Updates on WordPress security, Wordfence and what we're cooking in the lab today.

Wordfence Blog

High-Severity Vulnerability Patched in Advanced Access Manager

This entry was posted in Research, Vulnerabilities, WordPress Security on August 20, 2020 by Ram Gall   2 Replies

On August 13, 2020, the Wordfence Threat Intelligence team finished investigating two vulnerabilities in Advanced Access Manager, a WordPress plugin with over 100,000 installations, including a high-severity Authorization Bypass vulnerability that could lead to privilege escalation and site takeover. We reached out to the plugin’s author the next day, on August 14, 2020, and received …
Read More

10 WordPress Security Mistakes You Might Be Making

This entry was posted in General Security, Wordfence, WordPress Security on August 19, 2020 by Chloe Chamberland   15 Replies

Yesterday, August 18, 2020, the Wordfence Live team covered 10 WordPress Security Mistakes You Might Be Making. This companion blog post reviews the recommendations we provided to avoid these mistakes and better secure your WordPress environment. You can watch the video of Wordfence Live below. Timestamps: you can click on these timestamps to jump around …
Read More

Episode 82: Important Changes in the WordPress 5.5 Update

This entry was posted in Podcasts on August 13, 2020 by Scott Miller   0 Replies

WordPress 5.5 was released on August 11 with a number of important updates, including a new feature allowing auto-updates of themes and plugins as well as changes to the block editor. The popular Astra theme was suspended from the repository for having affiliate links in the code. A vulnerability found in Google Chromium browsers could …
Read More

Critical Vulnerabilities Patched in Quiz and Survey Master Plugin

This entry was posted in Research, Vulnerabilities, WordPress Security on August 13, 2020 by Chloe Chamberland   1 Reply

On July 17, 2020, our Threat Intelligence team discovered two vulnerabilities in Quiz and Survey Master (QSM), a WordPress plugin installed on over 30,000 sites. These flaws made it possible for unauthenticated attackers to upload arbitrary files and achieve remote code execution, as well as delete arbitrary files like a site’s wp-config.php file which could …
Read More

Episode 81: Critical Vulnerability Exposes over 700,000 Sites Using Divi, Extra, and Divi Builder

This entry was posted in Podcasts on August 07, 2020 by Scott Miller   0 Replies

Our Threat Intelligence team disclosed numerous vulnerabilities this week, including a critical vulnerability in the Divi and Extra themes as well as the Divi Builder plugin. In total, this vulnerability affected over 700,000 sites. A vulnerability found in The Official Facebook Chat Plugin created a vector for social engineering attacks as it allowed an attacker …
Read More

WordPress Auto-Updates: What do you have to lose?

This entry was posted in WordPress Security on August 06, 2020 by Matt Barry   35 Replies

A new feature that will allow automatic updating of plugins and themes will be available in WordPress version 5.5, which is scheduled to be released on August 11, 2020. In this core release of the world’s most popular content management system, site owners will have the option to turn auto-updates on for individual plugins and …
Read More

The Official Facebook Chat Plugin Created Vector for Social Engineering Attacks

This entry was posted in Research, Vulnerabilities, WordPress Security on August 04, 2020 by Chloe Chamberland   0 Replies

On June 26, 2020, our Threat Intelligence team discovered a vulnerability in The Official Facebook Chat Plugin, a WordPress plugin installed on over 80,000 sites. This flaw made it possible for low-level authenticated attackers to connect their own Facebook Messenger account to any site running the vulnerable plugin and engage in chats with site visitors …
Read More

Critical Vulnerability Exposes over 700,000 Sites Using Divi, Extra, and Divi Builder

This entry was posted in Research, Vulnerabilities, WordPress Security on August 04, 2020 by Chloe Chamberland   11 Replies

On July 23, 2020, our Threat Intelligence team discovered a vulnerability present in two themes by Elegant Themes, Divi and Extra, as well as Divi Builder, a WordPress plugin. Combined, these products are installed on an estimated 700,000 sites. This flaw gave authenticated attackers, with contributor-level or above capabilities, the ability to upload arbitrary files, …
Read More

Newsletter Plugin Vulnerabilities Affect Over 300,000 Sites

This entry was posted in Research, Vulnerabilities, WordPress Security on August 03, 2020 by Ram Gall   6 Replies

On July 13, 2020, our Threat Intelligence team was alerted to a recently patched vulnerability in Newsletter, a WordPress plugin with over 300,000 installations. While investigating this vulnerability, we discovered two additional, more serious vulnerabilities, including a reflected Cross-Site Scripting (XSS) vulnerability and a PHP Object Injection vulnerability. We reached out to the plugin’s author on …
Read More

Episode 80: Critical File Upload Vulnerability in wpDiscuz Plugin

This entry was posted in Podcasts on July 30, 2020 by Scott Miller   0 Replies

In this week’s news, our Threat Intelligence team discovered a vulnerability in the wpDiscuz plugin, affecting over 80,000 WordPress sites. A blind SQL injection attack affected analytics service Waydev, exposing OAuth tokens for GitHub repositories for software companies, leading to further breaches. A debate about problematic admin notices on the WordPress admin dashboard has many …
Read More
