Updates on WordPress security, Wordfence and what we're cooking in the lab today.

Category Archive: WordPress Security

Wordfence Blog

Zero-Day Vulnerability in Yellow Pencil Visual Theme Customizer Exploited in the Wild

This entry was posted in Vulnerabilities, WordPress Security on April 11, 2019 by James   5 Replies

On Monday the WordPress plugin Yellow Pencil Visual Theme Customizer was closed in the WordPress.org plugin repository. The plugin is quite popular, with an active install base of over 30,000 websites. On Tuesday a security researcher made the irresponsible and dangerous decision to publish a blog post including a proof of concept (POC) detailing how …
Read More

Yuzo Related Posts Zero-Day Vulnerability Exploited in the Wild

This entry was posted in Vulnerabilities, WordPress Security on April 10, 2019 by Dan Moen   27 Replies

The Yuzo Related Posts plugin, which is installed on over 60,000 websites, was removed from the WordPress.org plugin directory on March 30, 2019 after an unpatched vulnerability was publicly, and irresponsibly, disclosed by a security researcher that same day. The vulnerability, which allows stored cross-site scripting (XSS), is now being exploited in the wild. These …
Read More

Peculiar PHP Present In Popular Pipdig Power Pack (P3) Plugin

This entry was posted in Research, WordPress Security on March 29, 2019 by Mikey Veenstra   36 Replies

This week, our team was notified of suspicious code present in a plugin offered alongside themes sold by Pipdig, a UK-based web development team. The user, who wishes to remain anonymous, reached out to us with concerns that the plugin’s developer can grant themselves administrative access to sites using the plugin, or even delete affected …
Read More

Recent Social Warfare Vulnerability Allowed Remote Code Execution

This entry was posted in Vulnerabilities, WordPress Security on March 25, 2019 by Mikey Veenstra   3 Replies

In posts last week, we detailed a vulnerability in the Social Warfare plugin, and discussed the attack campaigns against it. These issues were reported widely as Cross Site Scripting (XSS) flaws, due to an unexpected disclosure and proof of concept released by an unnamed researcher. Our Threat Intelligence team quickly released a firewall rule to mitigate impact …
Read More

Social Warfare Plugin Zero-Day: Details and Attack Data

This entry was posted in Vulnerabilities, WordPress Security on March 21, 2019 by Mikey Veenstra   6 Replies

In our earlier post, we issued a warning to users of the Social Warfare plugin regarding a zero-day vulnerability affecting their sites. At this time, the plugin’s developers have issued a patch for the flaw. All users are urged to update to version 3.5.3 immediately. Vulnerability Details The plugin features functionality that allows users to …
Read More

Unpatched Zero-Day Vulnerability in Social Warfare Plugin Exploited In The Wild

This entry was posted in Vulnerabilities, WordPress Security on March 21, 2019 by Mikey Veenstra   3 Replies

Earlier today, an unnamed security researcher published a full disclosure of a stored Cross-Site Scripting (XSS) vulnerability present in the most recent version of popular WordPress plugin Social Warfare. The plugin, which was subsequently removed from the WordPress.org plugin repository, has an active install base of over 70,000 sites. The flaw allows attackers to inject …
Read More

Hackers Abusing Recently Patched Vulnerability In Easy WP SMTP Plugin

This entry was posted in Research, Vulnerabilities, WordPress Security on March 20, 2019 by Mikey Veenstra   25 Replies

Over the weekend, a vulnerability was disclosed and patched in the popular WordPress plugin Easy WP SMTP. The plugin allows users to configure SMTP connections for outgoing email, and has a userbase of over 300,000 active installs. The vulnerability is only present in version 1.3.9 of the plugin, and all of the plugin’s users should …
Read More

XSS Vulnerability in Abandoned Cart Plugin Leads To WordPress Site Takeovers

This entry was posted in Research, Vulnerabilities, WordPress Security on March 11, 2019 by Mikey Veenstra   6 Replies

Last month, a stored cross-site scripting (XSS) flaw was patched in version 5.2.0 of the popular WordPress plugin Abandoned Cart Lite For WooCommerce. The plugin, which we’ll be referring to by its slug woocommerce-abandoned-cart, allows the owners of WooCommerce sites to track abandoned shopping carts in order to recover those sales. A lack of sanitation on …
Read More

Vulnerabilities Patched in WP Cost Estimation Plugin

This entry was posted in Research, Vulnerabilities, WordPress Security on February 13, 2019 by Mikey Veenstra   2 Replies

At the end of January, Wordfence security analysts identified attackers exploiting vulnerabilities in outdated versions of the commercial plugin WP Cost Estimation & Payment Forms Builder, or WP Cost Estimation for short. These flaws were found and patched by the developer a few months ago, but no official public disclosure was made at the time. Following …
Read More

WordPress Sites Compromised via Zero-Day Vulnerabilities in Total Donations Plugin

This entry was posted in Research, Vulnerabilities, WordPress Security on January 25, 2019 by Mikey Veenstra   6 Replies

The Wordfence Threat Intelligence team recently identified multiple critical vulnerabilities in the commercial Total Donations plugin for WordPress. These vulnerabilities, present in all known versions of the plugin up to and including 2.0.5, are being exploited by malicious actors to gain administrative access to affected WordPress sites. We have reserved CVE-2019-6703 to track and reference these vulnerabilities …
Read More

Follow Us

      


Protect your websites with the #1 WordPress Security Plugin

Get Premium
Over 100 million downloads

Wordfence Newsletter

Get WordPress Security Alerts and Product Updates