavaScript that an attacker drops into your website content once they have compromised it. Your visitors are then redirected to websites that install malicious browser plugins or serve up spam …

WSO Shell: The Hack Is Coming From Inside The House!

This entry was posted in Vulnerabilities, WordPress Security on June 22, 2017 by Andie   12 Replies

Imagine that one day you discover that a burglar has broken into your home and attempted to make off with your big-screen TV. Fearing for your safety, you immediately contact local law enforcement, and they promptly apprehend the criminal. But to your horror, as they drag the burglar away in handcuffs, they have an additional shocking revelation: …

WordPress 4.7.3 Security Release – Upgrade ASAP

This entry was posted in Vulnerabilities, WordPress Security on March 06, 2017 by Mark Maunder   5 Replies

WordPress 4.7.3 has just been released. It is the third in a series of recent security releases for WordPress core. WordPress 4.7.2 was released on January 26th to fix a now famous WordPress defacement vulnerability. WordPress 4.7.1 was released on January 11th, which fixed a vulnerability in PHPMailer. This new 4.7.3 core release fixes three …