This site uses cookies in accordance with our Privacy Policy.
Search Results
Suggestions:
Critical Vulnerability Exposes over 700,000 Sites Using Divi, Extra, and Divi Builder
August 4, 2020
On July 23, 2020, our Threat Intelligence team discovered a vulnerability present in two themes by Elegant Themes, Divi and Extra, as well as Divi Builder, a WordPress plugin. Combined, these products are installed on an estimated 700,000 sites. This flaw gave authenticated attackers, with contributor-level or above capabilities, the ability to upload arbitrary files, …
Read More
Episode 79: High Profile Twitter Accounts Compromised in Coordinated Attack
July 17, 2020
A number of high profile Twitter accounts including those of Elon Musk, Apple, Uber, Bill Gates, Joe Biden and others were compromised as a part of a coordinated bitcoin scam attack. The attack lasted a few hours and netted the attackers about $100,000 worth of bitcoin. We talk about how this attack could have possibly …
Read More
2 Million Users Affected by Vulnerability in All in One SEO Pack
July 16, 2020
On July 10, 2020, our Threat Intelligence team discovered a vulnerability in All In One SEO Pack, a WordPress plugin installed on over 2 million sites. This flaw allowed authenticated users with contributor level access or above the ability to inject malicious scripts that would be executed if a victim accessed the wp-admin panel’s ‘all …
Read More
Episode 78: Targeted Phishing Bypassing Security Checks and a new DDoS Record
June 22, 2020
This week, we look at some targeted phishing attacks that are bypassing Microsoft Outlook’s protective filters, and phishing campaigns using calendar invitations to target unsuspecting recipients. We also look at some successful bitcoin scams and a new record for a massive DDoS attack that targeted an AWS customer. Drupal pushes out some security fixes, and …
Read More
WordPress 5.4.2 Patches Multiple XSS Vulnerabilities
June 11, 2020
WordPress Core version 5.4.2 has just been released. Since this release is marked as a combined security and bug fix update, we recommend updating as soon as possible. With that said, most of the security fixes themselves are for vulnerabilities that would require specific circumstances to exploit. All in all this release contains 6 security …
Read More
High Severity Vulnerabilities in PageLayer Plugin Affect Over 200,000 WordPress Sites
May 28, 2020
A few weeks ago, our Threat Intelligence team discovered several vulnerabilities present in Page Builder: PageLayer – Drag and Drop website builder, a WordPress plugin actively installed on over 200,000 sites. The plugin is from the same creators as wpCentral, a plugin within which we recently discovered a privilege escalation vulnerability. One flaw allowed any …
Read More
Vulnerability in Google WordPress Plugin Grants Attacker Search Console Access
May 13, 2020
On April 21st, our Threat Intelligence team discovered a vulnerability in Site Kit by Google, a WordPress plugin installed on over 300,000 sites. This flaw allows any authenticated user, regardless of capability, to become a Google Search Console owner for any site running the Site Kit by Google plugin. We filed a security issue report …
Read More
Episode 75: The WordPress 5.4.1 Security Release & More Plugin Vulnerabilities
May 2, 2020
The Wordfence Threat Intelligence team unpacked the security updates in WordPress 5.4.1, and they published quite a few blog posts about vulnerabilities in popular plugins like Ninja Forms, LearnPress, and the Real-Time Find and Replace plugin. These plugin vulnerabilities affected over one million WordPress sites. As a few of these were Cross Site Request Forgery …
Read More
Unpacking The 7 Vulnerabilities Fixed in Today’s WordPress 5.4.1 Security Update
April 29, 2020
WordPress Core version 5.4.1 has just been released. Since this release is marked as a combined security and bug fix update, we recommend updating as soon as possible. With that said, most of the security fixes themselves are for vulnerabilities that appear to require specific circumstances to exploit. All in all this release contains 7 …
Read More
High Severity Vulnerability Patched in Ninja Forms
On April 27, 2020, the Wordfence Threat Intelligence team discovered a Cross-Site Request Forgery(CSRF) vulnerability in Ninja Forms, a WordPress plugin with over 1 million installations. This vulnerability could allow an attacker to trick an administrator into importing a contact form containing malicious JavaScript and replace any existing contact form with the malicious version. We …
Read More
Breaking WordPress Security Research in your inbox as it happens.
