This entry was posted in Vulnerabilities, Wordfence, WordPress Security on December 13, 2017 by Dan Moen 49 Replies
The Wordfence team regularly discovers security issues with commercial services, such as WordPress hosting providers, that put their users at risk. In some cases, the issue is quite severe, putting thousands of websites at risk simultaneously. In these instances, our standard approach has been to contact the service provider directly, provide them with the details …
Read More
This entry was posted in Vulnerabilities, WordPress Security on November 16, 2017 by Mark Maunder 16 Replies
Vulnerabilities have been reported in the Formidable Forms, Duplicator and Yoast SEO WordPress plugins. The Premium version of Wordfence protects against all of these vulnerabilities, even if you have not updated your plugins yet. We do recommend that you update immediately, whether or not you are using the Premium version of Wordfence. The details of …
Read More
This entry was posted in Vulnerabilities, WordPress Security on October 23, 2017 by Brad Haas 2 Replies
Last month, we identified three plugins with critical object injection vulnerabilities, all being exploited in the wild. We deployed new and improved firewall rules to block that kind of exploit. While analyzing our attack data, we recently discovered that hackers were actively exploiting a similar vulnerability in the Contact Form for WordPress – Ultimate Form Builder …
Read More
This entry was posted in Vulnerabilities, WordPress Security on October 12, 2017 by Dan Moen 5 Replies
As you probably know we launched Gravityscan this May. Gravityscan is a security scanner for any website that serves as a great complement to Wordfence. Yesterday we were analyzing aggregate scan result data from Gravityscan, and we noticed data that surprised us: 12.8% of sites we scan have at least one sensitive file visible to …
Read More
This entry was posted in Vulnerabilities, Wordfence, WordPress Security on October 06, 2017 by Dan Moen 24 Replies
We have received a number of questions regarding the Postman SMTP plugin which was removed from the WordPress.org directory this week. According to an archived snapshot, the plugin is installed on over 100,000 websites. We assume it was removed because it contains a publicly known reflected cross-site scripting (XSS) vulnerability that has not been fixed. …
Read More
This entry was posted in Vulnerabilities, WordPress Security on October 02, 2017 by Brad Haas 6 Replies
As part of our site cleaning service, our security analysts track down the method the attacker used to compromise the site. Often this involves quite a bit of investigative work, and recently it led us to find 0-day exploits in three separate plugins. The exploits were elusive: a malicious file seemed to appear out of …
Read More
This entry was posted in Vulnerabilities, WordPress Security on August 31, 2017 by Mark Maunder 3 Replies
A reflected cross site scripting vulnerability has been reported in a premium WordPress plugin for WooCommerce known as the ‘Product Vendors‘ plugin. This plugin is used by 28% of all online WooCommerce stores. Update: As a commenter pointed out, WooCommerce is used by 28% of all online stores, not the affected extension. Product Vendors version …
Read More
This entry was posted in Vulnerabilities, Wordfence, WordPress Security on August 08, 2017 by Mark Maunder 37 Replies
We have seen a significant increase in the number of websites affected by malware we refer to as ‘TrafficTrade’. This malware is a piece of javascript that an attacker drops into your website content once they have compromised it. Your visitors are then redirected to websites that install malicious browser plugins or serve up spam …
Read More
This entry was posted in Vulnerabilities, WordPress Security on June 22, 2017 by Andie 12 Replies
Imagine that one day you discover that a burglar has broken into your home and attempted to make off with your big-screen TV. Fearing for your safety, you immediately contact local law enforcement, and they promptly apprehend the criminal. But to your horror, as they drag the burglar away in handcuffs, they have an additional shocking revelation: …
Read More
This entry was posted in Vulnerabilities, WordPress Security on March 06, 2017 by Mark Maunder 5 Replies
WordPress 4.7.3 has just been released. It is the third in a series of recent security releases for WordPress core. WordPress 4.7.2 was released on January 26th to fix a now famous WordPress defacement vulnerability. WordPress 4.7.1 was released on January 11th which fixed a vulnerability in PHPMailer. This new 4.7.3 core release fixes three …
Read More
