Unauthenticated SQL Injection Vulnerability Patched in WordPress Statistics...
On February 7, 2022, Security Researcher Cyku Hong from DEVCORE reported a vulnerability to us that they discovered in WP Statistics, a WordPress plugin installed on over 600,000 sites. This...

Reflected Cross-Site Scripting Vulnerability Patched in WordPress Profile...
On January 4, 2022 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability we discovered in “Profile Builder – User Profile & User Registration...

Vulnerability in UpdraftPlus Allowed Subscribers to Download Sensitive Backups
Update: a previous version of this article indicated that an attacker would need to begin their attack when a backup was in progress, and would need to guess the appropriate timestamp to download a...

Reflected XSS in Header Footer Code Manager
On February 15, 2022, the Wordfence Threat Intelligence team responsibly disclosed a reflected Cross-Site Scripting (XSS) vulnerability in Header Footer Code Manager, a WordPress plugin with over...

Entering a Higher State of Vigilance – Ukraine Under Attack
It appears that Russia has just commenced the invasion of Ukraine. Check your preferred international news outlet, but according to the Ukrainian foreign minister “Putin has just launched a full-scale...

Stored Cross-Site Scripting Vulnerability Patched in a WordPress Photo...
On November 11, 2021 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability we discovered in “Photoswipe Masonry Gallery”, a WordPress plugin that is...

Ukraine Universities Hacked By Brazilian Via Finland As Russian Invasion Started
The Wordfence team has identified a massive attack on Ukrainian universities that coincided with the invasion of Ukraine by Russia, and resulted in at least 30 compromised Ukrainian university...

We’re Now Blocking 10,000 Requests Per Hour in Ukraine From Known Malicious IPs
48 hours ago we deployed our commercial real-time threat intelligence automatically, and for free, to all Ukrainian websites with the .UA top-level domain. That has made over 8,000 sites in Ukraine...

WordPress 5.9.2 Security Update Fixes XSS and Prototype Pollution...
Last night, just after 6pm Pacific time, on Thursday March 10, 2022, the WordPress core team released WordPress version 5.9.2, which contains security patches for a high-severity vulnerability as well...

Increase In Malware Sightings on GoDaddy Managed Hosting
Today, March 15, 2022, the Wordfence Incident Response team alerted our Threat Intelligence team to an increase in infected websites hosted on GoDaddy’s Managed WordPress service, which includes...

Reflected XSS in Spam protection, AntiSpam, FireWall by CleanTalk
On February 15, 2022, the Wordfence Threat Intelligence team finished research on two separate vulnerabilities in Spam protection, AntiSpam, FireWall by CleanTalk, a WordPress plugin with over 100,000...

Critical Authentication Bypass Vulnerability Patched in SiteGround Security...
On March 10, 2022 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability we discovered in “SiteGround Security”, a WordPress plugin that is installed on...

Critical Remote Code Execution Vulnerability in Elementor
On March 29, 2022, the Wordfence Threat Intelligence team initiated the disclosure process for a critical vulnerability in the Elementor plugin that allowed any authenticated user to upload arbitrary...

PHP Object Injection Vulnerability in Booking Calendar Plugin
On April 18, 2022, the Wordfence Threat Intelligence team initiated the responsible disclosure process for an Object Injection vulnerability in the Booking Calendar plugin for WordPress, which has over...

Millions of Attacks Target Tatsu Builder Plugin
The Wordfence Threat Intelligence team has been tracking a large-scale attack against a Remote Code Execution vulnerability in Tatsu Builder, which is tracked by CVE-2021-25094 and was publicly...

Critical Privilege Escalation Vulnerability in Jupiter and JupiterX Premium...
On April 5, 2022, the Wordfence Threat Intelligence team initiated the responsible disclosure process for a set of vulnerabilities in the Jupiter and JupiterX Premium themes and the required JupiterX...

The Cybersecurity CIA Triad: What You Need to Know as a WordPress Site Owner
One of the core concepts of cybersecurity is known as the CIA Triad. There are three pillars to the triad, with each pillar being designed to address an aspect of securing data. These three pillars are...

Cross-Site Scripting Vulnerability In Download Manager Plugin
On May 30, 2022, Security Researcher Rafie Muhammad reported a reflected Cross-Site Scripting (XSS) vulnerability to us that they discovered in Download Manager, a WordPress plugin installed on over...

PSA: Critical Vulnerability Patched in Ninja Forms WordPress Plugin
On June 16, 2022, the Wordfence Threat Intelligence team noticed a back-ported security update in Ninja Forms, a WordPress plugin with over one million active installations. As with all security...

PSA: Sudden Increase In Attacks On Modern WPBakery Page Builder Addons...
The Wordfence Threat Intelligence team has been monitoring a sudden increase in attack attempts targeting Kaswara Modern WPBakery Page Builder Addons. This ongoing campaign is attempting to take...