Two weeks ago, we looked at inaccurate information about claimed vulnerabilities in WordPress plugins, where a journalist was citing information from the National Vulnerability Database (NVD): The U.S government National Vulnerability Database (NVD) published warnings of vulnerabilities in five WooCommerce Continue reading Severity Scores From NIST’s National Vulnerability Database (NVD) Are Not Reliable
WordPress security providers often make extraordinary claims about their services, which not only couldn’t be true, but even to the extent they could deliver something reasonably close to it, they fail to do that. The service Patchstack makes this claim Continue reading Patchstack Didn’t Provide Early Alert and Protection For Vulnerability Likely Being Targeted by Hacker
Currently, in our dataset of vulnerabilities in WordPress plugins, there are plugins with at least 8.16 million active installs that are still available through the WordPress Plugin Directory despite the plugins being known to contain security vulnerabilities. That is a Continue reading WordPress Plugin Returns to Plugin Directory Without Vulnerability Being Resolved
Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises. To help educate website owners on emerging threats to their environments, we’ve Continue reading WordPress Vulnerability & Patch Roundup November 2022
Configuration files exist to make life easier for developers and website operators. In a world without configuration files, every instance of code that depended on a database connection could potentially require the connection details to be hard coded or manually Continue reading Configuration Probing: Your Backups Might Be Your Greatest Weakness
You’re about to make an online purchase but all of a sudden you’re asked to decode a strangely twisted word, make a simple calculation, or identify which images presented include a bus. What just happened? What is this popup that Continue reading Why You Need CAPTCHA on Your WordPress Website
There is often a wide gap between the claims of WordPress security providers and reality. That has often been the case with Patchstack going back to its precursors, WebARX and ThreatPress. This week Patchstack started promoting that it is providing Continue reading Patchstack’s Early Alert For WordPress Plugin Vulnerability is Actually Public Info Copied From Competitor
During the weekend, third-party data we monitor recorded what appeared to be a hacker probing for usage of the WordPress plugin ContentStudio. The requests are looking for the plugin’s readme.txt file: /wp-content/plugins/contentstudio/readme.txt [Read more] ShareTweetSharePostSharePin It!
Wordfence 7.8.0 is out! A huge thanks to our quality assurance team, our team of developers and our ops team for planning, implementing and releasing Wordfence 7.8.0. This release has several fixes to make Wordfence even more robust, and includes Continue reading Wordfence 7.8.0 Is Out! Here Is What Is Included
In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic Continue reading Not Really a WordPress Plugin Vulnerability, Week of November 25
When reviewing security changes being made in WordPress plugins used by our customers, it isn’t uncommon for us to find that developers have failed to fully fix the vulnerabilities, or as was the case recently with a plugin with 300,000+ Continue reading WordPress Plugins Failing to Include Needed Capabilities Check for AJAX Accessible Functionality
On November 15th, Ben Martin reported a new type of WordPress infection resulting in the injection of SocGholish scripts into web pages. The attack loads zipped malicious templates from WordPress theme and fake plugins files before extracting the SocGholish script, Continue reading New Wave of SocGholish cid=27x Injections
This Black Friday, we are offering an amazing 50% discount on all new plugin subscriptions. This is the perfect opportunity to shore up your WordPress security and administration (at a hefty discount) as we head into a busy festive season. Continue reading Black Friday deals 2022
Sure, there are tons of one-click installers floating around for WordPress. But they’re not always the most secure option — and can still be tedious to use, especially if you need to update default configurations after installation. But what if Continue reading WP-CLI: How to Install WordPress via SSH
Most modern web browsers and search authorities like Google have a vested interest in protecting their users from malware. Warning messages like “This site may harm your computer” are a clear way for services to educate and protect end users Continue reading How to Fix the “This Site May Harm Your Computer” Warning
The CVE program, which claims to be sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) (we tried to confirm that with CISA, but got no reply), is supposed to provide a unique identifier Continue reading CVE’s CNA Program Is Causing Them to Fail in Their Stated Mission
CVE is a program that is supposed to provide unique identifiers for vulnerabilities and as we will get to shortly, it also is a path for directing software vulnerability reports away from developers to at least one security company selling Continue reading CISA Provides No Explanation for Sponsoring Program That Directs Vulnerability Report Info to Hackers
Earlier today someone posted on the support forum for the 200,000+ active install WordPress plugin Activity Log with the subject “Critical Exploit: Disable plugin Immediately!” and wrote this: As reposted by CISA and NIST, NVD this plugin has a critical Continue reading VulDB’s Alarmism on Display With False Claim of “Critical” Vulnerability in WordPress Plugin Activity Log
Readers of this blog should already be familiar with SocGholish: a widespread, years-long malware campaign aimed at pushing fake browser updates to unsuspecting web users. Once installed, fake browser updates infect the victim’s computer with various types of malware including Continue reading New SocGholish Malware Variant Uses Zip Compression & Evasive Techniques
When setting up a WordPress website, it is easy to focus on the look and feel of the website, while overlooking the important aspect of security. This makes sense, because the security of a website is largely invisible until something Continue reading Not Just for the Government: Using the NIST Framework to Secure WordPress