This entry was posted in Vulnerabilities, WordPress Security on March 26, 2020 by Ram Gall 2 Replies
On February 28, 2020, the Wordfence Threat Intelligence team became aware of a newly patched stored Cross-Site Scripting (XSS) vulnerability in IMPress for IDX Broker, a WordPress plugin with over 10,000 installations. Although all Wordfence users, including those still using the free version of Wordfence, were already protected from this vulnerability by the Web Application …
Read More
This entry was posted in Vulnerabilities, WordPress Security on March 24, 2020 by Chloe Chamberland 0 Replies
A few weeks ago, we disclosed several flaws that were patched in the Pricing Table by Supsystic plugin. On January 20th, our Threat Intelligence team discovered several similar vulnerabilities present in another product from Supsystic: Data Tables Generator by Supsystic, a WordPress plugin installed on over 30,000 sites. These flaws were very similar and allowed …
Read More
This entry was posted in Vulnerabilities, WordPress Security on March 18, 2020 by Chloe Chamberland 0 Replies
On March 2nd, our Threat Intelligence team discovered several vulnerable endpoints in Responsive Ready Sites Importer, a WordPress plugin installed on over 40,000 sites. These flaws allowed any authenticated user, regardless of privilege level, the ability to execute various AJAX actions that could reset site data, inject malicious JavaScript in pages, modify theme customizer data, …
Read More
This entry was posted in Vulnerabilities, WordPress Security on March 12, 2020 by Ram Gall 5 Replies
On March 4th, our Threat Intelligence team discovered several vulnerabilities in Popup Builder, a WordPress plugin installed on over 100,000 sites. One vulnerability allowed an unauthenticated attacker to inject malicious JavaScript into any published popup, which would then be executed whenever the popup loaded. The other vulnerability allowed any logged-in user, even those with minimal …
Read More
This entry was posted in Vulnerabilities, WordPress Security on March 09, 2020 by Chloe Chamberland 0 Replies
On February 18th, we were alerted to a vulnerability present in ThemeREX Addons, a WordPress plugin installed on approximately 44,000 sites. We took immediate action to release a firewall rule to protect Wordfence Premium users. As this vulnerability was being actively attacked, we also publicly notified the community of the vulnerability to help protect users …
Read More
This entry was posted in Vulnerabilities, WordPress Security on March 06, 2020 by Ram Gall 2 Replies
The Wordfence Threat Intelligence team is tracking a series of attacks against an unpatched vulnerability in the Custom Searchable Data Entry System plugin for WordPress. The estimated 2,000+ sites running the plugin are vulnerable to Unauthenticated Data Modification and Deletion, including the potential to delete the entire contents of any table in a vulnerable site’s …
Read More
This entry was posted in Vulnerabilities, WordPress Security on March 05, 2020 by Ram Gall 3 Replies
On February 24th, our Threat Intelligence team discovered several critical vulnerabilities in RegistrationMagic, a WordPress plugin installed on over 10,000 sites, including the vendor’s own site. These allowed an attacker with subscriber-level permissions to elevate their account’s privileges to those of an administrator and to export every form on the site, including all the data …
Read More
This entry was posted in Vulnerabilities, WordPress Security on March 04, 2020 by Mikey Veenstra 0 Replies
Description: Unauthenticated Coupon Creation Affected Plugin: WooCommerce Smart Coupons Affected Plugin Slug: woocommerce-smart-coupons Affected Versions: <= 4.6.0 CVSS Score: 5.3 (Medium) CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Patched Version: 4.6.5 Late last month a patch was released for WooCommerce Smart Coupons, a commercial WooCommerce plugin that helps store managers handle coupons and gift certificates. In vulnerable versions of the …
Read More
This entry was posted in General Security, WordPress Security on March 03, 2020 by Kathy Zant 5 Replies
On Wednesday, March 4, 2020, 3 million Transport Layer Security (TLS) certificates issued by Let’s Encrypt will be revoked because of a Certificate Authority Authorization (CAA) bug. This is 2.6% of the over 116 million active certificates issued by Let’s Encrypt. Let’s Encrypt has contacted all certificate holders affected by this bug, and they’ve created …
Read More
This entry was posted in Vulnerabilities, WordPress Security on February 27, 2020 by Mikey Veenstra 3 Replies
Early yesterday, the Flexible Checkout Fields for WooCommerce plugin received a critical update to patch a zero-day vulnerability which allowed attackers to modify the plugin’s settings. As our Threat Intelligence team researched the scope of this attack campaign, we discovered three additional zero-day vulnerabilities in popular WordPress plugins that are being exploited as a part of this …
Read More
