This site uses cookies in accordance with our Privacy Policy.
Wordfence Research and News
Category: WordPress Security
Critical Vulnerability Patched in Popular Convert Plus Plugin
Description: Unauthenticated Administrator Creation CVSS v3.0 Score: 10.0 (Critical) CVSS Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Affected Plugin: Convert Plus Plugin Slug: convertplug Affected Versions: <= 3.4.2 Patched Version: 3.4.3 On Friday May 24th, our Threat Intelligence team identified a vulnerability present in Convert Plus, a commercial WordPress plugin with an estimated 100,000 active installs.
Privilege Escalation Flaw Present In Slick Popup Plugin
In April, our Threat Intelligence team identified a privilege escalation flaw present in the latest version of Slick Popup, a WordPress plugin with approximately 7,000 active installs.
OS Command Injection Vulnerability Patched In WP Database Backup Plugin
Toward the end of April, an unnamed security researcher published details of an unpatched vulnerability in WP Database Backup, a WordPress plugin with over 70,000 users.
Announcing 3 New Login Security Features
Spend any time looking at blocked attacks in Wordfence Live Traffic and you’ll walk away worried about login security.
Unauthenticated Media Deletion Vulnerability Patched In WooCommerce Checkout Manager Plugin
Earlier this week, a security update was released for the WooCommerce Checkout Manager plugin for WordPress.
Zero-Day Vulnerability in Yellow Pencil Visual Theme Customizer Exploited in the Wild
On Monday the WordPress plugin Yellow Pencil Visual Theme Customizer was closed in the WordPress.org plugin repository.
Yuzo Related Posts Zero-Day Vulnerability Exploited in the Wild
The Yuzo Related Posts plugin, which is installed on over 60,000 websites, was removed from the WordPress.org plugin directory on March 30, 2019 after an unpatched vulnerability was publicly, and irresponsibly, disclosed by a security researcher that same day.
Peculiar PHP Present In Popular Pipdig Power Pack (P3) Plugin
This week, our team was notified of suspicious code present in a plugin offered alongside themes sold by Pipdig, a UK-based web development team.
Recent Social Warfare Vulnerability Allowed Remote Code Execution
In posts last week, we detailed a vulnerability in the Social Warfare plugin, and discussed the attack campaigns against it.
Social Warfare Plugin Zero-Day: Details and Attack Data
In our earlier post, we issued a warning to users of the Social Warfare plugin regarding a zero-day vulnerability affecting their sites.
Breaking WordPress Security Research in your inbox as it happens.
