Updates on WordPress security, Wordfence and what we're cooking in the lab today.

Category Archive: WordPress Security

Wordfence Blog

Recent WordPress Vulnerabilities Targeted by Malvertising Campaign

This entry was posted in Research, WordPress Security on July 22, 2019 by Mikey Veenstra   7 Replies

The Defiant Threat Intelligence team has identified a malvertising campaign which is causing victims’ sites to display unwanted popup ads and redirect visitors to malicious destinations, including tech support scams, malicious Android APKs, and sketchy pharmaceutical ads. This type of campaign is far from novel, but these attacks drew our attention. By targeting a few …

Critical Vulnerability Patched in Ad Inserter Plugin

This entry was posted in Research, Vulnerabilities, WordPress Security on July 15, 2019 by Sean Murphy   3 Replies

Description: Authenticated Remote Code Execution
Affected Plugin: Ad Inserter
Affected Versions: <= 2.4.21
CVSS Score: 9.9 (Critical)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

On Friday, July 12th, our Threat Intelligence team discovered a vulnerability present in Ad Inserter, a WordPress plugin installed on over 200,000 websites. The weakness allowed authenticated users (Subscribers and above) to execute arbitrary PHP …

Introducing the Wordfence Login Security Plugin

This entry was posted in Wordfence, WordPress Security on June 04, 2019 by Mark Maunder   16 Replies

Today we are excited to announce the release of a brand new plugin: Wordfence Login Security. This plugin is a completely standalone plugin and you don’t need to install the full version of Wordfence to take advantage of the specific security features included in it. Wordfence Login Security is designed by our team to secure …

Service Vulnerability: Four Popular Hosting Companies Fix NFS Permissions and Information Disclosure Problems

This entry was posted in Vulnerabilities, WordPress Security on June 03, 2019 by Brad Haas   7 Replies

Last year, we published two disclosures of service vulnerabilities on hosting platforms. The first one included a trio of brands: Hostway, Momentous, and Paragon Group. The second was for MelbourneIT. In all cases, we were happy to report that the affected companies took our disclosures seriously and moved quickly to fix the problems. Today we’re …

Critical Vulnerability Patched in Popular Convert Plus Plugin

This entry was posted in Vulnerabilities, WordPress Security on May 29, 2019 by Mikey Veenstra   3 Replies

Description: Unauthenticated Administrator Creation
CVSS v3.0 Score: 10.0 (Critical)
CVSS Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Affected Plugin: Convert Plus
Plugin Slug: convertplug
Affected Versions: <= 3.4.2
Patched Version: 3.4.3

On Friday May 24th, our Threat Intelligence team identified a vulnerability present in Convert Plus, a commercial WordPress plugin with an estimated 100,000 active installs. This flaw allowed …

Privilege Escalation Flaw Present In Slick Popup Plugin

This entry was posted in Vulnerabilities, WordPress Security on May 28, 2019 by Mikey Veenstra   2 Replies

In April, our Threat Intelligence team identified a privilege escalation flaw present in the latest version of Slick Popup, a WordPress plugin with approximately 7,000 active installs. We notified the developers, a firm called Om Ak Solutions, who acknowledged the issue and informed us that a patch would be released. Per our disclosure policy, we …

OS Command Injection Vulnerability Patched In WP Database Backup Plugin

This entry was posted in Vulnerabilities, WordPress Security on May 28, 2019 by Mikey Veenstra   3 Replies

Toward the end of April, an unnamed security researcher published details of an unpatched vulnerability in WP Database Backup, a WordPress plugin with over 70,000 users. The vulnerability, which was irresponsibly disclosed to the public before attempting to notify the plugin’s developers, was reported as a plugin configuration change flaw. A proof of concept (PoC) …

Announcing 3 New Login Security Features

This entry was posted in Wordfence, WordPress Security on May 14, 2019 by Dan Moen   23 Replies

Spend any time looking at blocked attacks in Wordfence Live Traffic and you’ll walk away worried about login security. WordPress sites are under constant attack by bots attempting to guess your users’ passwords. A lot of these attacks simply test lists of commonly used passwords along with usernames they think you may have chosen, like …

Unauthenticated Media Deletion Vulnerability Patched In WooCommerce Checkout Manager Plugin

This entry was posted in Vulnerabilities, WordPress Security on May 02, 2019 by Mikey Veenstra   2 Replies

Earlier this week, a security update was released for the WooCommerce Checkout Manager plugin for WordPress. This update fixes two distinct vulnerabilities: an arbitrary file upload flaw present in certain configurations, and a flaw allowing attackers to delete media files from affected sites. The plugin’s users are advised to install the latest available version (4.3 …

Zero-Day Vulnerability in Yellow Pencil Visual Theme Customizer Exploited in the Wild

This entry was posted in Vulnerabilities, WordPress Security on April 11, 2019 by James   10 Replies

On Monday the WordPress plugin Yellow Pencil Visual Theme Customizer was closed in the WordPress.org plugin repository. The plugin is quite popular, with an active install base of over 30,000 websites. On Tuesday a security researcher made the irresponsible and dangerous decision to publish a blog post including a proof of concept (POC) detailing how …