Updates on WordPress security, Wordfence and what we're cooking in the lab today.

Category Archive: WordPress Security

Wordfence Blog

PHP 8: What WordPress Users Need to Know

This entry was posted in WordPress Security on November 23, 2020 by Ram Gall   14 Replies

PHP 8.0 is set to be released on November 26, 2020. As the programming language powering WordPress sites, PHP’s latest version offers new features that developers will find useful and improvements that promise to greatly enhance security and performance in the long run. It also fully removes a number of previously deprecated functions. PHP 8 …

Wordfence Site Cleaning Guarantee Extended to 1 Year

This entry was posted in Wordfence, WordPress Security on November 19, 2020 by Kathy Zant   0 Replies

Today, we’re pleased to announce that all customers of Wordfence site cleaning services receive a 1-year clean site guarantee. If your site is compromised again after our team has cleaned and secured your WordPress site, we’ll clean it again for free. Additionally, we’re expanding our Security Services Team coverage to 24/7 effective immediately. The Wordfence …

Large-Scale Attacks Target Epsilon Framework Themes

This entry was posted in Research, Vulnerabilities, WordPress Security on November 17, 2020 by Ram Gall   6 Replies

On November 17, 2020, our Threat Intelligence team noticed a large-scale wave of attacks against recently reported Function Injection vulnerabilities in themes using the Epsilon Framework, which we estimate are installed on over 150,000 sites. So far today, we have seen a surge of more than 7.5 million attacks against more than 1.5 million sites …

Critical Privilege Escalation Vulnerabilities Affect 100K Sites Using Ultimate Member Plugin

This entry was posted in Research, Vulnerabilities, WordPress Security on November 09, 2020 by Chloe Chamberland   4 Replies

On October 23, 2020, our Threat Intelligence team responsibly disclosed several vulnerabilities in Ultimate Member, a WordPress plugin installed on over 100,000 sites. These flaws made it possible for attackers to escalate their privileges to those of an administrator and take over a WordPress site. We initially reached out to the plugin’s developer on October …

Object Injection Vulnerability in Welcart e-Commerce Plugin

This entry was posted in Research, Vulnerabilities, WordPress Security on November 05, 2020 by Ram Gall   2 Replies

On October 6, 2020, our Threat Intelligence team discovered a High-Severity Object Injection vulnerability in Welcart e-Commerce, a WordPress plugin with over 20,000 installations that claims top market share in Japan. After we finished our investigation, we contacted the plugin’s publisher, Collne Inc. on October 9, 2020. Full disclosure was sent on October 12, 2020, …

Unpacking the WordPress 5.5.2/5.5.3 Security Release

This entry was posted in WordPress Security on November 02, 2020 by Chloe Chamberland   0 Replies

On Thursday, October 29, the WordPress core team released WordPress version 5.5.2. This was a minor release containing bug fixes and security enhancements to the core WordPress content management system powering over one-third of the internet. There was a subsequent 5.5.3 release one day later; you can read about the emergency WP 5.5.3 release here. …

Emergency WP 5.5.3 Release

This entry was posted in WordPress Security on October 30, 2020 by Matt Barry   26 Replies

The WordPress core team has released an emergency release of WordPress 5.5.3, just one day after the release of version 5.5.2. This emergency release was done to remedy an issue introduced in WordPress 5.5.2 making it impossible to install WordPress on a brand new website without a database connection configured. In preparing for this emergency …

High Severity Vulnerability Patched in Child Theme Creator by Orbisius

This entry was posted in Research, Vulnerabilities, WordPress Security on October 14, 2020 by Chloe Chamberland   0 Replies

On September 9, 2020, our Threat Intelligence team discovered a vulnerability in Child Theme Creator by Orbisius, a WordPress plugin installed on over 30,000 sites. This flaw gave attackers the ability to forge requests on behalf of an administrator in order to modify arbitrary theme files and create new PHP files, which could allow an …

Vulnerability Exposes Over 4 Million Sites Using WPBakery

This entry was posted in Research, Vulnerabilities, WordPress Security on October 07, 2020 by Chloe Chamberland   22 Replies

On July 27th, our Threat Intelligence team discovered a vulnerability in WPBakery, a WordPress plugin installed on over 4.3 million sites. This flaw made it possible for authenticated attackers with contributor-level or above permissions to inject malicious JavaScript in posts. We initially reached out to the plugin’s team on July 28, 2020 through their support …

High Severity Vulnerabilities in Post Grid and Team Showcase Plugins

This entry was posted in Research, Vulnerabilities, WordPress Security on October 05, 2020 by Ram Gall   0 Replies

On September 14, 2020, our Threat Intelligence team discovered two high severity vulnerabilities in Post Grid, a WordPress plugin with over 60,000 installations. While investigating one of these vulnerabilities, we discovered that almost identical vulnerabilities were also present in Team Showcase, a separate plugin by the same author with over 6,000 installations. We initially reached …
