This site uses cookies in accordance with our Privacy Policy.
Search Results
Suggestions:
Several Critical Vulnerabilities including Privilege Escalation, Authentication Bypass, and More Patched in UserPro WordPress Plugin
On May 1, 2023, the Wordfence Threat Intelligence team began the responsible disclosure process for multiple high and critical severity vulnerabilities we discovered in Kirotech’s UserPro plugin, which is actively installed on more than 20,000 WordPress websites. Wordfence Premium, Wordfence Care, and Wordfence Response users received several firewall rules to protect against any exploits targeting these vulnerabilities …
Read More
Wordfence Intelligence Weekly WordPress Vulnerability Report (November 6, 2023 to November 12, 2023)
🎉Wordfence just launched its bug bounty program. Over the next 6 months, all awarded bounties receive a 10% bonus. View the announcement to learn more now! Please note there was a minor error in the heading of the email, and this report only runs from November 6th to November 12th. Last week, there were 135 vulnerabilities …
Read More
Several Critical Vulnerabilities Patched in AI ChatBot Plugin for WordPress
On September 28, 2023, the Wordfence Threat Intelligence team initiated the responsible disclosure process for multiple vulnerabilities in AI ChatBot, a WordPress plugin with over 4,000 active installations. After making our initial contact attempt on September 28th, 2023, we received a response on September 29, 2023 and sent over our full disclosure details. Receipt of …
Read More
Demystifying the WordPress Vulnerability Landscape: 2023 Mid-Year Wordfence Intelligence WordPress Vulnerability Review Leveraging ChatGPT
In the first 6 months of 2023, our team has already added 2,471[1] individual vulnerability records to the Wordfence Intelligence WordPress Vulnerability Database. These vulnerabilities affected 1,680[2] WordPress software components. This means we have already surpassed the total number of vulnerabilities disclosed last year (2022), which was 2,395[1] based on unique vulnerability records. Introduction The …
Read More
WebToffee Addresses Authentication Bypass Vulnerability in Stripe Payment Plugin for WooCommerce WordPress Plugin
On June 8, 2023, our Wordfence Threat Intelligence team identified and began the responsible disclosure process for an Authentication Bypass vulnerability in WebToffee’s Stripe Payment Plugin for WooCommerce plugin, which is actively installed on more than 10,000 WordPress websites. This vulnerability makes it possible for an attacker to gain access to the accounts of users …
Read More
Arbitrary User Password Change Vulnerability in LearnDash LMS WordPress Plugin
On June 5, 2023, our Wordfence Threat Intelligence team identified, and began the responsible disclosure process, for an Arbitrary User Password Change vulnerability in LearnDash LMS plugin, a WordPress plugin that is actively installed on more than 100,000 WordPress websites according to our estimates. This vulnerability makes it possible for any user with an existing …
Read More
WPDeveloper Addresses Privilege Escalation Vulnerability in ReviewX WordPress Plugin
On May 20, 2023, our Wordfence Threat Intelligence team identified and began the responsible disclosure process for a Privilege Escalation vulnerability in WPDeveloper’s ReviewX plugin, which is actively installed on more than 10,000 WordPress websites. This vulnerability makes it possible for an authenticated attacker to grant themselves administrative privileges via a user meta update. Wordfence …
Read More
PSA: Attackers Actively Exploiting Critical Vulnerability in Essential Addons for Elementor
On May 11 2023, Essential Addons for Elementor, a WordPress plugin with over one million active installations, released a patch for a critical vulnerability that made it possible for any unauthenticated user to reset arbitrary user passwords, including user accounts with administrative-level access. This vulnerability was discovered and responsibly disclosed by security researcher Rafie Muhammed. …
Read More
WordPress Core 6.2.1 Security & Maintenance Release – What You Need to Know
On May 16, 2023, the WordPress core team released WordPress 6.2.1, which contains patches for 5 vulnerabilities, including a Medium Severity Directory Traversal vulnerability, a Medium-Severity Cross-Site Scripting vulnerability, and several lower-severity vulnerabilities. These patches have been backported to every version of WordPress since 4.1. WordPress has supported automatic core updates for security releases since …
Read More
Authorization vs. Intent: Why You Should Always Verify Both
The Wordfence Threat Intelligence team has observed a recent increase in the number of partial vulnerability patches that don’t properly address separate underlying issues. More specifically, we have been seeing an increase in Missing Authorization vulnerabilities that are fixed using tools intended for addressing Cross-Site Request Forgery, which are two independently fixable vulnerability types that …
Read More
Breaking WordPress Security Research in your inbox as it happens.
