This entry was posted in Research, Vulnerabilities, WordPress Security on February 13, 2019 by Mikey Veenstra 2 Replies
At the end of January, Wordfence security analysts identified attackers exploiting vulnerabilities in outdated versions of the commercial plugin WP Cost Estimation & Payment Forms Builder, or WP Cost Estimation for short. These flaws were found and patched by the developer a few months ago, but no official public disclosure was made at the time. Following …
Read More
This entry was posted in Research, Vulnerabilities, WordPress Security on January 25, 2019 by Mikey Veenstra 6 Replies
The Wordfence Threat Intelligence team recently identified multiple critical vulnerabilities in the commercial Total Donations plugin for WordPress. These vulnerabilities, present in all known versions of the plugin up to and including 2.0.5, are being exploited by malicious actors to gain administrative access to affected WordPress sites. We have reserved CVE-2019-6703 to track and reference these vulnerabilities …
Read More
This entry was posted in Wordfence, WordPress Security on January 22, 2019 by Dan Moen 13 Replies
If you’ve never taken a few minutes to look at the information available in the Wordfence Live Traffic feature, I strongly recommend it. It gives you a detailed look at what attackers are trying to do to break into your site, and how Wordfence is blocking them. For today’s post we analyzed all of the …
Read More
This entry was posted in Vulnerabilities, WordPress Security on January 18, 2019 by Mikey Veenstra 10 Replies
As the most popular CMS on the market, one of the major draws of WordPress is a rich ecosystem of plugins made available by the community. The WordPress.org plugin repository makes the process of installing and updating plugins a seamless experience in the dashboard of a site, and a team of volunteers works to maintain …
Read More
This entry was posted in WordPress Security on December 13, 2018 by Dan Moen 12 Replies
WordPress 5.0.1 was released Wednesday night, less than a week after the much anticipated release of WordPress 5.0. This security release fixes seven security vulnerabilities, a few of which are quite serious. Sites running versions in the 4.x branch of WordPress core are also impacted by some of the issues. WordPress 4.9.9 was released along …
Read More
This entry was posted in General Security, Wordfence, WordPress Security on December 10, 2018 by Mark Maunder 3 Replies
This weekend I had a really fun conversation with Doc Pop from Torque Magazine. Torque is a great news source for WordPress news. They are part of WP Engine, but maintain editorial independence. I chatted with Doc in Nashville, in the Music City Center where WordCamp US was being held. Music City Center is an …
Read More
This entry was posted in Research, Wordfence, WordPress Security on December 05, 2018 by Mikey Veenstra 17 Replies
The Defiant Threat Intelligence team recently began tracking the behavior of an organized brute force attack campaign against WordPress sites. This campaign has created a botnet of infected WordPress websites to perform its attacks, which attempt XML-RPC authentication to other WordPress sites in order to access privileged accounts. Between Wordfence’s brute force protection and the premium real-time …
Read More
This entry was posted in Research, Vulnerabilities, WordPress Security on November 20, 2018 by Mikey Veenstra 19 Replies
News broke last week disclosing a number of vulnerabilities in the AMP For WP plugin, installed on over 100,000 WordPress sites. WordPress contributor Sybre Waaijer identified the security issue and confidentially disclosed it to the WordPress plugins team. To exploit the flaw, an attacker needs to have a minimum of subscriber-level access on a vulnerable site. The …
Read More
This entry was posted in Research, Vulnerabilities, WordPress Security on November 09, 2018 by Mikey Veenstra 19 Replies
Earlier this week the WP GDPR Compliance plugin was briefly removed from the WordPress.org repository after the discovery of critical security issues impacting its users. In yesterday’s post, we provided some details regarding these issues and illustrated their severity. In the hours since that post was published, our team has continued tracking the adversaries seeking …
Read More
This entry was posted in Vulnerabilities, WordPress Security on November 08, 2018 by Mikey Veenstra 23 Replies
After its removal from the WordPress plugin repository yesterday, the popular plugin WP GDPR Compliance released version 1.4.3, an update which patched multiple critical vulnerabilities. At the time of this writing, the plugin has been reinstated in the WordPress repository and has over 100,000 active installs. The reported vulnerabilities allow unauthenticated attackers to achieve privilege escalation, …
Read More
