This site uses cookies in accordance with our Privacy Policy.
Wordfence Research and News
Category: PSA
Newest
PSA: Critical POP Chain Allowing Remote Code Execution Patched in WordPress 6.4.2
WordPress 6.4.2 was released today, on December 6, 2023. It includes a patch for a POP chain introduced in version 6.4 that, combined with a separate Object Injection vulnerability, could result in a Critical-Severity vulnerability allowing attackers to execute arbitrary PHP code on the site. We urge all WordPress users to update to 6.4.2 immediately, …
Read More
PSA: Fake CVE-2023-45124 Phishing Scam Tricks Users Into Installing Backdoor Plugin
The Wordfence Threat Intelligence Team has recently been informed of a phishing campaign targeting WordPress users.
PSA: Critical Unauthenticated Arbitrary File Upload Vulnerability in Royal Elementor Addons and Templates Being Actively Exploited
Update: Wordfence has released a malware detection signature for wp.ph$p to Wordfence Premium, Wordfence Care, Wordfence Response, and the paid tiers of Wordfence CLI as of Monday, October 16, 2023.
PSA: Wordfence Brand Being Actively Used in Phishing Campaigns
Earlier this week we became aware that malicious actors are using Wordfence brand image to run a phishing scam on WordPress and Wordfence users, posing as unknown login notifications from their own website while linking to a fake login page, clearly aiming to steal WordPress login credentials.
PSA: Unpatched Critical Privilege Escalation Vulnerability in Ultimate Member Plugin Being Actively Exploited
Today, on June 29, 2023, the Wordfence Threat Intelligence Team became aware of an unpatched privilege escalation vulnerability being actively exploited in Ultimate Member, a WordPress plugin installed on over 200,000 sites, through our vulnerability changelog monitoring we do to ensure the Wordfence Intelligence Vulnerability Database has the most up to date and accurate information.
PSA: Update Now! Critical Authentication Bypass in WooCommerce Payments Allows Site Takeover
This post has been updated with additional information that has become available since its publication The Wordfence Threat Intelligence team regularly monitors plugin updates and reviews any indicating that a potential security issue may have been addressed.
PSA: Intentionally Leaving Backdoors in Your Code Can Lead to Fines and Jail Time
In the cybersecurity field, we talk a lot about threat actors and vulnerable code, but what doesn’t get discussed enough is intentional vulnerabilities and becoming your own threat actor.
PSA: YITH WooCommerce Gift Cards Premium Plugin Exploited in the Wild
The Wordfence Threat Intelligence team has been tracking exploits targeting a Critical Severity Arbitrary File Upload vulnerability in YITH WooCommerce Gift Cards Premium, a plugin with over 50,000 installations according to the vendor.
PSA: Zero-Day Vulnerability in WPGateway Actively Exploited in the Wild
On September 8, 2022, the Wordfence Threat Intelligence team became aware of an actively exploited zero-day vulnerability being used to add a malicious administrator user to sites running the WPGateway plugin.
PSA: Nearly 5 Million Attacks Blocked Targeting 0-Day in BackupBuddy Plugin
Late evening, on September 6, 2022, the Wordfence Threat Intelligence team was alerted to the presence of a vulnerability being actively exploited in BackupBuddy, a WordPress plugin we estimate has around 140,000 active installations.
Breaking WordPress Security Research in your inbox as it happens.
