This site uses cookies in accordance with our Privacy Policy.
Wordfence Research and News
Category: Vulnerabilities
Multiple Vulnerabilities Patched in Pricing Table by Supsystic Plugin
On January 17th, our Threat Intelligence Team discovered several vulnerabilities in Pricing Table by Supsystic, a WordPress plugin installed on over 40,000 sites.
Active Attack on Recently Patched Duplicator Plugin Vulnerability Affects Over 1 Million Sites
Description: Unauthenticated Arbitrary File Download Affected Plugin: Duplicator Affected Versions: <= 1.3.26 CVE ID: CVE-2020-11738 CVSS Score: 7.5 (High) CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Patched Version: 1.3.28 A critical security update was recently issued for Duplicator, one of the most popular plugins in the WordPress ecosystem.
Zero-Day Vulnerability in ThemeREX Addons Plugin Exploited in the Wild
Description: Remote Code Execution Affected Plugin: ThemeREX Addons Plugin Slug: trx_addons Affected Versions: Versions greater than 1.6.50 CVSS Score: 9.8 (Critical) CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Patched Version: Currently No Patch.
Vulnerability in wpCentral Plugin Leads to Privilege Escalation
Description: Improper Access Control to Privilege Escalation Affected Plugin: wpCentral Affected Versions: <= 1.5.0 CVE ID: CVE-2020-9043 CVSS Score: 8.8 (High) CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Patched Version: 1.5.1 On February 13th, our Threat Intelligence team discovered a vulnerability in wpCentral, a WordPress plugin installed on over 60,000 sites.
Critical Vulnerability In Profile Builder Plugin Allowed Site Takeover
Description: Unauthenticated Administrator Registration Affected Plugin: Profile Builder (Free, Pro, and Hobbyist versions affected) Affected Versions: <= 3.1.0 CVSS Score: 10.0 (Critical) CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Patched Version: 3.1.1 Earlier this week, a critical vulnerability was patched in the Profile Builder plugin for WordPress.
Improper Access Controls in GDPR Cookie Consent Plugin
Description: Improper Access Controls Affected Plugin: GDPR Cookie Consent Affected Versions: <= 1.8.2 CVSS Score: 9.0 (Critical) CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H Patched Version: 1.8.3 The following post describes how improper access controls lead to a stored cross-site scripting vulnerability in the GDPR Cookie Consent plugin that emerged after it was removed from the repository.
High Severity CSRF to RCE Vulnerability Patched in Code Snippets Plugin
Description: Cross-Site Request Forgery to Remote Code Execution Affected Plugin: Code Snippets Affected Versions: <= 2.13.3 CVE ID: CVE-2020-8417 CVSS Score: 8.8 (High) CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Patched Version: 2.14.0 On January 23rd, our Threat Intelligence team discovered a vulnerability in Code Snippets, a WordPress plugin installed on over 200,000 sites.
Easily Exploitable Vulnerabilities Patched in WP Database Reset Plugin
On January 7th, our Threat Intelligence team discovered vulnerabilities in WP Database Reset, a WordPress plugin installed on over 80,000 websites.
Critical Authentication Bypass Vulnerability in InfiniteWP Client Plugin
Description: Authentication Bypass Affected Plugin: InfiniteWP Client Affected Versions: < 1.9.4.5 CVSS Score: 9.8 (Critical) CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Patched Version: 1.9.4.5 A vulnerability has been discovered in the InfiniteWP Client plugin versions 1.9.4.4 or earlier.
Multiple Vulnerabilities Patched in Minimal Coming Soon & Maintenance Mode – Coming Soon Page Plugin
A few weeks ago, our threat intelligence team discovered several vulnerabilities present in Minimal Coming Soon & Maintenance Mode – Coming Soon Page, a WordPress plugin installed on over 80,000 websites.
Breaking WordPress Security Research in your inbox as it happens.
