Contrary to Claims by Patchstack and Wordfence the Gutenberg Plugin Doesn’t Contain an Authenticated XSS Vulnerability

Recently there have been conversations popping up over a claim by the WordPress security provider Wordfence that the Gutenberg plugin contains an authenticated persistent cross-site scripting (XSS) vulnerability. On Reddit there were a couple of recent conversations, where…

PSA: Critical POP Chain Allowing Remote Code Execution Patched in WordPress 6.4.2

WordPress 6.4.2 was released today, on December 6, 2023. It includes a patch for a POP chain introduced in version 6.4 that, combined with a separate Object Injection vulnerability, could result in a Critical-Severity vulnerability allowing attackers to execute arbitrary…
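The two halves the PSA describes, a POP (property-oriented programming) gadget and a separate object injection sink that feeds it, can be seen in miniature below. This is an added example written for this page; it is not WordPress core code and the gadget class, file path and hook names are constructed. A POP chain is only a problem when something deserializes attacker-controlled data, so the example pairs a vulnerable unserialize() call with the hardened form.

```php
<?php
// Added example (not WordPress core code). Requires PHP 8.0+.
// The class, the file-write sink and the paths are constructed for illustration.

// Gadget: a class whose magic method does something dangerous with
// attacker-controlled properties when the object is destroyed. Chains of
// such objects are what "POP chain" refers to; one gadget is enough here.
class CacheWriter
{
    public string $path = '/tmp/cache.txt';
    public string $data = '';

    // Runs automatically when the object is garbage-collected, so an attacker
    // who controls the serialized form never has to call anything explicitly.
    public function __destruct()
    {
        file_put_contents($this->path, $this->data);
    }
}

// Object injection sink (vulnerable): deserializing untrusted input with
// default options lets the caller instantiate ANY loaded class and choose
// its property values, which hands them the gadget above.
function restore_state_vulnerable(string $untrusted): mixed
{
    return unserialize($untrusted);
}

// Hardened sink: allowed_classes=false turns every object in the payload
// into __PHP_Incomplete_Class, so no gadget's magic methods ever run.
// (Not deserializing untrusted input at all, e.g. using JSON, is better still.)
function restore_state_hardened(string $untrusted): mixed
{
    return unserialize($untrusted, ['allowed_classes' => false]);
}

// Attacker-controlled payload (constructed). It is built as a string rather
// than via serialize(new CacheWriter()) so that building it does not itself
// trigger __destruct. Format: O:<len>:"<class>":<n>:{<props>}
$path = '/tmp/poc.php';
$code = '<?php phpinfo(); ?>';
$payload = sprintf(
    'O:%d:"%s":2:{s:4:"path";s:%d:"%s";s:4:"data";s:%d:"%s";}',
    strlen('CacheWriter'), 'CacheWriter',
    strlen($path), $path,
    strlen($code), $code
);

// Vulnerable path: the temporary object is destroyed at the end of the
// statement, __destruct fires, and $path is written with attacker content.
restore_state_vulnerable($payload);
echo "vulnerable sink wrote file: ", var_export(file_exists($path), true), PHP_EOL;
@unlink($path);

// Hardened path: the object comes back as __PHP_Incomplete_Class and the
// file is never written.
$restored = restore_state_hardened($payload);
echo "hardened sink returned: ", get_class($restored), PHP_EOL;
echo "hardened sink wrote file: ", var_export(file_exists($path), true), PHP_EOL;
```

Note the division of responsibility this illustrates: the 6.4 fix removed a gadget from core, but the PSA is explicit that the gadget only becomes exploitable through a separate object injection sink, typically in a plugin or theme. Plugin authors therefore still need to treat every unserialize() on request data as the real entry point and either drop it for JSON or pass `['allowed_classes' => false]` (or an explicit list of expected classes).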

WordPress Security Optimizer Firewall Review: It Doesn’t Actually Contain One

Recently SiteGround rebranded their SiteGround Security plugin as Security Optimizer. Along with that new name came new marketing. While the new marketing text for it on the WordPress Plugin Directory doesn’t mention that it contains a firewall, it wouldn’t be…

Wordfence’s “Highly Credentialed and Industry-Leading Vulnerability Researchers and Analysts” Don’t Understand Local File Inclusion

Last week we noted how the WordPress security provider Wordfence was criticizing another provider of WordPress plugin vulnerability data for doing something they also do. That situation involved them mislabeling a security issue as a vulnerability in the very popular…

Security Provider CloudFlare Providing Service for Phishing Campaign Targeting WordPress Websites

A recent phishing campaign is targeting administrators of WordPress websites, trying to get them to install malicious code on websites. The phishing campaign was reported to be using the domain name en-gb-wordpress.org. The domain name servers for that belong to…

Wordfence Premium Added “Real-Time Firewall Protection” for Plugin Vulnerability Over Two Months After It Was Disclosed

In the middle of August, we publicly warned that the WordPress plugin WooODT Lite contained an authenticated option update vulnerability, which would allow logged-in attackers to change arbitrary WordPress options (settings). The possibility of the vulnerability was flagged by proactive…
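The vulnerability class named above, an authenticated option update, is a common WordPress plugin pattern: an admin-ajax handler that takes an option name and value from the request and calls update_option() without checking who is asking or which option is being touched. The example below is added for this page and is not WooODT Lite's code; the hook names, nonce action and option allowlist are constructed. It shows the vulnerable handler beside a hardened one so the missing checks are visible.

```php
<?php
// Added example (not WooODT Lite's code). Runs inside a WordPress plugin;
// all wp_* / *_option functions below are WordPress core APIs.
// Hook names, nonce action and the option allowlist are constructed.

// VULNERABLE: admin-ajax.php is reachable by any logged-in user, including
// subscribers. Sanitizing the strings does nothing for authorization: the
// caller still picks BOTH the option key and its value, so they can set
// users_can_register=1 and default_role=administrator, or change siteurl/home.
add_action('wp_ajax_demo_save_setting', 'demo_save_setting_vulnerable');
function demo_save_setting_vulnerable(): void
{
    $name  = sanitize_text_field(wp_unslash($_POST['name'] ?? ''));
    $value = sanitize_text_field(wp_unslash($_POST['value'] ?? ''));
    update_option($name, $value);   // arbitrary option write
    wp_send_json_success();
}

// HARDENED: three independent controls.
//  1. check_ajax_referer: nonce, defends against CSRF (dies on failure).
//  2. current_user_can('manage_options'): authorization; this is the check
//     that stops a logged-in low-privilege attacker, who can obtain a nonce.
//  3. Allowlist: the handler may only write the options this feature owns,
//     each with its own sanitizer, so no caller-chosen key ever reaches
//     update_option().
const DEMO_ALLOWED_OPTIONS = [
    'demo_delivery_window' => 'sanitize_text_field',
    'demo_enable_pickup'   => 'rest_sanitize_boolean',
];

add_action('wp_ajax_demo_save_setting_safe', 'demo_save_setting_hardened');
function demo_save_setting_hardened(): void
{
    check_ajax_referer('demo_save_setting', '_ajax_nonce');

    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);   // exits
    }

    $name = isset($_POST['name']) ? (string) wp_unslash($_POST['name']) : '';
    if (!array_key_exists($name, DEMO_ALLOWED_OPTIONS)) {
        wp_send_json_error('unknown option', 400);   // exits
    }

    $sanitize = DEMO_ALLOWED_OPTIONS[$name];
    $value    = $sanitize(wp_unslash($_POST['value'] ?? ''));
    update_option($name, $value);
    wp_send_json_success();
}
```

When reviewing a plugin for this class of issue, the quick test is to grep for update_option() (and update_site_option()) and ask, for each call, whether the option name can be influenced by the request and whether a capability check, not just a nonce or a sanitizer, sits in front of it. A nonce alone is not enough here because the attacker in this scenario is already logged in and can usually read a valid nonce off a page they are allowed to see.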

Disabled Protection in WordPress Firewall Plugin With Only 10+ Installs Provides 5th Best Zero-Day Protection

One method we have to measure the protection that WordPress firewall plugins offer is part of the regression testing software for our own firewall plugin. That software allows us to make sure the default protection against zero-days, which are vulnerabilities…

Update ASAP! Critical Unauthenticated Arbitrary File Upload in MW WP Form Allows Malicious Code Execution

Wordfence just launched its bug bounty program. Through December 20th 2023, all researchers will earn 6.25x our normal bounty rates when Wordfence handles responsible disclosure for our Holiday Bug Extravaganza! Register as a researcher and submit your vulnerabilities today! On…

Latest Release of Contact Form 7 Didn’t Actually Fix Authenticated (Editor+) Arbitrary File Upload Vulnerability

Recently, the WordPress security provider Wordfence was criticizing another provider, Patchstack, for incentivizing low quality claims of vulnerabilities in WordPress plugins: “There are an extremely high number of low risk and low quality vulnerabilities being submitted to databases like Patchstack,”…

PSA: Fake CVE-2023-45124 Phishing Scam Tricks Users Into Installing Backdoor Plugin

The Wordfence Threat Intelligence Team has recently been informed of a phishing campaign targeting WordPress users. The phishing email claims to be from the WordPress team and warns of a Remote Code Execution vulnerability on the user’s site with an…

Developer of Solid Security Thinks That Their Plugin Shouldn’t Be Easier To Secure Than Chrome Web Browser

This week we have covered plenty of questionable behavior by the developer of the 900,000+ install WordPress security plugin Solid Security. From focusing their plugin on a non-existent threat to responding to the plugin failing to prevent an infection by…

Earn up to $10,000 for Vulnerabilities in WordPress Software – 6X Rewards in the Wordfence Holiday Bug Extravaganza!

At Wordfence our mission is to Secure The Web. WordPress powers over 40% of the Web, and Wordfence secures over 4 million WordPress websites. Today we are announcing that for the next 20 days, Wordfence will be paying out some…

Skimming Credit Cards with WebSockets

If you were to believe shopping mall merchants, you’d think the holiday season starts immediately after Halloween. Christmas trees and candy canes abound, along with the same songs played on repeat that we hear every year ad nauseam. However, the…

Siteground’s Security Plugin’s Advanced XSS Protection Isn’t Protection, Advanced or Otherwise

SiteGround recently rebranded their SiteGround Security plugin for WordPress to Security Optimizer. That plugin has 1+ million installs according to WordPress.org stats. Like a lot of security plugins, the developer makes strong claims about what it offers. They start their…

Developer Responds to Solid Security Pro Not Preventing Infection by Claiming It is Focused on Malware Prevention

A recent negative review of the WordPress security plugin Solid Security claimed that the reviewer was using the Pro version and “my website was infected while this plugin was installed, so it was not really helpful to prevent the infection.”…

Wordfence Intelligence Weekly WordPress Vulnerability Report (November 20, 2023 to November 26, 2023)

Wordfence just launched its bug bounty program. For the first 6 months, all awarded bounties receive a 10% bonus. View the announcement to learn more now! Last week, there were 115 vulnerabilities disclosed in 87 WordPress Plugins and 1 WordPress…

Solid Security Firewall Review: It Doesn’t Contain One and Doesn’t Prevent Exploitation of Plugin Vulnerabilities

Recently, the iThemes Security plugin was rebranded as Solid Security. Alongside that came new misleading marketing about what protection it offers. Among those is the claim that “Solid Security shields your site from cyberattacks and prevents security vulnerabilities.” They also…