Wordfence is now a CVE Numbering Authority (CNA)
Today, we are excited to announce that Wordfence is authorized by the Common Vulnerabilities and Exposures (CVE®) Program as a CNA, or CVE Numbering Authority. As a CNA, Wordfence can now assign CVE...
Malicious Attack Campaign Targeting Jetpack Users Reusing Passwords
The Wordfence Threat Intelligence and Site Cleaning teams have been tracking a malware campaign that redirects all site visitors to malvertising domains, while attempting to keep site administrators...
High Severity Vulnerability Patched in WooCommerce Stock Manager Plugin
On May 21, 2021, the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability that we discovered in WooCommerce Stock Manager, a WordPress plugin installed on...
Cross-Site Request Forgery Patched in WP Fluent Forms
On March 2, 2021, the Wordfence Threat Intelligence team responsibly disclosed a Cross-Site Request Forgery (CSRF) vulnerability in WP Fluent Forms, a WordPress plugin installed on over 80,000 sites....
Service Vulnerabilities: Shared Hosting Symlink Security Issue Still Widely...
The Wordfence site cleaning team helps numerous customers recover from malware infections and site intrusions. While doing so, Wordfence Security Analysts perform a detailed forensic investigation in...
Easily Exploitable Critical Vulnerabilities Patched in ProfilePress Plugin
On May 27, 2021, the Wordfence Threat Intelligence team initiated the responsible disclosure process for several vulnerabilities that were discovered in ProfilePress, formerly WP User Avatar, a...
Common WordPress Vulnerabilities and Prevention Through Secure Coding Best...
WordPress has experienced exponential growth in the past several years and now holds over 42% of the CMS market share for all major sites. There are over 50,000 plugins available to download in the...
Critical SQL Injection Vulnerability Patched in WooCommerce
Update: The article originally credited Tommy DeVoss (dawgyg) for the discovery. We’ve since been contacted by Tommy, who let us know that the credit should go to another researcher, Josh from DOS...
Nulled WordPress Plugins – Dangers and Downsides
In our 2020 Threat Report, the Wordfence Threat Intelligence Team identified malware distributed via nulled, pirated, or counterfeit plugins and themes as one of the largest threats facing the...
You’ve Found a Vulnerability! Now What? A Guide to Responsible Disclosure.
Information security researchers make a valuable contribution to our online security by finding vulnerabilities and facilitating getting them fixed. Wordfence has been finding and disclosing...
Multiple Vulnerabilities Patched in WordPress Download Manager
On May 4, 2021, the Wordfence Threat Intelligence Team initiated the responsible disclosure process for WordPress Download Manager, a WordPress plugin installed on over 100,000 sites. We found two...
2021 Mid-Year WordPress Security Report: A Collaboration Between Wordfence...
Wordfence has collaborated with WPScan to conduct a 2021 mid-year review on the state of WordPress security. Using attack data from Wordfence’s internal threat intelligence platform, and vulnerability...
XSS Vulnerability Patched in SEOPress Affects 100,000 Sites
On July 29, 2021 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability that we discovered in SEOPress, a WordPress plugin installed on over 100,000...
WordPress Malware Camouflaged As Code
In today’s post we discuss emerging techniques that attackers are using to hide the presence of malware. In the example we discuss below, the attacker’s goal is to make everything look routine to an...
Critical Authentication Bypass Vulnerability Patched in Booster for WooCommerce
On July 30, 2021 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability that we discovered in Booster for WooCommerce, a WordPress plugin installed on...
Nested Pages Patches Post Deletion Vulnerability
On August 13, 2021, the Wordfence Threat Intelligence team responsibly disclosed two vulnerabilities in Nested Pages, a WordPress plugin installed on over 80,000 sites that provides drag and drop...
Over 1 Million Sites Affected by Gutenberg Template Library & Redux Framework...
On August 3, 2021, the Wordfence Threat Intelligence team initiated the disclosure process for two vulnerabilities we discovered in the Gutenberg Template Library & Redux Framework plugin, which is...
Recently Patched Vulnerabilities in Ninja Forms Plugin Affect Over 1 Million...
On August 3, 2021 the Wordfence Threat Intelligence team initiated the responsible disclosure process for two vulnerabilities that were discovered in Ninja Forms, a WordPress plugin installed on over...
PHP_SELFish Part 1 – Reflected XSS in underConstruction Plugin
Today’s post is part one of a two-part blog post. It describes a cross-site scripting vulnerability that exploits the PHP_SELF variable. Tomorrow we will publish part two, which describes another...
PHP_SELFish Part 2 – Reflected XSS in Easy Social Icons
Today’s post is part two of a two-part blog post. It describes a cross-site scripting vulnerability in the Easy Social Icons plugin that exploits the PHP_SELF variable. In yesterday’s post, we...