
WooCommerce Security Issue Plays Critical Role in Exploiting Serious Vulnerabilities in Other Plugins

In March, the details of a vulnerability that had been fixed in a WordPress plugin that extends the functionality of the plugin WooCommerce were disclosed. The exploitability of it should have been limited as it required having access to a …

How to Update, Install & Remove WordPress Plugins & Themes With WP-CLI

WordPress, like other open-source content management systems, allows you to enhance your website’s appearance and functionality through custom code and third-party components like plugins and themes. It’s these extensions that allow you to publish content with added functionality for your …

Wordfence Intelligence Weekly WordPress Vulnerability Report (May 22, 2023 to May 28, 2023)

Last week, there were 90 vulnerabilities disclosed in 77 WordPress Plugins and no WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 29 Vulnerability Researchers that contributed to WordPress Security last week. Review those …

Why should I worry about securing my WordPress emails?

Emails are everywhere. They have become one of the most common methods of communication among people over the Internet. WordPress administrators and website owners use emails for various purposes, such as personal and professional communication, marketing, recruitment, and more. Emails …

WPDeveloper Addresses Privilege Escalation Vulnerability in ReviewX WordPress Plugin

On May 20, 2023, our Wordfence Threat Intelligence team identified and began the responsible disclosure process for a Privilege Escalation vulnerability in WPDeveloper’s ReviewX plugin, which is actively installed on more than 10,000 WordPress websites. This vulnerability makes it possible …

WordPress Vulnerability & Patch Roundup May 2023

Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises. To help educate website owners on emerging threats to their environments, we’ve …

How to Secure Your Online Store: A Ecommerce Security Primer

Welcome to another installment in helping website owners secure their digital assets, this time with a focus on the world of ecommerce. If you’re an ecommerce website owner, you’re likely aware that online stores face a unique set of challenges …

Wordfence Intelligence Weekly WordPress Vulnerability Report (May 15, 2023 to May 21, 2023)

Last week, there were 82 vulnerabilities disclosed in 59 WordPress Plugins and 11 WordPress themes, along with 6 in WordPress Core, that have been added to the Wordfence Intelligence Vulnerability Database, and there were 26 Vulnerability Researchers that contributed to …

Wordfence Firewall Blocks Bizarre Large-Scale XSS Campaign

The Wordfence Threat Intelligence team has been monitoring an increase in attacks targeting a Cross-Site Scripting vulnerability in Beautiful Cookie Consent Banner, a WordPress plugin installed on over 40,000 sites. The vulnerability, which was fully patched in January in version …

W3 Eden Addresses Authenticated Stored XSS Vulnerability in Download Manager WordPress Plugin

On April 25, 2023, our Wordfence Threat Intelligence team identified and began the responsible disclosure process for a stored Cross-Site Scripting (XSS) vulnerability in W3 Eden’s Download Manager plugin, which is actively installed on more than 100,000 WordPress websites, making …

Vulnerability in Essential Addons for Elementor Leads to Mass Infection

On May 11th, 2023, the very popular WordPress plugin Essential Addons for Elementor released a patch for a critical privilege escalation vulnerability, initially discovered by PatchStack. The technical details of this vulnerability can be found on their recent blog post.

Wordfence Intelligence Weekly WordPress Vulnerability Report (May 8, 2023 to May 14, 2023)

Last week, there were 139 vulnerabilities disclosed in 105 WordPress Plugins and 2 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 47 Vulnerability Researchers that contributed to WordPress Security last week. Review those …

PSA: Attackers Actively Exploiting Critical Vulnerability in Essential Addons for Elementor

On May 11 2023, Essential Addons for Elementor, a WordPress plugin with over one million active installations, released a patch for a critical vulnerability that made it possible for any unauthenticated user to reset arbitrary user passwords, including user accounts …

WordPress 6.2.1 Security & Maintenance Release

On May 16, 2023, the WordPress core team released a crucial update — WordPress 6.2.1. This latest security and maintenance release addresses a number of bug fixes and vulnerability patches, including an unauthenticated Directory Traversal vulnerability, unauthenticated Cross-Site Scripting vulnerability, …

Vulnerability Assessments and Penetration Testing Are Not Essential for Addressing Security Risks on WordPress Websites

A recent SecurityWeek headline claimed that a Ferrari website was put at risk by a WordPress plugin: “WordPress Plugin Vulnerability Exposed Ferrari Website to Hackers”. While a WordPress plugin was involved, it shouldn’t have been the focus of the headline.

Akamai SIG’s Advanced Custom Fields (ACF) Attack Claim Confuses Script Kiddie With Attacker

In the past couple of days there have been scary sounding claims from journalists related to a recently fixed reflected cross-site scripting (XSS) vulnerability in the WordPress plugin Advanced Custom Fields (ACF), which we had detailed on May 4 after …

WordPress Core 6.2.1 Security & Maintenance Release – What You Need to Know

On May 16, 2023, the WordPress core team released WordPress 6.2.1, which contains patches for 5 vulnerabilities, including a Medium Severity Directory Traversal vulnerability, a Medium-Severity Cross-Site Scripting vulnerability, and several lower-severity vulnerabilities. These patches have been backported to every …

Websites Defaced with Belarusian Bottled Water Company Content

It’s not often that we get the opportunity to write about website defacements on this blog. Defacements — where a website homepage is replaced with a hacker logo or some sort of political or religious message — are usually fairly …