Updates on WordPress security, Wordfence and what we're cooking in the lab today.

Category Archive: WordPress Security

Wordfence Blog

Critical SQL Injection Vulnerability Patched in WooCommerce

This entry was posted in Vulnerabilities, WordPress Security on July 15, 2021 by Ram Gall   15 Replies

Update: The article originally credited Tommy DeVoss (dawgyg) for the discovery. We’ve since been contacted by Tommy, who let us know that the credit should go to another researcher, Josh from DOS (Development Operations Security) On July 14, 2021, WooCommerce released an emergency patch for a SQL Injection vulnerability reported by a security researcher, Josh …
Read More

Common WordPress Vulnerabilities and Prevention Through Secure Coding Best Practices

This entry was posted in General Security, Vulnerabilities, WordPress Security on July 13, 2021 by Chloe Chamberland   4 Replies

WordPress has experienced exponential growth in the past several years and now holds over 42% of the CMS market share for all major sites. There are over 50,000 plugins available to download in the WordPress repository. That does not include the thousands of premium or open source plugins available outside of the repository, along with …
Read More

Easily Exploitable Critical Vulnerabilities Patched in ProfilePress Plugin

This entry was posted in Research, Vulnerabilities, WordPress Security on June 28, 2021 by Chloe Chamberland   9 Replies

On May 27, 2021, the Wordfence Threat Intelligence team initiated the responsible disclosure process for several vulnerabilities that were discovered in ProfilePress, formerly WP User Avatar, a WordPress plugin installed on over 400,000 sites. These flaws made it possible for an attacker to upload arbitrary files to a vulnerable site and register as an administrator …
Read More

Service Vulnerabilities: Shared Hosting Symlink Security Issue Still Widely Exploited on Unpatched Servers

This entry was posted in Research, Vulnerabilities, WordPress Security on June 17, 2021 by Charles Strader Sweethill   6 Replies

The Wordfence site cleaning team helps numerous customers recover from malware infections and site intrusions. While doing so, Wordfence Security Analysts perform a detailed forensic investigation in order to determine how the site was compromised by attackers. In a set of recent cases, we were able to identify a service vulnerability allowing malicious attackers to …
Read More

Cross-Site Request Forgery Patched in WP Fluent Forms

This entry was posted in Research, Vulnerabilities, WordPress Security on June 16, 2021 by Ram Gall   0 Replies

On March 2, 2021, the Wordfence Threat Intelligence team responsibly disclosed a Cross-Site Request Forgery(CSRF) vulnerability in WP Fluent Forms, a WordPress plugin installed on over 80,000 sites. This vulnerability also allowed a stored Cross-Site Scripting(XSS) attack which, if successfully exploited, could be used to take over a site. We reached out to the plugin …
Read More

High Severity Vulnerability Patched in WooCommerce Stock Manager Plugin

This entry was posted in Research, Vulnerabilities, WordPress Security on June 14, 2021 by Chloe Chamberland   0 Replies

On May 21, 2021, the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability that we discovered in WooCommerce Stock Manager, a WordPress plugin installed on over 30,000 sites. This flaw made it possible for an attacker to upload arbitrary files to a vulnerable site and achieve remote code execution, as long …
Read More

Malicious Attack Campaign Targeting Jetpack Users Reusing Passwords

This entry was posted in PSA, Research, WordPress Security on June 11, 2021 by Ram Gall   10 Replies

The Wordfence Threat Intelligence and Site Cleaning teams have been tracking a malware campaign that redirects all site visitors to malvertising domains, while attempting to keep site administrators unaware of the infection. Since June 1, 2021, the number of sites we are tracking that have been infected with this malware has more than doubled, and …
Read More

Wordfence is now a CVE Numbering Authority (CNA)

This entry was posted in General Security, WordPress Security on June 10, 2021 by Chloe Chamberland   5 Replies

Today, we are excited to announce that Wordfence is authorized by the Common Vulnerabilities and Exposures (CVE┬«) Program as a CNA, or CVE Numbering Authority. As a CNA, Wordfence can now assign CVE IDs for new vulnerabilities in WordPress Core, WordPress Plugins and WordPress Themes. WordPress powers over 40% of the World Wide Web in …
Read More

Critical 0-day in Fancy Product Designer Under Active Attack

This entry was posted in Research, Vulnerabilities, WordPress Security on June 01, 2021 by Ram Gall   2 Replies

Update: A patched version of Fancy Product Designer, 4.6.9, is now available as of June 2, 2021. This article has been updated to reflect newly available information, including Indicators of Compromise. On May 31, 2021, the Wordfence Threat Intelligence team discovered a critical file upload vulnerability being actively exploited in Fancy Product Designer, a WordPress …
Read More

Severe Vulnerabilities Patched in Simple 301 Redirects by BetterLinks Plugin

This entry was posted in Research, Vulnerabilities, WordPress Security on May 26, 2021 by Chloe Chamberland   0 Replies

On April 8, 2021, the Wordfence Threat Intelligence team initiated the responsible disclosure process for several vulnerabilities discovered in Simple 301 Redirects by BetterLinks, a WordPress plugin installed on over 300,000 sites. One of these flaws made it possible for unauthenticated users to update redirects for the site allowing an attacker to redirect all site …
Read More

Follow Us

      


Protect your websites with the #1 WordPress Security Plugin

Get Premium
Over 200 million downloads

Wordfence Newsletter

Get WordPress Security Alerts and Product Updates