Category Archive: WordPress Security
This entry was posted in Vulnerabilities, WordPress Security on May 13, 2021 by Ram Gall 7 Replies
On May 13, 2021 01:00 UTC, WordPress core released a security patch for a Critical Object Injection vulnerability in PHPMailer, the component that WordPress uses to send emails by default. If your site is set to allow auto updating of minor point releases, your site has probably already updated to WordPress 5.7.2. While we do …
Read More
This entry was posted in Research, Vulnerabilities, WordPress Security on May 13, 2021 by Chloe Chamberland 1 Reply
On February 2, 2021, our Threat Intelligence team responsibly disclosed the details of a vulnerability in External Media, a WordPress plugin used by over 8,000 sites. This flaw made it possible for authenticated users, such as subscribers, to upload arbitrary files on any site running the plugin. This vulnerability could be used to achieve remote …
Read More
This entry was posted in Research, Vulnerabilities, WordPress Security on May 03, 2021 by Ram Gall 0 Replies
On March 4, 2021, the Wordfence Threat Intelligence team initiated responsible disclosure for a Time-Based Blind SQL Injection vulnerability discovered in Spam protection, AntiSpam, FireWall by CleanTalk, a WordPress plugin installed on over 100,000 sites. This vulnerability could be used to extract sensitive information from a site’s database, including user emails and password hashes, all …
Read More
This entry was posted in Research, Vulnerabilities, WordPress Security on April 26, 2021 by Chloe Chamberland 2 Replies
On March 5, 2021, the Wordfence Threat Intelligence team wrapped up an investigation that led to the discovery of a privilege escalation vulnerability along with several additional vulnerabilities in Store Locator Plus, a WordPress plugin installed on over 9,000 sites. We initially reached out to the plugin’s developer on March 5, 2021. We received no …
Read More
This entry was posted in Research, Vulnerabilities, WordPress Security on April 21, 2021 by Chloe Chamberland 13 Replies
Today, April 21, 2021, the Wordfence Threat Intelligence team became aware of a critical 0-day vulnerability that is being actively exploited in Kaswara Modern WPBakery Page Builder Addons, a premium plugin that we estimate has over 10,000 installations. This vulnerability was reported this morning to WPScan by “Robin Goodfellow.” The exploited flaw makes it possible …
Read More
This entry was posted in Research, Vulnerabilities, WordPress Security on April 20, 2021 by Chloe Chamberland 6 Replies
On February 11, 2021, our Threat Intelligence team responsibly disclosed several vulnerabilities in Redirection for Contact Form 7, a WordPress plugin used by over 200,000 sites. One of these flaws made it possible for unauthenticated attackers to generate arbitrary nonces for any function. The second flaw made it possible for authenticated attackers to install arbitrary …
Read More
This entry was posted in Research, Vulnerabilities, WordPress Security on April 19, 2021 by Ram Gall 6 Replies
Over the past 10 days, Wordfence has blocked over 14 million attacks targeting Privilege Escalation Vulnerabilities in The Plus Addons for Elementor Pro on over 75% of sites reporting attacks during this period. By April 13, 2021, this campaign was targeting more sites than all other campaigns put together. Number of sites attacked per day …
Read More
This entry was posted in Research, Vulnerabilities, WordPress Security on April 13, 2021 by Ram Gall 6 Replies
This post has been updated with additional plugins that have been patched since its original publication. We will continue to add plugins as they are patched. Over the last few weeks, the Wordfence Threat Intelligence team has responsibly disclosed vulnerabilities in more than 15 of the most popular addon plugins for Elementor, which are collectively …
Read More
This entry was posted in Research, Vulnerabilities, WordPress Security on April 08, 2021 by Ram Gall 0 Replies
On February 15, 2021, the Wordfence Threat Intelligence team began the responsible disclosure process for several vulnerabilities in WP Page Builder, a plugin installed on over 10,000 sites. These vulnerabilities allowed any logged-in user, including subscribers, to access the page builder’s editor and make changes to existing posts on the site by default. Additionally, any …
Read More
This entry was posted in General Security, Wordfence, WordPress Security on April 07, 2021 by Chloe Chamberland 2 Replies
A few months ago on Wordfence Live, we reviewed some of the worst website hacks we’ve ever seen. Every one of them started with poor password choices and escalated into a disastrous event for the site owner. From these common hacks, we have many cautionary tales of site security that could have been prevented by …
Read More
Protect your websites with the #1 WordPress Security Plugin
Get Premium
Over 150 million downloads