Updates on WordPress security, Wordfence and what we're cooking in the lab today.

Wordfence Blog

Vulnerabilities Patched in Popup Builder Plugin Affecting over 100,000 Sites

This entry was posted in Vulnerabilities, WordPress Security on March 12, 2020 by Ram Gall   5 Replies

On March 4th, our Threat Intelligence team discovered several vulnerabilities in Popup Builder, a WordPress plugin installed on over 100,000 sites. One vulnerability allowed an unauthenticated attacker to inject malicious JavaScript into any published popup, which would then be executed whenever the popup loaded. The other vulnerability allowed any logged-in user, even those with minimal …

Vulnerability Patched in Import Export WordPress Users

This entry was posted in Vulnerabilities, Wordfence on March 11, 2020 by Chloe Chamberland   0 Replies

On February 26th, our Threat Intelligence team discovered a vulnerability in Import Export WordPress Users, a WordPress plugin installed on over 30,000 sites. The flaw allowed anybody with subscriber-level access or above to import new users via a CSV file, including administrative-level users. We reached out to the plugin’s developer on February 26th, who responded …

Zero-Day Vulnerability in ThemeREX Addons Now Patched

This entry was posted in Vulnerabilities, WordPress Security on March 09, 2020 by Chloe Chamberland   0 Replies

On February 18th, we were alerted to a vulnerability present in ThemeREX Addons, a WordPress plugin installed on approximately 44,000 sites. We took immediate action to release a firewall rule to protect Wordfence Premium users. As this vulnerability was being actively attacked, we also publicly notified the community of the vulnerability to help protect users …

Active Attack on Zero Day in Custom Searchable Data Entry System Plugin

This entry was posted in Vulnerabilities, WordPress Security on March 06, 2020 by Ram Gall   2 Replies

The Wordfence Threat Intelligence team is tracking a series of attacks against an unpatched vulnerability in the Custom Searchable Data Entry System plugin for WordPress. The estimated 2,000+ sites running the plugin are vulnerable to Unauthenticated Data Modification and Deletion, including the potential to delete the entire contents of any table in a vulnerable site’s …

Episode 69: The Meteoric Growth of Elementor with Kfir Bitton

This entry was posted in Podcasts on March 06, 2020 by Kathy Zant   0 Replies

On February 26, WordPress page building platform Elementor announced that they had received $15 million in venture funding. After topping 4 million installations of their plugin in January, it appears that Elementor is on a path to do some big things with WordPress. This week, we chat with Elementor CRO Kfir Bitton from his office …

Multiple Vulnerabilities Patched in RegistrationMagic Plugin

This entry was posted in Vulnerabilities, WordPress Security on March 05, 2020 by Ram Gall   3 Replies

On February 24th, our Threat Intelligence team discovered several critical vulnerabilities in RegistrationMagic, a WordPress plugin installed on over 10,000 sites, including the vendor’s own site. These allowed an attacker with subscriber-level permissions to elevate their account’s privileges to those of an administrator and to export every form on the site, including all the data …

Coupon Creation Vulnerability Patched In WooCommerce Smart Coupons

This entry was posted in Vulnerabilities, WordPress Security on March 04, 2020 by Mikey Veenstra   0 Replies

Description: Unauthenticated Coupon Creation
Affected Plugin: WooCommerce Smart Coupons
Affected Plugin Slug: woocommerce-smart-coupons
Affected Versions: <= 4.6.0
CVSS Score: 5.3 (Medium)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Patched Version: 4.6.5

Late last month a patch was released for WooCommerce Smart Coupons, a commercial WooCommerce plugin that helps store managers handle coupons and gift certificates. In vulnerable versions of the …

Happening Now: Over 2 Percent of Sites Using a Let’s Encrypt TLS Certificate May Throw Security Warnings

This entry was posted in General Security, WordPress Security on March 03, 2020 by Kathy Zant   5 Replies

On Wednesday, March 4, 2020, 3 million Transport Layer Security (TLS) certificates issued by Let’s Encrypt will be revoked because of a Certificate Authority Authorization (CAA) bug. This is 2.6% of the over 116 million active certificates issued by Let’s Encrypt. Let’s Encrypt has contacted all certificate holders affected by this bug, and they’ve created …

COVID-19 and WordPress Community Engagement in 2020

This entry was posted in Wordfence on March 01, 2020 by Mark Maunder   1 Reply

This is an update regarding Wordfence’s community engagement in 2020 along with a recommendation for WordCamps globally and for the global WordPress community. As always, I’m taking a data-driven approach to this post. I present an update from the WHO regarding the containment of COVID-19 in China and what has worked. I then discuss what …

Episode 68: More Plugin Vulnerabilities and Active Attack Campaigns

This entry was posted in Podcasts on February 29, 2020 by Kathy Zant   0 Replies

This week, we review numerous plugin vulnerabilities in popular WordPress plugins and the attacks that are targeting them. We also review the Duplicator vulnerability affecting over 1 million sites, and Chloe Chamberland’s discovery of multiple vulnerabilities in the Pricing Table by Supsystic plugin. Some WordPress-focused companies, Elementor and Strattic, receive venture funding. We also ask …
