Critical Vulnerability Patched in Ad Inserter Plugin
Description: Authenticated Remote Code Execution Affected Plugin: Ad Inserter Affected Versions: <= 2.4.21 CVSS Score: 9.9 (Critical) CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H On...

Recent WordPress Vulnerabilities Targeted by Malvertising Campaign
The Defiant Threat Intelligence team has identified a malvertising campaign which is causing victims’ sites to display unwanted popup ads and redirect visitors to malicious destinations, including tech...

Malicious WordPress Redirect Campaign Attacking Several Plugins
Over the past few weeks, our Threat Intelligence team has been tracking an active attack campaign targeting a selection of new and old WordPress plugin vulnerabilities. These attacks seek to...

Ongoing Malvertising Campaign Evolves, Adds Backdoors and Targets New Plugins
In July, we reported on a malvertising campaign which was distributing redirect and popup code through a number of public vulnerabilities affecting the WordPress ecosystem. As mentioned in the article,...

The WordPress 5.2.3 Security Release Unpacked
WordPress core version 5.2.3 has just been released. This is a security release which contains several fixes. I’m going to detail each of them below and unpack what each fix means and add any...

Zero Day Vulnerability in Rich Reviews Plugin Exploited In The Wild
Description: XSS Via Unauthenticated Plugin Options Update Affected Plugin: Rich Reviews Affected Versions: <= 1.7.4 CVSS Score: 8.3 (High) CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L...

Authentication Bypass Vulnerability in GiveWP Plugin
Description: Authentication Bypass with Information Disclosure CVSS v3.0 Score: 7.5 (High) CVSS Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Affected Plugin: GiveWP Plugin Slug: give...

Medium Severity Vulnerability Patched in Fast Velocity Minify Plugin
Description: Full Path Disclosure CVSS v3.0 Score: 4.3 (Medium) CVSS Vector String: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Affected Plugin: Fast Velocity Minify Plugin Slug: fast-velocity-minify...

Open Redirect Vulnerability Patched In Bridge Theme
Description: Open Redirect CVSS v3.0 Score: 7.1 (High) CVSS Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L Affected Software: Two built-in plugins packaged with the Bridge theme – Qode...

Stored XSS Patched in SyntaxHighlighter Evolved Plugin
Description: Stored XSS CVSS Severity Score: 6.1 (Medium) CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Affected Software: SyntaxHighlighter Evolved Plugin Slug: syntaxhighlighter Affected...

WP-VCD: The Malware You Installed On Your Own Site
One of the most prevalent malware infections facing the WordPress ecosystem in recent weeks is a campaign known as WP-VCD. Despite the relatively long existence of the campaign, the Wordfence threat...

Multiple Vulnerabilities Patched in Email Subscribers & Newsletters Plugin
A few weeks ago, our Threat Intelligence team identified several vulnerabilities present in Email Subscribers & Newsletters, a WordPress plugin with approximately 100,000+ active installs. We...

High Severity Vulnerability Patched in WP Maintenance Plugin
Description: Cross-Site Request Forgery to Stored Cross-Site Scripting CVSS v3.0 Score: 8.8 (High) CVSS Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:H Affected Plugin: WP Maintenance...

WP-VCD Evolves To Remain Most Prevalent WordPress Infection
Early last month we released a comprehensive paper covering WP-VCD, the most prevalent malware campaign affecting the WordPress ecosystem in recent memory. In this paper we examined the campaign from a...

Critical Vulnerability Patched in 301 Redirects – Easy Redirect Manager
Description: Authenticated Arbitrary Redirect Injection and Modification Affected Plugin: 301 Redirects – Easy Redirect Manager CVSS Score: 9.0 (Critical) CVSS Vector:...

Multiple Vulnerabilities Patched in Minimal Coming Soon & Maintenance Mode –...
A few weeks ago, our threat intelligence team discovered several vulnerabilities present in Minimal Coming Soon & Maintenance Mode – Coming Soon Page, a WordPress plugin installed on over 80,000...

Critical Authentication Bypass Vulnerability in InfiniteWP Client Plugin
Description: Authentication Bypass Affected Plugin: InfiniteWP Client Affected Versions: < 1.9.4.5 CVSS Score: 9.8 (Critical) CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Patched...

Easily Exploitable Vulnerabilities Patched in WP Database Reset Plugin
On January 7th, our Threat Intelligence team discovered vulnerabilities in WP Database Reset, a WordPress plugin installed on over 80,000 websites. One of these flaws allowed any unauthenticated user...

High Severity CSRF to RCE Vulnerability Patched in Code Snippets Plugin
Description: Cross-Site Request Forgery to Remote Code Execution Affected Plugin: Code Snippets Affected Versions: <= 2.13.3 CVE ID: CVE-2020-8417 CVSS Score: 8.8 (High) CVSS Vector:...

Improper Access Controls in GDPR Cookie Consent Plugin
Description: Improper Access Controls Affected Plugin: GDPR Cookie Consent Affected Versions: <= 1.8.2 CVSS Score: 9.0 (Critical) CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H Patched...