This entry was posted in Research, Vulnerabilities, WordPress Security on October 26, 2021 by Ram Gall 6 Replies
Update: a previous version of this article incorrectly indicated that this vulnerability could be used for site takeover, we have updated this for accuracy, as the impact is instead complete loss of site content. Note: To receive disclosures like this in your inbox the moment they’re published, you can subscribe to our WordPress Security Mailing …
Read More
This entry was posted in Research, Vulnerabilities, WordPress Security on October 20, 2021 by Chloe Chamberland 7 Replies
Update: This article has been updated for accuracy: while we initially did create a rule to block this vulnerability we later found that the vulnerability was already blocked by an existing rule. Note: To receive disclosures like this in your inbox the moment they’re published, you can subscribe to our WordPress Security Mailing List. In …
Read More
This entry was posted in Research, Vulnerabilities, WordPress Security on October 13, 2021 by Ram Gall 0 Replies
Note: To receive disclosures like this in your inbox the moment they’re published, you can subscribe to our WordPress Security Mailing List. On August 19, 2021, the Wordfence Threat Intelligence team initiated the Responsible Disclosure process for Brizy – Page Builder, a WordPress plugin installed on over 90,000 sites. During a routine review of our …
Read More
This entry was posted in Research, Vulnerabilities, WordPress Security on October 06, 2021 by Chloe Chamberland 0 Replies
Note: To receive disclosures like this in your inbox the moment they’re published, you can subscribe to our WordPress Security Mailing List. On August 9, 2021, the Wordfence Threat Intelligence team attempted to initiate the responsible disclosure process for a vulnerability that we discovered in Access Demo Importer, a WordPress plugin installed on over 20,000 …
Read More
This entry was posted in Research, Vulnerabilities, WordPress Security on September 29, 2021 by Ram Gall 0 Replies
Today’s post is part two of a two part blog post. It describes a cross site scripting vulnerability in the Easy Social Icons plugin that exploits the PHP_SELF variable. In yesterday’s post, we described another plugin, underConstruction, suffering from a similar vulnerability related to the use of PHP_SELF. On August 16, 2021, the Wordfence Threat …
Read More
This entry was posted in Research, Vulnerabilities, WordPress Security on September 28, 2021 by Ram Gall 4 Replies
Today’s post is part one of a two part blog post. It describes a cross site scripting vulnerability that exploits the PHP_SELF variable. Tomorrow we will publish part two, which describes another plugin suffering from a similar vulnerability related to the use of PHP_SELF. So be sure to look out for that post via our …
Read More
This entry was posted in Research, Vulnerabilities, WordPress Security on September 22, 2021 by Chloe Chamberland 0 Replies
On August 3, 2021 the Wordfence Threat Intelligence team initiated the responsible disclosure process for two vulnerabilities that were discovered in Ninja Forms, a WordPress plugin installed on over 1,000,000 sites. These flaws made it possible for an attacker to export sensitive information and send arbitrary emails from a vulnerable site that could be used …
Read More
This entry was posted in Research, Vulnerabilities, WordPress Security on September 01, 2021 by Ram Gall 3 Replies
On August 3, 2021, the Wordfence Threat Intelligence team initiated the disclosure process for two vulnerabilities we discovered in the Gutenberg Template Library & Redux Framework plugin, which is installed on over 1 million WordPress sites. One vulnerability allowed users with lower permissions, such as contributors, to install and activate arbitrary plugins and delete any …
Read More
This entry was posted in Research, Vulnerabilities, WordPress Security on August 25, 2021 by Ram Gall 0 Replies
On August 13, 2021, the Wordfence Threat Intelligence team responsibly disclosed two vulnerabilities in Nested Pages, a WordPress plugin installed on over 80,000 sites that provides drag and drop functionality to manage your page structure and post ordering. These vulnerabilities included a Cross-Site Request Forgery vulnerability that allowed posts and pages to be deleted, unpublished …
Read More
This entry was posted in Research, Vulnerabilities, WordPress Security on August 24, 2021 by Chloe Chamberland 12 Replies
On July 30, 2021 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability that we discovered in Booster for WooCommerce, a WordPress plugin installed on over 80,000 sites. This flaw made it possible for an attacker to log in as any user, as long as certain options were enabled in the …
Read More
