Wordfence Research and News

Category: Vulnerabilities

Service Vulnerability: Four Popular Hosting Companies Fix NFS Permissions and Information Disclosure Problems

Last year, we published two disclosures of service vulnerabilities on hosting platforms.

Critical Vulnerability Patched in Popular Convert Plus Plugin

Description: Unauthenticated Administrator Creation
CVSS v3.0 Score: 10.0 (Critical)
CVSS Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Affected Plugin: Convert Plus
Plugin Slug: convertplug
Affected Versions: <= 3.4.2
Patched Version: 3.4.3

On Friday, May 24th, our Threat Intelligence team identified a vulnerability present in Convert Plus, a commercial WordPress plugin with an estimated 100,000 active installs.

Privilege Escalation Flaw Present In Slick Popup Plugin

In April, our Threat Intelligence team identified a privilege escalation flaw present in the latest version of Slick Popup, a WordPress plugin with approximately 7,000 active installs.

OS Command Injection Vulnerability Patched In WP Database Backup Plugin

Toward the end of April, an unnamed security researcher published details of an unpatched vulnerability in WP Database Backup, a WordPress plugin with over 70,000 users.

Unauthenticated Media Deletion Vulnerability Patched In WooCommerce Checkout Manager Plugin

Earlier this week, a security update was released for the WooCommerce Checkout Manager plugin for WordPress.

Zero-Day Vulnerability in Yellow Pencil Visual Theme Customizer Exploited in the Wild

On Monday, the WordPress plugin Yellow Pencil Visual Theme Customizer was closed in the WordPress.org plugin repository.

Yuzo Related Posts Zero-Day Vulnerability Exploited in the Wild

The Yuzo Related Posts plugin, which is installed on over 60,000 websites, was removed from the WordPress.org plugin directory on March 30, 2019 after an unpatched vulnerability was publicly, and irresponsibly, disclosed by a security researcher that same day.

Pipdig Update: Dishonest Denials, Erased Evidence, and Ongoing Offenses

In last week’s post, we reported on some concerning code identified in the Pipdig Power Pack (P3) plugin.

Recent Social Warfare Vulnerability Allowed Remote Code Execution

In posts last week, we detailed a vulnerability in the Social Warfare plugin, and discussed the attack campaigns against it.

Social Warfare Plugin Zero-Day: Details and Attack Data

In our earlier post, we issued a warning to users of the Social Warfare plugin regarding a zero-day vulnerability affecting their sites.