Updates on CyberSecurity, WordPress and what we're cooking in the lab today.

As you probably know we launched Gravityscan this May. Gravityscan is a security scanner for any website that serves as a great complement to Wordfence. Yesterday we were analyzing aggregate scan result data from Gravityscan, and we noticed data that surprised us: 12.8% of sites we scan have at least one sensitive file visible to anyone on the internet....read more

We have received a number of questions regarding the Postman SMTP plugin which was removed from the WordPress.org directory this week. According to an archived snapshot, the plugin is installed on over 100,000 websites. We assume it was removed because it contains a publicly known reflected cross-site scripting (XSS) vulnerability that has not been fixed. Both Wordfence Free and Premium users who have the firewall enabled have been protected against attempts to exploit this vulnerability from day one. In addition, we alerted all Wordfence users who have the plugin installed when it was removed from the plugin directory....read more

As part of our site cleaning service, our security analysts track down the method the attacker used to compromise the site. Often this involves quite a bit of investigative work, and recently it led us to find 0-day exploits in three separate plugins. The exploits were elusive: a malicious file seemed to appear out of nowhere, and even sites with access logs only showed a POST request to /wp-admin/admin-ajax.php at the time the file was created. But we captured the attacks in our threat data, and our lead developer Matt Barry was able to reconstruct the exploits. We quickly pushed new WAF rules to block these exploits. Premium customers received the new rules and were protected immediately. We also notified the plugin authors; all three have published updates to fix the vulnerabilities....read more

A reflected cross site scripting vulnerability has been reported in a premium WordPress plugin for WooCommerce known as the 'Product Vendors' plugin. This plugin is used by 28% of all online WooCommerce stores. Update: As a commenter pointed out, WooCommerce is used by 28% of all online stores, not the affected extension....read more

We have seen a significant increase in the number of websites affected by malware we refer to as 'TrafficTrade'. This malware is a piece of javascript that an attacker drops into your website content once they have compromised it. Your visitors are then redirected to websites that install malicious browser plugins or serve up spam advertising....read more

Imagine that one day you discover that a burglar has broken into your home and attempted to make off with your big-screen TV. Fearing for your safety, you immediately contact local law enforcement, and they promptly apprehend the criminal. But to your horror, as they drag the burglar away in handcuffs, they have an additional shocking revelation: the burglar has not only been living in the basement of your home for months, entirely undetected by you, but he's also converted your basement into an elaborate base for all of his criminal operations. ...read more

WordPress 4.7.3 has just been released. It is the third in a series of recent security releases for WordPress core....read more

Yesterday we published numbers indicating how widespread the defacement campaign is targeting the REST-API vulnerability recently fixed in WordPress 4.7.2. If you have not updated to 4.7.2 already on all sites you operate, do so immediately. If you are using Wordfence Premium, you are already protected....read more

In this report we share data on the ongoing flood of WordPress REST-API exploits we are seeing in the wild. We include data on 20 different site defacement campaigns we are currently tracking....read more

WordPress 4.7.1 was released on Wednesday. It contains 8 security fixes including a fix for the PHPMailer issue, which we reported on in late December....read more