Updates on WordPress security, Wordfence and what we're cooking in the lab today.

Wordfence Blog

Yuzo Related Posts Zero-Day Vulnerability Exploited in the Wild

This entry was posted in Vulnerabilities, WordPress Security on April 10, 2019 by Dan Moen   30 Replies

The Yuzo Related Posts plugin, which is installed on over 60,000 websites, was removed from the WordPress.org plugin directory on March 30, 2019 after an unpatched vulnerability was publicly, and irresponsibly, disclosed by a security researcher that same day. The vulnerability, which allows stored cross-site scripting (XSS), is now being exploited in the wild. These …
Read More

Podcast Episode 6: The Brandy Lawson Interview, The News and Facebook Rants

This entry was posted in Podcasts on April 10, 2019 by Mark Maunder   2 Replies

 This week we follow up on two stories from last week, the Pipdig P3 plugin and Jetpack suggestions found within the WordPress plugin dashboard. We also take a look at quite a few privacy concerns with Grammarly, malware in the healthcare industry, and we discuss privacy concerns with Facebook. I also talk to Brandy …
Read More

Podcast Episode 5: The Raquel Landefeld Interview & The Pipdig Story

This entry was posted in Podcasts on April 02, 2019 by Mark Maunder   2 Replies

This week I chat about the Pipdig controversy in full with Mikey Veenstra and Kathy Zant. Kathy and I cover the news. And we have an amazing interview with Raquel Landefeld who is a community organizer for WordPress, co-founder of agency Mode Effect and a well known and loved personality in the WordPress community. Raquel …
Read More

Pipdig Update: Dishonest Denials, Erased Evidence, and Ongoing Offenses

This entry was posted in Research, Vulnerabilities on April 02, 2019 by Mikey Veenstra   25 Replies

In last week’s post, we reported on some concerning code identified in the Pipdig Power Pack (P3) plugin. The plugin, which is installed alongside WordPress themes sold by Pipdig, was found to contain a number of suspicious or malicious features. Among these features were a remote “killswitch” Pipdig could use to destroy sites, an obfuscated …
Read More

Peculiar PHP Present In Popular Pipdig Power Pack (P3) Plugin

This entry was posted in Research, WordPress Security on March 29, 2019 by Mikey Veenstra   36 Replies

This week, our team was notified of suspicious code present in a plugin offered alongside themes sold by Pipdig, a UK-based web development team. The user, who wishes to remain anonymous, reached out to us with concerns that the plugin’s developer can grant themselves administrative access to sites using the plugin, or even delete affected …
Read More

Podcast Episode 4: The Aaron Campbell Interview and the Social Warfare Saga

This entry was posted in Podcasts on March 26, 2019 by Mark Maunder   1 Reply

This week we have an update on the Social Warfare plugin vulnerability, how it was more serious than originally thought, and a feud that has broken out between a security researcher and forum moderators. We also have some interesting data on how WordPress will become more secure soon with code signing. And along with several …
Read More

Recent Social Warfare Vulnerability Allowed Remote Code Execution

This entry was posted in Vulnerabilities, WordPress Security on March 25, 2019 by Mikey Veenstra   3 Replies

In posts last week, we detailed a vulnerability in the Social Warfare plugin, and discussed the attack campaigns against it. These issues were reported widely as Cross Site Scripting (XSS) flaws, due to an unexpected disclosure and proof of concept released by an unnamed researcher. Our Threat Intelligence team quickly released a firewall rule to mitigate impact …
Read More

Social Warfare Plugin Zero-Day: Details and Attack Data

This entry was posted in Vulnerabilities, WordPress Security on March 21, 2019 by Mikey Veenstra   6 Replies

In our earlier post, we issued a warning to users of the Social Warfare plugin regarding a zero-day vulnerability affecting their sites. At this time, the plugin’s developers have issued a patch for the flaw. All users are urged to update to version 3.5.3 immediately. Vulnerability Details The plugin features functionality that allows users to …
Read More

Unpatched Zero-Day Vulnerability in Social Warfare Plugin Exploited In The Wild

This entry was posted in Vulnerabilities, WordPress Security on March 21, 2019 by Mikey Veenstra   3 Replies

Earlier today, an unnamed security researcher published a full disclosure of a stored Cross-Site Scripting (XSS) vulnerability present in the most recent version of popular WordPress plugin Social Warfare. The plugin, which was subsequently removed from the WordPress.org plugin repository, has an active install base of over 70,000 sites. The flaw allows attackers to inject …
Read More

Podcast Episode 3: The Cory Miller Interview and Active Exploits Target Easy WP SMTP Plugin

This entry was posted in Podcasts on March 21, 2019 by Mark Maunder   2 Replies

 Welcome to Think Like a Hacker, Episode 3. In this episode Mikey Veenstra, a threat analyst at Wordfence, discusses an active exploit in the Easy WP SMTP plugin. This is breaking news which we added to the podcast at the very last minute. We also chat with Cory Miller, the founder and former CEO …
Read More

Follow Us

      


Protect your websites with the #1 WordPress Security Plugin

Get Premium
Over 100 million downloads

Wordfence Newsletter

Get WordPress Security Alerts and Product Updates