Updates on WordPress security, Wordfence and what we're cooking in the lab today.

Wordfence Blog

Episode 109: This Attack Will Make You Want to Stop Using SMS 2FA

This entry was posted in Podcasts on March 19, 2021 by Kathy Zant   0 Replies

An attack shows how an SMS enablement service was used to bypass SMS 2FA for $16. We discuss the recently patched vulnerabilities in Elementor affecting over 7 million WordPress sites and how easily these cross-site scripting vulnerabilities can be exploited. We also talk about the SQL Injection vulnerabilities in Tutor LMS. The data center fire …

Cross-Site Scripting Vulnerabilities in Elementor Impact Over 7 Million Sites

This entry was posted in Research, Vulnerabilities, WordPress Security on March 17, 2021 by Ram Gall   12 Replies

On February 23, 2021, the Wordfence Threat Intelligence team responsibly disclosed a set of stored Cross-Site Scripting vulnerabilities in Elementor, a WordPress plugin which “is now actively installed and used on more than 7M websites” according to a recent announcement on the Elementor blog. These vulnerabilities allowed any user able to access the Elementor editor, …

Several Vulnerabilities Patched in Tutor LMS Plugin

This entry was posted in Research, Vulnerabilities, WordPress Security on March 15, 2021 by Chloe Chamberland   1 Reply

On December 15, 2020, our Threat Intelligence team responsibly disclosed several vulnerabilities in Tutor LMS, a WordPress plugin installed on over 20,000 sites. The first five flaws made it possible for authenticated attackers to inject and execute arbitrary SQL statements on WordPress sites. This made it possible for attackers to obtain information stored in a …

Episode 108: Hack Exposes 150,000 Security Cameras at Tesla, Cloudflare and Others

This entry was posted in Podcasts on March 12, 2021 by Ram Gall   0 Replies

A data breach exposes 150,000 security cameras used by organizations around the world, including Tesla and Cloudflare. State-sponsored hacking groups exploit Microsoft Exchange vulnerabilities. A fire in a French data center belonging to hosting company OVH affects millions of websites, including some prominent WordPress services like Imagify and WP Rocket. WordPress 5.7 was released this …

Critical 0-day in The Plus Addons for Elementor Allows Site Takeover

This entry was posted in Research, Vulnerabilities, WordPress Security on March 08, 2021 by Chloe Chamberland   28 Replies

UPDATE 2: As of late March 9th, 2021, the vulnerabilities have been fully patched in version 4.1.7. We highly recommend updating to this version immediately to keep your sites secure.  Special thanks to the plugin developers for working as quickly as possible to resolve these issues.  UPDATE 1: As of March 9th, 2021, the vulnerability …

Episode 107: Two Plugin Vulnerabilities Target File Upload Capabilities

This entry was posted in Podcasts on March 05, 2021 by Ram Gall   0 Replies

The Wordfence Threat Intelligence team finds vulnerabilities in two plugins, the User Profile Picture plugin and the WooCommerce Upload Files plugin. WordPress 5.7 is set to release on Tuesday, March 9 with numerous enhancements for the block editor, a new robots.txt API, and a stay of execution on jQuery-migrate. A zero day affecting Microsoft Exchange …

Critical Vulnerability Patched in WooCommerce Upload Files

This entry was posted in Research, Vulnerabilities, WordPress Security on March 04, 2021 by Ram Gall   0 Replies

On December 29, 2020, the Wordfence Threat Intelligence team was alerted to a potential 0-day vulnerability in the WooCommerce Upload Files plugin, an add-on for WooCommerce with over 5,000 installations. Please note that this is a separate plugin from the main WooCommerce plugin and is designed as an add-on to that plugin. After confirming the …

Medium Severity Vulnerability Patched in User Profile Picture Plugin

This entry was posted in Research, Vulnerabilities, WordPress Security on March 03, 2021 by Chloe Chamberland   2 Replies

On February 15, 2021, our Threat Intelligence team initiated the responsible disclosure process for a vulnerability that we discovered in User Profile Picture, a WordPress plugin installed on over 60,000 sites. The vulnerability made it possible for authenticated users with the upload_files capability to obtain sensitive user information. We initially reached out to Cozmoslabs, the …

Episode 106: Admin Password Resets, Blockchain Botnets and a Central Management RCE

This entry was posted in Podcasts on February 26, 2021 by Ram Gall   0 Replies

WordPress 5.7 is due to be released on March 9, and it will allow administrators to send password reset emails to users. A botnet is abusing the Bitcoin blockchain for command and control, while VMware fixes a critical remote code execution bug in all default vCenter installations. Android users now have an easy way to …

Episode 105: The Hottest Trend in WordPress

This entry was posted in Podcasts on February 19, 2021 by Kathy Zant   2 Replies

An analysis of WordPress-related search trends found that interest in WooCommerce related results dominated during 2020. We discuss recent vulnerabilities discovered by our threat intelligence team in Ninja Forms, affecting over 1 million sites. WordPress issues a statement that pirated themes and plugins are prohibited on the repository. And a supply chain attack affects users …
