This site uses cookies in accordance with our Privacy Policy.
Wordfence Research and News
Category: WordPress Security
Medium Severity Vulnerability Patched in Fast Velocity Minify Plugin
Description: Full Path Disclosure CVE ID: CVE-2019-19983 CVSS v3.0 Score: 4.3 (Medium) CVSS Vector String: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Affected Plugin: Fast Velocity Minify Plugin Slug: fast-velocity-minify Affected Versions: <= 2.7.6 Patched Version: 2.7.7 A few days ago, our Threat Intelligence team identified a vulnerability present in Fast Velocity Minify, a WordPress plugin with approximately 80,000+ active installs.
Authentication Bypass Vulnerability in GiveWP Plugin
Description: Authentication Bypass with Information Disclosure CVSS v3.0 Score: 7.5 (High) CVSS Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Affected Plugin: GiveWP Plugin Slug: give Affected Versions: <= 2.5.4 Patched Version: 2.5.5 A few weeks ago, our Threat Intelligence team discovered a vulnerability present in GiveWP, a WordPress plugin installed on over 70,000 websites.
Zero Day Vulnerability in Rich Reviews Plugin Exploited In The Wild
Description: XSS Via Unauthenticated Plugin Options Update Affected Plugin: Rich Reviews Affected Versions: <= 1.7.4 CVSS Score: 8.3 (High) CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L The Wordfence Threat Intelligence team is tracking a series of attacks against an unpatched vulnerability in the Rich Reviews plugin for WordPress.
The WordPress 5.2.3 Security Release Unpacked
WordPress core version 5.2.3 has just been released. This is a security release which contains several fixes.
Ongoing Malvertising Campaign Evolves, Adds Backdoors and Targets New Plugins
In July, we reported on a malvertising campaign which was distributing redirect and popup code through a number of public vulnerabilities affecting the WordPress ecosystem.
Malicious WordPress Redirect Campaign Attacking Several Plugins
Over the past few weeks, our Threat Intelligence team has been tracking an active attack campaign targeting a selection of new and old WordPress plugin vulnerabilities.
Recent WordPress Vulnerabilities Targeted by Malvertising Campaign
The Defiant Threat Intelligence team has identified a malvertising campaign which is causing victims’ sites to display unwanted popup ads and redirect visitors to malicious destinations, including tech support scams, malicious Android APKs, and sketchy pharmaceutical ads.
Critical Vulnerability Patched in Ad Inserter Plugin
Description: Authenticated Remote Code Execution Affected Plugin: Ad Inserter Affected Versions: <= 2.4.21 CVSS Score: 9.9 (Critical) CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H On Friday, July 12th, our Threat Intelligence team discovered a vulnerability present in Ad Inserter, a WordPress plugin installed on over 200,000 websites.
Introducing the Wordfence Login Security Plugin
Today we are excited to announce the release of a brand new plugin: Wordfence Login Security.
Service Vulnerability: Four Popular Hosting Companies Fix NFS Permissions and Information Disclosure Problems
Last year, we published two disclosures of service vulnerabilities on hosting platforms.
Breaking WordPress Security Research in your inbox as it happens.
