This entry was posted in Research, Vulnerabilities, WordPress Security on September 22, 2021 by Chloe Chamberland 0 Replies
On August 3, 2021 the Wordfence Threat Intelligence team initiated the responsible disclosure process for two vulnerabilities that were discovered in Ninja Forms, a WordPress plugin installed on over 1,000,000 sites. These flaws made it possible for an attacker to export sensitive information and send arbitrary emails from a vulnerable site that could be used …
Read More
This entry was posted in Research, Vulnerabilities, WordPress Security on September 01, 2021 by Ram Gall 3 Replies
On August 3, 2021, the Wordfence Threat Intelligence team initiated the disclosure process for two vulnerabilities we discovered in the Gutenberg Template Library & Redux Framework plugin, which is installed on over 1 million WordPress sites. One vulnerability allowed users with lower permissions, such as contributors, to install and activate arbitrary plugins and delete any …
Read More
This entry was posted in Research, Vulnerabilities, WordPress Security on August 25, 2021 by Ram Gall 0 Replies
On August 13, 2021, the Wordfence Threat Intelligence team responsibly disclosed two vulnerabilities in Nested Pages, a WordPress plugin installed on over 80,000 sites that provides drag and drop functionality to manage your page structure and post ordering. These vulnerabilities included a Cross-Site Request Forgery vulnerability that allowed posts and pages to be deleted, unpublished …
Read More
This entry was posted in Research, Vulnerabilities, WordPress Security on August 24, 2021 by Chloe Chamberland 12 Replies
On July 30, 2021 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability that we discovered in Booster for WooCommerce, a WordPress plugin installed on over 80,000 sites. This flaw made it possible for an attacker to log in as any user, as long as certain options were enabled in the …
Read More
This entry was posted in Research, Vulnerabilities, WordPress Security on August 16, 2021 by Chloe Chamberland 2 Replies
On July 29, 2021 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability that we discovered in SEOPress, a WordPress plugin installed on over 100,000 sites. This flaw made it possible for an attacker to inject arbitrary web scripts on a vulnerable site which would execute anytime a user accessed the …
Read More
This entry was posted in Research, WordPress Security on August 13, 2021 by Ned Andonov 21 Replies
In today’s post we discuss emerging techniques that attackers are using to hide the presence of malware. In the example we discuss below, the attacker’s goal is to make everything look routine to an analyst so that they do not dig deeper and discover the presence of malware and what it is doing. We describe …
Read More
This entry was posted in Research, WordPress Security on August 11, 2021 by Chloe Chamberland 0 Replies
Wordfence has collaborated with WPScan to conduct a 2021 mid-year review on the state of WordPress security. Using attack data from Wordfence’s internal threat intelligence platform, and vulnerability data from WPScan’s vulnerability database, we were able to analyze the current trend of attacks on WordPress and assess the current state of WordPress security. In the …
Read More
This entry was posted in Research, Vulnerabilities, WordPress Security on July 29, 2021 by Ram Gall 4 Replies
On May 4, 2021, the Wordfence Threat Intelligence Team initiated the responsible disclosure process for WordPress Download Manager, a WordPress plugin installed on over 100,000 sites. We found two separate vulnerabilities, including a sensitive information disclosure as well as a file upload vulnerability which could have resulted in Remote Code Execution in some configurations. The …
Read More
This entry was posted in General Security, WordPress Security on July 28, 2021 by Chloe Chamberland 0 Replies
Information security researchers make a valuable contribution to our online security by finding vulnerabilities and facilitating getting them fixed. Wordfence has been finding and disclosing vulnerabilities in WordPress core, WordPress plugins, and WordPress themes since 2011. Our research has exposed vulnerabilities in the core infrastructure that powers WordPress, organized crime exploiting plugins for profit, and …
Read More
This entry was posted in General Security, WordPress Security on July 21, 2021 by Ram Gall 12 Replies
In our 2020 Threat Report, the Wordfence Threat Intelligence Team identified malware distributed via nulled, pirated, or counterfeit plugins and themes as one of the largest threats facing the WordPress ecosystem. Many site owners are unaware of the risks associated with using nulled plugins, and in many cases, they may not even be aware that …
Read More
