Critical Vulnerability Patched in WooCommerce Upload Files
On December 29, 2020, the Wordfence Threat Intelligence team was alerted to a potential 0-day vulnerability in the WooCommerce Upload Files plugin, an add-on for WooCommerce with over 5,000...
Critical 0-day in The Plus Addons for Elementor Allows Site Takeover
UPDATE 2: As of late March 9th, 2021, the vulnerabilities have been fully patched in version 4.1.7. We highly recommend updating to this version immediately to keep your sites secure. Special thanks...
Several Vulnerabilities Patched in Tutor LMS Plugin
On December 15, 2020, our Threat Intelligence team responsibly disclosed several vulnerabilities in Tutor LMS, a WordPress plugin installed on over 20,000 sites. The first five flaws made it possible...
Cross-Site Scripting Vulnerabilities in Elementor Impact Over 7 Million Sites
On February 23, 2021, the Wordfence Threat Intelligence team responsibly disclosed a set of stored Cross-Site Scripting vulnerabilities in Elementor, a WordPress plugin which “is now actively installed...
Recently Patched Vulnerability in Thrive Themes Actively Exploited in the Wild
On March 23, 2021, the Wordfence Threat Intelligence Team discovered two recently patched vulnerabilities being actively exploited in Thrive Theme’s “Legacy” Themes and Thrive Theme plugins that were...
Two Vulnerabilities Patched in Facebook for WordPress Plugin
On December 22, 2020, our Threat Intelligence team responsibly disclosed a vulnerability in Facebook for WordPress, formerly known as Official Facebook Pixel, a WordPress plugin installed on over...
PHP Compromised: What WordPress Users Need to Know
Late Sunday night, on March 28, 2021, Nikita Popov, a core PHP committer, released a statement indicating that two malicious commits had been pushed to the php-src git repository. These commits were...
Ten Password Mistakes That Could Get Your WordPress Site Hacked
A few months ago on Wordfence Live, we reviewed some of the worst website hacks we’ve ever seen. Every one of them started with poor password choices and escalated into a disastrous event for the site...
Vulnerabilities Patched in WP Page Builder
On February 15, 2021, the Wordfence Threat Intelligence team began the responsible disclosure process for several vulnerabilities in WP Page Builder, a plugin installed on over 10,000 sites. These...
Recent Patches Rock the Elementor Ecosystem
This post has been updated with additional plugins that have been patched since its original publication. We will continue to add plugins as they are patched. Over the last few weeks, the Wordfence...
Widespread Attacks Continue Targeting Vulnerabilities in The Plus Addons for...
Over the past 10 days, Wordfence has blocked over 14 million attacks targeting Privilege Escalation Vulnerabilities in The Plus Addons for Elementor Pro on over 75% of sites reporting attacks during...
Severe Vulnerabilities Patched in Redirection for Contact Form 7 Plugin
On February 11, 2021, our Threat Intelligence team responsibly disclosed several vulnerabilities in Redirection for Contact Form 7, a WordPress plugin used by over 200,000 sites. One of these flaws...
PSA: Remove Kaswara Modern WPBakery Page Builder Addons Plugin Immediately
Today, April 21, 2021, the Wordfence Threat Intelligence team became aware of a critical 0-day vulnerability that is being actively exploited in Kaswara Modern WPBakery Page Builder Addons, a premium...
Severe Unpatched Vulnerabilities Leads to Closure of Store Locator Plus Plugin
On March 5, 2021, the Wordfence Threat Intelligence team wrapped up an investigation that led to the discovery of a privilege escalation vulnerability along with several additional vulnerabilities in...
SQL Injection Vulnerability Patched in CleanTalk AntiSpam Plugin
On March 4, 2021, the Wordfence Threat Intelligence team initiated responsible disclosure for a Time-Based Blind SQL Injection vulnerability discovered in Spam protection, AntiSpam, FireWall by...
Critical Vulnerability Patched in External Media Plugin
On February 2, 2021, our Threat Intelligence team responsibly disclosed the details of a vulnerability in External Media, a WordPress plugin used by over 8,000 sites. This flaw made it possible for...
WordPress 5.7.2 Security Release: What You Need to Know
On May 13, 2021 01:00 UTC, WordPress core released a security patch for a Critical Object Injection vulnerability in PHPMailer, the component that WordPress uses to send emails by default. If your site...
Over 600,000 Sites Impacted by WP Statistics Patch
On March 13, 2021, the Wordfence Threat Intelligence team initiated responsible disclosure for a vulnerability in WP Statistics, a plugin installed on over 600,000 WordPress sites. The vulnerability...
Severe Vulnerabilities Patched in Simple 301 Redirects by BetterLinks Plugin
On April 8, 2021, the Wordfence Threat Intelligence team initiated the responsible disclosure process for several vulnerabilities discovered in Simple 301 Redirects by BetterLinks, a WordPress plugin...
Critical 0-day in Fancy Product Designer Under Active Attack
Update: A patched version of Fancy Product Designer, 4.6.9, is now available as of June 2, 2021. This article has been updated to reflect newly available information, including Indicators of...