Research – Page 3

WebToffee Addresses Authentication Bypass Vulnerability in Stripe Payment Plugin for WooCommerce WordPress Plugin

Posted on 1 August 2023 by

On June 8, 2023, our Wordfence Threat Intelligence team identified and began the responsible disclosure process for an Authentication Bypass vulnerability in WebToffee’s Stripe Payment Plugin for WooCommerce plugin, which is actively installed on more than 10,000 WordPress websites. This Continue reading WebToffee Addresses Authentication Bypass Vulnerability in Stripe Payment Plugin for WooCommerce WordPress Plugin→

Interesting Arbitrary File Upload Vulnerability Patched in User Registration WordPress Plugin

Posted on 12 July 2023 by

On June 19, 2023, the Wordfence Threat Intelligence team identified and began the responsible disclosure process for an Arbitrary File Upload vulnerability in WPEverest’s User Registration plugin, which is actively installed on more than 60,000 WordPress websites. This vulnerability makes Continue reading Interesting Arbitrary File Upload Vulnerability Patched in User Registration WordPress Plugin→

Dissecting a Clever Malware Sample for Optimized Detection and Protection

Posted on 11 July 2023 by

As part of our product lineup, we offer security monitoring and malware removal services to our Wordfence Care and Response customers. In case of a security incident, our incident response team will investigate the root cause, find and remove malware Continue reading Dissecting a Clever Malware Sample for Optimized Detection and Protection→

miniOrange Addresses Authentication Bypass Vulnerability in WordPress Social Login and Register WordPress Plugin

Posted on 28 June 2023 by

On May 28, 2023, our Wordfence Threat Intelligence team identified and began the responsible disclosure process for an Authentication Bypass vulnerability in miniOrange’s WordPress Social Login and Register plugin, which is actively installed on more than 30,000 WordPress websites. The Continue reading miniOrange Addresses Authentication Bypass Vulnerability in WordPress Social Login and Register WordPress Plugin→

Arbitrary User Password Change Vulnerability in LearnDash LMS WordPress Plugin

Posted on 27 June 2023 by

On June 5, 2023, our Wordfence Threat Intelligence team identified, and began the responsible disclosure process, for an Arbitrary User Password Change vulnerability in LearnDash LMS plugin, a WordPress plugin that is actively installed on more than 100,000 WordPress websites Continue reading Arbitrary User Password Change Vulnerability in LearnDash LMS WordPress Plugin→

StylemixThemes Addresses Authentication Bypass Vulnerability in BookIt WordPress Plugin

Posted on 20 June 2023 by

On May 22, 2023, our Wordfence Threat Intelligence team identified and began the responsible disclosure process for an Authentication Bypass vulnerability in StylemixThemes’s BookIt plugin, which is actively installed on more than 10,000 WordPress websites. The vulnerability makes it possible Continue reading StylemixThemes Addresses Authentication Bypass Vulnerability in BookIt WordPress Plugin→

Tyche Softwares Addresses Authentication Bypass Vulnerability in Abandoned Cart Lite for WooCommerce WordPress Plugin

Posted on 19 June 2023 by

On May 29, 2023, our Wordfence Threat Intelligence team identified and began the responsible disclosure process for an Authentication Bypass vulnerability in Tyche Softwares’s Abandoned Cart Lite for WooCommerce plugin, which is actively installed on more than 30,000 WordPress websites. Continue reading Tyche Softwares Addresses Authentication Bypass Vulnerability in Abandoned Cart Lite for WooCommerce WordPress Plugin→

Critical Security Update: Directorist WordPress Plugin Patches Two High-risk Vulnerabilities

Posted on 7 June 2023 by

Alongside our usual work to discover, report, and remediate vulnerabilities in the WordPress ecosystem, the WordPress Threat Intelligence team has been conducting a deep-dive into WordPress plugin code with the objective of finding methods to bypass authentication and gain elevated Continue reading Critical Security Update: Directorist WordPress Plugin Patches Two High-risk Vulnerabilities→

Credential-Stealing Server Side Request Forgery Patched in Getwid

Posted on 6 June 2023 by

On April 6, 2023, the Wordfence Threat Intelligence team initiated the responsible disclosure process for two vulnerabilities in Getwid – Gutenberg Blocks, a plugin installed on over 50,000 WordPress sites. The plugin’s developers responded immediately, and we sent over the Continue reading Credential-Stealing Server Side Request Forgery Patched in Getwid→

WPDeveloper Addresses Privilege Escalation Vulnerability in ReviewX WordPress Plugin

Posted on 31 May 2023 by

On May 20, 2023, our Wordfence Threat Intelligence team identified and began the responsible disclosure process for a Privilege Escalation vulnerability in WPDeveloper’s ReviewX plugin, which is actively installed on more than 10,000 WordPress websites. This vulnerability makes it possible Continue reading WPDeveloper Addresses Privilege Escalation Vulnerability in ReviewX WordPress Plugin→

Wordfence Firewall Blocks Bizarre Large-Scale XSS Campaign

Posted on 24 May 2023 by

The Wordfence Threat Intelligence team has been monitoring an increase in attacks targeting a Cross-Site Scripting vulnerability in Beautiful Cookie Consent Banner, a WordPress plugin installed on over 40,000 sites. The vulnerability, which was fully patched in January in version Continue reading Wordfence Firewall Blocks Bizarre Large-Scale XSS Campaign→

W3 Eden Addresses Authenticated Stored XSS Vulnerability in Download Manager WordPress Plugin

Posted on 22 May 2023 by

On April 25, 2023, our Wordfence Threat Intelligence team identified and began the responsible disclosure process for a stored Cross-Site Scripting (XSS) vulnerability in W3 Eden’s Download Manager plugin, which is actively installed on more than 100,000 WordPress websites, making Continue reading W3 Eden Addresses Authenticated Stored XSS Vulnerability in Download Manager WordPress Plugin→

PSA: Attackers Actively Exploiting Critical Vulnerability in Essential Addons for Elementor

Posted on 17 May 2023 by

On May 11 2023, Essential Addons for Elementor, a WordPress plugin with over one million active installations, released a patch for a critical vulnerability that made it possible for any unauthenticated user to reset arbitrary user passwords, including user accounts Continue reading PSA: Attackers Actively Exploiting Critical Vulnerability in Essential Addons for Elementor→

Multiple Vulnerabilities Patched in Shield Security

Posted on 25 April 2023 by

On March 20, 2023, the Wordfence Threat Intelligence team began the responsible disclosure process for two vulnerabilities in Shield Security, a security plugin with over 50,000 installations. One of these vulnerabilities allowed unauthenticated attackers to inject malicious JavaScript into an Continue reading Multiple Vulnerabilities Patched in Shield Security→

Hiding in Plain Sight: Cross-Site Scripting Vulnerabilities Patched in Weaver Products

Posted on 18 April 2023 by

On March 14, 2023, the Wordfence Threat Intelligence team initiated the responsible disclosure process for 2 nearly identical Cross-Site Scripting vulnerabilities in the Weaver Xtreme theme and the Weaver Show Posts plugin, which each have over 10,000 installations. The plugin Continue reading Hiding in Plain Sight: Cross-Site Scripting Vulnerabilities Patched in Weaver Products→

Privilege Escalation Vulnerability Patched Promptly in WP Data Access WordPress Plugin

Posted on 12 April 2023 by

On April 5, 2023 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability we discovered in WP Data Access, a WordPress plugin that is installed on over 10,000 sites. This flaw makes it possible for an Continue reading Privilege Escalation Vulnerability Patched Promptly in WP Data Access WordPress Plugin→

Update Now! Severe Vulnerability Impacting 600,000 Sites Patched in Limit Login Attempts

Posted on 11 April 2023 by

On January 26, 2023, the Wordfence team responsibly disclosed an unauthenticated stored Cross-Site Scripting vulnerability in Limit Login Attempts, a WordPress plugin installed on over 600,000 sites that provides site owners with the ability to block IP addresses that have Continue reading Update Now! Severe Vulnerability Impacting 600,000 Sites Patched in Limit Login Attempts→

Multiple Reflected Cross-Site Scripting Vulnerabilities in Three WordPress Plugins Patched

Posted on 22 March 2023 by

The Wordfence Threat Intelligence Team recently disclosed several Reflected Cross-Site Scripting vulnerabilities that we discovered in three different plugins – Watu Quiz (installed on 5,000 sites), GN-Publisher (installed on 40,000 sites), and Japanized For WooCommerce (installed on 10,000 sites). As Continue reading Multiple Reflected Cross-Site Scripting Vulnerabilities in Three WordPress Plugins Patched→

Vulnerability Patched in Cozmolabs Profile Builder Plugin – Information Disclosure Leads to Account Takeover

Posted on 14 March 2023 by

Hundreds, if not thousands of WordPress plugins are conceived with the idea of making site building and maintenance easier for site owners. They add features not available in WordPress Core that would otherwise require site owners to write their own Continue reading Vulnerability Patched in Cozmolabs Profile Builder Plugin – Information Disclosure Leads to Account Takeover→

All In One SEO Pack Vulnerabilities Impacting 3 Million Sites Patched

Posted on 27 February 2023 by

On January 26, 2023, the Wordfence Team responsibly disclosed two vulnerabilities in All In One SEO Pack, a WordPress plugin installed on over 3 Million sites which provides search engine optimization tools designed to help content creators optimize their sites Continue reading All In One SEO Pack Vulnerabilities Impacting 3 Million Sites Patched→